Namespaces in ChartCenter are currently reserved on a first-come, first-serve basis. We are also considering enhanced options for chart inclusion, but the goal of this outline is to discuss namespacing issues.

Proposal Details:

• Naming conventions
• Guidelines for prohibited namespaces
• How to check ownership of the Helm repo to reserve the namespace?
• Will it be a manual process?

Discussion of Repos:

• We need to support adding charts from git repos from source
• User should be able to choose the name (which becomes the namespace) of the Helm repo name in ChartCenter
• That repo can include many git repositories that the user owns, so this becomes validation of the ownership
• Some users may not want to have their own repo, should we provide e.g. stable repo where they can put their charts?
• Charts must be versioned: e.g. github/bitbucket/gitlab release, we should not use the code from the master

Questions / Considerations:

• Do we allow maintainers to change a namespace?
• Issues with immutability
• Issues with ownership verification
• Issues with reserved namespaces

Should we support/endorse official namespaces?:

• Create a 2nd Tier Verification Process to verify organizational ownership
• Create criteria to make stability, security, and maintenance of official namespaces a focus
• Provide a badge on the ChartCenter UI to signify official namespaces from organizations

As posted over on the Helm Hub repository, we've found that a number of users have published 'alternate' versions of our Helm chart. This can cause confusion and potentially big issues around upgrade for end-users.

Full details can be found in helm/hub#402 😄

Wondering if there's any recourse to do the same here (although I appreciate/understand that you only pull these repos in because Helm Hub also pulls them in 😄)

Is your feature request related to a problem? Please describe.
Index of 3rd party repositories will help to identify desired chart easily.
e.g nginx-ingress chart maintained by Nginx vs Kubernetes Community

Describe the solution you'd like
Add index of repositories possibly with their remote URLs.

Issue to Discuss

We launched ChartCenter with vulnerability scanning from JFrog Xray and quickly realized that most charts have some components (and base layers inside containers) with vulnerabilities. These components are widely used and show up in many Helm chart dependencies.

Our goal is to work with Helm chart maintainers on creating safer charts moving forward. We’ve already had great discussions with partners on the value of seeing this information in one place, but they also had concerns about not having the correct level of control in mitigating issues - especially on the ChartCenter UI. We decided to build out a way for chart maintainers to provide “maintainer notes” and an overall “mitigation summary”. You can see how that works here.

Our next goal is to understand how to improve this feature. We’re considering creating a login experience where chart maintainers will have a dedicated portal on ChartCenter where they can login to and see a full list of vulnerabilities (high severity issues to low and unknown issues) and be able to tag CVE IDs inside the GUI to provide their notes. This feature is all about opening up the conversation between Helm chart users and Helm chart creators and making the community safer for all.

Proposal Details

Chart Maintainers should be able to:

• Visit ChartCenter and be able to Create a Username if you have a chart on the center
• Be able to login and see the full scan that JFrog Xray provides for public vulnerabilities
• Be able to see high, medium, low, and unknown severities using the CVSS v2 ratings
• Be able to tag CVE IDs in the UI and set a chart range
• Be able to tag CVE IDs in the UI and set an application range
• Be able to see statistics / graph view of security over time
• Should the authenticated login also be able to support chart/repo inclusion?
• The ability to toggle high severity issues on/off so there is time to mitigate.

Additional considerations

What would else would you like to see in an authenticated login experience regarding security and mitigation on ChartCenter?

At this moment, it is not possible to know what is the original Helm repository for charts without visiting the inclusion yaml files on GitHub.

It should be helpful if that information was available in the UI so users can easily reach out to the original content.

Currently, ChartCenter supports including new charts by making a pull request to a repos.yaml file and providing us the name, the source url of your repositories, and your name and email as the maintainer. The domain of this source url must match your email address so that we can verify that you are the owner of the repo and chart.

Proposal to Discuss:

The goal of this issue is to discuss standardization of the inclusion process. This should help ChartCenter and other chart repositories ingest HelmCharts in ways that support the community - and should be a shared exercise that other community members also use and endorse.

Details:

Moving forward, we hope to be able to support other ways to include charts in ChartCenter:

• Push from source (how is ownership verified)
• Login with GitHub and to authenticate ownership and push directly
• Login with Bitbucket and to authenticate ownership and push directly
• Login with GitLab and to authenticate ownership and push directly

Issues with Repos/Versioning

• Chart versioning isn’t standardized. We need standards to version new charts so we can find them in repos automatically
  Folder Path

See Issue with Reserving Namespaces

• Namespaces must be unique
• If we allow push from source, how do we keep namespace reservations safe from abuse? (We should allow organizations to reserve their namespaces)

Issues / Questions:

• If a chart fails validation - how should maintainers be informed?
• Checking ownership of the Helm repo may be different based on the different inclusion type we support.
• License and legal compliance - what licenses should we automatically clear and will they include language for redistribution?

Describe the bug
When downloading the index.yaml for a namespace (e.g. https://repo.chartcenter.io/jfrog/) the download URLs contain an additional "/empty".
For example: https://repo.chartcenter.io/empty/jfrog/artifactory-10.0.12.tgz

To Reproduce
Steps to reproduce the behavior:

1. Download any namespaced index.yaml (e.g. https://repo.chartcenter.io/jfrog/index.yaml)
2. check the download URLs (e.g. entries.artifactory[].urls)

Expected behavior
Get download URLs like
https://repo.chartcenter.io/jfrog/artifactory-oss-2.5.1.tgz
instead of
https://repo.chartcenter.io/empty/jfrog/artifactory-oss-2.5.1.tgz

Additional context
In my case i tried to deploy Artifactory with FluxCD. Flux needs namespaced repos referenced directly (e.g. https://repo.chartcenter.io/jfrog).
Referencing the main repository and using the namespace in the artifact doesn't work with flux (e.g. jfrog/artifactory-oss instead of artifactoy-oss).
So currently there is no way to deploy a helm chart from chartcenter.io with FluxCD.

When using chartcenter, the charts have an extra path element that is the original repo. This works fine for installation and fetching, but how do you use them as subcharts?

dependencies:
  - name: bitnami/rabbitmq
    version: 7.5.8
    repository: https://repo.chartcenter.io

When I try to use the above in a chart, I can run helm dependency update and it pulls down a file called rabbitmq-7.5.8.tgz but when you try to use the chart you get:

Error: found in Chart.yaml, but missing in charts/ directory: bitnami/rabbitmq

I'm assuming this is because of the extra path element. Is there some trick to make this work?