The Chart Best Practices Guide

This guide covers the Helm Team’s considered best practices for creating charts.It focuses on how charts should be structured.

We focus primarily on best practices for charts that may be publicly deployed.We know that many charts are for internal-use only, and authors of such chartsmay find that their internal interests override our suggestions here.

Table of Contents

General Conventions

This part of the Best Practices Guide explains general conventions.

Chart Names

Chart names should use lower case letters and numbers, and start with a letter.

Hyphens (-) are allowed, but are known to be a little trickier to work with in Helm templates (see issue #2192 for more information).

Here are a few examples of good chart names from the Helm Community Charts:

  1. drupal
  2. cert-manager
  3. oauth2-proxy

Neither uppercase letters nor underscores should be used in chart names. Dots should not be used in chart names.

The directory that contains a chart MUST have the same name as the chart. Thus, the chart cert-manager MUST be created in a directory called cert-manager/. This is not merely a stylistic detail, but a requirement of the Helm Chart format.

Version Numbers

Wherever possible, Helm uses SemVer 2 to represent version numbers. (Note that Docker image tags do not necessarily follow SemVer, and are thus considered an unfortunate exception to the rule.)

When SemVer versions are stored in Kubernetes labels, we conventionally alter the + character to an _ character, as labels do not allow the + sign as a value.

Formatting YAML

YAML files should be indented using two spaces (and never tabs).

Usage of the Words Helm, Tiller, and Chart

There are a few small conventions followed for using the words Helm, helm, Tiller, and tiller.

  • Helm refers to the project, and is often used as an umbrella term
  • helm refers to the client-side command
  • Tiller is the proper name of the backend
  • tiller is the name of the binary run on the backend
  • The term ‘chart’ does not need to be capitalized, as it is not a proper noun. When in doubt, use Helm (with an uppercase ‘H’).

Restricting Tiller by Version

A Chart.yaml file can specify a tillerVersion SemVer constraint:

  1. name: mychart
  2. version: 0.2.0
  3. tillerVersion: ">=2.4.0"

This constraint should be set when templates use a new feature that was notsupported in older versions of Helm. While this parameter will accept sophisticatedSemVer rules, the best practice is to default to the form >=2.4.0, where 2.4.0is the version that introduced the new feature used in the chart.

This feature was introduced in Helm 2.4.0, so any version of Tiller older than2.4.0 will simply ignore this field.

Values

This part of the best practices guide covers using values. In this part of theguide, we provide recommendations on how you should structure and use yourvalues, with focus on designing a chart’s values.yaml file.

Naming Conventions

Variables names should begin with a lowercase letter, and words should beseparated with camelcase:

Correct:

  1. chicken: true
  2. chickenNoodleSoup: true

Incorrect:

  1. Chicken: true # initial caps may conflict with built-ins
  2. chicken-noodle-soup: true # do not use hyphens in the name

Note that all of Helm’s built-in variables begin with an uppercase letter toeasily distinguish them from user-defined values: .Release.Name,.Capabilities.KubeVersion.

Flat or Nested Values

YAML is a flexible format, and values may be nested deeply or flattened.

Nested:

  1. server:
  2. name: nginx
  3. port: 80

Flat:

  1. serverName: nginx
  2. serverPort: 80

In most cases, flat should be favored over nested. The reason for this is thatit is simpler for template developers and users.

For optimal safety, a nested value must be checked at every level:

  1. {{ if .Values.server }}
  2. {{ default "none" .Values.server.name }}
  3. {{ end }}

For every layer of nesting, an existence check must be done. But for flatconfiguration, such checks can be skipped, making the template easier to readand use.

  1. {{ default "none" .Values.serverName }}

When there are a large number of related variables, and at least one of themis non-optional, nested values may be used to improve readability.

Make Types Clear

YAML’s type coercion rules are sometimes counterintuitive. For example,foo: false is not the same as foo: "false". Large integers like foo: 12345678will get converted to scientific notation in some cases.

The easiest way to avoid type conversion errors is to be explicit about strings,and implicit about everything else. Or, in short, quote all strings.

Often, to avoid the integer casting issues, it is advantageous to store yourintegers as strings as well, and use {{ int $value }} in the template to convertfrom a string back to an integer.

In most cases, explicit type tags are respected, so foo: !!string 1234 shouldtreat 1234 as a string. However, the YAML parser consumes tags, so the typedata is lost after one parse.

Consider How Users Will Use Your Values

There are four potential sources of values:

  • A chart’s values.yaml file
  • A values file supplied by helm install -f or helm upgrade -f
  • The values passed to a —set or —set-string flag on helm install or helm upgrade
  • The content of a file passed to —set-file flag on helm install or helm upgrade When designing the structure of your values, keep in mind that users of yourchart may want to override them via either the -f flag or with the —setoption.

Since —set is more limited in expressiveness, the first guidelines for writingyour values.yaml file is make it easy to override from —set.

For this reason, it’s often better to structure your values file using maps.

Difficult to use with —set:

  1. servers:
  2. - name: foo
  3. port: 80
  4. - name: bar
  5. port: 81

The above cannot be expressed with —set in Helm <=2.4. In Helm 2.5, theaccessing the port on foo is —set servers[0].port=80. Not only is it harderfor the user to figure out, but it is prone to errors if at some later time theorder of the servers is changed.

Easy to use:

  1. servers:
  2. foo:
  3. port: 80
  4. bar:
  5. port: 81

Accessing foo’s port is much more obvious: —set servers.foo.port=80.

Document ‘values.yaml’

Every defined property in ‘values.yaml’ should be documented. The documentation string should begin with the name of the property that it describes, and then give at least a one-sentence description.

Incorrect:

  1. # the host name for the webserver
  2. serverHost = example
  3. serverPort = 9191

Correct:

  1. # serverHost is the host name for the webserver
  2. serverHost = example
  3. # serverPort is the HTTP listener port for the webserver
  4. serverPort = 9191

Beginning each comment with the name of the parameter it documents makes it easy to grep out documentation, and will enable documentation tools to reliably correlate doc strings with the parameters they describe.

Templates

This part of the Best Practices Guide focuses on templates.

Structure of templates/

The templates directory should be structured as follows:

  • Template files should have the extension .yaml if they produce YAML output. Theextension .tpl may be used for template files that produce no formatted content.
  • Template file names should use dashed notation (my-example-configmap.yaml), not camelcase.
  • Each resource definition should be in its own template file.
  • Template file names should reflect the resource kind in the name. e.g. foo-pod.yaml,bar-svc.yaml

Names of Defined Templates

Defined templates (templates created inside a {{ define }} directive) areglobally accessible. That means that a chart and all of its subcharts will haveaccess to all of the templates created with {{ define }}.

For that reason, all defined template names should be namespaced.

Correct:

  1. {{- define "nginx.fullname" }}
  2. {{/* ... */}}
  3. {{ end -}}

Incorrect:

  1. {{- define "fullname" -}}
  2. {{/* ... */}}
  3. {{ end -}}

It is highly recommended that new charts are created via helm create command as the template names are automatically defined as per this best practice.

Formatting Templates

Templates should be indented using two spaces (never tabs).

Template directives should have whitespace after the opening braces and before theclosing braces:

Correct:

  1. {{ .foo }}
  2. {{ print "foo" }}
  3. {{- print "bar" -}}

Incorrect:

  1. {{.foo}}
  2. {{print "foo"}}
  3. {{-print "bar"-}}

Templates should chomp whitespace where possible:

  1. foo:
  2. {{- range .Values.items }}
  3. {{ . }}
  4. {{ end -}}

Blocks (such as control structures) may be indented to indicate flow of the template code.

  1. {{ if $foo -}}
  2. {{- with .Bar }}Hello{{ end -}}
  3. {{- end -}}

However, since YAML is a whitespace-oriented language, it is often not possible for code indentation to follow that convention.

Whitespace in Generated Templates

It is preferable to keep the amount of whitespace in generated templates toa minimum. In particular, numerous blank lines should not appear adjacent to eachother. But occasional empty lines (particularly between logical sections) isfine.

This is best:

  1. apiVersion: batch/v1
  2. kind: Job
  3. metadata:
  4. name: example
  5. labels:
  6. first: first
  7. second: second

This is okay:

  1. apiVersion: batch/v1
  2. kind: Job
  3. metadata:
  4. name: example
  5. labels:
  6. first: first
  7. second: second

But this should be avoided:

  1. apiVersion: batch/v1
  2. kind: Job
  3. metadata:
  4. name: example
  5. labels:
  6. first: first
  7. second: second

Resource Naming in Templates

Hard-coding the name: into a resource is usually considered to be bad practice.Names should be unique to a release. So we might want to generate a name fieldby inserting the release name - for example:

  1. apiVersion: v1
  2. kind: Service
  3. metadata:
  4. name: {{ .Release.Name }}-myservice

Or if there is only one resource of this kind then we could use .Release.Name or the template fullname function defined in _helpers.tpl (which uses release name):

  1. apiVersion: v1
  2. kind: Service
  3. metadata:
  4. name: {{ template "fullname" . }}

However, there may be cases where it is known that there won’t be naming conflicts from a fixed name.In these cases a fixed name might make it easier for an application to find a resource such as a Service.If the option for fixed names is needed then one way to manage this might be to make the setting of the name explicit by using a service.name value from the values.yaml if provided:

  1. apiVersion: v1
  2. kind: Service
  3. metadata:
  4. {{- if .Values.service.name }}
  5. name: {{ .Values.service.name }}
  6. {{- else }}
  7. name: {{ template "fullname" . }}
  8. {{- end }}

Comments (YAML Comments vs. Template Comments)

Both YAML and Helm Templates have comment markers.

YAML comments:

  1. # This is a comment
  2. type: sprocket

Template Comments:

  1. {{- /*
  2. This is a comment.
  3. */ -}}
  4. type: frobnitz

Template comments should be used when documenting features of a template, such as explaining a defined template:

  1. {{- /*
  2. mychart.shortname provides a 6 char truncated version of the release name.
  3. */ -}}
  4. {{ define "mychart.shortname" -}}
  5. {{ .Release.Name | trunc 6 }}
  6. {{- end -}}

Inside of templates, YAML comments may be used when it is useful for Helm users to (possibly) see the comments during debugging.

  1. # This may cause problems if the value is more than 100Gi
  2. memory: {{ .Values.maxMem | quote }}

The comment above is visible when the user runs helm install —debug, whilecomments specified in {{- / / -}} sections are not.

Use of JSON in Templates and Template Output

YAML is a superset of JSON. In some cases, using a JSON syntax can be morereadable than other YAML representations.

For example, this YAML is closer to the normal YAML method of expressing lists:

  1. arguments:
  2. - "--dirname"
  3. - "/foo"

But it is easier to read when collapsed into a JSON list style:

  1. arguments: ["--dirname", "/foo"]

Using JSON for increased legibility is good. However, JSON syntax should notbe used for representing more complex constructs.

When dealing with pure JSON embedded inside of YAML (such as init containerconfiguration), it is of course appropriate to use the JSON format.

Requirements Files

This section of the guide covers best practices for requirements.yaml files.

Versions

Where possible, use version ranges instead of pinning to an exact version. The suggested default is to use a patch-level version match:

  1. version: ~1.2.3

This will match version 1.2.3 and any patches to that release. In other words, ~1.2.3 is equivalent to >= 1.2.3, < 1.3.0

For the complete version matching syntax, please see the semver documentation

Repository URLs

Where possible, use https:// repository URLs, followed by http:// URLs.

If the repository has been added to the repository index file, the repository name can be used as an alias of URL. Use alias: or @ followed by repository names.

File URLs (file://…) are considered a “special case” for charts that are assembled by a fixed deployment pipeline. Charts that use file:// in a requirements.yaml file are not allowed in the official Helm repository.

Conditions and Tags

Conditions or tags should be added to any dependencies that are optional.

The preferred form of a condition is:

  1. condition: somechart.enabled

Where somechart is the chart name of the dependency.

When multiple subcharts (dependencies) together provide an optional or swappable feature, those charts should share the same tags.

For example, if both nginx and memcached together provided performance optimizations for the main app in the chart, and were required to both be present when that feature is enabled, then they might both have atags section like this:

  1. tags:
  2. - webaccelerator

This allows a user to turn that feature on and off with one tag.

Labels and Annotations

This part of the Best Practices Guide discusses the best practices for usinglabels and annotations in your chart.

Is it a Label or an Annotation?

An item of metadata should be a label under the following conditions:

  • It is used by Kubernetes to identify this resource
  • It is useful to expose to operators for the purpose of querying the system. For example, we suggest using helm.sh/chart: NAME-VERSION as a label so that operatorscan conveniently find all of the instances of a particular chart to use.

If an item of metadata is not used for querying, it should be set as an annotationinstead.

Helm hooks are always annotations.

Standard Labels

The following table defines common labels that Helm charts use. Helm itself never requires that a particular label be present. Labels that are marked RECare recommended, and should be placed onto a chart for global consistency. Those marked OPT are optional. These are idiomatic or commonly in use, but are not relied upon frequently for operational purposes.

NameStatusDescription
app.kubernetes.io/nameRECThis should be the app name, reflecting the entire app. Usually {{ template "name" . }} is used for this. This is used by many Kubernetes manifests, and is not Helm-specific.
helm.sh/chartRECThis should be the chart name and version: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}.
app.kubernetes.io/managed-byRECThis should always be set to {{ .Release.Service }}. It is for finding all things managed by Tiller.
app.kubernetes.io/instanceRECThis should be the {{ .Release.Name }}. It aids in differentiating between different instances of the same application.
app.kubernetes.io/versionOPTThe version of the app and can be set to {{ .Chart.AppVersion }}.
app.kubernetes.io/componentOPTThis is a common label for marking the different roles that pieces may play in an application. For example, app.kubernetes.io/component: frontend.
app.kubernetes.io/part-ofOPTWhen multiple charts or pieces of software are used together to make one application. For example, application software and a database to produce a website. This can be set to the top level application being supported.

You can find more information on the Kubernetes labels, prefixed with app.kubernetes.io, in the Kubernetes documentation.

Pods and PodTemplates

This part of the Best Practices Guide discusses formatting the Pod and PodTemplateportions in chart manifests.

The following (non-exhaustive) list of resources use PodTemplates:

  • Deployment
  • ReplicationController
  • ReplicaSet
  • DaemonSet
  • StatefulSet

Images

A container image should use a fixed tag or the SHA of the image. It should not use the tags latest, head, canary, or other tags that are designed to be “floating”.

Images may be defined in the values.yaml file to make it easy to swap out images.

  1. image: {{ .Values.redisImage | quote }}

An image and a tag may be defined in values.yaml as two separate fields:

  1. image: "{{ .Values.redisImage }}:{{ .Values.redisTag }}"

ImagePullPolicy

helm create sets the imagePullPolicy to IfNotPresent by default by doing the following in your deployment.yaml:

  1. imagePullPolicy: {{ .Values.image.pullPolicy }}

And values.yaml:

  1. pullPolicy: IfNotPresent

Similarly, Kubernetes defaults the imagePullPolicy to IfNotPresent if it is not defined at all. If you want a value other than IfNotPresent, simply update the value in values.yaml to your desired value.

PodTemplates Should Declare Selectors

All PodTemplate sections should specify a selector. For example:

  1. selector:
  2. matchLabels:
  3. app.kubernetes.io/name: MyName
  4. template:
  5. metadata:
  6. labels:
  7. app.kubernetes.io/name: MyName

This is a good practice because it makes the relationship between the set andthe pod.

But this is even more important for sets like Deployment.Without this, the entire set of labels is used to select matching pods, andthis will break if you use labels that change, like version or release date.

Custom Resource Definitions

This section of the Best Practices Guide deals with creating and using Custom Resource Definitionobjects.

When working with Custom Resource Definitions (CRDs), it is important to distinguishtwo different pieces:

  • There is a declaration of a CRD. This is the YAML file that has the kind CustomResourceDefinition
  • Then there are resources that use the CRD. Say a CRD defines foo.example.com/v1. Any resourcethat has apiVersion: example.com/v1 and kind Foo is a resource that uses the CRD.

Install a CRD Declaration Before Using the Resource

Helm is optimized to load as many resources into Kubernetes as fast as possible.By design, Kubernetes can take an entire set of manifests and bring them allonline (this is called the reconciliation loop).

But there’s a difference with CRDs.

For a CRD, the declaration must be registered before any resources of that CRDskind(s) can be used. And the registration process sometimes takes a few seconds.

Method 1: Separate Charts

One way to do this is to put the CRD definition in one chart, and then put anyresources that use that CRD in another chart.

In this method, each chart must be installed separately.

Method 2: Crd-install Hooks

To package the two together, add a crd-install hook to the CRD definition sothat it is fully installed before the rest of the chart is executed.

Note that if you create the CRD with a crd-install hook, that CRD definitionwill not be deleted when helm delete is run.

Role-Based Access Control

This part of the Best Practices Guide discusses the creation and formatting of RBAC resources in chart manifests.

RBAC resources are:

  • ServiceAccount (namespaced)
  • Role (namespaced)
  • ClusterRole
  • RoleBinding (namespaced)
  • ClusterRoleBinding

YAML Configuration

RBAC and ServiceAccount configuration should happen under separate keys. They are separate things. Splitting these two concepts out in the YAML disambiguates them and make this clearer.

  1. rbac:
  2. # Specifies whether RBAC resources should be created
  3. create: true
  4. serviceAccount:
  5. # Specifies whether a ServiceAccount should be created
  6. create: true
  7. # The name of the ServiceAccount to use.
  8. # If not set and create is true, a name is generated using the fullname template
  9. name:

This structure can be extended for more complex charts that require multiple ServiceAccounts.

  1. serviceAccounts:
  2. client:
  3. create: true
  4. name:
  5. server:
  6. create: true
  7. name:

RBAC Resources Should be Created by Default

rbac.create should be a boolean value controlling whether RBAC resources are created. The default should be true. Users who wish to manage RBAC access controls themselves can set this value to false (in which case see below).

Using RBAC Resources

serviceAccount.name should set to the name of the ServiceAccount to be used by access-controlled resources created by the chart. If serviceAccount.create is true, then a ServiceAccount with this name should be created. If the name is not set, then a name is generated using the fullname template, If serviceAccount.create is false, then it should not be created, but it should still be associated with the same resources so that manually-created RBAC resources created later that reference it will function correctly. If serviceAccount.create is false and the name is not specified, then the default ServiceAccount is used.

The following helper template should be used for the ServiceAccount.

  1. {{/*
  2. Create the name of the service account to use
  3. */}}
  4. {{- define "mychart.serviceAccountName" -}}
  5. {{- if .Values.serviceAccount.create -}}
  6. {{ default (include "mychart.fullname" .) .Values.serviceAccount.name }}
  7. {{- else -}}
  8. {{ default "default" .Values.serviceAccount.name }}
  9. {{- end -}}
  10. {{- end -}}