Skip to content

Commit 2e55dbe

Browse files
author
Matthew Fisher
committed
fix(helm): fix regression with TLS flags/environment variables not being parsed (helm#4657)
* fix(helm): fix regression with TLS flags/envvars This change fixes some of the assumptions made in an earlier commit. Helm's TLS flags and environment variables were not respected because they were parsed well before execution (during settings.AddFlagsTLS()), causing erroneous behaviour at runtime. By re-introducing environment.Init(), Helm can properly parse environment variables at the correct time. One change that had to occur in this PR is the fact that we need to call settings.Init() each time we call settings.AddFlagsTLS(). This is because each command owns its own FlagSet, so we need to parse each flagset to read and propagate the environment variables correctly. I also noticed that we were maintaining two separate variables for each TLS value. Refactoring out some of the older code to all use the settings object makes the code much cleaner to read and fixes an issue where setting a flag or environment variable would propagate to the settings object, but we'd be reading from tlsEnable. I've also added some unit tests to ensure this regression doesn't occur again. Signed-off-by: Matthew Fisher <matt.fisher@microsoft.com> * fix bug where os.ExpandEnv() on the default value causes differing behaviour Signed-off-by: Matthew Fisher <matt.fisher@microsoft.com> * add more context to the TODO/FIXME messages Signed-off-by: Matthew Fisher <matt.fisher@microsoft.com> (cherry picked from commit 8be42ba)
1 parent 19467a5 commit 2e55dbe

20 files changed

+429
-46
lines changed

cmd/helm/delete.go

+3
Original file line numberDiff line numberDiff line change
@@ -85,6 +85,9 @@ func newDeleteCmd(c helm.Interface, out io.Writer) *cobra.Command {
8585
f.Int64Var(&del.timeout, "timeout", 300, "time in seconds to wait for any individual Kubernetes operation (like Jobs for hooks)")
8686
f.StringVar(&del.description, "description", "", "specify a description for the release")
8787

88+
// set defaults from environment
89+
settings.InitTLS(f)
90+
8891
return cmd
8992
}
9093

cmd/helm/get.go

+3
Original file line numberDiff line numberDiff line change
@@ -79,6 +79,9 @@ func newGetCmd(client helm.Interface, out io.Writer) *cobra.Command {
7979
cmd.AddCommand(newGetHooksCmd(nil, out))
8080
cmd.AddCommand(newGetNotesCmd(nil, out))
8181

82+
// set defaults from environment
83+
settings.InitTLS(f)
84+
8285
return cmd
8386
}
8487

cmd/helm/get_hooks.go

+4
Original file line numberDiff line numberDiff line change
@@ -60,6 +60,10 @@ func newGetHooksCmd(client helm.Interface, out io.Writer) *cobra.Command {
6060
f := cmd.Flags()
6161
settings.AddFlagsTLS(f)
6262
f.Int32Var(&ghc.version, "revision", 0, "get the named release with revision")
63+
64+
// set defaults from environment
65+
settings.InitTLS(f)
66+
6367
return cmd
6468
}
6569

cmd/helm/get_manifest.go

+4
Original file line numberDiff line numberDiff line change
@@ -63,6 +63,10 @@ func newGetManifestCmd(client helm.Interface, out io.Writer) *cobra.Command {
6363
f := cmd.Flags()
6464
settings.AddFlagsTLS(f)
6565
f.Int32Var(&get.version, "revision", 0, "get the named release with revision")
66+
67+
// set defaults from environment
68+
settings.InitTLS(f)
69+
6670
return cmd
6771
}
6872

cmd/helm/get_notes.go

+3
Original file line numberDiff line numberDiff line change
@@ -63,6 +63,9 @@ func newGetNotesCmd(client helm.Interface, out io.Writer) *cobra.Command {
6363
settings.AddFlagsTLS(f)
6464
f.Int32Var(&get.version, "revision", 0, "get the notes of the named release with revision")
6565

66+
// set defaults from environment
67+
settings.InitTLS(f)
68+
6669
return cmd
6770
}
6871

cmd/helm/get_values.go

+4
Original file line numberDiff line numberDiff line change
@@ -62,6 +62,10 @@ func newGetValuesCmd(client helm.Interface, out io.Writer) *cobra.Command {
6262
settings.AddFlagsTLS(f)
6363
f.Int32Var(&get.version, "revision", 0, "get the named release with revision")
6464
f.BoolVarP(&get.allValues, "all", "a", false, "dump all (computed) values")
65+
66+
// set defaults from environment
67+
settings.InitTLS(f)
68+
6569
return cmd
6670
}
6771

cmd/helm/helm.go

+24-25
Original file line numberDiff line numberDiff line change
@@ -40,13 +40,6 @@ import (
4040
)
4141

4242
var (
43-
tlsServerName string // overrides the server name used to verify the hostname on the returned certificates from the server.
44-
tlsCaCertFile string // path to TLS CA certificate file
45-
tlsCertFile string // path to TLS certificate file
46-
tlsKeyFile string // path to TLS key file
47-
tlsVerify bool // enable TLS and verify remote certificates
48-
tlsEnable bool // enable TLS
49-
5043
tillerTunnel *kube.Tunnel
5144
settings helm_env.EnvSettings
5245
)
@@ -87,9 +80,21 @@ func newRootCmd(args []string) *cobra.Command {
8780
Long: globalUsage,
8881
SilenceUsage: true,
8982
PersistentPreRun: func(*cobra.Command, []string) {
90-
tlsCaCertFile = os.ExpandEnv(tlsCaCertFile)
91-
tlsCertFile = os.ExpandEnv(tlsCertFile)
92-
tlsKeyFile = os.ExpandEnv(tlsKeyFile)
83+
if settings.TLSCaCertFile == helm_env.DefaultTLSCaCert || settings.TLSCaCertFile == "" {
84+
settings.TLSCaCertFile = settings.Home.TLSCaCert()
85+
} else {
86+
settings.TLSCaCertFile = os.ExpandEnv(settings.TLSCaCertFile)
87+
}
88+
if settings.TLSCertFile == helm_env.DefaultTLSCert || settings.TLSCertFile == "" {
89+
settings.TLSCertFile = settings.Home.TLSCert()
90+
} else {
91+
settings.TLSCertFile = os.ExpandEnv(settings.TLSCertFile)
92+
}
93+
if settings.TLSKeyFile == helm_env.DefaultTLSKeyFile || settings.TLSKeyFile == "" {
94+
settings.TLSKeyFile = settings.Home.TLSKey()
95+
} else {
96+
settings.TLSKeyFile = os.ExpandEnv(settings.TLSKeyFile)
97+
}
9398
},
9499
PersistentPostRun: func(*cobra.Command, []string) {
95100
teardown()
@@ -143,6 +148,9 @@ func newRootCmd(args []string) *cobra.Command {
143148

144149
flags.Parse(args)
145150

151+
// set defaults from environment
152+
settings.Init(flags)
153+
146154
// Find and add plugins
147155
loadPlugins(cmd, out)
148156

@@ -275,24 +283,15 @@ func newClient() helm.Interface {
275283
options := []helm.Option{helm.Host(settings.TillerHost), helm.ConnectTimeout(settings.TillerConnectionTimeout)}
276284

277285
if settings.TLSVerify || settings.TLSEnable {
278-
if tlsCaCertFile == "" {
279-
tlsCaCertFile = settings.Home.TLSCaCert()
280-
}
281-
if tlsCertFile == "" {
282-
tlsCertFile = settings.Home.TLSCert()
283-
}
284-
if tlsKeyFile == "" {
285-
tlsKeyFile = settings.Home.TLSKey()
286-
}
287-
debug("Host=%q, Key=%q, Cert=%q, CA=%q\n", tlsServerName, tlsKeyFile, tlsCertFile, tlsCaCertFile)
286+
debug("Host=%q, Key=%q, Cert=%q, CA=%q\n", settings.TLSServerName, settings.TLSKeyFile, settings.TLSCertFile, settings.TLSCaCertFile)
288287
tlsopts := tlsutil.Options{
289-
ServerName: tlsServerName,
290-
KeyFile: tlsKeyFile,
291-
CertFile: tlsCertFile,
288+
ServerName: settings.TLSServerName,
289+
KeyFile: settings.TLSKeyFile,
290+
CertFile: settings.TLSCertFile,
292291
InsecureSkipVerify: true,
293292
}
294-
if tlsVerify {
295-
tlsopts.CaCertFile = tlsCaCertFile
293+
if settings.TLSVerify {
294+
tlsopts.CaCertFile = settings.TLSCaCertFile
296295
tlsopts.InsecureSkipVerify = false
297296
}
298297
tlscfg, err := tlsutil.ClientConfig(tlsopts)

0 commit comments

Comments
 (0)