KKP now supports Helm 3. Previous versions required some manual intervention to get all charts installed. With the updated CRD handling (see below), we made the switch to recommending Helm 3 for new installations.
A migration guide is provided.
After the Kubermatic Operator has been introduced as a beta in version 2.14, it is now the recommended way of
installing and managing KKP. This means that the
kubermatic Helm chart is considered deprecated as of
version 2.15 and all users are encouraged to prepare the migration to the Operator.
The Kubermatic Operator does not support previously deprecated features like the
or the full feature set of the
kubermatic chart’s customization options. Instead, datacenters
have to be converted to
Seed resources, while the chart configuration must be converted to a
KubermaticConfiguration. The Kubermatic Installer offers commands to perform these conversions
Note that the following customization options are not yet supported in the Kubermatic Operator:
maxParallelReconcile(always defaults to
Depending on your chosen installation method, a number of upgrade paths are documented:
In conjunction with the operator being promoted to the recommended installation method, we also deprecate the
nodeport-proxy Helm chart. The proxy is still a required component of any Kubermatic setup, but is now
managed by the Kubermatic Operator (similar to how it manages seed clusters).
The upgrade documents linked above include the necessary migration steps.
The Prometheus version included in Kubermatic Kubernetes Platform (KKP) 2.15 now enables WAL compression by default; our Helm chart follows this
recommendation. If the compression needs to stay disabled, the key
prometheus.tsdb.compressWAL can be set to
when upgrading the Helm chart.
In previous KKP releases, Helm was responsible for installing the CRDs for cert-manager and Velero. While this made the deployment rather simple, it lead to problems in keeping the CRDs up-to-date (as Helm never updates or deletes CRDs).
For this reason the CRD handling in KKP 2.15 was changed to require users to always manually install CRDs before installing/updating a Helm chart. This provides much greater control over the CRD life cycle and eases integration with other deployment mechanisms.
Upgrading existing Helm releases in a cluster is simple, as Helm does not delete CRDs. To update cert-manager, simply install the CRDs and then run Helm as usual:
kubectl apply -f charts/cert-manager/crd/ helm --namespace cert-manager upgrade --install --values YOUR_VALUES_YAML_HERE cert-manager charts/cert-manager/
kubectl apply -f charts/cert-manager/crd/ helm --tiller-namespace kubermatic upgrade --install --values YOUR_VALUES_YAML_HERE --namespace cert-manager cert-manager charts/cert-manager/
Older versions of
kubectl can potentially have issues applying the CRD manifests. If you encounter problems, please update
kubectl to the latest stable version and refer to the
for more information.
Note that on the first
kubectl apply you will receive warnings because now “kubectl takes control over previously
Helm-owned resources”, which can be safely ignored.
Perform the same steps for Velero:
kubectl apply -f charts/backup/velero/crd/ helm --namespace velero upgrade --install --values YOUR_VALUES_YAML_HERE velero charts/backup/velero/
kubectl apply -f charts/backup/velero/crd/ helm --tiller-namespace kubermatic upgrade --install --values YOUR_VALUES_YAML_HERE --namespace velero velero charts/backup/velero/
The labeling for the Promtail DaemonSet has changed, requiring administrators to re-install the Helm chart. As a clean upgrade is not possible, we advise to delete and re-install the chart.
helm --namespace logging delete promtail helm --namespace logging upgrade --install --values YOUR_VALUES_YAML_HERE promtail charts/logging/promtail/
helm --tiller-namespace kubermatic delete promtail helm --tiller-namespace kubermatic upgrade --install --values YOUR_VALUES_YAML_HERE --namespace logging promtail charts/logging/promtail/
Promtail pods are stateless, so no data is lost during this migration.
To prevent insecure misconfigurations, the default credentials for Grafana and Minio have been removed. They must be
set explicitly when installing the charts. Additionally, the base64 encoding for Grafana credentials has been removed,
so the plain text values are put into the Helm
When upgrading the charts, make sure your
values.yaml contains at least these keys:
grafana: # Remember to un-base64-encode the username if you have set a custom value. user: admin # generate random password, keep it plaintext as well password: ExamplePassword minio: credentials: accessKey: # generate a random, alphanumeric 32 byte secret secretKey: # generate a random, alphanumeric 64 byte secret
Previous KKP versions used Keycloak-Proxy for securing access to cluster services like Prometheus or Grafana. The project was then renamed to Louketo and then shortly thereafter deprecated and users are encouraged to move to OAuth2-Proxy.
KKP 2.15 therefore switches to OAuth2-Proxy, which covers most of Keycloak’s functionality but with a slightly different syntax. Please refer to the official documentation for the available settings, in addition to these changes:
iap.disocvery_urlin Helm values was renamed to
iap.oidc_issuer_url, pointing to the OIDC provider’s base URL (i.e. if you had this configured as
https://example.com/dex/.well-known/openid-configurationbefore, this must now be
passthroughoption for each IAP deployment has been removed. Instead paths that are not supposed to be secured by the proxy are now configured via
config.scopesoption for each IAP deployment is now
config.scope, a single string that must (for Dex) be space-separated.
config.resourcesmechanism for granting access based on user groups/roles has been removed. Instead the required organizations/teams are now configured via explicit config variables like
email_domainsmust be configured for each IAP deployment. In most cases it can be set to
A few examples can be found in the relevant code change in KKP.
To prevent issues with Helm re-using IAP deployment config values from a previous release, it can be helpful to purge and reinstall the chart:
helm --namespace iap delete iap helm --namespace iap upgrade --install --values YOUR_VALUES_YAML_HERE iap charts/iap/
helm --tiller-namespace kubermatic delete iap helm --tiller-namespace kubermatic upgrade --install --values YOUR_VALUES_YAML_HERE --namespace iap iap charts/iap/
Be advised that during the re-installation the secured services (Prometheus, Grafana, …) will not be accessible.