Giovanni Silva
Giovanni Silva

Giovanni Silva

Road to startup infra - Part 4 - Kubernetes Post Installation

Giovanni Silva's photo
Giovanni Silva
·Jul 29, 2018·

1 min read

Helm

Before installing helm, create Certificates to use TLS as auth and security. I assume you create your own certificate authority using vault in the previous post Certificate Authority, if not, proceed as your setup

Generate the Certs

The role below can issue certificates for the tiller server, and have a maximum of one year time life.

vault write pki_helm/roles/tiller allowed_domains=tiller allow_bare_domains=true allow_subdomains=false organization="Company Ltd" max_ttl=8760h 

The role below can issue certificates for client authentication (the helm users), valid for 30 days.

vault write pki_helm/roles/client allow_any_name=true organization="Company Ltd" max_ttl=720h

Generate the certs:

vault write pki_helm/issue/tiller common_name="tiller"
vault write pki_helm/issue/client common_name="user"

Get the certs and key output and generate appropriated files ()

Install Helm

The rbac bellow grants tiller service cluster-admin permissions:

apiVersion: v1
kind: ServiceAccount
metadata:
  name: tiller
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: tiller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
  - kind: ServiceAccount
    name: tiller
    namespace: kube-system

Perform the installation kubectl apply -f rbac-config.yml helm init --tiller-tls --tiller-tls-cert ./tiller.cert.pem --tiller-tls-key ./tiller.key.pem --tiller-tls-verify --tls-ca-cert issuing_ca.cert.pem --service-account=tiller

Verify tls with helm list, it should error with Error: transport is closing

Copy certs to helm home:

cp issuing_ca.cert.pem $(helm home)/ca.pem
cp helm.cert.pem $(helm home)/cert.pem
helm.key.pem $(helm home)/key.pem

Use helm list --tls

 
Share this