helm --tls option is not supported #577

Closed
teruz opened this issue Apr 5, 2018 · 17 comments
Labels
area/helm kind/bug Issue is a bug lifecycle/rotten priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release.

Comments

@teruz

teruz commented Apr 5, 2018

Hi, I've found that when running jx install into an existing Kubernetes cluster, jx install cannot pass the --tls option to the helm install command, even though some Kubernetes implementations such as IBM Cloud Private force helm install to be run with the --tls option.

$ jx install --provider=kubernetes
...
...Successfully got an update from the "stable" chart repository
...Successfully got an update from the "jenkins-x" chart repository
Update Complete. ⎈ Happy Helming!⎈
helm install jenkins-x/jenkins-x-platform --name jenkins-x -f ./myvalues.yaml -f ./secrets.yaml --version 0.0.507 --values=/home/teru/.jx/gitSecrets.yaml --values=/home/teru/.jx/adminSecrets.yaml --values=/home/teru/.jx/extraValues.yaml --namespace=jx --timeout=6000
Error: transport is closing

I'd like to set the --tls option on the helm command, but there is no way to tell the jx command to set any helm options.

@teruz
Author

teruz commented Apr 5, 2018

Some Kubernetes implementations force the --tls option, for example:

$ helm version
Client: &version.Version{SemVer:"v2.8.2", GitCommit:"a80231648a1473929271764b920a8e346f6de844", GitTreeState:"clean"}
Error: cannot connect to Tiller

$ helm version --tls
Client: &version.Version{SemVer:"v2.8.2", GitCommit:"a80231648a1473929271764b920a8e346f6de844", GitTreeState:"clean"}
Server: &version.Version{SemVer:"v2.7.2+icp", GitCommit:"d41a5c2da480efc555ddca57d3972bcad3351801", GitTreeState:"dirty"}

@jstrachan
Member

@teruz ah thanks for the heads up! Let's try to add that flag ASAP.

BTW will you be able to upgrade tiller to 2.8.2? Have had issues with client + server differences in the past. (Can't wait for the CRD based helm 3! :)

jstrachan added a commit to jstrachan/jx that referenced this issue Apr 5, 2018
jenkins-x#577

more work is required to update the makefiles in cloud-environments to allow TLS

@teruz
Author

teruz commented Apr 5, 2018

@jstrachan thank you for your quick response. I've looked at your commit.
It seems that the --helm-tls option is actually added to the jx install command, but maybe there is no logic appending the --tls flag to "helm install", while it was added in the "helm version" code. We also need --tls with "helm install".

@jstrachan
Member

@teruz yeah - I was hoping it was a super quick fix; but we're gonna have to tinker with our Makefile to allow a tls option to be passed in. At least the first commit can handle jx version --tls ;)

@jstrachan
Member

@teruz it's a huge shame you can't just configure helm to always use TLS - via an env var or something

@teruz
Author

teruz commented Apr 5, 2018

@jstrachan yeah, I've also been looking for some workaround with an env var or config file... but I cannot find one.

@jstrachan
Member

@teruz I spotted TILLER_TLS_ENABLE environment variable in the source, I wonder if that helps enable TLS on the helm CLI?

@teruz
Author

teruz commented Apr 6, 2018

@jstrachan thank you for your suggestion. I've checked the helm source and unfortunately I've found that the TILLER_TLS_ENABLE env var is defined but not used in the helm source...

defined but not used?: [image]

@jstrachan
Member

I've raised this to see if anyone in the helm community has any better ideas: helm/helm#3841

@teruz
Author

teruz commented Apr 7, 2018

@jstrachan thanks a lot. It seems some pull requests have been raised and not merged on the helm repo.
I'll wait patiently for them to be merged :-)

maniankara pushed a commit to maniankara/jx that referenced this issue Apr 10, 2018
jenkins-x#577

more work is required to update the makefiles in cloud-environments to allow TLS

@khell

khell commented Jan 2, 2019

This is still an issue. I thought running jx install --helm-tls would work, but it fails when installing the Jenkins X chart because it does not pass the --tls flag to helm upgrade. Fortunately the TILLER_TLS_ENABLE environment variable does work... as does --no-tiller.
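
The gap reported in this thread (a TLS option honoured for helm version but never appended to helm install or helm upgrade) is what happens when the flag is added per call site. As an added example, not code from jx or from any participant, the sketch below routes every helm v2 invocation through one argument builder; `HelmCLI`, `Args`, `tillerCommands` and `hasFlag` are hypothetical names.

```go
package main

import (
	"fmt"
	"strings"
)

// HelmCLI is a hypothetical wrapper (not jx's real type). TLS is a property
// of the client as a whole, so no single call site can forget it.
type HelmCLI struct {
	Binary string
	TLS    bool // would be set from an option such as jx's --helm-tls
}

// tillerCommands lists helm v2 subcommands that talk to Tiller and accept --tls.
var tillerCommands = map[string]bool{
	"install": true, "upgrade": true, "delete": true, "list": true,
	"status": true, "history": true, "rollback": true, "version": true,
}

// Args builds the argv for one helm call, appending --tls exactly once for
// Tiller-facing subcommands and leaving local ones (repo, init, ...) alone.
func (h HelmCLI) Args(sub string, rest ...string) []string {
	args := append([]string{h.Binary, sub}, rest...)
	if h.TLS && tillerCommands[sub] && !hasFlag(rest, "--tls") {
		args = append(args, "--tls")
	}
	return args
}

// hasFlag reports whether flag is already present as "--x" or "--x=value".
func hasFlag(args []string, flag string) bool {
	for _, a := range args {
		if a == flag || strings.HasPrefix(a, flag+"=") {
			return true
		}
	}
	return false
}

func main() {
	h := HelmCLI{Binary: "helm", TLS: true}
	// Constructed invocations modelled on the commands quoted in the thread.
	fmt.Println(strings.Join(h.Args("version"), " "))
	fmt.Println(strings.Join(h.Args("install", "jenkins-x/jenkins-x-platform", "--name", "jenkins-x", "--namespace=jx"), " "))
	fmt.Println(strings.Join(h.Args("upgrade", "jenkins-x", "jenkins-x/jenkins-x-platform"), " "))
	fmt.Println(strings.Join(h.Args("repo", "update"), " "))
}
```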

@jstrachan
Member

here is a workaround for now (just avoid tiller completely which is way more secure and avoids side-stepping k8s RBAC completely): https://jenkins-x.io/news/helm-without-tiller/

@jstrachan
Member

I'd actually say avoiding tiller completely is a much better solution than enabling TLS on it https://jenkins-x.io/news/helm-without-tiller/ - as tiller basically disables fine grained RBAC - anyone who can access the tiller endpoint has effectively cluster-admin

@ccojocar ccojocar added area/helm kind/bug Issue is a bug priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. labels Jan 14, 2019
@jenkins-x-bot
Contributor

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
Provide feedback via https://jenkins-x.io/community.
/lifecycle stale

@jenkins-x-bot
Contributor

Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.
If this issue is safe to close now please do so with /close.
Provide feedback via https://jenkins-x.io/community.
/lifecycle rotten

@jenkins-x-bot
Contributor

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.
Provide feedback via https://jenkins-x.io/community.
/close

@jenkins-x-bot
Contributor

@jenkins-x-bot: Closing this issue.
