Managing Spin Apps with Helm¶
Build Your App, then Clean Up the Generated YAML¶
With Spin, we recommend creating your application by hand first. Create all the volumes and secrets and make sure your app works. Next, follow these guidelines for deploying your app with Helm:
-
Download the YAML files of the workloads in your app and put them in a
templates
directory. -
Also download the yaml files for every volume and tell Helm to not recreate them on every update by setting:
helm.sh/resource-policy: keep
-
Creating .yaml files for secrets is also possible if you have a vault-like store where you keep them
-
You can remove most of the kubernetes and rancher annotations with some notable exceptions:
-
field.cattle.io/creatorId
-
workload.user.cattle.io/workloadselector
-
You can now pull out any configuration values (for example, env vars, ports, endpoint urls, etc.) and place them in a
values.yaml
file. -
Ingresses are a bit of a black box. It seems that most annotations can be safely removed from the ingress definition, but the Rancher UI may have trouble displaying the ingress afterwards (the ingress will still work)
-
DNS propagation may take a while so you may want to keep ingresses from being recreated by setting
helm.sh/resource-policy: keep
(like for volumes) -
To connect the ingress to a service,
-
Specify backend service name and port in ingress spec (
spec.rules.http.paths.backend
) -
Expose the port in the backend service spec (
spec.containers.port
) -
You do not need any of the rancher-specific ingress annotations
-
-
Some users reported that workloads manually edited by NERSC staff become unmanageable by helm. The only way to recover is to perform a helm uninstall and then reinstall.
-
If you are missing the following in a workload that is pulling private images from your project registry, you will get a permissions error on startup when trying to pull the image:
imagePullSecrets: - name: registry-nersc
Deploying the Result to SPIN¶
You can deploy a helm chart via: helm install --set rancherUserId=$RANCHER_USERID <release-name> <chart dir>
or upgrade: helm upgrade --set rancherUserId=$RANCHER_USERID iris-test <release-name> <char dir>
where release-name
can be anything and chart dir
is the directory containing your helm chart (eg. ".").
You can either set the default namespace via kubectl
: kubectl config set-context --current --namespace=<your namespace>
or, specify it via the helm commands, such as: helm -n $NAMESPACE -f myvalues.yaml install --set rancherUserId=$RANCHER_USERID <release-name> <char dir>
where -n
will set the namespace and -f
the values file that has your environment-specific values to substitute in the templates.
Using Helm Charts from an OCI Registry¶
Container image registeries with OCI support can be used to store Helm charts. NERSC's image registry at registry.nersc.gov
is one of these registeries. Please refer to this page for getting access to the registry and best practices when using the registry.
To use Helm charts from NERSC's registry, follow these steps:
-
Authenticate with the Registry using the Helm CLI:
helm registry login registry.nersc.gov
. You will be prompted to enter your username and password. -
Push a Helm Chart to the Registry
-
Package your Helm chart into a
.tgz
file:helm package <chart-dir>
-
Push the packaged chart to the registry:
helm push <chart-name>.tgz oci://registry.nersc.gov/<project-name>
-
-
Pull a Helm Chart from the Registry:
helm pull oci://registry.nersc.gov/<project-name>/<chart-name> --version <chart-version>
-
Install a Helm Chart from the Registry:
helm install <release-name> oci://registry.nersc.gov/<project-name>/<chart-name> --version <chart-version>
. Replace<project-name>
,<chart-name>
, and<chart-version>
with the appropriate values for your chart.
Notes
- Ensure you have the necessary permissions to access the registry and the specified project.
- Use the
--set
or-f
options to customize values during installation as needed. - The
oci://
protocol is required for interacting with OCI-compliant Helm registries. - For more details, refer to the Helm OCI documentation.
Using Helm Charts from a ChartMuseum-based Repository¶
Deprecation of ChartMuseum in NERSC's registry
Starting from June 1, 2025, the ChartMuseum-based Helm Charts in NERSC's registry will no longer be accessible. They have been converted to OCI Helm Charts stored in their original projects using the same chart name. Please refer to the section above for usage instructions.
To use Helm charts from a ChartMuseum-based repository, follow these steps:
-
Add the ChartMuseum repository to Helm:
helm repo add <repo-name> https://<chartmuseum-url> [--username username] [--password-stdin]
. Replace<repo-name>
with a name for the repository and<chartmuseum-url>
with the URL of the ChartMuseum instance. If the repository is private, you may need to provide login info via the--username
and--password-std
options. -
Search for available charts in the repository:
helm search repo <repo-name>
-
Install a chart from the repository:
helm install <release-name> <repo-name>/<chart-name> --version <chart-version>
. Replace<release-name>
,<chart-name>
, and<chart-version>
with the desired values. -
Update the repository to fetch the latest charts:
helm repo update
Notes
- Ensure you have network access to the ChartMuseum instance.
- Use the
--set
or-f
options to customize values during installation as needed. - ChartMuseum-based repositories are considered deprecated in favor of OCI registries. Consider migrating to OCI if possible.
- For more details, refer to the Helm documentation.