Kubernetes has revolutionized the way we deploy applications, but managing numerous Kubernetes resources for complex applications can quickly grow to become a heavy burden. That’s where Helm, the package manager for Kubernetes, comes in. However, as your deployments become more complex and approach production environments, vanilla Helm may not be enough. As with any production system, you need robust tooling to ensure that your Helm charts are clean, maintainable and secure.

In this article, I’ll cover the essential plugins and features that will step up your Helm deployments to a level of production quality. These tools will help you with validation, security, testing, documentation and more — providing everything you need to create reliable, repeatable deployments in your Kubernetes clusters.

TL;DR: Essential Tools for Production-Ready Helm Charts

1. Visualizing Changes with helm-diff

What is helm-diff?

Helm-diff is a plugin that shows a preview of what a helm upgrade would change, presented as a colored diff. This allows you to catch potential issues before they reach your cluster and provides visibility into exactly what’s changing in your deployments.

Key Benefits

  • Prevent Unexpected Changes: Visualize all changes before applying them to your cluster
  • Pre-Deployment Verification: Ensure your configuration updates will have the intended effect
  • Integration with CI/CD: Add verification steps in your pipeline to confirm expected changes
  • Support for Multiple Commands: Use with upgrade, rollback, and revision to compare different states

Getting Started with helm-diff

Installation is straightforward:

1

helm plugin install https://github.com/databus23/helm-diff

To see what changes a Helm upgrade would introduce:

1

helm diff upgrade my-release my-chart

For comparing specific releases or revisions:

1
2
3
4
5

# Compare two release revisions
helm diff revision my-release 2 3

# Preview changes before an upgrade with custom values
helm diff upgrade my-release my-chart --values custom-values.yaml

The plugin helps you catch configuration drift and avoid unintended side effects when updating applications, making it an indispensable tool for production environments.

2. Securing Secrets with helm-secrets

What is helm-secrets?

Helm-secrets is a plugin that helps securely manage sensitive information in your Helm deployments. It supports various backends including SOPS (Mozilla’s Secrets OPerationS) and vals, allowing you to store secrets in cloud providers like AWS Secrets Manager, Azure Key Vault, or HashiCorp Vault.

Key Benefits

  • Secure Secret Management: Keep sensitive data encrypted in your Git repositories
  • Multiple Backend Support: Use your preferred secret store, from cloud-native solutions to local encryption
  • Cloud Integration: Reference secrets directly from your cloud provider
  • GitOps Friendly: Works well with GitOps workflows, including ArgoCD integration

Getting Started with helm-secrets

Install the plugin:

1

helm plugin install https://github.com/jkroepke/helm-secrets

Create encrypted values files (example with SOPS backend):

1
2
3
4
5

# Encrypt your secrets file
helm secrets encrypt secrets.yaml

# Deploy using encrypted secrets
helm secrets install my-release my-chart -f values.yaml -f secrets.yaml

Using cloud provider secrets with vals:

1
2
3

# Deploy with AWS Secrets Manager integration
helm secrets --backend vals template my-chart --name-template my-release \
  --set password=ref+awsssm://path/to/secret?key=password

Helm-secrets ensures your sensitive data remains protected throughout your development and deployment processes, a critical requirement for production deployments.

3. Managing API Deprecations with helm-mapkubeapis

What is helm-mapkubeapis?

Helm-mapkubeapis is a plugin that updates Helm release metadata containing deprecated or removed Kubernetes APIs to use supported APIs. This is crucial when upgrading your Kubernetes cluster to a version that removes APIs used in your existing Helm releases.

Key Benefits

  • Kubernetes Upgrade Readiness: Ensure your Helm releases continue to work after cluster upgrades
  • Metadata Modernization: Update release data to use supported APIs without changing the deployed resources
  • No Reinstallation Required: Fix API issues without redeploying your applications
  • Supports Multiple Resources: Works with various resource types affected by API deprecations

Getting Started with helm-mapkubeapis

Install the plugin:

1

helm plugin install https://github.com/helm/helm-mapkubeapis

Map a release’s APIs to supported versions:

1
2
3
4
5
6
7
8

# Run mapkubeapis
helm mapkubeapis my-release

# Perform a dry run first
helm mapkubeapis my-release --dry-run

# Specify a custom mapping file
helm mapkubeapis my-release --mapfile custom-mapping.yaml

With Kubernetes constantly evolving, this plugin is essential for maintaining the health of long-running Helm deployments across cluster upgrades.

4. Testing Charts with Chart Testing (ct) and helm-unittest

What is Chart Testing (ct)?

Chart Testing (ct) is a tool designed for testing Helm charts. It’s particularly useful in CI environments and provides comprehensive testing capabilities including linting, installing, and testing Helm charts, and generating comprehensive reports.

Key Benefits

  • Comprehensive Testing: Performs linting, validation, installation, and chart testing
  • CI/CD Integration: Designed for seamless integration with CI platforms
  • Version Management: Detects and tests only changed charts
  • Multiple Cluster Support: Can test charts across different Kubernetes versions
  • Extensible: Supports custom validators and test hooks

Getting Started with Chart Testing

Install chart-testing:

1

brew install chart-testing

Create a ct.yaml configuration file:

1
2
3
4
5
6

chart-dirs:
  - charts
chart-repos:
  - bitnami=https://charts.bitnami.com/bitnami
helm-extra-args: --timeout 600s
debug: true

Run chart testing:

1
2
3
4
5
6
7
8

# Lint and validate charts
ct lint --config ct.yaml

# Install and test
ct install --config ct.yaml --namespace test

# Only test charts that have changed compared to the target branch
ct lint --config ct.yaml --target-branch main

5. Unit Testing with helm-unittest

Helm-unittest is a plugin that allows you to write and run unit tests for your Helm charts in YAML. It provides a way to validate chart templates locally without deploying to a cluster.

Key Benefits

  • Local Testing: Test charts without a Kubernetes cluster
  • Comprehensive Testing: Validate template rendering, values injection, and more
  • YAML-based Tests: Write tests in a familiar YAML format
  • CI/CD Integration: Easily incorporate into your continuous integration workflows

Getting Started with helm-unittest

Install the plugin:

1

helm plugin install https://github.com/helm-unittest/helm-unittest.git

Create a test file in charts/mychart/tests/:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16

suite: test deployment
templates:
  - deployment.yaml
tests:
  - it: should work
    set:
      image.tag: latest
    asserts:
      - isKind:
          of: Deployment
      - matchRegex:
          path: metadata.name
          pattern: -my-chart$
      - equal:
          path: spec.template.spec.containers[0].image
          value: nginx:latest

Run your tests:

1

helm unittest mychart

Unit testing your Helm charts ensures they behave as expected with different input values, critical for maintaining reliability in production deployments.

6. Documenting Charts with helm-docs

What is helm-docs?

Helm-docs automatically generates documentation from your Helm chart’s values.yaml file and other metadata, ensuring your chart documentation stays up-to-date with your code.

Key Benefits

  • Automated Documentation: Keep README files in sync with chart changes
  • Standardized Format: Ensure consistent documentation across all charts
  • Multiple Output Formats: Generate Markdown, AsciiDoc, or other formats
  • Template Customization: Define your own templates for specialized documentation

Getting Started with helm-docs

Install helm-docs:

1
2
3
4
5

# Using Homebrew
brew install norwoodj/tap/helm-docs

# Using Go
go install github.com/norwoodj/helm-docs/cmd/helm-docs@latest

Create a .helm-docs.yaml configuration:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14

template.gotemplate: |
  {{ define "chart.title" }}# {{ .Name }}{{ end }}

  {{ define "chart.description" }}{{ .Description }}{{ end }}

  {{ define "chart.values" }}
  ## Values

  | Key | Type | Default | Description |
  |-----|------|---------|-------------|
  {{- range .Values }}
  | {{ .Key }} | {{ .Type }} | {{ .Default }} | {{ .Description }} |
  {{- end }}
  {{ end }}

Generate documentation:

1
2
3
4
5

# Generate docs for all charts in the current directory
helm-docs

# Generate docs for a specific chart
helm-docs -c mychart

Having well-maintained documentation is essential for team collaboration and maintenance of production-grade Helm charts.

7. Cost Estimation with Infracost

What is Infracost?

While originally designed for Terraform, Infracost now supports analyzing Helm charts to provide cloud cost estimates before deployment. This helps you understand the financial implications of your Kubernetes infrastructure.

Key Benefits

  • Cost Awareness: Understand the cost implications of your deployments
  • Resource Optimization: Identify expensive components before deployment
  • Budget Planning: Project costs for new services and upgrades
  • Cloud Provider Comparison: Compare costs across different providers

Getting Started with Infracost

Install Infracost:

1
2

# Using Homebrew
brew install infracost

Initialize with your API key and scan a Helm chart:

1
2
3
4
5
6
7
8

# init the infracost CLI
infracost auth login

# Generate a cost estimate for a Helm chart
infracost breakdown --path . --format json --out-file infracost.json

# Generate an HTML report
infracost output --path infracost.json --format html --out-file infracost.html

Incorporating cost estimates into your Helm workflow helps maintain financial control while scaling your Kubernetes applications.

8. Declarative Management with Helmfile

What is Helmfile?

Helmfile is a declarative specification for deploying and managing multiple Helm charts. It lets you define your entire application stack in a single file or organized directory structure.

Key Benefits

  • Declarative Configuration: Define your entire stack in version-controlled files
  • Environment Management: Deploy to multiple environments with different values
  • Template Support: Use Go templating for dynamic values
  • Dependency Management: Handle relationships between different charts
  • Release Ordering: Control the sequence of deployments

Getting Started with Helmfile

Install Helmfile:

1
2
3
4
5

# Using Homebrew
brew install helmfile

# Using Go
go install github.com/helmfile/helmfile@latest

Create a helmfile.yaml:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25

repositories:
- name: prometheus-community
  url: https://prometheus-community.github.io/helm-charts

releases:
- name: prom-norbac-ubuntu
  namespace: prometheus
  chart: prometheus-community/prometheus
  set:
  - name: rbac.create
    value: false

- name: database
    namespace: backend
    chart: bitnami/postgresql
    values:
      - ./values/postgresql-values.yaml

- name: api
  namespace: backend
  chart: ./charts/api
  values:
    - ./values/api-values.yaml
  needs:
    - backend/database

Apply your configuration:

1
2
3
4
5
6
7
8

# Sync your Kubernetes cluster state to the desired one
helmfile apply

# Sync all releases in helmfile
helmfile sync

# Apply changes to a specific environment
helmfile -e production sync

Helmfile brings GitOps best practices to your Helm deployments, making it easier to manage complex applications across multiple environments.

9. Security Scanning with Trivy

What is Trivy for Helm?

Trivy is a comprehensive security scanner that can analyze Helm charts for vulnerabilities and misconfigurations. It identifies security issues before deployment, helping you maintain a strong security posture in your Kubernetes environments.

Key Benefits

  • Comprehensive Security Scanning: Detects vulnerabilities and misconfigurations in Helm charts
  • Built-in Policies: Includes security policies based on industry best practices
  • Custom Policy Support: Define your own security policies with Rego
  • CI/CD Integration: Seamlessly integrates with popular CI/CD platforms
  • Wide Detection Scope: Scans for issues in templates, values, and container images referenced in charts

Getting Started with Trivy

Install Trivy:

1

brew install trivy

Scan a Helm chart:

1
2
3
4
5
6
7
8

# Basic Helm chart scan
trivy config --scanners config ./my-chart

# Scan with rendered templates
trivy config --scanners config <(helm template ./my-chart)

# Generate a report
trivy config --format json --output trivy-results.json ./my-chart

By incorporating Trivy into your Helm workflow, you can catch security issues early in the development lifecycle, reducing the risk of deploying vulnerable applications to production.

Conclusion

In this article, we’ve explored the essential plugins and features that can transform your Helm deployments into production-ready, robust and easy-to-maintain solutions. By including these tools in your workflow, you can create a sustainable approach to Kubernetes application management that is secure, testable and well-documented.

The right combination of these tools will depend on your specific needs, but together they provide a comprehensive toolkit for the professional development and deployment of Helm charts. As your Kubernetes infrastructure grows, these tools will help you maintain the quality and reliability of all your applications.

Originally published in AWS Morocco on Medium, where people are continuing the conversation by highlighting and responding to this story.