Expand install API and deploy/ options

deploy/helm-operator-deployment.yaml

@@ -19,6 +19,20 @@ spec:
     spec:
       serviceAccountName: flux-helm-operator
       volumes:
+      #
+      # You will need these two volumes if you want to establish validated TLS
+      # connections against Tiller
+      #
+      # - name: helm-tls-ca
+      #   configMap:
+      #     name: flux-helm-tls-ca-config
+      #     defaultMode: 0600
+      # Secret type kubernetes.io/tls
+      # - name: flux-helm-tls-cert
+      #   secret:
+      #     secretName: flux-helm-tls-cert
+      #     defaultMode: 0400
+      #
       # The following volume is for using a customised known_hosts file,
       # which you will need to do if you host your own git repo rather
       # than using github or the like. You'll also need to mount it
@@ -83,3 +97,19 @@ spec:
         #   mountPath: /var/fluxd/helm/repository
         # - name: repositories-cache
         #   mountPath: /var/fluxd/helm/repository/cache
+        # - name: helm-tls-certs
+        #   mountPath: /etc/fluxd/helm
+        #   readOnly: true
+        # - name: helm-tls-ca
+        #   mountPath: /etc/fluxd/helm-ca
+        #   readOnly: true
+        args:
+        # How to find Tiller
+        - --tiller-namespace=kube-system
+        # Comment out to to establish validated TLS connections against Tiller
+        # - --tiller-tls-ca-cert-path=/etc/fluxd/helm-ca/ca.crt
+        # - --tiller-tls-enable=true
+        # - --tiller-tls-key-path=/etc/fluxd/helm/tls.key
+        # - --tiller-tls-cert-path=/etc/fluxd/helm/tls.crt
+        # - --tiller-tls-verify=true
+        # - --tiller-tls-ca-cert-path=/etc/fluxd/helm-ca/ca.crt

go.mod

@@ -10,7 +10,7 @@ require (
 	github.com/googleapis/gnostic v0.3.0 // indirect
 	github.com/gorilla/mux v1.7.1
 	github.com/hashicorp/golang-lru v0.5.3 // indirect
-	github.com/instrumenta/kubeval v0.0.0-20190720105720-70e32d660927
+	github.com/instrumenta/kubeval v0.0.0-20190804145309-805845b47dfc
 	github.com/json-iterator/go v1.1.7 // indirect
 	github.com/ncabatoff/go-seq v0.0.0-20180805175032-b08ef85ed833
 	github.com/prometheus/client_golang v0.9.3-0.20190127221311-3c4408c8b829

go.sum

@@ -126,9 +126,12 @@ github.com/huandu/xstrings v1.2.0/go.mod h1:DvyZB1rfVYsBIigL8HwpZgxHwXozlTgGqn63
 github.com/imdario/mergo v0.3.5/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA=
 github.com/imdario/mergo v0.3.7 h1:Y+UAYTZ7gDEuOfhxKWy+dvb5dRQ6rJjFSdX2HZY1/gI=
 github.com/imdario/mergo v0.3.7/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA=
+github.com/inconshreveable/mousetrap v1.0.0 h1:Z8tu5sraLXCXIcARxBp/8cbvlwVa7Z1NHg9XEKhtSvM=
 github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8=
 github.com/instrumenta/kubeval v0.0.0-20190720105720-70e32d660927 h1:r1cvxQYvoKyFHUbPpDRAJw4QRvfyWyR55cp3mS1fklc=
 github.com/instrumenta/kubeval v0.0.0-20190720105720-70e32d660927/go.mod h1:HeTbS2psckzaIy3V3lGbcCvSGP9f9MvrQV6s9IWGy0w=
+github.com/instrumenta/kubeval v0.0.0-20190804145309-805845b47dfc h1:2wBB02X45LugTLC2M5DtxFCAOK4+jgeV4Gtx1lPZu+4=
+github.com/instrumenta/kubeval v0.0.0-20190804145309-805845b47dfc/go.mod h1:bpiMYvNpVxWjdJsS0hDRu9TrobT5GfWCZwJseGUstxE=
 github.com/jmespath/go-jmespath v0.0.0-20180206201540-c2b33e8439af h1:pmfjZENx5imkbgOkpRUYLnmbU7UEFbjtDA2hxJ1ichM=
 github.com/jmespath/go-jmespath v0.0.0-20180206201540-c2b33e8439af/go.mod h1:Nht3zPeWKUH0NzdCt2Blrr5ys8VGpn0CEB0cQHVjt7k=
 github.com/json-iterator/go v0.0.0-20180701071628-ab8a2e0c74be/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU=
@@ -222,6 +225,7 @@ github.com/spf13/afero v1.2.2/go.mod h1:9ZxEEn6pIJ8Rxe320qSDBk6AsU0r9pR7Q4OcevTd
 github.com/spf13/cast v1.2.0 h1:HHl1DSRbEQN2i8tJmtS6ViPyHx35+p51amrdsiTCrkg=
 github.com/spf13/cast v1.2.0/go.mod h1:r2rcYCSwa1IExKTDiTfzaxqT2FNHs8hODu4LnUfgKEg=
 github.com/spf13/cobra v0.0.0-20180820174524-ff0d02e85550/go.mod h1:1l0Ry5zgKvJasoi3XT1TypsSe7PqH0Sj9dhYf7v3XqQ=
+github.com/spf13/cobra v0.0.3 h1:ZlrZ4XsMRm04Fr5pSFxBgfND2EBVa1nLpiy1stUsX/8=
 github.com/spf13/cobra v0.0.3/go.mod h1:1l0Ry5zgKvJasoi3XT1TypsSe7PqH0Sj9dhYf7v3XqQ=
 github.com/spf13/jwalterweatherman v0.0.0-20180814060501-14d3d4c51834 h1:kJI9pPzfsULT/72wy7mxkRQZPtKWgFdCA2RTGZ4v8/E=
 github.com/spf13/jwalterweatherman v0.0.0-20180814060501-14d3d4c51834/go.mod h1:cQK4TGJAtQXfYWX+Ddv3mKDzgVb68N+wFjFa4jdeBTo=
@@ -312,6 +316,7 @@ golang.org/x/tools v0.0.0-20180828015842-6cd1fcedba52/go.mod h1:n7NCudcB/nEzxVGm
 golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY=
 golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
+golang.org/x/tools v0.0.0-20190312170243-e65039ee4138 h1:H3uGjxCR/6Ds0Mjgyp7LMK81+LvmbvWWEnJhzk1Pi9E=
 golang.org/x/tools v0.0.0-20190312170243-e65039ee4138/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
 google.golang.org/api v0.3.1/go.mod h1:6wY9I6uQWHQ8EM57III9mq/AjF+i8G65rmVagqKMtkk=
 google.golang.org/api v0.3.2/go.mod h1:6wY9I6uQWHQ8EM57III9mq/AjF+i8G65rmVagqKMtkk=

pkg/install/generate.go

@@ -11,7 +11,7 @@ import (
 
 	"github.com/shurcooL/vfsgen"
 
-	"github.com/weaveworks/flux/install"
+	"github.com/fluxcd/helm-operator/pkg/install"
 )
 
 func main() {
@@ -34,11 +34,7 @@ func main() {
 			log.Fatalln(err)
 		}
 	case "deploy":
-		params := install.TemplateParameters{
-			GitURL:    "git@github.com:weaveworks/flux-get-started",
-			GitBranch: "master",
-		}
-		manifests, err := install.FillInTemplates(params)
+		manifests, err := install.FillInTemplates(install.TemplateParameters{})
 		if err != nil {
 			fmt.Fprintf(os.Stderr, "error: failed to fill in templates: %s\n", err)
 			os.Exit(1)

pkg/install/install.go

@@ -2,6 +2,7 @@ package install
 
 import (
 	"bytes"
+	"encoding/base64"
 	"fmt"
 	"io"
 	"io/ioutil"
@@ -13,7 +14,12 @@ import (
 )
 
 type TemplateParameters struct {
-	Namespace          string
+	Namespace               string
+	TillerNamespace         string
+	SSHSecretName           string
+	EnableTillerTLS         bool
+	TillerTLSCACertContent  []byte
+	TillerTLSCertSecretName string
 }
 
 func FillInTemplates(params TemplateParameters) (map[string][]byte, error) {
@@ -29,8 +35,9 @@ func FillInTemplates(params TemplateParameters) (map[string][]byte, error) {
 		if err != nil {
 			return fmt.Errorf("cannot read embedded file %q: %s", info.Name(), err)
 		}
+
 		manifestTemplate, err := template.New(info.Name()).
-			Funcs(template.FuncMap{"StringsJoin": strings.Join}).
+			Funcs(template.FuncMap{"Base64Encode": base64.StdEncoding.EncodeToString}).
 			Parse(string(manifestTemplateBytes))
 		if err != nil {
 			return fmt.Errorf("cannot parse embedded file %q: %s", info.Name(), err)
@@ -39,6 +46,9 @@ func FillInTemplates(params TemplateParameters) (map[string][]byte, error) {
 		if err := manifestTemplate.Execute(out, params); err != nil {
 			return fmt.Errorf("cannot execute template for embedded file %q: %s", info.Name(), err)
 		}
+		if len(out.Bytes()) <= 1 { // empty file
+			return nil
+		}
 		result[strings.TrimSuffix(info.Name(), ".tmpl")] = out.Bytes()
 		return nil
 	})

pkg/install/install_test.go

@@ -7,13 +7,19 @@ import (
 	"github.com/stretchr/testify/assert"
 )
 
-func testFillInTemplates(t *testing.T, params TemplateParameters) {
+func testFillInTemplates(t *testing.T, params TemplateParameters, expectedManifestNum int) {
 	manifests, err := FillInTemplates(params)
 	assert.NoError(t, err)
-	assert.Len(t, manifests, 3)
+	assert.Len(t, manifests, expectedManifestNum)
+
+	config := &kubeval.Config{
+		IgnoreMissingSchemas: true,
+		KubernetesVersion:    "master",
+	}
 	for fileName, contents := range manifests {
-		validationResults, err := kubeval.Validate(contents, fileName)
-		assert.NoError(t, err)
+		config.FileName = fileName
+		validationResults, err := kubeval.Validate(contents, config)
+		assert.NoError(t, err, "contents: %s", string(contents))
 		for _, result := range validationResults {
 			if len(result.Errors) > 0 {
 				t.Errorf("found problems with manifest %s (Kind %s):\ncontent:\n%s\nerrors: %s",
@@ -26,15 +32,17 @@ func testFillInTemplates(t *testing.T, params TemplateParameters) {
 	}
 }
 
-func TestFillInTemplates(t *testing.T) { 
+func TestFillInTemplates(t *testing.T) {
 	testFillInTemplates(t, TemplateParameters{
-		Namespace:          "flux",
-	})
-
+		Namespace:               "flux",
+		TillerNamespace:         "tiller",
+		SSHSecretName:           "mysshsecretname",
+		EnableTillerTLS:         true,
+		TillerTLSCACertContent:  []byte("foo bar"),
+		TillerTLSCertSecretName: "mytlssecretname",
+	}, 4)
 }
 
-func TestFillInTemplatesNoNamespace(t *testing.T) {
-	testFillInTemplates(t, TemplateParameters{
-		Namespace: "",
-	})
+func TestFillInTemplatesEmpty(t *testing.T) {
+	testFillInTemplates(t, TemplateParameters{}, 3)
 }

pkg/install/templates/helm-operator-deployment.yaml.tmpl

@@ -19,7 +19,29 @@ spec:
         prometheus.io/scrape: "true"
     spec:
       serviceAccountName: flux-helm-operator
-      volumes:
+      volumes:{{ if .EnableTillerTLS }}
+        - name: helm-tls-ca
+          configMap:
+            name: flux-helm-tls-ca-config
+            defaultMode: 0600
+        - name: helm-tls-certs
+          secret:
+            secretName: {{ if .TillerTLSCertSecretName }}.TillerTLSCertSecretName{ else }}flux-helm-tls-cert{{ end }}
+            defaultMode: 0400{{ else }}
+      #
+      # You will need these two volumes if you want to establish validated TLS
+      # connections against Tiller
+      #
+      # - name: helm-tls-ca
+      #   configMap:
+      #     name: flux-helm-tls-ca-config
+      #     defaultMode: 0600
+      # Secret type kubernetes.io/tls
+      # - name: flux-helm-tls-cert
+      #   secret:
+      #     secretName: {{ if .TillerTLSCertSecretName }}.TillerTLSCertSecretName{{ else }}flux-helm-tls-cert{{ end }}
+      #     defaultMode: 0400
+      #{{end}}
       # The following volume is for using a customised known_hosts file,
       # which you will need to do if you host your own git repo rather
       # than using github or the like. You'll also need to mount it
@@ -33,7 +55,14 @@ spec:
       # - name: sshdir
       #   configMap:
       #     name: flux-ssh-config
-      #     defaultMode: 0400
+      #     defaultMode: 0400{{ if .SSHSecretName }}
+
+      # SSH key to access the Git repository
+        - name: git-key
+          secret:
+            secretName: {{ .SSHSecretName }}
+            defaultMode: 0400 # when mounted read-only, we won't be able to chmod
+{{ else }}
       #
       # You will need this volume if you're using a git repo that
       # needs an SSH key for access; e.g., a GitHub deploy key. If
@@ -47,7 +76,7 @@ spec:
       #   secret:
       #     secretName: flux-git-deploy
       #     defaultMode: 0400 # when mounted read-only, we won't be able to chmod
-      #
+      #{{end}}
       # These two volumes are for mounting a repositories.yaml file,
       # and providing a cache directory. The latter is needed because
       # mounting the former will make the cache/ directory read-only.
@@ -63,7 +92,7 @@ spec:
         # There are no ":latest" images for helm-operator. Find the most recent
         # release or image version at https://hub.docker.com/r/weaveworks/helm-operator/tags
         # and replace the tag here.
-        image: docker.io/fluxcd/helm-operator:0.10.0
+        image: docker.io/fluxcd/helm-operator:0.10.1
         imagePullPolicy: IfNotPresent
         ports:
         - name: http
@@ -77,10 +106,45 @@ spec:
         # file; you'll also need the volume declared above.
         # - name: sshdir
         #   mountPath: /root/.ssh
-        #   readOnly: true
+        #   readOnly: true{{ if .SSHSecretName }}
+
+          - name: git-key
+            mountPath: /etc/fluxd/ssh
+{{ else }}
         # - name: git-key
-        #   mountPath: /etc/fluxd/ssh
+        #   mountPath: /etc/fluxd/ssh{{ end }}
         # - name: repositories-yaml
         #   mountPath: /var/fluxd/helm/repository
         # - name: repositories-cache
-        #   mountPath: /var/fluxd/helm/repository/cache
+        #   mountPath: /var/fluxd/helm/repository/cache{{ if .EnableTillerTLS }}
+
+          - name: helm-tls-certs
+            mountPath: /etc/fluxd/helm
+            readOnly: true
+          - name: helm-tls-ca
+            mountPath: /etc/fluxd/helm-ca
+            readOnly: true
+{{ else }}
+        # - name: helm-tls-certs
+        #   mountPath: /etc/fluxd/helm
+        #   readOnly: true
+        # - name: helm-tls-ca
+        #   mountPath: /etc/fluxd/helm-ca
+        #   readOnly: true{{ end }}
+        args:
+        # How to find Tiller
+        - --tiller-namespace={{ if .TillerNamespace }}.TillerNamespace{{ else }}kube-system{{ end }}{{ if .EnableTillerTLS }}
+        # TLS configuration
+        - --tiller-tls-ca-cert-path=/etc/fluxd/helm-ca/ca.crt
+        - --tiller-tls-enable=true
+        - --tiller-tls-key-path=/etc/fluxd/helm/tls.key
+        - --tiller-tls-cert-path=/etc/fluxd/helm/tls.crt
+        - --tiller-tls-verify=true
+        - --tiller-tls-ca-cert-path=/etc/fluxd/helm-ca/ca.crt{{ else }}
+        # Comment out to to establish validated TLS connections against Tiller
+        # - --tiller-tls-ca-cert-path=/etc/fluxd/helm-ca/ca.crt
+        # - --tiller-tls-enable=true
+        # - --tiller-tls-key-path=/etc/fluxd/helm/tls.key
+        # - --tiller-tls-cert-path=/etc/fluxd/helm/tls.crt
+        # - --tiller-tls-verify=true
+        # - --tiller-tls-ca-cert-path=/etc/fluxd/helm-ca/ca.crt{{ end }}

pkg/install/templates/tiller-ca-cert-configmap.yaml.tmpl

@@ -0,0 +1,11 @@
+{{ if .EnableTillerTLS }}---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: flux-helm-tls-ca-config
+  {{ if .Namespace }}
+  namespace: {{ .Namespace }}{{ end }}
+data:
+  ca.crt: |
+    {{ Base64Encode .TillerTLSCACertContent }}
+{{- end -}}