Fall back to Rancher CA bundles for HelmOps #4724
Merged
Pull request overview
This PR adds HelmOps support for falling back to Rancher-managed CA bundle secrets (in cattle-system) by resolving the CA bundle in the controller and passing it through Bundle/BundleDeployment options so agents don’t need access to cattle-system secrets.
Changes:
- Add `CABundle` to `BundleHelmOptions` (API + CRD + deepcopy) to carry a PEM CA bundle to the agent.
- Resolve Rancher CA bundle in the HelmOps controller (and use it as fallback for chart version resolution) and have the agent use the pre-resolved bundle from `HelmChartOptions`.
- Extend unit/integration/e2e tests and restart helmops pods in the k3d dev script.
Reviewed changes
Copilot reviewed 12 out of 12 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| pkg/cert/cabundle.go | Broadens CA bundle resolver to accept a client.Reader (read-only access). |
| pkg/apis/fleet.cattle.io/v1alpha1/bundle_types.go | Adds helmOpCABundle field to API type for passing CA bundles. |
| pkg/apis/fleet.cattle.io/v1alpha1/zz_generated.deepcopy.go | Ensures CABundle (byte slice) is deep-copied correctly. |
| internal/cmd/controller/helmops/reconciler/helmop_controller.go | Resolves Rancher CA bundle in-controller; adds fallback CA logic for chart version lookup. |
| internal/cmd/controller/helmops/reconciler/helmop_controller_test.go | Updates unit tests to account for Rancher CA lookup behavior. |
| internal/bundlereader/helm.go | Agent uses controller-provided CA bundle from HelmChartOptions.CABundle when secret has none. |
| internal/bundlereader/helm_test.go | Adds test coverage to validate CA bundle propagation via HelmChartOptions. |
| integrationtests/helmops/controller/suite_test.go | Creates cattle-system namespace in envtest to support CA secret scenarios. |
| integrationtests/helmops/controller/controller_test.go | Adds integration coverage for tls-ca / tls-ca-additional CA fallback. |
| e2e/single-cluster/helmop_test.go | Adds an E2E case validating HelmOps Rancher CA fallback in a real cluster. |
| dev/update-controller-k3d | Restarts helmops pods to pick up new controller builds during dev. |
| charts/fleet-crd/templates/crds.yaml | Exposes the new helmOpCABundle field in generated CRDs. |
6b9cde6 to 598f723
Pull request overview
Copilot reviewed 13 out of 13 changed files in this pull request and generated 2 comments.
Resolve the CA bundle in the HelmOps controller and store it in BundleHelmOptions.CABundle so the agent can use it without needing access to cattle-system secrets. The agent service account only has access to its own namespace. Also restart helmops pods in dev/update-controller-k3d so that redeployments pick up the new controller binary.
The test relied on the OCI registry being untrusted when InsecureSkipTLSVerify is false and no CA bundle is provided. Since the Rancher CA bundle fallback now supplies the fleet CI root CA (stored in cattle-system/tls-ca-additional), the Zot OCI registry is trusted automatically and the chart deploys successfully.
598f723 to 8105534
weyfonk reviewed Mar 3, 2026
Note that Rancher's cattle-system secrets may not exist in standalone Fleet installations. Also use "CA bundle" consistently in the bundlereader comment.
The CA bundle is stored in bundle.Spec.HelmOpOptions.CABundle before handleVersion is called, so passing it again as a separate parameter is redundant. Remove the parameter and read it from the bundle directly.
The version "0.1.0" is a literal in the HelmOp spec, not a resolved constraint, so asserting it appears in status adds no signal.
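As an added example (not code from this PR or from Fleet), the lookup order that the overview above and the review note about standalone Fleet imply, in Go: the HelmOp's own helm secret first, then Rancher's cattle-system/tls-ca-additional and tls-ca, with missing secrets tolerated so a Fleet install without Rancher still works, and the bundle validated in the controller before it is copied into the Bundle options. The `secretStore` interface, `fakeStore`, the helm-secret key `cacerts` and the Rancher data keys `ca-additional.pem` / `cacerts.pem` are assumptions for this example, not something the PR states.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// secretStore stands in for the read-only client.Reader the controller uses
// (an assumption, not Fleet's interface); found=false models a NotFound error.
type secretStore interface {
	Get(namespace, name string) (data map[string][]byte, found bool, err error)
}

type caSource struct{ namespace, secret, key string }

// caSources: most specific first. Rancher secret names are from the PR; the
// data keys are assumptions taken from Rancher's install docs.
func caSources(helmOpNS, helmSecretName string) []caSource {
	var src []caSource
	if helmSecretName != "" {
		src = append(src, caSource{helmOpNS, helmSecretName, "cacerts"})
	}
	return append(src,
		caSource{"cattle-system", "tls-ca-additional", "ca-additional.pem"},
		caSource{"cattle-system", "tls-ca", "cacerts.pem"})
}

// resolveCABundle returns the first non-empty, parseable PEM bundle and its
// origin. Missing secrets (standalone Fleet) are skipped, not errors; nil means
// "use system roots". A malformed bundle fails here, not on the agent.
func resolveCABundle(store secretStore, helmOpNS, helmSecretName string) ([]byte, string, error) {
	for _, s := range caSources(helmOpNS, helmSecretName) {
		data, found, err := store.Get(s.namespace, s.secret)
		if err != nil {
			return nil, "", fmt.Errorf("reading %s/%s: %w", s.namespace, s.secret, err)
		}
		if !found || len(data[s.key]) == 0 {
			continue
		}
		if _, err := certPool(data[s.key]); err != nil {
			return nil, "", fmt.Errorf("%s/%s key %q: %w", s.namespace, s.secret, s.key, err)
		}
		return data[s.key], s.namespace + "/" + s.secret, nil
	}
	return nil, "", nil
}

// certPool parses every CERTIFICATE block; a bundle with none is rejected.
func certPool(pemBytes []byte) (*x509.CertPool, error) {
	pool, n := x509.NewCertPool(), 0
	for block, rest := pem.Decode(pemBytes); block != nil; block, rest = pem.Decode(rest) {
		if block.Type != "CERTIFICATE" {
			continue
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, err
		}
		pool.AddCert(cert)
		n++
	}
	if n == 0 {
		return nil, errors.New("no CERTIFICATE blocks in CA bundle")
	}
	return pool, nil
}

// selfSignedCAPEM builds a throwaway CA so the example runs offline.
func selfSignedCAPEM(cn string) []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// fakeStore is constructed sample data keyed by "namespace/name".
type fakeStore map[string]map[string][]byte

func (f fakeStore) Get(ns, name string) (map[string][]byte, bool, error) {
	d, ok := f[ns+"/"+name]
	return d, ok, nil
}

func main() {
	store := fakeStore{
		"fleet-default/helm-creds":        {"username": []byte("u")},
		"cattle-system/tls-ca-additional": {"ca-additional.pem": selfSignedCAPEM("fleet-ci-root")},
	}
	ca, src, err := resolveCABundle(store, "fleet-default", "helm-creds")
	fmt.Println(len(ca) > 0, src, err)
	_, src, err = resolveCABundle(fakeStore{}, "fleet-default", "") // standalone Fleet
	fmt.Println(src == "", err)
}
```

Validating the bundle in the controller is the point of doing the lookup there: the agent only ever sees bytes already known to parse, and a typo in a Rancher secret surfaces on the HelmOp status instead of as a TLS failure at chart-pull time.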
Combine our CA bundle pre-fetch logic with main's event interface migration:
- Get bundle first to extract stored CA bundle (implement_3845)
- Pass CA bundle to getChartVersion as 4th parameter (implement_3845)
- Adopt new Eventf interface with corev1.EventTypeWarning (#4678)
- Update fail() to take eventAction parameter (#4678)
thardeck added a commit that referenced this pull request Mar 17, 2026
* Fall back to Rancher CA bundles for HelmOps

Resolve the CA bundle in the HelmOps controller and store it in BundleHelmOptions.CABundle so the agent can use it without needing access to cattle-system secrets. The agent service account only has access to its own namespace. Also restart helmops pods in dev/update-controller-k3d so that redeployments pick up the new controller binary.

* Remove obsolete OCI no-TLS negative test

The test relied on the OCI registry being untrusted when InsecureSkipTLSVerify is false and no CA bundle is provided. Since the Rancher CA bundle fallback now supplies the fleet CI root CA (stored in cattle-system/tls-ca-additional), the Zot OCI registry is trusted automatically and the chart deploys successfully.
Resolve the CA bundle in the HelmOps controller and store it in BundleHelmOptions.CABundle so the agent can use it without needing access to cattle-system secrets. The agent service account only has access to its own namespace.
Also restart helmops pods in dev/update-controller-k3d so that redeployments pick up the new controller binary.
Refers to #3845