CA check improvements for system-agent #45581

Closed
snasovich opened this issue May 23, 2024 · 7 comments
Labels: area/system-agent, internal JIRA (to be used in correspondence with the internal ticketing system), kind/enhancement (issues that improve or augment existing functionality), kind/feature (issues that represent larger new pieces of functionality, not enhancements to existing functionality), priority/0, team/hostbusters (the team that is responsible for provisioning/managing downstream clusters + K8s version support)
Milestone: v2.9-Next1

Comments

@snasovich
Collaborator

Placeholder
SURE-7665

@snasovich snasovich added kind/enhancement Issues that improve or augment existing functionality kind/feature Issues that represent larger new pieces of functionality, not enhancements to existing functionality priority/0 area/system-agent team/hostbusters The team that is responsible for provisioning/managing downstream clusters + K8s version support labels May 23, 2024
@snasovich snasovich added this to the v2.9-Next1 milestone May 23, 2024
@markusewalker markusewalker added internal JIRA To be used in correspondence with the internal ticketing system. labels May 23, 2024
@snasovich
Collaborator Author

Blocked on design review currently.

@MbolotSuse
Contributor

Depends on #45628.

@Sahota1225
Contributor

#45973

@markusewalker
Contributor

markusewalker commented Jul 2, 2024

Tested this with results over in Qase test run /RM/1631. I noted the following failure:

#   Scenario                                                            Result
4   Setup Rancher with valid ca-certs and agent-tls-mode=system-store   (failed, see below)

VALIDATION STEPS

  1. Setup Rancher v2.9-head with a valid cert.pem and/or key.pem file.
    • Ensured agentTLSMode=system-store in the helm install command.
  2. Ran command kubectl get settings agent-tls-mode -o yaml and noted that the value is strict:
$ kubectl get settings agent-tls-mode -o yaml
apiVersion: management.cattle.io/v3
customized: false
default: strict
kind: Setting
metadata:
  creationTimestamp: "2024-07-02T20:30:00Z"
  generation: 1
  name: agent-tls-mode
  resourceVersion: "936"
  uid: ba85e161-b9b9-4450-9265-d01d04ca59f9
source: ""
value: ""

There are two other scenarios that have the same steps as above that have not been tested yet due to this failure. Marking as blocked until this is resolved.
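The check above reads `agent-tls-mode` straight from the Setting object, and it is easy to misread: `default` is what applies when `value` is empty, so `default: strict` with `value: ""` means the agents are running in strict mode, not that the helm value was recorded. The snippet below is an added, self-contained illustration written for this page; it is not Rancher's or system-agent's code. It resolves the effective mode from the Setting's JSON fields (the `-o json` shape of the same output), then shows what the two modes mean for the TLS client: in `strict` only the Rancher CA bundle is trusted, while `system-store` leaves `RootCAs` nil so Go falls back to the host trust store. The CA names, the hostname `rancher.example.test` and the helper names (`EffectiveAgentTLSMode`, `AgentTLSConfig`, `TrustedUnder`, `StrictDemo`) are all constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/json"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Setting holds the two fields of a management.cattle.io/v3 Setting that matter here.
type Setting struct {
	Default string `json:"default"`
	Value   string `json:"value"`
}

// EffectiveAgentTLSMode returns the mode agents actually run with: an explicit
// value wins; an empty value means the default applies (value: "" is not "off").
func EffectiveAgentTLSMode(raw []byte) (string, error) {
	var s Setting
	if err := json.Unmarshal(raw, &s); err != nil {
		return "", err
	}
	mode := s.Value
	if mode == "" {
		mode = s.Default
	}
	if mode != "strict" && mode != "system-store" {
		return "", fmt.Errorf("unexpected agent-tls-mode %q", mode)
	}
	return mode, nil
}

// AgentTLSConfig builds illustrative client-side trust settings for a mode (assumption:
// this mirrors the documented semantics, it is not the project's implementation).
// strict: only the Rancher CA bundle is trusted. system-store: RootCAs stays nil,
// which makes crypto/tls fall back to the host's system trust store.
func AgentTLSConfig(mode string, rancherCAPEM []byte) (*tls.Config, error) {
	cfg := &tls.Config{MinVersion: tls.VersionTLS12}
	switch mode {
	case "strict":
		pool := x509.NewCertPool()
		if !pool.AppendCertsFromPEM(rancherCAPEM) {
			return nil, errors.New("strict mode needs a parseable Rancher CA bundle")
		}
		cfg.RootCAs = pool
	case "system-store":
	default:
		return nil, fmt.Errorf("unknown agent-tls-mode %q", mode)
	}
	return cfg, nil
}

// TrustedUnder reports whether cfg would accept leaf for host, using the same
// chain verification crypto/tls performs during the handshake.
func TrustedUnder(cfg *tls.Config, leaf *x509.Certificate, host string) bool {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: cfg.RootCAs, DNSName: host})
	return err == nil
}

// mkCert issues a throwaway demo certificate (self-signed when parent is nil).
func mkCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, []byte) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func caTemplate(cn string) *x509.Certificate {
	return &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
}

func serverTemplate(host string) *x509.Certificate {
	return &x509.Certificate{SerialNumber: big.NewInt(2), DNSNames: []string{host},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
}

// StrictDemo shows the security difference: under strict, a server cert issued by
// any CA other than Rancher's own is rejected, even one the OS store would trust.
func StrictDemo() (acceptsRancherCert, acceptsOtherCert bool) {
	const host = "rancher.example.test" // constructed hostname
	rancherCA, rancherKey, rancherPEM := mkCert(caTemplate("rancher-demo-ca"), nil, nil)
	otherCA, otherKey, _ := mkCert(caTemplate("some-other-ca"), nil, nil)
	rancherLeaf, _, _ := mkCert(serverTemplate(host), rancherCA, rancherKey)
	otherLeaf, _, _ := mkCert(serverTemplate(host), otherCA, otherKey)
	cfg, err := AgentTLSConfig("strict", rancherPEM)
	if err != nil {
		panic(err)
	}
	return TrustedUnder(cfg, rancherLeaf, host), TrustedUnder(cfg, otherLeaf, host)
}

func main() {
	// Constructed JSON with the same shape as the kubectl output in the comment
	// above (default: strict, value: ""), so the effective mode is the default.
	mode, err := EffectiveAgentTLSMode([]byte(`{"default":"strict","value":""}`))
	fmt.Println("effective agent-tls-mode:", mode, err)
	a, b := StrictDemo()
	fmt.Printf("strict accepts Rancher-CA cert: %v, other-CA cert: %v\n", a, b)
}
```

When reproducing the validation step, `kubectl get settings agent-tls-mode -o jsonpath='{.value}'` is the field the helm value should land in; an empty result means the default in `.default` is what the agents enforce.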

@MbolotSuse
Contributor

@markusewalker Can you provide more details? The default on 2.9.0 will be strict, but the actual value should be as in the helm command, system-store - your output doesn't provide sufficient detail to determine if that is the case.

@markusewalker
Contributor

@MbolotSuse sure, updated my comment with the information we discussed offline.

@markusewalker
Contributor

Re-ran the test cases outlined in Qase test run /RM/1631. Using v2.9.0-alpha7, I was successfully able to validate this issue. Summary of the scenarios tested provided below:

#   Scenario                                                                          Result
1   Validate Rancher is accessible with valid ca-certs
2   Validate Rancher is inaccessible with invalid ca-certs
3   Validate Rancher is unusable with invalid ca-certs and agentTLSMode=system-store
4   Validate Rancher is accessible/usable with valid ca-certs and agentTLSMode=system-store
5   Update agentTLSMode from strict to system-store
6   Update agentTLSMode from system-store to strict
7   Upgrade Rancher from v2.8-head -> v2.9-head
8   Upgrade Rancher from v2.8-head -> v2.9-head w/agentTLSMode=strict
