Flux: Tiller-less support in Flux Helm Operator

Created on 3 Oct 2018 · 7 Comments · Source: fluxcd/flux

The Helm Operator could work without Tiller by running helm template and kubectl apply. See https://jenkins-x.io/news/helm-without-tiller/

enhancement helm

All 7 comments

Seems like a good idea if it is optional, e.g. --set helmOperator.tiller: false, and could serve as a good stepping stone to helm 3 migration.

That's one way to do that, another way is to just run tiller in the same pod as helm-operator and bind it to localhost. You still have to run tiller, but it makes it easier to operate (and it's not going to use many resources on its own) and mitigates the security issues. You also still get to benefit from all of the features tiller gives you (garbage collection, rollbacks, etc).

There's a helm plugin that lets you do effectively this when running helm locally, but you don't need it if you're running them in a pod together: http://rimusz.net/tillerless-helm/
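The sidecar layout described in the comment above, written out as a Kubernetes manifest. This is an added example, not code from the flux project or from the comment author: the image tags, the helm-operator flag names (--tiller-ip, --tiller-port, --tiller-namespace) and the service account name are assumptions to check against the versions you actually run. The security-relevant part is that Tiller is told to listen on the pod's loopback address only, so the operator container (which shares the pod's network namespace) can reach it while no other pod can, and no Service selects the pod.

```yaml
# Added example (not flux's own manifest): Flux Helm Operator and Tiller in one pod,
# with Tiller bound to 127.0.0.1 so it is unreachable from outside the pod.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: flux-helm-operator
  namespace: flux
spec:
  replicas: 1
  selector:
    matchLabels:
      name: flux-helm-operator
  template:
    metadata:
      labels:
        name: flux-helm-operator
    spec:
      # Both containers run under this one service account. It must carry whatever
      # RBAC Tiller needs to install releases, which means the operator container
      # inherits the same permissions (the concern raised later in this thread).
      serviceAccountName: flux-helm-operator   # assumed name
      containers:
      - name: tiller
        image: gcr.io/kubernetes-helm/tiller:v2.11.0   # assumed tag
        args:
        # Loopback only: reachable from the helm-operator container in the same pod,
        # not from any other pod or node. Deliberately no containerPort and no Service.
        - --listen=127.0.0.1:44134
        # Keep release data in Secrets rather than ConfigMaps.
        - --storage=secret
        env:
        - name: TILLER_NAMESPACE
          value: flux
      - name: helm-operator
        image: quay.io/weaveworks/helm-operator:0.5.0   # assumed tag
        args:
        # Assumed flag names; confirm with `helm-operator --help` for your version.
        - --tiller-ip=127.0.0.1
        - --tiller-port=44134
        - --tiller-namespace=flux
```

With this layout there is no Tiller TLS material to provision or protect, because the only client is on the same loopback interface; the remaining exposure is the pod's own service account, which is exactly the RBAC point discussed in the next comment.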

I really like @justinbarrick's alternative for running tiller alongside the helm operator, but RBAC could be a concern. If tiller is running alongside the operator, it will have all of the permissions of whatever service account it is running as, which could be good. But the operator will also get those privileges, which will often be essentially cluster-admin.

The main security issue solved is that nothing external can possibly connect to tiller. But the primary use-case I see for tillerless-helm is having more users of tiller each bringing their own credentials.

But the operator will also get those privileges, which will often be essentially cluster-admin.

If the HelmOperator pod is compromised today, the attacker has the certificate-auth secret material for connecting to tiller anyway. Giving a HelmOperator pod the k8s permission directly doesn't change the risk.

Helm 3 has just had its first alpha release without tiller:
https://github.com/helm/helm/releases/tag/v3.0.0-alpha.1

It would be great to look at what changes would be required to run flux with helm 3

There's a Helm 3 tracking issue at #2069.

This will be covered by Helm v3
