This Terraform module generates a signed TLS certificate key pair that the helm client uses to authenticate itself to
Tiller. The certs can optionally be stored in a Kubernetes Secret that is then shared with the client. The Secret is
laid out so that it is compatible with kubergrunt helm configure for setting up the helm client.
This module assumes the CA certs are stored as Kubernetes Secrets on the cluster, either via kubergrunt or the
k8s-tiller-tls-certs module.
If you are unfamiliar with how TLS works, see the primer on TLS/SSL in the terraform-aws-vault private-tls-cert module.
You can read more about Helm, Tiller, and their security model in our Helm guide.
WARNING: The private keys generated by this module will be stored unencrypted in your Terraform state file. Anyone who
can read the state can present the client certificate to Tiller, so protect the state backend accordingly (restricted
access, encryption at rest). If you are sensitive to storing secrets in your Terraform state file, consider using
kubergrunt to generate and manage your TLS certificate. See the k8s-tiller-kubergrunt-minikube example for how to use
kubergrunt for TLS management.
How do you use this module?
See the root README for instructions on using Terraform modules.
This module uses the kubernetes Terraform provider.
See the examples folder for example usage.
See variables.tf for all the variables you can set on this module.
See outputs.tf for all the variables that are output by this module.
How do I configure Helm to use the generated TLS certs?
To configure the helm client to use the generated TLS certs, the certs must first be downloaded onto the machine.
There are two ways to access the generated TLS certs:
Directly using the module outputs
Via the Kubernetes Secret (if var.store_in_kubernetes_secret is true)
Note that a Kubernetes Secret only base64-encodes its data. Unless your cluster encrypts Secrets at rest, anyone who can
read the Secret can read the client's private key, so restrict RBAC access to it to the users who need the cert.
These certs should be shared with the user so that they can install them on their machine. Once the certs are shared,
they need to be stored on the local file system in the helm home directory. By default the helm home directory is
$HOME/.helm, but this is configurable (helm home prints the directory in use). Helm 2 looks for the certs in its home
directory under these default names (the paths can be overridden with --tls-ca-cert, --tls-cert and --tls-key):
ca.pem: The CA public certificate, PEM-encoded.
cert.pem: The public certificate of the client TLS certificate key pair, PEM-encoded.
key.pem: The private key of the client TLS certificate key pair, PEM-encoded. Keep it readable only by the user.
Once the certificate key pair is stored, the helm client will automatically discover it when connecting to Tiller with
TLS enabled. You need to pass the CLI args --tls and --tls-verify: --tls turns on TLS for the request, and --tls-verify
additionally verifies Tiller's certificate against ca.pem (without it the client authenticates to Tiller but does not
check who it is talking to). For example, to run the ls command to list releases:
helm ls --tls --tls-verify
Note that the CLI args must come after the subcommand.
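The procedure above, as an added example that is not part of the module or of kubergrunt: a POSIX shell script that pulls the three PEM files out of the Kubernetes Secret, installs them into the helm home directory with owner-only permissions, checks that the client certificate chains to the CA and belongs to the private key, and only then runs helm ls over TLS. The Secret's data key names (ca.crt, client.crt, client.pem) are assumptions; the README does not state them, so adjust them to what kubectl describe secret shows for your Secret.

```shell
#!/bin/sh
# Added example (not the module's own code): install helm client TLS certs into
# the helm home directory and sanity-check them before first use.
# ASSUMPTION: the Secret stores the CA cert, client cert and client key under
# the data keys ca.crt, client.crt and client.pem.
set -eu

# Print one data key of a Kubernetes Secret, base64-decoded.
# Usage: secret_field <namespace> <secret-name> <key>
secret_field() {
  # Dots in the key name must be escaped for jsonpath ({.data.ca\.crt}).
  key=$(printf '%s' "$3" | sed 's/\./\\./g')
  kubectl -n "$1" get secret "$2" -o "jsonpath={.data.$key}" | base64 -d
}

# Write the three PEM blobs under the names helm 2 looks for by default.
# The directory is created 0700 and the files 0600 so only the owner can
# read the private key.
# Usage: install_helm_tls_certs <helm-home> <ca-pem> <cert-pem> <key-pem>
install_helm_tls_certs() {
  home=$1; ca=$2; cert=$3; key=$4
  (
    umask 077
    mkdir -p "$home"
    printf '%s\n' "$ca"   > "$home/ca.pem"
    printf '%s\n' "$cert" > "$home/cert.pem"
    printf '%s\n' "$key"  > "$home/key.pem"
  )
  # Files that already existed keep their old mode, so tighten explicitly.
  chmod 600 "$home/ca.pem" "$home/cert.pem" "$home/key.pem"
}

# Check the installed material: the client cert must verify against the CA,
# and the public key inside the cert must equal the public key of key.pem.
# Returns non-zero if either check fails.
# Usage: verify_helm_tls_certs <helm-home>
verify_helm_tls_certs() {
  home=$1
  openssl verify -CAfile "$home/ca.pem" "$home/cert.pem" >/dev/null
  cert_pub=$(openssl x509 -in "$home/cert.pem" -noout -pubkey)
  key_pub=$(openssl pkey -in "$home/key.pem" -pubout)
  [ "$cert_pub" = "$key_pub" ]
}

# Driver: ./install-helm-tls.sh <namespace> <secret-name> [helm-home]
# Skipped when the script is run with no arguments (e.g. when sourced for tests).
if [ $# -ge 2 ]; then
  ns=$1; secret=$2; helm_home=${3:-$(helm home)}
  install_helm_tls_certs "$helm_home" \
    "$(secret_field "$ns" "$secret" ca.crt)" \
    "$(secret_field "$ns" "$secret" client.crt)" \
    "$(secret_field "$ns" "$secret" client.pem)"
  verify_helm_tls_certs "$helm_home"
  helm ls --tls --tls-verify
fi
```

The verification step is the part worth keeping even if you copy the files by hand: a client cert that does not chain to the CA Tiller trusts, or a key that belongs to a different cert, fails only at the first helm call with a generic TLS handshake error, whereas openssl verify and the public-key comparison tell you which of the three files is wrong.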