apiVersion: helm.openshift.io/v1beta1
kind: HelmChartRepository
metadata:
name: <name>
spec:
# optional name that might be used by console
# name: <chart-display-name>
connectionConfig:
url: <helm-chart-repository-url>
The Developer Catalog, in the Developer perspective of the web console, displays the Helm charts available in the cluster. By default, it lists the Helm charts from the Red Hat Helm chart repository. For a list of the charts see the Red Hat Helm index
file.
As a cluster administrator, you can add multiple Helm chart repositories, apart from the default one, and display the Helm charts from these repositories in the Developer Catalog.
You can add custom Helm chart repositories to your cluster, and enable access to the Helm charts from these repositories in the Developer Catalog.
To add a new Helm Chart Repository, you must add the Helm Chart Repository custom resource (CR) to your cluster.
apiVersion: helm.openshift.io/v1beta1
kind: HelmChartRepository
metadata:
name: <name>
spec:
# optional name that might be used by console
# name: <chart-display-name>
connectionConfig:
url: <helm-chart-repository-url>
For example, to add an Azure sample chart repository, run:
$ cat <<EOF | oc apply -f -
apiVersion: helm.openshift.io/v1beta1
kind: HelmChartRepository
metadata:
name: azure-sample-repo
spec:
name: azure-sample-repo
connectionConfig:
url: https://raw.githubusercontent.com/Azure-Samples/helm-charts/master/docs
EOF
Navigate to the Developer Catalog in the web console to verify that the helm charts from the Azure chart repository are displayed.
Some Helm chart repositories need credentials and custom certificate authority (CA) certificates to connect to it. You can use the web console as well as the CLI to add credentials and certificates.
To configure the credentials and certificates, and then add a Helm chart repository using the CLI:
In the openshift-config
namespace, create a ConfigMap
object with a custom CA certificate in PEM encoded format, and store it under the ca-bundle.crt
key within the config map:
$ oc create configmap helm-ca-cert \
--from-file=ca-bundle.crt=/path/to/certs/ca.crt \
-n openshift-config
In the openshift-config
namespace, create a secret
object to add the client TLS configurations:
$ oc create secret generic helm-tls-configs \
--from-file=tls.crt=/path/to/certs/client.crt \
--from-file=tls.key=/path/to/certs//client.key \
-n openshift-config
Note that the client certificate and key must be in PEM encoded format and stored under the keys tls.crt
and tls.key
, respectively.
Add the Helm repository as follows:
$ cat <<EOF | oc apply -f -
apiVersion: helm.openshift.io/v1beta1
kind: HelmChartRepository
metadata:
name: <helm-repository>
spec:
name: <helm-repository>
connectionConfig:
url: <URL for the Helm repository>
tlsConfig:
name: helm-tls-configs
ca:
name: helm-ca-cert
EOF
The ConfigMap
and secret
are consumed in the HelmChartRepository CR using the tlsConfig
and ca
fields. These certificates are used to connect to the Helm repository URL.
By default, all authenticated users have access to all configured charts. However, for chart repositories where certificates are needed, you must provide users with read access to the helm-ca-cert
config map and helm-tls-configs
secret in the openshift-config
namespace, as follows:
$ cat <<EOF | kubectl apply -f -
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
namespace: openshift-config
name: helm-chartrepos-tls-conf-viewer
rules:
- apiGroups: [""]
resources: ["configmaps"]
resourceNames: ["helm-ca-cert"]
verbs: ["get"]
- apiGroups: [""]
resources: ["secrets"]
resourceNames: ["helm-tls-configs"]
verbs: ["get"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
namespace: openshift-config
name: helm-chartrepos-tls-conf-viewer
subjects:
- kind: Group
apiGroup: rbac.authorization.k8s.io
name: 'system:authenticated'
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: helm-chartrepos-tls-conf-viewer
EOF