Add insecure skip tls verify support (#882)

* feat: add insecure-skip-tls-verify support Signed-off-by: yxxhero <aiopsclub@163.com>
2023-06-04 16:34:24 +08:00 · 2023-06-04 16:34:24 +08:00 · 1843cc447e
parent e67eb0c973
commit 1843cc447e
12 changed files with 100 additions and 24 deletions
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@ -72,7 +72,7 @@ jobs:
           # we will mark this combination as failable,
           # and instruct users to upgrade helm and helm-secrets at once.
           plugin-secrets-version: 4.0.0
-           plugin-diff-version: 3.8.0
+           plugin-diff-version: 3.8.1
           extra-helmfile-flags:
           v1mode:
         - helm-version: v3.12.0
@ -84,14 +84,14 @@ jobs:
         - helm-version: v3.12.0
           kustomize-version: v4.5.7
           plugin-secrets-version: 4.0.0
-           plugin-diff-version: 3.8.0
+           plugin-diff-version: 3.8.1
           extra-helmfile-flags:
           v1mode:
         # Helmfile v1
         - helm-version: v3.12.0
           kustomize-version: v4.5.7
           plugin-secrets-version: 4.0.0
-           plugin-diff-version: 3.8.0
+           plugin-diff-version: 3.8.1
           extra-helmfile-flags:
           v1mode: "true"
         # In case you need to test some optional helmfile features,
@ -99,7 +99,7 @@ jobs:
         - helm-version: v3.12.0
           kustomize-version: v4.5.7
           plugin-secrets-version: 4.0.0
-           plugin-diff-version: 3.8.0
+           plugin-diff-version: 3.8.1
           extra-helmfile-flags: "--enable-live-output"
           v1mode:
    steps:
--- a/2
+++ b/2
@ -92,7 +92,7 @@ RUN set -x && \
    [ "$(age --version)" = "${AGE_VERSION}" ] && \
    [ "$(age-keygen --version)" = "${AGE_VERSION}" ]

-RUN helm plugin install https://github.com/databus23/helm-diff --version v3.8.0 && \
+RUN helm plugin install https://github.com/databus23/helm-diff --version v3.8.1 && \
    helm plugin install https://github.com/jkroepke/helm-secrets --version v4.1.1 && \
    helm plugin install https://github.com/hypnoglow/helm-s3.git --version v0.14.0 && \
    helm plugin install https://github.com/aslafy-z/helm-git.git --version v0.12.0 && \
--- a/Dockerfile.debian-stable-slim
+++ b/Dockerfile.debian-stable-slim
@ -97,7 +97,7 @@ RUN set -x && \
    [ "$(age --version)" = "${AGE_VERSION}" ] && \
    [ "$(age-keygen --version)" = "${AGE_VERSION}" ]

-RUN helm plugin install https://github.com/databus23/helm-diff --version v3.8.0 && \
+RUN helm plugin install https://github.com/databus23/helm-diff --version v3.8.1 && \
    helm plugin install https://github.com/jkroepke/helm-secrets --version v4.1.1 && \
    helm plugin install https://github.com/hypnoglow/helm-s3.git --version v0.14.0 && \
    helm plugin install https://github.com/aslafy-z/helm-git.git --version v0.12.0 && \
--- a/Dockerfile.ubuntu
+++ b/Dockerfile.ubuntu
@ -97,7 +97,7 @@ RUN set -x && \
    [ "$(age --version)" = "${AGE_VERSION}" ] && \
    [ "$(age-keygen --version)" = "${AGE_VERSION}" ]

-RUN helm plugin install https://github.com/databus23/helm-diff --version v3.8.0 && \
+RUN helm plugin install https://github.com/databus23/helm-diff --version v3.8.1 && \
    helm plugin install https://github.com/jkroepke/helm-secrets --version v4.1.1 && \
    helm plugin install https://github.com/hypnoglow/helm-s3.git --version v0.14.0 && \
    helm plugin install https://github.com/aslafy-z/helm-git.git --version v0.12.0 && \
--- a/docs/index.md
+++ b/docs/index.md
@ -211,6 +211,8 @@ helmDefaults:
  postRenderer: "path/to/postRenderer"
  #	cascade `--cascade` to helmv3 delete, available values: background, foreground, or orphan, default: background
  cascade: "background" 
+  # insecureSkipTLSVerify is true if the TLS verification should be skipped when fetching remote chart
+  insecureSkipTLSVerify: false

 # these labels will be applied to all releases in a Helmfile. Useful in templating if you have a helmfile per environment or customer and don't want to copy the same label to each release
 commonLabels:
@ -311,6 +313,8 @@ releases:
    postRenderer: "path/to/postRenderer"
    # cascade `--cascade` to helmv3 delete, available values: background, foreground, or orphan, default: background
    cascade: "background" 
+    # insecureSkipTLSVerify is true if the TLS verification should be skipped when fetching remote chart
+    insecureSkipTLSVerify: false

  # Local chart example
  - name: grafana                            # name of this release
--- a/pkg/app/init.go
+++ b/pkg/app/init.go
@ -19,7 +19,7 @@ import (
 const (
 	HelmRequiredVersion           = "v3.10.3"
 	HelmRecommendedVersion        = "v3.12.0"
-	HelmDiffRecommendedVersion    = "v3.4.0"
+	HelmDiffRecommendedVersion    = "v3.8.1"
 	HelmSecretsRecommendedVersion = "v4.1.1"
 	HelmGitRecommendedVersion     = "v0.12.0"
 	HelmS3RecommendedVersion      = "v0.14.0"
--- a/pkg/state/create.go
+++ b/pkg/state/create.go
@ -309,8 +309,7 @@ func (c *StateCreator) scatterGatherEnvSecretFiles(st *HelmState, envSecretFiles
 		func(id int) {
 			for secret := range secrets {
 				release := &ReleaseSpec{}
-				flags := st.appendConnectionFlags([]string{}, release)
-				decFile, err := helm.DecryptSecret(st.createHelmContext(release, 0), secret.path, flags...)
+				decFile, err := helm.DecryptSecret(st.createHelmContext(release, 0), secret.path)
 				if err != nil {
 					results <- secretResult{secret.id, nil, err, secret.path}
 					continue
--- a/pkg/state/envvals_loader_test.go
+++ b/pkg/state/envvals_loader_test.go
@ -103,7 +103,7 @@ func TestEnvValsLoad_EnvironmentNameFile(t *testing.T) {
 func TestEnvValsLoad_SingleValuesFileRemote(t *testing.T) {
 	l := newLoader()

-	actual, err := l.LoadEnvironmentValues(nil, []interface{}{"git::https://github.com/helm/helm.git@cmd/helm/testdata/output/values.yaml?ref=v3.8.0"}, nil, "")
+	actual, err := l.LoadEnvironmentValues(nil, []interface{}{"git::https://github.com/helm/helm.git@cmd/helm/testdata/output/values.yaml?ref=v3.8.1"}, nil, "")
 	if err != nil {
 		t.Fatal(err)
 	}
--- a/pkg/state/state.go
+++ b/pkg/state/state.go
@ -18,11 +18,13 @@ import (
 	"text/template"
 	"time"

+	"github.com/Masterminds/semver/v3"
 	"github.com/helmfile/chartify"
 	"github.com/helmfile/vals"
 	"github.com/imdario/mergo"
 	"github.com/tatsushid/go-prettytable"
 	"go.uber.org/zap"
+	"helm.sh/helm/v3/pkg/cli"

 	"github.com/helmfile/helmfile/pkg/environment"
 	"github.com/helmfile/helmfile/pkg/event"
@ -192,6 +194,8 @@ type HelmSpec struct {

 	DisableValidation        *bool `yaml:"disableValidation,omitempty"`
 	DisableOpenAPIValidation *bool `yaml:"disableOpenAPIValidation,omitempty"`
+	// InsecureSkipTLSVerify is true if the TLS verification should be skipped when fetching remote chart
+	InsecureSkipTLSVerify bool `yaml:"insecureSkipTLSVerify,omitempty"`
 }

 // RepositorySpec that defines values for a helm repo
@ -310,6 +314,9 @@ type ReleaseSpec struct {

 	KubeContext string `yaml:"kubeContext,omitempty"`

+	// InsecureSkipTLSVerify is true if the TLS verification should be skipped when fetching remote chart.
+	InsecureSkipTLSVerify bool `yaml:"insecureSkipTLSVerify,omitempty"`
+
 	// These values are used in templating
 	VerifyTemplate    *string `yaml:"verifyTemplate,omitempty"`
 	WaitTemplate      *string `yaml:"waitTemplate,omitempty"`
@ -983,7 +990,7 @@ func (st *HelmState) SyncReleases(affectedReleases *AffectedReleases, helm helme
 }

 func (st *HelmState) listReleases(context helmexec.HelmContext, helm helmexec.Interface, release *ReleaseSpec) (string, error) {
-	flags := st.connectionFlags(release)
+	flags := st.kubeConnectionFlags(release)
 	if release.Namespace != "" {
 		flags = append(flags, "--namespace", release.Namespace)
 	}
@ -2113,6 +2120,7 @@ func (st *HelmState) TestReleases(helm helmexec.Interface, cleanup bool, timeout
 		}

 		flags = st.appendConnectionFlags(flags, &release)
+		flags = st.appendChartDownloadTLSFlags(flags, &release)

 		return helm.TestRelease(st.createHelmContext(&release, workerIndex), release.Name, flags...)
 	})
@ -2428,12 +2436,12 @@ func findChartDirectory(topLevelDir string) (string, error) {

 // appendConnectionFlags append all the helm command-line flags related to K8s API including the kubecontext
 func (st *HelmState) appendConnectionFlags(flags []string, release *ReleaseSpec) []string {
-	adds := st.connectionFlags(release)
-	flags = append(flags, adds...)
+	kubeFlagAdds := st.kubeConnectionFlags(release)
+	flags = append(flags, kubeFlagAdds...)
 	return flags
 }

-func (st *HelmState) connectionFlags(release *ReleaseSpec) []string {
+func (st *HelmState) kubeConnectionFlags(release *ReleaseSpec) []string {
 	flags := []string{}
 	if release.KubeContext != "" {
 		flags = append(flags, "--kube-context", release.KubeContext)
@ -2442,7 +2450,16 @@ func (st *HelmState) connectionFlags(release *ReleaseSpec) []string {
 	} else if st.HelmDefaults.KubeContext != "" {
 		flags = append(flags, "--kube-context", st.HelmDefaults.KubeContext)
 	}
+	return flags
+}

+func (st *HelmState) appendChartDownloadTLSFlags(flags []string, release *ReleaseSpec) []string {
+	switch {
+	case release.InsecureSkipTLSVerify:
+		flags = append(flags, "--insecure-skip-tls-verify")
+	case st.HelmDefaults.InsecureSkipTLSVerify:
+		flags = append(flags, "--insecure-skip-tls-verify")
+	}
 	return flags
 }

@ -2515,6 +2532,7 @@ func (st *HelmState) flagsForUpgrade(helm helmexec.Interface, release *ReleaseSp
 	}

 	flags = st.appendConnectionFlags(flags, release)
+	flags = st.appendChartDownloadTLSFlags(flags, release)

 	flags = st.appendHelmXFlags(flags, release)

@ -2555,6 +2573,7 @@ func (st *HelmState) flagsForTemplate(helm helmexec.Interface, release *ReleaseS
 }

 func (st *HelmState) flagsForDiff(helm helmexec.Interface, release *ReleaseSpec, disableValidation bool, workerIndex int, opt *DiffOpts) ([]string, []string, error) {
+	settings := cli.New()
 	flags := st.chartVersionFlags(release)

 	disableOpenAPIValidation := false
@ -2586,6 +2605,20 @@ func (st *HelmState) flagsForDiff(helm helmexec.Interface, release *ReleaseSpec,

 	flags = st.appendConnectionFlags(flags, release)

+	if st.HelmDefaults.InsecureSkipTLSVerify || release.InsecureSkipTLSVerify {
+		diffVersion, err := helmexec.GetPluginVersion("diff", settings.PluginsDirectory)
+		if err != nil {
+			return nil, nil, err
+		}
+		dv, _ := semver.NewVersion("v3.8.1")
+
+		if diffVersion.LessThan(dv) {
+			return nil, nil, fmt.Errorf("insecureSkipTLSVerify is not supported by helm-diff plugin version %s, please use at least v3.8.1", diffVersion)
+		}
+	}
+
+	flags = st.appendChartDownloadTLSFlags(flags, release)
+
 	flags = st.appendHelmXFlags(flags, release)

 	postRenderer := ""
@ -2930,8 +2963,7 @@ func (st *HelmState) generateSecretValuesFiles(helm helmexec.Interface, release
 		}
 		path := paths[0]

-		decryptFlags := st.appendConnectionFlags([]string{}, release)
-		valfile, err := helm.DecryptSecret(st.createHelmContext(release, workerIndex), path, decryptFlags...)
+		valfile, err := helm.DecryptSecret(st.createHelmContext(release, workerIndex), path)
 		if err != nil {
 			return nil, err
 		}
--- a/pkg/state/state_test.go
+++ b/pkg/state/state_test.go
@ -3344,3 +3344,44 @@ func TestCommonDiffFlags(t *testing.T) {
 		require.Equal(t, tt.expected, result)
 	}
 }
+
+func TestAppendChartDownloadTLSFlags(t *testing.T) {
+	tests := []struct {
+		name                         string
+		defaultInsecureSkipTLSVerify bool
+		releaseInsecureSkipTLSVerify bool
+		expected                     []string
+	}{
+		{
+			name:                         "defaultInsecureSkipTLSVerify is true and releaseInsecureSkipTLSVerify is false",
+			defaultInsecureSkipTLSVerify: true,
+			releaseInsecureSkipTLSVerify: false,
+			expected:                     []string{"--insecure-skip-tls-verify"},
+		},
+		{
+			name:                         "defaultInsecureSkipTLSVerify is false and releaseInsecureSkipTLSVerify is true",
+			defaultInsecureSkipTLSVerify: false,
+			releaseInsecureSkipTLSVerify: true,
+			expected:                     []string{"--insecure-skip-tls-verify"},
+		},
+		{
+			name:                         "defaultInsecureSkipTLSVerify is false and releaseInsecureSkipTLSVerify is false",
+			defaultInsecureSkipTLSVerify: false,
+			releaseInsecureSkipTLSVerify: false,
+			expected:                     []string{},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			st := &HelmState{}
+			release := &ReleaseSpec{}
+			st.HelmDefaults.InsecureSkipTLSVerify = tt.defaultInsecureSkipTLSVerify
+			release.InsecureSkipTLSVerify = tt.releaseInsecureSkipTLSVerify
+
+			result := st.appendChartDownloadTLSFlags([]string{}, release)
+
+			require.Equal(t, tt.expected, result)
+		})
+	}
+}
--- a/pkg/state/temp_test.go
+++ b/pkg/state/temp_test.go
@ -38,39 +38,39 @@ func TestGenerateID(t *testing.T) {
 	run(testcase{
 		subject: "baseline",
 		release: ReleaseSpec{Name: "foo", Chart: "incubator/raw"},
-		want:    "foo-values-fc7df494d",
+		want:    "foo-values-58d856f487",
 	})

 	run(testcase{
 		subject: "different bytes content",
 		release: ReleaseSpec{Name: "foo", Chart: "incubator/raw"},
 		data:    []byte(`{"k":"v"}`),
-		want:    "foo-values-56b47664f5",
+		want:    "foo-values-6d96d874f6",
 	})

 	run(testcase{
 		subject: "different map content",
 		release: ReleaseSpec{Name: "foo", Chart: "incubator/raw"},
 		data:    map[string]interface{}{"k": "v"},
-		want:    "foo-values-558ff84c89",
+		want:    "foo-values-77cdb7dbb6",
 	})

 	run(testcase{
 		subject: "different chart",
 		release: ReleaseSpec{Name: "foo", Chart: "stable/envoy"},
-		want:    "foo-values-5595f4fc5c",
+		want:    "foo-values-66cd476bbb",
 	})

 	run(testcase{
 		subject: "different name",
 		release: ReleaseSpec{Name: "bar", Chart: "incubator/raw"},
-		want:    "bar-values-5bf654bff9",
+		want:    "bar-values-5d59565d5b",
 	})

 	run(testcase{
 		subject: "specific ns",
 		release: ReleaseSpec{Name: "foo", Chart: "incubator/raw", Namespace: "myns"},
-		want:    "myns-foo-values-c685d945",
+		want:    "myns-foo-values-644b7dfd78",
 	})

 	for id, n := range ids {
--- a/test/integration/run.sh
+++ b/test/integration/run.sh
@ -26,7 +26,7 @@ export HELM_DATA_HOME="${helm_dir}/data"
 export HELM_HOME="${HELM_DATA_HOME}"
 export HELM_PLUGINS="${HELM_DATA_HOME}/plugins"
 export HELM_CONFIG_HOME="${helm_dir}/config"
-HELM_DIFF_VERSION="${HELM_DIFF_VERSION:-3.8.0}"
+HELM_DIFF_VERSION="${HELM_DIFF_VERSION:-3.8.1}"
 HELM_SECRETS_VERSION="${HELM_SECRETS_VERSION:-3.15.0}"
 export GNUPGHOME="${PWD}/${dir}/.gnupg"
 export SOPS_PGP_FP="B2D6D7BBEC03B2E66571C8C00AD18E16CFDEF700"