Tiller / Helm

Deploy Tiller (Helm Server) to your Kubernetes cluster as a service/package manager. Supports namespaces, service accounts, RBAC roles, and TLS.

K8S Helm Client TLS Certs Module

This Terraform Module can be used to generate a signed TLS certificate key pair that can be used to authenticate the helm client with Tiller. These certs can optionally be stored in a Kubernetes Secret, which can then be shared with the client. Note that the Secret is configured such that it is compatible with kubergrunt helm configure for setting up the helm client.

This module assumes the CA certs are stored as Kubernetes Secrets on the cluster, either via kubergrunt or the k8s-tiller-tls-certs module.

If you are unfamiliar with how TLS works, check out this primer on TLS/SSL.

You can read more about Helm, Tiller, and their security model in our Helm guide.

WARNING: The private keys generated by this module will be stored unencrypted in your Terraform state file. If you are sensitive to storing secrets in your Terraform state file, consider using kubergrunt to generate and manage your TLS certificate. See the k8s-tiller-kubergrunt-minikube example for how to use kubergrunt for TLS management.

How do you use this module?

How do I configure Helm to use the generated TLS certs?

To configure the helm client to use the generated TLS certs, the certs must first be downloaded onto the machine. There are two ways to access the generated TLS certs:

  • Directly using the module outputs
  • Via the Kubernetes Secret (if var.store_in_kubernetes_secret is true)

These certs should be shared with the user so that they can install them on their machine. Once the certs are shared, they need to be stored on the local file system in the helm home directory. By default the helm home directory is $HOME/.helm, but this is configurable. In the helm home directory, store the certs under the names:

  • ca.crt: The CA public certificate file, encoded in PEM format.
  • client.pem: The private key of the client TLS certificate key pair, encoded in PEM format.
  • client.crt: The public certificate of the client TLS certificate key pair, encoded in PEM format.

Once the certificate key pairs are stored, the helm client will automatically discover them when connecting to Tiller with TLS enabled. You need to pass in the CLI args --tls and --tls-verify to enable TLS verification with the client. For example, to run the ls command to list releases:

helm ls --tls --tls-verify

Note that the CLI args must come after the subcommand.
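As an added example (not code from this module or from kubergrunt), the following Python helper takes the Secret as printed by `kubectl get secret <name> -o json`, checks that each entry is the kind of PEM block the file name implies, and writes the three files into the helm home directory with owner-only permissions. It assumes the Secret's data keys use the same names as the files helm expects; the sample Secret is constructed with placeholder PEM bodies.

```python
import base64
import json
import os
from pathlib import Path

# File name helm expects in its home directory -> PEM label the content must
# carry. ASSUMPTION: the Secret's data keys use these same names (the module
# lays the Secret out for `kubergrunt helm configure`; adjust if yours differ).
# Checking the label catches a swapped key/cert, which helm would otherwise
# only surface later as an opaque TLS handshake failure.
HELM_TLS_FILES = {
    "ca.crt": b"CERTIFICATE",      # CA public certificate
    "client.crt": b"CERTIFICATE",  # client public certificate
    "client.pem": b"PRIVATE KEY",  # client private key (RSA/EC/PKCS#8 headers)
}

# Constructed sample of `kubectl get secret <name> -o json` output; the PEM
# bodies are placeholders, not real key material.
SAMPLE_SECRET_JSON = json.dumps({"data": {
    name: base64.b64encode(
        b"-----BEGIN %s-----\nMIIB...placeholder...\n-----END %s-----\n" % (lbl, lbl)
    ).decode()
    for name, lbl in HELM_TLS_FILES.items()
}})


def install_helm_tls_certs(secret_json: str, helm_home) -> dict:
    """Decode the Secret's base64 data and write the TLS files into helm_home
    (default $HOME/.helm) with owner-only permissions. Returns name -> path."""
    data = json.loads(secret_json).get("data") or {}
    helm_home = Path(helm_home)
    helm_home.mkdir(parents=True, exist_ok=True)
    written = {}
    for name, label in HELM_TLS_FILES.items():
        if name not in data:
            raise KeyError(f"Secret has no data key {name!r}")
        pem = base64.b64decode(data[name])
        first_line = pem.split(b"\n", 1)[0]
        if not first_line.startswith(b"-----BEGIN ") or label not in first_line:
            raise ValueError(f"{name}: expected a PEM {label.decode()} block")
        path = helm_home / name
        # Create with mode 0600 from the first write; relying on umask alone
        # does not guarantee the private key is never group/world readable.
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, "wb") as fh:
            fh.write(pem)
        os.chmod(path, 0o600)  # also fixes permissions if the file pre-existed
        written[name] = path
    return written
```

After running it against the real Secret, `helm ls --tls --tls-verify` should succeed without any further configuration.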
