Deploying Helm / Tiller, Prometheus, AlertManager, Grafana, Elasticsearch On Your Kubernetes Cluster


Deploying Helm Charts / Tiller on your Kubernetes cluster

Below is a continuation of my previous posts (parts 1-7) on how to configure a 3 master node Kubernetes cluster.

In the post below I am going to show you:

  1. How to install / configure – Helm / Tiller on your Kubernetes cluster.
  2. How to install / configure – Prometheus / AlertManager, Grafana, Elasticsearch on your Kubernetes cluster.

Please check out the full series to see how to configure a 3 node Kubernetes master; the links are below.

This is Part 8 – Deploying Helm Tiller, Prometheus, AlertManager, Grafana, Elasticsearch.

First we are going to install the Helm client, which will help with the Tiller (Helm server) install.

Tiller v2.10 has removed checking the environment for an http_proxy/https_proxy, which causes many issues behind corporate proxies.
The issue is being addressed in a future update (soon).
For the post below I am therefore using Tiller v2.9.1 – the latest stable release prior to v2.10.0.

Let's begin with downloading the Helm client.
Running the below will download the latest stable Helm client (v2.10.0).

Since I will not be using v2.10.0 (because of the proxy bug), I will be downloading a specific version, v2.9.1, below.
Note: You can get a list of releases here.

Tip: The Helm server is referred to as Tiller.
Next, we are going to create a Kubernetes service account for Tiller (the Helm server). This account will be used by the Helm/Tiller server.
Create the tiller serviceAccount by running the below.

Securing the Helm / Tiller server

Since the Helm / Tiller server has full access to the Kubernetes cluster, it is strongly recommended to secure Tiller access.

We are therefore going to configure/use RBAC and TLS/SSL access to strengthen security.
Note: By default Tiller has no security constraints, meaning anyone with cluster access would be able to do anything by using the tiller account.

Step one will be generating the Tiller server and Helm client certificates.
To generate certificates you will need a CA.
I will be using the Kubernetes CA (the same CA used for all other Kubernetes components); feel free to generate another CA and use that instead (I will highlight the steps below).

Creating your own CA for Tiller (this is only needed if you are not using the Kubernetes CA; otherwise skip to step 2).

  1. Generating certificate CA keys.
  2. Generating tiller keys.
  3. Create certificate requests.
  4. Sign the certificate request.

  5. If using a separate CA for tiller – use the below instead.
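
Steps 1 to 4 above for a separate Tiller CA, written out as an added example with openssl. These are not the commands from the original post; the file names, subject names, key size and lifetime are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. File names, subject names,
# key size and lifetime are assumptions chosen for illustration.

# make_tiller_pki DIR: create a dedicated CA in DIR and issue one server
# certificate (tiller) and one client certificate (helm) from it.
make_tiller_pki() (
    bits="${KEY_BITS:-4096}"
    days="${CERT_DAYS:-365}"
    mkdir -p "$1" && cd "$1" || exit 1
    umask 077   # files created below are readable by their owner only

    # 1. CA key and self-signed CA certificate
    openssl genrsa -out ca.key.pem "$bits" || exit 1
    openssl req -x509 -new -sha256 -key ca.key.pem -days "$days" \
        -subj "/CN=tiller-ca" -out ca.cert.pem || exit 1

    for name in tiller helm; do
        # 2. Private key for this party
        openssl genrsa -out "$name.key.pem" "$bits" || exit 1
        # 3. Certificate request
        openssl req -new -sha256 -key "$name.key.pem" \
            -subj "/CN=$name" -out "$name.csr.pem" || exit 1
        # 4. Sign the request with the CA
        openssl x509 -req -sha256 -days "$days" -in "$name.csr.pem" \
            -CA ca.cert.pem -CAkey ca.key.pem -CAcreateserial \
            -out "$name.cert.pem" || exit 1
    done
)

# signed_by CA_CERT CERT: succeed only if CERT chains to CA_CERT. TLS
# verification on either side relies on this chain check, so a certificate
# issued by any other CA is rejected.
signed_by() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}
```

The resulting ca.cert.pem, tiller.cert.pem and tiller.key.pem are the inputs for Helm v2's `--tls-ca-cert`, `--tiller-tls-cert` and `--tiller-tls-key` options to `helm init`. Keep ca.key.pem off the cluster, since whoever holds it can mint client certificates that Tiller will accept.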

We are now ready to initialize the Tiller server with the newly created TLS keys.
Note: Export your proxy if you're behind a firewall or proxy, by running the below.

Initialize the Tiller server by running the below.

If using a separate CA for Tiller – use the below instead.

Run the below to allow the tiller service account (RBAC) access.

Finally, let's test Tiller TLS access by using the tiller service account with TLS (RBAC). The below should return no errors, i.e. empty output.

If using a separate CA for tiller – use the below instead.

You can permanently add the certificates to your $HELM_HOME to make life simpler, by running the below.

And test by not specifying certificates.

Tiller common uses – help

To upgrade Tiller, just run the below.

See Part 2 Deploying Prometheus, AlertManager, Grafana, Elasticsearch by clicking here.
