Get mutual SSL working with helm tiller

11edbccc · Dylan Griffith · ce897f11 · 11edbccc · 11edbccc · 11edbccc
Commit 11edbccc authored Jul 24, 2018 by Dylan Griffith
19 changed files
--- a/app/models/clusters/applications/helm.rb
+++ b/app/models/clusters/applications/helm.rb
+require 'openssl'
 module Clusters
  module Applications
    class Helm < ActiveRecord::Base
      self.table_name = 'clusters_applications_helm'
+      attr_encrypted :ca_key,
+        mode: :per_attribute_iv,
+        key: Settings.attr_encrypted_db_key_base_truncated,
+        algorithm: 'aes-256-cbc'
      include ::Clusters::Concerns::ApplicationCore
      include ::Clusters::Concerns::ApplicationStatus
      default_value_for :version, Gitlab::Kubernetes::Helm::HELM_VERSION
+      before_create :create_keys_and_certs
+      def create_keys_and_certs
+        ca_cert = Gitlab::Kubernetes::Helm::Certificate.generate_root
+        self.ca_key = ca_cert.key_string
+        self.ca_cert = ca_cert.cert_string
+      end
+      def ca_cert_obj
+        return unless has_ssl?
+        Gitlab::Kubernetes::Helm::Certificate
+          .from_strings(ca_key, ca_cert)
+      end
+      def issue_cert
+        ca_cert_obj
+          .issue
+      end
      def set_initial_status
        return unless not_installable?
@@ -15,11 +42,20 @@ module Clusters
      end
      def install_command
+        tiller_cert = issue_cert
        Gitlab::Kubernetes::Helm::InitCommand.new(
          name: name,
-          files: {}
+          files: {
+            'ca.pem': ca_cert,
+            'cert.pem': tiller_cert.cert_string,
+            'key.pem': tiller_cert.key_string
+          }
        )
      end
+      def has_ssl?
+        ca_key.present? && ca_cert.present?
+      end
    end
  end
 end
--- a/app/models/clusters/concerns/application_data.rb
+++ b/app/models/clusters/concerns/application_data.rb
@@ -13,9 +13,20 @@ module Clusters
        end
        def files
-          {
+          @files ||= begin
-            'values.yaml': values
+            files = { 'values.yaml': values }
-          }
+            if cluster.application_helm.has_ssl?
+              ca_cert = cluster.application_helm.ca_cert
+              helm_cert = cluster.application_helm.issue_cert
+              files.merge!({
+                'ca.pem': ca_cert,
+                'cert.pem': helm_cert.cert_string,
+                'key.pem': helm_cert.key_string
+              })
+            end
+            files
+          end
        end
        private

--- a/db/migrate/20180612103626_add_columns_for_helm_tiller_certificates.rb
+++ b/db/migrate/20180612103626_add_columns_for_helm_tiller_certificates.rb
+class AddColumnsForHelmTillerCertificates < ActiveRecord::Migration
+  include Gitlab::Database::MigrationHelpers
+  DOWNTIME = false
+  def change
+    add_column :clusters_applications_helm, :encrypted_ca_key, :text
+    add_column :clusters_applications_helm, :encrypted_ca_key_iv, :text
+    add_column :clusters_applications_helm, :ca_cert, :text
+  end
+end
--- a/db/schema.rb
+++ b/db/schema.rb
@@ -635,6 +635,9 @@ ActiveRecord::Schema.define(version: 20180722103201) do
    t.integer "status", null: false
    t.string "version", null: false
    t.text "status_reason"
+    t.text "encrypted_ca_key"
+    t.text "encrypted_ca_key_iv"
+    t.text "ca_cert"
  end
  create_table "clusters_applications_ingress", force: :cascade do |t|

--- a/lib/gitlab/kubernetes/helm/base_command.rb
+++ b/lib/gitlab/kubernetes/helm/base_command.rb
@@ -36,6 +36,10 @@ module Gitlab
        private
+        def files_dir
+          "/data/helm/#{name}/config"
+        end
        def namespace
          Gitlab::Kubernetes::Helm::NAMESPACE
        end

--- a/lib/gitlab/kubernetes/helm/certificate.rb
+++ b/lib/gitlab/kubernetes/helm/certificate.rb
+module Gitlab
+  module Kubernetes
+    module Helm
+      class Certificate
+        attr_reader :key, :cert
+        def key_string
+          @key.to_s
+        end
+        def cert_string
+          @cert.to_pem
+        end
+        def self.from_strings(key_string, cert_string)
+          key = OpenSSL::PKey::RSA.new(key_string)
+          cert = OpenSSL::X509::Certificate.new(cert_string)
+          new(key, cert)
+        end
+        def self.generate_root
+          key = OpenSSL::PKey::RSA.new(4096)
+          public_key = key.public_key
+          subject = "/C=US"
+          cert = OpenSSL::X509::Certificate.new
+          cert.subject = cert.issuer = OpenSSL::X509::Name.parse(subject)
+          cert.not_before = Time.now
+          cert.not_after = Time.now + 365 * 24 * 60 * 60
+          cert.public_key = public_key
+          cert.serial = 0x0
+          cert.version = 2
+          extension_factory = OpenSSL::X509::ExtensionFactory.new
+          extension_factory.subject_certificate = cert
+          extension_factory.issuer_certificate = cert
+          cert.add_extension(extension_factory.create_extension('subjectKeyIdentifier', 'hash'))
+          cert.add_extension(extension_factory.create_extension('basicConstraints', 'CA:TRUE', true))
+          cert.add_extension(extension_factory.create_extension('keyUsage', 'cRLSign,keyCertSign', true))
+          cert.sign key, OpenSSL::Digest::SHA256.new
+          new(key, cert)
+        end
+        def issue
+          key = OpenSSL::PKey::RSA.new(4096)
+          public_key = key.public_key
+          subject = "/C=US"
+          cert = OpenSSL::X509::Certificate.new
+          cert.subject = OpenSSL::X509::Name.parse(subject)
+          cert.issuer = self.cert.subject
+          cert.not_before = Time.now
+          cert.not_after = Time.now + 365 * 24 * 60 * 60
+          cert.public_key = public_key
+          cert.serial = 0x0
+          cert.version = 2
+          cert.sign self.key, OpenSSL::Digest::SHA256.new
+          self.class.new(key, cert)
+        end
+        private
+        def initialize(key, cert)
+          @key = key
+          @cert = cert
+        end
+      end
+    end
+  end
+end
--- a/lib/gitlab/kubernetes/helm/init_command.rb
+++ b/lib/gitlab/kubernetes/helm/init_command.rb
@@ -20,7 +20,12 @@ module Gitlab
        private
        def init_helm_command
-          "helm init >/dev/null"
+          tls_opts = "--tiller-tls" \
+            " --tiller-tls-verify --tls-ca-cert #{files_dir}/ca.pem" \
+            " --tiller-tls-cert #{files_dir}/cert.pem" \
+            " --tiller-tls-key #{files_dir}/key.pem"
+          "helm init #{tls_opts} >/dev/null"
        end
      end
    end

--- a/lib/gitlab/kubernetes/helm/install_command.rb
+++ b/lib/gitlab/kubernetes/helm/install_command.rb
@@ -34,8 +34,15 @@ module Gitlab
        end
        def script_command
+          if files.key?(:'ca.pem')
+            tls_opts = " --tls" \
+              " --tls-ca-cert #{files_dir}/ca.pem" \
+              " --tls-cert #{files_dir}/cert.pem" \
+              " --tls-key #{files_dir}/key.pem"
+          end
          <<~HEREDOC
-          helm install #{chart} --name #{name}#{optional_version_flag} --namespace #{Gitlab::Kubernetes::Helm::NAMESPACE} -f /data/helm/#{name}/config/values.yaml >/dev/null
+          helm install#{tls_opts} #{chart} --name #{name}#{optional_version_flag} --namespace #{Gitlab::Kubernetes::Helm::NAMESPACE} -f /data/helm/#{name}/config/values.yaml >/dev/null
          HEREDOC
        end

--- a/spec/factories/clusters/applications/helm.rb
+++ b/spec/factories/clusters/applications/helm.rb
@@ -32,11 +32,18 @@ FactoryBot.define do
      updated_at ClusterWaitForAppInstallationWorker::TIMEOUT.ago
    end
-    factory :clusters_applications_ingress, class: Clusters::Applications::Ingress
+    factory :clusters_applications_ingress, class: Clusters::Applications::Ingress do
-    factory :clusters_applications_prometheus, class: Clusters::Applications::Prometheus
+      cluster factory: %i(cluster with_installed_helm provided_by_gcp)
-    factory :clusters_applications_runner, class: Clusters::Applications::Runner
+    end
+    factory :clusters_applications_prometheus, class: Clusters::Applications::Prometheus do
+      cluster factory: %i(cluster with_installed_helm provided_by_gcp)
+    end
+    factory :clusters_applications_runner, class: Clusters::Applications::Runner do
+      cluster factory: %i(cluster with_installed_helm provided_by_gcp)
+    end
    factory :clusters_applications_jupyter, class: Clusters::Applications::Jupyter do
      oauth_application factory: :oauth_application
+      cluster factory: %i(cluster with_installed_helm provided_by_gcp)
    end
  end
 end
--- a/spec/factories/clusters/clusters.rb
+++ b/spec/factories/clusters/clusters.rb
@@ -36,5 +36,9 @@ FactoryBot.define do
    trait :production_environment do
      sequence(:environment_scope) { |n| "production#{n}/*" }
    end
+    trait :with_installed_helm do
+      application_helm factory: %i(clusters_applications_helm installed)
+    end
  end
 end
--- a/spec/lib/gitlab/kubernetes/helm/init_command_spec.rb
+++ b/spec/lib/gitlab/kubernetes/helm/init_command_spec.rb
@@ -2,7 +2,7 @@ require 'spec_helper'
 describe Gitlab::Kubernetes::Helm::InitCommand do
  let(:application) { create(:clusters_applications_helm) }
-  let(:commands) { 'helm init >/dev/null' }
+  let(:commands) { 'helm init --tiller-tls --tiller-tls-verify --tls-ca-cert /data/helm/helm/config/ca.pem --tiller-tls-cert /data/helm/helm/config/cert.pem --tiller-tls-key /data/helm/helm/config/key.pem >/dev/null' }
  subject { described_class.new(name: application.name, files: {}) }

--- a/spec/lib/gitlab/kubernetes/helm/install_command_spec.rb
+++ b/spec/lib/gitlab/kubernetes/helm/install_command_spec.rb
 require 'rails_helper'
 describe Gitlab::Kubernetes::Helm::InstallCommand do
-  let(:application) { create(:clusters_applications_prometheus) }
+  let(:files) { { 'ca.pem': 'some file content' } }
-  let(:namespace) { Gitlab::Kubernetes::Helm::NAMESPACE }
+  let(:repository) { 'https://repository.example.com' }
-  let(:install_command) { application.install_command }
+  let(:version) { '1.2.3' }
-  subject { install_command }
+  let(:install_command) do
+    described_class.new(
+      name: 'app-name',
+      chart: 'chart-name',
+      files: files,
+      version: version, repository: repository
+    )
+  end
-  context 'for ingress' do
+  subject { install_command }
-    let(:application) { create(:clusters_applications_ingress) }
-    it_behaves_like 'helm commands' do
+  it_behaves_like 'helm commands' do
-      let(:commands) do
+    let(:commands) do
-        <<~EOS
+      <<~EOS
-         helm init --client-only >/dev/null
+      helm init --client-only >/dev/null
-         helm install #{application.chart} --name #{application.name} --namespace #{namespace} -f /data/helm/#{application.name}/config/values.yaml >/dev/null
+      helm repo add app-name https://repository.example.com
-        EOS
+      helm install --tls --tls-ca-cert /data/helm/app-name/config/ca.pem --tls-cert /data/helm/app-name/config/cert.pem --tls-key /data/helm/app-name/config/key.pem chart-name --name app-name --version 1.2.3 --namespace gitlab-managed-apps -f /data/helm/app-name/config/values.yaml >/dev/null
-      end
+      EOS
    end
  end
-  context 'for prometheus' do
+  context 'when there is no repository' do
-    let(:application) { create(:clusters_applications_prometheus) }
+    let(:repository) { nil }
    it_behaves_like 'helm commands' do
      let(:commands) do
        <<~EOS
         helm init --client-only >/dev/null
-         helm install #{application.chart} --name #{application.name} --version #{application.version} --namespace #{namespace} -f /data/helm/#{application.name}/config/values.yaml >/dev/null
+         helm install --tls --tls-ca-cert /data/helm/app-name/config/ca.pem --tls-cert /data/helm/app-name/config/cert.pem --tls-key /data/helm/app-name/config/key.pem chart-name --name app-name --version 1.2.3 --namespace gitlab-managed-apps -f /data/helm/app-name/config/values.yaml >/dev/null
        EOS
      end
    end
  end
-  context 'for runner' do
+  context 'when there is no ca.pem file' do
-    let(:ci_runner) { create(:ci_runner) }
+    let(:files) { { 'file.txt': 'some content' } }
-    let(:application) { create(:clusters_applications_runner, runner: ci_runner) }
    it_behaves_like 'helm commands' do
      let(:commands) do
        <<~EOS
         helm init --client-only >/dev/null
-         helm repo add #{application.name} #{application.repository}
+         helm repo add app-name https://repository.example.com
-         helm install #{application.chart} --name #{application.name} --namespace #{namespace} -f /data/helm/#{application.name}/config/values.yaml >/dev/null
+         helm install chart-name --name app-name --version 1.2.3 --namespace gitlab-managed-apps -f /data/helm/app-name/config/values.yaml >/dev/null
        EOS
      end
    end
  end
-  context 'for jupyter' do
+  context 'when there is no version' do
-    let(:application) { create(:clusters_applications_jupyter) }
+    let(:version) { nil }
    it_behaves_like 'helm commands' do
      let(:commands) do
        <<~EOS
         helm init --client-only >/dev/null
-         helm repo add #{application.name} #{application.repository}
+         helm repo add app-name https://repository.example.com
-         helm install #{application.chart} --name #{application.name} --namespace #{namespace} -f /data/helm/#{application.name}/config/values.yaml >/dev/null
+         helm install --tls --tls-ca-cert /data/helm/app-name/config/ca.pem --tls-cert /data/helm/app-name/config/cert.pem --tls-key /data/helm/app-name/config/key.pem chart-name --name app-name --namespace gitlab-managed-apps -f /data/helm/app-name/config/values.yaml >/dev/null
        EOS
      end
    end
@@ -65,13 +70,13 @@ describe Gitlab::Kubernetes::Helm::InstallCommand do
  describe '#config_map_resource' do
    let(:metadata) do
      {
-        name: "values-content-configuration-#{application.name}",
+        name: "values-content-configuration-app-name",
-        namespace: namespace,
+        namespace: 'gitlab-managed-apps',
-        labels: { name: "values-content-configuration-#{application.name}" }
+        labels: { name: "values-content-configuration-app-name" }
      }
    end
-    let(:resource) { ::Kubeclient::Resource.new(metadata: metadata, data: application.files) }
+    let(:resource) { ::Kubeclient::Resource.new(metadata: metadata, data: files) }
    subject { install_command.config_map_resource }

--- a/spec/lib/gitlab/kubernetes/helm/pod_spec.rb
+++ b/spec/lib/gitlab/kubernetes/helm/pod_spec.rb
@@ -2,8 +2,7 @@ require 'rails_helper'
 describe Gitlab::Kubernetes::Helm::Pod do
  describe '#generate' do
-    let(:cluster) { create(:cluster) }
+    let(:app) {  create(:clusters_applications_prometheus) }
-    let(:app) {  create(:clusters_applications_prometheus, cluster: cluster) }
    let(:command) {  app.install_command }
    let(:namespace) { Gitlab::Kubernetes::Helm::NAMESPACE }

--- a/spec/models/clusters/applications/helm_spec.rb
+++ b/spec/models/clusters/applications/helm_spec.rb
@@ -6,13 +6,24 @@ describe Clusters::Applications::Helm do
  describe '.installed' do
    subject { described_class.installed }
-    let!(:cluster) { create(:clusters_applications_helm, :installed) }
+    let!(:installed_cluster) { create(:clusters_applications_helm, :installed) }
    before do
      create(:clusters_applications_helm, :errored)
    end
-    it { is_expected.to contain_exactly(cluster) }
+    it { is_expected.to contain_exactly(installed_cluster) }
+  end
+  describe '#issue_cert' do
+    let(:application) { create(:clusters_applications_helm) }
+    subject { application.issue_cert }
+    it 'returns a new cert' do
+      is_expected.to be_kind_of(Gitlab::Kubernetes::Helm::Certificate)
+      expect(subject.cert_string).not_to eq(application.ca_cert)
+      expect(subject.key_string).not_to eq(application.ca_key)
+    end
  end
  describe '#install_command' do
@@ -25,5 +36,13 @@ describe Clusters::Applications::Helm do
    it 'should be initialized with 1 arguments' do
      expect(subject.name).to eq('helm')
    end
+    it 'should have cert files' do
+      expect(subject.files[:'ca.pem']).to be_present
+      expect(subject.files[:'ca.pem']).to eq(helm.ca_cert)
+      expect(subject.files[:'cert.pem']).to be_present
+      expect(subject.files[:'key.pem']).to be_present
+    end
  end
 end
--- a/spec/models/clusters/applications/ingress_spec.rb
+++ b/spec/models/clusters/applications/ingress_spec.rb
@@ -79,7 +79,9 @@ describe Clusters::Applications::Ingress do
  end
  describe '#files' do
-    let(:values) { ingress.files[:'values.yaml'] }
+    let(:application) { ingress }
+    subject { application.files }
+    let(:values) { subject[:'values.yaml'] }
    it 'should include ingress valid keys in values' do
      expect(values).to include('image')
@@ -87,5 +89,25 @@ describe Clusters::Applications::Ingress do
      expect(values).to include('stats')
      expect(values).to include('podAnnotations')
    end
+    context 'when the helm application does not have a ca_cert' do
+      before do
+        application.cluster.application_helm.ca_cert = nil
+      end
+      it 'should not include cert files' do
+        expect(subject[:'ca.pem']).not_to be_present
+        expect(subject[:'cert.pem']).not_to be_present
+        expect(subject[:'key.pem']).not_to be_present
+      end
+    end
+    it 'should include cert files' do
+      expect(subject[:'ca.pem']).to be_present
+      expect(subject[:'ca.pem']).to eq(application.cluster.application_helm.ca_cert)
+      expect(subject[:'cert.pem']).to be_present
+      expect(subject[:'key.pem']).to be_present
+    end
  end
 end
--- a/spec/models/clusters/applications/jupyter_spec.rb
+++ b/spec/models/clusters/applications/jupyter_spec.rb
@@ -43,9 +43,29 @@ describe Clusters::Applications::Jupyter do
  end
  describe '#files' do
-    let(:jupyter) { create(:clusters_applications_jupyter) }
+    let(:application) { create(:clusters_applications_jupyter) }
+    subject { application.files }
+    let(:values) { subject[:'values.yaml'] }
-    let(:values) { jupyter.files[:'values.yaml'] }
+    it 'should include cert files' do
+      expect(subject[:'ca.pem']).to be_present
+      expect(subject[:'ca.pem']).to eq(application.cluster.application_helm.ca_cert)
+      expect(subject[:'cert.pem']).to be_present
+      expect(subject[:'key.pem']).to be_present
+    end
+    context 'when the helm application does not have a ca_cert' do
+      before do
+        application.cluster.application_helm.ca_cert = nil
+      end
+      it 'should not include cert files' do
+        expect(subject[:'ca.pem']).not_to be_present
+        expect(subject[:'cert.pem']).not_to be_present
+        expect(subject[:'key.pem']).not_to be_present
+      end
+    end
    it 'should include valid values' do
      expect(values).to include('ingress')
@@ -53,8 +73,8 @@ describe Clusters::Applications::Jupyter do
      expect(values).to include('rbac')
      expect(values).to include('proxy')
      expect(values).to include('auth')
-      expect(values).to match(/clientId: '?#{jupyter.oauth_application.uid}/)
+      expect(values).to match(/clientId: '?#{application.oauth_application.uid}/)
-      expect(values).to match(/callbackUrl: '?#{jupyter.callback_url}/)
+      expect(values).to match(/callbackUrl: '?#{application.callback_url}/)
    end
  end
 end
--- a/spec/models/clusters/applications/prometheus_spec.rb
+++ b/spec/models/clusters/applications/prometheus_spec.rb
@@ -158,9 +158,29 @@ describe Clusters::Applications::Prometheus do
  end
  describe '#files' do
-    let(:prometheus) { create(:clusters_applications_prometheus) }
+    let(:application) { create(:clusters_applications_prometheus) }
+    subject { application.files }
+    let(:values) { subject[:'values.yaml'] }
+    it 'should include cert files' do
+      expect(subject[:'ca.pem']).to be_present
+      expect(subject[:'ca.pem']).to eq(application.cluster.application_helm.ca_cert)
-    let(:values) { prometheus.files[:'values.yaml'] }
+      expect(subject[:'cert.pem']).to be_present
+      expect(subject[:'key.pem']).to be_present
+    end
+    context 'when the helm application does not have a ca_cert' do
+      before do
+        application.cluster.application_helm.ca_cert = nil
+      end
+      it 'should not include cert files' do
+        expect(subject[:'ca.pem']).not_to be_present
+        expect(subject[:'cert.pem']).not_to be_present
+        expect(subject[:'key.pem']).not_to be_present
+      end
+    end
    it 'should include prometheus valid values' do
      expect(values).to include('alertmanager')

--- a/spec/models/clusters/applications/runner_spec.rb
+++ b/spec/models/clusters/applications/runner_spec.rb
@@ -38,11 +38,31 @@ describe Clusters::Applications::Runner do
  end
  describe '#files' do
-    let(:gitlab_runner) { create(:clusters_applications_runner, runner: ci_runner) }
+    let(:application) { create(:clusters_applications_runner, runner: ci_runner) }
-    subject { gitlab_runner.files }
+    subject { application.files }
    let(:values) { subject[:'values.yaml'] }
+    it 'should include cert files' do
+      expect(subject[:'ca.pem']).to be_present
+      expect(subject[:'ca.pem']).to eq(application.cluster.application_helm.ca_cert)
+      expect(subject[:'cert.pem']).to be_present
+      expect(subject[:'key.pem']).to be_present
+    end
+    context 'when the helm application does not have a ca_cert' do
+      before do
+        application.cluster.application_helm.ca_cert = nil
+      end
+      it 'should not include cert files' do
+        expect(subject[:'ca.pem']).not_to be_present
+        expect(subject[:'cert.pem']).not_to be_present
+        expect(subject[:'key.pem']).not_to be_present
+      end
+    end
    it 'should include runner valid values' do
      expect(values).to include('concurrent')
      expect(values).to include('checkInterval')
@@ -57,8 +77,8 @@ describe Clusters::Applications::Runner do
    context 'without a runner' do
      let(:project) { create(:project) }
-      let(:cluster) { create(:cluster, projects: [project]) }
+      let(:cluster) { create(:cluster, :with_installed_helm, projects: [project]) }
-      let(:gitlab_runner) { create(:clusters_applications_runner, cluster: cluster) }
+      let(:application) { create(:clusters_applications_runner, cluster: cluster) }
      it 'creates a runner' do
        expect do
@@ -67,13 +87,13 @@ describe Clusters::Applications::Runner do
      end
      it 'uses the new runner token' do
-        expect(values).to match(/runnerToken: '?#{gitlab_runner.reload.runner.token}/)
+        expect(values).to match(/runnerToken: '?#{application.reload.runner.token}/)
      end
      it 'assigns the new runner to runner' do
        subject
-        expect(gitlab_runner.reload.runner).to be_project_type
+        expect(application.reload.runner).to be_project_type
      end
    end
@@ -97,11 +117,11 @@ describe Clusters::Applications::Runner do
      end
      before do
-        allow(gitlab_runner).to receive(:chart_values).and_return(stub_values)
+        allow(application).to receive(:chart_values).and_return(stub_values)
      end
      it 'should overwrite values.yaml' do
-        expect(values).to match(/privileged: '?#{gitlab_runner.privileged}/)
+        expect(values).to match(/privileged: '?#{application.privileged}/)
      end
    end
  end

--- a/spec/services/clusters/applications/install_service_spec.rb
+++ b/spec/services/clusters/applications/install_service_spec.rb
@@ -47,7 +47,7 @@ describe Clusters::Applications::InstallService do
    end
    context 'when application cannot be persisted' do
-      let(:application) { build(:clusters_applications_helm, :scheduled) }
+      let(:application) { create(:clusters_applications_helm, :scheduled) }
      it 'make the application errored' do
        expect(application).to receive(:make_installing!).once.and_raise(ActiveRecord::RecordInvalid)