It is possible to use a private Helm repository to store your own Helm charts and deploy them using Kubeapps. In this guide we will show how you can do that with some of the solutions available right now:
- ChartMuseum
- Artifactory (Pro)
ChartMuseum is an open-source Helm Chart Repository written in Go (Golang), with support for cloud storage backends, including Google Cloud Storage, Amazon S3, Microsoft Azure Blob Storage, Alibaba Cloud OSS Storage and OpenStack Object Storage.
To use ChartMuseum with Kubeapps, first deploy its Helm chart from the stable
repository:
In the deployment form we should change at least two things:
env.open.DISABLE_API
: We should set this value tofalse
so we can use the ChartMuseum API to push new charts.persistence.enabled
: We will set this value totrue
to enable persistence for the charts we store. Note that this will create a Kubernetes Persistent Volume Claim so depending on your Kubernetes provider you may need to manually allocate the required Persistent Volume to satisfy the claim. Some Kubernetes providers will automatically create PVs for you so setting this value totrue
will be enough.
Once ChartMuseum is deployed you will be able to upload a chart. In one terminal open a port-forward tunnel to the application:
$ export POD_NAME=$(kubectl get pods --namespace default -l "app=chartmuseum" -l "release=my-chartrepo" -o jsonpath="{.items[0].metadata.name}")
$ kubectl port-forward $POD_NAME 8080:8080 --namespace default
Forwarding from 127.0.0.1:8080 -> 8080
Forwarding from [::1]:8080 -> 8080
And in a different terminal you can push your chart:
$ helm package /path/to/my/chart
Successfully packaged chart and saved it to: /path/to/my/chart/my-chart-1.0.0.tgz
$ curl --data-binary "@my-chart-1.0.0.tgz" http://localhost:8080/api/charts
{"saved":true}
To add your private repository go to Configuration > App Repositories
in Kubeapps and click on "Add App Repository". You will need to add your repository using the Kubernetes DNS name for the ChartMuseum service. This will be <release_name>-chartmuseum.<namespace>:8080
:
Once you create the repository you can click on the link for the specific repository and you will be able to deploy your own applications using Kubeapps.
It is possible to configure ChartMuseum to use authentication with two different mechanism:
- Using HTTP basic authentication (user/password). To use this feature, it's needed to:
- Specify the parameters
secret.AUTH_USER
andsecret.AUTH_PASS
when deploying the ChartMuseum. - Set as Authorization Header a
Basic
auth header using as value the base64 codification of the stringuser:password
. For example, for the user "Aladdin" and password "open sesame", it would use the following header field:Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
- Specify the parameters
- Using a JWT token. Once you obtain a valid token you can set it in the Authorization Header field of the App Repository form. Note that in this case it will be prefixed with
Bearer
. For example:Bearer UVd4aFpHUnBianB2Y0dWdUlIT=
.
JFrog Artifactory is a Repository Manager supporting all major packaging formats, build tools and CI servers.
Note: In order to use the Helm repository feature, it's necessary to use an Artifactory Pro account.
To install Artifactory with Kubeapps first add the JFrog repository to Kubeapps. Go to Configuration > App Repositories
and add their repository:
Then click on the JFrog repository and deploy Artifactory. For detailed installation instructions, check its README. If you don't have any further requirement, the default values will work.
When deployed, in the setup wizard, select "Helm" to initialize a repository:
By default, Artifactory creates a chart repository called helm
. That is the one you can use to store your applications.
First, you will need to obtain the user and password of the Helm repository. To do so, click on the helm
repository and in the Set Me Up
menu enter your password. After that you will be able to see the repository user and password.
Once you have done that, you will be able to upload a chart:
$ curl -u{USER}:{PASSWORD} -T /path/to/chart.tgz "http://{REPO_URL}/artifactory/helm/"
To be able able to access private charts with Kubeapps first you need to generate a token. You can do that with the Artifactory API:
curl -u{USER}:{PASSWORD} -XPOST "http://{REPO_URL}/artifactory/api/security/token?expires_in=0" -d "username=kubeapps" -d "scope=member-of-groups:readers"
{
"scope" : "member-of-groups:readers api:*",
"access_token" : "TOKEN CONTENT",
"token_type" : "Bearer"
}
The above command creates a token with read-only permissions. Now you can go to the Configuration > App Repositories
menu and add your personal repository:
After submitting the repository, you will be able to click on the new repository and see the chart you uploaded in the previous step.