Make note of required Tiller config in prod envs

fluxcd · Jun 11, 2019 · ee0699f · ee0699f
1 parent b7e335e
commit ee0699f
Show file tree

Hide file tree

Showing 3 changed files with 18 additions and 4 deletions.
diff --git a/site/annotations-tutorial.md b/site/annotations-tutorial.md
@@ -62,9 +62,14 @@ If you have never used Helm, you first need to
   Deploy Tiller in the `kube-system` namespace:
 
   ```sh
-  helm init --skip-refresh --upgrade --service-account tiller
+  helm init --skip-refresh --upgrade --service-account tiller --history-max 10
   ```
 
+  > **Note:** This is a quick guide and by no means a production ready
+  > Tiller setup, please look into ['Securing your Helm installation'](https://helm.sh/docs/using_helm/#securing-your-helm-installation)
+  > and be aware of the `--history-max` flag before promoting to
+  > production.
+
 Now you can take care of the actual installation. First add the Flux
 repository of Weaveworks:
 

diff --git a/site/helm-get-started.md b/site/helm-get-started.md
@@ -52,9 +52,14 @@ kubectl create clusterrolebinding tiller-cluster-rule \
 Deploy Tiller in `kube-system` namespace:
 
 ```sh
-helm init --skip-refresh --upgrade --service-account tiller
+helm init --skip-refresh --upgrade --service-account tiller --history-max 10
 ```
 
+> **Note:** This is a quick guide and by no means a production ready
+> Tiller setup, please look into ['Securing your Helm installation'](https://helm.sh/docs/using_helm/#securing-your-helm-installation)
+> and be aware of the `--history-max` flag before promoting to
+> production.
+
 ## Install Weave Flux
 
 Add the Flux repository of Weaveworks:

diff --git a/site/helm-operator.md b/site/helm-operator.md
@@ -138,8 +138,12 @@ Deploy Tiller:
 ```bash
 kubectl apply -f helm-rbac.yaml
 
-# Deploy helm with mutual TLS enabled
-helm init --upgrade --service-account tiller \
+# Deploy helm with mutual TLS enabled.
+# --history-max limits the maximum number of revisions Tiller stores;
+# leaving it to the default (0) may result in request timeouts after N
+# releases, due to the excessive amount of ConfigMaps Tiller will
+# attempt to retrieve.
+helm init --upgrade --service-account tiller --history-max 10 \
     --override 'spec.template.spec.containers[0].command'='{/tiller,--storage=secret}' \
     --tiller-tls \
     --tiller-tls-cert ./tls/server.pem \