@weyfonk weyfonk commented Jun 18, 2025

When the agent TLS mode is set to strict, the Fleet agent bypasses the operating system's CA store only for the duration of the agent registration process. Once registration is successful, the store can be used again, which enables Helm charts to be pulled from the agent.

This does not compromise on security for the cluster registration process, while exposing HelmOps deployments to the limited risk of failing while cluster (re-)registration is in progress.

A cleaner alternative to this could consist in isolating cluster registration in its own container again, where the OS CA store could be bypassed entirely without affecting the Helm deployer.

Refers to #3589
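
The trust-root switch described in this pull request, as an added Go example (not code from the Fleet repository). `selfSignedCA`, `verifyPeer` and the in-memory `osStore` stand-in are hypothetical names, and combining the OS store with the configured CA outside registration is an assumption.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// selfSignedCA returns a throwaway CA certificate (constructed sample input).
func selfSignedCA(cn string) *x509.Certificate {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// verifyPeer validates cert against the roots in effect (hypothetical helper, not Fleet's API).
func verifyPeer(strict, registering bool, configured *x509.Certificate, osStore *x509.CertPool, cert *x509.Certificate) error {
	roots := x509.NewCertPool() // strict + registering: only the configured CA is trusted
	if !(strict && registering) {
		roots = osStore.Clone() // assumption: otherwise OS store plus configured CA
	}
	roots.AddCert(configured)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots})
	return err
}

func main() {
	configured, public := selfSignedCA("configured-ca"), selfSignedCA("public-ca")
	osStore := x509.NewCertPool() // constructed stand-in for the OS CA store
	osStore.AddCert(public)
	fmt.Println("during registration:", verifyPeer(true, true, configured, osStore, public))
	fmt.Println("after registration: ", verifyPeer(true, false, configured, osStore, public))
}
```

Run as written, the first line reports an unknown-authority error for the certificate that only the OS store vouches for, and the second prints `<nil>`.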

@weyfonk weyfonk requested a review from a team as a code owner June 18, 2025 11:13
@weyfonk weyfonk force-pushed the 3589-helmops-strict-tls branch from 8227e6d to 7bfb574 Compare June 18, 2025 11:21
weyfonk added 3 commits June 19, 2025 11:28

When the agent TLS mode is set to `strict`, the Fleet agent bypasses the
operating system's CA store only for the duration of the agent
registration process. Once registration is successful, the store can be
used again, which enables Helm charts to be pulled from the agent.

No conflicts should happen between `JustBeforeEach` blocks, which
resulted in agent TLS mode not being configured as expected.

Expectations run inside a function taking a `Gomega` argument must use
that argument.

@weyfonk weyfonk force-pushed the 3589-helmops-strict-tls branch from 790a6c3 to 82d32fa Compare June 19, 2025 09:28
@weyfonk weyfonk force-pushed the 3589-helmops-strict-tls branch from 82d32fa to 7727bf7 Compare June 19, 2025 09:55
@thardeck thardeck merged commit a27bb1f into rancher:main Jul 1, 2025
14 checks passed