Kubermatic 2.14 deprecates the Elasticsearch-based logging stack, consisting of the
Helm charts. These components will only receive security fixes in future releases and will be removed entirely in version
Log aggregation in Kubermatic is now handled by Grafana Loki, offering a much simpler and less resource intensive setup. As existing data cannot be migrated into Loki, it’s recommended to install Loki in parallel to an existing ELK stack and ship logs only to it going forward. Once all logs in Elasticsearch have expired, the Elastic Stack can be deleted.
Loki can be setup by installing two Helm charts:
helm upgrade --tiller-namespace kubermatic --install --values YOUR_VALUES_YAML_HERE --namespace logging loki charts/logging/loki/ helm upgrade --tiller-namespace kubermatic --install --values YOUR_VALUES_YAML_HERE --namespace logging promtail charts/logging/promtail/
An alternative to Loki is the Elastic Cloud on Kubernetes (ECK) stack, which greatly simplifies managing Elasticsearch clusters on Kubernetes. Like with Loki, there is no migration planned and customers are advised to install an ECK stack in parallel to slowly phase out the old, Helm-based stack.
Previously, Kubermatic used a shared Helm chart,
certs, that contains all TLS certificates for both Kubermatic and all
IAP Ingresses. This however made the configuration somewhat hard to understand and does not work well with the new
For these reasons the
certs chart is now deprecated. Instead the
iap charts will create their own
certificates and reference them explicitly in the Ingresses they also create. The
--default-ssl-certificate CLI flag
for nginx is now not set anymore.
To upgrade, just upgrade the
iap charts as normal. Make sure to have the current
and configured to create a
letsencrypt-prod ClusterIssuer (which it does by default). After upgrading the charts, it should
only take a minute for the new certificates to be acquired.
certs chart can be removed entirely from the cluster. You might also want to manually remove the
kubermatic/kubermatic-tls-certificates Secret, as it will soon expire. If you used the
certs chart to manage
non-Kubermatic/IAP certificates, please migrate accordingly as the chart will soon not be published with Kubermatic anymore.
Kubermatic 2.14 introduced a stable interface for templating addon manifests. Previously, the exact variables that could be used were not documented and could change in between releases.
Please refer to the addon documentation for more information about the available fields. Compared to previous versions, the following are the most noticeable changes:
.Clusteris now a dedicated structure and not the Cluster CRD anymore. The CRD was never meant as a stable interface.
.Cluster.MajorMinorVersion. The exact version is now also available as
.Addonwas removed as it did not contain any relevant information.
If you have custom addons, make sure to review their manifests to ensure they continue to work.