Helm Chart Development: Structuring Reusable Kubernetes Deployments

What Helm Actually Does

Helm is a templating engine for Kubernetes manifests. A chart is a directory containing YAML templates, a values file with parameters, and metadata. Running helm install renders the templates with the values, applies the result to a cluster, and tracks it as a release. The Helm documentation covers the chart structure, templating language, and release management.

That’s it. Everything else — dependencies, hooks, lifecycle management — is convenience on top of templating plus release tracking.

Chart Structure

A standard chart has: Chart.yaml (metadata), values.yaml (default parameters), templates/ (the YAML templates), and optionally charts/ (dependencies) and crds/ (CRDs that install before everything else).

Keep templates one-per-resource: deployment.yaml, service.yaml, ingress.yaml. Splitting into multiple resources per file makes diffs harder and partial deployment impossible.

Values Files Done Right

The shape of values.yaml is the user interface of your chart. Spending an hour up front to think about it saves months of breaking changes later.

Top-level keys should map to deployment concepts users care about: image, resources, ingress, replicas. Don’t expose every Kubernetes primitive — users who need that level of control aren’t your target audience.

Provide useful defaults. A chart that requires 30 values to install isn’t reusable; it’s a templated copy-paste.

Templating Patterns That Don’t Burn

Use named templates (templates/_helpers.tpl) for repeated patterns like labels and selectors. The standard chart pattern includes mychart.labels, mychart.selectorLabels, and mychart.fullname helpers — start with these.

Avoid deep conditional nesting. If you need three levels of {{ if }} to render a single field, the chart is too flexible for its own good. Consider splitting into multiple charts or using a Kustomize overlay instead.

Versioning and Distribution

Chart version follows the chart itself. App version follows the application the chart deploys. Bump both deliberately and follow semver.

Distribute charts via OCI registries (the modern path) or Helm chart repositories (the older path). The Helm Hub catalogs public charts from many organizations. OCI registries are simpler to operate and integrate with existing container registries.

Related Reading

• See our deeper guide at /containers/kubernetes-namespaces-guide/.

Chart Testing and Validation

A chart that lints cleanly can still produce broken Kubernetes manifests. helm template renders without applying, which catches template errors. kubeconform validates rendered manifests against Kubernetes schema. ct (chart-testing) runs full install-test cycles against a real cluster.

In CI, the standard pattern is: lint, template, schema-check, install-test. Each step catches a different class of problem. Skipping schema validation is the most common gap — many chart bugs only surface as kubectl-apply errors at install time.

Migration and Rollback

Helm releases track state, which makes rollback straightforward: helm rollback REVISION goes back to a prior installation. The state is stored as secrets in the release namespace by default, which is fine for small clusters and gets noisy at scale.

Helm 3’s storage backend supports alternatives. For organizations with many releases, configuring SQL storage centralizes release tracking and makes audit easier. Watch out for the upgrade path between Helm 2 and 3 — Helm 2 had Tiller and a different storage model; migration requires explicit conversion.

Common Mistakes in Helm Charts

Charts that hardcode namespace references, label selectors, or image names. These need to be configurable for reuse; hardcoding limits the chart to one specific deployment scenario.

Charts that don’t include proper helper templates for labels and selectors. The standard pattern (mychart.labels, mychart.selectorLabels) ensures consistency across resources and supports the standard Kubernetes label conventions.

Charts that put too much logic in templates. Helm’s templating is Go templates plus Sprig functions — powerful but easy to write unmaintainable mess. When a template has more conditionals than YAML, the chart is doing too much and probably needs to be split.

Distribution and Ecosystem

OCI registries (Docker Hub, ECR, GCR, GHCR) now serve as Helm chart repositories. Push and pull use OCI commands. This consolidates artifact storage — your charts live alongside your container images.

Public chart repositories (Bitnami’s, the artifact hub) provide pre-built charts for common applications. Use them as starting points; copy and customize for production use rather than pulling directly. Public charts evolve in ways your deployment may not be ready for, and pinning to specific versions is the safer practice.

Container Image Provenance

Knowing where your container images come from is foundational. Pinning by digest (not by tag) gives immutability. Signing with Sigstore or Notary provides authenticity.

Build provenance — recording how the image was built, from what source, by which CI system — adds an additional layer. SLSA attestations capture this in a standardized format.

For organizations subject to executive orders or regulatory frameworks requiring software supply chain controls, provenance becomes mandatory rather than optional. Building the practice into normal CI early is cheaper than retrofitting under audit pressure.

Observability for Kubernetes Workloads

Standard observability for Kubernetes includes: pod metrics (cAdvisor exposed via kubelet), node metrics (node-exporter), API server and controller metrics, and application metrics via service annotations or ServiceMonitor.

The kube-prometheus-stack Helm chart bundles all of this with pre-built dashboards and alerts. Most clusters that want quick observability install it and customize from there. For deeper observability — distributed tracing across pods, application-level instrumentation — OpenTelemetry layers on top.

Logs follow a similar pattern. Fluent Bit or Vector as the agent, shipping to a centralized log store (Loki, Elasticsearch, CloudWatch). Per-pod metadata enrichment makes logs searchable by deployment, namespace, and pod labels.

Capacity Planning and Right-Sizing

Kubernetes capacity planning has two layers: cluster capacity (how many nodes, what types) and workload capacity (resource requests and limits). Both deserve attention.

For cluster capacity, observe peak utilization and plan headroom. 70-80% peak utilization is a healthy target — below that, you’re paying for idle capacity; above that, autoscaling lag and burst patterns can cause issues.

For workload capacity, the right-sizing tools mentioned earlier surface candidates. Schedule quarterly right-sizing reviews. Service growth and traffic pattern changes mean yesterday’s right-size is today’s waste or saturation.

Image Optimization for Production

Beyond best practices in the Dockerfile, image optimization at the repository level pays back across many services. Standardize on a small set of base images, share optimization patterns across teams, and centralize the security-update process for those base images.

Internal base images that wrap upstream images with organization-specific additions (corporate certs, common tools, security agents) reduce per-service complexity. Build them with the same discipline as application images — pinned dependencies, signed, scanned.

Image size impacts pull time, which impacts pod startup, which impacts autoscaling responsiveness and rolling deploy duration. The end-to-end effect is larger than the per-image savings suggest.

Operational Recommendations

For teams running production Kubernetes workloads, a small set of disciplines pays back across nearly every dimension of cluster operation. Define resource requests and limits for all production workloads. Establish a network policy posture that defaults to deny. Run regular cluster upgrades on a defined cadence. Monitor cluster health alongside application health.

These aren’t novel recommendations — they appear in every Kubernetes best-practices guide. They’re rarely fully implemented in production clusters that grew organically. The work of bringing existing clusters to this baseline is significant but worthwhile.

For new clusters, build these in from the start. Templates and operators can enforce the baseline; documentation captures the intent. Each new service onboarded gets the right defaults rather than requiring later remediation.

Operational maturity in Kubernetes is incremental. Pick the next improvement, implement it, move on. The compounded effect over time is what separates well-operated clusters from clusters that work but feel fragile.

Key Takeaways

The most important point throughout this guide: practical engineering decisions depend on specific context. Best-practice recommendations are starting points, not destinations. The right answer for your team depends on your scale, your existing tooling investment, your team’s experience, and the specific constraints you face.

Three principles worth carrying forward regardless of specific tool choices. First, measure what you change. Engineering improvements without measurement become folklore — claims without evidence. Track the metrics that show whether interventions are working.

Second, default to simpler architectures and tools. Complexity has cost. Each additional moving part is something to monitor, debug, upgrade, and eventually replace. Choose the simplest thing that meets your actual requirements, not the most sophisticated thing you could build.

Third, invest continuously in the boring foundations. Reliable CI, good observability, sensible access controls, and clear documentation pay back across every project. Skipping these for short-term feature velocity accumulates debt that eventually consumes the velocity it was supposed to enable.

The teams that operate well over the long term are usually not the teams with the most exotic tooling. They’re the teams with disciplined fundamentals, deliberate decision-making, and continuous incremental improvement.

Frequently Asked Questions

Helm vs Kustomize?

Helm is for distribution and templating. Kustomize is for per-environment overlays of static manifests. They solve different problems and can be combined.

How do I test a chart?

helm template renders to stdout. helm lint checks for common issues. ct (chart-testing) runs full install-test cycles in CI.

Should I use subcharts?

Sparingly. Subcharts make dependency management harder. For most cases, separate top-level charts that compose at the application level work better.

What about Helmfile?

Useful for managing multiple Helm releases declaratively. Worth evaluating once you have more than a handful of charts to install per cluster.