Private Repositories
Overview
This guide explains how to use FluxCD to work with private Helm chart repositories.
- Helm charts can come from public or private sources
- Private Helm repos need authentication to access
- We'll set up a private repo using ChartMuseum
FluxCD supports private chart repositories by using basic authentication. This can be simulated using ChartMuseum and Docker.
Pre-requisites
Using ChartMuseum
ChartMuseum is an open source tool that can be used to host a private Helm repo using Docker.
- Create a Docker volume to store your charts. This ensures the charts stay intact even if the container restarts.
docker volume create chartmuseum-storage
- Run ChartMuseum using a Docker container:
docker run -d \
  --name chart-museum-helm-repo \
  -p 8080:8080 \
  -v chartmuseum-storage:/charts \
  -e STORAGE=local \
  -e STORAGE_LOCAL_ROOTDIR=/charts \
  -e ALLOW_OVERWRITE=true \
  -e AUTH_ENABLE=true \
  -e BASIC_AUTH_USER=chartuser \
  -e BASIC_AUTH_PASS=************* \
  -e DEBUG=true \
  --user 0:0 \
  ghcr.io/helm/chartmuseum:v0.14.0
The volume is mounted at /charts so that it matches STORAGE_LOCAL_ROOTDIR; mounted anywhere else, the charts would be written to the container's own filesystem instead of the volume.
Official website: Get ChartMuseum
- Verify it's running:
$ docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
117701a6fe26 ghcr.io/helm/chartmuseum:v0.14.0 "/chartmuseum" 27 seconds ago Up 26 seconds 0.0.0.0:8080->8080/tcp chart-museum-helm-repo
ff5adef26bf3 kindest/node:v1.29.2 "/usr/local/bin/entr…" 28 hours ago Up 28 hours 0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp, 127.0.0.1:33783->6443/tcp kind-control-plane
- Verify access with authentication:
curl -u chartuser:<your_password> http://localhost:8080/index.yaml
If it works, you should see:
apiVersion: v1
entries: {}
generated: "2025-05-17T18:29:46Z"
serverInfo: {}
Now we have a private chart repo running locally with basic auth.
Create the Helm Chart
Create a new Helm chart and upload it to the private repository.
Make sure you are in the user's home directory. You can also go to /tmp and run the command there.
helm create busybox
By default, a newly created Helm chart deploys Nginx. Modify it to use BusyBox instead of Nginx.
cd busybox
vi templates/deployment.yaml
Remove this:
## templates/deployment.yaml
          ports:
            - name: http
              containerPort: {{ .Values.service.port }}
              protocol: TCP
          {{- with .Values.livenessProbe }}
          livenessProbe:
            {{- toYaml . | nindent 12 }}
          {{- end }}
          {{- with .Values.readinessProbe }}
          readinessProbe:
            {{- toYaml . | nindent 12 }}
          {{- end }}
          {{- with .Values.resources }}
And then replace with this:
          command:
            - sleep
            - infinity
BusyBox doesn't auto-run, so adding the command section ensures the container is always running.
Next, update values.yaml to use the busybox image:
image:
  repository: busybox
  tag: latest
  pullPolicy: IfNotPresent
Package and Push
Package the chart first. The command below creates a gzipped tar archive named after the chart name and version.
helm package .
Next, push this artifact to the private Helm repository:
curl -u chartuser --data-binary "@busybox-0.1.0.tgz" http://localhost:8080/api/charts
If successful, it should return:
{"saved":true}
Now the chart is stored in the private repository.
Access the Private Repository
We need to confirm that Helm can access the repo before FluxCD does.
- Add the private repo to Helm:
helm repo add chart-museum-helm-repo --username chartuser http://localhost:8080
- Search the repo to confirm it works:
$ helm search repo busybox
NAME CHART VERSION APP VERSION DESCRIPTION
chart-museum-helm-repo/busybox 0.1.0 1.16.0 A Helm chart for Kubernetes
This confirms Helm can access and use the private chart. FluxCD will use the same endpoint and credentials.
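How those credentials and that endpoint are typically handed to FluxCD, as an added example that is not part of the original guide: a Secret holding the basic-auth pair, a HelmRepository that references it, and a HelmRelease for the busybox chart pushed above. The Secret name, the flux-system namespace, the 5m intervals and the repository address are assumptions; the API versions shown are the GA ones (Flux 2.3 and later).

```yaml
# Added example, not from the original guide. Values marked "assumed" are illustrative.
---
apiVersion: v1
kind: Secret
metadata:
  name: chartmuseum-basic-auth          # assumed name
  namespace: flux-system                # assumed namespace
type: Opaque
stringData:
  username: chartuser                   # BASIC_AUTH_USER from the docker run step
  password: <your_password>             # placeholder; create the Secret out of band or
                                        # encrypt it before it is committed to Git
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
  name: chart-museum-helm-repo
  namespace: flux-system
spec:
  interval: 5m                          # assumed: how often index.yaml is re-fetched
  # Assumed placeholder: inside a pod, "localhost" is the pod itself, so use an
  # address at which the cluster can reach the ChartMuseum container.
  # Basic auth over plain http exposes the credentials on the wire; that is
  # acceptable for this local simulation only.
  url: http://<address-reachable-from-cluster>:8080
  secretRef:
    name: chartmuseum-basic-auth        # source-controller reads username/password from here
---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: busybox
  namespace: flux-system
spec:
  interval: 5m
  chart:
    spec:
      chart: busybox                    # chart name as listed by `helm search repo`
      version: "0.1.0"                  # version pushed in the Package and Push step
      sourceRef:
        kind: HelmRepository
        name: chart-museum-helm-repo
```

If the Secret is missing or the password is wrong, the HelmRepository reports a failed fetch of index.yaml in its Ready condition, the same failure an unauthenticated curl against the repository returns.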