Add strict TLS mode support (rancher#2507)
* Add agentTLSMode option Fleet now supports two distinct TLS modes for its agent when registering against an upstream cluster: * `system-store`, the default, does not change its current behaviour: the Fleet agent trusts any certificate signed by a CA found in its system store. In this mode, Fleet will also ignore a configured CA, if the system trust store is sufficient. * `strict`, to bypass the system store when validating a certificate. * Redeploy Fleet agent when TLS mode setting changes This commit takes care of watching the agent TLS mode setting in the `fleet-controller` config map, and of redeploying the Fleet agent to upstream and downstream clusters when that setting changes. Note that this only works for downstream clusters registered through a manager-initiated process [1]. Testing this is done by reusing existing agent TLS mode test cases, and triggering new deployments of the Fleet agent by patching the `fleet-controller` config map. Requirements for this include a cluster registered in manager-initiated mode, while existing multi-cluster end-to-end tests need a downstream cluster registered in agent-initiated mode. Therefore, this commit also adds a new downstream cluster to the multi-cluster CI workflow, which is so far only used for agent TLS mode tests. [1]: https://fleet.rancher.io/cluster-registration#manager-initiated
Showing
16 changed files
with
353 additions
and
30 deletions.
@@ -0,0 +1,104 @@ | ||
package installation_test | ||
|
||
import ( | ||
"fmt" | ||
|
||
. "github.com/onsi/ginkgo/v2" | ||
. "github.com/onsi/gomega" | ||
"github.com/onsi/gomega/matchers" | ||
"github.com/rancher/fleet/e2e/testenv/kubectl" | ||
) | ||
|
||
var ( | ||
agentMode string | ||
kd kubectl.Command | ||
) | ||
|
||
var _ = Describe("Fleet installation with TLS agent modes", func() { | ||
BeforeEach(func() { | ||
kd = env.Kubectl.Context(env.Downstream) | ||
}) | ||
|
||
JustBeforeEach(func() { | ||
out, err := ku.Patch( | ||
"configmap", | ||
"fleet-controller", | ||
"-n", | ||
"cattle-fleet-system", | ||
"--type=merge", | ||
"-p", | ||
fmt.Sprintf( | ||
`{"data":{"config":"{\"apiServerURL\": \"https://google.com\", \"apiServerCA\": \"\", \"agentTLSMode\": \"%s\"}"}}`, | ||
agentMode, | ||
), | ||
) | ||
Expect(err).ToNot(HaveOccurred(), string(out)) | ||
|
||
}) | ||
|
||
Context("with non-strict agent TLS mode", func() { | ||
When("fetching fleet-agent-register logs", func() { | ||
BeforeEach(func() { | ||
agentMode = "system-store" | ||
}) | ||
|
||
It("reaches the server without cert issues", func() { | ||
Eventually(func() bool { | ||
logs, err := kd.Namespace("cattle-fleet-system").Logs( | ||
"-l", | ||
"app=fleet-agent", | ||
"-c", | ||
"fleet-agent-register", | ||
"--tail=-1", | ||
) | ||
if err != nil { | ||
return false | ||
} | ||
|
||
regexMatcher := matchers.MatchRegexpMatcher{ | ||
Regexp: "Failed to register agent.*could not find the requested resource", | ||
} | ||
reachesServerWithoutCertIssue, err := regexMatcher.Match(logs) | ||
if err != nil { | ||
return false | ||
} | ||
|
||
return reachesServerWithoutCertIssue | ||
}).Should(BeTrue()) | ||
}) | ||
}) | ||
}) | ||
|
||
Context("with strict agent TLS mode", func() { | ||
When("fetching fleet-agent-register logs", func() { | ||
BeforeEach(func() { | ||
agentMode = "strict" | ||
}) | ||
|
||
It("cannot reach the server because the cert is signed by an unknown authority", func() { | ||
Eventually(func() bool { | ||
logs, err := kd.Namespace("cattle-fleet-system").Logs( | ||
"-l", | ||
"app=fleet-agent", | ||
"-c", | ||
"fleet-agent-register", | ||
"--tail=-1", | ||
) | ||
if err != nil { | ||
return false | ||
} | ||
|
||
regexMatcher := matchers.MatchRegexpMatcher{ | ||
Regexp: "Failed to register agent.*signed by unknown authority", | ||
} | ||
reachesServerWithoutCertIssue, err := regexMatcher.Match(logs) | ||
if err != nil { | ||
return false | ||
} | ||
|
||
return reachesServerWithoutCertIssue | ||
}).Should(BeTrue()) | ||
}) | ||
}) | ||
}) | ||
}) |
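Review bot: The two `It` bodies (lines 93–116 and 130–153) are the same twenty lines apart from the regexp, and in the strict case the match result is still stored in `reachesServerWithoutCertIssue` although a match there means the opposite; pulling the log fetch and regexp match into one helper removes both the duplication and the misleading name. The `JustBeforeEach` also deserves a comment saying why it points the agent at `https://google.com` with an empty `apiServerCA`, since the whole test hinges on that contrast: `// Point the agent at a host with a publicly trusted certificate and no configured CA: system-store must accept it, strict must reject it.` That comment also makes explicit that the downstream cluster needs outbound access to that host for the system-store case to pass. Each `It` then reduces to `Eventually(func() bool { return agentRegisterLogsMatch("Failed to register agent.*could not find the requested resource") }).Should(BeTrue())` with the respective pattern.
```go
// agentRegisterLogsMatch reports whether the downstream fleet-agent-register
// container logs match pattern. kubectl or matcher errors count as "no match"
// so that Eventually keeps polling.
func agentRegisterLogsMatch(pattern string) bool {
	logs, err := kd.Namespace("cattle-fleet-system").Logs(
		"-l",
		"app=fleet-agent",
		"-c",
		"fleet-agent-register",
		"--tail=-1",
	)
	if err != nil {
		return false
	}

	matched, err := matchers.MatchRegexpMatcher{Regexp: pattern}.Match(logs)
	if err != nil {
		return false
	}

	return matched
}

// … unchanged: Describe, BeforeEach, JustBeforeEach, Context/When/BeforeEach nesting …
		It("reaches the server without cert issues", func() {
			Eventually(func() bool {
				return agentRegisterLogsMatch("Failed to register agent.*could not find the requested resource")
			}).Should(BeTrue())
		})
// … unchanged: strict Context, with the same shape and the "signed by unknown authority" pattern …
```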
@@ -0,0 +1,61 @@ | ||
// Package installation contains e2e tests deploying Fleet to multiple clusters. The tests use kubectl to apply | ||
// manifests. Expectations are verified by checking cluster resources. | ||
package installation_test | ||
|
||
import ( | ||
"fmt" | ||
"strings" | ||
"testing" | ||
|
||
"github.com/rancher/fleet/e2e/testenv" | ||
"github.com/rancher/fleet/e2e/testenv/kubectl" | ||
|
||
. "github.com/onsi/ginkgo/v2" | ||
. "github.com/onsi/gomega" | ||
) | ||
|
||
func TestE2E(t *testing.T) { | ||
RegisterFailHandler(Fail) | ||
RunSpecs(t, "E2E Installation Suite for Multi-Cluster") | ||
} | ||
|
||
var ( | ||
env *testenv.Env | ||
ku kubectl.Command | ||
config string | ||
) | ||
|
||
var _ = BeforeSuite(func() { | ||
SetDefaultEventuallyTimeout(testenv.Timeout) | ||
testenv.SetRoot("../..") | ||
|
||
env = testenv.New() | ||
ku = env.Kubectl.Context(env.Upstream) | ||
|
||
// Save initial state of `fleet-controller` config map | ||
cfg, err := ku.Get( | ||
"configmap", | ||
"fleet-controller", | ||
"-n", | ||
"cattle-fleet-system", | ||
"-o", | ||
"jsonpath={.data.config}") | ||
Expect(err).ToNot(HaveOccurred(), cfg) | ||
|
||
cfg = strings.ReplaceAll(cfg, `"`, `\"`) | ||
config = strings.ReplaceAll(cfg, "\n", "") | ||
}) | ||
|
||
var _ = AfterSuite(func() { | ||
// Restore initial state of config map | ||
out, err := ku.Patch( | ||
"configmap", | ||
"fleet-controller", | ||
"-n", | ||
"cattle-fleet-system", | ||
"--type=merge", | ||
"-p", | ||
fmt.Sprintf(`{"data":{"config":"%s"}}`, config), | ||
) | ||
Expect(err).ToNot(HaveOccurred(), string(out)) | ||
}) |
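Review bot: The config map value saved in `BeforeSuite` (lines 216–217) is re-embedded into JSON in `AfterSuite` (line 230) by escaping only double quotes and deleting newlines, so any backslash already present in the stored config — for example the `\n` escapes of a PEM `apiServerCA` inside that JSON string — comes back as a different value after the round trip, and the newline stripping means the restored config is never byte-identical to what was saved either. Building the patch with `encoding/json` keeps the saved string intact and drops the hand-rolled escaping (the `strings` import then becomes unused and `encoding/json` must be added). If `BeforeSuite` fails before `config` is populated, `AfterSuite` presumably still runs and would overwrite the config with an empty string; returning early when nothing was saved is cheap insurance, at the cost of not restoring a config that was genuinely empty.
```go
// … unchanged: BeforeSuite up to the Get call and its Expect …
	// Keep the raw value; AfterSuite serialises it with encoding/json.
	config = cfg
})

var _ = AfterSuite(func() {
	if config == "" {
		return // nothing was saved, do not blank the config map
	}
	// Restore initial state of config map
	patch, err := json.Marshal(map[string]any{"data": map[string]string{"config": config}})
	Expect(err).ToNot(HaveOccurred())
	out, err := ku.Patch(
		"configmap",
		"fleet-controller",
		"-n",
		"cattle-fleet-system",
		"--type=merge",
		"-p",
		string(patch),
	)
	Expect(err).ToNot(HaveOccurred(), string(out))
})
```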