← Back to Infrastructure

Helm Chart

InfrastructureMid

The Question

What is a Helm chart and why would you use one?

What a Strong Answer Covers

  • templating + values.yaml
  • "package manager for K8s

Senior-Level Answer

Helm is the package manager for Kubernetes. A **Helm chart** is a directory of files that together define a deployable unit: Go-templated Kubernetes manifests, a `values.yaml` file of defaults, a `Chart.yaml` with metadata, and optionally subcharts and lifecycle hooks.

The core value proposition is **parameterization with versioning**. Without Helm, teams maintain separate sets of manifests per environment (dev, staging, prod), leading to drift. With Helm, you write a chart once, define variable points with `{{ .Values.image.tag }}` or `{{ .Values.replicas }}`, and install the same chart with different `values.yaml` overrides per environment. The chart is versioned and can be published to a chart repository (Artifact Hub, OCI registries, Harbor), enabling reproducible installs and rollbacks with `helm rollback`.

A **release** is a specific installation of a chart into a namespace. Helm stores release state as Secrets in the target namespace (Helm 3), so the release history is durable and `helm history` shows every revision with its status.

Helm also manages the deployment lifecycle through **hooks** — Jobs or other resources that run at defined points: `pre-install`, `post-install`, `pre-upgrade`, `pre-rollback`. These are useful for running database migrations before an upgrade or sending a Slack notification on rollback.

For complex applications, charts can declare **dependencies** (subcharts) in `Chart.yaml`. For example, your app chart might depend on a `postgresql` subchart from Bitnami, pinned to a specific version, so a `helm dependency update` pulls it in before packaging.

The alternative to Helm is managing raw manifests with `kubectl apply -k` (Kustomize), which uses overlay patching rather than templating. Kustomize avoids template logic but requires more boilerplate for multi-environment variance. Many teams use both: Helm for third-party charts (databases, ingress controllers) and Kustomize for their own application manifests.

Helm 3 removed the server-side Tiller component from Helm 2, addressing a major security concern — all operations now happen client-side using the user's kubeconfig credentials.

What Separates a 2/3 from a 3/3

2/3 — Passing but Incomplete

Explains that Helm is a package manager, describes the values/template mechanism, and mentions versioned releases. Does not go into hooks, subcharts, or the Helm 2 vs. 3 security change.

3/3 — Strong Answer

Covers templating, values overrides, release management and rollback, hooks for lifecycle operations, subchart dependencies, release state storage, and can compare Helm vs. Kustomize trade-offs.

Common Mistakes

  • Describing Helm only as a templating tool without mentioning release management, versioning, and rollback.
  • Not knowing that Helm 3 removed Tiller and why that mattered for cluster security.
  • Confusing a chart (the package) with a release (a specific installation of that chart).
  • Being unable to articulate when you would choose Kustomize over Helm or use both.

Follow-Up Questions

  • How does Helm store release state, and what are the implications if those records are deleted? — Helm 3 stores state as Secrets in the release namespace. If deleted, Helm loses history and cannot rollback; helm install would re-create rather than upgrade.
  • Walk me through how you'd structure a chart that needs to run a DB migration before each upgrade. — Use a pre-upgrade hook Job with helm.sh/hook: pre-upgrade annotation. Discuss hook weight for ordering and deletion policy.
  • What is the difference between helm upgrade --install and a separate install/upgrade flow in CI/CD? — upgrade --install is idempotent — it installs if absent or upgrades if present, simplifying pipeline logic at the cost of less explicit control.
  • How would you manage secrets in a Helm chart without committing them to source control? — Options: helm-secrets plugin with SOPS, external values from Vault via ESO, or injecting values at CI time from a secrets manager.

Related Questions

  • K8s — Pod vs Deployment
  • K8s — Liveness vs Readiness
  • K8s — ConfigMap vs Secret
  • Docker — Container vs VM
  • CI/CD Pipeline

Can You Explain This Cold?

Reading the answer is step one. Explaining it unprompted — under interview pressure — is what actually matters. Get AI-graded feedback on your answer with follow-up probes on your weak points.

Get Graded — Free Assessment
GrindQuestionsAITechnical interview assessment
TermsPrivacyAbout