Merge pull request #75 from pelotech/repo-ca-file

Add a setting for chart repository CA certificates
Use lowercase envconfig tags throughout Config
2020-01-20 11:03:00 -08:00 · 2020-01-20 10:54:52 -08:00 · 2020-01-20 10:48:21 -08:00 · 2020-01-20 09:15:56 -08:00 · 2020-01-09 11:45:11 -08:00 · 2020-01-09 10:20:20 -08:00
12 changed files with 194 additions and 445 deletions
--- a/cmd/drone-helm/main.go
+++ b/cmd/drone-helm/main.go
@@ -9,7 +9,7 @@ import (
 )

 func main() {
-	cfg, err := helm.NewConfig(os.Stdout, os.Stderr, os.Args...)
+	cfg, err := helm.NewConfig(os.Stdout, os.Stderr)

 	if err != nil {
 		fmt.Fprintf(os.Stderr, "%s\n", err.Error())
--- a/docs/parameter_reference.md
+++ b/docs/parameter_reference.md
@@ -1,13 +1,14 @@
 # Parameter reference

 ## Global
-| Param name          | Type            | Purpose |
-|---------------------|-----------------|---------|
-| mode                | string          | Indicates the operation to perform. Recommended, but not required. Valid options are `upgrade`, `uninstall`, `lint`, and `help`. |
-| update_dependencies | boolean         | Calls `helm dependency update` before running the main command.|
-| add_repos           | list\<string\>  | Calls `helm repo add $repo` before running the main command. Each string should be formatted as `repo_name=https://repo.url/`. |
-| namespace           | string          | Kubernetes namespace to use for this operation. |
-| debug               | boolean         | Generate debug output within drone-helm3 and pass `--debug` to all helm commands. Use with care, since the debug output may include secrets. |
+| Param name          | Type            | Alias        | Purpose |
+|---------------------|-----------------|--------------|---------|
+| mode                | string          | helm_command | Indicates the operation to perform. Recommended, but not required. Valid options are `upgrade`, `uninstall`, `lint`, and `help`. |
+| update_dependencies | boolean         |              | Calls `helm dependency update` before running the main command.|
+| add_repos           | list\<string\>  | helm_repos   | Calls `helm repo add $repo` before running the main command. Each string should be formatted as `repo_name=https://repo.url/`. |
+| repo_ca_file        | string          |              | TLS certificate for a chart repository certificate authority. |
+| namespace           | string          |              | Kubernetes namespace to use for this operation. |
+| debug               | boolean         |              | Generate debug output within drone-helm3 and pass `--debug` to all helm commands. Use with care, since the debug output may include secrets. |

 ## Linting

@@ -25,43 +26,43 @@ Linting is only triggered when the `mode` setting is "lint".

 Installations are triggered when the `mode` setting is "upgrade." They can also be triggered when the build was triggered by a `push`, `tag`, `deployment`, `pull_request`, `promote`, or `rollback` Drone event.

-| Param name             | Type           | Required | Purpose |
-|------------------------|----------------|----------|---------|
-| chart                  | string         | yes      | The chart to use for this installation. |
-| release                | string         | yes      | The release name for helm to use. |
-| kube_api_server        | string         | yes      | API endpoint for the Kubernetes cluster. |
-| kube_token             | string         | yes      | Token for authenticating to Kubernetes. |
-| kube_service_account   | string         |          | Service account for authenticating to Kubernetes. Default is `helm`. |
-| kube_certificate       | string         |          | Base64 encoded TLS certificate used by the Kubernetes cluster's certificate authority. |
-| chart_version          | string         |          | Specific chart version to install. |
-| dry_run                | boolean        |          | Pass `--dry-run` to `helm upgrade`. |
-| wait_for_upgrade       | boolean        |          | Wait until kubernetes resources are in a ready state before marking the installation successful. |
-| timeout                | duration       |          | Timeout for any *individual* Kubernetes operation. The installation's full runtime may exceed this duration. |
-| force_upgrade          | boolean        |          | Pass `--force` to `helm upgrade`. |
-| atomic_upgrade         | boolean        |          | Pass `--atomic` to `helm upgrade`. |
-| cleanup_failed_upgrade | boolean        |          | Pass `--cleanup-on-fail` to `helm upgrade`. |
-| values                 | list\<string\> |          | Chart values to use as the `--set` argument to `helm upgrade`. |
-| string_values          | list\<string\> |          | Chart values to use as the `--set-string` argument to `helm upgrade`. |
-| values_files           | list\<string\> |          | Values to use as `--values` arguments to `helm upgrade`. |
-| reuse_values           | boolean        |          | Reuse the values from a previous release. |
-| skip_tls_verify        | boolean        |          | Connect to the Kubernetes cluster without checking for a valid TLS certificate. Not recommended in production. |
+| Param name             | Type           | Required | Alias                  | Purpose |
+|------------------------|----------------|----------|------------------------|---------|
+| chart                  | string         | yes      |                        | The chart to use for this installation. |
+| release                | string         | yes      |                        | The release name for helm to use. |
+| kube_api_server        | string         | yes      | api_server             | API endpoint for the Kubernetes cluster. |
+| kube_token             | string         | yes      | kubernetes_token       | Token for authenticating to Kubernetes. |
+| kube_service_account   | string         |          | service_account        | Service account for authenticating to Kubernetes. Default is `helm`. |
+| kube_certificate       | string         |          | kubernetes_certificate | Base64 encoded TLS certificate used by the Kubernetes cluster's certificate authority. |
+| chart_version          | string         |          |                        | Specific chart version to install. |
+| dry_run                | boolean        |          |                        | Pass `--dry-run` to `helm upgrade`. |
+| wait_for_upgrade       | boolean        |          | wait                   | Wait until kubernetes resources are in a ready state before marking the installation successful. |
+| timeout                | duration       |          |                        | Timeout for any *individual* Kubernetes operation. The installation's full runtime may exceed this duration. |
+| force_upgrade          | boolean        |          | force                  | Pass `--force` to `helm upgrade`. |
+| atomic_upgrade         | boolean        |          |                        | Pass `--atomic` to `helm upgrade`. |
+| cleanup_failed_upgrade | boolean        |          |                        | Pass `--cleanup-on-fail` to `helm upgrade`. |
+| values                 | list\<string\> |          |                        | Chart values to use as the `--set` argument to `helm upgrade`. |
+| string_values          | list\<string\> |          |                        | Chart values to use as the `--set-string` argument to `helm upgrade`. |
+| values_files           | list\<string\> |          |                        | Values to use as `--values` arguments to `helm upgrade`. |
+| reuse_values           | boolean        |          |                        | Reuse the values from a previous release. |
+| skip_tls_verify        | boolean        |          |                        | Connect to the Kubernetes cluster without checking for a valid TLS certificate. Not recommended in production. |

 ## Uninstallation

 Uninstallations are triggered when the `mode` setting is "uninstall" or "delete." They can also be triggered when the build was triggered by a `delete` Drone event.

-| Param name             | Type     | Required | Purpose |
-|------------------------|----------|----------|---------|
-| release                | string   | yes      | The release name for helm to use. |
-| kube_api_server        | string   | yes      | API endpoint for the Kubernetes cluster. |
-| kube_token             | string   | yes      | Token for authenticating to Kubernetes. |
-| kube_service_account   | string   |          | Service account for authenticating to Kubernetes. Default is `helm`. |
-| kube_certificate       | string   |          | Base64 encoded TLS certificate used by the Kubernetes cluster's certificate authority. |
-| keep_history           | boolean  |          | Pass `--keep-history` to `helm uninstall`, to retain the release history. |
-| dry_run                | boolean  |          | Pass `--dry-run` to `helm uninstall`. |
-| timeout                | duration |          | Timeout for any *individual* Kubernetes operation. The uninstallation's full runtime may exceed this duration. |
-| skip_tls_verify        | boolean  |          | Connect to the Kubernetes cluster without checking for a valid TLS certificate. Not recommended in production. |
-| chart                  | string   |          | Required when the global `update_dependencies` parameter is true. No effect otherwise. |
+| Param name             | Type     | Required | Alias                  | Purpose |
+|------------------------|----------|----------|------------------------|---------|
+| release                | string   | yes      |                        | The release name for helm to use. |
+| kube_api_server        | string   | yes      | api_server             | API endpoint for the Kubernetes cluster. |
+| kube_token             | string   | yes      | kubernetes_token       | Token for authenticating to Kubernetes. |
+| kube_service_account   | string   |          | service_account        | Service account for authenticating to Kubernetes. Default is `helm`. |
+| kube_certificate       | string   |          | kubernetes_certificate | Base64 encoded TLS certificate used by the Kubernetes cluster's certificate authority. |
+| keep_history           | boolean  |          |                        | Pass `--keep-history` to `helm uninstall`, to retain the release history. |
+| dry_run                | boolean  |          |                        | Pass `--dry-run` to `helm uninstall`. |
+| timeout                | duration |          |                        | Timeout for any *individual* Kubernetes operation. The uninstallation's full runtime may exceed this duration. |
+| skip_tls_verify        | boolean  |          |                        | Connect to the Kubernetes cluster without checking for a valid TLS certificate. Not recommended in production. |
+| chart                  | string   |          |                        | Required when the global `update_dependencies` parameter is true. No effect otherwise. |

 ### Where to put settings

@@ -92,3 +93,18 @@ Note that **list members must not contain commas**. Both of the following are eq
 values_files: [ "./over_9,000.yml" ]
 values_files: [ "./over_9", "000.yml" ]
 ```
+
+### Backward-compatibility aliases
+
+Some settings have alternate names, for backward-compatibility with drone-helm. We recommend using the canonical name unless you require the backward-compatible form.
+
+| Canonical name       | Alias |
+|----------------------|-------|
+| mode                 | helm_command |
+| add_repos            | helm_repos |
+| kube_api_server      | api_server |
+| kube_service_account | service_account |
+| kube_token           | kubernetes_token |
+| kube_certificate     | kubernetes_certificate |
+| wait_for_upgrade     | wait |
+| force_upgrade        | force |
--- a/go.mod
+++ b/go.mod
@@ -5,7 +5,9 @@ go 1.13
 require (
 	github.com/golang/mock v1.3.1
 	github.com/joho/godotenv v1.3.0
+	github.com/kelseyhightower/envconfig v1.4.0
 	github.com/stretchr/testify v1.4.0
-	github.com/urfave/cli/v2 v2.1.1
+	golang.org/x/lint v0.0.0-20191125180803-fdd1cda4f05f // indirect
+	golang.org/x/tools v0.0.0-20191209225234-22774f7dae43 // indirect
 	gopkg.in/yaml.v2 v2.2.2
 )
--- a/go.sum
+++ b/go.sum
@@ -1,30 +1,33 @@
-github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
-github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d h1:U+s90UTSYgptZMwQh2aRr3LuazLJIa+Pg3Kc1ylSYVY=
-github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU=
 github.com/davecgh/go-spew v1.1.0 h1:ZDRjVQ15GmhC3fiQ8ni8+OwkZQO4DARzQgrnXU1Liz8=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/golang/mock v1.3.1 h1:qGJ6qTW+x6xX/my+8YUVl4WNpX9B7+/l2tRsHGZ7f2s=
 github.com/golang/mock v1.3.1/go.mod h1:sBzyDLLjw3U8JLTeZvSv8jJB+tU5PVekmnlKIyFUx0Y=
 github.com/joho/godotenv v1.3.0 h1:Zjp+RcGpHhGlrMbJzXTrZZPrWj+1vfm90La1wgB6Bhc=
 github.com/joho/godotenv v1.3.0/go.mod h1:7hK45KPybAkOC6peb+G5yklZfMxEjkZhHbwpqxOKXbg=
+github.com/kelseyhightower/envconfig v1.4.0 h1:Im6hONhd3pLkfDFsbRgu68RDNkGF1r3dvMUtDTo2cv8=
+github.com/kelseyhightower/envconfig v1.4.0/go.mod h1:cccZRl6mQpaq41TPp5QxidR+Sa3axMbJDNb//FQX6Gg=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/russross/blackfriday/v2 v2.0.1 h1:lPqVAte+HuHNfhJ/0LC98ESWRz8afy9tM/0RK8m9o+Q=
-github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
-github.com/shurcooL/sanitized_anchor_name v1.0.0 h1:PdmoCO6wvbs+7yrJyMORt4/BmY5IYyJwS/kOiWx8mHo=
-github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/testify v1.4.0 h1:2E4SXV/wtOkTonXsotYi4li6zVWxYlZuYNCXe9XRJyk=
 github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
-github.com/urfave/cli/v2 v2.1.1 h1:Qt8FeAtxE/vfdrLmR3rxR6JRE0RoVmbXu8+6kZtYU4k=
-github.com/urfave/cli/v2 v2.1.1/go.mod h1:SE9GqnLQmjVa0iPEY0f1w3ygNIYcIJ0OKPMoW2caLfQ=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
+golang.org/x/lint v0.0.0-20191125180803-fdd1cda4f05f h1:J5lckAjkw6qYlOZNj90mLYNTEKDvWeuc1yieZ8qUzUE=
+golang.org/x/lint v0.0.0-20191125180803-fdd1cda4f05f/go.mod h1:5qLYkcX4OjUUV8bRuDixDT3tpyyb+LUpUlRWLxfhWrs=
 golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/tools v0.0.0-20190425150028-36563e24a262 h1:qsl9y/CJx34tuA7QCPNp86JNJe4spst6Ff8MjvPUdPg=
 golang.org/x/tools v0.0.0-20190425150028-36563e24a262/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
+golang.org/x/tools v0.0.0-20191125144606-a911d9008d1f h1:kDxGY2VmgABOe55qheT/TFqUMtcTHnomIPS1iv3G4Ms=
+golang.org/x/tools v0.0.0-20191125144606-a911d9008d1f/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.0.0-20191206204035-259af5ff87bd h1:Zc7EU2PqpsNeIfOoVA7hvQX4cS3YDJEs5KlfatT3hLo=
+golang.org/x/tools v0.0.0-20191206204035-259af5ff87bd/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.0.0-20191209225234-22774f7dae43 h1:NfPq5mgc5ArFgVLCpeS4z07IoxSAqVfV/gQ5vxdgaxI=
+golang.org/x/tools v0.0.0-20191209225234-22774f7dae43/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/yaml.v2 v2.2.2 h1:ZCJp+EgiOT7lHqUV2J862kp8Qj64Jo6az82+3Td9dZw=
--- a/internal/helm/config.go
+++ b/internal/helm/config.go
@@ -2,7 +2,7 @@ package helm

 import (
 	"fmt"
-	"github.com/urfave/cli/v2"
+	"github.com/kelseyhightower/envconfig"
 	"io"
 	"os"
 	"regexp"
@@ -20,190 +20,68 @@ var (
 // not have the `PLUGIN_` prefix.
 type Config struct {
 	// Configuration for drone-helm itself
-	Command            string   // Helm command to run
-	DroneEvent         string   // Drone event that invoked this plugin.
-	UpdateDependencies bool     // Call `helm dependency update` before the main command
-	AddRepos           []string // Call `helm repo add` before the main command
-	Debug              bool     // Generate debug output and pass --debug to all helm commands
-	Values             string   // Argument to pass to --set in applicable helm commands
-	StringValues       string   // Argument to pass to --set-string in applicable helm commands
-	ValuesFiles        []string // Arguments to pass to --values in applicable helm commands
-	Namespace          string   // Kubernetes namespace for all helm commands
-	KubeToken          string   // Kubernetes authentication token to put in .kube/config
-	SkipTLSVerify      bool     // Put insecure-skip-tls-verify in .kube/config
-	Certificate        string   // The Kubernetes cluster CA's self-signed certificate (must be base64-encoded)
-	APIServer          string   // The Kubernetes cluster's API endpoint
-	ServiceAccount     string   // Account to use for connecting to the Kubernetes cluster
-	ChartVersion       string   // Specific chart version to use in `helm upgrade`
-	DryRun             bool     // Pass --dry-run to applicable helm commands
-	Wait               bool     // Pass --wait to applicable helm commands
-	ReuseValues        bool     // Pass --reuse-values to `helm upgrade`
-	KeepHistory        bool     // Pass --keep-history to `helm uninstall`
-	Timeout            string   // Argument to pass to --timeout in applicable helm commands
-	Chart              string   // Chart argument to use in applicable helm commands
-	Release            string   // Release argument to use in applicable helm commands
-	Force              bool     // Pass --force to applicable helm commands
-	AtomicUpgrade      bool     // Pass --atomic to `helm upgrade`
-	CleanupOnFail      bool     // Pass --cleanup-on-fail to `helm upgrade`
-	LintStrictly       bool     // Pass --strict to `helm lint`
+	Command            string   `envconfig:"mode"`                   // Helm command to run
+	DroneEvent         string   `envconfig:"drone_build_event"`      // Drone event that invoked this plugin.
+	UpdateDependencies bool     `split_words:"true"`                 // Call `helm dependency update` before the main command
+	AddRepos           []string `split_words:"true"`                 // Call `helm repo add` before the main command
+	RepoCAFile         string   `envconfig:"repo_ca_file"`           // CA certificate for `helm repo add`
+	Debug              bool     ``                                   // Generate debug output and pass --debug to all helm commands
+	Values             string   ``                                   // Argument to pass to --set in applicable helm commands
+	StringValues       string   `split_words:"true"`                 // Argument to pass to --set-string in applicable helm commands
+	ValuesFiles        []string `split_words:"true"`                 // Arguments to pass to --values in applicable helm commands
+	Namespace          string   ``                                   // Kubernetes namespace for all helm commands
+	KubeToken          string   `split_words:"true"`                 // Kubernetes authentication token to put in .kube/config
+	SkipTLSVerify      bool     `envconfig:"skip_tls_verify"`        // Put insecure-skip-tls-verify in .kube/config
+	Certificate        string   `envconfig:"kube_certificate"`       // The Kubernetes cluster CA's self-signed certificate (must be base64-encoded)
+	APIServer          string   `envconfig:"kube_api_server"`        // The Kubernetes cluster's API endpoint
+	ServiceAccount     string   `envconfig:"kube_service_account"`   // Account to use for connecting to the Kubernetes cluster
+	ChartVersion       string   `split_words:"true"`                 // Specific chart version to use in `helm upgrade`
+	DryRun             bool     `split_words:"true"`                 // Pass --dry-run to applicable helm commands
+	Wait               bool     `envconfig:"wait_for_upgrade"`       // Pass --wait to applicable helm commands
+	ReuseValues        bool     `split_words:"true"`                 // Pass --reuse-values to `helm upgrade`
+	KeepHistory        bool     `split_words:"true"`                 // Pass --keep-history to `helm uninstall`
+	Timeout            string   ``                                   // Argument to pass to --timeout in applicable helm commands
+	Chart              string   ``                                   // Chart argument to use in applicable helm commands
+	Release            string   ``                                   // Release argument to use in applicable helm commands
+	Force              bool     `envconfig:"force_upgrade"`          // Pass --force to applicable helm commands
+	AtomicUpgrade      bool     `split_words:"true"`                 // Pass --atomic to `helm upgrade`
+	CleanupOnFail      bool     `envconfig:"cleanup_failed_upgrade"` // Pass --cleanup-on-fail to `helm upgrade`
+	LintStrictly       bool     `split_words:"true"`                 // Pass --strict to `helm lint`

-	Stdout io.Writer
-	Stderr io.Writer
+	Stdout io.Writer `ignored:"true"`
+	Stderr io.Writer `ignored:"true"`
 }

 // NewConfig creates a Config and reads environment variables into it, accounting for several possible formats.
-func NewConfig(stdout, stderr io.Writer, argv ...string) (*Config, error) {
+func NewConfig(stdout, stderr io.Writer) (*Config, error) {
+	var aliases settingAliases
+	if err := envconfig.Process("plugin", &aliases); err != nil {
+		return nil, err
+	}
+
+	if err := envconfig.Process("", &aliases); err != nil {
+		return nil, err
+	}
+
 	cfg := Config{
+		Command:        aliases.Command,
+		AddRepos:       aliases.AddRepos,
+		APIServer:      aliases.APIServer,
+		ServiceAccount: aliases.ServiceAccount,
+		Wait:           aliases.Wait,
+		Force:          aliases.Force,
+		KubeToken:      aliases.KubeToken,
+		Certificate:    aliases.Certificate,
+
 		Stdout: stdout,
 		Stderr: stderr,
 	}
-	// cli doesn't support Destination for string slices, so we'll use bare
-	// strings as an intermediate value and split them on commas ourselves.
-	var addRepos, valuesFiles string
-	app := &cli.App{
-		Name:   "drone-helm3",
-		Action: func(*cli.Context) error { return nil },
-		Flags: []cli.Flag{
-			&cli.StringFlag{
-				Name:        "mode",
-				Destination: &cfg.Command,
-				EnvVars:     []string{"MODE", "PLUGIN_MODE", "HELM_COMMAND", "PLUGIN_HELM_COMMAND"},
-			},
-			&cli.StringFlag{
-				Name:        "drone-event",
-				Destination: &cfg.DroneEvent,
-				EnvVars:     []string{"DRONE_BUILD_EVENT"},
-			},
-			&cli.BoolFlag{
-				Name:        "update-dependencies",
-				Destination: &cfg.UpdateDependencies,
-				EnvVars:     []string{"UPDATE_DEPENDENCIES", "PLUGIN_UPDATE_DEPENDENCIES"},
-			},
-			&cli.StringFlag{
-				Name:        "add-repos",
-				Destination: &addRepos,
-				EnvVars:     []string{"ADD_REPOS", "PLUGIN_ADD_REPOS", "HELM_REPOS", "PLUGIN_HELM_REPOS"},
-			},
-			&cli.BoolFlag{
-				Name:        "debug",
-				Destination: &cfg.Debug,
-				EnvVars:     []string{"DEBUG", "PLUGIN_DEBUG"},
-			},
-			&cli.StringFlag{
-				Name:        "values",
-				Destination: &cfg.Values,
-				EnvVars:     []string{"VALUES", "PLUGIN_VALUES"},
-			},
-			&cli.StringFlag{
-				Name:        "string-values",
-				Destination: &cfg.StringValues,
-				EnvVars:     []string{"STRING_VALUES", "PLUGIN_STRING_VALUES"},
-			},
-			&cli.StringFlag{
-				Name:        "values-files",
-				Destination: &valuesFiles,
-				EnvVars:     []string{"VALUES_FILES", "PLUGIN_VALUES_FILES"},
-			},
-			&cli.StringFlag{
-				Name:        "namespace",
-				Destination: &cfg.Namespace,
-				EnvVars:     []string{"NAMESPACE", "PLUGIN_NAMESPACE"},
-			},
-			&cli.StringFlag{
-				Name:        "kube-token",
-				Destination: &cfg.KubeToken,
-				EnvVars:     []string{"KUBE_TOKEN", "PLUGIN_KUBE_TOKEN", "KUBERNETES_TOKEN", "PLUGIN_KUBERNETES_TOKEN"},
-			},
-			&cli.BoolFlag{
-				Name:        "skip-tls-verify",
-				Destination: &cfg.SkipTLSVerify,
-				EnvVars:     []string{"SKIP_TLS_VERIFY", "PLUGIN_SKIP_TLS_VERIFY"},
-			},
-			&cli.StringFlag{
-				Name:        "kube-certificate",
-				Destination: &cfg.Certificate,
-				EnvVars:     []string{"KUBE_CERTIFICATE", "PLUGIN_KUBE_CERTIFICATE", "KUBERNETES_CERTIFICATE", "PLUGIN_KUBERNETES_CERTIFICATE"},
-			},
-			&cli.StringFlag{
-				Name:        "kube-api-server",
-				Destination: &cfg.APIServer,
-				EnvVars:     []string{"KUBE_API_SERVER", "PLUGIN_KUBE_API_SERVER", "API_SERVER", "PLUGIN_API_SERVER"},
-			},
-			&cli.StringFlag{
-				Name:        "service-account",
-				Destination: &cfg.ServiceAccount,
-				EnvVars:     []string{"KUBE_SERVICE_ACCOUNT", "PLUGIN_KUBE_SERVICE_ACCOUNT", "SERVICE_ACCOUNT", "PLUGIN_SERVICE_ACCOUNT"},
-			},
-			&cli.StringFlag{
-				Name:        "chart-version",
-				Destination: &cfg.ChartVersion,
-				EnvVars:     []string{"CHART_VERSION", "PLUGIN_CHART_VERSION"},
-			},
-			&cli.BoolFlag{
-				Name:        "dry-run",
-				Destination: &cfg.DryRun,
-				EnvVars:     []string{"DRY_RUN", "PLUGIN_DRY_RUN"},
-			},
-			&cli.BoolFlag{
-				Name:        "wait-for-upgrade",
-				Destination: &cfg.Wait,
-				EnvVars:     []string{"WAIT_FOR_UPGRADE", "PLUGIN_WAIT_FOR_UPGRADE", "WAIT", "PLUGIN_WAIT"},
-			},
-			&cli.BoolFlag{
-				Name:        "reuse-values",
-				Destination: &cfg.ReuseValues,
-				EnvVars:     []string{"REUSE_VALUES", "PLUGIN_REUSE_VALUES"},
-			},
-			&cli.BoolFlag{
-				Name:        "keep-history",
-				Destination: &cfg.KeepHistory,
-				EnvVars:     []string{"KEEP_HISTORY", "PLUGIN_KEEP_HISTORY"},
-			},
-			&cli.StringFlag{
-				Name:        "timeout",
-				Destination: &cfg.Timeout,
-				EnvVars:     []string{"TIMEOUT", "PLUGIN_TIMEOUT"},
-			},
-			&cli.StringFlag{
-				Name:        "chart",
-				Destination: &cfg.Chart,
-				EnvVars:     []string{"CHART", "PLUGIN_CHART"},
-			},
-			&cli.StringFlag{
-				Name:        "release",
-				Destination: &cfg.Release,
-				EnvVars:     []string{"RELEASE", "PLUGIN_RELEASE"},
-			},
-			&cli.BoolFlag{
-				Name:        "force-upgrade",
-				Destination: &cfg.Force,
-				EnvVars:     []string{"FORCE_UPGRADE", "PLUGIN_FORCE_UPGRADE", "FORCE", "PLUGIN_FORCE"},
-			},
-			&cli.BoolFlag{
-				Name:        "atomic-upgrade",
-				Destination: &cfg.AtomicUpgrade,
-				EnvVars:     []string{"ATOMIC_UPGRADE", "PLUGIN_ATOMIC_UPGRADE"},
-			},
-			&cli.BoolFlag{
-				Name:        "cleanup-failed-upgrade",
-				Destination: &cfg.CleanupOnFail,
-				EnvVars:     []string{"CLEANUP_FAILED_UPGRADE", "PLUGIN_CLEANUP_FAILED_UPGRADE"},
-			},
-			&cli.BoolFlag{
-				Name:        "lint-strictly",
-				Destination: &cfg.LintStrictly,
-				EnvVars:     []string{"LINT_STRICTLY", "PLUGIN_LINT_STRICTLY"},
-			},
-		},
-	}
-	if err := app.Run(argv); err != nil {
+	if err := envconfig.Process("plugin", &cfg); err != nil {
 		return nil, err
 	}
-	if addRepos != "" {
-		cfg.AddRepos = strings.Split(addRepos, ",")
-	}
-	if valuesFiles != "" {
-		cfg.ValuesFiles = strings.Split(valuesFiles, ",")
+
+	if err := envconfig.Process("", &cfg); err != nil {
+		return nil, err
 	}

 	if justNumbers.MatchString(cfg.Timeout) {
@@ -235,3 +113,14 @@ func (cfg *Config) deprecationWarn() {
 		}
 	}
 }
+
+type settingAliases struct {
+	Command        string   `envconfig:"helm_command"`
+	AddRepos       []string `envconfig:"helm_repos"`
+	APIServer      string   `envconfig:"api_server"`
+	ServiceAccount string   `split_words:"true"`
+	Wait           bool     ``
+	Force          bool     ``
+	KubeToken      string   `envconfig:"kubernetes_token"`
+	Certificate    string   `envconfig:"kubernetes_certificate"`
+}
--- a/internal/helm/config_test.go
+++ b/internal/helm/config_test.go
@@ -20,236 +20,44 @@ func TestConfigTestSuite(t *testing.T) {
 }

 func (suite *ConfigTestSuite) TestNewConfigWithPluginPrefix() {
-	stdout := strings.Builder{}
-	stderr := strings.Builder{}
-	for _, varname := range []string{
-		"MODE",
-		"DRONE_BUILD_EVENT",
-		"HELM_COMMAND",
-		"PLUGIN_HELM_COMMAND",
-		"UPDATE_DEPENDENCIES",
-		"ADD_REPOS",
-		"HELM_REPOS",
-		"PLUGIN_HELM_REPOS",
-		"DEBUG",
-		"VALUES",
-		"STRING_VALUES",
-		"VALUES_FILES",
-		"NAMESPACE",
-		"KUBE_TOKEN",
-		"KUBERNETES_TOKEN",
-		"PLUGIN_KUBERNETES_TOKEN",
-		"SKIP_TLS_VERIFY",
-		"KUBE_CERTIFICATE",
-		"KUBERNETES_CERTIFICATE",
-		"PLUGIN_KUBERNETES_CERTIFICATE",
-		"KUBE_API_SERVER",
-		"API_SERVER",
-		"PLUGIN_API_SERVER",
-		"KUBE_SERVICE_ACCOUNT",
-		"SERVICE_ACCOUNT",
-		"PLUGIN_SERVICE_ACCOUNT",
-		"CHART_VERSION",
-		"DRY_RUN",
-		"WAIT_FOR_UPGRADE",
-		"WAIT",
-		"PLUGIN_WAIT",
-		"REUSE_VALUES",
-		"KEEP_HISTORY",
-		"TIMEOUT",
-		"CHART",
-		"RELEASE",
-		"FORCE",
-		"FORCE_UPGRADE",
-		"PLUGIN_FORCE_UPGRADE",
-		"ATOMIC_UPGRADE",
-		"CLEANUP_FAILED_UPGRADE",
-		"LINT_STRICTLY",
-	} {
-		suite.unsetenv(varname)
-	}
+	suite.unsetenv("MODE")
+	suite.unsetenv("UPDATE_DEPENDENCIES")
+	suite.unsetenv("DEBUG")

-	suite.setenv("PLUGIN_MODE", "upgrade")
+	suite.setenv("PLUGIN_MODE", "iambic")
 	suite.setenv("PLUGIN_UPDATE_DEPENDENCIES", "true")
-	suite.setenv("PLUGIN_ADD_REPOS", "foo=http://bar,goo=http://baz")
 	suite.setenv("PLUGIN_DEBUG", "true")
-	suite.setenv("PLUGIN_VALUES", "dog=husky")
-	suite.setenv("PLUGIN_STRING_VALUES", "version=1.0")
-	suite.setenv("PLUGIN_VALUES_FILES", "underrides.yml,overrides.yml")
-	suite.setenv("PLUGIN_NAMESPACE", "myapp")
-	suite.setenv("PLUGIN_KUBE_TOKEN", "cGxlYXNlIHNpciwgbGV0IG1lIGlu")
-	suite.setenv("PLUGIN_SKIP_TLS_VERIFY", "true")
-	suite.setenv("PLUGIN_KUBE_CERTIFICATE", "SSBhbSB0b3RhbGx5IHRoZSBzZXJ2ZXIgeW91IHdhbnQ=")
-	suite.setenv("PLUGIN_KUBE_API_SERVER", "http://my.kube/cluster")
-	suite.setenv("PLUGIN_KUBE_SERVICE_ACCOUNT", "deploybot")
-	suite.setenv("PLUGIN_CHART_VERSION", "six")
-	suite.setenv("PLUGIN_DRY_RUN", "true")
-	suite.setenv("PLUGIN_WAIT_FOR_UPGRADE", "true")
-	suite.setenv("PLUGIN_REUSE_VALUES", "true")
-	suite.setenv("PLUGIN_KEEP_HISTORY", "true")
-	suite.setenv("PLUGIN_TIMEOUT", "5m20s")
-	suite.setenv("PLUGIN_CHART", "./helm/myapp/")
-	suite.setenv("PLUGIN_RELEASE", "my_app")
-	suite.setenv("PLUGIN_FORCE_UPGRADE", "true")
-	suite.setenv("PLUGIN_ATOMIC_UPGRADE", "true")
-	suite.setenv("PLUGIN_CLEANUP_FAILED_UPGRADE", "true")
-	suite.setenv("PLUGIN_LINT_STRICTLY", "true")

-	cfg, err := NewConfig(&stdout, &stderr, "test")
+	cfg, err := NewConfig(&strings.Builder{}, &strings.Builder{})
 	suite.Require().NoError(err)

-	want := Config{
-		Command:            "upgrade",
-		DroneEvent:         "",
-		UpdateDependencies: true,
-		AddRepos:           []string{"foo=http://bar", "goo=http://baz"},
-		Debug:              true,
-		Values:             "dog=husky",
-		StringValues:       "version=1.0",
-		ValuesFiles:        []string{"underrides.yml", "overrides.yml"},
-		Namespace:          "myapp",
-		KubeToken:          "cGxlYXNlIHNpciwgbGV0IG1lIGlu",
-		SkipTLSVerify:      true,
-		Certificate:        "SSBhbSB0b3RhbGx5IHRoZSBzZXJ2ZXIgeW91IHdhbnQ=",
-		APIServer:          "http://my.kube/cluster",
-		ServiceAccount:     "deploybot",
-		ChartVersion:       "six",
-		DryRun:             true,
-		Wait:               true,
-		ReuseValues:        true,
-		KeepHistory:        true,
-		Timeout:            "5m20s",
-		Chart:              "./helm/myapp/",
-		Release:            "my_app",
-		Force:              true,
-		AtomicUpgrade:      true,
-		CleanupOnFail:      true,
-		LintStrictly:       true,
-		Stdout:             &stdout,
-		Stderr:             &stderr,
-	}
-
-	suite.Equal(&want, cfg)
+	suite.Equal("iambic", cfg.Command)
+	suite.True(cfg.UpdateDependencies)
+	suite.True(cfg.Debug)
 }

 func (suite *ConfigTestSuite) TestNewConfigWithNoPrefix() {
-	stdout := strings.Builder{}
-	stderr := strings.Builder{}
-	for _, varname := range []string{
-		"PLUGIN_MODE",
-		"PLUGIN_HELM_COMMAND",
-		"HELM_COMMAND",
-		"PLUGIN_UPDATE_DEPENDENCIES",
-		"PLUGIN_ADD_REPOS",
-		"PLUGIN_HELM_REPOS",
-		"HELM_REPOS",
-		"PLUGIN_DEBUG",
-		"PLUGIN_VALUES",
-		"PLUGIN_STRING_VALUES",
-		"PLUGIN_VALUES_FILES",
-		"PLUGIN_NAMESPACE",
-		"PLUGIN_KUBE_TOKEN",
-		"PLUGIN_KUBERNETES_TOKEN",
-		"KUBERNETES_TOKEN",
-		"PLUGIN_SKIP_TLS_VERIFY",
-		"PLUGIN_KUBE_CERTIFICATE",
-		"PLUGIN_KUBERNETES_CERTIFICATE",
-		"KUBERNETES_CERTIFICATE",
-		"PLUGIN_KUBE_API_SERVER",
-		"PLUGIN_API_SERVER",
-		"API_SERVER",
-		"PLUGIN_KUBE_SERVICE_ACCOUNT",
-		"PLUGIN_SERVICE_ACCOUNT",
-		"SERVICE_ACCOUNT",
-		"PLUGIN_CHART_VERSION",
-		"PLUGIN_DRY_RUN",
-		"PLUGIN_WAIT_FOR_UPGRADE",
-		"PLUGIN_WAIT",
-		"WAIT",
-		"PLUGIN_REUSE_VALUES",
-		"PLUGIN_KEEP_HISTORY",
-		"PLUGIN_TIMEOUT",
-		"PLUGIN_CHART",
-		"PLUGIN_RELEASE",
-		"PLUGIN_FORCE",
-		"PLUGIN_FORCE_UPGRADE",
-		"FORCE_UPGRADE",
-		"PLUGIN_ATOMIC_UPGRADE",
-		"PLUGIN_CLEANUP_FAILED_UPGRADE",
-		"PLUGIN_LINT_STRICTLY",
-	} {
-		suite.unsetenv(varname)
-	}
+	suite.unsetenv("PLUGIN_MODE")
+	suite.unsetenv("PLUGIN_UPDATE_DEPENDENCIES")
+	suite.unsetenv("PLUGIN_DEBUG")

-	suite.setenv("MODE", "upgrade")
-	suite.setenv("DRONE_BUILD_EVENT", "tag")
+	suite.setenv("MODE", "iambic")
 	suite.setenv("UPDATE_DEPENDENCIES", "true")
-	suite.setenv("ADD_REPOS", "foo=http://bar,goo=http://baz")
 	suite.setenv("DEBUG", "true")
-	suite.setenv("VALUES", "dog=husky")
-	suite.setenv("STRING_VALUES", "version=1.0")
-	suite.setenv("VALUES_FILES", "underrides.yml,overrides.yml")
-	suite.setenv("NAMESPACE", "myapp")
-	suite.setenv("KUBE_TOKEN", "cGxlYXNlIHNpciwgbGV0IG1lIGlu")
-	suite.setenv("SKIP_TLS_VERIFY", "true")
-	suite.setenv("KUBE_CERTIFICATE", "SSBhbSB0b3RhbGx5IHRoZSBzZXJ2ZXIgeW91IHdhbnQ=")
-	suite.setenv("KUBE_API_SERVER", "http://my.kube/cluster")
-	suite.setenv("KUBE_SERVICE_ACCOUNT", "deploybot")
-	suite.setenv("CHART_VERSION", "six")
-	suite.setenv("DRY_RUN", "true")
-	suite.setenv("WAIT_FOR_UPGRADE", "true")
-	suite.setenv("REUSE_VALUES", "true")
-	suite.setenv("KEEP_HISTORY", "true")
-	suite.setenv("TIMEOUT", "5m20s")
-	suite.setenv("CHART", "./helm/myapp/")
-	suite.setenv("RELEASE", "my_app")
-	suite.setenv("FORCE_UPGRADE", "true")
-	suite.setenv("ATOMIC_UPGRADE", "true")
-	suite.setenv("CLEANUP_FAILED_UPGRADE", "true")
-	suite.setenv("LINT_STRICTLY", "true")

-	cfg, err := NewConfig(&stdout, &stderr, "test")
+	cfg, err := NewConfig(&strings.Builder{}, &strings.Builder{})
 	suite.Require().NoError(err)

-	want := Config{
-		Command:            "upgrade",
-		DroneEvent:         "tag",
-		UpdateDependencies: true,
-		AddRepos:           []string{"foo=http://bar", "goo=http://baz"},
-		Debug:              true,
-		Values:             "dog=husky",
-		StringValues:       "version=1.0",
-		ValuesFiles:        []string{"underrides.yml", "overrides.yml"},
-		Namespace:          "myapp",
-		KubeToken:          "cGxlYXNlIHNpciwgbGV0IG1lIGlu",
-		SkipTLSVerify:      true,
-		Certificate:        "SSBhbSB0b3RhbGx5IHRoZSBzZXJ2ZXIgeW91IHdhbnQ=",
-		APIServer:          "http://my.kube/cluster",
-		ServiceAccount:     "deploybot",
-		ChartVersion:       "six",
-		DryRun:             true,
-		Wait:               true,
-		ReuseValues:        true,
-		KeepHistory:        true,
-		Timeout:            "5m20s",
-		Chart:              "./helm/myapp/",
-		Release:            "my_app",
-		Force:              true,
-		AtomicUpgrade:      true,
-		CleanupOnFail:      true,
-		LintStrictly:       true,
-		Stdout:             &stdout,
-		Stderr:             &stderr,
-	}
-
-	suite.Equal(&want, cfg)
+	suite.Equal("iambic", cfg.Command)
+	suite.True(cfg.UpdateDependencies)
+	suite.True(cfg.Debug)
 }

 func (suite *ConfigTestSuite) TestNewConfigWithConflictingVariables() {
 	suite.setenv("PLUGIN_MODE", "iambic")
 	suite.setenv("MODE", "haiku") // values from the `environment` block override those from `settings`

-	cfg, err := NewConfig(&strings.Builder{}, &strings.Builder{}, "test")
+	cfg, err := NewConfig(&strings.Builder{}, &strings.Builder{})
 	suite.Require().NoError(err)

 	suite.Equal("haiku", cfg.Command)
@@ -257,7 +65,7 @@ func (suite *ConfigTestSuite) TestNewConfigWithConflictingVariables() {

 func (suite *ConfigTestSuite) TestNewConfigInfersNumbersAreSeconds() {
 	suite.setenv("PLUGIN_TIMEOUT", "42")
-	cfg, err := NewConfig(&strings.Builder{}, &strings.Builder{}, "test")
+	cfg, err := NewConfig(&strings.Builder{}, &strings.Builder{})
 	suite.Require().NoError(err)
 	suite.Equal("42s", cfg.Timeout)
 }
@@ -285,7 +93,7 @@ func (suite *ConfigTestSuite) TestNewConfigWithAliases() {
 	suite.setenv("PLUGIN_KUBERNETES_TOKEN", "Y29tZSB0byBteSBhcm1z")
 	suite.setenv("PLUGIN_KUBERNETES_CERTIFICATE", "d2l0aCBpdHMgaGVhZA==")

-	cfg, err := NewConfig(&strings.Builder{}, &strings.Builder{}, "test")
+	cfg, err := NewConfig(&strings.Builder{}, &strings.Builder{})
 	suite.Require().NoError(err)
 	suite.Equal("beware the jabberwock", cfg.Command)
 	suite.Equal([]string{"chortle=http://calloo.callay/frabjous/day"}, cfg.AddRepos)
@@ -303,7 +111,7 @@ func (suite *ConfigTestSuite) TestAliasedSettingWithoutPluginPrefix() {
 	suite.unsetenv("PLUGIN_FORCE")
 	suite.setenv("FORCE", "true")

-	cfg, err := NewConfig(&strings.Builder{}, &strings.Builder{}, "test")
+	cfg, err := NewConfig(&strings.Builder{}, &strings.Builder{})
 	suite.Require().NoError(err)
 	suite.True(cfg.Force)
 }
@@ -313,7 +121,7 @@ func (suite *ConfigTestSuite) TestNewConfigWithAliasConflicts() {
 	suite.setenv("PLUGIN_FORCE", "true")
 	suite.setenv("PLUGIN_FORCE_UPGRADE", "false") // should override even when set to the zero value

-	cfg, err := NewConfig(&strings.Builder{}, &strings.Builder{}, "test")
+	cfg, err := NewConfig(&strings.Builder{}, &strings.Builder{})
 	suite.NoError(err)
 	suite.False(cfg.Force, "official names should override alias names")
 }
@@ -321,7 +129,7 @@ func (suite *ConfigTestSuite) TestNewConfigWithAliasConflicts() {
 func (suite *ConfigTestSuite) TestNewConfigSetsWriters() {
 	stdout := &strings.Builder{}
 	stderr := &strings.Builder{}
-	cfg, err := NewConfig(stdout, stderr, "test")
+	cfg, err := NewConfig(stdout, stderr)
 	suite.Require().NoError(err)

 	suite.Equal(stdout, cfg.Stdout)
@@ -338,7 +146,7 @@ func (suite *ConfigTestSuite) TestDeprecatedSettingWarnings() {
 	suite.setenv("UPGRADE", "")          // entries should cause warnings even when set to empty string

 	stderr := &strings.Builder{}
-	_, err := NewConfig(&strings.Builder{}, stderr, "test")
+	_, err := NewConfig(&strings.Builder{}, stderr)
 	suite.NoError(err)

 	for _, varname := range deprecatedVars {
@@ -352,7 +160,7 @@ func (suite *ConfigTestSuite) TestLogDebug() {

 	stderr := strings.Builder{}
 	stdout := strings.Builder{}
-	_, err := NewConfig(&stdout, &stderr, "test")
+	_, err := NewConfig(&stdout, &stderr)
 	suite.Require().NoError(err)

 	suite.Equal("", stdout.String())
--- a/internal/helm/plan.go
+++ b/internal/helm/plan.go
@@ -111,6 +111,7 @@ var upgrade = func(cfg Config) []Step {
 		Force:         cfg.Force,
 		Atomic:        cfg.AtomicUpgrade,
 		CleanupOnFail: cfg.CleanupOnFail,
+		CAFile:        cfg.RepoCAFile,
 	})

 	return steps
@@ -172,6 +173,7 @@ func addRepos(cfg Config) []Step {
 	for _, repo := range cfg.AddRepos {
 		steps = append(steps, &run.AddRepo{
 			Repo:   repo,
+			CAFile: cfg.RepoCAFile,
 		})
 	}

--- a/internal/helm/plan_test.go
+++ b/internal/helm/plan_test.go
@@ -143,6 +143,7 @@ func (suite *PlanTestSuite) TestUpgrade() {
 		Force:         true,
 		AtomicUpgrade: true,
 		CleanupOnFail: true,
+		RepoCAFile:    "state_licensure.repo.cert",
 	}

 	steps := upgrade(cfg)
@@ -166,6 +167,7 @@ func (suite *PlanTestSuite) TestUpgrade() {
 		Force:         cfg.Force,
 		Atomic:        true,
 		CleanupOnFail: true,
+		CAFile:        "state_licensure.repo.cert",
 	}

 	suite.Equal(expected, upgrade)
@@ -291,6 +293,7 @@ func (suite *PlanTestSuite) TestAddRepos() {
 			"first=https://add.repos/one",
 			"second=https://add.repos/two",
 		},
+		RepoCAFile: "state_licensure.repo.cert",
 	}
 	steps := addRepos(cfg)
 	suite.Require().Equal(2, len(steps), "addRepos should add one step per repo")
@@ -301,6 +304,8 @@ func (suite *PlanTestSuite) TestAddRepos() {

 	suite.Equal(first.Repo, "first=https://add.repos/one")
 	suite.Equal(second.Repo, "second=https://add.repos/two")
+	suite.Equal(first.CAFile, "state_licensure.repo.cert")
+	suite.Equal(second.CAFile, "state_licensure.repo.cert")
 }

 func (suite *PlanTestSuite) TestLint() {
--- a/internal/run/addrepo.go
+++ b/internal/run/addrepo.go
@@ -8,6 +8,7 @@ import (
 // AddRepo is an execution step that calls `helm repo add` when executed.
 type AddRepo struct {
 	Repo   string
+	CAFile string
 	cmd    cmd
 }

@@ -38,7 +39,11 @@ func (a *AddRepo) Prepare(cfg Config) error {
 		args = append(args, "--debug")
 	}

-	args = append(args, "repo", "add", name, url)
+	args = append(args, "repo", "add")
+	if a.CAFile != "" {
+		args = append(args, "--ca-file", a.CAFile)
+	}
+	args = append(args, name, url)

 	a.cmd = command(helmBin, args...)
 	a.cmd.Stdout(cfg.Stdout)
--- a/internal/run/addrepo_test.go
+++ b/internal/run/addrepo_test.go
@@ -97,6 +97,19 @@ func (suite *AddRepoTestSuite) TestPrepareWithEqualSignInURL() {
 	suite.Contains(suite.commandArgs, "https://github.com/arthur_claypool/samaritan?version=2.1")
 }

+func (suite *AddRepoTestSuite) TestRepoAddFlags() {
+	suite.mockCmd.EXPECT().Stdout(gomock.Any()).AnyTimes()
+	suite.mockCmd.EXPECT().Stderr(gomock.Any()).AnyTimes()
+	cfg := Config{}
+	a := AddRepo{
+		Repo:   "machine=https://github.com/harold_finch/themachine",
+		CAFile: "./helm/reporepo.cert",
+	}
+	suite.NoError(a.Prepare(cfg))
+	suite.Equal([]string{"repo", "add", "--ca-file", "./helm/reporepo.cert",
+		"machine", "https://github.com/harold_finch/themachine"}, suite.commandArgs)
+}
+
 func (suite *AddRepoTestSuite) TestNamespaceFlag() {
 	suite.mockCmd.EXPECT().Stdout(gomock.Any()).AnyTimes()
 	suite.mockCmd.EXPECT().Stderr(gomock.Any()).AnyTimes()
--- a/internal/run/upgrade.go
+++ b/internal/run/upgrade.go
@@ -20,6 +20,7 @@ type Upgrade struct {
 	Force         bool
 	Atomic        bool
 	CleanupOnFail bool
+	CAFile        string

 	cmd cmd
 }
@@ -82,6 +83,9 @@ func (u *Upgrade) Prepare(cfg Config) error {
 	for _, vFile := range u.ValuesFiles {
 		args = append(args, "--values", vFile)
 	}
+	if u.CAFile != "" {
+		args = append(args, "--ca-file", u.CAFile)
+	}

 	args = append(args, u.Release, u.Chart)
 	u.cmd = command(helmBin, args...)
--- a/internal/run/upgrade_test.go
+++ b/internal/run/upgrade_test.go
@@ -102,6 +102,7 @@ func (suite *UpgradeTestSuite) TestPrepareWithUpgradeFlags() {
 		Force:         true,
 		Atomic:        true,
 		CleanupOnFail: true,
+		CAFile:        "local_ca.cert",
 	}

 	cfg := Config{}
@@ -121,6 +122,7 @@ func (suite *UpgradeTestSuite) TestPrepareWithUpgradeFlags() {
 			"--set-string", "height=5ft10in",
 			"--values", "/usr/local/stats",
 			"--values", "/usr/local/grades",
+			"--ca-file", "local_ca.cert",
 			"maroon_5_memories", "hot_ac"}, args)

 		return suite.mockCmd
Author	SHA1	Message	Date
Erin Call	c4b11795e3	Merge pull request #75 from pelotech/repo-ca-file Add a setting for chart repository CA certificates	2020-01-20 11:03:00 -08:00
Erin Call	ffa636ce47	Use lowercase envconfig tags throughout Config Followup to discussion on #75. The important part is to have them consistent, and I like the lowercase a little better since it matches the casing in parameter_reference.md (and the code doesn't yell at me :))	2020-01-20 10:54:52 -08:00
Erin Call	c38537ac32	Pass --ca-file to `helm upgrade` when applicable [#74 ]	2020-01-20 10:48:21 -08:00
Erin Call	1f7b6bb389	Add a setting for chart repository CA certificates [#74 ]	2020-01-20 09:15:56 -08:00
Erin Call	8a9cf23ab9	Merge pull request #71 from pelotech/alias-settings Use clearer setting names, with backward-compatibility aliases	2020-01-09 11:45:11 -08:00
Erin Call	3d1a2227da	Mention aliased settings in parameter_reference [#66 ]	2020-01-09 10:20:20 -08:00