helm configure #7

Merged
merged 15 commits into from
Jan 31, 2019
59 changes: 53 additions & 6 deletions README.md
Expand Up @@ -30,12 +30,14 @@ Alternatively, you can download the corresponding binary for your platform direc
The following commands are available as part of `kubergrunt`:

1. [eks](#eks)
* [verify](#verify)
* [configure](#configure)
* [token](#token)
* [deploy](#deploy)
1. [helm](#helm)
* [deploy](#helm-deploy)
* [undeploy](#undeploy)
* [configure](#helm-configure)
* [grant](#grant)
* [revoke](#revoke)

Expand Down Expand Up @@ -172,7 +174,7 @@ For example, to setup a basic install of helm in the Kubernetes namespace `tille
```bash
# Note that most of the arguments here are used to setup the Certificate Authority for TLS
kubergrunt helm deploy \
--namespace tiller-world \
--tiller-namespace tiller-world \
--service-account tiller \
--tls-common-name tiller \
--tls-org Gruntwork \
Expand Down Expand Up @@ -209,25 +211,67 @@ wanted to uninstall it:
kubergrunt helm undeploy --helm-home $HOME/.helm
```

#### (helm) configure

This subcommand will setup the installed `helm` client to be able to access the specified Helm server. Specifically,
this will:

- Download the client TLS certificate key pair generated with the [`grant`](#grant) command.
- Install the TLS certificate key pair in the helm home directory.
- Install an environment file that sets up environment variables to target the specific helm server. This environment
file needs to be loaded before issuing any commands, at it sets the necessary environment variables to signal to the
helm client which helm server to use. The environment variables it sets are:
- `HELM_HOME`: The helm client home directory where the TLS certs are located.
- `TILLER_NAMESPACE`: The namespace where the helm server is installed.
- `HELM_TLS_VERIFY`: This will be set to true to enable TLS verification.
- `HELM_TLS_ENABLE`: This will be set to true to enable TLS authentication.
Contributor Author

This is annoying, but helm doesn't have a concept of a config file. The default way for the user is:

```bash
helm --tiller-namespace NAMESPACE --tls --tls-verify
```

every time they want to use helm. If they want multiple helm configs, this is even worse:

```bash
helm --home HELM_HOME_DIR --tiller-namespace NAMESPACE --tls --tls-verify
# or if they want to share home dir but use different certs
helm --tiller-namespace NAMESPACE --tls --tls-verify --tls-ca-cert ca.cert.pem --tls-cert helm.cert.pem --tls-key helm.key.pem
```

So the proposal here is to instead provide an environment file they can source that sets these as environment variables. Then this becomes:

```bash
source ~/.helm/env
helm
```
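
The env-file approach proposed in the comment above, as an added shell example (not kubergrunt's own code, and not part of this PR): it writes the four variables the README lists into an env file, sources it, and checks the resulting shell environment before any `helm` call is made. The check is the part a practitioner wants and the page does not show: TLS must be both enabled and verified, and the client key that `HELM_TLS_ENABLE` makes helm present to Tiller must not be world-readable. The file names `ca.pem`, `cert.pem` and `key.pem` under `$HELM_HOME` are helm 2's defaults for `--tls-ca-cert`, `--tls-cert` and `--tls-key`; the function names, the temp-dir demo and the empty placeholder PEM files are constructed for this example.

```shell
#!/usr/bin/env bash
# Added example, not kubergrunt code. Builds the env file the proposal describes
# and validates the sourced environment. Assumes helm 2's default cert paths:
# $HELM_HOME/ca.pem, $HELM_HOME/cert.pem, $HELM_HOME/key.pem.
set -eu

# write_helm_env HOME_DIR TILLER_NAMESPACE: writes HOME_DIR/env with the
# variables the README lists; the file itself is kept private (0600).
write_helm_env() {
  home_dir="$1"
  tiller_ns="$2"
  mkdir -p "$home_dir"
  cat >"$home_dir/env" <<EOF
export HELM_HOME="$home_dir"
export TILLER_NAMESPACE="$tiller_ns"
export HELM_TLS_VERIFY=true
export HELM_TLS_ENABLE=true
EOF
  chmod 0600 "$home_dir/env"
}

# check_helm_env: returns 0 when the sourced environment is safe to use with
# helm, 1 otherwise. TLS must be enabled AND verified (a client cert without
# CA verification still talks to whatever answers on the Tiller port), the
# three PEM files must exist, and key.pem (the credential) must be 0600/0400.
check_helm_env() {
  [ "${HELM_TLS_ENABLE:-}" = "true" ] || { echo "HELM_TLS_ENABLE is not true" >&2; return 1; }
  [ "${HELM_TLS_VERIFY:-}" = "true" ] || { echo "HELM_TLS_VERIFY is not true" >&2; return 1; }
  [ -n "${TILLER_NAMESPACE:-}" ] || { echo "TILLER_NAMESPACE is unset" >&2; return 1; }
  [ -n "${HELM_HOME:-}" ] || { echo "HELM_HOME is unset" >&2; return 1; }
  for f in ca.pem cert.pem key.pem; do
    [ -f "$HELM_HOME/$f" ] || { echo "missing $HELM_HOME/$f" >&2; return 1; }
  done
  # GNU stat first, BSD/macOS stat as fallback.
  mode=$(stat -c '%a' "$HELM_HOME/key.pem" 2>/dev/null || stat -f '%Lp' "$HELM_HOME/key.pem")
  case "$mode" in
    600|400) return 0 ;;
    *) echo "$HELM_HOME/key.pem mode $mode is too permissive (want 0600)" >&2; return 1 ;;
  esac
}

# Stand-alone demo with a constructed helm home in a temp dir. The PEM files
# are empty placeholders; a real setup gets them from `kubergrunt helm configure`.
demo() {
  tmp=$(mktemp -d)
  write_helm_env "$tmp/.helm" dev
  for f in ca.pem cert.pem key.pem; do : >"$tmp/.helm/$f"; done
  chmod 0600 "$tmp/.helm/key.pem"
  . "$tmp/.helm/env"
  check_helm_env && echo "helm env OK: HELM_HOME=$HELM_HOME TILLER_NAMESPACE=$TILLER_NAMESPACE"
  rm -rf "$tmp"
}
demo
```

Sourcing the file is a one-off per shell, so the check belongs right after the `source` line (or in a shell hook) rather than only at configure time: the variables survive in the shell, but the files they point at can be chmod'ed or replaced afterwards.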


You can also optionally set the current kubectl context to set the default namespace to be compatible with this Tiller
install.

Afterwards, you can source the environment file to setup your shell to access the proper helm client.

For example, if you want to setup helm to target a server install in the namespace `dev` with the default helm home
directory:

```bash
# This is for linux
# Setup helm
kubergrunt helm configure --home-dir $HOME/.helm --tiller-namespace dev --rbac-user me
# Source the environment file
source $HOME/.helm/env
# Verify connection. This should display info about both the client and server.
helm version
```

See the command help for all the available options: `kubergrunt helm configure --help`.

#### grant

This subcommand will grant access to an installed helm server to a given RBAC role. This will:
This subcommand will grant access to an installed helm server to a given RBAC entity (`User`, `Group`, or
`ServiceAccount`). This will:

- Download the corresponding CA keypair for the Tiller deployment from Kubernetes.
- Issue a new TLS certificate keypair using the CA keypair.
- Upload the new TLS certificate keypair to a new Secret in a new Namespace that only the granted RBAC role has access
- Upload the new TLS certificate keypair to a new Secret in a new Namespace that only the granted RBAC entity has access
to. This access is readonly.
- Remove the local copies of the downloaded and generated certificates.

This command assumes that the authenticated entitiy running the command has enough permissions to access the generated
CA `Secret`.

For example, to grant access to a Tiller server deployed in the namespace `tiller-world` to the RBAC role `dev`:
For example, to grant access to a Tiller server deployed in the namespace `tiller-world` to the RBAC group `developers`:

```bash
kubergrunt helm grant --tiller-namespace tiller-world --rbac-role dev
kubergrunt helm grant \
--tls-common-name developers \
--tls-org YourCo \
--tiller-namespace tiller-world \
--rbac-group developers
```

See the command help for all the available options: `kubergrunt helm grant --help`.

#### revoke

This subcommand will revoke access to an installed helm server for a given RBAC role. This will:
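Review bot: the configure example passes `--home-dir $HOME/.helm` while the undeploy example just above passes `--helm-home $HOME/.helm`; use one flag name for the helm home across subcommands (or say explicitly that both are accepted). The same example is introduced as "with the default helm home directory", so either drop the flag or reword the sentence. Two typos in the new prose: "at it sets the necessary environment variables" should be "as it sets", and "authenticated entitiy" should be "entity". In the grant description, "This access is readonly" understates what is granted: the Secret holds the client TLS key, so read access to it is the credential for authenticating to Tiller as that entity; say that plainly rather than describing it as a limited view. Lastly, the revoke intro still says "for a given RBAC role" although grant was changed to "RBAC entity (`User`, `Group`, or `ServiceAccount`)"; update it to match.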
Expand All @@ -241,9 +285,12 @@ This subcommand will revoke access to an installed helm server for a given RBAC
For example, to revoke access to a Tiller server deployed in the namespace `tiller-world` from the RBAC role `dev`:

```bash
kubergrunt helm revoke --tiller-namespace tiller-world --rbac-role dev
kubergrunt helm revoke --tiller-namespace tiller-world --rbac-user dev
```

See the command help for all the available options: `kubergrunt helm revoke --help`.


## Who maintains this project?

`kubergrunt` is maintained by [Gruntwork](http://www.gruntwork.io/). If you are looking for help or commercial support,
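Review bot: the revoke example now passes `--rbac-user dev`, but the sentence introducing it still says "from the RBAC role `dev`"; reword it to "the RBAC user `dev`". Since the grant example above grants to a group (`--rbac-group developers`), a reader will also want the symmetric `kubergrunt helm revoke --tiller-namespace tiller-world --rbac-group developers` here, otherwise the two examples do not form a round trip.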
10 changes: 10 additions & 0 deletions cmd/errors.go
@@ -0,0 +1,10 @@
package main

// MutualExclusiveFlagError is returned when there is a violation of a mutually exclusive flag set.
type MutuallyExclusiveFlagError struct {
Message string
}

func (err MutuallyExclusiveFlagError) Error() string {
return err.Message
}
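Review bot: the doc comment names `MutualExclusiveFlagError` but the type is `MutuallyExclusiveFlagError`; golint expects the comment to begin with the exact type name, so change it to `// MutuallyExclusiveFlagError is returned when ...`. The type carries only a free-form `Message`, so callers cannot tell which flags conflicted without parsing the string; consider adding a `Flags []string` field (populated at the call site) so the conflicting flag names are available programmatically and the message can be built from them consistently.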