Helm Tools: Helmfile, helm-docs, helm-secrets, Chart Testing

Introduction

Helm is the standard package manager for Kubernetes, but managing Helm charts at scale requires additional tooling. Helmfile provides declarative chart management across environments. helm-docs generates README documentation from chart metadata. helm-secrets securely manages sensitive values. Chart-testing validates charts in CI pipelines. This article covers each tool with practical examples.

Helmfile

Declarative management of Helm releases across environments:

# helmfile.yaml

repositories:

- name: bitnami

url: https://charts.bitnami.com/bitnami

- name: prometheus-community

url: https://prometheus-community.github.io/helm-charts

environments:

development:

values:

- env/development.yaml

production:

values:

- env/production.yaml

- env/secrets.yaml # Encrypted values

releases:

# Core infrastructure

- name: prometheus-stack

namespace: monitoring

chart: prometheus-community/kube-prometheus-stack

version: 62.0.0

values:

- values/prometheus.yaml

- {{ env "PROMETHEUS_VALUES" | default "values/prometheus-default.yaml" }}

- name: ingress-nginx

namespace: ingress

chart: ingress-nginx/ingress-nginx

version: 4.11.0

values:

- values/ingress-{{ .Environment.Name }}.yaml

set:

- name: controller.replicaCount

value: {{ .Values.ingress.replicas }}

installed: true

wait: true

# Application charts

- name: my-app

namespace: {{ .Values.app.namespace }}

chart: ./charts/my-app

version: 0.2.0

values:

- values/app-{{ .Environment.Name }}.yaml

labels:

app: my-app

env: {{ .Environment.Name }}

hooks:

- events: ["presync", "postsync"]

command: "helm test {{ .Release.Name }}"

# Apply environment

helmfile -e production apply

# Diff changes before applying

helmfile -e development diff

# Sync specific releases

helmfile -e staging -l app=my-app sync

# Destroy releases

helmfile -e development destroy

helm-docs

Automatically generate README documentation from chart metadata:

# Install

go install github.com/norwoodj/helm-docs/cmd/helm-docs@latest

brew install helm-docs

# Generate README for all charts in repo

helm-docs

# Or for a specific chart

helm-docs --chart-search-root ./charts/my-app

# charts/my-app/values.yaml

# -- Number of replicas to run

replicaCount: 3

image:

# -- Container image repository

repository: my-app

# -- Image tag

tag: "latest"

# -- Image pull policy

pullPolicy: Always

# -- Resource limits and requests

resources:

limits:

# -- CPU limit

cpu: "1"

# -- Memory limit

memory: 512Mi

requests:

cpu: 250m

memory: 256Mi

# {{ .Name }}

{{ .Description }}

## Installation

helm repo add myrepo https://charts.example.com

helm install myrepo/{{ .Name }}

## Parameters

| Name | Description | Default |

|------|-------------|---------|

{{- range .Values }}

| {{ .Key }} | {{ .Description }} | {{ .Default }} |

{{- end }}

helm-secrets

Encrypt sensitive values using SOPS with various backends:

# Install

helm plugin install https://github.com/jkroepke/helm-secrets

# Encrypt values file

helm secrets encrypt secrets.yaml > secrets.enc.yaml

# Decrypt and use with Helm

helm secrets install my-app ./chart -f secrets.enc.yaml

# With helmfile

# helmfile.yaml references secrets.enc.yaml

helmfile -e production apply

# .sops.yaml — SOPS configuration

creation_rules:

- path_regex: secrets\.yaml

age: age1abc123...

- path_regex: production/.*\.yaml

pgp: "FINGERPRINT"

encrypted_regex: "^(password|token|key|secret)$"

Chart Testing (ct)

Validate charts in CI pipelines:

# ct.yaml — chart testing configuration

chart-dirs:

- charts

chart-repos:

- bitnami=https://charts.bitnami.com/bitnami

helm-extra-args: --timeout 600s

validate-maintainers: true

# Linting options

lint-conf: |

--strict

--namespace default

# Test installation

# ct install --charts charts/my-app

# .github/workflows/helm-ci.yml

name: Helm Chart CI

on:

pull_request:

paths:

- "charts/**"

jobs:

lint-test:

runs-on: ubuntu-latest

steps:

- uses: actions/checkout@v4

- uses: helm/chart-testing-action@v2

- name: Lint charts

run: ct lint --all --check-version-increment

- name: Create kind cluster

uses: helm/kind-action@v1

- name: Install and test charts

run: ct install --all

Essential Helm CLI Tips

# Template rendering (debugging)

helm template my-app ./chart --values values.yaml

# Dry-run install

helm install my-app ./chart --dry-run --debug

# Rollback

helm rollback my-app 2

# Get notes

helm get notes my-app

# View release history

helm history my-app

# Plugin management

helm plugin list

helm plugin install https://github.com/databus23/helm-diff

helm diff release my-app ./chart

Comparison

| Tool | Purpose | Essential For |

|------|---------|---------------|

| Helmfile | Declarative release management | Managing multiple charts across environments |

| helm-docs | Documentation generation | Keeping chart docs in sync with values |

| helm-secrets | Secret encryption | Securely managing sensitive values |

| chart-testing | CI validation | Automated chart linting and testing |

| helm-diff | Change preview | Reviewing changes before apply |

Recommendations

* **Multi-environment deployments**: Helmfile is essential for managing differences across dev, staging, and production.

* **Public or shared charts**: Use helm-docs to maintain README documentation automatically.

* **Production deployments**: Use helm-secrets with SOPS and age/PGP for encrypted values.

* **CI/CD pipeline**: Use chart-testing to validate chart changes before merging.

* **Review before apply**: Use helm-diff to preview changes without actually applying them.

The most complete Helm workflow combines all these tools: Helmfile for release management, helm-secrets for secure values, helm-docs for documentation, chart-testing for CI validation, and helm-diff for change preview.