author | Mayra Cabrera <mcabrera@gitlab.com> | 2018-08-07 12:39:38 +0000 |
---|---|---|
committer | Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com> | 2018-08-07 12:39:38 +0000 |
commit | fc134096370c94bc1312060c42ed69b2665f0f95 (patch) | |
tree | 7e2a8764e590ae7128058cad67165f8ff1c66722 /app | |
parent | b3deca7a2606a6b2cef464ed08417be4ffb0cb6b (diff) | |
Resolve "Mutual SSL Auth For Helm TIller"
Diffstat (limited to 'app')
-rw-r--r-- | app/models/clusters/applications/helm.rb | 49 | ||||
-rw-r--r-- | app/models/clusters/applications/ingress.rb | 4 | ||||
-rw-r--r-- | app/models/clusters/applications/jupyter.rb | 4 | ||||
-rw-r--r-- | app/models/clusters/applications/prometheus.rb | 4 | ||||
-rw-r--r-- | app/models/clusters/applications/runner.rb | 4 | ||||
-rw-r--r-- | app/models/clusters/concerns/application_data.rb | 26 |
6 files changed, 82 insertions, 9 deletions
diff --git a/app/models/clusters/applications/helm.rb b/app/models/clusters/applications/helm.rb
index 61df6174c86..55bbf7cae7e 100644
--- a/app/models/clusters/applications/helm.rb
+++ b/app/models/clusters/applications/helm.rb
@@ -1,15 +1,28 @@
 # frozen_string_literal: true
 
+require 'openssl'
+
 module Clusters
   module Applications
     class Helm < ActiveRecord::Base
       self.table_name = 'clusters_applications_helm'
 
+      attr_encrypted :ca_key,
+        mode: :per_attribute_iv,
+        key: Settings.attr_encrypted_db_key_base_truncated,
+        algorithm: 'aes-256-cbc'
+
       include ::Clusters::Concerns::ApplicationCore
       include ::Clusters::Concerns::ApplicationStatus
 
       default_value_for :version, Gitlab::Kubernetes::Helm::HELM_VERSION
 
+      before_create :create_keys_and_certs
+
+      def issue_client_cert
+        ca_cert_obj.issue
+      end
+
       def set_initial_status
         return unless not_installable?
 
@@ -17,7 +30,41 @@ module Clusters
       end
 
       def install_command
-        Gitlab::Kubernetes::Helm::InitCommand.new(name)
+        Gitlab::Kubernetes::Helm::InitCommand.new(
+          name: name,
+          files: files
+        )
+      end
+
+      def has_ssl?
+        ca_key.present? && ca_cert.present?
+      end
+
+      private
+
+      def files
+        {
+          'ca.pem': ca_cert,
+          'cert.pem': tiller_cert.cert_string,
+          'key.pem': tiller_cert.key_string
+        }
+      end
+
+      def create_keys_and_certs
+        ca_cert = Gitlab::Kubernetes::Helm::Certificate.generate_root
+        self.ca_key = ca_cert.key_string
+        self.ca_cert = ca_cert.cert_string
+      end
+
+      def tiller_cert
+        @tiller_cert ||= ca_cert_obj.issue(expires_in: Gitlab::Kubernetes::Helm::Certificate::INFINITE_EXPIRY)
+      end
+
+      def ca_cert_obj
+        return unless has_ssl?
+
+        Gitlab::Kubernetes::Helm::Certificate
+          .from_strings(ca_key, ca_cert)
       end
     end
   end
diff --git a/app/models/clusters/applications/ingress.rb b/app/models/clusters/applications/ingress.rb
index 2440efe76ab..93f654e0638 100644
--- a/app/models/clusters/applications/ingress.rb
+++ b/app/models/clusters/applications/ingress.rb
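Review bot: `issue_client_cert` dereferences `ca_cert_obj` without a guard, yet `ca_cert_obj` (second hunk of this file) returns nil whenever `has_ssl?` is false, so on a Helm row created before `before_create :create_keys_and_certs` existed the call raises NoMethodError instead of reporting the missing CA; `tiller_cert` in the second hunk has the same gap, and it is reached from `install_command` on every (re)install. A guard such as `return unless has_ssl?` at the top of `issue_client_cert`, or raising a named error, makes the legacy-row case explicit, and the public method deserves a comment: `# Issues a client certificate signed by this Helm install's CA (nil when has_ssl? is false).` The `attr_encrypted` block uses `aes-256-cbc`, which encrypts `ca_key` but does not authenticate it, so a modified ciphertext surfaces only as a parse failure in `from_strings` rather than as a detected tamper; if the rest of the codebase already standardises on this mode that is a known trade-off, but it is worth a one-line comment at the declaration.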
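Review bot: `tiller_cert` issues the Tiller server certificate with `INFINITE_EXPIRY`, so the credential installed into the cluster never expires and the only replacement path visible here is recreating the Helm row, which re-runs `create_keys_and_certs`; that deserves a comment at the call, e.g. `# Tiller's server cert never expires; it is only replaced when the Helm application row is recreated.` In `create_keys_and_certs` the local `ca_cert` shadows the `ca_cert` attribute it then assigns through `self.ca_cert =`, which is correct but easy to misread; `root = Gitlab::Kubernetes::Helm::Certificate.generate_root` followed by `self.ca_key = root.key_string` and `self.ca_cert = root.cert_string` says the same thing without the shadow. `require 'openssl'` is added at the top of the file but nothing in this file references `OpenSSL` directly; if it is only needed by `Certificate`, the require belongs in that class.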
@@ -37,10 +37,10 @@ module Clusters
 
       def install_command
         Gitlab::Kubernetes::Helm::InstallCommand.new(
-          name,
+          name: name,
           version: VERSION,
           chart: chart,
-          values: values
+          files: files
         )
       end
 
diff --git a/app/models/clusters/applications/jupyter.rb b/app/models/clusters/applications/jupyter.rb
index 33d54ba86fe..ef1c76c03bd 100644
--- a/app/models/clusters/applications/jupyter.rb
+++ b/app/models/clusters/applications/jupyter.rb
@@ -38,10 +38,10 @@ module Clusters
 
       def install_command
         Gitlab::Kubernetes::Helm::InstallCommand.new(
-          name,
+          name: name,
           version: VERSION,
           chart: chart,
-          values: values,
+          files: files,
           repository: repository
         )
       end
diff --git a/app/models/clusters/applications/prometheus.rb b/app/models/clusters/applications/prometheus.rb
index ccb415b3fe2..88399dbbb95 100644
--- a/app/models/clusters/applications/prometheus.rb
+++ b/app/models/clusters/applications/prometheus.rb
@@ -46,10 +46,10 @@ module Clusters
 
       def install_command
         Gitlab::Kubernetes::Helm::InstallCommand.new(
-          name,
+          name: name,
           version: VERSION,
           chart: chart,
-          values: values
+          files: files
         )
       end
 
diff --git a/app/models/clusters/applications/runner.rb b/app/models/clusters/applications/runner.rb
index 426aed91089..bde255723c8 100644
--- a/app/models/clusters/applications/runner.rb
+++ b/app/models/clusters/applications/runner.rb
@@ -31,10 +31,10 @@ module Clusters
 
       def install_command
         Gitlab::Kubernetes::Helm::InstallCommand.new(
-          name,
+          name: name,
           version: VERSION,
           chart: chart,
-          values: values,
+          files: files,
           repository: repository
         )
       end
diff --git a/app/models/clusters/concerns/application_data.rb b/app/models/clusters/concerns/application_data.rb
index 14e004b9a57..52498f123ff 100644
--- a/app/models/clusters/concerns/application_data.rb
+++ b/app/models/clusters/concerns/application_data.rb
@@ -14,8 +14,34 @@ module Clusters
         File.read(chart_values_file)
       end
 
+      def files
+        @files ||= begin
+          files = { 'values.yaml': values }
+
+          files.merge!(certificate_files) if cluster.application_helm.has_ssl?
+
+          files
+        end
+      end
+
       private
 
+      def certificate_files
+        {
+          'ca.pem': ca_cert,
+          'cert.pem': helm_cert.cert_string,
+          'key.pem': helm_cert.key_string
+        }
+      end
+
+      def ca_cert
+        cluster.application_helm.ca_cert
+      end
+
+      def helm_cert
+        @helm_cert ||= cluster.application_helm.issue_client_cert
+      end
+
       def chart_values_file
         "#{Rails.root}/vendor/#{name}/values.yaml"
       end
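Review bot: In `files`, the local `files = { 'values.yaml': values }` shadows the method being defined, and the `@files ||=` memo fixes the result for the life of the model instance, so whether certificate entries are included is decided once by `cluster.application_helm.has_ssl?` at the first call. Dropping the local and the `merge!` reads more plainly: `base = { 'values.yaml': values }` followed by `cluster.application_helm.has_ssl? ? base.merge(certificate_files) : base`. `cluster.application_helm` is dereferenced unconditionally here and again in `ca_cert` and `helm_cert`; if a cluster can lack a Helm row at the point `install_command` is built, that is a NoMethodError rather than a clear failure, so either confirm the invariant in a comment or use `cluster.application_helm&.has_ssl?`. The enclosing module continues outside the hunk.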