Helm Feeds in Proget

Helm is the package manager for Kubernetes applications. A ProGet package for a Helm feed is known as a chart, which can be used to describe even the most complex application and provide a repeatable, versioned approach to Kubernetes deployments.

This feed type is available starting in ProGet 5.2.

Pre-requisite Configuration

In order to install packages from a ProGet feed using Helm, the ProGet feed must be added to the local list of repositories by running this command:

helm repo add proget http://{proget-server}/helm/{feed-name}

Common Tasks

Installing Helm Charts

To install a chart hosted by ProGet, run the following the commands:

helm repo update
helm install proget/{chart-name}

Creating Helm Charts

A basic Helm chart can be created using the following commands:

helm create {chart-name}
helm package {chart-name}

The create command will create a template/skeleton chart which can be modified as desired. The package command will package the chart into a .tgz file that can be pushed to ProGet.

Refer to the Helm chart creation documentation for more information.

Publishing Charts

The helm executable does not support pushing Helm charts, so ProGet offers three alternative methods to add charts to ProGet Helm feed:

Upload from ProGet Web Application

On the feed overview page, select "Add Package" and "Upload Chart" to upload a packaged Helm chart (i.e., .tgz file generated from the helm package command).

Publish via HTTP

To push a Helm chart via HTTP, issue a PUT or POST request with the package file as the content to: http://{proget-server}/helm/{feed-name}

This can be accomplished with the following examples:

PowerShell

Invoke-WebRequest http://{proget-server}/helm/{feed-name} -Headers @{"AUTHORIZATION"="Basic " + [System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes("{username}:{password}"))} -Method PUT -InFile {chart-name}-{chart-version}.tgz

cURL

curl http://{proget-server}/helm/{feed-name} --user <user>:<password> --upload-file <chart-name>-<chart-version>.tgz

Deleting (Unpublishing) Charts

You can delete (permanently remove) Helm charts from your feed by navigating to the package page and clicking the Delete Package button. This actions requires the Feeds_DeletePackage permission attribute.

To programmatically delete a Helm chart from your feed, issue a DELETE request to: http://{proget-server}/helm/{feed-name}/package/{ID}/{VERSION}

This can be accomplished with the following examples:

PowerShell

Invoke-WebRequest http://{proget-server}/helm/{feed-name}/package/{ID}/{VERSION} -Headers @{"AUTHORIZATION"="Basic " + [System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes("{username}:{password}"))} -Method DELETE

cURL

curl http://{proget-server}/helm/{feed-name}/package/{ID}/{VERSION} --user <user>:<password> -X DELETE

What about the helm-push command?

The helm-push command comes from a third-party plugin that is designed exclusively to push packages to ChartMusuem (which is a private Helm repository). It is not a "standard" and is only compatible with the ChartMusuem API, and behind the scenes it seems quite complicated. With the other methods, you just upload the file you specify and get a standard HTTP status code in response.

The reason it doesn't work with ProGet is that the ChartMusuem repository is a very different product than ProGet; for example, it doesn't have the concept of "Feeds", or even custom URL endpoint points. This means that only a root path like https://proget.kramerica.corp/ is supported. Even if we could "hack something together" by reverse-engineering and re-implementing the ChartMusuem's API, it could unexpectedly break as they release new versions of the plug-in and clients.

Pull From External Repository

If the chart version you want to install is available in an external Helm repository, use this option.

Technical Limitations

Signed (i.e., provenance) charts are not supported at this time but may become available in a future v5.2 maintenance release.

Container Visibility

Helm charts reference a number of container images. These container images are defined in a values.yaml file that is used to populated the deployments.yaml template file. A chart may also be dependent on a number of other Helm charts. These dependencies also have a values.yaml file and deploment.yaml template.

ProGet will parse the values.yaml of the chart and its dependencies values.yaml files to find which container images are used. These container images will then be displayed in the chart's description under the Associated Container Images section. ProGet will also attempt to match these associated container images with a container image within your ProGet container registries. If a match is found, ProGet will automatically link the Helm chart to associated ProGet container image.

*This feature is available in ProGet 5.3 and above.

Parsing Requirements

When configuring container images in your values.yaml, the image property must end in image (e.g., image:, redisImage:, postgresImage:, etc.) and contain the following sub-properties: repository, tag (or dockerTag), and optionally registry. If tag or dockerTag is omitted, the latest tag will be used when defining the associated container image.

Container Vulnerabilities

If you have configured your container registries to leverage a vulnerability source, you may have a Helm chart that links to a vulnerable container image. This can cause your Kubernetes installation to fail when you try to pull the container image from your registry. Container images will be blocked if a vulnerability has been assessed and marked Blocked or if you have enabled the Unassessed vulnerabilities to be blocked in Administration > Advanced Settings.