Commit 06adcdad by Guangbo Chen Committed by Denise Schannon

Bump chartmuseum to v2.3.1

parent 45edf905
apiVersion: v1
description: Helm Chart Repository with support for Amazon S3 and Google Cloud Storage
description: Host your own Helm Chart Repository
name: chartmuseum
version: 1.6.2
appVersion: 0.7.1
home: https://github.com/chartmuseum/chartmuseum
version: 2.3.1
appVersion: 0.9.0
home: https://github.com/helm/chartmuseum
icon: file://../logo.png
keywords:
- chartmuseum
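Review bot: `appVersion` goes to 0.9.0 here, but the README parameter table in this same commit still documents `image.tag` as `v0.8.0` while questions.yml defaults it to `v0.9.0`; align the three so an operator can verify which image the chart actually ships. The `home` URL moves to helm/chartmuseum while the README intro still points at kubernetes-helm/chartmuseum; update that link in the same change.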
......
# ChartMuseum Helm Chart
Deploy your own private ChartMuseum.
Deploy your own private ChartMuseum.
Please also see https://github.com/kubernetes-helm/chartmuseum
......@@ -18,10 +18,22 @@ Please also see https://github.com/kubernetes-helm/chartmuseum
- [permissions grant with IAM instance profile](#permissions-grant-with-iam-instance-profile)
- [permissions grant with IAM assumed role](#permissions-grant-with-iam-assumed-role)
- [Using with Google Cloud Storage](#using-with-google-cloud-storage)
- [Using with Google Cloud Storage and a Google Service Account](#using-with-google-cloud-storage-and-a-google-service-account)
- [Using with Microsoft Azure Blob Storage](#using-with-microsoft-azure-blob-storage)
- [Using with Alibaba Cloud OSS Storage](#using-with-alibaba-cloud-oss-storage)
- [Using with Openstack Object Storage](#using-with-openstack-object-storage)
- [Using with Oracle Object Storage](#using-with-oracle-object-storage)
- [Using an existing secret](#using-an-existing-secret)
- [Using with local filesystem storage](#using-with-local-filesystem-storage)
- [Example storage class](#example-storage-class)
- [Authentication](#authentication)
- [Basic Authentication](#basic-authentication)
- [Bearer/Token auth](#bearertoken-auth)
- [Ingress](#ingress)
- [Hosts](#hosts)
- [Annotations](#annotations)
- [Extra Paths](#extra-paths)
- [Example Ingress configuration](#example-ingress-configuration)
- [Uninstall](#uninstall)
<!-- END doctoc generated TOC please keep comment here to allow auto update -->
......@@ -39,8 +51,14 @@ By default this chart will not have persistent storage, and the API service
will be *DISABLED*. This protects against unauthorized access to the API
with default configuration values.
For a more robust solution supply helm install with a custom values.yaml
You are also required to create the StorageClass resource ahead of time:
In addition, by default, pod `securityContext.fsGroup` is set to `1000`. This
is the user/group that the ChartMuseum container runs as, and is used to
enable local persitant storage. If your cluster has DenySecurityContext enabled,
you can set `securityContext` to `{}` and still use this chart with one of
the cloud storage options.
For a more robust solution supply helm install with a custom values.yaml
You are also required to create the StorageClass resource ahead of time:
```
kubectl create -f /path/to/storage_class.yaml
```
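Review bot: the new securityContext paragraph misdescribes `fsGroup` and has a typo ("persitant"). `fsGroup: 1000` only sets the supplementary group applied to mounted volumes so the process can write to the PVC; it does not decide which user the container runs as, which comes from the image or from `runAsUser`. The admission plugin is also named `SecurityContextDeny`, not `DenySecurityContext`. Suggested wording: "By default `securityContext.fsGroup` is set to `1000`, the group ChartMuseum runs with, so that it can write to the persistent volume. If your cluster runs the `SecurityContextDeny` admission plugin, set `securityContext` to `{}` and use one of the cloud storage backends instead."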
......@@ -48,68 +66,109 @@ kubectl create -f /path/to/storage_class.yaml
The following table lists common configurable parameters of the chart and
their default values. See values.yaml for all available options.
| Parameter | Description | Default |
|----------------------------------------|---------------------------------------------|-----------------------------------------------------|
| `image.pullPolicy` | Container pull policy | `IfNotPresent` |
| `image.repository` | Container image to use | `chartmuseum/chartmuseum` |
| `image.tag` | Container image tag to deploy | `v0.7.1` |
| `persistence.accessMode` | Access mode to use for PVC | `ReadWriteOnce` |
| `persistence.enabled` | Whether to use a PVC for persistent storage | `false` |
| `persistence.size` | Amount of space to claim for PVC | `8Gi` |
| `persistence.storageClass` | Storage Class to use for PVC | `-` |
| `replicaCount` | k8s replicas | `1` |
| `resources.limits.cpu` | Container maximum CPU | `100m` |
| `resources.limits.memory` | Container maximum memory | `128Mi` |
| `resources.requests.cpu` | Container requested CPU | `80m` |
| `resources.requests.memory` | Container requested memory | `64Mi` |
| `serviceAccount.create` | If true, create the service account | `false` |
| `serviceAccount.name` | Name of the serviceAccount to create or use | `{{ chartmuseum.fullname }}` |
| `securityContext` | Map of securityContext for the pod | `{}` |
| `nodeSelector` | Map of node labels for pod assignment | `{}` |
| `tolerations` | List of node taints to tolerate | `[]` |
| `affinity` | Map of node/pod affinities | `{}` |
| `env.open.STORAGE` | Storage Backend to use | `local` |
| `env.open.ALIBABA_BUCKET` | Bucket to store charts in for Alibaba | `` |
| `env.open.ALIBABA_PREFIX` | Prefix to store charts under for Alibaba | `` |
| `env.open.ALIBABA_ENDPOINT` | Alternative Alibaba endpoint | `` |
| `env.open.ALIBABA_SSE` | Server side encryption algorithm to use | `` |
| `env.open.AMAZON_BUCKET` | Bucket to store charts in for AWS | `` |
| `env.open.AMAZON_ENDPOINT` | Alternative AWS endpoint | `` |
| `env.open.AMAZON_PREFIX` | Prefix to store charts under for AWS | `` |
| `env.open.AMAZON_REGION` | Region to use for bucket access for AWS | `` |
| `env.open.AMAZON_SSE` | Server side encryption algorithm to use | `` |
| `env.open.GOOGLE_BUCKET` | Bucket to store charts in for GCP | `` |
| `env.open.GOOGLE_PREFIX` | Prefix to store charts under for GCP | `` |
| `env.open.STORAGE_MICROSOFT_CONTAINER` | Container to store charts under for MS | `` |
| `env.open.STORAGE_MICROSOFT_PREFIX` | Prefix to store charts under for MS | `` |
| `env.open.STORAGE_OPENSTACK_CONTAINER` | Container to store charts for openstack | `` |
| `env.open.STORAGE_OPENSTACK_PREFIX` | Prefix to store charts for openstack | `` |
| `env.open.STORAGE_OPENSTACK_REGION` | Region of openstack container | `` |
| `env.open.STORAGE_OPENSTACK_CACERT` | Path to a CA cert bundle for openstack | `` |
| `env.open.CHART_POST_FORM_FIELD_NAME` | Form field to query for chart file content | `` |
| `env.open.PROV_POST_FORM_FIELD_NAME` | Form field to query for chart provenance | `` |
| `env.open.DEPTH` | levels of nested repos for multitenancy. | `0` |
| `env.open.DEBUG` | Show debug messages | `false` |
| `env.open.LOG_JSON` | Output structured logs in JSON | `true` |
| `env.open.DISABLE_STATEFILES` | Disable use of index-cache.yaml | `false` |
| `env.open.DISABLE_METRICS` | Disable Prometheus metrics | `true` |
| `env.open.DISABLE_API` | Disable all routes prefixed with /api | `true` |
| `env.open.ALLOW_OVERWRITE` | Allow chart versions to be re-uploaded | `false` |
| `env.open.CHART_URL` | Absolute url for .tgzs in index.yaml | `` |
| `env.open.AUTH_ANONYMOUS_GET` | Allow anon GET operations when auth is used | `false` |
| `env.open.CONTEXT_PATH` | Set the base context path | `` |
| `env.open.INDEX_LIMIT` | Parallel scan limit for the repo indexer | `` |
| `env.open.CACHE` | Cache store, can be one of: redis | `` |
| `env.open.CACHE_REDIS_ADDR` | Address of Redis service (host:port) | `` |
| `env.open.CACHE_REDIS_DB` | Redis database to be selected after connect | `0` |
| `env.secret.BASIC_AUTH_USER` | Username for basic HTTP authentication | `` |
| `env.secret.BASIC_AUTH_PASS` | Password for basic HTTP authentication | `` |
| `env.secret.CACHE_REDIS_PASSWORD` | Redis requirepass server configuration | `` |
| `gcp.secret.enabled` | Flag for the GCP service account | `false` |
| `gcp.secret.name` | Secret name for the GCP json file | `` |
| `gcp.secret.key` | Secret key for te GCP json file | `credentials.json` |
| `service.type` | Kubernetes Service type | `ClusterIP` |
| `service.clusterIP` | Static clusterIP or None for headless services| `nil` |
| Parameter | Description | Default |
|-----------------------------------------|--------------------------------------------------------------------|--------------------------------------|
| `image.pullPolicy` | Container pull policy | `IfNotPresent` |
| `image.repository` | Container image to use | `chartmuseum/chartmuseum` |
| `image.tag` | Container image tag to deploy | `v0.8.0` |
| `persistence.accessMode` | Access mode to use for PVC | `ReadWriteOnce` |
| `persistence.enabled` | Whether to use a PVC for persistent storage | `false` |
| `persistence.size` | Amount of space to claim for PVC | `8Gi` |
| `persistence.labels` | Additional labels for PVC | `{}` |
| `persistence.storageClass` | Storage Class to use for PVC | `-` |
| `persistence.volumeName` | Volume to use for PVC | `` |
| `persistence.pv.enabled` | Whether to use a PV for persistent storage | `false` |
| `persistence.pv.capacity.storage` | Storage size to use for PV | `8Gi` |
| `persistence.pv.accessMode` | Access mode to use for PV | `ReadWriteOnce` |
| `persistence.pv.nfs.server` | NFS server for PV | `` |
| `persistence.pv.nfs.path` | Storage Path | `` |
| `persistence.pv.pvname` | Custom name for private volume | `` |
| `replicaCount` | k8s replicas | `1` |
| `resources.limits.cpu` | Container maximum CPU | `100m` |
| `resources.limits.memory` | Container maximum memory | `128Mi` |
| `resources.requests.cpu` | Container requested CPU | `80m` |
| `resources.requests.memory` | Container requested memory | `64Mi` |
| `serviceAccount.create` | If true, create the service account | `false` |
| `serviceAccount.name` | Name of the serviceAccount to create or use | `{{ chartmuseum.fullname }}` |
| `securityContext` | Map of securityContext for the pod | `{ fsGroup: 1000 }` |
| `nodeSelector` | Map of node labels for pod assignment | `{}` |
| `tolerations` | List of node taints to tolerate | `[]` |
| `affinity` | Map of node/pod affinities | `{}` |
| `env.open.STORAGE` | Storage Backend to use | `local` |
| `env.open.STORAGE_ALIBABA_BUCKET` | Bucket to store charts in for Alibaba | `` |
| `env.open.STORAGE_ALIBABA_PREFIX` | Prefix to store charts under for Alibaba | `` |
| `env.open.STORAGE_ALIBABA_ENDPOINT` | Alternative Alibaba endpoint | `` |
| `env.open.STORAGE_ALIBABA_SSE` | Server side encryption algorithm to use | `` |
| `env.open.STORAGE_AMAZON_BUCKET` | Bucket to store charts in for AWS | `` |
| `env.open.STORAGE_AMAZON_ENDPOINT` | Alternative AWS endpoint | `` |
| `env.open.STORAGE_AMAZON_PREFIX` | Prefix to store charts under for AWS | `` |
| `env.open.STORAGE_AMAZON_REGION` | Region to use for bucket access for AWS | `` |
| `env.open.STORAGE_AMAZON_SSE` | Server side encryption algorithm to use | `` |
| `env.open.STORAGE_GOOGLE_BUCKET` | Bucket to store charts in for GCP | `` |
| `env.open.STORAGE_GOOGLE_PREFIX` | Prefix to store charts under for GCP | `` |
| `env.open.STORAGE_MICROSOFT_CONTAINER` | Container to store charts under for MS | `` |
| `env.open.STORAGE_MICROSOFT_PREFIX` | Prefix to store charts under for MS | `` |
| `env.open.STORAGE_OPENSTACK_CONTAINER` | Container to store charts for openstack | `` |
| `env.open.STORAGE_OPENSTACK_PREFIX` | Prefix to store charts for openstack | `` |
| `env.open.STORAGE_OPENSTACK_REGION` | Region of openstack container | `` |
| `env.open.STORAGE_OPENSTACK_CACERT` | Path to a CA cert bundle for openstack | `` |
| `env.open.STORAGE_ORACLE_COMPARTMENTID` | Compartment ID for Oracle Object Store | `` |
| `env.open.STORAGE_ORACLE_BUCKET` | Bucket to store charts in Oracle Object Store | `` |
| `env.open.STORAGE_ORACLE_PREFIX` | Prefix to store charts for Oracle object Store | `` |
| `env.open.CHART_POST_FORM_FIELD_NAME` | Form field to query for chart file content | `` |
| `env.open.PROV_POST_FORM_FIELD_NAME` | Form field to query for chart provenance | `` |
| `env.open.DEPTH` | levels of nested repos for multitenancy. | `0` |
| `env.open.DEBUG` | Show debug messages | `false` |
| `env.open.LOG_JSON` | Output structured logs in JSON | `true` |
| `env.open.DISABLE_STATEFILES` | Disable use of index-cache.yaml | `false` |
| `env.open.DISABLE_METRICS` | Disable Prometheus metrics | `true` |
| `env.open.DISABLE_API` | Disable all routes prefixed with /api | `true` |
| `env.open.ALLOW_OVERWRITE` | Allow chart versions to be re-uploaded | `false` |
| `env.open.CHART_URL` | Absolute url for .tgzs in index.yaml | `` |
| `env.open.AUTH_ANONYMOUS_GET` | Allow anon GET operations when auth is used | `false` |
| `env.open.CONTEXT_PATH` | Set the base context path | `` |
| `env.open.INDEX_LIMIT` | Parallel scan limit for the repo indexer | `` |
| `env.open.CACHE` | Cache store, can be one of: redis | `` |
| `env.open.CACHE_REDIS_ADDR` | Address of Redis service (host:port) | `` |
| `env.open.CACHE_REDIS_DB` | Redis database to be selected after connect | `0` |
| `env.open.BEARER_AUTH` | Enable bearer auth | `false` |
| `env.open.AUTH_REALM` | Realm used for bearer authentication | `` |
| `env.open.AUTH_SERVICE` | Service used for bearer authentication | `` |
| `env.field` | Expose pod information to containers through environment variables | `` |
| `env.existingSecret` | Name of the existing secret use values | `` |
| `env.existingSecret.BASIC_AUTH_USER` | Key name in the secret for the Username | `` |
| `env.existingSecret.BASIC_AUTH_PASS` | Key name in the secret for the Password | `` |
| `env.secret.BASIC_AUTH_USER` | Username for basic HTTP authentication | `` |
| `env.secret.BASIC_AUTH_PASS` | Password for basic HTTP authentication | `` |
| `env.secret.CACHE_REDIS_PASSWORD` | Redis requirepass server configuration | `` |
| `gcp.secret.enabled` | Flag for the GCP service account | `false` |
| `gcp.secret.name` | Secret name for the GCP json file | `` |
| `gcp.secret.key` | Secret key for te GCP json file | `credentials.json` |
| `oracle.secret.enabled` | Flag for Oracle OCI account | `false` |
| `oracle.secret.name` | Secret name for OCI config and key | `` |
| `oracle.secret.config` | Secret key that holds the OCI config | `config` |
| `oracle.secret.key_file` | Secret key that holds the OCI private key | `key_file` |
| `bearerAuth.secret.enabled` | Flag for bearer auth public key secret | `` |
| `bearerAuth.secret.publicKey` | The name of the secret with the public key | `` |
| `service.type` | Kubernetes Service type | `ClusterIP` |
| `service.clusterIP` | Static clusterIP or None for headless services | `nil` |
| `service.externalTrafficPolicy` | Source IP preservation (only for Service type NodePort) | `Local` |
| `service.servicename` | Custom name for service | `` |
| `service.labels` | Additional labels for service | `{}` |
| `deployment.labels` | Additional labels for deployment | `{}` |
| `deployment.matchlabes` | Match labels for deployment selector | `{}` |
| `ingress.enabled` | Enable ingress controller resource | `false` |
| `ingress.annotations` | Ingress annotations | `[]` |
| `ingress.labels` | Ingress labels | `[]` |
| `ingress.hosts[0].name` | Hostname for the ingress | `` |
| `ingress.hosts[0].path` | Path within the url structure | `` |
| `ingress.hosts[0].tls ` | Enable TLS on the ingress host | `false` |
| `ingress.hosts[0].tlsSecret` | TLS secret to use (must be manually created) | `` |
| `ingress.hosts[0].serviceName` | The name of the service to route traffic to. | `{{ .Values.service.externalPort }}` |
| `ingress.hosts[0].servicePort` | The port of the service to route traffic to. | `{{ .chartmuseum. }}` |
| `ingress.extraPaths[0].path` | Path within the url structure. | `` |
| `ingress.extraPaths[0].service` | The name of the service to route traffic to. | `` |
| `ingress.extraPaths[0].port` | The port of the service to route traffic to. | `` |
Specify each parameter using the `--set key=value[,key=value]` argument to
`helm install`.
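Review bot: the parameter table disagrees with the template and the Authentication section on how existing-secret keys are mapped. The rows `env.existingSecret.BASIC_AUTH_USER` / `env.existingSecret.BASIC_AUTH_PASS` present `env.existingSecret` as a map, but deployment.yaml reads `.Values.env.existingSecret` as the Secret name for `envFrom` and takes key names from `.Values.env.existingSecretMappings`, which is also what the Authentication example uses; a user following the table would render a map into `secretRef.name`. Document `env.existingSecretMappings` instead. In the same table, `bearerAuth.secret.publicKey` is called `publicKeySecret` in the bearer-auth example, the defaults for `ingress.hosts[0].serviceName` and `servicePort` (`{{ .Values.service.externalPort }}` and `{{ .chartmuseum. }}`) look swapped and garbled, `ingress.annotations` defaults to `[]` although it is a map, and `deployment.matchlabes` is a typo.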
......@@ -233,7 +292,7 @@ env:
open:
STORAGE: google
STORAGE_GOOGLE_BUCKET: my-gcs-bucket
STORAGE_GOOGLE_PREFIX:
STORAGE_GOOGLE_PREFIX:
```
### Using with Google Cloud Storage and a Google Service Account
......@@ -294,7 +353,7 @@ Run command to install
helm install --name my-chartmuseum -f custom.yaml stable/chartmuseum
```
To set the values directly in the command line, use the follosing command. Note that we have to base64 encode the json file because we cannot pass a multi-line text as a value.
To set the values directly in the command line, use the following command. Note that we have to base64 encode the json file because we cannot pass a multi-line text as a value.
```shell
export JSONKEY=$(cat my-project-77e35d85a593.json | base64)
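Review bot: `base64` on GNU coreutils wraps its output at 76 columns, so `$(cat my-project-77e35d85a593.json | base64)` still yields a multi-line value, which is exactly what the sentence above says `--set` cannot accept. Use `base64 -w0` (or `base64 | tr -d '\n'`, which also works on BSD/macOS) in the example.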
......@@ -317,7 +376,7 @@ env:
STORAGE: microsoft
STORAGE_MICROSOFT_CONTAINER: mycontainer
# prefix to store charts for microsoft storage backend
STORAGE_MICROSOFT_PREFIX:
STORAGE_MICROSOFT_PREFIX:
secret:
AZURE_STORAGE_ACCOUNT: "********" ## azure storage account
AZURE_STORAGE_ACCESS_KEY: "********" ## azure storage account access key
......@@ -389,6 +448,75 @@ Run command to install
```shell
helm install --name my-chartmuseum -f custom.yaml stable/chartmuseum
```
### Using with Oracle Object Storage
Oracle (OCI) configuration and private key need to be added to a secret and are mounted at /home/chartmuseum/.oci. Your OCI config needs to be under [DEFAULT] and your `key_file` needs to be /home/chartmuseum/.oci/oci.key. See https://docs.cloud.oracle.com/iaas/Content/API/Concepts/sdkconfig.htm
```shell
kubectl create secret generic chartmuseum-secret --from-file=config=".oci/config" --from-file=key_file=".oci/oci.key"
```
Then you can either use a `VALUES` yaml with your values or set those values in the command line:
```shell
helm install stable/chartmuseum --debug --set env.open.STORAGE=oracle,env.open.STORAGE_ORACLE_COMPARTMENTID=ocid1.compartment.oc1..abc123,env.open.STORAGE_ORACLE_BUCKET=myocibucket,env.open.STORAGE_ORACLE_PREFIX=chartmuseum,oracle.secret.enabled=true,oracle.secret.name=chartmuseum-secret
```
If you prefer to use a yaml file:
```yaml
env:
open:
STORAGE: oracle
STORAGE_ORACLE_COMPARTMENTID: ocid1.compartment.oc1..abc123
STORAGE_ORACLE_BUCKET: myocibucket
STORAGE_ORACLE_PREFIX: chartmuseum
oracle:
secret:
enabled: enabled
name: chartmuseum-secret
config: config
key_file: key_file
```
Run command to install
```shell
helm install --name my-chartmuseum -f custom.yaml stable/chartmuseum
```
### Using an existing secret
It is possible to pre-create a secret in kubernetes and get this chart to use that
Given you are for example using the above AWS example
You could create a Secret like this
```shell
kubectl create secret generic chartmuseum-secret --from-literal="AWS_ACCESS_KEY_ID=myaccesskey" --from-literal="AWS_SECRET_ACCESS_KEY=mysecretaccesskey" --from-literal="BASIC_AUTH_USER=curator" --from-literal="BASIC_AUTH_PASS=mypassword"
```
Specify `custom.yaml` with such values
```yaml
env:
open:
STORAGE: amazonexistingSecret
STORAGE_AMAZON_BUCKET: my-s3-bucket
STORAGE_AMAZON_PREFIX:
STORAGE_AMAZON_REGION: us-east-1
existingSecret: chartmuseum-secret
```
and `existingSecret` will auto mapping all the data from secrets to the `ENV`.
Run command to install
```shell
helm install --name my-chartmuseum -f custom.yaml stable/chartmuseum
```
### Using with local filesystem storage
By default chartmuseum uses local filesystem storage.
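Review bot: two of the new examples will not work as written. In the Oracle values file `oracle.secret.enabled: enabled` should be `true`, since the template tests it as a boolean; and in the existing-secret example `STORAGE: amazonexistingSecret` runs the backend name and the `existingSecret` key together; it should read `STORAGE: amazon`, with `existingSecret: chartmuseum-secret` on its own line under `env`. Because `existingSecret` is loaded with `envFrom`, every key in that Secret becomes an environment variable, so the text should tell users to dedicate the Secret to this chart rather than reuse one shared with other workloads. The `kubectl create secret ... --from-literal=` lines also place the AWS keys and the basic-auth password on the command line and in shell history; `--from-file` or `--from-env-file` would be a safer example to copy.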
......@@ -425,7 +553,7 @@ helm install --name my-chartmuseum -f custom.yaml stable/chartmuseum
#### Example storage class
Example storage-class.yaml provided here for use with a Ceph cluster.
Example storage-class.yaml provided here for use with a Ceph cluster.
```
kind: StorageClass
......@@ -443,10 +571,106 @@ parameters:
userSecretName: thesecret
```
### Authentication
By default this chart does not have any authentication configured and allows anyone to fetch or upload (assuming the API is enabled) charts there are two supported methods of authentication
#### Basic Authentication
This allows all API routes to be protected by HTTP basic auth, this is configured either as plain text in the values that gets stored as a secret in the kubernetes cluster by setting:
```yaml
env:
secret:
BASIC_AUTH_USER: curator
BASIC_AUTH_PASS: mypassword
```
Or by using values from an existing secret in the cluster that can be created using:
'''shell
kubectl create secret generic chartmuseum-secret --from-literal="basic-auth-user=curator" --from-literal="basic-auth-pass=mypassword"
'''
This secret can be used in the values file as follows:
```yaml
env:
existingSecret: chartmuseum-secret
existingSecretMappings:
BASIC_AUTH_USER: basic-auth-user
BASIC_AUTH_PASS: basic-auth-pass
```
#### Bearer/Token auth
When using this ChartMuseum is configured with a public key, and will accept RS256 JWT tokens signed by the associated private key, passed in the Authorization header. You can use the [chartmuseum/auth](https://github.com/chartmuseum/auth) Go library to generate valid JWT tokens. For more information about how this works, please see [chartmuseum/auth-server-example](https://github.com/chartmuseum/auth-server-example)
To use this the public key should be stored in a secret this can be done with
```shell
kubectl create secret generic chartmuseum-public-key --from-file=public-key.pem
```
And Bearer/Token auth can be configured using the following values
```yaml
env:
open:
BEARER_AUTH: true
AUTH_REALM: <realm>
AUTH_SERVICE: <service>
bearerAuth:
secret:
enabled: true
publicKeySecret: chartmuseum-public-key
```
### Ingress
This chart provides support for ingress resources. If you have an ingress controller installed on your cluster, such as [nginx-ingress](https://hub.kubeapps.com/charts/stable/nginx-ingress) or [traefik](https://hub.kubeapps.com/charts/stable/traefik) you can utilize the ingress controller to expose Kubeapps.
To enable ingress integration, please set `ingress.enabled` to `true`
#### Hosts
Most likely you will only want to have one hostname that maps to this Chartmuseum installation, however, it is possible to have more than one host. To facilitate this, the `ingress.hosts` object is an array. TLS secrets referenced in the ingress host configuration must be manually created in the namespace.
In most cases, you should not specify values for `ingress.hosts[0].serviceName` and `ingress.hosts[0].servicePort`. However, some ingress controllers support advanced scenarios requiring you to specify these values. For example, [setting up an SSL redirect using the AWS ALB Ingress Controller](https://kubernetes-sigs.github.io/aws-alb-ingress-controller/guide/tasks/ssl_redirect/).
#### Extra Paths
Specifying extra paths to prepend to every host configuration is especially useful when configuring [custom actions with AWS ALB Ingress Controller](https://kubernetes-sigs.github.io/aws-alb-ingress-controller/guide/ingress/annotation/#actions).
```shell
helm install --name my-chartmuseum stable/chartmuseum \
--set ingress.enabled=true \
--set ingress.hosts[0].name=chartmuseum.domain.com \
--set ingress.extraPaths[0].service=ssl-redirect \
--set ingress.extraPaths[0].port=use-annotation \
```
#### Annotations
For annotations, please see [this document for nginx](https://github.com/kubernetes/ingress-nginx/blob/master/docs/user-guide/nginx-configuration/annotations.md) and [this document for Traefik](https://docs.traefik.io/configuration/backends/kubernetes/#general-annotations). Not all annotations are supported by all ingress controllers, but this document does a good job of indicating which annotation is supported by many popular ingress controllers. Annotations can be set using `ingress.annotations`.
#### Example Ingress configuration
```shell
helm install --name my-chartmuseum stable/chartmuseum \
--set ingress.enabled=true \
--set ingress.hosts[0].name=chartmuseum.domain.com \
--set ingress.hosts[0].path=/
--set ingress.hosts[0].tls=true
--set ingress.hosts[0].tlsSecret=chartmuseum.tls-secret
```
## Uninstall
By default, a deliberate uninstall will result in the persistent volume
claim being deleted.
claim being deleted.
```shell
helm delete my-chartmuseum
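Review bot: several snippets in the Authentication and Ingress sections are broken as written. The existing-secret command is fenced with `'''shell` instead of three backticks, so it renders as literal text; the Example Ingress configuration is missing the trailing `\` on the `path=/` and `tls=true` lines, so the command ends after `hosts[0].name` and the TLS settings are never applied; and the Extra Paths example ends with a dangling `\` before the fence. The Ingress intro says the controller will "expose Kubeapps" (copied from another chart) and should say ChartMuseum. The bearer-auth example sets `bearerAuth.secret.publicKeySecret` while the parameter table lists `bearerAuth.secret.publicKey`; pick one name. Finally, since `ingress.hosts[0].tls` defaults to `false`, the Basic Authentication section should warn that credentials cross the ingress in cleartext unless TLS is configured.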
......
labels:
io.cattle.role: project # options are cluster/project
questions:
- variable: defaultImage
default: true
......@@ -8,15 +10,17 @@ questions:
group: "Container Images"
subquestions:
- variable: image.repository
default: "chartmuseum/chartmuseum"
default: "ranchercharts/chartmuseum-chartmuseum"
description: "Docker image repository"
type: string
label: Image Repository
required: true
- variable: image.tag
default: "v0.7.1"
default: "v0.9.0"
description: "Docker image tag"
type: string
label: Image Tag
required: true
# storage settings
- variable: env.open.STORAGE
required: true
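Review bot: the image default moves to the `ranchercharts/chartmuseum-chartmuseum` mirror, but the README parameter table in this commit still lists `chartmuseum/chartmuseum`; update the table and say in the question description that this is a Rancher-maintained mirror of the upstream image, so operators know where the bits come from and can compare image digests against the upstream tag.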
......@@ -27,8 +31,8 @@ questions:
group: "Storage Options"
options:
- "local"
- "amazon"
- "alibaba"
- "amazon"
- "google"
- "microsoft"
- "openstack"
......@@ -63,20 +67,23 @@ questions:
label: OSS Bucket Name
group: "Storage Options"
show_if: "env.open.STORAGE=alibaba"
- variable: env.open.STORAGE_ALIBABA_PREFIX
required: true
- variable: env.open.STORAGE_ALIBABA_ENDPOINT
default: ""
type: string
description: "Prefix to store charts for alibaba storage backend"
label: OSS Bucket Prefix
description: "OSS endpoint to store charts for alibaba storage backend"
label: Alternative OSS Storage Endpoint
group: "Storage Options"
show_if: "env.open.STORAGE=alibaba"
- variable: env.open.STORAGE_ALIBABA_ENDPOINT
required: true
- variable: env.open.STORAGE_ALIBABA_PREFIX
default: ""
type: string
description: "OSS endpoint to store charts for alibaba storage backend"
label: Alternative OSS Storage Endpoint
description: "Prefix to store charts for alibaba storage backend"
label: OSS Bucket Prefix
group: "Storage Options"
show_if: "env.open.STORAGE=alibaba"
required: true
# Google Storage Options
- variable: env.open.STORAGE_GOOGLE_BUCKET
default: ""
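Review bot: `required: true` on `env.open.STORAGE_ALIBABA_PREFIX` (and the same flag added to the Google, Microsoft and OpenStack `*_PREFIX` questions further down) forces the user to type a prefix even though the README documents every prefix as optional with an empty default, and the README's own examples leave `STORAGE_GOOGLE_PREFIX` and `STORAGE_MICROSOFT_PREFIX` blank. Drop `required` from the prefix questions; keeping it on the bucket and container questions is right.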
......@@ -85,6 +92,7 @@ questions:
label: GCS Bucket Name
group: "Storage Options"
show_if: "env.open.STORAGE=google"
required: true
- variable: env.open.STORAGE_GOOGLE_PREFIX
default: ""
type: string
......@@ -92,6 +100,7 @@ questions:
label: GCS Bucket Prefix
group: "Storage Options"
show_if: "env.open.STORAGE=google"
required: true
# Microsoft Azure Storage Options
- variable: env.open.STORAGE_MICROSOFT_CONTAINER
default: ""
......@@ -100,6 +109,7 @@ questions:
label: Microsoft Azure Blob Storage Name
group: "Storage Options"
show_if: "env.open.STORAGE=microsoft"
required: true
- variable: env.open.STORAGE_MICROSOFT_PREFIX
default: ""
type: string
......@@ -107,6 +117,7 @@ questions:
label: Microsoft Azure Blob Storage Prefix
group: "Storage Options"
show_if: "env.open.STORAGE=microsoft"
required: true
# OpenStack Storage Options
- variable: env.open.STORAGE_OPENSTACK_CONTAINER
default: ""
......@@ -115,6 +126,7 @@ questions:
label: Openstack Object Storage Container Name
group: "Storage Options"
show_if: "env.open.STORAGE=openstack"
required: true
- variable: env.open.STORAGE_OPENSTACK_PREFIX
default: ""
type: string
......@@ -122,6 +134,7 @@ questions:
label: Prefix To Openstack Object Storage Container
group: "Storage Options"
show_if: "env.open.STORAGE=openstack"
required: true
- variable: env.open.STORAGE_OPENSTACK_REGION
default: ""
type: string
......@@ -129,98 +142,14 @@ questions:
label: Region Of Openstack Object Storage Container
group: "Storage Options"
show_if: "env.open.STORAGE=openstack"
required: true
# Storage Secret
- variable: env.secret.AWS_ACCESS_KEY_ID
default: ""
type: string
description: "AWS access key id value"
label: AWS Access Key ID Value
group: "Storage Secret"
show_if: "env.open.STORAGE=amazon"
- variable: env.secret.AWS_SECRET_ACCESS_KEY
- variable: env.existingSecret
default: ""
type: string
description: "aws access key secret value "
label: AWS Access Key Secret Value
group: "Storage Secret"
show_if: "env.open.STORAGE=amazon"
- variable: env.secret.ALIBABA_CLOUD_ACCESS_KEY_ID
default: ""
type: string
description: "alibaba OSS access key id"
label: OSS Access Key ID
type: secret
description: "Name of an existing secret to get the secret values from"
label: Select the Existing Secret
group: "Storage Secret"
show_if: "env.open.STORAGE=alibaba"
- variable: env.secret.ALIBABA_CLOUD_ACCESS_KEY_SECRET
default: ""
type: string
description: "alibaba OSS access key secret "
label: OSS Access Key Secret
group: "Storage Secret"
show_if: "env.open.STORAGE=alibaba"
- variable: gcp.secret.enabled
default: false
type: boolean
description: "Flag for the GCP service account"
label: Enable GCP Service Account
group: "Storage Secret"
show_if: "env.open.STORAGE=google"
show_subquestion_if: true
subquestions:
- variable: gcp.secret.name
default: ""
type: string
description: "secret name for the gcp json file"
label: Secret Name For The GCP Json File
- variable: gcp.secret.key
default: "credentials.json"
type: string
description: "Secret key for the GCP json file"
label: Secret Key For The GCP Json File
# Openstack Object Storage secret
- variable: env.secret.OS_AUTH_URL
default: ""
type: string
description: "Openstack object storage auth url"
label: Auth URL Of Openstack Object Storage
group: "Storage Secret"
show_if: "env.open.STORAGE=openstack"
- variable: env.secret.OS_TENANT_ID
default: ""
type: string
description: "Openstack object storage tenant id"
label: Tenant ID Of Openstack Object Storage
group: "Storage Secret"
show_if: "env.open.STORAGE=openstack"
- variable: env.secret.OS_USERNAME
default: ""
type: string
description: "Openstack object storage username"
label: Username Of Openstack Object Storage
group: "Storage Secret"
show_if: "env.open.STORAGE=openstack"
- variable: env.secret.OS_PASSWORD
default: ""
type: string
description: "Openstack object storage password"
label: Password Of Openstack Object Storage
group: "Storage Secret"
show_if: "env.open.STORAGE=openstack"
# Microsoft azure secret
- variable: env.secret.AZURE_STORAGE_ACCOUNT
default: ""
type: string
description: "azure storage account"
label: Azure Storage Account
group: "Storage Secret"
show_if: "env.open.STORAGE=microsoft"
- variable: env.secret.AZURE_STORAGE_ACCESS_KEY
default: ""
type: string
description: "azure storage account access key "
label: Azure Storage Account Access Key
group: "Storage Secret"
show_if: "env.open.STORAGE=microsoft"
# Local Storage Settings
- variable: persistence.enabled
default: true
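Review bot: if the `show_if: "env.open.STORAGE=alibaba"` that now follows the `env.existingSecret` question is its condition, the secret selector only appears for the alibaba backend; it needs to be shown for every backend that takes credentials (amazon, alibaba, microsoft, openstack), since the per-provider questions that used to collect them are removed here. Replacing plaintext credential questions with a `type: secret` selector is the right move (the keys no longer pass through the answers file), but the description should list the key names the Secret must contain (`AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `AZURE_STORAGE_ACCOUNT`, `AZURE_STORAGE_ACCESS_KEY`, `OS_AUTH_URL`, `OS_PASSWORD`, ...), because `envFrom` injects them by name. The `gcp.secret.*` questions are removed as well, so the google backend can no longer be given a service-account file from the form; either say so or keep those questions.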
......@@ -252,14 +181,14 @@ questions:
label: Uses Existing Persistent Volume Cliam for LocalStorage
# Service and L7 LoadBalancer
- variable: ingress.enabled
default: true
default: false
description: "Expose app using Layer 7 Load Balancer - ingress"
type: boolean
label: Expose app using Layer 7 Load Balancer
show_subquestion_if: true
group: "Services and Load Balancing"
subquestions:
- variable: ingress.hosts[0]
- variable: ingress.hosts[0].name
default: "xip.io"
description: "Hostname to your app installation"
type: hostname
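Review bot: the form now only collects `ingress.hosts[0].name`, defaulting to `xip.io`; nothing sets `ingress.hosts[0].tls` or `tlsSecret`, so an exposed ChartMuseum with basic auth enabled sends credentials over plain HTTP. Add TLS subquestions or state in the label that TLS must be configured on the ingress separately. `xip.io` is also a public wildcard-DNS service, not a hostname the operator owns; make the question required with no default so users must supply their own.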
......@@ -276,26 +205,7 @@ questions:
options:
- "ClusterIP"
- "NodePort"
- "LoadBalancer"
# chartmuseum options
- variable: env.secret.BASIC_AUTH_USER
default: ""
description: "Username for basic http authentication"
type: string
label: Username For Basic Http Authentication (Optional)
group: "ChartMuseum Settings"
- variable: env.secret.BASIC_AUTH_PASS
default: ""
description: "Password for basic http authentication"
type: string
label: Password For Basic Http Authentication (Optional)
group: "ChartMuseum Settings"
- variable: env.open.CHART_URL
default: ""
description: "Absolute url for .tgzs in index.yaml"
type: string
label: Absolute URL For .tgzs In index.yaml
group: "ChartMuseum Settings"
- variable: env.open.SHOW_ADVANCED
default: false
description: "Show advanced ChartMuseum settings"
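Review bot: with the `env.secret.BASIC_AUTH_USER` / `env.secret.BASIC_AUTH_PASS` questions removed, the only way to enable authentication from the Rancher form is the `env.existingSecret` selector, which requires the Secret to carry keys literally named `BASIC_AUTH_USER` and `BASIC_AUTH_PASS` for `envFrom` to pick them up; that selector lives in the "Storage Secret" group and, as written, is conditioned on the alibaba backend. The README states that the default deployment has no authentication, so please make the basic-auth path reachable and documented from the form, otherwise `local` storage installs from Rancher are unauthenticated.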
......@@ -304,10 +214,15 @@ questions:
group: "ChartMuseum Settings"
show_subquestion_if: true
subquestions:
- variable: env.open.CHART_URL
default: ""
description: "Absolute url for .tgzs in index.yaml"
type: string
label: Absolute URL For .tgzs In index.yaml
- variable: env.open.DEPTH
default: "0"
default: 0
description: "Levels of nested repos for multitenancy."
type: string
type: int
label: Levels Of Nested Repos For Multitenancy
- variable: env.open.ALLOW_OVERWRITE
default: false
......
apiVersion: extensions/v1beta1
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "chartmuseum.fullname" . }}
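Review bot: moving the Deployment to `apps/v1` raises the minimum supported Kubernetes to 1.9, where that API became GA and `spec.selector` became mandatory; declare that in Chart.yaml (`kubeVersion`) or in the chart notes so installs on older clusters fail with a clear message rather than an unknown-kind error.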
......@@ -6,16 +6,21 @@ metadata:
{{ toYaml .Values.deployment.annotations | indent 4 }}
labels:
{{ include "chartmuseum.labels.standard" . | indent 4 }}
{{- if .Values.deployment.labels }}
{{ toYaml .Values.deployment.labels | indent 4 }}
{{- end }}
spec:
replicas: {{ .Values.replicaCount }}
strategy:
{{ toYaml .Values.strategy | indent 4 }}
revisionHistoryLimit: 10
selector:
matchLabels:
app: {{ template "chartmuseum.name" . }}
release: {{ .Release.Name | quote }}
template:
metadata:
name: {{ include "chartmuseum.fullname" . }}
annotations:
{{ toYaml .Values.replica.annotations | indent 8 }}
labels:
app: {{ template "chartmuseum.name" . }}
release: {{ .Release.Name | quote }}
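Review bot: `spec.selector.matchLabels` (`app`, `release`) is immutable once the Deployment exists. Releases created from the `extensions/v1beta1` template had their selector defaulted from the pod-template labels, so if those labels ever carried anything beyond `app` and `release`, `helm upgrade` will be rejected with a selector-immutability error; the upgrade path (fresh release or delete-and-recreate) should be called out in the notes. `{{ toYaml .Values.replica.annotations | indent 8 }}` renders `{}` for the empty default, which is valid.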
......@@ -24,6 +29,11 @@ spec:
- name: {{ .Chart.Name }}
image: {{ .Values.image.repository }}:{{ .Values.image.tag }}
imagePullPolicy: {{ .Values.image.pullPolicy }}
{{- if .Values.env.existingSecret }}
envFrom:
- secretRef:
name: {{ .Values.env.existingSecret }}
{{- end }}
env:
{{- range $name, $value := .Values.env.open }}
{{- if not (empty $value) }}
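Review bot: `envFrom: secretRef` injects every key of `env.existingSecret` into the container environment, not only the four variables the mappings document. If an operator points it at a shared secret, unrelated credentials end up in the ChartMuseum process environment (readable from `/proc/<pid>/environ` or a crash dump by anything that compromises the process). The following hunk already maps the needed keys explicitly via `existingSecretMappings`, so either drop the `envFrom` block or document that the secret must contain ChartMuseum variables only.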
......@@ -31,10 +41,30 @@ spec:
value: {{ $value | quote }}
{{- end }}
{{- end }}
{{- range $name, $value := .Values.env.field }}
{{- if not ( empty $value) }}
- name: {{ $name | quote }}
valueFrom:
fieldRef:
fieldPath: {{ $value | quote }}
{{- end }}
{{- end }}
{{- if .Values.gcp.secret.enabled }}
- name: GOOGLE_APPLICATION_CREDENTIALS
value: "/etc/secrets/google/credentials.json"
{{- end }}
{{- if .Values.env.existingSecret }}
{{- $secret_name := .Values.env.existingSecret }}
{{- range $name, $key := .Values.env.existingSecretMappings }}
{{- if not ( empty $key) }}
- name: {{ $name | quote }}
valueFrom:
secretKeyRef:
name: {{ $secret_name | quote }}
key: {{ $key | quote }}
{{- end }}
{{- end }}
{{- else }}
{{- $secret_name := include "chartmuseum.fullname" . }}
{{- range $name, $value := .Values.env.secret }}
{{- if not ( empty $value) }}
......@@ -45,6 +75,11 @@ spec:
key: {{ $name | quote }}
{{- end }}
{{- end }}
{{- end }}
{{- if .Values.bearerAuth.secret.enabled }}
- name: AUTH_CERT_PATH
value: /var/keys/public-key.pem
{{ end }}
args:
- --port=8080
{{- if eq .Values.env.open.STORAGE "local" }}
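Review bot: the `{{ end }}` closing the `bearerAuth.secret.enabled` block lacks the whitespace-trimming dash every other block in this section uses and emits a blank line into the manifest; make it `{{- end }}`. Two behaviours deserve a comment in values.yaml: when `env.existingSecret` is set, `env.secret` values are silently ignored (the `else` branch), and keys listed in `existingSecretMappings` are also injected wholesale by the `envFrom` block in the previous hunk, so the mapping only matters when the secret uses different key names. `AUTH_CERT_PATH` is hard-coded to `/var/keys/public-key.pem`, which couples this hunk to the key name inside the mounted secret.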
......@@ -63,16 +98,24 @@ spec:
path: {{ .Values.env.open.CONTEXT_PATH }}/health
port: http
{{ toYaml .Values.probes.readiness | indent 10 }}
{{- if eq .Values.env.open.STORAGE "local" }}
volumeMounts:
{{- if eq .Values.env.open.STORAGE "local" }}
- mountPath: /storage
name: storage-volume
{{- end }}
{{- if .Values.gcp.secret.enabled }}
volumeMounts:
- mountPath: /etc/secrets/google
name: {{ include "chartmuseum.fullname" . }}-gcp
{{- end }}
{{- if .Values.oracle.secret.enabled }}
- mountPath: /home/chartmuseum/.oci
name: {{ include "chartmuseum.fullname" . }}-oracle
{{- end }}
{{- if .Values.bearerAuth.secret.enabled }}
- name: public-key
mountPath: /var/keys
readOnly: true
{{- end }}
{{- with .Values.resources }}
resources:
{{ toYaml . | indent 10 }}
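Review bot: good fix: `volumeMounts:` is now emitted once, whereas previously the `STORAGE=local` and `gcp.secret.enabled` branches each emitted their own `volumeMounts:` key and produced a duplicate mapping key when both were set. Only the bearer-auth mount is marked `readOnly: true`; give the GCP credentials and Oracle `.oci` mounts the same flag (secret volumes are read-only by default on recent kubelets, but the explicit flag documents intent and survives a change of volume type). `/home/chartmuseum/.oci` assumes the image's `chartmuseum` user home, consistent with the UID 1000 note in values.yaml.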
......@@ -121,3 +164,18 @@ spec:
path: credentials.json
{{ end }}
{{ end }}
{{ if .Values.oracle.secret.enabled }}
- name: {{ include "chartmuseum.fullname" . }}-oracle
secret:
secretName: {{ .Values.oracle.secret.name }}
items:
- key: {{ .Values.oracle.secret.config }}
path: config
- key: {{ .Values.oracle.secret.key_file }}
path: oci.key
{{ end }}
{{- if .Values.bearerAuth.secret.enabled }}
- name: public-key
secret:
secretName: {{ .Values.bearerAuth.secret.publicKeySecret }}
{{- end }}
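Review bot: the `public-key` volume mounts the whole `bearerAuth.secret.publicKeySecret` without an `items` mapping, so the file ChartMuseum reads at `AUTH_CERT_PATH=/var/keys/public-key.pem` only exists if the secret's key is literally `public-key.pem`, and nothing in values.yaml says so; either add `items:` with a configurable `key` and `path: public-key.pem`, as the Oracle volume does for `config` and `oci.key`, or document the required key name. Style: the Oracle block uses `{{ if }}`/`{{ end }}` without dashes while the bearer block directly below uses `{{- if }}`/`{{- end }}`.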
{{- if .Values.ingress.enabled }}
{{- $servicePort := .Values.service.externalPort -}}
{{- $serviceName := include "chartmuseum.fullname" . -}}
{{- if .Values.ingress.enabled }}
{{- $ingressExtraPaths := .Values.ingress.extraPaths -}}
---
apiVersion: extensions/v1beta1
kind: Ingress
......@@ -15,17 +16,27 @@ metadata:
{{ include "chartmuseum.labels.standard" . | indent 4 }}
spec:
rules:
{{- range $host := .Values.ingress.hosts }}
- host: {{ $host }}
{{- range .Values.ingress.hosts }}
- host: {{ .name }}
http:
paths:
- path:
{{- range $ingressExtraPaths }}
- path: {{ default "/" .path | quote }}
backend:
serviceName: {{ default $serviceName .service }}
servicePort: {{ default $servicePort .port }}
{{- end }}
- path: {{ default "/" .path | quote }}
backend:
serviceName: {{ $serviceName }}
servicePort: {{ $servicePort }}
{{- end -}}
{{- if .Values.ingress.tls }}
serviceName: {{ default $serviceName .serviceName }}
servicePort: {{ default $servicePort .servicePort }}
{{- end }}
tls:
{{ toYaml .Values.ingress.tls | indent 4 }}
{{- end -}}
{{- range .Values.ingress.hosts }}
{{- if .tls }}
- hosts:
- {{ .name }}
secretName: {{ .tlsSecret }}
{{- end }}
{{- end }}
{{- end -}}
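Review bot: `ingress.hosts` changes shape from a list of hostnames to a list of `{name, path, tls, tlsSecret}` objects (`{{ .name }}` replaces `{{ $host }}`), so existing values files fail to render (`.name` on a string); this is a breaking change that needs a README/CHANGELOG entry. The per-host TLS loop emits `secretName: {{ .tlsSecret }}` without checking it is set, so `tls: true` with no `tlsSecret` produces a TLS block that references an empty secret name and the controller falls back to its default certificate; wrap it in `required`. `tls:` is now emitted unconditionally and becomes `null` when no host enables TLS, which the API accepts. Quoting the path with `default "/" .path | quote` is correct.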
{{- if .Values.persistence.pv.enabled -}}
apiVersion: v1
kind: PersistentVolume
metadata:
{{- if .Values.persistence.pv.pvname }}
name: {{ .Values.persistence.pv.pvname }}
{{- else }}
name: {{ include "chartmuseum.fullname" . }}
{{- end }}
labels:
app: {{ include "chartmuseum.fullname" . }}
release: {{ .Release.Name | quote }}
spec:
capacity:
storage: {{ .Values.persistence.pv.capacity.storage }}
accessModes:
- {{ .Values.persistence.pv.accessMode | quote }}
nfs:
server: {{ .Values.persistence.pv.nfs.server }}
path: {{ .Values.persistence.pv.nfs.path | quote }}
{{- end }}
\ No newline at end of file
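Review bot: the PersistentVolume sets neither `persistentVolumeReclaimPolicy` nor `storageClassName`. The reclaim default for a manually created PV is `Retain`, which is the right choice for chart storage, but stating it avoids surprises. The missing class matters for binding: the PVC sets `volumeName` only when `persistence.storageClass` is unset, and on a cluster with a default StorageClass the DefaultStorageClass admission plugin stamps that class onto the claim, so it never binds to this classless PV. `nfs.server` and `nfs.path` render empty when unset; wrap them in `required` so a misconfigured install fails at template time. Minor: `labels.app` uses `chartmuseum.fullname` here while the Deployment labels use `chartmuseum.name`.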
......@@ -6,6 +6,9 @@ metadata:
labels:
app: {{ include "chartmuseum.fullname" . }}
release: {{ .Release.Name | quote }}
{{- if .Values.persistence.labels }}
{{ toYaml .Values.persistence.labels | indent 4 }}
{{- end }}
spec:
accessModes:
- {{ .Values.persistence.accessMode | quote }}
......@@ -18,5 +21,7 @@ spec:
{{- else }}
storageClassName: "{{ .Values.persistence.storageClass }}"
{{- end }}
{{- else if and .Values.persistence.volumeName (.Values.persistence.pv.enabled) }}
volumeName: "{{ .Values.persistence.volumeName }}"
{{- end }}
{{- end }}
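Review bot: the new `else if` branch emits `volumeName` without a `storageClassName`, so on clusters with a default StorageClass the claim receives that class and stays Pending instead of binding to the classless PV from pv.yaml; emit `storageClassName: ""` next to `volumeName`. Nothing ties `persistence.volumeName` to `persistence.pv.pvname` or the release fullname either; defaulting `volumeName` to the name pv.yaml generates would remove a manual step.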
{{- if not .Values.env.existingSecret -}}
apiVersion: v1
kind: Secret
metadata:
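Review bot: guarding the chart's Secret with `not .Values.env.existingSecret` means any `env.secret` values are silently dropped once `existingSecret` is set (the Deployment's `else` branch skips them as well). A one-line comment under `existingSecret` in values.yaml would stop operators from setting both and assuming the two are merged.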
......@@ -15,3 +16,4 @@ data:
{{- end }}
{{- end }}
{{- end }}
{{- end }}
apiVersion: v1
kind: Service
metadata:
{{- if .Values.service.servicename }}
name: {{ .Values.service.servicename }}
{{- else }}
name: {{ include "chartmuseum.fullname" . }}
annotations:
{{ toYaml .Values.service.annotations | indent 4 }}
{{- end }}
labels:
{{ include "chartmuseum.labels.standard" . | indent 4 }}
{{- if .Values.service.labels }}
{{ toYaml .Values.service.labels | indent 4 }}
{{- end }}
{{- if .Values.service.annotations }}
annotations:
{{ toYaml .Values.service.annotations | indent 4 }}
{{- end }}
spec:
type: {{ .Values.service.type }}
{{- if (and (eq .Values.service.type "NodePort") (not (empty .Values.service.nodePort))) }}
externalTrafficPolicy: {{ .Values.service.externalTrafficPolicy }}
{{- end }}
{{- if eq .Values.service.type "ClusterIP" }}
{{- if .Values.service.clusterIP }}
clusterIP: {{ .Values.service.clusterIP }}
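Review bot: `annotations:` is emitted twice when `service.servicename` is unset and `service.annotations` is non-empty: once inside the `else` branch of the name block and again in the new `{{- if .Values.service.annotations }}` block. Duplicate mapping keys are invalid YAML; depending on the parser the manifest is rejected or one copy silently wins. Drop the copy from the `else` branch. Separately, `externalTrafficPolicy` is applied only for `NodePort` with an explicit `nodePort`; `Local` is equally relevant for `LoadBalancer` services, where it preserves client source IPs for access logging.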
......
......@@ -4,12 +4,13 @@ strategy:
rollingUpdate:
maxUnavailable: 0
image:
repository: chartmuseum/chartmuseum
tag: v0.7.1
# repository: chartmuseum/chartmuseum
repository: ranchercharts/chartmuseum-chartmuseum
tag: v0.9.0
pullPolicy: IfNotPresent
env:
open:
# storage backend, can be one of: local, alibaba, amazon, google, microsoft
# storage backend, can be one of: local, alibaba, amazon, google, microsoft, oracle
STORAGE: local
# oss bucket to store charts for alibaba storage backend
STORAGE_ALIBABA_BUCKET:
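Review bot: the image moves from `chartmuseum/chartmuseum` to the `ranchercharts/chartmuseum-chartmuseum` mirror, with the upstream reference kept as a comment. A mirror is a supply-chain trust boundary: document that it is a byte-for-byte copy of upstream `v0.9.0` and consider pinning a digest alongside the tag so a retagged image cannot change what the chart deploys.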
......@@ -46,6 +47,12 @@ env:
STORAGE_OPENSTACK_REGION:
# path to a CA cert bundle for your openstack endpoint
STORAGE_OPENSTACK_CACERT:
# compartment id for for oracle storage backend
STORAGE_ORACLE_COMPARTMENTID:
# oci bucket to store charts for oracle storage backend
STORAGE_ORACLE_BUCKET:
# prefix to store charts for oracle storage backend
STORAGE_ORACLE_PREFIX:
# form field which will be queried for the chart file content
CHART_POST_FORM_FIELD_NAME: chart
# form field which will be queried for the provenance file content
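Review bot: typo in the comment `# compartment id for for oracle storage backend` (doubled "for"). The three `STORAGE_ORACLE_*` entries are consistent with the Deployment's `env.open` loop, which skips empty values, so leaving them blank is safe.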
......@@ -78,6 +85,14 @@ env:
CACHE_REDIS_ADDR:
# Redis database to be selected after connect
CACHE_REDIS_DB: 0
# enable bearer auth
BEARER_AUTH: false
# auth realm used for bearer auth
AUTH_REALM:
# auth service used for bearer auth
AUTH_SERVICE:
field:
# POD_IP: status.podIP
secret:
# username for basic http authentication
BASIC_AUTH_USER:
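Review bot: `BEARER_AUTH: true` only works when `AUTH_REALM` and `AUTH_SERVICE` are filled in and `bearerAuth.secret.enabled` supplies the verification key, and nothing in the chart validates that combination; a `fail` in the Deployment template when `BEARER_AUTH` is true but `bearerAuth.secret.enabled` is false would turn a silent misconfiguration into a template error. The `field:` block with the commented `POD_IP: status.podIP` matches the new `fieldRef` loop.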
......@@ -87,21 +102,31 @@ env:
GOOGLE_CREDENTIALS_JSON:
# Redis requirepass server configuration
CACHE_REDIS_PASSWORD:
# Name of an existing secret to get the secret values from
existingSecret:
# Stores Enviromnt Variable to secret key name mappings
existingSecretMappings:
# username for basic http authentication
BASIC_AUTH_USER:
# password for basic http authentication
BASIC_AUTH_PASS:
# GCP service account json file
GOOGLE_CREDENTIALS_JSON:
# Redis requirepass server configuration
CACHE_REDIS_PASSWORD:
deployment:
## Chartmuseum Deployment annotations
annotations: {}
# name: value
replica:
## Chartmuseum Replicas annotations
annotations: {}
## Read more about kube2iam to provide access to s3 https://github.com/jtblin/kube2iam
# iam.amazonaws.com/role: role-arn
service:
servicename:
type: ClusterIP
externalTrafficPolicy: Local
# clusterIP: None
externalPort: 8080
nodePort:
annotations: {}
labels: {}
resources: {}
# limits:
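Review bot: typo `Enviromnt` in the `existingSecretMappings` comment. The comment should also state the direction of the mapping (environment variable name on the left, key inside the existing secret on the right) and that `env.secret` is ignored once `existingSecret` is set. The new `service.servicename`, `service.labels` and `nodePort` keys line up with service.yaml.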
......@@ -129,7 +154,12 @@ serviceAccount:
create: false
# name:
securityContext: {}
# UID/GID 1000 is the default user "chartmuseum" used in
# the container image starting in v0.8.0 and above. This
# is required for local persistant storage. If your cluster
# does not allow this, try setting securityContext: {}
securityContext:
fsGroup: 1000
nodeSelector: {}
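Review bot: typo `persistant`. `fsGroup: 1000` alone fixes volume ownership but does not stop the container from running as root if the image default ever changes; since the comment already states the image runs as UID 1000 from v0.8.0, add `runAsUser: 1000` and `runAsNonRoot: true` for defense in depth. The fallback advice ("try setting securityContext: {}") silently drops the ownership fix, so mention that local persistence will then fail with permission errors.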
......@@ -141,6 +171,8 @@ persistence:
enabled: false
accessMode: ReadWriteOnce
size: 8Gi
labels: {}
# name: value
## A manually managed Persistent Volume and Claim
## Requires persistence.enabled: true
## If defined, PVC must be created manually before volume will be bound
......@@ -154,6 +186,16 @@ persistence:
## GKE, AWS & OpenStack)
##
# storageClass: "-"
# volumeName:
pv:
enabled: false
pvname:
capacity:
storage: 8Gi
accessMode: ReadWriteOnce
nfs:
server:
path:
## Ingress for load balancer
ingress:
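Review bot: `persistence.pv.nfs.server` and `persistence.pv.nfs.path` default to empty and pv.yaml renders them as-is; pair them with `required` in the template. `persistence.volumeName` is commented out but must equal `pv.pvname` (or the release fullname) for the claim to bind; say so next to the key.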
......@@ -172,18 +214,19 @@ ingress:
## Chartmuseum Ingress hostnames
## Must be provided if Ingress is enabled
##
# hosts:
# chartmuseum.domain.com:
# - /charts
# - /index.yaml
## Chartmuseum Ingress TLS configuration
## Secrets must be manually created in the namespace
##
# tls:
# - secretName: chartmuseum-server-tls
# hosts:
# - chartmuseum.domain.com
# hosts:
# - name: chartmuseum.domain1.com
# path: /
# tls: false
# - name: chartmuseum.domain2.com
# path: /
#
# ## Set this to true in order to enable TLS on the ingress record
# tls: true
#
# ## If TLS is set to true, you must declare what secret will store the key/certificate for TLS
# ## Secrets must be added manually to the namespace
# tlsSecret: chartmuseum.domain2-tls
# Adding secrets to tiller is not a great option, so If you want to use an existing
# secret that contains the json file, you can use the following entries
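Review bot: the commented example now documents the per-host schema (`name`, `path`, `tls`, `tlsSecret`) and drops the old top-level `tls:` list; because this is a breaking values change, the README's ingress section should be updated in the same commit. The example sets `tls: true` only on `chartmuseum.domain2.com`, which is a good illustration that TLS is decided per host.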
......@@ -194,3 +237,16 @@ gcp:
name:
# Secret key that holds the json value.
key: credentials.json
oracle:
secret:
enabled: false
# Name of the secret that contains the encoded config and key
name:
# Secret key that holds the oci config
config: config
# Secret key that holds the oci private key
key_file: key_file
bearerAuth:
secret:
enabled: false
publicKeySecret: chartmuseum-public-key
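Review bot: `oracle.secret.key_file` names the key inside the secret, but the Deployment mounts it as `oci.key`, so the `key_file=` entry inside the mounted OCI config must read `/home/chartmuseum/.oci/oci.key`; document that alongside `config`. `bearerAuth.secret.publicKeySecret` names only the secret, and the template expects a `public-key.pem` entry in it; add a comment or a configurable key name here.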