Helm charts for Kubernetes. Hosted on GitHub Pages via chart-releaser.
```bash
helm repo add teerakarna https://teerakarna.github.io/helm-charts
helm repo update
```

| Chart | Description | Version |
|---|---|---|
| echoserver | HTTP echo server for testing ingress, load balancing, and network policies | 0.2.0 |
| netshoot | Network troubleshooting pod (nicolaka/netshoot) — DNS, connectivity, routing, network policy | 0.1.0 |
| sleep | Minimal Alpine pod that sleeps indefinitely — exec in to run commands inside a namespace | 0.1.0 |
| dbclient | Database client debug pod — psql, redis-cli, and mysql in one Alpine container | 0.1.0 |
| scoutsuite | Multi-cloud security auditing (ScoutSuite) — CronJob/Job for AWS, GCP, Azure and more | 0.1.0 |
| kube-bench | CIS Kubernetes Benchmark auditing (kube-bench) — Job/CronJob with ClusterRole | 0.1.0 |
| kube-hunter | Kubernetes penetration testing (kube-hunter) — hunt for security weaknesses in-cluster | 0.1.0 |
| gonymizer | PostgreSQL data anonymization (Gonymizer) — dump, anonymize, and reload PII/PHI for QA | 0.1.0 |
| bombardier | Fast HTTP/S load testing (bombardier) — Job/CronJob to benchmark in-cluster services | 0.1.0 |
| trivy | Vulnerability scanner (Trivy) — Job/CronJob to scan images, filesystems, or entire clusters | 0.1.0 |
| k6 | Scriptable load testing (Grafana k6) — Job/CronJob with a ConfigMap-mounted JS test script | 0.1.0 |
| toxiproxy | Network fault injection proxy (Toxiproxy) — Deployment to inject latency, packet loss, and timeouts | 0.1.0 |
| zaproxy | Web application security scanner (OWASP ZAP) — Job/CronJob with Automation Framework plan | 0.1.0 |

```bash
# HTTP echo server — test ingress and routing
helm install echo teerakarna/echoserver
kubectl port-forward svc/echo-echoserver 8080:80
curl http://localhost:8080/

# Network troubleshooting pod — exec in to diagnose DNS/connectivity issues
helm install netshoot teerakarna/netshoot -n <namespace>
kubectl exec -it -n <namespace> \
  $(kubectl get pod -n <namespace> -l app.kubernetes.io/instance=netshoot -o jsonpath="{.items[0].metadata.name}") \
  -- bash

# Minimal debug pod — exec in to run arbitrary commands inside a namespace
helm install debug teerakarna/sleep -n <namespace>
kubectl exec -it -n <namespace> \
  $(kubectl get pod -n <namespace> -l app.kubernetes.io/instance=debug -o jsonpath="{.items[0].metadata.name}") \
  -- sh

# Database client pod — psql, redis-cli, mysql
helm install db teerakarna/dbclient \
  --set image.repository=ghcr.io/YOUR_USERNAME/dbclient \
  -n <namespace>
kubectl exec -it -n <namespace> \
  $(kubectl get pod -n <namespace> -l app.kubernetes.io/instance=db -o jsonpath="{.items[0].metadata.name}") \
  -- bash

# CIS Kubernetes Benchmark — one-off audit
helm install kb teerakarna/kube-bench
kubectl wait --for=condition=complete job -l app.kubernetes.io/instance=kb --timeout=10m
kubectl logs -l app.kubernetes.io/instance=kb

# Kubernetes penetration test — hunt from inside the cluster
helm install hunter teerakarna/kube-hunter
kubectl logs -l app.kubernetes.io/instance=hunter

# HTTP load test — benchmark an in-cluster service
helm install load teerakarna/bombardier \
  --set image.repository=ghcr.io/YOUR_USERNAME/bombardier \
  --set target.url=http://echo-echoserver.default.svc.cluster.local/
kubectl logs -l app.kubernetes.io/instance=load

# Vulnerability scan — scan an image for HIGH/CRITICAL CVEs
helm install scan teerakarna/trivy \
  --set target=nginx:latest
kubectl logs -l app.kubernetes.io/instance=scan

# Scriptable load test — run a k6 JS script against an in-cluster service
helm install k6 teerakarna/k6 \
  --set env.TARGET_URL=http://echo-echoserver.default.svc.cluster.local/
kubectl logs -l app.kubernetes.io/instance=k6

# DAST scan — spider and passive-scan a service with OWASP ZAP
helm install zap teerakarna/zaproxy \
  --set target.url=http://echo-echoserver.default.svc.cluster.local/
kubectl logs -l app.kubernetes.io/instance=zap -f

# Network fault injection — wrap a service with Toxiproxy for chaos testing
helm install toxi teerakarna/toxiproxy \
  --set 'proxies[0].name=redis' \
  --set 'proxies[0].listen=0.0.0.0:26379' \
  --set 'proxies[0].upstream=redis-master.default.svc.cluster.local:6379' \
  --set 'proxies[0].enabled=true'

# Add latency via the API:
kubectl port-forward svc/toxi-toxiproxy 8474:8474
curl -X POST http://localhost:8474/proxies/redis/toxics \
  -d '{"name":"latency","type":"latency","attributes":{"latency":100}}'
```

- Helm >= 3.14
- helm-unittest plugin
- chart-testing (ct)

```bash
helm plugin install https://github.com/helm-unittest/helm-unittest
pip install yamllint
```

```bash
ct lint --config ct.yaml --charts <chart-name>
ct lint --config ct.yaml  # lint all changed charts
```

```bash
helm unittest <chart-name>
helm unittest kube-bench kube-hunter dbclient bombardier
```

```bash
helm template my-release <chart-name>
helm template my-release kube-bench
helm template my-release bombardier --set target.url=http://example.com/
```

Charts are released automatically on merge to main via chart-releaser-action.

To release a new chart version:
- Bump `version` in the chart's `Chart.yaml`
- Open a PR — CI lints and runs unit tests
- Merge to `main` — chart-releaser packages the chart, creates a GitHub Release, and updates the Helm repository index on the `gh-pages` branch

First-time setup: After the first release workflow runs and creates the `gh-pages` branch, enable GitHub Pages in the repo settings pointing to that branch.

All chart packages and Docker images are signed with cosign using keyless signing (GitHub Actions OIDC). No key management required — signatures are verifiable against the public Rekor transparency log.
Download the .tgz and .bundle files from the GitHub Release assets, then:

```bash
cosign verify-blob \
  --bundle kube-bench-0.1.0.tgz.bundle \
  --certificate-identity-regexp "https://github.com/teerakarna/helm-charts/.github/workflows/release.yml@refs/heads/main" \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
  kube-bench-0.1.0.tgz
```

```bash
cosign verify \
  --certificate-identity-regexp "https://github.com/teerakarna/helm-charts/.github/workflows/build-.*@refs/heads/main" \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
  ghcr.io/teerakarna/dbclient:latest
```

Replace dbclient with scoutsuite or bombardier as appropriate.

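
The verification commands above pass the expected workflow identity as a regular expression, so how tightly that pattern is written decides which signers are accepted. The script below is an added example, not part of this repository: it builds an anchored, escaped pattern for the release workflow and compares it with the pattern as written on this page against constructed identity strings. It assumes cosign applies the pattern as an unanchored regex search, uses `grep -E` as an offline stand-in for that matching, and all function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the helm-charts repo. Function names are hypothetical.
# Assumption: the identity pattern is applied as an unanchored regex search,
# so grep -E is used here as an offline stand-in for that matching.

# Escape regex metacharacters so a literal string can sit inside a pattern.
escape_ere() {
  printf '%s' "$1" | sed -e 's/[][\.^$*+?(){}|]/\\&/g'
}

# Build an anchored, fully escaped pattern for one workflow identity.
identity_pattern() {  # args: owner/repo workflow-file git-ref
  printf '^%s$' "$(escape_ere "https://github.com/$1/.github/workflows/$2@$3")"
}

# Succeeds when the pattern matches the certificate identity string.
matches() {  # args: pattern identity
  printf '%s\n' "$2" | grep -Eq -- "$1"
}

# Verify a chart package with the anchored pattern (needs cosign installed).
verify_chart() {  # args: path to chart .tgz, with its .bundle beside it
  cosign verify-blob \
    --bundle "$1.bundle" \
    --certificate-identity-regexp \
      "$(identity_pattern teerakarna/helm-charts release.yml refs/heads/main)" \
    --certificate-oidc-issuer https://token.actions.githubusercontent.com \
    "$1"
}

# Constructed identities: the release workflow, then two look-alikes.
compare_patterns() {
  cp_base='https://github.com/teerakarna/helm-charts/.github/workflows'
  cp_page="$cp_base/release.yml@refs/heads/main"   # pattern as written on the page
  cp_strict=$(identity_pattern teerakarna/helm-charts release.yml refs/heads/main)
  for cp_id in "$cp_page" \
               "$cp_base/release.yml@refs/heads/main-experiment" \
               "$cp_base/release-yml@refs/heads/main"; do
    printf '%s\n' "$cp_id"
    matches "$cp_page" "$cp_id" && echo '  page pattern: accepted' || echo '  page pattern: rejected'
    matches "$cp_strict" "$cp_id" && echo '  anchored:     accepted' || echo '  anchored:     rejected'
  done
}

compare_patterns
```

For the image workflows, which share the `build-` prefix, the same anchoring applies with the `.*` narrowed to the workflow file names that are actually expected.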
```
{chart-name}/ # One directory per chart
Chart.yaml
values.yaml
templates/
tests/ # helm-unittest test files
docker/ # Dockerfile (charts with custom images)
.github/workflows/
ci.yml # PR: ct lint + helm unittest
release.yml # Push to main: chart-releaser
build-*.yml # Manual: build and push custom Docker images
ct.yaml # chart-testing config
artifacthub-repo.yml # ArtifactHub metadata
```