Enable HelmOps deployments with strict TLS mode

weyfonk · weyfonk · commit 8227e6d4f0fb · 2025-06-18T13:11:37.000+02:00
When the agent TLS mode is set to `strict`, the Fleet agent bypasses the
operating system's CA store only for the duration of the agent
registration process. Once registration is successful, the store can be
used again, which enables Helm charts to be pulled from the agent.
diff --git a/e2e/assets/multi-cluster/helmop.yaml b/e2e/assets/multi-cluster/helmop.yaml
@@ -0,0 +1,16 @@
+apiVersion: fleet.cattle.io/v1alpha1
+kind: HelmOp
+metadata:
+  name: {{.Name}}
+  namespace: {{.Namespace}}
+spec:
+  helm:
+    releaseName: testhelm
+    repo: {{.Repo}}
+    chart: {{.Chart}}
+    version: '{{.Version}}'
+  pollingInterval: {{.PollingInterval}}
+  helmSecretName: {{.HelmSecretName}}
+  insecureSkipTLSVerify: {{.InsecureSkipTLSVerify}}
+  targets:
+    - clusterSelector: {}
diff --git a/e2e/multi-cluster/installation/agent_test.go b/e2e/multi-cluster/installation/agent_test.go
@@ -1,10 +1,15 @@
 package installation_test
 
 import (
+	"encoding/json"
 	"fmt"
+	"strings"
+	"time"
 
 	. "github.com/onsi/ginkgo/v2"
 	. "github.com/onsi/gomega"
+
+	"github.com/rancher/fleet/e2e/testenv"
 )
 
 var (
@@ -69,11 +74,11 @@ var _ = Describe("Fleet installation with TLS agent modes", func() {
 	})
 
 	Context("with strict agent TLS mode", func() {
-		When("fetching fleet-agent logs", func() {
-			BeforeEach(func() {
-				agentMode = "strict"
-			})
+		BeforeEach(func() {
+			agentMode = "strict"
+		})
 
+		When("fetching fleet-agent logs", func() {
 			It("cannot reach the server because the cert is signed by an unknown authority", func() {
 				Eventually(func(g Gomega) error {
 					logs, err := kd.Namespace("cattle-fleet-system").Logs(
@@ -98,3 +103,93 @@ var _ = Describe("Fleet installation with TLS agent modes", func() {
 		})
 	})
 })
+
+var _ = Describe("HelmOps installation with strict TLS mode", func() {
+	BeforeEach(func() {
+		kd = env.Kubectl.Context(env.Downstream)
+
+		_, err := kd.Delete(
+			"pod",
+			"-n",
+			"cattle-fleet-system",
+			"-l",
+			"app=fleet-agent",
+		)
+		Expect(err).NotTo(HaveOccurred())
+	})
+
+	JustBeforeEach(func() {
+		restoreConfig() // prevent interference with other test cases in the suite.
+		out, err := ku.Patch(
+			"configmap",
+			"fleet-controller",
+			"-n",
+			"cattle-fleet-system",
+			"--type=merge",
+			"-p",
+			fmt.Sprintf(`{"data":{"config":"{\"agentTLSMode\": \"%s\"}"}}`, agentMode),
+		)
+		Expect(err).ToNot(HaveOccurred(), string(out))
+
+		// Check that the config change has been applied downstream
+		type configWithTLSMode struct {
+			AgentTLSMode string `json:"agentTLSMode"`
+		}
+		Eventually(func(g Gomega) {
+			data, err := kd.Namespace("cattle-fleet-system").Get(
+				"configmap",
+				"fleet-agent",
+				"-o",
+				"jsonpath={.data.config}",
+			)
+			Expect(err).ToNot(HaveOccurred(), data)
+
+			var c configWithTLSMode
+
+			err = json.Unmarshal([]byte(data), &c)
+			Expect(err).ToNot(HaveOccurred())
+
+			Expect(c.AgentTLSMode).To(Equal("strict"))
+		}).Should(Succeed())
+	})
+
+	When("installing a HelmOp", func() {
+		name := "basic"
+		ns := "fleet-default"
+
+		JustBeforeEach(func() {
+			ku = ku.Namespace(ns)
+			err := testenv.ApplyTemplate(ku, "../../assets/multi-cluster/helmop.yaml", struct {
+				Name                  string
+				Namespace             string
+				Repo                  string
+				Chart                 string
+				Version               string
+				PollingInterval       time.Duration
+				HelmSecretName        string
+				InsecureSkipTLSVerify bool
+			}{
+				name,
+				ns,
+				"",
+				"https://github.com/rancher/fleet/raw/refs/heads/main/integrationtests/cli/assets/helmrepository/config-chart-0.1.0.tgz",
+				"0.1.0",
+				0,
+				"",
+				false,
+			})
+			Expect(err).ToNot(HaveOccurred())
+		})
+
+		It("deploys the chart", func() {
+			Eventually(func() bool {
+				outPods, _ := kd.Get("configmaps")
+				return strings.Contains(outPods, "test-simple-chart-config")
+			}).Should(BeTrue())
+		})
+
+		AfterEach(func() {
+			ku.Delete("helmop", name)
+		})
+	})
+})
diff --git a/e2e/multi-cluster/installation/suite_test.go b/e2e/multi-cluster/installation/suite_test.go
@@ -49,7 +49,11 @@ var _ = BeforeSuite(func() {
 })
 
 var _ = AfterSuite(func() {
-	// Restore initial state of config map
+	restoreConfig()
+})
+
+// restoreConfig restores the initial state of the `fleet-controller` config map.
+func restoreConfig() {
 	out, err := ku.Patch(
 		"configmap",
 		"fleet-controller",
@@ -60,4 +64,4 @@ var _ = AfterSuite(func() {
 		fmt.Sprintf(`{"data":{"config":"%s"}}`, config),
 	)
 	Expect(err).ToNot(HaveOccurred(), string(out))
-})
+}
diff --git a/internal/cmd/agent/operator.go b/internal/cmd/agent/operator.go
@@ -345,9 +345,5 @@ func getAgentConfig(ctx context.Context, namespace string, cfg *rest.Config) (ag
 		return nil, fmt.Errorf("failed to parse config from ConfigMap: %w", err)
 	}
 
-	if agentConfig.AgentTLSMode == config.AgentTLSModeStrict {
-		config.BypassSystemCAStore()
-	}
-
 	return agentConfig, nil
 }
diff --git a/internal/cmd/agent/register/register.go b/internal/cmd/agent/register/register.go
@@ -140,7 +140,8 @@ func runRegistration(ctx context.Context, k8s coreInterface, namespace string) (
 		return nil, fmt.Errorf("failed to look up client config %s/%s: %w", secret.Namespace, config.AgentConfigName, err)
 	}
 
-	clientConfig := createClientConfigFromSecret(secret, cfg.AgentTLSMode == config.AgentTLSModeSystemStore)
+	clientConfig, undoBypass := createClientConfigFromSecret(secret, cfg.AgentTLSMode == config.AgentTLSModeSystemStore)
+	defer undoBypass()
 
 	ns, _, err := clientConfig.Namespace()
 	if err != nil {
@@ -287,20 +288,22 @@ func values(data map[string][]byte) map[string][]byte {
 
 // createClientConfigFromSecret reads the fleet-agent-bootstrap secret and
 // creates a clientConfig to access the upstream cluster
-func createClientConfigFromSecret(secret *corev1.Secret, trustSystemStoreCAs bool) clientcmd.ClientConfig {
+func createClientConfigFromSecret(secret *corev1.Secret, trustSystemStoreCAs bool) (clientcmd.ClientConfig, func()) {
 	data := values(secret.Data)
 	apiServerURL := string(data[config.APIServerURLKey])
 	apiServerCA := data[config.APIServerCAKey]
 	namespace := string(data[ClusterNamespace])
 	token := string(data[Token])
 
+	undoBypass := func() {}
+
 	if trustSystemStoreCAs { // Save a request to the API server URL if system CAs are not to be trusted.
 		// NOTE(manno): client-go will use the system trust store even if a CA is configured. So, why do this?
 		if _, err := http.Get(apiServerURL); err == nil {
 			apiServerCA = nil
 		}
 	} else {
-		config.BypassSystemCAStore()
+		undoBypass = config.BypassSystemCAStore()
 	}
 
 	cfg := clientcmdapi.Config{
@@ -325,7 +328,7 @@ func createClientConfigFromSecret(secret *corev1.Secret, trustSystemStoreCAs boo
 		CurrentContext: "default",
 	}
 
-	return clientcmd.NewDefaultClientConfig(cfg, &clientcmd.ConfigOverrides{})
+	return clientcmd.NewDefaultClientConfig(cfg, &clientcmd.ConfigOverrides{}), undoBypass
 }
 
 func testClientConfig(cfg []byte) error {
diff --git a/internal/config/overrides.go b/internal/config/overrides.go
@@ -6,20 +6,37 @@ import (
 	"github.com/sirupsen/logrus"
 )
 
+const (
+	envVarSSLCertFile = "SSL_CERT_FILE"
+	envVarSSLCertDir  = "SSL_CERT_DIR"
+)
+
 // BypassSystemCAStore is used to bypass the OS trust store in agents through env vars, see
 // https://pkg.go.dev/crypto/x509#SystemCertPool for more info.
 // We set values to paths belonging to the root filesystem, which is read-only, to prevent tampering.
 // Eventually, this should not be necessary, if/when we find a way to set client-go's API Config to achieve similar
 // effects.
 // Note: this will not work on Windows nor Mac OS. Agents are expected to run on Linux nodes.
-func BypassSystemCAStore() {
-	err := os.Setenv("SSL_CERT_FILE", "/dev/null")
-	if err != nil {
-		logrus.Errorf("failed to set env var SSL_CERT_FILE: %s", err.Error())
+// Returns a function allowing the bypass to be undone.
+func BypassSystemCAStore() func() {
+	certFileBkp := os.Getenv(envVarSSLCertFile)
+	certDirBkp := os.Getenv(envVarSSLCertDir)
+
+	if err := os.Setenv(envVarSSLCertFile, "/dev/null"); err != nil {
+		logrus.Errorf("failed to set env var %s: %s", envVarSSLCertFile, err.Error())
 	}
 
-	err = os.Setenv("SSL_CERT_DIR", "/dev/null")
-	if err != nil {
-		logrus.Errorf("failed to set env var SSL_CERT_DIR: %s", err.Error())
+	if err := os.Setenv(envVarSSLCertDir, "/dev/null"); err != nil {
+		logrus.Errorf("failed to set env var %s: %s", envVarSSLCertDir, err.Error())
+	}
+
+	return func() {
+		if err := os.Setenv(envVarSSLCertFile, certFileBkp); err != nil {
+			logrus.Errorf("failed to restore env var %s: %s", envVarSSLCertFile, err.Error())
+		}
+
+		if err := os.Setenv(envVarSSLCertDir, certDirBkp); err != nil {
+			logrus.Errorf("failed to restore env var %s: %s", envVarSSLCertDir, err.Error())
+		}
 	}
 }

Original file line number	Diff line number	Diff line change
`@@ -345,9 +345,5 @@ func getAgentConfig(ctx context.Context, namespace string, cfg *rest.Config) (ag`
`345`	`345`	`return nil, fmt.Errorf("failed to parse config from ConfigMap: %w", err)`
`346`	`346`	`}`
`347`	`347`
`348`		`- if agentConfig.AgentTLSMode == config.AgentTLSModeStrict {`
`349`		`- config.BypassSystemCAStore()`
`350`		`- }`
`351`		`-`
`352`	`348`	`return agentConfig, nil`
`353`	`349`	`}`