Initialisation depot

2026-02-10 12:12:11 +01:00
commit c3176e8d79
818 changed files with 52573 additions and 0 deletions
--- a/arti-api/CHARTMUSEUM_AUTH.md
+++ b/arti-api/CHARTMUSEUM_AUTH.md
@@ -0,0 +1,309 @@
+# Chart Museum Configuration with htpasswd Authentication
+
+Chart Museum supports htpasswd authentication using the same `/data/htpasswd` file managed by the Arti-API.
+
+## Chart Museum Configuration
+
+### Environment Variables
+```bash
+# Basic configuration
+STORAGE=local
+STORAGE_LOCAL_ROOTDIR=/charts
+PORT=8080
+
+# Authentication configuration
+AUTH_ANONYMOUS_GET=false
+BASIC_AUTH_USER=admin
+BASIC_AUTH_PASS=password
+
+# OR use htpasswd file (recommended)
+HTPASSWD_PATH=/data/htpasswd
+AUTH_REALM="Chart Museum"
+```
+
+### Docker Compose Configuration
+```yaml
+version: '3.8'
+
+services:
+  chartmuseum:
+    image: chartmuseum/chartmuseum:latest
+    container_name: chartmuseum
+    environment:
+      # Storage configuration
+      - STORAGE=local
+      - STORAGE_LOCAL_ROOTDIR=/charts
+      - PORT=8080
+      
+      # Authentication with htpasswd
+      - AUTH_ANONYMOUS_GET=false
+      - HTPASSWD_PATH=/data/htpasswd
+      - AUTH_REALM=Chart Museum
+      
+      # Optional: Allow chart overwrite
+      - ALLOW_OVERWRITE=true
+      
+      # Optional: Enable API
+      - DISABLE_API=false
+      
+      # Optional: Enable metrics
+      - DISABLE_METRICS=false
+      
+      # Optional: Enable logging
+      - LOG_JSON=true
+      - DEBUG=false
+    ports:
+      - "8080:8080"
+    volumes:
+      - /data:/data  # Same volume as Arti-API
+    restart: unless-stopped
+    healthcheck:
+      test: ["CMD", "wget", "--quiet", "--tries=1", "--spider", "http://localhost:8080/health"]
+      interval: 30s
+      timeout: 10s
+      retries: 3
+```
+
+### Kubernetes Configuration
+```yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: chartmuseum
+  labels:
+    app: chartmuseum
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: chartmuseum
+  template:
+    metadata:
+      labels:
+        app: chartmuseum
+    spec:
+      containers:
+      - name: chartmuseum
+        image: chartmuseum/chartmuseum:latest
+        ports:
+        - containerPort: 8080
+        env:
+        - name: STORAGE
+          value: "local"
+        - name: STORAGE_LOCAL_ROOTDIR
+          value: "/charts"
+        - name: PORT
+          value: "8080"
+        - name: AUTH_ANONYMOUS_GET
+          value: "false"
+        - name: HTPASSWD_PATH
+          value: "/data/htpasswd"
+        - name: AUTH_REALM
+          value: "Chart Museum"
+        - name: ALLOW_OVERWRITE
+          value: "true"
+        - name: DISABLE_API
+          value: "false"
+        - name: LOG_JSON
+          value: "true"
+        volumeMounts:
+        - name: artifactory-storage
+          mountPath: /data
+        livenessProbe:
+          httpGet:
+            path: /health
+            port: 8080
+          initialDelaySeconds: 30
+          periodSeconds: 10
+        readinessProbe:
+          httpGet:
+            path: /health
+            port: 8080
+          initialDelaySeconds: 5
+          periodSeconds: 5
+        resources:
+          requests:
+            memory: "128Mi"
+            cpu: "100m"
+          limits:
+            memory: "256Mi"
+            cpu: "200m"
+      volumes:
+      - name: artifactory-storage
+        persistentVolumeClaim:
+          claimName: artifactory-pvc
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: chartmuseum-service
+  labels:
+    app: chartmuseum
+spec:
+  type: ClusterIP
+  ports:
+  - port: 8080
+    targetPort: 8080
+    protocol: TCP
+  selector:
+    app: chartmuseum
+```
+
+## Complete Artifactory Setup
+
+### Full Docker Compose with All Services
+```yaml
+version: '3.8'
+
+services:
+  # Arti-API for management
+  arti-api:
+    build: .
+    container_name: arti-api
+    ports:
+      - "8000:8000"
+    volumes:
+      - artifactory_data:/data
+    environment:
+      - PYTHONUNBUFFERED=1
+    healthcheck:
+      test: ["CMD", "curl", "-f", "http://localhost:8000/health"]
+      interval: 30s
+      timeout: 10s
+      retries: 3
+    restart: unless-stopped
+
+  # Chart Museum with htpasswd authentication
+  chartmuseum:
+    image: chartmuseum/chartmuseum:latest
+    container_name: chartmuseum
+    environment:
+      - STORAGE=local
+      - STORAGE_LOCAL_ROOTDIR=/data/charts
+      - PORT=8080
+      - AUTH_ANONYMOUS_GET=false
+      - HTPASSWD_PATH=/data/htpasswd
+      - AUTH_REALM=Chart Museum
+      - ALLOW_OVERWRITE=true
+      - DISABLE_API=false
+      - LOG_JSON=true
+    ports:
+      - "8080:8080"
+    volumes:
+      - artifactory_data:/data
+    depends_on:
+      - arti-api
+    restart: unless-stopped
+    healthcheck:
+      test: ["CMD", "wget", "--quiet", "--tries=1", "--spider", "http://localhost:8080/health"]
+      interval: 30s
+      timeout: 10s
+      retries: 3
+
+  # Docker Registry with htpasswd authentication
+  registry:
+    image: registry:2
+    container_name: docker-registry
+    environment:
+      - REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY=/data/docker
+      - REGISTRY_AUTH=htpasswd
+      - REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm
+      - REGISTRY_AUTH_HTPASSWD_PATH=/data/htpasswd
+      - REGISTRY_HTTP_ADDR=0.0.0.0:5000
+    ports:
+      - "5000:5000"
+    volumes:
+      - artifactory_data:/data
+    depends_on:
+      - arti-api
+    restart: unless-stopped
+    healthcheck:
+      test: ["CMD", "wget", "--quiet", "--tries=1", "--spider", "http://localhost:5000/v2/"]
+      interval: 30s
+      timeout: 10s
+      retries: 3
+
+  # Nginx for Debian repository
+  nginx-debian:
+    image: nginx:alpine
+    container_name: nginx-debian
+    ports:
+      - "8081:80"
+    volumes:
+      - artifactory_data:/data
+      - ./nginx-debian.conf:/etc/nginx/conf.d/default.conf:ro
+    depends_on:
+      - arti-api
+    restart: unless-stopped
+    healthcheck:
+      test: ["CMD", "wget", "--quiet", "--tries=1", "--spider", "http://localhost/"]
+      interval: 30s
+      timeout: 10s
+      retries: 3
+
+volumes:
+  artifactory_data:
+    driver: local
+```
+
+## Authentication Management
+
+### Using Arti-API to manage users for Chart Museum
+
+```bash
+# Create a user that can access Chart Museum
+curl -X POST "http://localhost:8000/users" \
+     -H "Content-Type: application/json" \
+     -d '{"username": "chartuser", "password": "secure_password123"}'
+
+# List all users
+curl -X GET "http://localhost:8000/users"
+```
+
+### Test Chart Museum Authentication
+
+```bash
+# Without authentication (should fail)
+curl -X GET "http://localhost:8080/api/charts"
+
+# With authentication (should work)
+curl -u chartuser:secure_password123 -X GET "http://localhost:8080/api/charts"
+
+# Upload a chart with authentication
+curl -u chartuser:secure_password123 \
+     --data-binary "@mychart-0.1.0.tgz" \
+     "http://localhost:8080/api/charts"
+```
+
+### Helm Client Configuration
+
+```bash
+# Add the authenticated repository
+helm repo add myrepo http://chartuser:secure_password123@localhost:8080
+
+# Or use helm repo add with separate credentials
+helm repo add myrepo http://localhost:8080 \
+     --username chartuser \
+     --password secure_password123
+
+# Update and search
+helm repo update
+helm search repo myrepo
+```
+
+## Benefits of This Setup
+
+✅ **Unified Authentication**: Same htpasswd file for Docker Registry and Chart Museum
+✅ **Centralized User Management**: Use Arti-API to manage all users
+✅ **Secure**: bcrypt-hashed passwords
+✅ **Standard Compatible**: Works with standard Helm and Docker clients
+✅ **Scalable**: Can add more services using the same authentication
+✅ **API-Driven**: Programmatic user management through REST API
+
+## Security Notes
+
+- The htpasswd file is shared between all services
+- Users created through Arti-API work for both Docker Registry and Chart Museum
+- Consider using HTTPS in production
+- Regular password rotation is recommended
+- Monitor access logs for security auditing