Allow users to connect to Tiller installed via GitLab
Problem to solve
Sometimes users need fine-grained control over the installed Tiller instance. At the moment we make this hard or impossible because we install Tiller with mutual TLS, so a client needs a certificate signed by the Tiller CA before it can connect.
We have a hacky approach to getting a client cert documented in gitlab-development-kit!595, but it is only applicable to people with access to the GitLab Rails console (or DB access), so it will not work for customers.
We should consider some way of allowing customers to connect to Tiller. One thing to keep in mind, however, is that the reason for adding mutual auth in the first place was to restrict access to Tiller: anybody who can reach it can do essentially anything they want to the cluster.
Target audience
Operators
Further details
Original issue to add mutual auth: https://gitlab.com/gitlab-org/gitlab-ce/issues/48098
Proposal
TBD (should we even do this?). Solution will need to not compromise security of the cluster.
What does success look like, and how can we measure that?
Links / references
Slack thread discussing this: https://gitlab.slack.com/archives/C3UCHUA76/p1547933342078100
Workaround for now
As suggested by @tobinski in https://gitlab.com/gitlab-org/gitlab-ce/issues/57495#note_140456680:
export TILLER_NAMESPACE="gitlab-managed-apps"
# get certs for the tiller in the gitlab-managed-apps namespace
# (the jsonpath keys contain dots, so they are escaped as ca\.crt etc.)
kubectl get secrets/tiller-secret -n "$TILLER_NAMESPACE" -o "jsonpath={.data['ca\.crt']}" | base64 --decode > tiller-ca.crt
kubectl get secrets/tiller-secret -n "$TILLER_NAMESPACE" -o "jsonpath={.data['tls\.crt']}" | base64 --decode > tiller.crt
# tiller.key is a private key that grants full Tiller (and therefore cluster) access;
# keep it out of shared or world-readable locations
kubectl get secrets/tiller-secret -n "$TILLER_NAMESPACE" -o "jsonpath={.data['tls\.key']}" | base64 --decode > tiller.key
# connect to the tiller in the gitlab-managed-apps namespace with the extra certs
helm list --tiller-connection-timeout 30 --tls --tls-ca-cert tiller-ca.crt --tls-cert tiller.crt --tls-key tiller.key --all --tiller-namespace gitlab-managed-apps
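The same workaround wrapped into a small POSIX sh helper, as an added example that is not part of the issue and not @tobinski's code: it writes the decoded certificate material into a private directory with 0600 permissions, checks with openssl that the certificate chains to the CA and matches the key before anything talks to Tiller, and builds the helm TLS flags from that directory. The function names (decode_secret_field, fetch_secret_field, extract_tiller_certs, check_tiller_certs, tiller_tls_args) and the output-directory layout are assumptions for this example; it assumes kubectl, helm 2 and openssl on PATH.

```shell
#!/bin/sh
# Added example, not the issue's or @tobinski's code. Helper names and the
# output-directory layout are hypothetical.

TILLER_NAMESPACE="${TILLER_NAMESPACE:-gitlab-managed-apps}"

# decode_secret_field BASE64 DEST
# Decode one base64 secret value into DEST, created with mode 0600 so the
# private key is never group- or world-readable (the subshell keeps umask local).
decode_secret_field() {
  ( umask 077; printf '%s' "$1" | base64 --decode > "$2" ) || return 1
  chmod 0600 "$2"
}

# fetch_secret_field KEY
# Read one key of tiller-secret via kubectl (requires cluster access).
# Dots in the key name are escaped for jsonpath, as in the workaround above.
fetch_secret_field() {
  escaped=$(printf '%s' "$1" | sed 's/\./\\./g')
  kubectl get secret tiller-secret -n "$TILLER_NAMESPACE" -o "jsonpath={.data['$escaped']}"
}

# extract_tiller_certs OUTDIR
# Write tiller-ca.crt, tiller.crt and tiller.key under OUTDIR (mode 0700).
extract_tiller_certs() {
  outdir="$1"
  mkdir -p "$outdir" && chmod 0700 "$outdir" || return 1
  decode_secret_field "$(fetch_secret_field ca.crt)"  "$outdir/tiller-ca.crt" || return 1
  decode_secret_field "$(fetch_secret_field tls.crt)" "$outdir/tiller.crt"    || return 1
  decode_secret_field "$(fetch_secret_field tls.key)" "$outdir/tiller.key"    || return 1
}

# check_tiller_certs OUTDIR
# Fail unless the certificate chains to the extracted CA and its public key
# matches the private key, so a stale or mismatched secret is caught before helm runs.
check_tiller_certs() {
  outdir="$1"
  openssl verify -CAfile "$outdir/tiller-ca.crt" "$outdir/tiller.crt" >/dev/null || return 1
  cert_pub=$(openssl x509 -in "$outdir/tiller.crt" -noout -pubkey) || return 1
  key_pub=$(openssl pkey -in "$outdir/tiller.key" -pubout) || return 1
  [ "$cert_pub" = "$key_pub" ]
}

# tiller_tls_args OUTDIR
# Print the helm flags that select the GitLab-managed Tiller over mutual TLS.
tiller_tls_args() {
  printf '%s' "--tls --tls-ca-cert $1/tiller-ca.crt --tls-cert $1/tiller.crt --tls-key $1/tiller.key --tiller-namespace $TILLER_NAMESPACE"
}

# Usage:
#   extract_tiller_certs "$HOME/.tiller-gitlab" \
#     && check_tiller_certs "$HOME/.tiller-gitlab" \
#     && helm list --all --tiller-connection-timeout 30 $(tiller_tls_args "$HOME/.tiller-gitlab")
```

Keeping the decoded files in a 0700 directory matters more than it looks: whoever holds tiller.key has the same rights as Tiller itself, which in a GitLab-managed cluster is cluster-admin.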