authorThong Kuah <tkuah@gitlab.com>2018-08-09 20:31:22 +1200
committerThong Kuah <tkuah@gitlab.com>2018-08-09 20:38:40 +1200
commitbf28a454f24417e2316fee2dbc16573df50c2885 (patch)
treebb233653102f1e5f051e5384644cc7f7f6b350d7
parent68082d352516b5367fce76453b8992f4e44d127e (diff)
Revert Helm TLS Authrevert-helm-tls-auth
-rw-r--r--app/models/clusters/applications/helm.rb38
-rw-r--r--app/models/clusters/concerns/application_data.rb24
-rw-r--r--db/migrate/20180612103626_add_columns_for_helm_tiller_certificates.rb12
-rw-r--r--db/schema.rb3
-rw-r--r--lib/gitlab/kubernetes/helm/init_command.rb7
-rw-r--r--lib/gitlab/kubernetes/helm/install_command.rb11
-rw-r--r--spec/lib/gitlab/kubernetes/helm/init_command_spec.rb2
-rw-r--r--spec/lib/gitlab/kubernetes/helm/install_command_spec.rb6
-rw-r--r--spec/models/clusters/applications/helm_spec.rb22
-rw-r--r--spec/models/clusters/applications/ingress_spec.rb23
-rw-r--r--spec/models/clusters/applications/jupyter_spec.rb23
-rw-r--r--spec/models/clusters/applications/prometheus_spec.rb23
-rw-r--r--spec/models/clusters/applications/runner_spec.rb23
13 files changed, 8 insertions, 209 deletions
diff --git a/app/models/clusters/applications/helm.rb b/app/models/clusters/applications/helm.rb
index 55bbf7cae7e..70bfe3f2783 100644
--- a/app/models/clusters/applications/helm.rb
+++ b/app/models/clusters/applications/helm.rb
@@ -7,22 +7,11 @@ module Clusters
class Helm < ActiveRecord::Base
self.table_name = 'clusters_applications_helm'
- attr_encrypted :ca_key,
- mode: :per_attribute_iv,
- key: Settings.attr_encrypted_db_key_base_truncated,
- algorithm: 'aes-256-cbc'
-
include ::Clusters::Concerns::ApplicationCore
include ::Clusters::Concerns::ApplicationStatus
default_value_for :version, Gitlab::Kubernetes::Helm::HELM_VERSION
- before_create :create_keys_and_certs
-
- def issue_client_cert
- ca_cert_obj.issue
- end
-
def set_initial_status
return unless not_installable?
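Review bot: Removing `attr_encrypted :ca_key` and `before_create :create_keys_and_certs` unmaps the CA key material from the model, but the commit deletes the migration that introduced the columns (the db/migrate/20180612103626 hunk) instead of adding one that drops them, so any database that already ran that migration keeps `encrypted_ca_key`, `encrypted_ca_key_iv` and `ca_cert` populated with CA private keys that no code now reads, rotates or removes. Hand-editing db/schema.rb does not touch those rows. A follow-up migration removing the three columns would be the conventional revert path and would also clear the leftover key material. The Helm class continues outside this hunk.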
@@ -36,35 +25,10 @@ module Clusters
)
end
- def has_ssl?
- ca_key.present? && ca_cert.present?
- end
-
private
def files
- {
- 'ca.pem': ca_cert,
- 'cert.pem': tiller_cert.cert_string,
- 'key.pem': tiller_cert.key_string
- }
- end
-
- def create_keys_and_certs
- ca_cert = Gitlab::Kubernetes::Helm::Certificate.generate_root
- self.ca_key = ca_cert.key_string
- self.ca_cert = ca_cert.cert_string
- end
-
- def tiller_cert
- @tiller_cert ||= ca_cert_obj.issue(expires_in: Gitlab::Kubernetes::Helm::Certificate::INFINITE_EXPIRY)
- end
-
- def ca_cert_obj
- return unless has_ssl?
-
- Gitlab::Kubernetes::Helm::Certificate
- .from_strings(ca_key, ca_cert)
+ {}
end
end
end
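Review bot: `files` now returns a bare `{}` with no comment, which reads like an unfinished stub rather than a deliberate decision; suggest `# Helm itself ships no config files: Tiller is initialised without TLS material.` above the literal. The public `has_ssl?` and `issue_client_cert` methods are also gone, so if any caller outside the files touched by this commit still uses them it would now raise NoMethodError; application_data.rb is the only caller updated here.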
diff --git a/app/models/clusters/concerns/application_data.rb b/app/models/clusters/concerns/application_data.rb
index 52498f123ff..fc0f13e2a37 100644
--- a/app/models/clusters/concerns/application_data.rb
+++ b/app/models/clusters/concerns/application_data.rb
@@ -15,33 +15,11 @@ module Clusters
end
def files
- @files ||= begin
- files = { 'values.yaml': values }
-
- files.merge!(certificate_files) if cluster.application_helm.has_ssl?
-
- files
- end
+ @files ||= { 'values.yaml': values }
end
private
- def certificate_files
- {
- 'ca.pem': ca_cert,
- 'cert.pem': helm_cert.cert_string,
- 'key.pem': helm_cert.key_string
- }
- end
-
- def ca_cert
- cluster.application_helm.ca_cert
- end
-
- def helm_cert
- @helm_cert ||= cluster.application_helm.issue_client_cert
- end
-
def chart_values_file
"#{Rails.root}/vendor/#{name}/values.yaml"
end
diff --git a/db/migrate/20180612103626_add_columns_for_helm_tiller_certificates.rb b/db/migrate/20180612103626_add_columns_for_helm_tiller_certificates.rb
deleted file mode 100644
index 57cea18abcd..00000000000
--- a/db/migrate/20180612103626_add_columns_for_helm_tiller_certificates.rb
+++ /dev/null
@@ -1,12 +0,0 @@
-# frozen_string_literal: true
-class AddColumnsForHelmTillerCertificates < ActiveRecord::Migration
- include Gitlab::Database::MigrationHelpers
-
- DOWNTIME = false
-
- def change
- add_column :clusters_applications_helm, :encrypted_ca_key, :text
- add_column :clusters_applications_helm, :encrypted_ca_key_iv, :text
- add_column :clusters_applications_helm, :ca_cert, :text
- end
-end
diff --git a/db/schema.rb b/db/schema.rb
index f1d8f4df3b7..0b756cd8ca8 100644
--- a/db/schema.rb
+++ b/db/schema.rb
@@ -637,9 +637,6 @@ ActiveRecord::Schema.define(version: 20180807153545) do
t.integer "status", null: false
t.string "version", null: false
t.text "status_reason"
- t.text "encrypted_ca_key"
- t.text "encrypted_ca_key_iv"
- t.text "ca_cert"
end
create_table "clusters_applications_ingress", force: :cascade do |t|
diff --git a/lib/gitlab/kubernetes/helm/init_command.rb b/lib/gitlab/kubernetes/helm/init_command.rb
index a4546509515..2f2b3e930ae 100644
--- a/lib/gitlab/kubernetes/helm/init_command.rb
+++ b/lib/gitlab/kubernetes/helm/init_command.rb
@@ -20,12 +20,7 @@ module Gitlab
private
def init_helm_command
- tls_flags = "--tiller-tls" \
- " --tiller-tls-verify --tls-ca-cert #{files_dir}/ca.pem" \
- " --tiller-tls-cert #{files_dir}/cert.pem" \
- " --tiller-tls-key #{files_dir}/key.pem"
-
- "helm init #{tls_flags} >/dev/null"
+ "helm init >/dev/null"
end
end
end
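Review bot: `init_helm_command` now runs `helm init` with none of the `--tiller-tls*` flags, so Tiller is deployed with its gRPC endpoint accepting unauthenticated connections from anything that can reach the tiller-deploy service, and Tiller performs installs with whatever privileges its service account holds (not visible here), so this removes a trust boundary without any rationale in the commit message. The same applies to `script_command` in install_command.rb, whose `--tls` flags are dropped in this commit. If the revert is intentional, document it at the call: `# Tiller is installed without TLS; any in-cluster client that can reach tiller-deploy can drive it.` and consider a network policy on the managed-apps namespace as a compensating control until TLS auth is restored.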
diff --git a/lib/gitlab/kubernetes/helm/install_command.rb b/lib/gitlab/kubernetes/helm/install_command.rb
index 9672f80687e..d827e8e1090 100644
--- a/lib/gitlab/kubernetes/helm/install_command.rb
+++ b/lib/gitlab/kubernetes/helm/install_command.rb
@@ -33,7 +33,7 @@ module Gitlab
end
def script_command
- init_flags = "--name #{name}#{optional_tls_flags}#{optional_version_flag}" \
+ init_flags = "--name #{name}#{optional_version_flag}" \
" --namespace #{Gitlab::Kubernetes::Helm::NAMESPACE}" \
" -f /data/helm/#{name}/config/values.yaml"
@@ -43,15 +43,6 @@ module Gitlab
def optional_version_flag
" --version #{version}" if version
end
-
- def optional_tls_flags
- return unless files.key?(:'ca.pem')
-
- " --tls" \
- " --tls-ca-cert #{files_dir}/ca.pem" \
- " --tls-cert #{files_dir}/cert.pem" \
- " --tls-key #{files_dir}/key.pem"
- end
end
end
end
diff --git a/spec/lib/gitlab/kubernetes/helm/init_command_spec.rb b/spec/lib/gitlab/kubernetes/helm/init_command_spec.rb
index dcbc046cf00..7550e23259b 100644
--- a/spec/lib/gitlab/kubernetes/helm/init_command_spec.rb
+++ b/spec/lib/gitlab/kubernetes/helm/init_command_spec.rb
@@ -2,7 +2,7 @@ require 'spec_helper'
describe Gitlab::Kubernetes::Helm::InitCommand do
let(:application) { create(:clusters_applications_helm) }
- let(:commands) { 'helm init --tiller-tls --tiller-tls-verify --tls-ca-cert /data/helm/helm/config/ca.pem --tiller-tls-cert /data/helm/helm/config/cert.pem --tiller-tls-key /data/helm/helm/config/key.pem >/dev/null' }
+ let(:commands) { 'helm init >/dev/null' }
subject { described_class.new(name: application.name, files: {}) }
diff --git a/spec/lib/gitlab/kubernetes/helm/install_command_spec.rb b/spec/lib/gitlab/kubernetes/helm/install_command_spec.rb
index 982e2f41043..023799db40f 100644
--- a/spec/lib/gitlab/kubernetes/helm/install_command_spec.rb
+++ b/spec/lib/gitlab/kubernetes/helm/install_command_spec.rb
@@ -21,7 +21,7 @@ describe Gitlab::Kubernetes::Helm::InstallCommand do
<<~EOS
helm init --client-only >/dev/null
helm repo add app-name https://repository.example.com
- helm install chart-name --name app-name --tls --tls-ca-cert /data/helm/app-name/config/ca.pem --tls-cert /data/helm/app-name/config/cert.pem --tls-key /data/helm/app-name/config/key.pem --version 1.2.3 --namespace gitlab-managed-apps -f /data/helm/app-name/config/values.yaml >/dev/null
+ helm install chart-name --name app-name --version 1.2.3 --namespace gitlab-managed-apps -f /data/helm/app-name/config/values.yaml >/dev/null
EOS
end
end
@@ -33,7 +33,7 @@ describe Gitlab::Kubernetes::Helm::InstallCommand do
let(:commands) do
<<~EOS
helm init --client-only >/dev/null
- helm install chart-name --name app-name --tls --tls-ca-cert /data/helm/app-name/config/ca.pem --tls-cert /data/helm/app-name/config/cert.pem --tls-key /data/helm/app-name/config/key.pem --version 1.2.3 --namespace gitlab-managed-apps -f /data/helm/app-name/config/values.yaml >/dev/null
+ helm install chart-name --name app-name --version 1.2.3 --namespace gitlab-managed-apps -f /data/helm/app-name/config/values.yaml >/dev/null
EOS
end
end
@@ -61,7 +61,7 @@ describe Gitlab::Kubernetes::Helm::InstallCommand do
<<~EOS
helm init --client-only >/dev/null
helm repo add app-name https://repository.example.com
- helm install chart-name --name app-name --tls --tls-ca-cert /data/helm/app-name/config/ca.pem --tls-cert /data/helm/app-name/config/cert.pem --tls-key /data/helm/app-name/config/key.pem --namespace gitlab-managed-apps -f /data/helm/app-name/config/values.yaml >/dev/null
+ helm install chart-name --name app-name --namespace gitlab-managed-apps -f /data/helm/app-name/config/values.yaml >/dev/null
EOS
end
end
diff --git a/spec/models/clusters/applications/helm_spec.rb b/spec/models/clusters/applications/helm_spec.rb
index e5b2bdc8a4e..3c3df618b5f 100644
--- a/spec/models/clusters/applications/helm_spec.rb
+++ b/spec/models/clusters/applications/helm_spec.rb
@@ -15,17 +15,6 @@ describe Clusters::Applications::Helm do
it { is_expected.to contain_exactly(installed_cluster) }
end
- describe '#issue_client_cert' do
- let(:application) { create(:clusters_applications_helm) }
- subject { application.issue_client_cert }
-
- it 'returns a new cert' do
- is_expected.to be_kind_of(Gitlab::Kubernetes::Helm::Certificate)
- expect(subject.cert_string).not_to eq(application.ca_cert)
- expect(subject.key_string).not_to eq(application.ca_key)
- end
- end
-
describe '#install_command' do
let(:helm) { create(:clusters_applications_helm) }
@@ -36,16 +25,5 @@ describe Clusters::Applications::Helm do
it 'should be initialized with 1 arguments' do
expect(subject.name).to eq('helm')
end
-
- it 'should have cert files' do
- expect(subject.files[:'ca.pem']).to be_present
- expect(subject.files[:'ca.pem']).to eq(helm.ca_cert)
-
- expect(subject.files[:'cert.pem']).to be_present
- expect(subject.files[:'key.pem']).to be_present
-
- cert = OpenSSL::X509::Certificate.new(subject.files[:'cert.pem'])
- expect(cert.not_after).to be > 999.years.from_now
- end
end
end
diff --git a/spec/models/clusters/applications/ingress_spec.rb b/spec/models/clusters/applications/ingress_spec.rb
index 21f75ced8c3..7dacf973d99 100644
--- a/spec/models/clusters/applications/ingress_spec.rb
+++ b/spec/models/clusters/applications/ingress_spec.rb
@@ -112,28 +112,5 @@ describe Clusters::Applications::Ingress do
expect(values).to include('stats')
expect(values).to include('podAnnotations')
end
-
- context 'when the helm application does not have a ca_cert' do
- before do
- application.cluster.application_helm.ca_cert = nil
- end
-
- it 'should not include cert files' do
- expect(subject[:'ca.pem']).not_to be_present
- expect(subject[:'cert.pem']).not_to be_present
- expect(subject[:'key.pem']).not_to be_present
- end
- end
-
- it 'should include cert files' do
- expect(subject[:'ca.pem']).to be_present
- expect(subject[:'ca.pem']).to eq(application.cluster.application_helm.ca_cert)
-
- expect(subject[:'cert.pem']).to be_present
- expect(subject[:'key.pem']).to be_present
-
- cert = OpenSSL::X509::Certificate.new(subject[:'cert.pem'])
- expect(cert.not_after).to be < 60.minutes.from_now
- end
end
end
diff --git a/spec/models/clusters/applications/jupyter_spec.rb b/spec/models/clusters/applications/jupyter_spec.rb
index 027b732681b..9c65253a5f6 100644
--- a/spec/models/clusters/applications/jupyter_spec.rb
+++ b/spec/models/clusters/applications/jupyter_spec.rb
@@ -70,29 +70,6 @@ describe Clusters::Applications::Jupyter do
subject { application.files }
- it 'should include cert files' do
- expect(subject[:'ca.pem']).to be_present
- expect(subject[:'ca.pem']).to eq(application.cluster.application_helm.ca_cert)
-
- expect(subject[:'cert.pem']).to be_present
- expect(subject[:'key.pem']).to be_present
-
- cert = OpenSSL::X509::Certificate.new(subject[:'cert.pem'])
- expect(cert.not_after).to be < 60.minutes.from_now
- end
-
- context 'when the helm application does not have a ca_cert' do
- before do
- application.cluster.application_helm.ca_cert = nil
- end
-
- it 'should not include cert files' do
- expect(subject[:'ca.pem']).not_to be_present
- expect(subject[:'cert.pem']).not_to be_present
- expect(subject[:'key.pem']).not_to be_present
- end
- end
-
it 'should include valid values' do
expect(values).to include('ingress')
expect(values).to include('hub')
diff --git a/spec/models/clusters/applications/prometheus_spec.rb b/spec/models/clusters/applications/prometheus_spec.rb
index 7454be3ab2f..4eda5452af6 100644
--- a/spec/models/clusters/applications/prometheus_spec.rb
+++ b/spec/models/clusters/applications/prometheus_spec.rb
@@ -185,29 +185,6 @@ describe Clusters::Applications::Prometheus do
subject { application.files }
- it 'should include cert files' do
- expect(subject[:'ca.pem']).to be_present
- expect(subject[:'ca.pem']).to eq(application.cluster.application_helm.ca_cert)
-
- expect(subject[:'cert.pem']).to be_present
- expect(subject[:'key.pem']).to be_present
-
- cert = OpenSSL::X509::Certificate.new(subject[:'cert.pem'])
- expect(cert.not_after).to be < 60.minutes.from_now
- end
-
- context 'when the helm application does not have a ca_cert' do
- before do
- application.cluster.application_helm.ca_cert = nil
- end
-
- it 'should not include cert files' do
- expect(subject[:'ca.pem']).not_to be_present
- expect(subject[:'cert.pem']).not_to be_present
- expect(subject[:'key.pem']).not_to be_present
- end
- end
-
it 'should include prometheus valid values' do
expect(values).to include('alertmanager')
expect(values).to include('kubeStateMetrics')
diff --git a/spec/models/clusters/applications/runner_spec.rb b/spec/models/clusters/applications/runner_spec.rb
index d84f125e246..1ddabbabca4 100644
--- a/spec/models/clusters/applications/runner_spec.rb
+++ b/spec/models/clusters/applications/runner_spec.rb
@@ -65,29 +65,6 @@ describe Clusters::Applications::Runner do
subject { application.files }
- it 'should include cert files' do
- expect(subject[:'ca.pem']).to be_present
- expect(subject[:'ca.pem']).to eq(application.cluster.application_helm.ca_cert)
-
- expect(subject[:'cert.pem']).to be_present
- expect(subject[:'key.pem']).to be_present
-
- cert = OpenSSL::X509::Certificate.new(subject[:'cert.pem'])
- expect(cert.not_after).to be < 60.minutes.from_now
- end
-
- context 'when the helm application does not have a ca_cert' do
- before do
- application.cluster.application_helm.ca_cert = nil
- end
-
- it 'should not include cert files' do
- expect(subject[:'ca.pem']).not_to be_present
- expect(subject[:'cert.pem']).not_to be_present
- expect(subject[:'key.pem']).not_to be_present
- end
- end
-
it 'should include runner valid values' do
expect(values).to include('concurrent')
expect(values).to include('checkInterval')