Fix/missing ssl params #3152

Merged
merged 2 commits into from Nov 16, 2017
8 changes: 4 additions & 4 deletions cmd/helm/get.go
@@ -64,17 +64,17 @@ func newGetCmd(client helm.Interface, out io.Writer) *cobra.Command {
}
get.release = args[0]
if get.client == nil {
get.client = helm.NewClient(helm.Host(settings.TillerHost))
get.client = newClient()
}
return get.run()
},
}

cmd.Flags().Int32Var(&get.version, "revision", 0, "get the named release with revision")

cmd.AddCommand(newGetValuesCmd(nil, out))
cmd.AddCommand(newGetManifestCmd(nil, out))
cmd.AddCommand(newGetHooksCmd(nil, out))
cmd.AddCommand(addFlagsTLS(newGetValuesCmd(nil, out)))
cmd.AddCommand(addFlagsTLS(newGetManifestCmd(nil, out)))
cmd.AddCommand(addFlagsTLS(newGetHooksCmd(nil, out)))

return cmd
}
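Review bot: Nothing visible here shows that the three subcommands now wrapped in `addFlagsTLS` at the end of `newGetCmd` build their client through `newClient()`; they are still created with a nil client and their own setup is not part of this diff. If any of them still calls `helm.NewClient(helm.Host(settings.TillerHost))`, the `--tls` flags would be accepted and silently ignored, presumably leaving the user on an unprotected connection they believe is encrypted. The same direct call is replaced in history.go, list.go and status.go, so one shared helper for the `if client == nil` fallback would keep a future command from bypassing the TLS options again. A comment above the `AddCommand` lines such as `// TLS flags only take effect when the subcommand builds its client with newClient()` would record the dependency. The enclosing function starts above the hunk.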
20 changes: 14 additions & 6 deletions cmd/helm/helm.go
@@ -45,6 +45,10 @@ var (
tlsVerify bool // enable TLS and verify remote certificates
tlsEnable bool // enable TLS

tlsCaCertDefault = "$HELM_HOME/ca.pem"
tlsCertDefault = "$HELM_HOME/cert.pem"
tlsKeyDefault = "$HELM_HOME/key.pem"

tillerTunnel *kube.Tunnel
settings helm_env.EnvSettings
)
@@ -263,6 +267,16 @@ func newClient() helm.Interface {
options := []helm.Option{helm.Host(settings.TillerHost)}

if tlsVerify || tlsEnable {
if tlsCaCertFile == "" {
tlsCaCertFile = os.ExpandEnv(tlsCaCertDefault)
}
if tlsCertFile == "" {
tlsCertFile = os.ExpandEnv(tlsCertDefault)
}
if tlsKeyFile == "" {
tlsKeyFile = os.ExpandEnv(tlsKeyDefault)
}
debug("Key=%q, Cert=%q, CA=%q\n", tlsKeyFile, tlsCertFile, tlsCaCertFile)
tlsopts := tlsutil.Options{KeyFile: tlsKeyFile, CertFile: tlsCertFile, InsecureSkipVerify: true}
if tlsVerify {
tlsopts.CaCertFile = tlsCaCertFile
@@ -281,12 +295,6 @@ func newClient() helm.Interface {
// addFlagsTLS adds the flags for supporting client side TLS to the
// helm command (only those that invoke communicate to Tiller.)
func addFlagsTLS(cmd *cobra.Command) *cobra.Command {
// defaults
var (
tlsCaCertDefault = "$HELM_HOME/ca.pem"
tlsCertDefault = "$HELM_HOME/cert.pem"
tlsKeyDefault = "$HELM_HOME/key.pem"
)

// add flags
cmd.Flags().StringVar(&tlsCaCertFile, "tls-ca-cert", tlsCaCertDefault, "path to TLS CA certificate file")
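Review bot: The new fallback in `newClient()` resolves the CA, certificate and key paths with `os.ExpandEnv`, which substitutes an empty string for an unset variable, so without `HELM_HOME` exported the client would look for `/ca.pem`, `/cert.pem` and `/key.pem` at the filesystem root. Reading the client key and trust anchor from outside the user's Helm home is worth avoiding; deriving the defaults from the home directory already resolved in `settings`, or refusing to continue when the variable is empty, would be safer, and at minimum a comment like `// os.ExpandEnv yields "/key.pem" when HELM_HOME is unset` should sit above the three checks. The `== ""` tests also never fire for commands registered through `addFlagsTLS`, because the flag default there is the unexpanded `tlsCaCertDefault` string, so expansion of that default has to happen somewhere this page does not show. A short comment on the `tlsopts` line noting that it starts with `InsecureSkipVerify: true`, so `--tls` without `--tls-verify` encrypts but does not authenticate Tiller, would help readers as well. Both `newClient()` and `addFlagsTLS` continue outside the visible hunks.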
2 changes: 1 addition & 1 deletion cmd/helm/history.go
@@ -66,7 +66,7 @@ func newHistoryCmd(c helm.Interface, w io.Writer) *cobra.Command {
case len(args) == 0:
return errReleaseRequired
case his.helmc == nil:
his.helmc = helm.NewClient(helm.Host(settings.TillerHost))
his.helmc = newClient()
}
his.rls = args[0]
return his.run()
2 changes: 1 addition & 1 deletion cmd/helm/list.go
@@ -93,7 +93,7 @@ func newListCmd(client helm.Interface, out io.Writer) *cobra.Command {
list.filter = strings.Join(args, " ")
}
if list.client == nil {
list.client = helm.NewClient(helm.Host(settings.TillerHost))
list.client = newClient()
}
return list.run()
},
2 changes: 1 addition & 1 deletion cmd/helm/status.go
@@ -67,7 +67,7 @@ func newStatusCmd(client helm.Interface, out io.Writer) *cobra.Command {
}
status.release = args[0]
if status.client == nil {
status.client = helm.NewClient(helm.Host(settings.TillerHost))
status.client = newClient()
}
return status.run()
},
6 changes: 5 additions & 1 deletion cmd/tiller/tiller.go
@@ -232,7 +232,11 @@ func tlsOptions() tlsutil.Options {
opts := tlsutil.Options{CertFile: *certFile, KeyFile: *keyFile}
if *tlsVerify {
opts.CaCertFile = *caCertFile
opts.ClientAuth = tls.VerifyClientCertIfGiven

// We want to force the client to not only provide a cert, but to
// provide a cert that we can validate.
// http://www.bite-code.com/2015/06/25/tls-mutual-auth-in-golang/
opts.ClientAuth = tls.RequireAndVerifyClientCert
}
return opts
}
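Review bot: The comment added above `opts.ClientAuth` in `tlsOptions` explains the intent mainly through an external `http://` blog link, which may disappear and does not say what was wrong with the previous setting. Stating the property directly would serve readers better, for example `// Require a client certificate and verify it against the configured CA; VerifyClientCertIfGiven also admitted clients that presented none.` Because this tightens what Tiller accepts when `tlsVerify` is set, clients that previously connected without a certificate will now be rejected, so the change deserves a release-note line and a test asserting the `ClientAuth` value for both settings of the flag. The function's signature sits just above the hunk.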
9 changes: 7 additions & 2 deletions docs/helm/helm_get_hooks.md
@@ -18,7 +18,12 @@ helm get hooks [flags] RELEASE_NAME
### Options

```
--revision int32 get the named release with revision
--revision int32 get the named release with revision
--tls enable TLS for request
--tls-ca-cert string path to TLS CA certificate file (default "$HELM_HOME/ca.pem")
--tls-cert string path to TLS certificate file (default "$HELM_HOME/cert.pem")
--tls-key string path to TLS key file (default "$HELM_HOME/key.pem")
--tls-verify enable TLS for request and verify remote
```

### Options inherited from parent commands
@@ -35,4 +40,4 @@ helm get hooks [flags] RELEASE_NAME
### SEE ALSO
* [helm get](helm_get.md) - download a named release

###### Auto generated by spf13/cobra on 7-Nov-2017
###### Auto generated by spf13/cobra on 15-Nov-2017
9 changes: 7 additions & 2 deletions docs/helm/helm_get_manifest.md
@@ -20,7 +20,12 @@ helm get manifest [flags] RELEASE_NAME
### Options

```
--revision int32 get the named release with revision
--revision int32 get the named release with revision
--tls enable TLS for request
--tls-ca-cert string path to TLS CA certificate file (default "$HELM_HOME/ca.pem")
--tls-cert string path to TLS certificate file (default "$HELM_HOME/cert.pem")
--tls-key string path to TLS key file (default "$HELM_HOME/key.pem")
--tls-verify enable TLS for request and verify remote
```

### Options inherited from parent commands
@@ -37,4 +42,4 @@ helm get manifest [flags] RELEASE_NAME
### SEE ALSO
* [helm get](helm_get.md) - download a named release

###### Auto generated by spf13/cobra on 7-Nov-2017
###### Auto generated by spf13/cobra on 15-Nov-2017
11 changes: 8 additions & 3 deletions docs/helm/helm_get_values.md
@@ -16,8 +16,13 @@ helm get values [flags] RELEASE_NAME
### Options

```
-a, --all dump all (computed) values
--revision int32 get the named release with revision
-a, --all dump all (computed) values
--revision int32 get the named release with revision
--tls enable TLS for request
--tls-ca-cert string path to TLS CA certificate file (default "$HELM_HOME/ca.pem")
--tls-cert string path to TLS certificate file (default "$HELM_HOME/cert.pem")
--tls-key string path to TLS key file (default "$HELM_HOME/key.pem")
--tls-verify enable TLS for request and verify remote
```

### Options inherited from parent commands
@@ -34,4 +39,4 @@ helm get values [flags] RELEASE_NAME
### SEE ALSO
* [helm get](helm_get.md) - download a named release

###### Auto generated by spf13/cobra on 7-Nov-2017
###### Auto generated by spf13/cobra on 15-Nov-2017
2 changes: 2 additions & 0 deletions docs/index.md
@@ -6,6 +6,8 @@
- [Frequently Asked Questions](install_faq.md)
- [Using Helm](using_helm.md) - Learn the Helm tools
- [Plugins](plugins.md)
- [Service Accounts for Tiller](service_accounts.md) - Apply RBACs to Tiller
- [TLS/SSL for Helm and Tiller](tiller_ssl.md) - Use Helm-to-Tiller encryption
- [Developing Charts](charts.md) - An introduction to chart development
- [Chart Lifecycle Hooks](charts_hooks.md)
- [Chart Tips and Tricks](charts_tips_and_tricks.md)