Storing Helm Charts and Archiving Old Versions to S3: A Practical Approach to Reliability

Introduction

Helm is like the app store for Kubernetes—making it incredibly easy to package, deploy, and manage even the most complex applications. When paired with Amazon Elastic Container Registry (ECR), you get a secure and scalable way to store and distribute your Helm charts, ensuring smooth deployments across different environments. But what about old versions? Storing archived Helm charts in Amazon S3 keeps your backups safe, ensuring you’re always prepared for rollbacks or disaster recovery.

In this guide, we’ll walk you through storing Helm charts in Amazon ECR for streamlined container orchestration while ensuring older versions are safely archived in Amazon S3 for disaster recovery. Whether you’re optimizing workflows or preparing for the unexpected, this approach will make your Kubernetes operations smoother, safer, and more efficient. Let’s dive in!

Why Should You Store Helm Charts in Amazon ECR?

Amazon ECR is an OCI-compliant registry that offers several advantages for Helm chart storage:

High Availability: Fully managed, highly available container registry.
Security: Supports IAM-based authentication and AWS PrivateLink.
Flexibility & Integration: Once your Helm charts are stored in ECR, you can access them from any environment. Whether AWS based or not, making it a versatile solution for cross-platform deployments.

Why Backup Helm Charts to Amazon S3?

Amazon S3 provides:

Durability: 99.999999999% (11 nines) of durability for stored objects.
Disaster Recovery: Secure backups in case of accidental deletion or corruption.

Prerequisites

Helm 3+ installed Installing Helm, see Helm Docs – Getting Started
Kubernetes Cluster
AWS access of S3 Bucket and ECR repository and IAM user

How to Seamlessly Push a Helm Chart to an Amazon ECR Repository

1. Authenticate AWS CLI
Ensure you have AWS CLI installed and configured with appropriate credentials.

				
					aws configure

2. Create a Helm chart named helm-test-chart

				
					helm create helm-test-chart

3. Package the chart.
The output will contain the filename of the packaged chart which you use when pushing the Helm chart

				
					helm package helm-test-chart

Output

				
					Successfully packaged chart and saved it to: /Users/username/helm-test-chart-0.1.0.tgz

4. Create a repository to store your Helm chart.
The name of your repository should match the name you used when creating the Helm chart in step 2. For more information, see Creating an Amazon ECR private repository to store images.

				
					aws ecr create-repository --repository-name helm-test-chart  --region <REGION-NAME>

5. Authenticate your Helm client to the Amazon ECR registry
which you intend to push your Helm chart. Authentication tokens must be obtained for each registry used, and the tokens are valid for 12 hours. For more information, see Private registry authentication in Amazon ECR.

				
					aws ecr get-login-password \
     --region <REGION> | helm registry login \
     --username <AWS-USERNAME> \
     --password-stdin <aws_account_id>.dkr.ecr.region.amazonaws.com

6. Push the Helm chart using the helm push The output should include the Amazon ECR repository URI and SHA digest.

				
					helm push helm-test-chart-0.1.0.tgz oci://aws_account_id.dkr.ecr.region.amazonaws.com/

7. Describe your Helm chart.

				
					aws ecr describe-images  --repository-name helm-test-chart  --region us-west-2

In the output, verify that the artifactMediaType parameter indicates the proper artifact type.

				
					{
    "imageDetails": [
        {
            "registryId": "aws_account_id",
            "repositoryName": "helm-test-chart",
            "imageDigest": "sha256:dd8aebdda7df991a0ffe0b3d6c0cf315fd582cd26f9755a347a52adEXAMPLE",
            "imageTags": [
                "0.1.0"
            ],
            "imageSizeInBytes": 1620,
            "imagePushedAt": "2021-09-23T11:39:30-05:00",
            "imageManifestMediaType": "application/vnd.oci.image.manifest.v1+json",
            "artifactMediaType": "application/vnd.cncf.helm.config.v1+json"
        }
    ]
}

Archiving old versions of Helm chart into S3 bucket

1. Get all image tags for the repository

				
					aws ecr get-login-password --region $AWS_REGION | helm registry login --username AWS --password-stdin $ECR_REPO

2. Save the image to a tar file

				
					helm pull oci://211125292961.dkr.ecr.ap-south-1.amazonaws.com/helm-test-chart --version 0.1.0

3. Create an S3 Bucket (If Not Created Already)

				
					aws s3 mb s3://<S3_BUCKET_NAME>

4. Upload the tar file to S3

				
					aws s3 cp helm-test-chart-0.1.0.tgz s3://<S3_BUCKET_NAME>/helm-charts/

5. Check if the file is in the S3 bucket

				
					aws s3 ls s3://<S3_BUCKET_NAME>/helm-charts/

Use Helm Chart from ECR and S3

1. Pull and Install a Helm Chart from Amazon ECR

				
					helm pull oci://<account-id>.dkr.ecr.ap-south-1.amazonaws.com/<ECR-REPO> --version 0.1.0
helm install my-release helm-test-chart-0.1.0.tgz

2. Retrieve and Install a Helm Chart from Amazon S3

				
					aws s3 cp s3://my-helm-backups/helm-test-chart-0.1.0.tgz .
helm install my-release helm-test-chart-0.1.0.tgz

Conclusion

By storing Helm charts in Amazon ECR, you ensure a secure, scalable, and highly available deployment process. Backing them up to Amazon S3 ensures durability, disaster recovery, and cost optimization. Automating these backups further strengthens your Kubernetes application lifecycle management, providing reliability and efficiency.