我的书签
添加书签
移除书签Configuring custom Helm chart repositories
The Developer Catalog, in the Developer perspective of the web console, displays the Helm charts available in the cluster. By default, it lists the Helm charts from the Red Hat Helm chart repository. For a list of the charts see the Red Hat Helm index file.
As a cluster administrator, you can add multiple Helm chart repositories, apart from the default one, and display the Helm charts from these repositories in the Developer Catalog.
Adding custom Helm chart repositories
You can add custom Helm chart repositories to your cluster, and enable access to the Helm charts from these repositories in the Developer Catalog.
Procedure
To add a new Helm Chart Repository, you must add the Helm Chart Repository custom resource (CR) to your cluster.
Sample Helm Chart Repository CR
apiVersion: helm.openshift.io/v1beta1kind: HelmChartRepositorymetadata:name: <name>spec:# optional name that might be used by console# name: <chart-display-name>connectionConfig:url: <helm-chart-repository-url>
For example, to add an Azure sample chart repository, run:
$ cat <<EOF | oc apply -f -apiVersion: helm.openshift.io/v1beta1kind: HelmChartRepositorymetadata:name: azure-sample-repospec:name: azure-sample-repoconnectionConfig:url: https://raw.githubusercontent.com/Azure-Samples/helm-charts/master/docsEOF
Navigate to the Developer Catalog in the web console to verify that the helm charts from the Azure chart repository are displayed.
Creating credentials and CA certificates to add Helm chart repositories
Some Helm chart repositories need credentials and custom certificate authority (CA) certificates to connect to it. You can use the web console as well as the CLI to add credentials and certificates.
Procedure
To configure the credentials and certificates, and then add a Helm chart repository using the CLI:
In the
openshift-confignamespace, create aConfigMapobject with a custom CA certificate in PEM encoded format, and store it under theca-bundle.crtkey within the config map:$ oc create configmap helm-ca-cert \--from-file=ca-bundle.crt=/path/to/certs/ca.crt \-n openshift-config
In the
openshift-confignamespace, create aSecretobject to add the client TLS configurations:$ oc create secret generic helm-tls-configs \--from-file=tls.crt=/path/to/certs/client.crt \--from-file=tls.key=/path/to/certs//client.key \-n openshift-config
Note that the client certificate and key must be in PEM encoded format and stored under the keys
tls.crtandtls.key, respectively.Add the Helm repository as follows:
$ cat <<EOF | oc apply -f -apiVersion: helm.openshift.io/v1beta1kind: HelmChartRepositorymetadata:name: <helm-repository>spec:name: <helm-repository>connectionConfig:url: <URL for the Helm repository>tlsConfig:name: helm-tls-configsca:name: helm-ca-certEOF
The
ConfigMapandSecretare consumed in the HelmChartRepository CR using thetlsConfigandcafields. These certificates are used to connect to the Helm repository URL.By default, all authenticated users have access to all configured charts. However, for chart repositories where certificates are needed, you must provide users with read access to the
helm-ca-certconfig map andhelm-tls-configssecret in theopenshift-confignamespace, as follows:$ cat <<EOF | kubectl apply -f -apiVersion: rbac.authorization.k8s.io/v1kind: Rolemetadata:namespace: openshift-configname: helm-chartrepos-tls-conf-viewerrules:- apiGroups: [""]resources: ["configmaps"]resourceNames: ["helm-ca-cert"]verbs: ["get"]- apiGroups: [""]resources: ["secrets"]resourceNames: ["helm-tls-configs"]verbs: ["get"]---kind: RoleBindingapiVersion: rbac.authorization.k8s.io/v1metadata:namespace: openshift-configname: helm-chartrepos-tls-conf-viewersubjects:- kind: GroupapiGroup: rbac.authorization.k8s.ioname: 'system:authenticated'roleRef:apiGroup: rbac.authorization.k8s.iokind: Rolename: helm-chartrepos-tls-conf-viewerEOF
