author | Thong Kuah <tkuah@gitlab.com> | 2018-08-09 20:31:22 +1200 |
---|---|---|
committer | Thong Kuah <tkuah@gitlab.com> | 2018-08-09 20:38:40 +1200 |
commit | bf28a454f24417e2316fee2dbc16573df50c2885 (patch) | |
tree | bb233653102f1e5f051e5384644cc7f7f6b350d7 | |
parent | 68082d352516b5367fce76453b8992f4e44d127e (diff) | |
Revert Helm TLS Auth (branch: revert-helm-tls-auth)
-rw-r--r-- | app/models/clusters/applications/helm.rb | 38 | ||||
-rw-r--r-- | app/models/clusters/concerns/application_data.rb | 24 | ||||
-rw-r--r-- | db/migrate/20180612103626_add_columns_for_helm_tiller_certificates.rb | 12 | ||||
-rw-r--r-- | db/schema.rb | 3 | ||||
-rw-r--r-- | lib/gitlab/kubernetes/helm/init_command.rb | 7 | ||||
-rw-r--r-- | lib/gitlab/kubernetes/helm/install_command.rb | 11 | ||||
-rw-r--r-- | spec/lib/gitlab/kubernetes/helm/init_command_spec.rb | 2 | ||||
-rw-r--r-- | spec/lib/gitlab/kubernetes/helm/install_command_spec.rb | 6 | ||||
-rw-r--r-- | spec/models/clusters/applications/helm_spec.rb | 22 | ||||
-rw-r--r-- | spec/models/clusters/applications/ingress_spec.rb | 23 | ||||
-rw-r--r-- | spec/models/clusters/applications/jupyter_spec.rb | 23 | ||||
-rw-r--r-- | spec/models/clusters/applications/prometheus_spec.rb | 23 | ||||
-rw-r--r-- | spec/models/clusters/applications/runner_spec.rb | 23 |
13 files changed, 8 insertions, 209 deletions
diff --git a/app/models/clusters/applications/helm.rb b/app/models/clusters/applications/helm.rb
index 55bbf7cae7e..70bfe3f2783 100644
--- a/app/models/clusters/applications/helm.rb
+++ b/app/models/clusters/applications/helm.rb
@@ -7,22 +7,11 @@ module Clusters
 class Helm < ActiveRecord::Base
 self.table_name = 'clusters_applications_helm'
- attr_encrypted :ca_key,
- mode: :per_attribute_iv,
- key: Settings.attr_encrypted_db_key_base_truncated,
- algorithm: 'aes-256-cbc'
-
 include ::Clusters::Concerns::ApplicationCore
 include ::Clusters::Concerns::ApplicationStatus
 default_value_for :version, Gitlab::Kubernetes::Helm::HELM_VERSION
- before_create :create_keys_and_certs
-
- def issue_client_cert
- ca_cert_obj.issue
- end
-
 def set_initial_status
 return unless not_installable?
@@ -36,35 +25,10 @@ module Clusters
 )
 end
- def has_ssl?
- ca_key.present? && ca_cert.present?
- end
-
 private
 def files
- {
- 'ca.pem': ca_cert,
- 'cert.pem': tiller_cert.cert_string,
- 'key.pem': tiller_cert.key_string
- }
- end
-
- def create_keys_and_certs
- ca_cert = Gitlab::Kubernetes::Helm::Certificate.generate_root
- self.ca_key = ca_cert.key_string
- self.ca_cert = ca_cert.cert_string
- end
-
- def tiller_cert
- @tiller_cert ||= ca_cert_obj.issue(expires_in: Gitlab::Kubernetes::Helm::Certificate::INFINITE_EXPIRY)
- end
-
- def ca_cert_obj
- return unless has_ssl?
-
- Gitlab::Kubernetes::Helm::Certificate
- .from_strings(ca_key, ca_cert)
+ {}
 end
 end
 end
diff --git a/app/models/clusters/concerns/application_data.rb b/app/models/clusters/concerns/application_data.rb
index 52498f123ff..fc0f13e2a37 100644
--- a/app/models/clusters/concerns/application_data.rb
+++ b/app/models/clusters/concerns/application_data.rb
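Review bot: With `attr_encrypted :ca_key` and `before_create :create_keys_and_certs` removed, any row written by the previous code still carries an encrypted CA private key in `encrypted_ca_key`/`ca_cert` on instances that already ran migration 20180612103626, and this commit deletes that migration instead of adding one that drops the columns, so the key material is orphaned and `db/schema.rb` no longer matches those databases. A reverse migration with `remove_column :clusters_applications_helm, :encrypted_ca_key`, `remove_column :clusters_applications_helm, :encrypted_ca_key_iv` and `remove_column :clusters_applications_helm, :ca_cert` would purge it and keep schema.rb truthful; whether any deployment ever ran the forward migration is not visible here. The now-empty `files` would also read better with a one-line comment, e.g. `# Helm itself ships no extra files; Tiller is initialised without client certificates (see InitCommand).`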
@@ -15,33 +15,11 @@ module Clusters
 end
 def files
- @files ||= begin
- files = { 'values.yaml': values }
-
- files.merge!(certificate_files) if cluster.application_helm.has_ssl?
-
- files
- end
+ @files ||= { 'values.yaml': values }
 end
 private
- def certificate_files
- {
- 'ca.pem': ca_cert,
- 'cert.pem': helm_cert.cert_string,
- 'key.pem': helm_cert.key_string
- }
- end
-
- def ca_cert
- cluster.application_helm.ca_cert
- end
-
- def helm_cert
- @helm_cert ||= cluster.application_helm.issue_client_cert
- end
-
 def chart_values_file
 "#{Rails.root}/vendor/#{name}/values.yaml"
 end
diff --git a/db/migrate/20180612103626_add_columns_for_helm_tiller_certificates.rb b/db/migrate/20180612103626_add_columns_for_helm_tiller_certificates.rb
deleted file mode 100644
index 57cea18abcd..00000000000
--- a/db/migrate/20180612103626_add_columns_for_helm_tiller_certificates.rb
+++ /dev/null
@@ -1,12 +0,0 @@
-# frozen_string_literal: true
-class AddColumnsForHelmTillerCertificates < ActiveRecord::Migration
- include Gitlab::Database::MigrationHelpers
-
- DOWNTIME = false
-
- def change
- add_column :clusters_applications_helm, :encrypted_ca_key, :text
- add_column :clusters_applications_helm, :encrypted_ca_key_iv, :text
- add_column :clusters_applications_helm, :ca_cert, :text
- end
-end
diff --git a/db/schema.rb b/db/schema.rb
index f1d8f4df3b7..0b756cd8ca8 100644
--- a/db/schema.rb
+++ b/db/schema.rb
@@ -637,9 +637,6 @@ ActiveRecord::Schema.define(version: 20180807153545) do
 t.integer "status", null: false
 t.string "version", null: false
 t.text "status_reason"
- t.text "encrypted_ca_key"
- t.text "encrypted_ca_key_iv"
- t.text "ca_cert"
 end
 create_table "clusters_applications_ingress", force: :cascade do |t|
diff --git a/lib/gitlab/kubernetes/helm/init_command.rb b/lib/gitlab/kubernetes/helm/init_command.rb
index a4546509515..2f2b3e930ae 100644
--- a/lib/gitlab/kubernetes/helm/init_command.rb
+++ b/lib/gitlab/kubernetes/helm/init_command.rb
@@ -20,12 +20,7 @@ module Gitlab
 private
 def init_helm_command
- tls_flags = "--tiller-tls" \
- " --tiller-tls-verify --tls-ca-cert #{files_dir}/ca.pem" \
- " --tiller-tls-cert #{files_dir}/cert.pem" \
- " --tiller-tls-key #{files_dir}/key.pem"
-
- "helm init #{tls_flags} >/dev/null"
+ "helm init >/dev/null"
 end
 end
 end
diff --git a/lib/gitlab/kubernetes/helm/install_command.rb b/lib/gitlab/kubernetes/helm/install_command.rb
index 9672f80687e..d827e8e1090 100644
--- a/lib/gitlab/kubernetes/helm/install_command.rb
+++ b/lib/gitlab/kubernetes/helm/install_command.rb
@@ -33,7 +33,7 @@ module Gitlab
 end
 def script_command
- init_flags = "--name #{name}#{optional_tls_flags}#{optional_version_flag}" \
+ init_flags = "--name #{name}#{optional_version_flag}" \
 " --namespace #{Gitlab::Kubernetes::Helm::NAMESPACE}" \
 " -f /data/helm/#{name}/config/values.yaml"
@@ -43,15 +43,6 @@ module Gitlab
 def optional_version_flag
 " --version #{version}" if version
 end
-
- def optional_tls_flags
- return unless files.key?(:'ca.pem')
-
- " --tls" \
- " --tls-ca-cert #{files_dir}/ca.pem" \
- " --tls-cert #{files_dir}/cert.pem" \
- " --tls-key #{files_dir}/key.pem"
- end
 end
 end
 end
diff --git a/spec/lib/gitlab/kubernetes/helm/init_command_spec.rb b/spec/lib/gitlab/kubernetes/helm/init_command_spec.rb
index dcbc046cf00..7550e23259b 100644
--- a/spec/lib/gitlab/kubernetes/helm/init_command_spec.rb
+++ b/spec/lib/gitlab/kubernetes/helm/init_command_spec.rb
@@ -2,7 +2,7 @@ require 'spec_helper'
 describe Gitlab::Kubernetes::Helm::InitCommand do
 let(:application) { create(:clusters_applications_helm) }
- let(:commands) { 'helm init --tiller-tls --tiller-tls-verify --tls-ca-cert /data/helm/helm/config/ca.pem --tiller-tls-cert /data/helm/helm/config/cert.pem --tiller-tls-key /data/helm/helm/config/key.pem >/dev/null' }
+ let(:commands) { 'helm init >/dev/null' }
 subject { described_class.new(name: application.name, files: {}) }
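Review bot: `init_helm_command` now runs a bare `helm init`, so the Tiller it deploys accepts unauthenticated gRPC connections; the removed `--tiller-tls-verify` was the only control stopping another workload in the cluster from driving Tiller with its service-account permissions, and nothing in the new code replaces it. If shipping Tiller this way is the accepted trade-off for now, it should be stated in the code rather than silently reverted, e.g. above the returned string: `# NOTE: Tiller is started without --tiller-tls/--tiller-tls-verify; any in-cluster client that can reach it inherits its permissions.` The enclosing `InitCommand` class begins outside this hunk.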
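Review bot: `script_command` now omits `--tls` unconditionally, so on any cluster whose Tiller was already deployed by the pre-revert `InitCommand` with `--tiller-tls-verify`, every subsequent `helm install` would be rejected by Tiller, and since the Helm model no longer records whether TLS was used there is no way to tell such clusters apart. If the earlier code ever ran in production this revert needs a re-initialisation path for those Tillers or at least a release note; if it never shipped, a sentence saying so in the commit message would settle it. The `InstallCommand` class, including the `files` and `files_dir` the removed `optional_tls_flags` relied on, begins before these hunks.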
diff --git a/spec/lib/gitlab/kubernetes/helm/install_command_spec.rb b/spec/lib/gitlab/kubernetes/helm/install_command_spec.rb
index 982e2f41043..023799db40f 100644
--- a/spec/lib/gitlab/kubernetes/helm/install_command_spec.rb
+++ b/spec/lib/gitlab/kubernetes/helm/install_command_spec.rb
@@ -21,7 +21,7 @@ describe Gitlab::Kubernetes::Helm::InstallCommand do
 <<~EOS
 helm init --client-only >/dev/null
 helm repo add app-name https://repository.example.com
- helm install chart-name --name app-name --tls --tls-ca-cert /data/helm/app-name/config/ca.pem --tls-cert /data/helm/app-name/config/cert.pem --tls-key /data/helm/app-name/config/key.pem --version 1.2.3 --namespace gitlab-managed-apps -f /data/helm/app-name/config/values.yaml >/dev/null
+ helm install chart-name --name app-name --version 1.2.3 --namespace gitlab-managed-apps -f /data/helm/app-name/config/values.yaml >/dev/null
 EOS
 end
 end
@@ -33,7 +33,7 @@ describe Gitlab::Kubernetes::Helm::InstallCommand do
 let(:commands) do
 <<~EOS
 helm init --client-only >/dev/null
- helm install chart-name --name app-name --tls --tls-ca-cert /data/helm/app-name/config/ca.pem --tls-cert /data/helm/app-name/config/cert.pem --tls-key /data/helm/app-name/config/key.pem --version 1.2.3 --namespace gitlab-managed-apps -f /data/helm/app-name/config/values.yaml >/dev/null
+ helm install chart-name --name app-name --version 1.2.3 --namespace gitlab-managed-apps -f /data/helm/app-name/config/values.yaml >/dev/null
 EOS
 end
 end
@@ -61,7 +61,7 @@ describe Gitlab::Kubernetes::Helm::InstallCommand do
 <<~EOS
 helm init --client-only >/dev/null
 helm repo add app-name https://repository.example.com
- helm install chart-name --name app-name --tls --tls-ca-cert /data/helm/app-name/config/ca.pem --tls-cert /data/helm/app-name/config/cert.pem --tls-key /data/helm/app-name/config/key.pem --namespace gitlab-managed-apps -f /data/helm/app-name/config/values.yaml >/dev/null
+ helm install chart-name --name app-name --namespace gitlab-managed-apps -f /data/helm/app-name/config/values.yaml >/dev/null
 EOS
 end
 end
diff --git a/spec/models/clusters/applications/helm_spec.rb b/spec/models/clusters/applications/helm_spec.rb
index e5b2bdc8a4e..3c3df618b5f 100644
--- a/spec/models/clusters/applications/helm_spec.rb
+++ b/spec/models/clusters/applications/helm_spec.rb
@@ -15,17 +15,6 @@ describe Clusters::Applications::Helm do
 it { is_expected.to contain_exactly(installed_cluster) }
 end
- describe '#issue_client_cert' do
- let(:application) { create(:clusters_applications_helm) }
- subject { application.issue_client_cert }
-
- it 'returns a new cert' do
- is_expected.to be_kind_of(Gitlab::Kubernetes::Helm::Certificate)
- expect(subject.cert_string).not_to eq(application.ca_cert)
- expect(subject.key_string).not_to eq(application.ca_key)
- end
- end
-
 describe '#install_command' do
 let(:helm) { create(:clusters_applications_helm) }
@@ -36,16 +25,5 @@ describe Clusters::Applications::Helm do
 it 'should be initialized with 1 arguments' do
 expect(subject.name).to eq('helm')
 end
-
- it 'should have cert files' do
- expect(subject.files[:'ca.pem']).to be_present
- expect(subject.files[:'ca.pem']).to eq(helm.ca_cert)
-
- expect(subject.files[:'cert.pem']).to be_present
- expect(subject.files[:'key.pem']).to be_present
-
- cert = OpenSSL::X509::Certificate.new(subject.files[:'cert.pem'])
- expect(cert.not_after).to be > 999.years.from_now
- end
 end
 end
diff --git a/spec/models/clusters/applications/ingress_spec.rb b/spec/models/clusters/applications/ingress_spec.rb
index 21f75ced8c3..7dacf973d99 100644
--- a/spec/models/clusters/applications/ingress_spec.rb
+++ b/spec/models/clusters/applications/ingress_spec.rb
@@ -112,28 +112,5 @@ describe Clusters::Applications::Ingress do
 expect(values).to include('stats')
 expect(values).to include('podAnnotations')
 end
-
- context 'when the helm application does not have a ca_cert' do
- before do
- application.cluster.application_helm.ca_cert = nil
- end
-
- it 'should not include cert files' do
- expect(subject[:'ca.pem']).not_to be_present
- expect(subject[:'cert.pem']).not_to be_present
- expect(subject[:'key.pem']).not_to be_present
- end
- end
-
- it 'should include cert files' do
- expect(subject[:'ca.pem']).to be_present
- expect(subject[:'ca.pem']).to eq(application.cluster.application_helm.ca_cert)
-
- expect(subject[:'cert.pem']).to be_present
- expect(subject[:'key.pem']).to be_present
-
- cert = OpenSSL::X509::Certificate.new(subject[:'cert.pem'])
- expect(cert.not_after).to be < 60.minutes.from_now
- end
 end
 end
diff --git a/spec/models/clusters/applications/jupyter_spec.rb b/spec/models/clusters/applications/jupyter_spec.rb
index 027b732681b..9c65253a5f6 100644
--- a/spec/models/clusters/applications/jupyter_spec.rb
+++ b/spec/models/clusters/applications/jupyter_spec.rb
@@ -70,29 +70,6 @@ describe Clusters::Applications::Jupyter do
 subject { application.files }
- it 'should include cert files' do
- expect(subject[:'ca.pem']).to be_present
- expect(subject[:'ca.pem']).to eq(application.cluster.application_helm.ca_cert)
-
- expect(subject[:'cert.pem']).to be_present
- expect(subject[:'key.pem']).to be_present
-
- cert = OpenSSL::X509::Certificate.new(subject[:'cert.pem'])
- expect(cert.not_after).to be < 60.minutes.from_now
- end
-
- context 'when the helm application does not have a ca_cert' do
- before do
- application.cluster.application_helm.ca_cert = nil
- end
-
- it 'should not include cert files' do
- expect(subject[:'ca.pem']).not_to be_present
- expect(subject[:'cert.pem']).not_to be_present
- expect(subject[:'key.pem']).not_to be_present
- end
- end
-
 it 'should include valid values' do
 expect(values).to include('ingress')
 expect(values).to include('hub')
diff --git a/spec/models/clusters/applications/prometheus_spec.rb b/spec/models/clusters/applications/prometheus_spec.rb
index 7454be3ab2f..4eda5452af6 100644
--- a/spec/models/clusters/applications/prometheus_spec.rb
+++ b/spec/models/clusters/applications/prometheus_spec.rb
@@ -185,29 +185,6 @@ describe Clusters::Applications::Prometheus do
 subject { application.files }
- it 'should include cert files' do
- expect(subject[:'ca.pem']).to be_present
- expect(subject[:'ca.pem']).to eq(application.cluster.application_helm.ca_cert)
-
- expect(subject[:'cert.pem']).to be_present
- expect(subject[:'key.pem']).to be_present
-
- cert = OpenSSL::X509::Certificate.new(subject[:'cert.pem'])
- expect(cert.not_after).to be < 60.minutes.from_now
- end
-
- context 'when the helm application does not have a ca_cert' do
- before do
- application.cluster.application_helm.ca_cert = nil
- end
-
- it 'should not include cert files' do
- expect(subject[:'ca.pem']).not_to be_present
- expect(subject[:'cert.pem']).not_to be_present
- expect(subject[:'key.pem']).not_to be_present
- end
- end
-
 it 'should include prometheus valid values' do
 expect(values).to include('alertmanager')
 expect(values).to include('kubeStateMetrics')
diff --git a/spec/models/clusters/applications/runner_spec.rb b/spec/models/clusters/applications/runner_spec.rb
index d84f125e246..1ddabbabca4 100644
--- a/spec/models/clusters/applications/runner_spec.rb
+++ b/spec/models/clusters/applications/runner_spec.rb
@@ -65,29 +65,6 @@ describe Clusters::Applications::Runner do
 subject { application.files }
- it 'should include cert files' do
- expect(subject[:'ca.pem']).to be_present
- expect(subject[:'ca.pem']).to eq(application.cluster.application_helm.ca_cert)
-
- expect(subject[:'cert.pem']).to be_present
- expect(subject[:'key.pem']).to be_present
-
- cert = OpenSSL::X509::Certificate.new(subject[:'cert.pem'])
- expect(cert.not_after).to be < 60.minutes.from_now
- end
-
- context 'when the helm application does not have a ca_cert' do
- before do
- application.cluster.application_helm.ca_cert = nil
- end
-
- it 'should not include cert files' do
- expect(subject[:'ca.pem']).not_to be_present
- expect(subject[:'cert.pem']).not_to be_present
- expect(subject[:'key.pem']).not_to be_present
- end
- end
-
 it 'should include runner valid values' do
 expect(values).to include('concurrent')
 expect(values).to include('checkInterval') |