Configure Remote Helm Client

For non-admin users use of the helm client, you must create your own Tiller server, in a namespace that you have access to, with the required RBAC capabilities and optionally TLS protection.

About this task

To create a Tiller server with RBAC permissions within the default namespace, complete the following steps on the controller: Except where indicated, these commands can be run by the non-admin user, locally or remotely.

Note

If you are using container-backed helm CLIs and clients (method 1), ensure you change directories to <$HOME>/remote_cli_wd.

Prerequisites

• Your remote kubectl access is configured. For more information, see, Configuring Container-backed Remote CLIs, or Installing Kubectl and Helm Clients Directly on a Host.

• Your StarlingX administrator has setup the required RBAC policies for the tiller ServiceAccount in your namespace.

Procedure

1. Set the namespace.

   ~(keystone_admin)]$ NAMESPACE=default
   

2. Set up your Tiller account, roles, and bindings in your namespace.

   1. Execute the following commands.

      % cat <<EOF > default-tiller-sa.yaml
      apiVersion: v1
      kind: ServiceAccount
      metadata:
        name: tiller
        namespace: <namespace>
      ---
      apiVersion: rbac.authorization.k8s.io/v1
      kind: Role
      metadata:
        name: tiller
        namespace: <namespace>
      rules:
      - apiGroups: ["*"]
        resources: ["*"]
        verbs: ["*"]
      ---
      apiVersion: rbac.authorization.k8s.io/v1
      kind: RoleBinding
      metadata:
        name: tiller
        namespace: <namespace>
      roleRef:
        apiGroup: rbac.authorization.k8s.io
        kind: Role
        name: tiller
      subjects:
      - kind: ServiceAccount
        name: tiller
        namespace: <namespace>
      EOF
      % kubectl apply -f default-tiller-sa.yaml
      

3. Initialize the Helm account.

   ~(keystone_admin)]$ helm init --service-account=tiller --tiller-namespace=$NAMESPACE --output yaml | sed 's@apiVersion: extensions/v1beta1@apiVersion: apps/v1@' | sed 's@ replicas: 1@ replicas: 1\n \ selector: {"matchLabels": {"app": "helm", "name": "tiller"}}@' > helm-init.yaml
   ~(keystone_admin)]$ kubectl apply -f helm-init.yaml
   ~(keystone_admin)]$ helm init --client-only --home "./.helm"
   

   Note

   Ensure that each of the patterns between single quotes in the above sed commands are on single lines when run from your command-line interface.

   Note

   Add the following options if you are enabling TLS for this Tiller:

   --tiller-tls

   Enable TLS on Tiller.

   --tiller-tls-cert <certificate_file>

   The public key/certificate for Tiller (signed by --tls-ca-cert).

   --tiller-tls-key <key_file>

   The private key for Tiller.

   --tiller-tls-verify

   Enable authentication of client certificates (i.e. validate they are signed by --tls-ca-cert).

   --tls-ca-cert <certificate_file>

   The public certificate of the CA used for signing Tiller server and helm client certificates.

Results

You can now use the private Tiller server remotely or locally by specifying the --tiller-namespace default option on all helm CLI commands. For example:

helm version --tiller-namespace <namespace>
helm install --name wordpress stable/wordpress --tiller-namespace <namespace>

Note

If you are using container-backed helm CLI and Client (method 1), then you change directory to <$HOME>/remote_cli_wd and include the following option on all helm commands:

--home "./.helm"

See also

Configuring Container-backed Remote CLIs

Use Container-backed Remote CLIs and Clients

Installing Kubectl and Helm Clients Directly on a Host