Comments (2)
QA Testing
Root cause
The webhook doesn't validate changes to the new `agent-tls-mode` setting's `value` and `default` fields.
What was fixed, or what changes have occurred
If `agent-tls-mode` has `default` or `value` updated from `system-store` to `strict`, then all non-local clusters must have a status condition `AgentTlsStrictCheck` set to `True`, unless the new setting has an overriding annotation `cattle.io/force=true`.
Areas or cases that should be tested
What areas could experience regressions?
Steps
- Get a Rancher instance meant to be used with this version of the webhook. Configure it to use `system-store` as the value of the `agent-tls-mode` setting. To do this, start Rancher with an env var `CATTLE_AGENT_TLS_MODE` set to `system-store`.
- Provision two downstream clusters.
- Note the v3.Clusters' conditions in `status`. `AgentTlsStrictCheck` should be `True`.
- Set the condition to `False` or anything else for one of them. Don't do this on the local cluster, as the webhook ignores its condition for this check.
- Try changing the value of the `agent-tls-mode` setting to `strict`.
- Observe an error from the webhook.
- Try this again, but also set the overriding annotation `cattle.io/force=true` on the setting.
- Ensure the webhook issues no errors, and the setting's been updated.
from rancher.
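The admission rule described in the issue, written out as an added Go example that is not the rancher-webhook's own code: a stand-alone check over simplified `Setting` and `Cluster` stand-ins (the type names, field names and the sample cluster id are assumptions) that denies a `system-store` to `strict` change in either the `value` or `default` field when any non-local cluster lacks `AgentTlsStrictCheck=True`, unless `cattle.io/force=true` is set on the new object.

```go
package main

import "fmt"
// Stand-ins for the v3 Setting and Cluster objects, constructed for this example.
type Setting struct {
	Annotations map[string]string
	Value       string
	Default     string
}
type Cluster struct {
	Name       string
	Conditions map[string]string // condition type -> status, e.g. "AgentTlsStrictCheck": "True"
}
const (
	forceAnnotation = "cattle.io/force"
	strictCondition = "AgentTlsStrictCheck"
	localCluster    = "local"
)

// toStrict reports whether one field moved from system-store to strict.
func toStrict(oldVal, newVal string) bool {
	return oldVal == "system-store" && newVal == "strict"
}
// ValidateAgentTLSModeUpdate applies the rule from the issue: if either the value or the
// default field moves from system-store to strict, every non-local cluster must have
// AgentTlsStrictCheck=True unless the new object is annotated cattle.io/force=true.
// nil means admit; a non-nil error is the denial reason.
func ValidateAgentTLSModeUpdate(oldS, newS Setting, clusters []Cluster) error {
	if !toStrict(oldS.Value, newS.Value) && !toStrict(oldS.Default, newS.Default) {
		return nil // not the guarded transition, nothing to check
	}
	if newS.Annotations[forceAnnotation] == "true" {
		return nil // explicit operator override
	}
	for _, c := range clusters {
		if c.Name == localCluster {
			continue // the local cluster's condition is ignored for this check
		}
		if c.Conditions[strictCondition] != "True" {
			return fmt.Errorf("%s condition of cluster %s isn't 'True'", strictCondition, c.Name)
		}
	}
	return nil
}

func main() {
	// "c-m-example" is a made-up downstream cluster id whose condition is not True.
	down := []Cluster{{Name: "local"}, {Name: "c-m-example", Conditions: map[string]string{strictCondition: "False"}}}
	fmt.Println(ValidateAgentTLSModeUpdate(Setting{Value: "system-store"}, Setting{Value: "strict"}, down))
}
```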
✅ PASSED
Validation Environment
Component | Version / Type |
---|---|
Rancher version starting | v2.9-3c4ccdc5bc9fde3510089153b5ad58fdbe604880-head |
Rancher version upgraded | not applicable |
Rancher commit link | 3c4ccdc |
Installation option | Helm (high availability) |
RKE binary version used | v1.6.0-rc8 |
If Helm Chart k8s cluster | v1.30.2 |
Cert Details | external tls aws acm |
Docker version | 20.10.7, build f0df350 |
Helm version | v2.16.8-rancher2 |
Downstream cluster type | Linode k3s |
Downstream K8s version | v1.30.2+k3s2 |
Authentication providers enabled | local |
Logged in user role | admin |
Browser type | Google Chrome |
Browser version | 126.0.6478.127 (Official Build) (x86_64) |
Dashboard | master 102f1e6 |
Webhook version | rancher/rancher-webhook:v0.5.0-rc13 |
Rancher Installation Details

```shell
kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.15.0/cert-manager.crds.yaml
# Add the Jetstack Helm repository
helm repo add jetstack https://charts.jetstack.io
# Update your local Helm chart repository cache
helm repo update
# Install the cert-manager Helm chart
helm install cert-manager jetstack/cert-manager \
  --namespace cert-manager \
  --create-namespace \
  --version v1.15.0
# Install Rancher with agent-tls-mode set to system-store and a private CA
helm install rancher rancher-alpha/rancher --devel \
  --namespace cattle-system \
  --set hostname=$URL_VAR \
  --set ingress.tls.source=letsEncrypt \
  --set letsEncrypt.email=$EMAIL_VAR \
  --set letsEncrypt.ingress.class=nginx \
  --set bootstrapPassword=$PW_VAR \
  --set rancherImage=rancher/rancher \
  --set rancherImageTag=v2.9-head \
  --version 2.9.0-alpha7 \
  --set global.cattle.psp.enabled=false \
  --set agentTLSMode=system-store \
  --set privateCA=true
# CA cert for the tls-ca secret: ISRG Root X1 (pem) from https://letsencrypt.org/certificates/
kubectl -n cattle-system create secret generic tls-ca \
  --from-file=cacerts.pem=./cacerts.pem
```
Test Cases
# | Priority | Description & Link | PASS/FAIL |
---|---|---|---|
1 | P1 | set agent-tls-mode setting during helm install to system-store | ✅ PASS |
2 | P1 | set agent-tls-mode setting during helm install to strict | ✅ PASS |
3 | P0 | Changing agent-tls-mode setting with kubectl | ✅ PASS |
4 | P0 | Changing agent-tls-mode setting with the UI | ✅ PASS |
5 | P1 | Adding force annotation using kubectl, change setting with kubectl | ✅ PASS |
6 | P1 | Adding force annotation using kubectl, change setting with the UI | ✅ PASS |
7 | P1 | Upgrade | ✅ PASS |
8 | P1 | Set tls-mode Strict with multiple downstream AgentTlsStrictCheck=True | ✅ PASS |
1 / set agent-tls-mode setting during helm install to system-store Status: ✅ PASS
Test Steps for Validation
- Install Rancher via helm
- Include this set: `--set agentTLSMode=system-store`
- Once Rancher is set up, check the status of the setting via kubectl: `kubectl get setting agent-tls-mode -o yaml`
- You should see the setting as `system-store`
Expected Outcome
For `system-store` to be set
Actual Outcome
Value `system-store` was set
2 / set agent-tls-mode setting during helm install to strict Status: ⏸️ NOT TESTED YET
Test Steps for Validation
- Install Rancher via helm
- Include this set: `--set agentTLSMode=strict`
- Once Rancher is set up, check the status of the setting via kubectl: `kubectl get setting agent-tls-mode -o yaml`
- You should see the setting as `strict`
Expected Outcome
For `strict` to be set
Actual Outcome
`Strict` was correctly set
3 / Changing agent-tls-mode setting with kubectl Status: ✅ PASS
Test Steps for Validation
- Create a rancher with `--set agentTLSMode=system-store`
- Create a downstream cluster
- Ensure this downstream cluster has `AgentTlsStrictCheck` set to false
  - This can be checked by going to cluster management > edit the downstream cluster as yaml > check under status at the bottom for `AgentTlsStrictCheck`:
    ```yaml
    - status: 'False'
      type: AgentTlsStrictCheck
    ```
- Now try changing the agent-tls-mode setting to strict using kubectl: `kubectl edit setting agent-tls-mode`
- Change the value from `system-store` to `strict`
- This should be blocked by webhook since at least 1 downstream cluster has `AgentTlsStrictCheck` set to `'False'`
Expected Outcome
For webhook to block this change to the agent-tls-mode setting
Actual Outcome
Getting the expected error:
```
error: settings.management.cattle.io "agent-tls-mode" could not be patched: admission webhook "rancher.cattle.io.settings.management.cattle.io" denied the request: value.default: Forbidden: AgentTlsStrictCheck condition of cluster c-m-c7bshql9 isn't 'True'
```
4 / Changing agent-tls-mode setting with the UI Status: ✅ PASS
Test Steps for Validation
- Create a rancher with `--set agentTLSMode=system-store`
- Create a downstream cluster
- Ensure this downstream cluster has `AgentTlsStrictCheck` set to false
  - This can be checked by going to cluster management > edit the downstream cluster as yaml > check under status at the bottom for `AgentTlsStrictCheck`
  - If it's not already set as False, you can change it to False and save the yaml:
    ```yaml
    - status: 'False'
      type: AgentTlsStrictCheck
    ```
- Now try changing the agent-tls-mode setting to strict using the Rancher UI
  - This can be accessed from starting at `dashboard/home` > click Global Settings (bottom left globe icon) > Settings > click the ellipsis (three dots) at the setting `agent-tls-mode` > Edit Setting > change the value to Strict > Save
- This should be blocked by webhook as long as at least one downstream cluster has `AgentTlsStrictCheck` set to false
Expected Outcome
The UI action should be blocked by webhook
Actual Outcome
Getting the expected error of:
```
admission webhook "rancher.cattle.io.settings.management.cattle.io" denied the request: value.default: Forbidden: AgentTlsStrictCheck condition of cluster c-m-c7bshql9 isn't 'True'
```
5 / Adding force annotation using kubectl, change setting with kubectl Status: ✅ PASS
Test Steps for Validation
- Create a rancher with `--set agentTLSMode=system-store`
- Create a downstream cluster
- Ensure this downstream cluster has `AgentTlsStrictCheck` set to false
  - This can be checked by going to cluster management > edit the downstream cluster as yaml > check under status at the bottom for `AgentTlsStrictCheck`
  - If it's not already set as False, you can change it to False and save the yaml:
    ```yaml
    - status: 'False'
      type: AgentTlsStrictCheck
    ```
- Now try changing the agent-tls-mode setting to strict using the Rancher UI
  - This can be accessed from starting at `dashboard/home` > click Global Settings (bottom left globe icon) > Settings > click the ellipsis (three dots) at the setting `agent-tls-mode` > Edit Setting > change the value to Strict > Save
- This should be blocked by webhook as long as at least one downstream cluster has `AgentTlsStrictCheck` set to false
- Now edit the `agent-tls-mode` setting using kubectl: `kubectl edit setting agent-tls-mode`
- Add this annotation under metadata:
  ```yaml
  metadata:
    annotations:
      cattle.io/force: "true"
  ```
- After this annotation is added, try changing the agent-tls-mode setting to strict using kubectl
- Now even if there is a downstream cluster that has `AgentTlsStrictCheck` set to false, the webhook will allow it
Expected Outcome
The webhook should allow the setting to be changed now, even with a downstream cluster that has `AgentTlsStrictCheck` set to false
Actual Outcome
Successful edit with annotation added
6 / Adding force annotation using kubectl, change setting with the UI Status: ✅ PASS
Test Steps for Validation
- Create a rancher with `--set agentTLSMode=system-store`
- Create a downstream cluster
- Ensure this downstream cluster has `AgentTlsStrictCheck` set to false
  - This can be checked by going to cluster management > edit the downstream cluster as yaml > check under status at the bottom for `AgentTlsStrictCheck`
  - If it's not already set as False, you can change it to False and save the yaml:
    ```yaml
    - status: 'False'
      type: AgentTlsStrictCheck
    ```
- Now try changing the agent-tls-mode setting to strict using the Rancher UI
  - This can be accessed from starting at `dashboard/home` > click Global Settings (bottom left globe icon) > Settings > click the ellipsis (three dots) at the setting `agent-tls-mode` > Edit Setting > change the value to Strict > Save
- This should be blocked by webhook as long as at least one downstream cluster has `AgentTlsStrictCheck` set to false
- Now edit the `agent-tls-mode` setting using kubectl: `kubectl edit setting agent-tls-mode`
- Add this annotation under metadata:
  ```yaml
  metadata:
    annotations:
      cattle.io/force: "true"
  ```
- After this annotation is added, try changing the agent-tls-mode setting to strict using the Rancher UI
- Now even if there is a downstream cluster that has `AgentTlsStrictCheck` set to false, the webhook will allow it
Expected Outcome
The webhook should allow the setting to be changed now, even with a downstream cluster that has `AgentTlsStrictCheck` set to false
Actual Outcome
Successful edit with annotation added
7 / Upgrade Status: ✅ PASS
Test Steps for Validation
- Start with Rancher 2.8.5
- Upgrade Rancher to 2.9-head
- Add this env var to the rancher deployment: `CATTLE_AGENT_TLS_MODE` with value `system-store`
- Create a downstream cluster
- Ensure this downstream cluster has `AgentTlsStrictCheck` set to false
  - This can be checked by going to cluster management > edit the downstream cluster as yaml > check under status at the bottom for `AgentTlsStrictCheck`:
    ```yaml
    - status: 'False'
      type: AgentTlsStrictCheck
    ```
- Now try changing the agent-tls-mode setting to strict using the Rancher UI
  - This can be accessed from starting at `dashboard/home` > click Global Settings (bottom left globe icon) > Settings > click the ellipsis (three dots) at the setting `agent-tls-mode` > Edit Setting > change the value to Strict > Save
- This should be blocked by webhook as long as at least one downstream cluster has `AgentTlsStrictCheck` set to false
Expected Outcome
The UI action should be blocked by webhook
Actual Outcome
Action is blocked by webhook
8 / Set tls-mode Strict with multiple downstream AgentTlsStrictCheck=True Status: ✅ PASS
Test Steps for Validation
- Create a rancher with `--set agentTLSMode=system-store`
- Create two downstream clusters
- Ensure both downstream clusters have `AgentTlsStrictCheck` set to `'True'`
  - This can be checked by going to cluster management > edit the downstream cluster as yaml > check under status at the bottom for `AgentTlsStrictCheck`
- Now try changing the agent-tls-mode setting to strict using kubectl: `kubectl edit setting agent-tls-mode`
- Change the value from `system-store` to `strict`
- This should be allowed by webhook since both downstream clusters have `AgentTlsStrictCheck` set to `'True'`
Expected Outcome
For the change to be successful since both downstream clusters have `AgentTlsStrictCheck` set to `'True'`
Actual Outcome
The change was successful since both downstream clusters have `AgentTlsStrictCheck` set to `'True'`