Hosting helm private repository from Github

How to setup private Github repository, instead of maintaining one yourself and spending time on making sure it is properly secured.

Photo by Jon Tyson on Unsplash

Why private helm repositories

Helm is a very useful package manager for Kubernetes. There are a lot of out of the box charts. If you are deploying serious k8s infrastructure chances are you will find yourself in need of creating your own charts. One way to manage custom charts is keeping the sources in some directory. You can then use such chart by referencing the directory. It is simple solution but not without flaws. For me the biggest issues were versioning and tooling requirements. Some tools for automation (like terraform helm_release) simply require chart to be available in repository.

Solutions

Helm repository is just a server hosting packaged chart files and index.yaml file pointing to them. index.yaml also stores some metadata about the repository. We could create simple server hosting such files. Unfortunately we’d have to maintain such server and make sure it properly secured. The easier approach is to actually use Github to host such files.

Github setup

Ok first things first — create private github repository within your organization and then push some files:

We have just created fully functional helm repository. The tricky part is to access it as if it was simple HTTP server hosting raw files. Luckily Github provides such feature via raw.githubusercontent.com. In order for helm to be able to pull files from such repository we need to provide it with Github username and token (Personal Access Token):

Adding new packages to existing repository

If you want to add new package to existing repository simply:

1. Place new package in repository root
2. helm repo index .. This will detect new file and update index.yaml.
3. Commit and push your new package and updated index.yaml
4. helm repo update

Additional security note

It is important to realize where does helm actually store your Github token. It is stored as plain text in ~/.helm/repository/repositories.yaml. Therefore I advise you to generate token with as few permissions as possible.