Maison/arti-api/CHARTMUSEUM_AUTH.md

# Chart Museum Configuration with htpasswd Authentication

Chart Museum supports htpasswd authentication using the same `/data/htpasswd` file managed by the Arti-API.

## Chart Museum Configuration

### Environment Variables
```bash
# Basic configuration
STORAGE=local
STORAGE_LOCAL_ROOTDIR=/charts
PORT=8080

# Authentication configuration
AUTH_ANONYMOUS_GET=false
BASIC_AUTH_USER=admin
BASIC_AUTH_PASS=password

# OR use htpasswd file (recommended)
HTPASSWD_PATH=/data/htpasswd
AUTH_REALM="Chart Museum"
```

### Docker Compose Configuration
```yaml
version: '3.8'

services:
  chartmuseum:
    image: chartmuseum/chartmuseum:latest
    container_name: chartmuseum
    environment:
      # Storage configuration
      - STORAGE=local
      - STORAGE_LOCAL_ROOTDIR=/charts
      - PORT=8080
      
      # Authentication with htpasswd
      - AUTH_ANONYMOUS_GET=false
      - HTPASSWD_PATH=/data/htpasswd
      - AUTH_REALM=Chart Museum
      
      # Optional: Allow chart overwrite
      - ALLOW_OVERWRITE=true
      
      # Optional: Enable API
      - DISABLE_API=false
      
      # Optional: Enable metrics
      - DISABLE_METRICS=false
      
      # Optional: Enable logging
      - LOG_JSON=true
      - DEBUG=false
    ports:
      - "8080:8080"
    volumes:
      - /data:/data  # Same volume as Arti-API
    restart: unless-stopped
    healthcheck:
      test: ["CMD", "wget", "--quiet", "--tries=1", "--spider", "http://localhost:8080/health"]
      interval: 30s
      timeout: 10s
      retries: 3
```

### Kubernetes Configuration
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: chartmuseum
  labels:
    app: chartmuseum
spec:
  replicas: 1
  selector:
    matchLabels:
      app: chartmuseum
  template:
    metadata:
      labels:
        app: chartmuseum
    spec:
      containers:
      - name: chartmuseum
        image: chartmuseum/chartmuseum:latest
        ports:
        - containerPort: 8080
        env:
        - name: STORAGE
          value: "local"
        - name: STORAGE_LOCAL_ROOTDIR
          value: "/charts"
        - name: PORT
          value: "8080"
        - name: AUTH_ANONYMOUS_GET
          value: "false"
        - name: HTPASSWD_PATH
          value: "/data/htpasswd"
        - name: AUTH_REALM
          value: "Chart Museum"
        - name: ALLOW_OVERWRITE
          value: "true"
        - name: DISABLE_API
          value: "false"
        - name: LOG_JSON
          value: "true"
        volumeMounts:
        - name: artifactory-storage
          mountPath: /data
        livenessProbe:
          httpGet:
            path: /health
            port: 8080
          initialDelaySeconds: 30
          periodSeconds: 10
        readinessProbe:
          httpGet:
            path: /health
            port: 8080
          initialDelaySeconds: 5
          periodSeconds: 5
        resources:
          requests:
            memory: "128Mi"
            cpu: "100m"
          limits:
            memory: "256Mi"
            cpu: "200m"
      volumes:
      - name: artifactory-storage
        persistentVolumeClaim:
          claimName: artifactory-pvc
---
apiVersion: v1
kind: Service
metadata:
  name: chartmuseum-service
  labels:
    app: chartmuseum
spec:
  type: ClusterIP
  ports:
  - port: 8080
    targetPort: 8080
    protocol: TCP
  selector:
    app: chartmuseum
```

## Complete Artifactory Setup

### Full Docker Compose with All Services
```yaml
version: '3.8'

services:
  # Arti-API for management
  arti-api:
    build: .
    container_name: arti-api
    ports:
      - "8000:8000"
    volumes:
      - artifactory_data:/data
    environment:
      - PYTHONUNBUFFERED=1
    healthcheck:
      test: ["CMD", "curl", "-f", "http://localhost:8000/health"]
      interval: 30s
      timeout: 10s
      retries: 3
    restart: unless-stopped

  # Chart Museum with htpasswd authentication
  chartmuseum:
    image: chartmuseum/chartmuseum:latest
    container_name: chartmuseum
    environment:
      - STORAGE=local
      - STORAGE_LOCAL_ROOTDIR=/data/charts
      - PORT=8080
      - AUTH_ANONYMOUS_GET=false
      - HTPASSWD_PATH=/data/htpasswd
      - AUTH_REALM=Chart Museum
      - ALLOW_OVERWRITE=true
      - DISABLE_API=false
      - LOG_JSON=true
    ports:
      - "8080:8080"
    volumes:
      - artifactory_data:/data
    depends_on:
      - arti-api
    restart: unless-stopped
    healthcheck:
      test: ["CMD", "wget", "--quiet", "--tries=1", "--spider", "http://localhost:8080/health"]
      interval: 30s
      timeout: 10s
      retries: 3

  # Docker Registry with htpasswd authentication
  registry:
    image: registry:2
    container_name: docker-registry
    environment:
      - REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY=/data/docker
      - REGISTRY_AUTH=htpasswd
      - REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm
      - REGISTRY_AUTH_HTPASSWD_PATH=/data/htpasswd
      - REGISTRY_HTTP_ADDR=0.0.0.0:5000
    ports:
      - "5000:5000"
    volumes:
      - artifactory_data:/data
    depends_on:
      - arti-api
    restart: unless-stopped
    healthcheck:
      test: ["CMD", "wget", "--quiet", "--tries=1", "--spider", "http://localhost:5000/v2/"]
      interval: 30s
      timeout: 10s
      retries: 3

  # Nginx for Debian repository
  nginx-debian:
    image: nginx:alpine
    container_name: nginx-debian
    ports:
      - "8081:80"
    volumes:
      - artifactory_data:/data
      - ./nginx-debian.conf:/etc/nginx/conf.d/default.conf:ro
    depends_on:
      - arti-api
    restart: unless-stopped
    healthcheck:
      test: ["CMD", "wget", "--quiet", "--tries=1", "--spider", "http://localhost/"]
      interval: 30s
      timeout: 10s
      retries: 3

volumes:
  artifactory_data:
    driver: local
```

## Authentication Management

### Using Arti-API to manage users for Chart Museum

```bash
# Create a user that can access Chart Museum
curl -X POST "http://localhost:8000/users" \
     -H "Content-Type: application/json" \
     -d '{"username": "chartuser", "password": "secure_password123"}'

# List all users
curl -X GET "http://localhost:8000/users"
```

### Test Chart Museum Authentication

```bash
# Without authentication (should fail)
curl -X GET "http://localhost:8080/api/charts"

# With authentication (should work)
curl -u chartuser:secure_password123 -X GET "http://localhost:8080/api/charts"

# Upload a chart with authentication
curl -u chartuser:secure_password123 \
     --data-binary "@mychart-0.1.0.tgz" \
     "http://localhost:8080/api/charts"
```

### Helm Client Configuration

```bash
# Add the authenticated repository
helm repo add myrepo http://chartuser:secure_password123@localhost:8080

# Or use helm repo add with separate credentials
helm repo add myrepo http://localhost:8080 \
     --username chartuser \
     --password secure_password123

# Update and search
helm repo update
helm search repo myrepo
```

## Benefits of This Setup

✅ **Unified Authentication**: Same htpasswd file for Docker Registry and Chart Museum
✅ **Centralized User Management**: Use Arti-API to manage all users
✅ **Secure**: bcrypt-hashed passwords
✅ **Standard Compatible**: Works with standard Helm and Docker clients
✅ **Scalable**: Can add more services using the same authentication
✅ **API-Driven**: Programmatic user management through REST API

## Security Notes

- The htpasswd file is shared between all services
- Users created through Arti-API work for both Docker Registry and Chart Museum
- Consider using HTTPS in production
- Regular password rotation is recommended
- Monitor access logs for security auditing