fix(kubeapiserver client):allow certificate validation to be skipped

Close: #8487 Signed-off-by: Dong Gang <dong.gang@daocloud.io>
5 years ago · 52e1df0067
parent 37d3dacfb5
commit 52e1df0067
3 changed files with 78 additions and 7 deletions
--- a/cmd/helm/load_plugins.go
+++ b/cmd/helm/load_plugins.go
@ -154,7 +154,7 @@ func callPluginExecutable(pluginName string, main string, argv []string, out io.
 func manuallyProcessArgs(args []string) ([]string, []string) {
 	known := []string{}
 	unknown := []string{}
-	kvargs := []string{"--kube-context", "--namespace", "-n", "--kubeconfig", "--kube-apiserver", "--kube-token", "--kube-as-user", "--kube-as-group", "--kube-ca-file", "--registry-config", "--repository-cache", "--repository-config"}
+	kvargs := []string{"--kube-context", "--namespace", "-n", "--kubeconfig", "--kube-apiserver", "--kube-token", "--kube-as-user", "--kube-as-group", "--kube-ca-file", "--kube-insecure-skip-tls-verify", "--registry-config", "--repository-cache", "--repository-config"}
 	knownArg := func(a string) bool {
 		for _, pre := range kvargs {
 			if strings.HasPrefix(a, pre+"=") {
--- a/pkg/cli/environment.go
+++ b/pkg/cli/environment.go
@ -56,6 +56,8 @@ type EnvSettings struct {
 	KubeAPIServer string
 	// Custom certificate authority file.
 	KubeCaFile string
 	// KubeInsecure indicates whether or not checking kubernetes apiserver's certificate
 	KubeInsecure bool
 	// Debug indicates whether or not Helm is running in Debug mode.
 	Debug bool
 	// RegistryConfig is the path to the registry config file.
@ -80,6 +82,7 @@ func New() *EnvSettings {
 		KubeAsGroups:     envCSV("HELM_KUBEASGROUPS"),
 		KubeAPIServer:    os.Getenv("HELM_KUBEAPISERVER"),
 		KubeCaFile:       os.Getenv("HELM_KUBECAFILE"),
 		KubeInsecure:     envBoolOr("HELM_KUBEAPISERVER_INSECURE", false),
 		PluginsDirectory: envOr("HELM_PLUGINS", helmpath.DataPath("plugins")),
 		RegistryConfig:   envOr("HELM_REGISTRY_CONFIG", helmpath.ConfigPath("registry.json")),
 		RepositoryConfig: envOr("HELM_REPOSITORY_CONFIG", helmpath.ConfigPath("repositories.yaml")),
@ -97,6 +100,7 @@ func New() *EnvSettings {
 		KubeConfig:       &env.KubeConfig,
 		Impersonate:      &env.KubeAsUser,
 		ImpersonateGroup: &env.KubeAsGroups,
 		Insecure:         &env.KubeInsecure,
 	}
 	return env
 }
@ -111,6 +115,7 @@ func (s *EnvSettings) AddFlags(fs *pflag.FlagSet) {
 	fs.StringArrayVar(&s.KubeAsGroups, "kube-as-group", s.KubeAsGroups, "group to impersonate for the operation, this flag can be repeated to specify multiple groups.")
 	fs.StringVar(&s.KubeAPIServer, "kube-apiserver", s.KubeAPIServer, "the address and the port for the Kubernetes API server")
 	fs.StringVar(&s.KubeCaFile, "kube-ca-file", s.KubeCaFile, "the certificate authority file for the Kubernetes API server connection")
 	fs.BoolVar(&s.KubeInsecure, "kube-insecure-skip-tls-verify", s.KubeInsecure, "if true, the kubernetes apiserver's certificate will not be checked for validity. This will make your HTTPS connections insecure")
 	fs.BoolVar(&s.Debug, "debug", s.Debug, "enable verbose output")
 	fs.StringVar(&s.RegistryConfig, "registry-config", s.RegistryConfig, "path to the registry config file")
 	fs.StringVar(&s.RepositoryConfig, "repository-config", s.RepositoryConfig, "path to the file containing repository names and URLs")
@ -144,6 +149,18 @@ func envCSV(name string) (ls []string) {
 	return
 }
 func envBoolOr(name string, def bool) bool {
 	if name == "" {
 		return def
 	}
 	envVal := envOr(name, strconv.FormatBool(def))
 	ret, err := strconv.ParseBool(envVal)
 	if err != nil {
 		return def
 	}
 	return ret
 }
 func (s *EnvSettings) EnvVars() map[string]string {
 	envvars := map[string]string{
 		"HELM_BIN":               os.Args[0],
@ -159,12 +176,13 @@ func (s *EnvSettings) EnvVars() map[string]string {
 		"HELM_MAX_HISTORY":       strconv.Itoa(s.MaxHistory),
 		// broken, these are populated from helm flags and not kubeconfig.
-		"HELM_KUBECONTEXT":   s.KubeContext,
+		"HELM_KUBECONTEXT":            s.KubeContext,
-		"HELM_KUBETOKEN":     s.KubeToken,
+		"HELM_KUBETOKEN":              s.KubeToken,
-		"HELM_KUBEASUSER":    s.KubeAsUser,
+		"HELM_KUBEASUSER":             s.KubeAsUser,
-		"HELM_KUBEASGROUPS":  strings.Join(s.KubeAsGroups, ","),
+		"HELM_KUBEASGROUPS":           strings.Join(s.KubeAsGroups, ","),
-		"HELM_KUBEAPISERVER": s.KubeAPIServer,
+		"HELM_KUBEAPISERVER":          s.KubeAPIServer,
-		"HELM_KUBECAFILE":    s.KubeCaFile,
+		"HELM_KUBECAFILE":             s.KubeCaFile,
 		"HELM_KUBEAPISERVER_INSECURE": strconv.FormatBool(s.KubeInsecure),
 	}
 	if s.KubeConfig != "" {
 		envvars["KUBECONFIG"] = s.KubeConfig
--- a/pkg/cli/environment_test.go
+++ b/pkg/cli/environment_test.go
@ -40,6 +40,7 @@ func TestEnvSettings(t *testing.T) {
 		kAsUser      string
 		kAsGroups    []string
 		kCaFile      string
 		kubeInsecure bool
 	}{
 		{
 			name:       "defaults",
@ -133,3 +134,55 @@ func resetEnv() func() {
 		}
 	}
 }
 func Test_envBoolOr(t *testing.T) {
 	type args struct {
 		name     string
 		envValue string
 		def      bool
 	}
 	tests := []struct {
 		name string
 		args args
 		want bool
 	}{
 		{
 			name: "empty name",
 			args: args{
 				name:     "",
 				envValue: "",
 				def:      true,
 			},
 			want: true,
 		},
 		{
 			name: "with ENV set",
 			args: args{
 				name:     "ENV",
 				envValue: "true",
 				def:      false,
 			},
 			want: true,
 		},
 		{
 			name: "with illegal ENV set",
 			args: args{
 				name:     "ENV",
 				envValue: "true1",
 				def:      true,
 			},
 			want: true,
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			if tt.args.envValue != "" && tt.args.name != "" {
 				defer os.Unsetenv(tt.args.name)
 				os.Setenv(tt.args.name, tt.args.envValue)
 			}
 			if got := envBoolOr(tt.args.name, tt.args.def); got != tt.want {
 				t.Errorf("envBoolOr() = %v, want %v", got, tt.want)
 			}
 		})
 	}
 }