I'm working on configuring an air-gapped Kubernetes cluster where I already have all my manifests in a Git repository that gets deployed with FluxCD. Currently, I have multiple Helm releases in my cluster, and for this air-gapped setup, I've pushed all the Helm charts to GitLab. My goal is to make sure that all Helm repositories point to GitLab instead. While I could manually change the Helm repo manifests, that's not ideal since I don't want to have to re-deploy air-gapped clusters each time. Is there a method to patch some resources or make minimal changes to my manifests repository? I was considering patching the Helm repo, but I'm concerned that Flux will just reconcile it back to the original state. Any suggestions?
5 Answers
One approach is to render all your charts using a GitHub action or locally on your machine, so you won’t have to rely on Helm repos through FluxCD. Try using helmfile with the --out-dir-template flag and commit the rendered YAML files. This way, you can manage everything without worrying about Helm repo links.
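A sketch of the render-and-commit flow the answer above suggests, added here as an example and not taken from the answer: a `helmfile.yaml` that references the upstream repository only on the machine that renders, and a Flux `Kustomization` that applies the committed output from Git, so the cluster itself never needs a `HelmRepository` object. The repository URL, release name, namespace, chart version, paths and the `flux-system` GitRepository name are placeholders.

```yaml
# helmfile.yaml  (example; repository URL, names and version are placeholders)
# Rendered outside the air gap with:  helmfile template --output-dir rendered
# (helmfile also accepts --output-dir-template to control the directory layout;
#  check `helmfile template --help` for the exact template variables.)
repositories:
  - name: bitnami
    url: https://charts.bitnami.com/bitnami   # reached only where you render, never from the cluster
releases:
  - name: redis
    namespace: cache
    chart: bitnami/redis
    version: 19.0.0        # placeholder; pin an exact version so re-rendering is reproducible
    values:
      - values/redis.yaml  # placeholder values file
---
# clusters/airgap/rendered.yaml  (example)
# Commit ./rendered to the same Git repository and let Flux apply the plain manifests.
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: rendered-charts
  namespace: flux-system
spec:
  interval: 10m
  prune: true               # remove objects that disappear from the rendered output
  sourceRef:
    kind: GitRepository
    name: flux-system       # assumes the bootstrap GitRepository is named flux-system
  path: ./rendered
```

The trade-off is visibility: with rendered output in Git every change, including a chart bump, shows up as a reviewable diff, but the rendered tree and the `helmfile.yaml` that produced it must be regenerated together or they drift apart.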
You might want to use Kustomize overlays. Create a base configuration with your standard Helm repos, and then create an overlay specifically for air-gapped environments that changes the repo URLs to point to your GitLab instance.
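The overlay approach above, as an added example that is not part of the answer: the base declares the `HelmRepository` with its upstream URL, and the air-gapped overlay patches only `spec.url` (and adds credentials) to point at the GitLab Helm package registry. Because the object name does not change, every `HelmRelease` that references `sourceRef.name: bitnami` keeps working unmodified. The GitLab host, project id, Secret name and the `flux-system` GitRepository name are placeholders.

```yaml
# base/helmrepo.yaml  (example; URL and names are placeholders)
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
  name: bitnami
  namespace: flux-system
spec:
  interval: 1h
  url: https://charts.bitnami.com/bitnami
---
# base/kustomization.yaml
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - helmrepo.yaml
---
# overlays/airgap/kustomization.yaml
# Only the fields that differ in the air-gapped environment are patched.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ../../base
patches:
  - target:
      kind: HelmRepository
      name: bitnami
    patch: |-
      apiVersion: source.toolkit.fluxcd.io/v1
      kind: HelmRepository
      metadata:
        name: bitnami
      spec:
        # GitLab Helm package registry URL format; host and project id are placeholders
        url: https://gitlab.example.internal/api/v4/projects/42/packages/helm/stable
        secretRef:
          name: gitlab-helm-creds   # basic-auth Secret (username/password keys) created out of band
---
# clusters/airgap/helm-sources.yaml
# The air-gapped cluster's Flux Kustomization points at the overlay, not the base,
# so Flux reconciles the patched URL and will not revert it to upstream.
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: helm-sources
  namespace: flux-system
spec:
  interval: 10m
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system       # assumes the bootstrap GitRepository is named flux-system
  path: ./overlays/airgap
```

This also answers the reconciliation worry in the question: Flux only "patches back" objects that differ from what Git declares, so once the overlay is what Git declares for that cluster, the GitLab URL is the desired state. Keep the credentials Secret out of the repository (or encrypted with the SOPS or SealedSecrets integration your setup already uses); only its name goes in the manifest.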
Yes! We’ve had to do that when charts hardcoded image references. It’s worked well for us, but some open-source charts do present a challenge.
If you're dealing with an air-gapped cluster, make sure you have a plan for hosting your container images. Helm charts can also be pushed directly to compliant container registries. Every time I release code, I push both the image and the Helm chart, which means I don’t even need the Git repository available during deployment. You can also use tools like skopeo and crane for copying OCI artifacts between registries. Hope this helps!
Since you’re pushing artifacts to GitLab, why not push your Helm charts as OCI to GitLab and use that for all clusters? It would ensure that all your clusters are reproducible, even if the upstream repo goes away.
But how can they pull a Helm chart from GitLab if they're in an air-gapped environment?
Consider using OCI artifacts and setting up a local cache. You can configure a proxy in the OCI source for your Helm releases, making deployments easier in air-gapped setups.
Exactly! That setup can streamline things quite a bit.
That sounds solid! Plus, it's great because PRs will make version updates and value changes very transparent.
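The OCI route discussed in the answers above (pushing charts as OCI artifacts to the GitLab registry and pointing every cluster at it), as an added example rather than code from the thread: a `HelmRepository` of `type: oci` and a `HelmRelease` that consumes a chart from it, with the chart's image reference overridden to the mirrored copy. Registry host, paths, chart name, version range and Secret names are placeholders; the mirroring itself is done beforehand with `helm push` and `crane copy` or `skopeo copy`, as the answers note.

```yaml
# clusters/airgap/sources/gitlab-charts.yaml  (example; host and paths are placeholders)
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
  name: gitlab-charts
  namespace: flux-system
spec:
  type: oci                 # treat the URL as an OCI registry, not an index.yaml repo
  interval: 1h
  url: oci://registry.gitlab.example.internal/platform/charts
  secretRef:
    name: gitlab-registry-creds   # kubernetes.io/dockerconfigjson Secret, created out of band
---
# apps/podinfo/release.yaml  (example)
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: podinfo
  namespace: apps
spec:
  interval: 30m
  chart:
    spec:
      chart: podinfo        # resolves to oci://registry.gitlab.example.internal/platform/charts/podinfo
      version: "6.x"        # use an exact pin in practice; the range is only to show the field
      sourceRef:
        kind: HelmRepository
        name: gitlab-charts
        namespace: flux-system
      # Optional: reject charts whose OCI artifact is not signed with a key you trust.
      # Requires the chart to have been signed (e.g. with cosign) when it was pushed.
      verify:
        provider: cosign
        secretRef:
          name: cosign-public-keys   # Secret holding the public key(s); name is a placeholder
  values:
    image:
      # the chart's default image is upstream; point it at the copy mirrored into GitLab
      repository: registry.gitlab.example.internal/platform/mirror/stefanprodan/podinfo
```

Two checks worth doing before relying on this in an air gap: confirm the chart's own image references are all overridable through values (the earlier comment about charts hardcoding images is exactly where this breaks), and confirm `flux get sources helm` shows the OCI repository as ready with the credentials Secret in place, since a missing or wrong Secret fails silently until the first reconciliation.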