authorDylan Griffith <dyl.griffith@gmail.com>2018-07-18 13:14:23 +0200
committerDylan Griffith <dyl.griffith@gmail.com>2018-07-18 13:14:23 +0200
commit78ebddde0dde3d2a013ca43adafbdf7eecd4c4f2 (patch)
tree0b95a5b5c9796dd0d7f15fd1a53310d0ccdbaf9c
parentf64cb04ca8217f77235aa89eb6323ec3e6c7574f (diff)
downloadgitlab-ce-48098-add-mutual-tls-to-tiller-for-gitlab-managed-apps-bkp.tar.gz
-rw-r--r--app/models/clusters/applications/helm.rb18
-rw-r--r--app/models/clusters/applications/ingress.rb2
-rw-r--r--app/models/clusters/applications/jupyter.rb2
-rw-r--r--app/models/clusters/applications/prometheus.rb2
-rw-r--r--app/models/clusters/applications/runner.rb2
-rw-r--r--app/models/clusters/concerns/application_data.rb11
-rw-r--r--app/models/project_auto_devops.rb3
-rw-r--r--lib/gitlab/kubernetes/helm/api.rb2
-rw-r--r--lib/gitlab/kubernetes/helm/base_command.rb6
-rw-r--r--lib/gitlab/kubernetes/helm/init_command.rb4
-rw-r--r--lib/gitlab/kubernetes/helm/install_command.rb4
-rw-r--r--lib/gitlab/kubernetes/helm/pod.rb22
-rw-r--r--qa/qa/factory/resource/kubernetes_cluster.rb1
-rw-r--r--qa/qa/specs/features/project/auto_devops_spec.rb22
14 files changed, 54 insertions, 47 deletions
diff --git a/app/models/clusters/applications/helm.rb b/app/models/clusters/applications/helm.rb
index 12d22ecc897..c18e79bd4b5 100644
--- a/app/models/clusters/applications/helm.rb
+++ b/app/models/clusters/applications/helm.rb
@@ -23,9 +23,14 @@ module Clusters
self.ca_cert = ca_cert.cert_string
end
- def issue_cert
+ def ca_cert_obj
+ return unless has_ssl?
Gitlab::Kubernetes::Helm::Certificate
.from_strings(ca_key, ca_cert)
+ end
+
+ def issue_cert
+ ca_cert_obj
.issue
end
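Review bot: `issue_cert` now calls `.issue` on the return value of `ca_cert_obj`, which is nil whenever `has_ssl?` is false, so the method raises NoMethodError instead of returning nothing; use `ca_cert_obj&.issue` or repeat the guard. Since `ca_cert_obj` is built with `from_strings(ca_key, ca_cert)`, the object it returns carries the CA private key, which deserves a comment for the new callers this commit adds, e.g. `# Certificate wrapping the CA key pair (private key included); nil until has_ssl?`. Style: the guard `return unless has_ssl?` should be followed by a blank line before the `Gitlab::Kubernetes::Helm::Certificate` expression, matching the rest of the file.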
@@ -35,19 +40,10 @@ module Clusters
self.status = 'installable' if cluster&.platform_kubernetes_active?
end
- def extra_env
- server_cert = issue_cert
- {
- CA_CERT: ca_cert,
- TILLER_CERT: server_cert.cert_string,
- TILLER_KEY: server_cert.key_string
- }
- end
-
def install_command
Gitlab::Kubernetes::Helm::InitCommand.new(
name,
- extra_env: extra_env
+ ca_cert: ca_cert_obj
)
end
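Review bot: `install_command` now hands the whole CA object — private key included, per `ca_cert_obj` — to `InitCommand`, whereas the removed `extra_env` passed only the CA cert PEM plus a freshly issued Tiller leaf pair. Tiller needs its own cert/key and the CA certificate to verify clients, not the CA key, so passing `issue_cert` together with the `ca_cert` string would keep the CA private key inside the model. If the command layer genuinely needs to issue certificates itself, that is not visible in this diff and should be stated in a comment on `install_command`.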
diff --git a/app/models/clusters/applications/ingress.rb b/app/models/clusters/applications/ingress.rb
index b2d031ccf2a..60c97f99181 100644
--- a/app/models/clusters/applications/ingress.rb
+++ b/app/models/clusters/applications/ingress.rb
@@ -35,7 +35,7 @@ module Clusters
name,
chart: chart,
values: values,
- extra_env: extra_env
+ ca_cert: ca_cert
)
end
diff --git a/app/models/clusters/applications/jupyter.rb b/app/models/clusters/applications/jupyter.rb
index 548f9f700c9..9eb8b37a04b 100644
--- a/app/models/clusters/applications/jupyter.rb
+++ b/app/models/clusters/applications/jupyter.rb
@@ -39,7 +39,7 @@ module Clusters
chart: chart,
values: values,
repository: repository,
- extra_env: extra_env
+ ca_cert: ca_cert
)
end
diff --git a/app/models/clusters/applications/prometheus.rb b/app/models/clusters/applications/prometheus.rb
index 69dc26b8f74..1e26d904675 100644
--- a/app/models/clusters/applications/prometheus.rb
+++ b/app/models/clusters/applications/prometheus.rb
@@ -39,7 +39,7 @@ module Clusters
chart: chart,
version: version,
values: values,
- extra_env: extra_env
+ ca_cert: ca_cert
)
end
diff --git a/app/models/clusters/applications/runner.rb b/app/models/clusters/applications/runner.rb
index b1e9192d92d..f25d1f8425b 100644
--- a/app/models/clusters/applications/runner.rb
+++ b/app/models/clusters/applications/runner.rb
@@ -32,7 +32,7 @@ module Clusters
chart: chart,
values: values,
repository: repository,
- extra_env: extra_env
+ ca_cert: ca_cert
)
end
diff --git a/app/models/clusters/concerns/application_data.rb b/app/models/clusters/concerns/application_data.rb
index 4928aaafa8c..6f5fdc06466 100644
--- a/app/models/clusters/concerns/application_data.rb
+++ b/app/models/clusters/concerns/application_data.rb
@@ -18,15 +18,8 @@ module Clusters
"#{Rails.root}/vendor/#{name}/values.yaml"
end
- def extra_env
- return {} unless cluster.application_helm.has_ssl?
- client_cert = cluster.application_helm.issue_cert
-
- {
- CA_CERT: cluster.application_helm.ca_cert,
- HELM_CERT: client_cert.cert_string,
- HELM_KEY: client_cert.key_string
- }
+ def ca_cert
+ cluster.application_helm.ca_cert_obj
end
end
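Review bot: The new `ca_cert` returns a `Certificate` object built from the CA key pair, while `Helm#ca_cert` (referenced on the removed `CA_CERT:` line) is a PEM string — same name, different type, and every application's install command now receives the CA private key instead of the per-application client certificate the removed `extra_env` issued. Naming it `ca_cert_obj` to match `Helm#ca_cert_obj`, or returning the issued client cert plus the CA cert string, would avoid both the confusion and the broadened key exposure. At minimum add `# Certificate holding the Helm CA key pair, or nil when TLS is not configured` above the method.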
end
diff --git a/app/models/project_auto_devops.rb b/app/models/project_auto_devops.rb
index faa831b1949..7129e39584f 100644
--- a/app/models/project_auto_devops.rb
+++ b/app/models/project_auto_devops.rb
@@ -24,8 +24,7 @@ class ProjectAutoDevops < ActiveRecord::Base
def predefined_variables
Gitlab::Ci::Variables::Collection.new.tap do |variables|
if has_domain?
- variables.append(key: 'AUTO_DEVOPS_DOMAIN',
- value: domain.presence || instance_domain)
+ variables.append(key: 'AUTO_DEVOPS_DOMAIN', value: domain.presence || instance_domain)
end
if manual?
diff --git a/lib/gitlab/kubernetes/helm/api.rb b/lib/gitlab/kubernetes/helm/api.rb
index 2edd34109ba..c258ef3e01a 100644
--- a/lib/gitlab/kubernetes/helm/api.rb
+++ b/lib/gitlab/kubernetes/helm/api.rb
@@ -29,7 +29,7 @@ module Gitlab
end
def delete_installation_pod!(pod_name)
- @kubeclient.delete_pod(pod_name, @namespace.name)
+ #@kubeclient.delete_pod(pod_name, @namespace.name)
end
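Review bot: Commenting out `@kubeclient.delete_pod` turns `delete_installation_pod!` into a silent no-op, so the installation pod — whose script writes the CA cert and the Helm/Tiller private key to its filesystem — is left running in the customer's cluster after every install. Restore `@kubeclient.delete_pod(pod_name, @namespace.name)` before merging; if keeping the pod around is useful for debugging, gate it on an explicit option rather than a comment.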
private
diff --git a/lib/gitlab/kubernetes/helm/base_command.rb b/lib/gitlab/kubernetes/helm/base_command.rb
index f5162658016..fddb18ef4c9 100644
--- a/lib/gitlab/kubernetes/helm/base_command.rb
+++ b/lib/gitlab/kubernetes/helm/base_command.rb
@@ -2,15 +2,15 @@ module Gitlab
module Kubernetes
module Helm
class BaseCommand
- attr_reader :name, :chart, :repository, :values, :extra_env
+ attr_reader :name, :chart, :repository, :values, :ca_cert
- def initialize(name, chart: nil, values: nil, version: nil, repository: nil, extra_env: {})
+ def initialize(name, chart: nil, values: nil, version: nil, repository: nil, ca_cert: nil)
@name = name
@chart = chart
@version = version
@values = values
@repository = repository
- @extra_env = extra_env
+ @ca_cert = ca_cert
end
def pod_resource
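Review bot: The `ca_cert:` keyword on `initialize` reads as if it takes a PEM string like `Helm#ca_cert`, but the callers in this commit pass the `Certificate` object from `ca_cert_obj` and `install_command.rb` relies on `ca_cert.present?` for its TLS gate. Document the expected type so the two meanings are not mixed: `# ca_cert: Gitlab::Kubernetes::Helm::Certificate for the Helm CA, or nil when TLS is off`.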
diff --git a/lib/gitlab/kubernetes/helm/init_command.rb b/lib/gitlab/kubernetes/helm/init_command.rb
index 80f37e5bf92..11e44ad4a86 100644
--- a/lib/gitlab/kubernetes/helm/init_command.rb
+++ b/lib/gitlab/kubernetes/helm/init_command.rb
@@ -13,8 +13,8 @@ module Gitlab
def init_helm_command
<<~CMD
echo "$CA_CERT" > ca.cert.pem
- echo "$TILLER_CERT" > tiller.cert.pem
- echo "$TILLER_KEY" > tiller.key.pem
+ echo "$HELM_CERT" > tiller.cert.pem
+ echo "$HELM_KEY" > tiller.key.pem
helm init --tiller-tls --tiller-tls-cert ./tiller.cert.pem --tiller-tls-key ./tiller.key.pem --tiller-tls-verify --tls-ca-cert ca.cert.pem >/dev/null
CMD
end
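Review bot: The script still reads `$CA_CERT`, `$HELM_CERT` and `$HELM_KEY`, but this commit removes the `merge(command.extra_env)` from `Pod#env` and nothing in the diff sets those variables, so the three `echo` lines write empty files and `helm init --tiller-tls --tiller-tls-verify` runs with no usable key material. Since `pod.rb` now declares a `tls-certs-<name>` secret volume, read the files from its mount path once it is mounted, or keep the env injection until that lands. The script is also unconditional: when `ca_cert` is nil it still passes the `--tiller-tls` flags, unlike `install_command.rb` which gates on `ca_cert.present?`.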
diff --git a/lib/gitlab/kubernetes/helm/install_command.rb b/lib/gitlab/kubernetes/helm/install_command.rb
index 2e998cc0168..388c5e8c4fd 100644
--- a/lib/gitlab/kubernetes/helm/install_command.rb
+++ b/lib/gitlab/kubernetes/helm/install_command.rb
@@ -24,7 +24,7 @@ module Gitlab
private
def configure_certs_command
- return "" unless extra_env.present?
+ return "" unless ca_cert.present?
<<~CMD
echo "$CA_CERT" > $(helm home)/ca.pem
echo "$HELM_CERT" > $(helm home)/cert.pem
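Review bot: `configure_certs_command` is gated on `ca_cert.present?` but the heredoc still echoes `$CA_CERT` and `$HELM_CERT` into `$(helm home)`, and this commit stops injecting those variables in `Pod#env` while `tls_mounts` in `pod.rb` is still empty, so the files end up blank. Either copy the PEMs from the secret mount path or keep setting the variables until the mount exists. The heredoc continues past the end of this hunk.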
@@ -41,7 +41,7 @@ module Gitlab
end
def script_command
- tls_flag = " --tls" if extra_env.present?
+ tls_flag = " --tls" if ca_cert.present?
<<~HEREDOC
helm install#{tls_flag} #{chart} --name #{name}#{optional_version_flag} --namespace #{Gitlab::Kubernetes::Helm::NAMESPACE} -f /data/helm/#{name}/config/values.yaml >/dev/null
HEREDOC
diff --git a/lib/gitlab/kubernetes/helm/pod.rb b/lib/gitlab/kubernetes/helm/pod.rb
index bdf176534e6..23cf0cd6d71 100644
--- a/lib/gitlab/kubernetes/helm/pod.rb
+++ b/lib/gitlab/kubernetes/helm/pod.rb
@@ -51,8 +51,8 @@ module Gitlab
{
HELM_VERSION: Gitlab::Kubernetes::Helm::HELM_VERSION,
TILLER_NAMESPACE: namespace_name,
- COMMAND_SCRIPT: command.generate_script
- }.merge(command.extra_env)
+ COMMAND_SCRIPT: command.generate_script,
+ }
.map { |key, value| { name: key, value: value } }
end
@@ -65,6 +65,18 @@ module Gitlab
items: [{ key: 'values', path: 'values.yaml' }]
}
}
+ ] + tls_volumes
+ end
+
+ def tls_volumes
+ return [] unless command.ca_cert
+ [
+ {
+ name: 'tls_certs',
+ secret: {
+ secretName: "tls-certs-#{command.name}"
+ }
+ }
]
end
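Review bot: The volume name `tls_certs` contains an underscore, but Kubernetes volume names must be DNS-1123 labels (lowercase alphanumerics and `-`), so the API server will reject the pod spec; use `name: 'tls-certs'`. The Secret `tls-certs-#{command.name}` is not created anywhere in this diff — unless it is created elsewhere, the pod will sit in ContainerCreating waiting for it. Worth a comment on `tls_volumes` naming who is responsible for creating that Secret.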
@@ -74,6 +86,12 @@ module Gitlab
name: 'configuration-volume',
mountPath: "/data/helm/#{command.name}/config"
}
+ ] + tls_mounts
+ end
+
+ def tls_mounts
+ return [] unless command.ca_cert
+ [
]
end
end
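Review bot: `tls_mounts` returns an empty array even when `command.ca_cert` is set, so the secret volume declared in `tls_volumes` is never mounted and the install script has nowhere to read certificates from. Add the mount, for example `{ name: 'tls-certs', mountPath: "/data/helm/#{command.name}/tls", readOnly: true }`, with the name matching the volume and `readOnly` since the container only needs to read the key material.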
diff --git a/qa/qa/factory/resource/kubernetes_cluster.rb b/qa/qa/factory/resource/kubernetes_cluster.rb
index f32cf985e9d..5fabe3fcfe5 100644
--- a/qa/qa/factory/resource/kubernetes_cluster.rb
+++ b/qa/qa/factory/resource/kubernetes_cluster.rb
@@ -40,6 +40,7 @@ module QA
page.install!(:helm)
page.await_installed(:helm)
+ require 'pry'; binding.pry
page.install!(:ingress) if @install_ingress
page.await_installed(:ingress) if @install_ingress
page.install!(:prometheus) if @install_prometheus
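Review bot: `require 'pry'; binding.pry` is a debugger breakpoint committed into the QA factory; it halts the run waiting for interactive input and fails outright where the `pry` gem is not installed. Remove the line before merging.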
diff --git a/qa/qa/specs/features/project/auto_devops_spec.rb b/qa/qa/specs/features/project/auto_devops_spec.rb
index bc713b46d81..54c26660022 100644
--- a/qa/qa/specs/features/project/auto_devops_spec.rb
+++ b/qa/qa/specs/features/project/auto_devops_spec.rb
@@ -15,17 +15,6 @@ module QA
p.description = 'Project with Auto Devops'
end
- # Create Auto Devops compatible repo
- Factory::Repository::ProjectPush.fabricate! do |push|
- push.project = project
- push.directory = Pathname
- .new(__dir__)
- .join('../../../fixtures/auto_devops_rack')
- push.commit_message = 'Create Auto DevOps compatible rack application'
- end
-
- Page::Project::Show.act { wait_for_push }
-
# Create and connect K8s cluster
@cluster = Service::KubernetesCluster.new.create!
kubernetes_cluster = Factory::Resource::KubernetesCluster.fabricate! do |cluster|
@@ -37,6 +26,17 @@ module QA
cluster.install_runner = true
end
+ # Create Auto Devops compatible repo
+ Factory::Repository::ProjectPush.fabricate! do |push|
+ push.project = project
+ push.directory = Pathname
+ .new(__dir__)
+ .join('../../../fixtures/auto_devops_rack')
+ push.commit_message = 'Create Auto DevOps compatible rack application'
+ end
+
+ Page::Project::Show.act { wait_for_push }
+
project.visit!
Page::Menu::Side.act { click_ci_cd_settings }
Page::Project::Settings::CICD.perform do |p|