rancher · thardeck · Jul 9, 2024 · Jun 26, 2024 · Jul 4, 2024 · Jul 3, 2024
@@ -0,0 +1,15 @@
+#!/bin/bash
+# Description: build fleet binary and image with debug flags
+
+set -euxo pipefail
+
+export GOARCH="${GOARCH:-amd64}"
+export CGO_ENABLED=0
+export GOOS=linux
+
+# fleet
+go build -gcflags='all=-N -l' -o bin/fleetcontroller-linux-"$GOARCH" ./cmd/fleetcontroller
+
+# fleet agent
+go build -gcflags='all=-N -l' -o "bin/fleet-linux-$GOARCH" ./cmd/fleetcli
+go build -gcflags='all=-N -l' -o "bin/fleetagent-linux-$GOARCH" ./cmd/fleetagent
@@ -15,14 +15,20 @@ else
   agentTag="dev"
 fi
 
+host=$(kubectl get node k3d-upstream-server-0 -o jsonpath='{.status.addresses[?(@.type=="InternalIP")].address}')
+ca=$( kubectl config view --flatten -o jsonpath='{.clusters[?(@.name == "k3d-upstream")].cluster.certificate-authority-data}' | base64 -d )
+server="https://$host:6443"
+
 helm -n cattle-fleet-system upgrade --install --create-namespace --wait fleet-crd charts/fleet-crd
 helm upgrade --install fleet charts/fleet \
   -n cattle-fleet-system --create-namespace --wait \
   --set image.repository="$fleetRepo" \
   --set image.tag="$fleetTag" \
   --set agentImage.repository="$agentRepo" \
   --set agentImage.tag="$agentTag" \
-  --set agentImage.imagePullPolicy=IfNotPresent
+  --set agentImage.imagePullPolicy=IfNotPresent \
+  --set apiServerCA="$ca" \
+  --set apiServerURL="$server" \
 
 # wait for controller and agent rollout
 kubectl -n cattle-fleet-system rollout status deploy/fleet-controller

@@ -0,0 +1,75 @@
+#!/bin/bash
+#
+# Submit new Fleet version against a test fork of rancher/charts
+
+set -ue
+
+PREV_FLEET_VERSION="$1"   # e.g. 0.5.2-rc.3
+NEW_FLEET_VERSION="$2"
+PREV_CHART_VERSION="$3"   # e.g. 101.2.0
+NEW_CHART_VERSION="$4"
+UUID="$5" 		  # for ttl.sh image resolution
+
+if [ -z "${GITHUB_WORKSPACE:-}" ]; then
+    CHARTS_DIR="$(dirname -- "$0")/../../../charts"
+else
+    CHARTS_DIR="${GITHUB_WORKSPACE}/charts"
+fi
+
+pushd "${CHARTS_DIR}" > /dev/null
+
+if [ ! -e ~/.gitconfig ]; then
+    git config --global user.name "fleet-bot"
+    git config --global user.email [email protected]
+fi
+
+if [ ! -f bin/charts-build-scripts ]; then
+    make pull-scripts
+fi
+
+if grep -q "version: ${PREV_CHART_VERSION}" ./packages/fleet/fleet/package.yaml && grep -q "${PREV_FLEET_VERSION}" ./packages/fleet/fleet/package.yaml; then
+
+    find ./packages/fleet/ -type f -exec sed -i -e "s/${PREV_FLEET_VERSION}/${NEW_FLEET_VERSION}/g" {} \;
+    find ./packages/fleet/ -type f -exec sed -i -e "s/version: ${PREV_CHART_VERSION}/version: ${NEW_CHART_VERSION}/g" {} \;
+else
+    echo "Previous Fleet version references do not exist in ./packages/fleet/ so replacing it with the new version is not possible. Exiting..."
+    exit 1
+fi
+
+for i in fleet fleet-crd fleet-agent; do
+    yq --inplace "del( .${i}.[] | select(. == \"${PREV_CHART_VERSION}+up${PREV_FLEET_VERSION}\") )" release.yaml
+    yq --inplace ".${i} += [\"${NEW_CHART_VERSION}+up${NEW_FLEET_VERSION}\"]" release.yaml
+done
+
+git add packages/fleet release.yaml
+git commit -m "Updating to Fleet v${NEW_FLEET_VERSION}"
+
+NEW_FULL_VERSION=${NEW_CHART_VERSION}+up${NEW_FLEET_VERSION}
+
+for suffix in '' '-agent' '-crd'; do
+    chart_dir=charts/fleet$suffix/${NEW_FULL_VERSION}
+    mkdir -p $chart_dir
+    cp -r ../fleet/charts/fleet$suffix/* $chart_dir
+    cd $chart_dir
+
+    # Replace rancher/fleet and rancher/fleet-agent image names, but not eg. rancher/kubectl
+    sed -i \
+        -e "s@repository: rancher/\(fleet.*\).*@repository: ttl.sh/rancher-\\1-$UUID@" \
+        -e "s/tag: dev/tag: 1h/" \
+        values.yaml
+
+    cd -
+
+    helm package \
+        --version="$NEW_FULL_VERSION" \
+        --app-version="$NEW_FLEET_VERSION" \
+        -d ./assets/fleet$suffix \
+        $chart_dir
+done
+
+make index # Merge new chart entries into `index.yaml`
+
+git add assets/fleet* charts/fleet* index.yaml
+git commit -m "Autogenerated changes for Fleet v${NEW_FLEET_VERSION}"
+
+popd > /dev/null
@@ -64,15 +64,15 @@ jobs:
         # k3d will automatically create a network named k3d-test-cluster-1 with the range 172.18.0.0/16
         with:
           k3d-version: ${{ env.SETUP_K3D_VERSION }}
-          cluster-name: "k3s-default"
+          cluster-name: "upstream"
           args: >-
             --agents 1
             --network "nw01"
             --image docker.io/rancher/k3s:${{matrix.k3s_version}}
       -
         name: Import Images Into k3d
         run: |
-          ./.github/scripts/k3d-import-retry.sh rancher/fleet:dev rancher/fleet-agent:dev
+          ./.github/scripts/k3d-import-retry.sh rancher/fleet:dev rancher/fleet-agent:dev -c upstream
           #k3d image import nginx-git:test nginx-git:test
       -
         name: Set Up Tmate Debug Session

@@ -62,7 +62,7 @@ jobs:
             --agents 1
             --network "nw01"
       -
-        name: Provision k3d Downstream Cluster
+        name: Provision k3d Downstream Cluster for agent-initiated registration
         uses: AbsaOSS/k3d-action@v2
         with:
           k3d-version: ${{ env.SETUP_K3D_VERSION }}
@@ -73,11 +73,24 @@ jobs:
             --api-port 6644
             --agents 1
             --network "nw01"
+      -
+        name: Provision k3d Downstream Cluster for manager-initiated registration
+        uses: AbsaOSS/k3d-action@v2
+        with:
+          k3d-version: ${{ env.SETUP_K3D_VERSION }}
+          cluster-name: "managed-downstream"
+          args: >-
+            -p "82:80@agent:0:direct"
+            -p "445:443@agent:0:direct"
+            --api-port 6645
+            --agents 1
+            --network "nw01"
       -
         name: Import Images Into k3d
         run: |
-          k3d image import rancher/fleet:dev rancher/fleet-agent:dev -c upstream
-          k3d image import rancher/fleet-agent:dev -c downstream
+          ./.github/scripts/k3d-import-retry.sh rancher/fleet:dev rancher/fleet-agent:dev -c upstream
+          ./.github/scripts/k3d-import-retry.sh rancher/fleet-agent:dev -c downstream
+          ./.github/scripts/k3d-import-retry.sh rancher/fleet-agent:dev -c managed-downstream
       -
         name: Set Up Tmate Debug Session
         if: ${{ github.event_name == 'workflow_dispatch' && github.event.inputs.enable_tmate == 'true' }}
@@ -107,14 +120,71 @@ jobs:
 
           token=$(kubectl get secret -n fleet-default second-token -o go-template='{{index .data "values" | base64decode}}' | yq eval .token -)
           ca=$(kubectl get secret -n cattle-fleet-system fleet-controller-bootstrap-token -o go-template='{{index .data "ca.crt" | base64decode}}')
+          apiServerIP=$(kubectl get node k3d-upstream-server-0 -o jsonpath='{.status.addresses[?(@.type=="InternalIP")].address}')
 
+          # agent initiated cluster registration
           kubectl config use-context k3d-downstream
           helm -n cattle-fleet-system upgrade --install --create-namespace --wait fleet-agent charts/fleet-agent \
             --set-string labels.env=test \
             --set apiServerCA="$ca" \
-            --set apiServerURL="https://172.18.0.1.sslip.io:6443" \
+            --set apiServerURL="https://$apiServerIP:6443" \
             --set clusterNamespace="fleet-default" \
             --set token="$token"
+
+      -
+        name: Deploy and Register Managed Downstream Fleet
+        run: |
+          kubectl config use-context k3d-managed-downstream
+          host=$(kubectl get node k3d-managed-downstream-server-0 -o jsonpath='{.status.addresses[?(@.type=="InternalIP")].address}')
+          ca=$( kubectl config view --flatten -o jsonpath='{.clusters[?(@.name == "k3d-managed-downstream")].cluster.certificate-authority-data}' )
+          client_cert=$( kubectl config view --flatten -o jsonpath='{.users[?(@.name == "admin@k3d-managed-downstream")].user.client-certificate-data}' )
+          token=$( kubectl config view --flatten -o jsonpath='{.users[?(@.name == "admin@k3d-managed-downstream")].user.client-key-data}' )
+          server="https://$host:6443"
+
+          kubectl config use-context k3d-upstream
+
+          value=$(cat <<EOF
+          apiVersion: v1
+          kind: Config
+          current-context: default
+          clusters:
+          - cluster:
+              certificate-authority-data: $ca
+              server: $server
+            name: cluster
+          contexts:
+          - context:
+              cluster: cluster
+              user: user
+            name: default
+          preferences: {}
+          users:
+          - name: user
+            user:
+              client-certificate-data: $client_cert
+              client-key-data: $token
+          EOF
+          )
+
+          kubectl create ns fleet-default || true
+          kubectl delete secret -n fleet-default kbcfg-second || true
+          # Rancher sets a token value in the secret, but our docs don't mention it
+          # * https://github.com/rancher/rancher/blob/c24fb8b0869a0b445f55b3307c6ed4582e147747/pkg/provisioningv2/kubeconfig/manager.go#L362
+          # * https://fleet.rancher.io/0.5/manager-initiated#kubeconfig-secret-1
+          kubectl create secret generic -n fleet-default kbcfg-second --from-literal=token="$token" --from-literal=value="$value"
+
+          kubectl apply -n fleet-default -f - <<EOF
+          apiVersion: "fleet.cattle.io/v1alpha1"
+          kind: Cluster
+          metadata:
+            name: second
+            namespace: fleet-default
+            labels:
+              name: second
+          spec:
+            kubeConfigSecret: kbcfg-second
+          EOF
+
       -
         name: E2E tests
         env:
@@ -123,6 +193,15 @@ jobs:
         run: |
           kubectl config use-context k3d-upstream
           ginkgo e2e/multi-cluster
+      -
+        name: E2E tests with managed downstream agent
+        env:
+          FLEET_E2E_NS: fleet-local
+          FLEET_E2E_NS_DOWNSTREAM: fleet-default
+          FLEET_E2E_CLUSTER_DOWNSTREAM: k3d-managed-downstream
+        run: |
+          kubectl config use-context k3d-upstream
+          ginkgo e2e/multi-cluster/installation
       -
         name: Acceptance Tests for Examples
         if: >

@@ -26,10 +26,10 @@ jobs:
           export PATH=$PATH:/home/runner/go/bin/
 
       - name: golangci-lint
-        uses: golangci/golangci-lint-action@v3.6.0
+        uses: golangci/golangci-lint-action@v6.0.1
         with:
           # Required: the version of golangci-lint is required and must be specified without patch version: we always use the latest patch version.
-          version: v1.53
+          version: v1.58
 
           args: --timeout=10m --config=.golangci.json
 

@@ -8,5 +8,6 @@ data:
       {{ if .Values.labels }}
       "labels":{{toJson .Values.labels}},
       {{ end }}
-      "clientID":"{{.Values.clientID}}"
+      "clientID":"{{.Values.clientID}}",
+      "agentTLSMode": "{{.Values.agentTLSMode}}"
     }
@@ -11,6 +11,10 @@ apiServerURL: ""
 # If left empty it is assumed this Kubernetes API TLS is signed by a well known CA.
 apiServerCA: ""
 
+# Determines whether the agent should trust CA bundles from the operating system's trust store when connecting to a
+# management cluster. True in `system-store` mode, false in `strict` mode.
+agentTLSMode: "system-store"
+
 # The cluster registration value
 token: ""
 

@@ -2545,6 +2545,9 @@ spec:
               agentResourcesHash:
                 nullable: true
                 type: string
+              agentTLSMode:
+                nullable: true
+                type: string
               agentTolerationsHash:
                 nullable: true
                 type: string

@@ -11,6 +11,7 @@ data:
       "apiServerURL": "{{.Values.apiServerURL}}",
       "apiServerCA": "{{b64enc .Values.apiServerCA}}",
       "agentCheckinInterval": "{{.Values.agentCheckinInterval}}",
+      "agentTLSMode": "{{.Values.agentTLSMode}}",
       "ignoreClusterRegistrationLabels": {{.Values.ignoreClusterRegistrationLabels}},
       "bootstrap": {
         "paths": "{{.Values.bootstrap.paths}}",

@@ -16,6 +16,10 @@ apiServerURL: ""
 # If left empty it is assumed this Kubernetes API TLS is signed by a well known CA.
 apiServerCA: ""
 
+# Determines whether the agent should trust CA bundles from the operating system's trust store when connecting to a
+# management cluster. True in `system-store` mode, false in `strict` mode.
+agentTLSMode: "system-store"
+
 # A duration string for how often agents should report a heartbeat
 agentCheckinInterval: "15m"