Cloud Native

Helm 4.x Signals Helm 3 EOL: Wasm Plugins, OCI Caching, and Migration Steps

Helm 4.x signals that Helm 3 is approaching EOL. Wasm plugins, OCI digest-based caching, and plugin/runtime changes mean you should plan migrations and CI updates ASAP.

June 22, 2026·3 min read·AI researched · AI written · AI reviewed

Helm just put a date (or at least a direction) on technical debt: the 4.2.x docs now explicitly flag Helm v3 as approaching end of life. That’s the most consequential thing this week for platform teams that still treat Helm as a low-risk upgrade. Helm 4 is where the plugin model, security hardening, and OCI innovations will live from here on.

Helm 4.x redesigns the plugin model with stronger host/runtime separation and a first-class WebAssembly (Wasm) execution option for plugins; it also formalizes digest-oriented OCI workflows and content-addressable caching for charts consumed from registries. Helm has supported OCI registries in prior releases, but 4.x emphasizes digest-based consumption and cacheability as a platform primitive. If you rely on ad-hoc hooks, custom plugins, or CI pipelines that treat tags as mutable artifacts, those assumptions will need revisiting.

Here’s the hard truth: maintaining full feature parity across divergent runtime and plugin models is expensive, and maintainers have chosen a cleaner path. That’s the right call. Stretching backports and plugin compatibility across different execution environments would have produced years of fragile fixes. Teams that delay will be forced into emergency migrations when fixes or hardenings land only in 4.x.

What to expect when you move (or delay)

  • Plugin behavior will change: Wasm-based plugins have different execution semantics and fewer host-side dependencies, but also different debugging and lifecycle tools. Expect to rewrite or recompile custom plugins or adapt them to the new runtime.
  • OCI + content-addressable caching improves reproducibility, but CI that relies on mutable tags should adopt digests or add a digest-resolution and cache/invalidation step.
  • New fixes and features will concentrate on 4.x; Helm 3 will receive only critical security backports.

A short migration checklist: audit nonstandard plugins, switch CI to digest-based pulls (or add a digest-resolution/cache step), and validate your chart tests against the Helm 4 CLI surface. If you want a primer on the initial changes in 4.x, see our Helm 4.0 coverage: "Helm 4.0.0 GA: get-helm-4 installer, WebAssembly plugins, and Helm 3 support timeline."
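A sketch of the digest-pinning gate from the checklist, added here as an example (it is not code from the Helm project or from the original article): it classifies OCI chart references and fails the build on tag-only references, malformed digests, or a locked tag that now resolves to a different digest. The registry name, the lock mapping and the `resolved` input are assumptions; in a real pipeline the resolved digests would come from your own registry lookup step.

```python
import re

# oci://host[:port]/path[:tag][@sha256:<64 hex>]
OCI_REF = re.compile(
    r"^oci://(?P<repo>[^\s:@/]+(?::\d+)?(?:/[^\s:@/]+)+)"
    r"(?::(?P<tag>\w[\w.-]{0,127}))?"
    r"(?:@(?P<digest>sha256:[0-9a-f]{64}))?$"
)

def classify(ref, lock):
    """Return 'pinned', 'locked', 'mutable' or 'invalid' for one chart reference."""
    m = OCI_REF.match(ref)
    if not m:
        return "invalid"   # includes truncated or non-hex digests
    if m["digest"]:
        return "pinned"    # content-addressed: the ref cannot point at new content
    if ref in lock:
        return "locked"    # tag only, but CI has a recorded digest to compare against
    return "mutable"       # tag (or no tag) with nothing to verify against

def drifted(lock, resolved):
    """Refs whose tag now resolves to a digest other than the one in the lock."""
    return sorted(r for r, d in lock.items() if r in resolved and resolved[r] != d)

def gate(refs, lock, resolved):
    """CI decision: map each failing ref to the reason it fails."""
    bad = {r: c for r in refs if (c := classify(r, lock)) in ("invalid", "mutable")}
    for r in drifted(lock, resolved):
        if r in refs:
            bad[r] = "drift"
    return bad

# Constructed sample data: registry, chart names and digests are illustrative.
D1, D2 = "sha256:" + "a" * 64, "sha256:" + "b" * 64
REFS = [
    f"oci://registry.example.com/charts/api@{D1}",
    "oci://registry.example.com/charts/web:1.4.0",
    "oci://registry.example.com/charts/db:2.0.0",
    "oci://registry.example.com/charts/cache@sha256:deadbeef",
]
LOCK = {"oci://registry.example.com/charts/web:1.4.0": D1}
# Constructed result of a digest-resolution step: web:1.4.0 was re-pushed.
RESOLVED = {"oci://registry.example.com/charts/web:1.4.0": D2}

if __name__ == "__main__":
    for ref, reason in gate(REFS, LOCK, RESOLVED).items():
        print(f"FAIL {reason:8} {ref}")
```

The `drift` result is also the cache-invalidation signal: a cached chart keyed by the old digest should not be reused for that tag.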

The rest of the stack was quieter but consequential in stabilization mode. Cilium’s recent point releases focused on eBPF datapath correctness, Kubernetes compatibility, and ClusterMesh/CNI reliability. Those fixes matter because Cilium is increasingly the dataplane of choice for advanced networking, policy, and observability; a correctness patch in BPF maps or CNI handoff can meaningfully reduce pod-to-pod flakiness. The pattern is incremental reliability now, big new features later — exactly the cadence you want from a dataplane.

Argo CD’s 2.x stream followed the same playbook: maintenance updates tightening RBAC, SSO integrations, and reconciliation edge cases for multi-cluster GitOps. These are the updates that stop incidents from cascading during normal deploys.

Observability work continued in the same vein: OpenTelemetry SDKs and the collector emphasized production readiness for Kubernetes collectors, and Grafana notes highlighted smoother metadata enrichment between agents, Loki, and Tempo. Telemetry plumbing is getting more robust and more integrated rather than radically different.

This week’s theme is consolidation, not invention. Platform teams need stable primitives more than new knobs. But consolidation has a price — a migration cliff. Helm 4’s push and the ecosystem’s focus on eBPF and observability hardening mean the next 12 months are a migration window where careful planning pays off and procrastination costs real incidents.

Final note: treat Helm as a platform dependency, not just a CLI. Upgrade planning should land in your platform roadmap alongside CNI upgrades and GitOps reconciler maintenance. The ecosystem’s signal is clear — the safe default for new work is Helm 4.x; if you aren’t already testing there, you’re buying time at the cost of increasing risk.
