Unverified Commit e8e6ac5d authored by Matt Butcher's avatar Matt Butcher Committed by GitHub

Fix/missing ssl params (#3152)

* fix(helm): add TLS params back

During a recent refactor, several TLS flags stopped being processed for
a few of the commands. This fixes those commands, and documents how to
set up TLS.

* fix(tiller): add stricter certificate verification

The older version of Tiller allowed a weaker set of certificate checks
than we intended. This version requires a client certificate, and then
requires that that certificate be signed by a known CA. This works
around the situation where a user could provide a self-signed
certificate.
parent 4167c56a
...@@ -64,7 +64,7 @@ func newGetCmd(client helm.Interface, out io.Writer) *cobra.Command { ...@@ -64,7 +64,7 @@ func newGetCmd(client helm.Interface, out io.Writer) *cobra.Command {
} }
get.release = args[0] get.release = args[0]
if get.client == nil { if get.client == nil {
get.client = helm.NewClient(helm.Host(settings.TillerHost)) get.client = newClient()
} }
return get.run() return get.run()
}, },
...@@ -72,9 +72,9 @@ func newGetCmd(client helm.Interface, out io.Writer) *cobra.Command { ...@@ -72,9 +72,9 @@ func newGetCmd(client helm.Interface, out io.Writer) *cobra.Command {
cmd.Flags().Int32Var(&get.version, "revision", 0, "get the named release with revision") cmd.Flags().Int32Var(&get.version, "revision", 0, "get the named release with revision")
cmd.AddCommand(newGetValuesCmd(nil, out)) cmd.AddCommand(addFlagsTLS(newGetValuesCmd(nil, out)))
cmd.AddCommand(newGetManifestCmd(nil, out)) cmd.AddCommand(addFlagsTLS(newGetManifestCmd(nil, out)))
cmd.AddCommand(newGetHooksCmd(nil, out)) cmd.AddCommand(addFlagsTLS(newGetHooksCmd(nil, out)))
return cmd return cmd
} }
...@@ -45,6 +45,10 @@ var ( ...@@ -45,6 +45,10 @@ var (
tlsVerify bool // enable TLS and verify remote certificates tlsVerify bool // enable TLS and verify remote certificates
tlsEnable bool // enable TLS tlsEnable bool // enable TLS
tlsCaCertDefault = "$HELM_HOME/ca.pem"
tlsCertDefault = "$HELM_HOME/cert.pem"
tlsKeyDefault = "$HELM_HOME/key.pem"
tillerTunnel *kube.Tunnel tillerTunnel *kube.Tunnel
settings helm_env.EnvSettings settings helm_env.EnvSettings
) )
...@@ -263,6 +267,16 @@ func newClient() helm.Interface { ...@@ -263,6 +267,16 @@ func newClient() helm.Interface {
options := []helm.Option{helm.Host(settings.TillerHost)} options := []helm.Option{helm.Host(settings.TillerHost)}
if tlsVerify || tlsEnable { if tlsVerify || tlsEnable {
if tlsCaCertFile == "" {
tlsCaCertFile = os.ExpandEnv(tlsCaCertDefault)
}
if tlsCertFile == "" {
tlsCertFile = os.ExpandEnv(tlsCertDefault)
}
if tlsKeyFile == "" {
tlsKeyFile = os.ExpandEnv(tlsKeyDefault)
}
debug("Key=%q, Cert=%q, CA=%q\n", tlsKeyFile, tlsCertFile, tlsCaCertFile)
tlsopts := tlsutil.Options{KeyFile: tlsKeyFile, CertFile: tlsCertFile, InsecureSkipVerify: true} tlsopts := tlsutil.Options{KeyFile: tlsKeyFile, CertFile: tlsCertFile, InsecureSkipVerify: true}
if tlsVerify { if tlsVerify {
tlsopts.CaCertFile = tlsCaCertFile tlsopts.CaCertFile = tlsCaCertFile
...@@ -281,12 +295,6 @@ func newClient() helm.Interface { ...@@ -281,12 +295,6 @@ func newClient() helm.Interface {
// addFlagsTLS adds the flags for supporting client side TLS to the // addFlagsTLS adds the flags for supporting client side TLS to the
// helm command (only those that invoke communicate to Tiller.) // helm command (only those that invoke communicate to Tiller.)
func addFlagsTLS(cmd *cobra.Command) *cobra.Command { func addFlagsTLS(cmd *cobra.Command) *cobra.Command {
// defaults
var (
tlsCaCertDefault = "$HELM_HOME/ca.pem"
tlsCertDefault = "$HELM_HOME/cert.pem"
tlsKeyDefault = "$HELM_HOME/key.pem"
)
// add flags // add flags
cmd.Flags().StringVar(&tlsCaCertFile, "tls-ca-cert", tlsCaCertDefault, "path to TLS CA certificate file") cmd.Flags().StringVar(&tlsCaCertFile, "tls-ca-cert", tlsCaCertDefault, "path to TLS CA certificate file")
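Review bot: The `== ""` fallbacks added at the top of newClient never fire for a command that went through addFlagsTLS, because the flag default registered on the last line of this section is the unexpanded literal tlsCaCertDefault (`$HELM_HOME/ca.pem`), so tlsCaCertFile already holds that text and the unexpanded path is handed to tlsutil; the same applies to the cert and key paths. Expanding unconditionally covers both the empty and the default case: `tlsCaCertFile = os.ExpandEnv(tlsCaCertFile)`, `tlsCertFile = os.ExpandEnv(tlsCertFile)`, `tlsKeyFile = os.ExpandEnv(tlsKeyFile)`. os.ExpandEnv also only helps when HELM_HOME is actually exported in the environment, which a home set any other way would not guarantee, so resolving the defaults from settings would be more robust — I cannot confirm from here what settings exposes. The rest of the tlsVerify branch, including whether InsecureSkipVerify is cleared when verification is requested, lies past the hunk.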
...@@ -66,7 +66,7 @@ func newHistoryCmd(c helm.Interface, w io.Writer) *cobra.Command { ...@@ -66,7 +66,7 @@ func newHistoryCmd(c helm.Interface, w io.Writer) *cobra.Command {
case len(args) == 0: case len(args) == 0:
return errReleaseRequired return errReleaseRequired
case his.helmc == nil: case his.helmc == nil:
his.helmc = helm.NewClient(helm.Host(settings.TillerHost)) his.helmc = newClient()
} }
his.rls = args[0] his.rls = args[0]
return his.run() return his.run()
...@@ -93,7 +93,7 @@ func newListCmd(client helm.Interface, out io.Writer) *cobra.Command { ...@@ -93,7 +93,7 @@ func newListCmd(client helm.Interface, out io.Writer) *cobra.Command {
list.filter = strings.Join(args, " ") list.filter = strings.Join(args, " ")
} }
if list.client == nil { if list.client == nil {
list.client = helm.NewClient(helm.Host(settings.TillerHost)) list.client = newClient()
} }
return list.run() return list.run()
}, },
...@@ -67,7 +67,7 @@ func newStatusCmd(client helm.Interface, out io.Writer) *cobra.Command { ...@@ -67,7 +67,7 @@ func newStatusCmd(client helm.Interface, out io.Writer) *cobra.Command {
} }
status.release = args[0] status.release = args[0]
if status.client == nil { if status.client == nil {
status.client = helm.NewClient(helm.Host(settings.TillerHost)) status.client = newClient()
} }
return status.run() return status.run()
}, },
...@@ -232,7 +232,11 @@ func tlsOptions() tlsutil.Options { ...@@ -232,7 +232,11 @@ func tlsOptions() tlsutil.Options {
opts := tlsutil.Options{CertFile: *certFile, KeyFile: *keyFile} opts := tlsutil.Options{CertFile: *certFile, KeyFile: *keyFile}
if *tlsVerify { if *tlsVerify {
opts.CaCertFile = *caCertFile opts.CaCertFile = *caCertFile
opts.ClientAuth = tls.VerifyClientCertIfGiven
// We want to force the client to not only provide a cert, but to
// provide a cert that we can validate.
// http://www.bite-code.com/2015/06/25/tls-mutual-auth-in-golang/
opts.ClientAuth = tls.RequireAndVerifyClientCert
} }
return opts return opts
} }
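Review bot: `tls.RequireAndVerifyClientCert` is set only inside the `if *tlsVerify` branch, so a Tiller started with TLS enabled but without --tls-verify keeps the zero-value ClientAuth (tls.NoClientCert) and accepts connections without any client certificate; the commit message's "requires a client certificate" holds only when --tls-verify is given. That is a reasonable design, but it should be stated at the branch so operators do not assume encryption alone gives mutual authentication: `// Only --tls-verify enforces mutual TLS; without it no client certificate is requested.` The blog link in the new comment could be replaced by a reference to the crypto/tls ClientAuthType documentation, which is the authoritative description of the mode.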
...@@ -19,6 +19,11 @@ helm get hooks [flags] RELEASE_NAME ...@@ -19,6 +19,11 @@ helm get hooks [flags] RELEASE_NAME
``` ```
--revision int32 get the named release with revision --revision int32 get the named release with revision
--tls enable TLS for request
--tls-ca-cert string path to TLS CA certificate file (default "$HELM_HOME/ca.pem")
--tls-cert string path to TLS certificate file (default "$HELM_HOME/cert.pem")
--tls-key string path to TLS key file (default "$HELM_HOME/key.pem")
--tls-verify enable TLS for request and verify remote
``` ```
### Options inherited from parent commands ### Options inherited from parent commands
...@@ -35,4 +40,4 @@ helm get hooks [flags] RELEASE_NAME ...@@ -35,4 +40,4 @@ helm get hooks [flags] RELEASE_NAME
### SEE ALSO ### SEE ALSO
* [helm get](helm_get.md) - download a named release * [helm get](helm_get.md) - download a named release
###### Auto generated by spf13/cobra on 7-Nov-2017 ###### Auto generated by spf13/cobra on 15-Nov-2017
...@@ -21,6 +21,11 @@ helm get manifest [flags] RELEASE_NAME ...@@ -21,6 +21,11 @@ helm get manifest [flags] RELEASE_NAME
``` ```
--revision int32 get the named release with revision --revision int32 get the named release with revision
--tls enable TLS for request
--tls-ca-cert string path to TLS CA certificate file (default "$HELM_HOME/ca.pem")
--tls-cert string path to TLS certificate file (default "$HELM_HOME/cert.pem")
--tls-key string path to TLS key file (default "$HELM_HOME/key.pem")
--tls-verify enable TLS for request and verify remote
``` ```
### Options inherited from parent commands ### Options inherited from parent commands
...@@ -37,4 +42,4 @@ helm get manifest [flags] RELEASE_NAME ...@@ -37,4 +42,4 @@ helm get manifest [flags] RELEASE_NAME
### SEE ALSO ### SEE ALSO
* [helm get](helm_get.md) - download a named release * [helm get](helm_get.md) - download a named release
###### Auto generated by spf13/cobra on 7-Nov-2017 ###### Auto generated by spf13/cobra on 15-Nov-2017
...@@ -18,6 +18,11 @@ helm get values [flags] RELEASE_NAME ...@@ -18,6 +18,11 @@ helm get values [flags] RELEASE_NAME
``` ```
-a, --all dump all (computed) values -a, --all dump all (computed) values
--revision int32 get the named release with revision --revision int32 get the named release with revision
--tls enable TLS for request
--tls-ca-cert string path to TLS CA certificate file (default "$HELM_HOME/ca.pem")
--tls-cert string path to TLS certificate file (default "$HELM_HOME/cert.pem")
--tls-key string path to TLS key file (default "$HELM_HOME/key.pem")
--tls-verify enable TLS for request and verify remote
``` ```
### Options inherited from parent commands ### Options inherited from parent commands
...@@ -34,4 +39,4 @@ helm get values [flags] RELEASE_NAME ...@@ -34,4 +39,4 @@ helm get values [flags] RELEASE_NAME
### SEE ALSO ### SEE ALSO
* [helm get](helm_get.md) - download a named release * [helm get](helm_get.md) - download a named release
###### Auto generated by spf13/cobra on 7-Nov-2017 ###### Auto generated by spf13/cobra on 15-Nov-2017
...@@ -6,6 +6,8 @@ ...@@ -6,6 +6,8 @@
- [Frequently Asked Questions](install_faq.md) - [Frequently Asked Questions](install_faq.md)
- [Using Helm](using_helm.md) - Learn the Helm tools - [Using Helm](using_helm.md) - Learn the Helm tools
- [Plugins](plugins.md) - [Plugins](plugins.md)
- [Service Accounts for Tiller](service_accounts.md) - Apply RBACs to Tiller
- [TLS/SSL for Helm and Tiller](tiller_ssl.md) - Use Helm-to-Tiller encryption
- [Developing Charts](charts.md) - An introduction to chart development - [Developing Charts](charts.md) - An introduction to chart development
- [Chart Lifecycle Hooks](charts_hooks.md) - [Chart Lifecycle Hooks](charts_hooks.md)
- [Chart Tips and Tricks](charts_tips_and_tricks.md) - [Chart Tips and Tricks](charts_tips_and_tricks.md)
...@@ -65,7 +65,7 @@ func CertPoolFromFile(filename string) (*x509.CertPool, error) { ...@@ -65,7 +65,7 @@ func CertPoolFromFile(filename string) (*x509.CertPool, error) {
func CertFromFilePair(certFile, keyFile string) (*tls.Certificate, error) { func CertFromFilePair(certFile, keyFile string) (*tls.Certificate, error) {
cert, err := tls.LoadX509KeyPair(certFile, keyFile) cert, err := tls.LoadX509KeyPair(certFile, keyFile)
if err != nil { if err != nil {
return nil, fmt.Errorf("can't load key pair from cert %s and key %s", certFile, keyFile) return nil, fmt.Errorf("can't load key pair from cert %s and key %s: %s", certFile, keyFile, err)
} }
return &cert, err return &cert, err
} }
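Review bot: The success path still reads `return &cert, err` where err is known to be nil after the preceding check; `return &cert, nil` states the contract plainly and avoids a reader wondering whether err can be non-nil here. In the new error message, `%v` is the conventional verb for an error value rather than `%s`, and the message would be easier to grep if it quoted the paths with `%q` so empty or whitespace-containing filenames remain visible. The enclosing CertPoolFromFile named in the hunk header starts outside the hunk.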