Configuring the NodePort port for installing Helm charts
The default method that IBM® Cloud Private uses to install Helm charts with the Helm CLI is by using a proxied connection, which requires the user to have authorization to the kube-system namespace. The Helm Tiller service can also be configured to use a NodePort port to bypass the default proxied connection and allowing users to use Helm CLI without requiring access to the kube-system namespace.
Changing the NodePort port value
The value tiller_nodeport
in the config.yaml
file specifies the NodePort port that is used to connect to Tiller. When you install IBM Cloud Private, the NodePort port for Tiller is set to a default value of 31514
in the config.yaml
file. You can update the NodePort port value after deployment by changing the nodePort
value in the tiller-deploy
service.
tiller_nodeport: 31573
For additional information about the NodePort port, see Services in the Kubernetes documentation and Required ports.
Communicating with Tiller using the NodePort port
To access Tiller using the configured NodePort port, you can either set a HELM_HOST
environment variable in your terminal window or specify the --host
option on the Helm CLI. The format for both is: NodeIP:NodePort.
For example, if the NodeIP is set to 10.20.247.65
and the NodePort port is set to 31514
, then the value would be 10.20.247.65:31514
.
-
The best practice is to set the Helm CLI, as shown in the following example:
eval "$(cloudctl helm-init)" helm list --tls
This procedure sets the `HELM_HOST environmental variable to the correct Tiller endpoint and port automatically. Note: The command to set the environment variable must be entered each time you log in to the cluster.
-
You can set the
HELM_HOST
environment variable manually by entering a command similar to the following example:export HELM_HOST=10.20.247.65:31514 helm list --tls
After the
HELM_HOST
variable is set, you do not have to enter theHELM_HOST
command again during that session. Note: The command to set the environment variable must be entered each time you log in to the cluster. -
You can add the
--host
option to your command to use the configured NodePort port by entering a command similar to the following example:helm list --host 10.20.247.65:31514 --tls
Enabling FIPS compliance
The communication with Tiller through the NodePort port is not FIPS compliant. To obtain FIPS-compliant communication with the NodePort port, you must either use the IBM Cloud Private management console to install your Helm charts or enable FIPS-compliant cipher suites to encrypt your communication.
The TLS implementation that is used in the Go language is not FIPS compliant. Customers can use the IBM Cloud Private management console or use the Kubernetes proxy support without the NodePort port to remain FIPS compliant.
You can set the cipher suites for tiller
in the config.yaml
file when you install IBM Cloud Private. The setting tiller_ciphersuites
provides a set of comma-separated values that define the cipher suites that
Tiller
can use to encrypt communication. The default value of ""
means that tiller
can use any of the available cipher suites. The default values for cipher suites are shown in the following list:
- TLS_ECDHE_RSA_AES256_GCM_SHA384
- TLS_AES256_GCM_SHA384
- TLS_ECDHE_RSA_AES128_GCM_SHA256
- TLS_AES128_GCM_SHA256
An example of the tiller cipher suites setting in the config.yaml
file is shown in the following content:
tiller_ciphersuites: "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256"
Setting the Tiller cipher suites at deployment
You can set the cipher suites for tiller
in the config.yaml
file when you install IBM Cloud Private. The setting tiller_ciphersuites
provides a set of comma-separated values that define the cipher suites that
Tiller
can use to encrypt communication. The default value of ""
means that tiller
can use any of the available cipher suites. The supported values for cipher suites are shown in the following list:
- TLS_RSA_WITH_RC4_128_SHA
- TLS_RSA_WITH_3DES_EDE_CBC_SHA
- TLS_RSA_WITH_AES_128_CBC_SHA
- TLS_RSA_WITH_AES_256_CBC_SHA
- TLS_RSA_WITH_AES_128_CBC_SHA256
- TLS_RSA_WITH_AES_128_GCM_SHA256
- TLS_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
- TLS_ECDHE_RSA_WITH_RC4_128_SHA
- TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
-
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
An example of the tiller cipher suites setting in the
config.yaml
file is shown in the following content:tiller_ciphersuites: "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256"
Setting the Tiller cipher suites after deployment
If you already finished installing IBM Cloud Private, you can set the cipher suites manually by completing the following steps:
-
Log in using your
cloudctl
login with cluster administrator permissions. -
Edit the
tiller-deploy
deployment by enteting the following command:kubectl edit deployment tiller-deploy
-
The file opens in the default editor.
-
Find
spec
>containers
>env
in the file. -
Find the environment variable named
CIPHERSUITES
. -
By default, its value is empty. All of the available ciphers are accepted. When it is empty, it looks like the following example:
{"name":"CIPHERSUITES","value":""}
-
Replace
value
with the desired ciphersuites in a comma-separated string.For example, to avoid sweet32 vulnerability, here is the new value:
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384"
-
Save the change, and Tiller restarts automatically with the new settings.
Disabling the NodePort port
You can disable NodePort port by completing the following steps:
-
From the IBM Cloud Private menu, navigate to Network Access > Services.
-
Find the
tiller-deploy
service. -
Edit the service by selecting Edit from the Actions menu of the service. The service information is displayed in the editor.
-
Remove the following text from the
ports
values:"nodePort":31514
-
Change the
type
value toClusterIP
. The resulting content is similar to the following example:{ "apiVersion": "v1", "kind": "Service", "metadata": { "name": "tiller-deploy", "namespace": "kube-system", "resourceVersion": "7619", "labels": { "app": "helm", "name": "tiller" }, "annotations": { "kubectl.kubernetes.io/last-applied-configuration": "{\"apiVersion\":\"v1\",\"kind\":\"Service\",\"metadata\":{\"annotations\":{},\"labels\":{\"app\":\"helm\",\"name\":\"tiller\"},\"name\":\"tiller-deploy\",\"namespace\":\"kube-system\"},\"spec\":{\"clusterIP\":\"10.0.0.9\",\"ports\":[{\"name\":\"grpc\",\"port\":44134,\"protocol\":\"TCP\",\"targetPort\":44134}],\"selector\":{\"app\":\"helm\",\"name\":\"tiller\"}}}\n" } }, "spec": { "ports": [ { "name": "grpc", "protocol": "TCP", "port": 44134, "targetPort": 44134, } ], "selector": { "app": "helm", "name": "tiller" }, "clusterIP": "10.0.0.9", "type": "ClusterIP", "sessionAffinity": "None", "externalTrafficPolicy": "Cluster" } }
-
Click Submit to commit the changes.