github.com/nikkelma/oras-project_oras-go@v1.1.1-0.20220201001104-a75f6a419090/testdata/charts/chartmuseum/README.md (about) 1 # ChartMuseum Helm Chart 2 3 Deploy your own private ChartMuseum. 4 5 Please also see https://github.com/kubernetes-helm/chartmuseum 6 7 ## Table of Content 8 9 <!-- START doctoc generated TOC please keep comment here to allow auto update --> 10 <!-- DON'T EDIT THIS SECTION, INSTEAD RE-RUN doctoc TO UPDATE --> 11 12 13 - [Prerequisites](#prerequisites) 14 - [Configuration](#configuration) 15 - [Installation](#installation) 16 - [Using with Amazon S3](#using-with-amazon-s3) 17 - [permissions grant with access keys](#permissions-grant-with-access-keys) 18 - [permissions grant with IAM instance profile](#permissions-grant-with-iam-instance-profile) 19 - [permissions grant with IAM assumed role](#permissions-grant-with-iam-assumed-role) 20 - [Using with Google Cloud Storage](#using-with-google-cloud-storage) 21 - [Using with Microsoft Azure Blob Storage](#using-with-microsoft-azure-blob-storage) 22 - [Using with Alibaba Cloud OSS Storage](#using-with-alibaba-cloud-oss-storage) 23 - [Using with local filesystem storage](#using-with-local-filesystem-storage) 24 - [Example storage class](#example-storage-class) 25 - [Uninstall](#uninstall) 26 27 <!-- END doctoc generated TOC please keep comment here to allow auto update --> 28 29 30 ## Prerequisites 31 32 * Kubernetes with extensions/v1beta1 available 33 * [If enabled] A persistent storage resource and RW access to it 34 * [If enabled] Kubernetes StorageClass for dynamic provisioning 35 36 ## Configuration 37 38 By default this chart will not have persistent storage, and the API service 39 will be *DISABLED*. This protects against unauthorized access to the API 40 with default configuration values. 41 42 In addition, by default, pod `securityContext.fsGroup` is set to `1000`. This 43 is the user/group that the ChartMuseum container runs as, and is used to 44 enable local persitant storage. If your cluster has DenySecurityContext enabled, 45 you can set `securityContext` to `{}` and still use this chart with one of 46 the cloud storage options. 47 48 For a more robust solution supply helm install with a custom values.yaml 49 You are also required to create the StorageClass resource ahead of time: 50 ``` 51 kubectl create -f /path/to/storage_class.yaml 52 ``` 53 54 The following table lists common configurable parameters of the chart and 55 their default values. See values.yaml for all available options. 56 57 | Parameter | Description | Default | 58 |----------------------------------------|---------------------------------------------|-----------------------------------------------------| 59 | `image.pullPolicy` | Container pull policy | `IfNotPresent` | 60 | `image.repository` | Container image to use | `chartmuseum/chartmuseum` | 61 | `image.tag` | Container image tag to deploy | `v0.8.0` | 62 | `persistence.accessMode` | Access mode to use for PVC | `ReadWriteOnce` | 63 | `persistence.enabled` | Whether to use a PVC for persistent storage | `false` | 64 | `persistence.size` | Amount of space to claim for PVC | `8Gi` | 65 | `persistence.labels` | Additional labels for PVC | `{}` | 66 | `persistence.storageClass` | Storage Class to use for PVC | `-` | 67 | `persistence.volumeName` | Volume to use for PVC | `` | 68 | `persistence.pv.enabled` | Whether to use a PV for persistent storage | `false` | 69 | `persistence.pv.capacity.storage` | Storage size to use for PV | `8Gi` | 70 | `persistence.pv.accessMode` | Access mode to use for PV | `ReadWriteOnce` | 71 | `persistence.pv.nfs.server` | NFS server for PV | `` | 72 | `persistence.pv.nfs.path` | Storage Path | `` | 73 | `persistence.pv.pvname` | Custom name for private volume | `` | 74 | `replicaCount` | k8s replicas | `1` | 75 | `resources.limits.cpu` | Container maximum CPU | `100m` | 76 | `resources.limits.memory` | Container maximum memory | `128Mi` | 77 | `resources.requests.cpu` | Container requested CPU | `80m` | 78 | `resources.requests.memory` | Container requested memory | `64Mi` | 79 | `serviceAccount.create` | If true, create the service account | `false` | 80 | `serviceAccount.name` | Name of the serviceAccount to create or use | `{{ chartmuseum.fullname }}` | 81 | `securityContext` | Map of securityContext for the pod | `{ fsGroup: 1000 }` | 82 | `nodeSelector` | Map of node labels for pod assignment | `{}` | 83 | `tolerations` | List of node taints to tolerate | `[]` | 84 | `affinity` | Map of node/pod affinities | `{}` | 85 | `env.open.STORAGE` | Storage Backend to use | `local` | 86 | `env.open.ALIBABA_BUCKET` | Bucket to store charts in for Alibaba | `` | 87 | `env.open.ALIBABA_PREFIX` | Prefix to store charts under for Alibaba | `` | 88 | `env.open.ALIBABA_ENDPOINT` | Alternative Alibaba endpoint | `` | 89 | `env.open.ALIBABA_SSE` | Server side encryption algorithm to use | `` | 90 | `env.open.AMAZON_BUCKET` | Bucket to store charts in for AWS | `` | 91 | `env.open.AMAZON_ENDPOINT` | Alternative AWS endpoint | `` | 92 | `env.open.AMAZON_PREFIX` | Prefix to store charts under for AWS | `` | 93 | `env.open.AMAZON_REGION` | Region to use for bucket access for AWS | `` | 94 | `env.open.AMAZON_SSE` | Server side encryption algorithm to use | `` | 95 | `env.open.GOOGLE_BUCKET` | Bucket to store charts in for GCP | `` | 96 | `env.open.GOOGLE_PREFIX` | Prefix to store charts under for GCP | `` | 97 | `env.open.STORAGE_MICROSOFT_CONTAINER` | Container to store charts under for MS | `` | 98 | `env.open.STORAGE_MICROSOFT_PREFIX` | Prefix to store charts under for MS | `` | 99 | `env.open.STORAGE_OPENSTACK_CONTAINER` | Container to store charts for openstack | `` | 100 | `env.open.STORAGE_OPENSTACK_PREFIX` | Prefix to store charts for openstack | `` | 101 | `env.open.STORAGE_OPENSTACK_REGION` | Region of openstack container | `` | 102 | `env.open.STORAGE_OPENSTACK_CACERT` | Path to a CA cert bundle for openstack | `` | 103 | `env.open.CHART_POST_FORM_FIELD_NAME` | Form field to query for chart file content | `` | 104 | `env.open.PROV_POST_FORM_FIELD_NAME` | Form field to query for chart provenance | `` | 105 | `env.open.DEPTH` | levels of nested repos for multitenancy. | `0` | 106 | `env.open.DEBUG` | Show debug messages | `false` | 107 | `env.open.LOG_JSON` | Output structured logs in JSON | `true` | 108 | `env.open.DISABLE_STATEFILES` | Disable use of index-cache.yaml | `false` | 109 | `env.open.DISABLE_METRICS` | Disable Prometheus metrics | `true` | 110 | `env.open.DISABLE_API` | Disable all routes prefixed with /api | `true` | 111 | `env.open.ALLOW_OVERWRITE` | Allow chart versions to be re-uploaded | `false` | 112 | `env.open.CHART_URL` | Absolute url for .tgzs in index.yaml | `` | 113 | `env.open.AUTH_ANONYMOUS_GET` | Allow anon GET operations when auth is used | `false` | 114 | `env.open.CONTEXT_PATH` | Set the base context path | `` | 115 | `env.open.INDEX_LIMIT` | Parallel scan limit for the repo indexer | `` | 116 | `env.open.CACHE` | Cache store, can be one of: redis | `` | 117 | `env.open.CACHE_REDIS_ADDR` | Address of Redis service (host:port) | `` | 118 | `env.open.CACHE_REDIS_DB` | Redis database to be selected after connect | `0` | 119 | `env.field` | Expose pod information to containers through environment variables | `` | 120 | `env.secret.BASIC_AUTH_USER` | Username for basic HTTP authentication | `` | 121 | `env.secret.BASIC_AUTH_PASS` | Password for basic HTTP authentication | `` | 122 | `env.secret.CACHE_REDIS_PASSWORD` | Redis requirepass server configuration | `` | 123 | `gcp.secret.enabled` | Flag for the GCP service account | `false` | 124 | `gcp.secret.name` | Secret name for the GCP json file | `` | 125 | `gcp.secret.key` | Secret key for te GCP json file | `credentials.json` | 126 | `service.type` | Kubernetes Service type | `ClusterIP` | 127 | `service.clusterIP` | Static clusterIP or None for headless services| `nil` | 128 | `service.servicename` | Custom name for service | `` | 129 | `service.labels` | Additional labels for service | `{}` | 130 | `deployment.labels` | Additional labels for deployment | `{}` | 131 | `deployment.matchlabes` | Match labels for deployment selector | `{}` | 132 133 Specify each parameter using the `--set key=value[,key=value]` argument to 134 `helm install`. 135 136 ## Installation 137 138 ```shell 139 helm install --name my-chartmuseum -f custom.yaml stable/chartmuseum 140 ``` 141 142 ### Using with Amazon S3 143 Make sure your environment is properly setup to access `my-s3-bucket` 144 145 You need at least the following permissions inside your IAM Policy 146 ```yaml 147 { 148 "Version": "2012-10-17", 149 "Statement": [ 150 { 151 "Sid": "AllowListObjects", 152 "Effect": "Allow", 153 "Action": [ 154 "s3:ListBucket" 155 ], 156 "Resource": "arn:aws:s3:::my-s3-bucket" 157 }, 158 { 159 "Sid": "AllowObjectsCRUD", 160 "Effect": "Allow", 161 "Action": [ 162 "s3:DeleteObject", 163 "s3:GetObject", 164 "s3:PutObject" 165 ], 166 "Resource": "arn:aws:s3:::my-s3-bucket/*" 167 } 168 ] 169 } 170 ``` 171 172 You can grant it to `chartmuseum` by several ways: 173 174 #### permissions grant with access keys 175 176 Grant permissions to `special user` and us it's access keys for auth on aws 177 178 Specify `custom.yaml` with such values 179 180 ```yaml 181 env: 182 open: 183 STORAGE: amazon 184 STORAGE_AMAZON_BUCKET: my-s3-bucket 185 STORAGE_AMAZON_PREFIX: 186 STORAGE_AMAZON_REGION: us-east-1 187 secret: 188 AWS_ACCESS_KEY_ID: "********" ## aws access key id value 189 AWS_SECRET_ACCESS_KEY: "********" ## aws access key secret value 190 ``` 191 192 Run command to install 193 194 ```shell 195 helm install --name my-chartmuseum -f custom.yaml stable/chartmuseum 196 ``` 197 198 #### permissions grant with IAM instance profile 199 200 You can grant permissions to k8s node IAM instance profile. 201 For more information read this [article](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2.html) 202 203 Specify `custom.yaml` with such values 204 205 ```yaml 206 env: 207 open: 208 STORAGE: amazon 209 STORAGE_AMAZON_BUCKET: my-s3-bucket 210 STORAGE_AMAZON_PREFIX: 211 STORAGE_AMAZON_REGION: us-east-1 212 ``` 213 214 Run command to install 215 216 ```shell 217 helm install --name my-chartmuseum -f custom.yaml stable/chartmuseum 218 ``` 219 220 #### permissions grant with IAM assumed role 221 222 To provide access with assumed role you need to install [kube2iam](https://github.com/kubernetes/charts/tree/master/stable/kube2iam) 223 and create role with granded permissions. 224 225 Specify `custom.yaml` with such values 226 227 ```yaml 228 env: 229 open: 230 STORAGE: amazon 231 STORAGE_AMAZON_BUCKET: my-s3-bucket 232 STORAGE_AMAZON_PREFIX: 233 STORAGE_AMAZON_REGION: us-east-1 234 replica: 235 annotations: 236 iam.amazonaws.com/role: "{assumed role name}" 237 ``` 238 239 Run command to install 240 241 ```shell 242 helm install --name my-chartmuseum -f custom.yaml stable/chartmuseum 243 ``` 244 245 ### Using with Google Cloud Storage 246 Make sure your environment is properly setup to access `my-gcs-bucket` 247 248 Specify `custom.yaml` with such values 249 250 ```yaml 251 env: 252 open: 253 STORAGE: google 254 STORAGE_GOOGLE_BUCKET: my-gcs-bucket 255 STORAGE_GOOGLE_PREFIX: 256 ``` 257 258 ### Using with Google Cloud Storage and a Google Service Account 259 260 A Google service account credentials are stored in a json file. There are two approaches here. Ideally you don't want to send your secrets to tiller. In that case, before installing this chart, you should create a secret with those credentials: 261 262 ```shell 263 kubectl create secret generic chartmuseum-secret --from-file=credentials.json="my-project-45e35d85a593.json" 264 ``` 265 266 Then you can either use a `VALUES` yaml with your values or set those values in the command line: 267 268 ```shell 269 helm install stable/chartmuseum --debug --set gcp.secret.enabled=true,env.open.STORAGE=google,env.open.DISABLE_API=false,env.open.STORAGE_GOOGLE_BUCKET=my-gcp-chartmuseum,gcp.secret.name=chartmuseum-secret 270 ``` 271 272 If you prefer to use a yaml file: 273 274 ```yaml 275 env: 276 open: 277 STORAGE: google 278 STORAGE_GOOGLE_BUCKET: my-gcs-bucket 279 STORAGE_GOOGLE_PREFIX: 280 281 gcp: 282 secret: 283 enabled: true 284 name: chartmuseum-secret 285 key: credentials.json 286 ``` 287 288 Run command to install 289 290 ```shell 291 helm install --name my-chartmuseum -f custom.yaml stable/chartmuseum 292 ``` 293 294 In case that you don't mind adding your secret to tiller (you shouldn't do it), this are the commands 295 296 ```yaml 297 env: 298 open: 299 STORAGE: google 300 STORAGE_GOOGLE_BUCKET: my-gcs-bucket 301 STORAGE_GOOGLE_PREFIX: 302 secret: 303 GOOGLE_CREDENTIALS_JSON: my-json-file-base64-encoded 304 gcp: 305 secret: 306 enabled: true 307 308 ``` 309 310 Run command to install 311 312 ```shell 313 helm install --name my-chartmuseum -f custom.yaml stable/chartmuseum 314 ``` 315 316 To set the values directly in the command line, use the follosing command. Note that we have to base64 encode the json file because we cannot pass a multi-line text as a value. 317 318 ```shell 319 export JSONKEY=$(cat my-project-77e35d85a593.json | base64) 320 helm install stable/chartmuseum --debug --set gcp.secret.enabled=true,env.secret.GOOGLE_CREDENTIALS_JSON=${JSONKEY},env.open.STORAGE=google,env.open.DISABLE_API=false,env.open.STORAGE_GOOGLE_BUCKET=my-gcp-chartmuseum 321 ``` 322 323 ### Using with Microsoft Azure Blob Storage 324 325 Make sure your environment is properly setup to access `mycontainer`. 326 327 To do so, you must set the following env vars: 328 - `AZURE_STORAGE_ACCOUNT` 329 - `AZURE_STORAGE_ACCESS_KEY` 330 331 Specify `custom.yaml` with such values 332 333 ```yaml 334 env: 335 open: 336 STORAGE: microsoft 337 STORAGE_MICROSOFT_CONTAINER: mycontainer 338 # prefix to store charts for microsoft storage backend 339 STORAGE_MICROSOFT_PREFIX: 340 secret: 341 AZURE_STORAGE_ACCOUNT: "********" ## azure storage account 342 AZURE_STORAGE_ACCESS_KEY: "********" ## azure storage account access key 343 ``` 344 345 Run command to install 346 347 ```shell 348 helm install --name my-chartmuseum -f custom.yaml stable/chartmuseum 349 ``` 350 351 ### Using with Alibaba Cloud OSS Storage 352 353 Make sure your environment is properly setup to access `my-oss-bucket`. 354 355 To do so, you must set the following env vars: 356 - `ALIBABA_CLOUD_ACCESS_KEY_ID` 357 - `ALIBABA_CLOUD_ACCESS_KEY_SECRET` 358 359 Specify `custom.yaml` with such values 360 361 ```yaml 362 env: 363 open: 364 STORAGE: alibaba 365 STORAGE_ALIBABA_BUCKET: my-oss-bucket 366 STORAGE_ALIBABA_PREFIX: 367 STORAGE_ALIBABA_ENDPOINT: oss-cn-beijing.aliyuncs.com 368 secret: 369 ALIBABA_CLOUD_ACCESS_KEY_ID: "********" ## alibaba OSS access key id 370 ALIBABA_CLOUD_ACCESS_KEY_SECRET: "********" ## alibaba OSS access key secret 371 ``` 372 373 Run command to install 374 375 ```shell 376 helm install --name my-chartmuseum -f custom.yaml stable/chartmuseum 377 ``` 378 379 ### Using with Openstack Object Storage 380 381 Make sure your environment is properly setup to access `mycontainer`. 382 383 To do so, you must set the following env vars (depending on your openstack version): 384 - `OS_AUTH_URL` 385 - either `OS_PROJECT_NAME` or `OS_TENANT_NAME` or `OS_PROJECT_ID` or `OS_TENANT_ID` 386 - either `OS_DOMAIN_NAME` or `OS_DOMAIN_ID` 387 - either `OS_USERNAME` or `OS_USERID` 388 - `OS_PASSWORD` 389 390 Specify `custom.yaml` with such values 391 392 ```yaml 393 env: 394 open: 395 STORAGE: openstack 396 STORAGE_OPENSTACK_CONTAINER: mycontainer 397 STORAGE_OPENSTACK_PREFIX: 398 STORAGE_OPENSTACK_REGION: YOURREGION 399 secret: 400 OS_AUTH_URL: https://myauth.url.com/v2.0/ 401 OS_TENANT_ID: yourtenantid 402 OS_USERNAME: yourusername 403 OS_PASSWORD: yourpassword 404 ``` 405 406 Run command to install 407 408 ```shell 409 helm install --name my-chartmuseum -f custom.yaml stable/chartmuseum 410 ``` 411 412 ### Using with local filesystem storage 413 By default chartmuseum uses local filesystem storage. 414 But on pod recreation it will lose all charts, to prevent that enable persistent storage. 415 416 ```yaml 417 env: 418 open: 419 STORAGE: local 420 persistence: 421 enabled: true 422 accessMode: ReadWriteOnce 423 size: 8Gi 424 ## A manually managed Persistent Volume and Claim 425 ## Requires persistence.enabled: true 426 ## If defined, PVC must be created manually before volume will be bound 427 # existingClaim: 428 429 ## Chartmuseum data Persistent Volume Storage Class 430 ## If defined, storageClassName: <storageClass> 431 ## If set to "-", storageClassName: "", which disables dynamic provisioning 432 ## If undefined (the default) or set to null, no storageClassName spec is 433 ## set, choosing the default provisioner. (gp2 on AWS, standard on 434 ## GKE, AWS & OpenStack) 435 ## 436 # storageClass: "-" 437 ``` 438 439 Run command to install 440 441 ```shell 442 helm install --name my-chartmuseum -f custom.yaml stable/chartmuseum 443 ``` 444 445 #### Example storage class 446 447 Example storage-class.yaml provided here for use with a Ceph cluster. 448 449 ``` 450 kind: StorageClass 451 apiVersion: storage.k8s.io/v1 452 metadata: 453 name: storage-volume 454 provisioner: kubernetes.io/rbd 455 parameters: 456 monitors: "10.11.12.13:4567,10.11.12.14:4567" 457 adminId: admin 458 adminSecretName: thesecret 459 adminSecretNamespace: default 460 pool: chartstore 461 userId: user 462 userSecretName: thesecret 463 ``` 464 465 ## Uninstall 466 467 By default, a deliberate uninstall will result in the persistent volume 468 claim being deleted. 469 470 ```shell 471 helm delete my-chartmuseum 472 ``` 473 474 To delete the deployment and its history: 475 ```shell 476 helm delete --purge my-chartmuseum 477 ```