Specify tiller version

.circleci/config.yml

@@ -8,8 +8,8 @@ defaults: &defaults
     TERRAGRUNT_VERSION: NONE
     PACKER_VERSION: NONE
     GOLANG_VERSION: 1.11.2
-    K8S_VERSION: v1.10.0  # Same as EKS
-    HELM_VERSION: v2.12.2
+    K8S_VERSION: v1.10.0   # Same as EKS
+    HELM_VERSION: v2.11.0  # Same as helm provider
     KUBECONFIG: /home/circleci/.kube/config
     MINIKUBE_VERSION: v0.28.2  # See https://github.com/kubernetes/minikube/issues/2704
     MINIKUBE_WANTUPDATENOTIFICATION: "false"

cmd/helm.go

@@ -14,21 +14,36 @@ import (
 	"github.com/gruntwork-io/kubergrunt/tls"
 )
 
+const (
+	DefaultTillerImage   = "gcr.io/kubernetes-helm/tiller"
+	DefaultTillerVersion = "v2.11.0"
+)
+
 var (
 	// Shared configurations
 	tillerNamespaceFlag = cli.StringFlag{
 		Name:  "tiller-namespace",
-		Usage: "Kubernetes namespace that Tiller will reside in.",
+		Usage: "(Required) Kubernetes namespace that Tiller will reside in.",
 	}
 	resourceNamespaceFlag = cli.StringFlag{
 		Name:  "resource-namespace",
-		Usage: "Kubernetes namespace where the resources deployed by Tiller reside.",
+		Usage: "(Required) Kubernetes namespace where the resources deployed by Tiller reside.",
 	}
 
 	// Configurations for how helm is installed
 	serviceAccountFlag = cli.StringFlag{
 		Name:  "service-account",
-		Usage: "The name of the ServiceAccount that Tiller should use.",
+		Usage: "(Required) The name of the ServiceAccount that Tiller should use.",
+	}
+	tillerImageFlag = cli.StringFlag{
+		Name:  "tiller-image",
+		Value: DefaultTillerImage,
+		Usage: "The container image to use when deploying tiller.",
+	}
+	tillerVersionFlag = cli.StringFlag{
+		Name:  "tiller-version",
+		Value: DefaultTillerVersion,
+		Usage: "The version of the container image to use when deploying tiller.",
 	}
 
 	// Configurations for how to authenticate with the Kubernetes cluster.
@@ -40,7 +55,7 @@ var (
 	}
 	helmKubeconfigFlag = cli.StringFlag{
 		Name:  KubeconfigFlagName,
-		Usage: "The path to the kubectl config file to use to authenticate with Kubernetes. Defaults to ~/.kube/config",
+		Usage: "The path to the kubectl config file to use to authenticate with Kubernetes. (default: \"~/.kube/config\")",
 	}
 
 	// Configurations for setting up the TLS certificates
@@ -150,7 +165,7 @@ var (
 	// This is also used in configure
 	helmHomeFlag = cli.StringFlag{
 		Name:  "helm-home",
-		Usage: "Home directory that is configured for accessing deployed Tiller server. If unset, defaults to ~/.helm",
+		Usage: "Home directory that is configured for accessing deployed Tiller server. (default: \"~/.helm\")",
 	}
 
 	// Configurations for configuring the helm client
@@ -192,12 +207,21 @@ func SetupHelmCommand() cli.Command {
 Additionally, this command will grant access to an RBAC entity and configure the local helm client to use that using one of "--rbac-user", "--rbac-group", "--rbac-service-account" options.`,
 				Action: deployHelmServer,
 				Flags: []cli.Flag{
-					helmHomeFlag,
+					// Required flags
 					serviceAccountFlag,
 					tillerNamespaceFlag,
 					resourceNamespaceFlag,
 					tlsCommonNameFlag,
 					tlsOrgFlag,
+					clientTLSCommonNameFlag,
+					clientTLSOrgFlag,
+					configuringRBACUserFlag,
+					configuringRBACGroupFlag,
+					configuringServiceAccountFlag,
+
+					// Optional flags
+					tillerImageFlag,
+					tillerVersionFlag,
 					tlsOrgUnitFlag,
 					tlsCityFlag,
 					tlsStateFlag,
@@ -206,15 +230,11 @@ Additionally, this command will grant access to an RBAC entity and configure the
 					tlsAlgorithmFlag,
 					tlsECDSACurveFlag,
 					tlsRSABitsFlag,
-					clientTLSCommonNameFlag,
-					clientTLSOrgFlag,
 					clientTLSOrgUnitFlag,
 					clientTLSCityFlag,
 					clientTLSStateFlag,
 					clientTLSCountryFlag,
-					configuringRBACUserFlag,
-					configuringRBACGroupFlag,
-					configuringServiceAccountFlag,
+					helmHomeFlag,
 					helmKubectlContextNameFlag,
 					helmKubeconfigFlag,
 				},
@@ -334,6 +354,9 @@ func deployHelmServer(cliContext *cli.Context) error {
 	if err != nil {
 		return err
 	}
+	tillerImage := cliContext.String(tillerImageFlag.Name)
+	tillerVersion := cliContext.String(tillerVersionFlag.Name)
+	imageSpec := fmt.Sprintf("%s:%s", tillerImage, tillerVersion)
 
 	return helm.Deploy(
 		kubectlOptions,
@@ -344,6 +367,7 @@ func deployHelmServer(cliContext *cli.Context) error {
 		clientTLSOptions,
 		helmHome,
 		rbacEntity,
+		imageSpec,
 	)
 }
 

helm/deploy.go

@@ -31,6 +31,7 @@ func Deploy(
 	clientTLSOptions tls.TLSOptions,
 	helmHome string,
 	localClientRBACEntity RBACEntity,
+	imageSpec string,
 ) error {
 	logger := logging.GetProjectLogger()
 
@@ -91,6 +92,7 @@ func Deploy(
 		tillerKeyPairPath,
 		tillerNamespace,
 		serviceAccount,
+		imageSpec,
 	)
 	if err != nil {
 		logger.Errorf("Error deploying Tiller: %s", err)

helm/deploy_test.go

@@ -13,6 +13,7 @@ import (
 	"github.com/gruntwork-io/terratest/modules/shell"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
+	"k8s.io/helm/pkg/helm/portforwarder"
 
 	"github.com/gruntwork-io/kubergrunt/kubectl"
 	"github.com/gruntwork-io/kubergrunt/tls"
@@ -66,6 +67,9 @@ func TestValidateRequiredResourcesForDeploy(t *testing.T) {
 // 7. Undeploy helm
 func TestHelmDeployConfigureUndeploy(t *testing.T) {
 	t.Parallel()
+
+	imageSpec := "gcr.io/kubernetes-helm/tiller:v2.11.0"
+
 	kubectlOptions := getTestKubectlOptions(t)
 	terratestKubectlOptions := k8s.NewKubectlOptions("", "")
 	tlsOptions := sampleTlsOptions(tls.ECDSAAlgorithm)
@@ -102,11 +106,15 @@ func TestHelmDeployConfigureUndeploy(t *testing.T) {
 		clientTLSOptions,
 		getHelmHome(t),
 		testServiceAccountInfo,
+		imageSpec,
 	))
 
 	// Check tiller pod is in chosen namespace
 	tillerPodName := validateTillerPodDeployedInNamespace(t, terratestKubectlOptions)
 
+	// Check tiller pod is using the right image
+	validateTillerPodImage(t, terratestKubectlOptions, namespaceName, imageSpec)
+
 	// Check tiller pod is launched with the right service account
 	validateTillerPodServiceAccount(t, terratestKubectlOptions, tillerPodName, serviceAccountName)
 
@@ -144,6 +152,15 @@ func validateTillerPodDeployedInNamespace(t *testing.T, terratestKubectlOptions
 	return strings.TrimLeft(tillerPodName, "pod/")
 }
 
+// validateTillerPodImage checks if the deployed tiller image is actually the one we configured.
+func validateTillerPodImage(t *testing.T, terratestKubectlOptions *k8s.KubectlOptions, tillerNamespace string, tillerImageSpec string) {
+	kubeClient, err := k8s.GetKubernetesClientFromOptionsE(t, terratestKubectlOptions)
+	require.NoError(t, err)
+	image, err := portforwarder.GetTillerPodImage(kubeClient.CoreV1(), tillerNamespace)
+	require.NoError(t, err)
+	assert.Equal(t, image, tillerImageSpec)
+}
+
 // validateTillerPodDeployedInNamespace validates that the tiller pod was deployed with the provided service account
 func validateTillerPodServiceAccount(t *testing.T, terratestKubectlOptions *k8s.KubectlOptions, tillerPodName string, serviceAccountName string) {
 	pod := k8s.GetPod(t, terratestKubectlOptions, tillerPodName)

helm/tiller.go

@@ -29,13 +29,15 @@ func InstallTiller(
 	tillerKeyPairPath tls.CertificateKeyPairPath,
 	tillerNamespace string,
 	serviceAccountName string,
+	imageSpec string,
 ) (string, error) {
 	client, err := kubectl.GetKubernetesClientFromFile(kubectlOptions.ConfigPath, kubectlOptions.ContextName)
 	if err != nil {
 		return "", err
 	}
 
 	options := installer.Options{}
+	options.ImageSpec = imageSpec
 
 	// RBAC options
 	options.Namespace = tillerNamespace