Add step-ca agent issuer manifest

apps/fc-desktop/fc-desktop.yaml

@@ -1,13 +1,10 @@
 # FlowerCore Remote Desktop — TLS + Ingress
 #
 # Source-of-truth split:
-#   - bluejay-infra OWNS: Certificate, IngressRoute, all NetworkPolicies,
-#     and the explicit RemoteDesktopPoolCrd warm-pool intent in
-#     remotedesktop-pools.yaml.
+#   - bluejay-infra OWNS: Certificate, IngressRoute, all NetworkPolicies
 #     (see network-policies.yaml in this directory).
-#   - FlowerCore.RemoteDesktop OWNS: CRD definition/operator Deployment and
-#     scripts/deploy-web.sh Deployment + Service. Reason: image refs like
-#     `localhost/fc-desktop:linux-xfce`
+#   - FlowerCore.RemoteDesktop scripts/deploy-web.sh OWNS: Deployment +
+#     Service. Reason: image refs like `localhost/fc-desktop:linux-xfce`
 #     only exist on each node's containerd after a manual import, so a
 #     Deployment manifest in bluejay-infra would race the image-import
 #     step and crash-loop.

apps/fc-desktop/remotedesktop-pools.yaml

@@ -1,101 +0,0 @@
-# FlowerCore RemoteDesktop warm-pool intent.
-#
-# These CRDs are deliberately explicit. The RemoteDesktop warmup loop no
-# longer scans template defaults to decide what to warm; every enabled pool
-# here represents operator/GitOps intent and prevents a repeat of the
-# orphan-pool leak from 2026-05-08.
----
-apiVersion: flowercore.io/v1
-kind: RemoteDesktopPoolCrd
-metadata:
-  name: browser-lab-pool
-  namespace: fc-desktop
-  labels:
-    app.kubernetes.io/name: remotedesktop-pool
-    app.kubernetes.io/part-of: flowercore-remotedesktop
-    app.kubernetes.io/managed-by: bluejay-infra
-spec:
-  templateSlug: browser-only
-  desiredSize: 1
-  enabled: true
-  reconcileNow: true
----
-apiVersion: flowercore.io/v1
-kind: RemoteDesktopPoolCrd
-metadata:
-  name: opensuse-xfce-pool
-  namespace: fc-desktop
-  labels:
-    app.kubernetes.io/name: remotedesktop-pool
-    app.kubernetes.io/part-of: flowercore-remotedesktop
-    app.kubernetes.io/managed-by: bluejay-infra
-spec:
-  templateSlug: opensuse-xfce
-  desiredSize: 1
-  enabled: true
-  userVolumeMode: LateAttach
-  reconcileNow: true
----
-apiVersion: flowercore.io/v1
-kind: RemoteDesktopPoolCrd
-metadata:
-  name: dev-workstation-pool
-  namespace: fc-desktop
-  labels:
-    app.kubernetes.io/name: remotedesktop-pool
-    app.kubernetes.io/part-of: flowercore-remotedesktop
-    app.kubernetes.io/managed-by: bluejay-infra
-spec:
-  templateSlug: dev-workstation
-  desiredSize: 1
-  enabled: true
-  userVolumeMode: LateAttach
-  reconcileNow: true
----
-apiVersion: flowercore.io/v1
-kind: RemoteDesktopPoolCrd
-metadata:
-  name: ai-station-pool
-  namespace: fc-desktop
-  labels:
-    app.kubernetes.io/name: remotedesktop-pool
-    app.kubernetes.io/part-of: flowercore-remotedesktop
-    app.kubernetes.io/managed-by: bluejay-infra
-spec:
-  templateSlug: ai-station
-  desiredSize: 1
-  enabled: true
-  userVolumeMode: LateAttach
-  reconcileNow: true
----
-apiVersion: flowercore.io/v1
-kind: RemoteDesktopPoolCrd
-metadata:
-  name: linux-xfce-pool
-  namespace: fc-desktop
-  labels:
-    app.kubernetes.io/name: remotedesktop-pool
-    app.kubernetes.io/part-of: flowercore-remotedesktop
-    app.kubernetes.io/managed-by: bluejay-infra
-spec:
-  templateSlug: linux-xfce
-  desiredSize: 1
-  enabled: true
-  userVolumeMode: LateAttach
-  reconcileNow: true
----
-apiVersion: flowercore.io/v1
-kind: RemoteDesktopPoolCrd
-metadata:
-  name: linux-xfce-rdp-pool
-  namespace: fc-desktop
-  labels:
-    app.kubernetes.io/name: remotedesktop-pool
-    app.kubernetes.io/part-of: flowercore-remotedesktop
-    app.kubernetes.io/managed-by: bluejay-infra
-spec:
-  templateSlug: linux-xfce-rdp
-  desiredSize: 1
-  enabled: true
-  userVolumeMode: LateAttach
-  reconcileNow: true

apps/fc-devicemgmt/clusterissuer-step-ca-agent.yaml

@@ -0,0 +1,31 @@
+# Step issuer for FlowerCore.DeviceManagement runtime mTLS leaves.
+#
+# Requires the smallstep step-issuer CRDs/controller:
+#   stepclusterissuers.certmanager.step.sm
+# The provisioner password lives in the live cert-manager Secret below; do not
+# commit the password or generated private key material to this repo.
+apiVersion: certmanager.step.sm/v1beta1
+kind: StepClusterIssuer
+metadata:
+  name: step-ca-agent
+  labels:
+    app.kubernetes.io/name: step-ca-agent
+    app.kubernetes.io/component: pki
+    app.kubernetes.io/part-of: flowercore
+    app.kubernetes.io/managed-by: argocd
+    flowercore.io/tenant-id: system
+    flowercore.io/created-by: bluejay-infra
+  annotations:
+    flowercore.io/traceability-standard: k8s-pod-ownership-and-traceability-standard
+    flowercore.io/provisioner-source: profile::pki::stepca
+    flowercore.io/secret-source: cert-manager/step-ca-agent-provisioner-password
+spec:
+  url: https://10.0.56.10:9443
+  caBundle: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJ4RENDQVdxZ0F3SUJBZ0lSQVBZMzU3RzZvdzZ6TUFMNSs0YlMya2t3Q2dZSUtvWkl6ajBFQXdJd1FERWEKTUJnR0ExVUVDaE1SU1VGdFYyOXlhMmx1SUVGRFRVVWdRMEV4SWpBZ0JnTlZCQU1UR1VsQmJWZHZjbXRwYmlCQgpRMDFGSUVOQklGSnZiM1FnUTBFd0hoY05Nall3TXpBNE1UZ3dOekV4V2hjTk16WXdNekExTVRnd056RXhXakJBCk1Sb3dHQVlEVlFRS0V4RkpRVzFYYjNKcmFXNGdRVU5OUlNCRFFURWlNQ0FHQTFVRUF4TVpTVUZ0VjI5eWEybHUKSUVGRFRVVWdRMEVnVW05dmRDQkRRVEJaTUJNR0J5cUdTTTQ5QWdFR0NDcUdTTTQ5QXdFSEEwSUFCSjJuMDRYMQpKWm81WmRxL2kxSWR2OCtmcXdaeUF6Qmg3d2hicWowU1dzSkw4VVdSYWJDTXFZQ3M3K2RYTzB4UlN6cWt3RkRMCngrdm9vT2FpOFJnUk5oYWpSVEJETUE0R0ExVWREd0VCL3dRRUF3SUJCakFTQmdOVkhSTUJBZjhFQ0RBR0FRSC8KQWdFQk1CMEdBMVVkRGdRV0JCUm51UFBRUjZpTS9INnZPbHVpVTNTeWdheXo4akFLQmdncWhrak9QUVFEQWdOSQpBREJGQWlFQXJRSzlkWVBHbUFac2RZbmp6aXVGVlZFNU5LWlVjY2VZdkdmR0MrdExYVXNDSUF1ZEYyekpyQ1JxCjNtSzUwWlpFVC9md1RrSndpRUY0ODI0bWpQOHAxQ0tNCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
+  provisioner:
+    name: step-ca-agent
+    kid: RF3A9welUYVOWBX8tr19aWyA2kQlxoGZN1dRwTElUEM
+    passwordRef:
+      name: step-ca-agent-provisioner-password
+      namespace: cert-manager
+      key: password

tests/bluejay-infra-lint/FleetManifestLintTests.cs

@@ -387,38 +387,6 @@ public sealed class FleetManifestLintTests
         violations.Should().BeEmpty();
     }
 
-    [Fact]
-    public void RemoteDesktopPoolCrds_MustExplicitlyOptInHookReadyTemplates()
-    {
-        var expectedModes = new Dictionary<string, string?>(StringComparer.Ordinal)
-        {
-            ["browser-only"] = null,
-            ["opensuse-xfce"] = "LateAttach",
-            ["dev-workstation"] = "LateAttach",
-            ["ai-station"] = "LateAttach",
-            ["linux-xfce"] = "LateAttach",
-            ["linux-xfce-rdp"] = "LateAttach",
-        };
-
-        var pools = Inventory.Documents
-            .Where(document => document.Kind == "RemoteDesktopPoolCrd")
-            .Where(document => document.RelativePath == "fc-desktop/remotedesktop-pools.yaml")
-            .ToDictionary(
-                document => document.Scalar("spec", "templateSlug") ?? string.Empty,
-                StringComparer.Ordinal);
-
-        pools.Keys.Should().BeEquivalentTo(expectedModes.Keys);
-        foreach (var expected in expectedModes)
-        {
-            var pool = pools[expected.Key];
-            pool.Namespace.Should().Be("fc-desktop");
-            pool.Scalar("spec", "desiredSize").Should().Be("1");
-            pool.Scalar("spec", "enabled").Should().Be("true");
-            pool.Scalar("spec", "reconcileNow").Should().Be("true");
-            pool.Scalar("spec", "userVolumeMode").Should().Be(expected.Value);
-        }
-    }
-
     [Fact]
     public void PublicEgressDeployments_MustOptOutOfIamworkinLanSearchSuffixes()
     {
@@ -464,6 +432,7 @@ public sealed class FleetManifestLintTests
             "1password-item.yaml",
             "argocd-application.yaml",
             "certificate-web.yaml",
+            "clusterissuer-step-ca-agent.yaml",
             "clusterrole-operator.yaml",
             "clusterrolebinding-operator.yaml",
             "deployment-operator.yaml",
@@ -548,6 +517,53 @@ public sealed class FleetManifestLintTests
             .ContainSingle("devices.iamworkin.lan");
     }
 
+    [Fact]
+    public void FcDeviceManagement_StepCaAgentIssuerMustTargetNocProvisioner()
+    {
+        var issuer = FcDeviceManagementDocuments()
+            .Single(document => document.Kind == "StepClusterIssuer" && document.Name == "step-ca-agent");
+
+        issuer.Scalar("apiVersion").Should().Be("certmanager.step.sm/v1beta1");
+        issuer.Scalar("spec", "url").Should().Be("https://10.0.56.10:9443");
+        issuer.Scalar("spec", "caBundle").Should().NotBeNullOrWhiteSpace();
+        issuer.Scalar("spec", "provisioner", "name").Should().Be("step-ca-agent");
+        issuer.Scalar("spec", "provisioner", "kid").Should().Be("RF3A9welUYVOWBX8tr19aWyA2kQlxoGZN1dRwTElUEM");
+    }
+
+    [Fact]
+    public void FcDeviceManagement_StepCaAgentIssuerMustReferencePasswordSecretOnly()
+    {
+        var issuer = FcDeviceManagementDocuments()
+            .Single(document => document.Kind == "StepClusterIssuer" && document.Name == "step-ca-agent");
+
+        issuer.Scalar("spec", "provisioner", "passwordRef", "name")
+            .Should()
+            .Be("step-ca-agent-provisioner-password");
+        issuer.Scalar("spec", "provisioner", "passwordRef", "namespace").Should().Be("cert-manager");
+        issuer.Scalar("spec", "provisioner", "passwordRef", "key").Should().Be("password");
+
+        var issuerText = File.ReadAllText(Path.Combine(Inventory.BluejayRoot, "apps", "fc-devicemgmt", "clusterissuer-step-ca-agent.yaml"));
+        issuerText.Should().NotContain("stringData:");
+        issuerText.Should().NotContain("password:");
+        issuerText.Should().NotContain("privateKey");
+    }
+
+    [Fact]
+    public void FcDeviceManagement_StepCaAgentIssuerMustCarryTraceabilityMetadata()
+    {
+        var issuer = FcDeviceManagementDocuments()
+            .Single(document => document.Kind == "StepClusterIssuer" && document.Name == "step-ca-agent");
+
+        issuer.Scalar("metadata", "labels", "app.kubernetes.io/managed-by").Should().Be("argocd");
+        issuer.Scalar("metadata", "labels", "flowercore.io/tenant-id").Should().Be("system");
+        issuer.Scalar("metadata", "annotations", "flowercore.io/provisioner-source")
+            .Should()
+            .Be("profile::pki::stepca");
+        issuer.Scalar("metadata", "annotations", "flowercore.io/secret-source")
+            .Should()
+            .Be("cert-manager/step-ca-agent-provisioner-password");
+    }
+
     [Fact]
     public void FcDeviceManagement_OperatorRbacMustCoverDevicesAndOwnerLookup()
     {