Store your Helm charts in Singularity Container Services

By Staff

Jul 19, 2023 | Blog

OCI registries serve as centralized repositories for container images, facilitating efficient distribution and collaboration among teams. They provide a single source of truth for container images, making it easier to share, discover, and reuse images across different projects and organizations.

By storing Helm charts in OCI registries, you align with industry-standard practices and benefit from the broader ecosystem built around them, such as versioning and tagging your Helm charts just like container images. This enables you to track different versions of your charts and easily manage their lifecycle.

OCI registries also bring built-in security features such as access control, authentication, and encryption. By storing Helm charts in a secure OCI registry, you can ensure that only authorized users have access to your charts, preventing unauthorized modifications or tampering.

Many CI/CD tools and platforms have built-in integrations with OCI registries. Storing Helm charts in OCI registries allows you to seamlessly integrate chart publishing and distribution into your CI/CD pipelines, enabling automated deployments and updates.

In theory, any Helm chart should work. For demonstration, we use an example chart from the official Helm repository as a starting point: log in to the Singularity Container Services registry, download the chart, and finally push it:

$ singularity remote get-login-password | 
helm registry login --username USERNAME --password-stdin registry.sylabs.io
$ wget https://github.com/helm/helm/raw/1c4885fce74d44b94a8b100f660cca4cc633176c/pkg/repo/repotest/testdata/examplechart-0.1.0.tgz
$ helm push examplechart-0.1.0.tgz \
       oci://registry.sylabs.io/USERNAME/helm/example

Once the chart has been pushed to the registry, install it as follows. Pay attention to the “oci://” part of the URI, which indicates that Helm will use an external OCI-compliant registry.

$ helm install release-name \
  oci://registry.sylabs.io/USERNAME/helm/example/examplechart \
  --version 0.1.0
Pulled: registry.sylabs.io/USERNAME/helm/example/examplechart:0.1.0
Digest: sha256:a6c1484454156c2a03...311671c2dfae00eb1
NAME: release-name
LAST DEPLOYED: Mon Jun  5 21:55:15 2023
NAMESPACE: default
STATUS: deployed
REVISION: 1
TEST SUITE: None


$ helm list
NAME          	NAMESPACE	REVISION	UPDATED                                	STATUS  	CHART                            	APP VERSION
release-name	default  	1       	2023-06-05 21:55:15.767393721 -0600 CST	deployed	examplechart-0.1.0

It is also possible to pull the chart as a tarball:

$ helm pull oci://registry.sylabs.io/USERNAME/helm/example/examplechart \
       --version 0.1.0
Pulled: registry.sylabs.io/USERNAME/helm/example/examplechart:0.1.0
Digest: sha256:a6c1484454156c...311671c2dfae00eb1

The chart can also be signed using cosign. First, obtain the digest:

$ DIGEST=$(crane digest registry.sylabs.io/josueneo/helm/example/examplechart:0.1.0)

Then, sign the chart:

$ cosign sign -y --key cosign.key \
         registry.sylabs.io/josueneo/helm/example/examplechart@$DIGEST
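
A signature only helps if consumers check it. The following added example (not part of the original post) verifies the cosign signature on the chart's digest before installing, and installs from the pulled tarball so that the content verified is the content deployed. It assumes a `cosign.pub` public key matching the `cosign.key` used above; the function names are hypothetical.

```bash
#!/usr/bin/env bash
# Added example (not from the original post). Assumes cosign.pub is the public
# half of the cosign.key used for signing; function names are hypothetical.
# Usage: verify_then_install release-name \
#          registry.sylabs.io/USERNAME/helm/example/examplechart 0.1.0 cosign.pub

# Accept only "sha256:" followed by 64 lowercase hex characters, so a tag or an
# empty string is never treated as a pinned reference.
is_sha256_digest() {
  local hex="${1#sha256:}"
  [ "$hex" != "$1" ] || return 1          # the sha256: prefix was missing
  [ "${#hex}" -eq 64 ] || return 1
  case "$hex" in *[!0-9a-f]*) return 1 ;; esac
}

# verify_then_install RELEASE REPO VERSION PUBKEY
# REPO is the chart path without the oci:// scheme.
verify_then_install() {
  local release="$1" repo="$2" version="$3" pubkey="$4"
  local digest dir out chart rc

  digest="$(crane digest "${repo}:${version}")" || return 1
  is_sha256_digest "$digest" || { echo "unexpected digest: ${digest}" >&2; return 1; }

  # Check the signature on the digest, not on the mutable tag.
  cosign verify --key "$pubkey" "${repo}@${digest}" >/dev/null || {
    echo "signature check failed: ${repo}@${digest}" >&2; return 1; }

  # Pull once and require that Helm reports the digest that was just verified;
  # this catches a tag that moved between the two steps.
  dir="$(mktemp -d)" || return 1
  out="$(helm pull "oci://${repo}" --version "$version" --destination "$dir" 2>&1)" || true
  if ! printf '%s\n' "$out" | grep -qF "Digest: ${digest}"; then
    echo "pulled chart does not match verified digest" >&2
    rm -rf "$dir"; return 1
  fi

  # Install the local tarball, so the bytes deployed are the bytes checked.
  chart="${dir}/${repo##*/}-${version}.tgz"
  helm install "$release" "$chart" && rc=0 || rc=$?
  rm -rf "$dir"
  return "$rc"
}
```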

Storing Helm charts in Singularity Container Services registry provides a reliable, secure, and scalable solution for managing and distributing your deployments, promoting standardization and enabling efficient collaboration.