Data

Tools

Indexes

Applications

Experiments

Awesome

An open API service indexing awesome lists of open source software.

https://github.com/helmforgedev/charts

Open-source Helm charts, forged to last. The alternative to Bitnami — official upstream images, Apache 2.0 licensed, Cosign signed.
https://github.com/helmforgedev/charts

cosign devops helm helm-charts k8s kubernetes oci open-source production-ready self-hosted

Last synced: 7 days ago
JSON representation

Open-source Helm charts, forged to last. The alternative to Bitnami — official upstream images, Apache 2.0 licensed, Cosign signed.

Awesome Lists containing this project

README 

          


  HelmForge




HelmForge Charts





  Production-ready Helm charts for self-hosted and platform workloads.






  Tests

  Publish

  

    Quality

  

  

    Security

  

  

    Upstream

  

  GitHub stars

  Buy Me a Coffee

  License: Apache-2.0

  Artifact Hub

  Charts count

  GPG + Cosign Signed

  Helm 4

  Kubernetes >=1.26

  Open issues

  Open pull requests

  Last commit

  PRs Welcome






  Website ·

  Documentation ·

  Helm Repository ·

  Support ·

  Contributing ·

  Governance




## Quick Start



HelmForge publishes charts through both a standard HTTPS Helm repository and an OCI registry on GHCR.

Use the HTTPS repository when you want classic `helm repo` workflows,

and OCI when you prefer registry-native pulls and signatures.



### HTTPS repository



```bash

helm repo add helmforge https://repo.helmforge.dev

helm repo update

helm search repo helmforge/

helm install  helmforge/ --version  -f values.yaml

```



### OCI registry



```bash

helm install  oci://ghcr.io/helmforgedev/helm/ --version  -f values.yaml



# Show default values

helm show values oci://ghcr.io/helmforgedev/helm/ --version 

```



Check each chart's README and [git tags](../../tags) for available versions.



### Verify a packaged chart



Every published chart package is signed with GPG provenance, and OCI artifacts are signed with Cosign by the release workflow. Import the HelmForge public key before using Helm provenance verification.



```bash

# HTTPS repository provenance verification

helm pull helmforge/ --version  --verify



# OCI signature verification

cosign verify \

  --certificate-oidc-issuer https://token.actions.githubusercontent.com \

  --certificate-identity-regexp 'https://github.com/helmforgedev/charts/.github/workflows/publish.yml@refs/heads/main' \

  ghcr.io/helmforgedev/helm/:

```



## Why HelmForge



HelmForge is built on a simple principle: **use what upstream ships, make the Kubernetes contract explicit, and keep releases verifiable**.



- **Official upstream images** — charts prefer images published by the application maintainers. No proprietary rebuild layer or vendor-specific runtime wrapper.

- **Pinned version tags** — charts reference explicit, immutable image tags. No `:latest`, no floating tags, no surprises after a pull.

- **Apache-2.0 licensed** — the charts, tests, and docs use a CNCF-aligned permissive license. No open-core, no paid tiers, no license traps.

- **GPG + Cosign signed** — every release includes GPG provenance files for Helm verification and [Sigstore Cosign](https://www.sigstore.dev/) keyless signatures on OCI artifacts via GitHub Actions OIDC.

- **No vendor lock-in** — standard Helm, standard Kubernetes APIs, standard images. If you stop using HelmForge tomorrow, nothing breaks.

- **Explicit values contracts** — product-oriented `values.yaml` files map directly to application and Kubernetes configuration, with schemas and validations where they prevent bad releases.

- **HelmForge-native dependencies** — charts that need databases, caches, queues, or coordination services use HelmForge subcharts when available, keeping dependency behavior consistent across the catalog.

- **Operator-first docs** — chart READMEs, site docs, examples, and test values are kept close to the release surface.



## Support and Star Tracking



HelmForge is maintained in the open and funded by practical community signals: stars, issues, reviews, and direct support.





  

    GitHub stars

  

  

    Support HelmForge on Buy Me a Coffee

  




If HelmForge helps your cluster or saves maintenance time, please give the repository a star.

Stars help track real adoption, make the project easier to discover, and guide where maintenance time should go next.

For direct support, use [Buy Me a Coffee](https://buymeacoffee.com/mberlofa).



## Charts



60+ production-ready charts covering databases, authentication, CMS, analytics, automation, AI tooling, observability, and platform infrastructure.



Browse the full catalog with descriptions, install commands, and playground configs at **[helmforge.dev/docs/charts](https://helmforge.dev/docs/charts)**.



Common categories include:



- **Databases and data stores** — PostgreSQL, MySQL, MariaDB, MongoDB, Redis, Valkey, Kafka, ZooKeeper, RabbitMQ, Elasticsearch, and Druid.

- **Identity and access** — Keycloak, Authelia, and application charts with ingress/auth integration patterns.

- **Automation and operations** — n8n, Cronicle, FastMCP Server, Cloudflared, Velero, DDNS Updater, and Envoy Gateway.

- **Content and community apps** — WordPress, Ghost, Drupal, Gitea, Wallabag, Castopod, Komga, OpenWebUI, and more.



### Generic platform chart



The [`generic`](charts/generic) chart is the reusable platform chart for workloads that need a Kubernetes contract

instead of an application-specific chart. It is useful for internal services, workers, batch releases,

sidecar-based apps, and platform integration tests where a full bespoke chart would add more maintenance than value.



It supports:



- Deployments, StatefulSets, DaemonSets, Jobs, and CronJobs.

- Multiple containers, init containers, global env/envFrom, probes, rollout checksums, and explicit restarts.

- Primary and additional Services, headless Service mode, Ingress, and Gateway API HTTPRoutes.

- RBAC, NetworkPolicy, ServiceMonitor, PodMonitor, PrometheusRule, VPA, HPA, and KEDA.

- Safer validation for disabled-Service routing and KEDA ScaledObject targets.



## Automation and Governance



The repository is governed by a comprehensive suite of GitHub Actions workflows that enforce quality, security, and operational intelligence automatically.



| Workflow | Trigger | Purpose |

|----------|---------|----------|

| **[ci.yml](../../actions/workflows/ci.yml)** | PR | Dependency build, lint, template, unit test, kubeconform, ArtifactHub lint |

| **[publish.yml](../../actions/workflows/publish.yml)** | Push to main | Semver bump, package, sign, publish to GHCR + Pages |

| **[code-quality.yml](../../actions/workflows/code-quality.yml)** | PR | Markdown lint, values quality checks, SPDX license headers |

| **[security-scan.yml](../../actions/workflows/security-scan.yml)** | PR | Kubescape MITRE + NSA + SOC2 compliance scanning |

| **[pr-governance.yml](../../actions/workflows/pr-governance.yml)** | PR | Conventional commit enforcement, auto-labeling |

| **[upstream-watch.yml](../../actions/workflows/upstream-watch.yml)** | Weekly (Mon 8AM UTC) | Monitors upstream image tags across Docker Hub, GHCR, and Quay.io |

| **[community.yml](../../actions/workflows/community.yml)** | Daily | Stale issue/PR management |

| **[repo-health.yml](../../actions/workflows/repo-health.yml)** | Daily | Helm index, OCI registry, and badge endpoint monitoring |



## Tests and Publishing



Charts are automatically tested and published via GitHub Actions.



```text

PR        --> ci.yml           --> [Lint] [Template] [Unit Test] [Kubeconform] [ArtifactHub Lint]

          --> code-quality.yml --> [Markdown Lint] [Values Quality] [License Headers]

          --> security-scan.yml --> [Kubescape MITRE+NSA+SOC2]

          --> pr-governance.yml --> [Conventional Commits] [Auto Labels]

Push main --> publish.yml      --> Detect --> Semver --> Package --> Sign --> Publish --> Git tag

Weekly    --> upstream-watch.yml --> Scan all charts --> Create issues for outdated images

```



PR workflows (`ci.yml`, `code-quality.yml`, `security-scan.yml`) dynamically detect which charts changed

and run jobs only for affected charts using a matrix strategy.

Changes to docs (`README.md`, `examples/`, `docs/`) are ignored.

Scheduled workflows run against the full repository.



The `Tests` workflow runs for pull requests and pushes to `main` that affect chart templates,

chart metadata, tests, or the workflow itself. The `Publish` workflow runs on pushes to `main`

and publishes chart releases. Documentation-only changes are intentionally excluded

from chart tests and release publishing.



Quality gates include:



- `helm dependency build` for charts with subcharts.

- `helm lint` and `helm lint --strict`.

- `helm template` with default values and every `ci/*.yaml` scenario.

- `helm unittest` when a chart has a test suite.

- `kubeconform` against Kubernetes schemas and CRD schemas from the Datree CRDs catalog.

- Kubescape security compliance scanning (MITRE, NSA, SOC2 frameworks).

- Markdown linting and SPDX license header enforcement on changed files.

- Artifact Hub package lint before release metadata is published.

- Signed package publishing to GHCR and the HTTPS Helm repository.



### Versioning



Versions are calculated automatically from Conventional Commits affecting each chart.



| Commit prefix | Bump | Example |

|---------------|------|---------|

| `fix:`, `docs:`, `refactor:` | PATCH | `fix(generic): correct HPA indentation` |

| `feat:` | MINOR | `feat(generic): add DaemonSet support` |

| `feat!:` or `BREAKING CHANGE` | MAJOR | `feat(generic)!: restructure workload config` |



Tags follow the format `{chart}-v{version}` (for example `generic-v1.2.3`).



### Release Notes



Every chart release automatically creates a [GitHub Release](https://github.com/helmforgedev/charts/releases) with categorized notes generated from Conventional Commits:



- **Breaking Changes** — commits with `!:` or `BREAKING CHANGE`

- **Features** — `feat(...):`

- **Bug Fixes** — `fix(...):`

- **Other Changes** — `docs`, `refactor`, `ci`, etc.



Each release includes install instructions for both OCI and Helm repository.



### Testing



Each chart can include a `ci/` directory with test values files. The pipeline runs `helm template`

and kubeconform against every `ci/*.yaml` file automatically, in addition to default values, lint,

Artifact Hub lint, and chart unit tests when present.



For local chart work:



```bash

# For charts with HelmForge OCI subcharts, authenticate to GHCR if your environment is not already logged in.

echo "$GHCR_TOKEN" | helm registry login ghcr.io -u "$GHCR_USERNAME" --password-stdin

helm dependency build charts/

helm lint charts/ --strict

helm template test-release charts/

helm unittest charts/

helm template test-release charts/ \

  | kubeconform -strict -summary \

      -schema-location default \

      -schema-location 'https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/{{.Group}}/{{.ResourceKind}}_{{.ResourceAPIVersion}}.json' \

      -exit-on-error

ah lint -p charts/

kubescape scan framework "MITRE,NSA,SOC2" charts/

```



For runtime validation, use a local k3d cluster instead of a production Kubernetes context.



### Kubernetes Compatibility



All charts require **Helm 4** (`apiVersion: v2`) and target **Kubernetes 1.26+**.



| Kubernetes Version | Status |

|--------------------|--------|

| 1.26.x | Supported (minimum) |

| 1.27.x | Supported |

| 1.28.x | Supported |

| 1.29.x | Supported |

| 1.30.x | Supported |

| 1.31.x | Supported |

| 1.32.x | Supported |

| 1.33.x | Supported |

| 1.34.x | Supported |

| 1.35.x | Supported |



The Tests workflow validates rendered manifests with [kubeconform](https://github.com/yannh/kubeconform)

against the default Kubernetes JSON schemas. Local runtime validation uses [k3d](https://k3d.io/) clusters.



Charts use standard stable APIs (`apps/v1`, `batch/v1`, `networking.k8s.io/v1`) and avoid alpha/beta API versions to maximize compatibility.



## Contributing



Contributions are welcome. Please read the [contributing guide](CONTRIBUTING.md) for branch flow, validation requirements, commit conventions, and chart standards.



Community and project governance documents:



- [Code of Conduct](CODE_OF_CONDUCT.md)

- [Governance](GOVERNANCE.md)

- [Maintainers](MAINTAINERS.md)

- [Adopters](ADOPTERS.md)

- [Security Policy](SECURITY.md)



## Contributors





  HelmForge Charts contributors




## License



Apache License 2.0