Giters

kirs / tiller-releases-converter

A tool to migrate your Helm Tiller setup from ConfigMaps to Secrets as a backend.

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

tiller-releases-convertor

It is a tool to automate Helm's tiller migration from ConfigMap releases backend to Secrets-based backend.

TL;DR

To upgrade your Helm's Tiller setup to Secrets storage backend with zero-downtime run these three commands in the following order:

tiller-release-convertor convert # Will create a Secret for every ConfigMap release
tiller-release-convertor secure-tiller # WIll update tiller deployment with "--storate=secret"
tiller-release-convertor cleanup # Deletes tiller's ConfigMaps

Overview

Tiller is the in-cluster Helm's component, which manages Helm releases creating, updating or removing Kubernetes resources. It also manages Helm releases data. Tiller can use one of three storage types to store releases: ConfigMaps, Secrets, and Memory. The default option is ConfigMaps. If you have a default Tiller setup(with some software installed via Helm) on your cluster you can see them for yourself by typing:

kubectl get configmaps -n kube-system -l OWNER=TILLER

You will see all ConfigMaps, which are owned by Tiller.

Here comes the main problem. These releases contain every value you've passed during helm install/update including your app's secrets. ConfigMaps are stored in the Kubernetes etcd key-value storage as is, without any encryption. Secrets, on the other hand, are normally encrypted.

If you make a new Tiller installation it's recommended use the next command to enable Secrets storage backend:

helm init --service-account tiller  --override 'spec.template.spec.containers[0].command'='{/tiller,--storage=secret}'

But what to do if you have a working installation?

This script solves the problem. It

This tool has four commands:

  • list
  • convert
  • secure-tiller
  • cleanup

list

Lists current tiller's ConfigMap-based releases.

tiller-release-convertor list

Output example:

I've found these Tiller's ConfigMap releases for you:

kube-state-metrics.v1
kube-state-metrics.v2
...

convert

This command creates Secrets out of Tiller's ConfigMaps. ConfigMaps are left untouched.

tiller-release-convertor convert

Output Example:

 - [🚫] kube-state-metrics.v1 (target already exists)
 - [βœ…] kube-state-metrics.v2
...

See "target already exists" error? It happens when the target Secret already exists in the cluster. This tool will just skip this Secret, you shall check every situation like that by yourself.

secure-tiller

This command updates tiller-deploy deployment and adds .spec.template.spec.containers[0].command={"/tiller", "--storage=secret"}

tiller-release-convertor secure-tiller

Output example:

Updating Tiller Deployment...
Tiller Deployment was updated successfully!

cleanup

This command deletes old Tiller ConfigMaps.

tiller-release-convertor cleanup

Output example:

Deleting: kube-state-metrics.v1 βœ…
Deleting: kube-state-metrics.v2 ❌
<Error message>

Red cross indicates an error which is followed by en error message.

Command line options

There are some global command line arguments:

Flags:
      --context string      kube config context
  -h, --help                help for tiller-releases-convertor
  -c, --kubeconfig string   config file (default is $HOME/.kube/config)
  -n, --namespace string    tiller namespace (default is kube-system)

About

A tool to migrate your Helm Tiller setup from ConfigMaps to Secrets as a backend.

License:Apache License 2.0

Languages

Language:Go 100.0%