search

Helm

Helm and Tiller tips and tricks.

hashtag
Helm init (secure TLS)

hashtag
Generating Certificate Authorities and Certificates

Generate a certificate authority

openssl genrsa -out ./ca.key.pem 4096
openssl req \
  -key ca.key.pem \
  -new -x509 -days 7300 -sha256 \
  -out ca.cert.pem \
  -extensions v3_ca

Generate the Tiller key:

openssl genrsa \
  -out ./tiller.key.pem 4096

Generate the Helm client's key

openssl genrsa \
  -out ./helm.key.pem 4096

Create certificates from these keys

openssl req \
  -key tiller.key.pem \
  -new \
  -sha256 \
  -out tiller.csr.pem

Repeat this step for the Helm client certificate

Now we sign each of these CSRs with the CA certificate we created.

And again for the client certificate.

At this point, the important files for us are these:

hashtag
Setup RBAC

Create a ServiceAccount for Tiller in the kube-system namespace:

Create a ClusterRoleBinding for Tiller:

hashtag
Creating a Custom Tiller Installation

Helm includes full support for creating a deployment configured for SSL. By specifying a few flags, the helm init command can create a new Tiller installation complete with all of our SSL configuration.

To take a look at what this will generate, run this command:

The output will show you a Deployment, a Secret, and a Service. Your SSL information will be preloaded into the Secret, which the Deployment will mount to pods as they start up.

If you want to customise the manifest, you can save that output to a file and then use kubectl create to load it into your cluster.

Otherwise, you can remove the --dry-run and --debug flags.

In a minute or two it should be ready. We can check Tiller like this:

Sample output:

If there is a problem, you may want to use kubectl get pods -n kube-system to find out what went wrong. With the SSL/TLS support, the most common problems all have to do with improperly generated TLS certificates or accidentally swapping the cert and the key.

hashtag
Configuring the Helm Client

For a quick test, we can specify our configuration manually. We'll run a normal Helm command (helm ls), but with SSL/TLS enabled.

This configuration sends our client-side certificate to establish identity, uses the client key for encryption, and uses the CA certificate to validate the remote Tiller's identity.

Typing a line that is cumbersome, though. The shortcut is to move the key, cert, and CA into $HELM_HOME:

With this, you can simply run helm ls --tls to enable TLS.

hashtag
References

https://github.com/helm/helm/blob/master/docs/tiller_ssl.mdarrow-up-right

https://medium.com/google-cloud/install-secure-helm-in-gke-254d520061f7arrow-up-right

https://medium.com/@amimahloof/how-to-setup-helm-and-tiller-with-rbac-and-namespaces-34bf27f7d3c3arrow-up-right

hashtag
Uninstall

hashtag
Using helm command

To uninstall tiller from a kubernetes cluster:

To delete failed tiller from a kubernetes cluster:

hashtag
Manually

hashtag
Restricted namespace

hashtag
References

https://helm.sh/docs/using_helm/#example-deploy-tiller-in-a-namespace-restricted-to-deploying-resources-in-another-namespacearrow-up-right

hashtag
Tools

hashtag
chartpress

LogoGitHub - jupyterhub/chartpress: automate building and publishing images for helm chartsGitHubchevron-right

hashtag
Problems and solutions

hashtag
Broken pipe when using TLS

It might be caused by a previous Tiller instillation that was not deleted properly (especially the tiller-secret), follow the "Uninstall -> Manually" on this page.

hashtag
Configmaps is forbidden

It happens when Tiller Service Account does not have enough permissions.

Helm ls (or any other command) hangs when using TLS

Cause uncertain for me.

Solution:

In one terminal session run and leave it running:

In another terminal session, run:

Or using --host parameter.

hashtag
Helm 3

hashtag
Uninstall/remove chart completely

PreviousELKNextIngress

Last updated