Overview

Third-party applications are infrastructure components deployed via Helm charts, such as traefik, cert-manager, external-secrets, and ArgoCD itself. This page covers how to update their versions and configurations.

Infrastructure Components

The kit includes these third-party components in kubernetes/src/infrastructure/:
Component          Chart Source                   Purpose
argocd             argoproj.github.io             GitOps controller
cert-manager       quay.io/jetstack               TLS certificate automation
cloudnative-pg     cloudnative-pg.github.io       PostgreSQL operator
external-dns       kubernetes-sigs.github.io      DNS record management
external-secrets   charts.external-secrets.io     Secret synchronization
traefik            ghcr.io/traefik/helm           Ingress controller
karpenter          public.ecr.aws/karpenter       Node autoscaling
reloader           stakater.github.io             Pod restart on config changes
signoz-k8s-infra   charts.signoz.io               Observability collectors

Update Chart Versions

Each component uses a “wrapper chart” pattern: a local Helm chart that includes the upstream chart as a dependency.
1. Find the current version

Check the current version in the component’s values.yaml:
cat kubernetes/src/infrastructure/traefik/values.yaml
Look for the chartVersions section:
chartVersions:
  traefik: "38.0.1"
2. Check for new versions

Find the latest version from the chart repository:
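# List available versions from a repository added with `helm repo add`
# (`helm search repo` searches added repositories only; it does not query OCI registries)
helm search repo traefik/traefik --versions | head -10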
3. Update the version

Edit the values file to update the version:
vim kubernetes/src/infrastructure/traefik/values.yaml
chartVersions:
  traefik: "38.1.0"  # Updated version
For environment-specific versions, edit values.staging.yaml or values.production.yaml. Setting these independently allows for testing upgrades in lower environments before rolling out to production.
4. Update Chart.lock

Regenerate the lock file with the new dependency:
cd kubernetes/src/infrastructure/traefik
helm dependency update
5. Render and commit

mise run //kubernetes/src/infrastructure:render-all "<CLUSTER>"

git add .
git commit -m "chore: update traefik to 38.1.0"
git push origin main
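
A check to run between steps 4 and 5, added here as an example and not part of the kit: it confirms that the version pinned in values.yaml is the one Chart.lock records, and that the locked dependency comes from the chart source listed in the component table. It assumes the chartVersions layout shown above, the Chart.lock layout that helm dependency update writes, and that the two versions are meant to match in a wrapper chart; the function names and sample files are constructed.

```bash
#!/usr/bin/env bash
# Added example: check a wrapper chart's version pin against its Chart.lock.

# Print the version pinned for chart $2 under "chartVersions:" in values file $1.
pinned_version() {
  awk -v chart="$2" '
    /^chartVersions:/ { in_block = 1; next }
    in_block && /^[^ #]/ { in_block = 0 }   # next top-level key ends the block
    in_block && $1 == (chart ":") { gsub(/"/, "", $2); print $2; exit }
  ' "$1"
}

# Print "<version> <repository>" recorded in lock file $1 for dependency $2.
locked_entry() {
  awk -v chart="$2" '
    $1 == "-" && $2 == "name:"              { current = $3 }
    current == chart && $1 == "repository:" { repo = $2 }
    current == chart && $1 == "version:"    { ver = $2 }
    END { gsub(/"/, "", ver); gsub(/"/, "", repo); if (ver != "") print ver, repo }
  ' "$1"
}

# usage: check_lock <chart-dir> <chart-name> <expected-source>
check_lock() {
  want=$(pinned_version "$1/values.yaml" "$2")
  entry=$(locked_entry "$1/Chart.lock" "$2")
  have=${entry%% *}; repo=${entry#* }
  if [ -z "$want" ] || [ "$want" != "$have" ]; then
    echo "STALE LOCK $2: values.yaml=$want Chart.lock=$have"; return 1
  fi
  case "$repo" in
    "oci://$3"|"oci://$3/"*|"https://$3"|"https://$3/"*) echo "OK $2 $have from $repo" ;;
    *) echo "UNEXPECTED SOURCE $2: $repo"; return 1 ;;
  esac
}

# Constructed sample: values.yaml already bumped, Chart.lock not yet regenerated.
demo=$(mktemp -d)
printf 'chartVersions:\n  traefik: "38.1.0"  # Updated version\n' > "$demo/values.yaml"
printf 'dependencies:\n- name: traefik\n  repository: oci://ghcr.io/traefik/helm\n  version: 38.0.1\ndigest: sha256:<constructed>\n' > "$demo/Chart.lock"
check_lock "$demo" traefik ghcr.io/traefik/helm || true
```

In a real checkout the call would be check_lock kubernetes/src/infrastructure/traefik traefik ghcr.io/traefik/helm, with a non-zero exit blocking the commit.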

Update Configuration

To change component settings without upgrading versions:
1. Edit the values file

Modify values.yaml for base configuration or values.{environment}.yaml for environment-specific settings:
vim kubernetes/src/infrastructure/traefik/values.yaml
For example, increase controller replicas:
traefik:
  deployment:
    replicas: 3
2. Render manifests

mise run //kubernetes/src/infrastructure:render-all "<CLUSTER>"
3. Review and commit

git diff kubernetes/rendered/
git add .
git commit -m "chore: increase traefik replicas to 3"
git push origin main
ArgoCD automatically syncs the changes.
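
Because ArgoCD syncs whatever is pushed, the git diff in step 3 is the last review point. The following added example (not part of the kit) filters that diff down to added lines that change which image runs or what a workload is permitted to do; the function name, the category list, and the sample diff are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: triage the rendered-manifest diff before pushing.
# Reads a unified diff on stdin and prints "[category] file: line" for every
# ADDED line that changes what runs or what it may do. Categories are a
# starting set chosen for this example, not an exhaustive policy.
triage_rendered_diff() {
  awk '
    /^\+\+\+ / { file = $2; sub(/^b\//, "", file); next }   # track current file
    /^\+/ {
      line = substr($0, 2); sub(/^ +/, "", line)            # drop "+" and indent
      cat = ""
      if (line ~ /^(- )?image:/) cat = "image"
      else if (line ~ /^kind: (ClusterRole|Role)(Binding)?$/) cat = "rbac-object"
      else if (line ~ /^(- )?(apiGroups|verbs):/) cat = "rbac-rule"
      else if (line ~ /^(privileged|hostNetwork|hostPID|hostIPC|allowPrivilegeEscalation): true/) cat = "privilege"
      else if (line ~ /^(- )?hostPath:/) cat = "hostpath"
      if (cat != "") print "[" cat "] " file ": " line
    }
  '
}

# Constructed sample diff (image names and tags are placeholders).
sample_diff='--- a/kubernetes/rendered/traefik/deployment.yaml
+++ b/kubernetes/rendered/traefik/deployment.yaml
@@ -20,5 +20,6 @@
       replicas: 3
-        image: registry.example/traefik:1.0
+        image: registry.example/traefik:2.0
+          allowPrivilegeEscalation: true
--- a/kubernetes/rendered/traefik/clusterrole.yaml
+++ b/kubernetes/rendered/traefik/clusterrole.yaml
@@ -8,2 +8,4 @@
+  verbs:
+  - create'
printf '%s\n' "$sample_diff" | triage_rendered_diff
```

Against a working tree, pipe the real diff in: git diff kubernetes/rendered/ | triage_rendered_diff. A replica-count change like the one above produces no output, so any line printed during a configuration-only change deserves a second look.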

Add Additional Manifests

Many components need additional manifests beyond the upstream chart (ClusterIssuers, StorageClasses, etc.). Add these in the wrapper chart’s templates/ directory:
kubernetes/src/infrastructure/cert-manager/
├── Chart.yaml
├── Chart.yaml.tmpl
├── values.yaml
├── values.staging.yaml
└── templates/
    ├── ClusterIssuer.letsencrypt-production.yaml
    ├── ClusterIssuer.letsencrypt-staging.yaml
    └── ClusterIssuer.selfsigned.yaml
These templates are rendered alongside the upstream chart resources.

Environment-Specific Configuration

Use values overlay files for environment differences:
# values.yaml (base)
traefik:
  deployment:
    replicas: 2

# values.staging.yaml
traefik:
  deployment:
    replicas: 1  # Smaller for staging

# values.production.yaml
traefik:
  deployment:
    replicas: 3  # Larger for production
The render process merges base values with environment-specific overrides.

Enable/Disable Components

Components are enabled/disabled in the ArgoCD infrastructure app-of-apps:
vim kubernetes/src/argocd/infrastructure/values.yaml
applications:
  argocd:
    enabled: true
  cert-manager:
    enabled: true
  envoy-gateway:
    enabled: false  # Disabled
  istio:
    enabled: false  # Disabled
After changing, render and push:
mise run //kubernetes/src/infrastructure:render-all "<CLUSTER>"
git add . && git commit -m "chore: disable envoy-gateway"
git push origin main

Upgrade Strategies

Minor/Patch Updates

For minor and patch version updates (e.g., 4.12.2 → 4.12.3):
  1. Update the version in values.yaml
  2. Run helm dependency update
  3. Render, commit, and push
  4. ArgoCD syncs automatically

Major Updates

For major version updates (e.g., 4.x → 5.x):
  1. Read the changelog for breaking changes
  2. Test in staging first before production
  3. Update values if configuration schema changed
  4. Have a rollback plan if the component is critical
Major version upgrades may require CRD updates. Check the component’s upgrade guide and apply CRD changes before upgrading the chart.

CRD Updates

Some components (cert-manager, ArgoCD, Karpenter) use CRDs that may need manual updates:
# Example: Update cert-manager CRDs
kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.17.0/cert-manager.crds.yaml
Check the component’s documentation for CRD upgrade procedures.

Best Practices

  1. Test in staging first - Always upgrade staging before production
  2. Read changelogs - Especially for major versions
  3. Update one component at a time - Easier to isolate issues
  4. Keep versions consistent - Use the same version across environments when possible
  5. Monitor after upgrades - Watch metrics and logs for regressions