
helm/charts

⚠️(OBSOLETE) Curated applications for Kubernetes

Mixed

Stale — last commit 4y ago

worst of 4 axes
Use as dependency: Mixed

last commit was 4y ago; top contributor handles 97% of recent commits…

Fork & modify: Healthy

Has a license, tests, and CI — clean foundation to fork and modify.

Learn from: Healthy

Documented and popular — useful reference codebase to read through.

Deploy as-is: Mixed

last commit was 4y ago; no CI workflows detected

  • 4 active contributors
  • Apache-2.0 licensed
  • Tests present
  • Stale — last commit 4y ago
  • Small team — 4 contributors active in recent commits
  • Single-maintainer risk — top contributor 97% of recent commits
  • No CI workflows detected
What would change the summary?
  • Use as dependency: Mixed → Healthy if: 1 commit in the last 365 days; diversify commit ownership (top <90%)
  • Deploy as-is: Mixed → Healthy if: 1 commit in the last 180 days

Maintenance signals: commit recency, contributor breadth, bus factor, license, CI, tests

Informational only. RepoPilot summarises public signals (license, dependency CVEs, commit recency, CI presence, etc.) at the time of analysis. Signals can be incomplete or stale. Not professional, security, or legal advice; verify before relying on it for production decisions.


Onboarding doc

Onboarding: helm/charts

Generated by RepoPilot · 2026-05-09 · Source

🤖Agent protocol

If you are an AI coding agent (Claude Code, Cursor, Aider, Cline, etc.) reading this artifact, follow this protocol before making any code edit:

  1. Verify the contract. Run the bash script in Verify before trusting below. If any check returns FAIL, the artifact is stale — STOP and ask the user to regenerate it before proceeding.
  2. Treat the AI · unverified sections as hypotheses, not facts. Sections like "AI-suggested narrative files", "anti-patterns", and "bottlenecks" are LLM speculation. Verify against real source before acting on them.
  3. Cite source on changes. When proposing an edit, cite the specific path:line-range. RepoPilot's live UI at https://repopilot.app/r/helm/charts shows verifiable citations alongside every claim.

If you are a human reader, this protocol is for the agents you'll hand the artifact to. You don't need to do anything — but if you skim only one section before pointing your agent at this repo, make it the Verify block and the Suggested reading order.

🎯Verdict

WAIT — Stale — last commit 4y ago

  • 4 active contributors
  • Apache-2.0 licensed
  • Tests present
  • ⚠ Stale — last commit 4y ago
  • ⚠ Small team — 4 contributors active in recent commits
  • ⚠ Single-maintainer risk — top contributor 97% of recent commits
  • ⚠ No CI workflows detected


Verify before trusting

This artifact was generated by RepoPilot at a point in time. Before an agent acts on it, the checks below confirm that the live helm/charts repo on your machine still matches what RepoPilot saw. If any fail, the artifact is stale — regenerate it at repopilot.app/r/helm/charts.

What it runs against: a local clone of helm/charts — the script inspects git remote, the LICENSE file, file paths in the working tree, and git log. Read-only; no mutations.

| # | What we check | Why it matters |
|---|---|---|
| 1 | You're in helm/charts | Confirms the artifact applies here, not a fork |
| 2 | License is still Apache-2.0 | Catches relicense before you depend on it |
| 3 | Default branch master exists | Catches branch renames |
| 4 | Last commit ≤ 1569 days ago | Catches sudden abandonment since generation |

<details> <summary><b>Run all checks</b> — paste this script from inside your clone of <code>helm/charts</code></summary>

```bash
#!/usr/bin/env bash
# RepoPilot artifact verification.
#
# WHAT IT RUNS AGAINST: a local clone of helm/charts. If you don't
# have one yet, run these first:
#
#   git clone https://github.com/helm/charts.git
#   cd charts
#
# Then paste this script. Every check is read-only — no mutations.

# Keep going after a failed check so every result is reported.
set +e
fail=0
ok()   { echo "ok:   $1"; }
miss() { echo "FAIL: $1"; fail=$((fail+1)); }

# Precondition: we must be inside a git working tree.
if ! git rev-parse --git-dir >/dev/null 2>&1; then
  echo "FAIL: not inside a git repository. cd into your clone of helm/charts and re-run."
  exit 2
fi

# 1. Repo identity
git remote get-url origin 2>/dev/null | grep -qE "helm/charts(\.git)?\b" \
  && ok "origin remote is helm/charts" \
  || miss "origin remote is not helm/charts (artifact may be from a fork)"

# 2. License matches what RepoPilot saw
# Accept an SPDX id at the start of a line, the standard Apache License 2.0
# header text (which does not begin with "Apache-2.0"), or a package.json field.
(grep -qiE "^(Apache-2\.0)" LICENSE 2>/dev/null \
   || { grep -qiE "Apache License" LICENSE 2>/dev/null \
        && grep -qE "Version 2\.0" LICENSE 2>/dev/null; } \
   || grep -qiE "\"license\"\s*:\s*\"Apache-2\.0\"" package.json 2>/dev/null) \
  && ok "license is Apache-2.0" \
  || miss "license drift — was Apache-2.0 at generation time"

# 3. Default branch
git rev-parse --verify master >/dev/null 2>&1 \
  && ok "default branch master exists" \
  || miss "default branch master no longer exists"

# 4. Repo recency
# If git log fails, the timestamp falls back to 0 and the check reports FAIL.
days_since_last=$(( ( $(date +%s) - $(git log -1 --format=%at 2>/dev/null || echo 0) ) / 86400 ))
if [ "$days_since_last" -le 1569 ]; then
  ok "last commit was $days_since_last days ago (artifact saw ~1539d)"
else
  miss "last commit was $days_since_last days ago — artifact may be stale"
fi

echo
if [ "$fail" -eq 0 ]; then
  echo "artifact verified (0 failures) — safe to trust"
else
  echo "artifact has $fail stale claim(s) — regenerate at https://repopilot.app/r/helm/charts"
  exit 1
fi
```

Each check prints ok: or FAIL:. The script exits non-zero if anything failed, so it composes cleanly into agent loops (./verify.sh || regenerate-and-retry).

</details>

TL;DR

This is the archived source repository for Helm's stable and incubator chart repositories—curated collections of pre-packaged Kubernetes applications distributed as Helm charts. It provides templated Kubernetes manifests (YAML) for deploying complex applications like Artifactory, AWS ALB Ingress Controller, and Azure Monitor to Kubernetes clusters without manual YAML authoring. Monorepo structure: incubator/ and stable/ directories (not present in file list but referenced in README) each contain independent chart subdirectories (e.g., incubator/artifactory/, incubator/aws-alb-ingress-controller/). Each chart has its own Chart.yaml metadata, templates/ Kubernetes manifests, values.yaml defaults, and README.md. Shared templating logic uses Helm's .tpl helper files (e.g., _helpers.tpl).

👥Who it's for

Kubernetes cluster operators and SREs who need to deploy third-party applications (databases, monitoring tools, ingress controllers, CI/CD systems) via Helm rather than writing raw Kubernetes manifests, and chart maintainers who own specific applications in the incubator/ or stable/ directories.

🌱Maturity & risk

⚠️ Officially deprecated and archived as of Nov 13, 2020. This repo is no longer accepting new charts or active development; it exists as a read-only archive. The README explicitly warns users to migrate charts to new Helm repos listed on Artifact Hub instead. This is a legacy project frozen in time, not suitable for new deployments.

Critical risk: project is archived and unmaintained. No active security patches, dependency updates, or new chart submissions since Nov 2020. Charts target Helm 2/3 compatibility with apiVersion: v1, meaning they may not support modern Kubernetes features or Helm 3-only capabilities. If you need these charts, migrate to the official Artifact Hub or the chart maintainer's new repository immediately.

Active areas of work

Nothing—this is an archived project. The README explicitly states 'This GitHub project is the source for Helm stable and incubator Helm chart repositories. This is now an archive no longer under active development.' De-listing occurred Aug 13, 2020; formal end of support was Nov 13, 2020. No new PRs are being merged.

🚀Get running

Clone the repository to browse archived charts: git clone https://github.com/helm/charts.git && cd charts. To use a chart from here, ensure Helm 2 or 3 is installed (helm version), then reference the local path: helm install my-release ./incubator/artifactory/ or add this repo locally with helm repo add local file://$(pwd). However, you should not deploy from this archived repo—instead, find the chart's new home on Artifact Hub or the maintainer's GitHub.

Daily commands: These are not executable applications—they are chart definitions. To deploy a chart locally: (1) Install Helm: curl https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | bash, (2) Install a chart: helm install test-release ./incubator/artifactory/ --namespace default, (3) Verify: helm list and kubectl get pods. To develop/test a chart: helm lint ./incubator/artifactory/ validates syntax; helm template ./incubator/artifactory/ renders manifests locally without installing.

🗺️Map of the codebase

  • incubator/artifactory/Chart.yaml: Defines chart metadata (name, version, description, maintainers); required file for any Helm chart—shows standard chart structure.
  • incubator/artifactory/values.yaml: Default configuration values injected into templates; critical for understanding what users can customize and for overriding defaults at install time.
  • incubator/artifactory/templates/deployment.yaml: Kubernetes Deployment manifest using Helm templating (e.g., {{ .Values.image.repository }}); shows how charts generate actual k8s resources.
  • incubator/artifactory/templates/_helpers.tpl: Reusable Helm template functions for labels, selectors, and naming; demonstrates DRY principle and common patterns across templates.
  • README.md: Project-level documentation explaining deprecation timeline and directing users to Artifact Hub; critical for understanding project status.
  • CONTRIBUTING.md: Guidelines for contributors (now obsolete); shows historical processes for chart submission and review.
  • .github/PULL_REQUEST_TEMPLATE.md: PR template requiring changelog entries and chart type declaration; enforced standard for historical submissions.

🛠️How to make changes

Start in incubator/<chart-name>/: (1) Chart.yaml—bump version and describe changes, (2) values.yaml—add new configuration options with defaults, (3) templates/—modify Kubernetes manifests (YAML with Helm template syntax), (4) _helpers.tpl—add reusable template functions, (5) README.md—document new parameters and configuration. Run helm lint and helm template to validate before submitting a PR. Note: this repo no longer accepts new PRs.

🪤Traps & gotchas

Major trap: This repo is archived. Do not attempt to submit PRs or expect support. If you clone and modify a chart, understand that: (1) the chart may use deprecated Kubernetes APIs removed in modern k8s versions (check apiVersion in templates; extensions/v1beta1 Deployment API was removed in k8s 1.16+), (2) no security patches will be backported—review each chart's dependencies manually, (3) Helm 2-specific chart syntax (e.g., requirements.yaml instead of Helm 3's Chart.yaml dependencies) may not work with Helm 3. Always migrate to the chart maintainer's new repository or Artifact Hub listing instead of using this archive.

💡Concepts to learn

  • Helm Chart — The core abstraction in this repo—a templated package of Kubernetes manifests; understanding chart structure (Chart.yaml, values.yaml, templates/) is essential to reading or modifying any file here.
  • Helm Values and Template Rendering — Charts use Go's text/template syntax to inject values into YAML; understanding {{ .Values.key }}, conditionals, and loops is required to modify any template in incubator/*/templates/.
  • Kubernetes Resource Definitions (Deployment, Service, ConfigMap, RBAC) — Each chart's templates/ directory contains Kubernetes resource YAML; familiarity with Deployment, Service, RBAC (ClusterRole, ClusterRoleBinding), ConfigMap, and DaemonSet manifests is required to understand what each chart deploys.
  • Chart Repository Format and Chart.yaml Metadata — Each chart defines its version, dependencies, and metadata in Chart.yaml and a matching Chart.lock file; understanding versioning and Helm's chart discovery mechanism explains how charts are distributed and upgraded.
  • Helm Templating Helpers (_helpers.tpl) — Reusable template functions in _helpers.tpl reduce boilerplate across templates (e.g., {{ include "chart.labels" . }}); understanding template function definition is required to modify or extend chart templates.
  • apiVersion v1 vs v2 Charts — This repo contains only apiVersion: v1 charts (Helm 2/3 compatible); v2 charts (Helm 3+ only) are not accepted. Understanding the difference explains compatibility constraints and deprecation of this repo.
  • Helm Hooks and Chart Lifecycle — Some charts use hooks (e.g., pre-install, post-upgrade) in templates for custom logic; understanding Helm's hook system explains advanced deployment patterns in complex charts.
  • helm/helm — The Helm package manager itself; this charts repo is a collection of charts for Helm to deploy. Essential to understand Helm's templating engine and chart format.
  • artifacthub/hub — The successor aggregator for Helm charts post-deprecation; users of this repo should migrate their charts or find alternatives on Artifact Hub.
  • prometheus-community/helm-charts — Example of a modern, maintained Helm chart repository that moved off the official stable/incubator repos; shows best practices for independent chart hosting.
  • bitnami/charts — Large, actively maintained Helm chart collection for popular applications (MySQL, PostgreSQL, RabbitMQ, etc.); many users migrated from helm/charts stable repo to Bitnami.
  • jetstack/cert-manager — Example of a project that maintains its own Helm chart repository separately; shows the ecosystem shift toward distributed chart ownership.

🪄PR ideas

To work on one of these in Claude Code or Cursor, paste: Implement the "<title>" PR idea from CLAUDE.md, working through the checklist as the task list.

Create MIGRATION_GUIDE.md for chart relocations to Artifact Hub

This archived repo contains dozens of charts (artifactory, aws-alb-ingress-controller, azuremonitor-containers, burrow, buzzfeed-sso, etc.) that users may still be using. A concrete migration guide would help users transition from this deprecated repo to the official Artifact Hub locations. Currently README.md only warns the project is archived but provides no actionable path forward for each chart.

  • [ ] Create MIGRATION_GUIDE.md at repo root documenting the transition plan
  • [ ] Add a table mapping each chart in incubator/ and stable/ to its new Artifact Hub repository URL
  • [ ] Include example helm repo add and helm install commands for migrating from this repo to official sources
  • [ ] Link this guide prominently in README.md and .github/ISSUE_TEMPLATE/bug_report.md to redirect users
  • [ ] Reference specific chart directories like incubator/artifactory, incubator/aws-alb-ingress-controller to show users where to find migration info

Add Helm chart linting CI workflow with chart-testing action

The repo contains 20+ charts across incubator/ but there's no visible CI validation. Charts could have syntax errors, missing required fields in Chart.yaml, or invalid values.yaml. Adding a GitHub Actions workflow using helm lint and chart-testing would catch regressions if charts are still being updated, and serve as documentation for contributors about chart quality standards.

  • [ ] Create .github/workflows/lint-charts.yml using helm/chart-testing-action
  • [ ] Configure the workflow to validate all Chart.yaml files in incubator/ and stable/ directories
  • [ ] Add helm lint checks for template syntax validation (incubator/*/templates/*.yaml)
  • [ ] Add helm template dry-run validation against default values.yaml for each chart
  • [ ] Document the linting requirements in CONTRIBUTING.md and REVIEW_GUIDELINES.md

Audit and document breaking changes between Helm 2 and Helm 3 in chart templates

The repo README mentions 'Helm 2 Support Plan' but the charts' templates directory structure suggests they may contain Helm 2-specific syntax (e.g., missing apiVersion fields, deprecated template functions). Since this is now archived, creating a reference document of which charts have Helm 2 dependencies would help users understand compatibility before attempting migration.

  • [ ] Audit incubator/*/Chart.yaml files for apiVersion field (should be v2 for Helm 3 compatibility)
  • [ ] Review incubator/*/templates/*.yaml for deprecated Helm 2 functions like .Capabilities.APIVersions.Has()
  • [ ] Create HELM2_HELM3_COMPAT.md documenting which charts require Helm 2 vs support Helm 3
  • [ ] Flag charts like incubator/azuremonitor-containers with complex CRD templates for special attention
  • [ ] Add version compatibility badges to each chart's README.md based on findings

🌿Good first issues

  • Audit and document which charts in incubator/ have been migrated to Artifact Hub—create a tracking issue mapping each chart to its new home URL, helping users find maintained versions.
  • Add deprecation notices to the top of each chart's README.md (incubator/*/README.md) pointing to the chart's new repository on Artifact Hub, reducing user confusion.
  • Create a migration guide document (e.g., MIGRATION.md) with shell scripts or tools to help users identify which charts they use and find their new repositories, plus instructions for updating Chart.yaml references.


📝Recent commits

  • 390ee66 — Moving prydonius to emeritus (#24541) (bridgetkromhout)
  • f4f301a — Update CI cluster name (#24492) (Vic Iglesias)
  • fd80db1 — Add reference to official Dex chart (#24481) (sagikazarmark)
  • 7e45e67 — Deleting CI config files. CI is no longer needed. (#24425) (mattfarina)
  • 2e46bf0 — Adding legacy repos to sync (#24421) (mattfarina)
  • dc7e599 — Revert "Updating to new repo locations (#24419)" (#24420) (mattfarina)
  • e2ecc4d — Updating to new repo locations (#24419) (mattfarina)
  • 1803a71 — Fixing repo sync (#24418) (mattfarina)
  • df36ceb — Adding deprecation notice to repo (#24417) (mattfarina)
  • 4a04b6f — Removed old owners files (#24416) (mattfarina)

🔒Security observations

This is an archived, unmaintained Helm charts repository with significant security concerns. The primary risk is the lack of active maintenance and security patches. Additionally, charts lack modern Kubernetes security best practices including restrictive security contexts, RBAC verification, image digest pinning, network policies, and resource limits. The repository should not be used for production deployments without comprehensive security audits and hardening. Users should migrate

  • High · Archived Repository Without Active Maintenance — README.md, entire repository. This repository is explicitly marked as obsolete and no longer supported. The README indicates it has transitioned to 'maintenance mode' and is no longer under active development. This means security vulnerabilities discovered will not be patched, and users are at risk from unaddressed security issues. Fix: Migrate to the official Artifact Hub (https://artifacthub.io) for curated Helm charts. Do not deploy charts from this archived repository in production environments without thorough security audits.
  • Medium · Potential Hardcoded Secrets in Template Files — incubator/*/templates/*-secret.yaml files. Multiple chart templates contain secret resource definitions (e.g., 'incubator/azuremonitor-containers/templates/omsagent-secret.yaml', 'incubator/buzzfeed-sso/templates/google-secret.yaml', 'incubator/buzzfeed-sso/templates/secret.yaml'). These files may contain hardcoded sensitive credentials or default values that could expose secrets. Fix: Ensure all secret files use templated values from values.yaml with secure defaults. Never hardcode credentials. Use external secret management tools (Sealed Secrets, External Secrets Operator) or Kubernetes secret injection mechanisms.
  • Medium · RBAC Configuration in Charts Without Explicit Verification — incubator/aws-alb-ingress-controller/templates/clusterrole.yaml and similar RBAC files. Several charts define RBAC resources (ClusterRole, ClusterRoleBinding, ServiceAccount) such as 'aws-alb-ingress-controller' and 'azuremonitor-containers'. Without explicit verification, these may grant excessive permissions or insufficient restrictions, leading to privilege escalation risks. Fix: Review and apply principle of least privilege. Verify RBAC bindings grant only necessary permissions. Document rationale for each permission. Consider using NetworkPolicies and PodSecurityPolicies (or Pod Security Standards in Kubernetes 1.25+).
  • Medium · Missing Security Context Specifications — incubator/*/templates/deployment.yaml, incubator/*/templates/daemonset*.yaml. Deployment and DaemonSet templates lack visible security context configurations (runAsNonRoot, readOnlyRootFilesystem, allowPrivilegeEscalation). This allows containers to run as root and with elevated privileges by default. Fix: Add comprehensive securityContext in all pod/container specifications: set runAsNonRoot: true, runAsUser to non-zero, allowPrivilegeEscalation: false, readOnlyRootFilesystem: true (where applicable), and drop unnecessary capabilities.
  • Medium · Unverified External Dependencies in Charts — incubator/*/templates/*.yaml (image specifications). Charts reference external images and components without visible digest pinning or signature verification. Images specified in deployment templates may pull unverified or compromised versions. Fix: Pin container images to specific digest hashes rather than tags. Implement image scanning in your CI/CD pipeline. Use admission controllers to enforce image policies (ImagePolicyWebhook, Sigstore/Cosign verification).
  • Low · No Visible Network Security Configuration — All chart templates. Charts do not show explicit NetworkPolicy definitions to restrict traffic between pods and to external services, potentially allowing unnecessary lateral movement. Fix: Implement NetworkPolicies to enforce network segmentation. Define ingress and egress rules following least privilege principles.
  • Low · Missing Resource Limits in Container Definitions — incubator/*/templates/deployment.yaml, incubator/*/templates/daemonset*.yaml. Container definitions may lack CPU and memory limits, enabling resource exhaustion attacks and noisy neighbor issues in shared clusters. Fix: Define resource requests and limits for all containers in the charts to prevent resource exhaustion and ensure proper scheduling.

LLM-derived; treat as a starting point, not a security audit.


Generated by RepoPilot. Verdict based on maintenance signals — see the live page for receipts. Re-run on a new commit to refresh.
