content/manuals/dhi/how-to/helm.md
Docker Hardened Image (DHI) charts are Docker-provided Helm charts built from upstream sources, designed for compatibility with Docker Hardened Images. These charts are available as OCI artifacts within the DHI catalog on Docker Hub. For more details, see Docker Hardened Image charts.
DHI charts incorporate multiple layers of supply chain security that aren't present in upstream charts:
You can use a DHI chart like any other Helm chart stored in an OCI registry. When you have a Docker Hardened Images subscription, you can also customize DHI charts to reference customized images and mirrored repositories. The customized chart build pipeline ensures that your customizations are built securely, use the latest base charts, and include attestations.
To find a Docker Helm chart for DHI:
If you want to mirror to your own third-party registry, you can follow the instructions in Mirror a Docker Hardened Image repository for either the chart, the image, or both.
The same regctl tool that is used for mirroring container images can also be used for mirroring Helm charts, as Helm
charts are OCI artifacts.
For example:
```bash
regctl image copy \
  "${SRC_CHART_REPO}:${TAG}" \
  "${DEST_REG}/${DEST_CHART_REPO}:${TAG}" \
  --referrers \
  --referrers-src "${SRC_ATT_REPO}" \
  --referrers-tgt "${DEST_REG}/${DEST_CHART_REPO}" \
  --force-recursive
```
You need to create a Kubernetes secret for pulling images from dhi.io, Docker
Hub, or your own registry. This is necessary because Docker Hardened Image
repositories require authentication. If you mirror the images to your own
registry, you still need to create this secret if the registry requires
authentication.
For dhi.io or Docker Hub, create a personal access token
(PAT) using your Docker account or an
organization access token (OAT).
Ensure the token has at least read-only access to the Docker Hardened Image
repositories.
Create a secret in Kubernetes using the following command. Replace <your-secret-name>, <your-username>,
<your-access-token>, and <your-email> with your own values.
> [!NOTE]
> You need to create this secret in each Kubernetes namespace that uses a DHI. If you've mirrored your DHIs to another registry, replace
> dhi.io with your registry's hostname. Replace <your-username>, <your-access-token>, and <your-email> with your own values. <your-username> is your Docker ID if using a PAT, or your organization name if using an OAT. <your-secret-name> is a name you choose for the secret.
```console
$ kubectl create secret docker-registry <your-secret-name> \
  --docker-server=dhi.io \
  --docker-username=<your-username> \
  --docker-password=<your-access-token> \
  --docker-email=<your-email>
```
For example:
```console
$ kubectl create secret docker-registry dhi-pull-secret \
  --docker-server=dhi.io \
  --docker-username=docs \
  --docker-password=dckr_pat_12345 \
  --docker-email=<your-email>
```
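The command above writes a Secret of type `kubernetes.io/dockerconfigjson`. When you manage namespaces through GitOps, or need the same pull secret in several namespaces as the note requires, it helps to generate that manifest yourself. The following is an added example, not code from the Docker documentation: it builds the same Secret layout `kubectl` produces, once per namespace, and includes a check that the secret actually carries credentials for the host the chart's images are pulled from (dhi.io or your mirror). The registry host, namespaces and credentials are constructed placeholders.

```python
import base64
import json

def docker_config_json(server: str, username: str, password: str, email: str) -> str:
    """Produce the .dockerconfigjson payload kubectl writes: one entry per registry
    host, with the base64-encoded "username:token" pair in the "auth" field."""
    auth = base64.b64encode(f"{username}:{password}".encode()).decode()
    cfg = {"auths": {server: {"username": username, "password": password,
                              "email": email, "auth": auth}}}
    return json.dumps(cfg, separators=(",", ":"))

def pull_secret_manifest(name: str, namespace: str, server: str,
                         username: str, password: str, email: str) -> dict:
    """Equivalent of `kubectl create secret docker-registry` as a manifest."""
    cfg = docker_config_json(server, username, password, email)
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "type": "kubernetes.io/dockerconfigjson",
        "data": {".dockerconfigjson": base64.b64encode(cfg.encode()).decode()},
    }

def pull_secrets_for(namespaces, name, server, username, password, email):
    """One Secret per namespace that will run a DHI-based release."""
    return [pull_secret_manifest(name, ns, server, username, password, email)
            for ns in namespaces]

def decode_auths(manifest: dict) -> dict:
    """Decode the auths map back out of a dockerconfigjson Secret."""
    if manifest.get("type") != "kubernetes.io/dockerconfigjson":
        return {}
    raw = base64.b64decode(manifest["data"][".dockerconfigjson"])
    return json.loads(raw).get("auths", {})

def credentials_for(manifest: dict, server: str) -> str:
    """Return the decoded "username:token" for `server`, or "" if the secret
    has no entry for that host (e.g. it was created for dhi.io but the chart
    now points at a mirror)."""
    entry = decode_auths(manifest).get(server)
    return base64.b64decode(entry["auth"]).decode() if entry else ""

if __name__ == "__main__":
    # Constructed sample values; kubectl apply accepts JSON manifests as-is.
    for secret in pull_secrets_for(["team-a", "team-b"], "dhi-pull-secret",
                                   "dhi.io", "docs", "dckr_pat_12345",
                                   "docs@example.com"):
        print(json.dumps(secret))
```

Pipe the output into `kubectl apply -f -`; if `credentials_for(secret, "<your-mirror-host>")` is empty, the chart will fail to pull from that mirror even though the secret exists.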
To install a Helm chart from Docker Hardened Images:
Sign in to the registry using Helm:
```console
$ echo $ACCESS_TOKEN | helm registry login dhi.io --username <your-username> --password-stdin
```
Replace <your-username> and set $ACCESS_TOKEN.
Install the chart using helm install. Optionally, you can also use the --dry-run flag to test the installation without
actually installing anything.
```console
$ helm install <release-name> oci://dhi.io/<helm-chart-repository> --version <chart-version> \
  --set "imagePullSecrets[0].name=<your-secret-name>"
```
Replace <helm-chart-repository> and <chart-version> accordingly. If the
chart is in your own registry or another repository, replace
dhi.io/<helm-chart-repository> with your own location. Replace
<your-secret-name> with the name of the image pull secret created
from Create a Kubernetes secret for pulling images.
You can customize Docker Hardened Image Helm charts to reference customized images and mirrored repositories. For more details, see Customize Docker Hardened Images and charts.
You can verify Helm charts. For more details, see Verify Helm chart attestations.