Configure Remote Helm Client

For non-admin users use of the helm client, you must create your own Tiller server, in a namespace that you have access to, with the required RBAC capabilities and optionally TLS protection.

About this task

To create a Tiller server with RBAC permissions within the default namespace, complete the following steps on the controller: Except where indicated, these commands can be run by the non-admin user, locally or remotely.

Note

If you are using container-backed helm CLIs and clients (method 1), ensure you change directories to <$HOME>/remote_cli_wd.

Prerequisites

Procedure

  1. Set the namespace.

    ~(keystone_admin)]$ NAMESPACE=default
    
  2. Set up your Tiller account, roles, and bindings in your namespace.

    1. Execute the following commands.

      % cat <<EOF > default-tiller-sa.yaml
      apiVersion: v1
      kind: ServiceAccount
      metadata:
        name: tiller
        namespace: <namespace>
      ---
      apiVersion: rbac.authorization.k8s.io/v1
      kind: Role
      metadata:
        name: tiller
        namespace: <namespace>
      rules:
      - apiGroups: ["*"]
        resources: ["*"]
        verbs: ["*"]
      ---
      apiVersion: rbac.authorization.k8s.io/v1
      kind: RoleBinding
      metadata:
        name: tiller
        namespace: <namespace>
      roleRef:
        apiGroup: rbac.authorization.k8s.io
        kind: Role
        name: tiller
      subjects:
      - kind: ServiceAccount
        name: tiller
        namespace: <namespace>
      EOF
      % kubectl apply -f default-tiller-sa.yaml
      
  3. Initialize the Helm account.

    ~(keystone_admin)]$ helm init --service-account=tiller --tiller-namespace=$NAMESPACE --output yaml | sed 's@apiVersion: extensions/v1beta1@apiVersion: apps/v1@' | sed 's@ replicas: 1@ replicas: 1\n \ selector: {"matchLabels": {"app": "helm", "name": "tiller"}}@' > helm-init.yaml
    ~(keystone_admin)]$ kubectl apply -f helm-init.yaml
    ~(keystone_admin)]$ helm init –client-only
    

    Note

    Ensure that each of the patterns between single quotes in the above sed commands are on single lines when run from your command-line interface.

    Note

    Add the following options if you are enabling TLS for this Tiller:

    --tiller-tls

    Enable TLS on Tiller.

    --tiller-tls-cert <certificate_file>

    The public key/certificate for Tiller (signed by --tls-ca-cert).

    --tiller-tls-key <key_file>

    The private key for Tiller.

    --tiller-tls-verify

    Enable authentication of client certificates (i.e. validate they are signed by --tls-ca-cert).

    --tls-ca-cert <certificate_file>

    The public certificate of the CA used for signing Tiller server and helm client certificates.

Results

You can now use the private Tiller server remotely or locally by specifying the --tiller-namespace default option on all helm CLI commands. For example:

helm version --tiller-namespace <namespace>
helm install --name wordpress stable/wordpress --tiller-namespace <namespace>

Note

If you are using container-backed helm CLI and Client (method 1), then you change directory to <$HOME>/remote_cli_wd and include the following option on all helm commands:

--home "./.helm"