Already run managed databases (Azure Database for PostgreSQL, Cosmos DB,
external Kafka/ClickHouse, etc.) and want a single Helm install instead of
in-cluster dependencies? Follow the Deployment Guide
— it installs only the
bud chart pointed at your external services.How it works
You apply two ArgoCD ApplicationSets, both sourcing charts fromoci://registry.bud.studio/charts:
| ApplicationSet | Deploys | Namespace(s) |
|---|---|---|
cluster-addons | dapr, cert-manager, cert-manager-issuer, postgres, clickhouse, kafka, mongodb, valkey, seaweedfs | one per addon |
prod-apps | keycloak, bud (the platform) | keycloak, bud |
values.yaml + secrets)
comes from a source you control — a small config repo (recommended),
inline values, or the CLI (Step 3).
Nothing proprietary lives in your config, and you never need credentials to
bud-runtime.
Ordering. The addon charts install operators (CloudNativePG, Strimzi,
Altinity, Percona, …) whose CRDs must exist before the database
custom-resources can apply. The charts do not use ArgoCD sync-waves;
instead ArgoCD’s
automated + selfHeal sync policy retries failed syncs
until each operator establishes its CRDs and the dependent resources converge.
Expect a few Applications to show Degraded/Progressing on the first pass and
self-heal within a few minutes — this is normal.Prerequisites
| Requirement | Notes |
|---|---|
| Kubernetes 1.25+ | With a default StorageClass for PVCs |
kubectl, helm 3.8+ | Helm must support OCI registries |
| ArgoCD installed | You bootstrap it yourself (Step 2). Bud does not manage your ArgoCD. |
| Ingress controller | Chart Ingresses default to ingressClassName: traefik |
| Registry credentials | Robot account for registry.bud.studio |
| A config source | A git repo you own (recommended) or inline values — see Step 3 |
Step 1 — Get registry credentials
You need a read-only robot account forregistry.bud.studio to let both
ArgoCD (chart pulls) and your cluster (image pulls) authenticate.
Step 2 — Install ArgoCD
If you don’t already run ArgoCD, install it (any supported method works):Step 3 — Choose how to supply configuration
ArgoCD needs yourvalues.yaml (Step 4) and secrets.yaml (Step 5). There are
three ways to provide them; pick based on where your secrets end up.
| Option | How | Secrets land in… | Use for |
|---|---|---|---|
| Config git repo (recommended) | A repo you own, joined to the chart with $values | A repo (encryptable with SOPS) | Real installs |
Inline valuesObject | Values written directly in the Application manifest | The manifest & etcd, in plaintext | Quick / demo, non-secret values only |
CLI --values | argocd app set <app> --values … from your machine | ArgoCD’s DB only (not git) | Imperative single-Application flow, not the ApplicationSet flow below |
Recommended: a config repo
The fastest start is to fork the example repo,BudEcosystem/example-bud-foundry-config
— it already contains the two ApplicationSets and the config layout this
guide uses:
ref: values source’s repoURL in both ApplicationSets
to your fork, then edit the files under argocd/. The ApplicationSets
reference these via $values, which resolves to the repo root — hence
the paths are $values/argocd/<app>/values.yaml. Keep your fork private if
it will hold a real secrets.yaml.
You only edit a handful of values. The bud chart’s defaults already point
the application at the in-cluster databases this guide deploys
(
pooler-rw.postgres, clickhouse-clickhouse.clickhouse,
mongodb-rs0.mongodb, valkey-master.valkey). Leave the
externalServices.*.host keys at their defaults — those are only changed
for the managed-database path in the Deployment Guide.Step 4 — Cluster configuration (argocd/bud/values.yaml)
The mandatory non-secret values. Everything else falls back to chart defaults.
TLS with
https: internal. The chart annotates its Ingresses with
kubernetes.io/tls-acme: "true", which cert-manager’s ingress-shim resolves to
its default ClusterIssuer letsencrypt-http01 — created by the
cert-manager-issuer addon (in cluster-addons, so make sure it’s enabled).
That issuer uses the HTTP-01 challenge, so every ingress host (admin.<root>,
app.<root>, gateway.<root>, …) must be publicly resolvable and reachable on
port 80 for certificates to issue. If certs stay Ready=False, check
kubectl -n bud describe certificate <name> and kubectl -n bud get challenge.Step 5 — Application secrets (argocd/bud/secrets.yaml)
These are required for a new install and are not wired to external hosts.
The per-key reference — what each secret is for and how to generate it
— lives in the deployment guide; this is the same set regardless of
install method:
- Registry pull credentials
- Per-service secrets you must change
(admin login,
AES_KEY_HEX,PASSWORD_SALT, redirect-flow session/client secrets, RSA keypair, Dapr crypto keys, Novu secrets) - OIDC identity provider
Storing secrets. The simplest path is a
secrets.yaml in a private
config repo. To avoid plaintext secrets in git, encrypt the file with SOPS and
enable the helm-secrets plugin in your ArgoCD — this is optional hardening,
not required to get a working install.Step 6 — Apply the ApplicationSets
The two ApplicationSets ship in your fork atargocd/cluster-addons.yaml and
argocd/prod-apps.yaml. cluster-addons deploys the required in-cluster
dependencies (dapr, cert-manager, cert-manager-issuer, postgres, clickhouse, kafka,
mongodb, valkey, seaweedfs); prod-apps deploys keycloak and the bud platform in a later
sync-wave. Each joins its OCI chart to your config via $values. (Storage and
observability add-ons are optional — see
Optional add-ons.)
ref: values repoURL in both files points at your fork
(see Step 3), then apply:
Degraded states that self-heal (see
How it works). prod-apps is annotated to apply after the
addons.
No config repo? Inline the non-secret values. If you’d rather not fork a
config repo, drop the second (Keep secrets out of the manifest — pre-create them as Kubernetes
Secrets the chart consumes, or use the repo path for
ref: values) source and the $values/...
valueFiles, and inline the non-secret values.yaml with valuesObject
instead:secrets.yaml. Inline
valuesObject is best used in a single Application (not a templated
ApplicationSet) to avoid the templating
caveats noted in Step 3.Step 7 — Verify
Running within ~5–10 minutes of the Applications
going Healthy. Backend pods run a Dapr sidecar, so expect 2/2 READY for most
of them.
Optional add-ons
These charts are published alongside the required ones but are not part of the base install — whether you need them depends on your cluster and your operational preferences. To enable one, add it tocluster-addons.yaml (an
element { name: <addon>, namespace: <addon> }) just like a required addon.
| Add-on | What it provides | When you need it |
|---|---|---|
openebs | A storage provisioner / StorageClass (Mayastor, LVM, ZFS, hostpath) | Only if your cluster has no StorageClass — e.g. bare metal with raw disks. Managed clusters (EKS/AKS/GKE) already provide one; skip it. |
otel | OpenTelemetry operator + a node-level collector for cluster/infra metrics | Infra-level observability only. The platform ships its own app-telemetry collector (traces/metrics → ClickHouse), so the application works without this. |
signoz | Observability dashboards UI (traces, logs, metrics) | A console for viewing telemetry. Nothing in the platform depends on it. |
Storage is still required — just not from
openebs. The databases need
a working StorageClass either way. openebs is one way to provide it; a cloud
CSI driver is another. Set storage.*.className (Step 4) to whichever your
cluster offers.Post-installation
Navigate to your configured domain (e.g.https://admin.bud.yourdomain.com) and
log in with the SUPER_USER_EMAIL / SUPER_USER_PASSWORD you set in
argocd/bud/secrets.yaml.
Upgrading
BumptargetRevision in the ApplicationSet (e.g. the bud element to a new
chart version) and commit. ArgoCD rolls out the change on its next sync.
Uninstalling
Common pitfalls
kubectl applyof an ApplicationSet fails withno matches for kind "ApplicationSet"— your ArgoCD install registered theApplicationCRD but not theApplicationSetone (some install variants split them). Install the CRD for your ArgoCD version, and use--server-side— the CRD’s schema exceeds the 256 KBlast-applied-configurationannotation limit, so a plainkubectl applyerrors withmetadata.annotations: Too long:- Addon Applications stuck
Degradedon first sync — usually the operator CRDs not yet established. ArgoCDselfHealretries; give it a few minutes. If it persists, sync the operator’s Application manually first. - Backend pods crash-loop on DB connection — almost always a
database password mismatch between the addon and
argocd/bud/secrets.yaml(see the Step 5 warning). registries.registry.bud.studiocredentials are required even on clusters that mirror images locally — the chart still creates the imagePullSecret referenced by every Deployment.budmetricsClickHouse database name must bemetrics— it is hardcoded. See the Deployment Guide.
Next steps
Deployment Guide
Per-service secret & config reference; managed-database install path.
Helm Configuration
Full list of chart values and overrides.