# Road to startup infra - Part 4 - Kubernetes Post Installation


# Helm

Before installing Helm, create certificates so that TLS provides both authentication and transport security between the helm client and Tiller. I assume you created your own certificate authority with Vault
in the previous post [Certificate Authority](./certificate-authority.md); if not, adapt the steps to your setup.

Generate the Certs
-----------------------

The role below can issue certificates for the Tiller server, with a maximum lifetime of one year.

    vault write pki_helm/roles/tiller allowed_domains=tiller allow_bare_domains=true allow_subdomains=false organization="Company Ltd" max_ttl=8760h 

The role below can issue certificates for client authentication (the helm users), valid for 30 days.

    vault write pki_helm/roles/client allow_any_name=true organization="Company Ltd" max_ttl=720h

Generate the certs:

    vault write pki_helm/issue/tiller common_name="tiller"
    vault write pki_helm/issue/client common_name="user"

Take the certificate, private key and issuing CA from each command's output and save them to the files used in the commands below.
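One way to do this step, as an added example that is not from the original post: it assumes the issue commands are run with `-format=json` and that the response carries `certificate`, `private_key` and `issuing_ca` under `data`. The `write_bundle` helper, the `split_cert.py` script name and the embedded sample response are constructed for illustration; the output file names match the ones used in the commands further down.

```python
import json
import os
import sys

# Constructed sample shaped like a Vault PKI issue response; PEM bodies are placeholders.
SAMPLE = {"data": {
    "certificate": "-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----",
    "issuing_ca": "-----BEGIN CERTIFICATE-----\nPLACEHOLDER-CA\n-----END CERTIFICATE-----",
    "private_key": "-----BEGIN RSA PRIVATE KEY-----\nPLACEHOLDER\n-----END RSA PRIVATE KEY-----",
}}


def write_bundle(response, name, outdir="."):
    """Split one issue response into PEM files; return {field: path}.

    write_bundle is a hypothetical helper. Raises ValueError, before writing
    anything, if a field is missing or is not PEM text.
    """
    data = response.get("data") or {}
    targets = {
        "certificate": f"{name}.cert.pem",
        "private_key": f"{name}.key.pem",
        "issuing_ca": "issuing_ca.cert.pem",
    }
    for field in targets:
        if not str(data.get(field) or "").lstrip().startswith("-----BEGIN "):
            raise ValueError(f"no PEM block in data.{field}")
    written = {}
    for field, filename in targets.items():
        path = os.path.join(outdir, filename)
        # The private key is readable by its owner only; certificates are public.
        mode = 0o600 if field == "private_key" else 0o644
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, mode)
        os.fchmod(fd, mode)  # also tightens a file that already existed
        with os.fdopen(fd, "w") as fh:
            fh.write(data[field].strip() + "\n")
        written[field] = path
    return written


if __name__ == "__main__":
    # vault write -format=json pki_helm/issue/tiller common_name="tiller" | python3 split_cert.py tiller
    # vault write -format=json pki_helm/issue/client common_name="user" | python3 split_cert.py helm
    for field, path in write_bundle(json.load(sys.stdin), sys.argv[1]).items():
        print(f"{field} -> {path}")
```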

Install Helm
---------------

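The RBAC configuration below grants the tiller service account cluster-admin permissions, which means every holder of a valid client certificate can act on the cluster with those rights: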


```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: tiller
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: tiller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
  - kind: ServiceAccount
    name: tiller
    namespace: kube-system

```

Perform the installation:

    kubectl apply -f rbac-config.yml
    helm init --tiller-tls --tiller-tls-cert ./tiller.cert.pem --tiller-tls-key ./tiller.key.pem --tiller-tls-verify --tls-ca-cert issuing_ca.cert.pem --service-account=tiller

Verify TLS with `helm list`: without the `--tls` flag it should fail with __Error: transport is closing__

Copy certs to helm home:

    cp issuing_ca.cert.pem $(helm home)/ca.pem
    cp helm.cert.pem $(helm home)/cert.pem
    cp helm.key.pem $(helm home)/key.pem

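From now on, pass `--tls` to helm commands, for example `helm list --tls`; the client reads the files copied above from helm home.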

