OpenShift Helm charts repository hosts Helm charts that are available by default with OpenShift. You can use this repository to submit the charts that need to be certified through a pull request. Once your pull request is merged, a CI/CD pipeline is created which publishes the chart in the gitHub release which is further reflected on the Helm charts repository index.
The submission process of a Helm chart for OpenShift Helm Repository and Certification has been documented on the OpenShift Helm Repository. Note the instructions mentioned on the repository before submitting a chart.
The following options are available for submitting a chart for Red Hat OpenShift certification:
Option | Description |
---|---|
Helm chart Tarball or the extracted Tarball | Submit your chart with the specific or the extracted tarball. Here the chart-verifier report is optional. |
Verification report only | Submit your chart-verifier report without the chart. |
Both verification report and the chart | Submit both the chart-verifier report and the chart by placing the source or tarball under the versioned directory. |
NOTE: A chart-verifier report is an integral part of the submission process. With the options that do not require a report, a report will be generated as part of the submission process.
NOTE: It is recommended when submitting a chart to submit chart source over a tarball.
NOTE: When submitting a Verification report only the report must be generated using the public url for the chart.
NOTE: When submitting a Verification report do not modify the report after it is generated by the chart verifier. The report includes a sha value which is used to check this requirement is met.
For more information on the submission process, see: OpenShift Helm Charts Repository documentation.
For troubleshooting report related submission failures see: Troubleshooting
There are three methods of distribution for certified helm charts.
- Publish your chart in the Red Hat Helm Chart repository
- Submissions should include either a chart or chart and report.
- Publish you chart in your own Helm Chart repository
- Submissions should be report only using a publicly available chart URL.
- Web catalog only
- This submission should be report only using a private chart URL.
For more information on the different Helm Chart Distribution methods, see: Creating a Helm Chart Certification Project
Web catalog only distribution method was previously described as provider delivery.
Generally chart submissions will be made available within the Helm Chart Catalog on successful certification. In the event that this case is undesirable, the provider should consider the web catalog only distribution method if they wish not to make the chart publicly available. With web catalog only distribution method, the provider of the chart controls access to the chart. This will impact report generation:
- The report must be generated using a tarball so that a package digest can be determined and included in the report.
- if a tarball is not used the report will fail to generate.
- The chart URL may be considered private to the provider so the chart URL is not included in the report.
Web catalog only distribution method is then based on the following conditions:
-
When generating the Verification report the
--web-catalog-only
flag is used. Example:$ podman run --rm -i \ -e KUBECONFIG=/.kube/config \ -v "${HOME}/.kube":/.kube:z \ "quay.io/redhat-certification/chart-verifier" \ verify --web-catalog-only \ <chart-uri>
This ensures that the webCatalogOnly annotation is set to the value True in the verification report.
-
The OWNERS file for the submitted chart in the openshift helm charts github repository includes a
providerDelivery
attribute which is set to the value True. Example:
chart:
name: mychart
shortDescription: Test chart for testing chart submission workflows.
publicPgpKey: null
providerDelivery: True
users:
- githubUsername: myusername
vendor:
label: redhat
name: Redhat
If these preceding conditions are met when the chart is submitted for certification, successful certification will not result in the chart being published in the OpenShift catalog.