Applications
This guide covers configuring the pgt-application Helm chart for deploying applications to Kubernetes. The chart supports two deployment strategies:
Rolling Deployments - Standard Kubernetes deployments (default)
Canary/Blue-Green Deployments - Progressive delivery using Argo Rollouts (Premium)
Prerequisites
Add the chart as a dependency in your Chart.yaml:
apiVersion: v2
name: demo-app
version: 0.0.1
dependencies:
- name: pgt-application
version: 0.0.4
repository: oci://public.ecr.aws/w9m9e0e9/pgt-helm-chartsAfter adding the dependency, run:
helm dependency updateCommon Configuration
These configuration options apply to both deployment strategies. All values are nested under pgt-application: in your values.yaml.
Required Fields
⚠️ Memory Requests and Limits
Always set memory requests equal to memory limits. This ensures your pod receives a Guaranteed Quality of Service (QoS) class, which provides:
Predictable scheduling: The scheduler knows exactly how much memory your pod needs
OOM kill priority: Guaranteed pods are the last to be killed when nodes run low on memory
No throttling surprises: Your pod won't be killed for exceeding its request while under its limit
When requests differ from limits, your pod gets a Burstable QoS class. Burstable pods can be OOM-killed even when using memory between their request and limit, making failures unpredictable and harder to debug.
Development Environment & Cost Optimization
When deploying to non-production environments, consider these settings to reduce costs:
💡 Spot Instances
The
preferSpotInstances: truesetting prefers scheduling your workloads on spot instances when available, which can significantly reduce compute costs. If you're interested in enabling spot instances for your environment, please reach out to the platform team to discuss your requirements and ensure your applications are suitable for spot instance usage.
💰 Office Hours Scaling
Setting
scaleDownOutsideOfficeHours: trueautomatically scales your application to zero replicas outside of business hours (evenings and weekends). This is ideal for:
Development and staging environments
Internal tools not needed 24/7
Non-critical services in non-production clusters
⚠️ Warning: Do not enable this for production workloads or services that require high availability.
🕐 Custom Scaling Schedules
If
scaleDownOutsideOfficeHoursdoesn't fit your needs, you can define custom scaling schedules using KEDA's cron trigger:This gives you full control over when your application scales up or down based on your specific requirements.
Ports and Service
Define ports to expose your application. If no ports are defined, no Service is created:
Environment Variables
Configure environment variables directly or from ConfigMaps/Secrets:
Health Probes
Configure liveness and readiness probes. We recommend running health checks on a dedicated port separate from your application traffic port:
💡 Dedicated Health Check Port
Running health checks on a separate port (e.g., 8081) from your main traffic port (e.g., 8080) provides several benefits:
Isolation from traffic load: Health checks won't compete with application requests for connections
Independent scaling: Health endpoints can remain responsive even when the main port is under heavy load
Security: Health endpoints can be excluded from external ingress while remaining accessible to the kubelet
Simpler debugging: Separating concerns makes it easier to diagnose issues with either traffic or health
Autoscaling with KEDA
The chart uses KEDA ScaledObject for autoscaling. When enabled, the replicas field is ignored:
Gateway API Ingress
Configure traffic routing using Gateway API (HTTPRoute, GRPCRoute, etc.). The cloud setting determines which cloud-specific resources are created alongside the standard Gateway API routes.
Cloud Provider Options
aws
Creates TargetGroupConfiguration resources for ALB health checks and protocol settings
azure
Creates standard Gateway API routes only; health checks are configured via container probes
""
No cloud-specific resources; uses standard Gateway API routes only
AWS Configuration
When cloud: aws, the chart creates TargetGroupConfiguration resources that configure AWS Application Load Balancer target groups with custom health checks, protocol settings, and HTTP matchers:
Azure Configuration
When cloud: azure, the chart creates standard Gateway API routes. Azure's Gateway implementation uses the container's readiness probe for health checks, so no additional cloud-specific configuration is required:
💡 Azure Health Checks
On Azure, ensure your
readinessProbeis properly configured as the Gateway uses this to determine backend health. The probe path, port, and timing settings directly affect load balancer behaviour.
External Secrets
The pgt-application chart includes pgt-secrets as a subchart for fetching secrets from AWS Secrets Manager or Azure Key Vault. For full configuration options, see the PGT Secrets documentation.
Service Account
Configure a ServiceAccount to allow your application to access cloud resources securely:
For detailed instructions on creating IAM roles and managed identities, see:
AWS IAM Roles (IRSA) - Configure IAM roles for EKS workloads
Azure Workload Identity - Configure managed identities for AKS workloads
Prometheus ServiceMonitor
Enable metrics scraping:
Rolling Deployments (Default)
Rolling deployments are the default strategy. The chart creates a standard Kubernetes Deployment that gradually replaces pods during updates.
Basic Rolling Deployment
Rolling Update Strategy Options
deployment.strategy.type
RollingUpdate
RollingUpdate or Recreate
deployment.strategy.rollingUpdate.maxSurge
25%
Max pods above desired count during update
deployment.strategy.rollingUpdate.maxUnavailable
25%
Max unavailable pods during update
Zero-Downtime Rolling Update
For zero-downtime deployments, configure:
Complete Rolling Deployment Example
Canary/Blue-Green Deployments (Premium)
ℹ️ Premium Feature
Canary and Blue-Green deployments require Argo Rollouts to be installed in your cluster. This is a premium setup that enables progressive delivery strategies.
Enable Argo Rollouts by setting rollout.enabled: true. This creates a Rollout resource instead of a Deployment.
Canary Deployments
Canary deployments gradually shift traffic to the new version, allowing you to validate changes with a subset of users before full rollout.
Basic Canary Configuration
Custom Canary Steps
Define custom rollout steps to control the progression:
Canary with Gateway API Traffic Routing
When using Gateway API routes, traffic routing is automatically configured:
Canary with Analysis (Automated Rollback)
Enable automated promotion/rollback based on metrics analysis:
📝 AnalysisTemplate Required
You must create AnalysisTemplate resources separately. These define the metrics queries and success criteria for automated promotion decisions.
Blue-Green Deployments
Blue-Green deployments run two identical environments (blue = current, green = new) and switch traffic instantly after validation.
Basic Blue-Green Configuration
Blue-Green with Auto-Promotion
Automatically promote after a specified delay:
Blue-Green with Preview Replicas
Run a different number of replicas for the preview environment:
Blue-Green with Pre-Promotion Analysis
Run analysis before promoting the new version:
Complete Canary Deployment Example
Complete Blue-Green Deployment Example
Managing Rollouts with Argo CD
The Argo Rollouts extension is installed in Argo CD, providing a rich UI for managing progressive deployments directly from the Argo CD interface.
Viewing Rollout Status
Navigate to your application in the Argo CD UI
Click on the Rollout resource in the application tree
The extension displays a visual rollout panel showing:
Current rollout phase and status
Step progression with visual indicators for completed, active, and pending steps
Traffic weight distribution between stable and canary/preview versions
ReplicaSet revisions with pod counts
Analysis run status and results (if analysis is enabled)
Promoting a Paused Rollout
When a rollout is paused (waiting for manual promotion):
Open the application in Argo CD
Click on the Rollout resource to open the rollout panel
Click the Promote button in the rollout panel header
The rollout will proceed to the next step
For full promotion (skip all remaining steps):
Click the dropdown arrow next to Promote
Select Promote Full to immediately complete the rollout to 100%
Aborting a Rollout (Rollback)
To abort a rollout and revert to the previous stable version:
Open the application in Argo CD
Click on the Rollout resource
Click the Abort button in the rollout panel header
The rollout will scale down the canary/preview ReplicaSet and restore full traffic to the stable version
Retrying a Failed Rollout
If a rollout fails (e.g., due to failed analysis or degraded status):
Open the application in Argo CD
Click on the Rollout resource
Click the Retry button to restart the rollout from the beginning
Restarting a Rollout
To trigger a new rollout without changing the image (e.g., to pick up ConfigMap changes):
Open the application in Argo CD
Click on the Rollout resource
Click the Restart button to initiate a new rollout with the current configuration
Debugging Issues
Check Rollout Status Panel:
The rollout extension panel shows real-time status:
Click on the Rollout resource in Argo CD
Review the step progression - failed steps are highlighted in red
Check the revision history to compare stable vs canary ReplicaSets
Hover over status indicators for detailed messages
Check Rollout Events:
Click on the Rollout resource in Argo CD
Select the Events tab to view Kubernetes events
Look for warnings or errors related to the rollout progression
Check Pod Logs:
In the application tree, expand the Rollout to see its ReplicaSets and Pods
Click on a Pod resource
Select the Logs tab to view container logs
Use the container dropdown to switch between main and sidecar containers
Check Analysis Runs:
If using automated analysis:
AnalysisRun resources appear in the application tree under the Rollout
Click on the AnalysisRun to view the analysis panel
Review individual metric results - failed metrics are highlighted
Check metric queries and their returned values to understand failures
Sync Status:
If the application shows as OutOfSync:
Check the Diff tab to see what resources differ from Git
Click Sync to reconcile the desired state
Review sync options if specific resources need to be excluded
Additional Configuration
Init Containers
Run initialization tasks before the main container:
Worker Containers (Sidecars)
Add sidecar containers that run alongside the main container:
Volume Mounts
Mount ConfigMaps or Secrets as volumes:
Pod Scheduling
Control pod placement with affinity, tolerations, and node selectors:
Values Reference
For a complete list of all available values, see the chart's default values:
name
string
nil
Required. Application name
organisationName
string
nil
Required. Organisation name
deployment.replicas
int
1
Replica count (ignored if autoscaling enabled)
deployment.strategy.type
string
RollingUpdate
RollingUpdate or Recreate
rollout.enabled
bool
false
Enable Argo Rollouts
rollout.strategy.type
string
canary
canary or blueGreen
container.image.registry
string
nil
Required. Container registry
container.image.repository
string
nil
Required. Image repository
container.image.tag
string
nil
Required. Image tag
autoscaling.enable
bool
true
Enable KEDA autoscaling
autoscaling.minReplicas
int
1
Minimum replicas
autoscaling.maxReplicas
int
3
Maximum replicas
autoscaling.scaleDownOutsideOfficeHours
bool
false
Scale to zero outside business hours
affinity.nodeAffinity.preferSpotInstances
bool
false
Prefer scheduling on spot instances
gatewayIngress.cloud
string
""
Cloud provider (aws for TargetGroupConfig)
serviceMonitor.enabled
bool
false
Enable Prometheus ServiceMonitor
pgt-secrets.enabled
bool
true
Enable external secrets
Last updated
Was this helpful?