rancher / fleet

Deploy workloads from Git to large fleets of Kubernetes clusters
https://fleet.rancher.io/
Apache License 2.0

[SURE-8809] Fleet deployment fails when Helm chart repo uses custom CA / missing error #2750

Open kkaempf opened 4 weeks ago

kkaempf commented 4 weeks ago

SURE-8809

Issue description:

When:

- adding a git repo to fleet that has a fleet.yaml referencing an external helm chart, and
- the server serving the helm chart uses a custom CA

Then:

- the Git Repo is added and marked with State "active"
- the "Clusters Ready" status remains on "0/0" indefinitely
- no error is thrown or visible in the Fleet UI

Expected behavior:

1) Fleet should honor the custom CA configured in the Rancher global settings or the custom CA configured in the GitRepo resource (spec.CaBundle) when downloading resources, such as Helm charts.

2) Fleet should display an error message in the UI, indicating that there was a problem downloading the Helm chart

Business impact:

Customer can't use any helm charts from internet sources, because their corporate firewall performs TLS interception, replacing all SSL certs with their own CA.

manno commented 3 weeks ago

We should add support to Fleet to fall back to a default value, unless overridden in the resource. This is most likely a Fleet install option, I think Fleet already gets re-installed when the Rancher CA changes.

However there are multiple clients in Fleet, which would need to support this. They all use a PEM block for CA in their spec instead. Specifying the CA in the resource directly has the advantage that we don't need to watch another resource for changes, e.g. to redeploy on certificate rotation. That's not possible, when we rely on a global setting. Does re-installing Fleet re-render all bundles with the new CA, or do we need to implement this?
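As an added illustration (not Fleet's code, and the function names and status strings are my own), here is how the precedence discussed above could look in Go: the GitRepo's own PEM bundle wins, a Fleet-wide default CA is used otherwise, the system roots are the last resort, and a bundle that is set but unparseable fails loudly with the CA source in the message instead of leaving the repo stuck at "0/0":

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"net/http"
	"time"
)

// caPool applies the precedence proposed in the thread: the GitRepo's own
// spec.caBundle wins, then a Fleet-wide default (e.g. the Rancher CA), then the
// system roots. An unparseable bundle is an explicit error, never a silent fallback.
func caPool(resourceCA, defaultCA []byte) (*x509.CertPool, string, error) {
	source, bundle := "GitRepo spec.caBundle", resourceCA
	if len(bundle) == 0 {
		source, bundle = "Fleet default CA", defaultCA
	}
	if len(bundle) == 0 {
		pool, err := x509.SystemCertPool()
		return pool, "system roots", err
	}
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(bundle) {
		return nil, source, fmt.Errorf("%s: no PEM certificates found in bundle", source)
	}
	return pool, source, nil
}

// checkChartIndex fetches a Helm repo's index.yaml trusting the selected CA and
// wraps a failed handshake with the CA source, so an intercepting proxy yields a
// readable error instead of an endless "Clusters Ready 0/0".
func checkChartIndex(indexURL string, resourceCA, defaultCA []byte) (string, error) {
	pool, source, err := caPool(resourceCA, defaultCA)
	if err != nil {
		return source, err
	}
	tr := &http.Transport{TLSClientConfig: &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12}}
	resp, err := (&http.Client{Timeout: 30 * time.Second, Transport: tr}).Get(indexURL)
	if err != nil {
		return source, fmt.Errorf("download %s (trusting %s): %w", indexURL, source, err)
	}
	resp.Body.Close() // a real client would parse the index here; only the handshake matters
	return source, nil
}

func main() {
	// Constructed input: a bundle that is set but not PEM must fail loudly, not fall back.
	fmt.Println(caPool([]byte("not a certificate"), nil))
}
```

The returned source string is what a controller would copy into the GitRepo status condition so the UI can show which CA was trusted when the download failed.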

marthydavid commented 3 days ago

I've faced the same issue.