Private Helm Chart Repository on an Offshore VPS
A private Helm chart repository lets your team distribute Kubernetes manifests through the standard Helm tooling without publishing them to a public registry. Hosting a chart repo on an offshore VPS - whether via ChartMuseum, an OCI-compliant registry like Harbor, or a static file server - keeps your charts private and your deployment metadata off third-party platforms. AnubizHost VPS plans provide the bandwidth and root access needed for chart hosting and pull serving.
Why Run Your Own Helm Repository
Helm charts are how Kubernetes applications get packaged and distributed. The public Artifact Hub and the various per-vendor chart repos (Bitnami, Prometheus Community, ingress-nginx) cover most open-source software. But for your own applications - internal services, customer-specific deployments, proprietary middleware - you need a private place to publish charts.
Pushing private charts to a public repo is obviously a non-starter. Using GitHub Pages or a similar trick works, but it ties your chart distribution to your source hosting platform's terms of service and rate limits. A dedicated chart repo on an offshore VPS keeps the chart artifacts separate, gives you full control over retention and authentication, and avoids any SaaS coupling.
The Helm 3 model now supports OCI-compatible registries, which means any OCI-compliant container registry can also host Helm charts. If you already run Harbor or another OCI registry, you do not need a separate chart repo at all. For teams without an OCI registry, ChartMuseum is the simplest standalone option - a single Go binary that serves charts from a backend (local disk, S3, GCS, Azure Blob).
ChartMuseum vs Harbor vs Static Hosting
ChartMuseum is the simplest path. It is a single binary that supports basic auth or anonymous access and a storage backend of your choice. Run it as a systemd service on a 1 GB RAM VPS and it handles teams of any practical size. The drawbacks are no built-in vulnerability scanning, no RBAC beyond a single shared credential, and no UI.
Harbor is the all-in-one option. It already does container images, OCI artifacts, and Helm charts in one place with full RBAC, vulnerability scanning, and signing. If you run a self-hosted container registry anyway, just enable Harbor's chart repository feature and host charts in the same project as your images. The trade-off is the larger resource footprint (4 GB RAM minimum).
For really minimal setups, a static file server works. `helm package mychart/ && helm repo index .` produces a chart tarball and an `index.yaml` file. Serve those over HTTPS from any web server and point `helm repo add` at the URL. No authentication, no RBAC, but for fully internal use behind a VPN or with HTTP basic auth at the reverse proxy, this is the lowest-overhead option.
Install ChartMuseum on Ubuntu
On a fresh Ubuntu 22.04 VPS, download the ChartMuseum binary: `wget https://get.helm.sh/chartmuseum-v0.16.2-linux-amd64.tar.gz && tar xzf chartmuseum-*.tar.gz && mv linux-amd64/chartmuseum /usr/local/bin/ && chmod +x /usr/local/bin/chartmuseum`. Create a system user and data directory: `useradd -r chartmuseum && mkdir -p /var/lib/chartmuseum && chown chartmuseum:chartmuseum /var/lib/chartmuseum`.
Write a systemd unit at `/etc/systemd/system/chartmuseum.service` that runs `/usr/local/bin/chartmuseum --storage="local" --storage-local-rootdir="/var/lib/chartmuseum" --basic-auth-user=USER --basic-auth-pass=STRONG_PASSWORD --port=8080` as the chartmuseum user. Start: `systemctl daemon-reload && systemctl enable --now chartmuseum`.
Put Caddy or Nginx with TLS in front of port 8080. On your laptop, add the repo: `helm repo add private https://charts.yourdomain.tld --username USER --password STRONG_PASSWORD`. Package and push a chart: `helm package mychart/ && curl --data-binary "@mychart-0.1.0.tgz" -u USER:STRONG_PASSWORD https://charts.yourdomain.tld/api/charts`. Verify with `helm repo update && helm search repo private`. Install with `helm install myrelease private/mychart` from any cluster that can reach the chart repo.
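A unit file for the service described above, as an added example rather than the page's or ChartMuseum's own file: it passes the basic-auth credentials through an environment file instead of `ExecStart` flags, so the password does not show up in `ps` output or in the unit file, and it adds systemd sandboxing. The environment file path `/etc/chartmuseum/chartmuseum.env` is an assumption, as is running the TLS reverse proxy on the same VPS (the `IPAddress*` lines allow loopback traffic only).

```ini
# /etc/systemd/system/chartmuseum.service
# Added example. Assumed env file (root:root, mode 0600) at
# /etc/chartmuseum/chartmuseum.env containing two lines:
#   BASIC_AUTH_USER=USER
#   BASIC_AUTH_PASS=STRONG_PASSWORD
# ChartMuseum reads these variables in place of the
# --basic-auth-user / --basic-auth-pass flags.

[Unit]
Description=ChartMuseum Helm chart repository
After=network-online.target
Wants=network-online.target

[Service]
User=chartmuseum
Group=chartmuseum
EnvironmentFile=/etc/chartmuseum/chartmuseum.env
ExecStart=/usr/local/bin/chartmuseum --storage=local --storage-local-rootdir=/var/lib/chartmuseum --port=8080
Restart=on-failure

# Assumption: Caddy/Nginx runs on this VPS, so only loopback may reach :8080.
IPAddressDeny=any
IPAddressAllow=localhost

# Sandboxing: filesystem is read-only except for the chart store.
NoNewPrivileges=yes
ProtectSystem=strict
ReadWritePaths=/var/lib/chartmuseum
ProtectHome=yes
PrivateTmp=yes
PrivateDevices=yes
CapabilityBoundingSet=
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX

[Install]
WantedBy=multi-user.target
```

`systemd-analyze verify /etc/systemd/system/chartmuseum.service` checks the unit for syntax errors before the `daemon-reload` step.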