Deduplicate Tiller documentation

Luke Addison · Luke Addison · commit 1277c0aab2e4 · 2018-06-04T15:29:57.000+01:00
diff --git a/docs/user-guide.rst b/docs/user-guide.rst
@@ -183,7 +183,7 @@ The above configuration would deploy Kubernetes Dashboard with an image of `gcr.
 Tiller
 ~~~~~~
 
-Tarmak supports deploying `Tiller <https://github.com/kubernetes/helm>`_ when spinning up a Kubernetes cluster. The following `tarmak.yaml` snippet shows how you would enable Tiller. 
+Tarmak supports deploying Tiller, the server-side component of `Helm <https://github.com/kubernetes/helm>`_, when spinning up a Kubernetes cluster. Tiller is configured to listen on localhost only which prevents arbitrary Pods in the cluster connecting to its unauthenticated endpoint. Helm clients can still talk to Tiller by port forwarding through the Kubernetes API Server. The following `tarmak.yaml` snippet shows how you would enable Tiller.
 
 .. code-block:: yaml
 
@@ -192,7 +192,13 @@ Tarmak supports deploying `Tiller <https://github.com/kubernetes/helm>`_ when sp
         enabled: true
     ...
 
-The above configuration would deploy Tiller with an image of `gcr.io/kubernetes-helm/tiller` with a fixed tag. The configuration block accepts two optional fields of `image` and `version` allowing you to change these defaults. The `version` field directly translates to the image tag used.
+The above configuration would deploy Tiller with an image of `gcr.io/kubernetes-helm/tiller` with a fixed tag. The configuration block accepts two optional fields of `image` and `version` allowing you to change these defaults. The `version` field directly translates to the image tag used. The version is particularly important when deploying Tiller since its minor version must match the minor version of any Helm clients.
+
+.. warning::
+   Tiller is deployed with full ``cluster-admin`` ClusterRole bound to its
+   service account and has therefore has quiet far reaching privileges. Also
+   consider Helm's `security best practices
+   <https://github.com/kubernetes/helm/blob/master/docs/securing_installation.md>`_.
 
 Logging
 ~~~~~~~
@@ -380,33 +386,6 @@ certificate is valid for ``jenkins.<environment>.<zone>``.
       type: ssd
   ...
 
-
-Tiller
-~~~~~~
-
-Another configuration option allows to deploy Tiller the server-side of `Helm
-<https://github.com/kubernetes/helm>`_. Tiller is listening for request on the
-loopback device only. This makes sure that no other Pod in the cluster can
-speak to it, while Helm clients are still able to access it using a port
-forwarding through the API server.
-
-As Helm and Tiller minor version need to match, the tarmak configuration also
-allows to override the deployed version:
-
-.. code-block:: yaml
-
-  kubernetes:
-    tiller:
-      enabled: true
-      version: 2.9.1
-
-.. warning::
-   Tiller is deployed with full ``cluster-admin`` ClusterRole bound to its
-   service account and has therefore quiet far reaching privileges. Also
-   consider Helm's `security best practices
-   <https://github.com/kubernetes/helm/blob/master/docs/securing_installation.md>`_.
-
-
 Prometheus
 ~~~~~~~~~~
 
