Helm

Install the Helm CLI

You can either download and install the pre-built binary release of Helm v2.16.6 or use the Helm binary that ships with the product (located in ./ssob-install/deployments/helm).

To use the installer script provided by Helm that will automatically fetch the desired version of Helm and install it locally, run the following command:

export DESIRED_VERSION=v2.16.6
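# sudo resets the environment by default, so pass DESIRED_VERSION through explicitly
curl -fsSL https://raw.githubusercontent.com/helm/helm/master/scripts/get | sudo DESIRED_VERSION="$DESIRED_VERSION" bash

Note: The directory containing the Helm binary must be included in the PATH environment variable.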

Create Service Account for Helm Tiller

Set up the service account role bindings required by Tiller by creating a service account and granting it admin rights for the namespace:

oc project foundation-gitlab
oc create sa tiller
oc adm policy add-role-to-user admin -z tiller

Install Helm Tiller with TLS

You can either provide your own certificates for configuring TLS/SSL between Helm and Tiller or reuse the Helm certificates of an existing IBM Cloud Pak for Data (CPD 3.5) installation.

To reuse the Helm certificates from the existing CPD Tiller installation, identify the following variables:

Variable             Replacement
{tiller_namespace}   Namespace of the existing CPD installation (default: zen)
{tiller_secret}      Name of the Tiller secret that was created by the CPD installation (commonly: tiller-secret or helm-secret)
{cert_folder}        Folder for storing the certificate files (e.g. $HOME/.helm)

Note: The created certificate and key files must be saved and will be used later to execute the helm install command in section Start the Helm chart installation.

Create the certificate and key files for Helm Tiller by setting the variables in the following command block and executing the commands:

export TILLER_NAMESPACE={tiller_namespace}
export TILLER_SECRET={tiller_secret}
export SECRET_FOLDER={cert_folder}
# -p avoids an error if the folder already exists (e.g. $HOME/.helm)
mkdir -p "$SECRET_FOLDER"
cd "$SECRET_FOLDER"

# Export secret certificates as files
oc get secret $TILLER_SECRET -n $TILLER_NAMESPACE -o yaml|grep -A3 '^data:'|tail -3 | awk -F: '{system("echo "$2" |base64 --decode > "$1)}'

# Rename to standard names for HELM certificates
mv ca.cert.pem ca.pem
mv helm.cert.pem cert.pem
mv helm.key.pem key.pem

# Set certificate file permissions
chmod 700 "$PWD"
chmod 644 ./ca.pem
chmod 644 ./cert.pem
chmod 600 ./key.pem
export HELM_TLS_CA_CERT=$PWD/ca.pem
export HELM_TLS_CERT=$PWD/cert.pem
export HELM_TLS_KEY=$PWD/key.pem

# Verify TLS communication
helm version --tls --tiller-namespace $TILLER_NAMESPACE

The helm version command should produce output like this:

Client: &version.Version{SemVer:"v2.16.6", GitCommit:"0e7f3b6637f7af8fcfddb3d2941fcc7cbebb0085", GitTreeState:"clean"}
Server: &version.Version{SemVer:"v2.16.6", GitCommit:"0e7f3b6637f7af8fcfddb3d2941fcc7cbebb0085", GitTreeState:"clean"}
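
The export step in the command block above feeds secret fields into a shell through awk's system() and relies on the secret holding exactly three keys. A stricter variant, as an added example that is not part of the original instructions: write_secret_files is a hypothetical helper name, and the input format (one key and its base64 value per line) is an assumption matched to the go-template shown in the usage comment.

```bash
# Added example (not from the original page). Reads "<key> <base64-value>" lines
# on stdin and writes each value to <dest>/<key> with owner-only permissions.
# write_secret_files is a hypothetical helper name.
write_secret_files() {
  local dest="$1" key value rc=0
  mkdir -p "$dest" && chmod 700 "$dest" || return 1
  while read -r key value || [ -n "$key" ]; do
    [ -n "$key" ] || continue
    # Accept plain file names only: no path separators, leading dots,
    # whitespace or shell metacharacters.
    case $key in
      .*|*[!A-Za-z0-9._-]*)
        echo "rejected key name: $key" >&2; rc=1; continue ;;
    esac
    # The value reaches base64 as data on stdin, never as shell text;
    # umask 077 makes the file owner-only from the moment it is created.
    if ! ( umask 077; printf '%s' "$value" | base64 -d > "$dest/$key" ); then
      echo "could not decode value for key: $key" >&2
      rm -f "$dest/$key"; rc=1
    fi
  done
  return "$rc"
}

# Usage against the cluster (assumes oc is logged in and the variables from
# the command block above are set):
#   oc get secret "$TILLER_SECRET" -n "$TILLER_NAMESPACE" \
#     -o go-template='{{range $k, $v := .data}}{{$k}} {{$v}}{{"\n"}}{{end}}' \
#     | write_secret_files "$SECRET_FOLDER"
```

The rename and chmod steps from the command block still apply to the files this writes.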

To install Helm Tiller and configure TLS/SSL between Helm and Tiller, run the helm init command with the --tiller-tls-* parameters and the names of the certificates, as shown in the following example:

$ helm init \
--tiller-namespace foundation-gitlab \
--tiller-tls \
--tiller-tls-cert $HELM_TLS_CERT \
--tiller-tls-key $HELM_TLS_KEY \
--tiller-tls-verify \
--tls-ca-cert $HELM_TLS_CA_CERT \
--service-account tiller

After a few minutes, validate that Tiller is deployed in the namespace:

$ oc -n foundation-gitlab rollout status deploy/tiller-deploy
deployment "tiller-deploy" successfully rolled out

Note: Further information about securing Tiller and Helm with TLS can be found in the official Helm documentation, Using TLS Between Helm and Tiller.

Verify the Tiller Installation

Run the following command to validate that Helm can communicate with the Tiller service:

$ helm version --tls --tiller-namespace foundation-gitlab
Client: &version.Version{SemVer:"v2.16.6", GitCommit:"0e7f3b6637f7af8fcfddb3d2941fcc7cbebb0085", GitTreeState:"clean"}
Server: &version.Version{SemVer:"v2.16.6", GitCommit:"0e7f3b6637f7af8fcfddb3d2941fcc7cbebb0085", GitTreeState:"clean"}