terraform secure deployment of helm's “a giant sudo server”

This module provides for a simple installation of helms tiller agent that is only accessible by establishing a proxy via the k8s API per this article: https://engineering.bitnami.com/articles/helm-security.html .

helm provider 0.6.2 vendors helm 2.9.0, which does not correctly deploy tiller with rbac enabled. The manual patching is not required with this module.

kubectl patch deploy --namespace kube-system tiller-deploy -p '{"spec":{"template":{"spec":{"automountServiceAccountToken":true}}}}'

Usage

resource "kubernetes_namespace" "tiller" {
  metadata {
    name = "tiller"
  }
}

module "tiller" {
  source = "git::https://github.com/lsst-sqre/terraform-tinfoil-tiller.git?ref=0.10.x"

  namespace = "${kubernetes_namespace.tiller.metadata.0.name}"
}

provider "helm" {
  version = "~> 0.10.0"

  service_account = "${module.tiller.service_account}"
  namespace       = "${module.tiller.namespace}"
  install_tiller  = false

  kubernetes {
    ...
  }
}

Inputs

Name	Description	Type	Default	Required
namespace	kubernetes namespace to deploy into	string	"kube-system"	no
service_account	kubernetes service account name	string	"tiller"	no
tiller_image	tiller docker image.	string	"gcr.io/kubernetes-helm/tiller:v2.14.1"	no

Outputs

Name	Description
namespace	kubernetes namespace in which tiller is installed
service_account	name of kubernetes service account for tiller

pre-commit hooks

go get github.com/segmentio/terraform-docs
pip install --user pre-commit
pre-commit install

# manual run
pre-commit run -a

See Also

• helm
• pre-commit
• pre-commit-terraform
• terraform-docs
• terraform