Adds the option kube-cafile and env variable HELM_KUBECAFILE for a overwrite of the certificate authority file

Signed-off-by: Lüchinger Dominic <dev@snowgarden.ch>
2026-04-23 07:07:30 -04:00 · 2020-10-29 10:34:47 +01:00 · 2020-10-29 10:34:47 +01:00 · cc1d2d62e9
commit cc1d2d62e9
parent 8be6bc076f
5 changed files with 20 additions and 5 deletions
--- a/cmd/helm/load_plugins.go
+++ b/cmd/helm/load_plugins.go
@ -154,7 +154,7 @@ func callPluginExecutable(pluginName string, main string, argv []string, out io.
 func manuallyProcessArgs(args []string) ([]string, []string) {
 	known := []string{}
 	unknown := []string{}
-	kvargs := []string{"--kube-context", "--namespace", "-n", "--kubeconfig", "--kube-apiserver", "--kube-token", "--kube-as-user", "--kube-as-group", "--registry-config", "--repository-cache", "--repository-config"}
+	kvargs := []string{"--kube-context", "--namespace", "-n", "--kubeconfig", "--kube-apiserver", "--kube-token", "--kube-as-user", "--kube-as-group", "--kube-ca-file", "--registry-config", "--repository-cache", "--repository-config"}
 	knownArg := func(a string) bool {
 		for _, pre := range kvargs {
 			if strings.HasPrefix(a, pre+"=") {
--- a/cmd/helm/root.go
+++ b/cmd/helm/root.go
@ -62,6 +62,7 @@ Environment variables:
 | $HELM_REPOSITORY_CONFIG            | set the path to the repositories file.                                            |
 | $KUBECONFIG                        | set an alternative Kubernetes configuration file (default "~/.kube/config")       |
 | $HELM_KUBEAPISERVER                | set the Kubernetes API Server Endpoint for authentication                         |
+| $HELM_KUBECAFILE                   | set the Kubernetes certificate authority file.                                    |
 | $HELM_KUBEASGROUPS                 | set the Groups to use for impersonation using a comma-separated list.             |
 | $HELM_KUBEASUSER                   | set the Username to impersonate for the operation.                                |
 | $HELM_KUBECONTEXT                  | set the name of the kubeconfig context.                                           |
--- a/cmd/helm/testdata/output/env-comp.txt
+++ b/cmd/helm/testdata/output/env-comp.txt
@ -6,6 +6,7 @@ HELM_DEBUG
 HELM_KUBEAPISERVER
 HELM_KUBEASGROUPS
 HELM_KUBEASUSER
+HELM_KUBECAFILE
 HELM_KUBECONTEXT
 HELM_KUBETOKEN
 HELM_MAX_HISTORY
--- a/pkg/cli/environment.go
+++ b/pkg/cli/environment.go
@ -54,6 +54,8 @@ type EnvSettings struct {
 	KubeAsGroups []string
 	// Kubernetes API Server Endpoint for authentication
 	KubeAPIServer string
+	// Custom certificate authority file.
+	KubeCaFile string
 	// Debug indicates whether or not Helm is running in Debug mode.
 	Debug bool
 	// RegistryConfig is the path to the registry config file.
@ -77,6 +79,7 @@ func New() *EnvSettings {
 		KubeAsUser:       os.Getenv("HELM_KUBEASUSER"),
 		KubeAsGroups:     envCSV("HELM_KUBEASGROUPS"),
 		KubeAPIServer:    os.Getenv("HELM_KUBEAPISERVER"),
+		KubeCaFile:       os.Getenv("HELM_KUBECAFILE"),
 		PluginsDirectory: envOr("HELM_PLUGINS", helmpath.DataPath("plugins")),
 		RegistryConfig:   envOr("HELM_REGISTRY_CONFIG", helmpath.ConfigPath("registry.json")),
 		RepositoryConfig: envOr("HELM_REPOSITORY_CONFIG", helmpath.ConfigPath("repositories.yaml")),
@ -90,6 +93,7 @@ func New() *EnvSettings {
 		Context:          &env.KubeContext,
 		BearerToken:      &env.KubeToken,
 		APIServer:        &env.KubeAPIServer,
+		CAFile:           &env.KubeCaFile,
 		KubeConfig:       &env.KubeConfig,
 		Impersonate:      &env.KubeAsUser,
 		ImpersonateGroup: &env.KubeAsGroups,
@ -106,6 +110,7 @@ func (s *EnvSettings) AddFlags(fs *pflag.FlagSet) {
 	fs.StringVar(&s.KubeAsUser, "kube-as-user", s.KubeAsUser, "username to impersonate for the operation")
 	fs.StringArrayVar(&s.KubeAsGroups, "kube-as-group", s.KubeAsGroups, "group to impersonate for the operation, this flag can be repeated to specify multiple groups.")
 	fs.StringVar(&s.KubeAPIServer, "kube-apiserver", s.KubeAPIServer, "the address and the port for the Kubernetes API server")
+	fs.StringVar(&s.KubeCaFile, "kube-ca-file", s.KubeCaFile, "the certificate authority file for the Kubernetes API server connection")
 	fs.BoolVar(&s.Debug, "debug", s.Debug, "enable verbose output")
 	fs.StringVar(&s.RegistryConfig, "registry-config", s.RegistryConfig, "path to the registry config file")
 	fs.StringVar(&s.RepositoryConfig, "repository-config", s.RepositoryConfig, "path to the file containing repository names and URLs")
@ -159,6 +164,7 @@ func (s *EnvSettings) EnvVars() map[string]string {
 		"HELM_KUBEASUSER":    s.KubeAsUser,
 		"HELM_KUBEASGROUPS":  strings.Join(s.KubeAsGroups, ","),
 		"HELM_KUBEAPISERVER": s.KubeAPIServer,
+		"HELM_KUBECAFILE":    s.KubeCaFile,
 	}
 	if s.KubeConfig != "" {
 		envvars["KUBECONFIG"] = s.KubeConfig
--- a/pkg/cli/environment_test.go
+++ b/pkg/cli/environment_test.go
@ -39,6 +39,7 @@ func TestEnvSettings(t *testing.T) {
 		maxhistory   int
 		kAsUser      string
 		kAsGroups    []string
+		kCaFile      string
 	}{
 		{
 			name:       "defaults",
@ -47,31 +48,34 @@ func TestEnvSettings(t *testing.T) {
 		},
 		{
 			name:       "with flags set",
-			args:       "--debug --namespace=myns --kube-as-user=poro --kube-as-group=admins --kube-as-group=teatime --kube-as-group=snackeaters",
+			args:       "--debug --namespace=myns --kube-as-user=poro --kube-as-group=admins --kube-as-group=teatime --kube-as-group=snackeaters --kube-ca-file=/tmp/ca.crt",
 			ns:         "myns",
 			debug:      true,
 			maxhistory: defaultMaxHistory,
 			kAsUser:    "poro",
 			kAsGroups:  []string{"admins", "teatime", "snackeaters"},
+			kCaFile:    "/tmp/ca.crt",
 		},
 		{
 			name:       "with envvars set",
-			envvars:    map[string]string{"HELM_DEBUG": "1", "HELM_NAMESPACE": "yourns", "HELM_KUBEASUSER": "pikachu", "HELM_KUBEASGROUPS": ",,,operators,snackeaters,partyanimals", "HELM_MAX_HISTORY": "5"},
+			envvars:    map[string]string{"HELM_DEBUG": "1", "HELM_NAMESPACE": "yourns", "HELM_KUBEASUSER": "pikachu", "HELM_KUBEASGROUPS": ",,,operators,snackeaters,partyanimals", "HELM_MAX_HISTORY": "5", "HELM_KUBECAFILE": "/tmp/ca.crt"},
 			ns:         "yourns",
 			maxhistory: 5,
 			debug:      true,
 			kAsUser:    "pikachu",
 			kAsGroups:  []string{"operators", "snackeaters", "partyanimals"},
+			kCaFile:    "/tmp/ca.crt",
 		},
 		{
 			name:       "with flags and envvars set",
-			args:       "--debug --namespace=myns --kube-as-user=poro --kube-as-group=admins --kube-as-group=teatime --kube-as-group=snackeaters",
-			envvars:    map[string]string{"HELM_DEBUG": "1", "HELM_NAMESPACE": "yourns", "HELM_KUBEASUSER": "pikachu", "HELM_KUBEASGROUPS": ",,,operators,snackeaters,partyanimals", "HELM_MAX_HISTORY": "5"},
+			args:       "--debug --namespace=myns --kube-as-user=poro --kube-as-group=admins --kube-as-group=teatime --kube-as-group=snackeaters --kube-ca-file=/my/ca.crt",
+			envvars:    map[string]string{"HELM_DEBUG": "1", "HELM_NAMESPACE": "yourns", "HELM_KUBEASUSER": "pikachu", "HELM_KUBEASGROUPS": ",,,operators,snackeaters,partyanimals", "HELM_MAX_HISTORY": "5", "HELM_KUBECAFILE": "/tmp/ca.crt"},
 			ns:         "myns",
 			debug:      true,
 			maxhistory: 5,
 			kAsUser:    "poro",
 			kAsGroups:  []string{"admins", "teatime", "snackeaters"},
+			kCaFile:    "/my/ca.crt",
 		},
 	}

@ -107,6 +111,9 @@ func TestEnvSettings(t *testing.T) {
 			if !reflect.DeepEqual(tt.kAsGroups, settings.KubeAsGroups) {
 				t.Errorf("expected kAsGroups %+v, got %+v", len(tt.kAsGroups), len(settings.KubeAsGroups))
 			}
+			if tt.kCaFile != settings.KubeCaFile {
+				t.Errorf("expected kCaFile %q, got %q", tt.kCaFile, settings.KubeCaFile)
+			}
 		})
 	}
 }