An Early Look At Helm 3

The first beta of Helm 3 is now available! This is a particularly important milestone because it signals the finalization of the big helm rewrite. From now on, the Helm team’s focus will be in bug fixes and stability. Which means that we can start to build charts targeting Helm 3, right?

I really wanted to try Helm 3 around, but didn’t want to mess my local machine (the Helm and Helm 3 binaries are not compatible, so you need to keep separate installs, $HELM_HOMEand whatnots), so instead of testing it in my machine, I decided to launch a development environment in Okteto Cloud and test everything from there.

Launch your development environment in Okteto Cloud

If this is your first time using Okteto, start by installing the Okteto CLI. We’ll need it to launch the development environment into Okteto Cloud.

We’ll start by initializing our development environment, using the okteto init command to create our manifest (this tells Okteto what kind of development environment to launch). Since we are working on an empty directory, okteto will ask us to pick a runtime. Pick the first one.

1
2
3
$ mkdir helm3
$ cd helm3
$ okteto init

Now that we have our development environment defined, we need to configure our local environment to work with Okteto Cloud.

First, run the okteto login command to create your Okteto Cloud account and link it to your local computer (you only need to do this once per computer).

1
2
3
$ okteto login 
✓ Logged in as rberrelleza
Run `okteto namespace` to activate your download your Kubernetes credeentials.

Second, run the okteto namespace command to download the Kubernetes credentials for Okteto Cloud, and to set it as our current context.

1
2
$ okteto namespace 
✓ Updated context 'cloud_okteto_com' in '/Users/ramiro/.kube/config'

Now we are ready to go! Run the okteto up command to launch our development environment directly into Okteto Cloud:

1
2
3
4
5
6
7
8
9
10
11
$ okteto up

Deployment okteto-helm3 doesn't exist in namespace rberrelleza. Do you want to create a new one? [y/n]: y
✓ Persistent volume provisioned
✓ Files synchronized
✓ Okteto Environment activated
Namespace: rberrelleza
Name: okteto-helm3

Welcome to your development environment. Happy coding!
okteto>

The okteto up command launches a development environment in Okteto Cloud, keeps your code synchronized between your development environment and your local machine and automatically opens a shell into the development environment for you. From now on we’ll be running all the commands directly in our remote development environment (note the okteto> bash symbol in the code samples 😎).

Install Helm 3 in the development environment

Download the v3.0.0-beta.1 release from github, and install it in /usr/bin/local.

1
2
3
4
okteto> wget https://get.helm.sh/helm-v3.0.0-beta.1-linux-amd64.tar.gz -O /tmp/helm-v3.0.0-beta.1-linux-amd64.tar.gz
okteto> tar -xvzf /tmp/helm-v3.0.0-beta.1-linux-amd64.tar.gz -C /tmp
okteto> mv /tmp/linux-amd64/helm /usr/local/bin/helm
okteto> chmod +x /usr/local/bin/helm

Run helm version to make sure everything is OK (We are dealing with beta software, after all).

1
2
okteto> helm version
version.BuildInfo{Version:"v3.0.0-beta.1", GitCommit:"f76b5f21adb53a85de8925f4a9d4f9bd99f185b5", GitTreeState:"clean", GoVersion:"go1.12.9"}

High level review

The biggest change introduced by Helm 3 (in my opinion) is that Tiller is gone. This makes Helm a lot simpler to use, since the Helm commands now run under the credentials you’re using instead of those of an intermediate service. This has huge implications, specially if you’re working on a shared or multi-tenant cluster. This is particularly exciting for us, since it allow us to fully support Helm as a 1st class citizen in Okteto Cloud.

Helm 3 will also bring a more powerfulcChart model, that’s going to leverage Open Container Images (OCI) and registries for distribution. I imagine it’s going to be something similar (or complementary?) to the work done in the CNAB project. Sadly, installing 3rd party charts is broken on this beta, so I didn’t get a chance to try that out.

What I did got a chance to try out was the full lifecycle of a local chart. As you can expect, it’s pretty much the same as Helm v2, but without the Tiller-related complexities.

Deploying our first chart

To keep exploring Helm 3, we are going to create a simple chart by running helm create. This command creates a chart with a deployment of an NGINX container and its corresponding service.

1
2
okteto> helm create hello-world
Creating hello-world

Deploy your chart by running the helm install command:

1
2
3
4
5
6
okteto> helm install hello-world ./hello-world
NAME: hello-world
LAST DEPLOYED: 2019-08-29 23:01:17.851466604 +0000 UTC m=+0.128796294
NAMESPACE: rberrelleza
STATUS: deployed
....

You can then run helm list to see all the installed releases:

1
2
3
okteto> helm list
NAME NAMESPACE REVISION UPDATED STATUS CHART
hello-world rberrelleza 1 2019-08-29 23:06:40.982957007 +0000 UTC deployed hello-world-0.1.0

When you launch a development environment in Okteto Cloud, a set of credentials is automatically created for you. The credentials are automatically mounted on your development environment, so you can start using tools like helm or kubectl without requiring extra configuration.

Another big change that’s being introduced with Helm 3 is that now every release has it’s own secret, clearly tagged with the name of the release and the version, and stored in the same namespace (no more searching across namespaces to find why a certain value was applied!). This makes rolling back versions easier, since Helm only needs to apply the contents of the secret, instead of having Tiller do complicated calculations.

You can see the content by running the kubectl get secret command:

1
okteto> kubectl get secret hello-world.v1 -oyaml

I couldn’t figure out how to decode/decrypt the content of the secret, I’ll update blog post once I do.

Now that our application is installed and ready, let’s try it out. Instead of having to run a port-forward to our local machine, we will let Okteto Cloud automatically create a publicly accessible SSL endpoint for our application by annotating the service with dev.okteto.com/auto-ingress=true. The chart created by helm create doesn’t support annotations, so we’ll just use kubectl annotate directly:

1
2
okteto> kubectl annotate service hello-world dev.okteto.com/auto-ingress=true
service/hello-world annotated

Let’s open our browser and head out to Okteto Cloud to see the application’s endpoint.

Go ahead and click on the URL to see our application up and running.

Upgrading the chart

Let’s change the boring “Welcome to nginx page!” with something with more flair. We’ll upgrade our chart and change the container image from nginx to ramiro/hello using the helm upgrade command.

1
okteto> helm upgrade --set image.repository=ramiro/hello hello-world ./hello-world

Run helm list to see the state of the release. Notice how the value of revision changed from 1 to 2 to indicate that a new version was deployed.

1
2
3
okteto> helm list
NAME NAMESPACE REVISION UPDATED STATUS CHART
hello-world rberrelleza 2 2019-08-30 00:05:57.204015932 +0000 UTC deployed hello-world-0.1.0

If you run the kubectl get secret command you’ll also see that a new secret was created for our new release, along with the older one (for rollback purposes).

1
2
3
4
5
6
okteto> kubectl get secret
NAME TYPE DATA AGE
...
hello-world.v1 helm.sh/release 1 10m
hello-world.v2 helm.sh/release 1 4m22s
...

Go back to your browser, reload the page, and verify that it was correctly upgraded 🐶.

Rolling back the chart

Now let’s simulate that we have a bad build. We’ll rollback to the previous stable version by using the helm rollback command.

1
2
> helm rollback hello-world 1
Rollback was a success! Happy Helming!
1
2
3
okteto> helm list
NAME NAMESPACE REVISION UPDATED STATUS CHART
hello-world website-rberrelleza 3 2019-09-04 01:50:17.464392339 +0000 UTC deployed hello-world-0.1.0

If we go back to our browser and reload the page, we should see NGINX’s welcome page once again. You can rollback to any specific revision, as long as the secret is still available.

Cleanup

Use the helm uninstall command to uninstall the chart and remove all the related resources.

1
2
okteto> helm uninstall hello-world
release "hello-world" uninstalled

Once you’re done playing with your development environment, exit the terminal and run the okteto down command to shut it down. But don’t worry, all the files you created there (like the chart) were automatically synchronized back to your local machine.

Conclusion

I’m really excited about Helm 3. The team managed to keep all the good things about it (repeatable installations, manifest-driven approach, easy to share charts, same commands) while removing the need to have a central service to keep all the state (buh bye Tiller!). I’m particularly curious to try the new chart model, as well as the helm test command (In my experience testing charts on Helm 2 is pretty much impossible). Beta v2 is already in prerelease, so we should have more information on all of this pretty soon!

Ephemeral development environments are a great way to keep different tech stacks from messing with each other, or to quickly try out beta software without “polluting” our machine. Making them super easy to use for everyone is one of our main motivations with building Okteto.

I would ❤️ to hear what you think about this feature.