Merge pull request #1484 from hiddeco/1465-tiller-tls

TLS verification Helm operator

Gopkg.toml

@@ -40,7 +40,7 @@ required = ["k8s.io/code-generator/cmd/client-gen"]
 
 [[constraint]]
   name = "k8s.io/helm"
-  version = "v2.8.1"
+  version = "~v2.10.0"
 
 [[constraint]]
 	name = "github.com/justinbarrick/go-k8s-portforward"

chart/flux/templates/helm-operator-deployment.yaml

@@ -98,6 +98,9 @@ spec:
         {{- if .Values.helmOperator.tls.verify }}
         - --tiller-tls-verify={{ .Values.helmOperator.tls.verify }}
         - --tiller-tls-ca-cert-path=/etc/fluxd/helm-ca/ca.crt
+        {{- if .Values.helmOperator.tls.hostname }}
+        - --tiller-tls-hostname={{ .Values.helmOperator.tls.hostname }}
+        {{- end }}
         {{- end }}
         {{- end }}
       {{- if .Values.helmOperator.extraEnvs }}

chart/flux/templates/helm-tls.yaml

@@ -6,6 +6,6 @@ metadata:
   name: {{ template "flux.fullname" . }}-helm-tls-ca-config
 data:
   ca.crt: |
-    {{ .Values.helmOperator.tls.caContent | indent 4 }}
+{{ .Values.helmOperator.tls.caContent | indent 4 }}
 {{- end -}}
 {{- end -}}

chart/flux/values.yaml

@@ -37,6 +37,7 @@ helmOperator:
     keyFile: "tls.key"
     certFile: "tls.crt"
     caContent: ""
+    hostname: ""
   # Override Flux git settings
   git:
     url: ""

cmd/helm-operator/main.go

@@ -42,11 +42,12 @@ var (
 	tillerPort      *string
 	tillerNamespace *string
 
-	tillerTLSVerify *bool
-	tillerTLSEnable *bool
-	tillerTLSKey    *string
-	tillerTLSCert   *string
-	tillerTLSCACert *string
+	tillerTLSVerify   *bool
+	tillerTLSEnable   *bool
+	tillerTLSKey      *string
+	tillerTLSCert     *string
+	tillerTLSCACert   *string
+	tillerTLSHostname *string
 
 	chartsSyncInterval *time.Duration
 	chartsSyncTimeout  *time.Duration
@@ -100,6 +101,7 @@ func init() {
 	tillerTLSKey = fs.String("tiller-tls-key-path", "/etc/fluxd/helm/tls.key", "Path to private key file used to communicate with the Tiller server.")
 	tillerTLSCert = fs.String("tiller-tls-cert-path", "/etc/fluxd/helm/tls.crt", "Path to certificate file used to communicate with the Tiller server.")
 	tillerTLSCACert = fs.String("tiller-tls-ca-cert-path", "", "Path to CA certificate file used to validate the Tiller server. Required if tiller-tls-verify is enabled.")
+	tillerTLSHostname = fs.String("tiller-tls-hostname", "", "The server name used to verify the hostname on the returned certificates from the server.")
 
 	chartsSyncInterval = fs.Duration("charts-sync-interval", 3*time.Minute, "Interval at which to check for changed charts")
 	chartsSyncTimeout = fs.Duration("charts-sync-timeout", 1*time.Minute, "Timeout when checking for changed charts")
@@ -177,14 +179,15 @@ func main() {
 
 	// HELM ---------------------------------------------------------------------------------
 	helmClient := fluxhelm.ClientSetup(log.With(logger, "component", "helm"), kubeClient, fluxhelm.TillerOptions{
-		IP:        *tillerIP,
-		Port:      *tillerPort,
-		Namespace: *tillerNamespace,
-		TLSVerify: *tillerTLSVerify,
-		TLSEnable: *tillerTLSEnable,
-		TLSKey:    *tillerTLSKey,
-		TLSCert:   *tillerTLSCert,
-		TLSCACert: *tillerTLSCACert,
+		Host:        *tillerIP,
+		Port:        *tillerPort,
+		Namespace:   *tillerNamespace,
+		TLSVerify:   *tillerTLSVerify,
+		TLSEnable:   *tillerTLSEnable,
+		TLSKey:      *tillerTLSKey,
+		TLSCert:     *tillerTLSCert,
+		TLSCACert:   *tillerTLSCACert,
+		TLSHostname: *tillerTLSHostname,
 	})
 
 	// The status updater, to keep track the release status for each

integrations/helm/helm.go

@@ -5,7 +5,6 @@ import (
 	"time"
 
 	"github.com/go-kit/kit/log"
-	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/client-go/kubernetes"
 	k8shelm "k8s.io/helm/pkg/helm"
@@ -26,14 +25,15 @@ type RepoConfig struct {
 }
 
 type TillerOptions struct {
-	IP        string
-	Port      string
-	Namespace string
-	TLSVerify bool
-	TLSEnable bool
-	TLSKey    string
-	TLSCert   string
-	TLSCACert string
+	Host        string
+	Port        string
+	Namespace   string
+	TLSVerify   bool
+	TLSEnable   bool
+	TLSKey      string
+	TLSCert     string
+	TLSCACert   string
+	TLSHostname string
 }
 
 // Helm struct provides access to helm client
@@ -52,13 +52,19 @@ func newClient(kubeClient *kubernetes.Clientset, opts TillerOptions) (*k8shelm.C
 
 	options := []k8shelm.Option{k8shelm.Host(host)}
 	if opts.TLSVerify || opts.TLSEnable {
-		tlscfg, err := tlsutil.ClientConfig(tlsutil.Options{
+		tlsopts := tlsutil.Options{
 			KeyFile:            opts.TLSKey,
 			CertFile:           opts.TLSCert,
-			InsecureSkipVerify: !opts.TLSVerify,
-			CaCertFile:         opts.TLSCACert,
-		})
-
+			InsecureSkipVerify: true,
+		}
+		if opts.TLSVerify {
+			tlsopts.CaCertFile = opts.TLSCACert
+			tlsopts.InsecureSkipVerify = false
+		}
+		if opts.TLSHostname != "" {
+			tlsopts.ServerName = opts.TLSHostname
+		}
+		tlscfg, err := tlsutil.ClientConfig(tlsopts)
 		if err != nil {
 			return &k8shelm.Client{}, err
 		}
@@ -98,26 +104,13 @@ func GetTillerVersion(cl k8shelm.Client, h string) (string, error) {
 
 // TODO ... set up based on the tiller existing in the cluster, if no ops given
 func tillerHost(kubeClient *kubernetes.Clientset, opts TillerOptions) (string, error) {
-	var ts *corev1.Service
-	var err error
-	var ip string
-	var port string
-
-	if opts.IP == "" {
-		ts, err = kubeClient.CoreV1().Services(opts.Namespace).Get("tiller-deploy", metav1.GetOptions{})
+	if opts.Host == "" || opts.Port == "" {
+		ts, err := kubeClient.CoreV1().Services(opts.Namespace).Get("tiller-deploy", metav1.GetOptions{})
 		if err != nil {
 			return "", err
 		}
-		ip = ts.Spec.ClusterIP
-		port = fmt.Sprintf("%v", ts.Spec.Ports[0].Port)
-	}
-
-	if opts.IP != "" {
-		ip = opts.IP
-	}
-	if opts.Port != "" {
-		port = fmt.Sprintf("%v", opts.Port)
+		return fmt.Sprintf("%s.%s:%v", ts.Name, ts.Namespace, ts.Spec.Ports[0].Port), nil
 	}
 
-	return fmt.Sprintf("%s:%s", ip, port), nil
+	return fmt.Sprintf("%s:%s", opts.Host, opts.Port), nil
 }

site/helm-operator.md

@@ -23,6 +23,7 @@ helm-operator requires setup and offers customization though a multitude of flag
 |--tiller-tls-tls-key-path     |`/etc/fluxd/helm/tls.key`      | Path to private key file used to communicate with the Tiller server. |
 |--tiller-tls-tls-cert-path    |`/etc/fluxd/helm/tls.crt`      | Path to certificate file used to communicate with the Tiller server. |
 |--tiller-tls-tls-ca-cert-path |                               | Path to CA certificate file used to validate the Tiller server. Required if tiller-tls-verify is enabled. |
+|--tiller-tls-hostname         |                               | The server name used to verify the hostname on the returned certificates from the Tiller server. |
 |                              |                               | **Git repo & key etc.**|
 |--git-url                     |                               | URL of git repo with Helm Charts; e.g., `ssh://git@github.com/weaveworks/flux-example`|
 |--git-branch                  | `master`                      | Branch of git repo to use for Kubernetes manifests|
@@ -41,12 +42,15 @@ helm-operator requires setup and offers customization though a multitude of flag
 
 ### Installing Helm / Tiller
 
-Generate certificates for Tiller and Flux. This will provide a CA, servercerts for tiller and client certs for helm / weave flux.
+Generate certificates for Tiller and Flux. This will provide a CA, servercerts for Tiller and client certs for Helm / Weave Flux.
+
+> **Note**: When creating the certificate for Tiller the Common Name should match the hostname you are connecting to from the Helm operator.
 
 The following script can be used for that (requires [cfssl](https://github.com/cloudflare/cfssl)):
 
 ```bash
-export TILLER_HOSTNAME=tiller-server
+# TILLER_HOSTNAME=<service>.<namespace>
+export TILLER_HOSTNAME=tiller-deploy.kube-system
 export TILLER_SERVER=server
 export USER_NAME=flux-helm-operator
 
@@ -163,10 +167,11 @@ Error: transport is closing
 When providing the certificates, it should work correctly:
 
 ```bash
-helm --tls \
+helm --tls --tls-verify \
   --tls-ca-cert ./tls/ca.pem \
   --tls-cert ./tls/flux-helm-operator.pem \
   --tls-key ././tls/flux-helm-operator-key.pem \
+  --tls-hostname tiller-deploy.kube-system \
   ls
 ```