In one of our previous posts about
creating Helm Charts for Kubernetes, we outlined what we consider the best practices for creating Helm charts. We've been using Helm in production and investing our time in creating Helm charts (available on the Banzai Cloud
Charts GitHub repository)
since Banzai Cloud's inception. Creating Helm Charts is one thing; storing and serving them is another. We'd like to reduce the burden this places on the user, so today marks the launch of our Banzai Charts, which you can use to store and serve public Helm Charts
for free.
tl;dr:
- Accessing the Banzai Cloud {{% chart-repository-service %}}
- We opensourced a Chartsec library, making it available as a Golang lib or CLI tool
- As part of Pipeline's enterprise version, we support private Helm Chart repositories
- The {{% chart-repository-service %}} is available for free, with a generous fair usage policy
Architecture
Our Helm Chart service is based on
ChartMuseum, an
open-source, easy to deploy, Helm Chart repository server. We are using the
upstream ChartMuseum distribution without any modifications. We have, however, added certain features to make it a managed, multi-tenant service.
The services we added are outlined below:
Authentication Service
Pulling charts from our Chart repository service doesn't require authentication (in the free version), but pushing charts to the repository is protected by user authentication. You must request an API token - the free version supports GitHub, GitLab or BitBucket authentication - before you can receive the access necessary to push charts to the repositories of organizations/teams on a given provider. Our
enterprise version supports private chart repositories, where chart access is protected.
NOTE: if you are not part of an organization/team on a given SCM provider, it is not possible for you to use the Chart service at this time.
An API token will be created by the
official ChartMuseum/auth Go library.
Chart Push Filter
The Chart Push Filter scans charts and compares them to sets of XSS policies and quota limits. For this, we use a version of
UGCPolicy
from the widely venerated
bluemonday Go library with some added quota checks and with the
Chartsec library, which we open-sourced and is also used as part of our
Pipeline project.
Usage
To get a repository for your organization/team, navigate to the Banzai Cloud {{% chart-repository-service %}} and request an API token, then choose between expiring and non-expiring tokens:
After requesting an API token, you will land on a page with instructions for using the Chart repository service in an end user-specific way. The outlined instructions will be very similar to those in the
Helm Push Plugin documentation:
Install the Push plugin:
$ helm plugin install
https://github.com/chartmuseum/helm-push
Expose the ChartMuseum API token in your shell, so the push plugin can pick it up:
$ export
HELM_REPO_ACCESS_TOKEN="eyJhbGciOiJSUz..."
Add the new repository to your Helm configuration (in my case it's
gh/banzaicloud
, which belongs to the
https://github.com/banzaicloud GitHub organization):
$ helm repo add my-helm-repo
cm://charts.banzaicloud.io/gh/banzaicloud
Push one of your charts into the newly added repository:
$ helm push my-helm-chart-0.1.2.tgz
my-helm-repo Pushing my-helm-chart-0.1.2.tgz to
my-helm-repo... Done.
CircleCI Helm Orb
We have also created a Helm
CircleCI Orb, which can be reused in your CircleCI configurations. This Orb helps you streamline and automate the steps involved with:
- configuring dependent repositories
- linting and checking
- packaging
- and publishing a Helm chart to a configurable Helm repository.
We've assembled a
simple Go Hello World application packaged as a Helm Chart, as well, which uses the Helm Orb for demonstration purposes. Here's how:
orbs: helm: banzaicloud/helm@volatile
jobs: build: docker: - image: circleci/golang:1.12
environment: GOFLAG: -mod=readonly
steps:
- checkout
- run:
name: Build
command: |
go build
workflows: e2e-test: jobs: - build helm-chart: jobs: -
helm/publish-chart: # The `helm-banzaicloud` Circle Context
has to exist which # contains the HELM_REPO_ACCESS_TOKEN
from above, you have # to create this manually after you
have requested a token. # See:
https://circleci.com/docs/2.0/contexts/ context:
helm-banzaicloud chart-path: charts/simple-helm-app # Your
own Banzai Cloud Chart repository URL, in my case # the one
belonging to the banzaicloud GitHub organization.
chartmuseum-url: cm://charts.banzaicloud.io/gh/banzaicloud
filters: branches: ignore: /.\*/ tags: only:
/simple-helm-app\/\d+.\d+.\d+/
(No blog about Kubernetes is complete without a wall of YAML, but at least there's no Kubernetes manifests this time)
From the description above, you can see that tagging the application with the simple-helm-app/0.1.0 tag, for example, triggers the chart packaging, as can be seen in
this build job.
Usage policy
Our {{% chart-repository-service %}} is free for everyone to use, with the fair use policy highlighted below:
- Compressed uploaded charts shouldn't exceed 100k bytes
- Chart packages should contain only those files necessary for the application itself
- Charts should be valid Helm Charts
- Overall, chart storage should not exceed 1GB (this is around 100 charts with about 100 versions of each chart)
If you have different needs, would like to deploy this chart within your environment, or have any other questions,
contact us.
Enterprise offering
All this comes as part of the
Pipeline Enterprise package, with which we offer a secure Chart repository service for all users, out-of-the-box, allowing users to create secure, private chart repositories, with no limitations.
Learn more about Helm:
About Banzai Cloud Pipeline
Banzai Cloud’s
Pipeline provides a platform for enterprises to develop, deploy, and scale container-based applications. It leverages best-of-breed cloud components, such as Kubernetes, to create a highly productive, yet flexible environment for developers and operations teams alike. Strong security measures — multiple authentication backends, fine-grained authorization, dynamic secret management, automated secure communications between components using TLS, vulnerability scans, static code analysis, CI/CD, and so on — are default features of the
Pipeline platform.