Helm
Helm and Tiller tips and tricks.

Helm init (secure TLS)

Generating Certificate Authorities and Certificates

Generate a certificate authority:
openssl genrsa -out ./ca.key.pem 4096
openssl req \
  -key ca.key.pem \
  -new -x509 -days 7300 -sha256 \
  -out ca.cert.pem \
  -extensions v3_ca
Generate the Tiller key:
openssl genrsa \
  -out ./tiller.key.pem 4096
Generate the Helm client's key:
openssl genrsa \
  -out ./helm.key.pem 4096
Create certificate signing requests from these keys:
openssl req \
  -key tiller.key.pem \
  -new \
  -sha256 \
  -out tiller.csr.pem
Repeat this step for the Helm client certificate:
openssl req \
  -key helm.key.pem \
  -new \
  -sha256 \
  -out helm.csr.pem
Now we sign each of these CSRs with the CA certificate we created.
openssl x509 -req \
  -CA ca.cert.pem \
  -CAkey ca.key.pem \
  -CAcreateserial \
  -in tiller.csr.pem \
  -out tiller.cert.pem \
  -days 365
And again for the client certificate.
openssl x509 -req \
  -CA ca.cert.pem \
  -CAkey ca.key.pem \
  -CAcreateserial \
  -in helm.csr.pem \
  -out helm.cert.pem \
  -days 365
At this point, the important files for us are these:
# The CA. Make sure the key is kept secret.
ca.cert.pem
ca.key.pem
# The Helm client files
helm.cert.pem
helm.key.pem
# The Tiller server files.
tiller.cert.pem
tiller.key.pem

Setup RBAC

Create a ServiceAccount for Tiller in the kube-system namespace:
kubectl -n kube-system create sa tiller
Create a ClusterRoleBinding for Tiller:
kubectl create clusterrolebinding tiller \
  --clusterrole cluster-admin \
  --serviceaccount=kube-system:tiller

Creating a Custom Tiller Installation

Helm includes full support for creating a deployment configured for SSL. By specifying a few flags, the helm init command can create a new Tiller installation complete with all of our SSL configuration.
To take a look at what this will generate, run this command:
helm init \
  --dry-run --debug \
  --tiller-tls \
  --tiller-tls-cert ./tiller.cert.pem \
  --tiller-tls-key ./tiller.key.pem \
  --tiller-tls-verify \
  --tls-ca-cert ca.cert.pem \
  --service-account tiller
The output will show you a Deployment, a Secret, and a Service. Your SSL information will be preloaded into the Secret, which the Deployment will mount to pods as they start up.
If you want to customise the manifest, you can save that output to a file and then use kubectl create to load it into your cluster.
Otherwise, you can remove the --dry-run and --debug flags.
helm init \
  --tiller-tls \
  --tiller-tls-cert ./tiller.cert.pem \
  --tiller-tls-key ./tiller.key.pem \
  --tiller-tls-verify \
  --tls-ca-cert ca.cert.pem \
  --upgrade \
  --service-account tiller
In a minute or two it should be ready. We can check Tiller like this:
kubectl -n kube-system get deployment
Sample output:
NAME            DESIRED   CURRENT   UP-TO-DATE   AVAILABLE   AGE
... other stuff
tiller-deploy   1         1         1            1           2m
If there is a problem, you may want to use kubectl get pods -n kube-system to find out what went wrong. With the SSL/TLS support, the most common problems all have to do with improperly generated TLS certificates or accidentally swapping the cert and the key.
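The certificate steps above and the "swapped cert and key" pitfall, as an added example that is not part of the original page: a non-interactive script that builds the same CA, Tiller and Helm client files and then checks that each certificate chains to the CA and that each key really belongs to its certificate, which is worth running before helm init. The subject names, the 2048-bit key size and the inline openssl config (used so the script does not depend on a system openssl.cnf) are assumptions.

```shell
# Added example (not the page's own commands): the page's CA / Tiller /
# Helm client steps as one script, plus the checks worth running before
# 'helm init'. Names, key size and the inline config are assumptions.
set -eu

# Create CA, tiller and helm key pairs and certificates in directory $1.
gen_pki() {
  d=$1; mkdir -p "$d"
  cat > "$d/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
EOF
  openssl genrsa -out "$d/ca.key.pem" 2048 2>/dev/null
  openssl req -config "$d/req.cnf" -key "$d/ca.key.pem" -new -x509 \
    -days 7300 -sha256 -subj "/CN=Helm Test CA" -out "$d/ca.cert.pem"
  for name in tiller helm; do
    openssl genrsa -out "$d/$name.key.pem" 2048 2>/dev/null
    openssl req -config "$d/req.cnf" -key "$d/$name.key.pem" -new \
      -sha256 -subj "/CN=$name" -out "$d/$name.csr.pem"
    openssl x509 -req -CA "$d/ca.cert.pem" -CAkey "$d/ca.key.pem" \
      -CAcreateserial -in "$d/$name.csr.pem" -out "$d/$name.cert.pem" \
      -days 365 2>/dev/null
  done
}

# Succeeds when leaf cert $2 chains to CA cert $1 (what the TLS flags verify).
verify_chain() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Succeeds when cert $1 and private key $2 carry the same public key, i.e.
# the files are a real pair and were not swapped between tiller and helm.
check_pair() {
  c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ "$c" = "$k" ]
}

# Demo: build a throwaway PKI and fail loudly (set -e) on any mismatch.
pki=$(mktemp -d)
gen_pki "$pki"
for n in tiller helm; do
  verify_chain "$pki/ca.cert.pem" "$pki/$n.cert.pem"
  check_pair "$pki/$n.cert.pem" "$pki/$n.key.pem"
  echo "$n: cert chains to CA and matches its key"
done
```

Point check_pair at the files you are about to hand to --tiller-tls-cert/--tiller-tls-key (and later --tls-cert/--tls-key) to rule out the swap the page warns about before touching the cluster.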

Configuring the Helm Client

For a quick test, we can specify our configuration manually. We'll run a normal Helm command (helm ls), but with SSL/TLS enabled.
helm ls \
  --tls \
  --tls-ca-cert ca.cert.pem \
  --tls-cert helm.cert.pem \
  --tls-key helm.key.pem
This configuration sends our client-side certificate to establish identity, uses the client key for encryption, and uses the CA certificate to validate the remote Tiller's identity.
Typing that line every time is cumbersome, though. The shortcut is to move the key, cert, and CA into $HELM_HOME:
$ cp ca.cert.pem $(helm home)/ca.pem
$ cp helm.cert.pem $(helm home)/cert.pem
$ cp helm.key.pem $(helm home)/key.pem
With this, you can simply run helm ls --tls to enable TLS.

Uninstall

Using helm command

To uninstall Tiller from a Kubernetes cluster:
helm reset
To delete a failed Tiller installation from a Kubernetes cluster:
helm reset --force

Manually

kubectl -n kube-system delete deployment tiller-deploy
kubectl -n kube-system delete service/tiller-deploy
kubectl -n kube-system delete secret/tiller-secret

Tools

chartpress

GitHub - jupyterhub/chartpress: automate building and publishing images for helm charts

Problems and solutions

Broken pipe when using TLS

It might be caused by a previous Tiller installation that was not deleted properly (especially the tiller-secret). Follow the steps under "Uninstall -> Manually" on this page.

Configmaps is forbidden

It happens when the Tiller ServiceAccount does not have enough permissions.
kubectl create serviceaccount --namespace kube-system tiller
kubectl create clusterrolebinding tiller-cluster-rule --clusterrole=cluster-admin --serviceaccount=kube-system:tiller
kubectl patch deploy --namespace kube-system tiller-deploy -p '{"spec":{"template":{"spec":{"serviceAccount":"tiller"}}}}'
helm init --service-account tiller --upgrade
Helm ls (or any other command) hangs when using TLS
The cause is uncertain to me.
Solution:
In one terminal session, run this and leave it running:
kubectl -n tiller-ns port-forward svc/tiller-deploy 44134:44134
In another terminal session, run:
export HELM_HOST=:44134
helm ls \
  --tls \
  --tls-ca-cert ca.cert.pem \
  --tls-cert helm.cert.pem \
  --tls-key helm.key.pem \
  --tiller-namespace tiller-ns
Or using the --host parameter:
export HELM_HOST=:44134
helm ls \
  --host :44134 \
  --tls \
  --tls-ca-cert ca.cert.pem \
  --tls-cert helm.cert.pem \
  --tls-key helm.key.pem \
  --tiller-namespace tiller-ns

Helm 3

Uninstall/remove chart completely

helm template happy-panda stable/mariadb --namespace kube-system | kubectl delete -f -