Overview of modern standards for custom Helm charts.

helm-chart-cheat-sheet.md

Modern Helm Charts: Gateway API, TLS Certificates, and CI/CD Automation

Helm is the de-facto package manager for Kubernetes, enabling developers to define, install, and manage applications across Kubernetes clusters. This document outlines best practices and standards for custom Helm chart architecture, focusing on applications using the Gateway API and incorporating TLS certificates with cert-manager.

Note: This guide may not always reflect the most current versions of the Gateway API, cert-manager, or other dependencies. Always review the latest official documentation for updates.

---

1. Directory Structure

A clear and organized directory structure simplifies navigation and ensures maintainability.

my-chart/
├── Chart.yaml           # Chart metadata
├── values.yaml          # Default configuration values
├── values.schema.json   # JSON schema for validating `values.yaml`
├── templates/           # Kubernetes resource templates
│   ├── _helpers.tpl     # Shared template helpers
│   ├── deployment.yaml  # Deployment resource
│   ├── service.yaml     # Service resource
│   ├── gateway.yaml     # Gateway API resource
│   ├── httproute.yaml   # HTTPRoute for Gateway API
│   ├── tls.yaml         # TLS configuration for cert-manager or secrets
│   ├── secrets.yaml     # Secrets for sensitive data
│   └── NOTES.txt        # Installation notes
├── charts/              # Dependencies (subcharts)
├── crds/                # Custom Resource Definitions
└── README.md            # Documentation

Key Points:

• _helpers.tpl: Store reusable templates like labels and annotations.
• Templates for Gateway and HTTPRoute replace traditional ingress configurations.
• Include a tls.yaml file to manage certificate configuration with cert-manager or Secrets.

---

2. Chart Metadata (Chart.yaml)

This file provides metadata for your Helm chart.

Example:

apiVersion: v2
name: my-chart
description: A Helm chart for applications using Gateway API with TLS
type: application
version: 1.0.0
appVersion: "1.2.3"
dependencies:
  - name: redis
    version: "14.8.7"
    repository: https://charts.bitnami.com/bitnami

• Semantic Versioning is used for version and appVersion.
• Add dependencies to manage subcharts.

---

3. Values File (values.yaml)

The values.yaml file defines default configurations and should be well-documented.

Example:

replicaCount: 3

image:
  repository: nginx
  tag: "1.21.6"
  pullPolicy: IfNotPresent

service:
  type: ClusterIP
  port: 80

gateway:
  enabled: true
  name: my-app-gateway
  namespace: default
  tlsSecretName: my-app-tls

httproute:
  enabled: true
  hostname: my-app.example.com
  serviceName: my-app-service
  servicePort: 80

tls:
  enabled: true
  issuer: letsencrypt-prod
  secretName: my-app-tls
  dnsNames:
    - my-app.example.com

Best Practices:

• Organize keys hierarchically.
• Include comments for clarity.
• Avoid storing sensitive data directly—use Secrets instead.

---

4. Template Standards

Resource templates should be modular and reusable, following these conventions:

• Indentation: Use 2 spaces for YAML.
• Reusability: Use _helpers.tpl for shared values.
• Dynamic Values: Reference values.yaml keys using {{ .Values }}.

Gateway Template Example

apiVersion: gateway.networking.k8s.io/v1beta1
kind: Gateway
metadata:
  name: {{ .Values.gateway.name }}
  namespace: {{ .Values.gateway.namespace }}
spec:
  gatewayClassName: nginx
  listeners:
  - name: https
    protocol: HTTPS
    port: 443
    tls:
      mode: Terminate
      certificateRefs:
        - name: {{ .Values.gateway.tlsSecretName }}
  routes:
    namespaces:
      from: Same
    kind: HTTPRoute

HTTPRoute Template Example

apiVersion: gateway.networking.k8s.io/v1beta1
kind: HTTPRoute
metadata:
  name: {{ .Release.Name }}-httproute
  namespace: {{ .Values.gateway.namespace }}
spec:
  hostnames:
    - {{ .Values.httproute.hostname }}
  rules:
    - matches:
        - path:
            type: PathPrefix
            value: "/"
      forwardTo:
        - serviceName: {{ .Values.httproute.serviceName }}
          port: {{ .Values.httproute.servicePort }}

---

5. TLS Configuration

TLS certificates secure communications and can be managed using cert-manager or Kubernetes Secrets.

Cert-Manager Example

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: {{ .Values.tls.secretName }}
  namespace: {{ .Values.gateway.namespace }}
spec:
  secretName: {{ .Values.tls.secretName }}
  issuerRef:
    name: {{ .Values.tls.issuer }}
    kind: ClusterIssuer
  dnsNames:
    {{- range .Values.tls.dnsNames }}
    - {{ . }}
    {{- end }}

Manually Managed TLS Secrets

If cert-manager is not used, create a Kubernetes Secret for TLS:

apiVersion: v1
kind: Secret
metadata:
  name: {{ .Values.gateway.tlsSecretName }}
  namespace: {{ .Values.gateway.namespace }}
type: kubernetes.io/tls
data:
  tls.crt: {{ .Values.tls.cert }}
  tls.key: {{ .Values.tls.key }}

---

6. JSON Schema Validation

Add a values.schema.json file to validate values.yaml values.

Example:

{
  "$schema": "http://json-schema.org/draft-07/schema#",
  "type": "object",
  "properties": {
    "gateway": {
      "type": "object",
      "properties": {
        "enabled": { "type": "boolean" },
        "name": { "type": "string" },
        "namespace": { "type": "string" },
        "tlsSecretName": { "type": "string" }
      },
      "required": ["enabled", "name", "namespace", "tlsSecretName"]
    },
    "tls": {
      "type": "object",
      "properties": {
        "enabled": { "type": "boolean" },
        "issuer": { "type": "string" },
        "secretName": { "type": "string" },
        "dnsNames": {
          "type": "array",
          "items": { "type": "string" }
        }
      },
      "required": ["enabled", "issuer", "secretName", "dnsNames"]
    }
  }
}

---

7. Documentation

Provide clear documentation in README.md with the following sections:

• Introduction: High-level overview of the chart.
• Installation: Step-by-step instructions for deploying the chart.
• Configuration: Explanation of all configurable values in values.yaml.
• Examples: Sample configurations for Gateway API and TLS setup.

---

8. Security Considerations

• TLS: Enforce HTTPS by managing certificates through cert-manager or manually created Secrets.
• Secrets: Store sensitive data securely in Kubernetes Secrets and restrict access using RBAC (Role-Based Access Control).
• Image Security: Use trusted, verified container images from official repositories or regularly maintained sources.
• API Versions: Monitor and update to the latest supported versions of Gateway API, cert-manager, and other components to ensure compatibility and security.

---

9. CI/CD and Release Automation

Integrate CI/CD pipelines to automate linting, testing, and publishing. Tools like GitHub Actions or Jenkins can help streamline the process:

• Version Updates: Automate version checks for dependencies such as Gateway API and cert-manager.
• Linting: Use helm lint to validate chart syntax and catch potential issues before deployment.
• Testing: Use helm test or deploy to a local Kubernetes cluster (e.g., kind) to verify functionality.
• Publishing: Use Helm repositories to package and distribute your charts, automating this step for consistent versioning and releases.

---

10. Resources

• Helm Documentation
• Gateway API Documentation
• Kubernetes Documentation
• Cert-Manager Documentation

---

By following this guide, you can create Helm charts that align with modern best practices, ensuring they are secure, maintainable, and scalable while leveraging Gateway API and TLS for optimal Kubernetes application deployment.

This content was generated with the assistance of ChatGPT. Content reviewed and edited for technical accuracy.