helm
Helm Lint examines Helm charts for potential issues, misconfigurations, and adherence to best practices. It validates chart structure, templates, and values to ensure charts can be successfully deployed and function correctly in Kubernetes environments.
Key Features:
- Chart Validation: Verifies chart structure, metadata, and required files are present and correctly formatted
- Template Rendering: Tests that all templates render properly with default and provided values
- YAML Syntax Checking: Validates YAML syntax and structure across all chart files
- Kubernetes API Compliance: Ensures generated manifests comply with Kubernetes API schemas and versions
- Best Practice Enforcement: Checks for common Helm chart antipatterns and recommended practices
- Dependency Validation: Verifies chart dependencies are properly declared and accessible
- Subchart Support: Can recursively lint subcharts and their dependencies
helm documentation
- Version in MegaLinter: 3.16.3
- Visit Official Web Site
- See How to configure helm rules
- See How to disable helm rules in files
Configuration in MegaLinter
- Enable helm by adding
KUBERNETES_HELMin ENABLE_LINTERS variable - Disable helm by adding
KUBERNETES_HELMin DISABLE_LINTERS variable
| Variable | Description | Default value |
|---|---|---|
| KUBERNETES_HELM_ARGUMENTS | User custom arguments to add in linter CLI call Ex: -s --foo "bar" |
|
| KUBERNETES_HELM_COMMAND_REMOVE_ARGUMENTS | User custom arguments to remove from command line before calling the linter Ex: -s --foo "bar" |
|
| KUBERNETES_HELM_CLI_LINT_MODE | Override default CLI lint mode ⚠️ As default value is project, overriding might not work - file: Calls the linter for each file- list_of_files: Call the linter with the list of files as argument- project: Call the linter from the root of the project |
project |
| KUBERNETES_HELM_FILE_EXTENSIONS | Allowed file extensions. "*" matches any extension, "" matches empty extension. Empty list excludes all filesEx: [".py", ""] |
[".yml", ".yaml", ".json"] |
| KUBERNETES_HELM_FILE_NAMES_REGEX | File name regex filters. Regular expression list for filtering files by their base names using regex full match. Empty list includes all files Ex: ["Dockerfile(-.+)?", "Jenkinsfile"] |
Include every file |
| KUBERNETES_HELM_PRE_COMMANDS | List of bash commands to run before the linter | None |
| KUBERNETES_HELM_POST_COMMANDS | List of bash commands to run after the linter | None |
| KUBERNETES_HELM_UNSECURED_ENV_VARIABLES | List of env variables explicitly not filtered before calling KUBERNETES_HELM and its pre/post commands | None |
| KUBERNETES_HELM_DISABLE_ERRORS | Run linter but consider errors as warnings | false |
| KUBERNETES_HELM_DISABLE_ERRORS_IF_LESS_THAN | Maximum number of errors allowed | 0 |
| KUBERNETES_HELM_CLI_EXECUTABLE | Override CLI executable | ['helm'] |
| KUBERNETES_DIRECTORY | Directory containing KUBERNETES files (use any to always activate the linter) |
`` |
MegaLinter Flavors
This linter is available in the following flavors
| Flavor | Description | Embedded linters | Info | |
|---|---|---|---|---|
 |
all | Default MegaLinter Flavor | 126 |   |
| c_cpp | Optimized for pure C/C++ projects | 56 |   |
|
| cupcake | MegaLinter for the most commonly used languages | 87 |   |
|
| documentation | MegaLinter for documentation projects | 49 |   |
|
| dotnet | Optimized for C, C++, C# or VB based projects | 64 |   |
|
| dotnetweb | Optimized for C, C++, C# or VB based projects with JS/TS | 73 |   |
|
| go | Optimized for GO based projects | 51 |   |
|
| java | Optimized for JAVA based projects | 54 |   |
|
| javascript | Optimized for JAVASCRIPT or TYPESCRIPT based projects | 59 |   |
|
| php | Optimized for PHP based projects | 54 |   |
|
| python | Optimized for PYTHON based projects | 65 |   |
|
| ruby | Optimized for RUBY based projects | 50 |   |
|
| rust | Optimized for RUST based projects | 50 |   |
|
| salesforce | Optimized for Salesforce based projects | 54 |   |
|
| security | Optimized for security | 24 |   |
|
| swift | Optimized for SWIFT based projects | 50 |   |
|
| terraform | Optimized for TERRAFORM based projects | 54 |   |
Behind the scenes
How are identified applicable files
- Activated only if sub-directory
` is found. (directory name can be overridden withKUBERNETES_DIRECTORY`) - Activated only if one of these files is found:
Chart.yml, Chart.yaml - File extensions:
.yml,.yaml,.json - Detected file content (regex):
apiVersion:,kustomize\.config\.k8s\.io,tekton
How the linting is performed
helm is called once on the whole project directory (project CLI lint mode)
- filtering can not be done using MegaLinter configuration variables,it must be done using helm configuration or ignore file (if existing)
VALIDATE_ALL_CODEBASE: falsedoesn't make helm analyze only updated files
Example calls
helm lint .
helm lint --with-subcharts .
Help content
The Kubernetes package manager
Common actions for Helm:
- helm search: search for charts
- helm pull: download a chart to your local directory to view
- helm install: upload the chart to Kubernetes
- helm list: list releases of charts
Environment variables:
| Name | Description |
|------------------------------------|------------------------------------------------------------------------------------------------------------|
| $HELM_CACHE_HOME | set an alternative location for storing cached files. |
| $HELM_CONFIG_HOME | set an alternative location for storing Helm configuration. |
| $HELM_DATA_HOME | set an alternative location for storing Helm data. |
| $HELM_DEBUG | indicate whether or not Helm is running in Debug mode |
| $HELM_DRIVER | set the backend storage driver. Values are: configmap, secret, memory, sql. |
| $HELM_DRIVER_SQL_CONNECTION_STRING | set the connection string the SQL storage driver should use. |
| $HELM_MAX_HISTORY | set the maximum number of helm release history. |
| $HELM_NAMESPACE | set the namespace used for the helm operations. |
| $HELM_NO_PLUGINS | disable plugins. Set HELM_NO_PLUGINS=1 to disable plugins. |
| $HELM_PLUGINS | set the path to the plugins directory |
| $HELM_REGISTRY_CONFIG | set the path to the registry config file. |
| $HELM_REPOSITORY_CACHE | set the path to the repository cache directory |
| $HELM_REPOSITORY_CONFIG | set the path to the repositories file. |
| $KUBECONFIG | set an alternative Kubernetes configuration file (default "~/.kube/config") |
| $HELM_KUBEAPISERVER | set the Kubernetes API Server Endpoint for authentication |
| $HELM_KUBECAFILE | set the Kubernetes certificate authority file. |
| $HELM_KUBEASGROUPS | set the Groups to use for impersonation using a comma-separated list. |
| $HELM_KUBEASUSER | set the Username to impersonate for the operation. |
| $HELM_KUBECONTEXT | set the name of the kubeconfig context. |
| $HELM_KUBETOKEN | set the Bearer KubeToken used for authentication. |
| $HELM_KUBEINSECURE_SKIP_TLS_VERIFY | indicate if the Kubernetes API server's certificate validation should be skipped (insecure) |
| $HELM_KUBETLS_SERVER_NAME | set the server name used to validate the Kubernetes API server certificate |
| $HELM_BURST_LIMIT | set the default burst limit in the case the server contains many CRDs (default 100, -1 to disable) |
| $HELM_QPS | set the Queries Per Second in cases where a high number of calls exceed the option for higher burst values |
Helm stores cache, configuration, and data based on the following configuration order:
- If a HELM_*_HOME environment variable is set, it will be used
- Otherwise, on systems supporting the XDG base directory specification, the XDG variables will be used
- When no other location is set a default location will be used based on the operating system
By default, the default directories depend on the Operating System. The defaults are listed below:
| Operating System | Cache Path | Configuration Path | Data Path |
|------------------|---------------------------|--------------------------------|-------------------------|
| Linux | $HOME/.cache/helm | $HOME/.config/helm | $HOME/.local/share/helm |
| macOS | $HOME/Library/Caches/helm | $HOME/Library/Preferences/helm | $HOME/Library/helm |
| Windows | %TEMP%\helm | %APPDATA%\helm | %APPDATA%\helm |
Usage:
helm [command]
Available Commands:
completion generate autocompletion scripts for the specified shell
create create a new chart with the given name
dependency manage a chart's dependencies
env helm client environment information
get download extended information of a named release
help Help about any command
history fetch release history
install install a chart
lint examine a chart for possible issues
list list releases
package package a chart directory into a chart archive
plugin install, list, or uninstall Helm plugins
pull download a chart from a repository and (optionally) unpack it in local directory
push push a chart to remote
registry login to or logout from a registry
repo add, list, remove, update, and index chart repositories
rollback roll back a release to a previous revision
search search for a keyword in charts
show show information of a chart
status display the status of the named release
template locally render templates
test run tests for a release
uninstall uninstall a release
upgrade upgrade a release
verify verify that a chart at the given path has been signed and is valid
version print the client version information
Flags:
--burst-limit int client-side default throttling limit (default 100)
--debug enable verbose output
-h, --help help for helm
--kube-apiserver string the address and the port for the Kubernetes API server
--kube-as-group stringArray group to impersonate for the operation, this flag can be repeated to specify multiple groups.
--kube-as-user string username to impersonate for the operation
--kube-ca-file string the certificate authority file for the Kubernetes API server connection
--kube-context string name of the kubeconfig context to use
--kube-insecure-skip-tls-verify if true, the Kubernetes API server's certificate will not be checked for validity. This will make your HTTPS connections insecure
--kube-tls-server-name string server name to use for Kubernetes API server certificate validation. If it is not provided, the hostname used to contact the server is used
--kube-token string bearer token used for authentication
--kubeconfig string path to the kubeconfig file
-n, --namespace string namespace scope for this request
--qps float32 queries per second used when communicating with the Kubernetes API, not including bursting
--registry-config string path to the registry config file (default "/root/.config/helm/registry/config.json")
--repository-cache string path to the directory containing cached repository indexes (default "/root/.cache/helm/repository")
--repository-config string path to the file containing repository names and URLs (default "/root/.config/helm/repositories.yaml")
Use "helm [command] --help" for more information about a command.
Installation on mega-linter Docker image
- APK packages (Linux):