Helm 4
Helm 4 offers server-side apply, kstatus for stability, enhanced security, modularity, and improved plugins
Também em Português
Helm 4 is not just an incremental update; it’s a significant overhaul that aligns the tool with modern K8s best practices, focusing on stability, security, and efficiency.
1. Server-Side Apply (SSA)
The main architectural change. Helm 4 abandons the complex client-side three-way merge logic in favor of Kubernetes native Server-Side Apply (SSA).
Feature | Helm 3 (Old) | Helm 4 (SSA) |
Mechanism | Local Three-way Merge | Server-side Field Ownership |
Conflict Resolution | Prone to merge conflicts | K8s tracks the field owner |
Advantage | N/A | More robust deployments, especially with Operators and concurrent automations. |
SSA ensures that Helm only declares its intent for the fields defined in the Chart, delegating the final state resolution to K8s.
2. Stability with kstatus
Operations with --wait in Helm are now more reliable thanks to the kstatus library integration.
-
What it does:
kstatusprovides a granular, rule-based assessment of what constitutes a “ready” or “healthy” K8s resource. -
Technical Advantage: It goes beyond simple replica counting in a
Deployment. It considers complex conditions of more sophisticated resources (e.g., completed Jobs, stable StatefulSets). Your CI/CD will have safer deployments, ensuring the next step only starts when the application is effectively in service.
3. Supply Chain Security
Open Container Initiative (OCI) support has been improved with an explicit focus on integrity. This ensures that the downloaded and applied Chart is bit-for-bit identical to the original signed artifact, preventing tampering attacks in the supply chain.
It’s now possible to reference OCI Charts by digest (SHA256), not just by version tag.
-
helm install app oci://registry.com/charts/app@sha256:digest-hash-a42...
4. Modularity and Organization with Multi-Document Values
For enterprise or complex Charts, maintaining a single monolithic values.yaml was challenging. Now you can structure your environment configurations (Dev, Staging, Prod) or functional sections (DB, Caching, Monitoring) in a cleaner and more modular way.
Helm 4 accepts multiple YAML documents in the main values file or in files passed via the --values flag.
5. Refactored Plugins and Post-Renderers
Helm’s extension capabilities gained a more secure and formalized framework.
-
Post-Renderers: Tools that modify K8s manifests after the templating phase (e.g., kustomize, yq) are now primarily implemented as plugins.
-
Future: The plugin system is being revised with a vision for optional WebAssembly (Wasm) adoption, which will provide a sandboxed execution environment for extensions, increasing security.
6. CLI Flags (Breaking Changes)
To align command semantics, some command-line flags have been renamed.
Old Flag (Helm 3) | New Flag (Helm 4) | Purpose |
|
| Reverts the operation on failure. |
|
| Forces replacement of incompatible resources. |
Related Posts
Kubernetes Authentication - Kubeconfig
Understand the role of the kubeconfig file in Kubernetes authentication, its structure, and how to configure multiple clusters and contexts.
Kubernetes Certification Study Guide – How I Became a Kubestronaut
Throughout my professional journey with Kubernetes, I faced (and conquered!) the challenge of obtaining the main certifications offered by CNCF. It was months of focused study, intense practice, and continuous learning
What Happens When You Run kubectl apply?
Explore kubectl apply: see authentication, authorization, and admission in Kubernetes for efficient security and control