Chapter 26. Validating Helm charts for certification


You can validate your Helm charts by using the chart-verifier CLI tool. Chart-verifier is a CLI based open source tool that runs a list of configurable checks to verify if your Helm charts have all the associated metadata and formatting required to meet the Red Hat Certification standards. It validates if the Helm charts are distribution ready and works seamlessly on the Red Hat OpenShift Container Platform and can be submitted as a certified Helm chart entry to the Red HatOpenShift Helm chart repository.

The tool also validates a Helm chart URL and provides a report in YAML format with human-readable descriptions in which each check has a positive or negative result. A negative result from a check indicates a problem with the chart, which needs correction. You can also customize the checks that you wish to execute during the verification process.

Note

Red Hat strongly recommends using the latest version of the chart-verifier tool to validate your Helm charts on your local test environment. This enables you to check the results on your own during the chart development cycle, preventing the need to submit the results to Red Hat every time.

Additional resources

For more information about the chart-verifier CLI tool, see chart-verifier.

26.1. Preparing the test environment

The first step towards certifying your product is setting up the environment where you can run the tests. To run the full set of chart-verifier tests, you require access to the Red Hat OpenShift cluster environment. You can install the chart-verifier tool and execute all the chart related tests in this environment. You can disable these tests by using several configurable command line options, but it is mandatory to run the tests for the certification to be approved by Red Hat.

Note

As an authorized Red Hat partner, you have free access to the Red Hat OpenShift Container Platform, and you can install a cluster in your own test environment using the Red Hat Partner Subscription (RHPS) program. To learn more about the benefits of software access as a part of the Red Hat Partner Connect program, see the program guide.

Procedure

  • Set up a test server with x86-64 based Red Hat Enterprise Linux system consisting of OpenShift command line interface (oc), Helm, and either Podman or the chart-verifier tool installed.
  • Install a fully managed cluster by using Red Hat Managed Services Openshift cluster. This is a trial option that is valid only for 60 days.
  • Alternatively, install a self-managed cluster on your cloud environment, datacenter or computer. By using this option you can use your partner subscriptions, also known as NFRs, for permanent deployments.

Additional resources

26.2. Running the Helm chart-verifier tool

The recommended directory structure for executing the chart-verifier tool is as follows:

.
└── src
    ├── Chart.yaml
    ├── README.md
    ├── templates
    │   ├── deployment.yaml
    │   ├── _helpers.tpl
    │   ├── hpa.yaml
    │   ├── ingress.yaml
    │   ├── NOTES.txt
    │   ├── serviceaccount.yaml
    │   ├── service.yaml
    │   └── tests
    │       └── test-connection.yaml
    ├── values.schema.json
    └── values.yaml

Prerequisites

  • A container engine in which Podman or Docker CLI is installed.
  • Internet connection to check that the images are Red Hat certified.
  • GitHub profile to submit the chart to the OpenShift Helm Charts Repository.
  • Red Hat OpenShift Container Platform cluster.
  • Before running the chart-verifier tool, package your Helm chart by using the following command:

    $ helm package <helmchart folder>

    This command will archive your Helm chart and convert it to a .tgz file format.

Procedure

You can run the full set of chart-verifier tool by using two methods:

26.2.1. By using Podman or Docker

  1. Run all the available checks for a chart available remotely using a universal resource identifier (uri), assuming that the kube config file is available at the location ${HOME}/.kube:

    $ podman run --rm -i                                  \
            -e KUBECONFIG=/.kube/config                   \
            -v "${HOME}/.kube":/.kube                     \
            "quay.io/redhat-certification/chart-verifier" \
            verify                                        \
            <chart-uri>

    In this command, chart-uri is the location of the chart archive available on the https uri. Ensure that the archive must be in .tgz format.

  2. Run all the available checks for a chart available locally on your system, assuming that the chart is available on the current directory and the kube config file is available at the location ${HOME}/.kube:

    $ podman run --rm                                     \
            -e KUBECONFIG=/.kube/config                   \
            -v "${HOME}/.kube":/.kube                     \
            -v $(pwd):/charts                             \
            "quay.io/redhat-certification/chart-verifier" \
            verify                                        \
            /charts/<chart>

    In this command, chart-uri is the location of the chart archive available in your local directory. Ensure that the archive must be in .tgz format.

  3. Run the following verify command to get the list of available options associated with the command along with its usage:

    $ podman run -it --rm quay.io/redhat-certification/chart-verifier verify --help

    The output of the command is similar to the following example:

    Verifies a Helm chart by checking some of its characteristics
    
    Usage:
      chart-verifier verify <chart-uri> [flags]
    
    Flags:
      -S, --chart-set strings           set values for the chart (can specify multiple or separate values with commas: key1=val1,key2=val2)
      -G, --chart-set-file strings      set values from respective files specified via the command line (can specify multiple or separate values with commas: key1=path1,key2=path2)
      -X, --chart-set-string strings    set STRING values for the chart (can specify multiple or separate values with commas: key1=val1,key2=val2)
      -F, --chart-values strings        specify values in a YAML file or a URL (can specify multiple)
          --debug                       enable verbose output
      -x, --disable strings             all checks will be enabled except the informed ones
      -e, --enable strings              only the informed checks will be enabled
          --helm-install-timeout duration   helm install timeout (default 5m0s)
      -h, --help                        help for verify
          --kube-apiserver string       the address and the port for the Kubernetes API server
          --kube-as-group stringArray   group to impersonate for the operation, this flag can be repeated to specify multiple groups.
          --kube-as-user string         username to impersonate for the operation
          --kube-ca-file string         the certificate authority file for the Kubernetes API server connection
          --kube-context string         name of the kubeconfig context to use
          --kube-token string           bearer token used for authentication
          --kubeconfig string           path to the kubeconfig file
      -n, --namespace string            namespace scope for this request
      -V, --openshift-version string    set the value of certifiedOpenShiftVersions in the report
      -o, --output string               the output format: default, json or yaml
      -k, --pgp-public-key string       file containing gpg public key of the key used to sign the chart
      -W, --web-catalog-only            set this to indicate that the distribution method is web catalog only (default: true)
          --registry-config string      path to the registry config file (default "/home/baiju/.config/helm/registry.json")
          --repository-cache string     path to the file containing cached repository indexes (default "/home/baiju/.cache/helm/repository")
          --repository-config string    path to the file containing repository names and URLs (default "/home/baiju/.config/helm/repositories.yaml")
      -s, --set strings                 overrides a configuration, e.g: dummy.ok=false
      -f, --set-values strings          specify application and check configuration values in a YAML file or a URL (can specify multiple)
      -E, --suppress-error-log          suppress the error log (default: written to ./chartverifier/verifier-<timestamp>.log)
          --timeout duration            time to wait for completion of chart install and test (default 30m0s)
      -w, --write-to-file               write report to ./chartverifier/report.yaml (default: stdout)
    Global Flags:
          --config string   config file (default is $HOME/.chart-verifier.yaml)
  4. Run a subset of the checks:

    $ podman run --rm -i                                  \
            -e KUBECONFIG=/.kube/config                   \
            -v "${HOME}/.kube":/.kube                     \
            "quay.io/redhat-certification/chart-verifier" \
            verify -enable images-are-certified,helm-lint      \
            <chart-uri>
  5. Run all the checks except a subset:

    $ podman run --rm -i                                  \
            -e KUBECONFIG=/.kube/config                   \
            -v "${HOME}/.kube":/.kube                     \
            "quay.io/redhat-certification/chart-verifier" \
            verify -disable images-are-certified,helm-lint      \
            <chart-uri>
    Note

    Running a subset of checks is intended to reduce the feedback loop for development. To certify your chart, you must run all the required checks.

  6. Provide chart-override values:

    $ podman run --rm -i                                  \
            -e KUBECONFIG=/.kube/config                   \
            -v "${HOME}/.kube":/.kube                     \
            "quay.io/redhat-certification/chart-verifier" \
            verify –chart-set default.port=8080                   \
            <chart-uri>
  7. Provide chart-override values from a file located in the current directory:

    $ podman run --rm -i                                  \
            -e KUBECONFIG=/.kube/config                   \
            -v "${HOME}/.kube":/.kube                     \
            -v $(pwd):/values                             \
            "quay.io/redhat-certification/chart-verifier" \
            verify –chart-values /values/overrides.yaml              \
            <chart-uri>

26.2.1.1. Configuring the timeout option

Increase the timeout value if the chart-testing process is delayed. By default, the chart-testing process takes about 30 minutes to complete.

$ podman run --rm -i                                  \
        -e KUBECONFIG=/.kube/config                   \
        -v "${HOME}/.kube":/.kube                     \
        -v $(pwd):/values                             \
        "quay.io/redhat-certification/chart-verifier" \
        verify --timeout 40m                          \
        <chart-uri>
Note

If you observe a delay in the chart-testing process, Red Hat recommends you to submit the report to the Red Hat certification team for verification.

26.2.1.2. Saving the report

When the chart-testing process is complete, the report messages are displayed by default. You can save the report by redirecting it to a file.

For example:

  $ podman run --rm -i                                  \
          -e KUBECONFIG=/.kube/config                   \
          -v "${HOME}/.kube":/.kube                     \
          "quay.io/redhat-certification/chart-verifier" \
          verify –enable images-are-certified,helm-lint      \
          <chart-uri> > report.yaml

Along with this command use the -w option to write the report directly to the file ./chartverifier/report.yaml. To get this file, you have to volume mount the file to /app/chartverifer.

For example:

  $ podman run --rm -i                                  \
          -e KUBECONFIG=/.kube/config                   \
          -v "${HOME}/.kube":/.kube                     \
          -v $(pwd)/chartverifier:/app/chartverifier    \
          -w                                            \
          "quay.io/redhat-certification/chart-verifier" \
          verify –enable images-are-certified,helm-lint      \
          <chart-uri>

If the file already exists, it is overwritten by the new report.

26.2.1.3. Configuring the error log

By default, an error log is generated and saved to the file ./chartverifier/verify-<timestamp>.yaml. It includes the error messages, the results of each check and additional information about chart testing. To get a copy of the error log you have to volume mount the file to /app/chartverifer.

For example:

 $ podman run --rm -i                                  \
          -e KUBECONFIG=/.kube/config                   \
          -v "${HOME}/.kube":/.kube                     \
          -v $(pwd)/chartverifier:/app/chartverifier    \
          "quay.io/redhat-certification/chart-verifier" \
          verify –enable images-are-certified,helm-lint      \
          <chart-uri> > report.yaml

If you want to store multiple logs to the same directory, you can store a maximum of 10 log files at a time. When the maximum file limit is reached, older log files are automatically replaced with the newer log files.

Use the -E or –suppress-error-log option to suppress the error log output.

Note

Error and warning messages are standard error output messages and are not suppressed by using the -E or –suppress-error-log option.

26.2.2. By using the binary file

Note

This method is applicable only for Linux systems.

  1. Download and install the latest chart-verifier binary from the releases page.
  2. Unzip the tarball binary by using the following command:

    $ tar zxvf <tarball>
  3. Run the following command on the unzipped directory to perform all the Helm chart checks :

    $ ./chart-verifier verify <chart-uri>

    In this command, chart-uri is the location of the chart archive available on your server. Ensure that the archive must be in .tgz format. By default, the chart-verifier tool assumes that the kube config file is available at the default location $HOME/.kube. Set the environment variable to KUBECONFIG if the file is not available at the default location.

    The output of the chart-verifier includes the details of the tests executed along with a result status for each test. It also indicates whether each test is mandatory or recommended for Red Hat certification. For more detailed information, see Types of Helm chart checks.

Additional resources

To know more about the chart-verifier tool, see Helm chart checks for Red Hat OpenShift certification.

Red Hat logoGithubRedditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

© 2024 Red Hat, Inc.