helm configure #7
Conversation
|
This is ready for RDD review. |
| - `HELM_HOME`: The helm client home directory where the TLS certs are located. | ||
| - `TILLER_NAMESPACE`: The namespace where the helm server is installed. | ||
| - `HELM_TLS_VERIFY`: This will be set to true to enable TLS verification. | ||
| - `HELM_TLS_ENABLE`: This will be set to true to enable TLS authentication. |
There was a problem hiding this comment.
This is annoying, but helm doesn't have a concept of a config file. The default way for the user is:
helm --tiller-namespace NAMESPACE --tls --tls-verifyeverytime they want to use helm. If they want multiple helm configs, this is even worse:
helm --home HELM_HOME_DIR --tiller-namespace NAMESPACE --tls --tls-verify
# or if they want to share home dir but use different certs
helm --tiller-namespace NAMESPACE --tls --tls-verify --tls-ca-cert ca.cert.pem --tls-cert helm.cert.pem --tls-key helm.key.pem
So the proposal here is to instead provide an environment file they can source that sets these as environment variables. Then this becomes:
source ~/.helm/env
helm
|
From 1:1 with Jim. Aim for ideal experience:
Additional notes:
|
|
Re: config file - I found a github issue in helm on this topic (the OP is completely unrelated, but the discussion evolved to be about config files) and it looks like this will be a helmv3 feature. In that case, I might just stick with the env var style approach, and update this when helmv3 lands. PS: I found a way to do this in Powershell and Windows Cmd: https://stackoverflow.com/questions/20077820/how-can-i-source-variables-from-a-bat-file-into-a-powershell-script/20078095#20078095. We could detect the OS as part of the command and create the relevant files. |
yorinasub17
force-pushed
the
yori-helm-setup
branch
from
4ff5244 to
3608039
Compare
|
This will be ready to review once #8 merges |
yorinasub17
force-pushed
the
yori-helm-setup
branch
from
600f38f to
ffcdabf
Compare
yorinasub17
force-pushed
the
yori-helm-setup
branch
from
ffcdabf to
c05bce7
Compare
cmd/helm.go
Outdated
| @@ -15,15 +15,21 @@ import ( | |||
| ) | |||
|
|
|||
| var ( | |||
| // Shared configurations | |||
| tillerNamespaceFlag = cli.StringFlag{ | |||
| Name: "namespace", | |||
There was a problem hiding this comment.
nit: I wonder if tiller-namespace and namespace would be better naming here? I expect to use this namespace for a single item, the tiller server, while many resources will reside in the resource namespace.
cmd/helm.go
Outdated
| Usage: "The name of the RBAC user that should be granted access to Tiller. Pass in multiple times for multiple users.", | ||
| } | ||
| grantedServiceAccountsFlag = cli.StringSliceFlag{ | ||
| Name: "service-account", |
There was a problem hiding this comment.
Why not rbac-service-account for consistency? It's a little awkward to type, but namespacing all 3 under rbac makes the grouping more clear.
There was a problem hiding this comment.
Well, ServiceAccounts are technically not a part of the RBAC system. They are grouped under core API.
But I think that is a minor detail and I agree with you about the namespace grouping so will do that.
There was a problem hiding this comment.
adjusted to --rbac-service-account
cmd/helm.go
Outdated
| rbacUsers := cliContext.StringSlice(grantedRbacUsersFlag.Name) | ||
| serviceAccounts := cliContext.StringSlice(grantedServiceAccountsFlag.Name) | ||
| if len(rbacGroups) == 0 && len(rbacUsers) == 0 && len(serviceAccounts) == 0 { | ||
| return entrypoint.NewRequiredArgsError("At least one --rbac-group or --service-account is required") |
There was a problem hiding this comment.
Thanks forgot that when I added in rbac user support
helm/deploy.go
Outdated
| @@ -104,7 +106,7 @@ func Deploy( | |||
| logger.Errorf("Error deploying Helm server: %s", err) | |||
| return err | |||
| } | |||
| logger.Infof("Successfully deployed helm server in namespace %s with service account %s", namespace, serviceAccount) | |||
| logger.Infof("Successfully deployed helm server in namespace %s with service account %s", tillerNamespace, serviceAccount) | |||
There was a problem hiding this comment.
nit: s/helm server/Tiller here and a couple lines below?
helm/grant.go
Outdated
| return nil | ||
| } | ||
|
|
||
| // grantAccessToRBACGroups will grant access to the deployed Tiller server to the provided RBAC groups. |
There was a problem hiding this comment.
nit: outdated function name in comment
|
Ok the latest version has been verified to work with gruntwork-io/terraform-kubernetes-helm#9, so I am going to merge this and release. For reference here is the passing circleci build: https://circleci.com/workflow-run/11f575c4-7d30-4423-a61f-cc0b55bdfc9e?utm_campaign=vcs-integration-link&utm_medium=referral&utm_source=github-checks-link |
Depends on #8MERGEDThis implements the
helm grantandhelm configuresubcommands which can be used to grant and configure a local helm client to access the specified helm server install in the target Kubernetes namespace.