Hosting a private Helm repository on GitHub
How to set up a private GitHub repository as a Helm repository, instead of maintaining a server yourself and spending time making sure it is properly secured.
Why private Helm repositories
Helm is a very useful package manager for Kubernetes, and there are a lot of charts available out of the box. If you are deploying serious k8s infrastructure, chances are you will find yourself needing to create your own charts. One way to manage custom charts is to keep the sources in a directory and use a chart by referencing that directory. It is a simple solution, but not without flaws. For me the biggest issues were versioning and tooling requirements. Some automation tools (like terraform helm_release) simply require the chart to be available in a repository.
Solutions
A Helm repository is just a server hosting packaged chart files and an index.yaml file pointing to them. index.yaml also stores some metadata about the repository. We could create a simple server hosting such files. Unfortunately, we would have to maintain that server and make sure it is properly secured. The easier approach is to use GitHub to host the files.
GitHub setup
OK, first things first: create a private GitHub repository within your organization and then push some files:
We have just created a fully functional Helm repository. The tricky part is accessing it as if it were a simple HTTP server hosting raw files. Luckily, GitHub provides such a feature via raw.githubusercontent.com. For Helm to be able to pull files from such a repository, we need to provide it with a GitHub username and token (Personal Access Token):
Adding new packages to an existing repository
If you want to add a new package to an existing repository, simply:
- Place the new package in the repository root
- Run helm repo index . to detect the new file and update index.yaml
- Commit and push your new package and the updated index.yaml
- Run helm repo update
Additional security note
It is important to realize where Helm actually stores your GitHub token: it is kept as plain text in ~/.helm/repository/repositories.yaml. Therefore I advise you to generate a token with as few permissions as possible.
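One way to check the exposure described above is to audit the repositories file for stored passwords and for permissions wider than the owner. This is an added example, not code from the original post. The function names are hypothetical, and the file layout (a list of entries with name and password keys) and the sample values are assumptions constructed for illustration.

```shell
# Added example: audit a Helm repositories file for stored plaintext passwords.
# Print the name of every repository entry that has a non-empty password field.
repos_with_password() {
    awk '
        function val(line) {   # text after "key:", surrounding double quotes removed
            sub(/^[^:]*:[ \t]*/, "", line); gsub(/^"|"$/, "", line); return line
        }
        function emit() { if (name != "" && pw != "") print name; name = pw = "" }
        /^[ \t]*- /        { emit(); sub(/^[ \t]*- /, "") }   # start of a list entry
        /^[ \t]*name:/     { name = val($0) }
        /^[ \t]*password:/ { pw = val($0) }
        END                { emit() }
    ' "$1"
}

# Succeed only when group and others have no permission bits on the file.
is_owner_only() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Exit status: 0 = no stored passwords, 1 = stored in an owner-only file,
# 2 = stored and accessible beyond the owner, 3 = file not readable.
audit_helm_repos() {
    file=${1:-$HOME/.helm/repository/repositories.yaml}   # path given in the article
    [ -r "$file" ] || { echo "cannot read $file"; return 3; }
    repos=$(repos_with_password "$file")
    [ -z "$repos" ] && return 0
    echo "$repos" | sed 's/^/plaintext password stored for repo: /'
    is_owner_only "$file" && return 1
    echo "$file is accessible to group/others; consider: chmod 600 $file"
    return 2
}

# Constructed sample input (placeholder values, assumed file layout).
sample=$(mktemp)
cat > "$sample" <<'EOF'
repositories:
- name: my-charts
  password: EXAMPLE_TOKEN_PLACEHOLDER
  url: https://raw.githubusercontent.com/example-org/helm-charts/master/
- name: public-charts
  password: ""
EOF
chmod 644 "$sample"
audit_helm_repos "$sample" || echo "audit exit status: $?"
rm -f "$sample"
```

Called without an argument, audit_helm_repos inspects the path named in the security note.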