Skip cabundle secrets when Gitrepo does not include GitRepo's .Spec.CABundle #2904

Closed
mmartin24 opened this issue Sep 26, 2024 · 2 comments

@mmartin24
Collaborator

Description

On Rancher 2.9.-head we have introduced automatic cabundle secret creation when any gitrepo is deployed (perhaps after #2831?)

In this screenshot we can see how, upon creation of 60 gitrepos without any certificate passed, it creates 60 cabundle secrets in 2.9.2 while 0 in 2.9.1:

Request

We should only create this cabundle secret when a certificate is passed

Steps to reproduce

The expected behavior would be

  • not to deploy the cabundle secret in this case. @weyfonk pointed out that we could perhaps skip secret creation if GitRepo's .Spec.CABundle field is empty
  • be able to deploy it when an additional certificate, such as this pem file, is passed along when creating the gitrepo
@mmartin24 mmartin24 added this to Fleet Sep 26, 2024
@mmartin24 mmartin24 converted this from a draft issue Sep 26, 2024
@weyfonk weyfonk changed the title Skip cabundes secrets when Gitrepo does not include GitRepo's .Spec.CABundle Skip cabundles secrets when Gitrepo does not include GitRepo's .Spec.CABundle Sep 26, 2024
@weyfonk weyfonk changed the title Skip cabundles secrets when Gitrepo does not include GitRepo's .Spec.CABundle Skip cabundle secrets when Gitrepo does not include GitRepo's .Spec.CABundle Sep 26, 2024
@manno manno moved this from 🆕 New to 📋 Backlog in Fleet Sep 27, 2024
@manno manno added this to the v2.9.3 milestone Sep 30, 2024
@weyfonk weyfonk moved this from 📋 Backlog to 🏗 In progress in Fleet Sep 30, 2024
@weyfonk weyfonk self-assigned this Sep 30, 2024
@weyfonk weyfonk moved this from 🏗 In progress to 👀 In review in Fleet Sep 30, 2024
@weyfonk weyfonk modified the milestones: v2.9.3, v2.10.0 Oct 1, 2024
@weyfonk
Contributor

weyfonk commented Oct 1, 2024

Additional QA

Problem

Each git job would be created with a *-cabundle secret for the GitRepo, even when that GitRepo did not specify any .Spec.CABundle field.

Solution

Only create that secret when a non-empty .Spec.CABundle field exists.

Testing

Engineering Testing

Manual Testing

None.

Automated Testing

Updated integration tests to verify that a CA bundle secret is only created when the GitRepo has a non-empty .Spec.CABundle field.

QA Testing Considerations

This should be tested following the reproduction steps above.

Regressions Considerations

N/A

@weyfonk weyfonk moved this from 👀 In review to Needs QA review in Fleet Oct 1, 2024
@weyfonk weyfonk removed their assignment Oct 1, 2024
@mmartin24 mmartin24 self-assigned this Oct 23, 2024
@mmartin24
Collaborator Author

Verified in v2.10-fe49760f4e50d0b78ca0102c8475bc93361336b0-head with fleet:105.0.0+up0.11.0-beta.3 along here.

  • ca-bundle secret IS NOT created when TLS cert is not added

@github-project-automation github-project-automation bot moved this from Needs QA review to ✅ Done in Fleet Oct 29, 2024
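
Added example, not taken from the issue or from Fleet's code base: a small Go check for the QA step described above, reporting `*-cabundle` secrets that exist without a non-empty `.Spec.CABundle` and bundles whose secret is missing. The `GitRepo` struct, the `<GitRepo name>-cabundle` naming and the sample data are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// GitRepo is a hypothetical stand-in for Fleet's GitRepo, reduced to what this check needs.
type GitRepo struct {
	Namespace, Name string
	CABundle        []byte // mirrors .Spec.CABundle
}

const suffix = "-cabundle" // assumed secret name: "<GitRepo name>-cabundle"

// AuditCABundleSecrets takes the cluster's secrets as "namespace/name" keys and
// returns the *-cabundle secrets that should not exist (GitRepo absent or with an
// empty CABundle) and the ones that are missing (non-empty CABundle, no secret).
func AuditCABundleSecrets(repos []GitRepo, secrets []string) (unexpected, missing []string) {
	want := map[string]bool{}
	for _, r := range repos {
		if len(r.CABundle) > 0 {
			want[r.Namespace+"/"+r.Name+suffix] = true
		}
	}
	for _, s := range secrets {
		if !strings.HasSuffix(s, suffix) {
			continue // not a CA bundle secret
		}
		if !want[s] {
			unexpected = append(unexpected, s)
		}
		delete(want, s) // whatever remains in want has no secret
	}
	for k := range want {
		missing = append(missing, k)
	}
	sort.Strings(unexpected)
	sort.Strings(missing)
	return unexpected, missing
}

func main() {
	// Constructed sample: two GitRepos without a certificate, one with.
	repos := []GitRepo{{"fleet-local", "plain-1", nil}, {"fleet-local", "plain-2", nil},
		{"fleet-local", "private-ca", []byte("-----BEGIN CERTIFICATE-----")}}
	secrets := []string{"fleet-local/plain-1-cabundle", "fleet-local/private-ca-cabundle"}
	fmt.Println(AuditCABundleSecrets(repos, secrets))
}
```

On the constructed sample it flags `fleet-local/plain-1-cabundle` as unexpected and reports nothing missing.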