add a webhook check for the agent-tls-mode setting #45589
Comments
QA Testing
Root cause
The webhook doesn't validate changes to the new
What was fixed, or what changes have occurred
If
Areas or cases that should be tested
What areas could experience regressions?
Steps
✅ PASSED
Validation Environment
🏗️ Rancher Installation Details
kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.15.0/cert-manager.crds.yaml
# Add the Jetstack Helm repository
helm repo add jetstack https://charts.jetstack.io
# Update your local Helm chart repository cache
helm repo update
# Install the cert-manager Helm chart
helm install cert-manager jetstack/cert-manager \
--namespace cert-manager \
--create-namespace \
--version v1.15.0
helm install rancher rancher-alpha/rancher --devel \
--namespace cattle-system \
--set hostname=$URL_VAR \
--set ingress.tls.source=letsEncrypt \
--set letsEncrypt.email=$EMAIL_VAR \
--set letsEncrypt.ingress.class=nginx \
--set bootstrapPassword=$PW_VAR \
--set rancherImage=rancher/rancher \
--set rancherImageTag=v2.9-head \
--version 2.9.0-alpha7 \
--set global.cattle.psp.enabled=false \
--set agentTLSMode=system-store \
--set privateCA=true
kubectl -n cattle-system create secret generic tls-ca \
--from-file=cacerts.pem=./cacerts.pem
🧪 Test Cases
🚨 8 test cases

1 / set agent-tls-mode setting during helm install to system-store
Status: ✅ PASS
Test Steps for Validation
✅ Expected Outcome: For
✅ Actual Outcome: Value system-store was set

2 / set agent-tls-mode setting during helm install to strict
Status: ⏸️ NOT TESTED YET
Test Steps for Validation
✅ Expected Outcome: For
✅ Actual Outcome:

3 / Changing agent-tls-mode setting with kubectl
Status: ✅ PASS
Test Steps for Validation
✅ Expected Outcome: For webhook to block this change to the agent-tls-mode setting
✅ Actual Outcome: Getting the expected error:

4 / Changing agent-tls-mode setting with the UI
Status: ✅ PASS
Test Steps for Validation
✅ Expected Outcome: The UI action should be blocked by webhook
✅ Actual Outcome: Getting the expected error of:

5 / Adding force annotation using kubectl, change setting with kubectl
Status: ✅ PASS
Test Steps for Validation
✅ Expected Outcome: The webhook should allow the setting to be changed now, even with a downstream cluster that has
✅ Actual Outcome: Successful edit with annotation added

6 / Adding force annotation using kubectl, change setting with the UI
Status: ✅ PASS
Test Steps for Validation
✅ Expected Outcome: The webhook should allow the setting to be changed now, even with a downstream cluster that has
✅ Actual Outcome: Successful edit with annotation added

7 / Upgrade
Status: ✅ PASS
Test Steps for Validation
✅ Expected Outcome: The UI action should be blocked by webhook
✅ Actual Outcome: Action is blocked by webhook

8 / Set tls-mode Strict with multiple downstream AgentTlsStrictCheck=True
Status: ✅ PASS
Test Steps for Validation
✅ Expected Outcome: For the change to be successful since both downstream clusters have
✅ Actual Outcome: The change was successful since both downstream clusters have
make sure that it can't be enabled unless the clusters have all reported they can accept the strict setting.
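
The admission rule that test cases 3 to 8 exercise, written out as an added example; this is not code from the Rancher webhook. The `Cluster` type, the function name, and the `forceAnnotation` key are hypothetical (the page does not name the force annotation), and treating a missing `AgentTlsStrictCheck` condition as a failure is an assumption.

```go
package main

import (
	"fmt"
	"strings"
)

// Hypothetical placeholder: the page does not name the real force annotation.
const forceAnnotation = "example.invalid/force"

// Condition name as it appears in test case 8 on the page.
const strictCheckCondition = "AgentTlsStrictCheck"

// Cluster is a simplified stand-in for a downstream cluster object.
type Cluster struct {
	Name       string
	Conditions map[string]string // condition type -> status
}

// ValidateTLSModeChange returns nil when the update to agent-tls-mode is
// admitted, or an error naming the clusters that block it.
func ValidateTLSModeChange(oldMode, newMode string, annotations map[string]string, clusters []Cluster) error {
	// Only a transition into strict is gated (assumption: strict -> strict is a no-op).
	if newMode != "strict" || oldMode == "strict" {
		return nil
	}
	// An explicit force annotation on the setting bypasses the cluster check.
	if annotations[forceAnnotation] == "true" {
		return nil
	}
	var notReady []string
	for _, c := range clusters {
		// Fail closed: an absent or non-True condition blocks the change.
		if c.Conditions[strictCheckCondition] != "True" {
			notReady = append(notReady, c.Name)
		}
	}
	if len(notReady) > 0 {
		return fmt.Errorf("agent-tls-mode cannot be set to strict, clusters without %s=True: %s",
			strictCheckCondition, strings.Join(notReady, ", "))
	}
	return nil
}

func main() {
	// Constructed sample clusters, not taken from the page.
	ready := Cluster{Name: "c-ready", Conditions: map[string]string{strictCheckCondition: "True"}}
	silent := Cluster{Name: "c-silent"}
	fmt.Println(ValidateTLSModeChange("system-store", "strict", nil, []Cluster{ready, silent}))
}
```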