SUSE / Portus

Authorization service and frontend for Docker registry (v2)
http://port.us.org/
Apache License 2.0

Stable Helm Chart #1981

Open mssola opened 5 years ago

mssola commented 5 years ago

Description

Previous efforts have been made to get a proper Helm chart, and now the community is also pushing for a new one. This issue is a reminder to help as much as possible on this effort.

Informatic commented 5 years ago

Any updates on this?

I'm looking into deploying portus in our environment. I've quickly hacked together https://github.com/kubic-project/caasp-services/tree/master/contrib/helm-charts/portus with support for automatic cert-manager self-signing keypair generation (for authentication tokens) running behind nginx-ingress-controller (with cert-manager set up for Let's Encrypt as well), and it seems to kinda work. I can drop a very messy patch if you want.

Update: darn, docker-registry doesn't seem to like self-signed https:// notification URLs... I'll try to play with it later this week.

mssola commented 5 years ago

@Informatic I'm currently working on it, but if you have something that works, I'd appreciate a patch, so we can merge ideas :smile:

Informatic commented 5 years ago

https://git.io/fp58s (+ required ClusterIssuer/Issuer object: https://git.io/fp58W)

As you can see, it is very dirty, and, as stated above, does not really work yet. But IMO employing cert-manager to do certificate management on initialization would be a great feature (even as an option).

Informatic commented 5 years ago

I'm not 100% sure how TLS certificates are used when communicating between all components in Portus, but if any component needed to sign some certificates, there's an option for that in Cert-Manager Certificate spec: http://docs.cert-manager.io/en/latest/reference/api-docs/index.html#certificate-v1alpha1isCA

Running Kubernetes/Portus in our environment is not very high on our todo lists yet, but I'll try to help with development & testing in my free time later.

Informatic commented 5 years ago

Hey, out of curiosity: do we have any updates on that?

In the end I only had a couple of hours to hack on this, and, sadly, didn't go any further. (i.e. didn't get it to run successfully... :/)

Ah. Last time, I ended up having problems with getting Portus to communicate with registry running with self-signed TLS certificates. I'll try to play with it further tonight.

simon-scherzinger commented 5 years ago

Hey @Informatic,

did you have time to fiddle with it again? I'm also at the point where I struggle to secure communication with the registry and self-signed TLS certificates. For the sake of simplicity I created the certificate manually (see #1730) but it looks like no one wants to talk with a self-signed certificate. I would be happy if you could show off your final helm chart. ;-)

Take care,

Simon

insertjokehere commented 5 years ago

I'm also interested if anyone has got this working; I managed to deploy the helm chart with the patches @Informatic proposed. All the services come up OK, I can log into the Portus interface and I can push to the registry using the credentials I created. The point where I'm getting stuck is getting the registry added to Portus - no matter what I try I get SSL errors. It seems like Portus isn't picking up the /certificates/portus.crt certificate as trusted?

simon-scherzinger commented 5 years ago

Hey @insertjokehere,

try adding isCA: true under spec in the certificate.yaml file. With this I can add the registry to Portus. Pushing and pulling images works as well, but the registry still does not talk back to Portus. This leaves the repositories unknown to Portus (UI).

simon-scherzinger commented 5 years ago

I think I made progress today. It was not the registry which could not talk to Portus, it was the Portus background process. Simply because the self-signed certificate was not mounted into the background container. After adding the certificate stuff from portus container to portus-background in portus-deployment.yaml it worked.

I will add my final helm chart after I added some small things I'm missing – like saving images to S3 instead of a volume.
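The two changes described in the comments above (isCA: true on the cert-manager Certificate, and the same certificate mount on both the portus and portus-background containers), as an added example that is not taken from the thread or from the Portus project. It assumes the cert-manager v1alpha1 API referenced earlier in the thread; all resource names, the hostname, the image reference, the Issuer name and the portus.key file name are placeholders.

```yaml
# Added illustration; names, hostname, image and Issuer are placeholders.
apiVersion: certmanager.k8s.io/v1alpha1   # cert-manager v1alpha1 API group
kind: Certificate
metadata:
  name: portus-tls                  # hypothetical name
spec:
  secretName: portus-tls            # Secret that cert-manager fills with tls.crt / tls.key
  commonName: portus.example.com    # placeholder hostname
  dnsNames:
    - portus.example.com
  isCA: true                        # the setting suggested in the thread
  issuerRef:
    name: selfsigning-issuer        # hypothetical self-signing Issuer
    kind: Issuer
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: portus
spec:
  replicas: 1
  selector:
    matchLabels: {app: portus}
  template:
    metadata:
      labels: {app: portus}
    spec:
      volumes:
        - name: certificates
          secret:
            secretName: portus-tls
            items:
              - {key: tls.crt, path: portus.crt}   # lands at /certificates/portus.crt
              - {key: tls.key, path: portus.key}   # assumed file name
      containers:
        # Portus' own environment settings are unchanged and left out here.
        - name: portus
          image: registry.example.com/portus:TAG   # placeholder image reference
          volumeMounts:
            - {name: certificates, mountPath: /certificates, readOnly: true}
        - name: portus-background
          image: registry.example.com/portus:TAG   # placeholder image reference
          volumeMounts:
            # Same mount as the portus container, so the background process
            # can validate the self-signed certificate as well.
            - {name: certificates, mountPath: /certificates, readOnly: true}
```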

asoltesz commented 4 years ago

Any update on this?

Kubernetes is now in very widespread use.

Not having a proper, stable Helm chart is a pretty big disadvantage IMHO.

insertjokehere commented 4 years ago

To back up @asoltesz - I ended up deploying goharbor/harbor rather than Portus because having a helm chart makes it a load simpler

asoltesz commented 4 years ago

The instructions for the "incubator/portus" chart do not work anymore. There is no portus chart in incubator.

SerialVelocity commented 3 years ago

You might want to remove this quote from the installation instructions considering it doesn't work:

> Moreover, to maintain Kubernetes applications the community has developed Helm. Because of this, we have been working on proper Helm charts to deploy Portus in your Kubernetes cluster. We are working on pushing these charts into the main repository, but for now you can use the charts from this repository.

I understand if this isn't a high priority issue for you but maybe replace that with a link to this issue asking for a :+1: if it is a wanted feature? That way you can gauge interest.