Kubernetes Helm Chart Repositories

JFrog Artifactory Documentation

Overview

Artifactory offers fully-featured operation with Helm through support for local, remote and virtual Helm chart repositories.

Artifactory's support for Helm charts includes:

  • Secure, private repositories for Helm charts with fine-grained access control according to projects or development teams.

  • Calculation of metadata for Helm charts hosted in Artifactory local repositories.

  • Access to remote Helm chart repositories through remote repositories which provide proxy and caching functionality.

  • Enterprise features such as high availability, repository replication for multi-site development and different options for massively scalable storage.

  • Support for Helm V2 and V3 clients, enabling you to deploy and resolve Helm charts with either client version.

Configuring the Helm Client

Download Helm client version 2.9.0 or above for authenticated access

To use all features of Artifactory Helm chart repositories, including resolution of Helm charts, you must use version 2.9.0 or above of the Helm client that supports basic authenticated access to Artifactory.

Before you can use your Helm client to resolve Helm charts from Artifactory, you need to configure it for authenticated access with your Artifactory user and password by adding the virtual Helm chart repository to be used for resolution as shown below:

helm repo add <REPO_KEY> http://<ARTIFACTORY_HOST>:<ARTIFACTORY_PORT>/artifactory/<REPO_KEY> --username <USERNAME> --password <PASSWORD>
helm repo update

For example:

helm repo add helm-virtual http://10.1.16.114:32775/artifactory/helm-virtual --username admin --password password
helm repo update

Use an encrypted password

We recommend using an encrypted password instead of clear-text. For details, please refer to Centrally Secure Passwords.

Using the JFrog Helm Client

JFrog Helm Client

The JFrog Helm Client was necessary for authenticated access to Artifactory before the Helm client supported basic authentication (before version 2.9.0).

If you are using the JFrog Helm Client, you need to configure it for authenticated access with your Artifactory user and password by adding the virtual Helm chart repository to be used for resolution as shown below:

helm repo add <REPO_KEY> http://<ARTIFACTORY_HOST>:<ARTIFACTORY_PORT>/artifactory/<REPO_KEY> <USERNAME> <PASSWORD>
helm repo update

For example:

helm repo add helm-virtual http://10.1.16.114:32775/artifactory/helm-virtual admin password
helm repo update

Configuration

Local Repositories

To enable calculation of Helm chart metadata, from the Administration module, select Repositories | Repositories | Local and set Helm to be the Package Type when you create your local repository.

Remote Repositories

You can create a Helm remote repository to proxy and cache remote repositories or other Artifactory instances.

In order for Artifactory to properly cache Helm charts, resolve the charts only through a virtual repository.

Automatically Rewriting External Dependencies

Helm Charts requested by the Helm client frequently use external dependencies as defined in the index.yaml file. These dependencies may, in turn, need additional dependencies. Therefore, when downloading a chart, you may not have full visibility into the full set of dependencies that your original chart needs (whether directly or transitively). As a result, you are at risk of downloading malicious dependencies from unknown external resources.

To manage this risk, and maintain the best practice of consuming external charts through Artifactory, you may specify a "safe" Allow List from which dependencies may be downloaded and cached in Artifactory, and configure the repository to rewrite the dependencies so that the Helm client accesses them through a remote repository, as follows:

  • Select the Enable Dependency Rewrite checkbox in the Helm Chart remote repository advanced section.

  • Specify an Allow List pattern of external resources from which dependencies may be downloaded.

The fields under External Dependency Rewrite are connected to automatically rewriting external dependencies for Helm Charts that require them.

  • Enable Dependency Rewrite: When selected, external dependencies are rewritten.

  • Patterns Allow List: An Allow List of Ant-style path expressions that specify where external dependencies may be downloaded from. By default, this is set to ** which means that dependencies may be downloaded from any external source.

For example, if you limit the Patterns Allow List to https://github.com/**, the external dependencies will be cached in the "helm" remote repository, and only charts with a URL starting with https://github.com/ will be allowed to be cached.

For example, if you limit the Patterns Allow List to "github.com", the external dependencies will be cached in the "helm" remote repository, and only charts from https://github.com/prometheus-community/helm-charts/ are allowed to be cached.

Virtual Repositories

A Virtual Repository defined in Artifactory aggregates packages from both local and remote repositories.

This allows you to access both locally hosted Helm charts and remote proxied Helm charts repositories from a single URL defined for the virtual repository.

To define a virtual Helm chart repository, create a virtual repository, set the Package Type to be Helm, and select the underlying local and remote Helm repositories to include in the Basic settings tab.

This repository will be configured in the Helm client.

Namespace Support for Helm Virtual Repositories

From Artifactory 7.24.1 (SaaS Version), you can explicitly specify which aggregated local or remote repository to fetch from through a virtual repository by assigning namespaces to the local and remote repositories in Helm virtual repositories, using the following syntax:

/helm-virtual/<local_repository_name>/chart.tgz

By default, this feature is disabled but can be set when creating or updating a virtual Helm repository.

Relative URL Support for Helm Repositories

From version 7.59.5, Artifactory supports relative URLs for indexing Helm charts. Relative URLs allow the Helm client to use shorter URLs, which improves the performance of your Helm client and slightly reduces the size of your index.yaml file. This feature is available for Helm clients in version 3 and up.

To use this feature, enable the following feature flag in your system configuration file:

helm.relative.urls.enabled = true

This applies only to new chart deployments. If you want it to apply to all charts, run a simple reindex to align the index.

Setting Multiple External Dependencies Using List of URLs

To support downloading files from multiple internal Artifactory URLs, you can create a list of URLs that are trusted by the repository.

By default, this feature is disabled but can be set for each aggregated remote repository separately.

The following example adds this pattern as an external dependency:

https://example.com/example-community/helm-charts/**

As a result, all external URLs in the index.yaml file that start with the following prefix:

https://example.com/example-community/helm-charts/

are replaced with the following:

http://rt-host/artifactory/api/helm/helm-virtual/_external/https/example.com/example-community/helm-charts/
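
The following is an added example, not Artifactory code and not part of the JFrog documentation. It is a pre-check that lists the chart URLs in an index.yaml, tests each one against the Patterns Allow List described here and under Automatically Rewriting External Dependencies, and builds the rewritten _external URL in the shape shown above. The Ant-style matching is a simplified assumption, the index fragment is constructed, and all function names are hypothetical.

```python
import re
from urllib.parse import urlsplit
# Base URL and allow-list pattern are the page's own example values.
VIRTUAL_BASE = "http://rt-host/artifactory/api/helm/helm-virtual"
ALLOW_LIST = ["https://example.com/example-community/helm-charts/**"]
# Constructed sample index.yaml fragment, not from a real repository.
SAMPLE_INDEX = """\
entries:
  demo:
  - name: demo
    sources:
    - https://other.example.org/src
    urls:
    - https://example.com/example-community/helm-charts/demo-1.2.0.tgz
    - https://cdn.example.net/mirror/demo-1.2.0.tgz
    - charts/demo-1.2.0.tgz
"""

def ant_to_regex(pattern):
    """Assumed, simplified Ant semantics: ** crosses '/', * and ? do not."""
    table = {"**": ".*", "*": "[^/]*", "?": "[^/]"}
    parts = re.split(r"(\*\*|\*|\?)", pattern)
    return re.compile("".join(table.get(p, re.escape(p)) for p in parts))

def chart_urls(index_text):
    """Yield the items of every 'urls:' list (line-based, no YAML library)."""
    key_indent = None
    for line in index_text.splitlines():
        s, indent = line.strip(), len(line) - len(line.lstrip())
        if s == "urls:":
            key_indent = indent
        elif key_indent is not None and s.startswith("- ") and indent >= key_indent:
            yield s[2:].strip().strip("'\"")
        else:
            key_indent = None

def rewrite(url):
    u = urlsplit(url)  # target shape: _external/<scheme>/<host>/<path>
    return f"{VIRTUAL_BASE}/_external/{u.scheme}/{u.netloc}{u.path}"

def audit(index_text, allow_list=ALLOW_LIST):
    """Yield (url, status, rewritten-or-None) for every chart URL."""
    rules = [ant_to_regex(p) for p in allow_list]
    for url in chart_urls(index_text):
        external = bool(urlsplit(url).scheme)   # relative URLs stay inside the repo
        allowed = external and any(r.fullmatch(url) for r in rules)
        status = "allowed" if allowed else "not-allowed" if external else "relative"
        yield url, status, rewrite(url) if allowed else None

print(*audit(SAMPLE_INDEX), sep="\n")
```

Because the whole URL must match, a pattern ending in /** after the host does not match a look-alike host such as github.com.evil.example, which is why the slash after the host name belongs in the pattern.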

Resolving Helm Charts

JFrog Artifactory supports resolution of Helm charts from local and virtual Helm chart repositories. To resolve Helm charts from remote Helm chart repositories, you need to aggregate them in a virtual Helm chart repository.

To resolve a Helm chart through Artifactory, use the following command:

helm install <REPO_KEY>/<CHART_NAME>

For example:

helm install helm-virtual/artifactory

Deploying Helm Charts

Deploying Helm charts is done using cURL, Wget, JFrog CLI or any of the ways described in Deploying Artifacts.

Setting the Default Deployment Repository

To deploy Helm charts to a virtual Helm repository, make sure you have set the Default Deployment Repository.

Reindexing a Helm Chart repository

You can trigger an asynchronous reindexing of a local Helm chart repository either through the UI or using the REST API.

Through the UI, select your Helm chart repository in the Tree Browser and select Recalculate Index from the right-click menu, as shown below (requires Admin privileges).

To reindex a Helm chart repository through the REST API, please refer to Calculate Helm Chart Index.

Warning

Using the above REST API command or UI will reindex the index.yaml from scratch. You may receive a partial index.yaml if you attempt to resolve the package from the repository while the calculation is ongoing. Therefore, reindex should only be used if the index.yaml is corrupted.

Viewing Individual Helm Chart Information

Artifactory lets you view selected metadata of a Helm chart directly from the UI.

In the Tree Browsing tab, select your virtual Helm chart repository and drill down to find and select the package you want to inspect. The metadata is displayed in the Chart Info tab.
