From e3aaa89376c2b405d74c91995888c6370b25dc51 Mon Sep 17 00:00:00 2001
From: Jakub Darmach <jakub@stackhpc.com>
Date: Thu, 8 Feb 2024 13:19:33 +0100
Subject: [PATCH] Removing Tiller support

Removed Tiller support from Helm modules install kubernetes fragment.

Change-Id: I81db0055ae82c64218498ae3e2a4fcc802f8d0e4
---
 doc/source/user/index.rst                     |  28 +--
 doc/source/user/monitoring.rst                |   4 -
 .../fragments/enable-helm-tiller.sh           | 237 ------------------
 .../fragments/install-helm-modules.sh         | 101 ++++----
 .../fragments/write-heat-params-master.sh     |   3 -
 .../drivers/heat/k8s_fedora_template_def.py   |   3 -
 .../templates/kubecluster.yaml                |  19 --
 .../templates/kubemaster.yaml                 |  15 --
 .../unit/drivers/test_template_definition.py  |  18 --
 .../notes/drop-tiller-5b98862961003df8.yaml   |   8 +
 10 files changed, 57 insertions(+), 379 deletions(-)
 delete mode 100644 magnum/drivers/common/templates/kubernetes/fragments/enable-helm-tiller.sh
 create mode 100644 releasenotes/notes/drop-tiller-5b98862961003df8.yaml

diff --git a/doc/source/user/index.rst b/doc/source/user/index.rst
index 71b04b2fa4..f2783b9ab2 100644
--- a/doc/source/user/index.rst
+++ b/doc/source/user/index.rst
@@ -399,13 +399,6 @@ the table are linked to more details elsewhere in the user guide.
 +---------------------------------------+--------------------+---------------+
 | `k8s_keystone_auth_tag`_              | see below          | see below     |
 +---------------------------------------+--------------------+---------------+
-| `tiller_enabled`_                     | - true             | false         |
-|                                       | - false            |               |
-+---------------------------------------+--------------------+---------------+
-| `tiller_tag`_                         | see below          | ""            |
-+---------------------------------------+--------------------+---------------+
-| `tiller_namespace`_                   | see below          | see below     |
-+---------------------------------------+--------------------+---------------+
 | `helm_client_url`_                    | see below          | see below     |
 +---------------------------------------+--------------------+---------------+
 | `helm_client_sha256`_                 | see below          | see below     |
@@ -1404,22 +1397,6 @@ _`k8s_keystone_auth_tag`
   Train default: v1.14.0
   Ussuri default: v1.18.0
 
-_`tiller_enabled`
-  If set to true, tiller will be deployed in the kube-system namespace.
-  Ussuri default: false
-  Train default: false
-
-_`tiller_tag`
-  This label allows users to override the default container tag for Tiller.
-  For additional tags, `refer to Tiller page
-  <https://github.com/helm/helm/tags>`_ and look for tags<v3.0.0.
-  Train default: v2.12.3
-  Ussuri default: v2.16.7
-
-_`tiller_namespace`
-  The namespace in which Tiller and Helm v2 chart install jobs are installed.
-  Default: magnum-tiller
-
 _`helm_client_url`
   URL of the helm client binary.
   Default: ''
@@ -1431,8 +1408,7 @@ _`helm_client_sha256`
 _`helm_client_tag`
   This label allows users to override the default container tag for Helm
   client.  For additional tags, `refer to Helm client page
-  <https://github.com/helm/helm/tags>`_. You must use identical tiller_tag if
-  you wish to use Tiller (for helm_client_tag<v3.0.0).
+  <https://github.com/helm/helm/tags>`_.
   Ussuri default: v3.2.1
 
 _`master_lb_floating_ip_enabled`
@@ -1683,8 +1659,6 @@ _`ingress_controller`
   Controller is configured. For more details about octavia-ingress-controller
   please refer to `cloud-provider-openstack document
   <https://github.com/kubernetes/cloud-provider-openstack/blob/master/docs/octavia-ingress-controller/using-octavia-ingress-controller.md>`_
-  To use 'nginx' ingress controller, tiller_enabled must be true when using
-  helm_client_tag<v3.0.0.
 
 _`ingress_controller_role`
   This label defines the role nodes should have to run an instance of the
diff --git a/doc/source/user/monitoring.rst b/doc/source/user/monitoring.rst
index b580edf438..b7f40f71fe 100644
--- a/doc/source/user/monitoring.rst
+++ b/doc/source/user/monitoring.rst
@@ -28,16 +28,12 @@ The installation of these services is controlled with the following labels:
 _`metrics_server_enabled`
   metrics_server_enabled is used to enable disable the installation of
   the metrics server.
-  To use this service tiller_enabled must be true when using
-  helm_client_tag<v3.0.0.
   Train default: true
   Stein default: true
 
 _`monitoring_enabled`
   Enable installation of cluster monitoring solution provided by the
   stable/prometheus-operator helm chart.
-  To use this service tiller_enabled must be true when using
-  helm_client_tag<v3.0.0.
   Default: false
 
 _`prometheus_adapter_enabled`
diff --git a/magnum/drivers/common/templates/kubernetes/fragments/enable-helm-tiller.sh b/magnum/drivers/common/templates/kubernetes/fragments/enable-helm-tiller.sh
deleted file mode 100644
index cd74bd6d31..0000000000
--- a/magnum/drivers/common/templates/kubernetes/fragments/enable-helm-tiller.sh
+++ /dev/null
@@ -1,237 +0,0 @@
-. /etc/sysconfig/heat-params
-
-step="enable-helm-tiller"
-printf "Starting to run ${step}\n"
-
-if [ "$(echo ${TILLER_ENABLED} | tr '[:upper:]' '[:lower:]')" == "true" ]; then
-    CERTS_DIR="/etc/kubernetes/helm/certs/"
-    mkdir -p "${CERTS_DIR}"
-
-    # Private CA key
-    openssl genrsa -out "${CERTS_DIR}/ca.key.pem" 4096
-
-    # CA public cert
-    openssl req -key "${CERTS_DIR}/ca.key.pem" -new -x509 -days 7300 -sha256 -out "${CERTS_DIR}/ca.cert.pem" -extensions v3_ca -subj "/C=US/ST=Texas/L=Austin/O=OpenStack/OU=Magnum/CN=tiller"
-
-    # Private tiller-server key
-    openssl genrsa -out "${CERTS_DIR}/tiller.key.pem" 4096
-
-    # Private helm-client key
-    openssl genrsa -out "${CERTS_DIR}/helm.key.pem" 4096
-
-    # Request for tiller-server cert
-    openssl req -key "${CERTS_DIR}/tiller.key.pem" -new -sha256 -out "${CERTS_DIR}/tiller.csr.pem" -subj "/C=US/ST=Texas/L=Austin/O=OpenStack/OU=Magnum/CN=tiller-server"
-
-    # Request for helm-client cert
-    openssl req -key "${CERTS_DIR}/helm.key.pem" -new -sha256 -out "${CERTS_DIR}/helm.csr.pem" -subj "/C=US/ST=Texas/L=Austin/O=OpenStack/OU=Magnum/CN=helm-client"
-
-    # Sign tiller-server cert
-    openssl x509 -req -CA "${CERTS_DIR}/ca.cert.pem" -CAkey "${CERTS_DIR}/ca.key.pem" -CAcreateserial -in "${CERTS_DIR}/tiller.csr.pem" -out "${CERTS_DIR}/tiller.cert.pem" -days 365
-
-    # Sign helm-client cert
-    openssl x509 -req -CA "${CERTS_DIR}/ca.cert.pem" -CAkey "${CERTS_DIR}/ca.key.pem" -CAcreateserial -in "${CERTS_DIR}/helm.csr.pem" -out "${CERTS_DIR}/helm.cert.pem"  -days 365
-
-    _tiller_prefix=${CONTAINER_INFRA_PREFIX:-gcr.io/kubernetes-helm/}
-    TILLER_RBAC=/srv/magnum/kubernetes/manifests/tiller-rbac.yaml
-    TILLER_DEPLOYER=/srv/magnum/kubernetes/manifests/deploy-tiller.yaml
-
-    TILLER_IMAGE="${_tiller_prefix}tiller:${TILLER_TAG}"
-
-    [ -f ${TILLER_RBAC} ] || {
-        echo "Writing File: $TILLER_RBAC"
-        mkdir -p $(dirname ${TILLER_RBAC})
-        cat << EOF > ${TILLER_RBAC}
----
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: ${TILLER_NAMESPACE}
----
-# Tiller service account
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: tiller
-  namespace: ${TILLER_NAMESPACE}
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: tiller
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: cluster-admin
-subjects:
-  - kind: ServiceAccount
-    name: tiller
-    namespace: ${TILLER_NAMESPACE}
-EOF
-    }
-
-    [ -f ${TILLER_DEPLOYER} ] || {
-        echo "Writing File: $TILLER_DEPLOYER"
-        mkdir -p $(dirname ${TILLER_DEPLOYER})
-        cat << EOF > ${TILLER_DEPLOYER}
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  creationTimestamp: null
-  labels:
-    app: helm
-    name: tiller
-  name: tiller-deploy
-  namespace: ${TILLER_NAMESPACE}
-spec:
-  replicas: 1
-  strategy: {}
-  selector:
-    matchLabels:
-      app: helm
-      name: tiller
-  template:
-    metadata:
-      creationTimestamp: null
-      labels:
-        app: helm
-        name: tiller
-    spec:
-      automountServiceAccountToken: true
-      containers:
-      - env:
-        - name: TILLER_NAMESPACE
-          value: ${TILLER_NAMESPACE}
-        - name: TILLER_HISTORY_MAX
-          value: "0"
-        - name: TILLER_TLS_VERIFY
-          value: "1"
-        - name: TILLER_TLS_ENABLE
-          value: "1"
-        - name: TILLER_TLS_CERTS
-          value: /etc/certs
-        image: ${TILLER_IMAGE}
-        imagePullPolicy: IfNotPresent
-        livenessProbe:
-          httpGet:
-            path: /liveness
-            port: 44135
-          initialDelaySeconds: 1
-          timeoutSeconds: 1
-        name: tiller
-        ports:
-        - containerPort: 44134
-          name: tiller
-        - containerPort: 44135
-          name: http
-        readinessProbe:
-          httpGet:
-            path: /readiness
-            port: 44135
-          initialDelaySeconds: 1
-          timeoutSeconds: 1
-        resources:
-          requests:
-            cpu: 25m
-        volumeMounts:
-        - mountPath: /etc/certs
-          name: tiller-certs
-          readOnly: true
-      serviceAccountName: tiller
-      tolerations:
-      # Make sure the pod can be scheduled on master kubelet.
-      - effect: NoSchedule
-        operator: Exists
-      # Mark the pod as a critical add-on for rescheduling.
-      - key: CriticalAddonsOnly
-        operator: Exists
-      - effect: NoExecute
-        operator: Exists
-      # run only on master nodes
-      nodeSelector:
-        node-role.kubernetes.io/master: ""
-      volumes:
-      - name: tiller-certs
-        secret:
-          secretName: tiller-secret
-status: {}
-
----
-apiVersion: v1
-kind: Service
-metadata:
-  creationTimestamp: null
-  labels:
-    app: helm
-    name: tiller
-  name: tiller-deploy
-  namespace: ${TILLER_NAMESPACE}
-spec:
-  ports:
-  - name: tiller
-    port: 44134
-    targetPort: tiller
-  selector:
-    app: helm
-    name: tiller
-  type: ClusterIP
-status:
-  loadBalancer: {}
-
----
-apiVersion: v1
-kind: Secret
-type: Opaque
-metadata:
-  creationTimestamp: null
-  labels:
-    app: helm
-    name: tiller
-  name: tiller-secret
-  namespace: ${TILLER_NAMESPACE}
-data:
-  ca.crt: $(cat "${CERTS_DIR}/ca.cert.pem" | base64 --wrap=0)
-  tls.crt: $(cat "${CERTS_DIR}/tiller.cert.pem" | base64 --wrap=0)
-  tls.key: $(cat "${CERTS_DIR}/tiller.key.pem" | base64 --wrap=0)
----
-apiVersion: v1
-kind: Secret
-type: Opaque
-metadata:
-  creationTimestamp: null
-  labels:
-    app: helm
-    name: tiller-ca-key
-  name: tiller-ca-key
-  namespace: ${TILLER_NAMESPACE}
-data:
-  ca.key.pem: $(cat "${CERTS_DIR}/ca.key.pem" | base64 --wrap=0)
----
-apiVersion: v1
-kind: Secret
-type: Opaque
-metadata:
-  creationTimestamp: null
-  labels:
-    app: helm
-    name: helm-client
-  name: helm-client-secret
-  namespace: ${TILLER_NAMESPACE}
-data:
-  ca.pem: $(cat "${CERTS_DIR}/ca.cert.pem" | base64 --wrap=0)
-  cert.pem: $(cat "${CERTS_DIR}/helm.cert.pem" | base64 --wrap=0)
-  key.pem: $(cat "${CERTS_DIR}/helm.key.pem" | base64 --wrap=0)
-EOF
-    }
-
-    until  [ "ok" = "$(kubectl get --raw='/healthz')" ]
-    do
-        echo "Waiting for Kubernetes API..."
-        sleep 5
-    done
-
-    kubectl apply -f ${TILLER_RBAC}
-    kubectl apply -f ${TILLER_DEPLOYER}
-fi
-
-printf "Finished running ${step}\n"
diff --git a/magnum/drivers/common/templates/kubernetes/fragments/install-helm-modules.sh b/magnum/drivers/common/templates/kubernetes/fragments/install-helm-modules.sh
index a0b3f4bc75..1bdc5aabc6 100644
--- a/magnum/drivers/common/templates/kubernetes/fragments/install-helm-modules.sh
+++ b/magnum/drivers/common/templates/kubernetes/fragments/install-helm-modules.sh
@@ -24,68 +24,63 @@ until  [ "ok" = "$(kubectl get --raw='/healthz')" ]; do
     sleep 5
 done
 
-if [[ "$(echo ${TILLER_ENABLED} | tr '[:upper:]' '[:lower:]')" != "true" && "${HELM_CLIENT_TAG}" == v2.* ]]; then
-    echo "Use --labels tiller_enabled=True for helm_client_tag<v3.0.0 to allow for tiller dependent resources to be installed."
-else
-    if [ -z "${HELM_CLIENT_URL}"  ] ; then
-        HELM_CLIENT_URL="https://get.helm.sh/helm-$HELM_CLIENT_TAG-linux-amd64.tar.gz"
-    fi
-    i=0
-    until curl -o /srv/magnum/helm-client.tar.gz "${HELM_CLIENT_URL}"; do
-        i=$((i + 1))
-        [ $i -lt 5 ] || break;
-        sleep 5
+if [ -z "${HELM_CLIENT_URL}"  ] ; then
+    HELM_CLIENT_URL="https://get.helm.sh/helm-$HELM_CLIENT_TAG-linux-amd64.tar.gz"
+fi
+i=0
+until curl -o /srv/magnum/helm-client.tar.gz "${HELM_CLIENT_URL}"; do
+    i=$((i + 1))
+    [ $i -lt 5 ] || break;
+    sleep 5
+done
+
+if ! echo "${HELM_CLIENT_SHA256} /srv/magnum/helm-client.tar.gz" | sha256sum -c - ; then
+    echo "ERROR helm-client.tar.gz computed checksum did NOT match, exiting."
+    exit 1
+fi
+
+source /etc/bashrc
+$ssh_cmd tar xzvf /srv/magnum/helm-client.tar.gz linux-amd64/helm -O > /srv/magnum/bin/helm
+$ssh_cmd chmod +x /srv/magnum/bin/helm
+
+helm_install_cmd="helm upgrade --install magnum . --namespace kube-system --values values.yaml --render-subchart-notes"
+helm_history_cmd="helm history magnum --namespace kube-system"
+if [[ "${HELM_CLIENT_TAG}" == v2.* ]]; then
+    CERTS_DIR="/etc/kubernetes/helm/certs"
+    export HELM_HOME="/srv/magnum/kubernetes/helm/home"
+    export HELM_TLS_ENABLE="true"
+    mkdir -p "${HELM_HOME}"
+    ln -s ${CERTS_DIR}/helm.cert.pem ${HELM_HOME}/cert.pem
+    ln -s ${CERTS_DIR}/helm.key.pem ${HELM_HOME}/key.pem
+    ln -s ${CERTS_DIR}/ca.cert.pem ${HELM_HOME}/ca.pem
+
+    # HACK - Force wait because of bug https://github.com/helm/helm/issues/5170
+    until helm init --client-only --wait; do
+        sleep 5s
     done
+    helm_install_cmd="helm upgrade --install --name magnum . --namespace kube-system --values values.yaml --render-subchart-notes"
+    helm_history_cmd="helm history magnum"
+fi
 
-    if ! echo "${HELM_CLIENT_SHA256} /srv/magnum/helm-client.tar.gz" | sha256sum -c - ; then
-        echo "ERROR helm-client.tar.gz computed checksum did NOT match, exiting."
-        exit 1
-    fi
-
-    source /etc/bashrc
-    $ssh_cmd tar xzvf /srv/magnum/helm-client.tar.gz linux-amd64/helm -O > /srv/magnum/bin/helm
-    $ssh_cmd chmod +x /srv/magnum/bin/helm
-
-    helm_install_cmd="helm upgrade --install magnum . --namespace kube-system --values values.yaml --render-subchart-notes"
-    helm_history_cmd="helm history magnum --namespace kube-system"
-    if [[ "${HELM_CLIENT_TAG}" == v2.* ]]; then
-        CERTS_DIR="/etc/kubernetes/helm/certs"
-        export HELM_HOME="/srv/magnum/kubernetes/helm/home"
-        export HELM_TLS_ENABLE="true"
-        export TILLER_NAMESPACE
-        mkdir -p "${HELM_HOME}"
-        ln -s ${CERTS_DIR}/helm.cert.pem ${HELM_HOME}/cert.pem
-        ln -s ${CERTS_DIR}/helm.key.pem ${HELM_HOME}/key.pem
-        ln -s ${CERTS_DIR}/ca.cert.pem ${HELM_HOME}/ca.pem
-
-        # HACK - Force wait because of bug https://github.com/helm/helm/issues/5170
-        until helm init --client-only --wait; do
-            sleep 5s
-        done
-        helm_install_cmd="helm upgrade --install --name magnum . --namespace kube-system --values values.yaml --render-subchart-notes"
-        helm_history_cmd="helm history magnum"
-    fi
-
-    HELM_CHART_DIR="/srv/magnum/kubernetes/helm/magnum"
-    if [[ -d "${HELM_CHART_DIR}" ]]; then
-        pushd ${HELM_CHART_DIR}
-        cat << EOF > Chart.yaml
+HELM_CHART_DIR="/srv/magnum/kubernetes/helm/magnum"
+if [[ -d "${HELM_CHART_DIR}" ]]; then
+    pushd ${HELM_CHART_DIR}
+    cat << EOF > Chart.yaml
 apiVersion: v1
 name: magnum
 version: 1.0.0
 appVersion: v1.0.0
 description: Magnum Helm Charts
 EOF
-        sed -i '1i\dependencies:' requirements.yaml
+    sed -i '1i\dependencies:' requirements.yaml
 
-        i=0
-        until ($helm_history_cmd | grep magnum | grep deployed) || (helm dep update && $helm_install_cmd); do
-            i=$((i + 1))
-            [ $i -lt 60 ] || break;
-            sleep 5
-        done
-        popd
-    fi
+    i=0
+    until ($helm_history_cmd | grep magnum | grep deployed) || (helm dep update && $helm_install_cmd); do
+        i=$((i + 1))
+        [ $i -lt 60 ] || break;
+        sleep 5
+    done
+    popd
 fi
 
 echo "END: ${step}"
diff --git a/magnum/drivers/common/templates/kubernetes/fragments/write-heat-params-master.sh b/magnum/drivers/common/templates/kubernetes/fragments/write-heat-params-master.sh
index 0cd02bf95b..53034354bc 100644
--- a/magnum/drivers/common/templates/kubernetes/fragments/write-heat-params-master.sh
+++ b/magnum/drivers/common/templates/kubernetes/fragments/write-heat-params-master.sh
@@ -124,9 +124,6 @@ KEYSTONE_AUTH_ENABLED="$KEYSTONE_AUTH_ENABLED"
 K8S_KEYSTONE_AUTH_TAG="$K8S_KEYSTONE_AUTH_TAG"
 PROJECT_ID="$PROJECT_ID"
 EXTERNAL_NETWORK_ID="$EXTERNAL_NETWORK_ID"
-TILLER_ENABLED="$TILLER_ENABLED"
-TILLER_TAG="$TILLER_TAG"
-TILLER_NAMESPACE="$TILLER_NAMESPACE"
 HELM_CLIENT_URL="$HELM_CLIENT_URL"
 HELM_CLIENT_SHA256="$HELM_CLIENT_SHA256"
 HELM_CLIENT_TAG="$HELM_CLIENT_TAG"
diff --git a/magnum/drivers/heat/k8s_fedora_template_def.py b/magnum/drivers/heat/k8s_fedora_template_def.py
index 52acc13e2e..b207daeda6 100644
--- a/magnum/drivers/heat/k8s_fedora_template_def.py
+++ b/magnum/drivers/heat/k8s_fedora_template_def.py
@@ -111,9 +111,6 @@ class K8sFedoraTemplateDefinition(k8s_template_def.K8sTemplateDefinition):
                       'prometheus_adapter_chart_tag',
                       'prometheus_adapter_configmap',
                       'selinux_mode',
-                      'tiller_enabled',
-                      'tiller_tag',
-                      'tiller_namespace',
                       'helm_client_url', 'helm_client_sha256',
                       'helm_client_tag',
                       'traefik_ingress_controller_tag',
diff --git a/magnum/drivers/k8s_fedora_coreos_v1/templates/kubecluster.yaml b/magnum/drivers/k8s_fedora_coreos_v1/templates/kubecluster.yaml
index 02c6eac5d9..3a6252175c 100644
--- a/magnum/drivers/k8s_fedora_coreos_v1/templates/kubecluster.yaml
+++ b/magnum/drivers/k8s_fedora_coreos_v1/templates/kubecluster.yaml
@@ -789,21 +789,6 @@ parameters:
     description: >
       project id of current project
 
-  tiller_enabled:
-    type: boolean
-    description: Choose whether to install tiller or not.
-    default: false
-
-  tiller_tag:
-    type: string
-    description: tag of tiller container
-    default: "v2.16.7"
-
-  tiller_namespace:
-    type: string
-    description: namespace where tiller will be installed.
-    default: "magnum-tiller"
-
   helm_client_url:
     type: string
     description: url of helm client tarball
@@ -1364,9 +1349,6 @@ resources:
           prometheus_adapter_chart_tag: {get_param: prometheus_adapter_chart_tag}
           prometheus_adapter_configmap: {get_param: prometheus_adapter_configmap}
           project_id: {get_param: project_id}
-          tiller_enabled: {get_param: tiller_enabled}
-          tiller_tag: {get_param: tiller_tag}
-          tiller_namespace: {get_param: tiller_namespace}
           helm_client_url: {get_param: helm_client_url}
           helm_client_sha256: {get_param: helm_client_sha256}
           helm_client_tag: {get_param: helm_client_tag}
@@ -1417,7 +1399,6 @@ resources:
             - get_file: ../../common/templates/kubernetes/fragments/core-dns-service.sh
             - get_file: ../../common/templates/kubernetes/fragments/calico-service.sh
             - get_file: ../../common/templates/kubernetes/fragments/flannel-service.sh
-            - get_file: ../../common/templates/kubernetes/fragments/enable-helm-tiller.sh
             - str_replace:
                 template: {get_file: ../../common/templates/kubernetes/fragments/enable-prometheus-monitoring.sh}
                 params:
diff --git a/magnum/drivers/k8s_fedora_coreos_v1/templates/kubemaster.yaml b/magnum/drivers/k8s_fedora_coreos_v1/templates/kubemaster.yaml
index 917f010db8..4d2feb2303 100644
--- a/magnum/drivers/k8s_fedora_coreos_v1/templates/kubemaster.yaml
+++ b/magnum/drivers/k8s_fedora_coreos_v1/templates/kubemaster.yaml
@@ -545,18 +545,6 @@ parameters:
     description: >
       project id of current project
 
-  tiller_enabled:
-    type: string
-    description: Whether to enable tiller or not
-
-  tiller_tag:
-    type: string
-    description: tag of tiller container
-
-  tiller_namespace:
-    type: string
-    description: namespace where tiller will be installed
-
   helm_client_url:
     type: string
     description: url of helm client tarball
@@ -895,9 +883,6 @@ resources:
                   "$PROMETHEUS_ADAPTER_CONFIGMAP": {get_param: prometheus_adapter_configmap}
                   "$PROJECT_ID": {get_param: project_id}
                   "$EXTERNAL_NETWORK_ID": {get_param: external_network}
-                  "$TILLER_ENABLED": {get_param: tiller_enabled}
-                  "$TILLER_TAG": {get_param: tiller_tag}
-                  "$TILLER_NAMESPACE": {get_param: tiller_namespace}
                   "$HELM_CLIENT_URL": {get_param: helm_client_url}
                   "$HELM_CLIENT_SHA256": {get_param: helm_client_sha256}
                   "$HELM_CLIENT_TAG": {get_param: helm_client_tag}
diff --git a/magnum/tests/unit/drivers/test_template_definition.py b/magnum/tests/unit/drivers/test_template_definition.py
index a3f9d17e3a..eff2eeabd5 100644
--- a/magnum/tests/unit/drivers/test_template_definition.py
+++ b/magnum/tests/unit/drivers/test_template_definition.py
@@ -509,12 +509,6 @@ class AtomicK8sTemplateDefinitionTestCase(BaseK8sTemplateDefinitionTestCase):
         prometheus_adapter_configmap = mock_cluster.labels.get(
             'prometheus_adapter_configmap')
         project_id = mock_cluster.project_id
-        tiller_enabled = mock_cluster.labels.get(
-            'tiller_enabled')
-        tiller_tag = mock_cluster.labels.get(
-            'tiller_tag')
-        tiller_namespace = mock_cluster.labels.get(
-            'tiller_namespace')
         helm_client_url = mock_cluster.labels.get(
             'helm_client_url')
         helm_client_sha256 = mock_cluster.labels.get(
@@ -655,9 +649,6 @@ class AtomicK8sTemplateDefinitionTestCase(BaseK8sTemplateDefinitionTestCase):
             'prometheus_adapter_configmap': prometheus_adapter_configmap,
             'project_id': project_id,
             'external_network': external_network_id,
-            'tiller_enabled': tiller_enabled,
-            'tiller_tag': tiller_tag,
-            'tiller_namespace': tiller_namespace,
             'helm_client_url': helm_client_url,
             'helm_client_sha256': helm_client_sha256,
             'helm_client_tag': helm_client_tag,
@@ -1072,12 +1063,6 @@ class AtomicK8sTemplateDefinitionTestCase(BaseK8sTemplateDefinitionTestCase):
         prometheus_adapter_configmap = mock_cluster.labels.get(
             'prometheus_adapter_configmap')
         project_id = mock_cluster.project_id
-        tiller_enabled = mock_cluster.labels.get(
-            'tiller_enabled')
-        tiller_tag = mock_cluster.labels.get(
-            'tiller_tag')
-        tiller_namespace = mock_cluster.labels.get(
-            'tiller_namespace')
         helm_client_url = mock_cluster.labels.get(
             'helm_client_url')
         helm_client_sha256 = mock_cluster.labels.get(
@@ -1222,9 +1207,6 @@ class AtomicK8sTemplateDefinitionTestCase(BaseK8sTemplateDefinitionTestCase):
             'prometheus_adapter_configmap': prometheus_adapter_configmap,
             'project_id': project_id,
             'external_network': external_network_id,
-            'tiller_enabled': tiller_enabled,
-            'tiller_tag': tiller_tag,
-            'tiller_namespace': tiller_namespace,
             'helm_client_url': helm_client_url,
             'helm_client_sha256': helm_client_sha256,
             'helm_client_tag': helm_client_tag,
diff --git a/releasenotes/notes/drop-tiller-5b98862961003df8.yaml b/releasenotes/notes/drop-tiller-5b98862961003df8.yaml
new file mode 100644
index 0000000000..bef60274af
--- /dev/null
+++ b/releasenotes/notes/drop-tiller-5b98862961003df8.yaml
@@ -0,0 +1,8 @@
+---
+upgrade:
+  - |
+    ``Tiller`` support has been dropped, following labels are not functional
+    anymore:
+    * ``tiller_enabled``
+    * ``tiller_tag``
+    * ``tiller_namespace``