This repository has been archived by the owner on Nov 1, 2022. It is now read-only.

Manage Helm chart repositories using custom resources #142

Closed
hiddeco opened this issue Dec 10, 2019 · 6 comments
Labels
enhancement New feature or request

hiddeco commented Dec 10, 2019

Edit: This has been implemented in helm-controller, the successor of helm-operator; please see https://toolkit.fluxcd.io/

In #124 and #141 boilerplate was added to manage Helm chart repositories for Helm v2 and v3. The current implementation is, however, extremely limited and still requires the user to provide (and manage) a repository index file.

It would be more user-friendly, and declarative, to introduce a new custom resource definition called e.g. HelmChartRepository to make it possible to manage the repositories using Kubernetes resources.

stefanprodan commented Jan 7, 2020

Proposal: decoupling chart/git repositories from HelmReleases

Features:

  • a release references a chart source (can be helm chart repo or git repo)
  • a chart source references a secret (helm chart repo basic auth, git https basic auth or git ssh key)
  • a release can reference a chart source defined in a different namespace so that cluster admins can manage the sources in a restricted namespace
  • by running multiple helm-op instances we can restrict with RBAC what sources an operator instance can use
  • by allowing cross-namespace references, we can avoid duplicating the source definitions (e.g. stable) for each namespace

Chart repository with basic auth:

apiVersion: helm.fluxcd.io/v1
kind: ChartRepository
metadata:
  name: azurecr
  namespace: fluxcd
spec:
  url: https://<repository>.azurecr.io/helm/v1/repo #required
  secretRef: #optional
    name: azurecr-auth #required

Chart repository basic auth secret format:

apiVersion: v1
kind: Secret
metadata:
  name: azurecr-auth
  namespace: fluxcd
type: Opaque
data:
  username: <BASE64> #required
  password: <BASE64> #required
  caFile: <BASE64> #optional (path to file inside the helm-op container)
  certFile: <BASE64> #optional (path to file inside the helm-op container)
  keyFile: <BASE64> #optional (path to file inside the helm-op container)

Reference ChartRepository in HelmRelease with cross-namespace support:

apiVersion: helm.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: podinfo
  namespace: demo
spec:
  chart:
    name: podinfo #required (either name or path)
    version: 3.1.0 #required (when using chartRepositoryRef)
    chartRepositoryRef: #required (either chartRepositoryRef or gitRepositoryRef) 
      name: azurecr #required
      namespace: fluxcd #optional (defaults to HelmRelease ns)

HTTPS Git repository with basic auth:

apiVersion: helm.fluxcd.io/v1
kind: GitRepository
metadata:
  name: git-https-repo
  namespace: fluxcd
spec:
  url: https://github.com/myrepo.git #required (either url or git) 
  ref: master #optional (defaults to master)
  secretRef: #optional
    name: git-basic-auth #required

HTTPS Git repository basic auth secret format:

apiVersion: v1
kind: Secret
metadata:
  name: git-basic-auth
  namespace: fluxcd
type: Opaque
data:
  username: <BASE64> #required
  password: <BASE64> #required

Git repository with SSH auth:

apiVersion: helm.fluxcd.io/v1
kind: GitRepository
metadata:
  name: git-ssh-repo
  namespace: fluxcd
spec:
  git: ssh://git@gitsrv/git-server/repos/cluster.git #required (either url or git) 
  ref: master #optional (defaults to master)
  secretRef: #optional
    name: git-ssh-key #required

Git repository SSH secret format:

apiVersion: v1
kind: Secret
metadata:
  name: git-ssh-key
  namespace: fluxcd
type: Opaque
data:
  identity: <BASE64> #required

Reference GitRepository in HelmRelease with cross-namespace support:

apiVersion: helm.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: podinfo
  namespace: demo
spec:
  chart:
    path: charts/podinfo #required (either name or path)
    gitRepositoryRef: #required (either chartRepositoryRef or gitRepositoryRef) 
      name: git-https-repo
      namespace: fluxcd #optional (defaults to HelmRelease ns)

HelmRelease v2

The above changes would require a new major release of the HelmRelease CRD.

Chart repo changes:

kind: HelmRelease
spec:
  chart:
    repository: # replaced with chartRepositoryRef
    name: # no changes 
    version: # no changes

Git repo changes:

kind: HelmRelease
spec:
  chart:
    git: # replaced with gitRepositoryRef
    ref: master # moved to GitRepository.spec.ref
    path: charts/ghost # no changes
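
As an added illustration (not part of the original thread and not helm-operator code), the reference rules in the proposal above can be written as a Go check that resolves a release's chart source and refuses cross-namespace references outside an allow-list. The type and function names and the `allowedNS` allow-list are assumptions made for this example; the field rules and the namespace default come from the YAML comments in the proposal.

```go
package main

import (
	"errors"
	"fmt"
)

// Ref and Chart mirror the reference and spec.chart fields of the proposal.
type Ref struct{ Name, Namespace string }

type Chart struct {
	Name, Version, Path                  string
	ChartRepositoryRef, GitRepositoryRef *Ref
}

// Source is the object a release resolves to.
type Source struct{ Kind, Namespace, Name string }

// ResolveSource applies the proposal's field rules for a release in releaseNS.
// allowedNS (an assumption, not in the proposal) names the referable namespaces.
func ResolveSource(releaseNS string, c Chart, allowedNS map[string]bool) (Source, error) {
	kind, ref := "ChartRepository", c.ChartRepositoryRef
	switch {
	case c.ChartRepositoryRef != nil && c.GitRepositoryRef != nil:
		return Source{}, errors.New("set either chartRepositoryRef or gitRepositoryRef, not both")
	case c.ChartRepositoryRef != nil && (c.Name == "" || c.Version == ""):
		return Source{}, errors.New("chartRepositoryRef requires chart name and version")
	case c.GitRepositoryRef != nil && c.Path == "":
		return Source{}, errors.New("gitRepositoryRef requires chart path")
	case c.GitRepositoryRef != nil:
		kind, ref = "GitRepository", c.GitRepositoryRef
	}
	if ref == nil || ref.Name == "" {
		return Source{}, errors.New("a source reference with a name is required")
	}
	ns := ref.Namespace
	if ns == "" {
		ns = releaseNS // optional field: defaults to the HelmRelease namespace
	}
	if ns != releaseNS && !allowedNS[ns] {
		return Source{}, fmt.Errorf("cross-namespace reference to %s/%s is not allowed", ns, ref.Name)
	}
	return Source{kind, ns, ref.Name}, nil
}

func main() {
	c := Chart{Name: "podinfo", Version: "3.1.0", ChartRepositoryRef: &Ref{Name: "azurecr", Namespace: "fluxcd"}}
	fmt.Println(ResolveSource("demo", c, map[string]bool{"fluxcd": true}))
}
```

Because a source carries a `secretRef`, the allow-list decides which namespaces' credentials a release in another namespace can make the operator use.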

hiddeco commented Jan 8, 2020

@stefanprodan can you extend the examples to show how one would provide custom certificates for the ChartRepository kind?

@stefanprodan

@hiddeco I've added the cert fields to the secret as file paths.

@oleksandrsemak

Hello, as I understood, basic HTTPS is implemented only for git, not for a regular private chart repo?
When I try using a private chart repo and HelmRelease with secretRef, I get: not a valid chart repository or cannot be reached: Failed to fetch 401 Unauthorized

@seaneagan

For CRD naming:

  • should there be consistency with HelmRelease in terms of the Helm prefix?
  • the term Repository means something different in ChartRepository and GitRepository. What about using a Source suffix instead?

Taking those into consideration, what about something like: HelmRepoSource, HelmGitSource, and then in the future if helm registry catches on, HelmRegistrySource? Referred to as:

  chart:
    path: ...
    gitSourceRef:
      namespace: ...
      name: ...
  chart:
    name: ...
    version: ...
    repoSourceRef:
      namespace: ...
      name: ...
  chart:
    name: ...
    # future extension
    registrySourceRef:
      namespace: ...
      name: ...

Relating this to values / valuesFrom, there is a tradeoff to having reference data in separate CRs, namely that changes in the reference CRs won't be automatically reconciled (see #151). Perhaps similarly to values there could still be an ability to define source inline as well:

  chart:
    name: ...
    version: ...
    # inline source
    gitSource:  # or repoSource or registrySource (same content as reference CR specs)
      git: ssh://git@gitsrv/git-server/repos/cluster.git #required (either url or git) 
      ref: master #optional (defaults to master)
      secretRef: #optional
        name: git-ssh-key #required

@stefanprodan

Implemented in helm-controller, see https://toolkit.fluxcd.io/guides/helmreleases/
