README
ΒΆ
β chart2kro
Transform Helm charts into KRO ResourceGraphDefinitions
chart2kro reads a Helm chart, renders its templates, and produces a fully functional KRO ResourceGraphDefinition (RGD) β turning your chart into a reusable, composable platform abstraction.
Quick Start Β· Go Library Β· Examples Β· Documentation
β¨ Features
| Feature | Description | |
|---|---|---|
| π | Convert | Helm charts (local, OCI, repository) β KRO ResourceGraphDefinitions |
| π | Inspect | Preview resources, exposed values, and transformations before conversion |
| β | Validate | Check generated RGDs against KRO schemas and Kubernetes conventions |
| π€ | Export | Output as YAML, JSON, or directly apply via kubectl |
| π | Diff | Detect drift and breaking schema changes against prior versions |
| π‘οΈ | Harden | Apply Pod Security Standards, NetworkPolicies, RBAC, and SLSA provenance |
| π | Audit | Scan for security issues and best-practice violations |
| π | Docs | Auto-generate documentation for the custom resource API |
| π | Plan | Terraform-like dry-run with schema fields, resources, and evolution analysis |
| π | Watch | Auto-re-convert on file changes with debouncing, validation, and auto-apply |
| π | Extensible | Transformer plugin system with built-in and config-based overrides |
| π¦ | Go Library | Embed chart2kro in your own tools via the pkg/chart2kro API |
π¦ Installation
Go Install
go install github.com/hupe1980/chart2kro/cmd/chart2kro@latest
From Source
git clone https://github.com/hupe1980/chart2kro.git
cd chart2kro
just build # or: CGO_ENABLED=0 go build -o chart2kro ./cmd/chart2kro/
Docker
docker run --rm ghcr.io/hupe1980/chart2kro version
π Quick Start
# Convert a local Helm chart
chart2kro convert ./my-chart/
# Convert from an OCI registry
chart2kro convert oci://ghcr.io/org/my-chart:1.0.0
# Convert from a Helm repository
chart2kro convert my-chart --repo-url https://charts.example.com --version "^1.0.0"
# Customise Kind and API group
chart2kro convert ./my-chart/ --kind MyApp --group myapp.kro.run
# Save to file
chart2kro convert ./my-chart/ -o rgd.yaml
# Preview without writing
chart2kro convert ./my-chart/ --dry-run
# Pipe directly to kubectl
chart2kro convert ./my-chart/ | kubectl apply -f -
π‘ Check out the examples/ directory for ready-to-run charts including NGINX, Redis, and a production microservice.
π― Chart Sources
| Source | Example |
|---|---|
| π Local directory | chart2kro convert ./my-chart/ |
| π¦ Packaged archive | chart2kro convert my-chart-1.0.0.tgz |
| π³ OCI registry | chart2kro convert oci://ghcr.io/org/chart:1.0.0 |
| π Helm repository | chart2kro convert my-chart --repo-url https://charts.example.com |
Values & Rendering
Values are merged in the same order as helm install:
chart2kro convert ./my-chart/ \
-f base-values.yaml \
-f env-values.yaml \
--set image.tag=v2.0.0 \
--set-string annotations.commit=abc123 \
--set-file config=./app.conf \
--release-name myapp \
--namespace production \
--strict
π§ Commands
See docs/cli-reference.md for the full CLI reference.
convert
Convert a Helm chart to a KRO ResourceGraphDefinition.
chart2kro convert <chart-reference> [flags]
π All convert flags
| Flag | Short | Default | Description |
|---|---|---|---|
--repo-url |
Helm repository URL | ||
--version |
Chart version constraint | ||
--username |
Repository/registry username | ||
--password |
Repository/registry password | ||
--ca-file |
TLS CA certificate file | ||
--cert-file |
TLS client certificate file | ||
--key-file |
TLS client key file | ||
--release-name |
release |
Helm release name | |
--namespace |
default |
Kubernetes namespace | |
--strict |
false |
Fail on missing template values | |
--timeout |
30s |
Rendering timeout | |
--values |
-f |
Values YAML file (repeatable) | |
--set |
Set values on the command line | ||
--set-string |
Set string values | ||
--set-file |
Set values from file content | ||
--include-hooks |
false |
Include hooks as regular resources | |
--kind |
Custom Kind for the generated RGD | ||
--api-version |
v1alpha1 |
Custom API version for the generated RGD | |
--group |
kro.run |
Custom API group for the generated RGD | |
--include-all-values |
false |
Include all values in schema, even unreferenced | |
--flat-schema |
false |
Flatten nested values into camelCase fields | |
--output |
-o |
Write output to file instead of stdout | |
--dry-run |
false |
Show what would be generated without writing | |
--comments |
false |
Add inline comments on CEL expressions | |
--split |
false |
Write one file per resource (requires --output-dir) |
|
--output-dir |
Output directory for --split |
||
--embed-timestamp |
false |
Add chart2kro.io/generated-at annotation |
|
--harden |
false |
Enable security hardening | |
--security-level |
restricted |
PSS level: none, baseline, restricted |
|
--generate-network-policies |
false |
Generate deny-all NetworkPolicies per workload | |
--generate-rbac |
false |
Generate ServiceAccount/Role/RoleBinding per workload | |
--resolve-digests |
false |
Resolve image tags to sha256 digests from registries |
inspect
Preview a chart before converting it:
chart2kro inspect ./my-chart/
chart2kro inspect ./my-chart/ --format json
plan
Terraform-like preview showing schema fields, resources, and status projections:
chart2kro plan ./my-chart/
chart2kro plan ./my-chart/ --existing rgd.yaml # with evolution analysis
diff
Detect drift and breaking schema changes:
chart2kro diff ./my-chart/ --existing rgd.yaml
chart2kro diff ./my-chart/ --existing rgd.yaml --format json # CI-friendly
Exit code
8signals breaking changes β safe for CI/CD gates.
validate
chart2kro validate rgd.yaml
chart2kro validate --strict rgd.yaml # also fail on warnings
export
chart2kro export rgd.yaml # canonical YAML
chart2kro export rgd.yaml --format json # JSON
chart2kro export rgd.yaml --format kustomize --output-dir ./out # Kustomize
audit
chart2kro audit ./my-chart/
chart2kro audit ./my-chart/ --fail-on high --format sarif > results.sarif
docs
chart2kro docs my-rgd.yaml
chart2kro docs my-rgd.yaml --format html -o api-reference.html
watch
Auto-re-convert on file changes:
chart2kro watch ./my-chart/ -o rgd.yaml
chart2kro watch ./my-chart/ -o rgd.yaml --apply # auto-apply to cluster
chart2kro watch ./my-chart/ -o rgd.yaml --debounce 1s # custom debounce
π‘οΈ Security Hardening
# Enable hardening (PSS restricted + resource defaults + SLSA provenance)
chart2kro convert ./my-chart/ --harden -o rgd.yaml
# Full hardening with NetworkPolicy and RBAC generation
chart2kro convert ./my-chart/ --harden --generate-network-policies --generate-rbac
# Resolve image tags to sha256 digests
chart2kro convert ./my-chart/ --harden --resolve-digests
π What --harden does
| Policy | Description |
|---|---|
| Pod Security Standards | Enforces runAsNonRoot, readOnlyRootFilesystem, drops all capabilities, sets seccomp profile |
| Resource Requirements | Injects default CPU/memory requests and limits |
| Image Policy | Warns on :latest tags, unapproved registries, missing digests |
| Digest Resolution | Resolves image tags to sha256 digests from container registries |
| NetworkPolicy | Generates deny-all + DNS egress policies per workload |
| RBAC | Generates least-privilege ServiceAccount/Role/RoleBinding |
| Provenance | Adds SLSA v1.0 attestation annotations |
Customize via .chart2kro.yaml:
harden:
images:
deny-latest-tag: true
allowed-registries: ["gcr.io/", "quay.io/"]
resources:
cpu-request: "200m"
memory-request: "256Mi"
ποΈ Resource Filtering & Profiles
For enterprise charts with many subcharts:
--exclude-kinds Secret,ConfigMap # exclude by kind
--exclude-subcharts postgresql,redis # exclude by subchart
--exclude-labels "component=database" # exclude by label
--externalize-secret db-creds=externalDb # externalize resources
--use-external-pattern postgresql # smart patterns
--profile enterprise # preset filter bundles
Custom profiles can be defined in .chart2kro.yaml. See docs/cli-reference.md for details.
βοΈ Transformation Pipeline
chart2kro convert executes a multi-phase pipeline:
Load & Render β Parse Resources β Analyze Dependencies β Filter & Externalize
β Assign Resource IDs β Detect Parameters β Apply Field Mappings
β Extract Schema β Build Dependency Graph β Generate Readiness & Status
β Security Hardening (optional) β Assemble RGD
See docs/transformation-pipeline.md for the full architecture reference.
π§ Configuration
Configuration is loaded from three sources (highest precedence first):
- CLI flags β e.g.
--log-level debug - Environment variables β e.g.
CHART2KRO_LOG_LEVEL=debug - Config file β
.chart2kro.yaml(auto-discovered in.or$HOME/.config/chart2kro/)
| Flag | Env Variable | Default | Description |
|---|---|---|---|
--config |
β | .chart2kro.yaml |
Path to config file |
--log-level |
CHART2KRO_LOG_LEVEL |
info |
debug Β· info Β· warn Β· error |
--log-format |
CHART2KRO_LOG_FORMAT |
text |
text Β· json |
--no-color |
CHART2KRO_NO_COLOR |
false |
Disable colored output |
--quiet, -q |
CHART2KRO_QUIET |
false |
Suppress non-essential output |
See docs/configuration.md for the full reference.
οΏ½ Go Library
chart2kro can be used as a Go library in your own tools. The public API lives in pkg/chart2kro and uses the functional options pattern.
Install
go get github.com/hupe1980/chart2kro/pkg/chart2kro
Basic Usage
package main
import (
"context"
"fmt"
"log"
"github.com/hupe1980/chart2kro/pkg/chart2kro"
)
func main() {
result, err := chart2kro.Convert(context.Background(), "./my-chart/")
if err != nil {
log.Fatal(err)
}
fmt.Println(string(result.YAML))
}
With Options
result, err := chart2kro.Convert(ctx, "oci://ghcr.io/org/my-chart:1.0.0",
chart2kro.WithReleaseName("my-release"),
chart2kro.WithNamespace("production"),
chart2kro.WithIncludeAllValues(),
chart2kro.WithTimeout(60 * time.Second),
chart2kro.WithSchemaOverrides(map[string]chart2kro.SchemaOverride{
"replicaCount": {Type: "integer", Default: 3},
}),
)
Result
The Result struct provides:
| Field | Type | Description |
|---|---|---|
YAML |
[]byte |
Rendered RGD YAML |
RGDMap |
map[string]interface{} |
Structured RGD for further manipulation |
ChartName |
string |
Source chart name |
ChartVersion |
string |
Source chart version |
ResourceCount |
int |
Number of Kubernetes resources |
SchemaFieldCount |
int |
Number of extracted schema parameters |
DependencyEdges |
int |
Number of dependency edges in the graph |
HardenResult |
*HardenSummary |
Hardening details (when enabled) |
See docs/library-api.md for the full API reference.
οΏ½π Shell Completion
# Bash
source <(chart2kro completion bash)
# Zsh
chart2kro completion zsh > "${fpath[1]}/_chart2kro"
# Fish
chart2kro completion fish > ~/.config/fish/completions/chart2kro.fish
π Documentation
| Document | Description |
|---|---|
| π CLI Reference | Complete command and flag reference |
| βοΈ Configuration | .chart2kro.yaml configuration reference |
| ποΈ Transformation Pipeline | Architecture and pipeline stage details |
| π‘ Examples | Working examples with real Helm charts |
| π¦ Library API | Go library API reference and examples |
π License
Apache 2.0 β see LICENSE for details.
Directories
ΒΆ
| Path | Synopsis |
|---|---|
|
cmd
|
|
|
chart2kro
command
chart2kro transforms Helm charts into KRO ResourceGraphDefinition resources.
|
chart2kro transforms Helm charts into KRO ResourceGraphDefinition resources. |
|
internal
|
|
|
audit
Package audit provides security analysis and best-practice checks for Kubernetes resources.
|
Package audit provides security analysis and best-practice checks for Kubernetes resources. |
|
cli
Package cli implements the cobra command tree for chart2kro.
|
Package cli implements the cobra command tree for chart2kro. |
|
config
Package config provides configuration management for chart2kro.
|
Package config provides configuration management for chart2kro. |
|
docs
Package docs generates human-readable API documentation from a KRO ResourceGraphDefinition.
|
Package docs generates human-readable API documentation from a KRO ResourceGraphDefinition. |
|
filter
Package filter implements resource filtering for chart2kro's transformation pipeline.
|
Package filter implements resource filtering for chart2kro's transformation pipeline. |
|
harden
Package harden provides security hardening policies for Kubernetes resources.
|
Package harden provides security hardening policies for Kubernetes resources. |
|
helm/chartmeta
Package chartmeta provides a convenient wrapper around Helm chart metadata.
|
Package chartmeta provides a convenient wrapper around Helm chart metadata. |
|
helm/deps
Package deps handles Helm subchart dependency resolution.
|
Package deps handles Helm subchart dependency resolution. |
|
helm/hooks
Package hooks detects and handles Helm lifecycle hooks in rendered manifests.
|
Package hooks detects and handles Helm lifecycle hooks in rendered manifests. |
|
helm/loader
Package loader provides chart loading from multiple source types (directory, archive, OCI registry, Helm repository) with automatic source-type detection.
|
Package loader provides chart loading from multiple source types (directory, archive, OCI registry, Helm repository) with automatic source-type detection. |
|
helm/renderer
Package renderer executes Helm template rendering in-memory using the Helm SDK engine and provides values merging from multiple sources.
|
Package renderer executes Helm template rendering in-memory using the Helm SDK engine and provides values merging from multiple sources. |
|
k8s
Package k8s provides Kubernetes resource abstractions for parsed manifests.
|
Package k8s provides Kubernetes resource abstractions for parsed manifests. |
|
k8s/parser
Package parser splits multi-document YAML manifests and parses them into k8s.Resource structs.
|
Package parser splits multi-document YAML manifests and parses them into k8s.Resource structs. |
|
kro
Package kro assembles KRO ResourceGraphDefinition resources from transformation results.
|
Package kro assembles KRO ResourceGraphDefinition resources from transformation results. |
|
logging
Package logging initialises a log/slog logger from the application configuration and provides context-based logger propagation.
|
Package logging initialises a log/slog logger from the application configuration and provides context-based logger propagation. |
|
maputil
Package maputil provides shared utilities for map and slice deep-copying used throughout the transformation and RGD assembly pipeline.
|
Package maputil provides shared utilities for map and slice deep-copying used throughout the transformation and RGD assembly pipeline. |
|
output
Package output provides deterministic YAML/JSON serialization, output writers, resource splitting, and validation for KRO ResourceGraphDefinitions.
|
Package output provides deterministic YAML/JSON serialization, output writers, resource splitting, and validation for KRO ResourceGraphDefinitions. |
|
transform
Package transform - ast.go implements Go template AST analysis for fast mode.
|
Package transform - ast.go implements Go template AST analysis for fast mode. |
|
transform/transformer
Package transformer defines the Transformer interface and Registry for per-resource-kind transformation logic.
|
Package transformer defines the Transformer interface and Registry for per-resource-kind transformation logic. |
|
version
Package version provides build-time metadata for the chart2kro binary.
|
Package version provides build-time metadata for the chart2kro binary. |
|
watch
Package watch provides file-watching capabilities for chart2kro's live-reload development workflow.
|
Package watch provides file-watching capabilities for chart2kro's live-reload development workflow. |
|
yamlutil
Package yamlutil provides shared YAML utilities used across chart2kro.
|
Package yamlutil provides shared YAML utilities used across chart2kro. |
|
pkg
|
|
|
chart2kro
Package chart2kro provides a public Go API for converting Helm charts into KRO ResourceGraphDefinition YAML.
|
Package chart2kro provides a public Go API for converting Helm charts into KRO ResourceGraphDefinition YAML. |
Click to show internal directories.
Click to hide internal directories.