
[v0.9] Add strict TLS mode #2577

Merged (1 commit) Jul 9, 2024

Conversation

weyfonk (Contributor) commented Jul 2, 2024

Refers to #2584

Backport of #2507 to release/v0.9.

fleet#2556 does not need backporting, because Fleet's 0.9 agent uses a single container per pod.

Tested as described in rancher/rancher#45964

@weyfonk weyfonk requested a review from a team as a code owner July 2, 2024 15:40
@weyfonk weyfonk marked this pull request as draft July 2, 2024 15:40
@weyfonk weyfonk force-pushed the 0.9-strict-tls-mode branch 3 times, most recently from 5a76226 to d4d1ad0 July 3, 2024 06:49
@manno manno changed the title [0.9] Add strict TLS mode [v0.9] Add strict TLS mode Jul 3, 2024
@weyfonk weyfonk marked this pull request as ready for review July 3, 2024 14:08
@weyfonk weyfonk marked this pull request as draft July 3, 2024 14:08
@weyfonk weyfonk force-pushed the 0.9-strict-tls-mode branch from 56664a7 to d4d1ad0 July 3, 2024 14:13
@weyfonk weyfonk marked this pull request as ready for review July 3, 2024 14:14
@weyfonk weyfonk force-pushed the 0.9-strict-tls-mode branch from d4d1ad0 to c1c5cdf July 3, 2024 15:34
* Add agentTLSMode option

Fleet now supports two distinct TLS modes for its agent when registering
against an upstream cluster:
* `system-store`, the default, does not change its current behaviour:
  the Fleet agent trusts any certificate signed by a CA found in its
  system store. In this mode, Fleet will also ignore a configured CA,
  if the system trust store is sufficient.
* `strict`, to bypass the system store when validating a certificate.

* Redeploy Fleet agent when TLS mode setting changes

This commit takes care of watching the agent TLS mode setting in the
`fleet-controller` config map, and of redeploying the Fleet agent to
upstream and downstream clusters when that setting changes.
Note that this only works for downstream clusters registered through a
manager-initiated process [1].

Testing this is done by reusing existing agent TLS mode test cases, and
triggering new deployments of the Fleet agent by patching the
`fleet-controller` config map.
Requirements for this include a cluster registered in manager-initiated
mode, while existing multi-cluster end-to-end tests need a downstream
cluster registered in agent-initiated mode.
Therefore, this commit also adds a new downstream cluster to the
multi-cluster CI workflow, which is so far only used for agent TLS mode
tests.

[1]: https://fleet.rancher.io/cluster-registration#manager-initiated
@weyfonk weyfonk force-pushed the 0.9-strict-tls-mode branch from c1c5cdf to 30f1357 July 5, 2024 08:35
@thardeck thardeck merged commit 87a0abd into rancher:release/v0.9 Jul 9, 2024
9 checks passed
@thardeck thardeck mentioned this pull request Jul 18, 2024