Chapter 29. Submitting your Helm chart for certification
After configuring and setting up your Helm chart component on Red Hat Partner Connect, submit your Helm charts for certification by creating a pull request to Red Hat's OpenShift Helm chart repository. In the pull request, you can include your chart, the report generated by the chart-verifier tool, or both. Based on the content of your pull request, the chart will be certified, and the chart-verifier will run if a report is not provided.
Prerequisites
Before creating a pull request, ensure that the following prerequisites are met:
Fork Red Hat's OpenShift Helm chart repository and clone it to your local system. Here, you can see a directory already created for your company under the partners directory.
Note: The directory name is the same as the container registry namespace that you set while certifying your containers.
Within your company's directory, there will be a subdirectory for each chart certification component you created in the previous step. To verify that this is set up correctly, review the OWNERS file. The OWNERS file is automatically created in your chart directory within your organization directory. It contains information about your component, including the GitHub users authorized to certify Helm charts on behalf of your company. You can locate the file at charts/partners/acme/awesome/OWNERS. If you want to edit the GitHub user details, navigate to the Settings page.
For example, if your organization name is acme and the chart name is awesome, the content of the OWNERS file is as follows:
    chart:
      name: awesome
      shortDescription: A Helm chart for Awesomeness
    publicPgpKey: null
    providerDelivery: False
    users:
      - githubUsername: <username-one>
      - githubUsername: <username-two>
    vendor:
      label: acme
      name: ACME Inc.
The name of the chart that you are submitting must match the value in the OWNERS file.
Before submitting the Helm chart source or the Helm chart verification report, create a directory with its version number. For example, if you are publishing the 0.1.0 version of the awesome chart, create a directory as follows:
    charts/partners/acme/awesome/0.1.0/
Note: For charts that represent a product supported by Red Hat, submit the pull request to the main branch with the OWNERS file located at the charts, redhat directory available in your organization directory. For example, for a Red Hat chart named awesome, submit your pull request to the main branch located at charts/redhat/redhat/awesome/OWNERS. Note that for Red Hat supported components, your organization name is also redhat.
Procedure
You can submit your Helm chart for certification by using three methods:
29.1. Submitting a Helm chart without the chart verification report
You can submit your Helm chart for certification without the chart verification report in two different formats:
29.1.1. Chart as a tarball
If you want to submit your Helm chart as a tarball, create the tarball with the helm package command and place it directly in the 0.1.0 directory.
For example, if your Helm chart is awesome for an organization acme:
    charts/partners/acme/awesome/0.1.0/awesome-0.1.0.tgz
    charts/partners/acme/awesome/0.1.0/awesome-0.1.0.tgz.prov
29.1.2. Chart in a directory
If you want to submit your Helm chart in a directory, place your Helm chart in a directory with the chart source.
If you have signed the chart, place the provenance file in the same directory. You can include a base64 encoded public key for the chart in the OWNERS file. When a base64 encoded public key is present, the key will be decoded and specified when the chart-verifier is used to create a report for the chart.
If the public key does not match the chart, the verifier report will include a check failure, and the pull request will end with an error.
If the public key matches the chart and there are no other failures, a release will be created, which will include the tarball, the provenance file, the public key file, and the generated report.
For example,
    awesome-0.1.0.tgz
    awesome-0.1.0.tgz.prov
    awesome-0.1.0.tgz.key
    report.yaml
If the OWNERS file does not include the public key, the chart verifier check is skipped and will not affect the outcome of the pull request. Further, the public key file will not be included in the release.
If the chart is a directory with the chart source, create a src directory to place the chart source.
For example, a path can be charts/partners/acme/awesome/0.1.0/src/
And the file structure can be
    .
    └── src
        ├── Chart.yaml
        ├── README.md
        ├── templates
        │   ├── deployment.yaml
        │   ├── _helpers.tpl
        │   ├── hpa.yaml
        │   ├── ingress.yaml
        │   ├── NOTES.txt
        │   ├── serviceaccount.yaml
        │   ├── service.yaml
        │   └── tests
        │       └── test-connection.yaml
        ├── values.schema.json
        └── values.yaml
29.2. Submitting a chart verification report without the Helm chart
Generate the report using the chart-verifier tool and save it with a file name report.yaml in the directory 0.1.0. You can submit two types of reports:
29.2.1. For submitting a signed report
Before submitting your report for certification, you can add a PGP public key to the chart verification report. Adding a PGP public key is optional. When you add it to your report, you can find your public key in the OWNERS file under your chart directory within your organization directory. The PGP public key is available in the publicPgpKey attribute. The value of this attribute must follow ASCII armor format.
When submitting a chart verification report without the chart, you can sign your report and save the signature in ASCII armor format.
For example,
gpg --sign --armor --detach-sign --output report.yaml.asc report.yaml
You can see a warning message on the console if the signature verification fails.
29.2.2. For submitting a report for a signed chart
For submitting the chart verification report for a signed chart, when you provide a PGP public key to the chart verifier tool while generating the report, it includes a digest of the key along with the report.
Also, when you include a base64 encoded PGP public key in the OWNERS file, a check is made to confirm that the digest of the decoded key in the OWNERS file matches the key digest in the report.
When they do not match, the pull request fails. But if the key digest matches with the report and there are no other errors when processing the pull request, a release is generated containing the public key and the report.
For example,
    awesome-0.1.0.tgz.key
    report.yaml
A release is not generated if you have enabled the provider control delivery.
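The digest comparison described in this section can be reproduced locally before opening the pull request. The following Python is an added example, not part of the original documentation or of the chart-verifier tool; the function names are hypothetical, SHA-256 hex is an assumed digest format, and the report digest is passed in by the caller because the page does not name the report field that holds it.

```python
import base64
import binascii
import hashlib
import re

def owners_key_digest(owners_text, algorithm="sha256"):
    """Return the hex digest of the decoded publicPgpKey, or None if no key is set."""
    m = re.search(r"^publicPgpKey:[ \t]*(.*(?:\n[ \t]+\S.*)*)", owners_text, re.M)
    # Join a value folded over indented lines; drop YAML block markers and quotes.
    value = "".join(m.group(1).split()).lstrip("|>-").strip("'\"") if m else ""
    if value in ("", "null", "~"):
        return None
    try:
        # validate=True rejects stray characters instead of silently skipping them.
        key = base64.b64decode(value, validate=True)
    except binascii.Error as exc:
        raise ValueError("publicPgpKey is not valid base64") from exc
    # Assumption: the digest is taken over the decoded key bytes.
    return hashlib.new(algorithm, key).hexdigest()

def key_matches_report(owners_text, report_digest, algorithm="sha256"):
    """True or False for match or mismatch; None when OWNERS has no key to compare."""
    digest = owners_key_digest(owners_text, algorithm)
    if digest is None:
        return None
    return digest == report_digest.strip().lower()

if __name__ == "__main__":
    # Constructed key bytes and OWNERS content; not a real PGP key.
    key = b"constructed-public-key-bytes"
    owners = ("chart:\n  name: awesome\n"
              f"publicPgpKey: {base64.b64encode(key).decode()}\n")
    good = hashlib.sha256(key).hexdigest()
    print(key_matches_report(owners, good))
    print(key_matches_report(owners, "0" * 64))
```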
29.3. Submitting a chart verification report along with the Helm chart
You can also submit a chart along with the report. Follow the Submitting a Chart without Chart Verification Report procedure and place the source or tarball in the version number directory. Similarly, follow the steps in Submitting a Chart Verification Report without the Chart and place the report.yaml file in the same version number directory.
29.3.1. For submitting a signed report
You can sign the report and submit it for verification. You can see a warning message on the console if the signature verification fails. For more information, see the 'For submitting a signed report' section of Submitting a Chart Verification Report without the Chart.
29.3.2. For submitting a signed Helm chart
For a signed chart, you must include a tarball and a provenance file in addition to the report file. For more information, see the 'For submitting a report for a signed chart' section of Submitting a Chart Verification Report without the Chart.
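The file placement rules from sections 29.1 to 29.3 can be checked on your clone before you open the pull request. The following Python is an added example, not part of the original documentation or of Red Hat's tooling; the function name, the regex-based reading of OWNERS, and the sample tree are assumptions made for illustration.

```python
import re
import tempfile
from pathlib import Path

def check_submission(version_dir):
    """Check a version directory such as charts/partners/acme/awesome/0.1.0."""
    vdir = Path(version_dir)
    chart, version = vdir.parent.name, vdir.name
    findings = []

    # OWNERS sits in the chart directory; its chart name must match the chart.
    owners = vdir.parent / "OWNERS"
    text = owners.read_text() if owners.is_file() else ""
    name = re.search(r"^chart:[ \t]*\n(?:[ \t]+.*\n)*?[ \t]+name:[ \t]*(\S+)", text, re.M)
    if not name:
        findings.append("ERROR: OWNERS missing or has no chart name")
    elif name.group(1) != chart:
        findings.append(f"ERROR: OWNERS chart name {name.group(1)} does not match {chart}")
    has_key = re.search(r"^publicPgpKey:[ \t]*(?!null\b)\S", text, re.M) is not None

    tgz = vdir / f"{chart}-{version}.tgz"
    prov = vdir / f"{chart}-{version}.tgz.prov"
    has_chart = tgz.is_file() or (vdir / "src" / "Chart.yaml").is_file()
    has_report = (vdir / "report.yaml").is_file()

    if prov.is_file() and not tgz.is_file():
        findings.append("ERROR: provenance file present without the chart tarball")
    if prov.is_file() and not has_key:
        findings.append("NOTE: no publicPgpKey in OWNERS, signature check is skipped")
    if (vdir / "report.yaml.asc").is_file() and not has_report:
        findings.append("ERROR: report.yaml.asc present without report.yaml")
    if not (has_chart or has_report):
        findings.append("ERROR: neither a chart nor report.yaml found")

    scenario = {(True, False): "chart only", (False, True): "report only",
                (True, True): "chart and report"}.get((has_chart, has_report), "empty")
    return scenario, findings

if __name__ == "__main__":
    # Constructed sample tree mirroring the acme/awesome example.
    with tempfile.TemporaryDirectory() as root:
        vdir = Path(root, "charts/partners/acme/awesome/0.1.0")
        vdir.mkdir(parents=True)
        (vdir.parent / "OWNERS").write_text("chart:\n  name: awesome\npublicPgpKey: null\n")
        (vdir / "awesome-0.1.0.tgz.prov").write_text("constructed placeholder\n")
        (vdir / "report.yaml").write_text("constructed placeholder\n")
        print(check_submission(vdir))
```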
29.4. Summary of certification submission options
The following table summarizes the scenarios for submitting your Helm charts for certification, depending on how you want to access your chart and whether the chart tests have dependencies on your local environment.
Objective | Include Helm chart | Include chart verification report | Red Hat certification outcome | Methods to publish your certified Helm chart |
---|---|---|---|---|
If you want to perform the following actions: | Yes | No | The chart-verifier tool is executed in the Red Hat CI environment to ensure compliance. | Your customers can download the certified Helm charts from |
If you want to perform the following actions: | Yes | Yes | The Red Hat certification team reviews the results to ensure compliance. | Your customers can download the certified Helm charts from |
If you don’t want to store your certified charts at | No | Yes | The Red Hat certification team reviews the results to ensure compliance. | Your customers can download the certified Helm chart from your designated Helm chart repository. A corresponding entry is added to the |
29.5. Verification Steps
After submitting the pull request, it will take a few minutes to run all the checks and merge the pull request automatically. Perform the following steps after submitting your pull request:
- Check for any messages in the new pull request.
- If you see an error message, see Troubleshooting Pull Request Failures. Update the pull request accordingly with necessary changes to rectify the issue.
- If you see a success message, it indicates that the chart repository index is updated successfully. You can verify it by checking the latest commit in the gh-pages branch. The commit message is in this format:
  <partner-label>-<chart-name>-<version-number> index.yaml (#<PR-number>) (e.g., acme-psql-service-0.1.1 index.yaml (#7)).
  You can see your chart related changes in the index.yaml file.
- If you have submitted a chart source, a GitHub release with the chart and corresponding report is available on the GitHub releases page. The release tag is in this format:
  <partner-label>-<chart-name>-<version-number> (e.g., acme-psql-service-0.1.1).
- You can find the certified Helm charts on Red Hat's official Helm chart repository. Follow the instructions listed here to install the certified Helm chart on your OpenShift cluster.