Helm v2 (Tiller-based) cheat sheet

#Current shell

# Load helm's bash completion into the current shell session only; nothing is
# written to a profile file. The completion script is produced by the local
# helm binary and executed by `source`.
source <(helm completion bash)


#Basic

# NOTE: `helm init`, `helm reset` and Tiller belong to Helm v2; Helm v3 has no
# in-cluster Tiller component.
# Install Tiller into the cluster, running as the `tiller` service account.
# NOTE(review): unless Tiller is initialised with TLS (the --tiller-tls* options
# of `helm init`), its gRPC endpoint does not authenticate callers, so whatever
# this service account is allowed to do is available to any client that can
# reach Tiller. See the RBAC section for how the account is bound.
helm init --service-account tiller

# Upgrade an already-installed Tiller.
helm init --upgrade

# Remove Tiller from the cluster.
helm reset

# Delete a release and purge its stored record (takes a release name, omitted here).
helm delete --purge

# Two alternatives, not a shell pipeline: list every chart, or search by keyword.
helm search | helm search [mariadb]

# List releases; --all also shows releases that are not currently deployed.
helm list [--all]

# Print the chart's metadata and default values. Worth reading before installing
# a chart you did not write.
helm inspect stable/mariadb

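# Write the chart value overrides to config.yaml.
# The heredoc delimiter is unquoted, so the shell would expand any $VAR or
# $(...) in the body; this body contains none.
cat << EOF > config.yaml
mariadbUser: user0
mariadbDatabase: user0db
EOF

# Install the chart with the overrides written above. The -f argument must name
# the same file the heredoc created (config.yaml, not config.yml).
# [--name my-db] is optional notation: it sets the release name.
helm install -f config.yaml stable/mariadb [--name my-db]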

# Show the state of a release and the resources it created.
helm status [my-db]

# Apply changed values (or a new chart version) to the existing release.
helm upgrade -f config.yaml my-db stable/mariadb

# Print the user-supplied values of the release.
# NOTE(review): these come from the release record kept by Tiller, so any
# password passed as a chart value is readable by whoever can query Tiller or
# read its release storage. Keep credentials out of values where possible.
helm get values my-db

# List the revisions recorded for the release.
helm history my-db

# Roll the release back to revision 1.
helm rollback my-db 1

# Delete the release. Without --purge the release record is kept.
helm delete my-db


#Repo

# Show the chart repositories configured for this client.
helm repo list

# Add a repository under the local name `dev`.
# NOTE(review): charts from a repository are rendered and applied with Tiller's
# permissions, so add only repositories you trust and keep the URL on https.
helm repo add dev https://example.com/dev-charts

# NOTE(review): the Helm project has since retired its stable/incubator chart
# repositories; confirm the current location before relying on this URL.
helm repo add incubator https://kubernetes-charts-incubator.storage.googleapis.com/

# Refresh the locally cached index of every configured repository.
helm repo update


#Charts

# Scaffold a new chart directory named my-chart.
helm create my-chart

# Run helm's static checks against a chart.
helm lint

# Package the chart directory into a versioned archive (my-chart-0.1.0.tgz below).
# `helm package --sign` can additionally emit a provenance file that
# `helm install --verify` checks, if you want integrity verification.
helm package my-chart

# Install a release from the local chart archive.
helm install ./my-chart-0.1.0.tgz

# Serve the charts under ./charts from a local repository server.
# NOTE(review): this is a plain, unauthenticated HTTP server meant for local
# development; do not expose it beyond the workstation.
helm serve --repo-path ./charts


#Plugins

# Helm plugins are programs that run on the workstation with the invoking
# user's privileges, including access to that user's kubeconfig. Review the
# plugin source before installing, and consider pinning it with --version.
helm plugin install https://github.com/technosophos/helm-template

# NOTE(review): this example fetches the archive over plain http, which gives
# no protection against tampering in transit. Prefer an https URL.
helm plugin install http://domain/path/to/plugin.tar.gz

# Provides the `helm tiller ...` sub-commands used in the Tillerless section.
helm plugin install https://github.com/rimusz/helm-tiller


#Tillerless

# Start Tiller through the helm-tiller plugin; the page notes that this opens a
# new shell. The optional argument names the namespace to use.
# NOTE(review): presumably Tiller then runs outside the cluster with the
# caller's own kubeconfig credentials, so the caller's RBAC applies. Confirm
# this against the plugin's documentation.
helm tiller start [my-team-namespace] (starts new shell)

# Stop that Tiller again; leave the shell it opened first.
helm tiller stop (exit shell first)

CI/CD

# CI variant of `helm tiller start`.
# NOTE(review): presumably it does not open a sub-shell, which is why HELM_HOST
# is exported by hand below. Confirm against the plugin's documentation.
helm tiller start-ci [my-team-namespace]

# Point the helm client at the Tiller endpoint on the local host, port 44134.
# NOTE(review): on a shared CI host, other processes on the same machine may be
# able to reach this port. Prefer isolated runners.
export HELM_HOST=localhost:44134

# Stop Tiller when the job is done.
helm tiller stop


#RBAC

Service account with cluster-admin role

# Create the `tiller` ServiceAccount in kube-system and bind it to the built-in
# cluster-admin ClusterRole through a ClusterRoleBinding.
# NOTE(review): this gives Tiller unrestricted control of the whole cluster.
# Because Tiller does not authenticate callers unless TLS is enabled, anything
# able to reach its endpoint can act as cluster-admin through it. Prefer the
# namespace-scoped setups later on this page, and enable Tiller TLS, for
# anything beyond a disposable test cluster.
cat << EOF > rbac-config.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: tiller
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: tiller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
  - kind: ServiceAccount
    name: tiller
    namespace: kube-system
EOF

# Apply both objects.
kubectl create -f rbac-config.yaml


Deploy Tiller in a namespace, restricted to deploying resources only in that namespace

# Dedicated namespace and service account for this Tiller instance.
kubectl create namespace tiller-world

kubectl create serviceaccount tiller --namespace tiller-world

# Role scoped to tiller-world: every verb on every resource in the core, batch,
# extensions and apps API groups.
# NOTE(review): the core-group wildcard includes Secrets and ServiceAccounts in
# this namespace. Narrow resources and verbs if the charts you deploy allow it.
# The rbac.authorization.k8s.io group is not listed, so this Role does not let
# Tiller create Roles or RoleBindings.
cat << EOF > role-tiller.yaml
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: tiller-manager
  namespace: tiller-world
rules:
- apiGroups: ["", "batch", "extensions", "apps"]
  resources: ["*"]
  verbs: ["*"]
EOF

kubectl create -f role-tiller.yaml

# Bind the tiller-manager Role to the tiller ServiceAccount. Both live in
# tiller-world, so Tiller's permissions stop at that namespace boundary.
cat << EOF > rolebinding-tiller.yaml
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: tiller-binding
  namespace: tiller-world
subjects:
- kind: ServiceAccount
  name: tiller
  namespace: tiller-world
roleRef:
  kind: Role
  name: tiller-manager
  apiGroup: rbac.authorization.k8s.io
EOF

kubectl create -f rolebinding-tiller.yaml

# Install Tiller into tiller-world, running as the restricted service account.
# NOTE(review): namespace-scoped RBAC limits what Tiller can do, not who can
# talk to it. Tiller TLS is still needed to authenticate callers.
helm init --service-account tiller --tiller-namespace tiller-world

# Install a release via that Tiller, into the same namespace.
# `nginx` is presumably a placeholder for a chart reference.
helm install nginx --tiller-namespace tiller-world --namespace tiller-world


Deploy Tiller in a namespace, restricted to deploying resources in another namespace

# Tiller itself lives in myorg-system.
# NOTE(review): the target namespace myorg-users is not created here; it is
# assumed to exist already.
kubectl create namespace myorg-system

kubectl create serviceaccount tiller --namespace myorg-system

# Role in the target namespace myorg-users: every verb on every resource in
# the core, batch, extensions and apps API groups. The core-group wildcard
# includes Secrets in myorg-users.
# This reuses the file name role-tiller.yaml from the previous example and
# overwrites that file if it is still present.
cat << EOF > role-tiller.yaml
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: tiller-manager
  namespace: myorg-users
rules:
- apiGroups: ["", "batch", "extensions", "apps"]
  resources: ["*"]
  verbs: ["*"]
EOF

kubectl create -f role-tiller.yaml

# Cross-namespace binding: the RoleBinding sits in myorg-users, but its subject
# is the tiller ServiceAccount from myorg-system. This is what lets Tiller
# manage resources in myorg-users.
cat << EOF > rolebinding-tiller.yaml
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: tiller-binding
  namespace: myorg-users
subjects:
- kind: ServiceAccount
  name: tiller
  namespace: myorg-system
roleRef:
  kind: Role
  name: tiller-manager
  apiGroup: rbac.authorization.k8s.io
EOF

kubectl create -f rolebinding-tiller.yaml

# Role in Tiller's own namespace (myorg-system), limited to ConfigMaps.
# Presumably this covers the release records Tiller keeps there.
# NOTE(review): ConfigMaps belong to the core ("") API group, so the extensions
# and apps entries look unnecessary, and verbs ["*"] could be narrowed. Verify
# against your Tiller version before tightening.
cat << EOF > role-tiller-myorg-system.yaml
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: myorg-system
  name: tiller-manager
rules:
- apiGroups: ["", "extensions", "apps"]
  resources: ["configmaps"]
  verbs: ["*"]
EOF

kubectl create -f role-tiller-myorg-system.yaml

# Bind the ConfigMap-only Role to the tiller ServiceAccount inside myorg-system.
cat << EOF > rolebinding-tiller-myorg-system.yaml
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: tiller-binding
  namespace: myorg-system
subjects:
- kind: ServiceAccount
  name: tiller
  namespace: myorg-system
roleRef:
  kind: Role
  name: tiller-manager
  apiGroup: rbac.authorization.k8s.io
EOF

kubectl create -f rolebinding-tiller-myorg-system.yaml


Deploy Helm in a namespace, talking to Tiller in another namespace

# Three objects in one file:
#   1. ServiceAccount `helm` in helm-world, the identity the helm client runs as.
#   2. Role `tiller-user` in tiller-world, allowing only `list` on pods and
#      `create` on pods/portforward.
#   3. RoleBinding granting that Role to helm-world/helm.
# NOTE(review): the helm-world namespace is not created here and is assumed to
# exist already.
# NOTE(review): port-forward access to the Tiller pod lets this account send
# requests to Tiller. Unless Tiller enforces TLS client authentication, the
# account can therefore do whatever Tiller's own service account can do, so
# treat this Role as a grant of Tiller's permissions.
cat << EOF > helm-user.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: helm
  namespace: helm-world
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: tiller-user
  namespace: tiller-world
rules:
- apiGroups:
  - ""
  resources:
  - pods/portforward
  verbs:
  - create
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - list
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: tiller-user-binding
  namespace: tiller-world
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: tiller-user
subjects:
- kind: ServiceAccount
  name: helm
  namespace: helm-world
EOF

kubectl create -f helm-user.yaml


#References

https://helm.sh/docs/using_helm/#using-helm