[BUG] [Windows] STRICT_VERIFY environment variable is not passed to windows nodes #46396

@HarrisonWAffel

Rancher Server Setup

  • Rancher version: 2.9.0-rc7
  • Installation option (Docker install/Helm Chart):
    • If Helm Chart, Kubernetes Cluster and version (RKE1, RKE2, k3s, EKS, etc):
  • Proxy/Cert Details:

Information about the Cluster

  • Kubernetes version: n/a
  • Cluster Type (Local/Downstream): downstream
    • If downstream, what type of cluster? (Custom/Imported or specify provider for Hosted/Infrastructure Provider): Custom Windows

User Information

  • What is the role of the user logged in? (Admin/Cluster Owner/Cluster Member/Project Owner/Project Member/Custom)
    • If custom, define the set of permissions: n/a

Describe the bug

Rancher has introduced the agentTLSMode setting, which determines if agent connections should perform strict validation of CA certificates before connecting to the local Rancher cluster. The system-agent and related scripts have been updated for Linux nodes to support this feature; however, Windows nodes do not yet receive this setting or handle it properly. This is partly due to the environment variable not being provided in the rancher-wins install script, as well as the system agent upgrade plan not properly executing on Windows nodes.

To Reproduce

This issue cannot be easily reproduced, as the current behavior will ignore the requested agentTLSMode and continue without issue. The root issue is that the most recently released version of Wins does not use a version of the system-agent which supports the agentTLSMode feature, and that the STRICT_VERIFY environment variable is not set or utilized at the time of initial installation and is not properly delivered to downstream nodes post provisioning.

Result

Expected Result
Rancher provides the relevant environment variables to rancher-wins so that it can start the system-agent plan watcher in the desired mode. Rancher is able to provide plans to rancher-wins to further configure the service post provisioning.

Screenshots

Additional context

The initial PR did make changes with the expectation that Windows nodes would receive the new environment variable; however, the original logic implemented that was updated was improperly validated and does not seem to function as intended. Additionally, other aspects of the provisioning process need to be updated to achieve feature parity with Linux nodes, such as the version of the system-agent embedded in rancher-wins, the rancher-wins install script used during node registration, and potentially the flags offered by rancher-wins.

Metadata

Labels

  • area/windows
  • kind/bug: Issues that are defects reported by users or that we know have reached a real release
  • priority/0
  • release-note: Note this issue in the milestone's release notes
  • team/hostbusters: The team that is responsible for provisioning/managing downstream clusters + K8s version support
