Today, we are happy to announce that the Helm Hub is moving to the Artifact Hub. That means, when you go to the Helm Hub you will be redirected to the Artifact Hub.

What This Means For You

If you search the Helm Hub or list your charts in the Helm Hub you might wonder, what does this mean for me?

The Artifact Hub lists all of the same charts the Helm Hub has listed. It provides search that is faster and includes faceted search. You should be able to discover charts in a similar way to what you did before. Searching continues to work with the Helm CLI, as well.

with a nod to Lewis Carroll...

“The time has come,” the maintainers said,
  “To talk of software fates:
Of upgrades -- and shipping Helm v3 --
  Of bugfixes -- and k8s --”

Helm v3 was released in November 2019, the result of ongoing community effort to evolve Helm to meet the community’s needs. With a streamlined client-only experience, a renewed focus on security, and tighter integration with Kubernetes APIs, Helm v3 continues to provide production-tested package management for Kubernetes. And as a graduated CNCF project, Helm is a key part of the cloud native ecosystem.

We recognize that rolling out a major version change in production requires time. The Helm maintainers committed to providing bugfixes for Helm v2 until May 2020 (which they extended to August 2020) and security patches for Helm v2 until November 2020. And now the bugfix window is closing; Helm v2.16.10 will be the final bugfix release and 2.17.0 will follow with the download location updated.

Today we are happy to see Helm reach the final stage of the CNCF ladder. Helm has moved from the incubating level to the graduated level as a CNCF project, alongside Kubernetes and other select projects.

Given Helm's humble beginnings as a hackathon project at Deis, a small startup, we are ecstatic to see our little baby all grown up. And we have certainly learned a lot about coding, community, and organizational politics over the last five years. But those are not the big reasons why we are celebrating Helm's graduation.

As our world comes together to fight the global pandemic, the Helm maintainers want to ensure that we're doing our part to help you maintain your critical systems while they are operating at peak demand in a time where normal development and operation schedules have had to be adjusted.

When Helm v3 was released in November 2019, our original commitment was that we would offer six months of Helm v2 bug fixes, which would end May 13, 2020, followed by six more months of security fixes for Helm v2. Given the expectation that current priorities require a singular focus on fighting the pandemic, we now plan to release Helm v2 bug fixes for an extra three months, until August 13th, 2020, giving Helm users more time for serving their communities' most immediate needs.

Next week is the annual KubeCon and CloudNativeCon in North America. The Helm project and maintainers have several things going on and we wanted to invite you to them.

Helm will have two maintainer track sessions that focus on an Introduction to Helm and a Helm 3 Deep Dive. Anyone who is new to Helm or would be interested in learning how and why they should use Helm, please consider attending the Introduction to Helm. If you are curious about the recently released Helm 3, the Helm 3 Deep Dive is for you. Please let others know about these talks if you think they will interest them!

The Helm Team is proud to announce the first stable release of Helm 3.

Helm 3 is the latest major release of the CLI tool. Helm 3 builds upon the success of Helm 2, continuing to meet the needs of the evolving ecosystem.

The internal implementation of Helm 3 has changed considerably from Helm 2. The most apparent change is the removal of Tiller, but it's worth checking out the other changes by diving into the new release. A rich set of new features have been added as a result of the community's input and requirements. Some features have been deprecated or refactored in ways that make them incompatible with Helm 2. Some new experimental features have also been introduced, including OCI support.

Devstats and stats on GitHub are able to capture many different types of contributions to an open source project. But there is one type of contribution for which we have yet to figure out a good metric, and it has been essential for Helm's success. That is community management.

Karen Chu has handled community management for Helm since the project was first announced at the inaugural KubeCon in San Francisco. Her work ranges from big things, like planning and executing two Helm Summits, down to smaller (but still essential) things like managing the Helm twitter account.

Today, the Helm Maintainers are proud to announce that we have successfully completed a 3rd party security audit for Helm 3. Helm has been recommended for public deployment.

A security audit is part of the graduation criteria for CNCF projects. Specifically, the graduation criteria says:

Have completed an independent and third party security audit with results published of similar scope and quality as the following example (including critical vulnerabilities addressed): https://github.com/envoyproxy/envoy#security-audit and all critical vulnerabilities need to be addressed before graduation.

Read More…

Part of the process for Helm to become a graduated CNCF project is to complete an independent and third party security audit with the results being published. As part of the audit of Helm 3 a security issue was found that also impacts Helm v2. Cure53 performed the audit and found the issue. More about the audit will be covered in a future post.

The vulnerability found impacts all versions of Helm between Helm >=2.0.0 and < 2.15.2. Helm commands that deal with loading a chart as a directory or packaging a chart provide an opportunity for a maliciously designed chart to include content not intended in the chart or to execute a denial of service (DOS) on the computer performing the packaging via the use of symlinks.

Helm 2.15.0 was released last week. The 2.15.0 release of Helm introduces several improvements to helm test. Several commands - helm search, helm repo list, and helm install - received the --output flag for machine-readable output.

In addition to these new features (and many more!), many bugs and edge cases in Helm continue to fixed by members of the community. Several parts of the codebase have been refactored for easier maintainability, usability, and better testing.