host helm charts in google artifact registry
Google Artifact Registry is great for securely storing and managing container images, but we can do more with its supported formats. One use case is storing your own Helm charts so that you can reuse and share them privately within your company, across different projects, etc.
Let’s see in action how we can store our own Helm chart in Google Artifact Registry!
region=us-east4
project=FIXME
repository=helm
chart=hello-world
# If you don't have your own Helm chart yet, you could create it like this:
helm create $chart
cd $chart
export HELM_EXPERIMENTAL_OCI=1
# Save it in the local registry cache:
helm chart save . $region-docker.pkg.dev/$project/$repository/$chart:v1
helm chart list
# Login to Google Artifact Registry with your user account:
gcloud auth print-access-token | helm registry login -u oauth2accesstoken --password-stdin https://$region-docker.pkg.dev
# Alternatively, if you are using a service account, you could use its JSON key file like this:
cat key.json | helm registry login -u _json_key --password-stdin $region-docker.pkg.dev
# If using a base64 encoded key, use _json_key_base64 instead of _json_key.
# Push the chart there:
helm chart push $region-docker.pkg.dev/$project/$repository/$chart:v1
# Verify the chart is there:
gcloud artifacts docker images list $region-docker.pkg.dev/$project/$repository/$chart
gcloud artifacts docker images describe $region-docker.pkg.dev/$project/$repository/$chart:v1
# Pull the chart back:
helm chart remove $region-docker.pkg.dev/$project/$repository/$chart:v1
helm chart pull $region-docker.pkg.dev/$project/$repository/$chart:v1
helm chart export $region-docker.pkg.dev/$project/$repository/$chart:v1 \
--destination ./install
# From there you could deploy this chart via `helm upgrade|install`...
Wonderful, isn’t it!? But that’s not all…
Now let’s push any file as an Open Container Initiative (OCI) Artifact. For this we need a generic client able to push an OCI-compliant file to the registry. Here comes OCI Registry As Storage (ORAS).
Let’s see it in action by pushing a simple .txt file (I’m using the oras CLI via its public container image, but you could find more options to install it here):
repository=files
# Let's have a file
echo "Here is an artifact!" > artifact.txt
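# And push it to Google Artifact Registry.
# Note: -p puts the access token on the command line, where it is visible in the process list while the command runs.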
docker run -i --rm -v $(pwd):/workspace orasbot/oras push \
$region-docker.pkg.dev/$project/$repository/sample-txt:v1 \
./artifact.txt \
-u oauth2accesstoken \
-p $(gcloud auth print-access-token)
# Verify the file is there:
gcloud artifacts docker images list $region-docker.pkg.dev/$project/$repository/sample-txt
gcloud artifacts docker images describe $region-docker.pkg.dev/$project/$repository/sample-txt:v1
# Pull the file back:
rm artifact.txt
docker run -i --rm -v $(pwd):/workspace orasbot/oras pull \
$region-docker.pkg.dev/$project/$repository/sample-txt:v1 \
-u oauth2accesstoken \
-p $(gcloud auth print-access-token)
cat artifact.txt
You could ask: why are we doing this? Good question. One use case in the cloud native ecosystem is storing and sharing your OPA’s rego files:
repository=regos
# Let's have a rego file:
curl https://raw.githubusercontent.com/mathieu-benoit/mygkecluster/master/policy/container-policies.rego -o ./container-policies.rego
# And push it in Google Artifact Registry:
docker run -i --rm -v $(pwd):/workspace orasbot/oras push \
$region-docker.pkg.dev/$project/$repository/container-policies:v1 \
./container-policies.rego \
-u oauth2accesstoken \
-p $(gcloud auth print-access-token)
# Verify the file is there:
gcloud artifacts docker images list $region-docker.pkg.dev/$project/$repository/container-policies
gcloud artifacts docker images describe $region-docker.pkg.dev/$project/$repository/container-policies:v1
# Pull the file back:
rm container-policies.rego
docker run -i --rm -v $(pwd):/workspace orasbot/oras pull \
$region-docker.pkg.dev/$project/$repository/container-policies:v1 \
-u oauth2accesstoken \
-p $(gcloud auth print-access-token)
cat container-policies.rego
And that’s it! That’s how easily you could securely store and share your OPA’s rego files across your company, teams and projects! ;)
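An added example, not part of the original post: a tag such as `v1` can be re-pointed by anyone with write access unless the repository enforces immutable tags, so a consumer can pull by digest and check the pulled file's SHA-256 before handing it to OPA. The helper names `pinned_ref` and `verify_file` are hypothetical, and `sha256sum` from GNU coreutils is assumed.

```shell
#!/bin/sh
# Added example: helper names are assumptions, not from the post or from ORAS.

# Build a digest-pinned reference: REGION-docker.pkg.dev/PROJECT/REPO/NAME@sha256:<hex>
# $1=region $2=project $3=repository $4=artifact name $5=digest
pinned_ref() {
  case "$5" in
    sha256:*) hex=${5#sha256:} ;;
    *) echo "digest must start with sha256:" >&2; return 1 ;;
  esac
  # Accept exactly 64 lowercase hex characters, nothing else.
  if [ "${#hex}" -ne 64 ] || [ -n "$(printf '%s' "$hex" | tr -d '0-9a-f')" ]; then
    echo "malformed sha256 digest" >&2
    return 1
  fi
  printf '%s-docker.pkg.dev/%s/%s/%s@%s\n' "$1" "$2" "$3" "$4" "$5"
}

# Compare a local file's SHA-256 with the value recorded when it was pushed.
# $1=file $2=expected hex sha256
verify_file() {
  [ -f "$1" ] || { echo "missing file: $1" >&2; return 1; }
  actual=$(sha256sum "$1" | cut -d' ' -f1)
  [ "$actual" = "$2" ] || { echo "sha256 mismatch for $1" >&2; return 1; }
}

# Usage with the flow above (both values are ones you recorded at push time):
#   ref=$(pinned_ref "$region" "$project" regos container-policies "$manifest_digest") &&
#     docker run -i --rm -v "$(pwd)":/workspace orasbot/oras pull "$ref" \
#       -u oauth2accesstoken -p "$(gcloud auth print-access-token)" &&
#     verify_file container-policies.rego "$file_sha256"
```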
Notes:
- There is still an open question about the future of the ORAS project and how it is really maintained
- OCI support with Helm is still in experimental mode
Complementary and further resources:
- Managing your containers with Google Artifact Registry
- Use Google Artifact Registry with Cloud Build and GKE
- OCI Artifacts, Push it all to the registry!
- Sharing Is Caring! Push Your Cloud Application to an OCI Registry
- Managing Cloud Native Artifacts for Large Scale Kubernetes Cluster
- Push and pull Helm charts to ACR
- Push and pull an OCI artifact using ACR
- Pushing an Helm chart to ECR
Hope you enjoyed that one, cheers!