Road to startup infra - Part 4 - Kubernetes Post Installation


Before installing Helm, create certificates so that TLS provides both authentication and transport security. I assume you created your own certificate authority with Vault in the previous post, Certificate Authority; if not, adapt the steps to your setup.

Generate the Certs

The role below can issue certificates for the Tiller server, with a maximum lifetime of one year (max_ttl=8760h):

vault write pki_helm/roles/tiller allowed_domains=tiller allow_bare_domains=true allow_subdomains=false organization="Company Ltd" max_ttl=8760h

The role below issues client-authentication certificates (for the Helm users), valid for at most 30 days (max_ttl=720h):

vault write pki_helm/roles/client allow_any_name=true organization="Company Ltd" max_ttl=720h

Generate the certs:

vault write pki_helm/issue/tiller common_name="tiller"
vault write pki_helm/issue/client common_name="user"

Take the certificate and key material from the command output and write it to the appropriate PEM files.
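The file-generation step above is easy to get wrong by hand, so here is an added helper (my code, not part of the original post) that splits the JSON you get from vault write -format=json pki_helm/issue/<role> into the tiller.*.pem, helm.*.pem and issuing_ca.cert.pem files used later in this post. It assumes Vault's PKI response fields certificate, private_key and issuing_ca, writes the private key with mode 0600, and checks that both leaf certificates were issued by the same CA; the embedded responses are constructed placeholders, not real certificates.

```python
import json
import os
import tempfile
from pathlib import Path

# Vault PKI issue response field -> file name used later in this post.
FILE_MAP = {
    "certificate": "{name}.cert.pem",     # tiller.cert.pem / helm.cert.pem
    "private_key": "{name}.key.pem",      # tiller.key.pem / helm.key.pem
    "issuing_ca": "issuing_ca.cert.pem",  # handed to --tls-ca-cert
}

# Constructed placeholder responses: not real Vault output or real certificates.
SAMPLE_TILLER = json.dumps({"data": {
    "certificate": "-----BEGIN CERTIFICATE-----\nTILLER-CERT-PLACEHOLDER\n-----END CERTIFICATE-----",
    "private_key": "-----BEGIN RSA PRIVATE KEY-----\nTILLER-KEY-PLACEHOLDER\n-----END RSA PRIVATE KEY-----",
    "issuing_ca": "-----BEGIN CERTIFICATE-----\nHELM-CA-PLACEHOLDER\n-----END CERTIFICATE-----",
}})
SAMPLE_CLIENT = SAMPLE_TILLER.replace("TILLER-", "CLIENT-")  # same CA, different leaf

def write_cert_files(vault_json, name, out_dir):
    """Write cert/key/CA from one issue response to files; key is 0600. Returns {field: path}."""
    data = json.loads(vault_json)["data"]
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    written = {}
    for field, pattern in FILE_MAP.items():
        path = out / pattern.format(name=name)
        mode = 0o600 if field == "private_key" else 0o644
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, mode)
        with os.fdopen(fd, "w") as f:
            f.write(data[field].rstrip("\n") + "\n")
        os.chmod(path, mode)  # os.open applies the umask; pin the mode explicitly
        written[field] = str(path)
    return written

def same_issuing_ca(json_a, json_b):
    """--tiller-tls-verify rejects clients chaining to a different CA, so check first."""
    ca_a = json.loads(json_a)["data"]["issuing_ca"].strip()
    ca_b = json.loads(json_b)["data"]["issuing_ca"].strip()
    return ca_a == ca_b

def demo():
    """Write both sample responses into a temp dir and report what was produced."""
    out_dir = tempfile.mkdtemp(prefix="helm-tls-")
    tiller = write_cert_files(SAMPLE_TILLER, "tiller", out_dir)
    write_cert_files(SAMPLE_CLIENT, "helm", out_dir)
    return {"files": sorted(os.listdir(out_dir)),
            "key_mode": oct(os.stat(tiller["private_key"]).st_mode & 0o777),
            "same_ca": same_issuing_ca(SAMPLE_TILLER, SAMPLE_CLIENT)}
```

Feed the real JSON from the two vault write -format=json commands to write_cert_files with names "tiller" and "helm" to get exactly the file names the helm init and cp commands below expect.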

Install Helm

The RBAC manifest below (rbac-config.yml) creates the tiller service account and grants it cluster-admin permissions:

apiVersion: v1
kind: ServiceAccount
metadata:
  name: tiller
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: tiller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
  - kind: ServiceAccount
    name: tiller
    namespace: kube-system

Perform the installation:

kubectl apply -f rbac-config.yml
helm init --tiller-tls --tiller-tls-cert ./tiller.cert.pem --tiller-tls-key ./tiller.key.pem --tiller-tls-verify --tls-ca-cert issuing_ca.cert.pem --service-account=tiller

Verify that TLS is enforced: a plain helm list (without a client certificate) should fail with Error: transport is closing.

Copy the CA certificate and the client certificate and key into the Helm home directory:

cp issuing_ca.cert.pem $(helm home)/ca.pem
cp helm.cert.pem $(helm home)/cert.pem
cp helm.key.pem $(helm home)/key.pem

Now run helm list --tls; with the client certificate and key in place, the call succeeds.