[stable/magic-namespace] Add TLS capabilities to Tiller deployment (h…

…elm#12061) * [stable/magic-namespace] Add TLS capabilities to Tiller deployment Also: * Fix Tiller container name * Make additional service accounts optional Signed-off-by: Ash Caire <[email protected]> * Changes based on review Signed-off-by: Ash Caire <[email protected]> * Restore tiller container name change Signed-off-by: Ash Caire <[email protected]> * Remove service account change Signed-off-by: Ash Caire <[email protected]> * Remove certPath Signed-off-by: Ash Caire <[email protected]>
faraazkhan · Mar 14, 2019 · 375a520 · 375a520
1 parent 8f7b120
commit 375a520
Show file tree

Hide file tree

Showing 6 changed files with 79 additions and 1 deletion.
diff --git a/stable/magic-namespace/Chart.yaml b/stable/magic-namespace/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v1
 name: magic-namespace
-version: 0.3.0
+version: 0.4.0
 appVersion: 2.8.1
 home: https://github.com/kubernetes/charts/tree/master/stable/magic-namespace
 description: Elegantly enables a Tiller per namespace in RBAC-enabled clusters

diff --git a/stable/magic-namespace/README.md b/stable/magic-namespace/README.md
@@ -140,6 +140,12 @@ reference the default `values.yaml` to understand further options.
 | `tiller.role.type` | Identify the name of the `Role` or `ClusterRole` that will be referenced in the role binding for Tiller's service account. There is seldom any reason to override this. | `admin` |
 | `tiller.includeService` | This deploys a service resource for Tiller. This is not generally needed. Please understand the security implications of this before overriding the default. | `false` |
 | `tiller.onlyListenOnLocalhost` | This prevents Tiller from binding to `0.0.0.0`. This is generally advisable to close known Tiller-based attack vectors. Please understand the security implications of this before overriding the default. | `true` |
+| `tiller.tls.enabled` | Whether to enable TLS encryption between Helm and Tiller. Specify either `tiller.tls.secretName` to mount an existing secret, or `tiller.tls.ca`, `tiller.tls.cert` and `tiller.tls.key` to create a secret from Base64 provided values | `false` |
+| `tiller.tls.verify` | Whether to verify a remote Tiller certificate. | `true` |
+| `tiller.tls.secretName` | Mount an existing TLS secret into the Tiller container. The secret must include data keys: `ca.crt`, `tls.crt` and `tls.key` | `nil` |
+| `tiller.tls.ca` | Base64 encoded string to mount ca.crt into the Tiller container. This value requires `tiller.tls.cert` and `tiller.tls.key` to also be set. | `nil` |
+| `tiller.tls.cert` | Base64 encoded string to mount tls.cert into the Tiller container. This value requires `tiller.tls.ca and `tiller.tls.key` to also be set. | `nil` |
+| `tiller.tls.key` | Base64 encoded string to mount tls.key into the Tiller container. This value requires `tiller.tls.ca` and `tiller.tls.cert` to also be set. | `nil` |
 | `serviceAccounts` | An optional array of names of additional service account to create | `nil` |
 | `roleBindings` | An optional array of objects that define role bindings | `nil` |
 | `roleBindings[n].role.kind` | Identify the kind of role (`Role` or `ClusterRole`) to be used in the role binding | |

diff --git a/stable/magic-namespace/templates/_helpers.tpl b/stable/magic-namespace/templates/_helpers.tpl
@@ -30,3 +30,14 @@ Create chart name and version as used by the chart label.
 {{- define "magic-namespace.chart" -}}
 {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
+
+{{/*
+Allow a custom secretName to be defined
+*/}}
+{{- define "magic-namespace.tillerTlsSecret" -}}
+{{- if .Values.tiller.tls.secretName -}}
+{{- .Values.tiller.tls.secretName }}
+{{- else -}}
+{{- template "magic-namespace.chart" . }}-tiller-secret
+{{- end -}}
+{{- end -}}
diff --git a/stable/magic-namespace/templates/secret.yaml b/stable/magic-namespace/templates/secret.yaml
@@ -0,0 +1,19 @@
+{{- if (and (.Values.tiller.tls.enabled) (not .Values.tiller.tls.secretName)) }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ template "magic-namespace.tillerTlsSecret" . }}
+  {{- if hasKey .Values "namespace" }}
+  namespace: {{ .Values.namespace }}
+  {{- end }}
+  labels:
+    app: {{ template "magic-namespace.chart" . }}
+    chart: {{ .Chart.Name }}-{{ .Chart.Version }}
+    heritage: {{ .Release.Service }}
+    release: {{ .Release.Name }}
+type: Opaque
+data:
+  ca.crt: {{ required "You need to populate .Values.tiller.tls.ca with a Base64 encoded CA" .Values.tiller.tls.ca }}
+  tls.crt: {{ required "You need to populate .Values.tiller.tls.cert with a Base64 encoded cert" .Values.tiller.tls.cert }}
+  tls.key: {{ required "You need to populate .Values.tiller.tls.key with a Base64 encoded key" .Values.tiller.tls.key}}
+{{- end }}
diff --git a/stable/magic-namespace/templates/tiller-deployment.yaml b/stable/magic-namespace/templates/tiller-deployment.yaml
@@ -42,6 +42,16 @@ spec:
             {{- end }}
           - name: TILLER_HISTORY_MAX
             value: {{ quote .Values.tiller.maxHistory }}
+          {{- if .Values.tiller.tls.enabled }}
+          - name: TILLER_TLS_ENABLE
+            value: "1"
+          {{- if .Values.tiller.tls.verify }}
+          - name: TILLER_TLS_VERIFY
+            value: "1"
+          {{- end }}
+          - name: TILLER_TLS_CERTS
+            value: /etc/certs
+          {{- end }}
           {{- if .Values.tiller.onlyListenOnLocalhost }}
           command: ["/tiller"]
           args: ["--listen=127.0.0.1:44134"]
@@ -74,8 +84,21 @@ spec:
             periodSeconds: 10
             successThreshold: 1
             timeoutSeconds: 1
+          volumeMounts:
+          {{- if .Values.tiller.tls.enabled }}
+          - mountPath: /etc/certs
+            name: tiller-certs
+            readOnly: true
+          {{- end }}
           resources:
 {{ toYaml .Values.tiller.resources | indent 12 }}
+      volumes:
+      {{- if .Values.tiller.tls.enabled }}
+      - name: tiller-certs
+        secret:
+          defaultMode: 420
+          secretName: {{ template "magic-namespace.tillerTlsSecret" . }}
+      {{- end }}
     {{- with .Values.tiller.nodeSelector }}
       nodeSelector:
 {{ toYaml . | indent 8 }}

diff --git a/stable/magic-namespace/values.yaml b/stable/magic-namespace/values.yaml
@@ -23,6 +23,25 @@ tiller:
 
   maxHistory: 0
 
+  tls:
+    ## Enable TLS encryption between Helm and Tiller
+    enabled: false
+
+    ## Verify remote certificate
+    verify: true
+
+    ## A custom secret to mount instead of specifying Base64 Values below
+    secretName: ""
+
+    ## Specify a Base64 encoded CA
+    # ca: "Zm9vCg=="
+
+    ## Specify a Base64 encoded cert
+    # cert: "Zm9vCg=="
+
+    ## Specify a Base64 encoded private key
+    # key: "Zm9vCg=="
+
   ## The following options specify the Role or ClusterRole to assign to the
   ## tiller service account. The ClusterRole "admin" is usually pre-defined in
   ## RBAC-enabled clusters and will allow administration of a namespace by