Outshift Logo


5 min read

Blog thumbnail
Published on 04/24/2019
Last updated on 05/03/2024

Helm Chart repository (as a) service


In one of our previous posts about creating Helm Charts for Kubernetes, we outlined what we consider the best practices for creating Helm charts. We've been using Helm in production and investing our time in creating Helm charts (available on the Banzai Cloud Charts GitHub repository) since Banzai Cloud's inception. Creating Helm Charts is one thing; storing and serving them is another. We'd like to reduce the burden this places on the user, so today marks the launch of our Banzai Charts, which you can use to store and serve public Helm Charts for free.


  • Accessing the Banzai Cloud {{% chart-repository-service %}}
  • We opensourced a Chartsec library, making it available as a Golang lib or CLI tool
  • As part of Pipeline's enterprise version, we support private Helm Chart repositories
  • The {{% chart-repository-service %}} is available for free, with a generous fair usage policy


Our Helm Chart service is based on ChartMuseum, an open-source, easy to deploy, Helm Chart repository server. We are using the upstream ChartMuseum distribution without any modifications. We have, however, added certain features to make it a managed, multi-tenant service. Helm_Repository_Service The services we added are outlined below:

Authentication Service

Pulling charts from our Chart repository service doesn't require authentication (in the free version), but pushing charts to the repository is protected by user authentication. You must request an API token - the free version supports GitHub, GitLab or BitBucket authentication - before you can receive the access necessary to push charts to the repositories of organizations/teams on a given provider. Our enterprise version supports private chart repositories, where chart access is protected. NOTE: if you are not part of an organization/team on a given SCM provider, it is not possible for you to use the Chart service at this time. An API token will be created by the official ChartMuseum/auth Go library.

Chart Push Filter

The Chart Push Filter scans charts and compares them to sets of XSS policies and quota limits. For this, we use a version of UGCPolicy from the widely venerated bluemonday Go library with some added quota checks and with the Chartsec library, which we open-sourced and is also used as part of our Pipeline project.


To get a repository for your organization/team, navigate to the Banzai Cloud {{% chart-repository-service %}} and request an API token, then choose between expiring and non-expiring tokens: API_token After requesting an API token, you will land on a page with instructions for using the Chart repository service in an end user-specific way. The outlined instructions will be very similar to those in the Helm Push Plugin documentation: Install the Push plugin:
$ helm plugin install
Expose the ChartMuseum API token in your shell, so the push plugin can pick it up:
$ export
Add the new repository to your Helm configuration (in my case it's gh/banzaicloud, which belongs to the https://github.com/banzaicloud GitHub organization):
$ helm repo add my-helm-repo
Push one of your charts into the newly added repository:
$ helm push my-helm-chart-0.1.2.tgz
my-helm-repo Pushing my-helm-chart-0.1.2.tgz to
my-helm-repo... Done.

CircleCI Helm Orb

We have also created a Helm CircleCI Orb, which can be reused in your CircleCI configurations. This Orb helps you streamline and automate the steps involved with:
  • configuring dependent repositories
  • linting and checking
  • packaging
  • and publishing a Helm chart to a configurable Helm repository.
We've assembled a simple Go Hello World application packaged as a Helm Chart, as well, which uses the Helm Orb for demonstration purposes. Here's how:
orbs: helm: banzaicloud/helm@volatile

jobs: build: docker: - image: circleci/golang:1.12
environment: GOFLAG: -mod=readonly

      - checkout
      - run:
          name: Build
          command: |
            go build

workflows: e2e-test: jobs: - build helm-chart: jobs: -
helm/publish-chart: # The `helm-banzaicloud` Circle Context
has to exist which # contains the HELM_REPO_ACCESS_TOKEN
from above, you have # to create this manually after you
have requested a token. # See:
https://circleci.com/docs/2.0/contexts/ context:
helm-banzaicloud chart-path: charts/simple-helm-app # Your
own Banzai Cloud Chart repository URL, in my case # the one
belonging to the banzaicloud GitHub organization.
chartmuseum-url: cm://charts.banzaicloud.io/gh/banzaicloud
filters: branches: ignore: /.\*/ tags: only:
(No blog about Kubernetes is complete without a wall of YAML, but at least there's no Kubernetes manifests this time) From the description above, you can see that tagging the application with the simple-helm-app/0.1.0 tag, for example, triggers the chart packaging, as can be seen in this build job.

Usage policy

Our {{% chart-repository-service %}} is free for everyone to use, with the fair use policy highlighted below:
  • Compressed uploaded charts shouldn't exceed 100k bytes
  • Chart packages should contain only those files necessary for the application itself
  • Charts should be valid Helm Charts
  • Overall, chart storage should not exceed 1GB (this is around 100 charts with about 100 versions of each chart)
If you have different needs, would like to deploy this chart within your environment, or have any other questions, contact us.

Enterprise offering

All this comes as part of the Pipeline Enterprise package, with which we offer a secure Chart repository service for all users, out-of-the-box, allowing users to create secure, private chart repositories, with no limitations.
Learn more about Helm:

About Banzai Cloud Pipeline

Banzai Cloud’s Pipeline provides a platform for enterprises to develop, deploy, and scale container-based applications. It leverages best-of-breed cloud components, such as Kubernetes, to create a highly productive, yet flexible environment for developers and operations teams alike. Strong security measures — multiple authentication backends, fine-grained authorization, dynamic secret management, automated secure communications between components using TLS, vulnerability scans, static code analysis, CI/CD, and so on — are default features of the Pipeline platform.
Subscribe card background
Subscribe to
the Shift!

Get emerging insights on emerging technology straight to your inbox.

Unlocking Multi-Cloud Security: Panoptica's Graph-Based Approach

Discover why security teams rely on Panoptica's graph-based technology to navigate and prioritize risks across multi-cloud landscapes, enhancing accuracy and resilience in safeguarding diverse ecosystems.

the Shift
emerging insights
on emerging technology straight to your inbox.

The Shift keeps you at the forefront of cloud native modern applications, application security, generative AI, quantum computing, and other groundbreaking innovations that are shaping the future of technology.

Outshift Background