
GitRepoRestrictions not defaulting the GitRepo #3077

Open
manno opened this issue Nov 14, 2024 · 3 comments

Comments

manno (Member) commented Nov 14, 2024

GitRepoRestriction resources can be used to default GitRepos and restrict their values.

Default values for GitRepo resources, configured through a GitRepoRestriction resource, are not applied, although the restrictions remain functional. This affects:

  • defaultServiceAccount
  • defaultClientSecretName

Additional QA

Problem


See https://fleet.rancher.io/namespaces#restricting-gitrepos and https://fleet.rancher.io/ref-crds#gitreporestriction for all options.

This affects these fields:

  • defaultServiceAccount
  • defaultClientSecretName

As described in https://fleet.rancher.io/multi-user#restricting-access-to-downstream-clusters, one can create a GitRepoRestriction resource to limit fields of GitRepo resources.

Solution

Fix the code so that the GitRepo is mutated once again.

Testing

Automated Testing

The PR adds unit tests.

QA Testing Considerations

When creating a GitRepoRestriction resource in the same namespace as a GitRepo, it should overwrite the values with the defaults. This was broken in 0.11.0.

When a disallowed value is used, it should not process the GitRepo at all; this worked before and was not broken.

Please test with a different service account on the downstream cluster, e.g.:

```yaml
kind: GitRepoRestriction
apiVersion: fleet.cattle.io/v1alpha1
metadata:
  name: restriction
  namespace: project1
defaultServiceAccount: limited-service-account
```

That service account must be created manually on the downstream cluster. If it doesn't have enough access to create a resource from the bundle, the deployment will fail.

```yaml
kind: GitRepoRestriction
apiVersion: fleet.cattle.io/v1alpha1
metadata:
  name: restriction
  namespace: project1
defaultClientSecretName: basic-auth-secret
```

This will default the https://fleet.rancher.io/ref-crds#gitrepospec clientSecretName to clone the gitrepo.
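The issue describes two behaviours that a GitRepoRestriction must provide: fill empty GitRepo fields from `defaultServiceAccount` / `defaultClientSecretName`, and refuse to process a GitRepo whose values fall outside the allow lists. The following is an added, self-contained Go example of that defaulting-then-restricting logic; it is not Fleet's own code. It models only the fields named in the issue and the linked CRD reference (`allowedServiceAccounts`, `allowedClientSecretNames`, `allowedRepoPatterns`), and it assumes, as Fleet's docs describe, that an empty allow list means "unrestricted" and that an explicitly set (allowed) value is kept rather than overridden by the default.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
)

// Simplified stand-ins for the fleet.cattle.io/v1alpha1 types.
// Assumption: only the fields discussed in the issue are modelled.
type GitRepoRestriction struct {
	DefaultServiceAccount    string
	DefaultClientSecretName  string
	AllowedServiceAccounts   []string
	AllowedClientSecretNames []string
	AllowedRepoPatterns      []string // regular expressions
}

type GitRepo struct {
	Repo             string
	ServiceAccount   string
	ClientSecretName string
}

// ErrDisallowed signals that the GitRepo must not be processed at all.
var ErrDisallowed = errors.New("gitrepo violates GitRepoRestriction")

// ApplyRestriction returns a copy of gr with empty fields defaulted from r,
// then validated against r's allow lists. A disallowed value yields an error
// and a zero GitRepo, mirroring "should not process the GitRepo at all".
func ApplyRestriction(gr GitRepo, r *GitRepoRestriction) (GitRepo, error) {
	if r == nil {
		return gr, nil // no restriction in this namespace: nothing to do
	}

	// Step 1: defaulting. This is the mutation the issue reports as missing.
	// Only empty fields are touched; an explicit value on the GitRepo wins.
	if gr.ServiceAccount == "" {
		gr.ServiceAccount = r.DefaultServiceAccount
	}
	if gr.ClientSecretName == "" {
		gr.ClientSecretName = r.DefaultClientSecretName
	}

	// Step 2: restriction. Checks run on the defaulted values, so a default
	// that is not itself allowed is rejected too (assumed behaviour).
	if err := inAllowList("serviceAccount", gr.ServiceAccount, r.AllowedServiceAccounts); err != nil {
		return GitRepo{}, err
	}
	if err := inAllowList("clientSecretName", gr.ClientSecretName, r.AllowedClientSecretNames); err != nil {
		return GitRepo{}, err
	}
	if err := matchesAnyPattern(gr.Repo, r.AllowedRepoPatterns); err != nil {
		return GitRepo{}, err
	}
	return gr, nil
}

// inAllowList implements the allowed* semantics: an empty list restricts
// nothing, and an empty value is accepted (assumption: an unset field cannot
// violate an allow list, it just means "no default was configured").
func inAllowList(field, value string, list []string) error {
	if len(list) == 0 || value == "" {
		return nil
	}
	for _, v := range list {
		if v == value {
			return nil
		}
	}
	return fmt.Errorf("%w: %s %q not in allowed list %v", ErrDisallowed, field, value, list)
}

// matchesAnyPattern enforces allowedRepoPatterns; an empty list allows any repo.
func matchesAnyPattern(repo string, patterns []string) error {
	if len(patterns) == 0 {
		return nil
	}
	for _, p := range patterns {
		re, err := regexp.Compile(p)
		if err != nil {
			return fmt.Errorf("invalid allowedRepoPattern %q: %w", p, err)
		}
		if re.MatchString(repo) {
			return nil
		}
	}
	return fmt.Errorf("%w: repo %q matches no allowedRepoPattern", ErrDisallowed, repo)
}

func main() {
	// Constructed sample restriction, mirroring the issue's QA scenario.
	r := &GitRepoRestriction{
		DefaultServiceAccount:   "limited-service-account",
		DefaultClientSecretName: "basic-auth-secret",
		AllowedServiceAccounts:  []string{"limited-service-account", "other-sa"},
		AllowedRepoPatterns:     []string{`^https://github\.com/rancher/.*`},
	}
	// Empty fields get defaulted; the deployment then runs as limited-service-account.
	defaulted, err := ApplyRestriction(GitRepo{Repo: "https://github.com/rancher/fleet-test-data/"}, r)
	fmt.Printf("defaulted: %+v err=%v\n", defaulted, err)
	// A disallowed service account is rejected and the GitRepo is not processed.
	_, err = ApplyRestriction(GitRepo{Repo: "https://github.com/rancher/fleet-test-data/", ServiceAccount: "cluster-admin-sa"}, r)
	fmt.Println("disallowed:", errors.Is(err, ErrDisallowed), err)
}
```

The order matters for the regression described here: if defaulting is skipped, the GitRepo keeps an empty `serviceAccount`, the allow-list check passes trivially (empty value), and the bundle is deployed with the agent's default permissions instead of the restricted account, which is exactly what the QA steps below observe before the fix.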

@rancherbot rancherbot added this to Fleet Nov 14, 2024
@github-project-automation github-project-automation bot moved this to 🆕 New in Fleet Nov 14, 2024
@manno manno moved this from 🆕 New to 📋 Backlog in Fleet Nov 14, 2024
@manno manno added this to the v2.10.1 milestone Nov 14, 2024
@manno manno self-assigned this Nov 14, 2024
@manno manno added the kind/bug label Nov 14, 2024
manno (Member, Author) commented Nov 14, 2024

/backport v2.10.1

manno (Member, Author) commented Nov 15, 2024

/backport v2.9.5

mmartin24 (Collaborator) commented Nov 15, 2024

Testing steps with UI (QASE link: Fleet-153):

  • Deploy gitrepo (for example): https://github.com/rancher/fleet-test-data/ path qa-test-apps/nginx-app
  • Add gitrepo restriction on upstream cluster:

```yaml
kind: GitRepoRestriction
apiVersion: fleet.cattle.io/v1alpha1
metadata:
  name: restriction
  namespace: fleet-default
defaultServiceAccount: limited-service-account
```

  • In downstream cluster: create service account pointing to gitrepo restriction:

```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: limited-service-account
  namespace: cattle-fleet-system
```

  • Force update.
  • Check job logs from gitjob and search for serviceaccount. Observe it is empty under container: (screenshot)
  • Observe how the gitrepo appears deployed as service account is not seen: (screenshot 2024-11-15_15-15)
  • Update to fleet version with fix. If chart not present use this command pointing to right image:

```shell
export TAG=v0.11.1-rc.1
kubectl set image -n cattle-fleet-system deployment/gitjob gitjob=rancher/fleet:$TAG-linux-amd64
```

  Output: deployment.apps/gitjob image updated

  • Force update gitrepo to retrigger job.
  • Confirm service account limited-service-account is present in job. (screenshot)
  • Confirm that gitrepo now is not deployed due to the low permissions in service account passed. (screenshot 2024-11-15_15-17)
