Configuring custom Helm chart repositories

    As a cluster administrator, you can add multiple Helm chart repositories, apart from the default one, and display the Helm charts from these repositories in the Developer Catalog.

    As a cluster administrator, you can add custom Helm chart repositories to your cluster and enable access to the Helm charts from these repositories in the Developer Catalog.

    Procedure

    1. To add a new Helm Chart Repository, you must add the Helm Chart Repository custom resource (CR) to your cluster.

      Sample Helm Chart Repository CR

      For example, to add an Azure sample chart repository, run:

      $ cat <<EOF | oc apply -f -
      apiVersion: helm.openshift.io/v1beta1
      kind: HelmChartRepository
      metadata:
        name: azure-sample-repo
      spec:
        name: azure-sample-repo
        connectionConfig:
          url: https://raw.githubusercontent.com/Azure-Samples/helm-charts/master/docs
      EOF
    2. For example, use the Chart repositories filter to search for a Helm chart from the repository.

      Figure 1. Chart repositories filter

    Creating credentials and CA certificates to add Helm chart repositories

    Some Helm chart repositories need credentials and custom certificate authority (CA) certificates to connect to them. You can use the web console as well as the CLI to add credentials and certificates.

    Procedure

    1. In the openshift-config namespace, create a ConfigMap object with a custom CA certificate in PEM encoded format, and store it under the ca-bundle.crt key within the config map:

    2. In the openshift-config namespace, create a Secret object to add the client TLS configurations:

      $ oc create secret generic helm-tls-configs \
          --from-file=tls.crt=/path/to/certs/client.crt \
          --from-file=tls.key=/path/to/certs/client.key \
          -n openshift-config

      Note that the client certificate and key must be in PEM encoded format and stored under the keys tls.crt and tls.key, respectively.

    3. Add the Helm repository as follows:

      The ConfigMap and Secret are consumed in the HelmChartRepository CR using the tlsConfig and ca fields. These certificates are used to connect to the Helm repository URL.

    4. By default, all authenticated users have access to all configured charts. However, for chart repositories where certificates are needed, you must provide users with read access to the helm-ca-cert config map and helm-tls-configs secret in the openshift-config namespace, as follows:

      $ cat <<EOF | kubectl apply -f -
      apiVersion: rbac.authorization.k8s.io/v1
      kind: Role
      metadata:
        namespace: openshift-config
        name: helm-chartrepos-tls-conf-viewer
      rules:
      # Read access limited to the CA config map named in this procedure
      - apiGroups: [""]
        resources: ["configmaps"]
        resourceNames: ["helm-ca-cert"]
        verbs: ["get"]
      # Read access limited to the client TLS secret
      - apiGroups: [""]
        resources: ["secrets"]
        resourceNames: ["helm-tls-configs"]
        verbs: ["get"]
      ---
      kind: RoleBinding
      apiVersion: rbac.authorization.k8s.io/v1
      metadata:
        namespace: openshift-config
        name: helm-chartrepos-tls-conf-viewer
      subjects:
      - kind: Group
        apiGroup: rbac.authorization.k8s.io
        name: 'system:authenticated'
      roleRef:
        apiGroup: rbac.authorization.k8s.io
        kind: Role
        name: helm-chartrepos-tls-conf-viewer
      EOF
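
An added example, not part of the original documentation or of OpenShift's own code: a Python check that a Role bound to system:authenticated grants only get on the helm-ca-cert config map and the helm-tls-configs secret, because a rule without resourceNames lets every authenticated user read any object of that type in openshift-config. The function name audit_role and the sample manifest are assumptions constructed for illustration; the input is the Role as JSON, for example from oc get role -o json.

```python
import json

# Objects the procedure says users need to read, keyed by resource type.
ALLOWED = {"configmaps": {"helm-ca-cert"}, "secrets": {"helm-tls-configs"}}


def audit_role(role: dict) -> list:
    """Return findings for rules that grant more than `get` on the named objects."""
    findings = []
    for i, rule in enumerate(role.get("rules", [])):
        names = set(rule.get("resourceNames", []))
        verbs = set(rule.get("verbs", []))
        for res in rule.get("resources", []):
            where = f"rule {i} ({res})"
            if res not in ALLOWED:
                # Also catches the "*" wildcard resource.
                findings.append(f"{where}: resource not needed for Helm repository TLS")
                continue
            if not names:
                findings.append(
                    f"{where}: no resourceNames, applies to every object of this type")
            elif names - ALLOWED[res]:
                findings.append(
                    f"{where}: unexpected names {sorted(names - ALLOWED[res])}")
            if verbs != {"get"}:
                findings.append(f"{where}: verbs {sorted(verbs)} go beyond get")
    return findings


# Constructed sample (hypothetical): a Role whose configmaps rule is missing
# its resourceNames line, so it covers every config map in the namespace.
TOO_BROAD = json.loads("""
{"kind": "Role",
 "metadata": {"namespace": "openshift-config",
              "name": "helm-chartrepos-tls-conf-viewer"},
 "rules": [
   {"apiGroups": [""], "resources": ["configmaps"], "verbs": ["get"]},
   {"apiGroups": [""], "resources": ["secrets"],
    "resourceNames": ["helm-tls-configs"], "verbs": ["get"]}]}
""")

if __name__ == "__main__":
    for finding in audit_role(TOO_BROAD):
        print(finding)
```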