Merge pull request #4444 from bacongobbler/rebase-4345

fix(helm): add `--tls-hostname` flag to tls flags
pull/4449/head
Matthew Fisher 6 years ago committed by GitHub
commit daa7c2a773
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

@ -40,6 +40,7 @@ import (
) )
var ( var (
tlsServerName string // overrides the server name used to verify the hostname on the returned certificates from the server.
tlsCaCertFile string // path to TLS CA certificate file tlsCaCertFile string // path to TLS CA certificate file
tlsCertFile string // path to TLS certificate file tlsCertFile string // path to TLS certificate file
tlsKeyFile string // path to TLS key file tlsKeyFile string // path to TLS key file
@ -285,8 +286,13 @@ func newClient() helm.Interface {
if tlsKeyFile == "" { if tlsKeyFile == "" {
tlsKeyFile = settings.Home.TLSKey() tlsKeyFile = settings.Home.TLSKey()
} }
debug("Key=%q, Cert=%q, CA=%q\n", tlsKeyFile, tlsCertFile, tlsCaCertFile) debug("Host=%q, Key=%q, Cert=%q, CA=%q\n", tlsKeyFile, tlsCertFile, tlsCaCertFile)
tlsopts := tlsutil.Options{KeyFile: tlsKeyFile, CertFile: tlsCertFile, InsecureSkipVerify: true} tlsopts := tlsutil.Options{
ServerName: tlsServerName,
KeyFile: tlsKeyFile,
CertFile: tlsCertFile,
InsecureSkipVerify: true,
}
if tlsVerify { if tlsVerify {
tlsopts.CaCertFile = tlsCaCertFile tlsopts.CaCertFile = tlsCaCertFile
tlsopts.InsecureSkipVerify = false tlsopts.InsecureSkipVerify = false
@ -306,6 +312,7 @@ func newClient() helm.Interface {
func addFlagsTLS(cmd *cobra.Command) *cobra.Command { func addFlagsTLS(cmd *cobra.Command) *cobra.Command {
// add flags // add flags
cmd.Flags().StringVar(&tlsServerName, "tls-hostname", settings.TillerHost, "the server name used to verify the hostname on the returned certificates from the server")
cmd.Flags().StringVar(&tlsCaCertFile, "tls-ca-cert", tlsCaCertDefault, "path to TLS CA certificate file") cmd.Flags().StringVar(&tlsCaCertFile, "tls-ca-cert", tlsCaCertDefault, "path to TLS CA certificate file")
cmd.Flags().StringVar(&tlsCertFile, "tls-cert", tlsCertDefault, "path to TLS certificate file") cmd.Flags().StringVar(&tlsCertFile, "tls-cert", tlsCertDefault, "path to TLS certificate file")
cmd.Flags().StringVar(&tlsKeyFile, "tls-key", tlsKeyDefault, "path to TLS key file") cmd.Flags().StringVar(&tlsKeyFile, "tls-key", tlsKeyDefault, "path to TLS key file")
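Review bot: The debug call in the newClient hunk now carries four `%q` verbs but still receives only three arguments, so `Host=` prints the key path, every following field shifts by one, and `CA=` renders as `%!q(MISSING)`; assuming `debug` is Printf-style, `go vet` will flag it as well. The line should read `debug("Host=%q, Key=%q, Cert=%q, CA=%q\n", tlsServerName, tlsKeyFile, tlsCertFile, tlsCaCertFile)`. In the addFlagsTLS hunk, the `--tls-hostname` help text could add that the name is only checked against the server certificate when `--tls-verify` is set, since `InsecureSkipVerify` stays true otherwise and the value then only affects SNI. The newClient and addFlagsTLS bodies both extend beyond these hunks.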

@ -20,16 +20,17 @@ helm delete [flags] RELEASE_NAME [...]
### Options ### Options
``` ```
--description string specify a description for the release --description string specify a description for the release
--dry-run simulate a delete --dry-run simulate a delete
--no-hooks prevent hooks from running during deletion --no-hooks prevent hooks from running during deletion
--purge remove the release from the store and make its name free for later use --purge remove the release from the store and make its name free for later use
--timeout int time in seconds to wait for any individual Kubernetes operation (like Jobs for hooks) (default 300) --timeout int time in seconds to wait for any individual Kubernetes operation (like Jobs for hooks) (default 300)
--tls enable TLS for request --tls enable TLS for request
--tls-ca-cert string path to TLS CA certificate file (default "$HELM_HOME/ca.pem") --tls-ca-cert string path to TLS CA certificate file (default "$HELM_HOME/ca.pem")
--tls-cert string path to TLS certificate file (default "$HELM_HOME/cert.pem") --tls-cert string path to TLS certificate file (default "$HELM_HOME/cert.pem")
--tls-key string path to TLS key file (default "$HELM_HOME/key.pem") --tls-hostname string the server name used to verify the hostname on the returned certificates from the server
--tls-verify enable TLS for request and verify remote --tls-key string path to TLS key file (default "$HELM_HOME/key.pem")
--tls-verify enable TLS for request and verify remote
``` ```
### Options inherited from parent commands ### Options inherited from parent commands
@ -47,4 +48,4 @@ helm delete [flags] RELEASE_NAME [...]
### SEE ALSO ### SEE ALSO
* [helm](helm.md) - The Helm package manager for Kubernetes. * [helm](helm.md) - The Helm package manager for Kubernetes.
###### Auto generated by spf13/cobra on 17-Jun-2018 ###### Auto generated by spf13/cobra on 7-Aug-2018

@ -25,12 +25,13 @@ helm get [flags] RELEASE_NAME
### Options ### Options
``` ```
--revision int32 get the named release with revision --revision int32 get the named release with revision
--tls enable TLS for request --tls enable TLS for request
--tls-ca-cert string path to TLS CA certificate file (default "$HELM_HOME/ca.pem") --tls-ca-cert string path to TLS CA certificate file (default "$HELM_HOME/ca.pem")
--tls-cert string path to TLS certificate file (default "$HELM_HOME/cert.pem") --tls-cert string path to TLS certificate file (default "$HELM_HOME/cert.pem")
--tls-key string path to TLS key file (default "$HELM_HOME/key.pem") --tls-hostname string the server name used to verify the hostname on the returned certificates from the server
--tls-verify enable TLS for request and verify remote --tls-key string path to TLS key file (default "$HELM_HOME/key.pem")
--tls-verify enable TLS for request and verify remote
``` ```
### Options inherited from parent commands ### Options inherited from parent commands
@ -51,4 +52,4 @@ helm get [flags] RELEASE_NAME
* [helm get manifest](helm_get_manifest.md) - download the manifest for a named release * [helm get manifest](helm_get_manifest.md) - download the manifest for a named release
* [helm get values](helm_get_values.md) - download the values file for a named release * [helm get values](helm_get_values.md) - download the values file for a named release
###### Auto generated by spf13/cobra on 17-Jun-2018 ###### Auto generated by spf13/cobra on 7-Aug-2018

@ -18,12 +18,13 @@ helm get hooks [flags] RELEASE_NAME
### Options ### Options
``` ```
--revision int32 get the named release with revision --revision int32 get the named release with revision
--tls enable TLS for request --tls enable TLS for request
--tls-ca-cert string path to TLS CA certificate file (default "$HELM_HOME/ca.pem") --tls-ca-cert string path to TLS CA certificate file (default "$HELM_HOME/ca.pem")
--tls-cert string path to TLS certificate file (default "$HELM_HOME/cert.pem") --tls-cert string path to TLS certificate file (default "$HELM_HOME/cert.pem")
--tls-key string path to TLS key file (default "$HELM_HOME/key.pem") --tls-hostname string the server name used to verify the hostname on the returned certificates from the server
--tls-verify enable TLS for request and verify remote --tls-key string path to TLS key file (default "$HELM_HOME/key.pem")
--tls-verify enable TLS for request and verify remote
``` ```
### Options inherited from parent commands ### Options inherited from parent commands
@ -41,4 +42,4 @@ helm get hooks [flags] RELEASE_NAME
### SEE ALSO ### SEE ALSO
* [helm get](helm_get.md) - download a named release * [helm get](helm_get.md) - download a named release
###### Auto generated by spf13/cobra on 17-Jun-2018 ###### Auto generated by spf13/cobra on 7-Aug-2018

@ -20,12 +20,13 @@ helm get manifest [flags] RELEASE_NAME
### Options ### Options
``` ```
--revision int32 get the named release with revision --revision int32 get the named release with revision
--tls enable TLS for request --tls enable TLS for request
--tls-ca-cert string path to TLS CA certificate file (default "$HELM_HOME/ca.pem") --tls-ca-cert string path to TLS CA certificate file (default "$HELM_HOME/ca.pem")
--tls-cert string path to TLS certificate file (default "$HELM_HOME/cert.pem") --tls-cert string path to TLS certificate file (default "$HELM_HOME/cert.pem")
--tls-key string path to TLS key file (default "$HELM_HOME/key.pem") --tls-hostname string the server name used to verify the hostname on the returned certificates from the server
--tls-verify enable TLS for request and verify remote --tls-key string path to TLS key file (default "$HELM_HOME/key.pem")
--tls-verify enable TLS for request and verify remote
``` ```
### Options inherited from parent commands ### Options inherited from parent commands
@ -43,4 +44,4 @@ helm get manifest [flags] RELEASE_NAME
### SEE ALSO ### SEE ALSO
* [helm get](helm_get.md) - download a named release * [helm get](helm_get.md) - download a named release
###### Auto generated by spf13/cobra on 17-Jun-2018 ###### Auto generated by spf13/cobra on 7-Aug-2018

@ -16,13 +16,14 @@ helm get values [flags] RELEASE_NAME
### Options ### Options
``` ```
-a, --all dump all (computed) values -a, --all dump all (computed) values
--revision int32 get the named release with revision --revision int32 get the named release with revision
--tls enable TLS for request --tls enable TLS for request
--tls-ca-cert string path to TLS CA certificate file (default "$HELM_HOME/ca.pem") --tls-ca-cert string path to TLS CA certificate file (default "$HELM_HOME/ca.pem")
--tls-cert string path to TLS certificate file (default "$HELM_HOME/cert.pem") --tls-cert string path to TLS certificate file (default "$HELM_HOME/cert.pem")
--tls-key string path to TLS key file (default "$HELM_HOME/key.pem") --tls-hostname string the server name used to verify the hostname on the returned certificates from the server
--tls-verify enable TLS for request and verify remote --tls-key string path to TLS key file (default "$HELM_HOME/key.pem")
--tls-verify enable TLS for request and verify remote
``` ```
### Options inherited from parent commands ### Options inherited from parent commands
@ -40,4 +41,4 @@ helm get values [flags] RELEASE_NAME
### SEE ALSO ### SEE ALSO
* [helm get](helm_get.md) - download a named release * [helm get](helm_get.md) - download a named release
###### Auto generated by spf13/cobra on 17-Jun-2018 ###### Auto generated by spf13/cobra on 7-Aug-2018

@ -28,14 +28,15 @@ helm history [flags] RELEASE_NAME
### Options ### Options
``` ```
--col-width uint specifies the max column width of output (default 60) --col-width uint specifies the max column width of output (default 60)
--max int32 maximum number of revision to include in history (default 256) --max int32 maximum number of revision to include in history (default 256)
-o, --output string prints the output in the specified format (json|table|yaml) (default "table") -o, --output string prints the output in the specified format (json|table|yaml) (default "table")
--tls enable TLS for request --tls enable TLS for request
--tls-ca-cert string path to TLS CA certificate file (default "$HELM_HOME/ca.pem") --tls-ca-cert string path to TLS CA certificate file (default "$HELM_HOME/ca.pem")
--tls-cert string path to TLS certificate file (default "$HELM_HOME/cert.pem") --tls-cert string path to TLS certificate file (default "$HELM_HOME/cert.pem")
--tls-key string path to TLS key file (default "$HELM_HOME/key.pem") --tls-hostname string the server name used to verify the hostname on the returned certificates from the server
--tls-verify enable TLS for request and verify remote --tls-key string path to TLS key file (default "$HELM_HOME/key.pem")
--tls-verify enable TLS for request and verify remote
``` ```
### Options inherited from parent commands ### Options inherited from parent commands
@ -53,4 +54,4 @@ helm history [flags] RELEASE_NAME
### SEE ALSO ### SEE ALSO
* [helm](helm.md) - The Helm package manager for Kubernetes. * [helm](helm.md) - The Helm package manager for Kubernetes.
###### Auto generated by spf13/cobra on 17-Jun-2018 ###### Auto generated by spf13/cobra on 7-Aug-2018

@ -102,6 +102,7 @@ helm install [CHART]
--tls enable TLS for request --tls enable TLS for request
--tls-ca-cert string path to TLS CA certificate file (default "$HELM_HOME/ca.pem") --tls-ca-cert string path to TLS CA certificate file (default "$HELM_HOME/ca.pem")
--tls-cert string path to TLS certificate file (default "$HELM_HOME/cert.pem") --tls-cert string path to TLS certificate file (default "$HELM_HOME/cert.pem")
--tls-hostname string the server name used to verify the hostname on the returned certificates from the server
--tls-key string path to TLS key file (default "$HELM_HOME/key.pem") --tls-key string path to TLS key file (default "$HELM_HOME/key.pem")
--tls-verify enable TLS for request and verify remote --tls-verify enable TLS for request and verify remote
--username string chart repository username where to locate the requested chart --username string chart repository username where to locate the requested chart
@ -126,4 +127,4 @@ helm install [CHART]
### SEE ALSO ### SEE ALSO
* [helm](helm.md) - The Helm package manager for Kubernetes. * [helm](helm.md) - The Helm package manager for Kubernetes.
###### Auto generated by spf13/cobra on 17-Jul-2018 ###### Auto generated by spf13/cobra on 7-Aug-2018

@ -39,25 +39,26 @@ helm list [flags] [FILTER]
### Options ### Options
``` ```
-a, --all show all releases, not just the ones marked DEPLOYED -a, --all show all releases, not just the ones marked DEPLOYED
--col-width uint specifies the max column width of output (default 60) --col-width uint specifies the max column width of output (default 60)
-d, --date sort by release date -d, --date sort by release date
--deleted show deleted releases --deleted show deleted releases
--deleting show releases that are currently being deleted --deleting show releases that are currently being deleted
--deployed show deployed releases. If no other is specified, this will be automatically enabled --deployed show deployed releases. If no other is specified, this will be automatically enabled
--failed show failed releases --failed show failed releases
-m, --max int maximum number of releases to fetch (default 256) -m, --max int maximum number of releases to fetch (default 256)
--namespace string show releases within a specific namespace --namespace string show releases within a specific namespace
-o, --offset string next release name in the list, used to offset from start value -o, --offset string next release name in the list, used to offset from start value
--output string output the specified format (json or yaml) --output string output the specified format (json or yaml)
--pending show pending releases --pending show pending releases
-r, --reverse reverse the sort order -r, --reverse reverse the sort order
-q, --short output short (quiet) listing format -q, --short output short (quiet) listing format
--tls enable TLS for request --tls enable TLS for request
--tls-ca-cert string path to TLS CA certificate file (default "$HELM_HOME/ca.pem") --tls-ca-cert string path to TLS CA certificate file (default "$HELM_HOME/ca.pem")
--tls-cert string path to TLS certificate file (default "$HELM_HOME/cert.pem") --tls-cert string path to TLS certificate file (default "$HELM_HOME/cert.pem")
--tls-key string path to TLS key file (default "$HELM_HOME/key.pem") --tls-hostname string the server name used to verify the hostname on the returned certificates from the server
--tls-verify enable TLS for request and verify remote --tls-key string path to TLS key file (default "$HELM_HOME/key.pem")
--tls-verify enable TLS for request and verify remote
``` ```
### Options inherited from parent commands ### Options inherited from parent commands
@ -75,4 +76,4 @@ helm list [flags] [FILTER]
### SEE ALSO ### SEE ALSO
* [helm](helm.md) - The Helm package manager for Kubernetes. * [helm](helm.md) - The Helm package manager for Kubernetes.
###### Auto generated by spf13/cobra on 17-Jun-2018 ###### Auto generated by spf13/cobra on 7-Aug-2018

@ -18,13 +18,14 @@ helm reset
### Options ### Options
``` ```
-f, --force forces Tiller uninstall even if there are releases installed, or if Tiller is not in ready state. Releases are not deleted.) -f, --force forces Tiller uninstall even if there are releases installed, or if Tiller is not in ready state. Releases are not deleted.)
--remove-helm-home if set deletes $HELM_HOME --remove-helm-home if set deletes $HELM_HOME
--tls enable TLS for request --tls enable TLS for request
--tls-ca-cert string path to TLS CA certificate file (default "$HELM_HOME/ca.pem") --tls-ca-cert string path to TLS CA certificate file (default "$HELM_HOME/ca.pem")
--tls-cert string path to TLS certificate file (default "$HELM_HOME/cert.pem") --tls-cert string path to TLS certificate file (default "$HELM_HOME/cert.pem")
--tls-key string path to TLS key file (default "$HELM_HOME/key.pem") --tls-hostname string the server name used to verify the hostname on the returned certificates from the server
--tls-verify enable TLS for request and verify remote --tls-key string path to TLS key file (default "$HELM_HOME/key.pem")
--tls-verify enable TLS for request and verify remote
``` ```
### Options inherited from parent commands ### Options inherited from parent commands
@ -42,4 +43,4 @@ helm reset
### SEE ALSO ### SEE ALSO
* [helm](helm.md) - The Helm package manager for Kubernetes. * [helm](helm.md) - The Helm package manager for Kubernetes.
###### Auto generated by spf13/cobra on 17-Jun-2018 ###### Auto generated by spf13/cobra on 7-Aug-2018

@ -20,18 +20,19 @@ helm rollback [flags] [RELEASE] [REVISION]
### Options ### Options
``` ```
--description string specify a description for the release --description string specify a description for the release
--dry-run simulate a rollback --dry-run simulate a rollback
--force force resource update through delete/recreate if needed --force force resource update through delete/recreate if needed
--no-hooks prevent hooks from running during rollback --no-hooks prevent hooks from running during rollback
--recreate-pods performs pods restart for the resource if applicable --recreate-pods performs pods restart for the resource if applicable
--timeout int time in seconds to wait for any individual Kubernetes operation (like Jobs for hooks) (default 300) --timeout int time in seconds to wait for any individual Kubernetes operation (like Jobs for hooks) (default 300)
--tls enable TLS for request --tls enable TLS for request
--tls-ca-cert string path to TLS CA certificate file (default "$HELM_HOME/ca.pem") --tls-ca-cert string path to TLS CA certificate file (default "$HELM_HOME/ca.pem")
--tls-cert string path to TLS certificate file (default "$HELM_HOME/cert.pem") --tls-cert string path to TLS certificate file (default "$HELM_HOME/cert.pem")
--tls-key string path to TLS key file (default "$HELM_HOME/key.pem") --tls-hostname string the server name used to verify the hostname on the returned certificates from the server
--tls-verify enable TLS for request and verify remote --tls-key string path to TLS key file (default "$HELM_HOME/key.pem")
--wait if set, will wait until all Pods, PVCs, Services, and minimum number of Pods of a Deployment are in a ready state before marking the release as successful. It will wait for as long as --timeout --tls-verify enable TLS for request and verify remote
--wait if set, will wait until all Pods, PVCs, Services, and minimum number of Pods of a Deployment are in a ready state before marking the release as successful. It will wait for as long as --timeout
``` ```
### Options inherited from parent commands ### Options inherited from parent commands
@ -49,4 +50,4 @@ helm rollback [flags] [RELEASE] [REVISION]
### SEE ALSO ### SEE ALSO
* [helm](helm.md) - The Helm package manager for Kubernetes. * [helm](helm.md) - The Helm package manager for Kubernetes.
###### Auto generated by spf13/cobra on 17-Jun-2018 ###### Auto generated by spf13/cobra on 7-Aug-2018

@ -23,13 +23,14 @@ helm status [flags] RELEASE_NAME
### Options ### Options
``` ```
-o, --output string output the status in the specified format (json or yaml) -o, --output string output the status in the specified format (json or yaml)
--revision int32 if set, display the status of the named release with revision --revision int32 if set, display the status of the named release with revision
--tls enable TLS for request --tls enable TLS for request
--tls-ca-cert string path to TLS CA certificate file (default "$HELM_HOME/ca.pem") --tls-ca-cert string path to TLS CA certificate file (default "$HELM_HOME/ca.pem")
--tls-cert string path to TLS certificate file (default "$HELM_HOME/cert.pem") --tls-cert string path to TLS certificate file (default "$HELM_HOME/cert.pem")
--tls-key string path to TLS key file (default "$HELM_HOME/key.pem") --tls-hostname string the server name used to verify the hostname on the returned certificates from the server
--tls-verify enable TLS for request and verify remote --tls-key string path to TLS key file (default "$HELM_HOME/key.pem")
--tls-verify enable TLS for request and verify remote
``` ```
### Options inherited from parent commands ### Options inherited from parent commands
@ -47,4 +48,4 @@ helm status [flags] RELEASE_NAME
### SEE ALSO ### SEE ALSO
* [helm](helm.md) - The Helm package manager for Kubernetes. * [helm](helm.md) - The Helm package manager for Kubernetes.
###### Auto generated by spf13/cobra on 17-Jun-2018 ###### Auto generated by spf13/cobra on 7-Aug-2018

@ -19,13 +19,14 @@ helm test [RELEASE]
### Options ### Options
``` ```
--cleanup delete test pods upon completion --cleanup delete test pods upon completion
--timeout int time in seconds to wait for any individual Kubernetes operation (like Jobs for hooks) (default 300) --timeout int time in seconds to wait for any individual Kubernetes operation (like Jobs for hooks) (default 300)
--tls enable TLS for request --tls enable TLS for request
--tls-ca-cert string path to TLS CA certificate file (default "$HELM_HOME/ca.pem") --tls-ca-cert string path to TLS CA certificate file (default "$HELM_HOME/ca.pem")
--tls-cert string path to TLS certificate file (default "$HELM_HOME/cert.pem") --tls-cert string path to TLS certificate file (default "$HELM_HOME/cert.pem")
--tls-key string path to TLS key file (default "$HELM_HOME/key.pem") --tls-hostname string the server name used to verify the hostname on the returned certificates from the server
--tls-verify enable TLS for request and verify remote --tls-key string path to TLS key file (default "$HELM_HOME/key.pem")
--tls-verify enable TLS for request and verify remote
``` ```
### Options inherited from parent commands ### Options inherited from parent commands
@ -43,4 +44,4 @@ helm test [RELEASE]
### SEE ALSO ### SEE ALSO
* [helm](helm.md) - The Helm package manager for Kubernetes. * [helm](helm.md) - The Helm package manager for Kubernetes.
###### Auto generated by spf13/cobra on 17-Jun-2018 ###### Auto generated by spf13/cobra on 7-Aug-2018

@ -62,6 +62,7 @@ helm upgrade [RELEASE] [CHART]
--tls enable TLS for request --tls enable TLS for request
--tls-ca-cert string path to TLS CA certificate file (default "$HELM_HOME/ca.pem") --tls-ca-cert string path to TLS CA certificate file (default "$HELM_HOME/ca.pem")
--tls-cert string path to TLS certificate file (default "$HELM_HOME/cert.pem") --tls-cert string path to TLS certificate file (default "$HELM_HOME/cert.pem")
--tls-hostname string the server name used to verify the hostname on the returned certificates from the server
--tls-key string path to TLS key file (default "$HELM_HOME/key.pem") --tls-key string path to TLS key file (default "$HELM_HOME/key.pem")
--tls-verify enable TLS for request and verify remote --tls-verify enable TLS for request and verify remote
--username string chart repository username where to locate the requested chart --username string chart repository username where to locate the requested chart
@ -86,4 +87,4 @@ helm upgrade [RELEASE] [CHART]
### SEE ALSO ### SEE ALSO
* [helm](helm.md) - The Helm package manager for Kubernetes. * [helm](helm.md) - The Helm package manager for Kubernetes.
###### Auto generated by spf13/cobra on 17-May-2018 ###### Auto generated by spf13/cobra on 7-Aug-2018

@ -30,15 +30,16 @@ helm version
### Options ### Options
``` ```
-c, --client client version only -c, --client client version only
-s, --server server version only -s, --server server version only
--short print the version number --short print the version number
--template string template for version string format --template string template for version string format
--tls enable TLS for request --tls enable TLS for request
--tls-ca-cert string path to TLS CA certificate file (default "$HELM_HOME/ca.pem") --tls-ca-cert string path to TLS CA certificate file (default "$HELM_HOME/ca.pem")
--tls-cert string path to TLS certificate file (default "$HELM_HOME/cert.pem") --tls-cert string path to TLS certificate file (default "$HELM_HOME/cert.pem")
--tls-key string path to TLS key file (default "$HELM_HOME/key.pem") --tls-hostname string the server name used to verify the hostname on the returned certificates from the server
--tls-verify enable TLS for request and verify remote --tls-key string path to TLS key file (default "$HELM_HOME/key.pem")
--tls-verify enable TLS for request and verify remote
``` ```
### Options inherited from parent commands ### Options inherited from parent commands
@ -56,4 +57,4 @@ helm version
### SEE ALSO ### SEE ALSO
* [helm](helm.md) - The Helm package manager for Kubernetes. * [helm](helm.md) - The Helm package manager for Kubernetes.
###### Auto generated by spf13/cobra on 17-Jun-2018 ###### Auto generated by spf13/cobra on 7-Aug-2018

@ -284,6 +284,23 @@ the host name that Helm connects to matches the host name on the certificate. In
some cases this is awkward, since Helm will connect over localhost, or the FQDN is some cases this is awkward, since Helm will connect over localhost, or the FQDN is
not available for public resolution. not available for public resolution.
*If I use `--tls-verify` on the client, I get `Error: x509: cannot validate certificate for 127.0.0.1 because it doesn't contain any IP SANs`*
By default, the Helm client connects to Tiller via tunnel (i.e. kube proxy) at 127.0.0.1. During the TLS handshake,
a target, usually provided as a hostname (e.g. example.com), is checked against the subject and subject alternative
names of the certificate (i.e. hostname verficiation). However, because of the tunnel, the target is an IP address.
Therefore, to validate the certificate, the IP address 127.0.0.1 must be listed as an IP subject alternative name
(IP SAN) in the Tiller certificate.
For example, to list 127.0.0.1 as an IP SAN when generating the Tiller certificate:
```console
$ echo subjectAltName=IP:127.0.0.1 > extfile.cnf
$ openssl x509 -req -CA ca.cert.pem -CAkey ca.key.pem -CAcreateserial -in tiller.csr.pem -out tiller.cert.pem -days 365 -extfile extfile.cnf
```
Alternatively, you can override the expected hostname of the tiller certificate using the `--tls-hostname` flag.
*If I use `--tls-verify` on the client, I get `Error: x509: certificate has expired or is not yet valid`* *If I use `--tls-verify` on the client, I get `Error: x509: certificate has expired or is not yet valid`*
Your helm certificate has expired, you need to sign a new certificate using your private key and the CA (and consider increasing the number of days) Your helm certificate has expired, you need to sign a new certificate using your private key and the CA (and consider increasing the number of days)

@ -33,6 +33,9 @@ type Options struct {
CertFile string CertFile string
// Client-only options // Client-only options
InsecureSkipVerify bool InsecureSkipVerify bool
// Overrides the server name used to verify the hostname on the returned
// certificates from the server.
ServerName string
// Server-only options // Server-only options
ClientAuth tls.ClientAuthType ClientAuth tls.ClientAuthType
} }
@ -55,8 +58,12 @@ func ClientConfig(opts Options) (cfg *tls.Config, err error) {
return nil, err return nil, err
} }
} }
cfg = &tls.Config{
cfg = &tls.Config{InsecureSkipVerify: opts.InsecureSkipVerify, Certificates: []tls.Certificate{*cert}, RootCAs: pool} InsecureSkipVerify: opts.InsecureSkipVerify,
Certificates: []tls.Certificate{*cert},
ServerName: opts.ServerName,
RootCAs: pool,
}
return cfg, nil return cfg, nil
} }
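Review bot: The comment on the new ServerName field in the Options hunk only says that it overrides the name; because ClientConfig copies it straight into tls.Config, it should also state how it interacts with InsecureSkipVerify and what an empty value means. Suggested comment: `// ServerName is sent as SNI and, unless InsecureSkipVerify is set, is the name the server certificate is verified against. Leave empty to let the dialing layer supply the connection target.` The fallback for an empty value depends on the dialer used by the caller, which is not shown here, so verify that wording against it. ClientConfig begins outside the second hunk.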
