ChartMuseum

ChartMuseum is an open-source Helm Chart Repository server written in Go (Golang), with support for cloud storage backends, including Google Cloud Storage, Amazon S3, Microsoft Azure Blob Storage, Alibaba Cloud OSS Storage, Openstack Object Storage, Oracle Cloud Infrastructure Object Storage, Baidu Cloud BOS Storage, Tencent Cloud Object Storage, Netease Cloud NOS Storage, DigitalOcean Spaces, Minio, and etcd.

In addition to using ChartMuseum as you regular Helm Chart registry, you can also store your custom KubeVela addons in it.

  1. $ vela addon enable chartmuseum

To customize addon parameters, either:

  • use VelaUX and fill out the form when enabling addon
  • or check out what parameters are available using vela addon status chartmuseum -v, and specify it using vela addon enable chartmuseum externalPort=80

This tutorial will assume you used the default parameters.

After successfully enabling the addon, we need to make sure ChartMuseum is accessible to you by forwarding the default port (8080):

  1. vela port-forward -n vela-system addon-chartmuseum 8080:8080 --address 0.0.0.0

Typically, you would configure ingress (achievable using addon parameters) to make the addon accessible to the outside.

Use your newly created ChartMuseum repository (or any other Helm Chart repository) as an addon registry. We will name it localcm:

  1. $ vela addon registry add localcm --type helm --endpoint=http://localhost:8080
  2. # If username and password is required, you can specify them with --username and --password

You should see it in the list now:

  1. $ vela addon registry list
  2. Name Type URL
  3. ...
  4. localcm helm http://localhost:8080

Prepare your addon. We will create a new one named sample-addon here:

  1. $ vela addon init sample-addon
  2. # A conventional addon directory will be created
  3. # ./sample-addon
  4. # ├── definitions
  5. # ├── metadata.yaml
  6. # ├── readme.md
  7. # ├── resources
  8. # ├── schemas
  9. # └── template.yaml

(Optional) Package your addon:

Feel free to skip ahead. We will do this automatically for you if you don’t want to package it manually.

  1. $ vela addon package sample-addon
  2. # You should see a package named sample-addon-1.0.0.tgz

Push your addon (sample-addon) to the registry (localcm) that you just added:

  1. # Notice how we automatically package the addon for you.
  2. $ vela addon push sample-addon localcm
  3. Pushing sample-addon-1.0.0.tgz to localcm(http://localhost:8080)... Done
  4. # If you packaged it yourself, just replace `sample-addon` with `sample-addon-1.0.0.tgz`
  5. # In addition to registry names (localcm, as we saw earlier), URLs are also supported.
  6. # If you use URLs, you don't even have to add it as an addon registry.
  7. $ vela addon push sample-addon-1.0.0.tgz http://localhost:8080 -f
  8. Pushing sample-addon-1.0.0.tgz to http://localhost:8080... Done
  9. # Notice the `-f` option.
  10. # This is because we already pushed the exact same addon to the same registry earlier.
  11. # We need to use `-f` to overwrite it.

Your addon is available in the registry now!

  1. $ vela addon list
  2. NAME REGISTRY DESCRIPTION AVAILABLE-VERSIONS STATUS
  3. ...
  4. sample-addon localcm An addon for KubeVela. [1.0.0] disabled

Warning: to prevent anonymous uploads, do any of the following:

  • set disableAPI to true
  • enable authentication

By default this addon does not have any authentication configured and allows anyone to fetch or upload charts (unless the API is disabled with disableAPI).

To enable Basic Auth to protect APIs, configure basicAuth parameters:

  1. // +usage=Basic auth settings
  2. basicAuth: {
  3. // +usage=Username for basic http authentication
  4. username: "user"
  5. // +usage=Password for basic http authentication
  6. password: "pswd"
  7. }

By default ChartMuseum uses local filesystem storage. But on pod recreation it will lose all charts, to prevent that, enable persistent storage.

  1. enablePersistence: true
  2. persistentSize: "8Gi"

Make sure your environment is properly setup to access my-oss-bucket.

To do so, you must set the following parameters:

  • accessKeyID
  • accessKeySecret
  1. // +usage=Storage backend, can be one of: local(default), alibaba, amazon, google, microsoft
  2. storge: "alibaba"
  3. // +usage=Alibaba Cloud storage backend settings
  4. alibaba: {
  5. // +usage=OSS bucket to store charts for alibaba storage backend, e.g. my-oss-bucket
  6. bucket: "my-oss-bucket"
  7. // +usage=OSS endpoint to store charts for alibaba storage backend, e.g. oss-cn-beijing.aliyuncs.com
  8. endpoint: "oss-cn-beijing.aliyuncs.com"
  9. // +usage=Alibaba OSS access key id
  10. accessKeyID: "accessKeyID"
  11. // +usage=Alibaba OSS access key secret
  12. accessKeySecret: "accessKeySecret"
  13. }

Make sure your environment is properly setup to access mycontainer.

To do so, you must set the following parameters:

  • account
  • accessKey

Specify custom.yaml with such values

  1. // +usage=Storage backend, can be one of: local(default), alibaba, amazon, google, microsoft
  2. storage: "microsoft"
  3. // +usage=Microsoft Azure storage backend settings
  4. microsoft: {
  5. // +usage=Container to store charts for microsoft storage backend
  6. container: "mycontainer"
  7. // +usage=Azure storage account
  8. account: "account"
  9. // +usage=Azure storage account access key
  10. accessKey: "key"
  11. }
  1. // +usage=Storage backend, can be one of: local(default), alibaba, amazon, google, microsoft
  2. storage: "google"
  3. // +usage=GCP storage backend settings
  4. google: {
  5. // +usage=GCS bucket to store charts for google storage backend, e.g. my-gcs-bucket
  6. bucket: "my-gcs-bucket"
  7. // +usage=GCP service account json file
  8. googleCredentialsJSON: "json"
  9. }

Make sure your environment is properly setup to access my-s3-bucket

You need at least the following permissions inside your IAM Policy

  1. {
  2. "Version": "2012-10-17",
  3. "Statement": [
  4. {
  5. "Sid": "AllowListObjects",
  6. "Effect": "Allow",
  7. "Action": [
  8. "s3:ListBucket"
  9. ],
  10. "Resource": "arn:aws:s3:::my-s3-bucket"
  11. },
  12. {
  13. "Sid": "AllowObjectsCRUD",
  14. "Effect": "Allow",
  15. "Action": [
  16. "s3:DeleteObject",
  17. "s3:GetObject",
  18. "s3:PutObject"
  19. ],
  20. "Resource": "arn:aws:s3:::my-s3-bucket/*"
  21. }
  22. ]
  23. }

Grant permissions to special user and use it’s access keys for auth on aws

  1. // +usage=Storage backend, can be one of: local(default), alibaba, amazon, google, microsoft
  2. storage: "amazon"
  3. // +usage=AWS storage backend settings
  4. amazon: {
  5. // +usage=S3 bucket to store charts for amazon storage backend, e.g. my-s3-bucket
  6. bucket: "my-s3-bucket"
  7. // +usage=Region of s3 bucket to store charts, e.g. us-east-1
  8. region: "us-east-1"
  9. // +usage=AWS access key id
  10. accessKeyID: "keyid"
  11. // +usage=AWS access key secret
  12. accessKeySecret: "secret"
  13. }

Last updated on Aug 4, 2023 by Daniel Higuero