Deploy a Helm chart

Upgrade a Helm Chart was renamed to Deploy a Helm chart in the Octopus Deploy 2024.1 release. The functionality remains the same. This is only a name change to make our terminology clearer.

Helm Charts are like a package manager for Kubernetes applications, allowing users to reuse and share complex resource configurations.

Helm chart sources

You can source your Helm charts from two different sources:

  • Packages from Helm or OCI feeds
  • Git Repository

Helm feed

A Helm Feed in Octopus refers to a Helm Chart repository. This repository is effectively just an HTTP server that houses an index.yaml which describes the charts available on that server. Octopus uses this index file to determine the available “packages” (Charts) and versions. A chart is a tarball that looks like alpine-0.1.2.tgz which for this example Octopus will interpret as having PackageID alpine and version 0.1.2. There are various ways you can host a chart repository, including third-party tools like ChartMuseum, Artifactory, Cloudsmith, or even hosting your own static web server.

Helm Feed

The built-in repository is capable of storing Helm Charts. However, the mechanism for determining the PackageID and Version may differ depending on the contents of the .tgz file. If the .tgz file contains a chart.yaml file, the PackageID is determined by the name, and the version is determined by the version sections of the YAML.

apiVersion: v2
name: petclinic-chart
description: A Helm chart for Kubernetes

type: application

version: 1.0.0

appVersion: "1.16.0"

If the .tgz does not have a chart.yaml file, the PackageID and version are interpreted by the filename as described above.

For more information about Helm Chart repositories and how to run your own private repository, check out the living documentation on their GitHub repo.

OCI-based registry feed

Octopus version 2023.3.4127 added support for Helm repositories stored in OCI-based registries.

The Open Container Initiative (OCI) is a lightweight, open governance structure (project), formed under the auspices of the Linux Foundation, for the express purpose of creating open industry standards around container formats and runtimes

An OCI-based registry can contain zero or more Helm repositories and each of those repositories can contain zero or more packaged Helm charts.

OCI Registry Feed

For more information about using OCI-based registries and how to run your own private repository, check out the living documentation on their GitHub repo.

Git repository

Octopus version 2024.1 added support for Helm charts stored in Git repositories.

You can find more information about this feature in this blog post on using Git resources directly in deployments.

Sourcing your Helm charts from a Git Repository can streamline your deployment process by reducing the amount of steps required to get them into Octopus.

To configure a Git Repository source, select the Git Repository option as your Chart Source.

Database projects

If you are storing your project configuration directly in Octopus (i.e. not in a Git repository using the Configuration as code feature), you can source your charts from a Git repository by entering the details of the repository, including:

  • URL
  • Credentials (either anonymous or selecting a Git credential from the Library)

When creating a Release, you choose the tip of a branch for your Helm charts. The commit hash for this branch is saved to the Release. This means redeploying that release will only ever use that specific commit and not the new tip of the branch.

Version-controlled projects

If you are storing your project configuration in a Git repository using the Configuration as code feature, in addition to the option above, you can source your charts from the same Git repository as your deployment process by selecting Project as the Git repository source. When creating a Release using this option, the commit hash used for your deployment process will also be used to source the chart files.

Helm upgrade step

Since the helm upgrade command provides the ability to ensure that the chart is installed when it runs for the first time (by using the --install argument), this upgrade command is the most practical step to provide.

Remember that since the Kubernetes cluster connection context is available via the kubectl script step, any helm commands that you want to perform that don’t fit into the existing helm upgrade step can easily be scripted as per usual.

Upgrade options

Upgrade options

Kubernetes release

The Kubernetes release uniquely identifies the released chart in the cluster. Because of the unique naming requirements of the release name, the default value provided includes both the project and environment name to ensure that successive Octopus releases do not conflict with one another. When redeploying new versions of the chart, this name is what is used to uniquely identify the resources that are related to that Octopus deployment. Helm requires that this name consist of only lowercase alpha numeric and dash (-) characters.

Due to the design of Helm, the release names must be unique across the entire cluster, not just namespaces.

Reset values

By default Helm will carry forward any existing configuration between deployments if not explicitly overridden. To ensure that the Octopus provided configuration acts as the source of truth, the --reset-values argument is set on the invoked command however this can be disabled if desired.

Helm client tool

Helm performs some strict version checks when performing any commands against the cluster and requires that the client have the same minor version as the tiller service (the helm component running in your cluster) in your Kubernetes cluster.

Like the other Kubernetes steps, the Octopus Server or workers will run the Helm commands directly during execution and need to have the helm executable installed.

Since it is quite common to have different versions of Helm across your deployment workers or even across different environments clusters, this option lets you override the helm client tool that is invoked. By default, Octopus will expect the helm command to be directly available to the execution context. Provide either the explicit full path to the desired version of the helm tool or include a version of helm as a package. The available version can be downloaded via the helm public GitHub repository. Unlike some other Octopus steps like Azure Powershell Scripts, the helm client tools are not automatically embedded or installed by Octopus. This is due to the strict version requirements that would differ between Octopus Server installations, and the diverse number of different platform builds available.

Template values

Template Values

The configuration for the Kubernetes resources required in a Helm Chart can be provided by making use of Chart Templates. In each of the following options, the values file are passed into the helm upgrade command with the -f argument. The template values are applied in the order that they are displayed (i.e. with values provided the Explicit key values option taking a higher precedence than the same value obtained via the Raw values YAML option).

  • Explicit Key Values: This option provides the ability to quickly provide key/value pairs of template configuration.
  • Raw values YAML: Standard Octopus variable substitution syntax can be used so long as the final contents are a valid YAML file.
  • Files in Chart Package: If there are any other values files contained within the selected chart (by default, ./values.yaml in the root of the package is picked up by helm), they can be referenced with this option. Octopus Variable replacement will be performed on the file before being used.
  • Files in Additional Packages: When using publicly available Helm Charts as the package source for this step, you may want to source your custom values files from outside Octopus, for example, through files committed to a GitHub feed. Files obtained through this option will have Octopus Variable replacement performed before being used.

Separating image updates from Helm chart updates

Application updates are often rolled up into full Helm chart version updates because that is the only mechanism provided. When deploying Helm charts with Octopus Deploy, a values file can be used for container image tags so that your Helm charts only get updated when your infrastructure definition changes.

Setting up referenced images with Helm chart deployments

Using this Helm hello-world chart as an example.

For each of the container images referenced by the Helm chart, add a referenced image under Docker image references. The following snippet assumes the referenced package has the Name nginx.

Edit the RAW Values YAML to update the image repository and tag. Take a look inside the example Helm chart to see how they’ve configured their template to use these values.

  repository: #{Octopus.Action.Package[nginx].PackageId}
  tag: #{Octopus.Action.Package[nginx].PackageVersion}

Automatically creating releases

Using referenced images with your Helm chart step allow external feed triggers to automatically create releases when one or more new images are pushed to your registries.

Further to this, lifecycles can be used to fully automate deploying your releases to selected environments.

Known limitations

Please note that Cloud Dynamic Workers come with Helm 2.9.1 installed. This means that if you chose V3 on the Helm Step Template, it will fall back to V2 during execution. To get around this problem, use the Execution Containers feature with the worker tools image.

Helm provides provenance tools that assist in verifying the integrity and origin of a package. Octopus does not currently automatically perform validation checks during a deployment using these tools however this may change in the future.

Although the helm client tool can be overridden for use during the step execution as noted above, the acquisition process currently requires a version of the helm client locally to retrieve the chart. The version of helm available does not need to match the version of the tiller service.

Helm deployments using Tar.gz packages can fail if the path is 100+ characters, to get around this problem use ZIP packages or shorter paths/filenames instead. See for more info.

Due to how deployment cancellation currently works, the Helm --atomic argument does not result in automatic rollbacks when a deployment is cancelled. This means that any Helm chart changes that were being deployed may become stuck or only partially deployed, and require manual clean-up. Furthermore, if the Octopus deployment timeout is set lower than the Helm timeout, a similar issue may arise if the Helm chart deployment is interrupted midway. To ensure a smooth deployment experience, we recommend setting a larger Octopus timeout than the Helm timeout.

Learn more

Help us continuously improve

Please let us know if you have any feedback about this page.

Send feedback

Page updated on Tuesday, April 23, 2024