Inspecting Helm Values and Manifests
When working with installed Helm releases, it is often useful to inspect the current and previous state of a release.
Prerequisites
- A kubeconfig for the desired cluster
- Flux binary
- Helm binary
Listing Helm Releases
To start, identify the relevant installed Helm release using this command:
helm list -Aa
Example output:
NAME                                    NAMESPACE                       REVISION        UPDATED                                 STATUS          CHART                               APP VERSION
authservice-authservice                 authservice                     2               2025-04-07 18:07:26.676751014 +0000 UTC deployed        authservice-1.0.4-bb.1
...
The NAMESPACE field is the namespace that the manifests were deployed into, not necessarily the Helm release namespace. Most Helm releases are installed into the bigbang namespace. You can verify this by checking the Flux Helm Releases using the following command:
flux get hr -A
Example output:
NAMESPACE               NAME                            REVISION                        SUSPENDED       READY   MESSAGE                                                                                                                                      
bigbang                 authservice                     1.0.4-bb.1                      False           True    Helm upgrade succeeded for release authservice/authservice-authservice.v2 with chart authservice@1.0.4-bb.1
...
For the rest of the doc, we will use authservice as an example.
Listing Helm Release Revisions
Using the release NAME from the helm list command and the NAMESPACE from the flux get hr command, we can list the revisions of a Helm release:
helm history authservice-authservice -n bigbang
Example output:
REVISION        UPDATED                         STATUS          CHART                   APP VERSION     DESCRIPTION     
1               Mon Apr  7 17:56:52 2025        superseded      authservice-1.0.4-bb.1  1.0.4           Install complete
2               Mon Apr  7 18:07:26 2025        deployed        authservice-1.0.4-bb.1  1.0.4           Upgrade complete
Comparing Helm Chart Revisions
There are two useful ways to compare Helm chart revisions:
- Comparing input values
- Comparing rendered manifests
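Input values and rendered manifests can contain sensitive data, such as the client_secret values in the example output below. Handle output files appropriately: files written to /tmp under the common default umask of 022 are readable by other local users, so restrict their permissions and delete them when you are finished.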
Comparing Input Values
By comparing input values from one revision to another, you can easily identify what inputs have influenced the rendered manifests.
Getting values for a revision is simple. The following example gets the values from two revisions, stores them in files, and then uses diff to determine what changed:
helm get values authservice-authservice -n bigbang --revision 1 > /tmp/authservice-values-1.yaml
helm get values authservice-authservice -n bigbang --revision 2 > /tmp/authservice-values-2.yaml
diff -y /tmp/authservice-values-1.yaml /tmp/authservice-values-2.yaml
Example output:
USER-SUPPLIED VALUES:                                           USER-SUPPLIED VALUES:
chains:                                                         chains:
                                                              >   alertmanager:
                                                              >     authorization_uri: https://keycloak.10-32-4-232.nip.io/au
                                                              >     callback_uri: https://alertmanager.10-32-4-232.nip.io/log
                                                              >     client_id: alertmanager
                                                              >     client_secret: <REDACTED>
                                                              >     logout_redirect_uri: https://keycloak.10-32-4-232.nip.io/
                                                              >     match:
                                                              >       header: :authority
                                                              >       prefix: alertmanager.10-32-4-232.nip.io
                                                              >     token_uri: https://keycloak.10-32-4-232.nip.io/auth/realm
  minimal:                                                        minimal:
    callback_uri: https://localhost/login                           callback_uri: https://localhost/login
                                                              >   prometheus:
                                                              >     authorization_uri: https://keycloak.10-32-4-232.nip.io/au
                                                              >     callback_uri: https://prometheus.10-32-4-232.nip.io/login
                                                              >     client_id: prometheus
                                                              >     client_secret: <REDACTED>
                                                              >     logout_redirect_uri: https://keycloak.10-32-4-232.nip.io/
                                                              >     match:
                                                              >       header: :authority
                                                              >       prefix: prometheus.10-32-4-232.nip.io
                                                              >     token_uri: https://keycloak.10-32-4-232.nip.io/auth/realm
global:                                                         global:
  authorization_uri: https://keycloak.10-32-4-232.nip.io/auth     authorization_uri: https://keycloak.10-32-4-232.nip.io/auth
                                                              >   client_id: authservice
                                                              >   client_secret: <REDACTED>
  jwks_uri: https://keycloak.10-32-4-232.nip.io/auth/realms/s     jwks_uri: https://keycloak.10-32-4-232.nip.io/auth/realms/s
  logout_redirect_uri: https://keycloak.10-32-4-232.nip.io/au     logout_redirect_uri: https://keycloak.10-32-4-232.nip.io/au
<some content removed for brevity>
diff -y truncates lines that are too long to fit in its side-by-side columns. To see the full values, view the files directly.
Comparing Rendered Manifests
The same method as above can be used to compare the rendered manifests, using the helm get manifest command:
helm get manifest authservice-authservice -n bigbang --revision 1 > /tmp/authservice-manifests-1.yaml
helm get manifest authservice-authservice -n bigbang --revision 2 > /tmp/authservice-manifests-2.yaml
diff -y /tmp/authservice-manifests-1.yaml /tmp/authservice-manifests-2.yaml
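A hardened variant of the two comparison procedures above, added here as an example (it is not part of the original doc): it keeps the copies in an owner-only temporary directory that is deleted on exit, masks secret-looking values before they reach a file or the terminal, and uses diff -u so long lines are not truncated. The function names, the key-name pattern, and the rev-N.yaml file names are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example, not code from the original doc. POSIX sh compatible.

# Mask the value of YAML keys whose name ends in secret, password, token or key.
# Assumption: a key-name heuristic over single-line "key: value" pairs. It does
# not mask multi-line scalars or Secret "data:" entries with other key names.
redact_secrets() {
  awk '{
    line = $0
    if (match(line, /^[ -]*[A-Za-z0-9_.-]+ *: +[^ ]/)) {
      prefix = substr(line, 1, RLENGTH - 1)      # indentation, key, colon, spaces
      name = tolower(prefix)
      sub(/ *: +$/, "", name)
      if (name ~ /(secret|password|token|key)$/) line = prefix "<REDACTED>"
    }
    print line
  }'
}

# Usage: diff_revisions RELEASE NAMESPACE REV_A REV_B [values|manifest]
# Exit status follows diff: 0 identical, 1 different, 2 error.
diff_revisions() (
  kind=${5:-values}
  umask 077                                 # new files are owner-only (0600)
  dir=$(mktemp -d) || exit 2                # private 0700 dir with a random name
  trap 'rm -rf "$dir"' EXIT                 # delete the copies when this subshell exits
  for rev in "$3" "$4"; do
    # Capture first so a failing helm call is not hidden behind the pipe.
    out=$(helm get "$kind" "$1" -n "$2" --revision "$rev") || exit 2
    printf '%s\n' "$out" | redact_secrets > "$dir/rev-$rev.yaml"
  done
  cd "$dir" || exit 2
  diff -u "rev-$3.yaml" "rev-$4.yaml"       # unified diff does not truncate long lines
)

# Example: diff_revisions authservice-authservice bigbang 1 2 manifest
```

Because values are masked before the comparison, a secret that was rotated between revisions shows as unchanged; the diff reports only that the key was added or removed.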