diff --git a/cmd/helm/helm.go b/cmd/helm/helm.go
index 8607129e49aaeebb6458b1652787bfc68b0b99e7..cdb6313e218aed732252a06524162bb16114dd98 100644
--- a/cmd/helm/helm.go
+++ b/cmd/helm/helm.go
@@ -40,6 +40,7 @@ import (
)
var (
+ tlsServerName string // overrides the server name used to verify the hostname on the returned certificates from the server.
tlsCaCertFile string // path to TLS CA certificate file
tlsCertFile string // path to TLS certificate file
tlsKeyFile string // path to TLS key file
@@ -285,8 +286,13 @@ func newClient() helm.Interface {
if tlsKeyFile == "" {
tlsKeyFile = settings.Home.TLSKey()
}
- debug("Key=%q, Cert=%q, CA=%q\n", tlsKeyFile, tlsCertFile, tlsCaCertFile)
- tlsopts := tlsutil.Options{KeyFile: tlsKeyFile, CertFile: tlsCertFile, InsecureSkipVerify: true}
+ debug("Host=%q, Key=%q, Cert=%q, CA=%q\n", tlsKeyFile, tlsCertFile, tlsCaCertFile)
+ tlsopts := tlsutil.Options{
+ ServerName: tlsServerName,
+ KeyFile: tlsKeyFile,
+ CertFile: tlsCertFile,
+ InsecureSkipVerify: true,
+ }
if tlsVerify {
tlsopts.CaCertFile = tlsCaCertFile
tlsopts.InsecureSkipVerify = false
@@ -306,6 +312,7 @@ func newClient() helm.Interface {
func addFlagsTLS(cmd *cobra.Command) *cobra.Command {
// add flags
+ cmd.Flags().StringVar(&tlsServerName, "tls-hostname", settings.TillerHost, "the server name used to verify the hostname on the returned certificates from the server")
cmd.Flags().StringVar(&tlsCaCertFile, "tls-ca-cert", tlsCaCertDefault, "path to TLS CA certificate file")
cmd.Flags().StringVar(&tlsCertFile, "tls-cert", tlsCertDefault, "path to TLS certificate file")
cmd.Flags().StringVar(&tlsKeyFile, "tls-key", tlsKeyDefault, "path to TLS key file")
diff --git a/docs/helm/helm_delete.md b/docs/helm/helm_delete.md
index e181f439e7ec70c767758dfaf25d0978bac93b66..442e5e96c1074187b28231013ddc0f63f249b6bf 100644
--- a/docs/helm/helm_delete.md
+++ b/docs/helm/helm_delete.md
@@ -20,16 +20,17 @@ helm delete [flags] RELEASE_NAME [...]
### Options
```
- --description string specify a description for the release
- --dry-run simulate a delete
- --no-hooks prevent hooks from running during deletion
- --purge remove the release from the store and make its name free for later use
- --timeout int time in seconds to wait for any individual Kubernetes operation (like Jobs for hooks) (default 300)
- --tls enable TLS for request
- --tls-ca-cert string path to TLS CA certificate file (default "$HELM_HOME/ca.pem")
- --tls-cert string path to TLS certificate file (default "$HELM_HOME/cert.pem")
- --tls-key string path to TLS key file (default "$HELM_HOME/key.pem")
- --tls-verify enable TLS for request and verify remote
+ --description string specify a description for the release
+ --dry-run simulate a delete
+ --no-hooks prevent hooks from running during deletion
+ --purge remove the release from the store and make its name free for later use
+ --timeout int time in seconds to wait for any individual Kubernetes operation (like Jobs for hooks) (default 300)
+ --tls enable TLS for request
+ --tls-ca-cert string path to TLS CA certificate file (default "$HELM_HOME/ca.pem")
+ --tls-cert string path to TLS certificate file (default "$HELM_HOME/cert.pem")
+ --tls-hostname string the server name used to verify the hostname on the returned certificates from the server
+ --tls-key string path to TLS key file (default "$HELM_HOME/key.pem")
+ --tls-verify enable TLS for request and verify remote
```
### Options inherited from parent commands
@@ -47,4 +48,4 @@ helm delete [flags] RELEASE_NAME [...]
### SEE ALSO
* [helm](helm.md) - The Helm package manager for Kubernetes.
-###### Auto generated by spf13/cobra on 17-Jun-2018
+###### Auto generated by spf13/cobra on 7-Aug-2018
diff --git a/docs/helm/helm_get.md b/docs/helm/helm_get.md
index f233cd2a75cb54666c0b5dca24c96cad441bf138..3a1b3d44215f23af6b72a50db0409ee135a2cc79 100644
--- a/docs/helm/helm_get.md
+++ b/docs/helm/helm_get.md
@@ -25,12 +25,13 @@ helm get [flags] RELEASE_NAME
### Options
```
- --revision int32 get the named release with revision
- --tls enable TLS for request
- --tls-ca-cert string path to TLS CA certificate file (default "$HELM_HOME/ca.pem")
- --tls-cert string path to TLS certificate file (default "$HELM_HOME/cert.pem")
- --tls-key string path to TLS key file (default "$HELM_HOME/key.pem")
- --tls-verify enable TLS for request and verify remote
+ --revision int32 get the named release with revision
+ --tls enable TLS for request
+ --tls-ca-cert string path to TLS CA certificate file (default "$HELM_HOME/ca.pem")
+ --tls-cert string path to TLS certificate file (default "$HELM_HOME/cert.pem")
+ --tls-hostname string the server name used to verify the hostname on the returned certificates from the server
+ --tls-key string path to TLS key file (default "$HELM_HOME/key.pem")
+ --tls-verify enable TLS for request and verify remote
```
### Options inherited from parent commands
@@ -51,4 +52,4 @@ helm get [flags] RELEASE_NAME
* [helm get manifest](helm_get_manifest.md) - download the manifest for a named release
* [helm get values](helm_get_values.md) - download the values file for a named release
-###### Auto generated by spf13/cobra on 17-Jun-2018
+###### Auto generated by spf13/cobra on 7-Aug-2018
diff --git a/docs/helm/helm_get_hooks.md b/docs/helm/helm_get_hooks.md
index 4f9fa1887b9e44db031b281a0f30e9f2f7e2c70d..9f3d5b0b26ad0d5e19890e14151210d29178277a 100644
--- a/docs/helm/helm_get_hooks.md
+++ b/docs/helm/helm_get_hooks.md
@@ -18,12 +18,13 @@ helm get hooks [flags] RELEASE_NAME
### Options
```
- --revision int32 get the named release with revision
- --tls enable TLS for request
- --tls-ca-cert string path to TLS CA certificate file (default "$HELM_HOME/ca.pem")
- --tls-cert string path to TLS certificate file (default "$HELM_HOME/cert.pem")
- --tls-key string path to TLS key file (default "$HELM_HOME/key.pem")
- --tls-verify enable TLS for request and verify remote
+ --revision int32 get the named release with revision
+ --tls enable TLS for request
+ --tls-ca-cert string path to TLS CA certificate file (default "$HELM_HOME/ca.pem")
+ --tls-cert string path to TLS certificate file (default "$HELM_HOME/cert.pem")
+ --tls-hostname string the server name used to verify the hostname on the returned certificates from the server
+ --tls-key string path to TLS key file (default "$HELM_HOME/key.pem")
+ --tls-verify enable TLS for request and verify remote
```
### Options inherited from parent commands
@@ -41,4 +42,4 @@ helm get hooks [flags] RELEASE_NAME
### SEE ALSO
* [helm get](helm_get.md) - download a named release
-###### Auto generated by spf13/cobra on 17-Jun-2018
+###### Auto generated by spf13/cobra on 7-Aug-2018
diff --git a/docs/helm/helm_get_manifest.md b/docs/helm/helm_get_manifest.md
index 3ae55ef3e7076ff82be1d4b7e395ed27348e2d54..6cae9001f1941bdb721ac419c1ccddb1a05a9791 100644
--- a/docs/helm/helm_get_manifest.md
+++ b/docs/helm/helm_get_manifest.md
@@ -20,12 +20,13 @@ helm get manifest [flags] RELEASE_NAME
### Options
```
- --revision int32 get the named release with revision
- --tls enable TLS for request
- --tls-ca-cert string path to TLS CA certificate file (default "$HELM_HOME/ca.pem")
- --tls-cert string path to TLS certificate file (default "$HELM_HOME/cert.pem")
- --tls-key string path to TLS key file (default "$HELM_HOME/key.pem")
- --tls-verify enable TLS for request and verify remote
+ --revision int32 get the named release with revision
+ --tls enable TLS for request
+ --tls-ca-cert string path to TLS CA certificate file (default "$HELM_HOME/ca.pem")
+ --tls-cert string path to TLS certificate file (default "$HELM_HOME/cert.pem")
+ --tls-hostname string the server name used to verify the hostname on the returned certificates from the server
+ --tls-key string path to TLS key file (default "$HELM_HOME/key.pem")
+ --tls-verify enable TLS for request and verify remote
```
### Options inherited from parent commands
@@ -43,4 +44,4 @@ helm get manifest [flags] RELEASE_NAME
### SEE ALSO
* [helm get](helm_get.md) - download a named release
-###### Auto generated by spf13/cobra on 17-Jun-2018
+###### Auto generated by spf13/cobra on 7-Aug-2018
diff --git a/docs/helm/helm_get_values.md b/docs/helm/helm_get_values.md
index 12d9731227f0a75c1473395e5b01813470644bfe..01fee2cd2140caf975c74bb87273209bb760eff6 100644
--- a/docs/helm/helm_get_values.md
+++ b/docs/helm/helm_get_values.md
@@ -16,13 +16,14 @@ helm get values [flags] RELEASE_NAME
### Options
```
- -a, --all dump all (computed) values
- --revision int32 get the named release with revision
- --tls enable TLS for request
- --tls-ca-cert string path to TLS CA certificate file (default "$HELM_HOME/ca.pem")
- --tls-cert string path to TLS certificate file (default "$HELM_HOME/cert.pem")
- --tls-key string path to TLS key file (default "$HELM_HOME/key.pem")
- --tls-verify enable TLS for request and verify remote
+ -a, --all dump all (computed) values
+ --revision int32 get the named release with revision
+ --tls enable TLS for request
+ --tls-ca-cert string path to TLS CA certificate file (default "$HELM_HOME/ca.pem")
+ --tls-cert string path to TLS certificate file (default "$HELM_HOME/cert.pem")
+ --tls-hostname string the server name used to verify the hostname on the returned certificates from the server
+ --tls-key string path to TLS key file (default "$HELM_HOME/key.pem")
+ --tls-verify enable TLS for request and verify remote
```
### Options inherited from parent commands
@@ -40,4 +41,4 @@ helm get values [flags] RELEASE_NAME
### SEE ALSO
* [helm get](helm_get.md) - download a named release
-###### Auto generated by spf13/cobra on 17-Jun-2018
+###### Auto generated by spf13/cobra on 7-Aug-2018
diff --git a/docs/helm/helm_history.md b/docs/helm/helm_history.md
index 437e70f0320bcc97d31301eec29b1bdb0b13ac5b..e5028f9cbe9b69c057a19212443278863d40b897 100755
--- a/docs/helm/helm_history.md
+++ b/docs/helm/helm_history.md
@@ -28,14 +28,15 @@ helm history [flags] RELEASE_NAME
### Options
```
- --col-width uint specifies the max column width of output (default 60)
- --max int32 maximum number of revision to include in history (default 256)
- -o, --output string prints the output in the specified format (json|table|yaml) (default "table")
- --tls enable TLS for request
- --tls-ca-cert string path to TLS CA certificate file (default "$HELM_HOME/ca.pem")
- --tls-cert string path to TLS certificate file (default "$HELM_HOME/cert.pem")
- --tls-key string path to TLS key file (default "$HELM_HOME/key.pem")
- --tls-verify enable TLS for request and verify remote
+ --col-width uint specifies the max column width of output (default 60)
+ --max int32 maximum number of revision to include in history (default 256)
+ -o, --output string prints the output in the specified format (json|table|yaml) (default "table")
+ --tls enable TLS for request
+ --tls-ca-cert string path to TLS CA certificate file (default "$HELM_HOME/ca.pem")
+ --tls-cert string path to TLS certificate file (default "$HELM_HOME/cert.pem")
+ --tls-hostname string the server name used to verify the hostname on the returned certificates from the server
+ --tls-key string path to TLS key file (default "$HELM_HOME/key.pem")
+ --tls-verify enable TLS for request and verify remote
```
### Options inherited from parent commands
@@ -53,4 +54,4 @@ helm history [flags] RELEASE_NAME
### SEE ALSO
* [helm](helm.md) - The Helm package manager for Kubernetes.
-###### Auto generated by spf13/cobra on 17-Jun-2018
+###### Auto generated by spf13/cobra on 7-Aug-2018
diff --git a/docs/helm/helm_install.md b/docs/helm/helm_install.md
index c266222b8ac3db13a45cab28c7b2981d1289fe61..6e0948e8f9b0774b56c00803d3fab19e1763e5e7 100644
--- a/docs/helm/helm_install.md
+++ b/docs/helm/helm_install.md
@@ -102,6 +102,7 @@ helm install [CHART]
--tls enable TLS for request
--tls-ca-cert string path to TLS CA certificate file (default "$HELM_HOME/ca.pem")
--tls-cert string path to TLS certificate file (default "$HELM_HOME/cert.pem")
+ --tls-hostname string the server name used to verify the hostname on the returned certificates from the server
--tls-key string path to TLS key file (default "$HELM_HOME/key.pem")
--tls-verify enable TLS for request and verify remote
--username string chart repository username where to locate the requested chart
@@ -126,4 +127,4 @@ helm install [CHART]
### SEE ALSO
* [helm](helm.md) - The Helm package manager for Kubernetes.
-###### Auto generated by spf13/cobra on 17-Jul-2018
+###### Auto generated by spf13/cobra on 7-Aug-2018
diff --git a/docs/helm/helm_list.md b/docs/helm/helm_list.md
index c7e99e40349c8bc93d1772aa2c6ef440fd264d28..17b2573b8db2c1ebd799b0c396b499c905c89f5c 100755
--- a/docs/helm/helm_list.md
+++ b/docs/helm/helm_list.md
@@ -39,25 +39,26 @@ helm list [flags] [FILTER]
### Options
```
- -a, --all show all releases, not just the ones marked DEPLOYED
- --col-width uint specifies the max column width of output (default 60)
- -d, --date sort by release date
- --deleted show deleted releases
- --deleting show releases that are currently being deleted
- --deployed show deployed releases. If no other is specified, this will be automatically enabled
- --failed show failed releases
- -m, --max int maximum number of releases to fetch (default 256)
- --namespace string show releases within a specific namespace
- -o, --offset string next release name in the list, used to offset from start value
- --output string output the specified format (json or yaml)
- --pending show pending releases
- -r, --reverse reverse the sort order
- -q, --short output short (quiet) listing format
- --tls enable TLS for request
- --tls-ca-cert string path to TLS CA certificate file (default "$HELM_HOME/ca.pem")
- --tls-cert string path to TLS certificate file (default "$HELM_HOME/cert.pem")
- --tls-key string path to TLS key file (default "$HELM_HOME/key.pem")
- --tls-verify enable TLS for request and verify remote
+ -a, --all show all releases, not just the ones marked DEPLOYED
+ --col-width uint specifies the max column width of output (default 60)
+ -d, --date sort by release date
+ --deleted show deleted releases
+ --deleting show releases that are currently being deleted
+ --deployed show deployed releases. If no other is specified, this will be automatically enabled
+ --failed show failed releases
+ -m, --max int maximum number of releases to fetch (default 256)
+ --namespace string show releases within a specific namespace
+ -o, --offset string next release name in the list, used to offset from start value
+ --output string output the specified format (json or yaml)
+ --pending show pending releases
+ -r, --reverse reverse the sort order
+ -q, --short output short (quiet) listing format
+ --tls enable TLS for request
+ --tls-ca-cert string path to TLS CA certificate file (default "$HELM_HOME/ca.pem")
+ --tls-cert string path to TLS certificate file (default "$HELM_HOME/cert.pem")
+ --tls-hostname string the server name used to verify the hostname on the returned certificates from the server
+ --tls-key string path to TLS key file (default "$HELM_HOME/key.pem")
+ --tls-verify enable TLS for request and verify remote
```
### Options inherited from parent commands
@@ -75,4 +76,4 @@ helm list [flags] [FILTER]
### SEE ALSO
* [helm](helm.md) - The Helm package manager for Kubernetes.
-###### Auto generated by spf13/cobra on 17-Jun-2018
+###### Auto generated by spf13/cobra on 7-Aug-2018
diff --git a/docs/helm/helm_reset.md b/docs/helm/helm_reset.md
index 507a94bfdfaf38dcd5f9c9f460448ba58f281bf4..74d5ecc0e95cddfd5558d05486ca11e2e6829a5b 100644
--- a/docs/helm/helm_reset.md
+++ b/docs/helm/helm_reset.md
@@ -18,13 +18,14 @@ helm reset
### Options
```
- -f, --force forces Tiller uninstall even if there are releases installed, or if Tiller is not in ready state. Releases are not deleted.)
- --remove-helm-home if set deletes $HELM_HOME
- --tls enable TLS for request
- --tls-ca-cert string path to TLS CA certificate file (default "$HELM_HOME/ca.pem")
- --tls-cert string path to TLS certificate file (default "$HELM_HOME/cert.pem")
- --tls-key string path to TLS key file (default "$HELM_HOME/key.pem")
- --tls-verify enable TLS for request and verify remote
+ -f, --force forces Tiller uninstall even if there are releases installed, or if Tiller is not in ready state. Releases are not deleted.)
+ --remove-helm-home if set deletes $HELM_HOME
+ --tls enable TLS for request
+ --tls-ca-cert string path to TLS CA certificate file (default "$HELM_HOME/ca.pem")
+ --tls-cert string path to TLS certificate file (default "$HELM_HOME/cert.pem")
+ --tls-hostname string the server name used to verify the hostname on the returned certificates from the server
+ --tls-key string path to TLS key file (default "$HELM_HOME/key.pem")
+ --tls-verify enable TLS for request and verify remote
```
### Options inherited from parent commands
@@ -42,4 +43,4 @@ helm reset
### SEE ALSO
* [helm](helm.md) - The Helm package manager for Kubernetes.
-###### Auto generated by spf13/cobra on 17-Jun-2018
+###### Auto generated by spf13/cobra on 7-Aug-2018
diff --git a/docs/helm/helm_rollback.md b/docs/helm/helm_rollback.md
index b40fb883adad9300268fbb23b5968642d1e99354..40d3ad83b3b167e1482265fc47a805486231638e 100644
--- a/docs/helm/helm_rollback.md
+++ b/docs/helm/helm_rollback.md
@@ -20,18 +20,19 @@ helm rollback [flags] [RELEASE] [REVISION]
### Options
```
- --description string specify a description for the release
- --dry-run simulate a rollback
- --force force resource update through delete/recreate if needed
- --no-hooks prevent hooks from running during rollback
- --recreate-pods performs pods restart for the resource if applicable
- --timeout int time in seconds to wait for any individual Kubernetes operation (like Jobs for hooks) (default 300)
- --tls enable TLS for request
- --tls-ca-cert string path to TLS CA certificate file (default "$HELM_HOME/ca.pem")
- --tls-cert string path to TLS certificate file (default "$HELM_HOME/cert.pem")
- --tls-key string path to TLS key file (default "$HELM_HOME/key.pem")
- --tls-verify enable TLS for request and verify remote
- --wait if set, will wait until all Pods, PVCs, Services, and minimum number of Pods of a Deployment are in a ready state before marking the release as successful. It will wait for as long as --timeout
+ --description string specify a description for the release
+ --dry-run simulate a rollback
+ --force force resource update through delete/recreate if needed
+ --no-hooks prevent hooks from running during rollback
+ --recreate-pods performs pods restart for the resource if applicable
+ --timeout int time in seconds to wait for any individual Kubernetes operation (like Jobs for hooks) (default 300)
+ --tls enable TLS for request
+ --tls-ca-cert string path to TLS CA certificate file (default "$HELM_HOME/ca.pem")
+ --tls-cert string path to TLS certificate file (default "$HELM_HOME/cert.pem")
+ --tls-hostname string the server name used to verify the hostname on the returned certificates from the server
+ --tls-key string path to TLS key file (default "$HELM_HOME/key.pem")
+ --tls-verify enable TLS for request and verify remote
+ --wait if set, will wait until all Pods, PVCs, Services, and minimum number of Pods of a Deployment are in a ready state before marking the release as successful. It will wait for as long as --timeout
```
### Options inherited from parent commands
@@ -49,4 +50,4 @@ helm rollback [flags] [RELEASE] [REVISION]
### SEE ALSO
* [helm](helm.md) - The Helm package manager for Kubernetes.
-###### Auto generated by spf13/cobra on 17-Jun-2018
+###### Auto generated by spf13/cobra on 7-Aug-2018
diff --git a/docs/helm/helm_status.md b/docs/helm/helm_status.md
index 5317875e6371dc3286011a95fff11837a1ee2995..22b47c851560453ffc8725046eb52d5cba371634 100644
--- a/docs/helm/helm_status.md
+++ b/docs/helm/helm_status.md
@@ -23,13 +23,14 @@ helm status [flags] RELEASE_NAME
### Options
```
- -o, --output string output the status in the specified format (json or yaml)
- --revision int32 if set, display the status of the named release with revision
- --tls enable TLS for request
- --tls-ca-cert string path to TLS CA certificate file (default "$HELM_HOME/ca.pem")
- --tls-cert string path to TLS certificate file (default "$HELM_HOME/cert.pem")
- --tls-key string path to TLS key file (default "$HELM_HOME/key.pem")
- --tls-verify enable TLS for request and verify remote
+ -o, --output string output the status in the specified format (json or yaml)
+ --revision int32 if set, display the status of the named release with revision
+ --tls enable TLS for request
+ --tls-ca-cert string path to TLS CA certificate file (default "$HELM_HOME/ca.pem")
+ --tls-cert string path to TLS certificate file (default "$HELM_HOME/cert.pem")
+ --tls-hostname string the server name used to verify the hostname on the returned certificates from the server
+ --tls-key string path to TLS key file (default "$HELM_HOME/key.pem")
+ --tls-verify enable TLS for request and verify remote
```
### Options inherited from parent commands
@@ -47,4 +48,4 @@ helm status [flags] RELEASE_NAME
### SEE ALSO
* [helm](helm.md) - The Helm package manager for Kubernetes.
-###### Auto generated by spf13/cobra on 17-Jun-2018
+###### Auto generated by spf13/cobra on 7-Aug-2018
diff --git a/docs/helm/helm_test.md b/docs/helm/helm_test.md
index 688b67a3404f7faddce5b0eb1e76fd0b94e5b16b..5a84c3b18957ce613d65d1ebb92c042f99698a91 100644
--- a/docs/helm/helm_test.md
+++ b/docs/helm/helm_test.md
@@ -19,13 +19,14 @@ helm test [RELEASE]
### Options
```
- --cleanup delete test pods upon completion
- --timeout int time in seconds to wait for any individual Kubernetes operation (like Jobs for hooks) (default 300)
- --tls enable TLS for request
- --tls-ca-cert string path to TLS CA certificate file (default "$HELM_HOME/ca.pem")
- --tls-cert string path to TLS certificate file (default "$HELM_HOME/cert.pem")
- --tls-key string path to TLS key file (default "$HELM_HOME/key.pem")
- --tls-verify enable TLS for request and verify remote
+ --cleanup delete test pods upon completion
+ --timeout int time in seconds to wait for any individual Kubernetes operation (like Jobs for hooks) (default 300)
+ --tls enable TLS for request
+ --tls-ca-cert string path to TLS CA certificate file (default "$HELM_HOME/ca.pem")
+ --tls-cert string path to TLS certificate file (default "$HELM_HOME/cert.pem")
+ --tls-hostname string the server name used to verify the hostname on the returned certificates from the server
+ --tls-key string path to TLS key file (default "$HELM_HOME/key.pem")
+ --tls-verify enable TLS for request and verify remote
```
### Options inherited from parent commands
@@ -43,4 +44,4 @@ helm test [RELEASE]
### SEE ALSO
* [helm](helm.md) - The Helm package manager for Kubernetes.
-###### Auto generated by spf13/cobra on 17-Jun-2018
+###### Auto generated by spf13/cobra on 7-Aug-2018
diff --git a/docs/helm/helm_upgrade.md b/docs/helm/helm_upgrade.md
index ecd51e65ca30548994fd85b55298e776a67e1d24..6790702330425d8c57b7f9852482f615b04104c7 100644
--- a/docs/helm/helm_upgrade.md
+++ b/docs/helm/helm_upgrade.md
@@ -62,6 +62,7 @@ helm upgrade [RELEASE] [CHART]
--tls enable TLS for request
--tls-ca-cert string path to TLS CA certificate file (default "$HELM_HOME/ca.pem")
--tls-cert string path to TLS certificate file (default "$HELM_HOME/cert.pem")
+ --tls-hostname string the server name used to verify the hostname on the returned certificates from the server
--tls-key string path to TLS key file (default "$HELM_HOME/key.pem")
--tls-verify enable TLS for request and verify remote
--username string chart repository username where to locate the requested chart
@@ -86,4 +87,4 @@ helm upgrade [RELEASE] [CHART]
### SEE ALSO
* [helm](helm.md) - The Helm package manager for Kubernetes.
-###### Auto generated by spf13/cobra on 17-May-2018
+###### Auto generated by spf13/cobra on 7-Aug-2018
diff --git a/docs/helm/helm_version.md b/docs/helm/helm_version.md
index 61636c4042f20ef0fde274700452d984ab66040c..3db529120dcf07d5e049d829f971292f7111594d 100644
--- a/docs/helm/helm_version.md
+++ b/docs/helm/helm_version.md
@@ -30,15 +30,16 @@ helm version
### Options
```
- -c, --client client version only
- -s, --server server version only
- --short print the version number
- --template string template for version string format
- --tls enable TLS for request
- --tls-ca-cert string path to TLS CA certificate file (default "$HELM_HOME/ca.pem")
- --tls-cert string path to TLS certificate file (default "$HELM_HOME/cert.pem")
- --tls-key string path to TLS key file (default "$HELM_HOME/key.pem")
- --tls-verify enable TLS for request and verify remote
+ -c, --client client version only
+ -s, --server server version only
+ --short print the version number
+ --template string template for version string format
+ --tls enable TLS for request
+ --tls-ca-cert string path to TLS CA certificate file (default "$HELM_HOME/ca.pem")
+ --tls-cert string path to TLS certificate file (default "$HELM_HOME/cert.pem")
+ --tls-hostname string the server name used to verify the hostname on the returned certificates from the server
+ --tls-key string path to TLS key file (default "$HELM_HOME/key.pem")
+ --tls-verify enable TLS for request and verify remote
```
### Options inherited from parent commands
@@ -56,4 +57,4 @@ helm version
### SEE ALSO
* [helm](helm.md) - The Helm package manager for Kubernetes.
-###### Auto generated by spf13/cobra on 17-Jun-2018
+###### Auto generated by spf13/cobra on 7-Aug-2018
diff --git a/docs/tiller_ssl.md b/docs/tiller_ssl.md
index 6db195507263c20ba833496263cb296bbf6387c4..41e704653b5b355f07391e095122e246970d2642 100644
--- a/docs/tiller_ssl.md
+++ b/docs/tiller_ssl.md
@@ -284,6 +284,23 @@ the host name that Helm connects to matches the host name on the certificate. In
some cases this is awkward, since Helm will connect over localhost, or the FQDN is
not available for public resolution.
+*If I use `--tls-verify` on the client, I get `Error: x509: cannot validate certificate for 127.0.0.1 because it doesn't contain any IP SANs`*
+
+By default, the Helm client connects to Tiller via tunnel (i.e. kube proxy) at 127.0.0.1. During the TLS handshake,
+a target, usually provided as a hostname (e.g. example.com), is checked against the subject and subject alternative
+names of the certificate (i.e. hostname verficiation). However, because of the tunnel, the target is an IP address.
+Therefore, to validate the certificate, the IP address 127.0.0.1 must be listed as an IP subject alternative name
+(IP SAN) in the Tiller certificate.
+
+For example, to list 127.0.0.1 as an IP SAN when generating the Tiller certificate:
+
+```console
+$ echo subjectAltName=IP:127.0.0.1 > extfile.cnf
+$ openssl x509 -req -CA ca.cert.pem -CAkey ca.key.pem -CAcreateserial -in tiller.csr.pem -out tiller.cert.pem -days 365 -extfile extfile.cnf
+```
+
+Alternatively, you can override the expected hostname of the tiller certificate using the `--tls-hostname` flag.
+
*If I use `--tls-verify` on the client, I get `Error: x509: certificate has expired or is not yet valid`*
Your helm certificate has expired, you need to sign a new certificate using your private key and the CA (and consider increasing the number of days)
diff --git a/pkg/tlsutil/cfg.go b/pkg/tlsutil/cfg.go
index 408867db1d31b0cfe51508457fe301fddb60fc08..2c1dfd340f5e8e7d7778cdd1d44b7758e0a78e13 100644
--- a/pkg/tlsutil/cfg.go
+++ b/pkg/tlsutil/cfg.go
@@ -33,6 +33,9 @@ type Options struct {
CertFile string
// Client-only options
InsecureSkipVerify bool
+ // Overrides the server name used to verify the hostname on the returned
+ // certificates from the server.
+ ServerName string
// Server-only options
ClientAuth tls.ClientAuthType
}
@@ -55,8 +58,12 @@ func ClientConfig(opts Options) (cfg *tls.Config, err error) {
return nil, err
}
}
-
- cfg = &tls.Config{InsecureSkipVerify: opts.InsecureSkipVerify, Certificates: []tls.Certificate{*cert}, RootCAs: pool}
+ cfg = &tls.Config{
+ InsecureSkipVerify: opts.InsecureSkipVerify,
+ Certificates: []tls.Certificate{*cert},
+ ServerName: opts.ServerName,
+ RootCAs: pool,
+ }
return cfg, nil
}