helm configure #7
Changes from 1 commit
0f16b4b
52f0e87
9e8c840
1447b75
cab460a
d068aaa
2554ffb
44533b2
cf9654c
2c807f7
22b04ef
c05bce7
05e9a7a
32eddd8
3d36430
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -11,19 +11,26 @@ import ( | |
"github.com/urfave/cli" | ||
|
||
"github.com/gruntwork-io/kubergrunt/helm" | ||
"github.com/gruntwork-io/kubergrunt/logging" | ||
"github.com/gruntwork-io/kubergrunt/tls" | ||
) | ||
|
||
var ( | ||
// Shared configurations | ||
tillerNamespaceFlag = cli.StringFlag{ | ||
Name: "namespace", | ||
nit: I wonder if
fixed |
||
Usage: "Kubernetes namespace that Tiller will reside in.", | ||
} | ||
resourceNamespaceFlag = cli.StringFlag{ | ||
Name: "resource-namespace", | ||
Usage: "Kubernetes namespace where the resources deployed by Tiller reside. If unspecified, defaults to the Tiller namespace.", | ||
} | ||
|
||
// Configurations for how helm is installed | ||
serviceAccountFlag = cli.StringFlag{ | ||
Name: "service-account", | ||
Usage: "The name of the ServiceAccount that Tiller should use.", | ||
} | ||
namespaceFlag = cli.StringFlag{ | ||
Name: "namespace", | ||
Usage: "Kubernetes namespace to install Tiller in.", | ||
} | ||
|
||
// Configurations for how to authenticate with the Kubernetes cluster. | ||
// NOTE: this is the same as eksKubectlContextNameFlag and eksKubeconfigFlag, except the descriptions are updated to | ||
|
@@ -109,9 +116,16 @@ var ( | |
Name: "undeploy-releases", | ||
Usage: "Undeploy all releases managed by the target Helm server before undeploying the server.", | ||
} | ||
// This is also used in configure | ||
helmHomeFlag = cli.StringFlag{ | ||
Name: "home", | ||
Usage: "Home directory that is configured for accessing the helm server being removed.", | ||
Usage: "Home directory that is configured for accessing deployed Tiller server.", | ||
} | ||
|
||
// Configurations for configuring the helm client | ||
setKubectlNamespaceFlag = cli.BoolFlag{ | ||
Name: "set-kubectl-namespace", | ||
Usage: "Set the kubectl context default namespace to match the namespace that Tiller deploys resources into.", | ||
} | ||
) | ||
|
||
|
@@ -134,7 +148,7 @@ func SetupHelmCommand() cli.Command { | |
Action: deployHelmServer, | ||
Flags: []cli.Flag{ | ||
serviceAccountFlag, | ||
namespaceFlag, | ||
tillerNamespaceFlag, | ||
tlsCommonNameFlag, | ||
tlsOrgFlag, | ||
tlsOrgUnitFlag, | ||
|
@@ -160,7 +174,26 @@ Note: By default, this will not undeploy the Helm server if there are any deploy | |
forceUndeployFlag, | ||
undeployReleasesFlag, | ||
helmHomeFlag, | ||
namespaceFlag, | ||
tillerNamespaceFlag, | ||
helmKubectlContextNameFlag, | ||
helmKubeconfigFlag, | ||
}, | ||
}, | ||
cli.Command{ | ||
Name: "configure", | ||
Usage: "Setup local helm client to be able to access Tiller.", | ||
Description: `Setup local helm client to be able to access the deployed Tiller located at the provided namespace. This assumes that an administrator has granted you access to the Tiller install already. This will: | ||
|
||
- Download the client TLS certificate key pair that you have access to. | ||
- Install the TLS certificate key pair in the helm home directory. The helm home directory can be modified with the --helm-home option. | ||
- Install an environment file compatible with your platform that can be sourced to setup variables to configure default parameters for the helm client to access the Tiller install. | ||
- Optionally set the kubectl context default namespace to be the one that Tiller manages.`, | ||
Action: configureHelmClient, | ||
Flags: []cli.Flag{ | ||
helmHomeFlag, | ||
tillerNamespaceFlag, | ||
resourceNamespaceFlag, | ||
setKubectlNamespaceFlag, | ||
helmKubectlContextNameFlag, | ||
helmKubeconfigFlag, | ||
}, | ||
|
@@ -171,7 +204,7 @@ Note: By default, this will not undeploy the Helm server if there are any deploy | |
Description: "Grant access to a deployed Helm server to a client by issuing new TLS certificate keypairs that is accessible by the provided RBAC role.", | ||
Action: grantHelmAccess, | ||
Flags: []cli.Flag{ | ||
namespaceFlag, | ||
tillerNamespaceFlag, | ||
grantedRbacRoleFlag, | ||
helmKubectlContextNameFlag, | ||
helmKubeconfigFlag, | ||
|
@@ -183,7 +216,7 @@ Note: By default, this will not undeploy the Helm server if there are any deploy | |
Description: "Revoke access to a deployed Helm server to a client by issuing new TLS certificate keypairs that is accessible by the provided RBAC role.", | ||
Action: revokeHelmAccess, | ||
Flags: []cli.Flag{ | ||
namespaceFlag, | ||
tillerNamespaceFlag, | ||
grantedRbacRoleFlag, | ||
helmKubectlContextNameFlag, | ||
helmKubeconfigFlag, | ||
|
@@ -193,6 +226,7 @@ Note: By default, this will not undeploy the Helm server if there are any deploy | |
} | ||
} | ||
|
||
// deployHelmServer is the action function for helm deploy command. | ||
func deployHelmServer(cliContext *cli.Context) error { | ||
// Check if the required commands are installed | ||
if err := shell.CommandInstalledE("helm"); err != nil { | ||
|
@@ -207,7 +241,7 @@ func deployHelmServer(cliContext *cli.Context) error { | |
if err != nil { | ||
return err | ||
} | ||
namespace, err := entrypoint.StringFlagRequiredE(cliContext, namespaceFlag.Name) | ||
tillerNamespace, err := entrypoint.StringFlagRequiredE(cliContext, tillerNamespaceFlag.Name) | ||
if err != nil { | ||
return err | ||
} | ||
|
@@ -241,12 +275,13 @@ func deployHelmServer(cliContext *cli.Context) error { | |
|
||
return helm.Deploy( | ||
kubectlOptions, | ||
namespace, | ||
tillerNamespace, | ||
serviceAccount, | ||
tlsOptions, | ||
) | ||
} | ||
|
||
// undeployHelmServer is the action command for the helm undeploy command. | ||
func undeployHelmServer(cliContext *cli.Context) error { | ||
// Check if the required commands are installed | ||
if err := shell.CommandInstalledE("helm"); err != nil { | ||
|
@@ -258,7 +293,7 @@ func undeployHelmServer(cliContext *cli.Context) error { | |
if err != nil { | ||
return err | ||
} | ||
namespace, err := entrypoint.StringFlagRequiredE(cliContext, namespaceFlag.Name) | ||
tillerNamespace, err := entrypoint.StringFlagRequiredE(cliContext, tillerNamespaceFlag.Name) | ||
if err != nil { | ||
return err | ||
} | ||
|
@@ -267,21 +302,59 @@ func undeployHelmServer(cliContext *cli.Context) error { | |
return err | ||
} | ||
|
||
// Get optional info | ||
force := cliContext.Bool(forceUndeployFlag.Name) | ||
undeployReleases := cliContext.Bool(undeployReleasesFlag.Name) | ||
|
||
return helm.Undeploy( | ||
kubectlOptions, | ||
namespace, | ||
tillerNamespace, | ||
helmHome, | ||
force, | ||
undeployReleases, | ||
) | ||
} | ||
|
||
// configureHelmClient is the action function for the helm configure command. | ||
func configureHelmClient(cliContext *cli.Context) error { | ||
logger := logging.GetProjectLogger() | ||
|
||
// Check if the required commands are installed | ||
if err := shell.CommandInstalledE("helm"); err != nil { | ||
return err | ||
} | ||
|
||
// Get required info | ||
helmHome, err := entrypoint.StringFlagRequiredE(cliContext, helmHomeFlag.Name) | ||
if err != nil { | ||
return err | ||
} | ||
tillerNamespace, err := entrypoint.StringFlagRequiredE(cliContext, tillerNamespaceFlag.Name) | ||
if err != nil { | ||
return err | ||
} | ||
kubectlOptions, err := parseKubectlOptions(cliContext) | ||
if err != nil { | ||
return err | ||
} | ||
|
||
// Get optional info | ||
setKubectlNamespace := cliContext.Bool(setKubectlNamespaceFlag.Name) | ||
resourceNamespace := cliContext.String(resourceNamespaceFlag.Name) | ||
if resourceNamespace == "" { | ||
logger.Warnf("Did not get a specific resource namespace. Defaulting to the provided Tiller namespace.") | ||
resourceNamespace = tillerNamespace | ||
} | ||
|
||
return helm.ConfigureClient(kubectlOptions, helmHome, tillerNamespace, resourceNamespace, setKubectlNamespace) | ||
} | ||
|
||
// grantHelmAccess is the action function for the helm grant command. | ||
func grantHelmAccess(cliContext *cli.Context) error { | ||
return nil | ||
} | ||
|
||
// revokeHelmAccess is the action function for the helm revoke command. | ||
func revokeHelmAccess(cliContext *cli.Context) error { | ||
return nil | ||
} | ||
|
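Review bot: The `configure` command's Description tells users the helm home directory is changed with `--helm-home`, but `helmHomeFlag` is declared with `Name: "home"`, so the documented option does not match the flag registered in this section. The text also says the directory "can be modified", while `configureHelmClient` reads it with `entrypoint.StringFlagRequiredE`, which suggests it is mandatory rather than an override of a default. Because the client TLS key pair is installed into that directory, the help text should name the option exactly, for example `- Install the TLS certificate key pair in the helm home directory, which is set with the required --home option.`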
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,45 @@ | ||
package helm | ||
|
||
import ( | ||
"github.com/gruntwork-io/kubergrunt/kubectl" | ||
"github.com/gruntwork-io/kubergrunt/logging" | ||
) | ||
|
||
// ConfigureClient will configure the local helm client to be able to communicate with the Tiller server installed in | ||
// the provided Tiller namespace. Note that this supports the notion where Tiller is deployed in a different namespace | ||
// from where resources should go. This is to address the risk where access to the tiller-secret will grant admin access | ||
// by using the tiller server TLS certs. | ||
func ConfigureClient( | ||
kubectlOptions *kubectl.KubectlOptions, | ||
helmHome string, | ||
tillerNamespace string, | ||
resourceNamespace string, | ||
setKubectlNamespace bool, | ||
) error { | ||
logger := logging.GetProjectLogger() | ||
logger.Infof("Setting up local helm client to access Tiller server deployed in namespace %s.", tillerNamespace) | ||
|
||
logger.Info("Checking if authorized to access specified Tiller server.") | ||
// TODO: Check for | ||
// - Access to TLS certs. If unavailable, mention they need to be granted access. | ||
// - Access to Tiller pod. If unavailable, mention they need to be granted access, pod should be deployed, or change | ||
// namespace. | ||
logger.Info("Confirmed authorized to access specified Tiller server.") | ||
|
||
logger.Info("Downloading TLS certificates to access specified Tiller server.") | ||
// TODO | ||
logger.Info("Successfully downloaded TLS certificates.") | ||
|
||
logger.Info("Generating environment file to setup helm client.") | ||
// TODO | ||
logger.Info("Successfully generated environment file.") | ||
|
||
if setKubectlNamespace { | ||
logger.Info("Requested to set default kubectl namespace.") | ||
// TODO | ||
logger.Infof("Updated context %s to use namespace %s as default.", kubectlOptions.ContextName, resourceNamespace) | ||
} | ||
|
||
logger.Infof("Successfully set up local helm client to access Tiller server deployed in namespace %s. Be sure to source the environment file (%s/env) before using the helm client.", tillerNamespace, helmHome) | ||
return nil | ||
} |
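Review bot: `ConfigureClient` logs "Confirmed authorized to access specified Tiller server." and "Successfully downloaded TLS certificates." directly after `// TODO` placeholders and then returns nil, so a run reports an authorization check and a certificate download that never took place. Until those steps exist, drop the success messages or end the function with an explicit failure such as `return errors.New("helm configure: not implemented")`, which needs the `errors` import. When the download step is written, the client private key placed under `helmHome` should be created readable by its owner only (file mode 0600 inside a 0700 directory), since the function's own doc comment treats the Tiller TLS material as granting privileged access.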
This is annoying, but helm doesn't have a concept of a config file. The default way for the user is:
every time they want to use `helm`. If they want multiple helm configs, this is even worse:
So the proposal here is to instead provide an environment file they can source that sets these as environment variables. Then this becomes: