Merge pull request #2680 from rancher/0.8_revert_tls_changes

[v0.8] Revert "Add strict TLS mode support (#2507)"

.github/scripts/deploy-fleet.sh

@@ -15,20 +15,14 @@ else
   agentTag="dev"
 fi
 
-host=$(kubectl get node k3d-upstream-server-0 -o jsonpath='{.status.addresses[?(@.type=="InternalIP")].address}')
-ca=$( kubectl config view --flatten -o jsonpath='{.clusters[?(@.name == "k3d-upstream")].cluster.certificate-authority-data}' | base64 -d )
-server="https://$host:6443"
-
 helm -n cattle-fleet-system upgrade --install --create-namespace --wait fleet-crd charts/fleet-crd
 helm upgrade --install fleet charts/fleet \
   -n cattle-fleet-system --create-namespace --wait \
   --set image.repository="$fleetRepo" \
   --set image.tag="$fleetTag" \
   --set agentImage.repository="$agentRepo" \
   --set agentImage.tag="$agentTag" \
-  --set agentImage.imagePullPolicy=IfNotPresent \
-  --set apiServerCA="$ca" \
-  --set apiServerURL="$server" \
+  --set agentImage.imagePullPolicy=IfNotPresent
 
 # wait for controller and agent rollout
 kubectl -n cattle-fleet-system rollout status deploy/fleet-controller

.github/workflows/e2e-ci.yml

@@ -64,15 +64,15 @@ jobs:
         # k3d will automatically create a network named k3d-test-cluster-1 with the range 172.18.0.0/16
         with:
           k3d-version: ${{ env.SETUP_K3D_VERSION }}
-          cluster-name: "upstream"
+          cluster-name: "k3s-default"
           args: >-
             --agents 1
             --network "nw01"
             --image docker.io/rancher/k3s:${{matrix.k3s_version}}
       -
         name: Import Images Into k3d
         run: |
-          ./.github/scripts/k3d-import-retry.sh rancher/fleet:dev rancher/fleet-agent:dev -c upstream
+          ./.github/scripts/k3d-import-retry.sh rancher/fleet:dev rancher/fleet-agent:dev
           #k3d image import nginx-git:test nginx-git:test
       -
         name: Set Up Tmate Debug Session

.github/workflows/e2e-multicluster-ci.yml

@@ -62,7 +62,7 @@ jobs:
             --agents 1
             --network "nw01"
       -
-        name: Provision k3d Downstream Cluster for agent-initiated registration
+        name: Provision k3d Downstream Cluster
         uses: AbsaOSS/k3d-action@v2
         with:
           k3d-version: ${{ env.SETUP_K3D_VERSION }}
@@ -73,24 +73,11 @@ jobs:
             --api-port 6644
             --agents 1
             --network "nw01"
-      -
-        name: Provision k3d Downstream Cluster for manager-initiated registration
-        uses: AbsaOSS/k3d-action@v2
-        with:
-          k3d-version: ${{ env.SETUP_K3D_VERSION }}
-          cluster-name: "managed-downstream"
-          args: >-
-            -p "82:80@agent:0:direct"
-            -p "445:443@agent:0:direct"
-            --api-port 6645
-            --agents 1
-            --network "nw01"
       -
         name: Import Images Into k3d
         run: |
-          ./.github/scripts/k3d-import-retry.sh rancher/fleet:dev rancher/fleet-agent:dev -c upstream
-          ./.github/scripts/k3d-import-retry.sh rancher/fleet-agent:dev -c downstream
-          ./.github/scripts/k3d-import-retry.sh rancher/fleet-agent:dev -c managed-downstream
+          k3d image import rancher/fleet:dev rancher/fleet-agent:dev -c upstream
+          k3d image import rancher/fleet-agent:dev -c downstream
       -
         name: Set Up Tmate Debug Session
         if: ${{ github.event_name == 'workflow_dispatch' && github.event.inputs.enable_tmate == 'true' }}
@@ -120,71 +107,14 @@ jobs:
 
           token=$(kubectl get secret -n fleet-default second-token -o go-template='{{index .data "values" | base64decode}}' | yq eval .token -)
           ca=$(kubectl get secret -n cattle-fleet-system fleet-controller-bootstrap-token -o go-template='{{index .data "ca.crt" | base64decode}}')
-          apiServerIP=$(kubectl get node k3d-upstream-server-0 -o jsonpath='{.status.addresses[?(@.type=="InternalIP")].address}')
 
-          # agent initiated cluster registration
           kubectl config use-context k3d-downstream
           helm -n cattle-fleet-system upgrade --install --create-namespace --wait fleet-agent charts/fleet-agent \
             --set-string labels.env=test \
             --set apiServerCA="$ca" \
-            --set apiServerURL="https://$apiServerIP:6443" \
+            --set apiServerURL="https://172.18.0.1.sslip.io:6443" \
             --set clusterNamespace="fleet-default" \
             --set token="$token"
-
-      -
-        name: Deploy and Register Managed Downstream Fleet
-        run: |
-          kubectl config use-context k3d-managed-downstream
-          host=$(kubectl get node k3d-managed-downstream-server-0 -o jsonpath='{.status.addresses[?(@.type=="InternalIP")].address}')
-          ca=$( kubectl config view --flatten -o jsonpath='{.clusters[?(@.name == "k3d-managed-downstream")].cluster.certificate-authority-data}' )
-          client_cert=$( kubectl config view --flatten -o jsonpath='{.users[?(@.name == "admin@k3d-managed-downstream")].user.client-certificate-data}' )
-          token=$( kubectl config view --flatten -o jsonpath='{.users[?(@.name == "admin@k3d-managed-downstream")].user.client-key-data}' )
-          server="https://$host:6443"
-
-          kubectl config use-context k3d-upstream
-
-          value=$(cat <<EOF
-          apiVersion: v1
-          kind: Config
-          current-context: default
-          clusters:
-          - cluster:
-              certificate-authority-data: $ca
-              server: $server
-            name: cluster
-          contexts:
-          - context:
-              cluster: cluster
-              user: user
-            name: default
-          preferences: {}
-          users:
-          - name: user
-            user:
-              client-certificate-data: $client_cert
-              client-key-data: $token
-          EOF
-          )
-
-          kubectl create ns fleet-default || true
-          kubectl delete secret -n fleet-default kbcfg-second || true
-          # Rancher sets a token value in the secret, but our docs don't mention it
-          # * https://github.com/rancher/rancher/blob/c24fb8b0869a0b445f55b3307c6ed4582e147747/pkg/provisioningv2/kubeconfig/manager.go#L362
-          # * https://fleet.rancher.io/0.5/manager-initiated#kubeconfig-secret-1
-          kubectl create secret generic -n fleet-default kbcfg-second --from-literal=token="$token" --from-literal=value="$value"
-
-          kubectl apply -n fleet-default -f - <<EOF
-          apiVersion: "fleet.cattle.io/v1alpha1"
-          kind: Cluster
-          metadata:
-            name: second
-            namespace: fleet-default
-            labels:
-              name: second
-          spec:
-            kubeConfigSecret: kbcfg-second
-          EOF
-
       -
         name: E2E tests
         env:
@@ -193,15 +123,6 @@ jobs:
         run: |
           kubectl config use-context k3d-upstream
           ginkgo e2e/multi-cluster
-      -
-        name: E2E tests with managed downstream agent
-        env:
-          FLEET_E2E_NS: fleet-local
-          FLEET_E2E_NS_DOWNSTREAM: fleet-default
-          FLEET_E2E_CLUSTER_DOWNSTREAM: k3d-managed-downstream
-        run: |
-          kubectl config use-context k3d-upstream
-          ginkgo e2e/multi-cluster/installation
       -
         name: Acceptance Tests for Examples
         if: >

charts/fleet-agent/templates/configmap.yaml

@@ -8,6 +8,5 @@ data:
       {{ if .Values.labels }}
       "labels":{{toJson .Values.labels}},
       {{ end }}
-      "clientID":"{{.Values.clientID}}",
-      "agentTLSMode": "{{.Values.agentTLSMode}}"
+      "clientID":"{{.Values.clientID}}"
     }

charts/fleet-agent/values.yaml

@@ -11,10 +11,6 @@ apiServerURL: ""
 # If left empty it is assumed this Kubernetes API TLS is signed by a well known CA.
 apiServerCA: ""
 
-# Determines whether the agent should trust CA bundles from the operating system's trust store when connecting to a
-# management cluster. True in `system-store` mode, false in `strict` mode.
-agentTLSMode: "system-store"
-
 # The cluster registration value
 token: ""
 

charts/fleet-crd/templates/crds.yaml

@@ -2545,9 +2545,6 @@ spec:
               agentResourcesHash:
                 nullable: true
                 type: string
-              agentTLSMode:
-                nullable: true
-                type: string
               agentTolerationsHash:
                 nullable: true
                 type: string

charts/fleet/templates/configmap.yaml

@@ -11,7 +11,6 @@ data:
       "apiServerURL": "{{.Values.apiServerURL}}",
       "apiServerCA": "{{b64enc .Values.apiServerCA}}",
       "agentCheckinInterval": "{{.Values.agentCheckinInterval}}",
-      "agentTLSMode": "{{.Values.agentTLSMode}}",
       "ignoreClusterRegistrationLabels": {{.Values.ignoreClusterRegistrationLabels}},
       "bootstrap": {
         "paths": "{{.Values.bootstrap.paths}}",

charts/fleet/values.yaml

@@ -16,10 +16,6 @@ apiServerURL: ""
 # If left empty it is assumed this Kubernetes API TLS is signed by a well known CA.
 apiServerCA: ""
 
-# Determines whether the agent should trust CA bundles from the operating system's trust store when connecting to a
-# management cluster. True in `system-store` mode, false in `strict` mode.
-agentTLSMode: "system-store"
-
 # A duration string for how often agents should report a heartbeat
 agentCheckinInterval: "15m"
 

e2e/testenv/kubectl/kubectl.go

@@ -59,10 +59,6 @@ func (c Command) Create(args ...string) (string, error) {
 	return c.Run(append([]string{"create"}, args...)...)
 }
 
-func (c Command) Logs(args ...string) (string, error) {
-	return c.Run(append([]string{"logs"}, args...)...)
-}
-
 func (c Command) Patch(args ...string) (string, error) {
 	return c.Run(append([]string{"patch"}, args...)...)
 }