helm / monocular

⚠️(OBSOLETE) Search and discovery UI for Helm Chart repositories
Apache License 2.0

Support TLS-enabled Tiller #436

Open skogie opened 6 years ago

skogie commented 6 years ago

I have installed Tiller in my namespace test1 with a service account named tiller. I have also followed the Helm quickstart guide for securing the communication between Helm and Tiller with TLS here (https://docs.helm.sh/using_helm/#using-ssl-between-helm-and-tiller). When I try to deploy from Monocular into my k8s-cluster I get

{
  "code": 500,
  "message": "failed to connect to Tiller, are you sure it is installed?"
}

on the monocular-api at the endpoint /v1/releases

In the monocular-api-log I get the following:

[monocular-monocular-api-744c57976-7bvcc] [negroni] 2018-04-18T13:54:01Z | 500 |     9.298694ms | <monocular-api-url> | GET /v1/releases
[monocular-monocular-api-744c57976-7bvcc] 2018/04/18 13:54:01 grpc: addrConn.resetTransport failed to create client transport: connection error: desc = "transport: dial tcp: operation was canceled"; Reconnecting to {tiller-deploy.test1:44134 <nil>}
[monocular-monocular-api-744c57976-7bvcc] 2018/04/18 13:54:01 grpc: addrConn.transportMonitor exits due to: grpc: the connection is closing

Am I right to assume that since my helm/tiller installation is using tls-certificates these also have to be deployed with the api somehow?

prydonius commented 6 years ago

@skogie yes, unfortunately Monocular doesn't support this currently.

skogie commented 6 years ago

Ok, thank you. Closing.

prydonius commented 6 years ago

Going to keep this open to keep track of the issue, if that's okay @skogie

skogie commented 6 years ago

Sure, no problem.

jseguillon commented 6 years ago

Hi there. Does anyone know a workaround for this, or is there any plan for handling this issue? As a workaround: could something like a sidecar proxy handling TLS <-> HTTP do the job?

kunickiaj commented 6 years ago

Sidecar proxy might work but you'd also probably need a network policy plugin that could enforce rules between any non-monocular connections.

I'd def like to see support for TLS since we can't really leave any open tillers.
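
The restriction described in the last comment, sketched as a Kubernetes NetworkPolicy (an added example, not from the thread or the Monocular project). It admits only the Monocular API pods to Tiller's gRPC port 44134 in namespace test1; the Monocular namespace label and pod label are assumptions, and the policy only takes effect where the cluster's network plugin enforces NetworkPolicy.

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: tiller-allow-monocular-only   # hypothetical name
  namespace: test1                    # namespace where Tiller runs (from the issue)
spec:
  # Select the Tiller pods; app=helm,name=tiller are the labels `helm init`
  # puts on the tiller-deploy pods.
  podSelector:
    matchLabels:
      app: helm
      name: tiller
  # Once a pod is selected by an Ingress policy, all ingress that is not
  # explicitly listed below is dropped.
  policyTypes:
    - Ingress
  ingress:
    - from:
        # namespaceSelector and podSelector in the SAME list item are ANDed:
        # the peer must be a Monocular API pod inside the Monocular namespace.
        - namespaceSelector:
            matchLabels:
              name: monocular          # assumed label on the Monocular namespace
          podSelector:
            matchLabels:
              app: monocular-api       # assumed label on the Monocular API pods
      ports:
        - protocol: TCP
          port: 44134                  # Tiller gRPC port seen in the log above
```

This narrows which pods can open a connection to Tiller; it does not authenticate the caller or encrypt the traffic the way Tiller's TLS verification does.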