We do not connect to the FQDN but only to <service>.<namespace> as the service DNS domain (.cluster.local) is configurable.
Gives the user control over the server name used to verify the hostname on the returned certificates from Tiller.
LGTM
Thanks @hiddeco
Thanks for getting to this so fast.
It might be worth mentioning in the release notes that the helm client version has been increased from 2.8.1 to 2.11.0 in case people have issues.
@Smirl the client already was Go dep only pins to a version if you make it either Ref: https://golang.github.io/dep/docs/Gopkg.toml.html#version
Good job on puzzling this out! There's what looks like a typo; otherwise all looks good to me. 💎
Flag was introduced in v2.10.0
@squaremo @stefanprodan thanks a lot for the reviews guys! 🥇 Stefan; when drafting the new Helm operator release it may be wise to mention the version increase of the internal Helm client. During my testing I was able to talk to a lower Tiller version (client
First off: this bug wasn't completely our fault.
The Helm docs on this subject are giving you the idea that everything is configured as it should be but are actually ignoring the TLS CA verification.
Their example tells you to run:
$ helm ls --tls --tls-ca-cert ca.cert.pem --tls-cert helm.cert.pem --tls-key helm.key.pem
The latter is not true; to actually validate the CA provided you have to add an additional configuration flag, --tls-verify. If you run the command with the --tls-verify flag you will get an error back:

This error brings you to the troubleshooting section on the same page:
The solution would be to add the cluster IP of the tiller-deploy service to the Tiller certificate. This is quite inconvenient for our users as they don't know the cluster IP beforehand and it's likely to change over time.

Alternative solution:
- <service>.<namespace>
- --tls-hostname Helm client flag so user has full control over verification process

Bonus:
- Image available for testing: hiddeco/helm-operator:1465-tiller-tls

Fixes #1465 #1475
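As an added example (not code from this PR, from Helm or from the helm-operator), the Go snippet below builds a constructed CA and a Tiller-style certificate whose SAN carries only <service>.<namespace>, then runs the client-side check that --tls-ca-cert plus --tls-hostname amount to: verification succeeds for the service name and fails for a cluster IP or the FQDN, which is exactly the mismatch the troubleshooting advice above works around. The names tiller-deploy.kube-system and 10.96.0.42 are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// mint signs tmpl with signer (self-signed when parent == tmpl) and parses the result.
func mint(tmpl, parent *x509.Certificate, pub ed25519.PublicKey, signer ed25519.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// issueCerts builds a constructed CA and a Tiller-style server cert whose only SAN is serverName.
func issueCerts(serverName string) (*x509.CertPool, *x509.Certificate, error) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader) // rand.Reader does not fail in practice
	srvPub, _, _ := ed25519.GenerateKey(rand.Reader)
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "constructed-ca"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	ca, err := mint(caTmpl, caTmpl, caPub, caKey)
	if err != nil {
		return nil, nil, err
	}
	srv, err := mint(&x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: serverName},
		DNSNames: []string{serverName}, // no IPAddresses entry: the cluster IP is deliberately absent
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), KeyUsage: x509.KeyUsageDigitalSignature,
	}, ca, srvPub, caKey)
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	return pool, srv, err // srv is nil when err != nil
}

// verifyAs is the client side of --tls-ca-cert plus --tls-hostname: trust the CA and match expectedName, not the dialled address.
func verifyAs(pool *x509.CertPool, expectedName string, srv *x509.Certificate) error {
	cfg := &tls.Config{RootCAs: pool, ServerName: expectedName} // what --tls-hostname sets on the client
	_, err := srv.Verify(x509.VerifyOptions{Roots: cfg.RootCAs, DNSName: cfg.ServerName})
	return err
}
```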