今日已更新 339 条资讯 | 累计 19899 条内容
关于我们

The Helm Chart Is a Platform Contract — Not a Template

sanjay sankhla 2026年07月05日 23:25 4 次阅读 来源:Dev.to

Early in building our cloud infrastructure, we had a problem nobody talks about — because it happens so slowly you almost don't notice it. We had eight separate Helm charts. One for services that needed KEDA scaling. One for standard HPA. One for backends that exposed HTTP. One for workers that didn't. One for Azure Functions. One for frontends. Eight charts, all living in the same repository, all drifting apart from each other. The charts started as copies of each other. Over time each one picked up its own fixes, its own conventions, its own slightly-different take on security contexts and ServiceAccount annotations and rolling update strategy. Nobody made a decision to diverge. It just happened. Every time we fixed something in one chart — say, wiring up Azure Workload Identity to every ServiceAccount — we had to remember to propagate that fix to seven others. Sometimes we did. Sometimes we didn't. We'd find out when something broke in an unexpected way six weeks later. Helm chart drift is more dangerous than dependency drift. At least with a dependency, you know what version you're on. With eight loosely related charts, you just don't know what you don't know. This is the story of how we replaced all eight with a single versioned chart, published to an OCI registry, and consumed by 70+ services through ArgoCD multi-source Applications — and what that structure forced us to think clearly about. The Two-Questions Framework The first thing we had to do was figure out why we had eight charts in the first place. What was actually different between services that justified a different chart? We landed on two questions: Does it expose HTTP? — This determines whether it needs an ingress, a Service, liveness/readiness probes on an HTTP path. What drives its scaling? — Standard CPU/memory HPA, or event-driven scaling via KEDA (Azure Service Bus, Event Hubs)? That's it. Everything else — security contexts, Workload Identity, pod anti-affinity, rolling update strategy, how s

本文内容来源于互联网,版权归原作者所有
查看原文