Migrating from 2.2 to 2.3
Kure Monitor 2.3.0 contains two breaking changes. Read this document in full before upgrading.
Summary
| Area | Change | Action required |
|---|---|---|
| Dashboard auth | AUTH_API_KEY / auth.apiKey removed, replaced by user accounts + bootstrap Secret | Yes — remove old value overrides; create the initial admin on first visit |
| Service auth (agent, scanner) | New shared SERVICE_TOKEN auto-generated by Helm | None if you use Helm; manual step for raw-k8s users |
| Cluster metrics | Monitoring tab, metrics ingestion, metrics-server requirement all removed | None, but the Monitoring tab is gone |
| LLM providers | GitHub Copilot added; model catalogs refreshed | None — existing configs keep working |
Breaking change 1: Auth overhaul
What’s removed
- auth.apiKey Helm value (and the AUTH_API_KEY env var it produced).
- The single-shared-key login screen.
- Any --set auth.apiKey=... flag in install/upgrade commands.
What replaces it
The dashboard now uses user accounts with three roles:
| Role | Permissions |
|---|---|
| read | View pod failures and security findings. No mutating actions. |
| write | Everything read can do, plus dismiss/resolve pods, trigger rescans, edit suppressions. |
| admin | Everything write can do, plus user management, LLM config, notification settings. |
Sessions are carried in an HttpOnly cookie called kure_session, signed with SESSION_SECRET. Login is rate-limited (5 attempts per 30 seconds).
Agent and security scanner traffic is authenticated separately using a shared SERVICE_TOKEN, sent as the X-Service-Token header (and as ?token=<value> on WebSocket connections).
How the Helm chart wires it up
On helm install, the chart creates a Secret named <release>-bootstrap containing two random keys (randAlphaNum 48):
- service-token: mounted as SERVICE_TOKEN in backend, agent, and scanner pods.
- session-secret: mounted as SESSION_SECRET in the backend pod.
On helm upgrade, the chart uses lookup to read the existing Secret values back so both tokens are preserved. Active dashboard sessions stay valid and service traffic keeps working.
If you scale the backend beyond one replica, pre-provisioning the Secret (or just letting Helm manage it) keeps session-secret consistent across replicas so users don’t get signed out depending on which pod handles the request.
First visit to 2.3.0
On the very first visit to the upgraded dashboard you see an initial-admin setup screen:
- Pick a username and password. This creates the first admin account.
- After logging in, go to Admin → Users to invite additional users and assign read / write / admin roles.
There is no automatic user migration — the old model didn’t have user records, so there is nothing to migrate.
If you were using raw k8s manifests
The k8s/ directory ships a placeholder bootstrap-secret.yaml. Before applying, replace the placeholder values with real ones:

```bash
kubectl create secret generic kure-bootstrap \
  --namespace kure-system \
  --from-literal=service-token="$(openssl rand -hex 32)" \
  --from-literal=session-secret="$(openssl rand -hex 32)" \
  --dry-run=client -o yaml | kubectl apply -f -
```

Helm is the recommended install path.
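A pre-flight check for raw-manifest installs, so the placeholder bootstrap-secret.yaml values never reach the cluster. This is an added example, not part of Kure Monitor; the function names, the 48-character minimum, the alphanumeric-only rule and the diversity threshold are assumptions derived from the two generators shown on this page.

```shell
#!/usr/bin/env bash
# Added example: sanity-check decoded bootstrap Secret values before rollout.
# MIN_LEN is an assumption: the shorter of the page's two generators
# (randAlphaNum 48 vs. openssl rand -hex 32, which yields 64 characters).
MIN_LEN=48

# check_value NAME VALUE: prints a reason and returns 1 if VALUE looks unsafe.
check_value() {
  cv_name=$1; cv_value=$2
  if [ -z "$cv_value" ]; then
    echo "$cv_name: missing or empty"; return 1
  fi
  if [ "${#cv_value}" -lt "$MIN_LEN" ]; then
    echo "$cv_name: shorter than $MIN_LEN characters"; return 1
  fi
  case $cv_value in
    *[!A-Za-z0-9]*)
      echo "$cv_name: characters outside [A-Za-z0-9]"; return 1 ;;
  esac
  # Random output uses many distinct characters; 'changeme...' style
  # placeholders do not. The threshold of 10 is a heuristic.
  cv_distinct=$(printf '%s' "$cv_value" | fold -w1 | sort -u | wc -l)
  if [ "$cv_distinct" -lt 10 ]; then
    echo "$cv_name: low character diversity, likely a placeholder"; return 1
  fi
  return 0
}

# check_bootstrap SERVICE_TOKEN SESSION_SECRET (both already base64-decoded)
check_bootstrap() {
  cb_rc=0
  check_value service-token "$1" || cb_rc=1
  check_value session-secret "$2" || cb_rc=1
  if [ -n "$1" ] && [ "$1" = "$2" ]; then
    echo "service-token and session-secret are identical"; cb_rc=1
  fi
  return "$cb_rc"
}

# Against a live cluster (not executed here):
#   get() { kubectl get secret kure-bootstrap -n kure-system \
#             -o go-template="{{index .data \"$1\" | base64decode}}"; }
#   check_bootstrap "$(get service-token)" "$(get session-secret)"
```

For a Helm install the Secret is named <release>-bootstrap, so adjust the name in the commented kubectl call accordingly.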
Rotating tokens
```bash
kubectl edit secret kure-monitor-bootstrap -n kure-system

kubectl rollout restart \
  deployment/kure-monitor-backend \
  deployment/kure-monitor-security-scanner \
  -n kure-system
kubectl rollout restart daemonset/kure-monitor-agent -n kure-system
```

Rotating session-secret invalidates all existing dashboard sessions and forces every user to log in again.
Breaking change 2: Cluster metrics removal
The entire cluster-metrics subsystem has been removed:
- The Monitoring tab is gone.
- The agent no longer collects or reports cluster / pod metrics.
- Pod metrics history is no longer recorded.
- metrics-server is no longer a dependency.
- The agent.clusterMetrics Helm values have been removed (silently ignored if you still set them).
The only endpoint preserved on the metrics surface is /api/metrics/security-scan-duration, scraped by Prometheus for scanner duration tracking.
Action required: none — the upgrade succeeds whether or not you had metrics enabled. But if you relied on the Monitoring tab for cluster visibility, switch to a dedicated observability stack (Prometheus + Grafana, Datadog, etc.).
New: GitHub Copilot LLM provider
Kure Monitor 2.3 adds a new LLM provider powered by GitHub Models:
- Aliases: copilot, github, github_models
- Base URL: https://models.github.ai/inference (OpenAI-compatible)
- Auth: GitHub fine-grained Personal Access Token with the Models permission
- Default model: openai/gpt-5-mini
- Example models: openai/gpt-5, openai/gpt-5-mini, anthropic/claude-sonnet-4
Configure it from Admin Panel → AI Config after upgrading.
The per-provider model catalogs have been refreshed:
| Provider | Available models | Default |
|---|---|---|
| OpenAI | gpt-5, gpt-5-mini, gpt-4.1 | gpt-5-mini |
| Anthropic | claude-opus-4-5, claude-sonnet-4-5, claude-haiku-4-5 | claude-sonnet-4-5 |
| Gemini | gemini-2.5-pro, gemini-2.5-flash, gemini-2.5-flash-lite | gemini-2.5-flash |
| Ollama | llama3.3, llama3.2, qwen2.5 | llama3.2 |
| Groq | (unchanged) | (unchanged) |
| GitHub Copilot | openai/gpt-5, openai/gpt-5-mini, anthropic/claude-sonnet-4 | openai/gpt-5-mini |
Existing LLM configurations continue to work. If the model you previously selected is no longer listed, it still functions as a custom override, but picking a current default is recommended.
Upgrade procedure
With Helm (recommended)

```bash
helm repo update
helm upgrade kure-monitor kure-monitor/kure \
  --namespace kure-system \
  --version 2.3.0
```

If your previous values.yaml or --set overrides referenced auth.apiKey, remove them. Passing the value is harmless (the chart ignores it), but deleting the stale override is cleaner.
On first visit to the upgraded dashboard, you’ll be prompted to create the initial admin account.
With raw k8s manifests
1. Create (or rotate) the bootstrap Secret:

   ```bash
   kubectl create secret generic kure-bootstrap \
     --namespace kure-system \
     --from-literal=service-token="$(openssl rand -hex 32)" \
     --from-literal=session-secret="$(openssl rand -hex 32)" \
     --dry-run=client -o yaml | kubectl apply -f -
   ```

2. Update image tags in k8s/backend.yaml, k8s/frontend.yaml, k8s/agent.yaml, and k8s/security-scanner.yaml to 2.3.0.

3. Apply:

   ```bash
   kubectl apply -f k8s/
   ```

4. Visit the dashboard and create the initial admin account.
Getting help
- GitHub Issues: https://github.com/Nan0C0de/kure-monitor/issues
- Full changelog: CHANGELOG.md