Deploying Vault Operators on GKE
• Mark Eschbach
First task is to figure out where Helm installed Tiller. By default Helm installs Tiller into kube-system. This can be verified by using kubectl get pods --namespace=kube-system | grep tiller. Sure enough, 1/1 pods are active and ready. Probably not ideal to install Tiller to kube-system for an actual production system but that is a different bridge I've already looked at.
Alright, so Tiller is installed; I am going to assume it is done properly. With Helm you need the --debug option, not --verbose, to get additional details. The output I get is:
[debug] Created tunnel using local port: '63286'
[debug] SERVER: "127.0.0.1:63286"
[debug] Original chart version: ""
[debug] Fetched banzaicloud-stable/vault-operator to /Users/human/.helm/cache/archive/vault-operator-0.2.4.tgz
[debug] CHART PATH: /Users/human/.helm/cache/archive/vault-operator-0.2.4.tgz
Error: no available release name found
A file does exist at /Users/human/.helm/cache/archive/vault-operator-0.2.4.tgz. To list Tiller output I stole kubectl get pods --all-namespaces | grep tiller, using the first column for the namespace and the second column for the container. Within the output I get an access control error. I am guessing that is the root of the problems.
[storage/driver] 2019/02/01 17:51:47 get: failed to get "banking-lamb.v1": configmaps "banking-lamb.v1" is forbidden: User "system:serviceaccount:kube-system:default" cannot get configmaps in the namespace "kube-system"
Makes sense a GKE cluster out of the box would be more secure than a local Docker for Mac instance. Looks like I glued the Tiller on in the wrong place.
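The denial in that log line names the subject, verb, resource and namespace, which is everything kubectl auth can-i needs to confirm the missing permission. The script below is an added example, not part of the original post: the function names are made up for illustration, and the second and third sample log lines are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): turn RBAC denials found in
# Tiller's log into the matching `kubectl auth can-i` checks.

# Reads log lines on stdin and prints one check per distinct denial.
# Matches only the message format shown in this post:
#   ... is forbidden: User "<subject>" cannot <verb> <resource> in the namespace "<ns>"
rbac_denials_to_checks() {
  # Logs pasted through rendered pages can carry typographic quotes,
  # so normalise them before matching.
  sed -n -E \
    -e 's/“/"/g' -e 's/”/"/g' \
    -e 's/.*is forbidden: User "([^"]+)" cannot ([a-z]+) ([^ ]+) in the namespace "([^"]+)".*/kubectl auth can-i \2 \3 --as=\1 --namespace=\4/p' |
    sort -u   # the same denial repeats once per release name Helm tries
}

# Sample input: line 1 is the denial quoted in this post; lines 2 and 3 are
# constructed (a repeat with another release name, and an unrelated line).
sample_log() {
  cat <<'EOF'
[storage/driver] 2019/02/01 17:51:47 get: failed to get "banking-lamb.v1": configmaps "banking-lamb.v1" is forbidden: User "system:serviceaccount:kube-system:default" cannot get configmaps in the namespace "kube-system"
[storage/driver] 2019/02/01 17:51:48 get: failed to get "example-release.v1": configmaps "example-release.v1" is forbidden: User "system:serviceaccount:kube-system:default" cannot get configmaps in the namespace "kube-system"
[constructed] 2019/02/01 17:51:49 a line with no RBAC denial in it
EOF
}

# Live use (the pod name is a placeholder):
#   kubectl logs --namespace=kube-system <tiller-pod> | rbac_denials_to_checks
sample_log | rbac_denials_to_checks
```

Running each printed command against the cluster answers yes or no for that exact permission, which makes it easy to re-check after any change to the service account Tiller runs as.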