Helm — Certify your path to victory!
Introduction
Helm is the undeniable de facto “package manager” for the Kubernetes platform. In this short article, we won't explain how to set up and install the tool. We assume you already know how to use it, so the focus here is on features that are more obscure and rarely used.
Who knows? It might power your next deployment!
P.S.: The following tips & tricks were validated with Helm 3.10!
Tips & Tricks — TLS Power!
Did you know that Helm contains a vast library of cryptographic functions? In fact, you can generate a CA and certificates in a couple of steps. This is particularly helpful if you want to deploy, or simply offer, a sane default installation with built-in TLS out of the box!
1. Generating a Private Key
{{- /* genPrivateKey "rsa" returns a PEM-encoded RSA 4096 private key */}}
{{ $prvKey := genPrivateKey "rsa" }}
apiVersion: v1
kind: ConfigMap
metadata:
  name: tls
data:
  prv.key: {{ $prvKey | b64enc }}
The above example generates an RSA 4096 key using the genPrivateKey function.
Of course, using it just like this will generate a new key every time you deploy, but we will take care of that later on.
2. Creating a CA
There are essentially two ways to do this step.
You can “import” an external CA certificate and key with the buildCustomCert function, as shown below. This will be helpful in Step 3, when we generate a signed certificate.
{{- /* buildCustomCert expects the base64-encoded PEM certificate and key */}}
{{ $cert := buildCustomCert (.Values.tls.crt | b64enc) (.Values.tls.key | b64enc) }}
apiVersion: v1
kind: ConfigMap
metadata:
  name: tls
data:
  cert.crt: {{ $cert.Cert | b64enc }}
  prv.key: {{ $cert.Key | b64enc }}
Or you can auto-generate a random CA on demand and use it. All it takes is the CN (common name) and the duration in days.
{{- /* genCA takes the CA common name and the duration in days */}}
{{ $ca := genCA "foo-bar" 365 }}
apiVersion: v1
kind: ConfigMap
metadata:
  name: tls
data:
  cert.crt: {{ $ca.Cert | b64enc }}
  prv.key: {{ $ca.Key | b64enc }}
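The two methods above can be combined so that the CA survives upgrades instead of being regenerated on every deploy. The template below is an added example, not code from the original article: it uses Helm's lookup function to reuse a previously stored CA through buildCustomCert, falls back to genCA on first install, and signs a leaf certificate with genSignedCert. The names demo-ca and demo-tls and the service DNS name are assumptions, and Secrets are used instead of ConfigMaps because the objects hold private keys.

```yaml
{{- /* Added example. "demo-ca", "demo-tls" and the DNS name are assumed names. */ -}}
{{- $caName := "demo-ca" }}
{{- $ca := "" }}
{{- $prev := lookup "v1" "Secret" .Release.Namespace $caName }}
{{- if $prev }}
  {{- /* Secret .data values are already base64, which is what buildCustomCert expects */ -}}
  {{- $ca = buildCustomCert (index $prev.data "tls.crt") (index $prev.data "tls.key") }}
{{- else }}
  {{- /* First install: no stored CA yet, so create one valid for 365 days */ -}}
  {{- $ca = genCA $caName 365 }}
{{- end }}
{{- $dns := printf "demo.%s.svc" .Release.Namespace }}
{{- /* Arguments: CN, IP SANs (none), DNS SANs, validity in days, signing CA */ -}}
{{- $leaf := genSignedCert $dns nil (list $dns) 90 $ca }}
apiVersion: v1
kind: Secret
metadata:
  name: {{ $caName }}
type: kubernetes.io/tls
data:
  tls.crt: {{ $ca.Cert | b64enc }}
  tls.key: {{ $ca.Key | b64enc }}
---
apiVersion: v1
kind: Secret
metadata:
  name: demo-tls
type: kubernetes.io/tls
data:
  ca.crt: {{ $ca.Cert | b64enc }}
  tls.crt: {{ $leaf.Cert | b64enc }}
  tls.key: {{ $leaf.Key | b64enc }}
```

lookup returns an empty result under helm template and --dry-run, so those renders always show a freshly generated CA; the leaf certificate is re-signed on every upgrade, but by the same CA.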
3. Signing a Certificate
Let’s keep going with the flow. In Step 2 we generated or imported a CA. Now we…