authorMayra Cabrera <mcabrera@gitlab.com>2018-08-07 12:39:38 +0000
committerDmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>2018-08-07 12:39:38 +0000
commitfc134096370c94bc1312060c42ed69b2665f0f95 (patch)
tree7e2a8764e590ae7128058cad67165f8ff1c66722 /spec/models/clusters/applications
parentb3deca7a2606a6b2cef464ed08417be4ffb0cb6b (diff)
Resolve "Mutual SSL Auth For Helm TIller"
Diffstat (limited to 'spec/models/clusters/applications')
-rw-r--r--spec/models/clusters/applications/helm_spec.rb26
-rw-r--r--spec/models/clusters/applications/ingress_spec.rb42
-rw-r--r--spec/models/clusters/applications/jupyter_spec.rb46
-rw-r--r--spec/models/clusters/applications/prometheus_spec.rb42
-rw-r--r--spec/models/clusters/applications/runner_spec.rb64
5 files changed, 170 insertions, 50 deletions
diff --git a/spec/models/clusters/applications/helm_spec.rb b/spec/models/clusters/applications/helm_spec.rb
index 0eb1e3876e2..e5b2bdc8a4e 100644
--- a/spec/models/clusters/applications/helm_spec.rb
+++ b/spec/models/clusters/applications/helm_spec.rb
@@ -6,13 +6,24 @@ describe Clusters::Applications::Helm do
describe '.installed' do
subject { described_class.installed }
- let!(:cluster) { create(:clusters_applications_helm, :installed) }
+ let!(:installed_cluster) { create(:clusters_applications_helm, :installed) }
before do
create(:clusters_applications_helm, :errored)
end
- it { is_expected.to contain_exactly(cluster) }
+ it { is_expected.to contain_exactly(installed_cluster) }
+ end
+
+ describe '#issue_client_cert' do
+ let(:application) { create(:clusters_applications_helm) }
+ subject { application.issue_client_cert }
+
+ it 'returns a new cert' do
+ is_expected.to be_kind_of(Gitlab::Kubernetes::Helm::Certificate)
+ expect(subject.cert_string).not_to eq(application.ca_cert)
+ expect(subject.key_string).not_to eq(application.ca_key)
+ end
end
describe '#install_command' do
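Review bot: The `#issue_client_cert` example only shows that the returned PEM strings differ from the CA's, which a self-signed or unrelated certificate would also satisfy. For mutual TLS the properties worth pinning are that the issued certificate is signed by the stored CA and that the returned key belongs to that certificate. With `cert = OpenSSL::X509::Certificate.new(subject.cert_string)` and `ca = OpenSSL::X509::Certificate.new(application.ca_cert)`, add `expect(cert.verify(ca.public_key)).to be(true)` and `expect(cert.check_private_key(OpenSSL::PKey.read(subject.key_string))).to be(true)`.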
@@ -25,5 +36,16 @@ describe Clusters::Applications::Helm do
it 'should be initialized with 1 arguments' do
expect(subject.name).to eq('helm')
end
+
+ it 'should have cert files' do
+ expect(subject.files[:'ca.pem']).to be_present
+ expect(subject.files[:'ca.pem']).to eq(helm.ca_cert)
+
+ expect(subject.files[:'cert.pem']).to be_present
+ expect(subject.files[:'key.pem']).to be_present
+
+ cert = OpenSSL::X509::Certificate.new(subject.files[:'cert.pem'])
+ expect(cert.not_after).to be > 999.years.from_now
+ end
end
end
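Review bot: 'should have cert files' compares only `ca.pem` with the stored CA, so it never checks that `cert.pem` and `key.pem` are an issued pair rather than the CA material itself. These files travel with the install command, so add `expect(subject.files[:'key.pem']).not_to eq(helm.ca_key)` and `expect(subject.files[:'cert.pem']).not_to eq(helm.ca_cert)`; a regression that ships the CA private key would then fail here. The `be > 999.years.from_now` assertion also pins an effectively non-expiring certificate. If that is deliberate (inferred from the 60-minute bound in the other specs), a comment such as `# install-time cert is intentionally long-lived; per-command client certs expire within the hour` would record why. The enclosing `describe '#install_command'` begins outside the hunk.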
diff --git a/spec/models/clusters/applications/ingress_spec.rb b/spec/models/clusters/applications/ingress_spec.rb
index d378248d5d6..21f75ced8c3 100644
--- a/spec/models/clusters/applications/ingress_spec.rb
+++ b/spec/models/clusters/applications/ingress_spec.rb
@@ -88,7 +88,7 @@ describe Clusters::Applications::Ingress do
expect(subject.name).to eq('ingress')
expect(subject.chart).to eq('stable/nginx-ingress')
expect(subject.version).to eq('0.23.0')
- expect(subject.values).to eq(ingress.values)
+ expect(subject.files).to eq(ingress.files)
end
context 'application failed to install previously' do
@@ -100,14 +100,40 @@ describe Clusters::Applications::Ingress do
end
end
- describe '#values' do
- subject { ingress.values }
+ describe '#files' do
+ let(:application) { ingress }
+ let(:values) { subject[:'values.yaml'] }
- it 'should include ingress valid keys' do
- is_expected.to include('image')
- is_expected.to include('repository')
- is_expected.to include('stats')
- is_expected.to include('podAnnotations')
+ subject { application.files }
+
+ it 'should include ingress valid keys in values' do
+ expect(values).to include('image')
+ expect(values).to include('repository')
+ expect(values).to include('stats')
+ expect(values).to include('podAnnotations')
+ end
+
+ context 'when the helm application does not have a ca_cert' do
+ before do
+ application.cluster.application_helm.ca_cert = nil
+ end
+
+ it 'should not include cert files' do
+ expect(subject[:'ca.pem']).not_to be_present
+ expect(subject[:'cert.pem']).not_to be_present
+ expect(subject[:'key.pem']).not_to be_present
+ end
+ end
+
+ it 'should include cert files' do
+ expect(subject[:'ca.pem']).to be_present
+ expect(subject[:'ca.pem']).to eq(application.cluster.application_helm.ca_cert)
+
+ expect(subject[:'cert.pem']).to be_present
+ expect(subject[:'key.pem']).to be_present
+
+ cert = OpenSSL::X509::Certificate.new(subject[:'cert.pem'])
+ expect(cert.not_after).to be < 60.minutes.from_now
end
end
end
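Review bot: `expect(cert.not_after).to be < 60.minutes.from_now` in 'should include cert files' checks only the upper bound, so a certificate that is already expired, or one with a zero lifetime, passes. Pin both ends with `expect(cert.not_after).to be_between(Time.now, 60.minutes.from_now)`, and consider also asserting `cert.not_before` is not in the future. The same assertion is repeated in the `#files` hunks of jupyter_spec.rb, prometheus_spec.rb and runner_spec.rb. Since the four 'cert files' examples and their 'does not have a ca_cert' contexts are otherwise identical, a shared example taking `application` would keep the expiry policy in one place.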
diff --git a/spec/models/clusters/applications/jupyter_spec.rb b/spec/models/clusters/applications/jupyter_spec.rb
index e0d57ac65f7..027b732681b 100644
--- a/spec/models/clusters/applications/jupyter_spec.rb
+++ b/spec/models/clusters/applications/jupyter_spec.rb
@@ -52,7 +52,7 @@ describe Clusters::Applications::Jupyter do
expect(subject.chart).to eq('jupyter/jupyterhub')
expect(subject.version).to eq('v0.6')
expect(subject.repository).to eq('https://jupyterhub.github.io/helm-chart/')
- expect(subject.values).to eq(jupyter.values)
+ expect(subject.files).to eq(jupyter.files)
end
context 'application failed to install previously' do
@@ -64,19 +64,43 @@ describe Clusters::Applications::Jupyter do
end
end
- describe '#values' do
- let(:jupyter) { create(:clusters_applications_jupyter) }
+ describe '#files' do
+ let(:application) { create(:clusters_applications_jupyter) }
+ let(:values) { subject[:'values.yaml'] }
- subject { jupyter.values }
+ subject { application.files }
+
+ it 'should include cert files' do
+ expect(subject[:'ca.pem']).to be_present
+ expect(subject[:'ca.pem']).to eq(application.cluster.application_helm.ca_cert)
+
+ expect(subject[:'cert.pem']).to be_present
+ expect(subject[:'key.pem']).to be_present
+
+ cert = OpenSSL::X509::Certificate.new(subject[:'cert.pem'])
+ expect(cert.not_after).to be < 60.minutes.from_now
+ end
+
+ context 'when the helm application does not have a ca_cert' do
+ before do
+ application.cluster.application_helm.ca_cert = nil
+ end
+
+ it 'should not include cert files' do
+ expect(subject[:'ca.pem']).not_to be_present
+ expect(subject[:'cert.pem']).not_to be_present
+ expect(subject[:'key.pem']).not_to be_present
+ end
+ end
it 'should include valid values' do
- is_expected.to include('ingress')
- is_expected.to include('hub')
- is_expected.to include('rbac')
- is_expected.to include('proxy')
- is_expected.to include('auth')
- is_expected.to include("clientId: #{jupyter.oauth_application.uid}")
- is_expected.to include("callbackUrl: #{jupyter.callback_url}")
+ expect(values).to include('ingress')
+ expect(values).to include('hub')
+ expect(values).to include('rbac')
+ expect(values).to include('proxy')
+ expect(values).to include('auth')
+ expect(values).to match(/clientId: '?#{application.oauth_application.uid}/)
+ expect(values).to match(/callbackUrl: '?#{application.callback_url}/)
end
end
end
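Review bot: The new `match` expectations in 'should include valid values' interpolate raw values into a regex with no escaping and no trailing anchor. `callback_url` contains `.` characters that then match any character, and a value that is merely a prefix of what was rendered still passes. Prefer `expect(values).to match(/clientId: '?#{Regexp.escape(application.oauth_application.uid)}'?$/)` and the equivalent for `callbackUrl`. The same pattern is used for `runnerToken`, `gitlabUrl` and `privileged` in the runner_spec.rb hunks, where a loose match on a credential makes the test weaker than the `include` it replaced.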
diff --git a/spec/models/clusters/applications/prometheus_spec.rb b/spec/models/clusters/applications/prometheus_spec.rb
index 3812c65b3b6..7454be3ab2f 100644
--- a/spec/models/clusters/applications/prometheus_spec.rb
+++ b/spec/models/clusters/applications/prometheus_spec.rb
@@ -167,7 +167,7 @@ describe Clusters::Applications::Prometheus do
expect(command.name).to eq('prometheus')
expect(command.chart).to eq('stable/prometheus')
expect(command.version).to eq('6.7.3')
- expect(command.values).to eq(prometheus.values)
+ expect(command.files).to eq(prometheus.files)
end
context 'application failed to install previously' do
@@ -179,17 +179,41 @@ describe Clusters::Applications::Prometheus do
end
end
- describe '#values' do
- let(:prometheus) { create(:clusters_applications_prometheus) }
+ describe '#files' do
+ let(:application) { create(:clusters_applications_prometheus) }
+ let(:values) { subject[:'values.yaml'] }
+
+ subject { application.files }
+
+ it 'should include cert files' do
+ expect(subject[:'ca.pem']).to be_present
+ expect(subject[:'ca.pem']).to eq(application.cluster.application_helm.ca_cert)
+
+ expect(subject[:'cert.pem']).to be_present
+ expect(subject[:'key.pem']).to be_present
+
+ cert = OpenSSL::X509::Certificate.new(subject[:'cert.pem'])
+ expect(cert.not_after).to be < 60.minutes.from_now
+ end
- subject { prometheus.values }
+ context 'when the helm application does not have a ca_cert' do
+ before do
+ application.cluster.application_helm.ca_cert = nil
+ end
+
+ it 'should not include cert files' do
+ expect(subject[:'ca.pem']).not_to be_present
+ expect(subject[:'cert.pem']).not_to be_present
+ expect(subject[:'key.pem']).not_to be_present
+ end
+ end
it 'should include prometheus valid values' do
- is_expected.to include('alertmanager')
- is_expected.to include('kubeStateMetrics')
- is_expected.to include('nodeExporter')
- is_expected.to include('pushgateway')
- is_expected.to include('serverFiles')
+ expect(values).to include('alertmanager')
+ expect(values).to include('kubeStateMetrics')
+ expect(values).to include('nodeExporter')
+ expect(values).to include('pushgateway')
+ expect(values).to include('serverFiles')
end
end
end
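Review bot: The 'when the helm application does not have a ca_cert' context pins a silent fallback: with no CA stored, `files` simply omits `ca.pem`, `cert.pem` and `key.pem`. What the install command does in that case is not visible here, but it presumably means talking to Tiller without TLS, so a comment on the context should state which clusters are expected to hit it, e.g. `# Helm installed before client certs were introduced; no TLS material is sent`. The setup also assigns `ca_cert = nil` on an in-memory association without saving, so the example depends on `files` reading that same cached object; stubbing or persisting the change would make it less fragile. Both remarks apply equally to the ingress, jupyter and runner copies of this context.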
diff --git a/spec/models/clusters/applications/runner_spec.rb b/spec/models/clusters/applications/runner_spec.rb
index 526300755b5..d84f125e246 100644
--- a/spec/models/clusters/applications/runner_spec.rb
+++ b/spec/models/clusters/applications/runner_spec.rb
@@ -47,7 +47,7 @@ describe Clusters::Applications::Runner do
expect(subject.chart).to eq('runner/gitlab-runner')
expect(subject.version).to eq('0.1.31')
expect(subject.repository).to eq('https://charts.gitlab.io')
- expect(subject.values).to eq(gitlab_runner.values)
+ expect(subject.files).to eq(gitlab_runner.files)
end
context 'application failed to install previously' do
@@ -59,27 +59,51 @@ describe Clusters::Applications::Runner do
end
end
- describe '#values' do
- let(:gitlab_runner) { create(:clusters_applications_runner, runner: ci_runner) }
+ describe '#files' do
+ let(:application) { create(:clusters_applications_runner, runner: ci_runner) }
+ let(:values) { subject[:'values.yaml'] }
+
+ subject { application.files }
+
+ it 'should include cert files' do
+ expect(subject[:'ca.pem']).to be_present
+ expect(subject[:'ca.pem']).to eq(application.cluster.application_helm.ca_cert)
+
+ expect(subject[:'cert.pem']).to be_present
+ expect(subject[:'key.pem']).to be_present
+
+ cert = OpenSSL::X509::Certificate.new(subject[:'cert.pem'])
+ expect(cert.not_after).to be < 60.minutes.from_now
+ end
- subject { gitlab_runner.values }
+ context 'when the helm application does not have a ca_cert' do
+ before do
+ application.cluster.application_helm.ca_cert = nil
+ end
+
+ it 'should not include cert files' do
+ expect(subject[:'ca.pem']).not_to be_present
+ expect(subject[:'cert.pem']).not_to be_present
+ expect(subject[:'key.pem']).not_to be_present
+ end
+ end
it 'should include runner valid values' do
- is_expected.to include('concurrent')
- is_expected.to include('checkInterval')
- is_expected.to include('rbac')
- is_expected.to include('runners')
- is_expected.to include('privileged: true')
- is_expected.to include('image: ubuntu:16.04')
- is_expected.to include('resources')
- is_expected.to include("runnerToken: #{ci_runner.token}")
- is_expected.to include("gitlabUrl: #{Gitlab::Routing.url_helpers.root_url}")
+ expect(values).to include('concurrent')
+ expect(values).to include('checkInterval')
+ expect(values).to include('rbac')
+ expect(values).to include('runners')
+ expect(values).to include('privileged: true')
+ expect(values).to include('image: ubuntu:16.04')
+ expect(values).to include('resources')
+ expect(values).to match(/runnerToken: '?#{ci_runner.token}/)
+ expect(values).to match(/gitlabUrl: '?#{Gitlab::Routing.url_helpers.root_url}/)
end
context 'without a runner' do
let(:project) { create(:project) }
- let(:cluster) { create(:cluster, projects: [project]) }
- let(:gitlab_runner) { create(:clusters_applications_runner, cluster: cluster) }
+ let(:cluster) { create(:cluster, :with_installed_helm, projects: [project]) }
+ let(:application) { create(:clusters_applications_runner, cluster: cluster) }
it 'creates a runner' do
expect do
@@ -88,18 +112,18 @@ describe Clusters::Applications::Runner do
end
it 'uses the new runner token' do
- expect(subject).to include("runnerToken: #{gitlab_runner.reload.runner.token}")
+ expect(values).to match(/runnerToken: '?#{application.reload.runner.token}/)
end
it 'assigns the new runner to runner' do
subject
- expect(gitlab_runner.reload.runner).to be_project_type
+ expect(application.reload.runner).to be_project_type
end
end
context 'with duplicated values on vendor/runner/values.yaml' do
- let(:values) do
+ let(:stub_values) do
{
"concurrent" => 4,
"checkInterval" => 3,
@@ -118,11 +142,11 @@ describe Clusters::Applications::Runner do
end
before do
- allow(gitlab_runner).to receive(:chart_values).and_return(values)
+ allow(application).to receive(:chart_values).and_return(stub_values)
end
it 'should overwrite values.yaml' do
- is_expected.to include("privileged: #{gitlab_runner.privileged}")
+ expect(values).to match(/privileged: '?#{application.privileged}/)
end
end
end