Fix/missing ssl params (#3152)

* fix(helm): add TLS params back

During a recent refactor, several TLS flags stopped being processed for
a few of the commands. This fixes those commands, and documents how to
set up TLS.

* fix(tiller): add stricter certificate verification

The older version of Tiller allowed a weaker set of certificate checks
than we intended. This version requires a client certificate, and then
requires that that certificate be signed by a known CA. This works
around the situation where a user could provide a self-signed
certificate.

(cherry picked from commit e8e6ac5d)

cmd/helm/get.go

@@ -64,7 +64,7 @@ func newGetCmd(client helm.Interface, out io.Writer) *cobra.Command {
 			}
 			get.release = args[0]
 			if get.client == nil {
-				get.client = helm.NewClient(helm.Host(settings.TillerHost))
+				get.client = newClient()
 			}
 			return get.run()
 		},
@@ -72,9 +72,9 @@ func newGetCmd(client helm.Interface, out io.Writer) *cobra.Command {
 
 	cmd.Flags().Int32Var(&get.version, "revision", 0, "get the named release with revision")
 
-	cmd.AddCommand(newGetValuesCmd(nil, out))
-	cmd.AddCommand(newGetManifestCmd(nil, out))
-	cmd.AddCommand(newGetHooksCmd(nil, out))
+	cmd.AddCommand(addFlagsTLS(newGetValuesCmd(nil, out)))
+	cmd.AddCommand(addFlagsTLS(newGetManifestCmd(nil, out)))
+	cmd.AddCommand(addFlagsTLS(newGetHooksCmd(nil, out)))
 
 	return cmd
 }

cmd/helm/helm.go

@@ -45,6 +45,10 @@ var (
 	tlsVerify     bool   // enable TLS and verify remote certificates
 	tlsEnable     bool   // enable TLS
 
+	tlsCaCertDefault = "$HELM_HOME/ca.pem"
+	tlsCertDefault   = "$HELM_HOME/cert.pem"
+	tlsKeyDefault    = "$HELM_HOME/key.pem"
+
 	tillerTunnel *kube.Tunnel
 	settings     helm_env.EnvSettings
 )
@@ -263,6 +267,16 @@ func newClient() helm.Interface {
 	options := []helm.Option{helm.Host(settings.TillerHost)}
 
 	if tlsVerify || tlsEnable {
+		if tlsCaCertFile == "" {
+			tlsCaCertFile = os.ExpandEnv(tlsCaCertDefault)
+		}
+		if tlsCertFile == "" {
+			tlsCertFile = os.ExpandEnv(tlsCertDefault)
+		}
+		if tlsKeyFile == "" {
+			tlsKeyFile = os.ExpandEnv(tlsKeyDefault)
+		}
+		debug("Key=%q, Cert=%q, CA=%q\n", tlsKeyFile, tlsCertFile, tlsCaCertFile)
 		tlsopts := tlsutil.Options{KeyFile: tlsKeyFile, CertFile: tlsCertFile, InsecureSkipVerify: true}
 		if tlsVerify {
 			tlsopts.CaCertFile = tlsCaCertFile
@@ -281,12 +295,6 @@ func newClient() helm.Interface {
 // addFlagsTLS adds the flags for supporting client side TLS to the
 // helm command (only those that invoke communicate to Tiller.)
 func addFlagsTLS(cmd *cobra.Command) *cobra.Command {
-	// defaults
-	var (
-		tlsCaCertDefault = "$HELM_HOME/ca.pem"
-		tlsCertDefault   = "$HELM_HOME/cert.pem"
-		tlsKeyDefault    = "$HELM_HOME/key.pem"
-	)
 
 	// add flags
 	cmd.Flags().StringVar(&tlsCaCertFile, "tls-ca-cert", tlsCaCertDefault, "path to TLS CA certificate file")

cmd/helm/history.go

@@ -66,7 +66,7 @@ func newHistoryCmd(c helm.Interface, w io.Writer) *cobra.Command {
 			case len(args) == 0:
 				return errReleaseRequired
 			case his.helmc == nil:
-				his.helmc = helm.NewClient(helm.Host(settings.TillerHost))
+				his.helmc = newClient()
 			}
 			his.rls = args[0]
 			return his.run()

cmd/helm/list.go

@@ -93,7 +93,7 @@ func newListCmd(client helm.Interface, out io.Writer) *cobra.Command {
 				list.filter = strings.Join(args, " ")
 			}
 			if list.client == nil {
-				list.client = helm.NewClient(helm.Host(settings.TillerHost))
+				list.client = newClient()
 			}
 			return list.run()
 		},

cmd/helm/status.go

@@ -67,7 +67,7 @@ func newStatusCmd(client helm.Interface, out io.Writer) *cobra.Command {
 			}
 			status.release = args[0]
 			if status.client == nil {
-				status.client = helm.NewClient(helm.Host(settings.TillerHost))
+				status.client = newClient()
 			}
 			return status.run()
 		},

cmd/tiller/tiller.go

@@ -225,7 +225,11 @@ func tlsOptions() tlsutil.Options {
 	opts := tlsutil.Options{CertFile: *certFile, KeyFile: *keyFile}
 	if *tlsVerify {
 		opts.CaCertFile = *caCertFile
-		opts.ClientAuth = tls.VerifyClientCertIfGiven
+
+		// We want to force the client to not only provide a cert, but to
+		// provide a cert that we can validate.
+		// http://www.bite-code.com/2015/06/25/tls-mutual-auth-in-golang/
+		opts.ClientAuth = tls.RequireAndVerifyClientCert
 	}
 	return opts
 }

docs/helm/helm.md

@@ -67,4 +67,4 @@ Environment:
 * [helm verify](helm_verify.md)	 - verify that a chart at the given path has been signed and is valid
 * [helm version](helm_version.md)	 - print the client/server version information
 
-###### Auto generated by spf13/cobra on 14-Nov-2017
+###### Auto generated by spf13/cobra on 15-Nov-2017

docs/helm/helm_completion.md

@@ -34,4 +34,4 @@ helm completion SHELL
 ### SEE ALSO
 * [helm](helm.md)	 - The Helm package manager for Kubernetes.
 
-###### Auto generated by spf13/cobra on 14-Nov-2017
+###### Auto generated by spf13/cobra on 15-Nov-2017

docs/helm/helm_create.md

@@ -53,4 +53,4 @@ helm create NAME
 ### SEE ALSO
 * [helm](helm.md)	 - The Helm package manager for Kubernetes.
 
-###### Auto generated by spf13/cobra on 14-Nov-2017
+###### Auto generated by spf13/cobra on 15-Nov-2017

docs/helm/helm_delete.md

@@ -44,4 +44,4 @@ helm delete [flags] RELEASE_NAME [...]
 ### SEE ALSO
 * [helm](helm.md)	 - The Helm package manager for Kubernetes.
 
-###### Auto generated by spf13/cobra on 14-Nov-2017
+###### Auto generated by spf13/cobra on 15-Nov-2017

docs/helm/helm_dependency.md

@@ -70,4 +70,4 @@ for this case.
 * [helm dependency list](helm_dependency_list.md)	 - list the dependencies for the given chart
 * [helm dependency update](helm_dependency_update.md)	 - update charts/ based on the contents of requirements.yaml
 
-###### Auto generated by spf13/cobra on 14-Nov-2017
+###### Auto generated by spf13/cobra on 15-Nov-2017

docs/helm/helm_dependency_build.md

@@ -40,4 +40,4 @@ helm dependency build [flags] CHART
 ### SEE ALSO
 * [helm dependency](helm_dependency.md)	 - manage a chart's dependencies
 
-###### Auto generated by spf13/cobra on 14-Nov-2017
+###### Auto generated by spf13/cobra on 15-Nov-2017

docs/helm/helm_dependency_list.md

@@ -32,4 +32,4 @@ helm dependency list [flags] CHART
 ### SEE ALSO
 * [helm dependency](helm_dependency.md)	 - manage a chart's dependencies
 
-###### Auto generated by spf13/cobra on 14-Nov-2017
+###### Auto generated by spf13/cobra on 15-Nov-2017

docs/helm/helm_dependency_update.md

@@ -45,4 +45,4 @@ helm dependency update [flags] CHART
 ### SEE ALSO
 * [helm dependency](helm_dependency.md)	 - manage a chart's dependencies
 
-###### Auto generated by spf13/cobra on 14-Nov-2017
+###### Auto generated by spf13/cobra on 15-Nov-2017

docs/helm/helm_fetch.md

@@ -54,4 +54,4 @@ helm fetch [flags] [chart URL | repo/chartname] [...]
 ### SEE ALSO
 * [helm](helm.md)	 - The Helm package manager for Kubernetes.
 
-###### Auto generated by spf13/cobra on 14-Nov-2017
+###### Auto generated by spf13/cobra on 15-Nov-2017

docs/helm/helm_get.md

@@ -49,4 +49,4 @@ helm get [flags] RELEASE_NAME
 * [helm get manifest](helm_get_manifest.md)	 - download the manifest for a named release
 * [helm get values](helm_get_values.md)	 - download the values file for a named release
 
-###### Auto generated by spf13/cobra on 14-Nov-2017
+###### Auto generated by spf13/cobra on 15-Nov-2017

docs/helm/helm_get_hooks.md

@@ -18,7 +18,12 @@ helm get hooks [flags] RELEASE_NAME
 ### Options
 
 ```
-      --revision int32   get the named release with revision
+      --revision int32       get the named release with revision
+      --tls                  enable TLS for request
+      --tls-ca-cert string   path to TLS CA certificate file (default "$HELM_HOME/ca.pem")
+      --tls-cert string      path to TLS certificate file (default "$HELM_HOME/cert.pem")
+      --tls-key string       path to TLS key file (default "$HELM_HOME/key.pem")
+      --tls-verify           enable TLS for request and verify remote
 ```
 
 ### Options inherited from parent commands
@@ -34,4 +39,4 @@ helm get hooks [flags] RELEASE_NAME
 ### SEE ALSO
 * [helm get](helm_get.md)	 - download a named release
 
-###### Auto generated by spf13/cobra on 14-Nov-2017
+###### Auto generated by spf13/cobra on 15-Nov-2017

docs/helm/helm_get_manifest.md

@@ -20,7 +20,12 @@ helm get manifest [flags] RELEASE_NAME
 ### Options
 
 ```
-      --revision int32   get the named release with revision
+      --revision int32       get the named release with revision
+      --tls                  enable TLS for request
+      --tls-ca-cert string   path to TLS CA certificate file (default "$HELM_HOME/ca.pem")
+      --tls-cert string      path to TLS certificate file (default "$HELM_HOME/cert.pem")
+      --tls-key string       path to TLS key file (default "$HELM_HOME/key.pem")
+      --tls-verify           enable TLS for request and verify remote
 ```
 
 ### Options inherited from parent commands
@@ -36,4 +41,4 @@ helm get manifest [flags] RELEASE_NAME
 ### SEE ALSO
 * [helm get](helm_get.md)	 - download a named release
 
-###### Auto generated by spf13/cobra on 14-Nov-2017
+###### Auto generated by spf13/cobra on 15-Nov-2017

docs/helm/helm_get_values.md

@@ -16,8 +16,13 @@ helm get values [flags] RELEASE_NAME
 ### Options
 
 ```
-  -a, --all              dump all (computed) values
-      --revision int32   get the named release with revision
+  -a, --all                  dump all (computed) values
+      --revision int32       get the named release with revision
+      --tls                  enable TLS for request
+      --tls-ca-cert string   path to TLS CA certificate file (default "$HELM_HOME/ca.pem")
+      --tls-cert string      path to TLS certificate file (default "$HELM_HOME/cert.pem")
+      --tls-key string       path to TLS key file (default "$HELM_HOME/key.pem")
+      --tls-verify           enable TLS for request and verify remote
 ```
 
 ### Options inherited from parent commands
@@ -33,4 +38,4 @@ helm get values [flags] RELEASE_NAME
 ### SEE ALSO
 * [helm get](helm_get.md)	 - download a named release
 
-###### Auto generated by spf13/cobra on 14-Nov-2017
+###### Auto generated by spf13/cobra on 15-Nov-2017

docs/helm/helm_history.md

@@ -49,4 +49,4 @@ helm history [flags] RELEASE_NAME
 ### SEE ALSO
 * [helm](helm.md)	 - The Helm package manager for Kubernetes.
 
-###### Auto generated by spf13/cobra on 14-Nov-2017
+###### Auto generated by spf13/cobra on 15-Nov-2017