Wednesday, 19 February 2020

Deploy applications with Helm 3 to OpenShift

Helm is a package manager for Kubernetes which helps users create templated packages called Helm Charts to include all Kubernetes resources that are required to deploy a particular application. Helm then assists with installing the Helm Chart on Kubernetes, and afterwards it can upgrade or roll back the installed package when new versions are available. Helm Charts are particularly useful for installation and upgrade of stateless applications given that the Kubernetes resources and the application image can simply be updated to newer versions.

Helm 2 was based on a server-side component named Tiller which was responsible for performing Helm operations on Kubernetes clusters. Tiller was designed prior to Kubernetes role-based access control (RBAC) and although useful for single-tenant clusters, its permissive configuration could grant users a wide array of unintended permissions. Therefore it was recognised as a major security concern on multi-tenant clusters, which prevented many enterprise users from using Helm in production environments. OpenShift is an enterprise Kubernetes platform, and therefore we didn’t recommend the use of Helm 2 in production, even though it was possible to disable OpenShift security features in order for Helm 2 to be used on OpenShift.
Helm 3 was recently released as GA in the Helm community. Its major change is the removal of Tiller in favour of a client-side architecture, which addresses the aforementioned security concerns and removes the barrier to using Helm in enterprise environments.

Starting from OpenShift 4.3, you can download Helm 3 via the OpenShift Web Console or directly from our mirror, as per the documentation.

Nevertheless, if you are using an earlier version of OpenShift or would like to try the latest Helm 3 version, you can do it easily.

$ #Download latest Helm 3 from https://github.com/helm/helm/releases 
$ tar -xvf helm-v3*.tar.gz 
$ mv linux-amd64/helm /usr/local/bin  # the archive unpacks into an <os>-<arch>/ directory, linux-amd64 on 64-bit Linux
$ helm version
$ helm repo add stable https://kubernetes-charts.storage.googleapis.com

Once Helm 3 is up and running on your workstation, let's deploy a sample tomcat Chart to OpenShift.

The easiest way would be to install it directly to OpenShift using the helm install command, but this will fail because the OpenShift Security Context Constraints configuration prohibits deploying pods that expose host ports. Of course we can disable this configuration, but I don't want to introduce an unnecessary security vulnerability to my OpenShift cluster. Hence we first need to pull and modify the tomcat Chart locally:

$ helm pull stable/tomcat --untar  # --untar unpacks the chart into ./tomcat
$ sed -i "s/hostPort/#hostPort/g" ./tomcat/values.yaml
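
As an added example (not part of the original post), the check below scans rendered manifests for the hostPort setting discussed above before anything is installed. It goes beyond the post by also flagging hostNetwork, hostPID, hostIPC and privileged, which the default restricted SCC likewise denies. The function name scc_findings, the release name demo and the sample manifests are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Reads rendered YAML on stdin,
# prints one finding per line and returns 1 if any setting is one that the
# default restricted SCC denies. Real use: helm template demo ./tomcat | scc_findings
scc_findings() {
  awk '
    {
      line = $0
      sub(/#.*/, "", line)                 # drop full-line and trailing comments
      sub(/^[ \t]*(- )?[ \t]*/, "", line)  # drop indentation and a list dash
      n = index(line, ":")
      if (n == 0) next
      key = substr(line, 1, n - 1)
      val = substr(line, n + 1)
      gsub(/[ \t"]/, "", val)
      bad = 0
      if (key == "hostPort" && val ~ /^[0-9]+$/ && val + 0 > 0) bad = 1
      if (val == "true" && key ~ /^(hostNetwork|hostPID|hostIPC|privileged)$/) bad = 1
      if (bad) { printf "line %d: %s=%s\n", NR, key, val; found = 1 }
    }
    END { exit found + 0 }
  '
}

# Constructed sample (hypothetical, not the chart's real output).
sample_before() {
  cat <<'EOF'
apiVersion: apps/v1
kind: Deployment
spec:
  template:
    spec:
      containers:
        - name: tomcat
          ports:
            - containerPort: 8080
              hostPort: 8009
EOF
}

# Same sample once hostPort no longer carries a value.
sample_after() { sample_before | sed 's/hostPort: 8009/hostPort:/'; }

sample_before | scc_findings || echo "would be rejected under the restricted SCC"
sample_after | scc_findings && echo "no restricted-SCC findings"
```
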

Now we can install tomcat chart to OpenShift:

$ oc new-project helm-tomcat-demo
$ helm install ./tomcat --generate-name

After a while you should see the tomcat pod up and running. Since this chart doesn't define an ingress, you can easily create an OpenShift Route to access the tomcat sample application from outside of the cluster:

$ oc expose svc $(oc get svc --no-headers | awk '{print $1}')
$ curl $(oc get route --no-headers | awk '{print $2}')/sample/

Finally you can also use Helm to uninstall your tomcat Chart deployment:

$ helm uninstall $(helm ls | grep tomcat | awk '{print $1}')
$ oc delete project helm-tomcat-demo


Learn more about OpenShift 4.3 and Helm 3 integration here.