From ddf80b1c3c9786b13e77538c0b11640291b9e710 Mon Sep 17 00:00:00 2001 From: jdolitsky <393494+jdolitsky@users.noreply.github.com> Date: Thu, 19 Nov 2020 19:12:23 -0500 Subject: [PATCH] Fix up chart for artifacthub Signed-off-by: jdolitsky <393494+jdolitsky@users.noreply.github.com> --- README.md | 740 +------------------------------------ logo.jpg | Bin 0 -> 14369 bytes src/chartmuseum/Chart.yaml | 4 +- src/chartmuseum/README.md | 740 +++++++++++++++++++++++++++++++++++++ 4 files changed, 743 insertions(+), 741 deletions(-) create mode 100644 logo.jpg create mode 100644 src/chartmuseum/README.md diff --git a/README.md b/README.md index 26399da..dd0ea36 100644 --- a/README.md +++ b/README.md 
@@ -1,742 +1,4 @@ -# ChartMuseum Helm Chart +# ChartMuseum Project Helm Charts [![Artifact HUB](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/chartmuseum)](https://artifacthub.io/packages/search?page=1&org=chartmuseum) -Deploy your own private ChartMuseum. - -Please also see https://github.com/helm/chartmuseum - -## Table of Content - - - - - -- [ChartMuseum Helm Chart](#chartmuseum-helm-chart) - - [Table of Content](#table-of-content) - - [Prerequisites](#prerequisites) - - [Configuration](#configuration) - - [Installation](#installation) - - [Using with Amazon S3](#using-with-amazon-s3) - - [permissions grant with access keys](#permissions-grant-with-access-keys) - - [permissions grant with IAM instance profile](#permissions-grant-with-iam-instance-profile) - - [permissions grant with IAM assumed role](#permissions-grant-with-iam-assumed-role) - - [permissions grant with IAM Roles for Service Accounts](#permissions-grant-with-iam-roles-for-service-accounts) - - [Using with Google Cloud Storage](#using-with-google-cloud-storage) - - [Using with Google Cloud Storage and a Google Service Account](#using-with-google-cloud-storage-and-a-google-service-account) - - [Using with Microsoft Azure Blob Storage](#using-with-microsoft-azure-blob-storage) - - [Using with Alibaba Cloud OSS Storage](#using-with-alibaba-cloud-oss-storage) - - [Using with Openstack Object Storage](#using-with-openstack-object-storage) - - [Using with Oracle Object Storage](#using-with-oracle-object-storage) - - [Using an existing secret](#using-an-existing-secret) - - [Using with local filesystem storage](#using-with-local-filesystem-storage) - - [Setting local storage permissions with initContainers](#setting-local-storage-permissions-with-initcontainers) - - [Example storage class](#example-storage-class) - - [Authentication](#authentication) - - [Basic Authentication](#basic-authentication) - - [Bearer/Token auth](#bearertoken-auth) - - [Ingress](#ingress) - - 
[Hosts](#hosts) - - [Extra Paths](#extra-paths) - - [Annotations](#annotations) - - [Example Ingress configuration](#example-ingress-configuration) - - [Uninstall](#uninstall) - - - - -## Prerequisites - -* [If enabled] A persistent storage resource and RW access to it -* [If enabled] Kubernetes StorageClass for dynamic provisioning - -## Configuration - -By default this chart will not have persistent storage, and the API service -will be *DISABLED*. This protects against unauthorized access to the API -with default configuration values. - -In addition, by default, pod `securityContext.fsGroup` is set to `1000`. This -is the user/group that the ChartMuseum container runs as, and is used to -enable local persitant storage. If your cluster has DenySecurityContext enabled, -you can set `securityContext` to `{}` and still use this chart with one of -the cloud storage options. - -For a more robust solution supply helm install with a custom values.yaml -You are also required to create the StorageClass resource ahead of time: -``` -kubectl create -f /path/to/storage_class.yaml -``` - -The following table lists common configurable parameters of the chart and -their default values. See values.yaml for all available options. 
- -| Parameter | Description | Default | -| --------------------------------------- | --------------------------------------------------------------------------- | ------------------------------------ | -| `image.pullPolicy` | Container pull policy | `IfNotPresent` | -| `image.repository` | Container image to use | `chartmuseum/chartmuseum` | -| `image.tag` | Container image tag to deploy | `v0.12.0` | -| `persistence.accessMode` | Access mode to use for PVC | `ReadWriteOnce` | -| `persistence.enabled` | Whether to use a PVC for persistent storage | `false` | -| `persistence.path` | PV mount path | `/storage` | -| `persistence.size` | Amount of space to claim for PVC | `8Gi` | -| `persistence.labels` | Additional labels for PVC | `{}` | -| `persistence.storageClass` | Storage Class to use for PVC | `-` | -| `persistence.volumeName` | Volume to use for PVC | `` | -| `persistence.pv.enabled` | Whether to use a PV for persistent storage | `false` | -| `persistence.pv.capacity.storage` | Storage size to use for PV | `8Gi` | -| `persistence.pv.accessMode` | Access mode to use for PV | `ReadWriteOnce` | -| `persistence.pv.nfs.server` | NFS server for PV | `` | -| `persistence.pv.nfs.path` | Storage Path | `` | -| `persistence.pv.pvname` | Custom name for private volume | `` | -| `volumePermissions.image.registry` | Init container volume-permissions image registry | `docker.io` | -| `volumePermissions.image.repository` | Init container volume-permissions image name | `bitnami/minideb` | -| `volumePermissions.image.tag` | Init container volume-permissions image tag | `buster` | -| `volumePermissions.image.pullPolicy` | Init container volume-permissions image pull policy | `Always` | -| `replicaCount` | k8s replicas | `1` | -| `resources.limits.cpu` | Container maximum CPU | `100m` | -| `resources.limits.memory` | Container maximum memory | `128Mi` | -| `resources.requests.cpu` | Container requested CPU | `80m` | -| `resources.requests.memory` | Container requested memory | 
`64Mi` | -| `secret.labels` | Additional labels for secret | `false` | -| `serviceAccount.create` | If true, create the service account | `false` | -| `serviceAccount.name` | Name of the serviceAccount to create or use | `{{ chartmuseum.fullname }}` | -| `serviceAccount.annotations` | Additional Service Account annotations | `{}` | -| `securityContext.enabled` | Enable securityContext | `true` | -| `securityContext.fsGroup` | Group ID for the container | `1000` | -| `securityContext.runAsNonRoot` | Running Pods as non-root | `` | -| `securityContext.supplementalGroups` | Control which group IDs containers add | `` | -| `containerSecurityContext` | Additional Container securityContext (ex. allowPrivilegeEscalation) | `{}` | -| `priorityClassName ` | priorityClassName | `""` | -| `nodeSelector` | Map of node labels for pod assignment | `{}` | -| `tolerations` | List of node taints to tolerate | `[]` | -| `affinity` | Map of node/pod affinities | `{}` | -| `schedulerName` | Kubernetes scheduler to use | `default` | -| `env.open.STORAGE` | Storage Backend to use | `local` | -| `env.open.STORAGE_ALIBABA_BUCKET` | Bucket to store charts in for Alibaba | `` | -| `env.open.STORAGE_ALIBABA_PREFIX` | Prefix to store charts under for Alibaba | `` | -| `env.open.STORAGE_ALIBABA_ENDPOINT` | Alternative Alibaba endpoint | `` | -| `env.open.STORAGE_ALIBABA_SSE` | Server side encryption algorithm to use | `` | -| `env.open.STORAGE_AMAZON_BUCKET` | Bucket to store charts in for AWS | `` | -| `env.open.STORAGE_AMAZON_ENDPOINT` | Alternative AWS endpoint | `` | -| `env.open.STORAGE_AMAZON_PREFIX` | Prefix to store charts under for AWS | `` | -| `env.open.STORAGE_AMAZON_REGION` | Region to use for bucket access for AWS | `` | -| `env.open.STORAGE_AMAZON_SSE` | Server side encryption algorithm to use | `` | -| `env.open.STORAGE_GOOGLE_BUCKET` | Bucket to store charts in for GCP | `` | -| `env.open.STORAGE_GOOGLE_PREFIX` | Prefix to store charts under for GCP | `` | -| 
`env.open.STORAGE_MICROSOFT_CONTAINER` | Container to store charts under for MS | `` | -| `env.open.STORAGE_MICROSOFT_PREFIX` | Prefix to store charts under for MS | `` | -| `env.open.STORAGE_OPENSTACK_CONTAINER` | Container to store charts for openstack | `` | -| `env.open.STORAGE_OPENSTACK_PREFIX` | Prefix to store charts for openstack | `` | -| `env.open.STORAGE_OPENSTACK_REGION` | Region of openstack container | `` | -| `env.open.STORAGE_OPENSTACK_CACERT` | Path to a CA cert bundle for openstack | `` | -| `env.open.STORAGE_ORACLE_COMPARTMENTID` | Compartment ID for Oracle Object Store | `` | -| `env.open.STORAGE_ORACLE_BUCKET` | Bucket to store charts in Oracle Object Store | `` | -| `env.open.STORAGE_ORACLE_PREFIX` | Prefix to store charts for Oracle object Store | `` | -| `env.open.CHART_POST_FORM_FIELD_NAME` | Form field to query for chart file content | `` | -| `env.open.PROV_POST_FORM_FIELD_NAME` | Form field to query for chart provenance | `` | -| `env.open.DEPTH` | levels of nested repos for multitenancy. 
| `0` | -| `env.open.DEBUG` | Show debug messages | `false` | -| `env.open.LOG_JSON` | Output structured logs in JSON | `true` | -| `env.open.DISABLE_STATEFILES` | Disable use of index-cache.yaml | `false` | -| `env.open.DISABLE_METRICS` | Disable Prometheus metrics | `true` | -| `env.open.DISABLE_API` | Disable all routes prefixed with /api | `true` | -| `env.open.ALLOW_OVERWRITE` | Allow chart versions to be re-uploaded | `false` | -| `env.open.CHART_URL` | Absolute url for .tgzs in index.yaml | `` | -| `env.open.AUTH_ANONYMOUS_GET` | Allow anon GET operations when auth is used | `false` | -| `env.open.CONTEXT_PATH` | Set the base context path | `` | -| `env.open.INDEX_LIMIT` | Parallel scan limit for the repo indexer | `` | -| `env.open.CACHE` | Cache store, can be one of: redis | `` | -| `env.open.CACHE_REDIS_ADDR` | Address of Redis service (host:port) | `` | -| `env.open.CACHE_REDIS_DB` | Redis database to be selected after connect | `0` | -| `env.open.BEARER_AUTH` | Enable bearer auth | `false` | -| `env.open.AUTH_REALM` | Realm used for bearer authentication | `` | -| `env.open.AUTH_SERVICE` | Service used for bearer authentication | `` | -| `env.field` | Expose pod information to containers through environment variables | `` | -| `env.existingSecret` | Name of the existing secret use values | `` | -| `env.existingSecret.BASIC_AUTH_USER` | Key name in the secret for the Username | `` | -| `env.existingSecret.BASIC_AUTH_PASS` | Key name in the secret for the Password | `` | -| `env.secret.BASIC_AUTH_USER` | Username for basic HTTP authentication | `` | -| `env.secret.BASIC_AUTH_PASS` | Password for basic HTTP authentication | `` | -| `env.secret.CACHE_REDIS_PASSWORD` | Redis requirepass server configuration | `` | -| `extraArgs` | Pass extra arguments to the chartmuseum binary | `` | -| `gcp.secret.enabled` | Flag for the GCP service account | `false` | -| `gcp.secret.name` | Secret name for the GCP json file | `` | -| `gcp.secret.key` | Secret key for te 
GCP json file | `credentials.json` | -| `oracle.secret.enabled` | Flag for Oracle OCI account | `false` | -| `oracle.secret.name` | Secret name for OCI config and key | `` | -| `oracle.secret.config` | Secret key that holds the OCI config | `config` | -| `oracle.secret.key_file` | Secret key that holds the OCI private key | `key_file` | -| `bearerAuth.secret.enabled` | Flag for bearer auth public key secret | `` | -| `bearerAuth.secret.publicKey` | The name of the secret with the public key | `` | -| `service.type` | Kubernetes Service type | `ClusterIP` | -| `service.clusterIP` | Static clusterIP or None for headless services | `nil` | -| `service.externalTrafficPolicy` | Source IP preservation (only for Service type NodePort and LoadBalancer) | `Local` | -| `service.loadBalancerSourceRanges` | Restricts access for LoadBalancer (only for Service type LoadBalancer) | `[]` | -| `service.servicename` | Custom name for service | `` | -| `service.labels` | Additional labels for service | `{}` | -| `serviceMonitor.enabled` | Enable the ServiceMontor resource to be deployed | `false` | -| `serviceMonitor.labels` | Labels for the servicemonitor used by the Prometheus Operator | `{}` | -| `serviceMonitor.namespace` | Namespace of the ServiceMonitor resource | `{{ .Release.Namespace }}` | -| `serviceMonitor.metricsPath` | Path to the Chartmuseum metrics path | `/metrics` | -| `serviceMonitor.interval` | Scrape interval, If not set, the Prometheus default scrape interval is used | `nil` | -| `serviceMonitor.timeout` | Scrape request timeout. 
If not set, the Prometheus default timeout is used | `nil` | -| `deployment.labels` | Additional labels for deployment | `{}` | -| `deployment.matchlabes` | Match labels for deployment selector | `{}` | -| `ingress.enabled` | Enable ingress controller resource | `false` | -| `ingress.annotations` | Ingress annotations | `[]` | -| `ingress.labels` | Ingress labels | `[]` | -| `ingress.hosts[0].name` | Hostname for the ingress | `` | -| `ingress.hosts[0].path` | Path within the url structure | `` | -| `ingress.hosts[0].tls ` | Enable TLS on the ingress host | `false` | -| `ingress.hosts[0].tlsSecret` | TLS secret to use (must be manually created) | `` | -| `ingress.hosts[0].serviceName` | The name of the service to route traffic to. | `{{ .Values.service.externalPort }}` | -| `ingress.hosts[0].servicePort` | The port of the service to route traffic to. | `{{ .chartmuseum. }}` | -| `ingress.extraPaths[0].path` | Path within the url structure. | `` | -| `ingress.extraPaths[0].service` | The name of the service to route traffic to. | `` | -| `ingress.extraPaths[0].port` | The port of the service to route traffic to. | `` | - -Specify each parameter using the `--set key=value[,key=value]` argument to -`helm install`. 
- -## Installation - -```shell -helm install --name my-chartmuseum -f custom.yaml stable/chartmuseum -``` - -### Using with Amazon S3 -Make sure your environment is properly setup to access `my-s3-bucket` - -You need at least the following permissions inside your IAM Policy -```yaml -{ - "Version": "2012-10-17", - "Statement": [ - { - "Sid": "AllowListObjects", - "Effect": "Allow", - "Action": [ - "s3:ListBucket" - ], - "Resource": "arn:aws:s3:::my-s3-bucket" - }, - { - "Sid": "AllowObjectsCRUD", - "Effect": "Allow", - "Action": [ - "s3:DeleteObject", - "s3:GetObject", - "s3:PutObject" - ], - "Resource": "arn:aws:s3:::my-s3-bucket/*" - } - ] -} -``` - -You can grant it to `chartmuseum` by several ways: - -#### permissions grant with access keys - -Grant permissions to `special user` and us it's access keys for auth on aws - -Specify `custom.yaml` with such values - -```yaml -env: - open: - STORAGE: amazon - STORAGE_AMAZON_BUCKET: my-s3-bucket - STORAGE_AMAZON_PREFIX: - STORAGE_AMAZON_REGION: us-east-1 - secret: - AWS_ACCESS_KEY_ID: "********" ## aws access key id value - AWS_SECRET_ACCESS_KEY: "********" ## aws access key secret value -``` - -Run command to install - -```shell -helm install --name my-chartmuseum -f custom.yaml stable/chartmuseum -``` - -#### permissions grant with IAM instance profile - -You can grant permissions to k8s node IAM instance profile. 
-For more information read this [article](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2.html) - -Specify `custom.yaml` with such values - -```yaml -env: - open: - STORAGE: amazon - STORAGE_AMAZON_BUCKET: my-s3-bucket - STORAGE_AMAZON_PREFIX: - STORAGE_AMAZON_REGION: us-east-1 -``` - -Run command to install - -```shell -helm install --name my-chartmuseum -f custom.yaml stable/chartmuseum -``` - -#### permissions grant with IAM assumed role - -To provide access with assumed role you need to install [kube2iam](https://github.com/kubernetes/charts/tree/master/stable/kube2iam) -and create role with granded permissions. - -Specify `custom.yaml` with such values - -```yaml -env: - open: - STORAGE: amazon - STORAGE_AMAZON_BUCKET: my-s3-bucket - STORAGE_AMAZON_PREFIX: - STORAGE_AMAZON_REGION: us-east-1 -replica: - annotations: - iam.amazonaws.com/role: "{assumed role name}" -``` - -Run command to install - -```shell -helm install --name my-chartmuseum -f custom.yaml stable/chartmuseum -``` - -#### permissions grant with IAM Roles for Service Accounts - -For Amazon EKS clusters, access can be provided with a service account using [IAM Roles for Service Accounts](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html). 
- -Specify `custom.yaml` with such values - -```yaml -env: - open: - STORAGE: amazon - STORAGE_AMAZON_BUCKET: my-s3-bucket - STORAGE_AMAZON_PREFIX: - STORAGE_AMAZON_REGION: us-east-1 -serviceAccount: - create: true - annotations: - eks.amazonaws.com/role-arn: "arn:aws:iam::{aws account ID}:role/{assumed role name}" -``` - -Run command to install - -```shell -helm install --name my-chartmuseum -f custom.yaml stable/chartmuseum -``` - -### Using with Google Cloud Storage -Make sure your environment is properly setup to access `my-gcs-bucket` - -Specify `custom.yaml` with such values - -```yaml -env: - open: - STORAGE: google - STORAGE_GOOGLE_BUCKET: my-gcs-bucket - STORAGE_GOOGLE_PREFIX: -``` - -### Using with Google Cloud Storage and a Google Service Account - -A Google service account credentials are stored in a json file. There are two approaches here. Ideally you don't want to send your secrets to tiller. In that case, before installing this chart, you should create a secret with those credentials: - -```shell -kubectl create secret generic chartmuseum-secret --from-file=credentials.json="my-project-45e35d85a593.json" -``` - -Then you can either use a `VALUES` yaml with your values or set those values in the command line: - -```shell -helm install stable/chartmuseum --debug --set gcp.secret.enabled=true,env.open.STORAGE=google,env.open.DISABLE_API=false,env.open.STORAGE_GOOGLE_BUCKET=my-gcp-chartmuseum,gcp.secret.name=chartmuseum-secret -``` - -If you prefer to use a yaml file: - -```yaml -env: - open: - STORAGE: google - STORAGE_GOOGLE_BUCKET: my-gcs-bucket - STORAGE_GOOGLE_PREFIX: - -gcp: - secret: - enabled: true - name: chartmuseum-secret - key: credentials.json -``` - -Run command to install - -```shell -helm install --name my-chartmuseum -f custom.yaml stable/chartmuseum -``` - -In case that you don't mind adding your secret to tiller (you shouldn't do it), this are the commands - -```yaml -env: - open: - STORAGE: google - STORAGE_GOOGLE_BUCKET: 
my-gcs-bucket - STORAGE_GOOGLE_PREFIX: - secret: - GOOGLE_CREDENTIALS_JSON: my-json-file-base64-encoded -gcp: - secret: - enabled: true - -``` - -Run command to install - -```shell -helm install --name my-chartmuseum -f custom.yaml stable/chartmuseum -``` - -To set the values directly in the command line, use the following command. Note that we have to base64 encode the json file because we cannot pass a multi-line text as a value. - -```shell -export JSONKEY=$(cat my-project-77e35d85a593.json | base64) -helm install stable/chartmuseum --debug --set gcp.secret.enabled=true,env.secret.GOOGLE_CREDENTIALS_JSON=${JSONKEY},env.open.STORAGE=google,env.open.DISABLE_API=false,env.open.STORAGE_GOOGLE_BUCKET=my-gcp-chartmuseum -``` - -### Using with Microsoft Azure Blob Storage - -Make sure your environment is properly setup to access `mycontainer`. - -To do so, you must set the following env vars: -- `AZURE_STORAGE_ACCOUNT` -- `AZURE_STORAGE_ACCESS_KEY` - -Specify `custom.yaml` with such values - -```yaml -env: - open: - STORAGE: microsoft - STORAGE_MICROSOFT_CONTAINER: mycontainer - # prefix to store charts for microsoft storage backend - STORAGE_MICROSOFT_PREFIX: - secret: - AZURE_STORAGE_ACCOUNT: "********" ## azure storage account - AZURE_STORAGE_ACCESS_KEY: "********" ## azure storage account access key -``` - -Run command to install - -```shell -helm install --name my-chartmuseum -f custom.yaml stable/chartmuseum -``` - -### Using with Alibaba Cloud OSS Storage - -Make sure your environment is properly setup to access `my-oss-bucket`. 
- -To do so, you must set the following env vars: -- `ALIBABA_CLOUD_ACCESS_KEY_ID` -- `ALIBABA_CLOUD_ACCESS_KEY_SECRET` - -Specify `custom.yaml` with such values - -```yaml -env: - open: - STORAGE: alibaba - STORAGE_ALIBABA_BUCKET: my-oss-bucket - STORAGE_ALIBABA_PREFIX: - STORAGE_ALIBABA_ENDPOINT: oss-cn-beijing.aliyuncs.com - secret: - ALIBABA_CLOUD_ACCESS_KEY_ID: "********" ## alibaba OSS access key id - ALIBABA_CLOUD_ACCESS_KEY_SECRET: "********" ## alibaba OSS access key secret -``` - -Run command to install - -```shell -helm install --name my-chartmuseum -f custom.yaml stable/chartmuseum -``` - -### Using with Openstack Object Storage - -Make sure your environment is properly setup to access `mycontainer`. - -To do so, you must set the following env vars (depending on your openstack version): -- `OS_AUTH_URL` -- either `OS_PROJECT_NAME` or `OS_TENANT_NAME` or `OS_PROJECT_ID` or `OS_TENANT_ID` -- either `OS_DOMAIN_NAME` or `OS_DOMAIN_ID` -- either `OS_USERNAME` or `OS_USERID` -- `OS_PASSWORD` - -Specify `custom.yaml` with such values - -```yaml -env: - open: - STORAGE: openstack - STORAGE_OPENSTACK_CONTAINER: mycontainer - STORAGE_OPENSTACK_PREFIX: - STORAGE_OPENSTACK_REGION: YOURREGION - secret: - OS_AUTH_URL: https://myauth.url.com/v2.0/ - OS_TENANT_ID: yourtenantid - OS_USERNAME: yourusername - OS_PASSWORD: yourpassword -``` - -Run command to install - -```shell -helm install --name my-chartmuseum -f custom.yaml stable/chartmuseum -``` -### Using with Oracle Object Storage - -Oracle (OCI) configuration and private key need to be added to a secret and are mounted at /home/chartmuseum/.oci. Your OCI config needs to be under [DEFAULT] and your `key_file` needs to be /home/chartmuseum/.oci/oci.key. 
See https://docs.cloud.oracle.com/iaas/Content/API/Concepts/sdkconfig.htm - -```shell -kubectl create secret generic chartmuseum-secret --from-file=config=".oci/config" --from-file=key_file=".oci/oci.key" -``` - -Then you can either use a `VALUES` yaml with your values or set those values in the command line: - -```shell -helm install stable/chartmuseum --debug --set env.open.STORAGE=oracle,env.open.STORAGE_ORACLE_COMPARTMENTID=ocid1.compartment.oc1..abc123,env.open.STORAGE_ORACLE_BUCKET=myocibucket,env.open.STORAGE_ORACLE_PREFIX=chartmuseum,oracle.secret.enabled=true,oracle.secret.name=chartmuseum-secret -``` - -If you prefer to use a yaml file: - -```yaml -env: - open: - STORAGE: oracle - STORAGE_ORACLE_COMPARTMENTID: ocid1.compartment.oc1..abc123 - STORAGE_ORACLE_BUCKET: myocibucket - STORAGE_ORACLE_PREFIX: chartmuseum - -oracle: - secret: - enabled: enabled - name: chartmuseum-secret - config: config - key_file: key_file - -``` - -Run command to install - -```shell -helm install --name my-chartmuseum -f custom.yaml stable/chartmuseum -``` - -### Using an existing secret - -It is possible to pre-create a secret in kubernetes and get this chart to use that - -Given you are for example using the above AWS example - -You could create a Secret like this - -```shell - kubectl create secret generic chartmuseum-secret --from-literal="aws-access-key=myaccesskey" --from-literal="aws-secret-access-key=mysecretaccesskey" --from-literal="basic-auth-user=curator" --from-literal="basic-auth-pass=mypassword" -``` - -Specify `custom.yaml` with such values - -```yaml -env: - open: - STORAGE: amazonexistingSecret - STORAGE_AMAZON_BUCKET: my-s3-bucket - STORAGE_AMAZON_PREFIX: - STORAGE_AMAZON_REGION: us-east-1 - existingSecret: chartmuseum-secret - existingSecretMappings: - AWS_ACCESS_KEY_ID: aws-access-key - AWS_SECRET_ACCESS_KEY: aws-secret-access-key - BASIC_AUTH_USER: basic-auth-user - BASIC_AUTH_PASS: basic-auth-pass -``` - -Run command to install - -```shell -helm install 
--name my-chartmuseum -f custom.yaml stable/chartmuseum -``` - -### Using with local filesystem storage -By default chartmuseum uses local filesystem storage. -But on pod recreation it will lose all charts, to prevent that enable persistent storage. - -```yaml -env: - open: - STORAGE: local -persistence: - enabled: true - accessMode: ReadWriteOnce - size: 8Gi - ## A manually managed Persistent Volume and Claim - ## Requires persistence.enabled: true - ## If defined, PVC must be created manually before volume will be bound - # existingClaim: - - ## Chartmuseum data Persistent Volume Storage Class - ## If defined, storageClassName: - ## If set to "-", storageClassName: "", which disables dynamic provisioning - ## If undefined (the default) or set to null, no storageClassName spec is - ## set, choosing the default provisioner. (gp2 on AWS, standard on - ## GKE, AWS & OpenStack) - ## - # storageClass: "-" -``` - -Run command to install - -```shell -helm install --name my-chartmuseum -f custom.yaml stable/chartmuseum -``` - -### Setting local storage permissions with initContainers - -Some clusters do not allow using securityContext to set permissions for persistent volumes. Instead, an initContainer can be created to run `chown` on the mounted volume. To enable it, set `securityContext.enabled` to `false`. - - -#### Example storage class - -Example storage-class.yaml provided here for use with a Ceph cluster. 
- -``` -kind: StorageClass -apiVersion: storage.k8s.io/v1 -metadata: - name: storage-volume -provisioner: kubernetes.io/rbd -parameters: - monitors: "10.11.12.13:4567,10.11.12.14:4567" - adminId: admin - adminSecretName: thesecret - adminSecretNamespace: default - pool: chartstore - userId: user - userSecretName: thesecret -``` - -### Authentication - -By default this chart does not have any authentication configured and allows anyone to fetch or upload (assuming the API is enabled) charts there are two supported methods of authentication - -#### Basic Authentication - -This allows all API routes to be protected by HTTP basic auth, this is configured either as plain text in the values that gets stored as a secret in the kubernetes cluster by setting: - -```yaml -env: - secret: - BASIC_AUTH_USER: curator - BASIC_AUTH_PASS: mypassword -``` - -Or by using values from an existing secret in the cluster that can be created using: - -```shell -kubectl create secret generic chartmuseum-secret --from-literal="basic-auth-user=curator" --from-literal="basic-auth-pass=mypassword" -``` - -This secret can be used in the values file as follows: - -```yaml -env: - existingSecret: chartmuseum-secret - existingSecretMappings: - BASIC_AUTH_USER: basic-auth-user - BASIC_AUTH_PASS: basic-auth-pass -``` - -#### Bearer/Token auth - -When using this ChartMuseum is configured with a public key, and will accept RS256 JWT tokens signed by the associated private key, passed in the Authorization header. You can use the [chartmuseum/auth](https://github.com/chartmuseum/auth) Go library to generate valid JWT tokens. 
For more information about how this works, please see [chartmuseum/auth-server-example](https://github.com/chartmuseum/auth-server-example) - -To use this the public key should be stored in a secret this can be done with - -```shell -kubectl create secret generic chartmuseum-public-key --from-file=public-key.pem -``` - -And Bearer/Token auth can be configured using the following values - -```yaml -env: - open: - BEARER_AUTH: true - AUTH_REALM: - AUTH_SERVICE: - -bearerAuth: - secret: - enabled: true - publicKeySecret: chartmuseum-public-key -``` - -### Ingress - -This chart provides support for ingress resources. If you have an ingress controller installed on your cluster, such as [nginx-ingress](https://hub.kubeapps.com/charts/stable/nginx-ingress) or [traefik](https://hub.kubeapps.com/charts/stable/traefik) you can utilize the ingress controller to expose Kubeapps. - -To enable ingress integration, please set `ingress.enabled` to `true` - -#### Hosts - -Most likely you will only want to have one hostname that maps to this Chartmuseum installation, however, it is possible to have more than one host. To facilitate this, the `ingress.hosts` object is an array. TLS secrets referenced in the ingress host configuration must be manually created in the namespace. - -In most cases, you should not specify values for `ingress.hosts[0].serviceName` and `ingress.hosts[0].servicePort`. However, some ingress controllers support advanced scenarios requiring you to specify these values. For example, [setting up an SSL redirect using the AWS ALB Ingress Controller](https://kubernetes-sigs.github.io/aws-alb-ingress-controller/guide/tasks/ssl_redirect/). - -#### Extra Paths - -Specifying extra paths to prepend to every host configuration is especially useful when configuring [custom actions with AWS ALB Ingress Controller](https://kubernetes-sigs.github.io/aws-alb-ingress-controller/guide/ingress/annotation/#actions). 
- -```shell -helm install --name my-chartmuseum stable/chartmuseum \ - --set ingress.enabled=true \ - --set ingress.hosts[0].name=chartmuseum.domain.com \ - --set ingress.extraPaths[0].service=ssl-redirect \ - --set ingress.extraPaths[0].port=use-annotation \ -``` - - -#### Annotations - -For annotations, please see [this document for nginx](https://github.com/kubernetes/ingress-nginx/blob/master/docs/user-guide/nginx-configuration/annotations.md) and [this document for Traefik](https://docs.traefik.io/configuration/backends/kubernetes/#general-annotations). Not all annotations are supported by all ingress controllers, but this document does a good job of indicating which annotation is supported by many popular ingress controllers. Annotations can be set using `ingress.annotations`. - -#### Example Ingress configuration - -```shell -helm install --name my-chartmuseum stable/chartmuseum \ - --set ingress.enabled=true \ - --set ingress.hosts[0].name=chartmuseum.domain.com \ - --set ingress.hosts[0].path=/ - --set ingress.hosts[0].tls=true - --set ingress.hosts[0].tlsSecret=chartmuseum.tls-secret -``` - -## Uninstall - -By default, a deliberate uninstall will result in the persistent volume -claim being deleted. - -```shell -helm delete my-chartmuseum -``` - -To delete the deployment and its history: -```shell -helm delete --purge my-chartmuseum -``` 
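Review bot: the new root README (the four `+` lines of this hunk) is reduced to a title and the Artifact Hub badge with no pointer to where the installation and configuration guidance went; the diffstat shows the 740 deleted lines moving to `src/chartmuseum/README.md`, so add a one-line link to that file (or to the chart's Artifact Hub page) so someone landing on the repository can still find the storage-backend, authentication and ingress docs. Since the text is being relocated anyway, the moved copy still carries Helm 2 invocations such as `helm install --name my-chartmuseum -f custom.yaml stable/chartmuseum` and `helm delete --purge my-chartmuseum`, plus the tiller remarks in the Google Cloud Storage section; `--name` and `--purge` do not exist in Helm 3 and the `stable/` repo reference predates the move to Artifact Hub, so correct those in the relocated README. The same pass should fix the typos that travel with it (`persitant`, `granded`, `ServiceMontor`, `matchlabes`, `Secret key for te GCP json file`) and the run-together `STORAGE: amazonexistingSecret` in the "Using an existing secret" example, which every other backend example writes as `STORAGE: amazon`.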
diff --git a/logo.jpg b/logo.jpg new file mode 100644 index 0000000000000000000000000000000000000000..ef5fd0f5fccf17330e3dac9a7a45b5c65d1d91e0 GIT binary patch literal 14369
zx79KinKR8k|M$!>^Dqck_|JrT$Q&*DfT5E3;zRfykTv-q`o z@OtH;gbd}<++_zbGG&YSde>O+x^Jwf{VWZb@G)T1{UvI>7`)Je`FM0ul&KViIfD24-^U&NIKNT# z^}WG+x1rVjE{57L^F`fs#w6?fV_XLFTEsEHoOKMyRiYrD4$WVLKR*WCuK^zUHXh}S zv#)pTBaoBv40{&AZ{ZlgS2u~tn~#>yVB7NT#4a2cQxLZA!se%w`BbUIsNuM-2Q{}$ z7X;Q{`brpNyj`VDtxN3VD(4c>?{Y_>&%;Q=cbYoJwx6WW;Aecx_+Z7f)I&Rx4rkL=V7=x`K1E0bc#%wacX;!JHhb;x*)jRH$ELGA1^zBeopY3 zejuu5OK&@P5vLzkKgIjOGZgGnVgWQC|8~{r4Tf{Au}{xC9t?~x$zL`Y<$6h8*Jt$J z#5*KU71%nldV%rQmGb(pQjO~gqoJY5jY_%f6`7^?_=V;!Lg0))i~AyZdq#90KepV5PE;s|f2Qz$B3GcVZ)wki=$6=1`MQ0xA zyh-U-+g;J7O(r3<4{mreIPorxMUQ&ILtZb^9p1s;iSZIHqzqj=MVy}Ju5l#i+`(%X z&>~g&Yocr`-I18hCH*Ow}{&l4{LBY0mKf+y5 zvmLGTaNN@2W3%%nHG#@M$l>|(%k#eOx!3q4U-qC<83WR4YCRt64$Nzpx!8USHonJQ zgB|We2e}xYJ=C8<7;-nnIq6gkf^5)M0tHuUuH<{~A93#n+gzmtjaO3C_tx+@?p=&T zHr5I&q95*SlalRi9-Nsid!9nQ^0mf=RPryGe+Pkb#xaWP7+LsYelS}#;DSF`Ar-08 zR-Q2}YZf0>;P;}wr((mGP z_ZEp6qja?47i6e#dr6hGg@fuo$S6Ui<=g)$?OKI0u;0htM2Wcz8 z2~bOoYVASInD-JP+}hjcH`Xc{8@({W8b}kxvG3%CmCGT|s<^3e z5}Z!GHU5J&0{@{>hZ;A(bYR4|xLAC~9b`&~nhregv6CuTlDUM?v!4Av^gcOIvN)L6 zia_!6@IxmJR4sa^_ENE-)_LRG+}V&9jl;ZcztWrX+v@}fLfKY59!D(@(R>nG*&6L+ zZmT~1*wt}7KTeEIw^@g&H&?b9j)laM)xNSxb@q>jwn8lCMkwfRzV_sbMJgb4Xy1zB z^UYhU3{T~et}B^HQ2d9_GoDhC9wM)N7;Dv?K&oiWuGz<1miV2|M;4xcS+OcJ#1e?n z1f?iZs%H!oDT>}wYQ*0;4`ZAdPC{7wSh`M0zeJ=the_2OxP;qALmV1X2NgJANrclO z&V*%|a(dn~#{hZxZd8>GHEyu6?;K%=q6D%Yx+rdBUat6VDNTx`qlX>sv5LEDle21L zQ?eIHMmiqlLKbTm#35ea?jeUEtujv$k7{S(Dnp3~+fa;2AUz9zZNExoOQplI)Gu?! 
znfd3}OAeOGU_-BH{tv-E$PqOrtW(dPz5W&IOk&DV9tf}{uV;G8rg4=8J)V$8U&>`w zfkDNwyyiMmb%i}4iwJCEf$9#^WoVpL$%={>DlB<^Cr z=%SE#V0abs*GuZjG4($ zL4$BX=_#47p+0agO7WPI4do0${29j9eOwtY9$=8_Hx|1-f_>UM5?ocVhW}wB?~nXZ znqp;;dDLhCKz{DR!Jaeu&OY3*)q}$faKc_?3L{R+N@|UtNKOn6-kE|}- zEFGmbJbu+uc&%8|EXiO@;7|YG+pz@^l;XJd&hXU5bkWFkU!ntdq+yi95Ah)_r)+nr zaAiD@9sOpWaA-eq)u>;9_fJ_fbLpOie3&r_4C!XNKItYm4J-=>wYxfcxI6RZ-%}p~ zPkATgwNyIkT$Vtjecq`sF>{5^n6ALsu{zzBUGBiCZE`|_fgnPfe&ZNG`plAISU_o* zSg<^8d4GjC18@HN$fI#&3%8J*pUL*Vbi~z-B=&cBwnD8)_sy<3N`sttr4m+qsR=1k zx6>&B@_m&-F{*zI28*}&zX_IAbhP!g9S9aAQk51#{=kQ%vi7RJF!f`AeYg7ss!a6= zdJx3?;YFD|5tQzj(AS8tY3gf#ESL-AdfvZo{y~IS z>u%2Uevc{2Ief&%;A^0?Hj`U>i4jfX={_j^*Sok6oo|b|JEdo#x^CAJ0waU@hI;~& zMX&v7C_Dcb&No--O$OI$1kekzmxC~Vb_}?U6eE&@0uY9j)Bdrk=me~??!o86u>{(L zeprcJF;5WD-(+}7ZpBG^TWpyz6GXhrj1p#SkOpRS9u=f35f6st5wLUsc5ypKD*o~Hy^jA89&`>;``E#aubX6}I zp*8SEeCWVXi@r`sHQ3G_KT^XTR!P>ZmW4L2d1~t4Erk})MAnrbs@Y2#i`on5k7>xf z4fcK-8IHhkGpsD}52le4h1@Slwtn%!V$eM$4}U{c)3S)HuB=-@%=1+D`28?nl8CQ8 zd)h*R^_g;P&L^RhcLpA9O^3zp)tz%huf!n~sLrl|=1uQLIwUEx zk{jPnAKs>;(R=$C)fBX=OPNz{cK90~Wr;(3UE5vUAXtpbOh`Z&Eg}`j%m}f`-n)HG z4^N+{xnuAs-%Atk;b%=+(KCz^4j$8JH-u`dH}q0UO~wfxrE!(Y_6_)VmW#_mX^c>< z0l4>#J}q7YQz_XycIR8<6w8IU(%Aw3dX^ulzI`@|Uwdy=m#A&_J*xLupR|VkF)Ifp-kTEZ*{W2`gXPlpBHp0islPEPpgayIf zRaIR<()OTf*ZbEL5hi%48^vR$c^i5GTI%HL zKi@;EeXEDh%8SHYC9fL(bPREGIR>OJql~MQKP=^Vx0iGLbknA1*H0H-CH?xIvV^yX z&adY{ahQJp&!1g(RCHN<3picB@UEFO=^iP~G^NE4`ED;H8M0&G=!n3RZ-T5~O#=c4 zrB^R@Hg;`s^e6_dcZw5c+8hs&YD7hDyI)@VVVdDqjn)%)L(AvFte&W8$S{y_d1Rj5@Ix%?@{plS8$fb#fnEjVmdo ze1UJVyvfkqbfG2mm0b_jXFO-&(CF;qhN0uFpr(++f{c$WzCLfG79G!@>$?xCLY8f* zQo>bAGgjU1RCAHHKk6(*l<&w~u{H}O!D`-JODcs&Ku4QZIH99qWKTwW-##&RC*x3>Yc^|!6qRv4>PFgN@5o(Ze7EHwr~3%P|Wzmz}~g)6>dxNR!C zm9E|@1d#+{?UEH0mC(PmKXGMjuu#KJ-5XtO0>L@|$zA>6Avl$-CP$XCxX7*FpZsS_ T!~f52rT>b-{Qum@H2uE-W?7k- literal 0 HcmV?d00001 diff --git a/src/chartmuseum/Chart.yaml b/src/chartmuseum/Chart.yaml index faaf850..588474c 100644 --- a/src/chartmuseum/Chart.yaml +++ b/src/chartmuseum/Chart.yaml 
@@ -1,10 +1,10 @@ apiVersion: v1 description: Host your own Helm Chart Repository name: chartmuseum -version: 2.14.2 +version: 2.15.0 appVersion: 0.12.0 home: https://github.com/helm/chartmuseum -icon: https://raw.githubusercontent.com/helm/chartmuseum/master/logo2.png +icon: https://raw.githubusercontent.com/chartmuseum/charts/main/logo.jpg keywords: - chartmuseum - helm diff --git a/src/chartmuseum/README.md b/src/chartmuseum/README.md new file mode 100644 index 0000000..bd2abc4 --- /dev/null +++ b/src/chartmuseum/README.md 
@@ -0,0 +1,740 @@ +# ChartMuseum Helm Chart + +Deploy your own private ChartMuseum. + +Please also see https://github.com/helm/chartmuseum + +## Table of Content + + + + + +- [ChartMuseum Helm Chart](#chartmuseum-helm-chart) + - [Table of Content](#table-of-content) + - [Prerequisites](#prerequisites) + - [Configuration](#configuration) + - [Installation](#installation) + - [Using with Amazon S3](#using-with-amazon-s3) + - [permissions grant with access keys](#permissions-grant-with-access-keys) + - [permissions grant with IAM instance profile](#permissions-grant-with-iam-instance-profile) + - [permissions grant with IAM assumed role](#permissions-grant-with-iam-assumed-role) + - [permissions grant with IAM Roles for Service Accounts](#permissions-grant-with-iam-roles-for-service-accounts) + - [Using with Google Cloud Storage](#using-with-google-cloud-storage) + - [Using with Google Cloud Storage and a Google Service Account](#using-with-google-cloud-storage-and-a-google-service-account) + - [Using with Microsoft Azure Blob Storage](#using-with-microsoft-azure-blob-storage) + - [Using with Alibaba Cloud OSS Storage](#using-with-alibaba-cloud-oss-storage) + - [Using with Openstack Object Storage](#using-with-openstack-object-storage) + - [Using with Oracle Object Storage](#using-with-oracle-object-storage) + - [Using an existing secret](#using-an-existing-secret) + - [Using with local filesystem storage](#using-with-local-filesystem-storage) + - [Setting local storage permissions with initContainers](#setting-local-storage-permissions-with-initcontainers) + - [Example storage class](#example-storage-class) + - [Authentication](#authentication) + - [Basic Authentication](#basic-authentication) + - [Bearer/Token auth](#bearertoken-auth) + - [Ingress](#ingress) + - [Hosts](#hosts) + - [Extra Paths](#extra-paths) + - [Annotations](#annotations) + - [Example Ingress configuration](#example-ingress-configuration) + - [Uninstall](#uninstall) + + + + +## Prerequisites + +* 
[If enabled] A persistent storage resource and RW access to it +* [If enabled] Kubernetes StorageClass for dynamic provisioning + +## Configuration + +By default this chart will not have persistent storage, and the API service +will be *DISABLED*. This protects against unauthorized access to the API +with default configuration values. + +In addition, by default, pod `securityContext.fsGroup` is set to `1000`. This +is the user/group that the ChartMuseum container runs as, and is used to +enable local persitant storage. If your cluster has DenySecurityContext enabled, +you can set `securityContext` to `{}` and still use this chart with one of +the cloud storage options. + +For a more robust solution supply helm install with a custom values.yaml +You are also required to create the StorageClass resource ahead of time: +``` +kubectl create -f /path/to/storage_class.yaml +``` + +The following table lists common configurable parameters of the chart and +their default values. See values.yaml for all available options. 
+ +| Parameter | Description | Default | +| --------------------------------------- | --------------------------------------------------------------------------- | ------------------------------------ | +| `image.pullPolicy` | Container pull policy | `IfNotPresent` | +| `image.repository` | Container image to use | `chartmuseum/chartmuseum` | +| `image.tag` | Container image tag to deploy | `v0.12.0` | +| `persistence.accessMode` | Access mode to use for PVC | `ReadWriteOnce` | +| `persistence.enabled` | Whether to use a PVC for persistent storage | `false` | +| `persistence.path` | PV mount path | `/storage` | +| `persistence.size` | Amount of space to claim for PVC | `8Gi` | +| `persistence.labels` | Additional labels for PVC | `{}` | +| `persistence.storageClass` | Storage Class to use for PVC | `-` | +| `persistence.volumeName` | Volume to use for PVC | `` | +| `persistence.pv.enabled` | Whether to use a PV for persistent storage | `false` | +| `persistence.pv.capacity.storage` | Storage size to use for PV | `8Gi` | +| `persistence.pv.accessMode` | Access mode to use for PV | `ReadWriteOnce` | +| `persistence.pv.nfs.server` | NFS server for PV | `` | +| `persistence.pv.nfs.path` | Storage Path | `` | +| `persistence.pv.pvname` | Custom name for private volume | `` | +| `volumePermissions.image.registry` | Init container volume-permissions image registry | `docker.io` | +| `volumePermissions.image.repository` | Init container volume-permissions image name | `bitnami/minideb` | +| `volumePermissions.image.tag` | Init container volume-permissions image tag | `buster` | +| `volumePermissions.image.pullPolicy` | Init container volume-permissions image pull policy | `Always` | +| `replicaCount` | k8s replicas | `1` | +| `resources.limits.cpu` | Container maximum CPU | `100m` | +| `resources.limits.memory` | Container maximum memory | `128Mi` | +| `resources.requests.cpu` | Container requested CPU | `80m` | +| `resources.requests.memory` | Container requested memory | 
`64Mi` | +| `secret.labels` | Additional labels for secret | `false` | +| `serviceAccount.create` | If true, create the service account | `false` | +| `serviceAccount.name` | Name of the serviceAccount to create or use | `{{ chartmuseum.fullname }}` | +| `serviceAccount.annotations` | Additional Service Account annotations | `{}` | +| `securityContext.enabled` | Enable securityContext | `true` | +| `securityContext.fsGroup` | Group ID for the container | `1000` | +| `securityContext.runAsNonRoot` | Running Pods as non-root | `` | +| `securityContext.supplementalGroups` | Control which group IDs containers add | `` | +| `containerSecurityContext` | Additional Container securityContext (ex. allowPrivilegeEscalation) | `{}` | +| `priorityClassName ` | priorityClassName | `""` | +| `nodeSelector` | Map of node labels for pod assignment | `{}` | +| `tolerations` | List of node taints to tolerate | `[]` | +| `affinity` | Map of node/pod affinities | `{}` | +| `schedulerName` | Kubernetes scheduler to use | `default` | +| `env.open.STORAGE` | Storage Backend to use | `local` | +| `env.open.STORAGE_ALIBABA_BUCKET` | Bucket to store charts in for Alibaba | `` | +| `env.open.STORAGE_ALIBABA_PREFIX` | Prefix to store charts under for Alibaba | `` | +| `env.open.STORAGE_ALIBABA_ENDPOINT` | Alternative Alibaba endpoint | `` | +| `env.open.STORAGE_ALIBABA_SSE` | Server side encryption algorithm to use | `` | +| `env.open.STORAGE_AMAZON_BUCKET` | Bucket to store charts in for AWS | `` | +| `env.open.STORAGE_AMAZON_ENDPOINT` | Alternative AWS endpoint | `` | +| `env.open.STORAGE_AMAZON_PREFIX` | Prefix to store charts under for AWS | `` | +| `env.open.STORAGE_AMAZON_REGION` | Region to use for bucket access for AWS | `` | +| `env.open.STORAGE_AMAZON_SSE` | Server side encryption algorithm to use | `` | +| `env.open.STORAGE_GOOGLE_BUCKET` | Bucket to store charts in for GCP | `` | +| `env.open.STORAGE_GOOGLE_PREFIX` | Prefix to store charts under for GCP | `` | +| 
`env.open.STORAGE_MICROSOFT_CONTAINER` | Container to store charts under for MS | `` | +| `env.open.STORAGE_MICROSOFT_PREFIX` | Prefix to store charts under for MS | `` | +| `env.open.STORAGE_OPENSTACK_CONTAINER` | Container to store charts for openstack | `` | +| `env.open.STORAGE_OPENSTACK_PREFIX` | Prefix to store charts for openstack | `` | +| `env.open.STORAGE_OPENSTACK_REGION` | Region of openstack container | `` | +| `env.open.STORAGE_OPENSTACK_CACERT` | Path to a CA cert bundle for openstack | `` | +| `env.open.STORAGE_ORACLE_COMPARTMENTID` | Compartment ID for Oracle Object Store | `` | +| `env.open.STORAGE_ORACLE_BUCKET` | Bucket to store charts in Oracle Object Store | `` | +| `env.open.STORAGE_ORACLE_PREFIX` | Prefix to store charts for Oracle object Store | `` | +| `env.open.CHART_POST_FORM_FIELD_NAME` | Form field to query for chart file content | `` | +| `env.open.PROV_POST_FORM_FIELD_NAME` | Form field to query for chart provenance | `` | +| `env.open.DEPTH` | levels of nested repos for multitenancy. 
| `0` | +| `env.open.DEBUG` | Show debug messages | `false` | +| `env.open.LOG_JSON` | Output structured logs in JSON | `true` | +| `env.open.DISABLE_STATEFILES` | Disable use of index-cache.yaml | `false` | +| `env.open.DISABLE_METRICS` | Disable Prometheus metrics | `true` | +| `env.open.DISABLE_API` | Disable all routes prefixed with /api | `true` | +| `env.open.ALLOW_OVERWRITE` | Allow chart versions to be re-uploaded | `false` | +| `env.open.CHART_URL` | Absolute url for .tgzs in index.yaml | `` | +| `env.open.AUTH_ANONYMOUS_GET` | Allow anon GET operations when auth is used | `false` | +| `env.open.CONTEXT_PATH` | Set the base context path | `` | +| `env.open.INDEX_LIMIT` | Parallel scan limit for the repo indexer | `` | +| `env.open.CACHE` | Cache store, can be one of: redis | `` | +| `env.open.CACHE_REDIS_ADDR` | Address of Redis service (host:port) | `` | +| `env.open.CACHE_REDIS_DB` | Redis database to be selected after connect | `0` | +| `env.open.BEARER_AUTH` | Enable bearer auth | `false` | +| `env.open.AUTH_REALM` | Realm used for bearer authentication | `` | +| `env.open.AUTH_SERVICE` | Service used for bearer authentication | `` | +| `env.field` | Expose pod information to containers through environment variables | `` | +| `env.existingSecret` | Name of the existing secret use values | `` | +| `env.existingSecret.BASIC_AUTH_USER` | Key name in the secret for the Username | `` | +| `env.existingSecret.BASIC_AUTH_PASS` | Key name in the secret for the Password | `` | +| `env.secret.BASIC_AUTH_USER` | Username for basic HTTP authentication | `` | +| `env.secret.BASIC_AUTH_PASS` | Password for basic HTTP authentication | `` | +| `env.secret.CACHE_REDIS_PASSWORD` | Redis requirepass server configuration | `` | +| `extraArgs` | Pass extra arguments to the chartmuseum binary | `` | +| `gcp.secret.enabled` | Flag for the GCP service account | `false` | +| `gcp.secret.name` | Secret name for the GCP json file | `` | +| `gcp.secret.key` | Secret key for te 
GCP json file | `credentials.json` | +| `oracle.secret.enabled` | Flag for Oracle OCI account | `false` | +| `oracle.secret.name` | Secret name for OCI config and key | `` | +| `oracle.secret.config` | Secret key that holds the OCI config | `config` | +| `oracle.secret.key_file` | Secret key that holds the OCI private key | `key_file` | +| `bearerAuth.secret.enabled` | Flag for bearer auth public key secret | `` | +| `bearerAuth.secret.publicKey` | The name of the secret with the public key | `` | +| `service.type` | Kubernetes Service type | `ClusterIP` | +| `service.clusterIP` | Static clusterIP or None for headless services | `nil` | +| `service.externalTrafficPolicy` | Source IP preservation (only for Service type NodePort and LoadBalancer) | `Local` | +| `service.loadBalancerSourceRanges` | Restricts access for LoadBalancer (only for Service type LoadBalancer) | `[]` | +| `service.servicename` | Custom name for service | `` | +| `service.labels` | Additional labels for service | `{}` | +| `serviceMonitor.enabled` | Enable the ServiceMontor resource to be deployed | `false` | +| `serviceMonitor.labels` | Labels for the servicemonitor used by the Prometheus Operator | `{}` | +| `serviceMonitor.namespace` | Namespace of the ServiceMonitor resource | `{{ .Release.Namespace }}` | +| `serviceMonitor.metricsPath` | Path to the Chartmuseum metrics path | `/metrics` | +| `serviceMonitor.interval` | Scrape interval, If not set, the Prometheus default scrape interval is used | `nil` | +| `serviceMonitor.timeout` | Scrape request timeout. 
If not set, the Prometheus default timeout is used | `nil` | +| `deployment.labels` | Additional labels for deployment | `{}` | +| `deployment.matchlabes` | Match labels for deployment selector | `{}` | +| `ingress.enabled` | Enable ingress controller resource | `false` | +| `ingress.annotations` | Ingress annotations | `[]` | +| `ingress.labels` | Ingress labels | `[]` | +| `ingress.hosts[0].name` | Hostname for the ingress | `` | +| `ingress.hosts[0].path` | Path within the url structure | `` | +| `ingress.hosts[0].tls ` | Enable TLS on the ingress host | `false` | +| `ingress.hosts[0].tlsSecret` | TLS secret to use (must be manually created) | `` | +| `ingress.hosts[0].serviceName` | The name of the service to route traffic to. | `{{ .Values.service.externalPort }}` | +| `ingress.hosts[0].servicePort` | The port of the service to route traffic to. | `{{ .chartmuseum. }}` | +| `ingress.extraPaths[0].path` | Path within the url structure. | `` | +| `ingress.extraPaths[0].service` | The name of the service to route traffic to. | `` | +| `ingress.extraPaths[0].port` | The port of the service to route traffic to. | `` | + +Specify each parameter using the `--set key=value[,key=value]` argument to +`helm install`. 
+ +## Installation + +```shell +helm install --name my-chartmuseum -f custom.yaml stable/chartmuseum +``` + +### Using with Amazon S3 +Make sure your environment is properly setup to access `my-s3-bucket` + +You need at least the following permissions inside your IAM Policy +```yaml +{ + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "AllowListObjects", + "Effect": "Allow", + "Action": [ + "s3:ListBucket" + ], + "Resource": "arn:aws:s3:::my-s3-bucket" + }, + { + "Sid": "AllowObjectsCRUD", + "Effect": "Allow", + "Action": [ + "s3:DeleteObject", + "s3:GetObject", + "s3:PutObject" + ], + "Resource": "arn:aws:s3:::my-s3-bucket/*" + } + ] +} +``` + +You can grant it to `chartmuseum` by several ways: + +#### permissions grant with access keys + +Grant permissions to `special user` and us it's access keys for auth on aws + +Specify `custom.yaml` with such values + +```yaml +env: + open: + STORAGE: amazon + STORAGE_AMAZON_BUCKET: my-s3-bucket + STORAGE_AMAZON_PREFIX: + STORAGE_AMAZON_REGION: us-east-1 + secret: + AWS_ACCESS_KEY_ID: "********" ## aws access key id value + AWS_SECRET_ACCESS_KEY: "********" ## aws access key secret value +``` + +Run command to install + +```shell +helm install --name my-chartmuseum -f custom.yaml stable/chartmuseum +``` + +#### permissions grant with IAM instance profile + +You can grant permissions to k8s node IAM instance profile. 
+For more information read this [article](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2.html) + +Specify `custom.yaml` with such values + +```yaml +env: + open: + STORAGE: amazon + STORAGE_AMAZON_BUCKET: my-s3-bucket + STORAGE_AMAZON_PREFIX: + STORAGE_AMAZON_REGION: us-east-1 +``` + +Run command to install + +```shell +helm install --name my-chartmuseum -f custom.yaml stable/chartmuseum +``` + +#### permissions grant with IAM assumed role + +To provide access with assumed role you need to install [kube2iam](https://github.com/kubernetes/charts/tree/master/stable/kube2iam) +and create role with granded permissions. + +Specify `custom.yaml` with such values + +```yaml +env: + open: + STORAGE: amazon + STORAGE_AMAZON_BUCKET: my-s3-bucket + STORAGE_AMAZON_PREFIX: + STORAGE_AMAZON_REGION: us-east-1 +replica: + annotations: + iam.amazonaws.com/role: "{assumed role name}" +``` + +Run command to install + +```shell +helm install --name my-chartmuseum -f custom.yaml stable/chartmuseum +``` + +#### permissions grant with IAM Roles for Service Accounts + +For Amazon EKS clusters, access can be provided with a service account using [IAM Roles for Service Accounts](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html). 
+ +Specify `custom.yaml` with such values + +```yaml +env: + open: + STORAGE: amazon + STORAGE_AMAZON_BUCKET: my-s3-bucket + STORAGE_AMAZON_PREFIX: + STORAGE_AMAZON_REGION: us-east-1 +serviceAccount: + create: true + annotations: + eks.amazonaws.com/role-arn: "arn:aws:iam::{aws account ID}:role/{assumed role name}" +``` + +Run command to install + +```shell +helm install --name my-chartmuseum -f custom.yaml stable/chartmuseum +``` + +### Using with Google Cloud Storage +Make sure your environment is properly setup to access `my-gcs-bucket` + +Specify `custom.yaml` with such values + +```yaml +env: + open: + STORAGE: google + STORAGE_GOOGLE_BUCKET: my-gcs-bucket + STORAGE_GOOGLE_PREFIX: +``` + +### Using with Google Cloud Storage and a Google Service Account + +A Google service account credentials are stored in a json file. There are two approaches here. Ideally you don't want to send your secrets to tiller. In that case, before installing this chart, you should create a secret with those credentials: + +```shell +kubectl create secret generic chartmuseum-secret --from-file=credentials.json="my-project-45e35d85a593.json" +``` + +Then you can either use a `VALUES` yaml with your values or set those values in the command line: + +```shell +helm install stable/chartmuseum --debug --set gcp.secret.enabled=true,env.open.STORAGE=google,env.open.DISABLE_API=false,env.open.STORAGE_GOOGLE_BUCKET=my-gcp-chartmuseum,gcp.secret.name=chartmuseum-secret +``` + +If you prefer to use a yaml file: + +```yaml +env: + open: + STORAGE: google + STORAGE_GOOGLE_BUCKET: my-gcs-bucket + STORAGE_GOOGLE_PREFIX: + +gcp: + secret: + enabled: true + name: chartmuseum-secret + key: credentials.json +``` + +Run command to install + +```shell +helm install --name my-chartmuseum -f custom.yaml stable/chartmuseum +``` + +In case that you don't mind adding your secret to tiller (you shouldn't do it), this are the commands + +```yaml +env: + open: + STORAGE: google + STORAGE_GOOGLE_BUCKET: 
my-gcs-bucket + STORAGE_GOOGLE_PREFIX: + secret: + GOOGLE_CREDENTIALS_JSON: my-json-file-base64-encoded +gcp: + secret: + enabled: true + +``` + +Run command to install + +```shell +helm install --name my-chartmuseum -f custom.yaml stable/chartmuseum +``` + +To set the values directly in the command line, use the following command. Note that we have to base64 encode the json file because we cannot pass a multi-line text as a value. + +```shell +export JSONKEY=$(cat my-project-77e35d85a593.json | base64) +helm install stable/chartmuseum --debug --set gcp.secret.enabled=true,env.secret.GOOGLE_CREDENTIALS_JSON=${JSONKEY},env.open.STORAGE=google,env.open.DISABLE_API=false,env.open.STORAGE_GOOGLE_BUCKET=my-gcp-chartmuseum +``` + +### Using with Microsoft Azure Blob Storage + +Make sure your environment is properly setup to access `mycontainer`. + +To do so, you must set the following env vars: +- `AZURE_STORAGE_ACCOUNT` +- `AZURE_STORAGE_ACCESS_KEY` + +Specify `custom.yaml` with such values + +```yaml +env: + open: + STORAGE: microsoft + STORAGE_MICROSOFT_CONTAINER: mycontainer + # prefix to store charts for microsoft storage backend + STORAGE_MICROSOFT_PREFIX: + secret: + AZURE_STORAGE_ACCOUNT: "********" ## azure storage account + AZURE_STORAGE_ACCESS_KEY: "********" ## azure storage account access key +``` + +Run command to install + +```shell +helm install --name my-chartmuseum -f custom.yaml stable/chartmuseum +``` + +### Using with Alibaba Cloud OSS Storage + +Make sure your environment is properly setup to access `my-oss-bucket`. 
+ +To do so, you must set the following env vars: +- `ALIBABA_CLOUD_ACCESS_KEY_ID` +- `ALIBABA_CLOUD_ACCESS_KEY_SECRET` + +Specify `custom.yaml` with such values + +```yaml +env: + open: + STORAGE: alibaba + STORAGE_ALIBABA_BUCKET: my-oss-bucket + STORAGE_ALIBABA_PREFIX: + STORAGE_ALIBABA_ENDPOINT: oss-cn-beijing.aliyuncs.com + secret: + ALIBABA_CLOUD_ACCESS_KEY_ID: "********" ## alibaba OSS access key id + ALIBABA_CLOUD_ACCESS_KEY_SECRET: "********" ## alibaba OSS access key secret +``` + +Run command to install + +```shell +helm install --name my-chartmuseum -f custom.yaml stable/chartmuseum +``` + +### Using with Openstack Object Storage + +Make sure your environment is properly setup to access `mycontainer`. + +To do so, you must set the following env vars (depending on your openstack version): +- `OS_AUTH_URL` +- either `OS_PROJECT_NAME` or `OS_TENANT_NAME` or `OS_PROJECT_ID` or `OS_TENANT_ID` +- either `OS_DOMAIN_NAME` or `OS_DOMAIN_ID` +- either `OS_USERNAME` or `OS_USERID` +- `OS_PASSWORD` + +Specify `custom.yaml` with such values + +```yaml +env: + open: + STORAGE: openstack + STORAGE_OPENSTACK_CONTAINER: mycontainer + STORAGE_OPENSTACK_PREFIX: + STORAGE_OPENSTACK_REGION: YOURREGION + secret: + OS_AUTH_URL: https://myauth.url.com/v2.0/ + OS_TENANT_ID: yourtenantid + OS_USERNAME: yourusername + OS_PASSWORD: yourpassword +``` + +Run command to install + +```shell +helm install --name my-chartmuseum -f custom.yaml stable/chartmuseum +``` +### Using with Oracle Object Storage + +Oracle (OCI) configuration and private key need to be added to a secret and are mounted at /home/chartmuseum/.oci. Your OCI config needs to be under [DEFAULT] and your `key_file` needs to be /home/chartmuseum/.oci/oci.key. 
See https://docs.cloud.oracle.com/iaas/Content/API/Concepts/sdkconfig.htm + +```shell +kubectl create secret generic chartmuseum-secret --from-file=config=".oci/config" --from-file=key_file=".oci/oci.key" +``` + +Then you can either use a `VALUES` yaml with your values or set those values in the command line: + +```shell +helm install stable/chartmuseum --debug --set env.open.STORAGE=oracle,env.open.STORAGE_ORACLE_COMPARTMENTID=ocid1.compartment.oc1..abc123,env.open.STORAGE_ORACLE_BUCKET=myocibucket,env.open.STORAGE_ORACLE_PREFIX=chartmuseum,oracle.secret.enabled=true,oracle.secret.name=chartmuseum-secret +``` + +If you prefer to use a yaml file: + +```yaml +env: + open: + STORAGE: oracle + STORAGE_ORACLE_COMPARTMENTID: ocid1.compartment.oc1..abc123 + STORAGE_ORACLE_BUCKET: myocibucket + STORAGE_ORACLE_PREFIX: chartmuseum + +oracle: + secret: + enabled: enabled + name: chartmuseum-secret + config: config + key_file: key_file + +``` + +Run command to install + +```shell +helm install --name my-chartmuseum -f custom.yaml stable/chartmuseum +``` + +### Using an existing secret + +It is possible to pre-create a secret in kubernetes and get this chart to use that + +Given you are for example using the above AWS example + +You could create a Secret like this + +```shell + kubectl create secret generic chartmuseum-secret --from-literal="aws-access-key=myaccesskey" --from-literal="aws-secret-access-key=mysecretaccesskey" --from-literal="basic-auth-user=curator" --from-literal="basic-auth-pass=mypassword" +``` + +Specify `custom.yaml` with such values + +```yaml +env: + open: + STORAGE: amazonexistingSecret + STORAGE_AMAZON_BUCKET: my-s3-bucket + STORAGE_AMAZON_PREFIX: + STORAGE_AMAZON_REGION: us-east-1 + existingSecret: chartmuseum-secret + existingSecretMappings: + AWS_ACCESS_KEY_ID: aws-access-key + AWS_SECRET_ACCESS_KEY: aws-secret-access-key + BASIC_AUTH_USER: basic-auth-user + BASIC_AUTH_PASS: basic-auth-pass +``` + +Run command to install + +```shell +helm install 
--name my-chartmuseum -f custom.yaml stable/chartmuseum +``` + +### Using with local filesystem storage +By default chartmuseum uses local filesystem storage. +But on pod recreation it will lose all charts, to prevent that enable persistent storage. + +```yaml +env: + open: + STORAGE: local +persistence: + enabled: true + accessMode: ReadWriteOnce + size: 8Gi + ## A manually managed Persistent Volume and Claim + ## Requires persistence.enabled: true + ## If defined, PVC must be created manually before volume will be bound + # existingClaim: + + ## Chartmuseum data Persistent Volume Storage Class + ## If defined, storageClassName: + ## If set to "-", storageClassName: "", which disables dynamic provisioning + ## If undefined (the default) or set to null, no storageClassName spec is + ## set, choosing the default provisioner. (gp2 on AWS, standard on + ## GKE, AWS & OpenStack) + ## + # storageClass: "-" +``` + +Run command to install + +```shell +helm install --name my-chartmuseum -f custom.yaml stable/chartmuseum +``` + +### Setting local storage permissions with initContainers + +Some clusters do not allow using securityContext to set permissions for persistent volumes. Instead, an initContainer can be created to run `chown` on the mounted volume. To enable it, set `securityContext.enabled` to `false`. + + +#### Example storage class + +Example storage-class.yaml provided here for use with a Ceph cluster. 
+ +``` +kind: StorageClass +apiVersion: storage.k8s.io/v1 +metadata: + name: storage-volume +provisioner: kubernetes.io/rbd +parameters: + monitors: "10.11.12.13:4567,10.11.12.14:4567" + adminId: admin + adminSecretName: thesecret + adminSecretNamespace: default + pool: chartstore + userId: user + userSecretName: thesecret +``` + +### Authentication + +By default this chart does not have any authentication configured and allows anyone to fetch or upload (assuming the API is enabled) charts there are two supported methods of authentication + +#### Basic Authentication + +This allows all API routes to be protected by HTTP basic auth, this is configured either as plain text in the values that gets stored as a secret in the kubernetes cluster by setting: + +```yaml +env: + secret: + BASIC_AUTH_USER: curator + BASIC_AUTH_PASS: mypassword +``` + +Or by using values from an existing secret in the cluster that can be created using: + +```shell +kubectl create secret generic chartmuseum-secret --from-literal="basic-auth-user=curator" --from-literal="basic-auth-pass=mypassword" +``` + +This secret can be used in the values file as follows: + +```yaml +env: + existingSecret: chartmuseum-secret + existingSecretMappings: + BASIC_AUTH_USER: basic-auth-user + BASIC_AUTH_PASS: basic-auth-pass +``` + +#### Bearer/Token auth + +When using this ChartMuseum is configured with a public key, and will accept RS256 JWT tokens signed by the associated private key, passed in the Authorization header. You can use the [chartmuseum/auth](https://github.com/chartmuseum/auth) Go library to generate valid JWT tokens. 
For more information about how this works, please see [chartmuseum/auth-server-example](https://github.com/chartmuseum/auth-server-example) + +To use this the public key should be stored in a secret this can be done with + +```shell +kubectl create secret generic chartmuseum-public-key --from-file=public-key.pem +``` + +And Bearer/Token auth can be configured using the following values + +```yaml +env: + open: + BEARER_AUTH: true + AUTH_REALM: + AUTH_SERVICE: + +bearerAuth: + secret: + enabled: true + publicKeySecret: chartmuseum-public-key +``` + +### Ingress + +This chart provides support for ingress resources. If you have an ingress controller installed on your cluster, such as [nginx-ingress](https://hub.kubeapps.com/charts/stable/nginx-ingress) or [traefik](https://hub.kubeapps.com/charts/stable/traefik) you can utilize the ingress controller to expose Kubeapps. + +To enable ingress integration, please set `ingress.enabled` to `true` + +#### Hosts + +Most likely you will only want to have one hostname that maps to this Chartmuseum installation, however, it is possible to have more than one host. To facilitate this, the `ingress.hosts` object is an array. TLS secrets referenced in the ingress host configuration must be manually created in the namespace. + +In most cases, you should not specify values for `ingress.hosts[0].serviceName` and `ingress.hosts[0].servicePort`. However, some ingress controllers support advanced scenarios requiring you to specify these values. For example, [setting up an SSL redirect using the AWS ALB Ingress Controller](https://kubernetes-sigs.github.io/aws-alb-ingress-controller/guide/tasks/ssl_redirect/). + +#### Extra Paths + +Specifying extra paths to prepend to every host configuration is especially useful when configuring [custom actions with AWS ALB Ingress Controller](https://kubernetes-sigs.github.io/aws-alb-ingress-controller/guide/ingress/annotation/#actions). 
+ +```shell +helm install --name my-chartmuseum stable/chartmuseum \ + --set ingress.enabled=true \ + --set ingress.hosts[0].name=chartmuseum.domain.com \ + --set ingress.extraPaths[0].service=ssl-redirect \ + --set ingress.extraPaths[0].port=use-annotation \ +``` + + +#### Annotations + +For annotations, please see [this document for nginx](https://github.com/kubernetes/ingress-nginx/blob/master/docs/user-guide/nginx-configuration/annotations.md) and [this document for Traefik](https://docs.traefik.io/configuration/backends/kubernetes/#general-annotations). Not all annotations are supported by all ingress controllers, but this document does a good job of indicating which annotation is supported by many popular ingress controllers. Annotations can be set using `ingress.annotations`. + +#### Example Ingress configuration + +```shell +helm install --name my-chartmuseum stable/chartmuseum \ + --set ingress.enabled=true \ + --set ingress.hosts[0].name=chartmuseum.domain.com \ + --set ingress.hosts[0].path=/ + --set ingress.hosts[0].tls=true + --set ingress.hosts[0].tlsSecret=chartmuseum.tls-secret +``` + +## Uninstall + +By default, a deliberate uninstall will result in the persistent volume +claim being deleted. + +```shell +helm delete my-chartmuseum +``` + +To delete the deployment and its history: +```shell +helm delete --purge my-chartmuseum +```
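Review bot: the two `helm install` examples under "Extra Paths" and "Example Ingress configuration" are not runnable as written. In the Extra Paths block the final line `--set ingress.extraPaths[0].port=use-annotation \` ends with a trailing backslash, so the shell keeps waiting for a continuation that never comes; in the Example Ingress block the lines `--set ingress.hosts[0].path=/` and `--set ingress.hosts[0].tls=true` lack the trailing `\`, so only the first two `--set` flags reach Helm and the remaining lines are executed as separate (failing) commands. Please drop the stray backslash in the first block and add `\` to those two lines in the second. Elsewhere in the same file: the Oracle values example has `enabled: enabled` under `oracle.secret`, which should be `enabled: true` to match the `--set oracle.secret.enabled=true` command shown just above it; the existing-secret values example reads `STORAGE: amazonexistingSecret`, where `STORAGE: amazon` and the `existingSecret:` key have been run together onto one line and would set a non-existent storage backend if copied verbatim; and the Ingress introduction says the controller can be used to "expose Kubeapps" where it means ChartMuseum. Since this change moves the chart into the project's own repository for Artifact Hub, the `helm install --name my-chartmuseum ... stable/chartmuseum` and `helm delete --purge` commands throughout still use Helm 2 flags and point at the `stable` repo, so readers following the README would install a different copy of the chart; they should reference the new repository and the Helm 3 command form. One more point on the Ingress section: it walks through exposing the service on a public hostname without referring back to the Authentication section, which states that the chart ships with no authentication and lets anyone upload when the API is enabled; a one-line pointer there (enable basic or bearer auth before enabling ingress) would keep users from publishing an open, writable chart repository.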