Push & Pull Helm 2 Charts with Enterprise Edition - Container Registry

Helm is a package manager for Kubernetes that bundles application configurations into portable packages called charts. This guide shows how to use an Alibaba Cloud Container Registry (ACR) Enterprise Edition instance as a private Helm chart repository to push and pull charts using Helm 2.

This guide applies to Helm V2.x only. Helm 2 reached end-of-life (EOL) in November 2020 and is no longer actively maintained. If you are starting a new project, use [Push and pull a chart using Helm 3]() instead.

Prerequisites

Before you begin, make sure you have:

An ACR Enterprise Edition instance
Helm V2.x installed — run helm version -c to verify. The example in this guide uses V2.14.2. Download Helm from the Helm releases page
Git installed on the machine where you run the Helm plugin installation command
Network access from the machine running Helm commands to the ACR instance, either over the Internet or a virtual private cloud (VPC)

Step 1: Configure the Enterprise Edition instance

This step covers five configuration tasks: creating a namespace, creating a chart repository, setting an access credential, configuring access control, and optionally enabling anonymous pull.

Create a namespace

Log on to the Container Registry console.
In the left-side navigation pane, click Instances, then click the Enterprise Edition instance you want to use.
In the navigation pane, choose Helm Chart > Namespace.
Click Create Namespace.
In the Create Namespace dialog box, set Namespace, Automatically Create Repository, and Default Configurations for Automatically Created Repositories, then click Confirm.

When Automatically Create Repository is enabled, Helm can push charts to a new repository without creating it in the console first.

Create a chart repository

Chart repository addresses use the following formats:

Access type	Format
Internet	`<Instance name>-chart.<Region ID>.cr.aliyuncs.com/<Namespace>/<Chart repository name>`
VPC	`<Instance name>-chart-vpc.<Region ID>.cr.aliyuncs.com/<Namespace>/<Chart repository name>`

Chart versions follow the format <Chart name>-<Version number>.

On the Overview page, turn on Charts in the Component Settings section.
In the navigation pane, choose Helm Chart > Repositories.
Click Create Repositories.
In the Create Helm Chart dialog box, set Namespace, Repository Name, and Type, then click Confirm.

Set an access credential

In the navigation pane, choose Instances > Access Credential.
Click Set Password.
In the Set Password dialog box, set Password and Confirm Password, then click Confirm.

You can also use a temporary token as the access credential instead of a password.

Configure access control

Enable Internet or VPC access so Helm can push and pull charts. The steps below enable Internet access.

In the navigation pane, click Access Control.
Click the Internet tab.
Turn on Enable Access over Internet, then click Add Internet Whitelist.
In the Add Internet Whitelist dialog box, specify the CIDR blocks allowed to access the instance and add notes, then click Confirm.

For VPC access, see Configure a VPC ACL.

(Optional) Enable anonymous pull

After enabling anonymous pull, users can pull charts from public repositories without logging in.

Log on to the Container Registry console.
In the top navigation bar, select a region.
In the left-side navigation pane, click Instances, then click the Enterprise Edition instance.
In the Instance Settings section on the Overview page, turn on Pull from Anonymous Users.
In the Tips dialog box, click OK.

Step 2: Install and configure the Helm client

Download Helm V2.x from the Helm releases page.

Decompress the package and move the binary to your PATH:

# Decompress the installation package
tar -zxvf helm-v2.14.2-linux-amd64.tgz
# Move the binary to the specified directory
mv linux-amd64/helm /usr/local/bin/helm

Install the Helm plugin provided by Alibaba Cloud:

helm plugin install https://github.com/AliyunContainerService/helm-acr

Initialize Helm based on your cluster type:
- ACK cluster: tiller is initialized by default. Initialize the client only. Use --skip-refresh to skip fetching the default Google chart repository
```
helm init --client-only --skip-refresh
```
- Self-managed Kubernetes cluster: Run a full initialization. Use --skip-refresh to skip fetching the default Google chart repository
```
helm init --skip-refresh
```

Step 3: Push and pull charts

All commands in this step use environment variables for credentials. Set them once before running any push or pull commands:

export HELM_REPO_USERNAME='<Account in the access credential of the Enterprise Edition instance>'
export HELM_REPO_PASSWORD='<Password in the access credential of the Enterprise Edition instance>'

Map a local repository to ACR

Add a local repository alias that maps to your chart repository in ACR. Use the Internet or VPC address based on how you configured access control in Step 1.

Internet access:

helm repo add <local-repo-name> acr://<Instance name>-chart.<Region ID>.cr.aliyuncs.com/<Namespace>/<Chart repository> \
  --username ${HELM_REPO_USERNAME} \
  --password ${HELM_REPO_PASSWORD}

VPC access:

helm repo add <local-repo-name> acr://<Instance name>-chart-vpc.<Region ID>.cr.aliyuncs.com/<Namespace>/<Chart repository> \
  --username ${HELM_REPO_USERNAME} \
  --password ${HELM_REPO_PASSWORD}

Push a chart

# Create a local chart
helm create <Chart name>

# Push the chart directory
helm push <Chart name> <local-repo-name>

# Or push a compressed chart package
helm cm-push <Chart name>-<Chart version>.tgz <local-repo-name>

To verify the push, go to Helm Chart > Repositories in the Container Registry console, click the chart repository name, and check the Versions tab for the new chart version.

Pull a chart

# Update the local chart index from ACR
helm repo update

# Pull a specific chart version
helm fetch <local-repo-name>/<Chart name> --version <Chart version>

# Or install a chart directly
helm install -f values.yaml <local-repo-name>/<Chart name> --version <Chart version>