Published on 04/24/2019
Last updated on 08/19/2024
Helm Chart repository (as a) service
In one of our previous posts about creating Helm Charts for Kubernetes, we outlined what we consider the best practices for creating Helm charts. We've been using Helm in production and investing our time in creating Helm charts (available on the Banzai Cloud Charts GitHub repository) since Banzai Cloud's inception. Creating Helm Charts is one thing; storing and serving them is another. We'd like to reduce the burden this places on the user, so today marks the launch of our Banzai Charts, which you can use to store and serve public Helm Charts for free.
tl;dr:
- Accessing the Banzai Cloud Chart repository service
- We open-sourced a Chartsec library, making it available as a Golang lib or CLI tool
- As part of Pipeline's enterprise version, we support private Helm Chart repositories
- The Chart repository service is available for free, with a generous fair usage policy
Architecture
Our Helm Chart service is based on ChartMuseum, an open-source, easy to deploy, Helm Chart repository server. We are using the upstream ChartMuseum distribution without any modifications. We have, however, added certain features to make it a managed, multi-tenant service. The services we added are outlined below:
Authentication Service
Pulling charts from our Chart repository service doesn't require authentication (in the free version), but pushing charts to the repository is protected by user authentication. You must request an API token - the free version supports GitHub, GitLab or BitBucket authentication - before you can receive the access necessary to push charts to the repositories of organizations/teams on a given provider. Our enterprise version supports private chart repositories, where chart access is protected. NOTE: if you are not part of an organization/team on a given SCM provider, it is not possible for you to use the Chart service at this time. An API token will be created by the official ChartMuseum/auth Go library.
Chart Push Filter
The Chart Push Filter scans charts and checks them against a set of XSS policies and quota limits. For this, we use a version of UGCPolicy from the widely venerated bluemonday Go library with some added quota checks, together with the Chartsec library, which we open-sourced and which is also used as part of our Pipeline project.
Usage
To get a repository for your organization/team, navigate to the Banzai Cloud Chart repository service and request an API token, then choose between expiring and non-expiring tokens.
After requesting an API token, you will land on a page with instructions for using the Chart repository service in an end user-specific way. The outlined instructions will be very similar to those in the Helm Push Plugin documentation.
Install the Push plugin:
$ helm plugin install https://github.com/chartmuseum/helm-push
Expose the ChartMuseum API token in your shell, so the push plugin can pick it up:
$ export HELM_REPO_ACCESS_TOKEN="eyJhbGciOiJSUz..."
Add the new repository to your Helm configuration (in my case it's gh/banzaicloud, which belongs to the https://github.com/banzaicloud GitHub organization):
$ helm repo add my-helm-repo cm://charts.banzaicloud.io/gh/banzaicloud
Push one of your charts into the newly added repository:
$ helm push my-helm-chart-0.1.2.tgz my-helm-repo
Pushing my-helm-chart-0.1.2.tgz to my-helm-repo...
Done.
CircleCI Helm Orb
We have also created a Helm CircleCI Orb, which can be reused in your CircleCI configurations. This Orb helps you streamline and automate the steps involved with:
- configuring dependent repositories
- linting and checking
- packaging
- and publishing a Helm chart to a configurable Helm repository.
We've assembled a simple Go Hello World application packaged as a Helm Chart, as well, which uses the Helm Orb for demonstration purposes. Here's how:
```yaml
# Orbs require CircleCI configuration version 2.1.
version: 2.1

orbs:
  helm: banzaicloud/helm@volatile

jobs:
  build:
    docker:
      - image: circleci/golang:1.12
        environment:
          GOFLAGS: -mod=readonly
    steps:
      - checkout
      - run:
          name: Build
          command: |
            go build

workflows:
  e2e-test:
    jobs:
      - build
  helm-chart:
    jobs:
      - helm/publish-chart:
          # The `helm-banzaicloud` Circle Context has to exist which
          # contains the HELM_REPO_ACCESS_TOKEN from above, you have
          # to create this manually after you have requested a token.
          # See: https://circleci.com/docs/2.0/contexts/
          context: helm-banzaicloud
          chart-path: charts/simple-helm-app
          # Your own Banzai Cloud Chart repository URL, in my case
          # the one belonging to the banzaicloud GitHub organization.
          chartmuseum-url: cm://charts.banzaicloud.io/gh/banzaicloud
          filters:
            branches:
              ignore: /.*/
            tags:
              only: /simple-helm-app\/\d+\.\d+\.\d+/
```
(No blog about Kubernetes is complete without a wall of YAML, but at least there are no Kubernetes manifests this time.)
From the description above, you can see that tagging the application with the simple-helm-app/0.1.0 tag, for example, triggers the chart packaging, as can be seen in this build job.
Usage policy
Our Chart repository service is free for everyone to use, with the fair use policy highlighted below:
- Compressed uploaded charts shouldn't exceed 100k bytes
- Chart packages should contain only those files necessary for the application itself
- Charts should be valid Helm Charts
- Overall, chart storage should not exceed 1GB (this is around 100 charts with about 100 versions of each chart)
If you have different needs, would like to deploy this chart within your environment, or have any other questions, contact us.
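The push-time quota and validity checks described under Chart Push Filter and in the usage policy above can be sketched with Go's standard library. This is an added example, not the service's or Chartsec's code: `CheckChart`, `BuildChart` and the 1,000,000-byte unpacked-size cap are assumptions for illustration, and the XSS policy scan is left out.

```go
package main

import (
	"archive/tar"
	"bytes"
	"compress/gzip"
	"fmt"
	"io"
	"strings"
)

// 100k compressed is the usage-policy figure; the unpacked cap is an assumption.
const maxCompressed, maxExpanded = 100_000, 1_000_000

// CheckChart applies the size quota and requires <chart-name>/Chart.yaml in a chart .tgz.
func CheckChart(pkg []byte) error {
	if len(pkg) > maxCompressed {
		return fmt.Errorf("compressed chart is %d bytes, limit is %d", len(pkg), maxCompressed)
	}
	gz, err := gzip.NewReader(bytes.NewReader(pkg))
	if err != nil {
		return fmt.Errorf("not a gzip archive: %w", err)
	}
	total, found, tr := int64(0), false, tar.NewReader(gz)
	for h, err := tr.Next(); err != io.EOF; h, err = tr.Next() {
		if err != nil {
			return fmt.Errorf("corrupt archive: %w", err)
		}
		// Reject on the declared size before the entry body is read.
		if total += h.Size; total > maxExpanded {
			return fmt.Errorf("unpacked chart exceeds %d bytes", maxExpanded)
		}
		found = found || (strings.Count(h.Name, "/") == 1 && strings.HasSuffix(h.Name, "/Chart.yaml"))
	}
	if !found {
		return fmt.Errorf("no <chart-name>/Chart.yaml entry: not a valid Helm chart")
	}
	return nil
}

// BuildChart packs one constructed sample file into an in-memory .tgz.
func BuildChart(name, body string) []byte {
	var buf bytes.Buffer
	gz := gzip.NewWriter(&buf)
	tw := tar.NewWriter(gz)
	tw.WriteHeader(&tar.Header{Name: name, Mode: 0o644, Size: int64(len(body))})
	tw.Write([]byte(body))
	tw.Close()
	gz.Close()
	return buf.Bytes()
}

func main() { fmt.Println(CheckChart(BuildChart("app/Chart.yaml", "name: app\nversion: 0.1.2\n"))) }
```

The compressed-size limit alone does not bound what a chart expands to, which is why the sketch also sums the declared entry sizes while walking the archive.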
Enterprise offering
All this comes as part of the Pipeline Enterprise package, with which we offer a secure Chart repository service for all users, out-of-the-box, allowing users to create secure, private chart repositories, with no limitations.
About Banzai Cloud Pipeline
Banzai Cloud’s Pipeline provides a platform for enterprises to develop, deploy, and scale container-based applications. It leverages best-of-breed cloud components, such as Kubernetes, to create a highly productive, yet flexible environment for developers and operations teams alike. Strong security measures — multiple authentication backends, fine-grained authorization, dynamic secret management, automated secure communications between components using TLS, vulnerability scans, static code analysis, CI/CD, and so on — are default features of the Pipeline platform.