runners: bake step-ca root CA into image (v20260525-stepca) #27

Merged
bluejay merged 1 commits from ops/runners-bake-step-ca-root-2026-05-25 into main 2026-05-26 01:04:20 +00:00

Closes the PartialChain warning surfaced in FlowerCore.Print.Web build job (run 26424807451). CI tests hit https://selenium.iamworkin.lan/session and the .NET HTTP client rejected the chain because the runner image did not have the IAmWorkin step-ca root.

Change

  • Dockerfile: COPY step-ca-root.crt into /usr/local/share/ca-certificates/ and run update-ca-certificates
  • step-ca-root.crt: new file, extracted from cluster cert-manager/step-ca-root Secret (O=IAmWorkin ACME CA, CN=IAmWorkin ACME CA Root CA, expires 2036-03-05)
  • github-runner.yaml: bump image tag from v20260520-ruby3.3.11 -> v20260525-ruby3.3.11-stepca (28 Deployments)
  • README.md: note CA bake step + refresh recipe

Pre-merge verification

Image already built and imported on all 3 schedulable RKE2 nodes before this PR, so ArgoCD will not hit ImagePullBackOff after sync:

--- 10.0.56.11 ---
localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
--- 10.0.56.12 ---
localhost/fc-github-runner:v20260525-ruby3.3.11-stepca
--- 10.0.56.13 ---
localhost/fc-github-runner:v20260525-ruby3.3.11-stepca

In-image trust verified: openssl verify -CAfile /etc/ssl/certs/ca-certificates.crt /usr/local/share/ca-certificates/iamworkin-step-ca-root.crt returns OK.

Test plan

  • ArgoCD reconciles infra-github-runner to the new image tag
  • kubectl exec in a refreshed runner pod: curl https://selenium.iamworkin.lan/status returns 200 (no -k)
  • Re-run FlowerCore.Print.Web build job; Selenium HTML render failed PartialChain warnings disappear
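A check that fits the test plan above, as an added example rather than the PR's own code: instead of trusting that the file was copied, it confirms the baked root is present in the merged bundle by the SHA-256 fingerprint of its DER, and optionally that it matches a fingerprint pinned in the repo. The default paths are the ones the PR's verify command uses; the pinned fingerprint is a placeholder because the PR records none, and the sample PEM data is constructed.

```python
"""Added example (not PR code): confirm a baked root is in the merged bundle by SHA-256 fingerprint."""
import base64
import hashlib
import re
import sys

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def pem_blocks(text: str) -> list:
    """Return the DER bytes of every CERTIFICATE block in a PEM bundle."""
    return [base64.b64decode("".join(m.split())) for m in PEM_RE.findall(text)]


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint in the colon-separated form openssl prints."""
    h = hashlib.sha256(der).hexdigest().upper()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))


def check_bake(root_pem: str, bundle_pem: str, expected_fp: str = "") -> dict:
    """Report whether the root is in the bundle (and matches the pin, if one is given)."""
    roots = pem_blocks(root_pem)
    if len(roots) != 1:
        return {"ok": False, "reason": "root file must hold exactly one certificate"}
    fp = fingerprint(roots[0])
    if expected_fp and fp != expected_fp.upper():
        return {"ok": False, "reason": "root fingerprint differs from pinned value", "fingerprint": fp}
    bundle_fps = [fingerprint(d) for d in pem_blocks(bundle_pem)]
    copies = bundle_fps.count(fp)
    if copies == 0:
        return {"ok": False, "reason": "root not in bundle; did update-ca-certificates run?", "fingerprint": fp}
    return {"ok": True, "fingerprint": fp, "bundle_certs": len(bundle_fps), "copies": copies}


def _pem(der: bytes) -> str:
    """Wrap bytes as a PEM CERTIFICATE block; only used to build the sample input."""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


# Constructed sample input: stand-in bytes, not real certificates, so the check runs offline.
SAMPLE_ROOT_PEM = _pem(b"constructed DER stand-in for the step-ca root")
SAMPLE_BUNDLE_PEM = _pem(b"constructed DER stand-in for a public root") + SAMPLE_ROOT_PEM

if __name__ == "__main__":  # usage: check_bake.py [root.crt] [bundle.crt] [pinned-fingerprint]
    args = sys.argv[1:] + [""] * 3
    root = args[0] or "/usr/local/share/ca-certificates/iamworkin-step-ca-root.crt"
    bundle = args[1] or "/etc/ssl/certs/ca-certificates.crt"
    with open(root) as fr, open(bundle) as fb:
        result = check_bake(fr.read(), fb.read(), args[2])  # args[2]: pinned fingerprint placeholder
    print(result)
    sys.exit(0 if result["ok"] else 1)
```

Run it inside a refreshed runner pod with no arguments; a non-zero exit means the root the image claims to trust is not actually in the bundle OpenSSL and .NET read.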
bluejay added 1 commit 2026-05-26 01:04:03 +00:00
Without the IAmWorkin step-ca root CA in the runner image's system
trust store, .NET HttpClient calls from CI tests against
`*.iamworkin.lan` (e.g. `https://selenium.iamworkin.lan/session`) fail
with `The remote certificate is invalid because of errors in the
certificate chain: PartialChain`. FlowerCore.Print.Web's
`WebScreenshotService` unit tests hit this on every build.

Drop the step-ca root PEM into `/usr/local/share/ca-certificates/`,
run `update-ca-certificates` once during apt install, and let OpenSSL +
.NET-on-Linux read the regenerated `/etc/ssl/certs/ca-certificates.crt`
automatically — no `SSL_CERT_FILE` env var, no per-Deployment volume
mount.

Image rebuilt + saved + imported on all 3 schedulable RKE2 nodes
(rke2-server, rke2-agent1, rke2-agent2) before this PR — verified with
`ctr images list -q | grep stepca` on each node.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
bluejay merged commit 148bc87b9a into main 2026-05-26 01:04:20 +00:00
Reference: bluejay/bluejay-infra#27