feat: TLS-based client auth support (#71)

vdesjardins · mumoshu · commit 5abc7b26141e · 2018-07-25T11:39:32.000+09:00
Add support for connecting to a Tiller server secured with TLS. Resolves #35
diff --git a/cmd/helpers.go b/cmd/helpers.go
@@ -0,0 +1,79 @@
+package cmd
+
+import (
+	"fmt"
+	"os"
+	"path/filepath"
+
+	"k8s.io/client-go/util/homedir"
+
+	flag "github.com/spf13/pflag"
+	"k8s.io/helm/pkg/helm"
+	helm_env "k8s.io/helm/pkg/helm/environment"
+	"k8s.io/helm/pkg/tlsutil"
+)
+
+const (
+	tlsCaCertDefault = "$HELM_HOME/ca.pem"
+	tlsCertDefault   = "$HELM_HOME/cert.pem"
+	tlsKeyDefault    = "$HELM_HOME/key.pem"
+)
+
+var (
+	settings        helm_env.EnvSettings
+	DefaultHelmHome = filepath.Join(homedir.HomeDir(), ".helm")
+
+	tlsCaCertFile string // path to TLS CA certificate file
+	tlsCertFile   string // path to TLS certificate file
+	tlsKeyFile    string // path to TLS key file
+	tlsVerify     bool   // enable TLS and verify remote certificates
+	tlsEnable     bool   // enable TLS
+)
+
+func addCommonCmdOptions(f *flag.FlagSet) {
+	f.StringVar(&tlsCaCertFile, "tls-ca-cert", tlsCaCertDefault, "path to TLS CA certificate file")
+	f.StringVar(&tlsCertFile, "tls-cert", tlsCertDefault, "path to TLS certificate file")
+	f.StringVar(&tlsKeyFile, "tls-key", tlsKeyDefault, "path to TLS key file")
+	f.BoolVar(&tlsVerify, "tls-verify", false, "enable TLS for request and verify remote")
+	f.BoolVar(&tlsEnable, "tls", false, "enable TLS for request")
+
+	f.StringVar((*string)(&settings.Home), "home", DefaultHelmHome, "location of your Helm config. Overrides $HELM_HOME")
+}
+
+func createHelmClient() helm.Interface {
+	options := []helm.Option{helm.Host(os.Getenv("TILLER_HOST")), helm.ConnectTimeout(int64(30))}
+
+	if tlsVerify || tlsEnable {
+		if tlsCaCertFile == "" {
+			tlsCaCertFile = settings.Home.TLSCaCert()
+		}
+		if tlsCertFile == "" {
+			tlsCertFile = settings.Home.TLSCert()
+		}
+		if tlsKeyFile == "" {
+			tlsKeyFile = settings.Home.TLSKey()
+		}
+
+		tlsopts := tlsutil.Options{KeyFile: tlsKeyFile, CertFile: tlsCertFile, InsecureSkipVerify: true}
+		if tlsVerify {
+			tlsopts.CaCertFile = tlsCaCertFile
+			tlsopts.InsecureSkipVerify = false
+		}
+
+		tlscfg, err := tlsutil.ClientConfig(tlsopts)
+		if err != nil {
+			fmt.Fprintln(os.Stderr, err)
+			os.Exit(2)
+		}
+
+		options = append(options, helm.WithTLS(tlscfg))
+	}
+
+	return helm.NewClient(options...)
+}
+
+func expandTLSPaths() {
+	tlsCaCertFile = os.ExpandEnv(tlsCaCertFile)
+	tlsCertFile = os.ExpandEnv(tlsCertFile)
+	tlsKeyFile = os.ExpandEnv(tlsKeyFile)
+}
diff --git a/cmd/revision.go b/cmd/revision.go
@@ -23,16 +23,16 @@ type revision struct {
 const revisionCmdLongUsage = `
 This command compares the manifests details of a named release.
 
-It can be used to compare the manifests of 
- 
+It can be used to compare the manifests of
+
  - lastest REVISION with specified REVISION
 	$ helm diff revision [flags] RELEASE REVISION1
-   Example: 
+   Example:
 	$ helm diff revision my-release 2
 
  - REVISION1 with REVISION2
 	$ helm diff revision [flags] RELEASE REVISION1 REVISION2
-   Example: 
+   Example:
 	$ helm diff revision my-release 2 3
 `
 
@@ -42,6 +42,9 @@ func revisionCmd() *cobra.Command {
 		Use:   "revision [flags] RELEASE REVISION1 [REVISION2]",
 		Short: "Shows diff between revision's manifests",
 		Long:  revisionCmdLongUsage,
+		PersistentPreRun: func(*cobra.Command, []string) {
+			expandTLSPaths()
+		},
 		RunE: func(cmd *cobra.Command, args []string) error {
 			if v, _ := cmd.Flags().GetBool("version"); v {
 				fmt.Println(Version)
@@ -62,7 +65,7 @@ func revisionCmd() *cobra.Command {
 			diff.release = args[0]
 			diff.revisions = args[1:]
 			if diff.client == nil {
-				diff.client = helm.NewClient(helm.Host(os.Getenv("TILLER_HOST")), helm.ConnectTimeout(int64(30)))
+				diff.client = createHelmClient()
 			}
 			return diff.differentiate()
 		},
@@ -72,6 +75,9 @@ func revisionCmd() *cobra.Command {
 	revisionCmd.Flags().StringArrayVar(&diff.suppressedKinds, "suppress", []string{}, "allows suppression of the values listed in the diff output")
 	revisionCmd.Flags().IntVarP(&diff.outputContext, "context", "C", -1, "output NUM lines of context around changes")
 	revisionCmd.SuggestionsMinimumDistance = 1
+
+	addCommonCmdOptions(revisionCmd.Flags())
+
 	return revisionCmd
 }
 
diff --git a/cmd/rollback.go b/cmd/rollback.go
@@ -20,7 +20,7 @@ type rollback struct {
 }
 
 const rollbackCmdLongUsage = `
-This command compares the laset manifests details of a named release 
+This command compares the laset manifests details of a named release
 with specific revision values to rollback.
 
 It forecasts/visualizes changes, that a helm rollback could perform.
@@ -33,6 +33,9 @@ func rollbackCmd() *cobra.Command {
 		Short:   "Show a diff explaining what a helm rollback could perform",
 		Long:    rollbackCmdLongUsage,
 		Example: "  helm diff rollback my-release 2",
+		PersistentPreRun: func(*cobra.Command, []string) {
+			expandTLSPaths()
+		},
 		RunE: func(cmd *cobra.Command, args []string) error {
 			if v, _ := cmd.Flags().GetBool("version"); v {
 				fmt.Println(Version)
@@ -51,7 +54,7 @@ func rollbackCmd() *cobra.Command {
 			diff.revisions = args[1:]
 
 			if diff.client == nil {
-				diff.client = helm.NewClient(helm.Host(os.Getenv("TILLER_HOST")), helm.ConnectTimeout(int64(30)))
+				diff.client = createHelmClient()
 			}
 
 			return diff.backcast()
@@ -62,6 +65,9 @@ func rollbackCmd() *cobra.Command {
 	rollbackCmd.Flags().StringArrayVar(&diff.suppressedKinds, "suppress", []string{}, "allows suppression of the values listed in the diff output")
 	rollbackCmd.Flags().IntVarP(&diff.outputContext, "context", "C", -1, "output NUM lines of context around changes")
 	rollbackCmd.SuggestionsMinimumDistance = 1
+
+	addCommonCmdOptions(rollbackCmd.Flags())
+
 	return rollbackCmd
 }
 
diff --git a/cmd/upgrade.go b/cmd/upgrade.go
@@ -46,6 +46,9 @@ func newChartCommand() *cobra.Command {
 		Args: func(cmd *cobra.Command, args []string) error {
 			return checkArgsLength(len(args), "release name", "chart path")
 		},
+		PersistentPreRun: func(*cobra.Command, []string) {
+			expandTLSPaths()
+		},
 		RunE: func(cmd *cobra.Command, args []string) error {
 
 			if q, _ := cmd.Flags().GetBool("suppress-secrets"); q {
@@ -55,7 +58,7 @@ func newChartCommand() *cobra.Command {
 			diff.release = args[0]
 			diff.chart = args[1]
 			if diff.client == nil {
-				diff.client = helm.NewClient(helm.Host(os.Getenv("TILLER_HOST")), helm.ConnectTimeout(int64(30)))
+				diff.client = createHelmClient()
 			}
 			return diff.run()
 		},
@@ -73,6 +76,8 @@ func newChartCommand() *cobra.Command {
 	f.StringArrayVar(&diff.suppressedKinds, "suppress", []string{}, "allows suppression of the values listed in the diff output")
 	f.IntVarP(&diff.outputContext, "context", "C", -1, "output NUM lines of context around changes")
 
+	addCommonCmdOptions(f)
+
 	return cmd
 
 }
