Chart Museum Configuration with htpasswd Authentication
Chart Museum supports htpasswd authentication using the same /data/htpasswd file managed by the Arti-API.
Chart Museum Configuration
Environment Variables
# Basic configuration
STORAGE=local
STORAGE_LOCAL_ROOTDIR=/charts
PORT=8080
# Authentication configuration
# Anonymous GET is switched off, so read requests need credentials as well as
# uploads. The setting only matters once an authentication method is active.
AUTH_ANONYMOUS_GET=false
# Option A: one static credential. "admin" / "password" are sample values;
# set a unique, strong password and supply it from a secret store rather than
# committing it. Use either this pair or the htpasswd file below, not both.
BASIC_AUTH_USER=admin
BASIC_AUTH_PASS=password
# OR use htpasswd file (recommended)
# NOTE(review): confirm that the ChartMuseum release you deploy actually reads
# HTPASSWD_PATH. An unrecognised environment variable is ignored, and with no
# working authentication method the repository would answer unauthenticated
# requests. Verify by sending a request without credentials and expecting it
# to be rejected.
HTPASSWD_PATH=/data/htpasswd
AUTH_REALM="Chart Museum"
Docker Compose Configuration
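# Single-service Compose file: ChartMuseum reading the htpasswd file that
# Arti-API maintains under /data. Nesting restored; values are unchanged.
version: '3.8'

services:
  chartmuseum:
    # NOTE(review): `latest` is a floating tag. Pin a release tag or an image
    # digest so the build that runs is the build that was reviewed.
    image: chartmuseum/chartmuseum:latest
    container_name: chartmuseum
    environment:
      # Storage configuration
      # NOTE(review): /charts is not on a mounted volume in this file, so
      # uploaded charts do not survive re-creation of the container.
      - STORAGE=local
      - STORAGE_LOCAL_ROOTDIR=/charts
      - PORT=8080
      # Authentication with htpasswd
      # NOTE(review): confirm the deployed ChartMuseum release honours
      # HTPASSWD_PATH; if it is ignored and no other auth method is set, the
      # repository is open. Test with a request that carries no credentials.
      - AUTH_ANONYMOUS_GET=false
      - HTPASSWD_PATH=/data/htpasswd
      - AUTH_REALM=Chart Museum
      # Optional: Allow chart overwrite
      # With overwrite on, any authenticated uploader can replace an already
      # published chart version; turn it off if versions must be immutable.
      - ALLOW_OVERWRITE=true
      # Optional: Enable API
      - DISABLE_API=false
      # Optional: Enable metrics
      - DISABLE_METRICS=false
      # Optional: Enable logging
      - LOG_JSON=true
      - DEBUG=false
    ports:
      # Published on every host interface over plain HTTP, so Basic
      # credentials cross the network unencrypted. For anything beyond local
      # testing, bind to loopback ("127.0.0.1:8080:8080") or put a
      # TLS-terminating proxy in front.
      - "8080:8080"
    volumes:
      # The whole host /data directory is mounted read-write. With the chart
      # root at /charts this container appears to need only read access to
      # /data/htpasswd; a read-only mount (":ro") would keep it from
      # modifying the shared credential file.
      - /data:/data  # Same volume as Arti-API
    restart: unless-stopped
    healthcheck:
      test: ["CMD", "wget", "--quiet", "--tries=1", "--spider", "http://localhost:8080/health"]
      interval: 30s
      timeout: 10s
      retries: 3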
Kubernetes Configuration
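# Deployment running a single ChartMuseum replica that authenticates against
# the htpasswd file on the shared PVC. Nesting restored; values are unchanged.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: chartmuseum
  labels:
    app: chartmuseum
spec:
  replicas: 1
  selector:
    matchLabels:
      app: chartmuseum
  template:
    metadata:
      labels:
        app: chartmuseum
    spec:
      containers:
        - name: chartmuseum
          # NOTE(review): `latest` is a floating tag. Pin a release tag or an
          # image digest so rollouts are reproducible.
          image: chartmuseum/chartmuseum:latest
          # NOTE(review): no securityContext is set. Consider running as
          # non-root with privilege escalation disabled once you have
          # confirmed the image works that way.
          ports:
            - containerPort: 8080
          env:
            - name: STORAGE
              value: "local"
            # NOTE(review): /charts is not backed by a volume in this
            # manifest, so uploaded charts are lost when the pod is replaced.
            - name: STORAGE_LOCAL_ROOTDIR
              value: "/charts"
            - name: PORT
              value: "8080"
            - name: AUTH_ANONYMOUS_GET
              value: "false"
            # NOTE(review): confirm the deployed ChartMuseum release honours
            # HTPASSWD_PATH; if it is ignored and no other auth method is
            # set, the repository answers unauthenticated requests.
            - name: HTPASSWD_PATH
              value: "/data/htpasswd"
            - name: AUTH_REALM
              value: "Chart Museum"
            # With overwrite on, any authenticated uploader can replace an
            # already published chart version.
            - name: ALLOW_OVERWRITE
              value: "true"
            - name: DISABLE_API
              value: "false"
            - name: LOG_JSON
              value: "true"
          volumeMounts:
            # The shared volume is mounted read-write. With the chart root at
            # /charts this container appears to need only read access to
            # /data/htpasswd, so `readOnly: true` is worth considering.
            - name: artifactory-storage
              mountPath: /data
          livenessProbe:
            httpGet:
              path: /health
              port: 8080
            initialDelaySeconds: 30
            periodSeconds: 10
          readinessProbe:
            httpGet:
              path: /health
              port: 8080
            initialDelaySeconds: 5
            periodSeconds: 5
          resources:
            requests:
              memory: "128Mi"
              cpu: "100m"
            limits:
              memory: "256Mi"
              cpu: "200m"
      volumes:
        - name: artifactory-storage
          persistentVolumeClaim:
            claimName: artifactory-pvc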
---
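# Cluster-internal Service in front of the chartmuseum pods (nesting restored).
# The port carries plain HTTP with Basic credentials; if it is ever exposed
# outside the cluster, terminate TLS in front of it.
apiVersion: v1
kind: Service
metadata:
  name: chartmuseum-service
  labels:
    app: chartmuseum
spec:
  type: ClusterIP
  ports:
    - port: 8080
      targetPort: 8080
      protocol: TCP
  selector:
    app: chartmuseum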
Complete Artifactory Setup
Full Docker Compose with All Services
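# Full stack: Arti-API plus three services that all mount the same
# artifactory_data volume, which holds /data/htpasswd as well as the stored
# artifacts. Nesting restored; values are unchanged.
version: '3.8'

services:
  # Arti-API for management
  arti-api:
    build: .
    container_name: arti-api
    ports:
      # NOTE(review): the user-management calls documented for this API carry
      # no credentials. If the API really accepts them unauthenticated,
      # anyone who can reach this port can create accounts valid for every
      # service sharing the htpasswd file. Bind to loopback
      # ("127.0.0.1:8000:8000") or restrict access to trusted hosts.
      - "8000:8000"
    volumes:
      - artifactory_data:/data
    environment:
      - PYTHONUNBUFFERED=1
    healthcheck:
      test: ["CMD", "curl", "-f", "http://localhost:8000/health"]
      interval: 30s
      timeout: 10s
      retries: 3
    restart: unless-stopped

  # Chart Museum with htpasswd authentication
  chartmuseum:
    # NOTE(review): `latest` is a floating tag; pin a release tag or digest.
    image: chartmuseum/chartmuseum:latest
    container_name: chartmuseum
    environment:
      - STORAGE=local
      - STORAGE_LOCAL_ROOTDIR=/data/charts
      - PORT=8080
      # NOTE(review): confirm the deployed ChartMuseum release honours
      # HTPASSWD_PATH; if it is ignored and no other auth method is set, the
      # repository is open. Test with a request that carries no credentials.
      - AUTH_ANONYMOUS_GET=false
      - HTPASSWD_PATH=/data/htpasswd
      - AUTH_REALM=Chart Museum
      # With overwrite on, any authenticated uploader can replace an already
      # published chart version.
      - ALLOW_OVERWRITE=true
      - DISABLE_API=false
      - LOG_JSON=true
    ports:
      # Plain HTTP on every host interface; Basic credentials are readable on
      # the wire unless TLS is terminated in front of this port.
      - "8080:8080"
    volumes:
      - artifactory_data:/data
    depends_on:
      - arti-api
    restart: unless-stopped
    healthcheck:
      test: ["CMD", "wget", "--quiet", "--tries=1", "--spider", "http://localhost:8080/health"]
      interval: 30s
      timeout: 10s
      retries: 3

  # Docker Registry with htpasswd authentication
  registry:
    image: registry:2
    container_name: docker-registry
    environment:
      - REGISTRY_STORAGE_FILESYSTEM_ROOTDIRECTORY=/data/docker
      - REGISTRY_AUTH=htpasswd
      - REGISTRY_AUTH_HTPASSWD_REALM=Registry Realm
      - REGISTRY_AUTH_HTPASSWD_PATH=/data/htpasswd
      - REGISTRY_HTTP_ADDR=0.0.0.0:5000
    ports:
      # Plain HTTP as well; the same TLS caveat applies to registry logins.
      - "5000:5000"
    volumes:
      - artifactory_data:/data
    depends_on:
      - arti-api
    restart: unless-stopped
    healthcheck:
      # NOTE(review): with REGISTRY_AUTH=htpasswd an unauthenticated request
      # to /v2/ is normally answered with 401, which wget reports as a
      # failure, so this check may mark a working registry unhealthy. Verify.
      test: ["CMD", "wget", "--quiet", "--tries=1", "--spider", "http://localhost:5000/v2/"]
      interval: 30s
      timeout: 10s
      retries: 3

  # Nginx for Debian repository
  nginx-debian:
    image: nginx:alpine
    container_name: nginx-debian
    ports:
      - "8081:80"
    volumes:
      # NOTE(review): this mounts the whole shared volume, htpasswd included,
      # read-write into the web server. nginx-debian.conf is not shown here;
      # make sure its root/alias cannot serve /data/htpasswd, and consider a
      # read-only mount (artifactory_data:/data:ro) if nginx only serves files.
      - artifactory_data:/data
      - ./nginx-debian.conf:/etc/nginx/conf.d/default.conf:ro
    depends_on:
      - arti-api
    restart: unless-stopped
    healthcheck:
      test: ["CMD", "wget", "--quiet", "--tries=1", "--spider", "http://localhost/"]
      interval: 30s
      timeout: 10s
      retries: 3

volumes:
  artifactory_data:
    driver: local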
Authentication Management
Using Arti-API to manage users for Chart Museum
# Register an account that Chart Museum will accept.
# "secure_password123" is a sample value. A password typed on the command line
# is kept in shell history and is visible in the process list while curl runs.
# NOTE(review): neither call below carries credentials. If Arti-API really
# accepts them unauthenticated, anyone who can reach port 8000 can add
# accounts that are valid on every service reading the shared htpasswd file,
# so limit that port to trusted hosts.
curl --request POST "http://localhost:8000/users" \
  --header "Content-Type: application/json" \
  --data '{"username": "chartuser", "password": "secure_password123"}'

# Show every account currently defined
curl --request GET "http://localhost:8000/users"
Test Chart Museum Authentication
# No credentials: the request should be rejected (expect HTTP 401). A normal
# chart listing here means authentication is not being enforced.
curl --request GET "http://localhost:8080/api/charts"

# Same request with the account's credentials: should succeed.
# Giving only the user name (--user chartuser) makes curl prompt for the
# password instead of leaving it in shell history.
curl --user chartuser:secure_password123 --request GET "http://localhost:8080/api/charts"

# Authenticated upload of a packaged chart
curl --user chartuser:secure_password123 \
  --data-binary "@mychart-0.1.0.tgz" \
  "http://localhost:8080/api/charts"
Helm Client Configuration
# Register the repository with the credentials embedded in the URL.
# The password then appears in shell history and in the repository URL that
# Helm saves locally.
helm repo add myrepo http://chartuser:secure_password123@localhost:8080

# Alternative to the command above: pass the credentials as separate flags.
# --password-stdin reads the password from standard input and keeps it off
# the command line.
helm repo add myrepo http://localhost:8080 --username chartuser --password secure_password123

# Refresh the local index, then search the repository
helm repo update
helm search repo myrepo
Benefits of This Setup
- ✅ Unified Authentication: Same htpasswd file for Docker Registry and Chart Museum
- ✅ Centralized User Management: Use Arti-API to manage all users
- ✅ Secure: bcrypt-hashed passwords
- ✅ Standard Compatible: Works with standard Helm and Docker clients
- ✅ Scalable: Can add more services using the same authentication
- ✅ API-Driven: Programmatic user management through REST API
Security Notes
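- The htpasswd file is shared between all services, so an account added to it, or a password leaked from it, is valid on every service that reads the file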
- Users created through Arti-API work for both Docker Registry and Chart Museum
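- Consider using HTTPS in production: HTTP Basic authentication sends the username and password with every request in an encoding that is trivially reversed, so over plain HTTP anyone on the network path can read them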
- Regular password rotation is recommended
- Monitor access logs for security auditing