Helm can use Docker Registries

You can pull and push Helm charts from a Docker registry. Learn how in this blog post. As a reward for doing so, get the bash script at the end!

Alec Di Vito

Today I learned that I know nothing of the current state of Helm. When I first started using it, people would just host their own charts over HTTP. Times have changed and people have started to host them in Docker registries...because why not, I guess. I've been so used to being able to pull charts over HTTP that I'm now surprised that I need to authenticate to pull a chart 😱

I first learnt about this "feature" when trying to pull a Helm chart from GitHub Container Registry from my ArgoCD install. I thought it was cool...up until the point it was asking me to authenticate with my GitHub credentials to pull the chart.

I don't really like giving out my credentials when I have the choice, especially to external systems that are going to act on my behalf. So, I guess it's time to go down the path of moving these GitHub artifacts over to my own registry.

Prerequisites

  • Have your own Docker registry running
  • Have the GitHub CLI (gh) installed and be logged in
  • Be logged in to your own registry

Steps

First we need to log in to GitHub using docker so you can access their Docker registry (wasn't this free before?).

gh auth token | docker login ghcr.io -u $USERNAME --password-stdin

Now that we have access to the GitHub registry, we can pull the tarball which contains the chart we want to use. For this example I'll use the GitHub Actions runner chart.

helm pull oci://ghcr.io/actions/actions-runner-controller-charts/gha-runner-scale-set-controller --version 0.9.3

This will download the chart as a tarball locally. We can then use it by pushing it up to our own private registry.

helm push gha-runner-scale-set-controller-0.9.3.tgz oci://registry.docker.com/actions/actions-runner-controller-charts

Amazing. I love technology.
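
The pull-then-push steps above as one script, added here as an example (it is not the author's script). The file name mirror.sh and the functions mirror_chart and dest_ref are names chosen for this example; it assumes helm and sha256sum are on PATH and that both registry logins from the prerequisites are already in place.

```shell
#!/usr/bin/env bash
# Added example (not the post's script): mirror one pinned chart version
# from a source OCI registry into your own. Assumes you are already logged
# in to both registries, so no credential appears on a command line here.
set -eu

# Reference that consumers (e.g. Argo CD) pull afterwards: `helm push` appends
# the chart name to the namespace and tags it with the chart version.
dest_ref() { printf '%s/%s:%s\n' "${1%/}" "$2" "$3"; }

# mirror_chart SRC_CHART_REF VERSION DEST_NAMESPACE
mirror_chart() {
  [ "$#" -eq 3 ] || { echo "usage: mirror_chart SRC VERSION DEST" >&2; return 2; }
  local src="$1" version="$2" dest="$3" chart workdir tgz rc=0
  case "$src" in
    oci://*/*[!/]) ;;
    *) echo "source must look like oci://host/path/chart" >&2; return 2 ;;
  esac
  case "$dest" in
    oci://?*) ;;
    *) echo "destination must look like oci://host/namespace" >&2; return 2 ;;
  esac
  # Exact version only: range operators (^ ~ > *) would make the mirror
  # copy whatever upstream publishes next.
  case "$version" in
    ''|*[!0-9A-Za-z.+-]*) echo "pin an exact chart version" >&2; return 2 ;;
  esac
  chart="${src##*/}"
  workdir="$(mktemp -d)"
  # helm pull is expected to name an OCI download <chart>-<version>.tgz; if
  # that file is missing we did not get the artifact we asked for.
  tgz="$workdir/$chart-$version.tgz"
  if helm pull "$src" --version "$version" --destination "$workdir" >&2 &&
     [ -f "$tgz" ] &&
     sha256sum "$tgz" >&2 &&            # record what was mirrored
     helm push "$tgz" "$dest" >&2; then
    dest_ref "$dest" "$chart" "$version"
  else
    echo "mirror failed: $src version $version" >&2
    rc=1
  fi
  rm -rf "$workdir"
  return "$rc"
}

# Run only when arguments are given, e.g. with the values from this post:
#   ./mirror.sh oci://ghcr.io/actions/actions-runner-controller-charts/gha-runner-scale-set-controller \
#     0.9.3 oci://registry.docker.com/actions/actions-runner-controller-charts
if [ "$#" -gt 0 ]; then mirror_chart "$@"; fi
```

On success the script prints the reference to use from the private registry; everything else, including the tarball's SHA-256, goes to stderr.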

Why do this?

Because I used my GitHub account for much more than pulling images. Having it in my own Docker Registry means I can freely share the credentials to it without the possibility of my other property becoming compromised. I guess this is practicing the principle of least privilege which security engineers rave on about.

It also means that when I inevitably mess up my HomeLab and leave it running in a failed state for up to a week, I don't get my actual GitHub account banned for trying to DDoS their servers. Instead I can just let my HomeLab run a failing loop until I have time to fix it.

I didn't know I would miss being able to pull charts over HTTP so much.