fix(helm): fix(helm): add `--tls-hostname` flag to tls flags

docs(*): update tiller_ssl.md to reflect IP SAN usage.
When using helm/tiller in tls-verify mode, 127.0.0.1 should
be listed as an IP SAN in the tiller certificate to pass
hostname verficiation of the TLS handshake.

Closes #4149

cmd/helm/helm.go

@@ -40,6 +40,7 @@ import (
 )
 
 var (
+	tlsServerName string // overrides the server name used to verify the hostname on the returned certificates from the server.
 	tlsCaCertFile string // path to TLS CA certificate file
 	tlsCertFile   string // path to TLS certificate file
 	tlsKeyFile    string // path to TLS key file
@@ -285,8 +286,13 @@ func newClient() helm.Interface {
 		if tlsKeyFile == "" {
 			tlsKeyFile = settings.Home.TLSKey()
 		}
-		debug("Key=%q, Cert=%q, CA=%q\n", tlsKeyFile, tlsCertFile, tlsCaCertFile)
-		tlsopts := tlsutil.Options{KeyFile: tlsKeyFile, CertFile: tlsCertFile, InsecureSkipVerify: true}
+		debug("Host=%q, Key=%q, Cert=%q, CA=%q\n", tlsKeyFile, tlsCertFile, tlsCaCertFile)
+		tlsopts := tlsutil.Options{
+			ServerName:         tlsServerName,
+			KeyFile:            tlsKeyFile,
+			CertFile:           tlsCertFile,
+			InsecureSkipVerify: true,
+		}
 		if tlsVerify {
 			tlsopts.CaCertFile = tlsCaCertFile
 			tlsopts.InsecureSkipVerify = false
@@ -306,6 +312,7 @@ func newClient() helm.Interface {
 func addFlagsTLS(cmd *cobra.Command) *cobra.Command {
 
 	// add flags
+	cmd.Flags().StringVar(&tlsServerName, "tls-hostname", settings.TillerHost, "the server name used to verify the hostname on the returned certificates from the server")
 	cmd.Flags().StringVar(&tlsCaCertFile, "tls-ca-cert", tlsCaCertDefault, "path to TLS CA certificate file")
 	cmd.Flags().StringVar(&tlsCertFile, "tls-cert", tlsCertDefault, "path to TLS certificate file")
 	cmd.Flags().StringVar(&tlsKeyFile, "tls-key", tlsKeyDefault, "path to TLS key file")

docs/helm/helm_delete.md

@@ -20,16 +20,17 @@ helm delete [flags] RELEASE_NAME [...]
 ### Options
 
 ```
-      --description string   specify a description for the release
-      --dry-run              simulate a delete
-      --no-hooks             prevent hooks from running during deletion
-      --purge                remove the release from the store and make its name free for later use
-      --timeout int          time in seconds to wait for any individual Kubernetes operation (like Jobs for hooks) (default 300)
-      --tls                  enable TLS for request
-      --tls-ca-cert string   path to TLS CA certificate file (default "$HELM_HOME/ca.pem")
-      --tls-cert string      path to TLS certificate file (default "$HELM_HOME/cert.pem")
-      --tls-key string       path to TLS key file (default "$HELM_HOME/key.pem")
-      --tls-verify           enable TLS for request and verify remote
+      --description string    specify a description for the release
+      --dry-run               simulate a delete
+      --no-hooks              prevent hooks from running during deletion
+      --purge                 remove the release from the store and make its name free for later use
+      --timeout int           time in seconds to wait for any individual Kubernetes operation (like Jobs for hooks) (default 300)
+      --tls                   enable TLS for request
+      --tls-ca-cert string    path to TLS CA certificate file (default "$HELM_HOME/ca.pem")
+      --tls-cert string       path to TLS certificate file (default "$HELM_HOME/cert.pem")
+      --tls-hostname string   the server name used to verify the hostname on the returned certificates from the server
+      --tls-key string        path to TLS key file (default "$HELM_HOME/key.pem")
+      --tls-verify            enable TLS for request and verify remote
 ```
 
 ### Options inherited from parent commands
@@ -47,4 +48,4 @@ helm delete [flags] RELEASE_NAME [...]
 ### SEE ALSO
 * [helm](helm.md)	 - The Helm package manager for Kubernetes.
 
-###### Auto generated by spf13/cobra on 17-Jun-2018
+###### Auto generated by spf13/cobra on 7-Aug-2018

docs/helm/helm_get.md

@@ -25,12 +25,13 @@ helm get [flags] RELEASE_NAME
 ### Options
 
 ```
-      --revision int32       get the named release with revision
-      --tls                  enable TLS for request
-      --tls-ca-cert string   path to TLS CA certificate file (default "$HELM_HOME/ca.pem")
-      --tls-cert string      path to TLS certificate file (default "$HELM_HOME/cert.pem")
-      --tls-key string       path to TLS key file (default "$HELM_HOME/key.pem")
-      --tls-verify           enable TLS for request and verify remote
+      --revision int32        get the named release with revision
+      --tls                   enable TLS for request
+      --tls-ca-cert string    path to TLS CA certificate file (default "$HELM_HOME/ca.pem")
+      --tls-cert string       path to TLS certificate file (default "$HELM_HOME/cert.pem")
+      --tls-hostname string   the server name used to verify the hostname on the returned certificates from the server
+      --tls-key string        path to TLS key file (default "$HELM_HOME/key.pem")
+      --tls-verify            enable TLS for request and verify remote
 ```
 
 ### Options inherited from parent commands
@@ -51,4 +52,4 @@ helm get [flags] RELEASE_NAME
 * [helm get manifest](helm_get_manifest.md)	 - download the manifest for a named release
 * [helm get values](helm_get_values.md)	 - download the values file for a named release
 
-###### Auto generated by spf13/cobra on 17-Jun-2018
+###### Auto generated by spf13/cobra on 7-Aug-2018

docs/helm/helm_get_hooks.md

@@ -18,12 +18,13 @@ helm get hooks [flags] RELEASE_NAME
 ### Options
 
 ```
-      --revision int32       get the named release with revision
-      --tls                  enable TLS for request
-      --tls-ca-cert string   path to TLS CA certificate file (default "$HELM_HOME/ca.pem")
-      --tls-cert string      path to TLS certificate file (default "$HELM_HOME/cert.pem")
-      --tls-key string       path to TLS key file (default "$HELM_HOME/key.pem")
-      --tls-verify           enable TLS for request and verify remote
+      --revision int32        get the named release with revision
+      --tls                   enable TLS for request
+      --tls-ca-cert string    path to TLS CA certificate file (default "$HELM_HOME/ca.pem")
+      --tls-cert string       path to TLS certificate file (default "$HELM_HOME/cert.pem")
+      --tls-hostname string   the server name used to verify the hostname on the returned certificates from the server
+      --tls-key string        path to TLS key file (default "$HELM_HOME/key.pem")
+      --tls-verify            enable TLS for request and verify remote
 ```
 
 ### Options inherited from parent commands
@@ -41,4 +42,4 @@ helm get hooks [flags] RELEASE_NAME
 ### SEE ALSO
 * [helm get](helm_get.md)	 - download a named release
 
-###### Auto generated by spf13/cobra on 17-Jun-2018
+###### Auto generated by spf13/cobra on 7-Aug-2018

docs/helm/helm_get_manifest.md

@@ -20,12 +20,13 @@ helm get manifest [flags] RELEASE_NAME
 ### Options
 
 ```
-      --revision int32       get the named release with revision
-      --tls                  enable TLS for request
-      --tls-ca-cert string   path to TLS CA certificate file (default "$HELM_HOME/ca.pem")
-      --tls-cert string      path to TLS certificate file (default "$HELM_HOME/cert.pem")
-      --tls-key string       path to TLS key file (default "$HELM_HOME/key.pem")
-      --tls-verify           enable TLS for request and verify remote
+      --revision int32        get the named release with revision
+      --tls                   enable TLS for request
+      --tls-ca-cert string    path to TLS CA certificate file (default "$HELM_HOME/ca.pem")
+      --tls-cert string       path to TLS certificate file (default "$HELM_HOME/cert.pem")
+      --tls-hostname string   the server name used to verify the hostname on the returned certificates from the server
+      --tls-key string        path to TLS key file (default "$HELM_HOME/key.pem")
+      --tls-verify            enable TLS for request and verify remote
 ```
 
 ### Options inherited from parent commands
@@ -43,4 +44,4 @@ helm get manifest [flags] RELEASE_NAME
 ### SEE ALSO
 * [helm get](helm_get.md)	 - download a named release
 
-###### Auto generated by spf13/cobra on 17-Jun-2018
+###### Auto generated by spf13/cobra on 7-Aug-2018

docs/helm/helm_get_values.md

@@ -16,13 +16,14 @@ helm get values [flags] RELEASE_NAME
 ### Options
 
 ```
-  -a, --all                  dump all (computed) values
-      --revision int32       get the named release with revision
-      --tls                  enable TLS for request
-      --tls-ca-cert string   path to TLS CA certificate file (default "$HELM_HOME/ca.pem")
-      --tls-cert string      path to TLS certificate file (default "$HELM_HOME/cert.pem")
-      --tls-key string       path to TLS key file (default "$HELM_HOME/key.pem")
-      --tls-verify           enable TLS for request and verify remote
+  -a, --all                   dump all (computed) values
+      --revision int32        get the named release with revision
+      --tls                   enable TLS for request
+      --tls-ca-cert string    path to TLS CA certificate file (default "$HELM_HOME/ca.pem")
+      --tls-cert string       path to TLS certificate file (default "$HELM_HOME/cert.pem")
+      --tls-hostname string   the server name used to verify the hostname on the returned certificates from the server
+      --tls-key string        path to TLS key file (default "$HELM_HOME/key.pem")
+      --tls-verify            enable TLS for request and verify remote
 ```
 
 ### Options inherited from parent commands
@@ -40,4 +41,4 @@ helm get values [flags] RELEASE_NAME
 ### SEE ALSO
 * [helm get](helm_get.md)	 - download a named release
 
-###### Auto generated by spf13/cobra on 17-Jun-2018
+###### Auto generated by spf13/cobra on 7-Aug-2018

docs/helm/helm_history.md

@@ -28,14 +28,15 @@ helm history [flags] RELEASE_NAME
 ### Options
 
 ```
-      --col-width uint       specifies the max column width of output (default 60)
-      --max int32            maximum number of revision to include in history (default 256)
-  -o, --output string        prints the output in the specified format (json|table|yaml) (default "table")
-      --tls                  enable TLS for request
-      --tls-ca-cert string   path to TLS CA certificate file (default "$HELM_HOME/ca.pem")
-      --tls-cert string      path to TLS certificate file (default "$HELM_HOME/cert.pem")
-      --tls-key string       path to TLS key file (default "$HELM_HOME/key.pem")
-      --tls-verify           enable TLS for request and verify remote
+      --col-width uint        specifies the max column width of output (default 60)
+      --max int32             maximum number of revision to include in history (default 256)
+  -o, --output string         prints the output in the specified format (json|table|yaml) (default "table")
+      --tls                   enable TLS for request
+      --tls-ca-cert string    path to TLS CA certificate file (default "$HELM_HOME/ca.pem")
+      --tls-cert string       path to TLS certificate file (default "$HELM_HOME/cert.pem")
+      --tls-hostname string   the server name used to verify the hostname on the returned certificates from the server
+      --tls-key string        path to TLS key file (default "$HELM_HOME/key.pem")
+      --tls-verify            enable TLS for request and verify remote
 ```
 
 ### Options inherited from parent commands
@@ -53,4 +54,4 @@ helm history [flags] RELEASE_NAME
 ### SEE ALSO
 * [helm](helm.md)	 - The Helm package manager for Kubernetes.
 
-###### Auto generated by spf13/cobra on 17-Jun-2018
+###### Auto generated by spf13/cobra on 7-Aug-2018

docs/helm/helm_install.md

@@ -102,6 +102,7 @@ helm install [CHART]
       --tls                      enable TLS for request
       --tls-ca-cert string       path to TLS CA certificate file (default "$HELM_HOME/ca.pem")
       --tls-cert string          path to TLS certificate file (default "$HELM_HOME/cert.pem")
+      --tls-hostname string      the server name used to verify the hostname on the returned certificates from the server
       --tls-key string           path to TLS key file (default "$HELM_HOME/key.pem")
       --tls-verify               enable TLS for request and verify remote
       --username string          chart repository username where to locate the requested chart
@@ -126,4 +127,4 @@ helm install [CHART]
 ### SEE ALSO
 * [helm](helm.md)	 - The Helm package manager for Kubernetes.
 
-###### Auto generated by spf13/cobra on 17-Jul-2018
+###### Auto generated by spf13/cobra on 7-Aug-2018

docs/helm/helm_list.md

@@ -39,25 +39,26 @@ helm list [flags] [FILTER]
 ### Options
 
 ```
-  -a, --all                  show all releases, not just the ones marked DEPLOYED
-      --col-width uint       specifies the max column width of output (default 60)
-  -d, --date                 sort by release date
-      --deleted              show deleted releases
-      --deleting             show releases that are currently being deleted
-      --deployed             show deployed releases. If no other is specified, this will be automatically enabled
-      --failed               show failed releases
-  -m, --max int              maximum number of releases to fetch (default 256)
-      --namespace string     show releases within a specific namespace
-  -o, --offset string        next release name in the list, used to offset from start value
-      --output string        output the specified format (json or yaml)
-      --pending              show pending releases
-  -r, --reverse              reverse the sort order
-  -q, --short                output short (quiet) listing format
-      --tls                  enable TLS for request
-      --tls-ca-cert string   path to TLS CA certificate file (default "$HELM_HOME/ca.pem")
-      --tls-cert string      path to TLS certificate file (default "$HELM_HOME/cert.pem")
-      --tls-key string       path to TLS key file (default "$HELM_HOME/key.pem")
-      --tls-verify           enable TLS for request and verify remote
+  -a, --all                   show all releases, not just the ones marked DEPLOYED
+      --col-width uint        specifies the max column width of output (default 60)
+  -d, --date                  sort by release date
+      --deleted               show deleted releases
+      --deleting              show releases that are currently being deleted
+      --deployed              show deployed releases. If no other is specified, this will be automatically enabled
+      --failed                show failed releases
+  -m, --max int               maximum number of releases to fetch (default 256)
+      --namespace string      show releases within a specific namespace
+  -o, --offset string         next release name in the list, used to offset from start value
+      --output string         output the specified format (json or yaml)
+      --pending               show pending releases
+  -r, --reverse               reverse the sort order
+  -q, --short                 output short (quiet) listing format
+      --tls                   enable TLS for request
+      --tls-ca-cert string    path to TLS CA certificate file (default "$HELM_HOME/ca.pem")
+      --tls-cert string       path to TLS certificate file (default "$HELM_HOME/cert.pem")
+      --tls-hostname string   the server name used to verify the hostname on the returned certificates from the server
+      --tls-key string        path to TLS key file (default "$HELM_HOME/key.pem")
+      --tls-verify            enable TLS for request and verify remote
 ```
 
 ### Options inherited from parent commands
@@ -75,4 +76,4 @@ helm list [flags] [FILTER]
 ### SEE ALSO
 * [helm](helm.md)	 - The Helm package manager for Kubernetes.
 
-###### Auto generated by spf13/cobra on 17-Jun-2018
+###### Auto generated by spf13/cobra on 7-Aug-2018

docs/helm/helm_reset.md

@@ -18,13 +18,14 @@ helm reset
 ### Options
 
 ```
-  -f, --force                forces Tiller uninstall even if there are releases installed, or if Tiller is not in ready state. Releases are not deleted.)
-      --remove-helm-home     if set deletes $HELM_HOME
-      --tls                  enable TLS for request
-      --tls-ca-cert string   path to TLS CA certificate file (default "$HELM_HOME/ca.pem")
-      --tls-cert string      path to TLS certificate file (default "$HELM_HOME/cert.pem")
-      --tls-key string       path to TLS key file (default "$HELM_HOME/key.pem")
-      --tls-verify           enable TLS for request and verify remote
+  -f, --force                 forces Tiller uninstall even if there are releases installed, or if Tiller is not in ready state. Releases are not deleted.)
+      --remove-helm-home      if set deletes $HELM_HOME
+      --tls                   enable TLS for request
+      --tls-ca-cert string    path to TLS CA certificate file (default "$HELM_HOME/ca.pem")
+      --tls-cert string       path to TLS certificate file (default "$HELM_HOME/cert.pem")
+      --tls-hostname string   the server name used to verify the hostname on the returned certificates from the server
+      --tls-key string        path to TLS key file (default "$HELM_HOME/key.pem")
+      --tls-verify            enable TLS for request and verify remote
 ```
 
 ### Options inherited from parent commands
@@ -42,4 +43,4 @@ helm reset
 ### SEE ALSO
 * [helm](helm.md)	 - The Helm package manager for Kubernetes.
 
-###### Auto generated by spf13/cobra on 17-Jun-2018
+###### Auto generated by spf13/cobra on 7-Aug-2018

docs/helm/helm_rollback.md

@@ -20,18 +20,19 @@ helm rollback [flags] [RELEASE] [REVISION]
 ### Options
 
 ```
-      --description string   specify a description for the release
-      --dry-run              simulate a rollback
-      --force                force resource update through delete/recreate if needed
-      --no-hooks             prevent hooks from running during rollback
-      --recreate-pods        performs pods restart for the resource if applicable
-      --timeout int          time in seconds to wait for any individual Kubernetes operation (like Jobs for hooks) (default 300)
-      --tls                  enable TLS for request
-      --tls-ca-cert string   path to TLS CA certificate file (default "$HELM_HOME/ca.pem")
-      --tls-cert string      path to TLS certificate file (default "$HELM_HOME/cert.pem")
-      --tls-key string       path to TLS key file (default "$HELM_HOME/key.pem")
-      --tls-verify           enable TLS for request and verify remote
-      --wait                 if set, will wait until all Pods, PVCs, Services, and minimum number of Pods of a Deployment are in a ready state before marking the release as successful. It will wait for as long as --timeout
+      --description string    specify a description for the release
+      --dry-run               simulate a rollback
+      --force                 force resource update through delete/recreate if needed
+      --no-hooks              prevent hooks from running during rollback
+      --recreate-pods         performs pods restart for the resource if applicable
+      --timeout int           time in seconds to wait for any individual Kubernetes operation (like Jobs for hooks) (default 300)
+      --tls                   enable TLS for request
+      --tls-ca-cert string    path to TLS CA certificate file (default "$HELM_HOME/ca.pem")
+      --tls-cert string       path to TLS certificate file (default "$HELM_HOME/cert.pem")
+      --tls-hostname string   the server name used to verify the hostname on the returned certificates from the server
+      --tls-key string        path to TLS key file (default "$HELM_HOME/key.pem")
+      --tls-verify            enable TLS for request and verify remote
+      --wait                  if set, will wait until all Pods, PVCs, Services, and minimum number of Pods of a Deployment are in a ready state before marking the release as successful. It will wait for as long as --timeout
 ```
 
 ### Options inherited from parent commands
@@ -49,4 +50,4 @@ helm rollback [flags] [RELEASE] [REVISION]
 ### SEE ALSO
 * [helm](helm.md)	 - The Helm package manager for Kubernetes.
 
-###### Auto generated by spf13/cobra on 17-Jun-2018
+###### Auto generated by spf13/cobra on 7-Aug-2018

docs/helm/helm_status.md

@@ -23,13 +23,14 @@ helm status [flags] RELEASE_NAME
 ### Options
 
 ```
-  -o, --output string        output the status in the specified format (json or yaml)
-      --revision int32       if set, display the status of the named release with revision
-      --tls                  enable TLS for request
-      --tls-ca-cert string   path to TLS CA certificate file (default "$HELM_HOME/ca.pem")
-      --tls-cert string      path to TLS certificate file (default "$HELM_HOME/cert.pem")
-      --tls-key string       path to TLS key file (default "$HELM_HOME/key.pem")
-      --tls-verify           enable TLS for request and verify remote
+  -o, --output string         output the status in the specified format (json or yaml)
+      --revision int32        if set, display the status of the named release with revision
+      --tls                   enable TLS for request
+      --tls-ca-cert string    path to TLS CA certificate file (default "$HELM_HOME/ca.pem")
+      --tls-cert string       path to TLS certificate file (default "$HELM_HOME/cert.pem")
+      --tls-hostname string   the server name used to verify the hostname on the returned certificates from the server
+      --tls-key string        path to TLS key file (default "$HELM_HOME/key.pem")
+      --tls-verify            enable TLS for request and verify remote
 ```
 
 ### Options inherited from parent commands
@@ -47,4 +48,4 @@ helm status [flags] RELEASE_NAME
 ### SEE ALSO
 * [helm](helm.md)	 - The Helm package manager for Kubernetes.
 
-###### Auto generated by spf13/cobra on 17-Jun-2018
+###### Auto generated by spf13/cobra on 7-Aug-2018

docs/helm/helm_test.md

@@ -19,13 +19,14 @@ helm test [RELEASE]
 ### Options
 
 ```
-      --cleanup              delete test pods upon completion
-      --timeout int          time in seconds to wait for any individual Kubernetes operation (like Jobs for hooks) (default 300)
-      --tls                  enable TLS for request
-      --tls-ca-cert string   path to TLS CA certificate file (default "$HELM_HOME/ca.pem")
-      --tls-cert string      path to TLS certificate file (default "$HELM_HOME/cert.pem")
-      --tls-key string       path to TLS key file (default "$HELM_HOME/key.pem")
-      --tls-verify           enable TLS for request and verify remote
+      --cleanup               delete test pods upon completion
+      --timeout int           time in seconds to wait for any individual Kubernetes operation (like Jobs for hooks) (default 300)
+      --tls                   enable TLS for request
+      --tls-ca-cert string    path to TLS CA certificate file (default "$HELM_HOME/ca.pem")
+      --tls-cert string       path to TLS certificate file (default "$HELM_HOME/cert.pem")
+      --tls-hostname string   the server name used to verify the hostname on the returned certificates from the server
+      --tls-key string        path to TLS key file (default "$HELM_HOME/key.pem")
+      --tls-verify            enable TLS for request and verify remote
 ```
 
 ### Options inherited from parent commands
@@ -43,4 +44,4 @@ helm test [RELEASE]
 ### SEE ALSO
 * [helm](helm.md)	 - The Helm package manager for Kubernetes.
 
-###### Auto generated by spf13/cobra on 17-Jun-2018
+###### Auto generated by spf13/cobra on 7-Aug-2018

docs/helm/helm_upgrade.md

@@ -62,6 +62,7 @@ helm upgrade [RELEASE] [CHART]
       --tls                      enable TLS for request
       --tls-ca-cert string       path to TLS CA certificate file (default "$HELM_HOME/ca.pem")
       --tls-cert string          path to TLS certificate file (default "$HELM_HOME/cert.pem")
+      --tls-hostname string      the server name used to verify the hostname on the returned certificates from the server
       --tls-key string           path to TLS key file (default "$HELM_HOME/key.pem")
       --tls-verify               enable TLS for request and verify remote
       --username string          chart repository username where to locate the requested chart
@@ -86,4 +87,4 @@ helm upgrade [RELEASE] [CHART]
 ### SEE ALSO
 * [helm](helm.md)	 - The Helm package manager for Kubernetes.
 
-###### Auto generated by spf13/cobra on 17-May-2018
+###### Auto generated by spf13/cobra on 7-Aug-2018

docs/helm/helm_version.md

@@ -30,15 +30,16 @@ helm version
 ### Options
 
 ```
-  -c, --client               client version only
-  -s, --server               server version only
-      --short                print the version number
-      --template string      template for version string format
-      --tls                  enable TLS for request
-      --tls-ca-cert string   path to TLS CA certificate file (default "$HELM_HOME/ca.pem")
-      --tls-cert string      path to TLS certificate file (default "$HELM_HOME/cert.pem")
-      --tls-key string       path to TLS key file (default "$HELM_HOME/key.pem")
-      --tls-verify           enable TLS for request and verify remote
+  -c, --client                client version only
+  -s, --server                server version only
+      --short                 print the version number
+      --template string       template for version string format
+      --tls                   enable TLS for request
+      --tls-ca-cert string    path to TLS CA certificate file (default "$HELM_HOME/ca.pem")
+      --tls-cert string       path to TLS certificate file (default "$HELM_HOME/cert.pem")
+      --tls-hostname string   the server name used to verify the hostname on the returned certificates from the server
+      --tls-key string        path to TLS key file (default "$HELM_HOME/key.pem")
+      --tls-verify            enable TLS for request and verify remote
 ```
 
 ### Options inherited from parent commands
@@ -56,4 +57,4 @@ helm version
 ### SEE ALSO
 * [helm](helm.md)	 - The Helm package manager for Kubernetes.
 
-###### Auto generated by spf13/cobra on 17-Jun-2018
+###### Auto generated by spf13/cobra on 7-Aug-2018

docs/tiller_ssl.md

@@ -284,6 +284,23 @@ the host name that Helm connects to matches the host name on the certificate. In
 some cases this is awkward, since Helm will connect over localhost, or the FQDN is
 not available for public resolution.
 
+*If I use `--tls-verify` on the client, I get `Error: x509: cannot validate certificate for 127.0.0.1 because it doesn't contain any IP SANs`*
+
+By default, the Helm client connects to Tiller via tunnel (i.e. kube proxy) at 127.0.0.1. During the TLS handshake,
+a target, usually provided as a hostname (e.g. example.com), is checked against the subject and subject alternative
+names of the certificate (i.e. hostname verficiation). However, because of the tunnel, the target is an IP address.
+Therefore, to validate the certificate, the IP address 127.0.0.1 must be listed as an IP subject alternative name
+(IP SAN) in the Tiller certificate.
+
+For example, to list 127.0.0.1 as an IP SAN when generating the Tiller certificate:
+
+```console
+$ echo subjectAltName=IP:127.0.0.1 > extfile.cnf
+$ openssl x509 -req -CA ca.cert.pem -CAkey ca.key.pem -CAcreateserial -in tiller.csr.pem -out tiller.cert.pem -days 365 -extfile extfile.cnf
+```
+
+Alternatively, you can override the expected hostname of the tiller certificate using the `--tls-hostname` flag.
+
 *If I use `--tls-verify` on the client, I get `Error: x509: certificate has expired or is not yet valid`*
 
 Your helm certificate has expired, you need to sign a new certificate using your private key and the CA (and consider increasing the number of days)

pkg/tlsutil/cfg.go

@@ -33,6 +33,9 @@ type Options struct {
 	CertFile string
 	// Client-only options
 	InsecureSkipVerify bool
+	// Overrides the server name used to verify the hostname on the returned
+	// certificates from the server.
+	ServerName string
 	// Server-only options
 	ClientAuth tls.ClientAuthType
 }
@@ -55,8 +58,12 @@ func ClientConfig(opts Options) (cfg *tls.Config, err error) {
 			return nil, err
 		}
 	}
-
-	cfg = &tls.Config{InsecureSkipVerify: opts.InsecureSkipVerify, Certificates: []tls.Certificate{*cert}, RootCAs: pool}
+	cfg = &tls.Config{
+		InsecureSkipVerify: opts.InsecureSkipVerify,
+		Certificates:       []tls.Certificate{*cert},
+		ServerName:         opts.ServerName,
+		RootCAs:            pool,
+	}
 	return cfg, nil
 }