Configuring the NodePort port for installing Helm charts

The default method that IBM® Cloud Private uses to install Helm charts with the Helm CLI is by using a proxied connection, which requires the user to have authorization to the kube-system namespace. The Helm Tiller service can also be configured to use a NodePort port to bypass the default proxied connection and allowing users to use Helm CLI without requiring access to the kube-system namespace.

Changing the NodePort port value

The value tiller_nodeport in the config.yaml file specifies the NodePort port that is used to connect to Tiller. When you install IBM Cloud Private, the NodePort port for Tiller is set to a default value of 31514 in the config.yaml file. You can update the NodePort port value after deployment by changing the nodePort value in the tiller-deploy service.

  tiller_nodeport: 31573

For additional information about the NodePort port, see Services in the Kubernetes documentation and Required ports.

Communicating with Tiller using the NodePort port

To access Tiller using the configured NodePort port, you can either set a HELM_HOST environment variable in your terminal window or specify the --host option on the Helm CLI. The format for both is: NodeIP:NodePort. For example, if the NodeIP is set to 10.20.247.65 and the NodePort port is set to 31514, then the value would be 10.20.247.65:31514.

• The best practice is to set the Helm CLI, as shown in the following example:

  eval "$(cloudctl helm-init)"
  helm list --tls
  

  This procedure sets the `HELM_HOST environmental variable to the correct Tiller endpoint and port automatically. Note: The command to set the environment variable must be entered each time you log in to the cluster.

• You can set the HELM_HOST environment variable manually by entering a command similar to the following example:

  export HELM_HOST=10.20.247.65:31514
  helm list --tls
  

  After the HELM_HOST variable is set, you do not have to enter the HELM_HOST command again during that session. Note: The command to set the environment variable must be entered each time you log in to the cluster.

• You can add the --host option to your command to use the configured NodePort port by entering a command similar to the following example:

  helm list --host 10.20.247.65:31514 --tls
  

Enabling FIPS compliance

The communication with Tiller through the NodePort port is not FIPS compliant. To obtain FIPS-compliant communication with the NodePort port, you must either use the IBM Cloud Private management console to install your Helm charts or enable FIPS-compliant cipher suites to encrypt your communication.

The TLS implementation that is used in the Go language is not FIPS compliant. Customers can use the IBM Cloud Private management console or use the Kubernetes proxy support without the NodePort port to remain FIPS compliant.

You can set the cipher suites for tiller in the config.yaml file when you install IBM Cloud Private. The setting tiller_ciphersuites provides a set of comma-separated values that define the cipher suites that Tiller can use to encrypt communication. The default value of "" means that tiller can use any of the available cipher suites. The default values for cipher suites are shown in the following list:

• TLS_ECDHE_RSA_AES256_GCM_SHA384
• TLS_AES256_GCM_SHA384
• TLS_ECDHE_RSA_AES128_GCM_SHA256
• TLS_AES128_GCM_SHA256

An example of the tiller cipher suites setting in the config.yaml file is shown in the following content:

  tiller_ciphersuites: "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256"

Setting the Tiller cipher suites at deployment

You can set the cipher suites for tiller in the config.yaml file when you install IBM Cloud Private. The setting tiller_ciphersuites provides a set of comma-separated values that define the cipher suites that Tiller can use to encrypt communication. The default value of "" means that tiller can use any of the available cipher suites. The supported values for cipher suites are shown in the following list:

• TLS_RSA_WITH_RC4_128_SHA
• TLS_RSA_WITH_3DES_EDE_CBC_SHA
• TLS_RSA_WITH_AES_128_CBC_SHA
• TLS_RSA_WITH_AES_256_CBC_SHA
• TLS_RSA_WITH_AES_128_CBC_SHA256
• TLS_RSA_WITH_AES_128_GCM_SHA256
• TLS_RSA_WITH_AES_256_GCM_SHA384
• TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
• TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
• TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
• TLS_ECDHE_RSA_WITH_RC4_128_SHA
• TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
• TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
• TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
• TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
• TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
• TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
• TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
• TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
• TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
• TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305

• TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305

  An example of the tiller cipher suites setting in the config.yaml file is shown in the following content:

  tiller_ciphersuites: "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256"
  

Setting the Tiller cipher suites after deployment

If you already finished installing IBM Cloud Private, you can set the cipher suites manually by completing the following steps:

1. Log in using your cloudctl login with cluster administrator permissions.

2. Edit the tiller-deploy deployment by enteting the following command:

   kubectl edit deployment tiller-deploy
   

3. The file opens in the default editor.

4. Find spec > containers > env in the file.

5. Find the environment variable named CIPHERSUITES.

6. By default, its value is empty. All of the available ciphers are accepted. When it is empty, it looks like the following example:

   {"name":"CIPHERSUITES","value":""}
   

7. Replace value with the desired ciphersuites in a comma-separated string.

   For example, to avoid sweet32 vulnerability, here is the new value:

   "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384"
   

8. Save the change, and Tiller restarts automatically with the new settings.

Disabling the NodePort port

You can disable NodePort port by completing the following steps:

1. From the IBM Cloud Private menu, navigate to Network Access > Services.

2. Find the tiller-deploy service.

3. Edit the service by selecting Edit from the Actions menu of the service. The service information is displayed in the editor.

4. Remove the following text from the ports values:

   "nodePort":31514
   

5. Change the type value to ClusterIP. The resulting content is similar to the following example:

   {
     "apiVersion": "v1",
     "kind": "Service",
     "metadata": {
       "name": "tiller-deploy",
       "namespace": "kube-system",
       "resourceVersion": "7619",
       "labels": {
         "app": "helm",
         "name": "tiller"
       },
       "annotations": {
         "kubectl.kubernetes.io/last-applied-configuration": "{\"apiVersion\":\"v1\",\"kind\":\"Service\",\"metadata\":{\"annotations\":{},\"labels\":{\"app\":\"helm\",\"name\":\"tiller\"},\"name\":\"tiller-deploy\",\"namespace\":\"kube-system\"},\"spec\":{\"clusterIP\":\"10.0.0.9\",\"ports\":[{\"name\":\"grpc\",\"port\":44134,\"protocol\":\"TCP\",\"targetPort\":44134}],\"selector\":{\"app\":\"helm\",\"name\":\"tiller\"}}}\n"
       }
     },
     "spec": {
      "ports": [
        {
          "name": "grpc",
          "protocol": "TCP",
          "port": 44134,
          "targetPort": 44134,
          }
       ],
       "selector": {
         "app": "helm",
         "name": "tiller"
       },
       "clusterIP": "10.0.0.9",
       "type": "ClusterIP",
       "sessionAffinity": "None",
       "externalTrafficPolicy": "Cluster"
     }
   }
   

6. Click Submit to commit the changes.