Communicating with Tiller that has TLS enabled

I was trying to figure out how I can use the library in order to communicate with a Tiller that has TLS enabled. In order to initialize the Tiller I’m using a command similar to this: helm init --tiller-tls --tiller-tls-verify --tls-ca-cert <path-to-ca-cert> --tiller-tls-cert <path-to-tls-cert> --tiller-tls-key <path-to-tls-key>

From what I see in the Tiller class, there is support only for plain text communication (there is a constructor that accepts a ManagedChannel https://github.com/microbean/microbean-helm/issues/42, but I also need to send the Kubernetes configuration):

return ManagedChannelBuilder.forAddress(hostAddress, portForward.getLocalPort())
      .idleTimeout(5L, TimeUnit.SECONDS)
      .keepAliveTime(30L, TimeUnit.SECONDS)
      .maxInboundMessageSize(MAX_MESSAGE_SIZE)
      .usePlaintext(true)
      .build();

I was curious whether I would be able to do something similar to this command in order to list the Helm releases: helm --tls --tls-ca-cert <path-to-ca-cert> --tls-cert <path-to-tls-cert> --tls-key <path-to-tls-key> list

Issue Analytics

  • State: closed
  • Created 5 years ago
  • Comments: 6 (3 by maintainers)

Top GitHub Comments

2 reactions
gavlad commented, May 25, 2018
@Override
protected ManagedChannel buildChannel(final LocalPortForward portForward)
{
	Objects.requireNonNull(portForward);
	final InetAddress localAddress = portForward.getLocalAddress();
	if (localAddress == null)
	{
		throw new IllegalArgumentException("portForward", new IllegalStateException("portForward.getLocalAddress() == null"));
	}
	final String hostAddress = localAddress.getHostAddress();
	if (hostAddress == null)
	{
		throw new IllegalArgumentException("portForward", new IllegalStateException("portForward.getLocalAddress().getHostAddress() == null"));
	}

	NettyChannelBuilder builder = NettyChannelBuilder.forAddress(hostAddress, portForward.getLocalPort());
	try
	{
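		// InsecureTrustManagerFactory accepts any server certificate: the client
		// certificate is presented, but Tiller's certificate is not verified.
		SslContext sslContext = GrpcSslContexts.forClient().trustManager(InsecureTrustManagerFactory.INSTANCE)
					.keyManager(new File("<path-to-tls-cert>"), new File("<path-to-tls-key>")).build();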
		builder.negotiationType(NegotiationType.TLS);
		builder.sslContext(sslContext);
		builder.idleTimeout(5L, TimeUnit.SECONDS);
		builder.keepAliveTime(30L, TimeUnit.SECONDS);
		builder.maxInboundMessageSize(MAX_MESSAGE_SIZE);
	}
	catch (SSLException e)
	{
		System.err.println("failed connect to peer with SSLException" + e.getMessage());
	}
	return builder.build();
} 
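
For comparison with the snippet above, here is a variant that verifies Tiller's certificate against the CA passed to `helm init --tls-ca-cert` instead of trusting any certificate. It is an added example, not code from the thread or from microbean-helm; the class name, method name and parameters are hypothetical, and the `MAX_MESSAGE_SIZE` value is an assumption.

```java
import io.grpc.ManagedChannel;
import io.grpc.netty.GrpcSslContexts;
import io.grpc.netty.NegotiationType;
import io.grpc.netty.NettyChannelBuilder;
import io.netty.handler.ssl.SslContext;

import java.io.File;
import java.util.Objects;
import java.util.concurrent.TimeUnit;
import javax.net.ssl.SSLException;

/** Hypothetical helper: builds a mutually authenticated gRPC channel to Tiller. */
public final class TillerTlsChannels {

    // Assumed limit; use the same value as the surrounding code's MAX_MESSAGE_SIZE.
    private static final int MAX_MESSAGE_SIZE = 20 * 1024 * 1024;

    private TillerTlsChannels() {}

    /**
     * @param host, port     local end of the port-forward to the Tiller pod
     * @param caCert         PEM CA certificate (the --tls-ca-cert file)
     * @param clientCert     PEM client certificate chain (the --tls-cert file)
     * @param clientKey      PEM private key; Netty expects PKCS#8 ("BEGIN PRIVATE KEY")
     * @param tillerCertName a name present in Tiller's certificate; needed because the
     *                       port-forward address (127.0.0.1) is normally not in that cert
     */
    public static ManagedChannel build(String host, int port, File caCert, File clientCert,
                                       File clientKey, String tillerCertName) throws SSLException {
        Objects.requireNonNull(tillerCertName, "tillerCertName");
        for (File f : new File[] {caCert, clientCert, clientKey}) {
            if (!f.isFile() || !f.canRead()) {
                throw new IllegalArgumentException("unreadable TLS file: " + f);
            }
        }
        SslContext sslContext = GrpcSslContexts.forClient()
            .trustManager(caCert)               // only accept servers signed by this CA
            .keyManager(clientCert, clientKey)  // client identity for --tiller-tls-verify
            .build();                           // SSLException propagates: no channel on failure
        return NettyChannelBuilder.forAddress(host, port)
            .negotiationType(NegotiationType.TLS)
            .sslContext(sslContext)
            .overrideAuthority(tillerCertName)  // name checked during hostname verification
            .idleTimeout(5L, TimeUnit.SECONDS)
            .keepAliveTime(30L, TimeUnit.SECONDS)
            .maxInboundMessageSize(MAX_MESSAGE_SIZE)
            .build();
    }
}
```

A key written by `openssl genrsa` is PKCS#1 (`BEGIN RSA PRIVATE KEY`) and must be converted to PKCS#8 before `keyManager` will load it.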
1 reaction
gavlad commented, May 24, 2018

Yes. I will show an example after everything works.
