Skip to content
Shoehorn

Helm Release Detection

Shoehorn can detect the Helm releases running in your Kubernetes clusters and show which workloads each release manages.

Overview

Section titled “Overview”

When Helm detection is enabled, the K8s agent reads Helm’s release data and reports each release to Shoehorn along with the resources it renders (Deployments, Services, ConfigMaps, and so on). This connects a workload in the catalog back to the Helm release that owns it.

Helm stores each release as a Secret of type helm.sh/release.v1. The agent lists those Secrets on a timer, decodes the latest revision of each release, and pushes a summary: chart name and version, app version, status, health, and the list of resources the release manages.

Detection is off by default.

Enabling Helm detection

Section titled “Enabling Helm detection”

In your K8s agent values file:

agent:
  helm:
    enabled: true
    namespace: ""     # scan one namespace, or "" for all namespaces
    interval: 5m      # how often to rescan (30s to 1h)

Turning this on grants the agent read (list) access to Secrets, which is where Helm keeps release data. The Helm chart adds that RBAC automatically when agent.helm.enabled is true. Kubernetes RBAC can’t scope access to a single Secret type, so the agent is granted list on Secrets in the configured scope. It reads only release Secrets.

Terraform module

Section titled “Terraform module”

The shoehorn-kubernetes Terraform module exposes these as first-class variables:

VariablePurpose
agent_helm_enabledTurn Helm detection on. Off by default.
agent_helm_namespaceNamespace to scan, or empty for all namespaces.
agent_helm_intervalHow often to rescan (30s to 1h).

Viewing Helm releases

Section titled “Viewing Helm releases”

Once the agent reports releases, the Operations resource list shows the Helm release that manages each workload. Open a workload’s Operations tab to see its release: chart, version, status, and last deployed time.

How matching works

Section titled “How matching works”

A release reports the (kind, namespace, name) of every resource it renders. Shoehorn matches those tuples to the workloads the agent already tracks, so a Deployment shows the release that deployed it without any extra annotation.

Notes

Section titled “Notes”
  • The agent reports the latest revision of each release. Older revisions Helm keeps for rollback are ignored.
  • When a release is uninstalled, it drops out of the next scan and disappears from Shoehorn.
  • Detection is read-only. The agent never installs, upgrades, or uninstalls releases.