helm

package
v0.5.2
Warning

This package is not in the latest version of its module.

Published: Aug 15, 2019 License: Apache-2.0 Imports: 38 Imported by: 0

Documentation

Overview

Package helm contains utility functions for managing and using Helm.

Constants

const (
	DeployTillerWaitTimeout             = 5 * time.Minute
	DeployTillerWaitSleepBetweenRetries = 1 * time.Second
	TillerDeploymentName                = "tiller-deploy"
)
const (
	StableRepositoryName = "stable"
	StableRepositoryURL  = "https://kubernetes-charts.storage.googleapis.com"
)
const (
	NamespaceLabel       = "gruntwork.io/tiller-namespace"
	CredentialsLabel     = "gruntwork.io/tiller-credentials"
	CredentialsTypeLabel = "gruntwork.io/tiller-credentials-type"
	EntityIDLabel        = "gruntwork.io/tiller-entity-id"
)
const DefaultTillerConnectionTimeout = 300

DefaultTillerConnectionTimeout is the number of seconds to wait before timing out the connection to Tiller

const Instructions = `` /* 602-byte string literal not displayed */

Variables

This section is empty.

Functions

func ConfigureClient

func ConfigureClient(
	kubectlOptions *kubectl.KubectlOptions,
	helmHome string,
	tillerNamespace string,
	resourceNamespace string,
	setKubectlNamespace bool,
	rbacEntity RBACEntity,
) error

ConfigureClient configures the local helm client so that it can communicate with the Tiller server installed in the provided Tiller namespace. Tiller may be deployed in a different namespace from the one where resources should go. That separation addresses the risk that access to the tiller-secret grants admin access through the Tiller server TLS certs.

func Deploy

func Deploy(
	kubectlOptions *kubectl.KubectlOptions,
	tillerNamespace string,
	resourceNamespace string,
	serviceAccount string,
	tlsOptions tls.TLSOptions,
	clientTLSOptions tls.TLSOptions,
	helmHome string,
	localClientRBACEntity RBACEntity,
	imageSpec string,
) error

Deploy will deploy a new Tiller to the Kubernetes cluster configured with KubectlOptions following best practices. Specifically, this will:

  • Require a Namespace and ServiceAccount, so that a super user Tiller exists only if you explicitly and consciously deploy one.
  • Generate a new set of TLS certs.
  • Store the TLS certs in a Kubernetes Secret in a Namespace that only cluster admins have access to.
  • Deploy Tiller using the generated TLS certs, Namespace, and ServiceAccount. Additionally, set the flags so that the release info is stored in a Secret as opposed to ConfigMap.

Additionally, if an RBAC entity is passed in, grant access to it and configure the local client at the specified helm home directory.

func GetDefaultHelmHome added in v0.2.0

func GetDefaultHelmHome() (string, error)

GetDefaultHelmHome returns the default helm home directory, ~/.helm.

func GrantAccess

func GrantAccess(
	kubectlOptions *kubectl.KubectlOptions,
	tlsOptions tls.TLSOptions,
	tillerNamespace string,
	rbacGroups []string,
	rbacUsers []string,
	serviceAccounts []string,
) error

GrantAccess grants the provided RBAC groups and/or service accounts access to the Tiller Pod available in the provided Tiller namespace. Specifically, this will:

  • Download the corresponding CA keypair for the Tiller deployment from Kubernetes. Assumes the CA cert is in the kube-system namespace.
  • Issue a new TLS certificate keypair using the CA keypair.
  • Upload the new TLS certificate keypair to a new Secret in the Tiller namespace.
  • Create a new RBAC role that grants read only pod access to the Tiller namespace, and read only access to the Secret containing the TLS certificate keypair.
  • Remove the local copies of the downloaded and generated certificates.

func InstallTiller added in v0.3.1

func InstallTiller(
	kubectlOptions *kubectl.KubectlOptions,
	caKeyPairPath tls.CertificateKeyPairPath,
	tillerKeyPairPath tls.CertificateKeyPairPath,
	tillerNamespace string,
	serviceAccountName string,
	imageSpec string,
) (string, error)

InstallTiller will install Tiller onto the Kubernetes cluster. Returns the Tiller image being installed.

func NewHelmClient added in v0.3.1

func NewHelmClient(
	tillerHost string,
	connectionTimeout int64,
	helmHome string,
) (helm.Interface, error)

NewHelmClient constructs a new helm client that can be used to interact with Tiller.

func RevokeAccess added in v0.4.0

func RevokeAccess(
	kubectlOptions *kubectl.KubectlOptions,
	tillerNamespace string,
	rbacGroups []string,
	rbacUsers []string,
	serviceAccounts []string,
) error

RevokeAccess revokes access to a Tiller pod from a provided RBAC user, group, or service account in a provided Tiller namespace by deleting the secret, role, and role bindings associated with those entities. Note that, due to limitations in the Go TLS library used by helm, helm/tiller does not support checking certificate revocation lists. As a consequence, the signed TLS certificate will continue to be trusted by Tiller after running "kubergrunt helm revoke", since it was signed by the Tiller CA. However, the user's authorizations are removed by deleting the role and role binding, so access is effectively removed. See https://github.com/helm/helm/issues/4273
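The caveat above can be reproduced with Go's standard crypto/x509 package alone. This is an added example, not code from kubergrunt or helm; the CA, client names, serials and the function names are constructed for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue signs a short-lived client-auth certificate; a nil parent yields a self-signed CA.
func issue(cn string, serial int64, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), IsCA: parent == nil,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if parent == nil {
		parent, t.KeyUsage = t, t.KeyUsage|x509.KeyUsageCertSign|x509.KeyUsageCRLSign
	}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, t, parent, pub, signer))))
}

// RevokedButTrusted reports (chain still verifies, serial is on the CRL). All names are constructed.
func RevokedButTrusted() (bool, bool) {
	caKey, clientKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)), must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	ca := issue("constructed-tiller-ca", 1, nil, &caKey.PublicKey, caKey)
	client := issue("constructed-client", 2, ca, &clientKey.PublicKey, caKey)
	// The CA publishes a CRL that lists the client certificate's serial.
	crl := must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: time.Now(), NextUpdate: time.Now().Add(time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: client.SerialNumber, RevocationTime: time.Now()}},
	}, ca, caKey))))
	// Chain verification only checks signatures, validity and usage; it never reads the CRL.
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := client.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	listed := len(crl.RevokedCertificates) == 1 && crl.RevokedCertificates[0].SerialNumber.Cmp(client.SerialNumber) == 0
	return err == nil, listed
}

func main() { fmt.Println(RevokedButTrusted()) }
```

Both results are true: the certificate is on the CRL and still verifies against the CA, which is why RevokeAccess has to remove the role and role binding instead of relying on certificate revocation.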

func RunHelm

func RunHelm(options *kubectl.KubectlOptions, args ...string) error

RunHelm will make a call to helm, setting the config and context to the ones specified in the provided options.

func RunHelmAndGetOutput

func RunHelmAndGetOutput(options *kubectl.KubectlOptions, args ...string) (string, error)

RunHelmAndGetOutput will make a call to helm, setting the config and context to the ones specified in the provided options, and return the output of the command.

func SetupConnection added in v0.3.1

func SetupConnection(kubeClient *kubernetes.Clientset, kubectlOptions *kubectl.KubectlOptions, tillerNamespace string) (*helmkube.Tunnel, error)

SetupConnection will set up a tunnel to a deployed Tiller instance.

func Undeploy

func Undeploy(
	kubectlOptions *kubectl.KubectlOptions,
	namespace string,
	helmHome string,
	force bool,
	undeployReleases bool,
) error

Undeploy will undeploy (uninstall) the helm server and related Secrets from the Kubernetes cluster.

func VerifyTiller added in v0.3.1

func VerifyTiller(
	kubectlOptions *kubectl.KubectlOptions,
	tillerNamespace string,
	helmHome string,
) error

VerifyTiller pings the Tiller host with the helm client configured using the settings in the provided helmHome to verify it is up.

func WaitForTiller added in v0.3.1

func WaitForTiller(
	kubectlOptions *kubectl.KubectlOptions,
	newImage string,
	tillerNamespace string,
	tillerDeploymentName string,
	timeout time.Duration,
	sleepBetweenRetries time.Duration,
) error

WaitForTiller will poll Kubernetes until Tiller is available, and then verify the Tiller instance is up. This is ported from the helm client: https://github.com/helm/helm/blob/master/cmd/helm/init.go#L322

Types

type DeployedHelmInfo

type DeployedHelmInfo struct {
	HelmHome        string
	TillerNamespace string
}

func (DeployedHelmInfo) Render

func (info DeployedHelmInfo) Render() error

Render renders a platform-specific environment file that can be dot-sourced to set up the shell so that helm can authenticate correctly to the deployed Tiller. See `env_generator_unix.go` for the Unix-based env file, and `env_generator_windows.go` for the Windows PowerShell-based env file.

type GroupInfo

type GroupInfo struct {
	Name string
}

Represents an RBAC Group

func (GroupInfo) EntityID

func (group GroupInfo) EntityID() string

func (GroupInfo) EntityType

func (group GroupInfo) EntityType() string

func (GroupInfo) String

func (group GroupInfo) String() string

func (GroupInfo) Subject

func (group GroupInfo) Subject() rbacv1.Subject

type HelmHomeIsFileError added in v0.3.1

type HelmHomeIsFileError struct {
	HelmHome string
}

HelmHomeIsFileError is returned when the helm home path is a file and not a directory

func (HelmHomeIsFileError) Error added in v0.3.1

func (err HelmHomeIsFileError) Error() string

type HelmValidationError

type HelmValidationError struct {
	Message string
}

HelmValidationError is returned when a command validation fails.

func (HelmValidationError) Error

func (err HelmValidationError) Error() string

type InvalidServiceAccountInfo

type InvalidServiceAccountInfo struct {
	EncodedServiceAccount string
}

InvalidServiceAccountInfo error is returned when the encoded service account is not encoded correctly.

func (InvalidServiceAccountInfo) Error

func (err InvalidServiceAccountInfo) Error() string

type MultiHelmError

type MultiHelmError struct {
	Action string
	Errors []error
}

MultiHelmError is returned when there are multiple errors in a helm action.

func (MultiHelmError) AddError

func (err MultiHelmError) AddError(newErr error)

func (MultiHelmError) Error

func (err MultiHelmError) Error() string

func (MultiHelmError) IsEmpty

func (err MultiHelmError) IsEmpty() bool

type RBACEntity

type RBACEntity interface {
	// The type of entity (user, group, or service-account)
	EntityType() string
	// A unique string to identify the entity
	EntityID() string
	// Represented as an RBAC subject
	Subject() rbacv1.Subject
}

type RepoFileIsDirectoryError added in v0.3.1

type RepoFileIsDirectoryError struct {
	RepoFilePath string
}

RepoFileIsDirectoryError is returned when the helm repository file path is unexpectedly a directory

func (RepoFileIsDirectoryError) Error added in v0.3.1

func (err RepoFileIsDirectoryError) Error() string

type RepositoryUnreachableError added in v0.3.1

type RepositoryUnreachableError struct {
	RepositoryURL   string
	UnderlyingError error
}

RepositoryUnreachableError is returned when the chart repository is unreachable or does not exist.

func (RepositoryUnreachableError) Error added in v0.3.1

func (err RepositoryUnreachableError) Error() string

type ResourceDoesNotExistError added in v0.4.0

type ResourceDoesNotExistError struct {
	Resource string
	Name     string
}

ResourceDoesNotExistError is returned when the resource that is being deleted is not found.

func (*ResourceDoesNotExistError) Error added in v0.4.0

func (d *ResourceDoesNotExistError) Error() string

type ServiceAccountInfo

type ServiceAccountInfo struct {
	Name      string
	Namespace string
}

Represents a ServiceAccount

func ExtractServiceAccountInfo

func ExtractServiceAccountInfo(serviceAccountID string) (ServiceAccountInfo, error)

ExtractServiceAccountInfo takes a service account identifier and extracts the namespace and name.

func (ServiceAccountInfo) EntityID

func (serviceAccount ServiceAccountInfo) EntityID() string

func (ServiceAccountInfo) EntityType

func (serviceAccount ServiceAccountInfo) EntityType() string

func (ServiceAccountInfo) String

func (serviceAccount ServiceAccountInfo) String() string

func (ServiceAccountInfo) Subject

func (serviceAccount ServiceAccountInfo) Subject() rbacv1.Subject

type TillerDeployWaitTimeoutError added in v0.3.1

type TillerDeployWaitTimeoutError struct {
	Namespace string
}

TillerDeployWaitTimeoutError is returned when deploy times out waiting for Tiller to come up.

func (TillerDeployWaitTimeoutError) Error added in v0.3.1

type TillerPingError added in v0.3.1

type TillerPingError struct {
	Namespace       string
	UnderlyingError error
}

TillerPingError is returned when we fail to reach the Tiller pod using the helm client.

func (TillerPingError) Error added in v0.3.1

func (err TillerPingError) Error() string

type UnknownRBACEntityType added in v0.2.0

type UnknownRBACEntityType struct {
	RBACEntityType string
}

UnknownRBACEntityType error is returned when the RBAC entity type is something unexpected

func (UnknownRBACEntityType) Error added in v0.2.0

func (err UnknownRBACEntityType) Error() string

type UserInfo

type UserInfo struct {
	Name string
}

Represents an RBAC User

func (UserInfo) EntityID

func (user UserInfo) EntityID() string

func (UserInfo) EntityType

func (user UserInfo) EntityType() string

func (UserInfo) String

func (user UserInfo) String() string

func (UserInfo) Subject

func (user UserInfo) Subject() rbacv1.Subject
