msb-public
/
helm
mirror of https://github.com/helm/helm
1
0
Code Issues Projects Releases Wiki Activity

Allow TLS command-line options to be set via environment variables and be used with all commands.

Browse Source
pull/3496/head
Keith Burdis 8 years ago
parent 2a9a9f1851
commit b0b380ebab
4 changed files with 71 additions and 69 deletions
Show Stats Download Patch File Download Diff File

6
cmd/helm/get.go
Unescape View File

@ -72,9 +72,9 @@ func newGetCmd(client helm.Interface, out io.Writer) *cobra.Command {
cmd.Flags().Int32Var(&get.version, "revision", 0, "get the named release with revision") cmd.Flags().Int32Var(&get.version, "revision", 0, "get the named release with revision")
cmd.AddCommand(addFlagsTLS(newGetValuesCmd(nil, out))) cmd.AddCommand(newGetValuesCmd(nil, out))
cmd.AddCommand(addFlagsTLS(newGetManifestCmd(nil, out))) cmd.AddCommand(newGetManifestCmd(nil, out))
cmd.AddCommand(addFlagsTLS(newGetHooksCmd(nil, out))) cmd.AddCommand(newGetHooksCmd(nil, out))
return cmd return cmd
} }

76
cmd/helm/helm.go
Unescape View File

@ -39,16 +39,6 @@ import (
) )
var ( var (
tlsCaCertFile string // path to TLS CA certificate file
tlsCertFile string // path to TLS certificate file
tlsKeyFile string // path to TLS key file
tlsVerify bool // enable TLS and verify remote certificates
tlsEnable bool // enable TLS
tlsCaCertDefault = "$HELM_HOME/ca.pem"
tlsCertDefault = "$HELM_HOME/cert.pem"
tlsKeyDefault = "$HELM_HOME/key.pem"
tillerTunnel *kube.Tunnel tillerTunnel *kube.Tunnel
settings helm_env.EnvSettings settings helm_env.EnvSettings
) )
@ -75,6 +65,11 @@ Environment:
$HELM_NO_PLUGINS disable plugins. Set HELM_NO_PLUGINS=1 to disable plugins. $HELM_NO_PLUGINS disable plugins. Set HELM_NO_PLUGINS=1 to disable plugins.
$TILLER_NAMESPACE set an alternative Tiller namespace (default "kube-system") $TILLER_NAMESPACE set an alternative Tiller namespace (default "kube-system")
$KUBECONFIG set an alternative Kubernetes configuration file (default "~/.kube/config") $KUBECONFIG set an alternative Kubernetes configuration file (default "~/.kube/config")
$HELM_TLS_CA_CERT path to TLS CA certificate file to verify Tiller server certificate (default "$HELM_HOME/ca.pem")
$HELM_TLS_CERT path to TLS client certificate file for authenticating to Tiller (default "$HELM_HOME/cert.pem")
$HELM_TLS_KEY path to TLS cient key file for authenticating to Tiller (default "$HELM_HOME/key.pem")
$HELM_TLS_VERIFY enable TLS for request and verify remote (default "false")
$HELM_TLS_ENABLE enable TLS for request (default "false")
` `
func newRootCmd(args []string) *cobra.Command { func newRootCmd(args []string) *cobra.Command {
@ -83,11 +78,6 @@ func newRootCmd(args []string) *cobra.Command {
Short: "The Helm package manager for Kubernetes.", Short: "The Helm package manager for Kubernetes.",
Long: globalUsage, Long: globalUsage,
SilenceUsage: true, SilenceUsage: true,
PersistentPreRun: func(*cobra.Command, []string) {
tlsCaCertFile = os.ExpandEnv(tlsCaCertFile)
tlsCertFile = os.ExpandEnv(tlsCertFile)
tlsKeyFile = os.ExpandEnv(tlsKeyFile)
},
PersistentPostRun: func(*cobra.Command, []string) { PersistentPostRun: func(*cobra.Command, []string) {
teardown() teardown()
}, },
@ -112,18 +102,18 @@ func newRootCmd(args []string) *cobra.Command {
newVerifyCmd(out), newVerifyCmd(out),
// release commands // release commands
addFlagsTLS(newDeleteCmd(nil, out)), newDeleteCmd(nil, out),
addFlagsTLS(newGetCmd(nil, out)), newGetCmd(nil, out),
addFlagsTLS(newHistoryCmd(nil, out)), newHistoryCmd(nil, out),
addFlagsTLS(newInstallCmd(nil, out)), newInstallCmd(nil, out),
addFlagsTLS(newListCmd(nil, out)), newListCmd(nil, out),
addFlagsTLS(newRollbackCmd(nil, out)), newRollbackCmd(nil, out),
addFlagsTLS(newStatusCmd(nil, out)), newStatusCmd(nil, out),
addFlagsTLS(newUpgradeCmd(nil, out)), newUpgradeCmd(nil, out),
addFlagsTLS(newReleaseTestCmd(nil, out)), newReleaseTestCmd(nil, out),
addFlagsTLS(newResetCmd(nil, out)), newResetCmd(nil, out),
addFlagsTLS(newVersionCmd(nil, out)), newVersionCmd(nil, out),
newCompletionCmd(out), newCompletionCmd(out),
newHomeCmd(out), newHomeCmd(out),
@ -266,20 +256,11 @@ func ensureHelmClient(h helm.Interface) helm.Interface {
func newClient() helm.Interface { func newClient() helm.Interface {
options := []helm.Option{helm.Host(settings.TillerHost)} options := []helm.Option{helm.Host(settings.TillerHost)}
if tlsVerify || tlsEnable { if settings.TLSVerify || settings.TLSEnable {
if tlsCaCertFile == "" { debug("Key=%q, Cert=%q, CA=%q\n", settings.TLSKeyFile, settings.TLSCertFile, settings.TLSCaCertFile)
tlsCaCertFile = settings.Home.TLSCaCert() tlsopts := tlsutil.Options{KeyFile: settings.TLSKeyFile, CertFile: settings.TLSCertFile, InsecureSkipVerify: true}
} if settings.TLSVerify {
if tlsCertFile == "" { tlsopts.CaCertFile = settings.TLSCaCertFile
tlsCertFile = settings.Home.TLSCert()
}
if tlsKeyFile == "" {
tlsKeyFile = settings.Home.TLSKey()
}
debug("Key=%q, Cert=%q, CA=%q\n", tlsKeyFile, tlsCertFile, tlsCaCertFile)
tlsopts := tlsutil.Options{KeyFile: tlsKeyFile, CertFile: tlsCertFile, InsecureSkipVerify: true}
if tlsVerify {
tlsopts.CaCertFile = tlsCaCertFile
tlsopts.InsecureSkipVerify = false tlsopts.InsecureSkipVerify = false
} }
tlscfg, err := tlsutil.ClientConfig(tlsopts) tlscfg, err := tlsutil.ClientConfig(tlsopts)
@ -291,16 +272,3 @@ func newClient() helm.Interface {
} }
return helm.NewClient(options...) return helm.NewClient(options...)
} }
// addFlagsTLS adds the flags for supporting client side TLS to the
// helm command (only those that invoke communicate to Tiller.)
func addFlagsTLS(cmd *cobra.Command) *cobra.Command {
// add flags
cmd.Flags().StringVar(&tlsCaCertFile, "tls-ca-cert", tlsCaCertDefault, "path to TLS CA certificate file")
cmd.Flags().StringVar(&tlsCertFile, "tls-cert", tlsCertDefault, "path to TLS certificate file")
cmd.Flags().StringVar(&tlsKeyFile, "tls-key", tlsKeyDefault, "path to TLS key file")
cmd.Flags().BoolVar(&tlsVerify, "tls-verify", false, "enable TLS for request and verify remote")
cmd.Flags().BoolVar(&tlsEnable, "tls", false, "enable TLS for request")
return cmd
}

26
cmd/helm/init.go
Unescape View File

@ -87,6 +87,11 @@ type initCmd struct {
serviceAccount string serviceAccount string
maxHistory int maxHistory int
wait bool wait bool
tlsEnable bool
tlsVerify bool
tlsKeyFile string
tlsCertFile string
tlsCaCertFile string
} }
func newInitCmd(out io.Writer) *cobra.Command { func newInitCmd(out io.Writer) *cobra.Command {
@ -103,6 +108,11 @@ func newInitCmd(out io.Writer) *cobra.Command {
i.namespace = settings.TillerNamespace i.namespace = settings.TillerNamespace
i.home = settings.Home i.home = settings.Home
i.client = ensureHelmClient(i.client) i.client = ensureHelmClient(i.client)
i.tlsEnable = settings.TLSEnable
i.tlsVerify = settings.TLSVerify
i.tlsKeyFile = settings.TLSKeyFile
i.tlsCertFile = settings.TLSCertFile
i.tlsCaCertFile = settings.TLSCaCertFile
return i.run() return i.run()
}, },
@ -118,12 +128,6 @@ func newInitCmd(out io.Writer) *cobra.Command {
f.BoolVar(&i.skipRefresh, "skip-refresh", false, "do not refresh (download) the local repository cache") f.BoolVar(&i.skipRefresh, "skip-refresh", false, "do not refresh (download) the local repository cache")
f.BoolVar(&i.wait, "wait", false, "block until Tiller is running and ready to receive requests") f.BoolVar(&i.wait, "wait", false, "block until Tiller is running and ready to receive requests")
f.BoolVar(&tlsEnable, "tiller-tls", false, "install Tiller with TLS enabled")
f.BoolVar(&tlsVerify, "tiller-tls-verify", false, "install Tiller with TLS enabled and to verify remote certificates")
f.StringVar(&tlsKeyFile, "tiller-tls-key", "", "path to TLS key file to install with Tiller")
f.StringVar(&tlsCertFile, "tiller-tls-cert", "", "path to TLS certificate file to install with Tiller")
f.StringVar(&tlsCaCertFile, "tls-ca-cert", "", "path to CA root certificate")
f.StringVar(&stableRepositoryURL, "stable-repo-url", stableRepositoryURL, "URL for stable repository") f.StringVar(&stableRepositoryURL, "stable-repo-url", stableRepositoryURL, "URL for stable repository")
f.StringVar(&localRepositoryURL, "local-repo-url", localRepositoryURL, "URL for local repository") f.StringVar(&localRepositoryURL, "local-repo-url", localRepositoryURL, "URL for local repository")
@ -141,22 +145,22 @@ func newInitCmd(out io.Writer) *cobra.Command {
// tlsOptions sanitizes the tls flags as well as checks for the existence of required // tlsOptions sanitizes the tls flags as well as checks for the existence of required
// tls files indicated by those flags, if any. // tls files indicated by those flags, if any.
func (i *initCmd) tlsOptions() error { func (i *initCmd) tlsOptions() error {
i.opts.EnableTLS = tlsEnable || tlsVerify i.opts.EnableTLS = i.tlsEnable || i.tlsVerify
i.opts.VerifyTLS = tlsVerify i.opts.VerifyTLS = i.tlsVerify
if i.opts.EnableTLS { if i.opts.EnableTLS {
missing := func(file string) bool { missing := func(file string) bool {
_, err := os.Stat(file) _, err := os.Stat(file)
return os.IsNotExist(err) return os.IsNotExist(err)
} }
if i.opts.TLSKeyFile = tlsKeyFile; i.opts.TLSKeyFile == "" || missing(i.opts.TLSKeyFile) { if i.opts.TLSKeyFile = i.tlsKeyFile; i.opts.TLSKeyFile == "" || missing(i.opts.TLSKeyFile) {
return errors.New("missing required TLS key file") return errors.New("missing required TLS key file")
} }
if i.opts.TLSCertFile = tlsCertFile; i.opts.TLSCertFile == "" || missing(i.opts.TLSCertFile) { if i.opts.TLSCertFile = i.tlsCertFile; i.opts.TLSCertFile == "" || missing(i.opts.TLSCertFile) {
return errors.New("missing required TLS certificate file") return errors.New("missing required TLS certificate file")
} }
if i.opts.VerifyTLS { if i.opts.VerifyTLS {
if i.opts.TLSCaCertFile = tlsCaCertFile; i.opts.TLSCaCertFile == "" || missing(i.opts.TLSCaCertFile) { if i.opts.TLSCaCertFile = i.tlsCaCertFile; i.opts.TLSCaCertFile == "" || missing(i.opts.TLSCaCertFile) {
return errors.New("missing required TLS CA file") return errors.New("missing required TLS CA file")
} }
} }

32
pkg/helm/environment/environment.go
Unescape View File

@ -49,6 +49,16 @@ type EnvSettings struct {
KubeContext string KubeContext string
// KubeConfig is the name of the kubeconfig file. // KubeConfig is the name of the kubeconfig file.
KubeConfig string KubeConfig string
// TLSCaCertFile is the path to TLS CA certificate file for Helm to verify the Tiller server certificate
TLSCaCertFile string
// TLSCertFile is the path to Helm TLS client certificate file for authenticating to Tiller
TLSCertFile string
// TLSKeyFile is the path to Helm TLS client key file for authenticating to Tiller
TLSKeyFile string
// TLSVerify enables TLS between Helm and Tiller and verification of the Tiller server certificate
TLSVerify bool
// TLSEnable enables TLS between Helm and Tiller
TLSEnable bool
} }
// AddFlags binds flags to the given flagset. // AddFlags binds flags to the given flagset.
@ -59,6 +69,11 @@ func (s *EnvSettings) AddFlags(fs *pflag.FlagSet) {
fs.StringVar(&s.KubeConfig, "kubeconfig", "", "path to kubeconfig file. Overrides $KUBECONFIG") fs.StringVar(&s.KubeConfig, "kubeconfig", "", "path to kubeconfig file. Overrides $KUBECONFIG")
fs.BoolVar(&s.Debug, "debug", false, "enable verbose output") fs.BoolVar(&s.Debug, "debug", false, "enable verbose output")
fs.StringVar(&s.TillerNamespace, "tiller-namespace", "kube-system", "namespace of Tiller") fs.StringVar(&s.TillerNamespace, "tiller-namespace", "kube-system", "namespace of Tiller")
fs.StringVar(&s.TLSCaCertFile, "tls-ca-cert", "", "path to TLS CA certificate file for Helm to verify Tiller server certificate")
fs.StringVar(&s.TLSCertFile, "tls-cert", "", "path to Helm TLS client certificate file for authenticating to Tiller")
fs.StringVar(&s.TLSKeyFile, "tls-key", "", "path to Helm TLS client key file for authenticating to Tiller")
fs.BoolVar(&s.TLSVerify, "tls-verify", false, "enable TLS connection between Helm and Tiller and verify Tiller server certificate")
fs.BoolVar(&s.TLSEnable, "tls", false, "enable TLS connection between Helm and Tiller")
} }
// Init sets values from the environment. // Init sets values from the environment.
@ -66,6 +81,16 @@ func (s *EnvSettings) Init(fs *pflag.FlagSet) {
for name, envar := range envMap { for name, envar := range envMap {
setFlagFromEnv(name, envar, fs) setFlagFromEnv(name, envar, fs)
} }
// TLS defaults that depend on Home value
if s.TLSCaCertFile == "" {
s.TLSCaCertFile = s.Home.TLSCaCert()
}
if s.TLSCertFile == "" {
s.TLSCertFile = s.Home.TLSCert()
}
if s.TLSKeyFile == "" {
s.TLSKeyFile = s.Home.TLSKey()
}
} }
// PluginDirs is the path to the plugin directories. // PluginDirs is the path to the plugin directories.
@ -83,6 +108,11 @@ var envMap = map[string]string{
"host": "HELM_HOST", "host": "HELM_HOST",
"kubeconfig": "KUBECONFIG", "kubeconfig": "KUBECONFIG",
"tiller-namespace": "TILLER_NAMESPACE", "tiller-namespace": "TILLER_NAMESPACE",
"tls-ca-cert": "HELM_TLS_CA_CERT",
"tls-cert": "HELM_TLS_CERT",
"tls-key": "HELM_TLS_KEY",
"tls-verify": "HELM_TLS_VERIFY",
"tls": "HELM_TLS_ENABLE",
} }
func setFlagFromEnv(name, envar string, fs *pflag.FlagSet) { func setFlagFromEnv(name, envar string, fs *pflag.FlagSet) {
@ -90,7 +120,7 @@ func setFlagFromEnv(name, envar string, fs *pflag.FlagSet) {
return return
} }
if v, ok := os.LookupEnv(envar); ok { if v, ok := os.LookupEnv(envar); ok {
fs.Set(name, v) fs.Set(name, os.ExpandEnv(v))
} }
} }

Write Preview
Loading…
Cancel
Save