p-se commented Oct 1, 2025

Refers to #3646

Additional Information

Checklist

  • I have updated the documentation via a pull request in the
    fleet-docs repository.

p-se force-pushed the SURE-9881 branch 7 times, most recently from 81d1690 to c63d1b6 (October 2, 2025 07:12)
p-se force-pushed the SURE-9881 branch 2 times, most recently from c7ede99 to d343974 (October 9, 2025 15:27)
HTTPSPort = 4343
)

type gitRepoTestValues struct {
Contributor Author

By using this struct instead of inline structs, the additional fields added in gitrepo.yaml don't need to be provided. The empty value preserves the previous behavior and it is a bit clearer which values can be provided.

Comment on lines -252 to -274
// replace replaces string s with r in the file located at path. That file must exist and be writable.
func replace(path string, s string, r string) {
b, err := os.ReadFile(path)
Expect(err).ToNot(HaveOccurred())

b = bytes.ReplaceAll(b, []byte(s), []byte(r))

err = os.WriteFile(path, b, 0644)
Expect(err).ToNot(HaveOccurred())
}

// getGitRepoStatus retrieves the status of the gitrepo with the provided name.
func getGitRepoStatus(g Gomega, k kubectl.Command, name string) fleet.GitRepoStatus {
gr, err := k.Get("gitrepo", name, "-o=json")

g.Expect(err).ToNot(HaveOccurred())

var gitrepo fleet.GitRepo
_ = json.Unmarshal([]byte(gr), &gitrepo)

return gitrepo.Status
}

Contributor Author

Those are already provided in the singlecluster_test package.

return nil, err
}
_, err = g.Update(repo, UpdateForce)

Contributor Author

I'm reusing the functionality of Update in Create and the newly added Add method. Create can be used a second time to force push an update to an already existing repo.

Comment on lines 257 to 272
if auth.CABundle != nil {
tmpFile, err := os.CreateTemp("", "ca-bundle")
if err != nil {
return nil, err
}
defer os.Remove(tmpFile.Name())
if _, err := tmpFile.Write(auth.CABundle); err != nil {
return nil, err
}
if err := os.Setenv("GIT_SSL_CAINFO", tmpFile.Name()); err != nil {
return nil, err
}
defer os.Unsetenv("GIT_SSL_CAINFO")
}
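
Review bot: `os.Setenv("GIT_SSL_CAINFO", ...)` changes the environment of the whole process, so two calls running concurrently with different CA bundles can overwrite each other's value, and the deferred `os.Unsetenv` drops any `GIT_SSL_CAINFO` that was already set before this block instead of restoring it. If the git invocation behind this code is an `exec.Cmd`, setting the variable on that command's `Env` would keep it scoped to the one call. Separately, `tmpFile` is never closed: call `tmpFile.Close()` after the `Write` and check its error, so the descriptor is not leaked on either the success or the error path.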

Contributor Author

I'm setting the data here because the logic to determine which CABundle and value for SkipInsecureTLSVerify is supposed to be used is determined in the gitjob controller. The alternative is to map all secrets into the pod of the Job and have it handled here more or less again. The Gitjob controller needs to do it anyway because we apparently need those values in different places. Those are passed as arguments, environment variables and volumes to the pod. So, I thought it would be simpler to keep the logic there.

Contributor

I wonder if this logic wouldn't find a better home in apply.go's addAuthToOpts, where fleet apply deals with populating that Auth.CABundle field.
Instead of creating an additional file, perhaps this logic could then directly read the CACertsFile 🤔
Happy to discuss.

Contributor Author

Long story short, the CABundle is replaced per path if helmSecretNameForPaths is configured. That happens after apply.go's addAuthToOpts.

p-se marked this pull request as ready for review October 10, 2025 07:34
p-se requested a review from a team as a code owner October 10, 2025 07:34
kkaempf added this to Fleet Oct 10, 2025
kkaempf moved this to 👀 In review in Fleet Oct 10, 2025
kkaempf added this to the v2.13.1 milestone Oct 10, 2025
kkaempf added kind/bug JIRA Must shout labels Oct 30, 2025
p-se force-pushed the SURE-9881 branch 4 times, most recently from 41ed1c9 to 26b02a0 (November 17, 2025 09:01)
p-se requested a review from weyfonk November 17, 2025 10:24

p-se commented Nov 18, 2025

Incidental that all tests pass in the first run when I cherry picked the fix for the race? 🤔

Edit: Twice.

weyfonk left a comment

LGTM, although ideally the git job vs secret race fix would be merged separately, through #4319.
