Generate certificates by calling the script `generate-tiller-certs.sh`. This will provide a CA, server certs for tiller and client certs for helm / weave flux.

Next, deploy Helm with TLS and RBAC enabled:
```shell
kubectl apply -f helm-rbac.yaml

# Deploy helm with mutual TLS enabled.
# --storage=secret keeps release data in Secrets rather than ConfigMaps;
# --tiller-tls-verify makes tiller require a client cert signed by the CA in --tls-ca-cert.
helm init --upgrade --service-account tiller \
  --override 'spec.template.spec.containers[0].command'='{/tiller,--storage=secret}' \
  --tiller-tls \
  --tiller-tls-cert ./tls/server.pem \
  --tiller-tls-key ./tls/server-key.pem \
  --tiller-tls-verify \
  --tls-ca-cert ./tls/ca.pem
```
To check whether tiller installed successfully with TLS enabled, try `helm ls` without providing any certificates. This should give an error:

```shell
# Should give an error
$ helm ls
Error: transport is closing
```
When providing the certificates, it should work correctly:
```shell
helm --tls \
  --tls-ca-cert ./tls/ca.pem \
  --tls-cert ./tls/helm-user.pem \
  --tls-key ./tls/helm-user-key.pem \
  ls
```
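Before handing the generated files to `helm init` or storing the client pair in a Kubernetes secret, it is worth confirming that each private key matches its certificate and that both the server and the client certificate chain to the same CA, because a mismatch only shows up later as a TLS handshake failure in helm or the helm-operator. The following check is an added example, not part of the original snippet or of `generate-tiller-certs.sh`; it assumes the `./tls/` file names used on this page and that `openssl` is on the PATH.

```shell
#!/bin/sh
# Added pre-flight check (not from the original page): verify that a cert/key pair belongs
# together and that the certificate is signed by the CA tiller and helm will be configured with.
# Assumed layout (as on this page): ./tls/ca.pem, ./tls/server.pem, ./tls/server-key.pem,
#                                   ./tls/helm-user.pem, ./tls/helm-user-key.pem

# check_cert_pair CA CERT KEY -> returns 0 when KEY matches CERT and CERT chains to CA and is valid now
check_cert_pair() {
    ca="$1"; cert="$2"; key="$3"
    for f in "$ca" "$cert" "$key"; do
        [ -r "$f" ] || { echo "missing or unreadable: $f" >&2; return 1; }
    done
    # The public key derived from the private key must equal the one embedded in the certificate,
    # otherwise the TLS handshake fails with an unhelpful error on the helm side.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) \
        || { echo "$cert: not a certificate" >&2; return 1; }
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) \
        || { echo "$key: not a private key" >&2; return 1; }
    [ "$cert_pub" = "$key_pub" ] || { echo "$key does not match $cert" >&2; return 1; }
    # Chain and validity check against the CA passed as --tls-ca-cert / helmOperator.tls.caContent.
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
        || { echo "$cert is not signed by $ca (or is expired)" >&2; return 1; }
    echo "ok: $cert matches $key and chains to $ca"
    return 0
}

# Run directly as: sh check-tls.sh ./tls/ca.pem ./tls/server.pem ./tls/server-key.pem
#              or: sh check-tls.sh ./tls/ca.pem ./tls/helm-user.pem ./tls/helm-user-key.pem
if [ "$#" -eq 3 ]; then
    check_cert_pair "$1" "$2" "$3"
fi
```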
First, create a new k8s secret for the client certs:

```shell
kubectl create secret tls helm-client --cert=./tls/helm-user.pem --key=./tls/helm-user-key.pem
```

Note: this has to be in the same namespace as the helm-operator is deployed in.
Deploy flux with Helm:

```shell
helm repo add weaveworks https://weaveworks.github.io/flux

# caContent is the CA that signed tiller's server certificate; the helm-operator uses it
# to verify tiller, and the helm-client secret provides its own client certificate.
helm upgrade --install \
  --set helmOperator.create=true \
  --set git.url=$YOUR_GIT_REPO \
  --set helmOperator.tls.enable=true \
  --set helmOperator.tls.verify=true \
  --set helmOperator.tls.secretName=helm-client \
  --set helmOperator.tls.caContent="$(cat ./tls/tiller-ca.pem)" \
  flux \
  ./chart/flux
```

Perform a `kubectl logs` on the helm-operator and observe the helm client being created.
When your CA certificate content is not set correctly, check whether your ConfigMap contains the correct values. Example:

```shell
$ kubectl get configmaps flux-helm-tls-ca-config -o yaml
apiVersion: v1
data:
  ca.crt: |
    -----BEGIN CERTIFICATE-----
    ....
    -----END CERTIFICATE-----
kind: ConfigMap
metadata:
  creationTimestamp: 2018-07-04T15:27:25Z
  name: flux-helm-tls-ca-config
  namespace: helm-system
  resourceVersion: "1267257"
  selfLink: /api/v1/namespaces/helm-system/configmaps/flux-helm-tls-ca-config
  uid: c106f866-7f9e-11e8-904a-025000000001
```
I've used the namespace `helm-system` in this snippet. The default is `kube-system` - the error you gave indicates that the RBAC rules are missing to access the secrets in the `kube-system` namespace. So this snippet has some confusing (or missing) information, sorry about that. I assume you have a `helm-system` namespace that's mostly empty. You can probably delete that (or install helm in its namespace, using the flag `--tiller-namespace=helm-system` during the `helm init`). But do double check though.

Next, install the following RBAC rules in `kube-system`: