authorDylan Griffith <dyl.griffith@gmail.com>2018-07-24 14:02:35 +0300
committerDylan Griffith <dyl.griffith@gmail.com>2018-07-30 16:08:30 +0300
commit11edbcccef37f08b089386c41d3914df7f48a677 (patch)
tree3017e5e2904d11023075c5e84ddba5320e2b623f /app/models/clusters
parentce897f11a0650b0d6938cb506a030ef00160ab7a (diff)
Get mutual SSL working with helm tiller
Diffstat (limited to 'app/models/clusters')
-rw-r--r--app/models/clusters/applications/helm.rb38
-rw-r--r--app/models/clusters/concerns/application_data.rb17
2 files changed, 51 insertions, 4 deletions
diff --git a/app/models/clusters/applications/helm.rb b/app/models/clusters/applications/helm.rb
index 06d85a69b29..f08224e94c2 100644
--- a/app/models/clusters/applications/helm.rb
+++ b/app/models/clusters/applications/helm.rb
@@ -1,13 +1,40 @@
+require 'openssl'
+
module Clusters
module Applications
class Helm < ActiveRecord::Base
self.table_name = 'clusters_applications_helm'
+ attr_encrypted :ca_key,
+ mode: :per_attribute_iv,
+ key: Settings.attr_encrypted_db_key_base_truncated,
+ algorithm: 'aes-256-cbc'
+
include ::Clusters::Concerns::ApplicationCore
include ::Clusters::Concerns::ApplicationStatus
default_value_for :version, Gitlab::Kubernetes::Helm::HELM_VERSION
+ before_create :create_keys_and_certs
+
+ def create_keys_and_certs
+ ca_cert = Gitlab::Kubernetes::Helm::Certificate.generate_root
+ self.ca_key = ca_cert.key_string
+ self.ca_cert = ca_cert.cert_string
+ end
+
+ def ca_cert_obj
+ return unless has_ssl?
+
+ Gitlab::Kubernetes::Helm::Certificate
+ .from_strings(ca_key, ca_cert)
+ end
+
+ def issue_cert
+ ca_cert_obj
+ .issue
+ end
+
def set_initial_status
return unless not_installable?
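Review bot: `issue_cert` calls `.issue` on the result of `ca_cert_obj`, which returns nil whenever `has_ssl?` is false, so a Helm row without stored CA material fails with NoMethodError on nil rather than a meaningful error. The CA is only generated in `before_create`, so rows created before this commit would be in that state unless a migration outside this diff backfills them, and `install_command` in the next hunk calls `issue_cert` unconditionally. A guard such as `raise 'Helm CA key/cert missing' unless has_ssl?` at the top of `issue_cert` keeps the failure closed and readable. Separately, `algorithm: 'aes-256-cbc'` encrypts the CA private key without an integrity check, so a modified ciphertext in the database is not detected on decrypt; an authenticated mode is worth considering if the project's key handling allows it.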
@@ -15,11 +42,20 @@ module Clusters
end
def install_command
+ tiller_cert = issue_cert
Gitlab::Kubernetes::Helm::InitCommand.new(
name: name,
- files: {}
+ files: {
+ 'ca.pem': ca_cert,
+ 'cert.pem': tiller_cert.cert_string,
+ 'key.pem': tiller_cert.key_string
+ }
)
end
+
+ def has_ssl?
+ ca_key.present? && ca_cert.present?
+ end
end
end
end
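Review bot: The `files` hash passed to `InitCommand` now carries Tiller's private key under `'key.pem'`, and nothing in this hunk shows where `InitCommand` persists or logs `files`. If that content ends up in a ConfigMap or in a command string that is logged, the key is readable by anyone who can read that object, so it is worth confirming that it goes into a Secret and is filtered from logs. A comment above the hash, for example `# key.pem is Tiller's private key: keep out of logs and ConfigMaps`, would make the sensitivity visible to the next editor. `install_command` also has no `has_ssl?` check of its own and relies on `issue_cert` returning a certificate.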
diff --git a/app/models/clusters/concerns/application_data.rb b/app/models/clusters/concerns/application_data.rb
index 215a299dd03..7738138e753 100644
--- a/app/models/clusters/concerns/application_data.rb
+++ b/app/models/clusters/concerns/application_data.rb
@@ -13,9 +13,20 @@ module Clusters
end
def files
- {
- 'values.yaml': values
- }
+ @files ||= begin
+ files = { 'values.yaml': values }
+ if cluster.application_helm.has_ssl?
+ ca_cert = cluster.application_helm.ca_cert
+ helm_cert = cluster.application_helm.issue_cert
+ files.merge!({
+ 'ca.pem': ca_cert,
+ 'cert.pem': helm_cert.cert_string,
+ 'key.pem': helm_cert.key_string
+ })
+ end
+
+ files
+ end
end
private
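Review bot: In `files` the TLS material is added only when `cluster.application_helm.has_ssl?` is true, so an application on a cluster whose Helm row has no CA gets only `values.yaml`, and nothing here records that the install proceeds without client certificates. If mutual TLS is meant to be mandatory, raising or at least logging when `has_ssl?` is false avoids a silent downgrade; whether the helm client is later run with TLS enforced is not visible in this hunk. `cluster.application_helm` is also dereferenced without a nil check, which `cluster.application_helm&.has_ssl?` would cover. The enclosing module starts before the hunk and continues past it.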