Prerequisites

  • A technical IAM user with programmatic access only, used to push new Helm Charts to the repo, e.g. ci-user-accesskey
  • A new S3 bucket; this how-to uses my-helm-repo
  • awscli, helm, and the helm-s3 plugin

Get started

  • Create local awscli profiles so that the S3 bucket policy can be tested later on:
# default AWS user (enter AWS Access Key ID, Secret Access Key, region, ...)
aws configure
# CI user
aws configure --profile ci-user
  • Go to the AWS console > Amazon S3 > my-helm-repo and add the following bucket policy (adjust the account id and names as needed):
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowListObjects",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::101010101:root"
            },
            "Action": [
                "s3:GetBucketLocation",
                "s3:GetObject",
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::my-helm-repo",
                "arn:aws:s3:::my-helm-repo/*"
            ]
        },
        {
            "Sid": "AllowObjectsFetchAndCreate",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::101010101:user/ci-user-accesskey"
            },
            "Action": [
                "s3:GetBucketLocation",
                "s3:GetObject",
                "s3:ListBucket",
                "s3:ListBucketMultipartUploads",
                "s3:ListMultipartUploadParts",
                "s3:AbortMultipartUpload",
                "s3:PutObject"
            ],
            "Resource": [
                "arn:aws:s3:::my-helm-repo",
                "arn:aws:s3:::my-helm-repo/*"
            ]
        }
    ]
}
  • The idea here is to allow any IAM principal of the main account to read the repository’s charts, while only the continuous integration user is allowed to push new Helm Charts to the repo. Note that the account root principal in a bucket policy delegates to the account’s own IAM policies, so those principals still need matching s3 permissions on their side.
  • Initialize and add the Helm repo:
helm s3 init s3://my-helm-repo/charts
helm repo add my-helm-repo s3://my-helm-repo/charts
# List repos
helm repo list
  • Perform a first test to verify that access to the S3 bucket works as expected:
# Switch the awscli profile and list the bucket content as the CI user
export AWS_PROFILE=ci-user
aws s3 ls s3://my-helm-repo/charts/
# switch back to the default profile
unset AWS_PROFILE
  • Create and upload a test Helm chart:
helm create test-chart
rm -rf test-chart/templates/*.*
cat >test-chart/templates/configmap.yaml <<EOL
apiVersion: v1
kind: ConfigMap
metadata:
  name: test-chart-configmap
data:
  myvalue: "Hello World"
EOL
helm package ./test-chart
helm s3 push ./test-chart-0.1.0.tgz my-helm-repo
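
The bucket policy above and the aws s3 ls test only tell you what one profile can do against a live bucket. As an added example (not part of the original how-to), the script below embeds the same policy and evaluates it offline with a deliberately simplified model of IAM: explicit Allow statements only, no Deny, no Condition, and no identity-based policies (all assumptions of this example, not AWS behaviour in full). The account id 101010101, the bucket name and the user names are the placeholders from the post; the developer and outsider ARNs are constructed test principals. It confirms the intended split (account-wide read, CI-user-only write) and flags the usual mistakes (a wildcard principal, write access for anyone other than the CI user, resources outside the bucket) before the policy is pasted into the console.

```python
from fnmatch import fnmatchcase

# Placeholders taken from the how-to; replace with your own values.
ACCOUNT_ID = "101010101"
BUCKET = "my-helm-repo"
CI_USER_ARN = f"arn:aws:iam::{ACCOUNT_ID}:user/ci-user-accesskey"

# The bucket policy from the how-to, embedded so the script runs offline.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowListObjects",
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_ID}:root"},
            "Action": ["s3:GetBucketLocation", "s3:GetObject", "s3:ListBucket"],
            "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
        },
        {
            "Sid": "AllowObjectsFetchAndCreate",
            "Effect": "Allow",
            "Principal": {"AWS": CI_USER_ARN},
            "Action": ["s3:GetBucketLocation", "s3:GetObject", "s3:ListBucket",
                       "s3:ListBucketMultipartUploads", "s3:ListMultipartUploadParts",
                       "s3:AbortMultipartUpload", "s3:PutObject"],
            "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
        },
    ],
}


def _as_list(value):
    """IAM accepts a single string or a list in Principal/Action/Resource."""
    return value if isinstance(value, list) else [value]


def _aws_principals(statement):
    principal = statement.get("Principal", {})
    if principal == "*":
        return ["*"]
    return _as_list(principal.get("AWS", []))


def _principal_matches(statement, principal_arn):
    entries = _aws_principals(statement)
    if "*" in entries or principal_arn in entries:
        return True
    # "arn:aws:iam::<account>:root" in a bucket policy admits every IAM principal
    # of that account (each still subject to its own identity-based policy).
    account_id = principal_arn.split(":")[4]
    return f"arn:aws:iam::{account_id}:root" in entries


def _matches_any(value, patterns):
    # IAM wildcards (* and ?) map directly onto fnmatch-style globbing.
    return any(fnmatchcase(value, p) for p in patterns)


def is_allowed(policy, principal_arn, action, resource_arn):
    """Simplified evaluation: True if some Allow statement covers the request.
    Deny, Condition and identity-based policies are ignored (example assumption)."""
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        if not _principal_matches(st, principal_arn):
            continue
        if not _matches_any(action, _as_list(st["Action"])):
            continue
        if _matches_any(resource_arn, _as_list(st["Resource"])):
            return True
    return False


def audit(policy, expected_writer=CI_USER_ARN, bucket=BUCKET):
    """Return a list of findings; an empty list means the policy matches the intent."""
    findings = []
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", "<no Sid>")
        principals = _aws_principals(st)
        actions = _as_list(st["Action"])
        if "*" in principals:
            findings.append(f"{sid}: grants access to everyone (Principal *)")
        # Wildcard actions such as s3:* or s3:Put* are caught via pattern matching.
        if any(_matches_any(w, actions) for w in ("s3:PutObject", "s3:DeleteObject")):
            for p in principals:
                if p != expected_writer:
                    findings.append(f"{sid}: write access for unexpected principal {p}")
        for r in _as_list(st["Resource"]):
            if r != f"arn:aws:s3:::{bucket}" and not r.startswith(f"arn:aws:s3:::{bucket}/"):
                findings.append(f"{sid}: resource {r} is outside bucket {bucket}")
    return findings


if __name__ == "__main__":
    chart = f"arn:aws:s3:::{BUCKET}/charts/test-chart-0.1.0.tgz"
    for who in (CI_USER_ARN, f"arn:aws:iam::{ACCOUNT_ID}:user/developer"):
        for action in ("s3:GetObject", "s3:PutObject"):
            print(f"{who:60} {action:13} {is_allowed(BUCKET_POLICY, who, action, chart)}")
    print("findings:", audit(BUCKET_POLICY) or "none")
```

Run it as-is to print the access matrix and findings for the post’s policy; to check your own policy, replace BUCKET_POLICY with the JSON you intend to apply (json.load on the file works) and keep expected_writer pointing at your CI user.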

CI pipeline integration

  • Depending on the CI product being used (e.g. Jenkins, GitLab), add the following variables to your pipeline configuration so that they are passed into the build runner or build job as environment variables:
AWS_ACCESS_KEY_ID = "ci-user key id"
AWS_SECRET_ACCESS_KEY = "ci-user key"
AWS_DEFAULT_REGION = "s3 bucket region"
  • This way, as soon as a new Helm Chart is packaged and pushed to the repo, the AWS client driven by the helm-s3 plugin picks up these environment variables, i.e. the CI user’s credentials, from within the build runner