Generate certificates by calling the script `generate-tiller-certs.sh`. This will provide a CA, server certs for tiller and client certs for helm / weave flux.
Next deploy Helm with TLS and RBAC enabled:

```sh
kubectl apply -f helm-rbac.yaml
# Deploy helm with mutual TLS enabled
helm init --upgrade --service-account tiller \
  --override 'spec.template.spec.containers[0].command'='{/tiller,--storage=secret}' \
  --tiller-tls \
  --tiller-tls-cert ./tls/server.pem \
  --tiller-tls-key ./tls/server-key.pem \
  --tiller-tls-verify \
  --tls-ca-cert ./tls/ca.pem
```
To check if tiller installed successfully with TLS enabled, try `helm ls`. This should give an error:

```console
# Should give an error
$ helm ls
Error: transport is closing
```
When providing the certificates, it should work correctly:

```sh
helm --tls \
  --tls-ca-cert ./tls/ca.pem \
  --tls-cert ./tls/helm-user.pem \
  --tls-key ./tls/helm-user-key.pem \
  ls
```
First create a new k8s secret for the client certs:

```sh
kubectl create secret tls helm-client --cert=./tls/helm-user.pem --key=./tls/helm-user-key.pem
```

Note: this has to be in the same namespace the helm-operator is deployed in.
Deploy flux with Helm:

```sh
helm repo add weaveworks https://weaveworks.github.io/flux
helm upgrade --install \
  --set helmOperator.create=true \
  --set git.url=$YOUR_GIT_REPO \
  --set helmOperator.tls.enable=true \
  --set helmOperator.tls.verify=true \
  --set helmOperator.tls.secretName=helm-client \
  --set helmOperator.tls.caContent="$(cat ./tls/tiller-ca.pem)" \
  flux \
  ./chart/flux
```

Perform a `kubectl logs` on the helm-operator and observe the helm client being created.
Your CA certificate content is not set correctly; check whether your ConfigMap contains the correct values. Example:

```console
$ kubectl get configmaps flux-helm-tls-ca-config -o yaml
apiVersion: v1
data:
  ca.crt: |
    -----BEGIN CERTIFICATE-----
    ....
    -----END CERTIFICATE-----
kind: ConfigMap
metadata:
  creationTimestamp: 2018-07-04T15:27:25Z
  name: flux-helm-tls-ca-config
  namespace: helm-system
  resourceVersion: "1267257"
  selfLink: /api/v1/namespaces/helm-system/configmaps/flux-helm-tls-ca-config
  uid: c106f866-7f9e-11e8-904a-025000000001
```
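A pre-flight script covering the failure points raised in this thread: client cert not signed by the CA Tiller was started with, cert/key mismatch, the `helm-client` secret landing in `default` instead of the helm-operator's namespace, and ConfigMap CA content that does not match `ca.pem`. This is an added example, not code from the Flux or Helm projects; it assumes the `./tls` file names used above, the `helm-client` secret and `flux-helm-tls-ca-config` ConfigMap names, and `openssl` and `kubectl` on PATH.

```shell
# Pre-flight checks for the TLS Tiller + Flux helm-operator setup above.
# Added example, not part of Flux or Helm. Assumed: the ./tls layout from
# the thread (ca.pem, helm-user.pem, helm-user-key.pem), a secret named
# helm-client and a ConfigMap named flux-helm-tls-ca-config in the
# helm-operator's namespace, and openssl plus kubectl on PATH.

# 1. The client cert must chain to the CA Tiller was started with; with
#    --tiller-tls-verify Tiller rejects any other client cert.
check_client_chain() {
  openssl verify -CAfile "$1/ca.pem" "$1/helm-user.pem" >/dev/null 2>&1
}

# 2. Cert and key must belong together; public keys are compared rather
#    than RSA moduli so the check also works for EC keys.
check_key_matches_cert() {
  local cert_pub key_pub
  cert_pub=$(openssl x509 -in "$1/helm-user.pem" -noout -pubkey 2>/dev/null)
  key_pub=$(openssl pkey -in "$1/helm-user-key.pem" -pubout 2>/dev/null)
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# 3. The helm-client secret must live in the helm-operator's namespace;
#    'kubectl create secret' without -n silently puts it in 'default'.
check_secret_namespace() {
  local found
  found=$(kubectl get secret helm-client -n "$1" -o jsonpath='{.metadata.namespace}' 2>/dev/null)
  [ "$found" = "$1" ]
}

# 4. The CA handed to the operator via helmOperator.tls.caContent must equal
#    the local ca.pem (whitespace differences introduced by --set are ignored).
check_configmap_ca() {
  local cm_ca local_ca
  cm_ca=$(kubectl get configmap flux-helm-tls-ca-config -n "$2" \
            -o jsonpath='{.data.ca\.crt}' 2>/dev/null | tr -d '[:space:]')
  local_ca=$(tr -d '[:space:]' < "$1/ca.pem")
  [ -n "$cm_ca" ] && [ "$cm_ca" = "$local_ca" ]
}

# Runs every check and returns 0 only if all of them pass.
# Usage: helm_tls_preflight ./tls helm-system
helm_tls_preflight() {
  local dir="$1" ns="$2" rc=0 name
  for name in check_client_chain check_key_matches_cert; do
    "$name" "$dir" && echo "ok   $name" || { echo "FAIL $name"; rc=1; }
  done
  check_secret_namespace "$ns" && echo "ok   secret helm-client in $ns" \
    || { echo "FAIL secret helm-client not in namespace $ns"; rc=1; }
  check_configmap_ca "$dir" "$ns" && echo "ok   ConfigMap CA matches ca.pem" \
    || { echo "FAIL ConfigMap CA differs from $dir/ca.pem"; rc=1; }
  return $rc
}
```

Run it with the namespace you deployed the helm-operator into (`helm-system` in the ConfigMap above) before looking at operator logs; a FAIL on check 3 is exactly the "secret ended up in default" situation.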
@thojkooi Thanks... yeah I figured that was part of it so I tried to modify things to use `helm-system` as well but still ended up with things not working correctly. The fact that your snippet is using a different `namespace` is okay, but I think it was when I tried to add the proper namespace to the additional `helm init` and `helm install flux` commands, along with the `--tls` flag to the helm commands, that I was running into issues. You could also mention that environment variables like `TILLER_NAMESPACE` and `HELM_TLS_ENABLE` could be used if you want to continue using a different `namespace`. Also you added the `helm-client` secret but didn't specify which namespace. So if the secret is in the `flux` namespace then flux should be able to use it, but since tiller is in either `helm-system` or `kube-system` I wasn't sure if that's where it needed to be. By default with the above command the secret gets installed in `default`.