Revert "Merge branch '48098-mutual-auth-cluster-applications' into 'master'"

This reverts merge request !20801

app/models/clusters/applications/helm.rb

-require 'openssl'
-
 module Clusters
   module Applications
     class Helm < ActiveRecord::Base
       self.table_name = 'clusters_applications_helm'
-      attr_encrypted :ca_key,
-        mode: :per_attribute_iv,
-        key: Settings.attr_encrypted_db_key_base_truncated,
-        algorithm: 'aes-256-cbc'
-
       include ::Clusters::Concerns::ApplicationCore
       include ::Clusters::Concerns::ApplicationStatus
       default_value_for :version, Gitlab::Kubernetes::Helm::HELM_VERSION
-      before_create :create_keys_and_certs
-
-      def issue_client_cert
-        ca_cert_obj.issue
-      end
-
       def set_initial_status
         return unless not_installable?
@@ -28,41 +15,7 @@ module Clusters
       end
       def install_command
-        Gitlab::Kubernetes::Helm::InitCommand.new(
-          name: name,
-          files: files
-        )
-      end
-
-      def has_ssl?
-        ca_key.present? && ca_cert.present?
-      end
-
-      private
-
-      def files
-        {
-          'ca.pem': ca_cert,
-          'cert.pem': tiller_cert.cert_string,
-          'key.pem': tiller_cert.key_string
-        }
-      end
-
-      def create_keys_and_certs
-        ca_cert = Gitlab::Kubernetes::Helm::Certificate.generate_root
-        self.ca_key = ca_cert.key_string
-        self.ca_cert = ca_cert.cert_string
-      end
-
-      def tiller_cert
-        @tiller_cert ||= ca_cert_obj.issue(expires_in: Gitlab::Kubernetes::Helm::Certificate::INFINITE_EXPIRY)
-      end
-
-      def ca_cert_obj
-        return unless has_ssl?
-
-        Gitlab::Kubernetes::Helm::Certificate
-          .from_strings(ca_key, ca_cert)
+        Gitlab::Kubernetes::Helm::InitCommand.new(name)
       end
     end
   end

app/models/clusters/applications/ingress.rb

@@ -32,9 +32,9 @@ module Clusters
       def install_command
         Gitlab::Kubernetes::Helm::InstallCommand.new(
-          name: name,
+          name,
           chart: chart,
-          files: files
+          values: values
         )
       end

app/models/clusters/applications/jupyter.rb

@@ -35,9 +35,9 @@ module Clusters
       def install_command
         Gitlab::Kubernetes::Helm::InstallCommand.new(
-          name: name,
+          name,
           chart: chart,
-          files: files,
+          values: values,
           repository: repository
         )
       end

app/models/clusters/applications/prometheus.rb

@@ -43,10 +43,10 @@ module Clusters
       def install_command
         Gitlab::Kubernetes::Helm::InstallCommand.new(
-          name: name,
+          name,
           chart: chart,
           version: version,
-          files: files
+          values: values
         )
       end

app/models/clusters/applications/runner.rb

@@ -28,9 +28,9 @@ module Clusters
       def install_command
         Gitlab::Kubernetes::Helm::InstallCommand.new(
-          name: name,
+          name,
           chart: chart,
-          files: files,
+          values: values,
           repository: repository
         )
       end

app/models/clusters/concerns/application_data.rb

@@ -12,34 +12,8 @@ module Clusters
           File.read(chart_values_file)
         end
-        def files
-          @files ||= begin
-            files = { 'values.yaml': values }
-
-            files.merge!(certificate_files) if cluster.application_helm.has_ssl?
-
-            files
-          end
-        end
-
         private
-        def certificate_files
-          {
-            'ca.pem': ca_cert,
-            'cert.pem': helm_cert.cert_string,
-            'key.pem': helm_cert.key_string
-          }
-        end
-
-        def ca_cert
-          cluster.application_helm.ca_cert
-        end
-
-        def helm_cert
-          @helm_cert ||= cluster.application_helm.issue_client_cert
-        end
-
         def chart_values_file
           "#{Rails.root}/vendor/#{name}/values.yaml"
         end

changelogs/unreleased/48098-mutual-auth-cluster-applications.yml

----
-title: Ensure installed Helm Tiller For GitLab Managed Apps Is protected by mutual
-  auth
-merge_request: 20801
-author:
-type: changed

db/migrate/20180612103626_add_columns_for_helm_tiller_certificates.rb

-class AddColumnsForHelmTillerCertificates < ActiveRecord::Migration
-  include Gitlab::Database::MigrationHelpers
-
-  DOWNTIME = false
-
-  def change
-    add_column :clusters_applications_helm, :encrypted_ca_key, :text
-    add_column :clusters_applications_helm, :encrypted_ca_key_iv, :text
-    add_column :clusters_applications_helm, :ca_cert, :text
-  end
-end

db/schema.rb

@@ -636,9 +636,6 @@ ActiveRecord::Schema.define(version: 20180722103201) do
     t.integer "status", null: false
     t.string "version", null: false
     t.text "status_reason"
-    t.text "encrypted_ca_key"
-    t.text "encrypted_ca_key_iv"
-    t.text "ca_cert"
   end
   create_table "clusters_applications_ingress", force: :cascade do |t|

lib/gitlab/kubernetes/config_map.rb

 module Gitlab
   module Kubernetes
     class ConfigMap
-      def initialize(name, files)
+      def initialize(name, values = "")
         @name = name
-        @files = files
+        @values = values
       end
       def generate
         resource = ::Kubeclient::Resource.new
         resource.metadata = metadata
-        resource.data = files
+        resource.data = { values: values }
         resource
       end
@@ -19,7 +19,7 @@ module Gitlab
       private
-      attr_reader :name, :files
+      attr_reader :name, :values
       def metadata
         {

lib/gitlab/kubernetes/helm/api.rb

@@ -9,7 +9,7 @@ module Gitlab
         def install(command)
           namespace.ensure_exists!
-          create_config_map(command)
+          create_config_map(command) if command.config_map?
           kubeclient.create_pod(command.pod_resource)
         end

lib/gitlab/kubernetes/helm/base_command.rb

 module Gitlab
   module Kubernetes
     module Helm
-      module BaseCommand
+      class BaseCommand
+        attr_reader :name
+
+        def initialize(name)
+          @name = name
+        end
+
         def pod_resource
           Gitlab::Kubernetes::Helm::Pod.new(self, namespace).generate
         end
@@ -18,32 +24,16 @@ module Gitlab
           HEREDOC
         end
-        def pod_name
-          "install-#{name}"
-        end
-
-        def config_map_resource
-          Gitlab::Kubernetes::ConfigMap.new(name, files).generate
+        def config_map?
+          false
         end
-        def file_names
-          files.keys
-        end
-
-        def name
-          raise "Not implemented"
-        end
-
-        def files
-          raise "Not implemented"
+        def pod_name
+          "install-#{name}"
         end
         private
-        def files_dir
-          "/data/helm/#{name}/config"
-        end
-
         def namespace
           Gitlab::Kubernetes::Helm::NAMESPACE
         end

lib/gitlab/kubernetes/helm/certificate.rb

-module Gitlab
-  module Kubernetes
-    module Helm
-      class Certificate
-        INFINITE_EXPIRY = 1000.years
-        SHORT_EXPIRY = 30.minutes
-
-        attr_reader :key, :cert
-
-        def key_string
-          @key.to_s
-        end
-
-        def cert_string
-          @cert.to_pem
-        end
-
-        def self.from_strings(key_string, cert_string)
-          key = OpenSSL::PKey::RSA.new(key_string)
-          cert = OpenSSL::X509::Certificate.new(cert_string)
-          new(key, cert)
-        end
-
-        def self.generate_root
-          _issue(signed_by: nil, expires_in: INFINITE_EXPIRY, certificate_authority: true)
-        end
-
-        def issue(expires_in: SHORT_EXPIRY)
-          self.class._issue(signed_by: self, expires_in: expires_in, certificate_authority: false)
-        end
-
-        private
-
-        def self._issue(signed_by:, expires_in:, certificate_authority:)
-          key = OpenSSL::PKey::RSA.new(4096)
-          public_key = key.public_key
-
-          subject = OpenSSL::X509::Name.parse("/C=US")
-
-          cert = OpenSSL::X509::Certificate.new
-          cert.subject = subject
-
-          cert.issuer = signed_by&.cert&.subject || subject
-
-          cert.not_before = Time.now
-          cert.not_after = expires_in.from_now
-          cert.public_key = public_key
-          cert.serial = 0x0
-          cert.version = 2
-
-          if certificate_authority
-            extension_factory = OpenSSL::X509::ExtensionFactory.new
-            extension_factory.subject_certificate = cert
-            extension_factory.issuer_certificate = cert
-            cert.add_extension(extension_factory.create_extension('subjectKeyIdentifier', 'hash'))
-            cert.add_extension(extension_factory.create_extension('basicConstraints', 'CA:TRUE', true))
-            cert.add_extension(extension_factory.create_extension('keyUsage', 'cRLSign,keyCertSign', true))
-          end
-
-          cert.sign(signed_by&.key || key, OpenSSL::Digest::SHA256.new)
-
-          new(key, cert)
-        end
-
-        def initialize(key, cert)
-          @key = key
-          @cert = cert
-        end
-      end
-    end
-  end
-end

lib/gitlab/kubernetes/helm/init_command.rb

 module Gitlab
   module Kubernetes
     module Helm
-      class InitCommand
-        include BaseCommand
-
-        attr_reader :name, :files
-
-        def initialize(name:, files:)
-          @name = name
-          @files = files
-        end
-
+      class InitCommand < BaseCommand
         def generate_script
           super + [
             init_helm_command
@@ -20,12 +11,7 @@ module Gitlab
         private
         def init_helm_command
-          tls_flags = "--tiller-tls" \
-            " --tiller-tls-verify --tls-ca-cert #{files_dir}/ca.pem" \
-            " --tiller-tls-cert #{files_dir}/cert.pem" \
-            " --tiller-tls-key #{files_dir}/key.pem"
-
-          "helm init #{tls_flags} >/dev/null"
+          "helm init >/dev/null"
         end
       end
     end

lib/gitlab/kubernetes/helm/install_command.rb

 module Gitlab
   module Kubernetes
     module Helm
-      class InstallCommand
-        include BaseCommand
-        attr_reader :name, :files, :chart, :version, :repository
-
-        def initialize(name:, chart:, files:, version: nil, repository: nil)
+      class InstallCommand < BaseCommand
+        attr_reader :name, :chart, :version, :repository, :values
+        def initialize(name, chart:, values:, version: nil, repository: nil)
           @name = name
           @chart = chart
           @version = version
-          @files = files
+          @values = values
           @repository = repository
         end
@@ -22,6 +20,14 @@ module Gitlab
           ].compact.join("\n")
         end
+        def config_map?
+          true
+        end
+
+        def config_map_resource
+          Gitlab::Kubernetes::ConfigMap.new(name, values).generate
+        end
+
         private
         def init_command
@@ -33,27 +39,14 @@ module Gitlab
         end
         def script_command
-          "helm install" \
-          "#{optional_tls_flags} " \
-          "#{chart} " \
-          "--name #{name}" \
-          "#{optional_version_flag} " \
-          "--namespace #{Gitlab::Kubernetes::Helm::NAMESPACE} " \
-          "-f /data/helm/#{name}/config/values.yaml >/dev/null\n"
+          <<~HEREDOC
+          helm install #{chart} --name #{name}#{optional_version_flag} --namespace #{Gitlab::Kubernetes::Helm::NAMESPACE} -f /data/helm/#{name}/config/values.yaml >/dev/null
+          HEREDOC
         end
         def optional_version_flag
           " --version #{version}" if version
         end
-
-        def optional_tls_flags
-          return unless files.key?(:'ca.pem')
-
-          " --tls" \
-            " --tls-ca-cert #{files_dir}/ca.pem" \
-            " --tls-cert #{files_dir}/cert.pem" \
-            " --tls-key #{files_dir}/key.pem"
-        end
       end
     end
   end

lib/gitlab/kubernetes/helm/pod.rb

@@ -10,8 +10,10 @@ module Gitlab
         def generate
           spec = { containers: [container_specification], restartPolicy: 'Never' }
-          spec[:volumes] = volumes_specification
-          spec[:containers][0][:volumeMounts] = volume_mounts_specification
+          if command.config_map?
+            spec[:volumes] = volumes_specification
+            spec[:containers][0][:volumeMounts] = volume_mounts_specification
+          end
           ::Kubeclient::Resource.new(metadata: metadata, spec: spec)
         end
@@ -59,7 +61,7 @@ module Gitlab
               name: 'configuration-volume',
               configMap: {
                 name: "values-content-configuration-#{command.name}",
-                items: command.file_names.map { |name| { key: name, path: name } }
+                items: [{ key: 'values', path: 'values.yaml' }]
               }
             }
           ]

qa/qa/factory/resource/kubernetes_cluster.rb

@@ -44,11 +44,10 @@ module QA
               page.await_installed(:helm)
               page.install!(:ingress) if @install_ingress
-              page.install!(:prometheus) if @install_prometheus
-              page.install!(:runner) if @install_runner
-
               page.await_installed(:ingress) if @install_ingress
+              page.install!(:prometheus) if @install_prometheus
               page.await_installed(:prometheus) if @install_prometheus
+              page.install!(:runner) if @install_runner
               page.await_installed(:runner) if @install_runner
             end
           end

qa/qa/page/project/operations/kubernetes/show.rb

@@ -16,7 +16,6 @@ module QA
             def install!(application_name)
               within(".js-cluster-application-row-#{application_name}") do
-                page.has_button?('Install', wait: 30)
                 click_on 'Install'
               end
             end

spec/factories/clusters/applications/helm.rb

@@ -32,21 +32,11 @@ FactoryBot.define do
       updated_at ClusterWaitForAppInstallationWorker::TIMEOUT.ago
     end
-    factory :clusters_applications_ingress, class: Clusters::Applications::Ingress do
-      cluster factory: %i(cluster with_installed_helm provided_by_gcp)
-    end
-
-    factory :clusters_applications_prometheus, class: Clusters::Applications::Prometheus do
-      cluster factory: %i(cluster with_installed_helm provided_by_gcp)
-    end
-
-    factory :clusters_applications_runner, class: Clusters::Applications::Runner do
-      cluster factory: %i(cluster with_installed_helm provided_by_gcp)
-    end
-
+    factory :clusters_applications_ingress, class: Clusters::Applications::Ingress
+    factory :clusters_applications_prometheus, class: Clusters::Applications::Prometheus
+    factory :clusters_applications_runner, class: Clusters::Applications::Runner
     factory :clusters_applications_jupyter, class: Clusters::Applications::Jupyter do
       oauth_application factory: :oauth_application
-      cluster factory: %i(cluster with_installed_helm provided_by_gcp)
     end
   end
 end

spec/factories/clusters/clusters.rb

@@ -36,9 +36,5 @@ FactoryBot.define do
     trait :production_environment do
       sequence(:environment_scope) { |n| "production#{n}/*" }
     end
-
-    trait :with_installed_helm do
-      application_helm factory: %i(clusters_applications_helm installed)
-    end
   end
 end