What Is Helm in Kubernetes? Charts and values.yaml on EKS
Helm is the package manager for Kubernetes. It bundles all the YAML manifests an application needs into a single versioned unit called a chart, and it tracks every installation as a named release you can upgrade or roll back. On Amazon EKS, Helm is how most teams install shared cluster components like the AWS Load Balancer Controller, cert-manager, and Prometheus.
If you are new to Kubernetes, it helps to understand what Kubernetes is and how kubectl works before adding Helm into the mix. By the end of this page you will understand how Helm charts and releases work, how to configure charts with values.yaml, and how to install, upgrade, and roll back releases on EKS.
Helm explained simply
Running a real application on Kubernetes means creating a Deployment, a Service, possibly an Ingress, a ConfigMap, and more. That is many YAML files to write, keep in sync, and apply in the right order.
Helm solves this by:
- Packaging all those YAML files into a single chart you can share and reuse
- Configuring the chart for your environment using a
values.yamlfile - Installing the chart as a named release and recording everything it created
- Upgrading the release when you change config or move to a newer chart version
- Rolling back to any previous state if something breaks
You interact with Helm through the helm CLI. It communicates with the Kubernetes API using your existing kubeconfig, with no extra cluster-side component required.
Think of a Helm chart as a recipe. The recipe tells you what ingredients you need (Kubernetes resources) and how to combine them. Your values file is where you adjust the recipe to your taste: more replicas, a different image tag, a specific hostname. Helm bakes the recipe into real Kubernetes resources and records everything it created under a named release. If the dish comes out wrong, you can roll back to the previous version.
Core Helm concepts
There are four ideas worth understanding clearly before running your first command.
Chart: a directory of YAML templates and a default values.yaml file. A chart describes how to deploy an application or tool. Charts are versioned and shareable; thousands are published on Artifact Hub and in vendor-maintained repositories.
Release: a running instance of a chart in your cluster. If you install the same chart twice under different names, you get two independent releases, each with their own Kubernetes resources and revision history. Upgrading or rolling back one release does not affect the other.
Repository: a collection of charts, similar to a package registry. You add repos by URL using helm repo add, then pull charts from them by name.
Values: the variables that configure a chart. Every chart ships with defaults in values.yaml. You override them with your own values file or --set flags at install time. Values are what make a single chart work across development, staging, and production without duplicating templates.
The most common point of confusion: a chart is the blueprint and a release is what Helm creates when it installs that blueprint into your cluster. You can have one chart and ten releases of it in different namespaces or with different names. Each release is fully independent with its own revision history.
Why teams use Helm on Amazon EKS
A fresh EKS cluster ships with very little pre-installed. Teams use Helm to add the components their clusters need:
- AWS Load Balancer Controller: manages Application Load Balancers for Kubernetes Services and Ingress resources. The official AWS installation method is Helm.
- cert-manager: automates TLS certificate issuance and renewal. Distributed as a Helm chart from the Jetstack repository.
- Prometheus and Grafana: the standard Kubernetes monitoring stack. The
kube-prometheus-stackchart brings up the whole setup in minutes. See Monitoring EKS Clusters. - Fluent Bit: ships container logs to CloudWatch or OpenSearch. Available from the EKS charts repository. See Logging in Kubernetes on AWS.
- Argo CD, External Secrets, External DNS: popular GitOps and platform tools, all distributed as Helm charts.
Beyond third-party tools, teams use Helm for their own applications when the same deployment needs to run across multiple environments with different configuration: different image tags, replica counts, or hostnames. A single chart with per-environment values files handles this cleanly.
Install Helm
Before using Helm you need a working Kubernetes cluster with kubectl configured. If you have not done that yet, start with creating your first EKS cluster.
# macOS
brew install helm
# Linux (official install script)
curl https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | bash
# Windows (Chocolatey)
choco install kubernetes-helm
# Verify the installation
helm versionHelm uses your existing kubeconfig context to communicate with the cluster, the same context that kubectl uses. There is no server-side component to install on the cluster.
Add repositories and search for charts
# Add common repositories
helm repo add bitnami https://charts.bitnami.com/bitnami
helm repo add eks https://aws.github.io/eks-charts
helm repo add prometheus-community https://prometheus-community.github.io/helm-charts
helm repo add cert-manager https://charts.jetstack.io
# Update the local cache of chart metadata
helm repo update
# Search charts in your added repositories
helm search repo nginx
# Search Artifact Hub (the public Helm chart registry)
helm search hub cert-managerhelm search repo searches the repositories you have added locally using a cached index. helm search hub searches Artifact Hub directly, which indexes charts from hundreds of publishers.
Always run helm repo update before installing or upgrading a chart. Helm caches repository metadata locally and will not pick up new chart versions unless you refresh the cache first.
Install and configure a chart
The recommended flow is: install a chart, then customise it with a values file stored in version control.
Step 1: install a chart into a dedicated namespace
# helm install <release-name> <repo/chart>
helm install my-nginx bitnami/nginx \
--namespace web \
--create-namespaceStep 2: override a value inline (quick tests only)
helm install my-nginx bitnami/nginx \
--set replicaCount=3 \
--set service.type=ClusterIP \
--namespace web \
--create-namespaceStep 3: use a values file (recommended for everything else)
First, inspect the chart’s available options:
helm show values bitnami/nginxCreate a my-values.yaml overriding only what you need:
# my-values.yaml
replicaCount: 3
service:
type: ClusterIP
resources:
requests:
cpu: 100m
memory: 128Mi
limits:
cpu: 500m
memory: 256Mi
ingress:
enabled: true
hostname: myapp.example.com
annotations:
kubernetes.io/ingress.class: alb
alb.ingress.kubernetes.io/scheme: internet-facingInstall using the file:
helm install my-nginx bitnami/nginx \
--values my-values.yaml \
--namespace webStore your values files in Git alongside your application code. They are the auditable record of how a release is configured in each environment.
For sensitive values like passwords or tokens, use Kubernetes Secrets or an external secrets solution and reference them from your chart values. Do not commit plaintext credentials to your values files.
Common Helm commands
Inspect releases
# List releases in the current namespace
helm list
# List across all namespaces
helm list --all-namespaces
# Check the status of a specific release
helm status my-nginx --namespace web
# See all revisions of a release
helm history my-nginx --namespace webUpgrade a release
# Upgrade with updated values
helm upgrade my-nginx bitnami/nginx \
--values my-values.yaml \
--namespace web
# Upgrade to a specific chart version
helm upgrade my-nginx bitnami/nginx \
--version 18.1.0 \
--values my-values.yaml \
--namespace webRoll back
# Roll back to the previous revision
helm rollback my-nginx --namespace web
# Roll back to a specific revision number
helm rollback my-nginx 2 --namespace webEach helm upgrade creates a new revision. helm rollback restores the Kubernetes resources to exactly the state they were in at the target revision, including reverting configuration changes made during the upgrade. When upgrading EKS clusters, you may also need to upgrade chart versions for compatibility with the new Kubernetes version.
Uninstall
helm uninstall my-nginx --namespace webThis removes all Kubernetes resources Helm created for the release. You do not need the original YAML files because Helm tracks what it created in a Kubernetes Secret.
Helm vs kubectl vs Kustomize
All three tools apply configuration to a Kubernetes cluster. They solve different problems.
| Tool | Best for | Strengths | Limitations |
|---|---|---|---|
| kubectl | Direct cluster operations, one-off applies, debugging | Simple, universal, no abstraction layer | No templating, no release tracking, no rollback history |
| Helm | Installing packaged third-party tools; multi-environment app deploys | Release tracking, upgrade/rollback, large chart ecosystem | Templating adds indirection; external charts are a supply-chain dependency |
| Kustomize | Customising base YAML you own across environments | No templating, native kubectl support, manifests stay readable | No release history; less suited to third-party charts |
Most EKS clusters use all three: kubectl for inspection and debugging, Helm for third-party tools, and Kustomize or plain YAML for in-house applications.
When to use Helm and when not to
Use Helm when:
- Installing third-party tools that are already distributed as charts: the AWS Load Balancer Controller, Prometheus, cert-manager, Argo CD, Fluent Bit.
- You need the same application deployed across development, staging, and production with different configuration per environment.
- You want versioned releases with upgrade and rollback history.
Skip Helm when:
- Your application has simple, stable configuration that does not change between environments.
- You own the base manifests and prefer per-environment patches over templating. Kustomize is a better fit.
- You want every byte of YAML visible and reviewable without a rendering step.
Helm adds a templating layer between your intent and the YAML that lands in the cluster. For a simple application you fully control, that layer is overhead without benefit. If you are reaching for Helm just because it feels more professional, start with plain kubectl. Add Helm when you genuinely need multi-environment configuration or rollback history.
Common mistakes
- Overusing
—setinstead of a values file. Longhelm installcommands with many—setflags are hard to read, easy to mistype, and impossible to review in a pull request. Move all overrides into avalues.yamlfile from the start. - Skipping
helm repo update. Helm caches chart metadata locally. Without refreshing the cache before an install or upgrade, you may get an outdated chart version even if a newer one has been published. - Installing everything into the
defaultnamespace. Cluster tools should live in dedicated namespaces:kube-system,monitoring,cert-manager. Installing todefaultmakes access control harder and resource ownership unclear. - Editing Helm-managed resources with kubectl directly. If you modify a resource that Helm owns using kubectl, Helm will overwrite your change on the next upgrade. Manage Helm-owned resources through Helm only: update the values file and run
helm upgrade.
This is the mistake that causes the most confusion. You kubectl edit a Deployment. The next helm upgrade silently reverts your edit. The cluster looks healthy, but your change is gone. Own each resource with one tool and never cross the line.
- Forgetting IRSA setup for charts that call AWS APIs. Charts like the AWS Load Balancer Controller and External DNS need IAM permissions. Configure IAM Roles for Service Accounts (IRSA) and pass the role ARN via your values file before installing these charts.
Real-world EKS example
A platform team manages three EKS clusters: development, staging, and production. Each cluster needs the same infrastructure components: the AWS Load Balancer Controller, External DNS, cert-manager, Prometheus and Grafana, and Fluent Bit.
The team maintains a cluster-platform Git repository with one directory per component, each containing a values file per environment:
cluster-platform/
aws-load-balancer-controller/
values-dev.yaml
values-staging.yaml
values-prod.yaml
cert-manager/
values.yaml
kube-prometheus-stack/
values-dev.yaml
values-prod.yaml
fluent-bit/
values.yamlA bootstrap script runs helm upgrade --install for each component in order, using the matching values file. Setting up a new cluster takes under 30 minutes, and every component version and configuration value is tracked in Git.
When a chart needs upgrading, the team bumps the version in the values file, opens a pull request, and applies with helm upgrade. If the upgrade breaks something, helm rollback restores the previous state while they investigate.
This pattern breaks down if team members start making ad-hoc kubectl edits to Helm-managed resources. Keep the rule simple: if Helm installed it, Helm manages it.
For security practices that apply to this setup, see Securing EKS Clusters.
Summary
- Helm packages Kubernetes YAML into versioned charts, installs them as named releases, and tracks every change as a revision you can roll back.
- Helm uses your existing kubeconfig; there is no server-side component to install on the cluster.
- Most EKS infrastructure tools (AWS Load Balancer Controller, cert-manager, Prometheus, Fluent Bit) are installed via Helm.
- Use a
values.yamlfile stored in Git rather than—setflags. It is reproducible, reviewable, and auditable. - Use Helm for third-party tools and multi-environment deployments. Use Kustomize or plain YAML for simple applications you own and control entirely.
Frequently asked questions
What is a Helm chart?
A Helm chart is a collection of YAML templates with configurable variables. The templates describe Kubernetes resources like Deployments, Services, and ConfigMaps. When you install a chart, Helm fills in the variables from a values file and applies the resulting manifests to the cluster. A chart is the template; a release is the live deployment.
Do I need Helm to use EKS?
No. You can manage everything with plain kubectl and YAML manifests. However, most popular Kubernetes add-ons (the AWS Load Balancer Controller, cert-manager, Prometheus, Argo CD, Fluent Bit) are distributed as Helm charts. In practice, nearly every EKS cluster ends up needing Helm at some point.
Helm vs kubectl: what is the difference?
kubectl applies individual YAML manifests to a cluster one at a time. Helm packages many manifests into a chart, tracks them as a named release, and lets you upgrade or roll back the whole set as a unit. Use kubectl for direct cluster operations and debugging; use Helm to install and manage packaged applications.
Is Helm safe for production?
Yes. Helm is widely used in production. Since Helm 3 removed the Tiller server component that caused security concerns in Helm 2, all release state is stored as Kubernetes Secrets in the release namespace. Keep values files in version control, pin chart versions, and test upgrades before applying to production to reduce risk.
What does values.yaml do?
values.yaml is the configuration layer for a Helm chart. Every chart ships with a default values file that sets sensible defaults. You create your own values file to override only the settings you need to change: replica counts, image tags, resource limits, hostnames. Your values file is how you customise a chart for your environment without modifying the chart itself.