To use all features of Artifactory Helm chart repositories, including resolution of Helm charts, you must use version 2.9.0 or above of the Helm client that supports basic authenticated access to Artifactory.
Before you can use your Helm client to resolve Helm charts from Artifactory, you need to configure it for authenticated access with your Artifactory user and password by adding the virtual Helm chart repository to be used for resolution as shown below:
helm repo add <REPO_KEY> http://<ARTIFACTORY_HOST>:<ARTIFACTORY_PORT>/artifactory/<REPO_KEY> --username <USERNAME> --password <PASSWORD> helm repo update
helm repo add helm-virtual http://10.1.16.114:32775/artifactory/helm-virtual --username admin --password password helm repo update
We recommend using an encrypted password instead of clear-text. For details, please refer to Centrally Secure Passwords.
The JFrog Helm Client was necessary for authenticated access to Artifactory before the Helm client supported basic authentication (before version 2.9.0).
If you are using the JFrog Helm Client, you need to configure it for authenticated access with your Artifactory user and password by adding the virtual Helm chart repository to be used for resolution as shown below:
helm repo add <REPO_KEY> http://<ARTIFACTORY_HOST>:<ARTIFACTORY_PORT>/artifactory/<REPO_KEY> <USERNAME> <PASSWORD> helm repo update
helm repo add helm-virtual http://10.1.16.114:32775/artifactory/helm-virtual admin password helm repo update
To enable calculation of Helm chart metadata, from the Administration module, select Repositories | Repositories | Local and set Helm to be the Package Type when you create your local repository.
You can create Helm remote repository to proxy and cache remote repositories or other Artifactory instances.
In order for Artifactory to properly cache Helm charts, resolve the charts only through a virtual repository.
Helm Charts requested by the Helm client frequently use external dependencies as defined in the
index.yaml file. These dependencies may, in turn, need additional dependencies. Therefore, when downloading a chart, you may not have full visibility into the full set of dependencies that your original chart needs (whether directly or transitively). As a result, you are at risk of downloading malicious dependencies from unknown external resources.
To manage this risk, and maintain the best practice of consuming external charts through Artifactory, you may specify a "safe" Allow List from which dependencies may be downloaded, cached in Artifactory, and configured to rewrite the dependencies so that the Helm client accesses dependencies through a remote repository as follows:
The fields under External Dependency Rewrite are connected to automatically rewriting external dependencies for Helm Charts that require them.
Enable Dependency Rewrite
|When selected, external dependencies are rewritten.|
Patterns Allow List
An Allow List of Ant-style path expressions that specify where external dependencies may be downloaded from. By default, this is set to
For example, if you limit the Patterns Allow List to https://github.com/**, the external dependencies will be cached in the "helm" remote repository, and only charts with a URL starting with https://github.com/ will be allowed to be cached.
For example, if you limit the Patterns Allow List to "github.com", the external dependencies will be cached in the "helm" remote repository, and only charts from
https://github.com/prometheus-community/helm-charts/ are allowed to be cached.
A Virtual Repository defined in Artifactory aggregates packages from both local and remote repositories.
This allows you to access both locally hosted Helm charts and remote proxied Helm charts repositories from a single URL defined for the virtual repository.
To define a virtual Helm chart repository, create a virtual repository, set the Package Type to be Helm, and select the underlying local and remote Helm repositories to include in the Basic settings tab.
This repository will be configured in the Helm client.
From Artifactory 7.24.1 (SaaS Version), you can explicitly state a specific aggregated local or remote repository to fetch from a virtual by assigning namespaces to local and remote repositories in Helm virtual repositories according to the following syntax.
By default, this feature is disabled but can be set when creating or updating a virtual Helm repository.
To support downloading files from multiple internal Artifactory URLs, you can create a list of URLs that are trusted by the repository.
By default, this feature is disabled but can be set for each aggregated remote repository separately.
The following example shows how to add the following configuration as an external dependency.
As a result, all the external URLs located in the
index.yaml file starting with the following pattern.
Will be replaced with the following syntax,
To resolve a Helm chart through Artifactory, use the following command:
helm install <REPO_KEY>/<CHART_NAME>
helm install helm-virtual/artifactory
Deploying Helm charts is done using cURL, Wget, JFrog CLI or any of the ways described in Deploying Artifacts.
To deploy Helm charts to a virtual Helm repository, make sure you have set the Default Deployment Repository.
Reindexing a Helm Chart repository
You can trigger an asynchronous reindexing of a local Helm chart repository either through the UI or using the REST API.
Through the UI, select your Helm chart repository in the Tree Browser and select Recalculate Index from the right-click menu, as shown below (requires Admin privileges).
To reindex a Helm chart repository through the REST API, please refer to Calculate Helm Chart Index.
Using the above REST API command or UI will reindex the
In the Tree Browsing, select your virtual Helm chart repository and drill down to find and select the package you want to inspect. The metadata is displayed in the Chart Info tab.
<iframe width="560" height="315" src="https://www.youtube.com/embed/QbTOQsQA_LE" frameborder="0" allowfullscreen></iframe>