diff --git a/README.md b/README.md
index 6f9fd6c0..cecbf7b3 100644
--- a/README.md
+++ b/README.md
@@ -52,6 +52,14 @@ helmDefaults:
 timeout: 600
 recreatePods: true
 force: true
+ # enable TLS for request to Tiller
+ tls: true
+ # path to TLS CA certificate file (default "$HELM_HOME/ca.pem")
+ tlsCACert: "path/to/ca.pem"
+ # path to TLS certificate file (default "$HELM_HOME/cert.pem")
+ tlsCert: "path/to/cert.pem"
+ # path to TLS key file (default "$HELM_HOME/key.pem")
+ tlsKey: "path/to/key.pem"
 releases:
 # Published chart example
@@ -101,6 +109,14 @@ releases:
 installed: true
 # restores previous state in case of failed release
 atomic: true
+ # enable TLS for request to Tiller
+ tls: true
+ # path to TLS CA certificate file (default "$HELM_HOME/ca.pem")
+ tlsCACert: "path/to/ca.pem"
+ # path to TLS certificate file (default "$HELM_HOME/cert.pem")
+ tlsCert: "path/to/cert.pem"
+ # path to TLS key file (default "$HELM_HOME/key.pem")
+ tlsKey: "path/to/key.pem"
 # Local chart example
 - name: grafana # name of this release
diff --git a/args/args.go b/args/args.go
index 9c27ef5f..075351a0 100644
--- a/args/args.go
+++ b/args/args.go
@@ -83,9 +83,6 @@ func GetArgs(args string, state *state.HelmState) []string {
 }
 }
- if state.HelmDefaults.TillerNamespace != "" {
- argsMap.SetArg("--tiller-namespace", state.HelmDefaults.TillerNamespace, false)
- }
 if state.HelmDefaults.KubeContext != "" {
 argsMap.SetArg("--kube-context", state.HelmDefaults.KubeContext, false)
 }
diff --git a/state/state.go b/state/state.go
index b4af6d94..b3d467c7 100644
--- a/state/state.go
+++ b/state/state.go
@@ -68,6 +68,11 @@ type HelmSpec struct {
 Force bool `yaml:"force"`
 // Atomic, when set to true, restore previous state in case of a failed install/upgrade attempt
 Atomic bool `yaml:"atomic"`
+
+ TLS bool `yaml:"tls"`
+ TLSCACert string `yaml:"tlsCACert"`
+ TLSKey string `yaml:"tlsKey"`
+ TLSCert string `yaml:"tlsCert"`
 }
 // RepositorySpec that defines values for a helm repo
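Review bot: The four fields added to HelmSpec carry no doc comments, although the neighbouring fields such as `Atomic` each have one, and the same gap exists in the ReleaseSpec hunk that follows. I would add, for example, `// TLS, when set to true, enables TLS for requests to Tiller (--tls)` and `// TLSCACert is the path to the TLS CA certificate file (--tls-ca-cert)`, with matching lines for `TLSKey` and `TLSCert`. On ReleaseSpec the comment for `TLS *bool` should say that nil means the helmDefaults value is used, since that is what appendTillerFlags does with it and why the type differs from the plain `bool` here. The struct body starts outside this hunk.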
@@ -121,6 +126,13 @@ type ReleaseSpec struct {
 ValuesPathPrefix string `yaml:"valuesPathPrefix"`
+ TillerNamespace string `yaml:"tillerNamespace"`
+
+ TLS *bool `yaml:"tls"`
+ TLSCACert string `yaml:"tlsCACert"`
+ TLSKey string `yaml:"tlsKey"`
+ TLSCert string `yaml:"tlsCert"`
+
 // generatedValues are values that need cleaned up on exit
 generatedValues []string
 }
@@ -929,6 +941,38 @@ func findChartDirectory(topLevelDir string) (string, error) {
 return topLevelDir, errors.New("No Chart.yaml found")
 }
+func (st *HelmState) appendTillerFlags(flags []string, release *ReleaseSpec) []string {
+ if release.TillerNamespace != "" {
+ flags = append(flags, "--tiller-namespace", release.TillerNamespace)
+ } else if st.HelmDefaults.TillerNamespace != "" {
+ flags = append(flags, "--tiller-namespace", st.HelmDefaults.TillerNamespace)
+ }
+
+ if release.TLS != nil && *release.TLS || release.TLS == nil && st.HelmDefaults.TLS {
+ flags = append(flags, "--tls")
+ }
+
+ if release.TLSKey != "" {
+ flags = append(flags, "--tls-key", release.TLSKey)
+ } else if st.HelmDefaults.TLSKey != "" {
+ flags = append(flags, "--tls-key", st.HelmDefaults.TLSKey)
+ }
+
+ if release.TLSCert != "" {
+ flags = append(flags, "--tls-cert", release.TLSCert)
+ } else if st.HelmDefaults.TLSCert != "" {
+ flags = append(flags, "--tls-cert", st.HelmDefaults.TLSCert)
+ }
+
+ if release.TLSCACert != "" {
+ flags = append(flags, "--tls-ca-cert", release.TLSCACert)
+ } else if st.HelmDefaults.TLSCACert != "" {
+ flags = append(flags, "--tls-ca-cert", st.HelmDefaults.TLSCACert)
+ }
+
+ return flags
+}
+
 func (st *HelmState) flagsForUpgrade(helm helmexec.Interface, release *ReleaseSpec) ([]string, error) {
 flags := []string{}
 if release.Version != "" {
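Review bot: appendTillerFlags can only ever emit `--tls`, so a helmfile user has no way to make helm verify Tiller's certificate. In Helm v2, to my knowledge, `--tls` encrypts the connection and presents the client certificate but skips server verification, and the CA file is only consulted when `--tls-verify` is passed, which would leave `tlsCACert` without effect here. Consider a `tlsVerify` option on HelmSpec and ReleaseSpec, resolved the same way as `TLS`, that emits `--tls-verify` in place of `--tls`. Separately, the condition `release.TLS != nil && *release.TLS || release.TLS == nil && st.HelmDefaults.TLS` relies on operator precedence and would read more safely with each `&&` pair in parentheses; the function also has no doc comment explaining that release values win over helmDefaults.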
@@ -967,6 +1011,8 @@ func (st *HelmState) flagsForUpgrade(helm helmexec.Interface, release *ReleaseSp
 flags = append(flags, "--atomic")
 }
+ flags = st.appendTillerFlags(flags, release)
+
 common, err := st.namespaceAndValuesFlags(helm, release)
 if err != nil {
 return nil, err
@@ -995,6 +1041,8 @@ func (st *HelmState) flagsForDiff(helm helmexec.Interface, release *ReleaseSpec)
 flags = append(flags, "--devel")
 }
+ flags = st.appendTillerFlags(flags, release)
+
 common, err := st.namespaceAndValuesFlags(helm, release)
 if err != nil {
 return nil, err
diff --git a/state/state_test.go b/state/state_test.go
index 7706453c..05881eb8 100644
--- a/state/state_test.go
+++ b/state/state_test.go
@@ -129,6 +129,10 @@ func TestHelmState_applyDefaultsTo(t *testing.T) {
 }
 }
+func boolValue(v bool) *bool {
+ return &v
+}
+
 func TestHelmState_flagsForUpgrade(t *testing.T) {
 enable := true
 disable := false
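Review bot: `appendTillerFlags` is wired into flagsForUpgrade here and into flagsForDiff in the next hunk only, while the args.go hunk of this commit removes the `--tiller-namespace` that GetArgs used to add from helmDefaults. If other helm invocations (delete, test, status and similar) build their flags elsewhere, they would now run without `--tiller-namespace` and without the TLS flags, so they could address a different Tiller or fail against one that requires TLS; that code is not visible in this diff, so please confirm. Each such path should also call `flags = st.appendTillerFlags(flags, release)`. Both function bodies start and end outside these hunks.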
@@ -424,6 +428,79 @@ func TestHelmState_flagsForUpgrade(t *testing.T) {
 "--namespace", "test-namespace",
 },
 },
+ {
+ name: "tiller",
+ defaults: HelmSpec{},
+ release: &ReleaseSpec{
+ Chart: "test/chart",
+ Version: "0.1",
+ Name: "test-charts",
+ TLS: boolValue(true),
+ TillerNamespace: "tiller-system",
+ TLSKey: "key.pem",
+ TLSCert: "cert.pem",
+ TLSCACert: "ca.pem",
+ },
+ want: []string{
+ "--version", "0.1",
+ "--tiller-namespace", "tiller-system",
+ "--tls",
+ "--tls-key", "key.pem",
+ "--tls-cert", "cert.pem",
+ "--tls-ca-cert", "ca.pem",
+ },
+ },
+ {
+ name: "tiller-override-defaults",
+ defaults: HelmSpec{
+ TLS: false,
+ TillerNamespace: "a",
+ TLSKey: "b.pem",
+ TLSCert: "c.pem",
+ TLSCACert: "d.pem",
+ },
+ release: &ReleaseSpec{
+ Chart: "test/chart",
+ Version: "0.1",
+ Name: "test-charts",
+ TLS: boolValue(true),
+ TillerNamespace: "tiller-system",
+ TLSKey: "key.pem",
+ TLSCert: "cert.pem",
+ TLSCACert: "ca.pem",
+ },
+ want: []string{
+ "--version", "0.1",
+ "--tiller-namespace", "tiller-system",
+ "--tls",
+ "--tls-key", "key.pem",
+ "--tls-cert", "cert.pem",
+ "--tls-ca-cert", "ca.pem",
+ },
+ },
+ {
+ name: "tiller-from-defaults",
+ defaults: HelmSpec{
+ TLS: true,
+ TillerNamespace: "tiller-system",
+ TLSKey: "key.pem",
+ TLSCert: "cert.pem",
+ TLSCACert: "ca.pem",
+ },
+ release: &ReleaseSpec{
+ Chart: "test/chart",
+ Version: "0.1",
+ Name: "test-charts",
+ },
+ want: []string{
+ "--version", "0.1",
+ "--tiller-namespace", "tiller-system",
+ "--tls",
+ "--tls-key", "key.pem",
+ "--tls-cert", "cert.pem",
+ "--tls-ca-cert", "ca.pem",
+ },
+ },
 }
 for _, tt := range tests {
 t.Run(tt.name, func(t *testing.T) {
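Review bot: None of the three new cases covers a release that turns TLS off while helmDefaults turns it on, which is the one situation where `TLS *bool` behaves differently from a plain bool. `tiller-override-defaults` only checks the false-to-true direction, so a regression that treats an explicit `tls: false` as unset would still pass and the release would talk to Tiller with settings its author did not ask for. A case like the one below would pin it; the expected flags assume, as in the existing cases, that a release without a namespace emits nothing else. The test function and its table start and end outside the hunk.

```go
// … unchanged: the three tiller cases added by this commit …
		{
			name: "tiller-tls-disabled-by-release",
			defaults: HelmSpec{
				TLS: true,
			},
			release: &ReleaseSpec{
				Chart:   "test/chart",
				Version: "0.1",
				Name:    "test-charts",
				TLS:     boolValue(false),
			},
			want: []string{
				"--version", "0.1",
			},
		},
```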