Announcing JFrog Artifactory integration in Kubeapps 0.7.0

One of the most requested feature for Kubeapps has been for users to be able to access charts from private Helm repositories. So for the 0.7.0 release of Kubeapps we decided to do just that. As JFrog Artifactory is the number one choice amongst enterprises to setup private Helm repositories we worked on ensuring that this feature worked really well with JFrog Artifactory.

For the initial feature implementation we decided to support the HTTP authentication scheme using the Authorization request header. This meant that Kubeapps would be able to access any private Helm repository that implements this scheme.

So, without any further ado, lets walk through setting up a private Helm repository in Artifactory and configure Kubeapps to authenticate and pull charts from this Helm repository.

We assume that you have already installed Kubeapps in your cluster. If not, it’s really easy to setup. Follow this two step getting started guide to get up and running with Kubeapps.

We also assume that you have Artifactory deployed with the Helm integration. If not, use the Kubeapps dashboard to deploy the stable/artifactory Helm chart in your cluster.

Setting up a Private Helm Repository

In the default configuration, Artifactory allows anonymous access to the charts (artifacts) in the Helm repositories. Since we want to set up a private repository, we’ll first disable the anonymous access.

Login to the Artifactory web interface and open the Admin/Permissions page. Here you will notice that Artifactory permits anonymous access to the Any Remote and Anything permission targets.

Edit these permissions to remove the anonymous access privileges. After which, the permissions management page should look similar to the following screenshot.

This is all that’s required to create a private Helm repository in Artifactory.

Uploading charts to the repository

For the sake of demonstration we’ll use the helmclient to download the stable/dokuwiki chart from the official Helm repository.

$ helm fetch stable/dokuwiki --version 1.0.1

Next, we’ll upload the dokuwiki chart to our private repository using the curl client.

$ curl -u{USER}:{PASSWORD} -T dokuwiki-1.0.1.tgz "http://{REPO_URL}/artifactory/helm/"

Note: Please replace the {USER} , {PASSWORD}, and {REPO_URL} placeholders in the command examples with their respective values.

Attempting to download the dokuwiki chart from our private repository anonymously should return an unauthorized access error indicating that only authorized users can download charts from the repository.

$ curl http://{REPO_URL}/artifactory/helm/dokuwiki-1.0.1.tgz
{
  "errors" : [ {
    "status" : 401,
    "message" : "Unauthorized"
  } ]
}

Creating an access token for Kubeapps

We’ll generate a non expiring bearer token with read-only access using the Artifactory API. This token will be used by Kubeapps to access charts from the private Helm repository.

$ curl -u{USER}:{PASSWORD} -XPOST "http://{REPO_URL}/artifactory/api/security/token?expires_in=0" -d "username=kubeapps" -d "scope=member-of-groups:readers"
{
  "scope" : "member-of-groups:readers api:*",
  "access_token" : "eyJ2ZXIiOiIyIiwidHlwIj...",
  "token_type" : "Bearer"
}

The above command generates a bearer token with the identifier kubeapps. which can be managed from the Admin/Access Tokens page. The output of the command displays the value of the bearer token in the access_token field. This will be used in the Kubeapps dashboard to authorize access to the private Helm repository.

Before we continue, let’s make a quick test to verify that we’re now able to authenticate and download charts from the repository using the curl client.

$ curl -OH "Authorization: Bearer {ACCESS_TOKEN}"  http://{REPO_URL}/artifactory/helm/dokuwiki-1.0.1.tgz

The above command specifies the bearer token in the Authorization header of the HTTP request. If everything goes as expected you should notice that the dokuwiki-1.0.1.tgz chart is downloaded successfully.

Adding the repository to Kubeapps

Now that we have a secure, private Helm repository setup using Artifactory, the following steps configure Kubeapps dashboard to authenticate and fetch charts from this repository.

Visit the Configure/App Repositories page and add a new app repository as shown in the screenshot below.

The bearer token generated in the previous section should be specified in the Authorization Header field with the prefix “Bearer”. Once added Kubeapps will begin synchronizing charts from the private Helm repository and all available charts will be listed under the Charts tab of the dashboard.

Users should now be able to list, install and upgrade charts from your private Helm repository directly using the Kubeapps dashboard.

That’s it! We hope you enjoy the Kubeapps 0.7.0 release. Cheers!

Kubeapps is a dashboard that supercharges your Kubernetes cluster with simple browse and click deployment of applications. Kubeapps provides a complete application delivery environment that empowers users to launch, review and share applications.

Artifactory by JFrog is a universal artifact repository supporting major packaging formats, build tools and CI servers. The helm integration for Artifactory enables users to deploy on-premise, private and secure Helm repositories to share Helm charts across your organization.