Helm

Helm is the package management tool of choice for Kubernetes. Helm charts provide templating syntax for Kubernetes YAML manifest documents. With Helm, developers or cluster administrators can create configurable templates known as Charts, instead of just using static manifests. For more information about creating your own Chart catalog, check out the docs at https://helm.sh/docs/intro/quickstart/.

K3s does not require any special configuration to support Helm. Just be sure you have properly set the kubeconfig path as per the cluster access documentation.

K3s includes a Helm Controller that manages installing, upgrading/reconfiguring, and uninstalling Helm charts using a HelmChart Custom Resource Definition (CRD). Paired with auto-deploying AddOn manifests, installing a Helm chart on your cluster can be automated by creating a single file on disk.

Using the Helm Controller

The HelmChart Custom Resource captures most of the options you would normally pass to the helm command-line tool. Here’s an example of how you might deploy Apache from the Bitnami chart repository, overriding some of the default chart values. Note that the HelmChart resource itself is in the kube-system namespace, but the chart’s resources will be deployed to the web namespace, which is created in the same manifest. This can be useful if you want to keep your HelmChart resources separated from the resources they deploy.

    apiVersion: v1
    kind: Namespace
    metadata:
      name: web
    ---
    apiVersion: helm.cattle.io/v1
    kind: HelmChart
    metadata:
      name: apache
      namespace: kube-system
    spec:
      repo: https://charts.bitnami.com/bitnami
      chart: apache
      targetNamespace: web
      valuesContent: |-
        service:
          type: ClusterIP
        ingress:
          enabled: true
          hostname: www.example.com
        metrics:
          enabled: true

An example of deploying a Helm chart from a private repository with authentication:

    apiVersion: helm.cattle.io/v1
    kind: HelmChart
    metadata:
      namespace: kube-system
      name: example-app
    spec:
      targetNamespace: example-space
      createNamespace: true
      version: v1.2.3
      chart: example-app
      repo: https://secure-repo.example.com
      authSecret:
        name: example-repo-auth
      repoCAConfigMap:
        name: example-repo-ca
      valuesContent: |-
        image:
          tag: v1.2.2
    ---
    apiVersion: v1
    kind: Secret
    metadata:
      namespace: kube-system
      name: example-repo-auth
    type: kubernetes.io/basic-auth
    stringData:
      username: user
      password: pass
    ---
    apiVersion: v1
    kind: ConfigMap
    metadata:
      namespace: kube-system
      name: example-repo-ca
    data:
      ca.crt: |-
        -----BEGIN CERTIFICATE-----
        <YOUR CERTIFICATE>
        -----END CERTIFICATE-----

HelmChart Field Definitions

| Field | Default | Description | Helm Argument / Flag Equivalent |
|---|---|---|---|
| metadata.name | | Helm Chart name | NAME |
| spec.chart | | Helm Chart name in repository, or complete HTTPS URL to chart archive (.tgz) | CHART |
| spec.targetNamespace | default | Helm Chart target namespace | --namespace |
| spec.createNamespace | false | Create target namespace if not present | --create-namespace |
| spec.version | | Helm Chart version (when installing from repository) | --version |
| spec.repo | | Helm Chart repository URL | --repo |
| spec.repoCA | | Verify certificates of HTTPS-enabled servers using this CA bundle. Should be a string containing one or more PEM-encoded CA Certificates. | --ca-file |
| spec.repoCAConfigMap | | Reference to a ConfigMap containing CA Certificates to be trusted by Helm. Can be used along with or instead of repoCA | --ca-file |
| spec.helmVersion | v3 | Helm version to use (v2 or v3) | |
| spec.bootstrap | False | Set to True if this chart is needed to bootstrap the cluster (Cloud Controller Manager, etc) | |
| spec.set | | Override simple default Chart values. These take precedence over options set via valuesContent. | --set / --set-string |
| spec.jobImage | | Specify the image to use when installing the helm chart. E.g. rancher/klipper-helm:v0.3.0 | |
| spec.backOffLimit | 1000 | Specify the number of retries before considering a job failed. | |
| spec.timeout | 300s | Timeout for Helm operations, as a duration string (300s, 10m, 1h, etc) | --timeout |
| spec.failurePolicy | reinstall | Set to abort, in which case the Helm operation is aborted, pending manual intervention by the operator. | |
| spec.authSecret | | Reference to Secret of type kubernetes.io/basic-auth holding Basic auth credentials for the Chart repo. | |
| spec.authPassCredentials | false | Pass Basic auth credentials to all domains. | --pass-credentials |
| spec.dockerRegistrySecret | | Reference to Secret of type kubernetes.io/dockerconfigjson holding Docker auth credentials for the OCI-based registry acting as the Chart repo. | |
| spec.valuesContent | | Override complex default Chart values via YAML file content | --values |
| spec.chartContent | | Base64-encoded chart archive .tgz - overrides spec.chart | CHART |

Content placed in /var/lib/rancher/k3s/server/static/ can be accessed anonymously via the Kubernetes APIServer from within the cluster. This URL can be templated using the special variable %{KUBERNETES_API}% in the spec.chart field. For example, the packaged Traefik component loads its chart from https://%{KUBERNETES_API}%/static/charts/traefik-12.0.000.tgz.

Note: The name field should follow the Helm chart naming conventions. Refer to the Helm Best Practices documentation to learn more.
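
The security-relevant fields from the table above, combined in one HelmChart for the private repository case. This is an added example, not taken from the K3s documentation: the resource names reuse those of the earlier private repository example, and the Secret and ConfigMap it references are assumed to have been created separately in kube-system instead of being stored in the manifest file.

```yaml
# Added example, not from the K3s documentation. Names reuse the private
# repository example; the Secret and ConfigMap are assumed to exist already.
apiVersion: helm.cattle.io/v1
kind: HelmChart
metadata:
  namespace: kube-system
  name: example-app
spec:
  chart: example-app
  # Pin the chart version. Without it, Helm installs the latest version
  # the repository offers at install time.
  version: v1.2.3
  # HTTPS repository whose certificate is verified with the CA bundle
  # held in the referenced ConfigMap (the --ca-file equivalent).
  repo: https://secure-repo.example.com
  repoCAConfigMap:
    name: example-repo-ca
  # Basic auth credentials are read from a kubernetes.io/basic-auth Secret.
  # Assumption: it was created out-of-band in kube-system, so the password
  # is not written to a file in the auto-deploy manifests directory.
  authSecret:
    name: example-repo-auth
  # Keep the default. When true (--pass-credentials), the credentials are
  # sent to every domain Helm contacts, not only the repository host.
  authPassCredentials: false
  targetNamespace: example-space
  createNamespace: true
  # Stop and wait for an operator when an operation fails, instead of the
  # default reinstall.
  failurePolicy: abort
  timeout: 300s
  valuesContent: |-
    image:
      tag: v1.2.2
```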

Customizing Packaged Components with HelmChartConfig

To allow overriding values for packaged components that are deployed as HelmCharts (such as Traefik), K3s supports customizing deployments via HelmChartConfig resources. The HelmChartConfig resource must match the name and namespace of its corresponding HelmChart, and it supports providing additional valuesContent, which is passed to the helm command as an additional value file.

Note: HelmChart spec.set values override HelmChart and HelmChartConfig spec.valuesContent settings.

For example, to customize the packaged Traefik ingress configuration, you can create a file named /var/lib/rancher/k3s/server/manifests/traefik-config.yaml and populate it with the following content:

    apiVersion: helm.cattle.io/v1
    kind: HelmChartConfig
    metadata:
      name: traefik
      namespace: kube-system
    spec:
      valuesContent: |-
        image:
          name: traefik
          tag: v2.8.5
        forwardedHeaders:
          enabled: true
          trustedIPs:
            - 10.0.0.0/8
        ssl:
          enabled: true
          permanentRedirect: false

Migrating from Helm v2

K3s can handle either Helm v2 or Helm v3. If you wish to migrate to Helm v3, this blog post by Helm explains how to use a plugin to successfully migrate. Refer to the official Helm 3 documentation here for more information. Just be sure you have properly set your kubeconfig as per the section about cluster access.

Note: Helm 3 no longer requires Tiller and the helm init command. Refer to the official documentation for details.