Deploy Helm Charts

1. Support for multiple repository types: Truefoundry allows deploying a Helm chart from public/private helm repository, OCI registry, and or your own Git repository.
2. Support for Kustomize patches and additional manifests: Truefoundry allows you to add Kustomize patches and additional manifests to the Helm chart deployment. This is specially useful in case the helm chart doesn’t allow you to customize the values you need.
3. Support for secrets management: While installing helm charts, we often need to create kubernetes secrets manually and then refer to them in the helm chart. Truefoundry makes this process secure by allowing you to create the secrets in Truefoundry(on your secret manager) and then add a kubernetes secret manifest via Kustomize to the helm chart deployment. You can read more on this in the steps below.
4. Validation for cluster-scoped objects: Helm-charts downloaded from the internet can have malicious code in them, which can impact the security of your cluster. Truefoundry validates the helm chart by checking for any cluster-scoped objects in the helm chart.

5. Pause Helm Chart: Truefoundry allows you to pause the helm chart deployment. This is useful in case you want to stop the deployment and resume it later to save cost. Pausing the helm chart will scale all the pods in the helm chart to 0.

​

Step-by-Step Deployment Guide

1

Navigate to Deployments

Log in to your TrueFoundry dashboard and click on Deployments in the left sidebar, then click New to create a new deployment.

2

Select Helm

In the application type page, click on show advanced and select Helm.

3

Choose Your Chart Source

Now you need to tell TrueFoundry where your Helm chart is located. You have three options:

Helm Chart Deployment Form

Option 1: Public Helm Repository

You can use this option to deploy charts from public helm repositories like Bitnami, Helm Charts, etc.

HelmRepo Configuration

What you need to fill:

• Helm repository URL: The URL of the chart repository (e.g., https://charts.bitnami.com/bitnami)
• Chart name: The name of the chart (e.g., redis, postgresql)
• Version: The specific version you want to deploy

Example: Deploy Redis from Bitnami

Copy

Ask AI

source:
  type: helm-repo
  repo_url: https://charts.bitnami.com/bitnami
  chart: redis
  version: 22.0.7

Option 2: Container Registry (OCI)

You can use this option to deploy charts from container registries like Docker Hub, Google Container Registry, etc.

To deploy charts from private container registries, you have to add the container registry as an integration first. To do this, go to Integrations → Add Integration Provider and select your registry provider and add an integration for your registry. You can refer to the Integrations Overview guide for more details on how to add integrations.

OCIRepo Configuration

What you need to fill:

• OCI chart URL: The OCI URL of your chart (e.g., oci://registry-1.docker.io/bitnamicharts/redis)
• Version: The specific version of the chart
• Container Registry: This is only needed if you are deploying helm chart from your private container registry. Toggle the Show Advanced Fields and select the integration from the dropdown which contains your helm charts.

Example: Deploy Redis from Docker Hub

Copy

Ask AI

source:
  type: oci-repo
  oci_chart_url: oci://registry-1.docker.io/bitnamicharts/redis
  version: 22.0.7

Option 3: Git Repository

You can use this option to deploy charts from your own Git repositories.

To deploy charts from private Git repositories, you have to create a repository secret first, you can refer to the Private Repository Configuration section on how to do that.

GitHelmRepo Configuration

What you need to fill:

• Git repository URL: The URL of your Git repository
• Revision: Branch, tag, or commit SHA to use (e.g., main, v1.0.0)
• Path: Path to the chart within the repository (e.g., charts/my-app)

Example: Deploy from your own Git repo

Copy

Ask AI

source:
  type: git-helm-repo
  git_repo_url: https://github.com/your-org/helm-charts.git
  revision: main
  path: charts/redis

4

Configure Your Application

This is where you can update the values file, add kustomize patches and additional manifests.

Basic Values Configuration

You can override the default values of the helm chart by updating the values in values block. This is useful if you want to change the default values of the helm chart.

Values Configuration

Example: Configure Redis with a password and persistent storage.

Copy

Ask AI

values:
  auth:
    enabled: true
    password: "my-secure-password"
  master:
    persistence:
      enabled: true
      size: 8Gi
  service:
    type: LoadBalancer
    ports:
      redis: 6379

Using Secrets (Recommended)

Instead of putting passwords directly in your configuration, you can use TrueFoundry’s secure secret management.How to use secrets:

1. First, create a secret in TrueFoundry, you can refer to the Secret Management page for more details on how to create a secret.
2. Copy the secret’s FQN (it looks like tfy-secret://truefoundry:secret-name:key)
3. Use it in your secret manifest instead of plain text password.

Truefoundry secrets are supported only in manifest block that too only for kubernetes secret manifest which are using stringData field to store the secret.

Secrets Configuration

Example: Using a secret for Redis password, as you can see in the above image, the password is referenced using the secret FQN.

Copy

Ask AI

# Secret to create a redis password secret
apiVersion: v1
kind: Secret
metadata:
  name: redis-secret
type: Opaque
stringData:
  redis-password: tfy-secret://truefoundry:redis-secrets:password

This is much more secure than putting passwords directly in your configuration files!

Advanced Customization (Optional)

When to use this: If you need to modify the Kubernetes resources that Helm creates, or add additional resources.Two main options:

1. Kustomize Patches: Modify existing resources (e.g., add annotations, change resource limits), you can refer to the Kustomize page for more details on how to use kustomize patches.

Kustomize Configuration

2. Additional Manifests: Add new Kubernetes resources (e.g., To expose your app with a VirtualService, you can add a VirtualService manifest here.)

Additional Manifests Configuration

Example: Expose Redis with a custom endpoint

Copy

Ask AI

# Additional manifest to expose Redis endpoint
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: redis-virtualservice
  namespace: your-workspace
spec:
  hosts:
    - <your-custom-domain>
  gateways:
    - <istio-gateway-name>/<istio-gateway-namespace>
  tcp:
    - match:
        - port: 6379
      route:
        - destination:
            host: redis-redis-master.<your-workspace-name>.svc.cluster.local
            port:
              number: 6379

5

Deploy and Monitor

Click Submit to deploy your chart. TrueFoundry will:

1. Download your chart
2. Apply your configuration
3. Create the necessary Kubernetes resources
4. Show you the deployment status

Deployment Status

You can monitor the deployment progress and view logs by clicking on your deployment in the deployments list.

​

Private Repository Configuration

GitHub Private Repository

Configure access to private GitHub repositories containing Helm charts.

1

Add GitHub as Integration

First, add your private GitHub repository as an integration in TrueFoundry, you can refer to the Github Integration guide for more details on how to add an github repository as an integration.

2

Create GitHub Personal Access Token

First, create a personal access token in GitHub:

1. Go to https://github.com/settings/tokens (click on “Generate new token (classic)”)
2. Select scopes: repo (for private repositories)
3. Copy the generated token

Store your token securely. You won’t be able to see it again after creation.

3

Deploy Repository Secret using Kubernetes Manifest

Use TrueFoundry’s Kubernetes manifest deployment to create the repository secret. Follow the Deploy Kubernetes Manifests guide and deploy this manifest:

Copy

Ask AI

apiVersion: v1
kind: Secret
type: Opaque
metadata:
  name: repo-1752233801
  labels:
    argocd.argoproj.io/secret-type: repository
  namespace: argocd
stringData:
  url: https://github.com/your-org/helm-charts.git
  type: git
  project: tfy-apps
  password: github_pat_11BAP2UBQ0tDSEVgbtphEM_18bH8fYWa6qhGCIWZsZIeIMm5NAEKYUIOfdfdfdfdfHER7RDDfbTAa
  username: x-access-token

Before deploying, replace:

• https://github.com/your-org/helm-charts.git with your actual repository URL
• github_pat_11BAP2UBQ0tDSEVgbtphEM_18bH8fYWa6qhGCIWZsZIeIMm5NAEKYUIOfdfdfdfdfHER7RDDfbTAa with your actual GitHub token
• repo-1752233801 with a unique name for your secret

Deployed Secret

4

Deploy Helm Chart from Private Repository

Now you can deploy Helm charts from your private repository:

1. Go to Deployments → New → Helm
2. Select Git Repository as your chart source
3. Enter your private repository URL
4. Specify the chart path and revision
5. Configure your values and deploy

​

Complete Example: Deploying Redis

Step 1: Choose Redis Chart

First, we’ll tell TrueFoundry to use the Redis chart from Bitnami (a popular chart repository):

Redis Chart Configuration

This tells TrueFoundry: “Use the Redis chart from Bitnami’s repository, version 22.0.5”

Step 2: Set Up Secure Password

Instead of putting a password directly in our configuration, we’ll use TrueFoundry’s secure secret management:

1. Create a secret in TrueFoundry:
   • Go to Secrets in the left sidebar
   • Create a new secret called redis-secrets
   • Add a key called password with your desired password
   

   Creating Redis Password Secret
2. Copy the secret reference: It will look like tfy-secret://truefoundry:redis-secrets:password

Step 3: Add additional manifests to create a redis password secret

Now we’ll configure how Redis should run - with a password, persistent storage, and external access:

Copy

Ask AI

# Additional manifest to create a redis password secret
apiVersion: v1
  kind: Secret
  metadata:
    name: redis-secret
  type: Opaque
  data:
    redis-password: <base64-encoded-password>

Before deploying, replace:

• redis-secret with a unique name for your secret
• redis-password with your desired password

Creating Redis Password Secret

Step 4: Configure Redis Settings

Now we’ll configure how Redis should run - with a password, persistent storage, and external access:

Copy

Ask AI

# Redis configuration with security and persistence
values:
  auth:
    enabled: true
    existingSecret: redis-secret
    existingSecretPasswordKey: redis-password

  master:
    service:
      type: LoadBalancer  # This makes Redis accessible from outside
      ports:
        redis: 6379
    persistence:
      enabled: true       # This saves data even if Redis restarts
      size: 8Gi

  replica:
    replicaCount: 2       # Run 2 backup Redis instances
    service:
      type: ClusterIP     # Internal access only
    persistence:
      enabled: true
      size: 4Gi

  metrics:
    enabled: true         # Enable monitoring
    serviceMonitor:
      enabled: true

What this does:

• Sets up a secure password using our secret
• Makes Redis accessible from outside (LoadBalancer)
• Saves data permanently (persistence)
• Runs backup instances for reliability
• Enables monitoring

Step 5: Custom Endpoint (Optional)

If you want to access Redis through a custom URL (like redis.your-app.com), you can add this advanced configuration:

Copy

Ask AI

# Custom endpoint configuration
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: redis-virtualservice
  namespace: your-workspace
spec:
  hosts:
    - redis.your-workspace.ml.demo.truefoundry.cloud
  gateways:
    - istio-system/tfy-wildcard-alb
  tcp:
    - match:
        - port: 6379
      route:
        - destination:
            host: redis-redis-master.your-workspace.svc.cluster.local
            port:
              number: 6379

When to use this: Only if you need a custom domain name for your Redis instance.

Final Redis Deployment Result