helm-op: Add support for connecting to tiller using tls

chart/flux/templates/helm-operator-deployment.yaml

@@ -32,6 +32,18 @@ spec:
         secret:
           secretName: {{ template "flux.fullname" . }}-git-deploy
           defaultMode: 0400
+      {{- if .Values.helmOperator.tls.enable }}
+      - name: helm-tls-certs
+        secret:
+          secretName: {{ .Values.helmOperator.tls.secretName }}
+          defaultMode: 0400
+      {{- if .Values.helmOperator.tls.verify }}
+      - name: helm-tls-ca
+        configMap:
+          name: {{ template "flux.fullname" . }}-helm-tls-ca-config
+          defaultMode: 0600
+      {{- end }}
+      {{- end }}
       containers:
       - name: flux-helm-operator
         image: "{{ .Values.helmOperator.repository }}:{{ .Values.helmOperator.tag }}"
@@ -44,8 +56,28 @@ spec:
         - name: git-key
           mountPath: /etc/fluxd/ssh
           readOnly: true
+        {{- if .Values.helmOperator.tls.enable }}
+        - name: helm-tls-certs
+          mountPath: /etc/fluxd/helm
+          readOnly: true
+        {{- if .Values.helmOperator.tls.verify }}
+        - name: helm-tls-ca
+          mountPath: /etc/fluxd/helm-ca
+          readOnly: true
+        {{- end }}
+        {{- end }}
         args:
         - --git-url={{ .Values.git.url }}
         - --git-branch={{ .Values.git.branch }}
         - --git-charts-path={{ .Values.git.chartsPath }}
+        - --tiller-namespace={{ .Values.helmOperator.tillerNamespace }}
+        {{- if .Values.helmOperator.tls.enable }}
+        - --tiller-tls-enable={{ .Values.helmOperator.tls.enable }}
+        - --tiller-tls-key-path={{ .Values.helmOperator.tls.keyPath }}
+        - --tiller-tls-cert-path={{ .Values.helmOperator.tls.certPath }}
+        {{- if .Values.helmOperator.tls.verify }}
+        - --tiller-tls-verify={{ .Values.helmOperator.tls.verify }}
+        - --tiller-tls-ca-cert-path=/etc/fluxd/helm-ca/ca.crt
+        {{- end }}
+        {{- end }}
 {{- end -}}

chart/flux/templates/helm-tls.yaml

@@ -0,0 +1,10 @@
+{{- if .Values.helmOperator.tls.enable -}}
+{{- if .Values.helmOperator.tls.verify -}}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ template "flux.fullname" . }}-helm-tls-ca-config
+data:
+  ca.crt: {{ .Values.helmOperator.tls.caContent }}
+{{- end -}}
+{{- end -}}

chart/flux/values.yaml

@@ -19,6 +19,14 @@ helmOperator:
   repository: quay.io/weaveworks/helm-operator
   tag: 0.1.0-alpha
   pullPolicy: IfNotPresent
+  tillerNamespace: kube-system
+  tls:
+    secretName: 'helm-client-certs'
+    verify: false
+    enable: false
+    keyPath: '/etc/fluxd/helm/tls.key'
+    certPath: '/etc/fluxd/helm/tls.crt'
+    caContent: ''
 
 rbac:
   # Specifies whether RBAC resources should be created

cmd/helm-operator/main.go

@@ -45,6 +45,12 @@ var (
 	tillerPort      *string
 	tillerNamespace *string
 
+	tillerTLSVerify *bool
+	tillerTLSEnable *bool
+	tillerTLSKey    *string
+	tillerTLSCert   *string
+	tillerTLSCACert *string
+
 	chartsSyncInterval  *time.Duration
 	chartsSyncTimeout   *time.Duration
 	eventHandlerWorkers *uint
@@ -91,6 +97,12 @@ func init() {
 	tillerPort = fs.String("tiller-port", "", "Tiller port.")
 	tillerNamespace = fs.String("tiller-namespace", "kube-system", "Tiller namespace. If not provided, the default is kube-system.")
 
+	tillerTLSVerify = fs.Bool("tiller-tls-verify", false, "Verify TLS certificate from Tiller. Will enable TLS communication when provided.")
+	tillerTLSEnable = fs.Bool("tiller-tls-enable", false, "Enable TLS communication with Tiller. If provided, requires TLSKey and TLSCert to be provided as well.")
+	tillerTLSKey = fs.String("tiller-tls-key-path", "/etc/fluxd/helm/tls.key", "Path to private key file used to communicate with the Tiller server.")
+	tillerTLSCert = fs.String("tiller-tls-cert-path", "/etc/fluxd/helm/tls.crt", "Path to certificate file used to communicate with the Tiller server.")
+	tillerTLSCACert = fs.String("tiller-tls-ca-cert-path", "", "Path to CA certificate file used to validate the Tiller server. Required if tiller-tls-verify is enabled.")
+
 	chartsSyncInterval = fs.Duration("charts-sync-interval", 3*time.Minute, "Interval at which to check for changed charts")
 	chartsSyncTimeout = fs.Duration("charts-sync-timeout", 1*time.Minute, "Timeout when checking for changed charts")
 	eventHandlerWorkers = fs.Uint("event-handler-workers", 2, "Number of workers processing events for Flux-Helm custom resources")
@@ -162,7 +174,17 @@ func main() {
 	}
 
 	// HELM ---------------------------------------------------------------------------------
-	helmClient := fluxhelm.ClientSetup(log.With(logger, "component", "helm"), kubeClient, fluxhelm.TillerOptions{IP: *tillerIP, Port: *tillerPort, Namespace: *tillerNamespace})
+	helmClient := fluxhelm.ClientSetup(log.With(logger, "component", "helm"), kubeClient, fluxhelm.TillerOptions{
+		IP:        *tillerIP,
+		Port:      *tillerPort,
+		Namespace: *tillerNamespace,
+
+		TLSVerify: *tillerTLSVerify,
+		TLSEnable: *tillerTLSEnable,
+		TLSKey:    *tillerTLSKey,
+		TLSCert:   *tillerTLSCert,
+		TLSCACert: *tillerTLSCACert,
+	})
 
 	// The status updater, to keep track the release status for each
 	// FluxHelmRelease. It runs as a separate loop for now.

integrations/helm/helm.go

@@ -10,12 +10,18 @@ import (
 	"k8s.io/client-go/kubernetes"
 	k8shelm "k8s.io/helm/pkg/helm"
 	rls "k8s.io/helm/pkg/proto/hapi/services"
+	"k8s.io/helm/pkg/tlsutil"
 )
 
 type TillerOptions struct {
 	IP        string
 	Port      string
 	Namespace string
+	TLSVerify bool
+	TLSEnable bool
+	TLSKey    string
+	TLSCert   string
+	TLSCACert string
 }
 
 // Helm struct provides access to helm client
@@ -32,7 +38,22 @@ func newClient(kubeClient *kubernetes.Clientset, opts TillerOptions) (*k8shelm.C
 		return &k8shelm.Client{}, err
 	}
 
-	return k8shelm.NewClient(k8shelm.Host(host)), nil
+	options := []k8shelm.Option{k8shelm.Host(host)}
+	if opts.TLSVerify || opts.TLSEnable {
+		tlscfg, err := tlsutil.ClientConfig(tlsutil.Options{
+			KeyFile:            opts.TLSKey,
+			CertFile:           opts.TLSCert,
+			InsecureSkipVerify: !opts.TLSVerify,
+			CaCertFile:         opts.TLSCACert,
+		})
+
+		if err != nil {
+			return &k8shelm.Client{}, err
+		}
+		options = append(options, k8shelm.WithTLS(tlscfg))
+	}
+
+	return k8shelm.NewClient(options...), nil
 }
 
 func ClientSetup(logger log.Logger, kubeClient *kubernetes.Clientset, tillerOpts TillerOptions) *k8shelm.Client {

site/helm/helm-integration.md

@@ -65,24 +65,29 @@ helm-operator requires setup and offers customization though a multitude of flag
 
 |flag                    | default                       | purpose |
 |------------------------|-------------------------------|---------|
-|--kubernetes-kubectl    |                               | Optional, explicit path to kubectl tool.|
-|--kubeconfig            |                               | Path to a kubeconfig. Only required if out-of-cluster.|
-|--master                |                               | The address of the Kubernetes API server. Overrides any value in kubeconfig. Only required if out-of-cluster.|
-|                        |                               | **Tiller options**|
-|--tillerIP              |                               | Tiller IP address. Only required if out-of-cluster.|
-|--tillerPort            |                               | Tiller port.|
-|--tillerNamespace       |                               | Tiller namespace. If not provided, the default is kube-system.|
-|                        |                               | **Git repo & key etc.**|
-|--git-url               |                               | URL of git repo with Helm Charts; e.g., `ssh://git@github.com/weaveworks/flux-example`|
-|--git-branch            | `master`                      | Branch of git repo to use for Kubernetes manifests|
-|--git-charts-path       | `charts`                      | Path within git repo to locate Kubernetes Charts (relative path)|
-|                        |                               | **repo chart changes** (none of these need overriding, usually) |
-|--git-poll-interval     | `5 minutes`                   | period at which to poll git repo for new commits|
-|--chartsSyncInterval    | 3*time.Minute                 | Interval at which to check for changed charts.|
-|--chartsSyncTimeout     | 1*time.Minute                 | Timeout when checking for changed charts.|
-|                        |                               | **k8s-secret backed ssh keyring configuration**|
+|--kubernetes-kubectl          |                               | Optional, explicit path to kubectl tool.|
+|--kubeconfig                  |                               | Path to a kubeconfig. Only required if out-of-cluster.|
+|--master                      |                               | The address of the Kubernetes API server. Overrides any value in kubeconfig. Only required if out-of-cluster.|
+|                              |                               | **Tiller options**|
+|--tillerIP                    |                               | Tiller IP address. Only required if out-of-cluster.|
+|--tillerPort                  |                               | Tiller port.|
+|--tillerNamespace             |                               | Tiller namespace. If not provided, the default is kube-system.| |
+|--tiller-tls-enable           |`false`                        | Enable TLS communication with Tiller. If provided, requires TLSKey and TLSCert to be provided as well. |
+|--tiller-tls-verify           |`false`                        | Verify TLS certificate from Tiller. Will enable TLS communication when provided. |
+|--tiller-tls-tls-key-path     |`/etc/fluxd/helm/tls.key`      | Path to private key file used to communicate with the Tiller server. |
+|--tiller-tls-tls-cert-path    |`/etc/fluxd/helm/tls.crt`      | Path to certificate file used to communicate with the Tiller server. |
+|--tiller-tls-tls-ca-cert-path |                               | Path to CA certificate file used to validate the Tiller server. Required if tiller-tls-verify is enabled. |
+|                              |                               | **Git repo & key etc.**|
+|--git-url                     |                               | URL of git repo with Helm Charts; e.g., `ssh://git@github.com/weaveworks/flux-example`|
+|--git-branch                  | `master`                      | Branch of git repo to use for Kubernetes manifests|
+|--git-charts-path             | `charts`                      | Path within git repo to locate Kubernetes Charts (relative path)|
+|                              |                               | **repo chart changes** (none of these need overriding, usually) |
+|--git-poll-interval           | `5 minutes`                   | period at which to poll git repo for new commits|
+|--chartsSyncInterval          | 3*time.Minute                 | Interval at which to check for changed charts.|
+|--chartsSyncTimeout           | 1*time.Minute                 | Timeout when checking for changed charts.|
+|                              |                               | **k8s-secret backed ssh keyring configuration**|
 |--k8s-secret-volume-mount-path | `/etc/fluxd/ssh`       | Mount location of the k8s secret storing the private SSH key|
-|--k8s-secret-data-key   | `identity`                    | Data key holding the private SSH key within the k8s secret|
-|--queueWorkerCount      |  2                            | Number of workers to process queue with Chart release jobs.|
+|--k8s-secret-data-key         | `identity`                    | Data key holding the private SSH key within the k8s secret|
+|--queueWorkerCount            |  2                            | Number of workers to process queue with Chart release jobs.|
 
 [Requirements](./helm-integration-requirements.md)