
Chart Fetcher

A lightweight Helm chart client that solves authentication problems in Kustomize-based GitOps workflows.

Overview

Chart Fetcher was born from a limitation I hit while scaling a Kustomize-based GitOps approach. Specifically, the problem of authenticated Helm registries.

The Problem

Scaling GitOps requires clear separation of concerns. You can't have your deployment manifests tightly coupled to specific tooling if you want portability.

Sure, you could use Argo CD's Application CRD to pull Helm charts directly. But that creates a hard dependency on Argo CD. While this has its use cases, I see it as an anti-pattern that limits flexibility.

I prefer a Kustomize-based approach using the built-in HelmChartInflationGenerator. It's cleaner and more portable. But there's a catch: it doesn't support authenticated Helm registries.

The Evolution

My first solution was something I called "ChartHost." It was a Kubernetes Deployment that pulled charts from Azure Storage. It worked, but it had problems:

  • Manual process to download and upload charts
  • Cloud-specific (Azure Storage dependency)
  • Not scalable across different environments

The Solution

Chart Fetcher takes a simpler approach. It's a lightweight client that:

  1. Pulls Helm charts based on a config file
  2. Stores them locally to a shared volume

That's it. Chart Fetcher doesn't serve the charts itself. To actually host them, you should deploy something I like to call a chart-proxy, which combines chart-fetcher with a webserver (like nginx) in a Kubernetes Deployment.

The result is an authenticating proxy for your Helm registries. You handle auth once at the chart-fetcher level (via environment variables), store the charts on a shared volume, and the webserver serves them without authentication. Everything downstream stays simple.

This is particularly useful in corporate environments with strict pull policies or in airgapped setups where you need controlled chart distribution.
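The chart-proxy layout described above, sketched as a single Deployment. This is an added illustration, not the example manifest from the Chart Fetcher repository: the fetcher image, the Secret and ConfigMap names, and the `/config` and `/charts` paths are placeholders or assumptions, and TLS for the `https://` endpoint is assumed to be terminated in front of the pod.

```yaml
# Added example (not from the Chart Fetcher repository).
# Placeholders/assumptions: fetcher image, Secret/ConfigMap names, mount paths.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: chart-proxy
spec:
  replicas: 1
  selector:
    matchLabels:
      app: chart-proxy
  template:
    metadata:
      labels:
        app: chart-proxy
    spec:
      containers:
        - name: chart-fetcher
          image: "<CHART_FETCHER_IMAGE>"        # placeholder, take it from the project's manifests
          envFrom:
            - secretRef:
                name: chart-fetcher-credentials # hypothetical Secret (e.g. synced by External Secrets Operator)
          volumeMounts:
            - name: fetcher-config
              mountPath: /config                # assumed config file location
              readOnly: true
            - name: charts
              mountPath: /charts                # assumed download directory (only writer)
        - name: webserver
          image: nginx:stable
          ports:
            - containerPort: 80
          # No registry credentials are exposed to this container.
          volumeMounts:
            - name: charts
              mountPath: /usr/share/nginx/html/charts
              readOnly: true                    # serves charts, cannot modify them
      volumes:
        - name: fetcher-config
          configMap:
            name: chart-fetcher-config          # hypothetical ConfigMap holding the chart list
        - name: charts
          emptyDir: {}                          # shared volume between the two containers
```

Because the webserver answers without authentication, the registry credentials stay confined to the chart-fetcher container, and the read-only mount keeps a compromised webserver from altering the charts it serves.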

Getting Started

IMPORTANT

Chart Fetcher isn't a full-featured Helm client. If that's what you need, check out Helmper instead.

The quickest way to get started is using the example deployment from the repository. It sets up a complete chart proxy (chart-fetcher + webserver) that serves Helm charts locally.

Basic Setup

  1. Deploy the chart-proxy using the example manifests
  2. Configure your chart sources in the config file
  3. Supply authentication credentials via environment variables, preferably using a secret management tool like External Secrets Operator or Sealed Secrets
  4. Point your HelmChartInflationGenerator at the local proxy, like this:
    apiVersion: kustomize.config.k8s.io/v1beta1
    kind: Kustomization
    helmCharts:
    - name: my-chart
      repo: https://chart-proxy.cluster.local/charts
      version: v0.0.1
      releaseName: my-release
      namespace: default
      includeCRDs: true

The proxy handles all the authentication complexity, so your Kustomize manifests stay clean and portable.

Integrate with Argo CD

When integrating with Argo CD, you may need to add the chart-proxy's CA certificate to your Argo CD ConfigMap if you're using self-signed certificates.

This allows Argo CD to trust the chart-proxy's HTTPS endpoint when pulling charts during sync operations.