Konstruct 0.3
Released: January 2026
Highlights
- Simplified Installation - Install Konstruct on any Kubernetes cluster without pre-existing infrastructure
- Umbrella Chart Consolidation - All services deploy through a single Helm chart
- No kubefirst Dependency - Konstruct now runs independently of kubefirst
- Automatic Platform Bootstrap - ArgoCD and platform tools installed automatically via GitOps
Major Features
Simplified Installation
Konstruct 0.3 can be installed on any Kubernetes cluster - no pre-existing ArgoCD, cert-manager, Vault, or other infrastructure required.
Minimal Install (No External Dependencies):
```bash
helm install konstruct oci://europe-west2-docker.pkg.dev/civo-com/charts/konstruct \
  --version 0.3.1 \
  --namespace konstruct-system \
  --create-namespace \
  --set konstruct-api.extraEnv.DISABLE_AUTH=true \
  --set konstruct-api.vaultSecretPath="" \
  --set konstruct-api.externalSecrets.apiSecrets.enabled=false \
  --set konstruct-api.externalSecrets.dexConfig.enabled=false \
  --set konstruct-api.ingress.enabled=false \
  --set konstruct-ui.ingress.enabled=false
```
Access via port-forward:
```bash
kubectl port-forward svc/konstruct-konstruct-ui -n konstruct-system 8080:8080
```
What changed:
- DISABLE_AUTH=true bypasses OIDC (auto-login as admin)
- No external-secrets-operator CRD required
- No ingress controller required
See Install Konstruct for the complete guide.
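Because DISABLE_AUTH=true logs every visitor in as admin, the minimal install is only reasonable while both ingresses stay off and access goes through the port-forward. The following check is an added example, not part of the Konstruct project; it assumes the release's computed values were exported with `helm get values konstruct -n konstruct-system --all -o json > values.json`, and the function names are hypothetical.

```python
import json
import sys

def _is_true(value):
    # --set DISABLE_AUTH=true is stored as a boolean, but a values file may
    # carry the string "true"; treat both the same way.
    return str(value).strip().lower() == "true"

def audit_auth_exposure(values):
    """Return findings for a release's computed values; [] means nothing to flag."""
    api = values.get("konstruct-api") or {}
    if not _is_true((api.get("extraEnv") or {}).get("DISABLE_AUTH", False)):
        return []  # OIDC is not bypassed, nothing to check here
    findings = []
    for chart in ("konstruct-api", "konstruct-ui"):
        ingress = (values.get(chart) or {}).get("ingress") or {}
        if "enabled" not in ingress:
            # Without --all the chart default is not visible, so do not guess.
            findings.append(f"{chart}: ingress.enabled missing from values, confirm it is off")
        elif _is_true(ingress["enabled"]):
            findings.append(f"{chart}: ingress enabled while DISABLE_AUTH=true")
    return findings

# Constructed sample values (not taken from a real cluster).
SAMPLE = {
    "konstruct-api": {"extraEnv": {"DISABLE_AUTH": True}, "ingress": {"enabled": False}},
    "konstruct-ui": {"ingress": {"enabled": "true"}},
}

if __name__ == "__main__":
    from_file = len(sys.argv) > 1
    values = json.load(open(sys.argv[1])) if from_file else SAMPLE
    findings = audit_auth_exposure(values)
    for line in findings:
        print("FINDING:", line)
    if from_file and findings:
        sys.exit(1)  # fail a CI step when auditing a real export
```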
Automatic Platform Bootstrap (Coming in 0.3.2)
The team-management-operator will bootstrap platform tools automatically:
- ArgoCD Installation - Installed via Helm SDK when control plane is configured
- GitOps Repository Setup - Platform templates pushed to your GitOps repo
- Platform Apps Deployment - cert-manager, ingress-nginx, external-secrets deployed via ArgoCD
Bootstrap sequence:
Konstruct Install -> Detect Control Plane Config -> Install ArgoCD ->
Initialize GitOps Repo -> ArgoCD Syncs Platform Apps -> Ready
Platform apps included:
- ArgoCD (self-managing after bootstrap)
- cert-manager with Let's Encrypt ClusterIssuers
- ingress-nginx
- external-secrets-operator
- external-dns (optional)
- Dex (optional)
Umbrella Chart Consolidation
All Konstruct platform services now deploy through a single konstruct umbrella Helm chart, consolidating what were previously 8 separate ArgoCD Applications into one.
Services Included:
- konstruct-api
- konstruct-ui
- application-operator
- cloudaccount-operator
- gitaccount-operator
- sso-operator
- team-management-operator
- workloadcluster-operator
Key Benefits:
- Coordinated Versioning: All services version together
- Simplified Promotion: Single chart to promote across environments
- Reduced Complexity: One ArgoCD Application instead of eight
- Atomic Deployments: Related services deploy together
Breaking Changes
kubefirst Dependency Removed
Konstruct 0.3 no longer reads from the kubefirst-initial-state secret. If you're running on a kubefirst-provisioned cluster, this doesn't affect existing functionality - Konstruct simply ignores the secret.
Platform Tools via GitOps (Coming in 0.3.2)
Platform tools (cert-manager, ingress-nginx, etc.) will be managed via GitOps instead of Helm subcharts. This provides:
- Version control for platform tool configurations
- Visibility into what's deployed via ArgoCD
- Customization without chart modifications
For GitOps Users
What Changed
Previously, each operator had its own ArgoCD Application YAML:
- application-operator.yaml
- cloudaccount-operator.yaml
- etc.
Now, all services are configured within konstruct.yaml under the helm.values section.
Configuration Example
```yaml
# registry/environments/development/konstruct.yaml
spec:
  source:
    chart: konstruct
    helm:
      values: |
        konstruct-api:
          # API configuration...
        konstruct-ui:
          # UI configuration...
        application-operator:
          imagePullSecrets:
            - name: docker-config
        cloudaccount-operator:
          imagePullSecrets:
            - name: docker-config
        # ... other operators
```
Upgrading from 0.2
Operator Helm charts include CRDs. If ArgoCD prunes Applications before the umbrella chart takes over, all Custom Resources will be deleted (GitAccounts, CloudAccounts, Applications, etc.). Follow the phases below exactly.
Phase 1: Remove Finalizers (Prevents Pruning)
Update each operator Application YAML to remove the resources-finalizer.argocd.argoproj.io finalizer:
```yaml
# BEFORE
metadata:
  name: development-application-operator
  finalizers:
    - resources-finalizer.argocd.argoproj.io  # REMOVE THIS

# AFTER
metadata:
  name: development-application-operator
  # No finalizers - ArgoCD will orphan resources instead of pruning
```
Apply to all operator Applications:
- application-operator.yaml
- cloudaccount-operator.yaml
- gitaccount-operator.yaml
- sso-operator.yaml
- team-management-operator.yaml
- workloadcluster-operator.yaml
Commit and wait for ArgoCD to sync.
Phase 2: Verify Finalizers Removed
Confirm ArgoCD has removed the finalizers from live Applications:
```bash
kubectl get application -n argocd -o jsonpath='{range .items[*]}{.metadata.name}{": "}{.metadata.finalizers}{"\n"}{end}' | grep operator
```
All operators should show empty finalizers [] before proceeding.
Phase 3: Deploy Umbrella Chart
- Update your konstruct.yaml to include operator values
- Delete the individual operator Application YAMLs
- Commit both changes together
ArgoCD will:
- Orphan the old resources (not prune, because finalizers were removed)
- Deploy operators via the umbrella chart
- Take over management seamlessly
Why This Sequence Matters
| Action | With Finalizer | Without Finalizer |
|---|---|---|
| Delete Application YAML | ArgoCD prunes all resources (including CRDs) | ArgoCD orphans resources (leaves them running) |
| CRDs deleted | All CRs cascade-deleted | CRs preserved |
The two-phase approach ensures zero downtime and no data loss.
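The Phase 2 check can be turned into a gate that refuses to start Phase 3 while any operator Application still carries the finalizer. This is an added example, not part of the Konstruct project: it assumes the live Applications were exported with `kubectl get application -n argocd -o json > apps.json` and that all six operator Applications use the `development-` prefix shown in Phase 1; the function name is hypothetical.

```python
import json
import sys

# The six operator Applications listed in Phase 1.
OPERATORS = (
    "application-operator", "cloudaccount-operator", "gitaccount-operator",
    "sso-operator", "team-management-operator", "workloadcluster-operator",
)
FINALIZER = "resources-finalizer.argocd.argoproj.io"

def phase3_blockers(app_list, env_prefix="development-"):
    """Return reasons not to start Phase 3; an empty list means safe to proceed."""
    live = {a["metadata"]["name"]: a["metadata"].get("finalizers") or []
            for a in app_list.get("items", [])}
    blockers = []
    for op in OPERATORS:
        name = env_prefix + op
        if name not in live:
            # Wrong prefix or namespace: an unverified Application is not "clean".
            blockers.append(f"{name}: Application not found, cannot verify")
            continue
        # Prefix match so a suffixed form of the finalizer is caught as well.
        held = [f for f in live[name] if f.startswith(FINALIZER)]
        if held:
            blockers.append(f"{name}: still has {', '.join(held)}")
    return blockers

def _app(name, finalizers=None):
    meta = {"name": name}
    if finalizers is not None:
        meta["finalizers"] = finalizers
    return {"metadata": meta}

# Constructed sample list (not from a real cluster): two operators still hold
# the finalizer and one operator Application is absent.
SAMPLE = {"items": [
    _app("development-application-operator"),
    _app("development-cloudaccount-operator", [FINALIZER]),
    _app("development-gitaccount-operator", []),
    _app("development-sso-operator", [FINALIZER + "/background"]),
    _app("development-team-management-operator"),
    _app("development-konstruct", [FINALIZER]),  # not an operator, ignored
]}

if __name__ == "__main__":
    from_file = len(sys.argv) > 1
    problems = phase3_blockers(json.load(open(sys.argv[1])) if from_file else SAMPLE)
    print("\n".join(problems) or "All operator Applications are finalizer-free")
    if from_file and problems:
        sys.exit(1)
```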
Migration Checklist
- Review Install Konstruct guide
- If upgrading, follow the Phase 1-3 sequence
- Verify all operators running after upgrade
- Check ArgoCD applications are synced
- Test cluster provisioning workflow
Known Issues
None at this time.
What's Next?
Stay tuned for Konstruct 0.3.2 with:
- Automatic platform bootstrap via GitOps