Configure Helm TLS communication with multiple Kubernetes clusters

Maor Friedman
Jun 9, 2018 · 4 min read

So, finally decided to secure your Helm installation? That's great! Sounds easy enough, right? And as an extra, all sources seem to be telling the exact same story: "All you have to do is follow these steps, and you are good to go". Right? Wrong. Well, not really wrong, it is a fairly simple procedure, but brace yourself for more typing. Much more. A bit more. There you are. But have no fear, the solution is here (in this post, if that was unclear).

Let's start with a basic description of Helm. Helm helps you manage Kubernetes applications (Helm charts). Think of it this way: Helm is to Kubernetes much like APT is to Debian. It helps you define, install or upgrade applications. Helm is comprised of a client side (helm, which runs on your laptop, your CI/CD pipelines, etc.) and a server side (tiller, which runs inside your cluster).

Helm is easy to install on your cluster, and if you care about security, you will probably want to follow the official documentation on securing your Helm installation. The official documentation is very good and will take you step by step from zero to Helm security hero in no time. We are going to skip the installation part, and focus on what happens after you are running securely.

A note about securing an existing Helm installation — The only potentially breaking part is to migrate existing Releases from ConfigMap to Secret objects. This can be handled using by Kirill Kuznetsov. Good job on that one!

Once you have TLS in place, the first question you are going to ask is how you can avoid typing so much. To use any Helm command that communicates with Tiller, you will need to type something like:

helm ls --tls --tls-cert /path/to/cert.pem --tls-key /path/to/key.pem

This is obviously too much for a simple ls command, and if you place cert.pem and key.pem in your Helm home directory (where the client looks for them by default), you can simply type:

helm ls --tls

So far, so good. If you administer only one cluster, you are probably satisfied at this point. Adding --tls to (some) commands does not seem to be too much of a hassle. You will be seeing a lot of "Error: transport is closing" due to --tls-forgetfulness at first (doh!), but eventually it will grow on you.

But what if you administer multiple clusters and have different certificates and keys for each of them? The shortcut of having the files in your Helm home directory does not work anymore, and you are left at the mercy of --home /path/to/k8s.cluster.n/certs. If adding --tls was bearable, --home is just too much.

We need to find a solution that will allow us to type less and say more — an alias!

Consider the following folder structure:

$HELM_HOME/tls/
├── k8s.cluster.1
│   ├── cert.pem
│   └── key.pem
└── k8s.cluster.2
    ├── cert.pem
    └── key.pem

Place the appropriate cert.pem and key.pem in each of these folders. Just to be clear, k8s.cluster.n is meant to be the names of each of the clusters you administer. After having this structure, you can add the following line to your aliases:

# Print the TLS flags for the cluster behind the current kubectl context
alias tls='cluster=$(kubectl config view --minify -o jsonpath="{.clusters[*].name}"); echo -n "--tls --tls-cert $(helm home)/tls/$cluster/cert.pem --tls-key $(helm home)/tls/$cluster/key.pem"'

This alias gets the current cluster from your Kubernetes config file (--minify reduces the output to the current context only), and prints all the arguments needed to call Tiller. So, to use this alias, you will type:

helm ls $(tls)

Quite a time saver already. We are down to the acceptable helm ls --tls, only written a bit differently, and it works for multiple clusters.

Another nice shortcut would be to add this line to your aliases:

function helmet() {
    helm "$@" $(tls)
}

Introducing Helmet! Hagai Barel had the idea of the name Helmet — Helm Enable TLS (be sure to check out his posts). So now you can just type:

helmet ls

This is definitely something I'm willing to live with. I do still suffer the occasional tls-forgetfulness, but this can be easily treated with some keyboard shortcuts, specifically this sequence: Arrow-up, Ctrl+A, Ctrl+Arrow-right, type "et", Enter.

To summarize, this is without a doubt a great time saver, but helmet has its drawbacks. For one, it does not handle multiple Tillers in a single cluster. This is maybe a place where we will need something a bit more powerful than an alias and a folder structure.
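The tls/helmet idea again, as an added example that is not code from the original post: shell functions instead of an alias (so it also works inside scripts), a readable error when a cluster's files are missing instead of "transport is closing", and, when a ca.pem is present for the cluster, --tls-verify plus --tls-ca-cert so the client also checks Tiller's certificate rather than only encrypting the connection. The function names helm_home, current_cluster and helm_tls_args are my own; it assumes the Helm 2 flags named here and the $HELM_HOME/tls/<cluster>/ layout above.

```shell
# Added example (not from the original post). Assumes Helm 2 flags
# (--tls, --tls-cert, --tls-key, --tls-verify, --tls-ca-cert) and the
# $HELM_HOME/tls/<cluster>/ layout; $HELM_HOME defaults to ~/.helm as in Helm 2.

helm_home() {
  printf '%s\n' "${HELM_HOME:-$HOME/.helm}"
}

# Name of the cluster behind the current kubectl context.
current_cluster() {
  kubectl config view --minify -o jsonpath='{.clusters[*].name}'
}

# Print the TLS arguments for one cluster, one argument per line.
# Usage: helm_tls_args <cluster-name> [helm-home]
helm_tls_args() {
  local cluster="$1" dir
  dir="${2:-$(helm_home)}/tls/$cluster"
  if [ ! -r "$dir/cert.pem" ] || [ ! -r "$dir/key.pem" ]; then
    echo "helmet: no cert.pem/key.pem for cluster '$cluster' in $dir" >&2
    return 1
  fi
  printf '%s\n' --tls --tls-cert "$dir/cert.pem" --tls-key "$dir/key.pem"
  # Verify Tiller's certificate whenever this cluster's CA is available;
  # plain --tls encrypts but does not check who is on the other end.
  if [ -r "$dir/ca.pem" ]; then
    printf '%s\n' --tls-verify --tls-ca-cert "$dir/ca.pem"
  fi
}

# helmet: run helm against the current cluster with the right TLS arguments.
helmet() {
  local cluster tls_args oldifs
  cluster=$(current_cluster) || return 1
  tls_args=$(helm_tls_args "$cluster") || return 1
  # Split only on newlines so a Helm home path containing spaces survives.
  oldifs=$IFS; IFS='
'
  set -f; set -- "$@" $tls_args; set +f; IFS=$oldifs
  helm "$@"
}
```

Source the file from your shell profile and use helmet exactly as in the post (helmet ls); a cluster without a ca.pem still works, it just does not get the verification flags.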

Update

With Helm 3 coming up, secure communication between Helm and Tiller will no longer be required, because… there will be no more Tiller! Read more about Helm 3.

Thanks for reading!

Nuvo Tech

Nuvo is an emerging leader in maternal-fetal connected health, passionate about creating technology that radically transforms the experience of pregnancy. From software to electronics, this is our platform to share the insights we glean on a daily basis.

Written by Maor Friedman, Engineering Sites to be Reliable @ Red Hat
