ChartMuseum is an open source application which makes it easy to privately host and manage a repository of Helm charts. Some of its key features include multi-tenancy support, caching and a full-featured API.

ChartMuseum can be used to store Helm charts replicated from the VMware Tanzu Application Catalog for Tanzu Advanced. This enables Tanzu Advanced users to maintain private copies of Tanzu Application Catalog Helm charts behind the enterprise firewall. This approach ensures maximum security for the replicated Helm charts and gives enterprise development teams the confidence that they are using trusted, "known good" sources.

Assumptions and prerequisites

When replicating Tanzu Application Catalog Helm charts to ChartMuseum, there are two strategies available to store and retrieve the corresponding container images:

  • Strategy 1: Container images are replicated from the Tanzu Application Catalog for Tanzu Advanced registry and stored in/retrieved from a private Harbor registry.
  • Strategy 2: Container images are retrieved directly from the Tanzu Application Catalog for Tanzu Advanced registry as needed.

This article explains how to configure ChartMuseum to replicate Helm charts from the Tanzu Application Catalog for Tanzu Advanced chart repository under both strategies.

In both cases, this article assumes that:

  • You have an active deployment of ChartMuseum, configured in line with existing enterprise requirements, and administrator access to it. If you don't already have ChartMuseum, you can install it from the official website using these installation instructions.
  • You have credentials (consisting of a username and token) for the Tanzu Application Catalog for Tanzu Advanced registry.

For Strategy 1 only, this article additionally assumes that:

  • You have administrator access to a pre-existing installation of Harbor, configured in line with existing enterprise requirements. If you don't already have Harbor, you can install it using Bitnami's Harbor Helm chart, and you can learn more about Harbor on its website.

IMPORTANT: For Strategy 1, start with Step 1 below. For Strategy 2, start with Step 3 below. Note also that depending on which strategy you follow, the configuration and commands in Step 3 and Step 5 are different.

Step 1: Configure a registry

IMPORTANT: This step is only required if you wish to store Tanzu Application Catalog for Tanzu Advanced container images in a private Harbor registry (Strategy 1). If this is not the case, proceed directly to Step 3.

The first step is to define the source registry which hosts the container images. Follow these steps:

  1. Log in to Harbor with administrator credentials.
  2. Navigate to the "Administration > Registries" page.
  3. Click the "New Endpoint" button to create a new registry endpoint.
  4. In the resulting dialog, configure the registry endpoint as follows:

    • Set the "Provider" field to Docker Registry.
    • Enter a name and description for the registry.
    • Set the "Endpoint URL" to https://registry.pivotal.io.
    • Enter your Tanzu Application Catalog for Tanzu Advanced username and token in the "Access ID" and "Access Secret" fields respectively.

    Here is a screenshot of the configuration dialog:

    Registry configuration

  5. Click the "Test Connection" button to test the connection to the endpoint. If the test passes, click "OK" to create the registry.

The new registry should appear in the list of registries.

Registry list

Step 2: Configure and test container image replication

IMPORTANT: This step is only required if you wish to store Tanzu Application Catalog for Tanzu Advanced container images in a private Harbor registry (Strategy 1). If this is not the case, proceed directly to Step 3.

Once the private Harbor registry has been created, the next step is to configure replication between this registry and the source catalog. A separate rule is to be configured for each container image and Helm chart that you wish to replicate.

As an example, this article will show you how to replicate the MySQL container image from the Tanzu Application Catalog for Tanzu Advanced to the private Harbor registry. Follow these steps:

  1. Log in to Harbor with administrator credentials.
  2. Navigate to the "Administration > Replications" page.
  3. Click the "New Replication Rule" button to create a new rule.
  4. In the resulting dialog, configure the replication rule as follows:

    • Enter a descriptive name for the rule in the "Name" field, such as mysql-container.
    • Set the "Replication mode" to Pull-based.
    • Set the source registry to the one created in Step 1.
    • Enter the complete path to the source image in the "Source resource filter" field. For example, to replicate the MySQL image, enter the value tac-for-tanzu-advanced/containers/mysql. You can obtain the path from the container's detail page (in the "Digest" section) in the Tanzu Application Catalog interface.

      TAC tags

    • Enter specific tags or labels as required (optional, enter ** to replicate all tags and labels).

    • Set the destination namespace to tac-for-tanzu-advanced/containers/.
    • Set the "Trigger Mode" to Manual.
    • Tick the "Override" checkbox if you want pre-existing images with the same name in the private registry to be overwritten by fresh versions.

    NOTE: It is extremely important to set the destination namespace only to the value tac-for-tanzu-advanced/containers/, so that container references in Helm charts are correctly followed.

    Here is a screenshot of the configuration dialog:

    Replication configuration

  5. Click "Save" to save the replication rule.

TIP: If you plan to synchronize images on a fixed schedule, set the "Trigger Mode" to Scheduled instead and provide a cron string to define the schedule.

The new rule should appear in the list of replication rules.

Replication rules list

Repeat this step for every container image that you wish to replicate, modifying the source resource filter path/name as required.

TIP: It is also possible to replicate several container images with a single replication rule. For example, setting the "Source resource filter" field to tac-for-tanzu-advanced/containers/{mysql,mongodb,redis,postgresql} will create a rule to replicate multiple container images.

You can now proceed to test the replication for container images, as follows:

  1. Log in to Harbor with administrator credentials.
  2. Navigate to the "Administration > Replications" page.
  3. Select the rule for the container image you wish to replicate - in this case, the mysql-container rule. Click the "Replicate" button.
  4. Confirm the replication request.

The replication process will begin. You will be able to watch the status in the "Executions" list.

Replication status

To see details on what was replicated, or to stop the process, click the event ID in the "Executions" list. This will transfer you to the event detail page. Click the "Logs" icon to view a detailed log of the replication process, or click the "Stop" button to stop the operation.

Replication logs

Follow the same procedure to replicate other container images.

TIP: For more information, refer to our detailed tutorial on consuming Tanzu Application Catalog for Tanzu Advanced container images using a private Harbor registry.

Step 3: Install and configure charts-syncer

Bitnami's charts-syncer utility is designed specifically to synchronize Helm chart packages between chart repositories - in this case, between the Tanzu Application Catalog for Tanzu Advanced chart repository and your private ChartMuseum repository. Follow the steps below to install the charts-syncer utility:

  1. Download the latest release of charts-syncer from its GitHub repository. Replace the X.Y.Z placeholder in the command below with the version number of the latest release. This guide uses v0.6.2, which is the most current release at time of writing.

    $ curl -LO https://github.com/bitnami-labs/charts-syncer/releases/download/vX.Y.Z/charts-syncer_X.Y.Z_linux_x86_64.tar.gz
    
  2. Uncompress the release package and move the binary file to a location in your system path:

    $ tar xzf charts-syncer_X.Y.Z_linux_x86_64.tar.gz
    $ chmod +x ./charts-syncer
    $ mv ./charts-syncer /usr/local/bin
    

Once the utility is installed, the next step is to create a configuration file with the source and destination repositories. This configuration file differs depending on whether you are following Strategy 1 or Strategy 2.

NOTE: The example configuration files shown in the next sections replicate only a single chart - the MySQL Helm chart - from the Tanzu Advanced repository to the private ChartMuseum repository. To replicate additional charts, add the chart names to the list in the charts: section of the configuration file.

Strategy 1

Under Strategy 1, the Tanzu Application Catalog for Tanzu Advanced container images are stored in your private Harbor registry. Create the configuration file shown below for charts-syncer, performing the following replacements:

  • Replace the USERNAME and TOKEN placeholders with your credentials for the Tanzu Application Catalog for Tanzu Advanced registry.
  • Replace the REGISTRY-ENDPOINT placeholder with the correct endpoint for your Harbor registry.
  • Replace the CHARTMUSEUM-ENDPOINT placeholder with the URL endpoint for your private ChartMuseum repository.
  • Replace the CHARTMUSEUM-USERNAME and CHARTMUSEUM-PASSWORD placeholders with the corresponding credentials for your private ChartMuseum repository.

    charts:
    - mysql
    source:
      repo:
        kind: OCI
        url: https://registry.pivotal.io/tac-for-tanzu-advanced/charts
        auth:
          username: USERNAME
          password: TOKEN
    target:
      containerRegistry: REGISTRY-ENDPOINT
      containerRepository: tac-for-tanzu-advanced/containers
      repo:
        kind: CHARTMUSEUM
        url: CHARTMUSEUM-ENDPOINT
        auth:
          username: 'CHARTMUSEUM-USERNAME'
          password: 'CHARTMUSEUM-PASSWORD'
    

Once complete, save the above configuration file as syncer.yml.

Strategy 2

Under Strategy 2, the Tanzu Application Catalog for Tanzu Advanced container images are stored in the Tanzu Advanced registry. Create the configuration file shown below for charts-syncer, performing the following replacements:

  • Replace the USERNAME and TOKEN placeholders with your credentials for the Tanzu Application Catalog for Tanzu Advanced registry.
  • Replace the CHARTMUSEUM-ENDPOINT placeholder with the URL endpoint for your private ChartMuseum repository.
  • Replace the CHARTMUSEUM-USERNAME and CHARTMUSEUM-PASSWORD placeholders with the corresponding credentials for your private ChartMuseum repository.

    charts:
    - mysql
    source:
      repo:
        kind: OCI
        url: https://registry.pivotal.io/tac-for-tanzu-advanced/charts
        auth:
          username: USERNAME
          password: TOKEN
    target:
      containerRegistry: registry.pivotal.io
      containerRepository: tac-for-tanzu-advanced/containers
      repo:
        kind: CHARTMUSEUM
        url: CHARTMUSEUM-ENDPOINT
        auth:
          username: 'CHARTMUSEUM-USERNAME'
          password: 'CHARTMUSEUM-PASSWORD'
    

Once complete, save the above configuration file as syncer.yml.
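
A pre-flight check for the syncer.yml of either strategy, added here as an example and not part of charts-syncer or the original article: it flags a file that other users can access, placeholder values left unreplaced, non-HTTPS repository URLs, and a containerRepository other than the one this article requires. The function name, host names and credential values are constructed for illustration.

```shell
# Added example: pre-flight lint for the syncer.yml described in this article.
# Prints one finding per line and returns 1 if there are any.
lint_syncer_config() {
  cfg=$1
  findings=$(
    # The auth: blocks hold live credentials, so only the owner may access the file.
    [ "$(ls -ld "$cfg" | cut -c5-10)" = "------" ] ||
      echo "perms: $cfg is accessible to group/other (chmod 600)"
    # Values that still equal the article's placeholders.
    grep -nE ":[[:space:]]*'?(USERNAME|TOKEN|REGISTRY-ENDPOINT|CHARTMUSEUM-(ENDPOINT|USERNAME|PASSWORD))'?[[:space:]]*\$" "$cfg" |
      sed 's/^/placeholder: line /'
    # Repository URLs must be HTTPS so the credentials are not sent in clear text.
    grep -nE '^[[:space:]]*url:' "$cfg" | grep -vE "url:[[:space:]]*'?https://" |
      sed 's/^/cleartext-url: line /'
    # The article requires this exact path so image references in charts resolve.
    grep -qE '^[[:space:]]*containerRepository:[[:space:]]*tac-for-tanzu-advanced/containers[[:space:]]*$' "$cfg" ||
      echo "repository: containerRepository is not tac-for-tanzu-advanced/containers"
  )
  [ -z "$findings" ] && return 0
  printf '%s\n' "$findings"
  return 1
}

# Constructed sample (hypothetical hosts and values): world-readable file,
# one placeholder left in place, and a plain-HTTP ChartMuseum URL.
demo_cfg=$(mktemp)
cat > "$demo_cfg" <<'EOF'
charts:
- mysql
source:
  repo:
    kind: OCI
    url: https://registry.pivotal.io/tac-for-tanzu-advanced/charts
    auth:
      username: alice
      password: TOKEN
target:
  containerRegistry: harbor.example.internal
  containerRepository: tac-for-tanzu-advanced/containers
  repo:
    kind: CHARTMUSEUM
    url: http://chartmuseum.example.internal
    auth:
      username: 'sync-bot'
      password: 'constructed-value'
EOF
chmod 644 "$demo_cfg"
lint_syncer_config "$demo_cfg" || echo "resolve the findings before running charts-syncer sync"
```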

Step 4: Replicate Helm charts to ChartMuseum with charts-syncer

With configuration complete, use charts-syncer to replicate the Helm charts listed in the configuration by executing the following command:

$ charts-syncer sync --config syncer.yml

Depending on how many charts are listed in the configuration file, the process may take some time. Once it completes, proceed to the next step.

Step 5: Use the replicated Helm charts

You can now begin using the replicated Helm charts from the private ChartMuseum repository. Before doing this, it is necessary to create a Kubernetes ImagePullSecret for the container image registry. This secret may be set globally or in your namespace. The steps to create this secret vary depending on whether you are following Strategy 1 or Strategy 2.

Strategy 1

The example commands below demonstrate how to create an ImagePullSecret under Strategy 1. Replace the REGISTRY-ENDPOINT placeholder with the correct endpoint for the local Harbor registry and the USERNAME and PASSWORD placeholders with the credentials for the Harbor registry.

$ export your_registry=REGISTRY-ENDPOINT
$ export DOCKER_USER='USERNAME'
$ export DOCKER_PASSWORD='PASSWORD'
$ kubectl create secret docker-registry mysecret \
  --docker-server "${your_registry}/tac-for-tanzu-advanced" \
  --docker-username "$DOCKER_USER" \
  --docker-password "$DOCKER_PASSWORD"

Once the ImagePullSecret has been created, charts can be deployed using standard Helm commands.

The example commands below demonstrate how to add your private ChartMuseum repository to Helm and deploy the replicated Tanzu Application Catalog Helm chart for MySQL from it. Replace the CHARTMUSEUM-ENDPOINT placeholder with the URL endpoint for your private ChartMuseum repository and the CHARTMUSEUM-USERNAME and CHARTMUSEUM-PASSWORD placeholders with the corresponding credentials for your private ChartMuseum repository.

$ helm repo add myrepo CHARTMUSEUM-ENDPOINT --username CHARTMUSEUM-USERNAME --password CHARTMUSEUM-PASSWORD
$ helm install myrepo/mysql --generate-name --set "global.imagePullSecrets[0]=mysecret"

Strategy 2

The example commands below demonstrate how to create an ImagePullSecret under Strategy 2. Replace the USERNAME and TOKEN placeholders with the credentials for the Tanzu Application Catalog for Tanzu Advanced registry.

$ export DOCKER_USER='USERNAME'
$ export DOCKER_PASSWORD='TOKEN'
$ kubectl create secret docker-registry mysecret \
  --docker-server registry.pivotal.io/tac-for-tanzu-advanced \
  --docker-username "$DOCKER_USER" \
  --docker-password "$DOCKER_PASSWORD"

Once the ImagePullSecret has been created, charts can be deployed using standard Helm commands.

The example commands below demonstrate how to add your private ChartMuseum repository to Helm and deploy the replicated Tanzu Application Catalog Helm chart for MySQL from it. Replace the CHARTMUSEUM-ENDPOINT placeholder with the URL endpoint for your private ChartMuseum repository and the CHARTMUSEUM-USERNAME and CHARTMUSEUM-PASSWORD placeholders with the corresponding credentials for your private ChartMuseum repository.

$ helm repo add myrepo CHARTMUSEUM-ENDPOINT --username CHARTMUSEUM-USERNAME --password CHARTMUSEUM-PASSWORD
$ helm install myrepo/mysql --generate-name --set "global.imagePullSecrets[0]=mysecret"
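
Before deploying under either strategy, the rendered chart can be checked to confirm that every image reference points at the registry path the ImagePullSecret covers. The following is an added example, not from the original article or the Helm project; the function names, host name and image tags are constructed.

```shell
# Added example: list image references in rendered manifests (stdin) that are
# NOT under the expected registry/repository prefix ($1).
images_outside_mirror() {
  prefix=${1%/}/
  sed -nE "s/^[[:space:]]*(-[[:space:]]+)?image:[[:space:]]*[\"']?([^\"'[:space:]]+).*/\2/p" |
    sort -u |
    while IFS= read -r ref; do
      case $ref in
        "$prefix"*) ;;                  # pulled from the mirror, covered by the secret
        *) printf '%s\n' "$ref" ;;      # would be pulled from somewhere else
      esac
    done
}

# Constructed sample of `helm template` output (hypothetical host and tags).
sample_manifest() {
  cat <<'EOF'
apiVersion: apps/v1
kind: StatefulSet
spec:
  template:
    spec:
      imagePullSecrets:
        - name: mysecret
      initContainers:
        - name: volume-permissions
          image: docker.io/bitnami/os-shell:11
      containers:
        - name: mysql
          image: "harbor.example.internal/tac-for-tanzu-advanced/containers/mysql:8.0.32"
EOF
}

# Real use: helm template myrepo/mysql | images_outside_mirror REGISTRY-ENDPOINT/tac-for-tanzu-advanced/containers
sample_manifest | images_outside_mirror harbor.example.internal/tac-for-tanzu-advanced/containers
```

An empty result means every image in the chart resolves to the expected registry; under Strategy 2 pass registry.pivotal.io/tac-for-tanzu-advanced/containers as the prefix.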

Useful links

To learn more about the topics discussed in this guide, use the links below:
