Frequently Asked Questions
Common questions about installing, configuring, and operating HelmForge charts.
Installation
How do I add the HelmForge Helm repository?
helm repo add helmforge https://repo.helmforge.dev
helm repo updateYou can also install charts directly from the OCI registry without adding a repo:
helm install my-release oci://ghcr.io/helmforgedev/helm/redisCan I install charts using OCI instead of the Helm repo?
Yes. All HelmForge charts are published as OCI artifacts on GitHub Container Registry:
helm install my-release oci://ghcr.io/helmforgedev/helm/<chart-name>All releases include GPG provenance files and Cosign keyless signatures. You can verify them with:
# Cosign (OCI artifacts)
cosign verify ghcr.io/helmforgedev/helm/<chart-name>:<version> \
--certificate-identity-regexp="github.com/helmforgedev" \
--certificate-oidc-issuer="https://token.actions.githubusercontent.com"
# GPG (Helm provenance)
helm verify <chart-name>-<version>.tgz --keyring pgp-public-key.ascHow do I upgrade a chart without downtime?
For most charts, helm upgrade performs a rolling update by default:
helm upgrade my-release helmforge/<chart-name> -f values.yamlFor database charts, check the architecture-specific docs:
- Standalone: brief downtime during pod restart is expected
- Replication: the upgrade rolls replicas first, then the primary, minimizing downtime
Always back up data before upgrading database charts.
How do I install a specific chart version?
helm install my-release helmforge/<chart-name> --version 1.2.3To list all available versions:
helm search repo helmforge/<chart-name> --versionsConfiguration
How do I use a different ingress controller?
Set ingress.className in your values:
ingress:
enabled: true
className: nginx # or traefik, haproxy, etc.
hosts:
- host: app.example.com
paths:
- path: /
pathType: PrefixHelmForge charts default to traefik as the ingress class, but any controller that supports the IngressClass resource will work.
How do I enable TLS with cert-manager?
Add the cert-manager annotation and a TLS section:
ingress:
enabled: true
className: traefik
annotations:
cert-manager.io/cluster-issuer: letsencrypt-prod
hosts:
- host: app.example.com
paths:
- path: /
pathType: Prefix
tls:
- secretName: app-tls
hosts:
- app.example.comHow do I set resource requests and limits?
Most charts support a resources block:
resources:
requests:
cpu: 100m
memory: 128Mi
limits:
cpu: 500m
memory: 512MiCheck the chart’s values.yaml for the exact path — some charts have per-component resources (e.g., primary.resources, secondary.resources).
How do I use an existing Secret instead of chart-generated credentials?
Most charts support existingSecret:
auth:
existingSecret: my-precreated-secretThe secret must contain the expected keys. Check the chart’s README for the required key names.
Backup
How do I configure S3 backup with MinIO?
Database charts that support backup accept S3-compatible endpoints:
backup:
enabled: true
schedule: '0 2 * * *'
s3:
endpoint: http://minio.minio.svc.cluster.local:9000
bucket: backups
accessKey: minioadmin
secretKey: minioadmin
region: us-east-1For production, store credentials in a Kubernetes Secret and reference it via backup.existingSecret.
Which charts support automated backups?
Charts with built-in S3 backup CronJobs:
- PostgreSQL —
pg_dumpto S3 - MySQL —
mysqldumpto S3 - MongoDB —
mongodumpto S3 - MariaDB —
mariadb-dumpto S3
All backup jobs support S3-compatible endpoints (AWS S3, MinIO, DigitalOcean Spaces, etc.).
How do I restore from a backup?
Backup restoration is application-specific. General steps:
- Download the backup from S3
- Create a new release or scale down the existing one
- Restore using the application’s native tool (
psql,mysql,mongorestore) - Verify data integrity
- Scale back up
Check the chart’s docs for detailed restore procedures.
Networking
How do I expose a service without an ingress controller?
Use a NodePort or LoadBalancer service type:
service:
type: LoadBalancer
port: 80Or use port-forwarding for development:
kubectl port-forward svc/my-release-<chart> 8080:80How do I use Pi-hole with Cloudflared for DNS-over-HTTPS?
Deploy both charts and point Pi-hole’s upstream DNS to Cloudflared:
# Pi-hole values
pihole:
dns:
upstream:
- 'cloudflared.default.svc.cluster.local#5053'See the Network Stack preset in the Stack Builder for a one-click setup.
Compatibility
What Kubernetes versions are supported?
HelmForge charts are tested on Kubernetes 1.28+. Most charts work on 1.26+ but we recommend staying on a supported Kubernetes version.
Can I use HelmForge charts with ArgoCD or Flux?
Yes. For ArgoCD, create an Application resource:
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: my-redis
namespace: argocd
spec:
destination:
namespace: default
server: https://kubernetes.default.svc
source:
repoURL: https://repo.helmforge.dev
chart: redis
targetRevision: '*'
helm:
values: |
architecture: standalone
project: defaultFor Flux, create a HelmRelease:
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: my-redis
namespace: default
spec:
chart:
spec:
chart: redis
sourceRef:
kind: HelmRepository
name: helmforge
version: '*'
values:
architecture: standaloneThe Stack Builder can generate both ArgoCD and Helmfile manifests.
Do HelmForge charts use official images?
Yes. HelmForge charts use official upstream images whenever available. When an official image does not exist, the chart documents this clearly and specifies a trusted community image.
All image tags are pinned to specific versions — never latest or floating tags.
Are charts signed?
Yes. HelmForge uses dual signing: GPG provenance files for helm verify and Sigstore Cosign keyless signatures on OCI artifacts. Both are generated automatically in the CI/CD pipeline. See the installation section above for verification commands.
What license are the charts under?
All HelmForge charts are released under the MIT License. You can use them freely in personal and commercial projects.