
beluga-cloud/charts

🐳 Beluga Cloud - Personal Helm Charts repository




Description

This repository contains all the Helm charts that I use personally and that I maintain.
Why maintain these charts, you may ask? There are several reasons:

  • Some charts made by the community do not match how I expect Helm to be used.
    • For example, I don't want a sort of "generic engine" where every chart must use a common Helm library that handles everything, and we just need to configure the values.yaml (like TrueCharts or k8s-at-home).
      I can understand this choice given the number of charts that they maintain, but I found such charts really hard to edit and to audit, and it was hard to create a new chart.
  • I want to use this repository as a sandbox to test new features or to try new things, like signing the Helm charts, adding some security checks or a JSON schema.
  • I want to have a repository that I can trust, and that I can audit easily.
  • I want to improve my skills in writing and operating Helm charts.
  • Finally, it's fun for me to spend time trying to do my best to make the best charts possible (best... for me 😅).

Usage

helm repo add beluga-cloud https://beluga-cloud.github.io/charts
helm install my-release beluga-cloud/<chart>

The documentation for each chart is available in its charts/<chart>/README.md file or on artifacthub.io.

List of planned and available charts

  • actual - /charts/actual
    • Actual is a local-first personal finance tool. It is 100% free and open-source, written in NodeJS, it has a synchronization element so that all your changes can move between devices without any heavy lifting.
  • cert-manager-issuers - /charts/cert-manager-issuers
    • This chart is used to deploy the ClusterIssuer and Issuer resources used by the cert-manager to generate certificates.
  • help-dashboard - /charts/help-dashboard
    • Helm Dashboard is an open-source project which offers a UI-driven way to view the installed Helm charts, see their revision history and corresponding k8s resources.
  • jellyfin - /charts/jellyfin
    • Jellyfin is a free software media system that puts you in control of managing and streaming your media.

Contributing

Even though this is a personal repository, I am open to any suggestions, improvements or new ideas. So, if you want to contribute to this repository:

  • Start by reading the Contributing guide.
  • Learn how to set up your environment with the Development guide ... that I never wrote 😅.
  • Feel free to open an issue or a pull request.

Security

Beluga Cloud charts follow good security practices, but 100% security cannot be assured. Charts are provided "as is" without any warranty. Use at your own risk.

For more information and to report security issues, please refer to our security documentation.

Signatures and attestations

In order to ensure the integrity of the charts, all charts are signed with a GPG key. The public key is available at https://raw.githubusercontent.com/beluga-cloud/charts/main/charts/beluga-cloud.asc.

For example, if you want to verify the integrity of the beluga-cloud/jellyfin chart during the installation:

curl --silent https://raw.githubusercontent.com/beluga-cloud/charts/main/charts/beluga-cloud.asc | gpg --import
helm repo add beluga-cloud https://beluga-cloud.github.io/charts
helm install jellyfin beluga-cloud/jellyfin --verify

Like the Helm charts, all images are signed using cosign, and an SBOM and a vulnerability list are attached to each image as attestations.

# Verify the image signature (e.g. for the jellyfin image)
# The dots in the identity regexp are escaped so that each one matches only a literal "."
cosign verify \
  --certificate-identity-regexp '^https://github\.com/beluga-cloud/charts/\.github/workflows/.+?\.yaml@refs/heads/main$' \
  --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
  ghcr.io/beluga-cloud/jellyfin/jellyfin:v10.8.10

# Fetch the SBOM and the vulnerability list of the image
cosign verify-attestation \
  --certificate-identity-regexp '^https://github\.com/beluga-cloud/charts/\.github/workflows/.+?\.yaml@refs/heads/main$' \
  --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
  ghcr.io/beluga-cloud/jellyfin/jellyfin:v10.8.10-amd64-linux --type cyclonedx \
  | jq '.payload | @base64d | fromjson'
cosign verify-attestation \
  --certificate-identity-regexp '^https://github\.com/beluga-cloud/charts/\.github/workflows/.+?\.yaml@refs/heads/main$' \
  --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
  ghcr.io/beluga-cloud/jellyfin/jellyfin:v10.8.10-amd64-linux --type vuln \
  | jq '.payload | @base64d | fromjson'

NOTE: the vulnerability attestations are updated and pushed each Sunday and Wednesday at 09:32 UTC.
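
The following is an added example, not code from this repository: it consumes a line printed by a successful `cosign verify-attestation ... --type vuln`, decodes the payload as the jq filter above does, and flags an attestation that is older than the Sunday/Wednesday schedule allows. The function names, the 6 hour slack, the cosign vuln predicate layout (`metadata.scanFinishedOn`, `scanner.result`) and the Trivy report shape inside `scanner.result` are assumptions; the envelope is constructed sample data.

```python
import base64, json
from datetime import datetime, timedelta, timezone

VULN_PREDICATE = "https://cosign.sigstore.dev/attestation/vuln/v1"
# Scans run Sunday and Wednesday at 09:32 UTC, so the longest normal gap is
# Wednesday -> Sunday (4 days). The 6 h of slack for job duration is an assumption.
MAX_AGE = timedelta(days=4, hours=6)


def decode_statement(envelope_line: str) -> dict:
    """Decode one JSON line from `cosign verify-attestation` into its in-toto
    statement (the same step as jq '.payload | @base64d | fromjson')."""
    return json.loads(base64.b64decode(json.loads(envelope_line)["payload"]))


def assess(statement: dict, now: datetime) -> dict:
    """Check the predicate type and scan age, and count findings by severity."""
    if statement.get("predicateType") != VULN_PREDICATE:
        raise ValueError(f"unexpected predicateType: {statement.get('predicateType')!r}")
    predicate = statement["predicate"]
    finished = datetime.fromisoformat(
        predicate["metadata"]["scanFinishedOn"].replace("Z", "+00:00"))
    counts = {}
    # Assumption: scanner.result holds a Trivy JSON report.
    for result in (predicate["scanner"].get("result") or {}).get("Results") or []:
        for vuln in result.get("Vulnerabilities") or []:  # null when a target is clean
            counts[vuln["Severity"]] = counts.get(vuln["Severity"], 0) + 1
    age = now - finished
    return {"age": age, "stale": age > MAX_AGE, "severities": counts}


def sample_envelope() -> str:
    """Constructed sample envelope; not real cosign output for any image."""
    statement = {
        "_type": "https://in-toto.io/Statement/v0.1",
        "predicateType": VULN_PREDICATE,
        "predicate": {
            "scanner": {"result": {"Results": [
                {"Target": "constructed-os-layer", "Vulnerabilities": [
                    {"VulnerabilityID": "CVE-PLACEHOLDER-1", "Severity": "HIGH"},
                    {"VulnerabilityID": "CVE-PLACEHOLDER-2", "Severity": "LOW"}]},
                {"Target": "constructed-clean-layer", "Vulnerabilities": None}]}},
            "metadata": {"scanFinishedOn": "2023-05-14T09:34:10Z"}}}
    payload = base64.b64encode(json.dumps(statement).encode()).decode()
    return json.dumps({"payloadType": "application/vnd.in-toto+json", "payload": payload})


if __name__ == "__main__":
    print(assess(decode_statement(sample_envelope()), datetime(2023, 5, 19, 12, tzinfo=timezone.utc)))
```

This check only makes sense on output that cosign has already verified; it does not validate the signature itself.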

Vulnerability scanning

All images are scanned using Trivy and published on the GitHub vulnerability dashboard.

When possible, I will try to open an issue and/or a pull request to fix it. However, I cannot fix all issues on dependencies myself, so I will try to update the dependencies as soon as possible when a fix is published.

License

This repository is distributed under the Apache License 2.0.
