# ⚠️ Repo Archive Notice As of Nov 13, 2020, charts in this repo will no longer be updated. For more information, see the Helm Charts [Deprecation and Archive Notice](https://github.com/helm/charts#%EF%B8%8F-deprecation-and-archive-notice), and [Update](https://helm.sh/blog/charts-repo-deprecation/). # ChartMuseum Helm Chart Deploy your own private ChartMuseum. Please also see https://github.com/kubernetes-helm/chartmuseum ## DEPRECATION NOTICE This chart is deprecated and no longer supported. ## Table of Content - [ChartMuseum Helm Chart](#chartmuseum-helm-chart) - [Table of Content](#table-of-content) - [Prerequisites](#prerequisites) - [Configuration](#configuration) - [Installation](#installation) - [Using with Amazon S3](#using-with-amazon-s3) - [permissions grant with access keys](#permissions-grant-with-access-keys) - [permissions grant with IAM instance profile](#permissions-grant-with-iam-instance-profile) - [permissions grant with IAM assumed role](#permissions-grant-with-iam-assumed-role) - [permissions grant with IAM Roles for Service Accounts](#permissions-grant-with-iam-roles-for-service-accounts) - [Using with Google Cloud Storage](#using-with-google-cloud-storage) - [Using with Google Cloud Storage and a Google Service Account](#using-with-google-cloud-storage-and-a-google-service-account) - [Using with Microsoft Azure Blob Storage](#using-with-microsoft-azure-blob-storage) - [Using with Alibaba Cloud OSS Storage](#using-with-alibaba-cloud-oss-storage) - [Using with Openstack Object Storage](#using-with-openstack-object-storage) - [Using with Oracle Object Storage](#using-with-oracle-object-storage) - [Using an existing secret](#using-an-existing-secret) - [Using with local filesystem storage](#using-with-local-filesystem-storage) - [Setting local storage permissions with initContainers](#setting-local-storage-permissions-with-initcontainers) - [Example storage class](#example-storage-class) - [Authentication](#authentication) - [Basic Authentication](#basic-authentication) - [Bearer/Token auth](#bearertoken-auth) - [Ingress](#ingress) - [Hosts](#hosts) - [Extra Paths](#extra-paths) - [Annotations](#annotations) - [Example Ingress configuration](#example-ingress-configuration) - [Uninstall](#uninstall) ## Prerequisites * [If enabled] A persistent storage resource and RW access to it * [If enabled] Kubernetes StorageClass for dynamic provisioning ## Configuration By default this chart will not have persistent storage, and the API service will be *DISABLED*. This protects against unauthorized access to the API with default configuration values. In addition, by default, pod `securityContext.fsGroup` is set to `1000`. This is the user/group that the ChartMuseum container runs as, and is used to enable local persitant storage. If your cluster has DenySecurityContext enabled, you can set `securityContext` to `{}` and still use this chart with one of the cloud storage options. For a more robust solution supply helm install with a custom values.yaml You are also required to create the StorageClass resource ahead of time: ``` kubectl create -f /path/to/storage_class.yaml ``` The following table lists common configurable parameters of the chart and their default values. See values.yaml for all available options. | Parameter | Description | Default | | --------------------------------------- | --------------------------------------------------------------------------- | ------------------------------------ | | `image.pullPolicy` | Container pull policy | `IfNotPresent` | | `image.repository` | Container image to use | `chartmuseum/chartmuseum` | | `image.tag` | Container image tag to deploy | `v0.12.0` | | `persistence.accessMode` | Access mode to use for PVC | `ReadWriteOnce` | | `persistence.enabled` | Whether to use a PVC for persistent storage | `false` | | `persistence.path` | PV mount path | `/storage` | | `persistence.size` | Amount of space to claim for PVC | `8Gi` | | `persistence.labels` | Additional labels for PVC | `{}` | | `persistence.storageClass` | Storage Class to use for PVC | `-` | | `persistence.volumeName` | Volume to use for PVC | `` | | `persistence.pv.enabled` | Whether to use a PV for persistent storage | `false` | | `persistence.pv.capacity.storage` | Storage size to use for PV | `8Gi` | | `persistence.pv.accessMode` | Access mode to use for PV | `ReadWriteOnce` | | `persistence.pv.nfs.server` | NFS server for PV | `` | | `persistence.pv.nfs.path` | Storage Path | `` | | `persistence.pv.pvname` | Custom name for private volume | `` | | `volumePermissions.image.registry` | Init container volume-permissions image registry | `docker.io` | | `volumePermissions.image.repository` | Init container volume-permissions image name | `bitnami/minideb` | | `volumePermissions.image.tag` | Init container volume-permissions image tag | `buster` | | `volumePermissions.image.pullPolicy` | Init container volume-permissions image pull policy | `Always` | | `replicaCount` | k8s replicas | `1` | | `resources.limits.cpu` | Container maximum CPU | `100m` | | `resources.limits.memory` | Container maximum memory | `128Mi` | | `resources.requests.cpu` | Container requested CPU | `80m` | | `resources.requests.memory` | Container requested memory | `64Mi` | | `secret.labels` | Additional labels for secret | `false` | | `serviceAccount.create` | If true, create the service account | `false` | | `serviceAccount.name` | Name of the serviceAccount to create or use | `{{ chartmuseum.fullname }}` | | `serviceAccount.annotations` | Additional Service Account annotations | `{}` | | `securityContext.enabled` | Enable securityContext | `true` | | `securityContext.fsGroup` | Group ID for the container | `1000` | | `securityContext.runAsNonRoot` | Running Pods as non-root | `` | | `securityContext.supplementalGroups` | Control which group IDs containers add | `` | | `containerSecurityContext` | Additional Container securityContext (ex. allowPrivilegeEscalation) | `{}` | | `priorityClassName ` | priorityClassName | `""` | | `nodeSelector` | Map of node labels for pod assignment | `{}` | | `tolerations` | List of node taints to tolerate | `[]` | | `affinity` | Map of node/pod affinities | `{}` | | `schedulerName` | Kubernetes scheduler to use | `default` | | `env.open.STORAGE` | Storage Backend to use | `local` | | `env.open.STORAGE_ALIBABA_BUCKET` | Bucket to store charts in for Alibaba | `` | | `env.open.STORAGE_ALIBABA_PREFIX` | Prefix to store charts under for Alibaba | `` | | `env.open.STORAGE_ALIBABA_ENDPOINT` | Alternative Alibaba endpoint | `` | | `env.open.STORAGE_ALIBABA_SSE` | Server side encryption algorithm to use | `` | | `env.open.STORAGE_AMAZON_BUCKET` | Bucket to store charts in for AWS | `` | | `env.open.STORAGE_AMAZON_ENDPOINT` | Alternative AWS endpoint | `` | | `env.open.STORAGE_AMAZON_PREFIX` | Prefix to store charts under for AWS | `` | | `env.open.STORAGE_AMAZON_REGION` | Region to use for bucket access for AWS | `` | | `env.open.STORAGE_AMAZON_SSE` | Server side encryption algorithm to use | `` | | `env.open.STORAGE_GOOGLE_BUCKET` | Bucket to store charts in for GCP | `` | | `env.open.STORAGE_GOOGLE_PREFIX` | Prefix to store charts under for GCP | `` | | `env.open.STORAGE_MICROSOFT_CONTAINER` | Container to store charts under for MS | `` | | `env.open.STORAGE_MICROSOFT_PREFIX` | Prefix to store charts under for MS | `` | | `env.open.STORAGE_OPENSTACK_CONTAINER` | Container to store charts for openstack | `` | | `env.open.STORAGE_OPENSTACK_PREFIX` | Prefix to store charts for openstack | `` | | `env.open.STORAGE_OPENSTACK_REGION` | Region of openstack container | `` | | `env.open.STORAGE_OPENSTACK_CACERT` | Path to a CA cert bundle for openstack | `` | | `env.open.STORAGE_ORACLE_COMPARTMENTID` | Compartment ID for Oracle Object Store | `` | | `env.open.STORAGE_ORACLE_BUCKET` | Bucket to store charts in Oracle Object Store | `` | | `env.open.STORAGE_ORACLE_PREFIX` | Prefix to store charts for Oracle object Store | `` | | `env.open.CHART_POST_FORM_FIELD_NAME` | Form field to query for chart file content | `` | | `env.open.PROV_POST_FORM_FIELD_NAME` | Form field to query for chart provenance | `` | | `env.open.DEPTH` | levels of nested repos for multitenancy. | `0` | | `env.open.DEBUG` | Show debug messages | `false` | | `env.open.LOG_JSON` | Output structured logs in JSON | `true` | | `env.open.DISABLE_STATEFILES` | Disable use of index-cache.yaml | `false` | | `env.open.DISABLE_METRICS` | Disable Prometheus metrics | `true` | | `env.open.DISABLE_API` | Disable all routes prefixed with /api | `true` | | `env.open.ALLOW_OVERWRITE` | Allow chart versions to be re-uploaded | `false` | | `env.open.CHART_URL` | Absolute url for .tgzs in index.yaml | `` | | `env.open.AUTH_ANONYMOUS_GET` | Allow anon GET operations when auth is used | `false` | | `env.open.CONTEXT_PATH` | Set the base context path | `` | | `env.open.INDEX_LIMIT` | Parallel scan limit for the repo indexer | `` | | `env.open.CACHE` | Cache store, can be one of: redis | `` | | `env.open.CACHE_REDIS_ADDR` | Address of Redis service (host:port) | `` | | `env.open.CACHE_REDIS_DB` | Redis database to be selected after connect | `0` | | `env.open.BEARER_AUTH` | Enable bearer auth | `false` | | `env.open.AUTH_REALM` | Realm used for bearer authentication | `` | | `env.open.AUTH_SERVICE` | Service used for bearer authentication | `` | | `env.field` | Expose pod information to containers through environment variables | `` | | `env.existingSecret` | Name of the existing secret use values | `` | | `env.existingSecret.BASIC_AUTH_USER` | Key name in the secret for the Username | `` | | `env.existingSecret.BASIC_AUTH_PASS` | Key name in the secret for the Password | `` | | `env.secret.BASIC_AUTH_USER` | Username for basic HTTP authentication | `` | | `env.secret.BASIC_AUTH_PASS` | Password for basic HTTP authentication | `` | | `env.secret.CACHE_REDIS_PASSWORD` | Redis requirepass server configuration | `` | | `extraArgs` | Pass extra arguments to the chartmuseum binary | `` | | `gcp.secret.enabled` | Flag for the GCP service account | `false` | | `gcp.secret.name` | Secret name for the GCP json file | `` | | `gcp.secret.key` | Secret key for te GCP json file | `credentials.json` | | `oracle.secret.enabled` | Flag for Oracle OCI account | `false` | | `oracle.secret.name` | Secret name for OCI config and key | `` | | `oracle.secret.config` | Secret key that holds the OCI config | `config` | | `oracle.secret.key_file` | Secret key that holds the OCI private key | `key_file` | | `bearerAuth.secret.enabled` | Flag for bearer auth public key secret | `` | | `bearerAuth.secret.publicKey` | The name of the secret with the public key | `` | | `service.type` | Kubernetes Service type | `ClusterIP` | | `service.clusterIP` | Static clusterIP or None for headless services | `nil` | | `service.externalTrafficPolicy` | Source IP preservation (only for Service type NodePort and LoadBalancer) | `Local` | | `service.loadBalancerSourceRanges` | Restricts access for LoadBalancer (only for Service type LoadBalancer) | `[]` | | `service.servicename` | Custom name for service | `` | | `service.labels` | Additional labels for service | `{}` | | `serviceMonitor.enabled` | Enable the ServiceMontor resource to be deployed | `false` | | `serviceMonitor.labels` | Labels for the servicemonitor used by the Prometheus Operator | `{}` | | `serviceMonitor.namespace` | Namespace of the ServiceMonitor resource | `{{ .Release.Namespace }}` | | `serviceMonitor.metricsPath` | Path to the Chartmuseum metrics path | `/metrics` | | `serviceMonitor.interval` | Scrape interval, If not set, the Prometheus default scrape interval is used | `nil` | | `serviceMonitor.timeout` | Scrape request timeout. If not set, the Prometheus default timeout is used | `nil` | | `deployment.labels` | Additional labels for deployment | `{}` | | `deployment.matchlabes` | Match labels for deployment selector | `{}` | | `ingress.enabled` | Enable ingress controller resource | `false` | | `ingress.annotations` | Ingress annotations | `[]` | | `ingress.labels` | Ingress labels | `[]` | | `ingress.hosts[0].name` | Hostname for the ingress | `` | | `ingress.hosts[0].path` | Path within the url structure | `` | | `ingress.hosts[0].tls ` | Enable TLS on the ingress host | `false` | | `ingress.hosts[0].tlsSecret` | TLS secret to use (must be manually created) | `` | | `ingress.hosts[0].serviceName` | The name of the service to route traffic to. | `{{ .Values.service.externalPort }}` | | `ingress.hosts[0].servicePort` | The port of the service to route traffic to. | `{{ .chartmuseum. }}` | | `ingress.extraPaths[0].path` | Path within the url structure. | `` | | `ingress.extraPaths[0].service` | The name of the service to route traffic to. | `` | | `ingress.extraPaths[0].port` | The port of the service to route traffic to. | `` | Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. ## Installation ```shell helm install --name my-chartmuseum -f custom.yaml stable/chartmuseum ``` ### Using with Amazon S3 Make sure your environment is properly setup to access `my-s3-bucket` You need at least the following permissions inside your IAM Policy ```yaml { "Version": "2012-10-17", "Statement": [ { "Sid": "AllowListObjects", "Effect": "Allow", "Action": [ "s3:ListBucket" ], "Resource": "arn:aws:s3:::my-s3-bucket" }, { "Sid": "AllowObjectsCRUD", "Effect": "Allow", "Action": [ "s3:DeleteObject", "s3:GetObject", "s3:PutObject" ], "Resource": "arn:aws:s3:::my-s3-bucket/*" } ] } ``` You can grant it to `chartmuseum` by several ways: #### permissions grant with access keys Grant permissions to `special user` and us it's access keys for auth on aws Specify `custom.yaml` with such values ```yaml env: open: STORAGE: amazon STORAGE_AMAZON_BUCKET: my-s3-bucket STORAGE_AMAZON_PREFIX: STORAGE_AMAZON_REGION: us-east-1 secret: AWS_ACCESS_KEY_ID: "********" ## aws access key id value AWS_SECRET_ACCESS_KEY: "********" ## aws access key secret value ``` Run command to install ```shell helm install --name my-chartmuseum -f custom.yaml stable/chartmuseum ``` #### permissions grant with IAM instance profile You can grant permissions to k8s node IAM instance profile. For more information read this [article](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2.html) Specify `custom.yaml` with such values ```yaml env: open: STORAGE: amazon STORAGE_AMAZON_BUCKET: my-s3-bucket STORAGE_AMAZON_PREFIX: STORAGE_AMAZON_REGION: us-east-1 ``` Run command to install ```shell helm install --name my-chartmuseum -f custom.yaml stable/chartmuseum ``` #### permissions grant with IAM assumed role To provide access with assumed role you need to install [kube2iam](https://github.com/kubernetes/charts/tree/master/stable/kube2iam) and create role with granded permissions. Specify `custom.yaml` with such values ```yaml env: open: STORAGE: amazon STORAGE_AMAZON_BUCKET: my-s3-bucket STORAGE_AMAZON_PREFIX: STORAGE_AMAZON_REGION: us-east-1 replica: annotations: iam.amazonaws.com/role: "{assumed role name}" ``` Run command to install ```shell helm install --name my-chartmuseum -f custom.yaml stable/chartmuseum ``` #### permissions grant with IAM Roles for Service Accounts For Amazon EKS clusters, access can be provided with a service account using [IAM Roles for Service Accounts](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html). Specify `custom.yaml` with such values ```yaml env: open: STORAGE: amazon STORAGE_AMAZON_BUCKET: my-s3-bucket STORAGE_AMAZON_PREFIX: STORAGE_AMAZON_REGION: us-east-1 serviceAccount: create: true annotations: eks.amazonaws.com/role-arn: "arn:aws:iam::{aws account ID}:role/{assumed role name}" ``` Run command to install ```shell helm install --name my-chartmuseum -f custom.yaml stable/chartmuseum ``` ### Using with Google Cloud Storage Make sure your environment is properly setup to access `my-gcs-bucket` Specify `custom.yaml` with such values ```yaml env: open: STORAGE: google STORAGE_GOOGLE_BUCKET: my-gcs-bucket STORAGE_GOOGLE_PREFIX: ``` ### Using with Google Cloud Storage and a Google Service Account A Google service account credentials are stored in a json file. There are two approaches here. Ideally you don't want to send your secrets to tiller. In that case, before installing this chart, you should create a secret with those credentials: ```shell kubectl create secret generic chartmuseum-secret --from-file=credentials.json="my-project-45e35d85a593.json" ``` Then you can either use a `VALUES` yaml with your values or set those values in the command line: ```shell helm install stable/chartmuseum --debug --set gcp.secret.enabled=true,env.open.STORAGE=google,env.open.DISABLE_API=false,env.open.STORAGE_GOOGLE_BUCKET=my-gcp-chartmuseum,gcp.secret.name=chartmuseum-secret ``` If you prefer to use a yaml file: ```yaml env: open: STORAGE: google STORAGE_GOOGLE_BUCKET: my-gcs-bucket STORAGE_GOOGLE_PREFIX: gcp: secret: enabled: true name: chartmuseum-secret key: credentials.json ``` Run command to install ```shell helm install --name my-chartmuseum -f custom.yaml stable/chartmuseum ``` In case that you don't mind adding your secret to tiller (you shouldn't do it), this are the commands ```yaml env: open: STORAGE: google STORAGE_GOOGLE_BUCKET: my-gcs-bucket STORAGE_GOOGLE_PREFIX: secret: GOOGLE_CREDENTIALS_JSON: my-json-file-base64-encoded gcp: secret: enabled: true ``` Run command to install ```shell helm install --name my-chartmuseum -f custom.yaml stable/chartmuseum ``` To set the values directly in the command line, use the following command. Note that we have to base64 encode the json file because we cannot pass a multi-line text as a value. ```shell export JSONKEY=$(cat my-project-77e35d85a593.json | base64) helm install stable/chartmuseum --debug --set gcp.secret.enabled=true,env.secret.GOOGLE_CREDENTIALS_JSON=${JSONKEY},env.open.STORAGE=google,env.open.DISABLE_API=false,env.open.STORAGE_GOOGLE_BUCKET=my-gcp-chartmuseum ``` ### Using with Microsoft Azure Blob Storage Make sure your environment is properly setup to access `mycontainer`. To do so, you must set the following env vars: - `AZURE_STORAGE_ACCOUNT` - `AZURE_STORAGE_ACCESS_KEY` Specify `custom.yaml` with such values ```yaml env: open: STORAGE: microsoft STORAGE_MICROSOFT_CONTAINER: mycontainer # prefix to store charts for microsoft storage backend STORAGE_MICROSOFT_PREFIX: secret: AZURE_STORAGE_ACCOUNT: "********" ## azure storage account AZURE_STORAGE_ACCESS_KEY: "********" ## azure storage account access key ``` Run command to install ```shell helm install --name my-chartmuseum -f custom.yaml stable/chartmuseum ``` ### Using with Alibaba Cloud OSS Storage Make sure your environment is properly setup to access `my-oss-bucket`. To do so, you must set the following env vars: - `ALIBABA_CLOUD_ACCESS_KEY_ID` - `ALIBABA_CLOUD_ACCESS_KEY_SECRET` Specify `custom.yaml` with such values ```yaml env: open: STORAGE: alibaba STORAGE_ALIBABA_BUCKET: my-oss-bucket STORAGE_ALIBABA_PREFIX: STORAGE_ALIBABA_ENDPOINT: oss-cn-beijing.aliyuncs.com secret: ALIBABA_CLOUD_ACCESS_KEY_ID: "********" ## alibaba OSS access key id ALIBABA_CLOUD_ACCESS_KEY_SECRET: "********" ## alibaba OSS access key secret ``` Run command to install ```shell helm install --name my-chartmuseum -f custom.yaml stable/chartmuseum ``` ### Using with Openstack Object Storage Make sure your environment is properly setup to access `mycontainer`. To do so, you must set the following env vars (depending on your openstack version): - `OS_AUTH_URL` - either `OS_PROJECT_NAME` or `OS_TENANT_NAME` or `OS_PROJECT_ID` or `OS_TENANT_ID` - either `OS_DOMAIN_NAME` or `OS_DOMAIN_ID` - either `OS_USERNAME` or `OS_USERID` - `OS_PASSWORD` Specify `custom.yaml` with such values ```yaml env: open: STORAGE: openstack STORAGE_OPENSTACK_CONTAINER: mycontainer STORAGE_OPENSTACK_PREFIX: STORAGE_OPENSTACK_REGION: YOURREGION secret: OS_AUTH_URL: https://myauth.url.com/v2.0/ OS_TENANT_ID: yourtenantid OS_USERNAME: yourusername OS_PASSWORD: yourpassword ``` Run command to install ```shell helm install --name my-chartmuseum -f custom.yaml stable/chartmuseum ``` ### Using with Oracle Object Storage Oracle (OCI) configuration and private key need to be added to a secret and are mounted at /home/chartmuseum/.oci. Your OCI config needs to be under [DEFAULT] and your `key_file` needs to be /home/chartmuseum/.oci/oci.key. See https://docs.cloud.oracle.com/iaas/Content/API/Concepts/sdkconfig.htm ```shell kubectl create secret generic chartmuseum-secret --from-file=config=".oci/config" --from-file=key_file=".oci/oci.key" ``` Then you can either use a `VALUES` yaml with your values or set those values in the command line: ```shell helm install stable/chartmuseum --debug --set env.open.STORAGE=oracle,env.open.STORAGE_ORACLE_COMPARTMENTID=ocid1.compartment.oc1..abc123,env.open.STORAGE_ORACLE_BUCKET=myocibucket,env.open.STORAGE_ORACLE_PREFIX=chartmuseum,oracle.secret.enabled=true,oracle.secret.name=chartmuseum-secret ``` If you prefer to use a yaml file: ```yaml env: open: STORAGE: oracle STORAGE_ORACLE_COMPARTMENTID: ocid1.compartment.oc1..abc123 STORAGE_ORACLE_BUCKET: myocibucket STORAGE_ORACLE_PREFIX: chartmuseum oracle: secret: enabled: enabled name: chartmuseum-secret config: config key_file: key_file ``` Run command to install ```shell helm install --name my-chartmuseum -f custom.yaml stable/chartmuseum ``` ### Using an existing secret It is possible to pre-create a secret in kubernetes and get this chart to use that Given you are for example using the above AWS example You could create a Secret like this ```shell kubectl create secret generic chartmuseum-secret --from-literal="aws-access-key=myaccesskey" --from-literal="aws-secret-access-key=mysecretaccesskey" --from-literal="basic-auth-user=curator" --from-literal="basic-auth-pass=mypassword" ``` Specify `custom.yaml` with such values ```yaml env: open: STORAGE: amazonexistingSecret STORAGE_AMAZON_BUCKET: my-s3-bucket STORAGE_AMAZON_PREFIX: STORAGE_AMAZON_REGION: us-east-1 existingSecret: chartmuseum-secret existingSecretMappings: AWS_ACCESS_KEY_ID: aws-access-key AWS_SECRET_ACCESS_KEY: aws-secret-access-key BASIC_AUTH_USER: basic-auth-user BASIC_AUTH_PASS: basic-auth-pass ``` Run command to install ```shell helm install --name my-chartmuseum -f custom.yaml stable/chartmuseum ``` ### Using with local filesystem storage By default chartmuseum uses local filesystem storage. But on pod recreation it will lose all charts, to prevent that enable persistent storage. ```yaml env: open: STORAGE: local persistence: enabled: true accessMode: ReadWriteOnce size: 8Gi ## A manually managed Persistent Volume and Claim ## Requires persistence.enabled: true ## If defined, PVC must be created manually before volume will be bound # existingClaim: ## Chartmuseum data Persistent Volume Storage Class ## If defined, storageClassName: ## If set to "-", storageClassName: "", which disables dynamic provisioning ## If undefined (the default) or set to null, no storageClassName spec is ## set, choosing the default provisioner. (gp2 on AWS, standard on ## GKE, AWS & OpenStack) ## # storageClass: "-" ``` Run command to install ```shell helm install --name my-chartmuseum -f custom.yaml stable/chartmuseum ``` ### Setting local storage permissions with initContainers Some clusters do not allow using securityContext to set permissions for persistent volumes. Instead, an initContainer can be created to run `chown` on the mounted volume. To enable it, set `securityContext.enabled` to `false`. #### Example storage class Example storage-class.yaml provided here for use with a Ceph cluster. ``` kind: StorageClass apiVersion: storage.k8s.io/v1 metadata: name: storage-volume provisioner: kubernetes.io/rbd parameters: monitors: "10.11.12.13:4567,10.11.12.14:4567" adminId: admin adminSecretName: thesecret adminSecretNamespace: default pool: chartstore userId: user userSecretName: thesecret ``` ### Authentication By default this chart does not have any authentication configured and allows anyone to fetch or upload (assuming the API is enabled) charts there are two supported methods of authentication #### Basic Authentication This allows all API routes to be protected by HTTP basic auth, this is configured either as plain text in the values that gets stored as a secret in the kubernetes cluster by setting: ```yaml env: secret: BASIC_AUTH_USER: curator BASIC_AUTH_PASS: mypassword ``` Or by using values from an existing secret in the cluster that can be created using: ```shell kubectl create secret generic chartmuseum-secret --from-literal="basic-auth-user=curator" --from-literal="basic-auth-pass=mypassword" ``` This secret can be used in the values file as follows: ```yaml env: existingSecret: chartmuseum-secret existingSecretMappings: BASIC_AUTH_USER: basic-auth-user BASIC_AUTH_PASS: basic-auth-pass ``` #### Bearer/Token auth When using this ChartMuseum is configured with a public key, and will accept RS256 JWT tokens signed by the associated private key, passed in the Authorization header. You can use the [chartmuseum/auth](https://github.com/chartmuseum/auth) Go library to generate valid JWT tokens. For more information about how this works, please see [chartmuseum/auth-server-example](https://github.com/chartmuseum/auth-server-example) To use this the public key should be stored in a secret this can be done with ```shell kubectl create secret generic chartmuseum-public-key --from-file=public-key.pem ``` And Bearer/Token auth can be configured using the following values ```yaml env: open: BEARER_AUTH: true AUTH_REALM: AUTH_SERVICE: bearerAuth: secret: enabled: true publicKeySecret: chartmuseum-public-key ``` ### Ingress This chart provides support for ingress resources. If you have an ingress controller installed on your cluster, such as [nginx-ingress](https://hub.kubeapps.com/charts/stable/nginx-ingress) or [traefik](https://hub.kubeapps.com/charts/stable/traefik) you can utilize the ingress controller to expose Kubeapps. To enable ingress integration, please set `ingress.enabled` to `true` #### Hosts Most likely you will only want to have one hostname that maps to this Chartmuseum installation, however, it is possible to have more than one host. To facilitate this, the `ingress.hosts` object is an array. TLS secrets referenced in the ingress host configuration must be manually created in the namespace. In most cases, you should not specify values for `ingress.hosts[0].serviceName` and `ingress.hosts[0].servicePort`. However, some ingress controllers support advanced scenarios requiring you to specify these values. For example, [setting up an SSL redirect using the AWS ALB Ingress Controller](https://kubernetes-sigs.github.io/aws-alb-ingress-controller/guide/tasks/ssl_redirect/). #### Extra Paths Specifying extra paths to prepend to every host configuration is especially useful when configuring [custom actions with AWS ALB Ingress Controller](https://kubernetes-sigs.github.io/aws-alb-ingress-controller/guide/ingress/annotation/#actions). ```shell helm install --name my-chartmuseum stable/chartmuseum \ --set ingress.enabled=true \ --set ingress.hosts[0].name=chartmuseum.domain.com \ --set ingress.extraPaths[0].service=ssl-redirect \ --set ingress.extraPaths[0].port=use-annotation \ ``` #### Annotations For annotations, please see [this document for nginx](https://github.com/kubernetes/ingress-nginx/blob/master/docs/user-guide/nginx-configuration/annotations.md) and [this document for Traefik](https://docs.traefik.io/configuration/backends/kubernetes/#general-annotations). Not all annotations are supported by all ingress controllers, but this document does a good job of indicating which annotation is supported by many popular ingress controllers. Annotations can be set using `ingress.annotations`. #### Example Ingress configuration ```shell helm install --name my-chartmuseum stable/chartmuseum \ --set ingress.enabled=true \ --set ingress.hosts[0].name=chartmuseum.domain.com \ --set ingress.hosts[0].path=/ --set ingress.hosts[0].tls=true --set ingress.hosts[0].tlsSecret=chartmuseum.tls-secret ``` ## Uninstall By default, a deliberate uninstall will result in the persistent volume claim being deleted. ```shell helm delete my-chartmuseum ``` To delete the deployment and its history: ```shell helm delete --purge my-chartmuseum ```