Setting up secure helm chart repository on Azure Blob Storage

Categories: Kubernetes

Helm chart repositories support only basic authentication at the time of writing this article. There is, though, another and perhaps simpler way as of helm 2.7.0: using Azure Blob Storage you can easily make your helm repository private.

Requirements

  • Time: ~10 minutes
  • Helm Package Manager 2.7.0-rc1 or later
  • Microsoft Azure account with at least the permissions to create an Azure storage account
  • Azure CLI, tested on 2.0.19 Darwin
  • A helm chart that you can upload to the cloud

Summary

  1. Create an Azure storage account in one of your resource groups
  2. Add a blob storage container to the storage account and set its access level to private
  3. Go to Storage account -> Shared Access Signature and generate read-only credentials for helm users
  4. The url to your repository will be: https://[azure_storage_name].blob.core.windows.net/[container_name]/?[sas_key]

Step by step guide

(optional) Create new resource group

az group create --name helmgroup --location "westeurope"

Create storage account and get account key

az storage account create --resource-group helmgroup --name helmstorage --sku Standard_LRS
export AZURE_STORAGE_ACCOUNT=helmstorage
export AZURE_STORAGE_KEY=$(az storage account keys list --resource-group helmgroup --account-name helmstorage --query '[0].value' -o tsv)

Create blob container

az storage container create --name helm

Upload a helm chart to the repository and index.yaml

In this tutorial I will download a chart from the stable repository and re-upload it to the private Azure repository. However, you can just as easily use helm package to package your own helm chart into a .tgz file.

helm fetch stable/mysql
mkdir azure-helm-repository
cp ~/.helm/cache/archive/mysql-0.3.0.tgz ./azure-helm-repository/
helm repo index ./azure-helm-repository/

The last command creates an index.yaml file inside the azure-helm-repository directory. Now, provided that the environment variables AZURE_STORAGE_ACCOUNT and AZURE_STORAGE_KEY are still set, you can upload both files to your Azure storage container using the Azure CLI:

az storage blob upload -f ./azure-helm-repository/mysql-0.3.0.tgz -c helm -n mysql-0.3.0.tgz
az storage blob upload -f ./azure-helm-repository/index.yaml -c helm -n index.yaml

Get a SAS token for read-only access to the container

az storage container generate-sas --name helm --expiry 2020-01-01 --permissions lr

The result is the SAS token that needs to be appended to the helm repository URL:

"se=2020-01-01&sp=rl&sv=2017-04-17&sr=c&sig=3orAGQzVY9lSRlqFxHik0knAWQrFbdvctCwCR11OFw4%3D"

Test helm repository using generated SAS key

The helm repository URL is:

https://[azure_storage_name].blob.core.windows.net/[container_name]/?[sas_key]

WARNING! The trailing slash right before the query string is very important!

The generated SAS key must be escaped (when pasted into bash) and appended to the Azure Blob Storage container URL so that users are authenticated by Azure.

helm repo add azure https://helmstorage.blob.core.windows.net/helm/\?se\=2020-01-01\&sp\=rl\&sv\=2017-04-17\&sr\=c\&sig\=3orAGQzVY9lSRlqFxHik0knAWQrFbdvctCwCR11OFw4%3D
helm search azure

As a result you should see

NAME                            VERSION DESCRIPTION
azure/mysql                     0.3.0   Fast, reliable, scalable, and easy to use open-...
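The steps above are typed one by one; the following added example (not part of the original post) wraps the client side in a small bash script. It builds the repository URL with the mandatory trailing slash, refuses a SAS token whose sp= permissions go beyond list and read or whose se= expiry has already passed, and passes the URL to helm repo add as a quoted variable so the backslash escaping above is not needed. The account name, container name and sample token are the tutorial's values and are used here only as constructed test input; the checks assume the raw token format printed by az storage container generate-sas.

```bash
#!/usr/bin/env bash
# Added example, not from the original post. Helpers that sanity-check a
# read-only SAS token before registering a private Azure Blob helm repository.

# Sample token printed by the tutorial's generate-sas step (constructed test
# input; it is not a live credential).
SAMPLE_SAS='se=2020-01-01&sp=rl&sv=2017-04-17&sr=c&sig=3orAGQzVY9lSRlqFxHik0knAWQrFbdvctCwCR11OFw4%3D'

# Build the repository URL. The slash before '?' is emitted explicitly because
# helm will not find index.yaml without it.
helm_repo_url() {
  local account="$1" container="$2" sas="$3"
  printf 'https://%s.blob.core.windows.net/%s/?%s\n' "$account" "$container" "$sas"
}

# Print the value of one query-string parameter (sp, se, ...) of a SAS token.
# '^sp=' does not match 'spr=', so the protocol parameter cannot be confused
# with the permissions parameter.
sas_param() {
  local sas="$1" key="$2"
  printf '%s\n' "$sas" | tr '&' '\n' | sed -n "s/^${key}=//p"
}

# Succeed only if sp= grants nothing beyond list (l) and read (r). Any other
# letter (w, d, c, a) would let every holder of the URL modify the repository.
sas_is_readonly() {
  local perms
  perms=$(sas_param "$1" sp)
  [ -n "$perms" ] && [ -z "$(printf '%s' "$perms" | tr -d 'lr')" ]
}

# Succeed only if the se= expiry date is later than today (UTC). Dates are
# compared as YYYYMMDD integers so this works in plain POSIX test.
sas_not_expired() {
  local expiry expiry_num today_num
  expiry=$(sas_param "$1" se | cut -c1-10)   # keep the YYYY-MM-DD prefix
  [ -n "$expiry" ] || return 1
  expiry_num=$(printf '%s' "$expiry" | tr -d '-')
  today_num=$(date -u +%Y%m%d)
  [ "$expiry_num" -gt "$today_num" ]
}

# Register the repository only if the token passes both checks. helm stores
# the full URL, token included, in ~/.helm/repository/repositories.yaml, so
# that file should be treated as a credential.
register_private_repo() {
  local account="$1" container="$2" sas="$3" url
  sas_is_readonly "$sas"  || { echo "refusing: SAS grants more than read/list" >&2; return 1; }
  sas_not_expired "$sas"  || { echo "refusing: SAS token has expired" >&2; return 1; }
  url=$(helm_repo_url "$account" "$container" "$sas")
  helm repo add azure "$url"   # quoting the variable avoids backslash escaping
}

# Usage: ./private-helm-repo.sh helmstorage helm "$SAS_TOKEN"
if [ "$#" -eq 3 ]; then
  register_private_repo "$@"
fi
```

Run it as ./private-helm-repo.sh helmstorage helm "$(az storage container generate-sas --name helm --expiry 2020-01-01 --permissions lr -o tsv)"; the tutorial's own token would be rejected today because its expiry date has passed, which is the intended behaviour.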

Done! You have created a secure helm repository that can be used safely to fetch and distribute helm charts within your organization.
