Document how to install Helm on Kubernetes behind a proxy
Problem to solve
Currently GitLab does not support an easy way for users to specify their proxy information.
If a Kubernetes cluster is created behind a proxy and user attempts to install Helm, it will result in the following error:
Something went wrong while installing Helm Tiller
ERROR: http://dl-cdn.alpinelinux.org/alpine/v3.6/main: operation timed out WARNING: Ignoring APKINDEX.84815163.tar.gz: No such file or directory ERROR: http://dl-cdn.alpinelinux.org/alpine/v3.6/community: operation timed out WARNING: Ignoring APKINDEX.24d64ab1.tar.gz: No such file or directory ERROR: unsatisfiable constraints...Intended users
operators, developers
Further details
Currently, it's possible to work-around this issue by enabling PodPreset on the api server and injecting proxy configuration as described in https://kubernetes.io/docs/concepts/workloads/pods/podpreset, however, this is not intuitive.
Proposal
Following the suggestion in this comment, this issue will serve as the MVC by providing documentation on how to accomplish this.
Permissions and Security
Documentation
Testing
What does success look like, and how can we measure that?
Links / references
original issue content
Summary
Clicking on "Install" button for Helm Tiller under CI/CD / Clusters generates time out error
Steps to reproduce
- create Kubernetes cluster behind proxy
- integrate with GitLab
- click install Helm/Tiller
What is the current bug behavior?
When you try to install Helm/Tiller, you'll see this ERROR:
Something went wrong while installing Helm Tiller
ERROR: http://dl-cdn.alpinelinux.org/alpine/v3.6/main: operation timed out WARNING: Ignoring APKINDEX.84815163.tar.gz: No such file or directory ERROR: http://dl-cdn.alpinelinux.org/alpine/v3.6/community: operation timed out WARNING: Ignoring APKINDEX.24d64ab1.tar.gz: No such file or directory ERROR: unsatisfiable constraints...What is the expected correct behavior?
Helm/Tiller installed successfully
Relevant logs and/or screenshots
Results of GitLab environment info
Expand for output related to GitLab environment info
System information System: Ubuntu 14.04 Current User: git Using RVM: no Ruby Version: 2.3.6p384 Gem Version: 2.6.13 Bundler Version:1.13.7 Rake Version: 12.3.0 Redis Version: 3.2.11 Git Version: 2.14.3 Sidekiq Version:5.0.5 Go Version: unknownGitLab information Version: 10.7.3 Revision: 2555d6c Directory: /opt/gitlab/embedded/service/gitlab-rails DB Adapter: postgresql URL: https://gitlab.well.kz HTTP Clone URL: https://gitlab.well.kz/some-group/some-project.git SSH Clone URL: git@gitlab.well.kz:some-group/some-project.git Using LDAP: yes Using Omniauth: no
GitLab Shell Version: 7.1.2 Repository storage paths:
- default: /var/opt/gitlab/git-data/repositories Hooks: /opt/gitlab/embedded/service/gitlab-shell/hooks Git: /opt/gitlab/embedded/bin/git
Results of GitLab application Check
Expand for output related to the GitLab application check
Everything is OK
Redis version >= 2.8.0? ... yes Ruby version >= 2.3.5 ? ... yes (2.3.6) Git version >= 2.9.5 ? ... yes (2.14.3) Git user has default SSH configuration? ... yes Active users: ... num
Checking GitLab ... Finished
Possible fixes
As far as i know once you click "install" button in GitLab UI the Helm/Tiller installation goes on k8s node. According to source code helm binary is downloaded inside of alpine container: https://gitlab.com/gitlab-org/gitlab-ce/blob/master/lib/gitlab/kubernetes/helm/base_command.rb
But it'll never come to that. Just because running apk add -U <package> will fall due to proxy server environment variables missing:
$ kubectl run -it --image=alpine alpine -- sh
If you don't see a command prompt, try pressing enter.
/ # apk add -U ca-certificates openssl
fetch http://dl-cdn.alpinelinux.org/alpine/v3.7/main/x86_64/APKINDEX.tar.gz
(takes a long time until time out)
^C/ Setting up environment variable fixes it:
/ # export http_proxy='http://<proxy_user>:<proxy_pass>@<proxy_host>:<proxy_host_port>/'
/ # apk add -U ca-certificates openssl
fetch http://dl-cdn.alpinelinux.org/alpine/v3.7/main/x86_64/APKINDEX.tar.gz
fetch http://dl-cdn.alpinelinux.org/alpine/v3.7/community/x86_64/APKINDEX.tar.gz
(1/4) Installing ca-certificates (20171114-r0)
0%
And as a result, UI needs the ability to declare proxy server settings.