From 1843cc447e2d38733110927d4e4efa12f0078efe Mon Sep 17 00:00:00 2001 From: yxxhero <11087727+yxxhero@users.noreply.github.com> Date: Sun, 4 Jun 2023 16:34:24 +0800 Subject: [PATCH] Add insecure skip tls verify support (#882) * feat: add insecure-skip-tls-verify support Signed-off-by: yxxhero --- .github/workflows/ci.yaml | 8 +++--- Dockerfile | 2 +- Dockerfile.debian-stable-slim | 2 +- Dockerfile.ubuntu | 2 +- docs/index.md | 4 +++ pkg/app/init.go | 2 +- pkg/state/create.go | 3 +-- pkg/state/envvals_loader_test.go | 2 +- pkg/state/state.go | 44 +++++++++++++++++++++++++++----- pkg/state/state_test.go | 41 +++++++++++++++++++++++++++++ pkg/state/temp_test.go | 12 ++++----- test/integration/run.sh | 2 +- 12 files changed, 100 insertions(+), 24 deletions(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index e3be126e..229f455a 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -72,7 +72,7 @@ jobs: # we will mark this combination as failable, # and instruct users to upgrade helm and helm-secrets at once. plugin-secrets-version: 4.0.0 - plugin-diff-version: 3.8.0 + plugin-diff-version: 3.8.1 extra-helmfile-flags: v1mode: - helm-version: v3.12.0 @@ -84,14 +84,14 @@ jobs: - helm-version: v3.12.0 kustomize-version: v4.5.7 plugin-secrets-version: 4.0.0 - plugin-diff-version: 3.8.0 + plugin-diff-version: 3.8.1 extra-helmfile-flags: v1mode: # Helmfile v1 - helm-version: v3.12.0 kustomize-version: v4.5.7 plugin-secrets-version: 4.0.0 - plugin-diff-version: 3.8.0 + plugin-diff-version: 3.8.1 extra-helmfile-flags: v1mode: "true" # In case you need to test some optional helmfile features, @@ -99,7 +99,7 @@ jobs: - helm-version: v3.12.0 kustomize-version: v4.5.7 plugin-secrets-version: 4.0.0 - plugin-diff-version: 3.8.0 + plugin-diff-version: 3.8.1 extra-helmfile-flags: "--enable-live-output" v1mode: steps: diff --git a/Dockerfile b/Dockerfile index 996ceec0..574018b2 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -92,7 +92,7 @@ RUN set -x && \ [ "$(age --version)" = "${AGE_VERSION}" ] && \ [ "$(age-keygen --version)" = "${AGE_VERSION}" ] -RUN helm plugin install https://github.com/databus23/helm-diff --version v3.8.0 && \ +RUN helm plugin install https://github.com/databus23/helm-diff --version v3.8.1 && \ helm plugin install https://github.com/jkroepke/helm-secrets --version v4.1.1 && \ helm plugin install https://github.com/hypnoglow/helm-s3.git --version v0.14.0 && \ helm plugin install https://github.com/aslafy-z/helm-git.git --version v0.12.0 && \ diff --git a/Dockerfile.debian-stable-slim b/Dockerfile.debian-stable-slim index f5caa9bf..0a8e6dda 100644 --- a/Dockerfile.debian-stable-slim +++ b/Dockerfile.debian-stable-slim @@ -97,7 +97,7 @@ RUN set -x && \ [ "$(age --version)" = "${AGE_VERSION}" ] && \ [ "$(age-keygen --version)" = "${AGE_VERSION}" ] -RUN helm plugin install https://github.com/databus23/helm-diff --version v3.8.0 && \ +RUN helm plugin install https://github.com/databus23/helm-diff --version v3.8.1 && \ helm plugin install https://github.com/jkroepke/helm-secrets --version v4.1.1 && \ helm plugin install https://github.com/hypnoglow/helm-s3.git --version v0.14.0 && \ helm plugin install https://github.com/aslafy-z/helm-git.git --version v0.12.0 && \ diff --git a/Dockerfile.ubuntu b/Dockerfile.ubuntu index 48d12ac6..0b84776b 100644 --- a/Dockerfile.ubuntu +++ b/Dockerfile.ubuntu @@ -97,7 +97,7 @@ RUN set -x && \ [ "$(age --version)" = "${AGE_VERSION}" ] && \ [ "$(age-keygen --version)" = "${AGE_VERSION}" ] -RUN helm plugin install https://github.com/databus23/helm-diff --version v3.8.0 && \ +RUN helm plugin install https://github.com/databus23/helm-diff --version v3.8.1 && \ helm plugin install https://github.com/jkroepke/helm-secrets --version v4.1.1 && \ helm plugin install https://github.com/hypnoglow/helm-s3.git --version v0.14.0 && \ helm plugin install https://github.com/aslafy-z/helm-git.git --version v0.12.0 && \ 
diff --git a/docs/index.md b/docs/index.md index 1810dec5..ab2488ca 100644 --- a/docs/index.md +++ b/docs/index.md @@ -211,6 +211,8 @@ helmDefaults: postRenderer: "path/to/postRenderer" # cascade `--cascade` to helmv3 delete, available values: background, foreground, or orphan, default: background cascade: "background" + # insecureSkipTLSVerify is true if the TLS verification should be skipped when fetching remote chart + insecureSkipTLSVerify: false # these labels will be applied to all releases in a Helmfile. Useful in templating if you have a helmfile per environment or customer and don't want to copy the same label to each release commonLabels: @@ -311,6 +313,8 @@ releases: postRenderer: "path/to/postRenderer" # cascade `--cascade` to helmv3 delete, available values: background, foreground, or orphan, default: background cascade: "background" + # insecureSkipTLSVerify is true if the TLS verification should be skipped when fetching remote chart + insecureSkipTLSVerify: false # Local chart example - name: grafana # name of this release diff --git a/pkg/app/init.go b/pkg/app/init.go index ce76f442..cb7964d7 100644 --- a/pkg/app/init.go +++ b/pkg/app/init.go @@ -19,7 +19,7 @@ import ( const ( HelmRequiredVersion = "v3.10.3" HelmRecommendedVersion = "v3.12.0" - HelmDiffRecommendedVersion = "v3.4.0" + HelmDiffRecommendedVersion = "v3.8.1" HelmSecretsRecommendedVersion = "v4.1.1" HelmGitRecommendedVersion = "v0.12.0" HelmS3RecommendedVersion = "v0.14.0" diff --git a/pkg/state/create.go b/pkg/state/create.go index 7b5c3514..efd4348f 100644 --- a/pkg/state/create.go +++ b/pkg/state/create.go 
@@ -309,8 +309,7 @@ func (c *StateCreator) scatterGatherEnvSecretFiles(st *HelmState, envSecretFiles func(id int) { for secret := range secrets { release := &ReleaseSpec{} - flags := st.appendConnectionFlags([]string{}, release) - decFile, err := helm.DecryptSecret(st.createHelmContext(release, 0), secret.path, flags...) + decFile, err := helm.DecryptSecret(st.createHelmContext(release, 0), secret.path) if err != nil { results <- secretResult{secret.id, nil, err, secret.path} continue diff --git a/pkg/state/envvals_loader_test.go b/pkg/state/envvals_loader_test.go index a2f7d308..34523046 100644 --- a/pkg/state/envvals_loader_test.go +++ b/pkg/state/envvals_loader_test.go @@ -103,7 +103,7 @@ func TestEnvValsLoad_EnvironmentNameFile(t *testing.T) { func TestEnvValsLoad_SingleValuesFileRemote(t *testing.T) { l := newLoader() - actual, err := l.LoadEnvironmentValues(nil, []interface{}{"git::https://github.com/helm/helm.git@cmd/helm/testdata/output/values.yaml?ref=v3.8.0"}, nil, "") + actual, err := l.LoadEnvironmentValues(nil, []interface{}{"git::https://github.com/helm/helm.git@cmd/helm/testdata/output/values.yaml?ref=v3.8.1"}, nil, "") if err != nil { t.Fatal(err) } diff --git a/pkg/state/state.go b/pkg/state/state.go index 25cce33e..69813ea2 100644 --- a/pkg/state/state.go +++ b/pkg/state/state.go @@ -18,11 +18,13 @@ import ( "text/template" "time" + "github.com/Masterminds/semver/v3" "github.com/helmfile/chartify" "github.com/helmfile/vals" "github.com/imdario/mergo" "github.com/tatsushid/go-prettytable" "go.uber.org/zap" + "helm.sh/helm/v3/pkg/cli" "github.com/helmfile/helmfile/pkg/environment" "github.com/helmfile/helmfile/pkg/event" 
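Review bot: The kube-connection flags are dropped from the `helm.DecryptSecret` call without any explanation, so a reader comparing this with flagsForUpgrade will wonder whether `--kube-context` was lost by accident rather than on purpose. A one-line comment above the call would settle it, for example `// secret decryption runs locally; kube connection flags are intentionally not passed` (the reason is inferred, so confirm it matches the actual motivation). The same change is made in generateSecretValuesFiles in pkg/state/state.go, so the same comment belongs there. The enclosing function scatterGatherEnvSecretFiles starts and ends outside the hunk.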
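Review bot: The `ref=v3.8.0` to `ref=v3.8.1` change in TestEnvValsLoad_SingleValuesFileRemote looks like a search-and-replace artifact: this ref is a git tag of the helm repository used as a remote test fixture, not the helm-diff plugin version the rest of the commit bumps. It is harmless as long as that tag exists upstream, but it is unrelated to the feature and would be cleaner reverted or split into its own commit.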
@@ -192,6 +194,8 @@ type HelmSpec struct { DisableValidation *bool `yaml:"disableValidation,omitempty"` DisableOpenAPIValidation *bool `yaml:"disableOpenAPIValidation,omitempty"` + // InsecureSkipTLSVerify is true if the TLS verification should be skipped when fetching remote chart + InsecureSkipTLSVerify bool `yaml:"insecureSkipTLSVerify,omitempty"` } // RepositorySpec that defines values for a helm repo @@ -310,6 +314,9 @@ type ReleaseSpec struct { KubeContext string `yaml:"kubeContext,omitempty"` + // InsecureSkipTLSVerify is true if the TLS verification should be skipped when fetching remote chart. + InsecureSkipTLSVerify bool `yaml:"insecureSkipTLSVerify,omitempty"` + // These values are used in templating VerifyTemplate *string `yaml:"verifyTemplate,omitempty"` WaitTemplate *string `yaml:"waitTemplate,omitempty"` @@ -983,7 +990,7 @@ func (st *HelmState) SyncReleases(affectedReleases *AffectedReleases, helm helme } func (st *HelmState) listReleases(context helmexec.HelmContext, helm helmexec.Interface, release *ReleaseSpec) (string, error) { - flags := st.connectionFlags(release) + flags := st.kubeConnectionFlags(release) if release.Namespace != "" { flags = append(flags, "--namespace", release.Namespace) } @@ -2113,6 +2120,7 @@ func (st *HelmState) TestReleases(helm helmexec.Interface, cleanup bool, timeout } flags = st.appendConnectionFlags(flags, &release) + flags = st.appendChartDownloadTLSFlags(flags, &release) return helm.TestRelease(st.createHelmContext(&release, workerIndex), release.Name, flags...) }) 
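Review bot: `InsecureSkipTLSVerify bool` on ReleaseSpec cannot express "verify this release even though helmDefaults disables verification", because a false value is indistinguishable from "not set"; once `helmDefaults.insecureSkipTLSVerify: true` is set, every release skips certificate verification of its chart source with no per-release opt-out. The neighbouring fields in the same struct use `*bool` for exactly this reason (`DisableValidation *bool`, `DisableOpenAPIValidation *bool`), so `InsecureSkipTLSVerify *bool` on ReleaseSpec with "release value if set, otherwise the default" precedence would let the insecure setting be narrowed per release instead of only widened. The same shape applies to the ReleaseSpec hunk below, and the precedence would live in appendChartDownloadTLSFlags.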
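Review bot: Appending `--insecure-skip-tls-verify` to the `helm test` invocation in TestReleases looks wrong: as far as I can tell from helm's CLI, that flag is a chart-path option offered by install/upgrade/pull/template/show, and `helm test` does not declare it, so with the option enabled every `helm test` would fail with an unknown-flag error. Please confirm against the helm version in use; if it is not accepted, drop the added `flags = st.appendChartDownloadTLSFlags(flags, &release)` line here, since `helm test` does not fetch a chart anyway. The body of TestReleases starts and ends outside the hunk.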
@@ -2428,12 +2436,12 @@ func findChartDirectory(topLevelDir string) (string, error) { // appendConnectionFlags append all the helm command-line flags related to K8s API including the kubecontext func (st *HelmState) appendConnectionFlags(flags []string, release *ReleaseSpec) []string { - adds := st.connectionFlags(release) - flags = append(flags, adds...) + kubeFlagAdds := st.kubeConnectionFlags(release) + flags = append(flags, kubeFlagAdds...) return flags } -func (st *HelmState) connectionFlags(release *ReleaseSpec) []string { +func (st *HelmState) kubeConnectionFlags(release *ReleaseSpec) []string { flags := []string{} if release.KubeContext != "" { flags = append(flags, "--kube-context", release.KubeContext) @@ -2442,7 +2450,16 @@ func (st *HelmState) connectionFlags(release *ReleaseSpec) []string { } else if st.HelmDefaults.KubeContext != "" { flags = append(flags, "--kube-context", st.HelmDefaults.KubeContext) } + return flags +} +func (st *HelmState) appendChartDownloadTLSFlags(flags []string, release *ReleaseSpec) []string { + switch { + case release.InsecureSkipTLSVerify: + flags = append(flags, "--insecure-skip-tls-verify") + case st.HelmDefaults.InsecureSkipTLSVerify: + flags = append(flags, "--insecure-skip-tls-verify") + } return flags } @@ -2515,6 +2532,7 @@ func (st *HelmState) flagsForUpgrade(helm helmexec.Interface, release *ReleaseSp } flags = st.appendConnectionFlags(flags, release) + flags = st.appendChartDownloadTLSFlags(flags, release) flags = st.appendHelmXFlags(flags, release) @@ -2555,6 +2573,7 @@ func (st *HelmState) flagsForTemplate(helm helmexec.Interface, release *ReleaseS } func (st *HelmState) flagsForDiff(helm helmexec.Interface, release *ReleaseSpec, disableValidation bool, workerIndex int, opt *DiffOpts) ([]string, []string, error) { + settings := cli.New() flags := st.chartVersionFlags(release) disableOpenAPIValidation := false 
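Review bot: In appendChartDownloadTLSFlags the two `case` arms of the `switch` append the identical flag, so the `switch` suggests a distinction that does not exist; `if release.InsecureSkipTLSVerify || st.HelmDefaults.InsecureSkipTLSVerify { flags = append(flags, "--insecure-skip-tls-verify") }` states the rule in one condition and matches the condition flagsForDiff uses for the plugin-version check. A short doc comment in the style of the appendConnectionFlags comment above it, e.g. `// appendChartDownloadTLSFlags appends --insecure-skip-tls-verify when the release or helmDefaults disables TLS verification of the chart source`, would also help. Since this is the single place the verification-disabling flag is emitted, it is the natural spot for a warning log naming the release, so that a run which fetched charts without certificate verification says so in its output (the state's logger is not visible in the hunk, so I am assuming one is available).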
@@ -2586,6 +2605,20 @@ func (st *HelmState) flagsForDiff(helm helmexec.Interface, release *ReleaseSpec, flags = st.appendConnectionFlags(flags, release) + if st.HelmDefaults.InsecureSkipTLSVerify || release.InsecureSkipTLSVerify { + diffVersion, err := helmexec.GetPluginVersion("diff", settings.PluginsDirectory) + if err != nil { + return nil, nil, err + } + dv, _ := semver.NewVersion("v3.8.1") + + if diffVersion.LessThan(dv) { + return nil, nil, fmt.Errorf("insecureSkipTLSVerify is not supported by helm-diff plugin version %s, please use at least v3.8.1", diffVersion) + } + } + + flags = st.appendChartDownloadTLSFlags(flags, release) + flags = st.appendHelmXFlags(flags, release) postRenderer := "" @@ -2930,8 +2963,7 @@ func (st *HelmState) generateSecretValuesFiles(helm helmexec.Interface, release } path := paths[0] - decryptFlags := st.appendConnectionFlags([]string{}, release) - valfile, err := helm.DecryptSecret(st.createHelmContext(release, workerIndex), path, decryptFlags...) + valfile, err := helm.DecryptSecret(st.createHelmContext(release, workerIndex), path) if err != nil { return nil, err } diff --git a/pkg/state/state_test.go b/pkg/state/state_test.go index 3e3d2c27..eb368460 100644 --- a/pkg/state/state_test.go +++ b/pkg/state/state_test.go 
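Review bot: `dv, _ := semver.NewVersion("v3.8.1")` discards the parse error of a compile-time constant, and the same version string is repeated in the error message; a package-level `var minHelmDiffVersionForInsecureTLS = semver.MustParse("v3.8.1")` documents the requirement once, cannot silently become nil, and lets the message use `%s` on that value. `settings := cli.New()` from the top of flagsForDiff (previous hunk) is only used inside this `if`, so it is created and reads the environment on every diff even when no TLS option is set; moving it into the block keeps the cost and the dependency local to the one path that needs it. The condition here duplicates the one appendChartDownloadTLSFlags evaluates two lines later, which is another reason to keep both expressed as the same `||`.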
@@ -3344,3 +3344,44 @@ func TestCommonDiffFlags(t *testing.T) {
 require.Equal(t, tt.expected, result)
 }
 }
+
+func TestAppendChartDownloadTLSFlags(t *testing.T) {
+ tests := []struct {
+ name string
+ defaultInsecureSkipTLSVerify bool
+ releaseInsecureSkipTLSVerify bool
+ expected []string
+ }{
+ {
+ name: "defaultInsecureSkipTLSVerify is true and releaseInsecureSkipTLSVerify is false",
+ defaultInsecureSkipTLSVerify: true,
+ releaseInsecureSkipTLSVerify: false,
+ expected: []string{"--insecure-skip-tls-verify"},
+ },
+ {
+ name: "defaultInsecureSkipTLSVerify is false and releaseInsecureSkipTLSVerify is true",
+ defaultInsecureSkipTLSVerify: false,
+ releaseInsecureSkipTLSVerify: true,
+ expected: []string{"--insecure-skip-tls-verify"},
+ },
+ {
+ name: "defaultInsecureSkipTLSVerify is false and releaseInsecureSkipTLSVerify is false",
+ defaultInsecureSkipTLSVerify: false,
+ releaseInsecureSkipTLSVerify: false,
+ expected: []string{},
+ },
+ }
+
+ for _, tt := range tests {
+ t.Run(tt.name, func(t *testing.T) {
+ st := &HelmState{}
+ release := &ReleaseSpec{}
+ st.HelmDefaults.InsecureSkipTLSVerify = tt.defaultInsecureSkipTLSVerify
+ release.InsecureSkipTLSVerify = tt.releaseInsecureSkipTLSVerify
+
+ result := st.appendChartDownloadTLSFlags([]string{}, release)
+
+ require.Equal(t, tt.expected, result)
+ })
+ }
+}
diff --git a/pkg/state/temp_test.go b/pkg/state/temp_test.go
index a749a408..c66c8ce0 100644
--- a/pkg/state/temp_test.go
+++ b/pkg/state/temp_test.go
@@ -38,39 +38,39 @@ func TestGenerateID(t *testing.T) { run(testcase{ subject: "baseline", release: ReleaseSpec{Name: "foo", Chart: "incubator/raw"}, - want: "foo-values-fc7df494d", + want: "foo-values-58d856f487", }) run(testcase{ subject: "different bytes content", release: ReleaseSpec{Name: "foo", Chart: "incubator/raw"}, data: []byte(`{"k":"v"}`), - want: "foo-values-56b47664f5", + want: "foo-values-6d96d874f6", }) run(testcase{ subject: "different map content", release: ReleaseSpec{Name: "foo", Chart: "incubator/raw"}, data: map[string]interface{}{"k": "v"}, - want: "foo-values-558ff84c89", + want: "foo-values-77cdb7dbb6", }) run(testcase{ subject: "different chart", release: ReleaseSpec{Name: "foo", Chart: "stable/envoy"}, - want: "foo-values-5595f4fc5c", + want: "foo-values-66cd476bbb", }) run(testcase{ subject: "different name", release: ReleaseSpec{Name: "bar", Chart: "incubator/raw"}, - want: "bar-values-5bf654bff9", + want: "bar-values-5d59565d5b", }) run(testcase{ subject: "specific ns", release: ReleaseSpec{Name: "foo", Chart: "incubator/raw", Namespace: "myns"}, - want: "myns-foo-values-c685d945", + want: "myns-foo-values-644b7dfd78", }) for id, n := range ids { diff --git a/test/integration/run.sh b/test/integration/run.sh index 90630cc7..1000906f 100755 --- a/test/integration/run.sh +++ b/test/integration/run.sh @@ -26,7 +26,7 @@ export HELM_DATA_HOME="${helm_dir}/data" export HELM_HOME="${HELM_DATA_HOME}" export HELM_PLUGINS="${HELM_DATA_HOME}/plugins" export HELM_CONFIG_HOME="${helm_dir}/config" -HELM_DIFF_VERSION="${HELM_DIFF_VERSION:-3.8.0}" +HELM_DIFF_VERSION="${HELM_DIFF_VERSION:-3.8.1}" HELM_SECRETS_VERSION="${HELM_SECRETS_VERSION:-3.15.0}" export GNUPGHOME="${PWD}/${dir}/.gnupg" export SOPS_PGP_FP="B2D6D7BBEC03B2E66571C8C00AD18E16CFDEF700"
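Review bot: Every expected ID in this table changed at once, which indicates the generated name is derived from a hash over the whole ReleaseSpec, so adding InsecureSkipTLSVerify silently renamed the temporary values files of every release (inferred; the ID function is not in the hunk). That is benign for temp files, but the next person to add a field will see six failing assertions and may read it as a regression; a short comment above the first `run(testcase{` such as `// expected IDs hash the full ReleaseSpec and change whenever the struct gains a field` would make the churn expected. If the hash is meant to be stable across struct changes, the ID function should hash only the fields that identify the release instead.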