Merge pull request #75 from pelotech/repo-ca-file

Add a setting for chart repository CA certificates

docs/parameter_reference.md

@@ -1,13 +1,14 @@
 # Parameter reference
 
 ## Global
-| Param name          | Type            | Purpose |
-|---------------------|-----------------|---------|
-| mode                | string          | Indicates the operation to perform. Recommended, but not required. Valid options are `upgrade`, `uninstall`, `lint`, and `help`. |
-| update_dependencies | boolean         | Calls `helm dependency update` before running the main command.|
-| add_repos           | list\<string\>  | Calls `helm repo add $repo` before running the main command. Each string should be formatted as `repo_name=https://repo.url/`. |
-| namespace           | string          | Kubernetes namespace to use for this operation. |
-| debug               | boolean         | Generate debug output within drone-helm3 and pass `--debug` to all helm commands. Use with care, since the debug output may include secrets. |
+| Param name          | Type            | Alias        | Purpose |
+|---------------------|-----------------|--------------|---------|
+| mode                | string          | helm_command | Indicates the operation to perform. Recommended, but not required. Valid options are `upgrade`, `uninstall`, `lint`, and `help`. |
+| update_dependencies | boolean         |              | Calls `helm dependency update` before running the main command.|
+| add_repos           | list\<string\>  | helm_repos   | Calls `helm repo add $repo` before running the main command. Each string should be formatted as `repo_name=https://repo.url/`. |
+| repo_ca_file        | string          |              | TLS certificate for a chart repository certificate authority. |
+| namespace           | string          |              | Kubernetes namespace to use for this operation. |
+| debug               | boolean         |              | Generate debug output within drone-helm3 and pass `--debug` to all helm commands. Use with care, since the debug output may include secrets. |
 
 ## Linting
 
@@ -25,43 +26,43 @@ Linting is only triggered when the `mode` setting is "lint".
 
 Installations are triggered when the `mode` setting is "upgrade." They can also be triggered when the build was triggered by a `push`, `tag`, `deployment`, `pull_request`, `promote`, or `rollback` Drone event.
 
-| Param name             | Type           | Required | Purpose |
-|------------------------|----------------|----------|---------|
-| chart                  | string         | yes      | The chart to use for this installation. |
-| release                | string         | yes      | The release name for helm to use. |
-| kube_api_server        | string         | yes      | API endpoint for the Kubernetes cluster. |
-| kube_token             | string         | yes      | Token for authenticating to Kubernetes. |
-| kube_service_account   | string         |          | Service account for authenticating to Kubernetes. Default is `helm`. |
-| kube_certificate       | string         |          | Base64 encoded TLS certificate used by the Kubernetes cluster's certificate authority. |
-| chart_version          | string         |          | Specific chart version to install. |
-| dry_run                | boolean        |          | Pass `--dry-run` to `helm upgrade`. |
-| wait_for_upgrade       | boolean        |          | Wait until kubernetes resources are in a ready state before marking the installation successful. |
-| timeout                | duration       |          | Timeout for any *individual* Kubernetes operation. The installation's full runtime may exceed this duration. |
-| force_upgrade          | boolean        |          | Pass `--force` to `helm upgrade`. |
-| atomic_upgrade         | boolean        |          | Pass `--atomic` to `helm upgrade`. |
-| cleanup_failed_upgrade | boolean        |          | Pass `--cleanup-on-fail` to `helm upgrade`. |
-| values                 | list\<string\> |          | Chart values to use as the `--set` argument to `helm upgrade`. |
-| string_values          | list\<string\> |          | Chart values to use as the `--set-string` argument to `helm upgrade`. |
-| values_files           | list\<string\> |          | Values to use as `--values` arguments to `helm upgrade`. |
-| reuse_values           | boolean        |          | Reuse the values from a previous release. |
-| skip_tls_verify        | boolean        |          | Connect to the Kubernetes cluster without checking for a valid TLS certificate. Not recommended in production. |
+| Param name             | Type           | Required | Alias                  | Purpose |
+|------------------------|----------------|----------|------------------------|---------|
+| chart                  | string         | yes      |                        | The chart to use for this installation. |
+| release                | string         | yes      |                        | The release name for helm to use. |
+| kube_api_server        | string         | yes      | api_server             | API endpoint for the Kubernetes cluster. |
+| kube_token             | string         | yes      | kubernetes_token       | Token for authenticating to Kubernetes. |
+| kube_service_account   | string         |          | service_account        | Service account for authenticating to Kubernetes. Default is `helm`. |
+| kube_certificate       | string         |          | kubernetes_certificate | Base64 encoded TLS certificate used by the Kubernetes cluster's certificate authority. |
+| chart_version          | string         |          |                        | Specific chart version to install. |
+| dry_run                | boolean        |          |                        | Pass `--dry-run` to `helm upgrade`. |
+| wait_for_upgrade       | boolean        |          | wait                   | Wait until kubernetes resources are in a ready state before marking the installation successful. |
+| timeout                | duration       |          |                        | Timeout for any *individual* Kubernetes operation. The installation's full runtime may exceed this duration. |
+| force_upgrade          | boolean        |          | force                  | Pass `--force` to `helm upgrade`. |
+| atomic_upgrade         | boolean        |          |                        | Pass `--atomic` to `helm upgrade`. |
+| cleanup_failed_upgrade | boolean        |          |                        | Pass `--cleanup-on-fail` to `helm upgrade`. |
+| values                 | list\<string\> |          |                        | Chart values to use as the `--set` argument to `helm upgrade`. |
+| string_values          | list\<string\> |          |                        | Chart values to use as the `--set-string` argument to `helm upgrade`. |
+| values_files           | list\<string\> |          |                        | Values to use as `--values` arguments to `helm upgrade`. |
+| reuse_values           | boolean        |          |                        | Reuse the values from a previous release. |
+| skip_tls_verify        | boolean        |          |                        | Connect to the Kubernetes cluster without checking for a valid TLS certificate. Not recommended in production. |
 
 ## Uninstallation
 
 Uninstallations are triggered when the `mode` setting is "uninstall" or "delete." They can also be triggered when the build was triggered by a `delete` Drone event.
 
-| Param name             | Type     | Required | Purpose |
-|------------------------|----------|----------|---------|
-| release                | string   | yes      | The release name for helm to use. |
-| kube_api_server        | string   | yes      | API endpoint for the Kubernetes cluster. |
-| kube_token             | string   | yes      | Token for authenticating to Kubernetes. |
-| kube_service_account   | string   |          | Service account for authenticating to Kubernetes. Default is `helm`. |
-| kube_certificate       | string   |          | Base64 encoded TLS certificate used by the Kubernetes cluster's certificate authority. |
-| keep_history           | boolean  |          | Pass `--keep-history` to `helm uninstall`, to retain the release history. |
-| dry_run                | boolean  |          | Pass `--dry-run` to `helm uninstall`. |
-| timeout                | duration |          | Timeout for any *individual* Kubernetes operation. The uninstallation's full runtime may exceed this duration. |
-| skip_tls_verify        | boolean  |          | Connect to the Kubernetes cluster without checking for a valid TLS certificate. Not recommended in production. |
-| chart                  | string   |          | Required when the global `update_dependencies` parameter is true. No effect otherwise. |
+| Param name             | Type     | Required | Alias                  | Purpose |
+|------------------------|----------|----------|------------------------|---------|
+| release                | string   | yes      |                        | The release name for helm to use. |
+| kube_api_server        | string   | yes      | api_server             | API endpoint for the Kubernetes cluster. |
+| kube_token             | string   | yes      | kubernetes_token       | Token for authenticating to Kubernetes. |
+| kube_service_account   | string   |          | service_account        | Service account for authenticating to Kubernetes. Default is `helm`. |
+| kube_certificate       | string   |          | kubernetes_certificate | Base64 encoded TLS certificate used by the Kubernetes cluster's certificate authority. |
+| keep_history           | boolean  |          |                        | Pass `--keep-history` to `helm uninstall`, to retain the release history. |
+| dry_run                | boolean  |          |                        | Pass `--dry-run` to `helm uninstall`. |
+| timeout                | duration |          |                        | Timeout for any *individual* Kubernetes operation. The uninstallation's full runtime may exceed this duration. |
+| skip_tls_verify        | boolean  |          |                        | Connect to the Kubernetes cluster without checking for a valid TLS certificate. Not recommended in production. |
+| chart                  | string   |          |                        | Required when the global `update_dependencies` parameter is true. No effect otherwise. |
 
 ### Where to put settings
 
@@ -92,3 +93,18 @@ Note that **list members must not contain commas**. Both of the following are eq
 values_files: [ "./over_9,000.yml" ]
 values_files: [ "./over_9", "000.yml" ]
 ```
+
+### Backward-compatibility aliases
+
+Some settings have alternate names, for backward-compatibility with drone-helm. We recommend using the canonical name unless you require the backward-compatible form.
+
+| Canonical name       | Alias |
+|----------------------|-------|
+| mode                 | helm_command |
+| add_repos            | helm_repos |
+| kube_api_server      | api_server |
+| kube_service_account | service_account |
+| kube_token           | kubernetes_token |
+| kube_certificate     | kubernetes_certificate |
+| wait_for_upgrade     | wait |
+| force_upgrade        | force |

internal/helm/config.go

@@ -21,16 +21,17 @@ var (
 type Config struct {
 	// Configuration for drone-helm itself
 	Command            string   `envconfig:"mode"`                   // Helm command to run
-	DroneEvent         string   `envconfig:"DRONE_BUILD_EVENT"`      // Drone event that invoked this plugin.
+	DroneEvent         string   `envconfig:"drone_build_event"`      // Drone event that invoked this plugin.
 	UpdateDependencies bool     `split_words:"true"`                 // Call `helm dependency update` before the main command
 	AddRepos           []string `split_words:"true"`                 // Call `helm repo add` before the main command
+	RepoCAFile         string   `envconfig:"repo_ca_file"`           // CA certificate for `helm repo add`
 	Debug              bool     ``                                   // Generate debug output and pass --debug to all helm commands
 	Values             string   ``                                   // Argument to pass to --set in applicable helm commands
 	StringValues       string   `split_words:"true"`                 // Argument to pass to --set-string in applicable helm commands
 	ValuesFiles        []string `split_words:"true"`                 // Arguments to pass to --values in applicable helm commands
 	Namespace          string   ``                                   // Kubernetes namespace for all helm commands
 	KubeToken          string   `split_words:"true"`                 // Kubernetes authentication token to put in .kube/config
-	SkipTLSVerify      bool     `envconfig:"SKIP_TLS_VERIFY"`        // Put insecure-skip-tls-verify in .kube/config
+	SkipTLSVerify      bool     `envconfig:"skip_tls_verify"`        // Put insecure-skip-tls-verify in .kube/config
 	Certificate        string   `envconfig:"kube_certificate"`       // The Kubernetes cluster CA's self-signed certificate (must be base64-encoded)
 	APIServer          string   `envconfig:"kube_api_server"`        // The Kubernetes cluster's API endpoint
 	ServiceAccount     string   `envconfig:"kube_service_account"`   // Account to use for connecting to the Kubernetes cluster
@@ -44,7 +45,7 @@ type Config struct {
 	Release            string   ``                                   // Release argument to use in applicable helm commands
 	Force              bool     `envconfig:"force_upgrade"`          // Pass --force to applicable helm commands
 	AtomicUpgrade      bool     `split_words:"true"`                 // Pass --atomic to `helm upgrade`
-	CleanupOnFail      bool     `envconfig:"CLEANUP_FAILED_UPGRADE"` // Pass --cleanup-on-fail to `helm upgrade`
+	CleanupOnFail      bool     `envconfig:"cleanup_failed_upgrade"` // Pass --cleanup-on-fail to `helm upgrade`
 	LintStrictly       bool     `split_words:"true"`                 // Pass --strict to `helm lint`
 
 	Stdout io.Writer `ignored:"true"`

internal/helm/plan.go

@@ -111,6 +111,7 @@ var upgrade = func(cfg Config) []Step {
 		Force:         cfg.Force,
 		Atomic:        cfg.AtomicUpgrade,
 		CleanupOnFail: cfg.CleanupOnFail,
+		CAFile:        cfg.RepoCAFile,
 	})
 
 	return steps
@@ -172,6 +173,7 @@ func addRepos(cfg Config) []Step {
 	for _, repo := range cfg.AddRepos {
 		steps = append(steps, &run.AddRepo{
 			Repo:   repo,
+			CAFile: cfg.RepoCAFile,
 		})
 	}
 

internal/helm/plan_test.go

@@ -143,6 +143,7 @@ func (suite *PlanTestSuite) TestUpgrade() {
 		Force:         true,
 		AtomicUpgrade: true,
 		CleanupOnFail: true,
+		RepoCAFile:    "state_licensure.repo.cert",
 	}
 
 	steps := upgrade(cfg)
@@ -166,6 +167,7 @@ func (suite *PlanTestSuite) TestUpgrade() {
 		Force:         cfg.Force,
 		Atomic:        true,
 		CleanupOnFail: true,
+		CAFile:        "state_licensure.repo.cert",
 	}
 
 	suite.Equal(expected, upgrade)
@@ -291,6 +293,7 @@ func (suite *PlanTestSuite) TestAddRepos() {
 			"first=https://add.repos/one",
 			"second=https://add.repos/two",
 		},
+		RepoCAFile: "state_licensure.repo.cert",
 	}
 	steps := addRepos(cfg)
 	suite.Require().Equal(2, len(steps), "addRepos should add one step per repo")
@@ -301,6 +304,8 @@ func (suite *PlanTestSuite) TestAddRepos() {
 
 	suite.Equal(first.Repo, "first=https://add.repos/one")
 	suite.Equal(second.Repo, "second=https://add.repos/two")
+	suite.Equal(first.CAFile, "state_licensure.repo.cert")
+	suite.Equal(second.CAFile, "state_licensure.repo.cert")
 }
 
 func (suite *PlanTestSuite) TestLint() {

internal/run/addrepo.go

@@ -8,6 +8,7 @@ import (
 // AddRepo is an execution step that calls `helm repo add` when executed.
 type AddRepo struct {
 	Repo   string
+	CAFile string
 	cmd    cmd
 }
 
@@ -38,7 +39,11 @@ func (a *AddRepo) Prepare(cfg Config) error {
 		args = append(args, "--debug")
 	}
 
-	args = append(args, "repo", "add", name, url)
+	args = append(args, "repo", "add")
+	if a.CAFile != "" {
+		args = append(args, "--ca-file", a.CAFile)
+	}
+	args = append(args, name, url)
 
 	a.cmd = command(helmBin, args...)
 	a.cmd.Stdout(cfg.Stdout)

internal/run/addrepo_test.go

@@ -97,6 +97,19 @@ func (suite *AddRepoTestSuite) TestPrepareWithEqualSignInURL() {
 	suite.Contains(suite.commandArgs, "https://github.com/arthur_claypool/samaritan?version=2.1")
 }
 
+func (suite *AddRepoTestSuite) TestRepoAddFlags() {
+	suite.mockCmd.EXPECT().Stdout(gomock.Any()).AnyTimes()
+	suite.mockCmd.EXPECT().Stderr(gomock.Any()).AnyTimes()
+	cfg := Config{}
+	a := AddRepo{
+		Repo:   "machine=https://github.com/harold_finch/themachine",
+		CAFile: "./helm/reporepo.cert",
+	}
+	suite.NoError(a.Prepare(cfg))
+	suite.Equal([]string{"repo", "add", "--ca-file", "./helm/reporepo.cert",
+		"machine", "https://github.com/harold_finch/themachine"}, suite.commandArgs)
+}
+
 func (suite *AddRepoTestSuite) TestNamespaceFlag() {
 	suite.mockCmd.EXPECT().Stdout(gomock.Any()).AnyTimes()
 	suite.mockCmd.EXPECT().Stderr(gomock.Any()).AnyTimes()

internal/run/upgrade.go

@@ -20,6 +20,7 @@ type Upgrade struct {
 	Force         bool
 	Atomic        bool
 	CleanupOnFail bool
+	CAFile        string
 
 	cmd cmd
 }
@@ -82,6 +83,9 @@ func (u *Upgrade) Prepare(cfg Config) error {
 	for _, vFile := range u.ValuesFiles {
 		args = append(args, "--values", vFile)
 	}
+	if u.CAFile != "" {
+		args = append(args, "--ca-file", u.CAFile)
+	}
 
 	args = append(args, u.Release, u.Chart)
 	u.cmd = command(helmBin, args...)

internal/run/upgrade_test.go

@@ -102,6 +102,7 @@ func (suite *UpgradeTestSuite) TestPrepareWithUpgradeFlags() {
 		Force:         true,
 		Atomic:        true,
 		CleanupOnFail: true,
+		CAFile:        "local_ca.cert",
 	}
 
 	cfg := Config{}
@@ -121,6 +122,7 @@ func (suite *UpgradeTestSuite) TestPrepareWithUpgradeFlags() {
 			"--set-string", "height=5ft10in",
 			"--values", "/usr/local/stats",
 			"--values", "/usr/local/grades",
+			"--ca-file", "local_ca.cert",
 			"maroon_5_memories", "hot_ac"}, args)
 
 		return suite.mockCmd