惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

D
Docker
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
F
Fortinet All Blogs
I
InfoQ
量子位
M
MIT News - Artificial intelligence
F
Full Disclosure
C
Cyber Attacks, Cyber Crime and Cyber Security
P
Privacy International News Feed
L
LangChain Blog
Stack Overflow Blog
Stack Overflow Blog
D
Darknet – Hacking Tools, Hacker News & Cyber Security
S
Secure Thoughts
C
CERT Recently Published Vulnerability Notes
The Hacker News
The Hacker News
Hugging Face - Blog
Hugging Face - Blog
V
Vulnerabilities – Threatpost
Know Your Adversary
Know Your Adversary
A
About on SuperTechFans
IT之家
IT之家
博客园 - Franky
L
Lohrmann on Cybersecurity
B
Blog RSS Feed
T
The Exploit Database - CXSecurity.com
有赞技术团队
有赞技术团队
Application and Cybersecurity Blog
Application and Cybersecurity Blog
罗磊的独立博客
O
OpenAI News
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
人人都是产品经理
人人都是产品经理
博客园 - 叶小钗
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
Forbes - Security
Forbes - Security
Hacker News - Newest:
Hacker News - Newest: "LLM"
Cloudbric
Cloudbric
L
LINUX DO - 最新话题
C
CXSECURITY Database RSS Feed - CXSecurity.com
GbyAI
GbyAI
Project Zero
Project Zero
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
博客园 - 三生石上(FineUI控件)
C
Cybersecurity and Infrastructure Security Agency CISA
Google DeepMind News
Google DeepMind News
美团技术团队
Cisco Talos Blog
Cisco Talos Blog
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
阮一峰的网络日志
阮一峰的网络日志
Y
Y Combinator Blog
C
Cisco Blogs
WordPress大学
WordPress大学

Apptio

How IBM Apptio Delivers Data Center Value in the Age of AI - Apptio GitOps with IBM Kubecost: Preventing Argo CD Rollbacks - Apptio GitOps with IBM Kubecost: API-Driven Rightsizing - Apptio It’s Here: Meet the New IBM Apptio Report Studio – A Faster, More Intuitive Approach to Reporting - Apptio New Tech, Same Rules: Cloud Lessons for an AI Advantage - Apptio IBM Cloudability Advanced Containers for Kubernetes FinOps - Apptio The Next Era of IT Financial Management Reporting with the New IBM Apptio Report Studio - Apptio From Guesswork to Confidence: Introducing Intelligent Forecasting for Tech Spend Planning - Apptio Smarter Technology Spend with AI-Driven Financial Intelligence - Apptio Budgets Are Up, Confidence Isn't: 2026 Global Tech Investment Insights - Apptio IBM Kubecost 3.1: Kubernetes Resource Quota Rightsizing - Apptio Driving FinOps Forward in 2025 and Beyond - Apptio ITFM Maturity: The Next CIO Imperative in the Age of Innovation - Apptio How Banks Can Optimize IT Spend Without Sacrificing Impact - Apptio Introducing IBM Apptio Product TCO: Turn Product Spend into Strategic Investments with Clear, End-to-End Total Cost of Ownership and Unit Costs: Creating a Strategic Lens for IT Investment Decisions - Apptio Workforce Management: The Engine of Strategic Portfolio Management - Apptio FinOps for AI: Enabling the Next Wave of Cloud Innovation - Apptio IBM Kubecost 3.0: Faster, Smarter, and Built for Scale - Apptio Introducing IBM Apptio Mainframe TCO: Complete Visibility into Mainframe Costs and Usage - Apptio Essential K8s Cost Metrics for Reducing Spend - Apptio The New Standard for Strategic Portfolio Management: Financial Visibility at Every Level - Apptio K8s Cost Ownership: Who’s Responsible and How to Make It Work - Apptio Kubecost 2.8: Centralized Custom Pricing and a Big Performance Leap with ClickHouse - Apptio Unlock the Power of IT Financial Management with IBM Apptio Essentials - Apptio Full Transparency for Smart AI Investments with IBM Apptio’s AI Total Cost of Ownership & Usage - Apptio What’s New in IBM Apptio Planning - Apptio Labeling in Kubernetes: From Metadata to Money-Saving Insights - Apptio Innovative Approaches to Drive Tech Spend Management with AI, Analytics, and Automation - Apptio Discover Kubecost on Apptio’s Website: Enhancing FinOps with Kubernetes Insights - Apptio How Kubecost Collections Works: From the Engineers Who Built It - Apptio Kubecost 2.7 Release Highlights - Apptio Introducing Hybrid IT TCO Impact: IBM Apptio’s Newest Solution to Manage Your Evolving Hybrid Environment - Apptio FinOps Essentials: Best Practices for Finance Teams - Apptio Upgrading Your Kubecost Experience - Apptio Kubecost 2.6 Release Highlights - Apptio Kubernetes Efficiency: Cut Waste, Not Performance - Apptio FinOps Essentials: Best Practices for Product Teams - Apptio Optimizing GPU Monitoring for AI Efficiency - Apptio Kubecost 2.5 Release Highlights - Apptio FinOps Essentials: Strategies for Smarter Cloud Spending - Apptio Achieving Cost-Effective Scaling in Kubernetes - Apptio Celebrating OpenCost’s Journey to CNCF Incubation - Apptio Unlocking Technology Value: The Essential Role of TBM in Modern IT Management - Apptio The Complex Costs of AI: Investments, Funding, and ROI Tracking - Apptio Addressing Carbon Emissions in IT: The New Business Imperative - Apptio Kubecost Brings NVIDIA GPU cost monitoring for AI workloads in 2.4 - Apptio Kubecost Launches Support for Oracle Cloud - Apptio Kubecost 2.4 Release Highlights - Apptio Evolving Container Cost Visibility with IBM Cloudability - Apptio Transforming the Way You Manage Your Digital Portfolios: IBM Apptio and ServiceNow - Apptio Maximizing Kubernetes Cost Efficiency with Kubecost and Amazon EKS - Apptio FinOps Foundations: Strategies for Cross-Team Alignment - Apptio Managing Kubernetes Costs in a Multi-Cloud Environment - Apptio Unlock Kubernetes Savings with Kubecost’s Automated Actions - Apptio Celebrating a Milestone: Kubecost Surpasses 10 Million Installs - Apptio Kubernetes Pricing: On-Premises Versus Cloud Environments - Apptio Maximizing Multi-Cloud Efficiency with Kubecost APIs - Apptio Aligning Tech Financials and Labor Resources - Apptio Kubecost 2.3 Release Highlights - Apptio IBM Cloudability Introduces New Innovations for FinOps Practitioners - Apptio Kubecost Launches the First Kubecost Certification - Apptio Enhancing Cloud Reporting: Attributing Costs to Kubernetes Applications - Apptio Building a FinOps Solution for All - Apptio Navigating the Growing Complexities of Technology Spend Management - Apptio Apptio Introduces New Products to Elevate Technology Value - Apptio Developing a Strategy for Kubernetes Cost Monitoring - Apptio Visualize your Kubernetes Network Costs - Apptio Getting Highly Accurate and Granular Cost Metrics with Kubecost - Apptio 8 Steps to Achieve Enterprise Agile Planning Success - Apptio FinOps and TBM at Public Sector Summit - Apptio Introducing Kubecost Collections - Apptio Apptio & ServiceNow launch new Application Portfolio Management capabilities - Apptio Beyond the Hype: A Balanced View of AI Adoption - Apptio 2.1 Release Highlights - Apptio Starting your Technology Business Management Journey: A Guide for Smart Technology Investments with Apptio Cost Management - Apptio IBM Cloudability: 2023 Innovation in Review - Apptio Kubecost 2.0 Packaging - Apptio Kubernetes Readiness Probe: Tutorial & Examples - Apptio Kubernetes Health Check - How-To and Best Practices - Apptio Introducing Kubecost 2.0 - Apptio Kubernetes Liveness Probe: Tutorial & Examples - Apptio Kubernetes Cluster Size: Your Guide to Optimization - Apptio EKS Cost Monitoring: The Kubecost and AWS Solution - Apptio Kubernetes Deployment Strategies: Tutorial & Examples - Apptio Guide to Kubernetes Management Tools - Apptio Automate Your Rightsizing Workflows with IBM Cloudability and ServiceNow - Apptio Kyverno and Kubecost: Real-time Kubernetes Cost Management - Apptio Making Smarter IT Decisions With Apptio Plus ServiceNow Breaking Down Silos Between Finance and Agile Teams With Lean Budgeting - Apptio Maximize Cloud Savings Without Running Afoul of AWS RI Marketplace Enforcements - Apptio Cost-Effective Deployment Policies With Kyverno - Apptio Tracking Waste on Kubernetes Clusters - Apptio Blending FinOps With Observability - Apptio 3 Key Opportunities for Finance Teams in SAFe 6.0 - Apptio Kubecost Predict Part 2: Introducing the Admission Controller - Apptio The CEO as the Chief Transformation Officer - Apptio Client Challenge Client Challenge Client Challenge
Managing K8s Agent Updates at Scale with Helm and Terraform - Apptio
Mohammad Azharuddin · 2026-05-20 · via Apptio

Managing an agent on a single Kubernetes cluster is usually straightforward. Managing that same agent across five, ten, or fifty clusters is where things get harder. When you need to roll out an agent update consistently across environments, manual installs can be difficult to audit, prone to drift, and time consuming to repeat.

That challenge shows up quickly when platform teams need to standardize agent deployment, validate updates safely, and avoid treating every cluster like a one-off project. The larger the environment gets, the more important it becomes to use a deployment pattern that is repeatable, reviewable, and easy to scale.

In this post, we’ll look at how Helm and Terraform can work together to make agent rollouts more manageable at scale, and we’ll use updating to IBM Cloudability’s new IBM FinOps Agent as a practical example.

What is Helm, in plain English

Helm is the package manager for Kubernetes. It gives teams a standard way to install, configure, upgrade, and manage software in a cluster.

Instead of hand-authoring and reapplying raw YAML for every deployment, Helm packages Kubernetes resources into a chart with configurable values. That makes it easier to install the same software repeatedly, apply environment-specific settings cleanly, and manage upgrades in a more structured way.

That matters here because the IBM FinOps agent is packaged as a Helm chart.

Where Terraform fits in

Helm solves package deployment inside Kubernetes. Terraform provides automation using infrastructure as code to helps teams provision and manage infrastructure across an organization. Using Terraform, teams can manage that deployment process as code across many environments.

That distinction matters. Terraform is not replacing Helm. It is orchestrating Helm in a way that makes large-scale rollouts easier to manage.

With Terraform, you can:

  • Define the desired deployment once
  • Pass cluster-specific values at runtime
  • Commit changes to version control
  • Make upgrades and rollbacks reviewable
  • Avoid manually repeating Helm commands for every cluster

That makes Terraform especially useful when a team is managing many agent deployments and wants a more standardized rollout model.

A practical example: rolling out the IBM FinOps Agent

The IBM FinOps Agent is the new unified agent across products within the IBM FinOps Suite. It improves reliability and resilience, supports secure credential handling through Kubernetes Secrets, and is the path forward for IBM Cloudability Advanced Containers and future cost optimization capabilities.

For platform teams managing many Kubernetes clusters, the challenge is rolling it out in a way that is consistent, easy to validate, and straightforward to upgrade later.

That is exactly where Helm and Terraform become useful. If you’ve never used Terraform before, don’t worry—we’ll walk through every file and explain what each piece does.

1. What you need before starting

Before you begin, make sure you have the tooling and access needed to deploy across all target clusters.

Tool Minimum Version What it’s for
terraform 1.3 Running your infrastructure code
helm 3.8.0+ Terraform uses this under the hood to install the agent chart
kubectl any recent Verifying the deployment afterward

You’ll also need:

  • Kubeconfig access to each cluster you want to deploy to. Run kubectl config get-contexts to see what’s available.
  • An existing Kubernetes secret on each cluster that holds the federated storage configuration. This example assumes that secret is already in place—Terraform will reference it by name but won’t create or manage it.

New to Terraform? Run terraform -version to check if it’s installed. If not, the easiest way to install it is via the official downloads page or brew install terraform on macOS.

Cloudability users migrating from the legacy metrics agent: This walkthrough focuses on scaling the Helm deployment pattern with Terraform. Before using it in production, complete the specific IBM FinOps Agent prerequisites from the provisioning docs.

2. How we’ll organize our Terraform code

Since each cluster gets its own Terraform run, the code is refreshingly simple. The root module calls the agent module exactly once, and the cluster-specific values come in as variables at run time.

finops-agent/
├── providers.tf          # one provider, no aliases
├── variables.tf          # cluster_id, kube_context, chart_version
├── main.tf               # one module call
├── deploy.sh             # the loop that runs this for every cluster
└── modules/
    └── finops-agent/
        ├── variables.tf  # what the module accepts
        ├── main.tf       # creates namespace + installs chart
        └── outputs.tf    # release status

The module stays simple and unchanged across every cluster. What varies is only the values passed in at run time by deploy.sh.

3. Building the reusable module

Let’s write the three files inside modules/finops-agent/. Once written, you won’t need to touch them again regardless of how many clusters you add.

Variables — what the module needs to know

The module needs three things: which cluster it is, which version to install, and the name of the existing secret that holds the storage config.

variable "cluster_id" {
  description = "A globally unique name for this cluster. If you reuse cluster names across regions, append the region — e.g. prod-us-east-1."
  type        = string
}

variable "chart_version" {
  description = "The Helm chart version to install. Must match the image tag exactly."
  type        = string
}

variable "namespace" {
  description = "The Kubernetes namespace to deploy into."
  type        = string
  default     = "ibm-finops-agent"
}

variable "storage_secret_name" {
  description = "Name of the existing Kubernetes secret that holds the federated storage config. This secret must already exist on the cluster before applying."
  type        = string
  default     = "finops-federated-storage"
}
modules/finops-agent/variables.tf

For Cloudability Legacy Agent Migrations: cluster_id should match the existing CLOUDABILITY_CLUSTER_NAME to avoid cost ingestion issues.

Notice that storage_secret_name has a default value. If all your clusters use the same secret name—which is the common case—you never need to pass this in explicitly.

Main — the deployment logic

This file does two things: creates a namespace, then installs the Helm chart. The storage secret already exists on the cluster, so we just tell the agent its name.

# Step 1: Create the namespace if it doesn't already exist.
# If the namespace was created outside of Terraform (e.g. by a previous manual
# install), Terraform will error with a conflict on first apply. To adopt an
# existing namespace into state instead of recreating it, run from the root module, where deploy.sh runs terraform:
# terraform import module.finops_agent.kubernetes_namespace.this ibm-finops-agent
# ...before running apply. Alternatively, remove this resource and set
# create_namespace = true in the helm_release block below.

resource "kubernetes_namespace" "this" {
  metadata {
    name = var.namespace
  }
}

# Step 2: Install the FinOps Agent Helm chart.
resource "helm_release" "finops_agent" {
  name       = "ibm-finops-agent"
  repository = "https://kubecost.github.io/finops-agent-chart"
  chart      = "finops-agent"
  version    = var.chart_version
  namespace  = kubernetes_namespace.this.metadata[0].name

  # Don't try to create the namespace — we already did that above.
  create_namespace = false

  # If the install or upgrade fails, Helm purges or rolls back automatically. 
  # atomic also implies wait = true, so Terraform won't report success until 
  # the agent pod is actually Running. Default timeout is 5 minutes. 
  
  atomic = true

  # The two required parameters every agent installation must have.
  set {
    name  = "global.clusterId"
    value = var.cluster_id
  }

  set {
    name  = "global.federatedStorage.existingSecret"
    value = var.storage_secret_name
  }

  depends_on = [kubernetes_namespace.this] # create namespace before running Helm install
}
modules/finops-agent/main.tf

Outputs — what the module reports back

output "release_status" {
  description = "The Helm release status (e.g. 'deployed')."
  value       = helm_release.finops_agent.status
}
modules/finops-agent/outputs.tf

4. The root configuration

Providers — one cluster, no aliases

Because each Terraform run targets a single cluster, the provider config is clean. The kubeconfig context is just a variable passed in at run time.

terraform {
  required_version = ">= 1.3"

  required_providers {
    helm = {
      source  = "hashicorp/helm"
      version = ">= 2.11"
    }
    kubernetes = {
      source  = "hashicorp/kubernetes"
      version = ">= 2.23"
    }
  }
}

provider "kubernetes" {
  config_path    = "~/.kube/config"
  config_context = var.kube_context
}

provider "helm" {
  kubernetes {
    config_path    = "~/.kube/config"
    config_context = var.kube_context
  }
}
providers.tf

Variables — your inputs

variable "kube_context" {
  description = "The kubeconfig context for the cluster being deployed to. Run 'kubectl config get-contexts' to see available contexts."
  type        = string
}

variable "cluster_id" {
  description = "A globally unique identifier for this cluster."
  type        = string
}

variable "chart_version" {
  description = "FinOps Agent Helm chart version to install."
  type        = string
  default     = "1.0.15"
}
variables.tf

Main — one module call

With everything parameterized, main.tf is just a single module call. No cluster-specific logic lives here at all.

module "finops_agent" {
  source = "./modules/finops-agent"

  cluster_id    = var.cluster_id
  chart_version = var.chart_version
}
main.tf

5. Deploying at scale

Run terraform init once to download the provider plugins. You’ll need to re-run it any time you change provider version constraints or add a new provider.

terraform init

Now for the loop. Create a deploy.sh script at the root of your project. It holds your full cluster list and runs Terraform against each one, keeping a separate state file per cluster so they’re fully independent.

#!/usr/bin/env bash
set -euo pipefail

CHART_VERSION="1.0.15"

# Add a line here for every cluster.
# Format: "cluster_id|kube_context"
clusters=(
  "prod-us-east-1|arn:aws:eks:us-east-1:123456789012:cluster/prod-a"
  "prod-us-west-2|arn:aws:eks:us-west-2:123456789012:cluster/prod-b"
  "prod-eu-west-1|arn:aws:eks:eu-west-1:123456789012:cluster/prod-c"
)

for entry in "${clusters[@]}"; do
  cluster_id="${entry%%|*}"    # everything before the |
  kube_context="${entry##*|}"  # everything after the |

  echo "==> Deploying to $cluster_id"

  terraform apply \
    -auto-approve \
    -state="states/${cluster_id}.tfstate" \
    -var="cluster_id=${cluster_id}" \
    -var="kube_context=${kube_context}" \
    -var="chart_version=${CHART_VERSION}"

  echo "==> Done: $cluster_id"
done
deploy.sh

Make it executable, then run it:

chmod +x deploy.sh
mkdir -p states
./deploy.sh

Each cluster gets its own states/<cluster-id>.tfstate file, so a failure on one cluster has no effect on the others.

Adding a new cluster: Just add a line to the clusters array in deploy.sh and re-run the script. Terraform will skip clusters that are already up to date and only act on the new one.

Using remote state in production: Local state files are fine to start with; in a team setting you’ll want a shared, locked backend like S3. Add a partial backend "s3" {} block to providers.tf, then in deploy.sh run terraform init -reconfigure -backend-config="key=${cluster_id}/terraform.tfstate" before each apply (and drop the -state flag). The per-cluster key gives you the same isolation as the local states/ directory.

6. Verifying it worked

After the script completes, check that the agent is running on each cluster:

# Check pod status
kubectl get pods -n ibm-finops-agent --context <your-context-name> 

# Expected output:
# NAME                                  READY   STATUS    RESTARTS   AGE
# ibm-finops-agent-57b9c8b699-7dpth     1/1     Running   0          2m

# Tail the logs to confirm it's exporting data
kubectl logs -n ibm-finops-agent \
  -l app.kubernetes.io/name=finops-agent \
  --context <your-context-name> \
  --tail=50

If the pod is in CrashLoopBackOff, check the logs for a panic message. The most common cause is the storage secret not existing yet on the cluster, or the clusterId being unset. The agent will tell you exactly what it can’t find.

For Cloudability Legacy Agent Migrations: The first successful upload log can take up to 10 minutes to appear. We recommend keeping the legacy metrics agent running until the new IBM FinOps Agent has been uploading successfully for 24 hours. After validation is confirmed, the legacy metrics agent can be removed.

7. Upgrading the agent

To upgrade every cluster, update CHART_VERSION at the top of deploy.sh and re-run it. Terraform compares the desired version against each cluster’s state file and only applies the change where needed.

CHART_VERSION="1.0.16"  # bump this, then re-run ./deploy.sh

Because atomic = true is set in the module, if the new version fails to start on any cluster, Terraform automatically rolls it back to the previous working version for that cluster—without affecting any of the others.

Version matching: The chart version must match the container image tag. Chart 1.0.16 must use image tag v1.0.16. The Helm chart warns when the chart and image versions do not match, but it’s good to be aware of when reading release notes.

Closing

Helm is the standard deployment model for Kubernetes for a reason: it brings structure and consistency to how software is installed and managed in clusters.

Terraform builds on that by giving teams a scalable way to roll out the same pattern across many clusters, manage updates more consistently, and reduce the operational risk that comes with manual repetition.

For IBM Cloudability customers migrating to the new IBM FinOps Agent, that combination can make the move from the legacy metrics agent much easier to manage. You can refer to our migration documentation for guidance. If you need additional support, please contact your account manager or IBM Support.