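├── .github
│   └── workflows
│       ├── lint-test.yaml
│       └── release.yaml
├── .gitignore
├── README.md
├── cr.yaml
├── ct.yaml
├── logo.jpg
└── src
    └── chartmuseum
        ├── .helmignore
        ├── Chart.yaml
        ├── LICENSE
        ├── README.md
        ├── ci
        │   └── ingress-values.yaml
        ├── templates
        │   ├── NOTES.txt
        │   ├── _helpers.tpl
        │   ├── deployment.yaml
        │   ├── ingress.yaml
        │   ├── pv.yaml
        │   ├── pvc.yaml
        │   ├── secret.yaml
        │   ├── service.yaml
        │   ├── serviceaccount.yaml
        │   └── servicemonitor.yaml
        └── values.yaml

--------------------------------------------------------------------------------
/.github/workflows/lint-test.yaml:
--------------------------------------------------------------------------------
name: Lint and Test Charts

on: pull_request

# Least-privilege token for a PR lint/test job: nothing in this workflow
# pushes, publishes or writes to the repository.
permissions:
  contents: read

jobs:
  lint-test:
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): third-party actions are referenced by mutable tags; pinning each
      # `uses:` to a full commit SHA hardens the pipeline against a tag being moved upstream.
      - name: Checkout
        uses: actions/checkout@v2
        with:
          # Full history so `ct list-changed` can diff against the target branch
          # configured in ct.yaml.
          fetch-depth: 0

      - name: Set up Helm
        uses: azure/setup-helm@v1
        with:
          version: v3.7.1

      # Python is required because `ct lint` runs Yamale (https://github.com/23andMe/Yamale) and
      # yamllint (https://github.com/adrienverge/yamllint) which require Python
      - name: Set up Python
        uses: actions/setup-python@v2
        with:
          python-version: 3.8

      - name: Set up chart-testing
        uses: helm/chart-testing-action@v2.1.0

      - name: Run chart-testing (list-changed)
        id: list-changed
        run: |
          changed=$(ct list-changed --config ct.yaml)
          if [[ -n "$changed" ]]; then
            # `::set-output` is deprecated; step outputs are written through $GITHUB_OUTPUT.
            echo "changed=true" >> "$GITHUB_OUTPUT"
          fi

      - name: Run chart-testing (lint)
        run: ct lint --config ct.yaml

      - name: Create kind cluster
        uses: helm/kind-action@v1.2.0
        if: steps.list-changed.outputs.changed == 'true'

      # Gated exactly like the kind step above: without the condition `ct install`
      # would also run on a PR with no chart changes, i.e. when no cluster was created.
      - name: Run chart-testing (install)
        run: ct install --config ct.yaml
        if: steps.list-changed.outputs.changed == 'true'

--------------------------------------------------------------------------------
/.github/workflows/release.yaml:
--------------------------------------------------------------------------------
name: Release Charts

on:
  push:
    branches:
      - main

# Least-privilege token: chart-releaser only needs to create releases, upload the
# packaged charts and push the index to the pages branch, all of which are `contents`.
permissions:
  contents: write

jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): third-party actions are referenced by mutable tags; pinning each
      # `uses:` to a full commit SHA hardens the pipeline against a tag being moved upstream.
      - name: Checkout
        uses: actions/checkout@v2
        with:
          fetch-depth: 0

      - name: Configure Git
        run: |
          git config user.name "$GITHUB_ACTOR"
          git config user.email "$GITHUB_ACTOR@users.noreply.github.com"

      - name: Install Helm
        uses: azure/setup-helm@v1
        with:
          version: v3.7.1

      # Optional step if GPG signing is used
      # NOTE(review): this step runs unconditionally, so even with `sign: false` in
      # cr.yaml the keyring and passphrase are materialised in the workspace. They are
      # created owner-only (umask below) and must never be uploaded as artifacts.
      - name: Prepare GPG key
        run: |
          umask 077
          gpg_dir=.cr-gpg
          mkdir "$gpg_dir"

          keyring="$gpg_dir/secring.gpg"
          base64 -d <<< "$GPG_KEYRING_BASE64" > "$keyring"

          passphrase_file="$gpg_dir/passphrase"
          echo "$GPG_PASSPHRASE" > "$passphrase_file"

          echo "CR_PASSPHRASE_FILE=$passphrase_file" >> "$GITHUB_ENV"
          echo "CR_KEYRING=$keyring" >> "$GITHUB_ENV"
        env:
          GPG_KEYRING_BASE64: "${{ secrets.GPG_KEYRING_BASE64 }}"
          GPG_PASSPHRASE: "${{ secrets.GPG_PASSPHRASE }}"

      - name: Add dependency chart repos
        run: |
          helm repo add bitnami https://charts.bitnami.com/bitnami

      - name: Run chart-releaser
        uses: helm/chart-releaser-action@v1.2.1
        with:
          charts_dir: src
          config: cr.yaml
        env:
          CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"

--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
# Binaries for programs and plugins
*.exe
*.exe~
*.dll
*.so
*.dylib
*.dump
*.backup
*.wal

# IDEs and editors
.idea/
.project
.classpath
.c9/
*.launch
.settings/
*.sublime-workspace

# IDE - VSCode
.vscode/*
!.vscode/settings.json
!.vscode/tasks.json
!.vscode/launch.json
!.vscode/extensions.json
.history/*

# misc
/.sass-cache
/connect.lock
/coverage
/libpeerconnection.log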
npm-debug.log 34 | yarn-error.log 35 | testem.log 36 | /typings 37 | 38 | # System Files 39 | .DS_Store 40 | Thumbs.db 41 | Thumbs.Repo 42 | 43 | # Test binary, built with `go test -c` 44 | *.test 45 | 46 | # Output of the go coverage tool, specifically when used with LiteIDE 47 | *.out 48 | 49 | # Dependency directories (remove the comment below to include it) 50 | vendor/ 51 | 52 | .aws/ 53 | .do/ 54 | .gcp/ 55 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # ChartMuseum Project Helm Charts 2 | 3 | [![Artifact HUB](https://img.shields.io/endpoint?url=https://artifacthub.io/badge/repository/chartmuseum)](https://artifacthub.io/packages/search?page=1&org=chartmuseum) 4 | 5 | ## Add repository 6 | ``` 7 | helm repo add chartmuseum https://chartmuseum.github.io/charts 8 | ``` 9 | 10 | ## Install chart (Helm v3) 11 | ``` 12 | helm install my-chartmuseum chartmuseum/chartmuseum --version 2.15.0 13 | ``` 14 | 15 | ## Install chart (Helm v2) 16 | ``` 17 | helm install --name my-chartmuseum chartmuseum/chartmuseum --version 2.15.0 18 | ``` 19 | 20 | -------------------------------------------------------------------------------- /cr.yaml: -------------------------------------------------------------------------------- 1 | # Set to true for GPG signing 2 | sign: false 3 | # UID of the GPG key to use 4 | key: Chart Releaser Test Key 5 | -------------------------------------------------------------------------------- /ct.yaml: -------------------------------------------------------------------------------- 1 | # See https://github.com/helm/chart-testing#configuration 2 | remote: origin 3 | chart-dirs: 4 | - src 5 | chart-repos: 6 | - bitnami=https://charts.bitnami.com/bitnami 7 | helm-extra-args: --timeout 600s 8 | target-branch: main 9 | -------------------------------------------------------------------------------- /logo.jpg: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/chartmuseum/charts/f4d02977f2add3581d7d3e0949aa3c72ca14ec47/logo.jpg -------------------------------------------------------------------------------- /src/chartmuseum/.helmignore: -------------------------------------------------------------------------------- 1 | # Patterns to ignore when building packages. 2 | # This supports shell glob matching, relative path matching, and 3 | # negation (prefixed with !). Only one pattern per line. 4 | .DS_Store 5 | # Common VCS dirs 6 | .git/ 7 | .gitignore 8 | .bzr/ 9 | .bzrignore 10 | .hg/ 11 | .hgignore 12 | .svn/ 13 | # Common backup files 14 | *.swp 15 | *.bak 16 | *.tmp 17 | *~ 18 | # Various IDEs 19 | .project 20 | .idea/ 21 | *.tmproj 22 | # OWNERS file for Kubernetes 23 | OWNERS 24 | 25 | -------------------------------------------------------------------------------- /src/chartmuseum/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | description: Host your own Helm Chart Repository 3 | name: chartmuseum 4 | version: 3.10.4 5 | appVersion: 0.16.3 6 | home: https://github.com/helm/chartmuseum 7 | icon: https://raw.githubusercontent.com/chartmuseum/charts/main/logo.jpg 8 | keywords: 9 | - chartmuseum 10 | - helm 11 | - charts repo 12 | sources: 13 | - https://github.com/chartmuseum/charts/tree/main/src/chartmuseum 14 | - https://github.com/chartmuseum 15 | - https://github.com/helm/chartmuseum 16 | maintainers: 17 | - name: chartmuseum 18 | url: https://github.com/chartmuseum 19 | -------------------------------------------------------------------------------- /src/chartmuseum/LICENSE: -------------------------------------------------------------------------------- 1 | Apache License 2 | Version 2.0, January 2004 3 | http://www.apache.org/licenses/ 4 | 5 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 6 | 7 | 1. Definitions. 
8 | 9 | "License" shall mean the terms and conditions for use, reproduction, 10 | and distribution as defined by Sections 1 through 9 of this document. 11 | 12 | "Licensor" shall mean the copyright owner or entity authorized by 13 | the copyright owner that is granting the License. 14 | 15 | "Legal Entity" shall mean the union of the acting entity and all 16 | other entities that control, are controlled by, or are under common 17 | control with that entity. For the purposes of this definition, 18 | "control" means (i) the power, direct or indirect, to cause the 19 | direction or management of such entity, whether by contract or 20 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 21 | outstanding shares, or (iii) beneficial ownership of such entity. 22 | 23 | "You" (or "Your") shall mean an individual or Legal Entity 24 | exercising permissions granted by this License. 25 | 26 | "Source" form shall mean the preferred form for making modifications, 27 | including but not limited to software source code, documentation 28 | source, and configuration files. 29 | 30 | "Object" form shall mean any form resulting from mechanical 31 | transformation or translation of a Source form, including but 32 | not limited to compiled object code, generated documentation, 33 | and conversions to other media types. 34 | 35 | "Work" shall mean the work of authorship, whether in Source or 36 | Object form, made available under the License, as indicated by a 37 | copyright notice that is included in or attached to the work 38 | (an example is provided in the Appendix below). 39 | 40 | "Derivative Works" shall mean any work, whether in Source or Object 41 | form, that is based on (or derived from) the Work and for which the 42 | editorial revisions, annotations, elaborations, or other modifications 43 | represent, as a whole, an original work of authorship. 
For the purposes 44 | of this License, Derivative Works shall not include works that remain 45 | separable from, or merely link (or bind by name) to the interfaces of, 46 | the Work and Derivative Works thereof. 47 | 48 | "Contribution" shall mean any work of authorship, including 49 | the original version of the Work and any modifications or additions 50 | to that Work or Derivative Works thereof, that is intentionally 51 | submitted to Licensor for inclusion in the Work by the copyright owner 52 | or by an individual or Legal Entity authorized to submit on behalf of 53 | the copyright owner. For the purposes of this definition, "submitted" 54 | means any form of electronic, verbal, or written communication sent 55 | to the Licensor or its representatives, including but not limited to 56 | communication on electronic mailing lists, source code control systems, 57 | and issue tracking systems that are managed by, or on behalf of, the 58 | Licensor for the purpose of discussing and improving the Work, but 59 | excluding communication that is conspicuously marked or otherwise 60 | designated in writing by the copyright owner as "Not a Contribution." 61 | 62 | "Contributor" shall mean Licensor and any individual or Legal Entity 63 | on behalf of whom a Contribution has been received by Licensor and 64 | subsequently incorporated within the Work. 65 | 66 | 2. Grant of Copyright License. Subject to the terms and conditions of 67 | this License, each Contributor hereby grants to You a perpetual, 68 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 69 | copyright license to reproduce, prepare Derivative Works of, 70 | publicly display, publicly perform, sublicense, and distribute the 71 | Work and such Derivative Works in Source or Object form. 72 | 73 | 3. Grant of Patent License. 
Subject to the terms and conditions of 74 | this License, each Contributor hereby grants to You a perpetual, 75 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 76 | (except as stated in this section) patent license to make, have made, 77 | use, offer to sell, sell, import, and otherwise transfer the Work, 78 | where such license applies only to those patent claims licensable 79 | by such Contributor that are necessarily infringed by their 80 | Contribution(s) alone or by combination of their Contribution(s) 81 | with the Work to which such Contribution(s) was submitted. If You 82 | institute patent litigation against any entity (including a 83 | cross-claim or counterclaim in a lawsuit) alleging that the Work 84 | or a Contribution incorporated within the Work constitutes direct 85 | or contributory patent infringement, then any patent licenses 86 | granted to You under this License for that Work shall terminate 87 | as of the date such litigation is filed. 88 | 89 | 4. Redistribution. 
You may reproduce and distribute copies of the 90 | Work or Derivative Works thereof in any medium, with or without 91 | modifications, and in Source or Object form, provided that You 92 | meet the following conditions: 93 | 94 | (a) You must give any other recipients of the Work or 95 | Derivative Works a copy of this License; and 96 | 97 | (b) You must cause any modified files to carry prominent notices 98 | stating that You changed the files; and 99 | 100 | (c) You must retain, in the Source form of any Derivative Works 101 | that You distribute, all copyright, patent, trademark, and 102 | attribution notices from the Source form of the Work, 103 | excluding those notices that do not pertain to any part of 104 | the Derivative Works; and 105 | 106 | (d) If the Work includes a "NOTICE" text file as part of its 107 | distribution, then any Derivative Works that You distribute must 108 | include a readable copy of the attribution notices contained 109 | within such NOTICE file, excluding those notices that do not 110 | pertain to any part of the Derivative Works, in at least one 111 | of the following places: within a NOTICE text file distributed 112 | as part of the Derivative Works; within the Source form or 113 | documentation, if provided along with the Derivative Works; or, 114 | within a display generated by the Derivative Works, if and 115 | wherever such third-party notices normally appear. The contents 116 | of the NOTICE file are for informational purposes only and 117 | do not modify the License. You may add Your own attribution 118 | notices within Derivative Works that You distribute, alongside 119 | or as an addendum to the NOTICE text from the Work, provided 120 | that such additional attribution notices cannot be construed 121 | as modifying the License. 
122 | 123 | You may add Your own copyright statement to Your modifications and 124 | may provide additional or different license terms and conditions 125 | for use, reproduction, or distribution of Your modifications, or 126 | for any such Derivative Works as a whole, provided Your use, 127 | reproduction, and distribution of the Work otherwise complies with 128 | the conditions stated in this License. 129 | 130 | 5. Submission of Contributions. Unless You explicitly state otherwise, 131 | any Contribution intentionally submitted for inclusion in the Work 132 | by You to the Licensor shall be under the terms and conditions of 133 | this License, without any additional terms or conditions. 134 | Notwithstanding the above, nothing herein shall supersede or modify 135 | the terms of any separate license agreement you may have executed 136 | with Licensor regarding such Contributions. 137 | 138 | 6. Trademarks. This License does not grant permission to use the trade 139 | names, trademarks, service marks, or product names of the Licensor, 140 | except as required for reasonable and customary use in describing the 141 | origin of the Work and reproducing the content of the NOTICE file. 142 | 143 | 7. Disclaimer of Warranty. Unless required by applicable law or 144 | agreed to in writing, Licensor provides the Work (and each 145 | Contributor provides its Contributions) on an "AS IS" BASIS, 146 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 147 | implied, including, without limitation, any warranties or conditions 148 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 149 | PARTICULAR PURPOSE. You are solely responsible for determining the 150 | appropriateness of using or redistributing the Work and assume any 151 | risks associated with Your exercise of permissions under this License. 152 | 153 | 8. Limitation of Liability. 
In no event and under no legal theory, 154 | whether in tort (including negligence), contract, or otherwise, 155 | unless required by applicable law (such as deliberate and grossly 156 | negligent acts) or agreed to in writing, shall any Contributor be 157 | liable to You for damages, including any direct, indirect, special, 158 | incidental, or consequential damages of any character arising as a 159 | result of this License or out of the use or inability to use the 160 | Work (including but not limited to damages for loss of goodwill, 161 | work stoppage, computer failure or malfunction, or any and all 162 | other commercial damages or losses), even if such Contributor 163 | has been advised of the possibility of such damages. 164 | 165 | 9. Accepting Warranty or Additional Liability. While redistributing 166 | the Work or Derivative Works thereof, You may choose to offer, 167 | and charge a fee for, acceptance of support, warranty, indemnity, 168 | or other liability obligations and/or rights consistent with this 169 | License. However, in accepting such obligations, You may act only 170 | on Your own behalf and on Your sole responsibility, not on behalf 171 | of any other Contributor, and only if You agree to indemnify, 172 | defend, and hold each Contributor harmless for any liability 173 | incurred by, or claims asserted against, such Contributor by reason 174 | of your accepting any such warranty or additional liability. 175 | 176 | END OF TERMS AND CONDITIONS 177 | 178 | APPENDIX: How to apply the Apache License to your work. 179 | 180 | To apply the Apache License to your work, attach the following 181 | boilerplate notice, with the fields enclosed by brackets "[]" 182 | replaced with your own identifying information. (Don't include 183 | the brackets!) The text should be enclosed in the appropriate 184 | comment syntax for the file format. 
We also recommend that a 185 | file or class name and description of purpose be included on the 186 | same "printed page" as the copyright notice for easier 187 | identification within third-party archives. 188 | 189 | Copyright [yyyy] [name of copyright owner] 190 | 191 | Licensed under the Apache License, Version 2.0 (the "License"); 192 | you may not use this file except in compliance with the License. 193 | You may obtain a copy of the License at 194 | 195 | http://www.apache.org/licenses/LICENSE-2.0 196 | 197 | Unless required by applicable law or agreed to in writing, software 198 | distributed under the License is distributed on an "AS IS" BASIS, 199 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 200 | See the License for the specific language governing permissions and 201 | limitations under the License. 202 | -------------------------------------------------------------------------------- /src/chartmuseum/README.md: -------------------------------------------------------------------------------- 1 | # ChartMuseum Helm Chart 2 | 3 | Deploy your own private ChartMuseum. 
4 | 5 | Please also see https://github.com/helm/chartmuseum 6 | 7 | ## Table of Content 8 | 9 | 10 | 11 | 12 | 13 | - [ChartMuseum Helm Chart](#chartmuseum-helm-chart) 14 | - [Table of Content](#table-of-content) 15 | - [Prerequisites](#prerequisites) 16 | - [Configuration](#configuration) 17 | - [Installation](#installation) 18 | - [Add repository](#add-repository) 19 | - [Install chart (Helm v3)](#install-chart-helm-v3) 20 | - [Install chart (Helm v2)](#install-chart-helm-v2) 21 | - [Installation using custom config](#installation-using-custom-config) 22 | - [Using with Amazon S3](#using-with-amazon-s3) 23 | - [permissions grant with access keys](#permissions-grant-with-access-keys) 24 | - [permissions grant with IAM instance profile](#permissions-grant-with-iam-instance-profile) 25 | - [permissions grant with IAM assumed role](#permissions-grant-with-iam-assumed-role) 26 | - [permissions grant with IAM Roles for Service Accounts](#permissions-grant-with-iam-roles-for-service-accounts) 27 | - [Using with Google Cloud Storage](#using-with-google-cloud-storage) 28 | - [Using with Google Cloud Storage and a Google Service Account](#using-with-google-cloud-storage-and-a-google-service-account) 29 | - [Using with Microsoft Azure Blob Storage](#using-with-microsoft-azure-blob-storage) 30 | - [Using with Alibaba Cloud OSS Storage](#using-with-alibaba-cloud-oss-storage) 31 | - [Using with Openstack Object Storage](#using-with-openstack-object-storage) 32 | - [Using with Oracle Object Storage](#using-with-oracle-object-storage) 33 | - [Using an existing secret](#using-an-existing-secret) 34 | - [Using with local filesystem storage](#using-with-local-filesystem-storage) 35 | - [Setting local storage permissions with initContainers](#setting-local-storage-permissions-with-initcontainers) 36 | - [Example storage class](#example-storage-class) 37 | - [Authentication](#authentication) 38 | - [Basic Authentication](#basic-authentication) 39 | - [Bearer/Token 
auth](#bearertoken-auth) 40 | - [Ingress](#ingress) 41 | - [Hosts](#hosts) 42 | - [Path Types](#path-types) 43 | - [Extra Paths](#extra-paths) 44 | - [Annotations](#annotations) 45 | - [Example Ingress configuration](#example-ingress-configuration) 46 | - [Uninstall](#uninstall) 47 | - [Upgrading](#upgrading) 48 | - [To 3.0.0](#to-300) 49 | 50 | 51 | 52 | 53 | ## Prerequisites 54 | 55 | * Helm v3.0.0+ 56 | * [If enabled] A persistent storage resource and RW access to it 57 | * [If enabled] Kubernetes StorageClass for dynamic provisioning 58 | 59 | ## Configuration 60 | 61 | By default this chart will not have persistent storage, and the API service 62 | will be *DISABLED* (`env.open.DISABLE_API=true`). This protects against unauthorized access to the API 63 | with default configuration values. 64 | 65 | > You must set `env.open.DISABLE_API=false` if you intend to use the ChartMuseum API. 66 | 67 | In addition, by default, pod `securityContext.fsGroup` is set to `1000`. This 68 | is the user/group that the ChartMuseum container runs as, and is used to 69 | enable local persistent storage. If your cluster has DenySecurityContext enabled, 70 | you can set `securityContext` to `{}` and still use this chart with one of 71 | the cloud storage options. 72 | 73 | For a more robust solution, supply `helm install` with a custom values.yaml. 74 | You are also required to create the StorageClass resource ahead of time: 75 | ``` 76 | kubectl create -f /path/to/storage_class.yaml 77 | ``` 78 | 79 | The following table lists common configurable parameters of the chart and 80 | their default values. See values.yaml for all available options.
81 | 82 | | Parameter | Description | Default | 83 | | --------------------------------------- | --------------------------------------------------------------------------- | ------------------------------------ | 84 | | `image.pullPolicy` | Container pull policy | `IfNotPresent` | 85 | | `image.repository` | Container image to use | `ghcr.io/helm/chartmuseum` | 86 | | `image.tag` | Container image tag to deploy | `v0.13.1` | 87 | | `persistence.accessMode` | Access mode to use for PVC | `ReadWriteOnce` | 88 | | `persistence.enabled` | Whether to use a PVC for persistent storage | `false` | 89 | | `persistence.path` | PV mount path | `/storage` | 90 | | `persistence.size` | Amount of space to claim for PVC | `8Gi` | 91 | | `persistence.labels` | Additional labels for PVC | `{}` | 92 | | `persistence.storageClass` | Storage Class to use for PVC | `undefined` (Uses default provisioner)| 93 | | `persistence.volumeName` | Volume to use for PVC | `undefined` | 94 | | `persistence.pv.enabled` | Whether to use a PV for persistent storage | `false` | 95 | | `persistence.pv.capacity.storage` | Storage size to use for PV | `8Gi` | 96 | | `persistence.pv.accessMode` | Access mode to use for PV | `ReadWriteOnce` | 97 | | `persistence.pv.nfs.server` | NFS server for PV | `` | 98 | | `persistence.pv.nfs.path` | Storage Path | `` | 99 | | `persistence.pv.pvname` | Custom name for private volume | `` | 100 | | `volumePermissions.image.registry` | Init container volume-permissions image registry | `docker.io` | 101 | | `volumePermissions.image.repository` | Init container volume-permissions image name | `bitnami/minideb` | 102 | | `volumePermissions.image.tag` | Init container volume-permissions image tag | `buster` | 103 | | `volumePermissions.image.pullPolicy` | Init container volume-permissions image pull policy | `Always` | 104 | | `replicaCount` | k8s replicas | `1` | 105 | | `resources` | CPU/Memory resource requests and limits | `{}` | 106 | | `secret.labels` | Additional 
labels for secret | `{}` | 107 | | `serviceAccount.create` | If true, create the service account | `false` | 108 | | `serviceAccount.name` | Name of the serviceAccount to create or use | `""` | 109 | | `serviceAccount.annotations` | Additional Service Account annotations | `{}` | 110 | | `securityContext.enabled` | Enable securityContext | `true` | 111 | | `securityContext.fsGroup` | Group ID for the container | `1000` | 112 | | `securityContext.runAsNonRoot` | Running Pods as non-root | `undefined` | 113 | | `securityContext.supplementalGroups` | Control which group IDs containers add | `undefined` | 114 | | `containerSecurityContext` | Additional Container securityContext (e.g. allowPrivilegeEscalation) | `{}` | 115 | | `priorityClassName ` | priorityClassName | `""` | 116 | | `nodeSelector` | Map of node labels for pod assignment | `{}` | 117 | | `tolerations` | List of node taints to tolerate | `[]` | 118 | | `affinity` | Map of node/pod affinities | `{}` | 119 | | `schedulerName` | Kubernetes scheduler to use | `` (Uses default scheduler) | 120 | | `env.open.STORAGE` | Storage Backend to use | `local` | 121 | | `env.open.STORAGE_ALIBABA_BUCKET` | Bucket to store charts in for Alibaba | `` | 122 | | `env.open.STORAGE_ALIBABA_PREFIX` | Prefix to store charts under for Alibaba | `` | 123 | | `env.open.STORAGE_ALIBABA_ENDPOINT` | Alternative Alibaba endpoint | `` | 124 | | `env.open.STORAGE_ALIBABA_SSE` | Server side encryption algorithm to use | `` | 125 | | `env.open.STORAGE_AMAZON_BUCKET` | Bucket to store charts in for AWS | `` | 126 | | `env.open.STORAGE_AMAZON_ENDPOINT` | Alternative AWS endpoint | `` | 127 | | `env.open.STORAGE_AMAZON_PREFIX` | Prefix to store charts under for AWS | `` | 128 | | `env.open.STORAGE_AMAZON_REGION` | Region to use for bucket access for AWS | `` | 129 | | `env.open.STORAGE_AMAZON_SSE` | Server side encryption algorithm to use | `` | 130 | | `env.open.STORAGE_GOOGLE_BUCKET` | Bucket to store charts in for GCP | `` | 131 | | 
`env.open.STORAGE_GOOGLE_PREFIX` | Prefix to store charts under for GCP | `` | 132 | | `env.open.STORAGE_MICROSOFT_CONTAINER` | Container to store charts under for MS | `` | 133 | | `env.open.STORAGE_MICROSOFT_PREFIX` | Prefix to store charts under for MS | `` | 134 | | `env.open.STORAGE_OPENSTACK_CONTAINER` | Container to store charts for openstack | `` | 135 | | `env.open.STORAGE_OPENSTACK_PREFIX` | Prefix to store charts for openstack | `` | 136 | | `env.open.STORAGE_OPENSTACK_REGION` | Region of openstack container | `` | 137 | | `env.open.STORAGE_OPENSTACK_CACERT` | Path to a CA cert bundle for openstack | `` | 138 | | `env.open.STORAGE_ORACLE_COMPARTMENTID` | Compartment ID for Oracle Object Store | `` | 139 | | `env.open.STORAGE_ORACLE_BUCKET` | Bucket to store charts in Oracle Object Store | `` | 140 | | `env.open.STORAGE_ORACLE_PREFIX` | Prefix to store charts for Oracle object Store | `` | 141 | | `env.open.CHART_POST_FORM_FIELD_NAME` | Form field to query for chart file content | `chart` | 142 | | `env.open.PROV_POST_FORM_FIELD_NAME` | Form field to query for chart provenance | `prov` | 143 | | `env.open.DEPTH` | levels of nested repos for multitenancy. 
| `0` | 144 | | `env.open.DEBUG` | Show debug messages | `false` | 145 | | `env.open.LOG_JSON` | Output structured logs in JSON | `true` | 146 | | `env.open.DISABLE_STATEFILES` | Disable use of index-cache.yaml | `false` | 147 | | `env.open.ENABLE_METRICS` | Enable Prometheus metrics | `false` | 148 | | `env.open.DISABLE_API` | Disable all routes prefixed with /api | `true` | 149 | | `env.open.ALLOW_OVERWRITE` | Allow chart versions to be re-uploaded | `false` | 150 | | `env.open.CHART_URL` | Absolute url for .tgzs in index.yaml | `` | 151 | | `env.open.AUTH_ANONYMOUS_GET` | Allow anon GET operations when auth is used | `false` | 152 | | `env.open.CONTEXT_PATH` | Set the base context path | `` | 153 | | `env.open.INDEX_LIMIT` | Parallel scan limit for the repo indexer | `0` | 154 | | `env.open.CACHE` | Cache store, can be one of: redis | `` | 155 | | `env.open.CACHE_REDIS_ADDR` | Address of Redis service (host:port) | `` | 156 | | `env.open.CACHE_REDIS_DB` | Redis database to be selected after connect | `0` | 157 | | `env.open.BEARER_AUTH` | Enable bearer auth | `false` | 158 | | `env.open.AUTH_REALM` | Realm used for bearer authentication | `` | 159 | | `env.open.AUTH_SERVICE` | Service used for bearer authentication | `` | 160 | | `env.field` | Expose pod information to containers through environment variables | `{}` | 161 | | `env.existingSecret` | Name of the existing secret use values | `` | 162 | | `env.existingSecretMappings.BASIC_AUTH_USER` | Key name in the secret for the Username | `` | 163 | | `env.existingSecretMappings.BASIC_AUTH_PASS` | Key name in the secret for the Password | `` | 164 | | `env.existingSecretMappings.GOOGLE_CREDENTIALS_JSON` | Key name in the secret for the GCP service account json file | `` | 165 | | `env.existingSecretMappings.CACHE_REDIS_PASSWORD` | Key name in the secret for the Redis requirepass configuration | `` | 166 | | `env.secret.BASIC_AUTH_USER` | Username for basic HTTP authentication | `` | 167 | | 
`env.secret.BASIC_AUTH_PASS` | Password for basic HTTP authentication | `` | 168 | | `env.secret.GOOGLE_CREDENTIALS_JSON` | GCP service account json file | `` | 169 | | `env.secret.CACHE_REDIS_PASSWORD` | Redis requirepass server configuration | `` | 170 | | `extraArgs` | Pass extra arguments to the chartmuseum binary | `[]` | 171 | | `probes.liveness.initialDelaySeconds` | Delay before liveness probe is initiated | `5` | 172 | | `probes.liveness.periodSeconds` | How often (in seconds) to perform the liveness probe | `10` | 173 | | `probes.liveness.timeoutSeconds` | Number of seconds after which the liveness probe times out | `1` | 174 | | `probes.liveness.successThreshold` | Minimum consecutive successes for the liveness probe | `1` | 175 | | `probes.liveness.failureThreshold` | Minimum consecutive failures for the liveness probe | `3` | 176 | | `probes.livenessHttpGetConfig.scheme` | Scheme to use for the liveness probe | `HTTP` | 177 | | `probes.readiness.initialDelaySeconds` | Delay before readiness probe is initiated | `5` | 178 | | `probes.readiness.periodSeconds` | How often (in seconds) to perform the readiness probe | `10` | 179 | | `probes.readiness.timeoutSeconds` | Number of seconds after which the readiness probe times out | `1` | 180 | | `probes.readiness.successThreshold` | Minimum consecutive successes for the readiness probe | `1` | 181 | | `probes.readiness.failureThreshold` | Minimum consecutive failures for the readiness probe | `3` | 182 | | `probes.readinessHttpGetConfig.scheme` | Scheme to use for the readiness probe | `HTTP` | 183 | | `gcp.secret.enabled` | Flag for the GCP service account | `false` | 184 | | `gcp.secret.name` | Secret name for the GCP json file | `` | 185 | | `gcp.secret.key` | Secret key for the GCP json file | `credentials.json` | 186 | | `oracle.secret.enabled` | Flag for Oracle OCI account | `false` | 187 | | `oracle.secret.name` | Secret name for OCI config and key | `` | 188 | | `oracle.secret.config` | Secret key that
holds the OCI config | `config` | 189 | | `oracle.secret.key_file` | Secret key that holds the OCI private key | `key_file` | 190 | | `bearerAuth.secret.enabled` | Flag for bearer auth public key secret | `false` | 191 | | `bearerAuth.secret.publicKeySecret` | The name of the secret with the public key | `chartmuseum-public-key` | 192 | | `service.type` | Kubernetes Service type | `ClusterIP` | 193 | | `service.clusterIP` | Static clusterIP or None for headless services | `` | 194 | | `service.externalTrafficPolicy` | Source IP preservation (only for Service type NodePort and LoadBalancer) | `Local` | 195 | | `service.loadBalancerIP` | Uses IP address created by a cloud provider | `` | 196 | | `service.loadBalancerSourceRanges` | Restricts access for LoadBalancer (only for Service type LoadBalancer) | `[]` | 197 | | `service.servicename` | Custom name for service | `` | 198 | | `service.labels` | Additional labels for service | `{}` | 199 | | `serviceMonitor.enabled` | Enable the ServiceMontor resource to be deployed | `false` | 200 | | `serviceMonitor.labels` | Labels for the servicemonitor used by the Prometheus Operator | `{}` | 201 | | `serviceMonitor.namespace` | Namespace of the ServiceMonitor resource | `{{ .Release.Namespace }}` | 202 | | `serviceMonitor.metricsPath` | Path to the Chartmuseum metrics path | `/metrics` | 203 | | `serviceMonitor.interval` | Scrape interval, If not set, the Prometheus default scrape interval is used | `` | 204 | | `serviceMonitor.timeout` | Scrape request timeout. 
If not set, the Prometheus default timeout is used | `` | 205 | | `deployment.annotations` | Additional annotations for deployment | `{}` | 206 | | `deployment.labels` | Additional labels for deployment | `{}` | 207 | | `deployment.extraVolumes` | Additional volumes for deployment | `[]` | 208 | | `deployment.extraVolumeMounts` | Additional volumes to mount in container for deployment | `[]` | 209 | | `deployment.sidecarContainers` | Additional containers to run in the pod | `{}` | 210 | | `podAnnotations` | Annotations for pods | `{}` | 211 | | `podLabels` | Labels for pods | `{}` | 212 | | `ingress.enabled` | Enable ingress controller resource | `false` | 213 | | `ingress.pathType` | Ingress pathType for Kubernetes 1.18 and above | `ImplementationSpecific` | 214 | | `ingress.annotations` | Ingress annotations | `{}` | 215 | | `ingress.labels` | Ingress labels | `{}` | 216 | | `ingress.ingressClassName` | Ingress class name for Kubernetes 1.18 and above | `` | 217 | | `ingress.hosts[0].name` | Hostname for the ingress | `` | 218 | | `ingress.hosts[0].path` | Path within the url structure | `/` | 219 | | `ingress.hosts[0].tls ` | Enable TLS on the ingress host | `false` | 220 | | `ingress.hosts[0].tlsSecret` | TLS secret to use (must be manually created) | `` | 221 | | `ingress.hosts[0].serviceName` | The name of the service to route traffic to. | `{{ include "chartmuseum.fullname" . }}` | 222 | | `ingress.hosts[0].servicePort` | The port of the service to route traffic to. | `{{ .Values.service.externalPort }}` | 223 | | `ingress.extraPaths[0].path` | Path within the url structure. | `` | 224 | | `ingress.extraPaths[0].service` | The name of the service to route traffic to. | `` | 225 | | `ingress.extraPaths[0].port` | The port of the service to route traffic to. | `` | 226 | 227 | Specify each parameter using the `--set key=value[,key=value]` argument to 228 | `helm install`. 
229 | 230 | ## Installation 231 | 232 | ### Add repository 233 | ``` 234 | helm repo add chartmuseum https://chartmuseum.github.io/charts 235 | ``` 236 | 237 | ### Install chart (Helm v3) 238 | ``` 239 | helm install my-chartmuseum chartmuseum/chartmuseum --version 3.1.0 240 | ``` 241 | 242 | ### Install chart (Helm v2) 243 | ``` 244 | helm install --name my-chartmuseum chartmuseum/chartmuseum --version 2.15.0 245 | ``` 246 | 247 | ### Installation using custom config 248 | ```shell 249 | helm install --name my-chartmuseum chartmuseum/chartmuseum -f custom.yaml 250 | ``` 251 | 252 | ### Using with Amazon S3 253 | Make sure your environment is properly setup to access `my-s3-bucket` 254 | 255 | You need at least the following permissions inside your IAM Policy 256 | ```yaml 257 | { 258 | "Version": "2012-10-17", 259 | "Statement": [ 260 | { 261 | "Sid": "AllowListObjects", 262 | "Effect": "Allow", 263 | "Action": [ 264 | "s3:ListBucket" 265 | ], 266 | "Resource": "arn:aws:s3:::my-s3-bucket" 267 | }, 268 | { 269 | "Sid": "AllowObjectsCRUD", 270 | "Effect": "Allow", 271 | "Action": [ 272 | "s3:DeleteObject", 273 | "s3:GetObject", 274 | "s3:PutObject" 275 | ], 276 | "Resource": "arn:aws:s3:::my-s3-bucket/*" 277 | } 278 | ] 279 | } 280 | ``` 281 | 282 | You can grant it to `chartmuseum` by several ways: 283 | 284 | #### permissions grant with access keys 285 | 286 | Grant permissions to `special user` and us it's access keys for auth on aws 287 | 288 | Specify `custom.yaml` with such values 289 | 290 | ```yaml 291 | env: 292 | open: 293 | STORAGE: amazon 294 | STORAGE_AMAZON_BUCKET: my-s3-bucket 295 | STORAGE_AMAZON_PREFIX: 296 | STORAGE_AMAZON_REGION: us-east-1 297 | secret: 298 | AWS_ACCESS_KEY_ID: "********" ## aws access key id value 299 | AWS_SECRET_ACCESS_KEY: "********" ## aws access key secret value 300 | ``` 301 | 302 | Run command to install 303 | 304 | ```shell 305 | helm install --name my-chartmuseum -f custom.yaml chartmuseum/chartmuseum 306 | ``` 307 | 308 
| #### permissions grant with IAM instance profile 309 | 310 | You can grant permissions to k8s node IAM instance profile. 311 | For more information read this [article](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2.html) 312 | 313 | Specify `custom.yaml` with such values 314 | 315 | ```yaml 316 | env: 317 | open: 318 | STORAGE: amazon 319 | STORAGE_AMAZON_BUCKET: my-s3-bucket 320 | STORAGE_AMAZON_PREFIX: 321 | STORAGE_AMAZON_REGION: us-east-1 322 | ``` 323 | 324 | Run command to install 325 | 326 | ```shell 327 | helm install --name my-chartmuseum -f custom.yaml chartmuseum/chartmuseum 328 | ``` 329 | 330 | #### permissions grant with IAM assumed role 331 | 332 | To provide access with assumed role you need to install [kube2iam](https://github.com/kubernetes/charts/tree/master/stable/kube2iam) 333 | and create role with granded permissions. 334 | 335 | Specify `custom.yaml` with such values 336 | 337 | ```yaml 338 | env: 339 | open: 340 | STORAGE: amazon 341 | STORAGE_AMAZON_BUCKET: my-s3-bucket 342 | STORAGE_AMAZON_PREFIX: 343 | STORAGE_AMAZON_REGION: us-east-1 344 | podAnnotations: 345 | iam.amazonaws.com/role: "{assumed role name}" 346 | ``` 347 | 348 | Run command to install 349 | 350 | ```shell 351 | helm install --name my-chartmuseum -f custom.yaml chartmuseum/chartmuseum 352 | ``` 353 | 354 | #### permissions grant with IAM Roles for Service Accounts 355 | 356 | For Amazon EKS clusters, access can be provided with a service account using [IAM Roles for Service Accounts](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html). 
357 | 358 | Specify `custom.yaml` with such values 359 | 360 | ```yaml 361 | env: 362 | open: 363 | AWS_SDK_LOAD_CONFIG: true 364 | STORAGE: amazon 365 | STORAGE_AMAZON_BUCKET: my-s3-bucket 366 | STORAGE_AMAZON_PREFIX: 367 | STORAGE_AMAZON_REGION: us-east-1 368 | serviceAccount: 369 | create: true 370 | annotations: 371 | eks.amazonaws.com/role-arn: "arn:aws:iam::{aws account ID}:role/{assumed role name}" 372 | ``` 373 | 374 | Run command to install 375 | 376 | ```shell 377 | helm install --name my-chartmuseum -f custom.yaml chartmuseum/chartmuseum 378 | ``` 379 | 380 | ### Using with Google Cloud Storage 381 | Make sure your environment is properly setup to access `my-gcs-bucket` 382 | 383 | Specify `custom.yaml` with such values 384 | 385 | ```yaml 386 | env: 387 | open: 388 | STORAGE: google 389 | STORAGE_GOOGLE_BUCKET: my-gcs-bucket 390 | STORAGE_GOOGLE_PREFIX: 391 | ``` 392 | 393 | ### Using with Google Cloud Storage and a Google Service Account 394 | 395 | A Google service account credentials are stored in a json file. There are two approaches here. Ideally you don't want to send your secrets to tiller. 
In that case, before installing this chart, you should create a secret with those credentials: 396 | 397 | ```shell 398 | kubectl create secret generic chartmuseum-secret --from-file=credentials.json="my-project-45e35d85a593.json" 399 | ``` 400 | 401 | Then you can either use a `VALUES` yaml with your values or set those values in the command line: 402 | 403 | ```shell 404 | helm install chartmuseum/chartmuseum --debug --set gcp.secret.enabled=true,env.open.STORAGE=google,env.open.DISABLE_API=false,env.open.STORAGE_GOOGLE_BUCKET=my-gcp-chartmuseum,gcp.secret.name=chartmuseum-secret 405 | ``` 406 | 407 | If you prefer to use a yaml file: 408 | 409 | ```yaml 410 | env: 411 | open: 412 | STORAGE: google 413 | STORAGE_GOOGLE_BUCKET: my-gcs-bucket 414 | STORAGE_GOOGLE_PREFIX: 415 | 416 | gcp: 417 | secret: 418 | enabled: true 419 | name: chartmuseum-secret 420 | key: credentials.json 421 | ``` 422 | 423 | Run command to install 424 | 425 | ```shell 426 | helm install --name my-chartmuseum -f custom.yaml chartmuseum/chartmuseum 427 | ``` 428 | 429 | In case that you don't mind adding your secret to tiller (you shouldn't do it), this are the commands 430 | 431 | ```yaml 432 | env: 433 | open: 434 | STORAGE: google 435 | STORAGE_GOOGLE_BUCKET: my-gcs-bucket 436 | STORAGE_GOOGLE_PREFIX: 437 | secret: 438 | GOOGLE_CREDENTIALS_JSON: my-json-file-base64-encoded 439 | gcp: 440 | secret: 441 | enabled: true 442 | 443 | ``` 444 | 445 | Run command to install 446 | 447 | ```shell 448 | helm install --name my-chartmuseum -f custom.yaml chartmuseum/chartmuseum 449 | ``` 450 | 451 | To set the values directly in the command line, use the following command. Note that we have to base64 encode the json file because we cannot pass a multi-line text as a value. 
452 | 453 | ```shell 454 | export JSONKEY=$(cat my-project-77e35d85a593.json | base64) 455 | helm install chartmuseum/chartmuseum --debug --set gcp.secret.enabled=true,env.secret.GOOGLE_CREDENTIALS_JSON=${JSONKEY},env.open.STORAGE=google,env.open.DISABLE_API=false,env.open.STORAGE_GOOGLE_BUCKET=my-gcp-chartmuseum 456 | ``` 457 | 458 | ### Using with Microsoft Azure Blob Storage 459 | 460 | Make sure your environment is properly setup to access `mycontainer`. 461 | 462 | To do so, you must set the following env vars: 463 | - `AZURE_STORAGE_ACCOUNT` 464 | - `AZURE_STORAGE_ACCESS_KEY` 465 | 466 | Specify `custom.yaml` with such values 467 | 468 | ```yaml 469 | env: 470 | open: 471 | STORAGE: microsoft 472 | STORAGE_MICROSOFT_CONTAINER: mycontainer 473 | # prefix to store charts for microsoft storage backend 474 | STORAGE_MICROSOFT_PREFIX: 475 | secret: 476 | AZURE_STORAGE_ACCOUNT: "********" ## azure storage account 477 | AZURE_STORAGE_ACCESS_KEY: "********" ## azure storage account access key 478 | ``` 479 | 480 | Run command to install 481 | 482 | ```shell 483 | helm install --name my-chartmuseum -f custom.yaml chartmuseum/chartmuseum 484 | ``` 485 | 486 | ### Using with Alibaba Cloud OSS Storage 487 | 488 | Make sure your environment is properly setup to access `my-oss-bucket`. 
489 | 490 | To do so, you must set the following env vars: 491 | - `ALIBABA_CLOUD_ACCESS_KEY_ID` 492 | - `ALIBABA_CLOUD_ACCESS_KEY_SECRET` 493 | 494 | Specify `custom.yaml` with such values 495 | 496 | ```yaml 497 | env: 498 | open: 499 | STORAGE: alibaba 500 | STORAGE_ALIBABA_BUCKET: my-oss-bucket 501 | STORAGE_ALIBABA_PREFIX: 502 | STORAGE_ALIBABA_ENDPOINT: oss-cn-beijing.aliyuncs.com 503 | secret: 504 | ALIBABA_CLOUD_ACCESS_KEY_ID: "********" ## alibaba OSS access key id 505 | ALIBABA_CLOUD_ACCESS_KEY_SECRET: "********" ## alibaba OSS access key secret 506 | ``` 507 | 508 | Run command to install 509 | 510 | ```shell 511 | helm install --name my-chartmuseum -f custom.yaml chartmuseum/chartmuseum 512 | ``` 513 | 514 | ### Using with Openstack Object Storage 515 | 516 | Make sure your environment is properly setup to access `mycontainer`. 517 | 518 | To do so, you must set the following env vars (depending on your openstack version): 519 | - `OS_AUTH_URL` 520 | - either `OS_PROJECT_NAME` or `OS_TENANT_NAME` or `OS_PROJECT_ID` or `OS_TENANT_ID` 521 | - either `OS_DOMAIN_NAME` or `OS_DOMAIN_ID` 522 | - either `OS_USERNAME` or `OS_USERID` 523 | - `OS_PASSWORD` 524 | 525 | Specify `custom.yaml` with such values 526 | 527 | ```yaml 528 | env: 529 | open: 530 | STORAGE: openstack 531 | STORAGE_OPENSTACK_CONTAINER: mycontainer 532 | STORAGE_OPENSTACK_PREFIX: 533 | STORAGE_OPENSTACK_REGION: YOURREGION 534 | secret: 535 | OS_AUTH_URL: https://myauth.url.com/v2.0/ 536 | OS_TENANT_ID: yourtenantid 537 | OS_USERNAME: yourusername 538 | OS_PASSWORD: yourpassword 539 | ``` 540 | 541 | Run command to install 542 | 543 | ```shell 544 | helm install --name my-chartmuseum -f custom.yaml chartmuseum/chartmuseum 545 | ``` 546 | ### Using with Oracle Object Storage 547 | 548 | Oracle (OCI) configuration and private key need to be added to a secret and are mounted at /home/chartmuseum/.oci. 
Your OCI config needs to be under [DEFAULT] and your `key_file` needs to be /home/chartmuseum/.oci/oci.key. See https://docs.cloud.oracle.com/iaas/Content/API/Concepts/sdkconfig.htm 549 | 550 | ```shell 551 | kubectl create secret generic chartmuseum-secret --from-file=config=".oci/config" --from-file=key_file=".oci/oci.key" 552 | ``` 553 | 554 | Then you can either use a `VALUES` yaml with your values or set those values in the command line: 555 | 556 | ```shell 557 | helm install chartmuseum/chartmuseum --debug --set env.open.STORAGE=oracle,env.open.STORAGE_ORACLE_COMPARTMENTID=ocid1.compartment.oc1..abc123,env.open.STORAGE_ORACLE_BUCKET=myocibucket,env.open.STORAGE_ORACLE_PREFIX=chartmuseum,oracle.secret.enabled=true,oracle.secret.name=chartmuseum-secret,env.open.OCI_CONFIG_FILE=/home/chartmuseum/.oci/config 558 | ``` 559 | 560 | If you prefer to use a yaml file: 561 | 562 | ```yaml 563 | env: 564 | open: 565 | STORAGE: oracle 566 | STORAGE_ORACLE_COMPARTMENTID: ocid1.compartment.oc1..abc123 567 | STORAGE_ORACLE_BUCKET: myocibucket 568 | STORAGE_ORACLE_PREFIX: chartmuseum 569 | OCI_CONFIG_FILE: /home/chartmuseum/.oci/config 570 | 571 | oracle: 572 | secret: 573 | enabled: enabled 574 | name: chartmuseum-secret 575 | config: config 576 | key_file: key_file 577 | 578 | ``` 579 | 580 | Run command to install 581 | 582 | ```shell 583 | helm install --name my-chartmuseum -f custom.yaml chartmuseum/chartmuseum 584 | ``` 585 | 586 | ### Using an existing secret 587 | 588 | It is possible to pre-create a secret in kubernetes and get this chart to use that 589 | 590 | Given you are for example using the above AWS example 591 | 592 | You could create a Secret like this 593 | 594 | ```shell 595 | kubectl create secret generic chartmuseum-secret --from-literal="aws-access-key=myaccesskey" --from-literal="aws-secret-access-key=mysecretaccesskey" --from-literal="basic-auth-user=curator" --from-literal="basic-auth-pass=mypassword" 596 | ``` 597 | 598 | Specify `custom.yaml` 
with such values 599 | 600 | ```yaml 601 | env: 602 | open: 603 | STORAGE: amazonexistingSecret 604 | STORAGE_AMAZON_BUCKET: my-s3-bucket 605 | STORAGE_AMAZON_PREFIX: 606 | STORAGE_AMAZON_REGION: us-east-1 607 | existingSecret: chartmuseum-secret 608 | existingSecretMappings: 609 | AWS_ACCESS_KEY_ID: aws-access-key 610 | AWS_SECRET_ACCESS_KEY: aws-secret-access-key 611 | BASIC_AUTH_USER: basic-auth-user 612 | BASIC_AUTH_PASS: basic-auth-pass 613 | ``` 614 | 615 | Run command to install 616 | 617 | ```shell 618 | helm install --name my-chartmuseum -f custom.yaml chartmuseum/chartmuseum 619 | ``` 620 | 621 | ### Using with local filesystem storage 622 | By default chartmuseum uses local filesystem storage. 623 | But on pod recreation it will lose all charts, to prevent that enable persistent storage. 624 | 625 | ```yaml 626 | env: 627 | open: 628 | STORAGE: local 629 | persistence: 630 | enabled: true 631 | accessMode: ReadWriteOnce 632 | size: 8Gi 633 | ## A manually managed Persistent Volume and Claim 634 | ## Requires persistence.enabled: true 635 | ## If defined, PVC must be created manually before volume will be bound 636 | # existingClaim: 637 | 638 | ## Chartmuseum data Persistent Volume Storage Class 639 | ## If defined, storageClassName: 640 | ## If set to "-", storageClassName: "", which disables dynamic provisioning 641 | ## If undefined (the default) or set to null, no storageClassName spec is 642 | ## set, choosing the default provisioner. (gp2 on AWS, standard on 643 | ## GKE, AWS & OpenStack) 644 | ## 645 | # storageClass: "-" 646 | ``` 647 | 648 | Run command to install 649 | 650 | ```shell 651 | helm install --name my-chartmuseum -f custom.yaml chartmuseum/chartmuseum 652 | ``` 653 | 654 | ### Setting local storage permissions with initContainers 655 | 656 | Some clusters do not allow using securityContext to set permissions for persistent volumes. Instead, an initContainer can be created to run `chown` on the mounted volume. 
To enable it, set `securityContext.enabled` to `false`. The initContainer is only added when `persistence.enabled` is also `true`, and disabling `securityContext` also drops the pod-level `fsGroup`, `runAsNonRoot` and `supplementalGroups` settings.
You can use the [chartmuseum/auth](https://github.com/chartmuseum/auth) Go library to generate valid JWT tokens. For more information about how this works, please see [chartmuseum/auth-server-example](https://github.com/chartmuseum/auth-server-example) 713 | 714 | To use this the public key should be stored in a secret this can be done with 715 | 716 | ```shell 717 | kubectl create secret generic chartmuseum-public-key --from-file=public-key.pem 718 | ``` 719 | 720 | And Bearer/Token auth can be configured using the following values 721 | 722 | ```yaml 723 | env: 724 | open: 725 | BEARER_AUTH: true 726 | AUTH_REALM: 727 | AUTH_SERVICE: 728 | 729 | bearerAuth: 730 | secret: 731 | enabled: true 732 | publicKeySecret: chartmuseum-public-key 733 | ``` 734 | 735 | ### Ingress 736 | 737 | This chart provides support for ingress resources. If you have an ingress controller installed on your cluster, such as [nginx-ingress](https://hub.kubeapps.com/charts/stable/nginx-ingress) or [traefik](https://hub.kubeapps.com/charts/stable/traefik) you can utilize the ingress controller to expose Kubeapps. 738 | 739 | To enable ingress integration, please set `ingress.enabled` to `true` 740 | 741 | #### Hosts 742 | 743 | Most likely you will only want to have one hostname that maps to this Chartmuseum installation, however, it is possible to have more than one host. To facilitate this, the `ingress.hosts` object is an array. TLS secrets referenced in the ingress host configuration must be manually created in the namespace. 744 | 745 | In most cases, you should not specify values for `ingress.hosts[0].serviceName` and `ingress.hosts[0].servicePort`. However, some ingress controllers support advanced scenarios requiring you to specify these values. For example, [setting up an SSL redirect using the AWS ALB Ingress Controller](https://kubernetes-sigs.github.io/aws-alb-ingress-controller/guide/tasks/ssl_redirect/). 
746 | 747 | #### Path Types 748 | 749 | Each path in an Ingress is required to have a corresponding path type. Paths that do not include an explicit pathType will fail validation. For more about Ingress pathTypes please see [this documentation](https://kubernetes.io/docs/concepts/services-networking/ingress/#path-types). 750 | 751 | ```shell 752 | helm install --name my-chartmuseum chartmuseum/chartmuseum \ 753 | --set ingress.enabled=true \ 754 | --set ingress.hosts[0].name=chartmuseum.domain.com \ 755 | --set ingress.pathType=ImplementationSpecific 756 | ``` 757 | 758 | #### Extra Paths 759 | 760 | Specifying extra paths to prepend to every host configuration is especially useful when configuring [custom actions with AWS ALB Ingress Controller](https://kubernetes-sigs.github.io/aws-alb-ingress-controller/guide/ingress/annotation/#actions). 761 | 762 | ```shell 763 | helm install --name my-chartmuseum chartmuseum/chartmuseum \ 764 | --set ingress.enabled=true \ 765 | --set ingress.hosts[0].name=chartmuseum.domain.com \ 766 | --set ingress.extraPaths[0].service=ssl-redirect \ 767 | --set ingress.extraPaths[0].port=use-annotation \ 768 | ``` 769 | 770 | 771 | #### Annotations 772 | 773 | For annotations, please see [this document for nginx](https://github.com/kubernetes/ingress-nginx/blob/master/docs/user-guide/nginx-configuration/annotations.md) and [this document for Traefik](https://doc.traefik.io/traefik/v1.7/configuration/backends/kubernetes/#general-annotations). Not all annotations are supported by all ingress controllers, but this document does a good job of indicating which annotation is supported by many popular ingress controllers. Annotations can be set using `ingress.annotations`. 
774 | 775 | #### Example Ingress configuration 776 | 777 | ```shell 778 | helm install --name my-chartmuseum chartmuseum/chartmuseum \ 779 | --set ingress.enabled=true \ 780 | --set ingress.hosts[0].name=chartmuseum.domain.com \ 781 | --set ingress.pathType=ImplementationSpecific \ 782 | --set ingress.hosts[0].path=/ \ 783 | --set ingress.hosts[0].tls=true \ 784 | --set ingress.hosts[0].tlsSecret=chartmuseum.tls-secret 785 | ``` 786 | 787 | ## Uninstall 788 | 789 | By default, a deliberate uninstall will result in the persistent volume 790 | claim being deleted. 791 | 792 | ```shell 793 | helm delete my-chartmuseum 794 | ``` 795 | 796 | To delete the deployment and its history: 797 | ```shell 798 | helm delete --purge my-chartmuseum 799 | ``` 800 | 801 | ## Upgrading 802 | 803 | ### To 3.0.0 804 | 805 | * This is a breaking change which only supports Helm v3.0.0+ now. If you still use helm v2, please consider upgrading because v2 is EOL for quite a while. 806 | * To migrate to helm v3 please have a look at the [Helm 2to3 Plugin](https://github.com/helm/helm-2to3). This tool will convert the existing ConfigMap used for Tiller to a Secret of type `helm.sh/release.v1`. 807 | * When you are using object storage for persistence (instead of a PVC), you can simply uninstall your helm v2 release and perform a fresh installation with helm v3 without using the `2to3` plugin. 808 | * We now follow the official Kubernetes [label recommendations](https://kubernetes.io/docs/concepts/overview/working-with-objects/common-labels/). 809 | To upgrade an existing installation, please **add the `--force` parameter** to the `helm upgrade` command or **delete the Deployment resource** before you upgrade. This is necessary becase Deployment's label selector is immutable. 
810 | * Renamed parameters 811 | * `deployment.schedulerName` was renamed to `schedulerName` 812 | * `replica.annotations` was renamed to `podAnnotations` 813 | -------------------------------------------------------------------------------- /src/chartmuseum/ci/ingress-values.yaml: -------------------------------------------------------------------------------- 1 | ingress: 2 | enabled: true 3 | annotations: 4 | kubernetes.io/ingress.class: nginx 5 | kubernetes.io/tls-acme: "true" 6 | hosts: 7 | - name: chartmuseum.domain1.com 8 | path: / 9 | tls: false 10 | -------------------------------------------------------------------------------- /src/chartmuseum/templates/NOTES.txt: -------------------------------------------------------------------------------- 1 | ** Please be patient while the chart is being deployed ** 2 | 3 | Get the ChartMuseum URL by running: 4 | 5 | {{- if contains "NodePort" .Values.service.type }} 6 | 7 | export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ template "chartmuseum.fullname" . }}) 8 | export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") 9 | echo http://$NODE_IP:$NODE_PORT{{ .Values.env.open.CONTEXT_PATH }}/ 10 | 11 | {{- else if contains "LoadBalancer" .Values.service.type }} 12 | 13 | ** Please ensure an external IP is associated to the {{ template "chartmuseum.fullname" . }} service before proceeding ** 14 | ** Watch the status using: kubectl get svc --namespace {{ .Release.Namespace }} -w {{ template "chartmuseum.fullname" . }} ** 15 | 16 | export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ template "chartmuseum.fullname" . 
}} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') 17 | echo http://$SERVICE_IP:{{ .Values.service.externalPort }}{{ .Values.env.open.CONTEXT_PATH }}/ 18 | 19 | OR 20 | 21 | export SERVICE_HOST=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ template "chartmuseum.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].hostname}') 22 | echo http://$SERVICE_HOST:{{ .Values.service.externalPort }}{{ .Values.env.open.CONTEXT_PATH }}/ 23 | 24 | {{- else if contains "ClusterIP" .Values.service.type }} 25 | 26 | export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app={{ template "chartmuseum.name" . }}" -l "release={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") 27 | echo http://127.0.0.1:8080{{ .Values.env.open.CONTEXT_PATH }}/ 28 | kubectl port-forward $POD_NAME 8080:8080 --namespace {{ .Release.Namespace }} 29 | 30 | {{- end }} 31 | -------------------------------------------------------------------------------- /src/chartmuseum/templates/_helpers.tpl: -------------------------------------------------------------------------------- 1 | {{/* 2 | Expand the name of the chart. 3 | */}} 4 | {{- define "chartmuseum.name" -}} 5 | {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} 6 | {{- end }} 7 | 8 | {{/* 9 | Create a default fully qualified app name. 10 | We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). 11 | If release name contains chart name it will be used as a full name. 
12 | */}} 13 | {{- define "chartmuseum.fullname" -}} 14 | {{- if .Values.fullnameOverride }} 15 | {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} 16 | {{- else }} 17 | {{- $name := default .Chart.Name .Values.nameOverride }} 18 | {{- if contains $name .Release.Name }} 19 | {{- .Release.Name | trunc 63 | trimSuffix "-" }} 20 | {{- else }} 21 | {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} 22 | {{- end }} 23 | {{- end }} 24 | {{- end }} 25 | 26 | {{- /* 27 | Create chart name and version as used by the chart label. 28 | 29 | It does minimal escaping for use in Kubernetes labels. 30 | 31 | Example output: 32 | 33 | chartmuseum-0.4.5 34 | */ -}} 35 | {{- define "chartmuseum.chart" -}} 36 | {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} 37 | {{- end -}} 38 | 39 | {{/* 40 | Common labels 41 | */}} 42 | {{- define "chartmuseum.labels" -}} 43 | helm.sh/chart: {{ include "chartmuseum.chart" . }} 44 | {{ include "chartmuseum.selectorLabels" . }} 45 | {{- if .Chart.AppVersion }} 46 | app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} 47 | {{- end }} 48 | {{- if .Values.commonLabels}} 49 | {{ toYaml .Values.commonLabels }} 50 | {{- end }} 51 | app.kubernetes.io/managed-by: {{ .Release.Service }} 52 | {{- end }} 53 | 54 | {{/* 55 | Selector labels 56 | */}} 57 | {{- define "chartmuseum.selectorLabels" -}} 58 | app.kubernetes.io/name: {{ include "chartmuseum.name" . }} 59 | app.kubernetes.io/instance: {{ .Release.Name }} 60 | {{- end }} 61 | 62 | {{/* 63 | Create the name of the service account to use 64 | */}} 65 | {{- define "chartmuseum.serviceAccountName" -}} 66 | {{- if .Values.serviceAccount.create }} 67 | {{- default (include "chartmuseum.fullname" .) 
.Values.serviceAccount.name }} 68 | {{- else }} 69 | {{- default "default" .Values.serviceAccount.name }} 70 | {{- end }} 71 | {{- end }} 72 | 73 | {{/* 74 | Return the proper image name to change the volume permissions 75 | */}} 76 | {{- define "chartmuseum.volumePermissions.image" -}} 77 | {{- $registryName := .Values.volumePermissions.image.registry -}} 78 | {{- $repositoryName := .Values.volumePermissions.image.repository -}} 79 | {{- $tag := .Values.volumePermissions.image.tag | toString -}} 80 | {{/* 81 | Helm 2.11 supports the assignment of a value to a variable defined in a different scope, 82 | but Helm 2.9 and 2.10 doesn't support it, so we need to implement this if-else logic. 83 | Also, we can't use a single if because lazy evaluation is not an option 84 | */}} 85 | {{- if .Values.global }} 86 | {{- if .Values.global.imageRegistry }} 87 | {{- printf "%s/%s:%s" .Values.global.imageRegistry $repositoryName $tag -}} 88 | {{- else -}} 89 | {{- printf "%s/%s:%s" $registryName $repositoryName $tag -}} 90 | {{- end -}} 91 | {{- else -}} 92 | {{- printf "%s/%s:%s" $registryName $repositoryName $tag -}} 93 | {{- end -}} 94 | {{- end -}} 95 | 96 | {{/* 97 | Return the proper Docker Image Registry Secret Names 98 | */}} 99 | {{- define "chartmuseum.imagePullSecrets" -}} 100 | {{/* 101 | Helm 2.11 supports the assignment of a value to a variable defined in a different scope, 102 | but Helm 2.9 and 2.10 does not support it, so we need to implement this if-else logic. 103 | Also, we can not use a single if because lazy evaluation is not an option 104 | */}} 105 | {{- if .Values.global }} 106 | {{- if .Values.global.imagePullSecrets }} 107 | imagePullSecrets: 108 | {{- range .Values.global.imagePullSecrets }} 109 | - name: {{ . }} 110 | {{- end }} 111 | {{- else if or .Values.image.pullSecrets .Values.volumePermissions.image.pullSecrets }} 112 | imagePullSecrets: 113 | {{- range .Values.image.pullSecrets }} 114 | - name: {{ . 
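}}
{{- end }}
{{- range .Values.volumePermissions.image.pullSecrets }}
  - name: {{ . }}
{{- end }}
{{- end -}}
{{- else if or .Values.image.pullSecrets .Values.volumePermissions.image.pullSecrets }}
imagePullSecrets:
{{- range .Values.image.pullSecrets }}
  - name: {{ . }}
{{- end }}
{{- range .Values.volumePermissions.image.pullSecrets }}
  - name: {{ . }}
{{- end }}
{{- end -}}
{{- end -}}
-------------------------------------------------------------------------------- /src/chartmuseum/templates/deployment.yaml: --------------------------------------------------------------------------------
{{- /*
Deployment for the chartmuseum server.

Credentials reach the container only as secretKeyRef env vars (taken from the
chart's own Secret, or from env.existingSecret via env.existingSecretMappings)
and as read-only Secret volumes (GCP credentials, OCI config/key, bearer-auth
public key). Everything under env.open is written as a literal `value:` into
the pod spec, so it is visible to anyone who can read the Deployment.
*/}}
apiVersion: apps/v1
kind: Deployment
metadata:
  name: {{ include "chartmuseum.fullname" . }}
  {{- with .Values.deployment.annotations }}
  annotations:
    {{- toYaml . | nindent 4 }}
  {{- end }}
  labels:
    {{- include "chartmuseum.labels" . | nindent 4 }}
    {{- if .Values.deployment.labels }}
    {{- toYaml .Values.deployment.labels | nindent 4 }}
    {{- end }}
spec:
  selector:
    matchLabels:
      {{- include "chartmuseum.selectorLabels" . | nindent 6 }}
  replicas: {{ .Values.replicaCount }}
  strategy:
{{ toYaml .Values.strategy | indent 4 }}
  revisionHistoryLimit: 10
  template:
    metadata:
      {{- with .Values.podAnnotations }}
      annotations:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      labels:
        {{- include "chartmuseum.selectorLabels" . | nindent 8 }}
        {{- if .Values.podLabels }}
        {{- toYaml .Values.podLabels | nindent 8 }}
        {{- end }}
    spec:
      {{- if .Values.priorityClassName }}
      priorityClassName: "{{ .Values.priorityClassName }}"
      {{- end }}
      {{- /*
      Volume ownership. With securityContext.enabled the pod-level fsGroup is
      used (optionally with runAsNonRoot / supplementalGroups). When it is
      disabled and persistence is enabled, an init container instead runs
      `chown -R fsGroup:fsGroup persistence.path` with the volumePermissions
      image. That init container reuses containerSecurityContext, so a
      restrictive context there (e.g. a non-root user) would make the chown
      fail — confirm the chosen context allows it.
      */}}
      {{- if .Values.securityContext.enabled }}
      securityContext:
        fsGroup: {{ .Values.securityContext.fsGroup }}
        {{- if .Values.securityContext.runAsNonRoot }}
        runAsNonRoot: {{ .Values.securityContext.runAsNonRoot }}
        {{- end }}
        {{- if .Values.securityContext.supplementalGroups }}
        supplementalGroups: {{ .Values.securityContext.supplementalGroups }}
        {{- end }}
      {{- else if .Values.persistence.enabled }}
      initContainers:
      - name: volume-permissions
        image: {{ template "chartmuseum.volumePermissions.image" . }}
        imagePullPolicy: "{{ .Values.volumePermissions.image.pullPolicy }}"
        securityContext:
          {{- toYaml .Values.containerSecurityContext | nindent 10 }}
        command: ['sh', '-c', 'chown -R {{ .Values.securityContext.fsGroup }}:{{ .Values.securityContext.fsGroup }} {{ .Values.persistence.path }}']
        volumeMounts:
        - mountPath: {{ .Values.persistence.path }}
          name: storage-volume
      {{- end }}
      {{- include "chartmuseum.imagePullSecrets" . | indent 6 }}
      containers:
      - name: {{ .Chart.Name }}
        image: {{ .Values.image.repository }}:{{ .Values.image.tag }}
        imagePullPolicy: {{ .Values.image.pullPolicy }}
        securityContext:
          {{- toYaml .Values.containerSecurityContext | nindent 10 }}
        env:
        {{- /* Non-sensitive settings: rendered as plain values in the pod spec. */}}
        {{- range $name, $value := .Values.env.open }}
        {{- if not (empty $value) }}
        - name: {{ $name | quote }}
          value: {{ $value | quote }}
        {{- end }}
        {{- end }}
        {{- range $name, $value := .Values.env.field }}
        {{- if not ( empty $value) }}
        - name: {{ $name | quote }}
          valueFrom:
            fieldRef:
              fieldPath: {{ $value | quote }}
        {{- end }}
        {{- end }}
        {{- if .Values.gcp.secret.enabled }}
        - name: GOOGLE_APPLICATION_CREDENTIALS
          value: "/etc/secrets/google/credentials.json"
        {{- end }}
        {{- /*
        Sensitive settings: always referenced through secretKeyRef. With
        env.existingSecret the keys come from env.existingSecretMappings;
        otherwise every non-empty env.secret entry is read from the chart's
        own Secret (templates/secret.yaml) under its own name.
        */}}
        {{- if .Values.env.existingSecret }}
        {{- $secret_name := .Values.env.existingSecret }}
        {{- range $name, $key := .Values.env.existingSecretMappings }}
        {{- if not ( empty $key) }}
        - name: {{ $name | quote }}
          valueFrom:
            secretKeyRef:
              name: {{ $secret_name | quote }}
              key: {{ $key | quote }}
        {{- end }}
        {{- end }}
        {{- else }}
        {{- $secret_name := include "chartmuseum.fullname" . }}
        {{- range $name, $value := .Values.env.secret }}
        {{- if not ( empty $value) }}
        - name: {{ $name | quote }}
          valueFrom:
            secretKeyRef:
              name: {{ $secret_name | quote }}
              key: {{ $name | quote }}
        {{- end }}
        {{- end }}
        {{- end }}
        {{- if .Values.bearerAuth.secret.enabled }}
        - name: AUTH_CERT_PATH
          value: /var/keys/public-key.pem
        {{- end }}
        args:
        - --port=8080
        {{- if eq .Values.env.open.STORAGE "local" }}
        - --storage-local-rootdir={{ .Values.persistence.path }}
        {{- end }}
        {{- if .Values.extraArgs }}
{{ toYaml .Values.extraArgs | indent 8 }}
        {{- end }}
        ports:
        - name: http
          containerPort: 8080
        livenessProbe:
          httpGet:
            path: {{ .Values.env.open.CONTEXT_PATH }}/health
            port: http
{{ toYaml .Values.probes.livenessHttpGetConfig | indent 12 }}
{{ toYaml .Values.probes.liveness | indent 10 }}
        readinessProbe:
          httpGet:
            path: {{ .Values.env.open.CONTEXT_PATH }}/health
            port: http
{{ toYaml .Values.probes.readinessHttpGetConfig | indent 12 }}
{{ toYaml .Values.probes.readiness | indent 10 }}
        volumeMounts:
        {{- if .Values.deployment.extraVolumeMounts }}
        {{- toYaml .Values.deployment.extraVolumeMounts | nindent 8 }}
        {{- end }}
        {{- if eq .Values.env.open.STORAGE "local" }}
        - mountPath: {{ .Values.persistence.path }}
          name: storage-volume
        {{- end }}
        {{- /* Credential volumes are mounted read-only, like the bearer-auth public key below. */}}
        {{- if .Values.gcp.secret.enabled }}
        - mountPath: /etc/secrets/google
          name: {{ include "chartmuseum.fullname" . }}-gcp
          readOnly: true
        {{- end }}
        {{- if .Values.oracle.secret.enabled }}
        - mountPath: /home/chartmuseum/.oci
          name: {{ include "chartmuseum.fullname" . }}-oracle
          readOnly: true
        {{- end }}
        {{- if .Values.bearerAuth.secret.enabled }}
        - name: public-key
          mountPath: /var/keys
          readOnly: true
        {{- end }}
        {{- /*
        resources belong to the chartmuseum container, so they are emitted
        here, before any sidecar container entries are appended to the list.
        */}}
        {{- with .Values.resources }}
        resources:
{{ toYaml . | indent 10 }}
        {{- end }}
      {{- if .Values.deployment.sidecarContainers }}
      {{- range $name, $spec := .Values.deployment.sidecarContainers }}
      - name: {{ $name }}
        {{- toYaml $spec | nindent 8 }}
      {{- end }}
      {{- end }}
      {{- with .Values.nodeSelector }}
      nodeSelector:
{{ toYaml . | indent 8 }}
      {{- end }}
      {{- with .Values.affinity }}
      affinity:
{{ toYaml . | indent 8 }}
      {{- end }}
      {{- with .Values.tolerations }}
      tolerations:
{{ toYaml . | indent 8 }}
      {{- end }}
      {{- if .Values.schedulerName }}
      schedulerName: {{ .Values.schedulerName }}
      {{- end }}
      serviceAccountName: {{ include "chartmuseum.serviceAccountName" . }}
      {{- /* values.yaml defaults this to false, so no API token is mounted unless a user opts in. */}}
      automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }}
      volumes:
      {{- if .Values.deployment.extraVolumes }}
      {{- toYaml .Values.deployment.extraVolumes | nindent 6 }}
      {{- end }}
      - name: storage-volume
      {{- if .Values.persistence.enabled }}
        persistentVolumeClaim:
          claimName: {{ .Values.persistence.existingClaim | default (include "chartmuseum.fullname" .) }}
      {{- else }}
        emptyDir: {}
      {{- end }}
      {{- /*
      GCP credentials: taken from the chart Secret when env.secret.GOOGLE_CREDENTIALS_JSON
      is set, otherwise from the user-supplied gcp.secret.name / gcp.secret.key.
      Either way the key is projected as credentials.json under /etc/secrets/google.
      */}}
      {{- if .Values.gcp.secret.enabled }}
      - name: {{ include "chartmuseum.fullname" . }}-gcp
        secret:
        {{- if .Values.env.secret.GOOGLE_CREDENTIALS_JSON }}
          secretName: {{ include "chartmuseum.fullname" . }}
          items:
          - key: GOOGLE_CREDENTIALS_JSON
            path: credentials.json
        {{- else }}
          secretName: {{ .Values.gcp.secret.name }}
          items:
          - key: {{ .Values.gcp.secret.key }}
            path: credentials.json
        {{- end }}
      {{- end }}
      {{- if .Values.oracle.secret.enabled }}
      - name: {{ include "chartmuseum.fullname" . }}-oracle
        secret:
          secretName: {{ .Values.oracle.secret.name }}
          items:
          - key: {{ .Values.oracle.secret.config }}
            path: config
          - key: {{ .Values.oracle.secret.key_file }}
            path: oci.key
      {{- end }}
      {{- /* Bearer-auth public key: no `items`, so the Secret must hold a key named public-key.pem (AUTH_CERT_PATH above). */}}
      {{- if .Values.bearerAuth.secret.enabled }}
      - name: public-key
        secret:
          secretName: {{ .Values.bearerAuth.secret.publicKeySecret }}
      {{- end }}
-------------------------------------------------------------------------------- /src/chartmuseum/templates/ingress.yaml: --------------------------------------------------------------------------------
{{- if .Values.ingress.enabled }}
{{- $servicePort := .Values.service.externalPort -}}
{{- $serviceName := include "chartmuseum.fullname" . -}}
{{- $ingressExtraPaths := .Values.ingress.extraPaths -}}
---
{{- if semverCompare "<1.14-0" .Capabilities.KubeVersion.GitVersion }}
apiVersion: extensions/v1beta1
{{- else if semverCompare "<1.19-0" .Capabilities.KubeVersion.GitVersion }}
apiVersion: networking.k8s.io/v1beta1
{{- else }}
apiVersion: networking.k8s.io/v1
{{- end }}
kind: Ingress
metadata:
  name: {{ include "chartmuseum.fullname" . }}
  {{- with .Values.ingress.annotations }}
  annotations:
    {{- toYaml . | nindent 4 }}
  {{- end }}
  labels:
    {{- include "chartmuseum.labels" . | nindent 4 }}
    {{- with .Values.ingress.labels }}
    {{- toYaml . | nindent 4 }}
    {{- end }}
spec:
  {{- with .Values.ingress.ingressClassName }}
  ingressClassName: {{ .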
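}}
  {{- end }}
  rules:
  {{- range .Values.ingress.hosts }}
  - host: {{ .name }}
    http:
      paths:
      {{- /*
      Extra paths (ingress.extraPaths) are added to every host first; each
      entry may override service, port and pathType, falling back to the
      chart's Service, service.externalPort and ingress.pathType.
      */}}
      {{- range $ingressExtraPaths }}
      - path: {{ default "/" .path | quote }}
        backend:
        {{- if semverCompare "<1.19-0" $.Capabilities.KubeVersion.GitVersion }}
          {{- if $.Values.service.servicename }}
          serviceName: {{ $.Values.service.servicename }}
          {{- else }}
          serviceName: {{ default $serviceName .service }}
          {{- end }}
          servicePort: {{ default $servicePort .port }}
        {{- else }}
          service:
            {{- if $.Values.service.servicename }}
            name: {{ $.Values.service.servicename }}
            {{- else }}
            name: {{ default $serviceName .service }}
            {{- end }}
            port:
              number: {{ default $servicePort .port }}
        pathType: {{ default $.Values.ingress.pathType .pathType }}
        {{- end }}
      {{- end }}
      {{- /*
      The host's own path. The port override is accepted under either key
      (`port`, or the older `servicePort`) on every API version, so a host
      entry renders the same backend port regardless of cluster version.
      */}}
      - path: {{ default "/" .path | quote }}
        backend:
        {{- if semverCompare "<1.19-0" $.Capabilities.KubeVersion.GitVersion }}
          {{- if $.Values.service.servicename }}
          serviceName: {{ $.Values.service.servicename }}
          {{- else }}
          serviceName: {{ default $serviceName .service }}
          {{- end }}
          servicePort: {{ .port | default .servicePort | default $servicePort }}
        {{- else }}
          service:
            {{- if $.Values.service.servicename }}
            name: {{ $.Values.service.servicename }}
            {{- else }}
            name: {{ default $serviceName .service }}
            {{- end }}
            port:
              number: {{ .port | default .servicePort | default $servicePort }}
        pathType: {{ $.Values.ingress.pathType }}
        {{- end }}
  {{- end }}
  {{- /*
  TLS: only hosts with `tls: true` get an entry; their key/certificate is
  read from the Secret named by `tlsSecret`, which the operator creates in
  the release namespace. Hosts without it get no TLS entry from this chart.
  */}}
  tls:
  {{- range .Values.ingress.hosts }}
  {{- if .tls }}
  - hosts:
    - {{ .name }}
    secretName: {{ .tlsSecret }}
  {{- end }}
  {{- end }}
{{- end -}}
-------------------------------------------------------------------------------- /src/chartmuseum/templates/pv.yaml: --------------------------------------------------------------------------------
{{- if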
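.Values.persistence.pv.enabled -}}
{{- /*
Optional NFS-backed PersistentVolume. The NFS export (pv.nfs.server/path)
holds the chart repository data; whoever controls that export controls the
served charts, so it must be as trusted as the cluster itself.
*/}}
apiVersion: v1
kind: PersistentVolume
metadata:
  name: {{ .Values.persistence.pv.pvname | default (include "chartmuseum.fullname" .) }}
  labels:
    {{- include "chartmuseum.labels" . | nindent 4 }}
spec:
  capacity:
    storage: {{ .Values.persistence.pv.capacity.storage }}
  accessModes:
    - {{ .Values.persistence.pv.accessMode | quote }}
  nfs:
    server: {{ .Values.persistence.pv.nfs.server }}
    path: {{ .Values.persistence.pv.nfs.path | quote }}
{{- end }}
-------------------------------------------------------------------------------- /src/chartmuseum/templates/pvc.yaml: --------------------------------------------------------------------------------
{{- /*
PersistentVolumeClaim for local storage. Rendered only when persistence is
enabled and no existingClaim is supplied.

storageClass: "-" disables dynamic provisioning (storageClassName: ""); any
other value is used verbatim; unset leaves the cluster default.
volumeName is independent of storageClass, so it is emitted whenever set
(previously it was only emitted when storageClass was also set, which
silently dropped the binding).
*/}}
{{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) -}}
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
  name: {{ include "chartmuseum.fullname" . }}
  labels:
    {{- include "chartmuseum.labels" . | nindent 4 }}
    {{- with .Values.persistence.labels }}
    {{- toYaml . | nindent 4 }}
    {{- end }}
spec:
  accessModes:
    - {{ .Values.persistence.accessMode | quote }}
  resources:
    requests:
      storage: {{ .Values.persistence.size | quote }}
  {{- if .Values.persistence.storageClass }}
  {{- if (eq "-" .Values.persistence.storageClass) }}
  storageClassName: ""
  {{- else }}
  storageClassName: "{{ .Values.persistence.storageClass }}"
  {{- end }}
  {{- end }}
  {{- if .Values.persistence.volumeName }}
  volumeName: "{{ .Values.persistence.volumeName }}"
  {{- end }}
{{- end }}
-------------------------------------------------------------------------------- /src/chartmuseum/templates/secret.yaml: --------------------------------------------------------------------------------
{{- if not .Values.env.existingSecret -}}
apiVersion: v1
kind: Secret
metadata:
  name: {{ include "chartmuseum.fullname" .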
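}}
  labels:
    {{- include "chartmuseum.labels" . | nindent 4 }}
    {{- with .Values.secret.labels }}
    {{- toYaml . | nindent 4 }}
    {{- end }}
type: Opaque
{{- /*
One key per non-empty env.secret entry. Values are base64-encoded here
(coerced to a string first, so a numeric-looking password does not break
rendering), except GOOGLE_CREDENTIALS_JSON, which is written as-is and
therefore must already be base64-encoded in values.
*/}}
data:
  {{- range $name, $value := .Values.env.secret }}
  {{- if not (empty $value) }}
  {{- if eq $name "GOOGLE_CREDENTIALS_JSON" }}
  {{ $name }}: {{ $value }}
  {{- else }}
  {{ $name }}: {{ $value | toString | b64enc }}
  {{- end }}
  {{- end }}
  {{- end }}
{{- end }}
-------------------------------------------------------------------------------- /src/chartmuseum/templates/service.yaml: --------------------------------------------------------------------------------
{{- /*
Service in front of the chartmuseum pods. The LoadBalancer-only fields
(loadBalancerIP, loadBalancerSourceRanges) and the NodePort-only field
(nodePort) are rendered only for the matching service.type.
*/}}
apiVersion: v1
kind: Service
metadata:
  name: {{ .Values.service.servicename | default (include "chartmuseum.fullname" .) }}
  {{- with .Values.service.annotations }}
  annotations:
    {{- toYaml . | nindent 4 }}
  {{- end }}
  labels:
    {{- include "chartmuseum.labels" . | nindent 4 }}
    {{- with .Values.service.labels }}
    {{- toYaml . | nindent 4 }}
    {{- end }}
spec:
  type: {{ .Values.service.type }}
  {{- if (or (eq .Values.service.type "LoadBalancer") (and (eq .Values.service.type "NodePort") (not (empty .Values.service.nodePort)))) }}
  externalTrafficPolicy: {{ .Values.service.externalTrafficPolicy }}
  {{- end }}
  {{- if (and (eq .Values.service.type "LoadBalancer") .Values.service.loadBalancerIP) }}
  loadBalancerIP: {{ .Values.service.loadBalancerIP }}
  {{- end }}
  {{- /* CIDR allow-list for the cloud load balancer; empty means no restriction is set by this chart. */}}
  {{- if (and (eq .Values.service.type "LoadBalancer") .Values.service.loadBalancerSourceRanges) }}
  loadBalancerSourceRanges:
  {{- with .Values.service.loadBalancerSourceRanges }}
{{ toYaml .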
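| indent 2 }}
  {{- end }}
  {{- end }}
  {{- if eq .Values.service.type "ClusterIP" }}
  {{- if .Values.service.clusterIP }}
  clusterIP: {{ .Values.service.clusterIP }}
  {{- end }}
  {{- end }}
  {{- /*
  A single TCP port. targetPort defaults to the container's named `http`
  port; a named port from a sidecar can be substituted via
  service.targetPort (see the sidecar example in values.yaml).
  */}}
  ports:
    - port: {{ .Values.service.externalPort }}
      {{- if (and (eq .Values.service.type "NodePort") (not (empty .Values.service.nodePort))) }}
      nodePort: {{ .Values.service.nodePort }}
      {{- end }}
      {{- if .Values.service.targetPort }}
      targetPort: {{ .Values.service.targetPort }}
      name: {{ .Values.service.targetPort }}
      {{- else }}
      targetPort: http
      name: http
      {{- end }}
      protocol: TCP

  selector:
    {{- include "chartmuseum.selectorLabels" . | nindent 4 }}
-------------------------------------------------------------------------------- /src/chartmuseum/templates/serviceaccount.yaml: --------------------------------------------------------------------------------
{{- /*
ServiceAccount, created only when serviceAccount.create is true; otherwise
the Deployment references an existing account via
chartmuseum.serviceAccountName. Token automounting is controlled on the
pod (serviceAccount.automountServiceAccountToken), not here.
*/}}
{{- if .Values.serviceAccount.create -}}
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: {{ include "chartmuseum.serviceAccountName" . }}
  {{- with .Values.serviceAccount.annotations }}
  annotations:
    {{- toYaml . | nindent 4 }}
  {{- end }}
  labels:
    {{- include "chartmuseum.labels" . | nindent 4 }}
{{- end }}
-------------------------------------------------------------------------------- /src/chartmuseum/templates/servicemonitor.yaml: --------------------------------------------------------------------------------
{{- /*
Prometheus Operator ServiceMonitor; rendered only when the
monitoring.coreos.com/v1 API exists in the cluster and
serviceMonitor.enabled is set.
*/}}
{{- if and ( .Capabilities.APIVersions.Has "monitoring.coreos.com/v1" ) ( .Values.serviceMonitor.enabled ) }}
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
  name: {{ include "chartmuseum.fullname" . }}
  namespace: {{ .Values.serviceMonitor.namespace | default .Release.Namespace }}
  labels:
    {{- include "chartmuseum.labels" . | nindent 4 }}
    {{- with .Values.serviceMonitor.labels }}
    {{- toYaml .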
| nindent 4 }} 11 | {{- end }} 12 | spec: 13 | endpoints: 14 | - targetPort: 8080 15 | {{- if .Values.serviceMonitor.interval }} 16 | interval: {{ .Values.serviceMonitor.interval }} 17 | {{- end }} 18 | {{- if .Values.serviceMonitor.metricsPath }} 19 | path: {{ .Values.serviceMonitor.metricsPath }} 20 | {{- end }} 21 | {{- if .Values.serviceMonitor.timeout }} 22 | scrapeTimeout: {{ .Values.serviceMonitor.timeout }} 23 | {{- end }} 24 | jobLabel: {{ include "chartmuseum.fullname" . }} 25 | namespaceSelector: 26 | matchNames: 27 | - {{ .Release.Namespace }} 28 | selector: 29 | matchLabels: 30 | {{- include "chartmuseum.selectorLabels" . | nindent 6 }} 31 | {{- end }} 32 | -------------------------------------------------------------------------------- /src/chartmuseum/values.yaml: -------------------------------------------------------------------------------- 1 | extraArgs: [] 2 | # - --storage-timestamp-tolerance 1s 3 | replicaCount: 1 4 | strategy: 5 | type: RollingUpdate 6 | image: 7 | repository: ghcr.io/helm/chartmuseum 8 | tag: v0.16.3 9 | pullPolicy: IfNotPresent 10 | secret: 11 | labels: {} 12 | ## Labels to apply to all resources 13 | ## 14 | commonLabels: {} 15 | # team_name: dev 16 | env: 17 | open: 18 | # storage backend, can be one of: local, alibaba, amazon, google, microsoft, oracle 19 | STORAGE: local 20 | # oss bucket to store charts for alibaba storage backend 21 | STORAGE_ALIBABA_BUCKET: 22 | # prefix to store charts for alibaba storage backend 23 | STORAGE_ALIBABA_PREFIX: 24 | # oss endpoint to store charts for alibaba storage backend 25 | STORAGE_ALIBABA_ENDPOINT: 26 | # server side encryption algorithm for alibaba storage backend, can be one 27 | # of: AES256 or KMS 28 | STORAGE_ALIBABA_SSE: 29 | # s3 bucket to store charts for amazon storage backend 30 | STORAGE_AMAZON_BUCKET: 31 | # prefix to store charts for amazon storage backend 32 | STORAGE_AMAZON_PREFIX: 33 | # region of s3 bucket to store charts 34 | STORAGE_AMAZON_REGION: 35 | # 
alternative s3 endpoint 36 | STORAGE_AMAZON_ENDPOINT: 37 | # server side encryption algorithm 38 | STORAGE_AMAZON_SSE: 39 | # gcs bucket to store charts for google storage backend 40 | STORAGE_GOOGLE_BUCKET: 41 | # prefix to store charts for google storage backend 42 | STORAGE_GOOGLE_PREFIX: 43 | # container to store charts for microsoft storage backend 44 | STORAGE_MICROSOFT_CONTAINER: 45 | # prefix to store charts for microsoft storage backend 46 | STORAGE_MICROSOFT_PREFIX: 47 | # container to store charts for openstack storage backend 48 | STORAGE_OPENSTACK_CONTAINER: 49 | # prefix to store charts for openstack storage backend 50 | STORAGE_OPENSTACK_PREFIX: 51 | # region of openstack container 52 | STORAGE_OPENSTACK_REGION: 53 | # path to a CA cert bundle for your openstack endpoint 54 | STORAGE_OPENSTACK_CACERT: 55 | # compartment id for for oracle storage backend 56 | STORAGE_ORACLE_COMPARTMENTID: 57 | # oci bucket to store charts for oracle storage backend 58 | STORAGE_ORACLE_BUCKET: 59 | # prefix to store charts for oracle storage backend 60 | STORAGE_ORACLE_PREFIX: 61 | # form field which will be queried for the chart file content 62 | CHART_POST_FORM_FIELD_NAME: chart 63 | # form field which will be queried for the provenance file content 64 | PROV_POST_FORM_FIELD_NAME: prov 65 | # levels of nested repos for multitenancy. 
The default depth is 0 (singletenant server) 66 | DEPTH: 0 67 | # show debug messages 68 | DEBUG: false 69 | # output structured logs as json 70 | LOG_JSON: true 71 | # disable use of index-cache.yaml 72 | DISABLE_STATEFILES: false 73 | # enable Prometheus metrics 74 | ENABLE_METRICS: false 75 | # disable all routes prefixed with /api 76 | DISABLE_API: true 77 | # allow chart versions to be re-uploaded 78 | ALLOW_OVERWRITE: false 79 | # absolute url for .tgzs in index.yaml 80 | CHART_URL: 81 | # allow anonymous GET operations when auth is used 82 | AUTH_ANONYMOUS_GET: false 83 | # sets the base context path 84 | CONTEXT_PATH: 85 | # parallel scan limit for the repo indexer 86 | INDEX_LIMIT: 0 87 | # cache store, can be one of: redis (leave blank for inmemory cache) 88 | CACHE: 89 | # address of Redis service (host:port) 90 | CACHE_REDIS_ADDR: 91 | # Redis database to be selected after connect 92 | CACHE_REDIS_DB: 0 93 | # enable bearer auth 94 | BEARER_AUTH: false 95 | # auth realm used for bearer auth 96 | AUTH_REALM: 97 | # auth service used for bearer auth 98 | AUTH_SERVICE: 99 | field: {} 100 | # POD_IP: status.podIP 101 | secret: 102 | # username for basic http authentication 103 | BASIC_AUTH_USER: 104 | # password for basic http authentication 105 | BASIC_AUTH_PASS: 106 | # GCP service account json file 107 | GOOGLE_CREDENTIALS_JSON: 108 | # Redis requirepass server configuration 109 | CACHE_REDIS_PASSWORD: 110 | # Name of an existing secret to get the secret values ftom 111 | existingSecret: 112 | # Stores Enviromnt Variable to secret key name mappings 113 | existingSecretMappings: 114 | # username for basic http authentication 115 | BASIC_AUTH_USER: 116 | # password for basic http authentication 117 | BASIC_AUTH_PASS: 118 | # GCP service account json file 119 | GOOGLE_CREDENTIALS_JSON: 120 | # Redis requirepass server configuration 121 | CACHE_REDIS_PASSWORD: 122 | 123 | ## Use an alternate scheduler, e.g. "stork". 
124 | ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ 125 | ## 126 | # schedulerName: 127 | 128 | deployment: 129 | ## Chartmuseum Deployment annotations 130 | annotations: {} 131 | # name: value 132 | labels: {} 133 | # name: value 134 | # additional volumes 135 | extraVolumes: [] 136 | # - name: nginx-config 137 | # secret: 138 | # secretName: nginx-config 139 | # additional volumes to mount 140 | extraVolumeMounts: [] 141 | ## sidecarContainers for the Chartmuseum 142 | # Can be used to add a proxy to the pod that does 143 | # scanning for secrets, signing, authentication, validation 144 | # of the chart's content, send notifications... 145 | sidecarContainers: {} 146 | ## Example sidecarContainer which uses an extraVolume from above and 147 | ## a named port that can be referenced in the service as targetPort. 148 | # proxy: 149 | # image: nginx:latest 150 | # ports: 151 | # - name: proxy 152 | # containerPort: 8081 153 | # volumeMounts: 154 | # - name: nginx-config 155 | # readOnly: true 156 | # mountPath: /etc/nginx 157 | 158 | ## Pod annotations 159 | ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ 160 | ## Read more about kube2iam to provide access to s3 https://github.com/jtblin/kube2iam 161 | ## 162 | podAnnotations: {} 163 | # iam.amazonaws.com/role: role-arn 164 | 165 | ## Pod labels 166 | ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ 167 | podLabels: {} 168 | # name: value 169 | 170 | service: 171 | servicename: 172 | type: ClusterIP 173 | externalTrafficPolicy: Local 174 | ## Uses pre-assigned IP address from cloud provider 175 | ## Only valid if service.type: LoadBalancer 176 | loadBalancerIP: 177 | ## Limits which cidr blocks can connect to service's load balancer 178 | ## Only valid if service.type: LoadBalancer 179 | loadBalancerSourceRanges: [] 180 | # clusterIP: None 181 | externalPort: 8080 182 | ## targetPort of the container 
to use. If a sidecar should handle the 183 | ## requests first, use the named port from the sidecar. See sidecar example 184 | ## from deployment above. Leave empty to use chartmuseum directly. 185 | targetPort: 186 | nodePort: 187 | annotations: {} 188 | labels: {} 189 | 190 | serviceMonitor: 191 | enabled: false 192 | # namespace: prometheus 193 | labels: {} 194 | metricsPath: "/metrics" 195 | # timeout: 60 196 | # interval: 60 197 | 198 | resources: {} 199 | # limits: 200 | # cpu: 100m 201 | # memory: 128Mi 202 | # requests: 203 | # cpu: 80m 204 | # memory: 64Mi 205 | 206 | probes: 207 | liveness: 208 | initialDelaySeconds: 5 209 | periodSeconds: 10 210 | timeoutSeconds: 1 211 | successThreshold: 1 212 | failureThreshold: 3 213 | livenessHttpGetConfig: 214 | scheme: HTTP 215 | readiness: 216 | initialDelaySeconds: 5 217 | periodSeconds: 10 218 | timeoutSeconds: 1 219 | successThreshold: 1 220 | failureThreshold: 3 221 | readinessHttpGetConfig: 222 | scheme: HTTP 223 | 224 | serviceAccount: 225 | create: false 226 | name: "" 227 | automountServiceAccountToken: false 228 | ## Annotations for the Service Account 229 | annotations: {} 230 | 231 | # UID/GID 1000 is the default user "chartmuseum" used in 232 | # the container image starting in v0.8.0 and above. This 233 | # is required for local persistent storage. 
# If your cluster
# does not allow this, try setting securityContext: {}
#
# When enabled, fsGroup is applied at pod level (templates/deployment.yaml).
# When disabled and persistence is enabled, ownership of persistence.path is
# fixed by a volume-permissions init container instead (see volumePermissions
# below).
securityContext:
  enabled: true
  fsGroup: 1000
  ## Optionally, specify supplementalGroups and/or
  ## runAsNonRoot for security purposes
  # runAsNonRoot: true
  # supplementalGroups: [1000]

## Container-level securityContext, passed verbatim (toYaml) to the
## chartmuseum container AND to the volume-permissions init container.
## Empty by default, i.e. no hardening beyond the image defaults. Anything
## restrictive placed here (e.g. a non-root user) also constrains the init
## container's `chown`, so confirm the combination renders a pod that starts.
containerSecurityContext: {}

priorityClassName: ""

nodeSelector: {}

tolerations: []

affinity: {}

persistence:
  enabled: false
  accessMode: ReadWriteOnce
  size: 8Gi
  labels: {}
    # name: value
  # Mount path of the storage volume; with STORAGE=local it is also passed
  # as --storage-local-rootdir.
  path: /storage
  ## A manually managed Persistent Volume and Claim
  ## Requires persistence.enabled: true
  ## If defined, PVC must be created manually before volume will be bound
  # existingClaim:

  ## Chartmuseum data Persistent Volume Storage Class
  ## If defined, storageClassName:
  ## If set to "-", storageClassName: "", which disables dynamic provisioning
  ## If undefined (the default) or set to null, no storageClassName spec is
  ## set, choosing the default provisioner. (gp2 on AWS, standard on
  ## GKE, AWS & OpenStack)
  ##
  # storageClass: "-"
  # volumeName:
  ## Optional NFS-backed PersistentVolume (templates/pv.yaml). The export is
  ## the chart repository's backing store, so it needs the same trust as the
  ## cluster.
  pv:
    enabled: false
    pvname:
    capacity:
      storage: 8Gi
    accessMode: ReadWriteOnce
    nfs:
      server:
      path:

## Init containers parameters:
## volumePermissions: Change the owner of the persistent volume mountpoint to RunAsUser:fsGroup
## Only used when securityContext.enabled is false and persistence.enabled is true.
## The image is referenced by a mutable tag and pulled with pullPolicy: Always,
## so what runs is whatever that tag currently points to; pin a specific tag
## or digest if the init container must be reproducible.
##
volumePermissions:
  image:
    registry: docker.io
    repository: bitnami/minideb
    tag: buster
    pullPolicy: Always
    ## Optionally specify an array of imagePullSecrets.
    ## Secrets must be manually created in the namespace.
    ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
    ##
    # pullSecrets:
    #   - myRegistryKeySecretName

## Ingress for load balancer
ingress:
  enabled: false
  pathType: "ImplementationSpecific"
  ## Chartmuseum Ingress labels
  ##
  labels: {}
    # dns: "route53"

  ## Chartmuseum Ingress annotations
  ##
  annotations: {}
    # kubernetes.io/ingress.class: nginx
    # kubernetes.io/tls-acme: "true"

  ## Chartmuseum Ingress hostnames
  ## Must be provided if Ingress is enabled
  ## Hosts without tls: true get no TLS entry from this chart.
  ##
  hosts: []
    # - name: chartmuseum.domain1.com
    #   path: /
    #   tls: false
    # - name: chartmuseum.domain2.com
    #   path: /
    #
    #   ## Set this to true in order to enable TLS on the ingress record
    #   tls: true
    #
    #   ## If TLS is set to true, you must declare what secret will store the key/certificate for TLS
    #   ## Secrets must be added manually to the namespace
    #   tlsSecret: chartmuseum.domain2-tls

  # For Kubernetes >= 1.18 you should specify the ingress-controller via the field ingressClassName
  # See https://kubernetes.io/blog/2020/04/02/improvements-to-the-ingress-api-in-kubernetes-1.18/#specifying-the-class-of-an-ingress
  ingressClassName:

# Putting the GCP service account JSON into chart values is not a great option,
# so if you want to use an existing secret that contains the json file, you can
# use the following entries. The selected key is mounted read-only at
# /etc/secrets/google/credentials.json and exposed via GOOGLE_APPLICATION_CREDENTIALS.
gcp:
  secret:
    enabled: false
    # Name of the secret that contains the encoded json
    name:
    # Secret key that holds the json value.
    key: credentials.json
# Existing secret with the OCI config and private key; both keys are mounted
# read-only under /home/chartmuseum/.oci (as `config` and `oci.key`).
oracle:
  secret:
    enabled: false
    # Name of the secret that contains the encoded config and key
    name:
    # Secret key that holds the oci config
    config: config
    # Secret key that holds the oci private key
    key_file: key_file
# Bearer auth: the Secret is mounted read-only at /var/keys and AUTH_CERT_PATH
# is set to /var/keys/public-key.pem, so the Secret must contain a key named
# `public-key.pem` (the mount has no `items` mapping).
bearerAuth:
  secret:
    enabled: false
    publicKeySecret: chartmuseum-public-key
--------------------------------------------------------------------------------