基于 Helm v3.14Kubernetes 1.28~1.31 兼容涵盖核心概念、工作负载模板、高级用法、CI/CD 集成与生产最佳实践。1. Helm 简介与核心架构Helm 是 Kubernetes 的包管理器用于定义、安装、升级和管理 Kubernetes 应用。它通过Chart图表打包一组 Kubernetes 资源模板通过Values实现环境差异化配置。 Helm v3 架构演进对比 v2特性Helm v2Helm v3服务端组件Tiller集群内运行权限大无 Tiller直接使用用户 RBAC 权限Release 存储ConfigMapSecret可配置为 ConfigMap依赖管理requirements.yamldependencies内置于Chart.yaml镜像仓库HTTP Chart Museum / GitHub Pages支持 OCI RegistryDocker Registry / Harbor / GHCRCRD 管理自动安装/删除仅创建不删除防误删数据2. 环境准备与安装 Linux / macOScurlhttps://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3|bashhelm version Windows (Scoop)scoop install helm✅ 验证与配置# 添加官方仓库helm repoaddbitnami https://charts.bitnami.com/bitnami helm repo update# 搜索 Charthelm search repo nginx3. Chart 目录结构与核心文件helm create myapp tree myapp/myapp/ ├── Chart.yaml # 元数据名称、版本、依赖、API版本 ├── values.yaml # 默认配置值 ├── charts/ # 子 Chart依赖 ├── templates/ # Kubernetes 资源模板 │ ├── deployment.yaml │ ├── service.yaml │ ├── ingress.yaml │ └── _helpers.tpl # 模板函数与命名规则 ├── crds/ # CRD 定义仅安装不卸载 └── tests/ # 测试用例Chart.yaml示例apiVersion:v2name:myappdescription:示例应用 Charttype:applicationversion:1.0.0# Chart 版本语义化appVersion:2.5.0# 应用镜像版本dependencies:-name:postgresqlversion:12.5.0repository:https://charts.bitnami.com/bitnamicondition:postgresql.enabled4. Helm 基础操作# 安装/升级幂等helminstallmy-release ./myapp--namespacedev --create-namespace helm upgrade my-release ./myapp-fvalues-prod.yaml--namespacedev# 回滚helm rollback my-release2--namespacedev# 查看状态helm status my-release-ndev helm list-A# 卸载helm uninstall my-release-ndev# 模板预览不提交集群helm template my-release ./myapp-fvalues.yaml5. Kubernetes 三大工作负载详解与 Helm 实践 5.1 Deployment无状态应用特点副本数灵活、支持滚动更新、Pod 无固定身份、适合快速扩缩容。templates/deployment.yamlapiVersion:apps/v1kind:Deploymentmetadata:name:{{include myapp.fullname .}}labels:{{-include myapp.labels .|nindent 4}}spec:replicas:{{.Values.replicaCount}}selector:matchLabels:{{-include myapp.selectorLabels .|nindent 6}}strategy:type:RollingUpdaterollingUpdate:maxSurge:1maxUnavailable:0template:metadata:labels:{{-include myapp.selectorLabels .|nindent 8}}spec:containers:-name:{{.Chart.Name}}image:{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}imagePullPolicy:{{.Values.image.pullPolicy}}ports:-name:httpcontainerPort:80protocol:TCPresources:{{-toYaml .Values.resources|nindent 12}} 适用场景Web 前端、REST API、微服务需要快速水平扩展的应用配置通过 ConfigMap/Secret 注入无本地持久化状态 5.2 StatefulSet有状态应用特点Pod 名称固定name-ordinal、有序部署/扩缩容、独立 PVC、Headless Service 提供稳定网络标识。templates/statefulset.yamlapiVersion:apps/v1kind:StatefulSetmetadata:name:{{include myapp.fullname .}}-dbspec:serviceName:{{include myapp.fullname .}}-headlessreplicas:{{.Values.db.replicaCount}}podManagementPolicy:OrderedReadyupdateStrategy:type:RollingUpdateselector:matchLabels:app.kubernetes.io/name:{{include myapp.name .}}-dbtemplate:metadata:labels:app.kubernetes.io/name:{{include myapp.name .}}-dbspec:containers:-name:dbimage:{{ .Values.db.image.repository }}:{{ .Values.db.image.tag }}ports:-containerPort:5432env:-name:POSTGRES_PASSWORDvalueFrom:secretKeyRef:name:{{include myapp.fullname .}}-db-secretkey:passwordvolumeClaimTemplates:-metadata:name:dataspec:accessModes:[ReadWriteOnce]storageClassName:{{.Values.db.storageClass}}resources:requests:storage:{{.Values.db.storageSize}} Headless Service必须配合 StatefulSetapiVersion:v1kind:Servicemetadata:name:{{include myapp.fullname .}}-headlessspec:clusterIP:None# 关键无 ClusterIPports:-port:5432targetPort:5432name:dbselector:app.kubernetes.io/name:{{include myapp.name .}}-db 适用场景数据库MySQL、PostgreSQL、MongoDB消息队列Kafka、RabbitMQ分布式协调服务ZooKeeper、etcd需要稳定 DNS 标识与独立存储的集群 5.3 DaemonSet节点级守护进程特点每个 Node 运行一个 Pod、自动跟随节点增删、通常使用hostNetwork/hostPath或特权模式。templates/daemonset.yamlapiVersion:apps/v1kind:DaemonSetmetadata:name:{{include myapp.fullname .}}-agentlabels:{{-include myapp.labels .|nindent 4}}spec:selector:matchLabels:app.kubernetes.io/name:{{include myapp.name .}}-agenttemplate:metadata:labels:app.kubernetes.io/name:{{include myapp.name .}}-agentspec:tolerations:-operator:Exists# 容忍所有污点包括控制面节点containers:-name:node-exporterimage:{{ .Values.agent.image.repository }}:{{ .Values.agent.image.tag }}args:---path.procfs/host/proc---path.sysfs/host/sysports:-containerPort:9100volumeMounts:-name:procmountPath:/host/procreadOnly:true-name:sysmountPath:/host/sysreadOnly:truevolumes:-name:prochostPath:path:/proc-name:syshostPath:path:/sys 适用场景日志收集Fluentd、Filebeat、Loki Promtail监控指标采集Prometheus Node Exporter、Datadog Agent网络插件Calico、Cilium、Flannel存储插件Ceph CSI、Rook6. 工作负载对比与选型指南维度DeploymentStatefulSetDaemonSetPod 身份随机命名可替换固定序号pod-0,pod-1与 Node 绑定通常唯一扩缩容随机调度并行严格按序号创建/删除自动跟随节点数量网络标识通过 Service 负载均衡Headless Service 稳定 DNS通常直接访问 Pod IP 或 hostPort存储模型共享 PVC 或无状态独立 PVCvolumeClaimTemplates通常hostPath或本地存储更新策略RollingUpdate / RecreateRollingUpdate有序OnDelete / RollingUpdate典型场景Web/API/微服务DB/缓存/消息队列监控/日志/CNI/CSIHelm 注意事项最常用模板简单需配 Headless Service注意storageClass兼容性注意tolerations、节点亲和性、权限升级选型口诀无状态跑 Deployment有状态上 StatefulSet管节点用 DaemonSet。7. 高级特性与最佳实践 7.1 依赖管理与子 Charthelm dependency update ./myapp helm dependency build ./myapp在templates/中覆盖子 Chart 值# values.yamlpostgresql:enabled:trueauth:postgresPassword:supersecretprimary:persistence:size:10Gi 7.2 Helm Hooks生命周期钩子apiVersion:batch/v1kind:Jobmetadata:name:{{include myapp.fullname .}}-db-initannotations:helm.sh/hook:post-install,post-upgradehelm.sh/hook-weight:5helm.sh/hook-delete-policy:hook-succeededspec:template:spec:containers:-name:initimage:{{ .Values.db.image.repository }}:{{ .Values.db.image.tag }}command:[sh,-c,psql -c CREATE DATABASE app;]restartPolicy:Never 7.3 OCI 仓库支持Helm v3.8# 登录helm registry login ghcr.io-uUSER-pTOKEN# 推送helm package ./myapp--version1.2.0 helm push myapp-1.2.0.tgz oci://ghcr.io/myorg/charts# 安装helminstallmyapp oci://ghcr.io/myorg/charts/myapp--version1.2.0 7.4 生产最佳实践值结构分层按环境拆分values-dev.yaml、values-staging.yaml、values-prod.yaml避免硬编码使用{{ .Values }} 默认值敏感信息走 Secret/外部密钥管理Chart 版本控制遵循 SemVerappVersion与镜像版本对齐Lint 与测试helm lint ./myapp helm unittest ./myapp# 需安装 pluginCRD 安全CRD 只增不删升级前手动评估兼容性资源限额始终定义resources.requests/limits配合 VPA/HPA8. CI/CD 与 GitOps 集成 GitHub Actions 示例name:Helm CIon:[push,pull_request]jobs:test:runs-on:ubuntu-lateststeps:-uses:actions/checkoutv4-uses:azure/setup-helmv3-run:helm lint ./myapp-run:helm template ./myapp-f values-test.yaml|kubeval--strict GitOpsArgoCD / FluxArgoCD原生支持 Helm自动同步helm install/upgrade状态Flux使用HelmReleaseCRD 声明式管理apiVersion:helm.toolkit.fluxcd.io/v2beta2kind:HelmReleasemetadata:name:myappnamespace:prodspec:interval:5mchart:spec:chart:./myappsourceRef:kind:GitRepositoryname:my-repovalues:replicaCount:3image:tag:2.5.0 变更预览插件helm plugininstallhttps://github.com/databus23/helm-diff helmdiffupgrade my-release ./myapp-fvalues-prod.yaml9. 常见坑与排错指南现象原因解决release xxx has no deployed releases首次安装失败但未清理helm uninstall xxx或helm install --atomicfailed to create resource: ... already exists手动创建了同名资源删除冲突资源或使用--replaceStatefulSet Pod 卡在PendingPVC 无法绑定 / StorageClass 不存在检查storageClassName与 Provisioner 状态Helm 升级后旧 Pod 未删除标签选择器变更使用kubectl rollout restart或调整selectorHook 执行阻塞升级Hook 未设置hook-delete-policy或超时添加helm.sh/hook-delete-policy: hook-succeededOCI 拉取 401未登录或 Token 过期helm registry login重新认证 调试命令速查helm template ./myapp--debugrendered.yaml helm get manifest my-release-ndev helmhistorymy-release-ndev kubectl describe podpod-name-ndev 附录Helm 常用命令速查表命令说明helm create name创建新 Charthelm install release chart安装 Releasehelm upgrade release chart升级 Releasehelm rollback release [revision]回滚到指定版本helm uninstall release删除 Release不删 CRD/PVChelm list [-A]列出已安装 Releasehelm repo add/update/search仓库管理helm dependency update/build拉取/构建依赖helm lint语法与规范检查helm template本地渲染模板helm package打包为.tgzhelm push推送至 OCI 仓库 延伸阅读官方文档https://helm.sh/docs/Chart 最佳实践https://helm.sh/docs/chart_best_practices/Kubernetes 工作负载官方指南https://kubernetes.io/docs/concepts/workloads/Helm 插件生态https://artifacthub.io/packages/search?kindplugin学习建议从helm create开始逐步替换deployment.yaml→statefulset.yaml→daemonset.yaml配合helm template --debug观察渲染结果最后接入 CI/CD 实现自动化。