Communicating with Tiller that has TLS enabled

[gavlad]

I was trying to figure out how can I use the library in order to communicate with a tiller that has TLS enabled. In order to initialize the Tiller I'm using a command similar to this:
helm init --tiller-tls --tiller-tls-verify --tls-ca-cert <path-to-ca-cert> --tiller-tls-cert <path-to-tls-cert> --tiller-tls-key <path-to-tls-key>

From what I see in the Tiller class, there is support only for plain text communication(there is a constructor that accepts a ManagedChannel #42, but I need to send also the Kubernetes configuration):

return ManagedChannelBuilder.forAddress(hostAddress, portForward.getLocalPort())
      .idleTimeout(5L, TimeUnit.SECONDS)
      .keepAliveTime(30L, TimeUnit.SECONDS)
      .maxInboundMessageSize(MAX_MESSAGE_SIZE)
      .usePlaintext(true)
      .build();

I was curious if I can be able to do something similar to this command in order to list the Helm releases:
helm --tls --tls-ca-cert <path-to-ca-cert> --tls-cert <path-to-tls-cert> --tls-key <path-to-tls-key> list

[ljnelson]

Hello; thanks for using microBean Helm. You may want to keep track of #42.

In general, I try to stay out of the business of how the gRPC connection is established.

I think you're asking two questions here (correct me if I'm wrong):

• How can I initialize Tiller (install it in my cluster) using microBean Helm such that it will use TLS for subsequent connections?
• Once Tiller is set up one way or another in TLS mode, how can I use microBean Helm to connect to it?

For the first question, you're probably interested in this godawful method.

For the second question, you're probably going to want to override the buildChannel method, where you can do whatever you like to connect to the Tiller at the other end.

[ljnelson]

Ah, I read your issue too quickly. You are not asking about how to install Tiller using microBean Helm, so you may safely disregard my advice there. You are asking about how to set up secure communication with an already-installed Tiller, and for that, yes, you'll want to override the buildChannel method.

[gavlad]

You're right. I was interested only in creating a secure communication with an already-installed Tiller. Thanks!

[ljnelson]

Does this give you what you need? If so, I'll close this issue.

[gavlad]

Yes. I will show an example after everything works.

[gavlad]

@Override
protected ManagedChannel buildChannel(final LocalPortForward portForward)
{
	Objects.requireNonNull(portForward);
	final InetAddress localAddress = portForward.getLocalAddress();
	if (localAddress == null)
	{
		throw new IllegalArgumentException("portForward", new IllegalStateException("portForward.getLocalAddress() == null"));
	}
	final String hostAddress = localAddress.getHostAddress();
	if (hostAddress == null)
	{
		throw new IllegalArgumentException("portForward", new IllegalStateException("portForward.getLocalAddress().getHostAddress() == null"));
	}

	NettyChannelBuilder builder = NettyChannelBuilder.forAddress(hostAddress, portForward.getLocalPort());
	try
	{
		SslContext sslContext = GrpcSslContexts.forClient().trustManager(InsecureTrustManagerFactory.INSTANCE)
					.keyManager(new File(<path-to-tls-cert>), new File(<path-to-tls-key>)).build();
		builder.negotiationType(NegotiationType.TLS);
		builder.sslContext(sslContext);
		builder.idleTimeout(5L, TimeUnit.SECONDS);
		builder.keepAliveTime(30L, TimeUnit.SECONDS);
		builder.maxInboundMessageSize(MAX_MESSAGE_SIZE);
	}
	catch (SSLException e)
	{
		System.err.println("failed connect to peer with SSLException" + e.getMessage());
	}
	return builder.build();
}