Truefoundry Docs

TrueFoundry provides a way to deploy Helm charts directly through the platform, making it easy to deploy any Helm chart without needing to use kubectl or other command-line tools. It also helps keep track of the helm charts that are deployed along with their versions and change history. Truefoundry also provides the following additional features for helm charts deployment:

Support for multiple repository types: Truefoundry allows deploying a Helm chart from public/private helm repository, OCI registry, and or your own Git repository.
Support for Kustomize patches and additional manifests: Truefoundry allows you to add Kustomize patches and additional manifests to the Helm chart deployment. This is specially useful in case the helm chart doesn’t allow you to customize the values you need.
Support for secrets management: While installing helm charts, we often need to create kubernetes secrets manually and then refer to them in the helm chart. Truefoundry makes this process secure by allowing you to create the secrets in Truefoundry(on your secret manager) and then add a kubernetes secret manifest via Kustomize to the helm chart deployment. You can read more on this in the steps below.
Validation for cluster-scoped objects: Helm-charts downloaded from the internet can have malicious code in them, which can impact the security of your cluster. Truefoundry validates the helm chart by checking for any cluster-scoped objects in the helm chart.

Cluster-scoped objects (like ClusterRole, ClusterRoleBinding, or non-namespace scoped resources) cannot be applied when deploying Helm charts unless you have cluster admin privileges. This restriction prevents workspace users from creating cluster-level resources that could impact other workloads.

Pause Helm Chart: Truefoundry allows you to pause the helm chart deployment. This is useful in case you want to stop the deployment and resume it later to save cost. Pausing the helm chart will scale all the pods in the helm chart to 0.

Step-by-Step Deployment Guide

Navigate to Deployments

Log in to your TrueFoundry dashboard and click on Deployments in the left sidebar, then click New to create a new deployment.

Select Helm

In the application type page, click on show advanced and select Helm.

Deploy new Helm modal showing Helm option selected

Choose Your Chart Source

Now you need to tell TrueFoundry where your Helm chart is located. You have three options:

Helm Chart Deployment Form

Option 1: Public Helm Repository

You can use this option to deploy charts from public helm repositories like Bitnami, Helm Charts, etc.

HelmRepo Configuration

What you need to fill:

Helm repository URL: The URL of the chart repository (e.g., https://charts.bitnami.com/bitnami)
Chart name: The name of the chart (e.g., redis, postgresql)
Version: The specific version you want to deploy

Example: Deploy Redis from Bitnami

source:
  type: helm-repo
  repo_url: https://charts.bitnami.com/bitnami
  chart: redis
  version: 22.0.7

Option 2: Container Registry (OCI)

You can use this option to deploy charts from container registries like Docker Hub, Google Container Registry, etc.

To deploy charts from private container registries, you have to add the container registry as an integration first. To do this, go to Integrations → Add Integration Provider and select your registry provider and add an integration for your registry. You can refer to the Integrations Overview guide for more details on how to add integrations.

OCIRepo Configuration

What you need to fill:

OCI chart URL: The OCI URL of your chart (e.g., oci://registry-1.docker.io/bitnamicharts/redis)
Version: The specific version of the chart
Container Registry: This is only needed if you are deploying helm chart from your private container registry. Toggle the Show Advanced Fields and select the integration from the dropdown which contains your helm charts.

Example: Deploy Redis from Docker Hub

source:
  type: oci-repo
  oci_chart_url: oci://registry-1.docker.io/bitnamicharts/redis
  version: 22.0.7

Option 3: Git Repository

You can use this option to deploy charts from your own Git repositories.

To deploy charts from private Git repositories, you have to create a repository secret first, you can refer to the Private Repository Configuration section on how to do that.

GitHelmRepo Configuration

What you need to fill:

Git repository URL: The URL of your Git repository
Revision: Branch, tag, or commit SHA to use (e.g., main, v1.0.0)
Path: Path to the chart within the repository (e.g., charts/my-app)

Example: Deploy from your own Git repo

source:
  type: git-helm-repo
  git_repo_url: https://github.com/your-org/helm-charts.git
  revision: main
  path: charts/redis

Configure Your Application

This is where you can update the values file, add kustomize patches and additional manifests.

Basic Values Configuration

You can override the default values of the helm chart by updating the values in values block. This is useful if you want to change the default values of the helm chart.

Values Configuration

Example: Configure Redis with a password and persistent storage.

values:
  auth:
    enabled: true
    password: "my-secure-password"
  master:
    persistence:
      enabled: true
      size: 8Gi
  service:
    type: LoadBalancer
    ports:
      redis: 6379

Using Secrets (Recommended)

Instead of putting passwords directly in your configuration, you can use TrueFoundry’s secure secret management.How to use secrets:

First, create a secret in TrueFoundry, you can refer to the Secret Management page for more details on how to create a secret.
Copy the secret’s FQN (it looks like tfy-secret://truefoundry:secret-name:key)
Use it in your secret manifest instead of plain text password.

Truefoundry secrets are supported only in manifest block that too only for kubernetes secret manifest which are using stringData field to store the secret.

Secrets Configuration

Example: Using a secret for Redis password, as you can see in the above image, the password is referenced using the secret FQN.

# Secret to create a redis password secret
apiVersion: v1
kind: Secret
metadata:
  name: redis-secret
type: Opaque
stringData:
  redis-password: tfy-secret://truefoundry:redis-secrets:password

This is much more secure than putting passwords directly in your configuration files!

Advanced Customization (Optional)

When to use this: If you need to modify the Kubernetes resources that Helm creates, or add additional resources.Two main options:

Kustomize Patches: Modify existing resources (e.g., add annotations, change resource limits), you can refer to the Kustomize page for more details on how to use kustomize patches.

Kustomize Configuration

Additional Manifests: Add new Kubernetes resources (e.g., To expose your app with a VirtualService, you can add a VirtualService manifest here.)

Additional Manifests Configuration

Example: Expose Redis with a custom endpoint

# Additional manifest to expose Redis endpoint
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: redis-virtualservice
  namespace: your-workspace
spec:
  hosts:
    - <your-custom-domain>
  gateways:
    - <istio-gateway-name>/<istio-gateway-namespace>
  tcp:
    - match:
        - port: 6379
      route:
        - destination:
            host: redis-redis-master.<your-workspace-name>.svc.cluster.local
            port:
              number: 6379

Deploy and Monitor

Click Submit to deploy your chart. TrueFoundry will:

Download your chart
Apply your configuration
Create the necessary Kubernetes resources
Show you the deployment status

Deployment Status

You can monitor the deployment progress and view logs by clicking on your deployment in the deployments list.

Private Repository Configuration

TrueFoundry allows you to deploy Helm charts from private repositories by configuring repository credentials using the Kubernetes manifest deployment feature or by adding repository integrations.

GitHub Private Repository

Configure access to private GitHub repositories containing Helm charts.

Add GitHub as Integration

First, add your private GitHub repository as an integration in TrueFoundry, you can refer to the Github Integration guide for more details on how to add an github repository as an integration.

Create GitHub Personal Access Token

First, create a personal access token in GitHub:

Go to https://github.com/settings/tokens (click on “Generate new token (classic)”)
Select scopes: repo (for private repositories)
Copy the generated token

Store your token securely. You won’t be able to see it again after creation.

Deploy Repository Secret using Kubernetes Manifest

Use TrueFoundry’s Kubernetes manifest deployment to create the repository secret. Follow the Deploy Kubernetes Manifests guide and deploy this manifest:

apiVersion: v1
kind: Secret
type: Opaque
metadata:
  name: repo-1752233801
  labels:
    argocd.argoproj.io/secret-type: repository
  namespace: argocd
stringData:
  url: https://github.com/your-org/helm-charts.git
  type: git
  project: tfy-apps
  password: github_pat_11BAP2UBQ0tDSEVgbtphEM_18bH8fYWa6qhGCIWZsZIeIMm5NAEKYUIOfdfdfdfdfHER7RDDfbTAa
  username: x-access-token

Before deploying, replace:

https://github.com/your-org/helm-charts.git with your actual repository URL
github_pat_11BAP2UBQ0tDSEVgbtphEM_18bH8fYWa6qhGCIWZsZIeIMm5NAEKYUIOfdfdfdfdfHER7RDDfbTAa with your actual GitHub token
repo-1752233801 with a unique name for your secret

Deployed Secret

Deploy Helm Chart from Private Repository

Now you can deploy Helm charts from your private repository:

Go to Deployments → New → Helm
Select Git Repository as your chart source
Enter your private repository URL
Specify the chart path and revision
Configure your values and deploy

Complete Example: Deploying Redis

Let’s walk through a real example of deploying Redis (a popular caching database) with proper configuration and security:

Step 1: Choose Redis Chart

Step 2: Set Up Secure Password

Step 3: Add additional manifests to create a redis password secret

Now we’ll configure how Redis should run - with a password, persistent storage, and external access:

# Additional manifest to create a redis password secret
apiVersion: v1
  kind: Secret
  metadata:
    name: redis-secret
  type: Opaque
  data:
    redis-password: <base64-encoded-password>

Before deploying, replace:

redis-secret with a unique name for your secret
redis-password with your desired password

Creating Redis Password Secret

Step 4: Configure Redis Settings

Now we’ll configure how Redis should run - with a password, persistent storage, and external access:

# Redis configuration with security and persistence
values:
  auth:
    enabled: true
    existingSecret: redis-secret
    existingSecretPasswordKey: redis-password

  master:
    service:
      type: LoadBalancer  # This makes Redis accessible from outside
      ports:
        redis: 6379
    persistence:
      enabled: true       # This saves data even if Redis restarts
      size: 8Gi

  replica:
    replicaCount: 2       # Run 2 backup Redis instances
    service:
      type: ClusterIP     # Internal access only
    persistence:
      enabled: true
      size: 4Gi

  metrics:
    enabled: true         # Enable monitoring
    serviceMonitor:
      enabled: true

What this does:

Sets up a secure password using our secret
Makes Redis accessible from outside (LoadBalancer)
Saves data permanently (persistence)
Runs backup instances for reliability
Enables monitoring

Step 5: Custom Endpoint (Optional)

If you want to access Redis through a custom URL (like redis.your-app.com), you can add this advanced configuration:

# Custom endpoint configuration
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: redis-virtualservice
  namespace: your-workspace
spec:
  hosts:
    - redis.your-workspace.ml.demo.truefoundry.cloud
  gateways:
    - istio-system/tfy-wildcard-alb
  tcp:
    - match:
        - port: 6379
      route:
        - destination:
            host: redis-redis-master.your-workspace.svc.cluster.local
            port:
              number: 6379

When to use this: Only if you need a custom domain name for your Redis instance.

Final Redis deployment showing the complete deployment with all configurations, Kustomize patches, and VirtualService applied

Final Redis Deployment Result

Getting Started

Train and Deploy Models

Service Deployment

Job Deployment

Workflow Deployment

Async Service Deployment

Volumes

ML Repository

Platform

Deploying On Your Own Cloud

Deploy Helm Charts

Step-by-Step Deployment Guide

Private Repository Configuration

Complete Example: Deploying Redis

Getting Started

Train and Deploy Models

Service Deployment

Job Deployment

Workflow Deployment

Async Service Deployment

Volumes

ML Repository

Platform

Deploying On Your Own Cloud

​Step-by-Step Deployment Guide

​Private Repository Configuration

​Complete Example: Deploying Redis

Step-by-Step Deployment Guide

Private Repository Configuration

Complete Example: Deploying Redis