authorMayra Cabrera <mcabrera@gitlab.com>2018-08-07 12:39:38 +0000
committerDmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>2018-08-07 12:39:38 +0000
commitfc134096370c94bc1312060c42ed69b2665f0f95 (patch)
tree7e2a8764e590ae7128058cad67165f8ff1c66722 /app
parentb3deca7a2606a6b2cef464ed08417be4ffb0cb6b (diff)
downloadgitlab-ce-fc134096370c94bc1312060c42ed69b2665f0f95.tar.gz
Resolve "Mutual SSL Auth For Helm TIller"
Diffstat (limited to 'app')
-rw-r--r--app/models/clusters/applications/helm.rb49
-rw-r--r--app/models/clusters/applications/ingress.rb4
-rw-r--r--app/models/clusters/applications/jupyter.rb4
-rw-r--r--app/models/clusters/applications/prometheus.rb4
-rw-r--r--app/models/clusters/applications/runner.rb4
-rw-r--r--app/models/clusters/concerns/application_data.rb26
6 files changed, 82 insertions, 9 deletions
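diff --git a/app/models/clusters/applications/helm.rb b/app/models/clusters/applications/helm.rb
index 61df6174c86..55bbf7cae7e 100644
--- a/app/models/clusters/applications/helm.rb
+++ b/app/models/clusters/applications/helm.rb
@@ -1,15 +1,28 @@
 # frozen_string_literal: true
+require 'openssl'
+
 module Clusters
 module Applications
 class Helm < ActiveRecord::Base
 self.table_name = 'clusters_applications_helm'
+ attr_encrypted :ca_key,
+ mode: :per_attribute_iv,
+ key: Settings.attr_encrypted_db_key_base_truncated,
+ algorithm: 'aes-256-cbc'
+
 include ::Clusters::Concerns::ApplicationCore
 include ::Clusters::Concerns::ApplicationStatus
 default_value_for :version, Gitlab::Kubernetes::Helm::HELM_VERSION
+ before_create :create_keys_and_certs
+
+ def issue_client_cert
+ ca_cert_obj.issue
+ end
+
 def set_initial_status
 return unless not_installable?
@@ -17,7 +30,41 @@ module Clusters
 end
 def install_command
- Gitlab::Kubernetes::Helm::InitCommand.new(name)
+ Gitlab::Kubernetes::Helm::InitCommand.new(
+ name: name,
+ files: files
+ )
+ end
+
+ def has_ssl?
+ ca_key.present? && ca_cert.present?
+ end
+
+ private
+
+ def files
+ {
+ 'ca.pem': ca_cert,
+ 'cert.pem': tiller_cert.cert_string,
+ 'key.pem': tiller_cert.key_string
+ }
+ end
+
+ def create_keys_and_certs
+ ca_cert = Gitlab::Kubernetes::Helm::Certificate.generate_root
+ self.ca_key = ca_cert.key_string
+ self.ca_cert = ca_cert.cert_string
+ end
+
+ def tiller_cert
+ @tiller_cert ||= ca_cert_obj.issue(expires_in: Gitlab::Kubernetes::Helm::Certificate::INFINITE_EXPIRY)
+ end
+
+ def ca_cert_obj
+ return unless has_ssl?
+
+ Gitlab::Kubernetes::Helm::Certificate
+ .from_strings(ca_key, ca_cert)
 end
 end
 end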
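Review bot: `files` (and through it `tiller_cert`) assumes the CA material is present, but `ca_cert_obj` returns nil when `has_ssl?` is false, so on a Helm row persisted before this change — `before_create` only seeds new rows — `install_command` fails with a NoMethodError on nil instead of a clear error; `tiller_cert` should fail explicitly, e.g. `raise ArgumentError, 'Helm CA key/cert not present' unless has_ssl?` ahead of the `issue` call (how InitCommand treats an empty `files` hash is outside this diff, so returning `{}` is only an alternative if that is known to be safe). Issuing the Tiller certificate with `INFINITE_EXPIRY` means it never ages out and can only be retired by replacing the CA, which deserves a comment on `tiller_cert` stating that this is intended and that there is no rotation path yet. In `create_keys_and_certs` the local `ca_cert` shadows the attribute reader of the same name; renaming it, e.g. `root = Gitlab::Kubernetes::Helm::Certificate.generate_root`, avoids the confusion. Nothing in this file references `OpenSSL` directly, so the added `require 'openssl'` likely belongs with the Certificate class instead.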
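diff --git a/app/models/clusters/applications/ingress.rb b/app/models/clusters/applications/ingress.rb
index 2440efe76ab..93f654e0638 100644
--- a/app/models/clusters/applications/ingress.rb
+++ b/app/models/clusters/applications/ingress.rb
@@ -37,10 +37,10 @@ module Clusters
 def install_command
 Gitlab::Kubernetes::Helm::InstallCommand.new(
- name,
+ name: name,
 version: VERSION,
 chart: chart,
- values: values
+ files: files
 )
 end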
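diff --git a/app/models/clusters/applications/jupyter.rb b/app/models/clusters/applications/jupyter.rb
index 33d54ba86fe..ef1c76c03bd 100644
--- a/app/models/clusters/applications/jupyter.rb
+++ b/app/models/clusters/applications/jupyter.rb
@@ -38,10 +38,10 @@ module Clusters
 def install_command
 Gitlab::Kubernetes::Helm::InstallCommand.new(
- name,
+ name: name,
 version: VERSION,
 chart: chart,
- values: values,
+ files: files,
 repository: repository
 )
 end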
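diff --git a/app/models/clusters/applications/prometheus.rb b/app/models/clusters/applications/prometheus.rb
index ccb415b3fe2..88399dbbb95 100644
--- a/app/models/clusters/applications/prometheus.rb
+++ b/app/models/clusters/applications/prometheus.rb
@@ -46,10 +46,10 @@ module Clusters
 def install_command
 Gitlab::Kubernetes::Helm::InstallCommand.new(
- name,
+ name: name,
 version: VERSION,
 chart: chart,
- values: values
+ files: files
 )
 end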
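diff --git a/app/models/clusters/applications/runner.rb b/app/models/clusters/applications/runner.rb
index 426aed91089..bde255723c8 100644
--- a/app/models/clusters/applications/runner.rb
+++ b/app/models/clusters/applications/runner.rb
@@ -31,10 +31,10 @@ module Clusters
 def install_command
 Gitlab::Kubernetes::Helm::InstallCommand.new(
- name,
+ name: name,
 version: VERSION,
 chart: chart,
- values: values,
+ files: files,
 repository: repository
 )
 end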
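diff --git a/app/models/clusters/concerns/application_data.rb b/app/models/clusters/concerns/application_data.rb
index 14e004b9a57..52498f123ff 100644
--- a/app/models/clusters/concerns/application_data.rb
+++ b/app/models/clusters/concerns/application_data.rb
@@ -14,8 +14,34 @@ module Clusters
 File.read(chart_values_file)
 end
+ def files
+ @files ||= begin
+ files = { 'values.yaml': values }
+
+ files.merge!(certificate_files) if cluster.application_helm.has_ssl?
+
+ files
+ end
+ end
+
 private
+ def certificate_files
+ {
+ 'ca.pem': ca_cert,
+ 'cert.pem': helm_cert.cert_string,
+ 'key.pem': helm_cert.key_string
+ }
+ end
+
+ def ca_cert
+ cluster.application_helm.ca_cert
+ end
+
+ def helm_cert
+ @helm_cert ||= cluster.application_helm.issue_client_cert
+ end
+
 def chart_values_file
 "#{Rails.root}/vendor/#{name}/values.yaml"
 end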
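Review bot: `files` dereferences `cluster.application_helm` with no nil guard, so if an application can reach `install_command` on a cluster that has no Helm record the call raises NoMethodError instead of falling back to `values.yaml` alone; whether that state is reachable is not visible here, and if it is, `files.merge!(certificate_files) if cluster.application_helm&.has_ssl?` keeps the install path working (`ca_cert` and `helm_cert` are only reached from `certificate_files`, so they need no extra guard). `helm_cert` mints a new client certificate from the cluster CA on every new instance and nothing persists it, so each `install_command` build issues another credential whose lifetime is whatever `issue` defaults to, which is outside this diff; a comment on `helm_cert` recording the intended lifetime and that these certificates are neither stored nor revocable would save the next reader from looking for a revocation path. Inside `files` the local `files` shadows the method of the same name; `{ 'values.yaml': values }.tap { |f| f.merge!(certificate_files) if cluster.application_helm.has_ssl? }` expresses the same without the shadowing. The enclosing concern begins outside the hunk.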