What you must NEVER do when deploying on Tawa, and the correct alternatives.
NEVER use kubectl, helm, or docker commands directly for deployments. The tawa CLI and iec-builder handle the complete deployment flow.
| WRONG | RIGHT | Why |
|---|---|---|
docker build && docker push | tawa deploy | Builder auto-generates Dockerfile, handles registry auth |
helm upgrade my-svc ./helm | tawa deploy --prod | Builder injects env vars, secrets, OAuth, DNS |
kubectl apply -f deployment.yaml | tawa deploy | Builder handles namespace, secrets, ingress |
kubectl rollout restart | tawa deploy | Redeploy with latest code and config |
kubectl create secret | Declare in catalog-info.yaml | Builder provisions secrets automatically |
kubectl set env | tawa config set KEY=VALUE | Config management via CLI |
Hardcoding MONGODB_URI in .env | Declare databases: [{type: mongodb}] in catalog | Builder provisions connection string |
| Manual DNS records in Cloudflare | tawa domain add or auto via deploy | Builder manages DNS |
Running helm template to debug | tawa troubleshoot | AI-powered diagnostics |
Only for read-only debugging and observability:
# These are OK:
kubectl get pods -n my-svc-prod # Check pod status
kubectl logs -n my-svc-prod <pod> # View application logs
kubectl describe pod -n my-svc-prod <pod> # Inspect resources
kubectl port-forward -n my-svc-prod <pod> 3000:3000 # Local debugging
kubectl top pods -n my-svc-prod # Resource usage
# These are NOT OK:
kubectl apply ... # Use tawa deploy
kubectl delete ... # Use tawa deploy (redeploy)
kubectl edit ... # Use tawa config
kubectl scale ... # Change pod-tier in catalog-info.yaml
process.env.BIO_CLIENT_ID, the builder injects themkubectl logs for debuggingtawa deploy to stay in syncIf you are typing kubectl, helm, or docker followed by a write command, STOP. Use tawa deploy instead. The only exception is read-only debugging commands.
Last updated: July 15, 2026