CoursesHelmBeginner

Values & overrides

Configure a chart per environment.

Intermediate12 min · lesson 4 of 12

values.yaml is the chart’s configuration surface: the defaults a chart author exposes, which templates read as .Values.<path>. Users override them without touching the templates — with -f myvalues.yaml (a file) or --set key=value (inline). This is how one chart serves dev, staging, and prod: same templates, different values files. Override precedence is later files/flags win, with --set beating -f.

VALUES OVERRIDE PRECEDENCE
1values.yaml defaults
chart author's baseline, read as .Values.<path>
2-f prod-values.yaml
override only the keys that differ per env
3--set key=value
inline override, highest precedence
4Effective values
rendered manifests; inspect via helm get values/manifest
Later -f files win over earlier ones and --set beats -f; render locally with helm template to preview the result.
values.yaml + override
# chart default values.yaml
replicaCount: 1
image:
repository: registry.internal/payments-api
tag: "2.1.0"
resources:
limits: { cpu: 500m, memory: 256Mi }
---
# prod-values.yaml (override just what differs)
replicaCount: 4
resources:
limits: { cpu: "2", memory: 1Gi }
terminal
$ helm install payments ./payments-api -f prod-values.yaml
$ helm upgrade payments ./payments-api -f prod-values.yaml --set replicaCount=6
# --set overrides the file; later -f files override earlier ones

Inspecting effective values

To see what a release actually used, helm get values shows the overrides and helm get manifest shows the rendered result. During development, helm template --values prod-values.yaml renders the whole chart locally so you can review exactly what would be applied before touching the cluster. Reviewing the rendered output is the single best habit for catching values mistakes.

Do not put secrets in values files in Git
values.yaml is plain config, frequently committed — so a password or token placed there lands in version control in plaintext. Keep secrets out of values files: reference existing Kubernetes Secrets, or use a secrets tool (SOPS, the External Secrets Operator, Vault). The security lesson returns to this; for now, treat values as non-secret configuration.