Configuring custom Helm chart repositories

You can install Helm charts on an OKD cluster using the following methods:

  • The CLI.

  • The Developer perspective of the web console.

The Developer Catalog, in the Developer perspective of the web console, displays the Helm charts available in the cluster. By default, it lists the Helm charts from the Red Hat OpenShift Helm chart repository. For a list of the charts, see the Red Hat Helm index file.

As a cluster administrator, you can add multiple cluster-scoped and namespace-scoped Helm chart repositories, separate from the default cluster-scoped Helm repository, and display the Helm charts from these repositories in the Developer Catalog.

As a regular user or project member with the appropriate role-based access control (RBAC) permissions, you can add multiple namespace-scoped Helm chart repositories, apart from the default cluster-scoped Helm repository, and display the Helm charts from these repositories in the Developer Catalog.

In the Developer perspective of the web console, you can use the Helm page to:

  • Create Helm Releases and Repositories using the Create button.

  • Create, update, or delete a cluster-scoped or namespace-scoped Helm chart repository.

  • View the list of the existing Helm chart repositories in the Repositories tab, which can also be easily distinguished as either cluster scoped or namespace scoped.

Installing a Helm chart on an OKD cluster

Prerequisites

  • You have a running OKD cluster and you have logged into it.

  • You have installed Helm.

Procedure

  1. Create a new project:

    1. $ oc new-project vault
  2. Add a repository of Helm charts to your local Helm client:

    1. $ helm repo add openshift-helm-charts https://charts.openshift.io/

    Example output

    1. "openshift-helm-charts" has been added to your repositories
  3. Update the repository:

    1. $ helm repo update
  4. Install an example HashiCorp Vault:

    1. $ helm install example-vault openshift-helm-charts/hashicorp-vault

    Example output

    1. NAME: example-vault
    2. LAST DEPLOYED: Fri Mar 11 12:02:12 2022
    3. NAMESPACE: vault
    4. STATUS: deployed
    5. REVISION: 1
    6. NOTES:
    7. Thank you for installing HashiCorp Vault!
  5. Verify that the chart has installed successfully:

    1. $ helm list

    Example output

    1. NAME NAMESPACE REVISION UPDATED STATUS CHART APP VERSION
    2. example-vault vault 1 2022-03-11 12:02:12.296226673 +0530 IST deployed vault-0.19.0 1.9.2

Installing Helm charts using the Developer perspective

You can use either the Developer perspective in the web console or the CLI to select and install a chart from the Helm charts listed in the Developer Catalog. You can create Helm releases by installing Helm charts and see them in the Developer perspective of the web console.

Prerequisites

Procedure

To create Helm releases from the Helm charts provided in the Developer Catalog:

  1. In the Developer perspective, navigate to the +Add view and select a project. Then click Helm Chart option to see all the Helm Charts in the Developer Catalog.

  2. Select a chart and read the description, README, and other details about the chart.

  3. Click Install Helm Chart.

    odc helm chart devcatalog

    Figure 1. Helm charts in developer catalog

  4. In the Install Helm Chart page:

    1. Enter a unique name for the release in the Release Name field.

    2. Select the required chart version from the Chart Version drop-down list.

    3. Configure your Helm chart by using the Form View or the YAML View.

      Where available, you can switch between the YAML View and Form View. The data is persisted when switching between the views.

    4. Click Install to create a Helm release. You will be redirected to the Topology view where the release is displayed. If the Helm chart has release notes, the chart is pre-selected and the right panel displays the release notes for that release.

    5. View the newly created Helm release in the Helm Releases page.

You can upgrade, rollback, or uninstall a Helm release by using the Actions button on the side panel or by right-clicking a Helm release.

Using Helm in the web terminal

You can use Helm by initializing the web terminal in the Developer perspective of the web console. For more information, see Using the web terminal.

Creating a custom Helm chart on OKD

Procedure

  1. Create a new project:

    1. $ oc new-project nodejs-ex-k
  2. Download an example Node.js chart that contains OKD objects:

    1. $ git clone https://github.com/redhat-developer/redhat-helm-charts
  3. Go to the directory with the sample chart:

    1. $ cd redhat-helm-charts/alpha/nodejs-ex-k/
  4. Edit the Chart.yaml file and add a description of your chart:

    1. apiVersion: v2 (1)
    2. name: nodejs-ex-k (2)
    3. description: A Helm chart for OpenShift (3)
    4. icon: https://static.redhat.com/libs/redhat/brand-assets/latest/corp/logo.svg (4)
    5. version: 0.2.1 (5)
    1The chart API version. It should be v2 for Helm charts that require at least Helm 3.
    2The name of your chart.
    3The description of your chart.
    4The URL to an image to be used as an icon.
    5The Version of your chart as per the Semantic Versioning (SemVer) 2.0.0 Specification.
  5. Verify that the chart is formatted properly:

    1. $ helm lint

    Example output

    1. [INFO] Chart.yaml: icon is recommended
    2. 1 chart(s) linted, 0 chart(s) failed
  6. Navigate to the previous directory level:

    1. $ cd ..
  7. Install the chart:

    1. $ helm install nodejs-chart nodejs-ex-k
  8. Verify that the chart has installed successfully:

    1. $ helm list

    Example output

    1. NAME NAMESPACE REVISION UPDATED STATUS CHART APP VERSION
    2. nodejs-chart nodejs-ex-k 1 2019-12-05 15:06:51.379134163 -0500 EST deployed nodejs-0.1.0 1.16.0

Adding custom Helm chart repositories

As a cluster administrator, you can add custom Helm chart repositories to your cluster and enable access to the Helm charts from these repositories in the Developer Catalog.

Procedure

  1. To add a new Helm Chart Repository, you must add the Helm Chart Repository custom resource (CR) to your cluster.

    Sample Helm Chart Repository CR

    1. apiVersion: helm.openshift.io/v1beta1
    2. kind: HelmChartRepository
    3. metadata:
    4. name: <name>
    5. spec:
    6. # optional name that might be used by console
    7. # name: <chart-display-name>
    8. connectionConfig:
    9. url: <helm-chart-repository-url>

    For example, to add an Azure sample chart repository, run:

    1. $ cat <<EOF | oc apply -f -
    2. apiVersion: helm.openshift.io/v1beta1
    3. kind: HelmChartRepository
    4. metadata:
    5. name: azure-sample-repo
    6. spec:
    7. name: azure-sample-repo
    8. connectionConfig:
    9. url: https://raw.githubusercontent.com/Azure-Samples/helm-charts/master/docs
    10. EOF
  2. Navigate to the Developer Catalog in the web console to verify that the Helm charts from the chart repository are displayed.

    For example, use the Chart repositories filter to search for a Helm chart from the repository.

    odc helm chart repo filter

    Figure 2. Chart repositories filter

    If a cluster administrator removes all of the chart repositories, then you cannot view the Helm option in the +Add view, Developer Catalog, and left navigation panel.

Adding namespace-scoped custom Helm chart repositories

The cluster-scoped HelmChartRepository custom resource definition (CRD) for Helm repository provides the ability for administrators to add Helm repositories as custom resources. The namespace-scoped ProjectHelmChartRepository CRD allows project members with the appropriate role-based access control (RBAC) permissions to create Helm repository resources of their choice but scoped to their namespace. Such project members can see charts from both cluster-scoped and namespace-scoped Helm repository resources.

  • Administrators can limit users from creating namespace-scoped Helm repository resources. By limiting users, administrators have the flexibility to control the RBAC through a namespace role instead of a cluster role. This avoids unnecessary permission elevation for the user and prevents access to unauthorized services or applications.

  • The addition of the namespace-scoped Helm repository does not impact the behavior of the existing cluster-scoped Helm repository.

As a regular user or project member with the appropriate RBAC permissions, you can add custom namespace-scoped Helm chart repositories to your cluster and enable access to the Helm charts from these repositories in the Developer Catalog.

Procedure

  1. To add a new namespace-scoped Helm Chart Repository, you must add the Helm Chart Repository custom resource (CR) to your namespace.

    Sample Namespace-scoped Helm Chart Repository CR

    1. apiVersion: helm.openshift.io/v1beta1
    2. kind: ProjectHelmChartRepository
    3. metadata:
    4. name: <name>
    5. spec:
    6. url: https://my.chart-repo.org/stable
    7. # optional name that might be used by console
    8. name: <chart-repo-display-name>
    9. # optional and only needed for UI purposes
    10. description: <My private chart repo>
    11. # required: chart repository URL
    12. connectionConfig:
    13. url: <helm-chart-repository-url>

    For example, to add an Azure sample chart repository scoped to your my-namespace namespace, run:

    1. $ cat <<EOF | oc apply --namespace my-namespace -f -
    2. apiVersion: helm.openshift.io/v1beta1
    3. kind: ProjectHelmChartRepository
    4. metadata:
    5. name: azure-sample-repo
    6. spec:
    7. name: azure-sample-repo
    8. connectionConfig:
    9. url: https://raw.githubusercontent.com/Azure-Samples/helm-charts/master/docs
    10. EOF

    The output verifies that the namespace-scoped Helm Chart Repository CR is created:

    Example output

    1. projecthelmchartrepository.helm.openshift.io/azure-sample-repo created
  2. Navigate to the Developer Catalog in the web console to verify that the Helm charts from the chart repository are displayed in your my-namespace namespace.

    For example, use the Chart repositories filter to search for a Helm chart from the repository.

    odc namespace helm chart repo filter

    Figure 3. Chart repositories filter in your namespace

    Alternatively, run:

    1. $ oc get projecthelmchartrepositories --namespace my-namespace

    Example output

    1. NAME AGE
    2. azure-sample-repo 1m

    If a cluster administrator or a regular user with appropriate RBAC permissions removes all of the chart repositories in a specific namespace, then you cannot view the Helm option in the +Add view, Developer Catalog, and left navigation panel for that specific namespace.

Creating credentials and CA certificates to add Helm chart repositories

Some Helm chart repositories need credentials and custom certificate authority (CA) certificates to connect to it. You can use the web console as well as the CLI to add credentials and certificates.

Procedure

To configure the credentials and certificates, and then add a Helm chart repository using the CLI:

  1. In the openshift-config namespace, create a ConfigMap object with a custom CA certificate in PEM encoded format, and store it under the ca-bundle.crt key within the config map:

    1. $ oc create configmap helm-ca-cert \
    2. --from-file=ca-bundle.crt=/path/to/certs/ca.crt \
    3. -n openshift-config
  2. In the openshift-config namespace, create a Secret object to add the client TLS configurations:

    1. $ oc create secret tls helm-tls-configs \
    2. --cert=/path/to/certs/client.crt \
    3. --key=/path/to/certs/client.key \
    4. -n openshift-config

    Note that the client certificate and key must be in PEM encoded format and stored under the keys tls.crt and tls.key, respectively.

  3. Add the Helm repository as follows:

    1. $ cat <<EOF | oc apply -f -
    2. apiVersion: helm.openshift.io/v1beta1
    3. kind: HelmChartRepository
    4. metadata:
    5. name: <helm-repository>
    6. spec:
    7. name: <helm-repository>
    8. connectionConfig:
    9. url: <URL for the Helm repository>
    10. tlsConfig:
    11. name: helm-tls-configs
    12. ca:
    13. name: helm-ca-cert
    14. EOF

    The ConfigMap and Secret are consumed in the HelmChartRepository CR using the tlsConfig and ca fields. These certificates are used to connect to the Helm repository URL.

  4. By default, all authenticated users have access to all configured charts. However, for chart repositories where certificates are needed, you must provide users with read access to the helm-ca-cert config map and helm-tls-configs secret in the openshift-config namespace, as follows:

    1. $ cat <<EOF | kubectl apply -f -
    2. apiVersion: rbac.authorization.k8s.io/v1
    3. kind: Role
    4. metadata:
    5. namespace: openshift-config
    6. name: helm-chartrepos-tls-conf-viewer
    7. rules:
    8. - apiGroups: [""]
    9. resources: ["configmaps"]
    10. resourceNames: ["helm-ca-cert"]
    11. verbs: ["get"]
    12. - apiGroups: [""]
    13. resources: ["secrets"]
    14. resourceNames: ["helm-tls-configs"]
    15. verbs: ["get"]
    16. ---
    17. kind: RoleBinding
    18. apiVersion: rbac.authorization.k8s.io/v1
    19. metadata:
    20. namespace: openshift-config
    21. name: helm-chartrepos-tls-conf-viewer
    22. subjects:
    23. - kind: Group
    24. apiGroup: rbac.authorization.k8s.io
    25. name: 'system:authenticated'
    26. roleRef:
    27. apiGroup: rbac.authorization.k8s.io
    28. kind: Role
    29. name: helm-chartrepos-tls-conf-viewer
    30. EOF

Filtering Helm Charts by their certification level

You can filter Helm charts based on their certification level in the Developer Catalog.

Procedure

  1. In the Developer perspective, navigate to the +Add view and select a project.

  2. From the Developer Catalog tile, select the Helm Chart option to see all the Helm charts in the Developer Catalog.

  3. Use the filters to the left of the list of Helm charts to filter the required charts:

    • Use the Chart Repositories filter to filter charts provided by Red Hat Certification Charts or OpenShift Helm Charts.

    • Use the Source filter to filter charts sourced from Partners, Community, or Red Hat. Certified charts are indicated with the (odc verified icon) icon.

The Source filter will not be visible when there is only one provider type.

You can now select the required chart and install it.

Disabling Helm Chart repositories

You can disable Helm Charts from a particular Helm Chart Repository in the catalog by setting the disabled property in the HelmChartRepository custom resource to true.

Procedure

  • To disable a Helm Chart repository by using CLI, add the disabled: true flag to the custom resource. For example, to remove an Azure sample chart repository, run:

    1. $ cat <<EOF | oc apply -f -
    2. apiVersion: helm.openshift.io/v1beta1
    3. kind: HelmChartRepository
    4. metadata:
    5. name: azure-sample-repo
    6. spec:
    7. connectionConfig:
    8. url:https://raw.githubusercontent.com/Azure-Samples/helm-charts/master/docs
    9. disabled: true
    10. EOF
  • To disable a recently added Helm Chart repository by using Web Console:

    1. Go to Custom Resource Definitions and search for the HelmChartRepository custom resource.

    2. Go to Instances, find the repository you want to disable, and click its name.

    3. Go to the YAML tab, add the disabled: true flag in the spec section, and click Save.

      Example

      1. spec:
      2. connectionConfig:
      3. url: <url-of-the-repositoru-to-be-disabled>
      4. disabled: true

      The repository is now disabled and will not appear in the catalog.