When
- adding a git repo to Fleet that has a fleet.yaml referencing an external Helm chart
- and the server serving the Helm chart uses a custom CA
Then
- the Git Repo is added and marked with State "active"
- the "Clusters Ready" status remains on "0/0" indefinitely
- no error is thrown or visible in the Fleet UI
Expected behavior:
- Fleet should honor the custom CA configured in the Rancher global settings or the custom CA configured in the GitRepo resource (spec.CaBundle) when downloading resources, such as Helm charts.
- Fleet should display an error message in the UI, indicating that there was a problem downloading the Helm chart.
Business impact:
The customer can't use any Helm charts from internet sources, because their corporate firewall performs TLS interception, replacing all SSL certs with their own CA.
kkaempf changed the title from "[SURE-8809] we should wait with this until Rancher has an OCI server included." to "[SURE-8809] Fleet deployment fails when Helm chart repo uses custom CA / missing error" on Aug 20, 2024
We should add support to Fleet to fall back to a default value, unless overridden in the resource.
This is most likely a Fleet install option; I think Fleet already gets re-installed when the Rancher CA changes.
However, there are multiple clients in Fleet which would need to support this. They all use a PEM block for CA in their spec instead.
Specifying the CA in the resource directly has the advantage that we don't need to watch another resource for changes, e.g. to redeploy on certificate rotation. That's not possible when we rely on a global setting.
Does re-installing Fleet re-render all bundles with the new CA, or do we need to implement this?
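Added example, not Fleet code and not from any participant in this thread: a Go sketch of the behaviour discussed above, where a PEM CA bundle on the resource overrides an install-wide default and an untrusted-CA failure becomes a visible status message instead of a silent stall. The names `caPool`, `chartClient` and `downloadStatus` and the chart URL are hypothetical.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"net/http"
)

// caPool (hypothetical) picks trust roots: a PEM bundle on the resource wins over the
// install-wide default, on top of system roots. Unparseable PEM is an error, not a fallback.
func caPool(resourceCA, defaultCA []byte) (*x509.CertPool, string, error) {
	pool, err := x509.SystemCertPool()
	if err != nil || pool == nil {
		pool = x509.NewCertPool()
	}
	src, bundle := "system", []byte(nil)
	if len(resourceCA) > 0 {
		src, bundle = "resource", resourceCA
	} else if len(defaultCA) > 0 {
		src, bundle = "default", defaultCA
	}
	if bundle != nil && !pool.AppendCertsFromPEM(bundle) {
		return nil, src, fmt.Errorf("%s CA bundle has no valid PEM certificate", src)
	}
	return pool, src, nil
}

// chartClient builds the HTTPS client used to fetch the chart; verification stays enabled.
func chartClient(resourceCA, defaultCA []byte) (*http.Client, error) {
	pool, _, err := caPool(resourceCA, defaultCA)
	if err != nil {
		return nil, err
	}
	return &http.Client{Transport: &http.Transport{TLSClientConfig: &tls.Config{RootCAs: pool}}}, nil
}

// downloadStatus turns a fetch error into a message fit for a status field shown in a UI.
func downloadStatus(chartURL string, err error) string {
	if ua := (x509.UnknownAuthorityError{}); errors.As(err, &ua) {
		err = fmt.Errorf("server certificate is signed by an untrusted CA, set a CA bundle: %w", err)
	}
	return fmt.Sprintf("chart download from %s failed: %v", chartURL, err)
}

func main() { // constructed input: a bundle that contains no certificate
	_, err := chartClient([]byte("not a certificate"), nil)
	fmt.Println(downloadStatus("https://charts.example.invalid/app.tgz", err))
}
```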