fix: validate TLS certificate when downloading Kubernetes bundle #3900
Open
pascalbreuninger wants to merge 1 commit into main from
690d112 to a93cb62
Adds an --insecure flag to the vcluster and vclusterctl node upgrade commands and a privateNodes.autoUpgrade.insecure config field for the auto-upgrade controller. All paths default to verifying TLS, with opt-in skip for environments using a self-signed bundle repository (e.g. the in-cluster /node/download fallback). Linear: ENGCP-577
a93cb62 to c56666b
E2E Ginkgo Tests
roehrijn approved these changes, Apr 29, 2026
FabianKramm (Member) requested changes, May 5, 2026, and left a comment:
Let's do a different approach for this
What issue type does this pull request address?
/kind bugfix
What does this pull request do? Which issues does it resolve?
Adds the OSS-side wiring for an --insecure flag on the node upgrade flow:
- vcluster node upgrade --insecure (in-pod binary)
- vclusterctl node upgrade <node> --insecure (user-facing CLI; threaded through to the upgrade pod's command)
- privateNodes.autoUpgrade.insecure config field for the auto-upgrade controller
All paths default to verifying TLS. Operators using a non-publicly-trusted bundle repository (most commonly the in-cluster /node/download fallback that's served by a self-signed control plane certificate) must opt in explicitly.
The actual gating in the download path lives in vcluster-pro: https://github.com/loft-sh/vcluster-pro/pull/1730
Please provide a short message that should be published in the vcluster release notes
Fixed an issue where the private-node upgrade flow skipped TLS verification when downloading the Kubernetes bundle from github.com/loft-sh/kubernetes. TLS verification is now enabled by default; pass --insecure (manual upgrade) or set privateNodes.autoUpgrade.insecure: true (auto-upgrade) when the bundle repository is served by a non-publicly-trusted CA.
What else do we need to know?
privateNodes.autoUpgrade against a self-signed control plane endpoint: auto-upgrades will fail until insecure: true is set. Worth a release-notes call-out.
E2E Tests
Default Test Execution
The mandatory PR suite runs automatically. Only specify additional test suites below if needed.
Additional test suites
Additional test suite(s) that will be executed before the mandatory PR suite:
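The behaviour the description asks for (verify by default, skip only on an explicit opt-in) is easy to get wrong in an HTTP client, so here is an added Go example of that shape. It is not vcluster's or vcluster-pro's code; BundleDownloadConfig, NewBundleHTTPClient, VerifiesTLS, FetchBundle and DemoSelfSignedFallback are hypothetical names, and the CAPEM option (trusting a private CA without disabling verification) is an extra shown here, not something the PR adds. The demo stands up a self-signed httptest server in place of the in-cluster /node/download fallback and shows that the default client rejects it, the opt-in insecure client accepts it, and a client pinned to the server's CA also accepts it without turning verification off.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"time"
)

// BundleDownloadConfig is a hypothetical stand-in for the wiring the PR
// describes: Insecure corresponds to --insecure / privateNodes.autoUpgrade.insecure
// and is false unless an operator sets it. CAPEM is an added option (not in the
// PR) for trusting a private CA instead of disabling verification.
type BundleDownloadConfig struct {
	Insecure bool
	CAPEM    []byte
}

// NewBundleHTTPClient builds a client that verifies server certificates by
// default and only skips verification when Insecure is explicitly true.
func NewBundleHTTPClient(cfg BundleDownloadConfig) (*http.Client, error) {
	tlsCfg := &tls.Config{MinVersion: tls.VersionTLS12}
	if cfg.Insecure {
		// Opt-in only; log it so the skipped check is visible in pod logs.
		fmt.Println("WARNING: TLS certificate verification disabled for bundle download")
		tlsCfg.InsecureSkipVerify = true
	}
	if len(cfg.CAPEM) > 0 {
		pool := x509.NewCertPool()
		if !pool.AppendCertsFromPEM(cfg.CAPEM) {
			return nil, errors.New("bundle download: CA bundle contains no valid PEM certificates")
		}
		tlsCfg.RootCAs = pool
	}
	return &http.Client{
		Timeout:   30 * time.Second,
		Transport: &http.Transport{TLSClientConfig: tlsCfg},
	}, nil
}

// VerifiesTLS reports whether a client will check server certificates.
func VerifiesTLS(c *http.Client) bool {
	tr, ok := c.Transport.(*http.Transport)
	if !ok || tr.TLSClientConfig == nil {
		return true // net/http's defaults verify
	}
	return !tr.TLSClientConfig.InsecureSkipVerify
}

// FetchBundle downloads the bundle bytes, returning the first error hit
// (a TLS handshake failure surfaces here from c.Get).
func FetchBundle(c *http.Client, url string) ([]byte, error) {
	resp, err := c.Get(url)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("bundle download: unexpected status %d", resp.StatusCode)
	}
	return io.ReadAll(resp.Body)
}

// DemoSelfSignedFallback runs a self-signed TLS server standing in for the
// in-cluster /node/download fallback and tries three clients against it.
// It returns the (default, insecure, pinned-CA) download errors.
func DemoSelfSignedFallback() (error, error, error) {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		_, _ = w.Write([]byte("constructed-bundle-bytes")) // constructed payload, not a real bundle
	}))
	defer srv.Close()
	url := srv.URL + "/node/download"

	def, _ := NewBundleHTTPClient(BundleDownloadConfig{})
	_, defaultErr := FetchBundle(def, url)

	ins, _ := NewBundleHTTPClient(BundleDownloadConfig{Insecure: true})
	_, insecureErr := FetchBundle(ins, url)

	// Pin the test server's self-signed certificate as the trusted root.
	caPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: srv.Certificate().Raw})
	pinned, _ := NewBundleHTTPClient(BundleDownloadConfig{CAPEM: caPEM})
	_, pinnedErr := FetchBundle(pinned, url)

	return defaultErr, insecureErr, pinnedErr
}

func main() {
	d, i, p := DemoSelfSignedFallback()
	fmt.Printf("default client: %v\ninsecure client: %v\npinned-CA client: %v\n", d, i, p)
}
```

The pinned-CA path is the alternative worth weighing for the auto-upgrade case the description flags: an operator whose control plane serves a self-signed certificate can trust that one certificate rather than setting insecure: true and accepting any server.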