[v0.8] Add strict TLS mode #2596

Merged
merged 3 commits into from
Jul 9, 2024
Conversation

weyfonk
Contributor

@weyfonk weyfonk commented Jul 4, 2024

Refers to #2585

Backport of #2507 to release/v0.8.

fleet#2556 does not need backporting, because Fleet's 0.8 agent uses a single container per pod.

Tested as described in rancher/rancher#46008

@weyfonk weyfonk requested a review from a team as a code owner July 4, 2024 10:13
@weyfonk weyfonk marked this pull request as draft July 4, 2024 10:13
@weyfonk weyfonk changed the base branch from main to release/v0.8 July 4, 2024 10:14
@weyfonk weyfonk force-pushed the 0.8-strict-tls-mode branch from 1fb9202 to 7e11256 July 4, 2024 10:17
* Add agentTLSMode option

Fleet now supports two distinct TLS modes for its agent when registering
against an upstream cluster:
* `system-store`, the default, does not change its current behaviour:
  the Fleet agent trusts any certificate signed by a CA found in its
  system store. In this mode, Fleet will also ignore a configured CA,
  if the system trust store is sufficient.
* `strict`, to bypass the system store when validating a certificate.

* Redeploy Fleet agent when TLS mode setting changes

This commit takes care of watching the agent TLS mode setting in the
`fleet-controller` config map, and of redeploying the Fleet agent to
upstream and downstream clusters when that setting changes.
Note that this only works for downstream clusters registered through a
manager-initiated process [1].

Testing this is done by reusing existing agent TLS mode test cases, and
triggering new deployments of the Fleet agent by patching the
`fleet-controller` config map.
Requirements for this include a cluster registered in manager-initiated
mode, while existing multi-cluster end-to-end tests need a downstream
cluster registered in agent-initiated mode.
Therefore, this commit also adds a new downstream cluster to the
multi-cluster CI workflow, which is so far only used for agent TLS mode
tests.

[1]: https://fleet.rancher.io/cluster-registration#manager-initiated
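The trust difference between the two modes, as an added Go example that is not Fleet's own code: `rootPoolForMode`, `trustedBy` and `newSelfSignedCA` are hypothetical helpers, the CA is a constructed test input, and the `system-store` branch is simplified to "system roots plus the configured CA" rather than Fleet's exact behaviour.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// rootPoolForMode (hypothetical, not Fleet's code) builds the roots the agent would verify the upstream server against for a given agentTLSMode.
func rootPoolForMode(mode string, caPEM []byte) (*x509.CertPool, error) {
	switch mode {
	case "strict": // only the configured CA; system roots are bypassed entirely
		pool := x509.NewCertPool()
		if !pool.AppendCertsFromPEM(caPEM) {
			return nil, fmt.Errorf("strict mode requires a valid configured CA")
		}
		return pool, nil
	case "system-store": // system roots are always trusted; a configured CA only widens the set
		pool, err := x509.SystemCertPool()
		if err != nil {
			return nil, err
		}
		pool.AppendCertsFromPEM(caPEM) // no-op when caPEM is empty
		return pool, nil
	default: // fail closed on unknown values rather than silently falling back
		return nil, fmt.Errorf("unknown agentTLSMode %q", mode)
	}
}

// trustedBy reports whether cert chains to a root in pool, which is what the TLS handshake checks.
func trustedBy(pool *x509.CertPool, cert *x509.Certificate) bool {
	_, err := cert.Verify(x509.VerifyOptions{Roots: pool})
	return err == nil
}

// newSelfSignedCA builds a throwaway CA (constructed test input, not a real Fleet CA).
func newSelfSignedCA(cn string) ([]byte, *x509.Certificate) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: true, KeyUsage: x509.KeyUsageCertSign, BasicConstraintsValid: true}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	cert, _ := x509.ParseCertificate(der)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), cert
}
```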
@weyfonk weyfonk force-pushed the 0.8-strict-tls-mode branch from 7e11256 to b82c75b July 4, 2024 11:31
weyfonk added 2 commits July 4, 2024 14:57
This bumps both the action and the `golangci-lint` version used by it,
which should fix errors not seen locally.
This commit is only relevant to release test charts for this branch and
test it within Rancher 2.8. It can be, and should be, safely reverted
afterwards.
@weyfonk weyfonk marked this pull request as ready for review July 5, 2024 07:43
@kkaempf kkaempf modified the milestones: v2.8-Next1, v2.7-Next1 Jul 9, 2024
@thardeck thardeck merged commit 7f7946e into release/v0.8 Jul 9, 2024
10 checks passed
@thardeck thardeck deleted the 0.8-strict-tls-mode branch July 9, 2024 11:33
@thardeck thardeck mentioned this pull request Jul 18, 2024