Helm | - 0 views
-
Helm will figure out where to install Tiller by reading your Kubernetes configuration file (usually $HOME/.kube/config). This is the same file that kubectl uses.
-
kubectl cluster-info
-
Role-Based Access Control (RBAC) enabled
- ...133 more annotations...
-
initialize the local CLI
-
install Tiller into your Kubernetes cluster
-
helm install
-
helm init --upgrade
-
By default, when Tiller is installed, it does not have authentication enabled.
-
helm repo update
-
Without a max history set the history is kept indefinitely, leaving a large number of records for helm and tiller to maintain.
-
helm init --upgrade
-
Whenever you install a chart, a new release is created.
-
one chart can be installed multiple times into the same cluster. And each can be independently managed and upgraded.
-
helm list function will show you a list of all deployed releases.
-
helm delete
-
helm status
-
you can audit a cluster’s history, and even undelete a release (with helm rollback).
-
the Helm server (Tiller).
-
The Helm client (helm)
-
brew install kubernetes-helm
-
Tiller, the server portion of Helm, typically runs inside of your Kubernetes cluster.
-
it can also be run locally, and configured to talk to a remote Kubernetes cluster.
-
Role-Based Access Control - RBAC for short
-
create a service account for Tiller with the right roles and permissions to access resources.
-
run Tiller in an RBAC-enabled Kubernetes cluster.
-
run kubectl get pods --namespace kube-system and see Tiller running.
-
helm inspect
-
Helm will look for Tiller in the kube-system namespace unless --tiller-namespace or TILLER_NAMESPACE is set.
-
For development, it is sometimes easier to work on Tiller locally, and configure it to connect to a remote Kubernetes cluster.
-
even when running locally, Tiller will store release configuration in ConfigMaps inside of Kubernetes.
-
helm version should show you both the client and server version.
-
Tiller stores its data in Kubernetes ConfigMaps, you can safely delete and re-install Tiller without worrying about losing any data.
-
helm reset
-
The --node-selectors flag allows us to specify the node labels required for scheduling the Tiller pod.
-
--override allows you to specify properties of Tiller’s deployment manifest.
-
helm init --override manipulates the specified properties of the final manifest (there is no “values” file).
-
The --output flag allows us skip the installation of Tiller’s deployment manifest and simply output the deployment manifest to stdout in either JSON or YAML format.
-
By default, tiller stores release information in ConfigMaps in the namespace where it is running.
-
switch from the default backend to the secrets backend, you’ll have to do the migration for this on your own.
-
a beta SQL storage backend that stores release information in an SQL database (only postgres has been tested so far).
-
Once you have the Helm Client and Tiller successfully installed, you can move on to using Helm to manage charts.
-
Helm requires that kubelet have access to a copy of the socat program to proxy connections to the Tiller API.
-
A Release is an instance of a chart running in a Kubernetes cluster. One chart can often be installed many times into the same cluster.
-
helm init --client-only
-
helm init --dry-run --debug
-
A panic in Tiller is almost always the result of a failure to negotiate with the Kubernetes API server
-
Tiller and Helm have to negotiate a common version to make sure that they can safely communicate without breaking API assumptions
-
helm delete --purge
-
Helm stores some files in $HELM_HOME, which is located by default in ~/.helm
-
A Chart is a Helm package. It contains all of the resource definitions necessary to run an application, tool, or service inside of a Kubernetes cluster.
-
it like the Kubernetes equivalent of a Homebrew formula, an Apt dpkg, or a Yum RPM file.
-
A Repository is the place where charts can be collected and shared.
-
Set the $HELM_HOME environment variable
-
each time it is installed, a new release is created.
-
Helm installs charts into Kubernetes, creating a new release for each installation. And to find new charts, you can search Helm chart repositories.
-
chart repository is named stable by default
-
helm search shows you all of the available charts
-
helm inspect
-
To install a new package, use the helm install command. At its simplest, it takes only one argument: The name of the chart.
-
If you want to use your own release name, simply use the --name flag on helm install
-
additional configuration steps you can or should take.
-
Helm does not wait until all of the resources are running before it exits. Many charts require Docker images that are over 600M in size, and may take a long time to install into the cluster.
-
helm status
-
helm inspect values
-
helm inspect values stable/mariadb
-
override any of these settings in a YAML formatted file, and then pass that file during installation.
-
helm install -f config.yaml stable/mariadb
-
--values (or -f): Specify a YAML file with overrides.
-
--set (and its variants --set-string and --set-file): Specify overrides on the command line.
-
Values that have been --set can be cleared by running helm upgrade with --reset-values specified.
-
Chart designers are encouraged to consider the --set usage when designing the format of a values.yaml file.
-
--set-file key=filepath is another variant of --set. It reads the file and use its content as a value.
-
inject a multi-line text into values without dealing with indentation in YAML.
-
An unpacked chart directory
-
When a new version of a chart is released, or when you want to change the configuration of your release, you can use the helm upgrade command.
-
Kubernetes charts can be large and complex, Helm tries to perform the least invasive upgrade.
-
It will only update things that have changed since the last release
-
$ helm upgrade -f panda.yaml happy-panda stable/mariadb
-
deployment
-
If both are used, --set values are merged into --values with higher precedence.
-
The helm get command is a useful tool for looking at a release in the cluster.
-
helm rollback
-
A release version is an incremental revision. Every time an install, upgrade, or rollback happens, the revision number is incremented by 1.
-
helm history
-
a release name cannot be re-used.
-
you can rollback a deleted resource, and have it re-activate.
-
helm repo list
-
helm repo add
-
helm repo update
-
The Chart Development Guide explains how to develop your own charts.
-
helm create
-
helm lint
-
helm package
-
Charts that are archived can be loaded into chart repositories.
-
chart repository server
-
Tiller can be installed into any namespace.
-
Limiting Tiller to only be able to install into specific namespaces and/or resource types is controlled by Kubernetes RBAC roles and rolebindings
-
Release names are unique PER TILLER INSTANCE
-
Charts should only contain resources that exist in a single namespace.
-
not recommended to have multiple Tillers configured to manage resources in the same namespace.
-
a client-side Helm plugin. A plugin is a tool that can be accessed through the helm CLI, but which is not part of the built-in Helm codebase.
-
Helm plugins are add-on tools that integrate seamlessly with Helm. They provide a way to extend the core feature set of Helm, but without requiring every new feature to be written in Go and added to the core tool.
-
Helm plugins live in $(helm home)/plugins
-
The Helm plugin model is partially modeled on Git’s plugin model
-
helm referred to as the porcelain layer, with plugins being the plumbing.
-
helm plugin install https://github.com/technosophos/helm-template
-
command is the command that this plugin will execute when it is called.
-
Environment variables are interpolated before the plugin is executed.
-
The command itself is not executed in a shell. So you can’t oneline a shell script.
-
Helm is able to fetch Charts using HTTP/S
-
Variables like KUBECONFIG are set for the plugin if they are set in the outer environment.
-
In Kubernetes, granting a role to an application-specific service account is a best practice to ensure that your application is operating in the scope that you have specified.
-
restrict Tiller’s capabilities to install resources to certain namespaces, or to grant a Helm client running access to a Tiller instance.
-
Service account with cluster-admin role
-
The cluster-admin role is created by default in a Kubernetes cluster
-
Deploy Tiller in a namespace, restricted to deploying resources only in that namespace
-
Deploy Tiller in a namespace, restricted to deploying resources in another namespace
-
When running a Helm client in a pod, in order for the Helm client to talk to a Tiller instance, it will need certain privileges to be granted.
-
SSL Between Helm and Tiller
-
The Tiller authentication model uses client-side SSL certificates.
-
creating an internal CA, and using both the cryptographic and identity functions of SSL.
-
Helm is a powerful and flexible package-management and operations tool for Kubernetes.
-
default installation applies no security configurations
-
with a cluster that is well-secured in a private network with no data-sharing or no other users or teams.
-
With great power comes great responsibility.
-
Choose the Best Practices you should apply to your helm installation
-
Role-based access control, or RBAC
-
Tiller’s gRPC endpoint and its usage by Helm
-
Kubernetes employ a role-based access control (or RBAC) system (as do modern operating systems) to help mitigate the damage that can be done if credentials are misused or bugs exist.
-
In the default installation the gRPC endpoint that Tiller offers is available inside the cluster (not external to the cluster) without authentication configuration applied.
-
Tiller stores its release information in ConfigMaps. We suggest changing the default to Secrets.
-
release information
-
charts
-
charts are a kind of package that not only installs containers you may or may not have validated yourself, but it may also install into more than one namespace.
-
As with all shared software, in a controlled or shared environment you must validate all software you install yourself before you install it.
-
Helm’s provenance tools to ensure the provenance and integrity of charts
-
"Helm will figure out where to install Tiller by reading your Kubernetes configuration file (usually $HOME/.kube/config). This is the same file that kubectl uses."
