I have a Kubernetes cluster in GCP names foo. I created in that cluster a service account for tiller and gave it admin rights as follows:
kubectl -n kube-system create serviceaccount tiller
kubectl create clusterrolebinding tiller \
> --clusterrole=cluster-admin \
> --serviceaccount=kube-system:tiller
Then I init Helm as follows:
helm init --service-account tiller
Now finally when I try to install my own chart:
someserver:helm joe$ helm install onerepo/onechart --name foobar
Error: the server has asked for the client to provide credentials
I am already authenticated for cluster foo and I can describe all its other resources and service accounts. Why I cannot deploy using Helm?
The correct way to install helm and use it:
curl https://raw.githubusercontent.com/helm/helm/master/scripts/get | bash
kubectl create serviceaccount --namespace kube-system tiller
kubectl create clusterrolebinding tiller-cluster-rule --clusterrole=cluster-admin --serviceaccount=kube-system:tiller
kubectl patch deploy --namespace kube-system tiller-deploy -p '{"spec":{"template":{"spec":{"serviceAccount":"tiller"}}}}'
helm init --service-account tiller
helm install onerepo/onechart --name foobar
Related
In my CI I'm running a helm upgrade command to release an app.
But if it is a non existing app, I have to create the namespace, a secret and patch the serviceaccount. So I come up with this:
kubectl create namespace ${namespace} --dry-run=client -o yaml | kubectl apply -f -
kubectl create secret docker-registry gitlab-registry --namespace ${namespace} --docker-server="\${CI_REGISTRY}" --docker-username="\${CI_DEPLOY_USER}" --docker-password="\${CI_DEPLOY_PASSWORD}" --docker-email="\${GITLAB_USER_EMAIL}" -o yaml --dry-run=client | kubectl apply -f -
kubectl patch serviceaccount default -p '{"imagePullSecrets":[{"name":"gitlab-registry"}]}' --namespace ${namespace}
This is working, but I think it is not the perfect way as these three steps should only be done once.
: Only if app/namespace/secret is not existing
Helm provides the --create-namespace switch that will create the namespace of the release if it does not already exist.
The secret can be added in your helm chart and you can pass the variables (CI_REGISTRY, CI_DEPLOY_USER, etc.) in as helm chart values either as --set values or via the values.yaml file and using --values
The service account patching you can do as a post-install and/or a post-upgrade job (https://helm.sh/docs/topics/charts_hooks/)
Hey I'm installing fresh minikube and try to init helm on it no in 3.x.x but 2.13.0 version.
$ minikube start
😄 minikube v1.6.2 on Darwin 10.14.6
✨ Automatically selected the 'hyperkit' driver (alternates: [virtualbox])
🔥 Creating hyperkit VM (CPUs=2, Memory=2000MB, Disk=20000MB) ...
🐳 Preparing Kubernetes v1.17.0 on Docker '19.03.5' ...
🚜 Pulling images ...
🚀 Launching Kubernetes ...
⌛ Waiting for cluster to come online ...
🏄 Done! kubectl is now configured to use "minikube"
$ kubectl -n kube-system create serviceaccount tiller
serviceaccount/tiller created
$ kubectl create clusterrolebinding tiller --clusterrole cluster-admin --serviceaccount kube-system:tiller
clusterrolebinding.rbac.authorization.k8s.io/tiller created
$ helm init --service-account tiller
$HELM_HOME has been configured at /Users/<user>/.helm.
Error: error installing: the server could not find the requested resource
$ helm init --service-account tiller --override spec.selector.matchLabels.'name'='tiller',spec.selector.matchLabels.'app'='helm' --output yaml | sed 's#apiVersion: extensions/v1beta1#apiVersion: apps/v1#' | kubectl apply -f -
deployment.apps/tiller-deploy created
service/tiller-deploy created
$ helm init --service-account tiller
59 ### ALIASES
$HELM_HOME has been configured at /Users/<user>/.helm.
Error: error installing: the server could not find the requested resource
$ helm version
Client: &version.Version{SemVer:"v2.13.0", GitCommit:"79d07943b03aea2b76c12644b4b54733bc5958d6", GitTreeState:"clean"}
Error: could not find tiller
I try to do same on some random other ns, and with no result:
$ kubectl create ns deployment-stuff
namespace/deployment-stuff created
$ kubectl create clusterrolebinding cluster-admin-binding --clusterrole=cluster-admin \
--user=$(gcloud config get-value account)
clusterrolebinding.rbac.authorization.k8s.io/cluster-admin-binding created
$ kubectl create serviceaccount tiller --namespace deployment-stuff
kubectl create clusterrolebinding tiller-admin-binding --clusterrole=cluster-admin \
--serviceaccount=deployment-stuff:tiller
serviceaccount/tiller created
clusterrolebinding.rbac.authorization.k8s.io/tiller-admin-binding created
$ helm init --service-account=tiller --tiller-namespace=deployment-stuff
Creating /Users/<user>/.helm
Creating /Users/<user>/.helm/repository
Creating /Users/<user>/.helm/repository/cache
Creating /Users/<user>/.helm/repository/local
Creating /Users/<user>/.helm/plugins
Creating /Users/<user>/.helm/starters
Creating /Users/<user>/.helm/cache/archive
Creating /Users/<user>/.helm/repository/repositories.yaml
Adding stable repo with URL: https://kubernetes-charts.storage.googleapis.com
Adding local repo with URL: http://127.0.0.1:8879/charts
$HELM_HOME has been configured at /Users/<user>/.helm.
Error: error installing: the server could not find the requested resource
$ helm repo update
Hang tight while we grab the latest from your chart repositories...
...Skip local chart repository
...Successfully got an update from the "stable" chart repository
Update Complete. ⎈ Happy Helming!⎈
$ helm list
Error: could not find tiller
$ helm list --tiller-namespace=kube-system
Error: could not find tiller
$ helm list --tiller-namespace=deployment-stuff
Error: could not find tiller
Same error everywhere Error: error installing: the server could not find the requested resource any ideas how to approach it ?
I installed helm with those commands and works fine with my gcp clusters, helm list returns full list of helms.
wget -c https://get.helm.sh/helm-v2.13.0-darwin-amd64.tar.gz
tar -zxvf helm-v2.13.0-darwin-amd64.tar.gz
mv darwin-amd64/helm /usr/local/bin/helm
tbh I have no idea what's going on, sometimes it works fine on minikube sometimes I get these errors.
This can be fixed by deleting the tiller deployment and service and rerunning the helm init --override command after first helm init.
So after running commands You listed:
$ kubectl -n kube-system create serviceaccount tiller
serviceaccount/tiller created
$ kubectl create clusterrolebinding tiller --clusterrole cluster-admin --serviceaccount kube-system:tiller
clusterrolebinding.rbac.authorization.k8s.io/tiller created
$ helm init --service-account tiller
And then finding out that tiller could not be found.
$ helm version
Client: &version.Version{SemVer:"v2.13.0", GitCommit:"79d07943b03aea2b76c12644b4b54733bc5958d6", GitTreeState:"clean"}
Error: could not find tiller
Run the following commands:
1.
$ kubectl delete service tiller-deploy -n kube-system
2.
$ kubectl delete deployment tiller-deploy -n kube-system
3.
helm init --override spec.selector.matchLabels.'name'='tiller',spec.selector.matchLabels.'app'='helm' --output yaml | sed 's#apiVersion: extensions/v1beta1#apiVersion: apps/v1#' | kubectl apply -f -
After that You can verify if it worked with:
$ helm version
Client: &version.Version{SemVer:"v2.13.0", GitCommit:"79d07943b03aea2b76c12644b4b54733bc5958d6", GitTreeState:"clean"}
Error: could not find a ready tiller pod
This one needs little more time, give it few seconds.
$ helm version
Client: &version.Version{SemVer:"v2.13.0", GitCommit:"79d07943b03aea2b76c12644b4b54733bc5958d6", GitTreeState:"clean"}
Server: &version.Version{SemVer:"v2.13.0", GitCommit:"79d07943b03aea2b76c12644b4b54733bc5958d6", GitTreeState:"clean"}
Tell me if it worked.
Check logs of error tiller pod by:
kc -n kube-system describe pod tiller-deploy-*
You'll see following error:
Failed to pull image "gcr.io/kubernetes-helm/tiller:v2.15.1": rpc error: code = Unknown desc = Error response from daemon: Head "https://gcr.io/v2/kubernetes-helm/tiller/manifests/v2.15.1": unknown: Project 'project:kubernetes-helm' not found or deleted.
The reason is they changed the image location, so the old version of helm couldn't pull it.
Pull the image manually by:
docker pull ghcr.io/helm/tiller:v2.15.1
Tag the pulled image to the version that helm needed at the first place
docker tag ghcr.io/helm/tiller:v2.15.1 gcr.io/kubernetes-helm/tiller:v2.15.1
Re-init tiller (helm server):
helm init
and you'll see the tiller deploy is running.
I have installed Rancher 2 and created a kubernetes cluster of internal vm's ( no AWS / gcloud).
The cluster is up and running.
I logged into one of the nodes.
1) Installed Kubectl and executed kubectl cluster-info . It listed my cluster information correctly.
2) Installed helm
curl https://raw.githubusercontent.com/helm/helm/master/scripts/get > get_helm.sh
chmod 700 get_helm.sh
./get_helm.sh
root#lnmymachine # helm version
Client: &version.Version{SemVer:"v2.12.3", GitCommit:"eecf22f77df5f65c823aacd2dbd30ae6c65f186e", GitTreeState:"clean"}
Server: &version.Version{SemVer:"v2.12.3", GitCommit:"eecf22f77df5f65c823aacd2dbd30ae6c65f186e", GitTreeState:"clean"}
3) Configured helm referencing Rancher Helm Init
kubectl -n kube-system create serviceaccount tiller
kubectl create clusterrolebinding tiller \
--clusterrole cluster-admin \
--serviceaccount=kube-system:tiller
helm init --service-account tiller
Tried installing Jenkins via helm
root#lnmymachine # helm ls
Error: Unauthorized
root#lnmymachine # helm install --name initial stable/jenkins
Error: the server has asked for the client to provide credentials
Browsed similar issues and few of them were due to multiple clusters. I have only one cluster. kubectl gives all information correctly.
Any idea whats happening.
It seems there is a mistake while creating the ClusterRoleBinding:
Instead of --clusterrole cluster-admin, you should have --clusterrole=cluster-admin
You can check if this is the case by verifying if ServiceAccount, ClustrerRoleBinding were created correctly.
kubectl describe -n kube-system sa tiller
kubectl describe clusterrolebinding tiller
Seems like they have already fixed this on Rancher Helm Init page.
I was facing the same issue, but the following steps worked for me.
root#node1:~# helm install --name prom-operator stable/prometheus-operator --namespace monitoring
Error: the server has asked for the client to provide credentials
Step 1: Delete the Service Account
root#node1:~# kubectl delete serviceaccount --namespace kube-system tiller
serviceaccount "tiller" deleted
Step2: Delete the cluster role binding
root#node1:~# kubectl delete clusterrolebinding tiller-cluster-rule
clusterrolebinding.rbac.authorization.k8s.io "tiller-cluster-rule" deleted
Step3: Remove helm directory
root#node1:~# rm -rf .helm/
Step4: Create the Service account again.
root#node1:~# kubectl create serviceaccount tiller --namespace kube-system
serviceaccount/tiller created
Step 5: Create the cluster role binding
root#node1:~# kubectl create clusterrolebinding tiller-cluster-rule \
> --clusterrole=cluster-admin \
> --serviceaccount=kube-system:tiller
clusterrolebinding.rbac.authorization.k8s.io/tiller-cluster-rule created
Step6: run helm init command
helm init --service-account=tiller
Creating /root/.helm
Creating /root/.helm/repository
Creating /root/.helm/repository/cache
Creating /root/.helm/repository/local
Creating /root/.helm/plugins
Creating /root/.helm/starters
Creating /root/.helm/cache/archive
Creating /root/.helm/repository/repositories.yaml
Adding stable repo with URL: https://kubernetes-charts.storage.googleapis.com
Adding local repo with URL: http://127.0.0.1:8879/charts
$HELM_HOME has been configured at /root/.helm.
Warning: Tiller is already installed in the cluster.
(Use --client-only to suppress this message, or --upgrade to upgrade Tiller to the current version.)
Step 7: Delete the tiller-deploy-xxx pod
kubectl delete pod -n kube-system tiller-deploy
pod "tiller-deploy-5d58456765-xlns2" deleted
Wait till it is recreated.
Step 8: Install the helm charts.
helm install --name prom-operator stable/prometheus-operator --namespace monitoring
I have a Kubernetes (v1.10) cluster with Istio installed, I'm trying to install fission following Enabling Istio on Fission guide. when i run
[![helm install --namespace $FISSION_NAMESPACE --set enableIstio=true --name istio-demo
https://github.com/fission/fission/releases/download/0.9.1/fission-all-0.9.1.tgz
It throws error saying
Error: the server has asked for the client to provide credentials
(My cluster has two nodes and one master created using kubespray all ubuntu 16.04 machines)
I think that error is probably an authentication failure between helm and the cluster. Are you able to run kubectl version? How about helm ls?
If you have follow up questions, could you ask them on the fission slack? You'll get quicker answers there.
I think problem with helm
Solution
Remove .helm folder
rm -rf .helm
kubectl create serviceaccount tiller --namespace kube-system
kubectl create clusterrolebinding tiller-cluster-rule \
--clusterrole=cluster-admin \
--serviceaccount=kube-system:tiller
helm init --service-account=tiller
kubectl get pods -n kube-system
Background
I have kubernetes installed in clustered mode.
All nodes are up and running
I want to use jenkins-x to get ease of deployment.
Now jenkins-x uses Helm to do this job; Helm comes up with client and server architecture.
Helm setup can be achieved by following two ways:-
Using jenkins-x
jx install --username <username>
Standalone Helm
helm init
This helps to setup itsserver (Tiller), by putting it in pod of Kubernetes.
Whats issue
The issue is when I use first approach it does Tiller installation and later get failed by saying 'Tiller is available but not up and running'.
Created ClusterRoleBinding tiller
retrying after error:existing tiller deployment found but not running, please check the kube-system namespace and resolve any issues
Second approach also gets fail in similar path
It also does the Tiller installation but it does not find Tiller when I'm trying to list it.
helm ls
Error: could not find tiller
So essence of issue is :
It does Tiller installation but fails it in finding later.
helm init
Warning: Tiller is already installed in the cluster.
helm ls
Error: could not find tiller
I just went ahead and installed both helm and Jx with no problem. So, I don't know how to resolve your issue, but you can install it as below, and should work.
Installing Helm:
$ wget https://kubernetes-helm.storage.googleapis.com/helm-v2.9.1-linux-amd64.tar.gz
$ tar xzvf helm-v2.9.1-linux-amd64.tar.gz
$ cd linux-amd64/
$ sudo cp helm /usr/local/bin/helm
$ helm init
Installing Jx
$ curl -L https://github.com/jenkins-x/jx/releases/download/v1.2.98/jx-linux-amd64.tar.gz | tar xzv
$ sudo mv jx /usr/local/bin
Making Tiller cluster-admin role:
$ kubectl create clusterrolebinding tiller-cluster-admin \
--clusterrole=cluster-admin \
--serviceaccount=kube-system:default
Checking it works:
$ helm install --name prometheus stable/prometheus
$ helm ls
prometheus 1 Sun Jun 3 09:47:12 2018 DEPLOYED prometheus-6.7.0 default
there may be a problem with the tiller pod starting either due to resources or RBAC. Try these commands:
kubectl get deploy -n kube-system
kubectl get node -n kube-system
that might give more of a clue. If you can find a tiller pod thats failing mabe
kubectl describe pod tiller-1234 -n kube-system