
Upgrade from Chart 1.x to 2.0

Chart 2.0.0 is a breaking release. It restructures three long-standing pain points:

  1. The deployment namespace is now driven by --namespace / -n at install time — no values override.
  2. All sensitive inputs live under a single secrets: block.
  3. You can bring your own Kubernetes Secrets (Vault, external-secrets-operator, sealed-secrets, AWS Secrets Manager, …) instead of letting Helm create them.

Every existing 1.x installation needs a values-file update before running helm upgrade.

The chart refuses to install into the default namespace and validates that credentials are provided (inline or via existing*Secret) at install time. A straight helm upgrade without the changes below will fail fast.

Prerequisites

  • Kubernetes 1.29+ (matches the chart’s kubeVersion constraint).
  • Helm 3.8+.
  • A namespace that is not default. If your 1.x install already set namespace.name: scanner, you’re fine — the resources are already there; only the values file changes.

Breaking changes at a glance

| 1.x | 2.0 | Notes |
| --- | --- | --- |
| namespace.name: scanner | Pass -n scanner on the CLI | namespace.name is no longer read. Every resource targets .Release.Namespace. |
| config.licenseKey | secrets.licenseKey | Moved under secrets:. |
| config.connectorApiKey | secrets.connectorApiKey | Moved under secrets:. |
| registry.username | secrets.registry.username | Moved under secrets:. |
| registry.password | secrets.registry.password | Moved under secrets:. |
| config.imagePullSecret | removed | Derived internally from the registry Secret name. |
| registry.imagePullSecrets | removed | Chart wires imagePullSecrets automatically. |
| not available | secrets.existingConfigSecret | Bring-your-own Opaque Secret (license-key, connector-api-key, connector-url). |
| not available | secrets.existingRegistrySecret | Bring-your-own kubernetes.io/dockerconfigjson Secret. |

Non-secret URLs (config.connectorServerUrl, config.licenseServerUrl, config.redisUrl, polling intervals, config.logFormat, …) stay under config:. Registry image paths (registry.server, registry.url) stay under registry:.

Values rewrite

Before (1.x)

    namespace:
      name: scanner
    registry:
      username: 'your-registry-username'
      password: 'your-registry-password'
    config:
      licenseKey: 'your-license-key'
      connectorApiKey: 'your-connector-api-key'

After (2.0)

    secrets:
      licenseKey: 'your-license-key'
      connectorApiKey: 'your-connector-api-key'
      registry:
        username: 'your-registry-username'
        password: 'your-registry-password'

Then pass the namespace on the CLI:

    helm upgrade detectify-scanner detectify/internal-scanning-agent \
      --version '~> 2.0' \
      -f my-values.yaml \
      -n scanner

Bring-your-own Secret (optional)

If you want credentials out of Helm values entirely, create the Secrets first, then reference them:

    secrets:
      existingConfigSecret: 'my-team-scanner-config'
      existingRegistrySecret: 'my-team-detectify-registry'

See Secrets Management for worked recipes (kubectl, external-secrets-operator, sealed-secrets, AWS Secrets Manager via ESO).

Helm removes the previously chart-managed scanner-config / detectify-registry Secrets automatically on the next release once you switch — no manual cleanup required.

Migration steps

  1. Rewrite your values file using the before/after snippets above. Remove namespace.name, config.licenseKey, config.connectorApiKey, registry.username, registry.password, any config.imagePullSecret, and any registry.imagePullSecrets.

  2. (Optional) Create your external Secrets if you’re moving to bring-your-own mode, and set secrets.existingConfigSecret / secrets.existingRegistrySecret.

  3. Upgrade the chart:

    helm upgrade detectify-scanner detectify/internal-scanning-agent \
      --version '~> 2.0' \
      -f my-values.yaml \
      -n scanner

  4. Verify pods pick up the new Secret — they should roll automatically:

    kubectl rollout status deployment -n scanner
    kubectl get pods -n scanner

Complete example

    secrets:
      licenseKey: 'your-license-key'
      connectorApiKey: 'your-connector-api-key'
      registry:
        username: 'your-registry-username'
        password: 'your-registry-password'
    ingress:
      enabled: true
      className: nginx
      host: scanner.example.com
      tls:
        enabled: true
        secretName: scanner-tls

    helm upgrade --install detectify-scanner detectify/internal-scanning-agent \
      --version '~> 2.0' \
      -f my-values.yaml \
      -n scanner \
      --create-namespace

Common errors after upgrade

If helm upgrade fails with one of the messages below, see Troubleshooting for the fix:

  • secrets.licenseKey is required unless secrets.existingConfigSecret is set.
  • secrets.connectorApiKey is required unless secrets.existingConfigSecret is set.
  • secrets.registry.username is required unless secrets.existingRegistrySecret is set.
  • secrets.registry.password is required unless secrets.existingRegistrySecret is set.
  • internal-scanning-agent refuses to install into the `default` namespace.
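
The key moves from the breaking-changes table and the install-time checks listed above, as an added Python example that is not part of the chart or its documentation. `migrate_values` and `preflight` are hypothetical helper names; the input is a values file already parsed into a dict (for instance with a YAML parser), and treating a missing namespace as `default` is an assumption.

```python
import copy

# From the "Breaking changes at a glance" table: moved 1.x paths, then dropped ones.
MOVED = {
    ("config", "licenseKey"): ("secrets", "licenseKey"),
    ("config", "connectorApiKey"): ("secrets", "connectorApiKey"),
    ("registry", "username"): ("secrets", "registry", "username"),
    ("registry", "password"): ("secrets", "registry", "password"),
}
REMOVED = [("namespace", "name"), ("config", "imagePullSecret"), ("registry", "imagePullSecrets")]

def _pop(tree, path):
    """Remove and return the value at path; drop a parent map left empty."""
    head, rest = path[0], path[1:]
    if not rest:
        return tree.pop(head, None)
    child = tree.get(head)
    value = _pop(child, rest) if isinstance(child, dict) else None
    if child == {}:
        del tree[head]
    return value

def migrate_values(old):
    """Return (2.0 values, namespace for -n) from a parsed 1.x values mapping."""
    new = copy.deepcopy(old)  # never mutate the caller's 1.x values
    namespace = (old.get("namespace") or {}).get("name")
    for src, dst in MOVED.items():
        value = _pop(new, src)
        if value is not None:
            node = new
            for key in dst[:-1]:
                node = node.setdefault(key, {})
            node[dst[-1]] = value
    for path in REMOVED:
        _pop(new, path)
    return new, namespace

def preflight(values, namespace):
    """Apply the install-time checks this page lists; return the error messages."""
    secrets = values.get("secrets") or {}
    registry = secrets.get("registry") or {}
    bad_ns = (namespace or "default") == "default"  # assumption: no -n means default
    errors = ["internal-scanning-agent refuses to install into the `default` namespace."] if bad_ns else []
    checks = [(secrets, "secrets", ("licenseKey", "connectorApiKey"), "existingConfigSecret"),
              (registry, "secrets.registry", ("username", "password"), "existingRegistrySecret")]
    for owner, prefix, keys, existing in checks:
        if not secrets.get(existing):
            errors += [f"{prefix}.{k} is required unless secrets.{existing} is set." for k in keys if not owner.get(k)]
    return errors
```

An empty list from `preflight` means the values and namespace pass the checks documented on this page; it does not replace the chart's own validation during helm upgrade.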
