3.17.4

Latest release in branch 3.17
Released 16 Jul 2025 (9 months ago)

SoftwareHelm
Branch3.17
Status
End of life
Initial release3.17.0
15 Jan 2025 (1 year ago)
Latest patch release3.17.4
16 Jul 2025 (9 months ago)
Supported
Kubernetes versions		1.32.x - 1.29.x
Active support end19 May 2025 (Ended 11 months ago)
Release noteshttps://github.com/helm/helm/releases/tag/v3.17.4
Source codehttps://github.com/helm/helm/tree/v3.17.4
Downloadhttps://github.com/helm/helm/releases/tag/v3.17.4
Helm 3.17 ReleasesView full list
SEE ALSO: Kubernetes Kubernetes New Terraform Terraform New

What Is New in Helm 3.17 (summary table)

Category Highlights
New Features
  • Install and pull charts by OCI digest
  • New --take-ownership flag for helm install and helm upgrade
  • Chart metadata now includes annotations and dependencies
  • Username/password support for helm push and dependency commands
  • Configurable authorizer and registry authorizer in the SDK
  • Added toYamlPretty template function
Improvements
  • Removed the Kubernetes config file permissions check
  • Updated Go to 1.23 and several Go modules for stability
  • Enhanced error messages for broken chart versions
Bug Fixes
  • Fixed OCI reference handling and template rendering issues
  • Resolved multiple test failures and upgrade conflicts
  • Corrected hook deletion order and label naming bugs
  • Addressed chart lint errors and dependency loading problems
Security
  • Upgraded golang.org/x/net to patch CVE‑2024‑45338
  • Added explicit username/password handling for OCI registries
  • Made authorizer configuration flexible for custom auth flows
Deprecated / Removed
  • Removed the file‑permission check on the kubeconfig file

What are the major change groups in Helm 3.17?

OCI enhancements

Helm now accepts an OCI digest directly, letting you pull and install a chart without a tag name. This shortens CI pipelines that rely on immutable digests.

Ownership handling

The --take-ownership flag gives the installing user control over resource adoption during upgrades, reducing manual cleanup of orphaned objects.

Metadata enrichment

Chart metadata output now includes annotations and dependencies, making it easier for automation tools to discover chart relationships without unpacking the archive.

Authentication & authorizer flexibility

Username/password can be passed to helm push and dependency commands, and the SDK’s authorizer is now configurable, supporting custom token providers and corporate registries.

Template utilities & permission changes

The new toYamlPretty function produces readable YAML in templates, and the kubeconfig permission check has been removed, simplifying local development environments.

FAQ

How do I install a chart using an OCI digest?
Use helm install myrel myrepo/chart@sha256:abcdef.... The digest is verified against the registry before the chart is unpacked.

What does the --take-ownership flag actually do?
It tells Helm to adopt existing resources that match the release’s selectors, preventing “resource already exists” errors during upgrades.

Can I still see chart annotations after the metadata change?
Yes. Running helm get metadata RELEASE now prints the annotations field alongside version and description.

How do I provide credentials for an OCI registry?
Supply --username USER --password PASS on helm push or on helm dependency build. The credentials are passed to the underlying ORAS client.

Is the removal of the kubeconfig permission check safe for production?
The check was only a convenience guard for local setups. Production clusters typically manage kubeconfig files via RBAC and secret management, so the change does not affect runtime security.

Releases In Branch 3.17

VersionRelease date
3.17.416 Jul 2025
(9 months ago)
3.17.015 Jan 2025
(1 year ago)