Generic

A multi-purpose Helm chart for Kubernetes workloads that need a reusable platform contract instead of application-specific templates. It supports Deployments, StatefulSets, DaemonSets, Jobs, CronJobs, multiple containers, Services, Ingress, storage, security resources, observability hooks, autoscaling, Gateway API, and arbitrary extra manifests rendered through Helm tpl.

Breaking feature release

The default image is now pinned to docker.io/library/nginx:1.27.5, image pull policy defaults to IfNotPresent, pod templates are deterministic, and stricter validation blocks invalid combinations such as HPA on DaemonSets. Review image, HPA, PDB, and rollout values before upgrading.

Jobs and CronJobs are separate lists

workload.type accepts Deployment, StatefulSet, and DaemonSet. One-shot Jobs and scheduled CronJobs are configured with jobs[] and cronjobs[]. Set workload.enabled: false for a batch-only release.

Key Features

Workloads — Deployment, StatefulSet, DaemonSet, Job, and CronJob.
Images — pinned default image, digest support, per-container overrides, and global.imageRegistry.
Networking — primary Service, additional Services, headless Service mode, Ingress custom backends, and HTTPRoute.
Security — ServiceAccount token control, Secrets, ExternalSecret, SealedSecret, RBAC, and NetworkPolicy.
Security presets — opt-in baseline and restricted pod/container contexts when explicit contexts are absent.
Storage — legacy persistence.storage[], declarative PVCs, explicit opt-in PVs, and StatefulSet claim templates.
Observability — ServiceMonitor, PodMonitor, PrometheusRule, HPA, VPA, and KEDA.
Rollout control — explicit rollout.restartAt and optional ConfigMap/Secret checksums.
Extensibility — extraManifests[] supports Helm templating with tpl.

CRD-backed resources are opt-in

Gateway API, ExternalSecret, SealedSecret, ServiceMonitor, PodMonitor, PrometheusRule, VPA, and KEDA resources require their CRDs to be installed first. The chart does not render them by default.

Disabled Service routing is explicit

When service.enabled: false, Ingress paths must set backend and HTTPRoute rules must set backendRefs. The chart blocks fallback routes to a primary Service that it is not rendering.

Installation

helm repo add helmforge https://repo.helmforge.dev
helm repo update
helm install my-app helmforge/generic -f values.yaml

helm install my-app oci://ghcr.io/helmforgedev/helm/generic -f values.yaml

Examples

workload:
  enabled: true
  type: Deployment

image:
  repository: docker.io/library/nginx
  tag: '1.27.5'
  pullPolicy: IfNotPresent

containers:
  - name: app
    ports:
      - name: http
        containerPort: 80

service:
  enabled: true
  port: 80
  targetPort: 80

ingress:
  enabled: true
  hosts:
    - host: app.example.com
      paths:
        - path: /
          pathType: Prefix

workload:
  enabled: true
  type: StatefulSet
  podManagementPolicy: Parallel
  persistentVolumeClaimRetentionPolicy:
    whenDeleted: Retain
    whenScaled: Retain
  volumeClaimTemplates:
    - metadata:
        name: data
      spec:
        accessModes: ['ReadWriteOnce']
        resources:
          requests:
            storage: 10Gi

service:
  headless:
    enabled: true

serviceAccount:
  create: true
  automountServiceAccountToken: false

secrets:
  - name: app
    stringData:
      password: change-me

rbac:
  create: true
  rules:
    - apiGroups: ['']
      resources: ['configmaps']
      verbs: ['get', 'list']

networkPolicy:
  enabled: true
  defaultDeny: true
  ingress:
    - from:
        - podSelector: {}
      ports:
        - protocol: TCP
          port: 80

workload:
  enabled: false

service:
  enabled: false

jobs:
  - name: db-migrate
    image:
      repository: docker.io/my-org/my-app
      tag: '1.0.0'
    command: ['./bin/migrate']
    backoffLimit: 2
    hooks:
      enabled: true
      events: ['pre-install', 'pre-upgrade']
      deletePolicy: before-hook-creation,hook-succeeded

cronjobs:
  - name: cleanup
    schedule: '0 2 * * *'
    timeZone: America/Sao_Paulo
    image:
      repository: docker.io/my-org/my-app
      tag: '1.0.0'
    command: ['./bin/cleanup']
    concurrencyPolicy: Forbid

rollout:
  restartAt: ''
  checksum:
    enabled: true
    configMaps: true
    secrets: true

podMonitor:
  enabled: true
  podMetricsEndpoints:
    - port: http
      path: /metrics

prometheusRule:
  enabled: true
  groups:
    - name: generic.rules
      rules:
        - alert: GenericDown
          expr: up == 0

gatewayApi:
  enabled: true
  httpRoutes:
    - name: web
      parentRefs:
        - name: public
      hostnames:
        - app.example.com
      rules:
        - matches:
            - path:
                type: PathPrefix
                value: /

Configuration Reference

This section covers the Generic chart values surface used by operators. For nested Kubernetes-native shapes, such as container probes, affinity, tolerations, Ingress backends, HTTPRoute matches, and KEDA triggers, use the upstream Kubernetes or operator API fields inside the corresponding value.

Core and Image

Parameter	Default	Description
`replicaCount`	`1`	Replica count when HPA is disabled.
`nameOverride`	`""`	Override the release name component.
`fullnameOverride`	`""`	Override the generated full name.
`commonLabels`	`{}`	Labels added to chart-managed resources.
`workload.enabled`	`true`	Render the long-running workload.
`workload.type`	`Deployment`	`Deployment`, `StatefulSet`, or `DaemonSet`.
`workload.*`	varies	StatefulSet and DaemonSet-specific workload fields.
`global.imageRegistry`	`""`	Registry prefix for image repositories without a registry.
`image.repository`	`docker.io/library/nginx`	Default image repository.
`image.tag`	`1.27.5`	Default image tag.
`image.digest`	`""`	Image digest; takes precedence over tag.
`image.pullPolicy`	`IfNotPresent`	Default image pull policy.
`imagePullSecrets`	`[]`	Pull secrets for private registries.
`containers[]`	app container	Workload containers with image, env, ports, probes, and more.
`initContainers[]`	`[]`	Init containers using the same container shape.
`env`	`[]`	Global environment variables for workloads and batch jobs.
`envFrom`	`[]`	Global ConfigMap or Secret environment sources.

Networking

Parameter	Default	Description
`service.enabled`	`true`	Render the primary Service.
`service.nameOverride`	`""`	Override primary Service name.
`service.headless.enabled`	`false`	Render primary Service with `clusterIP: None`.
`service.extraPorts`	`[]`	Extra ports on the primary Service.
`services[]`	`[]`	Additional Service resources.
`ingress.enabled`	`false`	Render Ingress.
`ingress.ingressClassName`	`traefik`	Ingress class name.
`ingress.annotations`	`{}`	Annotations for Ingress.
`ingress.defaultBackend`	`{}`	Optional default backend for Ingress.
`ingress.hosts[]`	`[]`	Ingress host rules; paths require explicit `backend` when `service.enabled=false`.
`ingress.tls`	`[]`	Ingress TLS entries.
`gatewayApi.enabled`	`false`	Render Gateway API HTTPRoutes.
`gatewayApi.httpRoutes[]`	`[]`	Gateway API HTTPRoutes; rules require `backendRefs` when `service.enabled=false`.

Security and Storage

Parameter	Default	Description
`serviceAccount.create`	`false`	Render a ServiceAccount.
`serviceAccount.automountServiceAccountToken`	`false`	Mount API token into pods.
`resources`	`{}`	Default container resources.
`livenessProbe`	`{}`	Global liveness probe for the first container.
`readinessProbe`	`{}`	Global readiness probe for the first container.
`startupProbe`	`{}`	Global startup probe for the first container.
`podSecurityContext`	`{}`	Pod-level security context.
`securityContext`	`{}`	Container-level security context.
`securityPreset`	`""`	Optional `baseline` or `restricted` security context preset.
`configMaps[]`	`[]`	Chart-managed ConfigMaps.
`secrets[]`	`[]`	Chart-managed Secrets.
`externalSecrets.enabled`	`false`	Render ExternalSecret resources.
`sealedSecrets.enabled`	`false`	Render SealedSecret resources.
`rbac.create`	`false`	Render Role and RoleBinding.
`rbac.clusterRole.create`	`false`	Render a ClusterRole and binding.
`networkPolicy.enabled`	`false`	Render NetworkPolicy.
`persistence.volumes[]`	`[]`	Pod volume definitions.
`persistence.mounts[]`	`[]`	Container volume mounts.
`persistence.storage[]`	`[]`	Legacy PV/PVC helper definitions.
`persistence.persistentVolumeClaims[]`	`[]`	Declarative PVCs.
`persistence.persistentVolumes[]`	`[]`	Explicit opt-in PVs.

Scheduling and Rollout

Parameter	Default	Description
`updateStrategy`	`RollingUpdate 25%`	Deployment rollout strategy.
`nodeSelector`	`{}`	Node selector.
`tolerations`	`[]`	Pod tolerations.
`affinity`	`{}`	Pod affinity and anti-affinity rules.
`topologySpreadConstraints`	`[]`	Pod topology spread constraints.
`priorityClassName`	`""`	PriorityClass name.
`preemptionPolicy`	`""`	Pod preemption policy.
`terminationGracePeriodSeconds`	`30`	Pod termination grace period.
`runtimeClassName`	`""`	RuntimeClass name.
`schedulerName`	`""`	Scheduler name.
`hostNetwork`, `hostPID`, `hostIPC`	`false`	Host namespace toggles.
`shareProcessNamespace`	`false`	Share process namespace between containers.
`enableServiceLinks`	`true`	Inject Service environment variables.
`dnsPolicy`	`""`	Pod DNS policy.
`dnsConfig`	`{}`	Pod DNS configuration.
`hostAliases`	`[]`	Pod host aliases.
`rollout.restartAt`	`""`	Explicit pod restart marker.
`rollout.podAnnotations`	`{}`	Rollout-only pod annotations.
`rollout.checksum`	enabled	ConfigMap/Secret checksum rollout controls.

Observability and Autoscaling

Parameter	Default	Description
`serviceMonitor.enabled`	`false`	Render ServiceMonitor.
`podMonitor.enabled`	`false`	Render PodMonitor.
`prometheusRule.enabled`	`false`	Render PrometheusRule.
`hpa.enabled`	`false`	Render HPA; not valid for DaemonSet.
`hpa.minReplicas`	`1`	HPA minimum replicas.
`hpa.maxReplicas`	required when enabled	HPA maximum replicas.
`hpa.metrics`	`[]`	HPA metrics.
`hpa.behavior`	`{}`	HPA scaling behavior.
`vpa.enabled`	`false`	Render VerticalPodAutoscaler.
`vpa.updateMode`	`Off`	VPA update mode.
`keda.enabled`	`false`	Render KEDA ScaledObject/ScaledJob resources.
`keda.scaledObject`	disabled	Scales the chart workload; requires `workload.enabled=true`.
`keda.scaledJobs[]`	`[]`	KEDA ScaledJob definitions for batch scaling.
`pdb.enabled`	`false`	Render PodDisruptionBudget.
`pdb.minAvailable`	unset	Minimum available pods; mutually exclusive with maxUnavailable.
`pdb.maxUnavailable`	unset	Maximum unavailable pods; mutually exclusive with minAvailable.

Deployment and StatefulSet HPA resources use the Kubernetes autoscaling/v2 API. StatefulSet scaling should be enabled only after validating the workload’s identity, storage, and clustering behavior. KEDA ScaledObjects target the chart-managed Deployment or StatefulSet; use ScaledJobs for event-driven batch releases without a long-running workload. KEDA, VPA, PodMonitor, and PrometheusRule remain disabled by default and require their CRDs before installation.

Batch

Parameter	Default	Description
`jobs[]`	`[]`	One-time Job definitions.
`cronjobs[]`	`[]`	Scheduled CronJob definitions.
`jobs[].hooks`	disabled	Optional Helm hook annotations for Jobs.
`extraManifests[]`	`[]`	Arbitrary Kubernetes manifests rendered through Helm `tpl`.

Upgrade Notes

Replace any inherited latest assumptions with an explicit tag or digest.
Set service.enabled: false for batch-only releases that should not render a Service.
Set hpa.maxReplicas whenever hpa.enabled: true.
Configure exactly one of pdb.minAvailable or pdb.maxUnavailable when enabling PDB.
Use rollout.restartAt or checksum settings instead of relying on render-time timestamps.