Skip to content

TrueCharts News

Cluster-Wide Certificates

We are happy to announce that support for cluster-wide certificates is now available for Truecharts! You can now create a single certificate and use it throughout your cluster. We call these certificates “cluster certificates”.

Before you use the new feature, you should sync the Truecharts catalog and update all of your already installed apps to their latest version.

In addition to the cert-manager and clusterissuer apps you need for normal certificates, to use cluster certificates you also need to install our new kubernetes-reflector app from the enterprise train. For most setups installing the app with default settings is sufficient.

Once installed, edit your clusterissuer app and add a new cluster certificate. Note down the name you called it. Edit the app you wish to use the cluster certificate for and go to the Ingress section. If you have previously used a clusterissuer certificate, remove the issuer name. Click on Show Advanced Settings and add a TLS entry. Enter the name of your cluster certificate, and the certificate host(s) which it will be used for.

For a more detailed guide, see our docs.

Cert-Manager Operator

After building our own MetalLB, CNPG and Prometheus operator charts, we’ve also now finished the work on building our own Cert-Manager operator chart. As of today this chart will be a requirement for new users if they want to use Cert-Manager and required for all users starting August 1, 2023.

If you have already installed clusterissuer follow the below guidance for installation of the Cert-Manager operator chart.

If you have not already done so add the operator train to TrueCharts [as outlined here](/

  1. Run this in the system shell as root:
    k3s kubectl delete --grace-period 30 --v=4 -k https://github.com/truecharts/manifests/delete4
  2. Install cert-manager from the operators train.
  3. Update clusterissuer to the latest version of (2.0.1+).
  • If you are already on the latest version perform an empty edit of clusterissuer (Edit app and save without making any changes).

If you run into additional issues, please file a ticket with our dedicated support staff via the #support channel of our discord as normal.

Deprecating Old Operators

As part of limiting our promise not to introduce breaking changes to the charts within our Enterprise train, we’ve ensured both the new and old way of dealing with “operators” were both supported.

Starting August 1, 2023, we will completely drop support for the old (pre-July installs only, internal not user controlled) way of handling operators.

After August 1, 2023, additional checks for operators will be enabled, preventing users from making the mistake of installing charts without the right operator from the operator train present. This means that charts will prevent themselves from being updated when you’re still using the old operators at that time.

If you have already installed the metallb, prometheus-operator, and cloudnative-pg operators then no further action is required.

Prerequisites

Add the operator train to TrueCharts [as outlined here](/

MetalLB

The MetalLB operator is only required for users of MetalLB, anyone who does not use or plan to use MetalLB can skip this section.

  1. Uninstall current metallb from Enterprise train.
  2. Run this in the system shell as root: k3s kubectl delete --grace-period 30 --v=4 -k https://github.com/truecharts/manifests/delete
  3. Complete MetalLB installation as outlined here

Prometheus

The Prometheus operator is required for the use of app metrics. Its installation is recommended.

  1. Run this in the system shell as root: k3s kubectl delete --grace-period 30 --v=4 -k https://github.com/truecharts/manifests/delete3
  2. Install prometheus-operator from the operators train.

CNPG

The cloudnative-pg operator is required for any applications that utilize postgres. Its installation is recommended.

  1. Follow the [CNPG Operator Migration Guide](/ to migrate to the new CNPG operator. Ensure you follow the guide carefully as data loss can occur with this migration if proper steps are not followed.

If you run into additional issues, please file a ticket with our dedicated support staff via the #support channel of our discord as normal.

New CloudNative-PG (CNPG) operator chart.

After building our own MetalLB operator chart, we’ve also now finished the work on building our own CloudNative-PG Chart. As of today this chart will be a requirement for new users if they want to run applications featuring a postgresql database.

Updating to the new Cloudnative-PG helm chart for existing users

We want to point out though, that users should update the new CloudNative-PG Helm chart as soon as possible. To update an existing install with applications using postgresql databases to the new system, the following procedure can be used:

We want to explicitly highlight that this procedure will COMPLETELY DESTROY all your databases. It’s absolutely crucial to export your databases manually beforehand.

  • export all your databases manually, on SCALE using the [following guide](/ (do not rely on heavyscript backups for this!)
  • run this in a root shell: k3s kubectl delete --grace-period 30 --v=4 -k https://github.com/truecharts/manifests/delete2
  • install the new cloudnative-pg chart from the operators train
  • wait a few minutes
  • Hit edit and save without changes on all applications using postgresql databases.
  • wait a few minutes
  • Restore all your databases manually, on SCALE using the [following guide](/ (do not rely on heavyscript backups for this!)

If you run into additional issues, please file a ticket with our dedicated support staff via the #support channel of our discord as normal.

New MetalLB chart and our own operator charts.

Introdocution: Our own Operator Charts

The last few months, we’ve experimented with injecting so-called “operators” into the cluster directly when using our charts. Manifests for things like: MetalLB, Cert-Manager and CNPG where always loaded. While this system guaranteed users where always running the latest operator versions, we’ve also encountered some downsides. Primarily:

  • Loading manifests from the web is a security issue
  • Loading manifests required a pre-install job, with full-cluster permissions. Which is also a security issue.
  • Mistakes in the manifests, directly affect all users regardless of version
  • It requires creating namespaces outside of the ix-something style, while not an issue that’s something somehow iX developers voiced annoyance with.
  • It lacks any configurability for users that need a customization
  • It prevents users from using these operators outside of the TrueCharts scope on non-scale systems

To fix all of these issues, we’ve had quite the challenge. First off we needed to figure out a way of preventing users from installing multiple instances of the same operator. But we also needed to ensure ourselves that users always had the correct operators installed for the charts they want to install.

We’ve by now designed an industry leading helm logic, that scans your cluster for references of installed operators and compares those to the required operators.

Besides this logic, we also need to write the Helm Charts ourselves. This is a lot of work, as operators are often notoriosly complex to write helm charts for. Luckily we’ve enough experienced Kubernetes developers that we’re certain to pull this off!

First chart: MetalLB

As a first example of our new logic, we’re super happy to introduce our first self-build operator helm chart: MetalLB. It will be completely self-contained within it’s own namespace, not load dynamic manifests from the web and doesn’t contain risky security practices.

Obviously this chart, in the operators train, has a naming conflict with the old metallb chart in the enterprise train, so the later has been renamed to metallb-config requiring a reinstall. We want to point out that only the new metallb-config chart is compatible with the new self-build metallb operator.

We are very happy to also announce that the metallb-config chart, is fully compatible with our old and new ways of installing/managing metallb. However, new installs of the old way of handling metallb (without the chart from the operators train), will be actively disabled from now on.

To use MetalLB on new installs, one needs to install both metallb and metallb-config, in that order.

Updating to the new MetalLB helm chart

We want to point out though, that users should update the new MetalLB Helm chart as soon as possible. To update a current install using MetalLB to the new system, the following procedure can be used:

  • remove the old metallb chart coming from the enterprise train
  • run this in a root shell: k3s kubectl delete --grace-period 30 --v=4 -k https://github.com/truecharts/manifests/delete
  • install the new metallb chart from the operators train
  • wait a few minutes
  • install or update metallb-config to the latest version
  • wait a few minutes
  • Hit edit on metallb-config and save without changes if you where already on the latest version or it isn’t working yet
  • wait a few minutes

If you run into additional issues, please file a ticket with our dedicated support staff via the #support channel of our discord as normal.