Merge pull request #2108 from fibonacci1729/feat/tls

feat/tls: Support optional TLS for helm / tiller

Author: fibonacci1729

cmd/helm/get.go

@@ -87,10 +87,3 @@ func (g *getCmd) run() error {
 	}
 	return printRelease(g.out, res.Release)
 }
-
-func ensureHelmClient(h helm.Interface) helm.Interface {
-	if h != nil {
-		return h
-	}
-	return helm.NewClient(helm.Host(tillerHost))
-}

cmd/helm/helm.go

@@ -32,10 +32,12 @@ import (
 	"k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset"
 	"k8s.io/kubernetes/pkg/client/restclient"
 
+	"k8s.io/helm/pkg/helm"
 	"k8s.io/helm/pkg/helm/helmpath"
 	"k8s.io/helm/pkg/helm/portforwarder"
 	"k8s.io/helm/pkg/kube"
 	"k8s.io/helm/pkg/tiller/environment"
+	"k8s.io/helm/pkg/tlsutil"
 )
 
 const (
@@ -95,6 +97,11 @@ func newRootCmd(out io.Writer) *cobra.Command {
 		Short:        "The Helm package manager for Kubernetes.",
 		Long:         globalUsage,
 		SilenceUsage: true,
+		PersistentPreRun: func(cmd *cobra.Command, args []string) {
+			tlsCaCertFile = os.ExpandEnv(tlsCaCertFile)
+			tlsCertFile = os.ExpandEnv(tlsCertFile)
+			tlsKeyFile = os.ExpandEnv(tlsKeyFile)
+		},
 		PersistentPostRun: func(cmd *cobra.Command, args []string) {
 			teardown()
 		},
@@ -120,21 +127,21 @@ func newRootCmd(out io.Writer) *cobra.Command {
 		newVerifyCmd(out),
 
 		// release commands
-		newDeleteCmd(nil, out),
-		newGetCmd(nil, out),
-		newHistoryCmd(nil, out),
-		newInstallCmd(nil, out),
-		newListCmd(nil, out),
-		newRollbackCmd(nil, out),
-		newStatusCmd(nil, out),
-		newUpgradeCmd(nil, out),
+		addFlagsTLS(newDeleteCmd(nil, out)),
+		addFlagsTLS(newGetCmd(nil, out)),
+		addFlagsTLS(newHistoryCmd(nil, out)),
+		addFlagsTLS(newInstallCmd(nil, out)),
+		addFlagsTLS(newListCmd(nil, out)),
+		addFlagsTLS(newRollbackCmd(nil, out)),
+		addFlagsTLS(newStatusCmd(nil, out)),
+		addFlagsTLS(newUpgradeCmd(nil, out)),
 
 		newCompletionCmd(out),
 		newHomeCmd(out),
 		newInitCmd(out),
-		newResetCmd(nil, out),
-		newVersionCmd(nil, out),
-		newReleaseTestCmd(nil, out),
+		addFlagsTLS(newResetCmd(nil, out)),
+		addFlagsTLS(newVersionCmd(nil, out)),
+		addFlagsTLS(newReleaseTestCmd(nil, out)),
 
 		// Hidden documentation generator command: 'helm docs'
 		newDocsCmd(out),
@@ -229,7 +236,9 @@ func defaultHelmHome() string {
 }
 
 func homePath() string {
-	return os.ExpandEnv(helmHome)
+	s := os.ExpandEnv(helmHome)
+	os.Setenv(homeEnvVar, s)
+	return s
 }
 
 func defaultHelmHost() string {
@@ -262,3 +271,49 @@ func getKubeClient(context string) (*restclient.Config, *internalclientset.Clien
 func getKubeCmd(context string) *kube.Client {
 	return kube.New(kube.GetConfig(context))
 }
+
+// ensureHelmClient returns a new helm client impl. if h is not nil.
+func ensureHelmClient(h helm.Interface) helm.Interface {
+	if h != nil {
+		return h
+	}
+	return newClient()
+}
+
+func newClient() helm.Interface {
+	options := []helm.Option{helm.Host(tillerHost)}
+
+	if tlsVerify || tlsEnable {
+		tlsopts := tlsutil.Options{KeyFile: tlsKeyFile, CertFile: tlsCertFile, InsecureSkipVerify: true}
+		if tlsVerify {
+			tlsopts.CaCertFile = tlsCaCertFile
+			tlsopts.InsecureSkipVerify = false
+		}
+		tlscfg, err := tlsutil.ClientConfig(tlsopts)
+		if err != nil {
+			fmt.Fprintln(os.Stderr, err)
+			os.Exit(2)
+		}
+		options = append(options, helm.WithTLS(tlscfg))
+	}
+	return helm.NewClient(options...)
+}
+
+// addFlagsTLS adds the flags for supporting client side TLS to the
+// helm command (only those that invoke communicate to Tiller.)
+func addFlagsTLS(cmd *cobra.Command) *cobra.Command {
+	// defaults
+	var (
+		tlsCaCertDefault = "$HELM_HOME/ca.pem"
+		tlsCertDefault   = "$HELM_HOME/cert.pem"
+		tlsKeyDefault    = "$HELM_HOME/key.pem"
+	)
+
+	// add flags
+	cmd.Flags().StringVar(&tlsCaCertFile, "tls-ca-cert", tlsCaCertDefault, "path to TLS CA certificate file")
+	cmd.Flags().StringVar(&tlsCertFile, "tls-cert", tlsCertDefault, "path to TLS certificate file")
+	cmd.Flags().StringVar(&tlsKeyFile, "tls-key", tlsKeyDefault, "path to TLS key file")
+	cmd.Flags().BoolVar(&tlsVerify, "tls-verify", false, "enable TLS for request and verify remote")
+	cmd.Flags().BoolVar(&tlsEnable, "tls", false, "enable TLS for request")
+	return cmd
+}

cmd/helm/init.go

@@ -102,11 +102,11 @@ func newInitCmd(out io.Writer) *cobra.Command {
 	f.BoolVar(&i.dryRun, "dry-run", false, "do not install local or remote")
 	f.BoolVar(&i.skipRefresh, "skip-refresh", false, "do not refresh (download) the local repository cache")
 
-	// f.BoolVar(&tlsEnable, "tiller-tls", false, "install tiller with TLS enabled")
-	// f.BoolVar(&tlsVerify, "tiller-tls-verify", false, "install tiller with TLS enabled and to verify remote certificates")
-	// f.StringVar(&tlsKeyFile, "tiller-tls-key", "", "path to TLS key file to install with tiller")
-	// f.StringVar(&tlsCertFile, "tiller-tls-cert", "", "path to TLS certificate file to install with tiller")
-	// f.StringVar(&tlsCaCertFile, "tls-ca-cert", "", "path to CA root certificate")
+	f.BoolVar(&tlsEnable, "tiller-tls", false, "install tiller with TLS enabled")
+	f.BoolVar(&tlsVerify, "tiller-tls-verify", false, "install tiller with TLS enabled and to verify remote certificates")
+	f.StringVar(&tlsKeyFile, "tiller-tls-key", "", "path to TLS key file to install with tiller")
+	f.StringVar(&tlsCertFile, "tiller-tls-cert", "", "path to TLS certificate file to install with tiller")
+	f.StringVar(&tlsCaCertFile, "tls-ca-cert", "", "path to CA root certificate")
 
 	return cmd
 }

cmd/tiller/tiller.go

@@ -17,25 +17,42 @@ limitations under the License.
 package main // import "k8s.io/helm/cmd/tiller"
 
 import (
+	"crypto/tls"
 	"fmt"
 	"io/ioutil"
 	"log"
 	"net"
 	"net/http"
 	"os"
+	"path/filepath"
 	"strings"
 
 	"github.com/spf13/cobra"
 
+	"google.golang.org/grpc"
+	"google.golang.org/grpc/credentials"
+
 	"k8s.io/helm/pkg/kube"
 	"k8s.io/helm/pkg/proto/hapi/services"
 	"k8s.io/helm/pkg/storage"
 	"k8s.io/helm/pkg/storage/driver"
 	"k8s.io/helm/pkg/tiller"
 	"k8s.io/helm/pkg/tiller/environment"
+	"k8s.io/helm/pkg/tlsutil"
 	"k8s.io/helm/pkg/version"
 )
 
+const (
+	// tlsEnableEnvVar names the environment variable that enables TLS.
+	tlsEnableEnvVar = "TILLER_TLS_ENABLE"
+	// tlsVerifyEnvVar names the environment variable that enables
+	// TLS, as well as certificate verification of the remote.
+	tlsVerifyEnvVar = "TILLER_TLS_VERIFY"
+	// tlsCertsEnvVar names the environment variable that points to
+	// the directory where Tiller's TLS certificates are located.
+	tlsCertsEnvVar = "TILLER_TLS_CERTS"
+)
+
 const (
 	storageMemory    = "memory"
 	storageConfigMap = "configmap"
@@ -44,7 +61,7 @@ const (
 // rootServer is the root gRPC server.
 //
 // Each gRPC service registers itself to this server during init().
-var rootServer = tiller.NewServer()
+var rootServer *grpc.Server
 
 // env is the default environment.
 //
@@ -59,6 +76,14 @@ var (
 	store         = storageConfigMap
 )
 
+var (
+	tlsEnable  bool
+	tlsVerify  bool
+	keyFile    string
+	certFile   string
+	caCertFile string
+)
+
 const globalUsage = `The Kubernetes Helm server.
 
 Tiller is the server for Helm. It provides in-cluster resource management.
@@ -83,6 +108,12 @@ func main() {
 	p.StringVar(&store, "storage", storageConfigMap, "storage driver to use. One of 'configmap' or 'memory'")
 	p.BoolVar(&enableTracing, "trace", false, "enable rpc tracing")
 
+	p.BoolVar(&tlsEnable, "tls", tlsEnableEnvVarDefault(), "enable TLS")
+	p.BoolVar(&tlsVerify, "tls-verify", tlsVerifyEnvVarDefault(), "enable TLS and verify remote certificate")
+	p.StringVar(&keyFile, "tls-key", tlsDefaultsFromEnv("tls-key"), "path to TLS private key file")
+	p.StringVar(&certFile, "tls-cert", tlsDefaultsFromEnv("tls-cert"), "path to TLS certificate file")
+	p.StringVar(&caCertFile, "tls-ca-cert", tlsDefaultsFromEnv("tls-ca-cert"), "trust certificates signed by this CA")
+
 	if err := rootCommand.Execute(); err != nil {
 		fmt.Fprint(os.Stderr, err)
 		os.Exit(1)
@@ -103,13 +134,33 @@ func start(c *cobra.Command, args []string) {
 		env.Releases = storage.Init(driver.NewConfigMaps(clientset.Core().ConfigMaps(namespace())))
 	}
 
+	if tlsEnable || tlsVerify {
+		opts := tlsutil.Options{CertFile: certFile, KeyFile: keyFile}
+		if tlsVerify {
+			opts.CaCertFile = caCertFile
+		}
+
+	}
+
+	var opts []grpc.ServerOption
+	if tlsEnable || tlsVerify {
+		cfg, err := tlsutil.ServerConfig(tlsOptions())
+		if err != nil {
+			fmt.Fprintf(os.Stderr, "Could not create server TLS configuration: %v\n", err)
+			os.Exit(1)
+		}
+		opts = append(opts, grpc.Creds(credentials.NewTLS(cfg)))
+	}
+
+	rootServer = tiller.NewServer(opts...)
+
 	lstn, err := net.Listen("tcp", grpcAddr)
 	if err != nil {
 		fmt.Fprintf(os.Stderr, "Server died: %s\n", err)
 		os.Exit(1)
 	}
 
-	fmt.Printf("Starting Tiller %s\n", version.GetVersion())
+	fmt.Printf("Starting Tiller %s (tls=%t)\n", version.GetVersion(), tlsEnable || tlsVerify)
 	fmt.Printf("GRPC listening on %s\n", grpcAddr)
 	fmt.Printf("Probes listening on %s\n", probeAddr)
 	fmt.Printf("Storage driver is %s\n", env.Releases.Name())
@@ -159,3 +210,27 @@ func namespace() string {
 
 	return environment.DefaultTillerNamespace
 }
+
+func tlsOptions() tlsutil.Options {
+	opts := tlsutil.Options{CertFile: certFile, KeyFile: keyFile}
+	if tlsVerify {
+		opts.CaCertFile = caCertFile
+		opts.ClientAuth = tls.RequireAndVerifyClientCert
+	}
+	return opts
+}
+
+func tlsDefaultsFromEnv(name string) (value string) {
+	switch certsDir := os.Getenv(tlsCertsEnvVar); name {
+	case "tls-key":
+		return filepath.Join(certsDir, "tls.key")
+	case "tls-cert":
+		return filepath.Join(certsDir, "tls.crt")
+	case "tls-ca-cert":
+		return filepath.Join(certsDir, "ca.crt")
+	}
+	return ""
+}
+
+func tlsEnableEnvVarDefault() bool { return os.Getenv(tlsEnableEnvVar) != "" }
+func tlsVerifyEnvVarDefault() bool { return os.Getenv(tlsVerifyEnvVar) != "" }