Add step-ca agent issuer manifest #21

Open
bluejay wants to merge 1 commits from sprint41/cx-2-step-ca-agent-provisioner into main
Owner

Summary

  • Adds apps/fc-devicemgmt/clusterissuer-step-ca-agent.yaml as the Smallstep StepClusterIssuer for the live step-ca-agent provisioner.
  • References the live cert-manager/step-ca-agent-provisioner-password Secret without committing secret material.
  • Adds fc-devicemgmt lint coverage for issuer target, Secret reference, and traceability metadata.

Verification

  • dotnet.exe test tests\bluejay-infra-lint\BluejayInfraLint.Tests.csproj --filter "FullyQualifiedName~FcDeviceManagement" passed: 10/10.
  • dotnet.exe test tests\bluejay-infra-lint\BluejayInfraLint.Tests.csproj --filter "FullyQualifiedName~StepCaAgentIssuer" passed: 3/3.
  • kubectl apply --dry-run=server -f clusterissuer-step-ca-agent.yaml is blocked live because stepclusterissuers.certmanager.step.sm CRD is not installed yet.
  • Live noc1 smoke minted a 1-year CN/SAN fc-devicemgmt-runtime leaf via step-ca-agent.

Agent Report

  • Files created: D:\git\FlowerCore\bluejay-infra-sprint41-cx-2\apps\fc-devicemgmt\clusterissuer-step-ca-agent.yaml
  • Files modified: D:\git\FlowerCore\bluejay-infra-sprint41-cx-2\tests\bluejay-infra-lint\FleetManifestLintTests.cs
  • Tests before: 185 | Tests after: 193 | Delta: +8
  • Docs needing update: D:\git\FlowerCore\FlowerCore.Notes\docs\infrastructure\fc-devicemgmt-1p-provisioning-runbook.md may need a follow-up note that the live provisioner/password Secret now exist, and a separate lane should add/install Smallstep step-issuer CRDs/controller.
  • Decisions made (defaults): Used Smallstep StepClusterIssuer (certmanager.step.sm/v1beta1) rather than cert-manager ACME because the required agent provisioner is JWK-based and must allow 8760h leaves.
  • Build status: Pass with blocker (focused lint passes; server dry-run blocked by missing step-issuer CRD).
bluejay added 1 commit 2026-05-19 22:54:29 +00:00

Checkout

From your project repository, check out a new branch and test the changes.
git fetch -u origin sprint41/cx-2-step-ca-agent-provisioner:sprint41/cx-2-step-ca-agent-provisioner
git checkout sprint41/cx-2-step-ca-agent-provisioner

Reference: bluejay/bluejay-infra#21