Openshift Helm

April 15, 2019

Page content

I this post I will demonstrate the basic configuration of Helm on Openshift.

Parts of the Openshift series

Part1: Install Opeshift
Part2: How to Enable Auto Approval of CSR in Openshift v3.11
Part3: Add new workers to Openshift cluster
Part4: Chane the certificates of the Openshift cluster
Part5: LDAP authentication for Openshift
Part6: Keycloak SSO authentication for Openshift
Part7: Gitlab SSO authentication for Openshift
Part8a: Ceph persistent storage for Openshift
Part8b: vSphere persistent storage for Openshift
Part9: Helm on Openshift
Part10: Tillerless Helm on Openshift
Part11: Use external docker registry on Openshift
Part12: Secondary router on Openshift
Part13a: Use Letsencrypt on Openshift
Part13b: Install cert-managger on Openshift
Part14: Create Openshift operators
Part15: Convert docker-compose file to Opeshift
Part16a: Opeshift elasticsearch search-guard error
Part16b: Openshift: Log4Shell - Remote Code Execution (CVE-2021-44228) (CVE-2021-4104)

Helm

Helm is a package manager and teplating engine for Kubernetes. It based on tree main components:

the helm cli client
the helm server called tiller
the template pcakage called halm chart

Install helm cli

# https://github.com/helm/helm/releases
curl -s https://storage.googleapis.com/kubernetes-helm/helm-v2.9.1-linux-amd64.tar.gz | tar xz
cd linux-amd64
cp helm /usr/bin

Helm with cluster-admin permissions

nano helm-cluster-admin.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: tiller-admin
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: tiller-admin
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: tiller-admin
  namespace: kube-system

Init helm

oc login master.openshift.devopstales.intra:443
kubectl apply -f helm-cluster-admin.yaml
helm init --service-account tiller-admin

Test hem

oc new-project myapp
helm install stable/ghost -n blog

oc get pods -n myapp
export APP_HOST=$(kubectl get svc --namespace myapp blog-ghost --template "{{ range (index .status.loadBalancer.ingress 0) }}{{ . }}{{ end }}")
export APP_PASSWORD=$(kubectl get secret --namespace myapp blog-ghost -o jsonpath="{.data.ghost-password}" | base64 --decode)
export APP_DATABASE_PASSWORD=$(kubectl get secret --namespace myapp blog-mariadb -o jsonpath="{.data.mariadb-password}" | base64 --decode)
helm upgrade blog stable/ghost --set service.type=LoadBalancer,ghostHost=$APP_HOST,ghostPassword=$APP_PASSWORD,mariadb.db.password=$APP_DATABASE_PASSWORD

oc get pods -n myapp
echo Password: $(kubectl get secret --namespace myapp blog-ghost -o jsonpath="{.data.ghost-password}" | base64 --decode)