How to Deploy Helm Chart

Helm is the package manager for Kubernetes, designed to simplify the deployment, management, and scaling of applications on Kubernetes clusters. A Helm chart is a collection of files that describe a related set of Kubernetes resourcessuch as Deployments, Services, ConfigMaps, Secrets, and Ingress rulespackaged together for easy distribution and reuse. Deploying a Helm chart enables teams to manage complex applications with a single command, ensuring consistency across environments, reducing human error, and accelerating delivery cycles.

As Kubernetes adoption grows, so does the need for standardized, repeatable deployment workflows. Helm fills this gap by abstracting away the complexity of YAML manifests and offering templating, versioning, and dependency management capabilities. Whether youre deploying a simple web application or a multi-component microservice architecture, Helm streamlines the process and empowers DevOps teams to focus on innovation rather than infrastructure minutiae.

This comprehensive guide walks you through every step required to deploy a Helm chartfrom setting up your environment to troubleshooting common issues. Youll also learn industry best practices, recommended tools, real-world examples, and answers to frequently asked questions. By the end of this tutorial, youll have the confidence and knowledge to deploy Helm charts efficiently and securely in any Kubernetes environment.

Step-by-Step Guide

Prerequisites

Before deploying a Helm chart, ensure your system meets the following requirements:

• Kubernetes Cluster: You must have access to a running Kubernetes cluster. This can be a local cluster like Minikube or Kind, or a managed service such as Amazon EKS, Google GKE, or Azure AKS.
• kubectl: The Kubernetes command-line tool must be installed and configured to communicate with your cluster. Verify this by running kubectl cluster-info.
• Helm CLI: Install the latest stable version of Helm. You can download it from the official Helm installation page or use package managers like Homebrew (brew install helm) or apt (apt-get install helm).
• Basic Understanding of YAML and Kubernetes Objects: Familiarity with Kubernetes resources like Deployments, Services, and ConfigMaps is helpful but not mandatory.

Once prerequisites are satisfied, proceed to the next step.

Step 1: Add a Helm Repository

Helm charts are stored in repositories, similar to how Docker images are stored in registries. The most common public repository is bitnami, which hosts thousands of pre-built charts for popular applications like WordPress, PostgreSQL, Redis, and more. Another widely used repository is stable (now deprecated but still referenced in legacy guides), and argo for CI/CD tools.

To add a repository, use the helm repo add command:

helm repo add bitnami https://charts.bitnami.com/bitnami
helm repo update

The helm repo update command ensures your local Helm client fetches the latest chart metadata from all configured repositories. You can list all added repositories using:

helm repo list

Output example:

NAME   	URL
bitnami	https://charts.bitnami.com/bitnami

Step 2: Search for a Chart

Once repositories are added, you can search for available charts using the helm search repo command:

helm search repo bitnami/wordpress

This returns details such as chart name, version, description, and latest app version:

NAME                    	CHART VERSION	APP VERSION	DESCRIPTION
bitnami/wordpress       	15.2.10      	6.5.5      	Web publishing platform for building blogs and ...

You can also search for all charts in a repository:

helm search repo bitnami

This helps you discover related chartsfor example, if youre deploying WordPress, you might also need MySQL or Redis. Search results provide a quick overview of whats available before you proceed to installation.

Step 3: Inspect the Chart

Before deploying any chart, its critical to inspect its contents. This ensures you understand what resources will be created and what configurable values are available.

Use the helm show chart command to view metadata:

helm show chart bitnami/wordpress

This returns details like the charts name, version, dependencies, and app version.

To view the default values used by the chart, run:

helm show values bitnami/wordpress

This outputs a comprehensive YAML file containing all configurable parameterssuch as image tags, resource limits, ingress settings, persistence configurations, and environment variables. Reviewing this file helps you determine which values need customization for your environment.

For deeper inspection, you can download the chart locally:

helm pull bitnami/wordpress --version 15.2.10 --untar

This extracts the chart into a directory named wordpress/, where you can examine templates, values.yaml, Chart.yaml, and other files. This is especially useful for debugging or creating custom overrides.

Step 4: Customize Values (Optional)

While Helm charts come with sensible defaults, real-world deployments often require customization. Common customizations include:

• Changing the image tag to a specific version
• Setting resource requests and limits
• Enabling TLS via Ingress
• Configuring persistent storage size
• Setting environment-specific secrets

Create a custom values file to override defaults without modifying the original chart. For example, create a file named wordpress-values.yaml:

image:
tag: "6.5.5-php8.2"
service:
type: LoadBalancer
ingress:
enabled: true
hostname: wordpress.example.com
tls: true
persistence:
size: 20Gi
mariadb:
persistence:
size: 15Gi
resources:
requests:
memory: "512Mi"
cpu: "250m"
limits:
memory: "1Gi"
cpu: "500m"

This file overrides the default settings with production-ready configurations. Always store custom values files in version control (e.g., Git) to maintain audit trails and enable reproducible deployments.

Step 5: Install the Helm Chart

Now that youve reviewed and customized the chart, its time to deploy it. Use the helm install command:

helm install my-wordpress bitnami/wordpress -f wordpress-values.yaml

Breakdown of the command:

• my-wordpress: The release name. Choose a descriptive, unique name for your deployment.
• bitnami/wordpress: The chart name in the format repository/chart.
• -f wordpress-values.yaml: Applies your custom configuration file.

Helm will output a summary of installed resources:

NAME: my-wordpress
LAST DEPLOYED: Thu Apr  4 10:30:22 2024
NAMESPACE: default
STATUS: deployed
REVISION: 1
NOTES:
1. Get the WordPress URL:
export POD_NAME=$(kubectl get pods --namespace default -l "app.kubernetes.io/name=wordpress,app.kubernetes.io/instance=my-wordpress" -o jsonpath="{.items[0].metadata.name}")
kubectl port-forward $POD_NAME 8080:80
echo "Visit http://127.0.0.1:8080 to use your WordPress site"
2. Get your WordPress admin password:
echo "WordPress Admin User: user"
echo "WordPress Admin Password: $(kubectl get secret --namespace default my-wordpress-wordpress -o jsonpath="{.data.wordpress-password}" | base64 --decode)"

Helm creates a release object in Kubernetes and tracks the deployment state. You can verify the deployment with:

kubectl get pods
kubectl get services
kubectl get ingress

Wait a few moments for all pods to reach the Running state. If any pod remains in ContainerCreating or ImagePullBackOff, check logs with kubectl logs <pod-name> and events with kubectl describe pod <pod-name>.

Step 6: Verify the Deployment

Once the pods are running, confirm the application is accessible:

• If you configured an Ingress with TLS, access the URL via browser: https://wordpress.example.com
• If you used a LoadBalancer service, retrieve the external IP: kubectl get svc my-wordpress-wordpress
• If you used NodePort, access via http://<node-ip>:<node-port>
• For local testing, use port-forwarding: kubectl port-forward svc/my-wordpress-wordpress 8080:80

Visit the endpoint in your browser. You should see the WordPress setup wizard. Use the admin password retrieved earlier to log in.

Step 7: Manage the Release

Helm provides commands to manage the lifecycle of your deployment:

• List releases: helm list Shows all deployed releases in the current namespace.
• View release history: helm history my-wordpress Displays revision history, including updates and rollbacks.
• Upgrade a release: helm upgrade my-wordpress bitnami/wordpress -f wordpress-values.yaml Updates the chart to a newer version or changes configuration.
• Rollback a release: helm rollback my-wordpress 1 Reverts to a previous revision if the upgrade fails.
• Uninstall a release: helm uninstall my-wordpress Removes all resources associated with the release.

Each upgrade creates a new revision. Helm retains the previous state, enabling safe rollbacks. This versioning system is one of Helms most powerful features for production reliability.

Step 8: Secure and Monitor

After successful deployment, apply security and monitoring best practices:

• Enable Pod Security Policies or use Pod Security Admission (PSA) to restrict privileged containers.
• Set resource quotas at the namespace level to prevent resource exhaustion.
• Integrate with prometheus-operator and grafana for metrics collection.
• Use logging agents like Fluentd or Loki to aggregate logs.
• Enable network policies to restrict pod-to-pod communication.

Monitor deployment health using:

kubectl get all -l app.kubernetes.io/instance=my-wordpress
kubectl top pods

Regularly audit your Helm releases and ensure charts are updated to patched versions to mitigate vulnerabilities.

Best Practices

Use Version-Controlled Values Files

Never hardcode values into Helm install commands. Always use external values.yaml files stored in Git repositories. This ensures:

• Reproducibility across environments (dev, staging, prod)
• Auditability and change tracking
• Collaboration among team members

Organize values files by environment:

values/
??? base.yaml
??? dev.yaml
??? staging.yaml
??? prod.yaml

Use Helms -f flag to layer configurations:

helm install my-app bitnami/chart -f values/base.yaml -f values/prod.yaml

Pin Chart Versions

Always specify an exact chart version during installation or upgrade:

helm install my-app bitnami/wordpress --version 15.2.10

Using latest or omitting the version introduces unpredictability. Chart versions change independently of app versions, and an unexpected update can break your application.

Use Helmfile for Multi-Chart Deployments

For complex applications with multiple Helm charts (e.g., WordPress + Redis + PostgreSQL + Monitoring), use Helmfile. Helmfile is a declarative tool that manages multiple Helm releases from a single YAML file.

Example helmfile.yaml:

repositories:
- name: bitnami
url: https://charts.bitnami.com/bitnami
releases:
- name: wordpress
namespace: default
chart: bitnami/wordpress
version: 15.2.10
values:
- values/wordpress-prod.yaml
- name: redis
namespace: default
chart: bitnami/redis
version: 17.5.0
values:
- values/redis-prod.yaml

Deploy with: helmfile sync

Implement CI/CD Integration

Automate Helm deployments using CI/CD pipelines. Examples:

• GitHub Actions: Trigger Helm install/upgrade on Git push to main branch.
• GitLab CI: Use Helm in a job with Kubernetes context configured.
• Argo CD: Use Helm as a source type for GitOps workflows.

Example GitHub Actions snippet:

- name: Install Helm
uses: azure/setup-helm@v3
with:
version: 'v3.14.3'
- name: Add Helm Repo
run: |
helm repo add bitnami https://charts.bitnami.com/bitnami
helm repo update
- name: Deploy with Helm
run: |
helm upgrade --install my-app bitnami/wordpress \
--namespace default \
--create-namespace \
-f values/prod.yaml

Separate Environments with Namespaces

Use Kubernetes namespaces to isolate environments:

• dev For development and testing
• staging For QA and staging
• prod For production

Install Helm releases into specific namespaces:

helm install my-app bitnami/wordpress --namespace dev --create-namespace

This prevents naming conflicts and enforces access controls via RBAC.

Validate Charts Before Deployment

Use helm template to render templates locally without installing:

helm template my-wordpress bitnami/wordpress -f wordpress-values.yaml

Review the output to verify resource definitions. You can also pipe it into kubectl diff to compare against live state:

helm template my-wordpress bitnami/wordpress -f wordpress-values.yaml | kubectl diff -f -

Regularly Audit and Update Charts

Security vulnerabilities in container images or Helm charts are common. Use tools like:

• Trivy Scans Helm chart dependencies and container images.
• Checkov Validates Kubernetes manifests for security misconfigurations.
• Helmfile + Snyk Integrates vulnerability scanning into CI/CD.

Subscribe to chart maintainers security advisories. For example, Bitnami publishes CVE alerts for their charts.

Use Helm Hooks for Lifecycle Management

Helm supports hooksspecial annotations that trigger actions at specific points in the deployment lifecycle:

• pre-install Run before installation (e.g., create database schema)
• post-install Run after successful installation (e.g., send notification)
• pre-upgrade Run before upgrade
• post-upgrade Run after upgrade
• pre-delete Run before deletion

Example hook in a template:

apiVersion: batch/v1
kind: Job
metadata:
name: {{ include "wordpress.fullname" . }}-init
annotations:
"helm.sh/hook": pre-install
"helm.sh/hook-weight": "5"
"helm.sh/hook-delete-policy": hook-succeeded
spec:
template:
spec:
containers:
- name: init
image: busybox
command: ['sh', '-c', 'echo "Initializing database..."']
restartPolicy: Never

Tools and Resources

Essential Helm Tools

• Helm CLI The core tool for installing, upgrading, and managing charts. Available at helm.sh.
• Helmfile Declarative tool for managing multiple Helm releases. GitHub: roboll/helmfile.
• Helm Secrets Encrypts sensitive values using SOPS or AWS KMS. GitHub: futuresimple/helm-secrets.
• Kubeseal Encrypts Kubernetes Secrets for safe storage in Git. GitHub: bitnami-labs/sealed-secrets.
• Argo CD GitOps operator that natively supports Helm charts as a source. Website: argo-cd.readthedocs.io.
• Kubeval Validates Kubernetes manifests against schemas. GitHub: instrumenta/kubeval.
• Checkov Infrastructure-as-code security scanner supporting Helm templates. Website: checkov.io.

Public Helm Repositories

Explore these trusted repositories for production-ready charts:

• Bitnami github.com/bitnami/charts Over 200 charts for databases, web servers, monitoring tools.
• Artifact Hub artifacthub.io Centralized catalog of Helm charts, operators, and OLM packages.
• Jetstack jetstack/cert-manager For TLS certificate automation.
• Prometheus Community prometheus-community/helm-charts Monitoring stack for Kubernetes.
• HashiCorp hashicorp/helm-charts For Vault, Consul, Nomad.

Learning Resources

• Helm Documentation helm.sh/docs Official, comprehensive guide.
• Kubernetes Helm Tutorial (Kubernetes.io) kubernetes.io/docs/tasks/tools
• YouTube: Helm in 10 Minutes By TechWorld with Nana.
• Book: Kubernetes Best Practices by Brendan Burns, et al. Includes Helm deployment patterns.
• GitHub Examples Search for helm chart example to find real-world repos.

Real Examples

Example 1: Deploying WordPress with HTTPS and Persistent Storage

Scenario: You need to deploy WordPress on a production cluster with TLS, auto-scaling, and 20GB persistent storage.

values.yaml:

image:
tag: "6.5.5-php8.2"
service:
type: LoadBalancer
ingress:
enabled: true
hostname: wordpress.mycompany.com
tls: true
annotations:
cert-manager.io/cluster-issuer: "letsencrypt-prod"
persistence:
enabled: true
size: 20Gi
mariadb:
enabled: true
persistence:
size: 15Gi
auth:
rootPassword: "supersecretrootpass"
database: "wordpress_db"
username: "wp_user"
password: "wp_pass"
resources:
requests:
memory: "512Mi"
cpu: "250m"
limits:
memory: "1Gi"
cpu: "500m"
extraEnvVars:
- name: WORDPRESS_CONFIG_EXTRA
value: |
define('WP_MEMORY_LIMIT', '256M');
define('WP_MAX_MEMORY_LIMIT', '512M');

Deployment Command:

helm install wordpress bitnami/wordpress -f values.yaml --namespace wordpress --create-namespace

Post-Deployment Steps:

• Wait for Ingress to get an external IP.
• Ensure cert-manager issues a Lets Encrypt certificate.
• Access https://wordpress.mycompany.com to complete setup.

Example 2: Deploying a Custom Internal Microservice

Scenario: You have a Go-based microservice with a custom Helm chart in your organizations Git repo.

Chart Structure:

my-service/
??? Chart.yaml
??? values.yaml
??? templates/
?   ??? deployment.yaml
?   ??? service.yaml
?   ??? ingress.yaml
?   ??? configmap.yaml
??? charts/

Chart.yaml:

apiVersion: v2
name: my-service
description: Internal microservice for user analytics
type: application
version: 1.0.0
appVersion: "1.2.3"

Install from local directory:

helm install my-service ./my-service -f values-prod.yaml --namespace production

CI/CD Integration:

Use GitHub Actions to build, test, and deploy on tag:

- name: Deploy to Production
if: github.ref == 'refs/tags/v*'
run: |
helm upgrade --install my-service ./my-service \
--namespace production \
--values values/prod.yaml \
--set image.tag=${{ github.ref_name }}

Example 3: Rolling Back a Failed Deployment

Scenario: After upgrading a chart, your application becomes unreachable.

Steps:

1. Check release history: helm history my-app
2. Identify the last working revision (e.g., revision 3).
3. Rollback: helm rollback my-app 3
4. Verify: kubectl get pods and test application.

Helm automatically reverts all resources to the state of revision 3, including ConfigMaps, Secrets, and Deployments. No manual cleanup is required.

FAQs

What is the difference between Helm and kubectl apply?

kubectl apply applies raw Kubernetes YAML manifests directly to the cluster. Its simple but lacks versioning, templating, and dependency management. Helm packages multiple manifests into a chart, supports templating with Go templates, allows versioned releases, and provides rollback capabilities. Helm is ideal for complex applications; kubectl apply is better for one-off resources or simple deployments.

Can I use Helm with any Kubernetes cluster?

Yes. Helm works with any standard Kubernetes cluster, whether its self-hosted (kubeadm), cloud-managed (EKS, GKE, AKS), or local (Minikube, Kind). Helm communicates via the Kubernetes API, so as long as kubectl can connect, Helm can too.

Is Helm secure? Can I use it in production?

Yes, Helm is widely used in production by enterprises globally. To ensure security:

• Use signed charts with Helm 3s OCI support and Helm Registry.
• Validate charts before deployment using helm template and kubeval.
• Store secrets externally (e.g., sealed-secrets, HashiCorp Vault).
• Restrict Helm access via RBAC.
• Regularly audit chart dependencies for vulnerabilities.

How do I update a Helm chart to a newer version?

Use helm upgrade with the new chart version:

helm upgrade my-app bitnami/wordpress --version 16.0.0 -f values.yaml

Helm will apply changes incrementally. You can check what will change before applying with helm upgrade --dry-run --debug.

What happens if I delete a Helm release?

Running helm uninstall my-release deletes all Kubernetes resources created by that release. However, persistent volumes (PVs) are not automatically deleted unless the chart explicitly sets persistentVolume.reclaimPolicy: Delete. Always check your charts persistence settings before uninstalling.

Can I use Helm without a repository?

Yes. You can install charts directly from local directories or tarballs:

helm install my-app ./my-chart
helm install my-app ./my-chart.tgz

This is useful for private/internal charts not hosted in public repositories.

How do I manage secrets with Helm?

Never store secrets directly in values.yaml. Use:

• Sealed Secrets Encrypt secrets in Git, decrypt at runtime.
• Helm Secrets Plugin Encrypt values.yaml with SOPS or GPG.
• External Secret Operators Pull secrets from AWS Secrets Manager, Azure Key Vault, or HashiCorp Vault.

Why is my Helm deployment stuck in Pending?

Common causes:

• Insufficient cluster resources (CPU/memory)
• Image pull errors (wrong tag, private registry without credentials)
• Missing PersistentVolume or StorageClass
• NetworkPolicy blocking connectivity

Check with: kubectl describe pod <pod-name> and kubectl get events --sort-by='.metadata.creationTimestamp'.

Is Helm 3 backward compatible with Helm 2?

No. Helm 3 removed Tiller and introduced major architectural changes. Helm 2 charts can be migrated using the helm 2to3 plugin, but its recommended to upgrade charts to Helm 3 format (using helm create and updating apiVersion to v2).

Conclusion

Deploying Helm charts is a foundational skill for modern Kubernetes operations. By abstracting complexity, enabling version control, and supporting automated workflows, Helm transforms how teams manage applications at scale. This guide has walked you through the entire lifecyclefrom installing Helm and adding repositories, to customizing values, deploying, upgrading, and securing releases.

Remember that success with Helm doesnt come from using it blindlyit comes from understanding its architecture, respecting its versioning system, and integrating it thoughtfully into your DevOps pipeline. Always use version-controlled values files, pin chart versions, separate environments, and automate deployments with CI/CD. Leverage tools like Helmfile and Argo CD to manage multi-chart applications, and never compromise on security when handling secrets.

As Kubernetes continues to evolve, Helm remains the de facto standard for application packaging. Whether youre deploying a single service or orchestrating a full microservices platform, mastering Helm chart deployment empowers you to deliver reliable, repeatable, and scalable applications with confidence.

Start smalldeploy a WordPress chart today. Then, graduate to custom charts and GitOps workflows. The journey from manual YAML to automated Helm-driven deployments is one of the most impactful steps you can take toward becoming a proficient Kubernetes operator.