Chapter 26. Validating Helm charts for certification
You can validate your Helm charts by using the chart-verifier CLI tool. Chart-verifier is a CLI based open source tool that runs a list of configurable checks to verify if your Helm charts have all the associated metadata and formatting required to meet the Red Hat Certification standards. It validates if the Helm charts are distribution ready and works seamlessly on the Red Hat OpenShift Container Platform and can be submitted as a certified Helm chart entry to the Red HatOpenShift Helm chart repository.
The tool also validates a Helm chart URL and provides a report in YAML format with human-readable descriptions in which each check has a positive or negative result. A negative result from a check indicates a problem with the chart, which needs correction. You can also customize the checks that you wish to execute during the verification process.
Red Hat strongly recommends using the latest version of the chart-verifier tool to validate your Helm charts on your local test environment. This enables you to check the results on your own during the chart development cycle, preventing the need to submit the results to Red Hat every time.
Additional resources
For more information about the chart-verifier CLI tool, see chart-verifier.
26.1. Preparing the test environment
The first step towards certifying your product is setting up the environment where you can run the tests. To run the full set of chart-verifier tests, you require access to the Red Hat OpenShift cluster environment. You can install the chart-verifier tool and execute all the chart related tests in this environment. You can disable these tests by using several configurable command line options, but it is mandatory to run the tests for the certification to be approved by Red Hat.
As an authorized Red Hat partner, you have free access to the Red Hat OpenShift Container Platform, and you can install a cluster in your own test environment using the Red Hat Partner Subscription (RHPS) program. To learn more about the benefits of software access as a part of the Red Hat Partner Connect program, see the program guide.
Procedure
- Set up a test server with x86-64 based Red Hat Enterprise Linux system consisting of OpenShift command line interface (oc), Helm, and either Podman or the chart-verifier tool installed.
- Install a fully managed cluster by using Red Hat Managed Services Openshift cluster. This is a trial option that is valid only for 60 days.
- Alternatively, install a self-managed cluster on your cloud environment, datacenter or computer. By using this option you can use your partner subscriptions, also known as NFRs, for permanent deployments.
Additional resources
- For more information on setting up your environment, see Try Red Hat OpenShift.
To know more about installing the cluster and configuring your helm charts, see:
26.2. Running the Helm chart-verifier tool
The recommended directory structure for executing the chart-verifier tool is as follows:
. └── src ├── Chart.yaml ├── README.md ├── templates │ ├── deployment.yaml │ ├── _helpers.tpl │ ├── hpa.yaml │ ├── ingress.yaml │ ├── NOTES.txt │ ├── serviceaccount.yaml │ ├── service.yaml │ └── tests │ └── test-connection.yaml ├── values.schema.json └── values.yaml
Prerequisites
- A container engine in which Podman or Docker CLI is installed.
- Internet connection to check that the images are Red Hat certified.
- GitHub profile to submit the chart to the OpenShift Helm Charts Repository.
- Red Hat OpenShift Container Platform cluster.
Before running the chart-verifier tool, package your Helm chart by using the following command:
$ helm package <helmchart folder>
This command will archive your Helm chart and convert it to a
.tgz
file format.
Procedure
You can run the full set of chart-verifier tool by using two methods:
26.2.1. By using Podman or Docker
Run all the available checks for a chart available remotely using a universal resource identifier (uri), assuming that the kube config file is available at the location
${HOME}/.kube:
$ podman run --rm -i \ -e KUBECONFIG=/.kube/config \ -v "${HOME}/.kube":/.kube \ "quay.io/redhat-certification/chart-verifier" \ verify \ <chart-uri>
In this command, chart-uri is the location of the chart archive available on the https uri. Ensure that the archive must be in
.tgz
format.Run all the available checks for a chart available locally on your system, assuming that the chart is available on the current directory and the kube config file is available at the location
${HOME}/.kube
:$ podman run --rm \ -e KUBECONFIG=/.kube/config \ -v "${HOME}/.kube":/.kube \ -v $(pwd):/charts \ "quay.io/redhat-certification/chart-verifier" \ verify \ /charts/<chart>
In this command, chart-uri is the location of the chart archive available in your local directory. Ensure that the archive must be in
.tgz
format.Run the following verify command to get the list of available options associated with the command along with its usage:
$ podman run -it --rm quay.io/redhat-certification/chart-verifier verify --help
The output of the command is similar to the following example:
Verifies a Helm chart by checking some of its characteristics Usage: chart-verifier verify <chart-uri> [flags] Flags: -S, --chart-set strings set values for the chart (can specify multiple or separate values with commas: key1=val1,key2=val2) -G, --chart-set-file strings set values from respective files specified via the command line (can specify multiple or separate values with commas: key1=path1,key2=path2) -X, --chart-set-string strings set STRING values for the chart (can specify multiple or separate values with commas: key1=val1,key2=val2) -F, --chart-values strings specify values in a YAML file or a URL (can specify multiple) --debug enable verbose output -x, --disable strings all checks will be enabled except the informed ones -e, --enable strings only the informed checks will be enabled --helm-install-timeout duration helm install timeout (default 5m0s) -h, --help help for verify --kube-apiserver string the address and the port for the Kubernetes API server --kube-as-group stringArray group to impersonate for the operation, this flag can be repeated to specify multiple groups. --kube-as-user string username to impersonate for the operation --kube-ca-file string the certificate authority file for the Kubernetes API server connection --kube-context string name of the kubeconfig context to use --kube-token string bearer token used for authentication --kubeconfig string path to the kubeconfig file -n, --namespace string namespace scope for this request -V, --openshift-version string set the value of certifiedOpenShiftVersions in the report -o, --output string the output format: default, json or yaml -k, --pgp-public-key string file containing gpg public key of the key used to sign the chart -W, --web-catalog-only set this to indicate that the distribution method is web catalog only (default: true) --registry-config string path to the registry config file (default "/home/baiju/.config/helm/registry.json") --repository-cache string path to the file containing cached repository indexes (default "/home/baiju/.cache/helm/repository") --repository-config string path to the file containing repository names and URLs (default "/home/baiju/.config/helm/repositories.yaml") -s, --set strings overrides a configuration, e.g: dummy.ok=false -f, --set-values strings specify application and check configuration values in a YAML file or a URL (can specify multiple) -E, --suppress-error-log suppress the error log (default: written to ./chartverifier/verifier-<timestamp>.log) --timeout duration time to wait for completion of chart install and test (default 30m0s) -w, --write-to-file write report to ./chartverifier/report.yaml (default: stdout) Global Flags: --config string config file (default is $HOME/.chart-verifier.yaml)
Run a subset of the checks:
$ podman run --rm -i \ -e KUBECONFIG=/.kube/config \ -v "${HOME}/.kube":/.kube \ "quay.io/redhat-certification/chart-verifier" \ verify -enable images-are-certified,helm-lint \ <chart-uri>
Run all the checks except a subset:
$ podman run --rm -i \ -e KUBECONFIG=/.kube/config \ -v "${HOME}/.kube":/.kube \ "quay.io/redhat-certification/chart-verifier" \ verify -disable images-are-certified,helm-lint \ <chart-uri>
NoteRunning a subset of checks is intended to reduce the feedback loop for development. To certify your chart, you must run all the required checks.
Provide chart-override values:
$ podman run --rm -i \ -e KUBECONFIG=/.kube/config \ -v "${HOME}/.kube":/.kube \ "quay.io/redhat-certification/chart-verifier" \ verify –chart-set default.port=8080 \ <chart-uri>
Provide chart-override values from a file located in the current directory:
$ podman run --rm -i \ -e KUBECONFIG=/.kube/config \ -v "${HOME}/.kube":/.kube \ -v $(pwd):/values \ "quay.io/redhat-certification/chart-verifier" \ verify –chart-values /values/overrides.yaml \ <chart-uri>
26.2.1.1. Configuring the timeout option
Increase the timeout value if the chart-testing process is delayed. By default, the chart-testing process takes about 30 minutes to complete.
$ podman run --rm -i \ -e KUBECONFIG=/.kube/config \ -v "${HOME}/.kube":/.kube \ -v $(pwd):/values \ "quay.io/redhat-certification/chart-verifier" \ verify --timeout 40m \ <chart-uri>
If you observe a delay in the chart-testing process, Red Hat recommends you to submit the report to the Red Hat certification team for verification.
26.2.1.2. Saving the report
When the chart-testing process is complete, the report messages are displayed by default. You can save the report by redirecting it to a file.
For example:
$ podman run --rm -i \ -e KUBECONFIG=/.kube/config \ -v "${HOME}/.kube":/.kube \ "quay.io/redhat-certification/chart-verifier" \ verify –enable images-are-certified,helm-lint \ <chart-uri> > report.yaml
Along with this command use the -w
option to write the report directly to the file ./chartverifier/report.yaml
. To get this file, you have to volume mount the file to /app/chartverifer
.
For example:
$ podman run --rm -i \ -e KUBECONFIG=/.kube/config \ -v "${HOME}/.kube":/.kube \ -v $(pwd)/chartverifier:/app/chartverifier \ -w \ "quay.io/redhat-certification/chart-verifier" \ verify –enable images-are-certified,helm-lint \ <chart-uri>
If the file already exists, it is overwritten by the new report.
26.2.1.3. Configuring the error log
By default, an error log is generated and saved to the file ./chartverifier/verify-<timestamp>.yaml
. It includes the error messages, the results of each check and additional information about chart testing. To get a copy of the error log you have to volume mount the file to /app/chartverifer
.
For example:
$ podman run --rm -i \ -e KUBECONFIG=/.kube/config \ -v "${HOME}/.kube":/.kube \ -v $(pwd)/chartverifier:/app/chartverifier \ "quay.io/redhat-certification/chart-verifier" \ verify –enable images-are-certified,helm-lint \ <chart-uri> > report.yaml
If you want to store multiple logs to the same directory, you can store a maximum of 10 log files at a time. When the maximum file limit is reached, older log files are automatically replaced with the newer log files.
Use the -E
or –suppress-error-log
option to suppress the error log output.
Error and warning messages are standard error output messages and are not suppressed by using the -E
or –suppress-error-log
option.
26.2.2. By using the binary file
This method is applicable only for Linux systems.
- Download and install the latest chart-verifier binary from the releases page.
Unzip the tarball binary by using the following command:
$ tar zxvf <tarball>
Run the following command on the unzipped directory to perform all the Helm chart checks :
$ ./chart-verifier verify <chart-uri>
In this command,
chart-uri
is the location of the chart archive available on your server. Ensure that the archive must be in.tgz
format. By default, the chart-verifier tool assumes that the kube config file is available at the default location$HOME/.kube
. Set the environment variable toKUBECONFIG
if the file is not available at the default location.The output of the chart-verifier includes the details of the tests executed along with a result status for each test. It also indicates whether each test is mandatory or recommended for Red Hat certification. For more detailed information, see Types of Helm chart checks.
Additional resources
To know more about the chart-verifier tool, see Helm chart checks for Red Hat OpenShift certification.