Skip to main content
Version: v1alpha5

Private Helm

Holos supports private Helm repositories accessed with http basic authentication since v0.101.4. Use the following command to update your author and core schemas to support this configuration.

holos init platform v1alpha5 --force

Configuration

Holos uses the Helm SDK and defers to it for authentication to private repositories. Each Helm Generator supports providing http basic authentication credentials from environment variables.

For example, the following BuildPlan causes holos to get the admin username password from the HOLOS_TEST_PASS environment variable.

mkdir -p projects/holos/components/private-chart
cat <<EOF > projects/holos/components/private-chart/private-chart.cue
package holos

holos: Component.BuildPlan

// Test holos can access a private repository with basic auth.
// https://github.com/holos-run/holos/issues/370
Component: #Helm & {
Chart: {
name: "mychart"
version: "0.1.0"
repository: {
name: "holos-test"
url: "https://charts.holos.localhost"
// auth: username: fromEnv: "HOLOS_TEST_USER"
auth: username: value: "admin"
auth: password: fromEnv: "HOLOS_TEST_PASS"
}
}
}
EOF

Verification

Verify holos can access a private Helm repository by setting ChartMuseum up on a Local Cluster. We'll use https with basic auth to authenticate to the chart repository.

Using the bank of holos repository, deploy chart museum:

holos render platform -t ChartMuseum

Apply the manifests:

kubectl apply --server-side=true -f deploy/clusters/workload/projects/holos/components/chart-museum
kubectl apply --server-side=true -f deploy/clusters/workload/projects/network/components/httproutes

Get the admin password:

kubectl get secret -n holos chartmuseum-auth -o json \
| jq --exit-status -r '.data.password | @base64d'

Add a local repo:

helm repo add holos-test https://charts.holos.localhost --username admin
Password:
"holos-test" has been added to your repositories
note

Helm by default stores this password in ~/Library/Preferences/helm/repositories.yaml

Create a chart:

helm create mychart
Creating mychart

Package it up.

helm package mychart
Successfully packaged chart and saved it to: mychart-0.1.0.tgz

Publish it.

curl --user "admin:$(pbpaste)" --data-binary "@mychart-0.1.0.tgz" https://charts.holos.localhost/api/charts
{"saved":true}

Remove all cached charts:

find . -name vendor | xargs rm -rf

Render the chart:

cat <<EOF > test-private-repo.cue
@if(TestPrivateRepo)
package holos

// Test holos can access a private repository with basic auth.
// https://github.com/holos-run/holos/issues/370
Projects: holos: #ProjectBuilder & {
team: "holos-authors"

namespaces: holos: _
_components: "private-chart": _
}
EOF
time holos render platform -t TestPrivateRepo

Check the chart was pulled and cached:

tree ./projects/holos/components/private-chart/vendor
./projects/holos/components/private-chart/vendor
└── 0.1.0
├── mychart
│   ├── Chart.yaml
│   ├── mychart-0.1.0.tgz
│   ├── templates
│   │   ├── NOTES.txt
│   │   ├── _helpers.tpl
│   │   ├── deployment.yaml
│   │   ├── hpa.yaml
│   │   ├── ingress.yaml
│   │   ├── service.yaml
│   │   ├── serviceaccount.yaml
│   │   └── tests
│   │   └── test-connection.yaml
│   └── values.yaml
└── mychart-0.1.0.tgz

6 directories, 11 files