Road to startup infra - Part 4 - Kubernetes Post Installation
Helm
Before installing Helm, create certificates so that TLS provides both authentication and transport security. I assume you created your own certificate authority with Vault as described in the previous post, Certificate Authority; if not, adapt the steps to your setup.
Generate the Certs
The role below can issue certificates for the Tiller server, with a maximum lifetime of one year.
vault write pki_helm/roles/tiller allowed_domains=tiller allow_bare_domains=true allow_subdomains=false organization="Company Ltd" max_ttl=8760h
The role below can issue certificates for client authentication (the helm users), valid for 30 days.
vault write pki_helm/roles/client allow_any_name=true organization="Company Ltd" max_ttl=720h
Generate the certs:
vault write pki_helm/issue/tiller common_name="tiller"
vault write pki_helm/issue/client common_name="user"
Take the certificate and key from each command's output and write them to the appropriate PEM files.
Install Helm
The RBAC manifest below grants the tiller service account cluster-admin permissions:
apiVersion: v1
kind: ServiceAccount
metadata:
name: tiller
namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: tiller
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
subjects:
- kind: ServiceAccount
name: tiller
namespace: kube-system
Perform the installation:
kubectl apply -f rbac-config.yml
helm init --tiller-tls --tiller-tls-cert ./tiller.cert.pem --tiller-tls-key ./tiller.key.pem --tiller-tls-verify --tls-ca-cert issuing_ca.cert.pem --service-account=tiller
Verify that TLS is enforced by running helm list without the --tls flag; it should fail with Error: transport is closing
Copy certs to helm home:
cp issuing_ca.cert.pem $(helm home)/ca.pem
cp helm.cert.pem $(helm home)/cert.pem
cp helm.key.pem $(helm home)/key.pem
Use helm list --tls
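The two manual steps above (splitting Vault's issue output into PEM files, then copying the client files into helm home) as a small added script; this is example code, not part of the original post. It assumes vault was run with -format=json, whose response carries certificate, private_key, issuing_ca and expiration under data; the sample response is constructed with placeholder PEM bodies.

```python
import json, os, shutil, stat, tempfile

# Constructed sample of `vault write -format=json pki_helm/issue/client common_name="user"`;
# the PEM bodies are placeholders, not real key material, and the timestamps are fixed.
NOW = 1_700_000_000
SAMPLE_VAULT_JSON = json.dumps({"data": {
    "certificate": "-----BEGIN CERTIFICATE-----\nPLACEHOLDER-CLIENT\n-----END CERTIFICATE-----",
    "issuing_ca": "-----BEGIN CERTIFICATE-----\nPLACEHOLDER-CA\n-----END CERTIFICATE-----",
    "private_key": "-----BEGIN RSA PRIVATE KEY-----\nPLACEHOLDER-KEY\n-----END RSA PRIVATE KEY-----",
    "expiration": NOW + 25 * 86400,  # 25 days left of the client role's 720h max_ttl
}})

def write_pem(path, body, mode=0o644):
    # Create the file with its final mode so a private key never sits world-readable.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, mode)
    with os.fdopen(fd, "w") as f:
        f.write(body.rstrip("\n") + "\n")

def write_cert_files(vault_json, outdir, prefix):
    """Split Vault's JSON response into <prefix>.cert.pem, <prefix>.key.pem and
    issuing_ca.cert.pem, the file names the post uses for tiller and helm."""
    data = json.loads(vault_json)["data"]
    paths = {"cert": os.path.join(outdir, f"{prefix}.cert.pem"),
             "key": os.path.join(outdir, f"{prefix}.key.pem"),
             "ca": os.path.join(outdir, "issuing_ca.cert.pem")}
    write_pem(paths["cert"], data["certificate"])
    write_pem(paths["ca"], data["issuing_ca"])
    write_pem(paths["key"], data["private_key"], mode=0o600)
    return paths

def install_client_certs(paths, helm_home):
    """Copy the client files to the names `helm --tls` expects in $(helm home)."""
    for src, dst in (("ca", "ca.pem"), ("cert", "cert.pem"), ("key", "key.pem")):
        shutil.copyfile(paths[src], os.path.join(helm_home, dst))
        os.chmod(os.path.join(helm_home, dst), stat.S_IMODE(os.stat(paths[src]).st_mode))
    return sorted(os.listdir(helm_home))

def days_until_expiry(vault_json, now):
    """Days left on the issued cert; 30-day client certs must be reissued before this hits 0."""
    return (json.loads(vault_json)["data"]["expiration"] - now) // 86400

def demo():
    work, helm_home = tempfile.mkdtemp(), tempfile.mkdtemp()
    paths = write_cert_files(SAMPLE_VAULT_JSON, work, "helm")
    installed = install_client_certs(paths, helm_home)
    key_mode = stat.S_IMODE(os.stat(os.path.join(helm_home, "key.pem")).st_mode)
    return installed, key_mode, days_until_expiry(SAMPLE_VAULT_JSON, NOW)
```

Pipe real vault output into write_cert_files and pass $(helm home) as helm_home; the expiry check is worth wiring into whatever reminds you to reissue the 30-day client certificates.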