# K8S Tiller TLS Certs Module

This Terraform Module can be used to generate a Certificate Authority (CA) public key, which is then used to generate a
signed TLS certificate. These certs are then stored in a Kubernetes `Secret` so that they can be used with Tiller and
`kubergrunt` to manage authentication to Tiller.

If you are unfamiliar with how TLS works, check out [this primer on TLS/SSL](/repos/terraform-aws-vault/modules/private-tls-cert#background).

You can read more about Helm, Tiller, and their security model in our [Helm guide](/repos/kubergrunt/HELM_GUIDE.md).

**WARNING: The private keys generated by this module will be stored unencrypted in your Terraform state file. If you are
sensitive to storing secrets in your Terraform state file, consider using `kubergrunt` to generate and manage your TLS
certificate. See [the k8s-tiller-kubergrunt-minikube example](/repos/v0.6.2/terraform-kubernetes-helm/examples/k8s-tiller-kubergrunt-minikube) for how to use
`kubergrunt` for TLS management.**
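To see concretely what that warning means, here is an added example (not part of this module or of Gruntwork's code) that walks a Terraform state document and lists every output and resource attribute holding a PEM private key, which is what a remote state backend would receive after `terraform apply`. The state it scans is constructed inline in the shape Terraform writes (state format version 4); the `tls_private_key`/`kubernetes_secret` resource names and the `ca.pem`/`ca.crt` data keys are assumptions, while the output names are the ones used later in this README.

```python
"""Report private-key material in a Terraform state file (added example)."""
import json
import re

# Any PEM block whose label ends in "PRIVATE KEY" (RSA, EC, PKCS#8, ...).
PRIVATE_KEY_RE = re.compile(r"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----")

# Constructed state document with fake key bodies; resource names are assumed.
SAMPLE_STATE = json.dumps({
    "version": 4,
    "outputs": {
        "ca_tls_certificate_key_pair_certificate_pem": {
            "type": "string",
            "value": "-----BEGIN CERTIFICATE-----\nMIIB...fake...\n-----END CERTIFICATE-----\n",
        },
        "tls_certificate_key_pair_private_key_pem": {
            "type": "string",
            "value": "-----BEGIN RSA PRIVATE KEY-----\nMIIE...fake...\n-----END RSA PRIVATE KEY-----\n",
        },
    },
    "resources": [
        {
            "mode": "managed", "type": "tls_private_key", "name": "ca",
            "instances": [{"attributes": {
                "algorithm": "ECDSA",
                "private_key_pem": "-----BEGIN EC PRIVATE KEY-----\nMHc...fake...\n-----END EC PRIVATE KEY-----\n",
                "public_key_pem": "-----BEGIN PUBLIC KEY-----\nMFk...fake...\n-----END PUBLIC KEY-----\n",
            }}],
        },
        {
            "mode": "managed", "type": "kubernetes_secret", "name": "ca_certs",
            "instances": [{"attributes": {
                "metadata": [{"name": "tiller-ca-certs", "namespace": "kube-system"}],
                "data": {
                    "ca.crt": "-----BEGIN CERTIFICATE-----\nMIIB...fake...\n-----END CERTIFICATE-----\n",
                    "ca.pem": "-----BEGIN RSA PRIVATE KEY-----\nMIIE...fake...\n-----END RSA PRIVATE KEY-----\n",
                },
            }}],
        },
    ],
})


def _walk(value, path):
    """Yield (json_path, leaf) for every scalar inside a nested JSON value."""
    if isinstance(value, dict):
        for key, child in value.items():
            yield from _walk(child, f"{path}.{key}")
    elif isinstance(value, list):
        for index, child in enumerate(value):
            yield from _walk(child, f"{path}[{index}]")
    else:
        yield path, value


def find_private_keys(state_json):
    """Return the paths inside a Terraform state that hold PEM private keys."""
    state = json.loads(state_json)
    hits = []
    # Outputs are stored in clear text in the state, exactly like attributes.
    for out_name, out in state.get("outputs", {}).items():
        for path, leaf in _walk(out.get("value"), f"outputs.{out_name}"):
            if isinstance(leaf, str) and PRIVATE_KEY_RE.search(leaf):
                hits.append(path)
    # Every resource instance's attributes are stored in full as well.
    for res in state.get("resources", []):
        addr = f"{res['type']}.{res['name']}"
        for index, inst in enumerate(res.get("instances", [])):
            for path, leaf in _walk(inst.get("attributes", {}), f"{addr}[{index}]"):
                if isinstance(leaf, str) and PRIVATE_KEY_RE.search(leaf):
                    hits.append(path)
    return hits


if __name__ == "__main__":
    for hit in find_private_keys(SAMPLE_STATE):
        print("private key stored in state at:", hit)
```

Running it against a real state (`terraform state pull | python3 this_script.py` with the `SAMPLE_STATE` swapped for `sys.stdin.read()`) shows that the key material appears three times over: as the `tls_private_key` attribute, inside the `kubernetes_secret` resource that copies it into the cluster, and in any output that exposes it. That is why the README's temporary-module procedure insists on no remote state and on deleting the local state afterwards.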
## How do you use this module?

* See the [root README](/repos/v0.6.2/terraform-kubernetes-helm/README.md) for instructions on using Terraform modules.
* This module uses [the `kubernetes` provider](https://www.terraform.io/docs/providers/kubernetes/index.html).
* See the [examples](/repos/v0.6.2/terraform-kubernetes-helm/examples) folder for example usage.
* See [variables.tf](/repos/v0.6.2/terraform-kubernetes-helm/modules/k8s-tiller-tls-certs/variables.tf) for all the variables you can set on this module.
* See [outputs.tf](/repos/v0.6.2/terraform-kubernetes-helm/modules/k8s-tiller-tls-certs/outputs.tf) for all the variables that are output by this module.
## How do you use the generated TLS certs with Tiller?

This module will generate TLS certificate key pairs and store them in a Kubernetes `Secret`, outputting the name of the
`Secret`. You can then pass the `Secret` name (output variable `signed_tls_certificate_key_pair_secret_name`) to the
[k8s-tiller module](/repos/v0.6.2/terraform-kubernetes-helm/modules/k8s-tiller) as the input variable
`tiller_tls_secret_name`. Tiller will then be able to find the generated TLS certificate key pairs and mount them into
the container so that the server can use them.
## How do you use the generated TLS certs with kubergrunt for client side TLS management?

`kubergrunt` provides TLS management features that can be used for managing client side TLS certs for use with `helm`.
This module is compatible with the `kubergrunt` approach, although it requires a few labels on the created `Secret`
resource so that `kubergrunt` can properly find the CA private key.

`kubergrunt`'s model of client side TLS management works by looking for the `Secret` that stores the CA certificate key
pair, which it can use to generate client side TLS certs to authenticate the client. These CA certs need to be the ones
used for generating the server side TLS certs, so that the two way verification works.

To allow `kubergrunt` to find the TLS certs, the following must be set:

```
# kubergrunt looks for CA certs in the kube-system Namespace.
ca_tls_certificate_key_pair_secret_namespace = "kube-system"

# kubergrunt uses the following labels to look for Tiller related certs
ca_tls_certificate_key_pair_secret_labels = {
  "gruntwork.io/tiller-namespace"        = "{NAME_OF_TILLER_NAMESPACE}"
  "gruntwork.io/tiller-credentials"      = "true"
  "gruntwork.io/tiller-credentials-type" = "ca"
}

# kubergrunt uses the following name to look for the CA certs
ca_tls_certificate_key_pair_secret_name = "{NAME_OF_TILLER_NAMESPACE}-namespace-tiller-ca-certs"
```

With these input variables, `kubergrunt` should be able to locate the generated CA certs and use them to generate client
side certs when you use the `kubergrunt helm grant` command.
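To check a cluster against those three conditions before running `kubergrunt helm grant`, here is an added example (not kubergrunt's own code) that reproduces the lookup this section describes over `Secret` manifests of the form `kubectl get secrets -A -o json` returns, and reports which of the Namespace, name and label requirements each candidate fails. The manifests are constructed inline, and `check_secret`/`find_ca_secret` are names chosen for this example.

```python
"""Preflight check for the kubergrunt CA Secret lookup (added example)."""

# Where kubergrunt looks for the CA key pair, per this README.
KUBERGRUNT_NAMESPACE = "kube-system"


def expected_labels(tiller_namespace):
    """The three labels this README says must be on the CA Secret."""
    return {
        "gruntwork.io/tiller-namespace": tiller_namespace,
        "gruntwork.io/tiller-credentials": "true",
        "gruntwork.io/tiller-credentials-type": "ca",
    }


def expected_name(tiller_namespace):
    """The Secret name pattern this README says kubergrunt uses."""
    return f"{tiller_namespace}-namespace-tiller-ca-certs"


def check_secret(secret, tiller_namespace):
    """List the reasons kubergrunt would skip this Secret (empty list = match)."""
    meta = secret.get("metadata", {})
    labels = meta.get("labels") or {}
    problems = []
    if meta.get("namespace") != KUBERGRUNT_NAMESPACE:
        problems.append(
            f"namespace is {meta.get('namespace')!r}, expected {KUBERGRUNT_NAMESPACE!r}")
    want_name = expected_name(tiller_namespace)
    if meta.get("name") != want_name:
        problems.append(f"name is {meta.get('name')!r}, expected {want_name!r}")
    for key, want in expected_labels(tiller_namespace).items():
        got = labels.get(key)
        if got != want:
            problems.append(f"label {key}={got!r}, expected {want!r}")
    return problems


def find_ca_secret(secrets, tiller_namespace):
    """Return (first matching 'namespace/name' or None, {'namespace/name': problems})."""
    report = {}
    match = None
    for secret in secrets:
        meta = secret.get("metadata", {})
        ref = f"{meta.get('namespace')}/{meta.get('name')}"
        report[ref] = check_secret(secret, tiller_namespace)
        if match is None and not report[ref]:
            match = ref
    return match, report


# Constructed manifests (metadata only): the first sits in the Tiller Namespace
# instead of kube-system, the second is what this module creates when configured
# as above, the third is labelled as a client credential rather than the CA.
SAMPLE_SECRETS = [
    {"metadata": {"name": "dev-namespace-tiller-ca-certs", "namespace": "dev",
                  "labels": expected_labels("dev")}},
    {"metadata": {"name": "dev-namespace-tiller-ca-certs", "namespace": "kube-system",
                  "labels": {"gruntwork.io/tiller-namespace": "dev",
                             "gruntwork.io/tiller-credentials": "true",
                             "gruntwork.io/tiller-credentials-type": "ca"}}},
    {"metadata": {"name": "prod-namespace-tiller-ca-certs", "namespace": "kube-system",
                  "labels": dict(expected_labels("prod"),
                                 **{"gruntwork.io/tiller-credentials-type": "client"})}},
]


if __name__ == "__main__":
    for ns in ("dev", "prod"):
        match, report = find_ca_secret(SAMPLE_SECRETS, ns)
        print(f"tiller namespace {ns}: match = {match}")
        for ref, problems in report.items():
            for problem in problems:
                print(f"  {ref}: {problem}")
```

The report is the useful part when `kubergrunt helm grant` cannot find the CA: a Secret that exists but is in the wrong Namespace, or carries the right labels under a different name, shows up with the exact condition it misses instead of a bare "not found".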
## How do you use the generated TLS certs to sign additional certificates?

In order to access Tiller, you will typically need to generate additional signed certificates using the generated TLS CA
certs. You have two options for generating the client side TLS certs:

* [Using the `k8s-helm-client-tls-certs` module](#using-the-k8s-helm-client-tls-certs-module)
* [Using `kubergrunt`](#using-kubergrunt)

#### Using the k8s-helm-client-tls-certs module

`k8s-helm-client-tls-certs` is designed to take a CA TLS cert generated using `k8s-tiller-tls-certs` and generate new
signed TLS certs that can be used as verified clients. To use the module for this purpose, you can either call out to
the module in your terraform code (like we do here to generate one for the operator), or use it directly as a temporary
module.
Follow these steps to use it as a temporary module:

1. Copy this module to your computer.
2. Open `variables.tf` and fill in the variables that do not have a default.
3. DO NOT configure Terraform remote state storage for this code. You do NOT want to store the state files as they will
   contain the private keys for the certificates.
4. DO NOT configure `store_in_kubernetes_secret` to `true`. You do NOT want to store the certificates in Kubernetes
   without the state file.
5. Run `terraform apply`.
6. Extract the generated certificates from the output and store them to a file. E.g:

   ```
   terraform output tls_certificate_key_pair_private_key_pem > client.pem
   terraform output tls_certificate_key_pair_certificate_pem > client.crt
   terraform output ca_tls_certificate_key_pair_certificate_pem > ca.crt
   ```

7. Share the extracted files with the user.
8. Delete your local Terraform state: `rm -rf terraform.tfstate*`. The Terraform state will contain the private keys for
   the certificates, so it's important to clean it up!
The user can then install the certs and set up the client by copying them into the helm home directory, and then
running `helm init`. For example:

```
mkdir -p $HOME/.helm
cp client.pem $HOME/.helm
cp client.crt $HOME/.helm
cp ca.crt $HOME/.helm
helm init --client-only
```

Once the certificates are installed and the client is configured, your user is ready to use `helm`. However, by default
the `helm` client does not assume a TLS setup. In order for the `helm` client to properly communicate with the deployed
Tiller instance, it needs to be told to use TLS verification. These are specified through command line arguments. If
everything is configured correctly, you should be able to access the Tiller that was deployed with the following args:

```
helm version --tls --tls-verify --tiller-namespace NAMESPACE_OF_TILLER
```

If you have access to Tiller, this should return both the client version and the server version of Helm. Note that
you need to pass the above CLI arguments every time you want to use `helm`.
#### Using kubergrunt

`kubergrunt` automates this process in the `grant` and `configure` commands. For example, suppose you wanted to grant
access to the deployed Tiller to a group of users grouped under the RBAC group `dev`. You can grant them access using
the following command:

```
kubergrunt helm grant --tiller-namespace NAMESPACE_OF_TILLER --rbac-group dev --tls-common-name dev --tls-org YOUR_ORG
```

This will generate a new certificate key pair for the client and upload it as a `Secret`. Then, it will bind new RBAC
roles to the `dev` RBAC group that grant it permission to access the Tiller pod and the uploaded `Secret`.

This in turn allows your users to configure their local client using `kubergrunt`:

```
kubergrunt helm configure --tiller-namespace NAMESPACE_OF_TILLER --rbac-group dev
```

At the end of this, your users are ready to use `helm`. However, like the previous method, you will need to enable a few
flags on the `helm` client to indicate that TLS verification is required. For convenience, `kubergrunt` also installs an
environment file into your helm home directory that sets the same flags using environment variables. You can dot source
this file to use `helm` without passing in the flags:

```
. ~/.helm/env
helm version
```