Consume VMware Application Catalog for Tanzu Advanced using a Private ChartMuseum repository

This section explains how to configure ChartMuseum to replicate Helm charts from the VMware Application Catalog for Tanzu Advanced chart repository. ChartMuseum is an open source application which makes it easy to privately host and manage a repository of Helm charts. Some of its key features include multi-tenancy support, caching and a full-featured API.

ChartMuseum can be used to store Helm charts replicated from the VMware Application Catalog for Tanzu Advanced. This enables Tanzu Advanced users to maintain private copies of VMware Application Catalog Helm charts behind the enterprise firewall. This approach ensures maximum security for the replicated Helm charts and gives enterprise development teams the confidence that they are using trusted, “known good” sources.

When replicating VMware Application Catalog Helm charts to ChartMuseum, there are two strategies available to store and retrieve the corresponding container images:

  • Strategy 1: Container images are replicated from the VMware Application Catalog for Tanzu Advanced registry and stored in or retrieved from a private Harbor registry.
  • Strategy 2: Container images are retrieved directly from the VMware Application Catalog for Tanzu Advanced registry as needed.

What to do first

In both cases, ensure:

  • You have an active deployment of ChartMuseum, configured in line with existing enterprise requirements, and administrator access to it. If you don’t already have ChartMuseum, see installation instructions.
  • You have credentials (consisting of a username and token) for the VMware Application Catalog for Tanzu Advanced registry.

For strategy 1 only, ensure:

  • You have administrator access to a pre-existing installation of Harbor, configured in line with existing enterprise requirements. If you don’t already have Harbor, see Bitnami’s Harbor Helm chart. For more information about Harbor, see Harbor.

Important

For Strategy 1, start with Step 1 below. For Strategy 2, start with Step 3 below. Note also that depending on which strategy you follow, the configuration and commands in Step 3 and Step 5 are different.

To consume VMware Application Catalog for Tanzu Advanced using a Private ChartMuseum Repository, follow these steps as explained in the sections below:

  1. Configure a registry
  2. Configure and test container image replication
  3. Install and configure charts-syncer
  4. Replicate Helm charts to ChartMuseum with charts-syncer
  5. Use the replicated Helm charts

Configure a registry

Important

This step is only required if you wish to store VMware Application Catalog for Tanzu Advanced container images in a private Harbor registry (Strategy 1). If this is not the case, proceed directly to Step 3.

The first step is to define the source registry which hosts the container images. Follow these steps:

  1. Log in to Harbor with administrator credentials.
  2. Navigate to the “Administration > Registries” page.
  3. Click “New Endpoint” to create a new registry endpoint.
  4. In the resulting dialog, configure the registry endpoint as follows:

    • Set the “Provider” field to Docker Registry.
    • Enter a name and description for the registry.
    • Set the “Endpoint URL” to https://registry.pivotal.io.
    • Enter your VMware Application Catalog for Tanzu Advanced username and token in the “Access ID” and “Access Secret” fields respectively.

      The Configuration dialog box displays.

      Registry configuration

  5. Click “Test Connection” to test the connection to the endpoint. If the test passes, click “OK” to create the registry.

    The new registry should appear in the list of registries.

    Registry list

Configure and test container image replication

Important

This step is only required if you wish to store VMware Application Catalog for Tanzu Advanced container images in a private Harbor registry (Strategy 1). If this is not the case, proceed directly to Step 3.

Once the private Harbor registry has been created, the next step is to configure replication between this registry and the source catalog. A separate rule is to be configured for each container image and Helm chart that you wish to replicate.

As an example, this article will show you how to replicate the MySQL container image from the VMware Application Catalog for Tanzu Advanced to the private Harbor registry. Follow these steps:

  1. Log in to Harbor with administrator credentials.
  2. Navigate to the “Administration > Replications” page.
  3. Click “New Replication Rule” to create a new rule.
  4. In the resulting dialog, configure the replication rule as follows:

    • Enter a descriptive name for the rule in the “Name” field, such as mysql-container.
    • Set the “Replication mode” to Pull-based.
    • Set the source registry to the one created in Step 1.
    • Enter the complete path to the source image in the “Source resource filter” field. For example, to replicate the MySQL image, enter the value tac-for-tanzu-advanced/containers/mysql. You can obtain the path from the container’s detail page (in the “Digest” section) in the VMware Application Catalog interface.

      VMware Application Catalog tags

    • Enter specific tags or labels as required (optional, enter ** to replicate all tags and labels).

    • Set the destination namespace to tac-for-tanzu-advanced/containers/.
    • Set the “Trigger Mode” to Manual.
    • Tick the “Override” checkbox if you want pre-existing images with the same name in the private registry to be overwritten by fresh versions.

      Note

      It is extremely important to set the destination namespace only to the value tac-for-tanzu-advanced/containers/, so that container references in Helm charts are correctly followed.

      The Configuration dialog box displays.

      Replication configuration

  5. Click “Save” to save the replication rule.

    Tip

    If you plan to synchronize images on a fixed schedule, set the “Trigger Mode” to Scheduled instead and provide a cron string to define the schedule.

    The new rule should appear in the list of replication rules.

    Replication rules list

    Repeat this step for every container image that you wish to replicate, modifying the source resource filter path/name as required.

    Tip

    It is also possible to replicate several container images with a single replication rule. For example, setting the “Source resource filter” field to tac-for-tanzu-advanced/containers/{mysql,mongodb,redis,postgresql} will create a rule to replicate multiple container images.

You can now proceed to test the replication for container images, as follows:

  1. Log in to Harbor with administrator credentials.
  2. Navigate to the “Administration > Replications” page.
  3. Select the rule for the container image you wish to replicate - in this case, the mysql-container rule. Click “Replicate”.
  4. Confirm the replication request.

    The replication process will begin. You will be able to watch the status in the “Executions” list.

    Replication status

To view the details on what was replicated, or to stop the process:

  1. Click the event ID in the “Executions” list.

    The Event Details page displays.

  2. Click the “Logs” icon to view a detailed log of the replication process, or click “Stop” to stop the operation.

    Replication logs

Follow the same procedure to replicate other container images.

Tip

For more information, see Consuming VMware Application Catalog for Tanzu Advanced container images using a private Harbor registry.

Install and configure charts-syncer

Bitnami’s charts-syncer utility is designed specifically to synchronize Helm chart packages between chart repositories - in this case, between the VMware Application Catalog for Tanzu Advanced chart repository and your private ChartMuseum repository. Follow the steps below to install the charts-syncer utility:

  1. Download the latest release of charts-syncer from its GitHub repository. Replace the X.Y.Z placeholder in the command below with the version number of the latest release. This guide uses v0.6.2, which is the most current release at time of writing.

    $ curl -LO https://github.com/bitnami-labs/charts-syncer/releases/download/vX.Y.Z/charts-syncer_X.Y.Z_linux_x86_64.tar.gz
    
  2. Uncompress the release package and move the binary file to a location in your system path:

    $ tar xzf charts-syncer_X.Y.Z_linux_x86_64.tar.gz
    $ chmod +x ./charts-syncer
    $ mv ./charts-syncer /usr/local/bin
    

    Once the utility is installed, the next step is to create a configuration file with the source and destination repositories. This configuration file differs depending on whether you are following Strategy 1 or Strategy 2.

    Note

    The example configuration files shown in the next sections replicate only a single chart - the MySQL Helm chart - from the Tanzu Advanced repository to the private ChartMuseum repository. To replicate additional charts, add the chart names to the list in the charts: section of the configuration file.

Strategy 1

Under Strategy 1, the VMware Application Catalog for Tanzu Advanced container images are stored in your private Helm repository. Create the configuration file shown below for charts-syncer, performing the following replacements:

  • Replace the USERNAME and TOKEN placeholders with your credentials for the VMware Application Catalog for Tanzu Advanced registry.
  • Replace the REGISTRY-ENDPOINT placeholder with the correct endpoint for your Harbor registry.
  • Replace the CHARTMUSEUM-ENDPOINT placeholder with the URL endpoint for your private ChartMuseum repository.
  • Replace the CHARTMUSEUM-USERNAME and CHARTMUSEUM-PASSWORD placeholders with the corresponding credentials for your private ChartMuseum repository.

    charts:
    - mysql
    source:
      repo:
        kind: OCI
        url: https://registry.pivotal.io/tac-for-tanzu-advanced/charts
        auth:
          username: USERNAME
          password: TOKEN
    target:
      containerRegistry: REGISTRY-ENDPOINT
      containerRepository: tac-for-tanzu-advanced/containers
      repo:
        kind: CHARTMUSEUM
        url: CHARTMUSEUM-ENDPOINT
        auth:
          username: 'CHARTMUSEUM-USERNAME'
          password: 'CHARTMUSEUM-PASSWORD'
    

Once complete, save the above configuration file as syncer.yml.

Strategy 2

Under Strategy 2, the VMware Application Catalog for Tanzu Advanced container images are stored in the Tanzu Advanced registry. Create the configuration file shown below for charts-syncer, performing the following replacements:

  • Replace the USERNAME and TOKEN placeholders with your credentials for the VMware Application Catalog for Tanzu Advanced registry.
  • Replace the CHARTMUSEUM-ENDPOINT placeholder with the URL endpoint for your private ChartMuseum repository.
  • Replace the CHARTMUSEUM-USERNAME and CHARTMUSEUM-PASSWORD placeholders with the corresponding credentials for your private ChartMuseum repository.

    charts:
    - mysql
    source:
      repo:
        kind: OCI
        url: https://registry.pivotal.io/tac-for-tanzu-advanced/charts
        auth:
          username: USERNAME
          password: TOKEN
    target:
      containerRegistry: registry.pivotal.io
      containerRepository: tac-for-tanzu-advanced/containers
      repo:
        kind: CHARTMUSEUM
        url: CHARTMUSEUM-ENDPOINT
        auth:
          username: 'CHARTMUSEUM-USERNAME'
          password: 'CHARTMUSEUM-PASSWORD'
    

Once complete, save the above configuration file as syncer.yml.
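Under either strategy, syncer.yml holds two sets of credentials in clear text. The pre-flight check below is an added example, not part of the original guide; it flags loose file permissions, placeholders that were never replaced, and repository URLs that use plain HTTP. The chartmuseum.example.internal host in the sample is constructed.

```shell
# Added example, not part of the original guide: pre-flight checks for the
# charts-syncer configuration file (syncer.yml) described above.
# Prints one line per finding; the return status is the number of findings.
lint_syncer_config() {
    cfg=$1
    findings=0

    # The file holds two sets of credentials in clear text, so group and
    # other should have no access (mode 600 or stricter).
    perms=$(ls -ld "$cfg" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "permissions: group/other bits are '$perms', expected '------'"
        findings=$((findings + 1))
    fi

    # Placeholders from the guide that were never replaced.
    placeholders='USERNAME|TOKEN|REGISTRY-ENDPOINT|CHARTMUSEUM-(ENDPOINT|USERNAME|PASSWORD)'
    if grep -Eq ": *.?($placeholders).?\$" "$cfg"; then
        echo "placeholders: unreplaced placeholder values remain"
        findings=$((findings + 1))
    fi

    # Repository credentials would cross the network unencrypted.
    if grep -Eq 'url: *http://' "$cfg"; then
        echo "transport: a repository URL uses http:// instead of https://"
        findings=$((findings + 1))
    fi

    return "$findings"
}

# Constructed sample: a Strategy 2 style file with placeholders left in
# place and a plain-HTTP ChartMuseum URL (hypothetical host).
write_sample_config() {
    cat > "$1" <<'EOF'
source:
  repo:
    kind: OCI
    url: https://registry.pivotal.io/tac-for-tanzu-advanced/charts
    auth:
      username: USERNAME
      password: TOKEN
target:
  repo:
    kind: CHARTMUSEUM
    url: http://chartmuseum.example.internal
EOF
}
```

Run `lint_syncer_config syncer.yml` before `charts-syncer sync`; a status of 0 means no findings.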

Replicate Helm charts to ChartMuseum with charts-syncer

With configuration complete, use charts-syncer to replicate the Helm charts listed in the configuration by executing the following command:

$ charts-syncer sync --config syncer.yml

Depending on how many charts are listed in the configuration file, the process may take some time. Once it completes, proceed to the next step.

Use the replicated Helm charts

You can now begin using the replicated Helm charts from the private ChartMuseum repository. Before doing this, it is necessary to create a Kubernetes ImagePullSecret for the container image registry. This secret may be set globally or in your namespace. The steps to create this secret vary depending on whether you are following Strategy 1 or Strategy 2.

Strategy 1

The example commands below demonstrate how to create an ImagePullSecret under Strategy 1.

  • Replace the REGISTRY-ENDPOINT placeholder with the correct endpoint for the local Harbor registry and the USERNAME and PASSWORD placeholders with the credentials for the Harbor registry.

  $ export your_registry=REGISTRY-ENDPOINT
  $ export DOCKER_USER='USERNAME'
  $ export DOCKER_PASSWORD='PASSWORD'
  $ kubectl create secret docker-registry mysecret \
      --docker-server "${your_registry}/tac-for-tanzu-advanced" \
      --docker-username "$DOCKER_USER" \
      --docker-password "$DOCKER_PASSWORD"

Once the ImagePullSecret has been created, charts can be deployed using standard Helm commands.

The example commands below demonstrate how to add your private ChartMuseum repository to Helm and deploy the replicated VMware Application Catalog Helm chart for MySQL from it.

  • Replace the CHARTMUSEUM-ENDPOINT placeholder with the URL endpoint for your private ChartMuseum repository and the CHARTMUSEUM-USERNAME and CHARTMUSEUM-PASSWORD placeholders with the corresponding credentials for your private ChartMuseum repository.

  $ helm repo add myrepo CHARTMUSEUM-ENDPOINT --username CHARTMUSEUM-USERNAME --password CHARTMUSEUM-PASSWORD
  $ helm install myrepo/mysql --generate-name --set "global.imagePullSecrets[0]=mysecret"

Strategy 2

The example commands below demonstrate how to create an ImagePullSecret under Strategy 2.

  • Replace the USERNAME and PASSWORD placeholders with the username and token for the VMware Application Catalog for Tanzu Advanced registry.

  $ export DOCKER_USER='USERNAME'
  $ export DOCKER_PASSWORD='PASSWORD'
  $ kubectl create secret docker-registry mysecret \
      --docker-server registry.pivotal.io/tac-for-tanzu-advanced \
      --docker-username "$DOCKER_USER" \
      --docker-password "$DOCKER_PASSWORD"

Once the ImagePullSecret has been created, charts can be deployed using standard Helm commands.

The example commands below demonstrate how to add your private ChartMuseum repository to Helm and deploy the replicated VMware Application Catalog Helm chart for MySQL from it.

  • Replace the CHARTMUSEUM-ENDPOINT placeholder with the URL endpoint for your private ChartMuseum repository and the CHARTMUSEUM-USERNAME and CHARTMUSEUM-PASSWORD placeholders with the corresponding credentials for your private ChartMuseum repository.

  $ helm repo add myrepo CHARTMUSEUM-ENDPOINT --username CHARTMUSEUM-USERNAME --password CHARTMUSEUM-PASSWORD
  $ helm install myrepo/mysql --generate-name --set "global.imagePullSecrets[0]=mysecret"
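To confirm that a replicated chart pulls its images from the registry your strategy calls for, the check below (an added example, not part of the original guide) scans rendered manifests for image references outside the expected path. The harbor.example.internal host, the example-init image name and the TAG values in the sample are constructed.

```shell
#!/bin/sh
# Added example, not part of the original guide. Reads rendered Kubernetes
# manifests on stdin and prints every container image reference that does
# not start with the expected registry path.
#   Strategy 1 prefix: REGISTRY-ENDPOINT/tac-for-tanzu-advanced/containers/
#   Strategy 2 prefix: registry.pivotal.io/tac-for-tanzu-advanced/containers/
images_outside_registry() {
    prefix=$1
    # Take the value of each "image:" key, strip quotes, de-duplicate, then
    # keep only the references that do not begin with the prefix.
    sed -n 's/^[[:space:]-]*image:[[:space:]]*//p' |
        tr -d "\"'" |
        sort -u |
        awk -v p="$prefix" 'index($0, p) != 1'
}

# Returns 0 only when every image is served from the expected path.
check_images() {
    offenders=$(images_outside_registry "$1")
    [ -z "$offenders" ] && return 0
    printf 'images not under %s:\n%s\n' "$1" "$offenders" >&2
    return 1
}

# Constructed sample shaped like "helm template" output (host, image names
# and tags are made up): one container still points at the upstream registry.
sample_manifest() {
    cat <<'EOF'
kind: StatefulSet
spec:
  template:
    spec:
      imagePullSecrets:
        - name: mysecret
      initContainers:
        - name: init
          image: registry.pivotal.io/tac-for-tanzu-advanced/containers/example-init:TAG
      containers:
        - name: mysql
          image: "harbor.example.internal/tac-for-tanzu-advanced/containers/mysql:TAG"
EOF
}

# Typical use: helm template myrepo/mysql | check_images "$PREFIX"
sample_manifest |
    images_outside_registry 'harbor.example.internal/tac-for-tanzu-advanced/containers/'
```

Under Strategy 1, any reference this prints means a pod would bypass the private Harbor registry, which usually points to a replication rule whose destination namespace is not tac-for-tanzu-advanced/containers/.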
