Operations
Day-2 operations for self-hosted Dreadnode — restarts, scaling, database access, backups, and secret rotation.
Day-2 reference for running Dreadnode after the initial install. All examples assume
dreadnode as the release name and Helm CLI — Admin Console equivalents are noted
where they differ.
Health checks
Section titled “Health checks”# All podskubectl -n <namespace> get pods -l app.kubernetes.io/instance=dreadnode
# API health (returns {"status":"ok"} when healthy)curl http(s)://<your-domain>/api/v1/health
# Resource usage (requires metrics-server)kubectl -n <namespace> top pods -l app.kubernetes.io/instance=dreadnodeThe API’s /api/v1/health endpoint checks Postgres connectivity. A 503 with
{"status":"unhealthy","detail":"database unreachable"} means the API is running
but can’t reach the database.
Restart components
Section titled “Restart components”Rolling restart — no downtime if replicas > 1:
# APIkubectl -n <namespace> rollout restart deploy/dreadnode-api
# Frontendkubectl -n <namespace> rollout restart deploy/dreadnode-frontend
# StatefulSets (use with care — causes brief data-store unavailability)kubectl -n <namespace> rollout restart sts/dreadnode-postgresqlkubectl -n <namespace> rollout restart sts/dreadnode-clickhousekubectl -n <namespace> rollout restart sts/dreadnode-minioWatch the rollout:
kubectl -n <namespace> rollout status deploy/dreadnode-apiView applied configuration
Section titled “View applied configuration”# ConfigMap (non-secret env vars)kubectl -n <namespace> get cm dreadnode-api -o yaml
# Current resource statekubectl -n <namespace> get deploy,sts,ingress -l app.kubernetes.io/instance=dreadnodeDatabase access
Section titled “Database access”PostgreSQL
Section titled “PostgreSQL”# Port-forwardkubectl -n <namespace> port-forward sts/dreadnode-postgresql 5432:5432
# Connect (in another terminal)PGPASSWORD=$(kubectl -n <namespace> get secret dreadnode-postgresql \ -o jsonpath='{.data.password}' | base64 -d) \ psql -h localhost -U admin -d platformOr exec directly into the pod:
kubectl -n <namespace> exec -it dreadnode-postgresql-0 -- psql -U admin -d platformClickHouse
Section titled “ClickHouse”# Port-forward the HTTP interfacekubectl -n <namespace> port-forward sts/dreadnode-clickhouse 8123:8123
# Querycurl 'http://localhost:8123/?query=SELECT+1'Or use the CLI inside the pod:
kubectl -n <namespace> exec -it dreadnode-clickhouse-0 -- clickhouse-client# Port-forward the console (not the S3 API)kubectl -n <namespace> port-forward sts/dreadnode-minio 9001:9001Open http://localhost:9001 in a browser. Log in with the root credentials:
kubectl -n <namespace> get secret dreadnode-minio \ -o jsonpath='{.data.rootUser}' | base64 -dkubectl -n <namespace> get secret dreadnode-minio \ -o jsonpath='{.data.rootPassword}' | base64 -dBackups
Section titled “Backups”Backup strategy depends on your environment. The chart deploys in-cluster PostgreSQL, ClickHouse, and MinIO by default — back up at the storage layer (PVC snapshots) or export data logically from inside the pods.
PostgreSQL
Section titled “PostgreSQL”# Dump to a local filekubectl -n <namespace> exec dreadnode-postgresql-0 -- \ pg_dump -U admin platform > dreadnode-pg-$(date +%Y%m%d).sqlRestore (destroys existing data):
# Drop and recreatekubectl -n <namespace> exec dreadnode-postgresql-0 -- \ psql -U admin -d postgres -c "DROP DATABASE platform"kubectl -n <namespace> exec dreadnode-postgresql-0 -- \ psql -U admin -d postgres -c "CREATE DATABASE platform"
# Restorecat dreadnode-pg-20260416.sql | \ kubectl -n <namespace> exec -i dreadnode-postgresql-0 -- \ psql -U admin -d platformPVC snapshots
Section titled “PVC snapshots”If your storage class supports CSI snapshots:
apiVersion: snapshot.storage.k8s.io/v1kind: VolumeSnapshotmetadata: name: pg-snapshot namespace: <namespace>spec: volumeSnapshotClassName: <your-snapshot-class> source: persistentVolumeClaimName: data-dreadnode-postgresql-0Repeat for data-dreadnode-clickhouse-0 and data-dreadnode-minio-0.
External data stores
Section titled “External data stores”If you pointed Dreadnode at external services (RDS, managed ClickHouse, S3), use those services’ native backup tools. The chart doesn’t manage backups for external stores.
Secret rotation
Section titled “Secret rotation”The chart auto-generates passwords for in-cluster data stores and security keys for the API. Rotating them requires updating the Secret and restarting the affected pods.
Data store passwords
Section titled “Data store passwords”Data store Secrets have helm.sh/resource-policy: keep — Helm won’t overwrite them on
upgrade. To rotate:
NEW_PW=$(openssl rand -base64 32)
# Update the Secretkubectl -n <namespace> create secret generic dreadnode-postgresql \ --from-literal=password="$NEW_PW" \ --dry-run=client -o yaml | kubectl apply -f -
# Update the password inside the running databasekubectl -n <namespace> exec dreadnode-postgresql-0 -- \ psql -U admin -d platform -c "ALTER USER admin PASSWORD '$NEW_PW'"
# Restart the API to pick up the new credentialkubectl -n <namespace> rollout restart deploy/dreadnode-apiSame pattern for ClickHouse (dreadnode-clickhouse, key admin-password) and MinIO
(dreadnode-minio, keys rootUser, rootPassword).
API security keys
Section titled “API security keys”The dreadnode-api-security Secret holds secretKey, jwtSecretKey, and
refreshSecretKey. Rotating these invalidates all active sessions and issued tokens —
every logged-in user gets logged out.
The dreadnode-api-encryption Secret holds the Fernet key for encrypting user secrets
stored in Postgres. Do not rotate this key unless you’re prepared to lose all
encrypted user secrets. There is no re-encryption migration.
Scaling
Section titled “Scaling”Resource presets
Section titled “Resource presets”The simplest way to scale is to change the resource preset. Set global.resourcesPreset
in your values overlay and upgrade:
helm upgrade dreadnode oci://registry.replicated.com/dreadnode/dreadnode \ --version <version> \ -f values.yaml \ --set global.resourcesPreset=mediumFor Admin Console installs, change Resource Sizing in the config screen and redeploy.
Manual replica scaling
Section titled “Manual replica scaling”The API and frontend Deployments can be scaled horizontally:
kubectl -n <namespace> scale deploy/dreadnode-api --replicas=3kubectl -n <namespace> scale deploy/dreadnode-frontend --replicas=2This doesn’t survive helm upgrade. For persistent scaling, set replica counts in
your values overlay under the subchart overrides.
Upgrades
Section titled “Upgrades”Helm CLI
Section titled “Helm CLI”helm upgrade dreadnode oci://registry.replicated.com/dreadnode/dreadnode \ --version <new-version> \ -f values.yamlAdmin Console
Section titled “Admin Console”The Admin Console checks for new versions automatically. When an update appears on the dashboard, review the release notes and click Deploy.
What happens during an upgrade
Section titled “What happens during an upgrade”- The
migrationsinit container runsalembic upgrade headagainst Postgres - The API pod starts with the new version
- The frontend pod rolls to the new version
Migrations are forward-only. helm rollback and the Admin Console Rollback button
are disabled. If an upgrade fails, see
Reinstall from scratch.
Support bundles
Section titled “Support bundles”Support bundles collect logs, cluster state, and diagnostics into a single archive.
Admin Console: Go to Troubleshoot → Generate a support bundle.
Helm CLI:
kubectl support-bundle --load-cluster-specs -n <namespace>Requires the troubleshoot kubectl plugin. The bundle spec is built into the chart — the plugin discovers it automatically.
Share the generated archive with us when you need help debugging.