[7.0.x] Backport 'Add Helm 3 binary' (#787) (#799)

* [7.0.x] Backport 'Add Helm 3 binary' (#787) * Add helm 3 binary * Change helm download urls * Fix helm 3 target * Add helm3 bash wrapper * Set owner read only mask for kubectl.kubeconfig * Set diferrent permissions for host and planet * Change type to uint32 * Cast os.FileMode * Use simple set of permissions * Fix indentation * Delete extra empty line
gravitational · Nov 26, 2020 · e07c1ab · e07c1ab
1 parent 1b19f1d
commit e07c1ab
Show file tree

Hide file tree

Showing 7 changed files with 42 additions and 5 deletions.
diff --git a/Makefile b/Makefile
@@ -41,6 +41,7 @@ DOCKER_VER ?= 19.03.12
 # we currently use our own flannel fork: gravitational/flannel
 FLANNEL_VER := v0.10.3-gravitational
 HELM_VER := 2.16.12
+HELM3_VER := 3.3.4
 COREDNS_VER := 1.7.0
 NODE_PROBLEM_DETECTOR_VER := v0.6.4
 CNI_VER := 0.8.6

diff --git a/build.assets/docker/os-rootfs/etc/planet/orbit.manifest.json b/build.assets/docker/os-rootfs/etc/planet/orbit.manifest.json
@@ -25,6 +25,10 @@
  "name": "version-helm",
  "value": "REPLACE_HELM_LATEST_VERSION"
  },
+ {
+ "name": "version-helm3",
+ "value": "REPLACE_HELM3_LATEST_VERSION"
+ },
  {
  "name": "version-coredns",
  "value": "REPLACE_COREDNS_LATEST_VERSION"
@@ -497,4 +501,4 @@
  }
  ]
  }
-}
+}
diff --git a/build.assets/docker/os-rootfs/usr/local/bin/helm3 b/build.assets/docker/os-rootfs/usr/local/bin/helm3
@@ -0,0 +1,19 @@
+#!/bin/bash
+set -eu
+
+# find out the real absolute path to this script, it may include the planet rootfs path
+if [ -L $0 ]; then
+ # invoked from host via a helm symlink set up during installation
+ DIR=$(dirname $(readlink $0))
+ KUBE_CONFIG=/etc/kubernetes/kubectl-host.kubeconfig
+else
+ # invoked directly, e.g. from inside the planet
+ DIR=$(dirname $0)
+ KUBE_CONFIG=/etc/kubernetes/kubectl.kubeconfig
+fi
+
+# determine the absolute path to the planet rootfs
+PLANET_ROOT=$(realpath ${DIR}/../../../)
+
+# invoke the real helm binary with a proper config and propagate all arguments as-is
+KUBECONFIG=${PLANET_ROOT}${KUBE_CONFIG} ${PLANET_ROOT}/usr/bin/helm3 "$@"
diff --git a/build.assets/makefiles/buildbox.mk b/build.assets/makefiles/buildbox.mk
@@ -10,7 +10,7 @@ BUILDBOX_NAME ?= planet/buildbox
 BUILDBOX_IMAGE ?= $(BUILDBOX_NAME):$(PLANET_BUILD_TAG)
 export
 TMPFS_SIZE ?= 900m
-VER_UPDATES = ETCD_LATEST_VER KUBE_VER FLANNEL_VER DOCKER_VER HELM_VER COREDNS_VER NODE_PROBLEM_DETECTOR_VER
+VER_UPDATES = ETCD_LATEST_VER KUBE_VER FLANNEL_VER DOCKER_VER HELM_VER HELM3_VER COREDNS_VER NODE_PROBLEM_DETECTOR_VER
 
 .PHONY: all
 all: $(ROOTFS)/bin/bash build planet-image
@@ -35,6 +35,7 @@ build: | $(ASSETDIR)
  dumb-init make -e \
  KUBE_VER=$(KUBE_VER) \
  HELM_VER=$(HELM_VER) \
+ HELM3_VER=$(HELM3_VER) \
  COREDNS_VER=$(COREDNS_VER) \
  CNI_VER=$(CNI_VER) \
  FLANNEL_VER=$(FLANNEL_VER) \
@@ -58,6 +59,7 @@ planet-image:
  sed -i "s/REPLACE_FLANNEL_LATEST_VERSION/$(FLANNEL_VER)/g" $(TARGETDIR)/orbit.manifest.json
  sed -i "s/REPLACE_DOCKER_LATEST_VERSION/$(DOCKER_VER)/g" $(TARGETDIR)/orbit.manifest.json
  sed -i "s/REPLACE_HELM_LATEST_VERSION/$(HELM_VER)/g" $(TARGETDIR)/orbit.manifest.json
+ sed -i "s/REPLACE_HELM3_LATEST_VERSION/$(HELM3_VER)/g" $(TARGETDIR)/orbit.manifest.json
  sed -i "s/REPLACE_COREDNS_LATEST_VERSION/$(COREDNS_VER)/g" $(TARGETDIR)/orbit.manifest.json
  sed -i "s/REPLACE_NODE_PROBLEM_DETECTOR_LATEST_VERSION/$(NODE_PROBLEM_DETECTOR_VER)/g" $(TARGETDIR)/orbit.manifest.json
  cp $(TARGETDIR)/orbit.manifest.json $(ROOTFS)/etc/planet/

diff --git a/build.assets/makefiles/kubernetes/kubernetes.mk b/build.assets/makefiles/kubernetes/kubernetes.mk
@@ -5,6 +5,7 @@ DOWNLOAD_URL := https://storage.googleapis.com/kubernetes-release/release/$(KUBE
 REPODIR := $(GOPATH)/src/github.com/kubernetes/kubernetes
 OUTPUTDIR := $(ASSETDIR)/k8s-$(KUBE_VER)
 HELM_TARBALL:= $(ASSETDIR)/helm-$(HELM_VER).tgz
+HELM3_TARBALL:= $(ASSETDIR)/helm-$(HELM3_VER).tgz
 COREDNS_TARBALL := $(ASSETDIR)/coredns-$(COREDNS_VER).tgz
 BINARIES := kube-apiserver \
  kube-controller-manager \
@@ -13,11 +14,12 @@ BINARIES := kube-apiserver \
  kube-proxy \
  kubelet
 KUBE_OUTPUTS := $(addprefix $(OUTPUTDIR)/, $(BINARIES))
-OUTPUTS := $(KUBE_OUTPUTS) $(HELM_TARBALL) $(COREDNS_TARBALL)
+OUTPUTS := $(KUBE_OUTPUTS) $(HELM_TARBALL) $(HELM3_TARBALL) $(COREDNS_TARBALL)
 
 all: kubernetes.mk $(OUTPUTS)
  tar xvzf $(COREDNS_TARBALL) -C $(ROOTFS)/usr/bin coredns
  tar xvzf $(HELM_TARBALL) --strip-components=1 -C $(ROOTFS)/usr/bin linux-amd64/helm
+ tar --transform='flags=r;s|helm|helm3|' -xvzf $(HELM3_TARBALL) --strip-components=1 -C $(ROOTFS)/usr/bin linux-amd64/helm
 
 $(OUTPUTDIR):
  mkdir -p $@
@@ -28,7 +30,11 @@ $(KUBE_OUTPUTS): | $(OUTPUTDIR)
  chmod +x $@
 
 $(HELM_TARBALL):
- curl https://kubernetes-helm.storage.googleapis.com/helm-v$(HELM_VER)-linux-amd64.tar.gz \
+ curl https://get.helm.sh/helm-v$(HELM_VER)-linux-amd64.tar.gz \
+ -o $@
+
+$(HELM3_TARBALL):
+ curl https://get.helm.sh/helm-v$(HELM3_VER)-linux-amd64.tar.gz \
  -o $@
 
 $(COREDNS_TARBALL):

diff --git a/lib/constants/constants.go b/lib/constants/constants.go
@@ -56,6 +56,9 @@ const (
  // GroupReadWriteMask is a file mask for owder/group read/write
  GroupReadWriteMask = 0660
 
+ // OwnerReadMask is a file mask for owner read-only
+ OwnerReadMask = 0400
+
  // DeviceReadWritePerms specifies the read/write permissions for a device
  DeviceReadWritePerms = "rwm"
 

diff --git a/tool/planet/start.go b/tool/planet/start.go
@@ -617,7 +617,9 @@ func addKubeConfig(config *Config) error {
  if err != nil {
  return trace.Wrap(err)
  }
- err = utils.SafeWriteFile(path, kubeConfig, constants.SharedReadMask)
+ // set read-only permissions for kubectl.kubeconfig to avoid annoying warning from Helm 3
+ // 'WARNING: Kubernetes configuration file is group-readable. This is insecure. Location: /etc/kubernetes/kubectl.kubeconfig'
+ err = utils.SafeWriteFile(path, kubeConfig, constants.OwnerReadMask)
  if err != nil {
  return trace.Wrap(err)
  }