Skip to content

Helm charts to run Passbolt on Kubernetes. No strings attached charts to run the open source password manager for teams!

License

Notifications You must be signed in to change notification settings

passbolt/charts-passbolt

Repository files navigation

Passbolt Helm chart

passbolt sails kubernetes

Version: 1.3.0 Type: application AppVersion: 4.9.1-1-ce

Passbolt is an open source, security first password manager with strong focus on collaboration.

TL;DR

The following commands are not recommended for production deployments as they will use default passwords for internal databases:

helm repo add my-repo https://download.passbolt.com/charts/passbolt
helm install my-release my-repo/passbolt

In case you prefer to use postgresql intead of mariadb, a sample config is provided in the examples directory:

helm repo add my-repo https://download.passbolt.com/charts/passbolt
helm install my-release my-repo/passbolt -f examples/postgresql.yaml

Production workloads should change the fields with values 'CHANGEME' on values.yaml and deploy the chart as follows:

helm repo add my-repo https://download.passbolt.com/charts/passbolt
helm install my-release my-repo/passbolt -f values.yaml

Or using --set flags to modify certain chart options:

helm repo add my-repo https://download.passbolt.com/charts/passbolt
helm install my-release my-repo/passbolt \
  --set redis.auth.password=my_redis_password \
  --set passboltEnv.secret.CACHE_CAKE_DEFAULT_PASSWORD=my_redis_password \
  --set mariadb.auth.password=my_mariadb_password \
  --set passboltEnv.secret.DATASOURCES_DEFAULT_PASSWORD=my_mariadb_password

Introduction

This chart deploys passbolt on kubernetes using the Helm package manager.

Passbolt comes in three editions:

This chart supports the deployment of Community edition and Professional edition.

Prerequisites

  • Kubernetes 1.19+ or 1.23+ if you want to use hpa
  • Helm 3.x
  • Passbolt docker >= 3.12.2-1

Installing the chart

Installing the chart under the name my-release:

helm install my-release my-repo

The above command deploys passbolt with default settings on your kubernetes cluster. Check the configuration section to check which parameters you can fine tune.

Use passbolt non-root image

In case you want to use the non-root passbolt image, there are a few changes that you have to introduce on your values file:

app:
  image:
    tag: <NON_ROOT_TAG>

service:
  ports:
    https:
      targetPort: 4433
    http:
      targetPort: 8080

With these changes you should be able to run passbolt on a container executed by www-data user.

Creating first user

Once the chart is deployed, you can create your first user by running the following command:

kubectl exec -it <passbolt-pod-name> -- su -c "bin/cake passbolt register_user -u <email> -f <firstname> -l <lastname> -r admin" -s /bin/bash www-data

Uninstalling the chart

To uninstall/delete the chart from your cluster:

helm delete my-release

The above command deletes all the kubernetes components associated with the chart and deletes the release.

Requirements

Repository Name Version
https://charts.bitnami.com/bitnami mariadb 11.5.7
https://charts.bitnami.com/bitnami redis 17.15.2
https://download.passbolt.com/charts/passbolt-library passbolt-library 0.2.7

Values

Key Type Default Description
affinity object {} Configure passbolt deployment affinity
app.cache.redis.enabled bool true By enabling redis the chart will mount a configuration file on /etc/passbolt/app.php That instructs passbolt to store sessions on redis and to use it as a general cache.
app.cache.redis.sentinelProxy.enabled bool true Inject a haproxy sidecar container configured as a proxy to redis sentinel Make sure that CACHE_CAKE_DEFAULT_SERVER is set to '127.0.0.1' to use the proxy
app.cache.redis.sentinelProxy.image object {"registry":"","repository":"haproxy","tag":"latest"} Configure redis sentinel proxy image
app.cache.redis.sentinelProxy.image.repository string "haproxy" Configure redis sentinel image repository
app.cache.redis.sentinelProxy.image.tag string "latest" Configure redis sentinel image tag
app.cache.redis.sentinelProxy.resources object {} Configure redis sentinel container resources
app.database.kind string "mariadb"
app.databaseInitContainer object {"enabled":true} Configure pasbolt deployment init container that waits for database
app.databaseInitContainer.enabled bool true Toggle pasbolt deployment init container that waits for database
app.extraContainers list [] Configure additional containers to be added to the pod
app.extraPodLabels object {}
app.image.pullPolicy string "IfNotPresent" Configure pasbolt deployment image pullPolicy
app.image.registry string "" Configure pasbolt deployment image repsitory
app.image.repository string "passbolt/passbolt"
app.image.tag string "4.9.1-1-ce" Overrides the image tag whose default is the chart appVersion.
app.resources object {}
app.tls object {}
autoscaling.enabled bool false Enable autoscaling on passbolt deployment
autoscaling.maxReplicas int 100 Configure autoscaling maximum replicas
autoscaling.minReplicas int 1 Configure autoscaling minimum replicas
autoscaling.targetCPUUtilizationPercentage int 80 Configure autoscaling target CPU uptilization percentage
cronJobEmail object {"enabled":true,"extraPodLabels":{},"schedule":"* * * * *"} Enable email cron
extraVolumeMounts list [] Add additional volume mounts, e.g. for overwriting config files
extraVolumes list [] Add additional volumes, e.g. for overwriting config files
fullnameOverride string "" Value to override the whole fullName
global.imagePullSecrets list []
global.imageRegistry string ""
gpgExistingSecret string "" Name of the existing secret for the GPG server keypair. The secret must contain the serverkey.asc and serverkey_private.asc keys.
gpgPath string "/etc/passbolt/gpg" Configure passbolt gpg directory
gpgServerKeyPrivate string "" Gpg server private key in base64
gpgServerKeyPublic string "" Gpg server public key in base64
imagePullSecrets list [] Configure image pull secrets
ingress.annotations object {} Configure passbolt ingress annotations
ingress.enabled bool false Enable passbolt ingress
ingress.hosts list [] Configure passbolt ingress hosts
ingress.tls list [] Configure passbolt ingress tls
jobCreateGpgKeys.extraPodLabels object {}
jobCreateJwtKeys.extraPodLabels object {}
jwtCreateKeysForced bool false Forces overwrite JWT keys
jwtExistingSecret string "" Name of the existing secret for the JWT server keypair. The secret must contain the jwt.key and jwt.pem keys.
jwtPath string "/etc/passbolt/jwt" Configure passbolt jwt directory
jwtServerPrivate string "" JWT server private key in base64
jwtServerPublic string "" JWT server public key in base64
livenessProbe object {"initialDelaySeconds":20,"periodSeconds":10} Configure passbolt container livenessProbe
mariadb.architecture string "replication" Configure mariadb architecture
mariadb.auth.database string "passbolt" Configure mariadb auth database
mariadb.auth.password string "CHANGEME" Configure mariadb auth password
mariadb.auth.replicationPassword string "CHANGEME" Configure mariadb auth replicationPassword
mariadb.auth.rootPassword string "root" Configure mariadb auth root password
mariadb.auth.username string "CHANGEME" Configure mariadb auth username
mariadb.primary object {"persistence":{"accessModes":["ReadWriteOnce"],"annotations":{},"enabled":true,"existingClaim":"","labels":{},"selector":{},"size":"8Gi","storageClass":"","subPath":""}} Configure parameters for the primary instance.
mariadb.primary.persistence object {"accessModes":["ReadWriteOnce"],"annotations":{},"enabled":true,"existingClaim":"","labels":{},"selector":{},"size":"8Gi","storageClass":"","subPath":""} Configure persistence options.
mariadb.primary.persistence.accessModes list ["ReadWriteOnce"] Primary persistent volume access Modes
mariadb.primary.persistence.annotations object {} Primary persistent volume claim annotations
mariadb.primary.persistence.enabled bool true Enable persistence on MariaDB primary replicas using a PersistentVolumeClaim. If false, use emptyDir
mariadb.primary.persistence.existingClaim string "" Name of an existing PersistentVolumeClaim for MariaDB primary replicas. When it's set the rest of persistence parameters are ignored.
mariadb.primary.persistence.labels object {} Labels for the PVC
mariadb.primary.persistence.selector object {} Selector to match an existing Persistent Volume
mariadb.primary.persistence.size string "8Gi" Primary persistent volume size
mariadb.primary.persistence.storageClass string "" Primary persistent volume storage Class
mariadb.primary.persistence.subPath string "" Subdirectory of the volume to mount at
mariadb.secondary object {"persistence":{"accessModes":["ReadWriteOnce"],"annotations":{},"enabled":true,"labels":{},"selector":{},"size":"8Gi","storageClass":"","subPath":""}} Configure parameters for the secondary instance.
mariadb.secondary.persistence object {"accessModes":["ReadWriteOnce"],"annotations":{},"enabled":true,"labels":{},"selector":{},"size":"8Gi","storageClass":"","subPath":""} Configure persistence options.
mariadb.secondary.persistence.accessModes list ["ReadWriteOnce"] Secondary persistent volume access Modes
mariadb.secondary.persistence.annotations object {} Secondary persistent volume claim annotations
mariadb.secondary.persistence.enabled bool true Enable persistence on MariaDB secondary replicas using a PersistentVolumeClaim. If false, use emptyDir
mariadb.secondary.persistence.labels object {} Labels for the PVC
mariadb.secondary.persistence.selector object {} Selector to match an existing Persistent Volume
mariadb.secondary.persistence.size string "8Gi" Secondary persistent volume size
mariadb.secondary.persistence.storageClass string "" Secondary persistent volume storage Class
mariadb.secondary.persistence.subPath string "" Subdirectory of the volume to mount at
mariadbDependencyEnabled bool true Install mariadb as a depending chart
nameOverride string "" Value to override the chart name on default
networkPolicy.enabled bool false Enable network policies to allow ingress access passbolt pods
networkPolicy.label string "app.kubernetes.io/name" Configure network policies label for ingress deployment
networkPolicy.namespaceLabel string "ingress-nginx" Configure network policies namespaceLabel for namespaceSelector
networkPolicy.podLabel string "ingress-nginx" Configure network policies podLabel for podSelector
nodeSelector object {} Configure passbolt deployment nodeSelector
passboltEnv.configMapName string ""
passboltEnv.extraEnv list [] Environment variables to add to the passbolt pods
passboltEnv.extraEnvFrom list [] Environment variables from secrets or configmaps to add to the passbolt pods
passboltEnv.plain.APP_FULL_BASE_URL string "https://passbolt.local" Configure passbolt fullBaseUrl
passboltEnv.plain.CACHE_CAKE_DEFAULT_SERVER string "127.0.0.1" Configure passbolt cake cache server
passboltEnv.plain.DEBUG bool false Toggle passbolt debug mode
passboltEnv.plain.EMAIL_DEFAULT_FROM string "[email protected]" Configure passbolt default email from
passboltEnv.plain.EMAIL_DEFAULT_FROM_NAME string "Passbolt" Configure passbolt default email from name
passboltEnv.plain.EMAIL_TRANSPORT_DEFAULT_HOST string "127.0.0.1" Configure passbolt default email host
passboltEnv.plain.EMAIL_TRANSPORT_DEFAULT_PORT int 587 Configure passbolt default email service port
passboltEnv.plain.EMAIL_TRANSPORT_DEFAULT_TIMEOUT int 30 Configure passbolt default email timeout
passboltEnv.plain.EMAIL_TRANSPORT_DEFAULT_TLS bool true Toggle passbolt tls
passboltEnv.plain.KUBECTL_DOWNLOAD_CMD string "curl -LO \"https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl\"" Download Command for kubectl
passboltEnv.plain.PASSBOLT_JWT_SERVER_KEY string "/var/www/passbolt/config/jwt/jwt.key" Configure passbolt jwt private key path
passboltEnv.plain.PASSBOLT_JWT_SERVER_PEM string "/var/www/passbolt/config/jwt/jwt.pem" Configure passbolt jwt public key path
passboltEnv.plain.PASSBOLT_KEY_EMAIL string "[email protected]" Configure email used on gpg key. This is used when automatically creating a new gpg server key and when automatically calculating the fingerprint.
passboltEnv.plain.PASSBOLT_LEGAL_PRIVACYPOLICYURL string "https://www.passbolt.com/privacy" Configure passbolt privacy url
passboltEnv.plain.PASSBOLT_PLUGINS_JWT_AUTHENTICATION_ENABLED bool true Toggle passbolt jwt authentication
passboltEnv.plain.PASSBOLT_PLUGINS_LICENSE_LICENSE string "/etc/passbolt/subscription_key.txt" Configure passbolt license path
passboltEnv.plain.PASSBOLT_REGISTRATION_PUBLIC bool true Toggle passbolt public registration
passboltEnv.plain.PASSBOLT_SELENIUM_ACTIVE bool false Toggle passbolt selenium mode
passboltEnv.plain.PASSBOLT_SSL_FORCE bool true Configure passbolt to force ssl
passboltEnv.secret.CACHE_CAKE_DEFAULT_PASSWORD string "CHANGEME" Configure passbolt cake cache password
passboltEnv.secret.DATASOURCES_DEFAULT_DATABASE string "passbolt" Configure passbolt default database
passboltEnv.secret.DATASOURCES_DEFAULT_PASSWORD string "CHANGEME" Configure passbolt default database password
passboltEnv.secret.DATASOURCES_DEFAULT_USERNAME string "CHANGEME" Configure passbolt default database username
passboltEnv.secret.EMAIL_TRANSPORT_DEFAULT_PASSWORD string "CHANGEME" Configure passbolt default email service password
passboltEnv.secret.EMAIL_TRANSPORT_DEFAULT_USERNAME string "CHANGEME" Configure passbolt default email service username
passboltEnv.secretName string ""
podAnnotations object {} Map of annotation for passbolt server pod
podSecurityContext object {} Security Context configuration for passbolt server pod
postgresqlDependencyEnabled bool false Install postgresql as a depending chart
rbacEnabled bool true Enable role based access control
readinessProbe object {"initialDelaySeconds":5,"periodSeconds":10} Configure passbolt container RadinessProbe
redis.auth.enabled bool true Enable redis authentication
redis.auth.password string "CHANGEME" Configure redis password
redis.sentinel.enabled bool true Enable redis sentinel
redisDependencyEnabled bool true Install redis as a depending chart
replicaCount int 2 If autoscaling is disabled this will define the number of pods to run
service.annotations object {} Annotations to add to the service
service.ports object {"http":{"name":"http","port":80,"targetPort":80},"https":{"name":"https","port":443,"targetPort":443}} Configure the service ports
service.ports.http.name string "http" Configure passbolt HTTP service port name
service.ports.http.port int 80 Configure passbolt HTTP service port
service.ports.http.targetPort int 80 Configure passbolt HTTP service targetPort
service.ports.https object {"name":"https","port":443,"targetPort":443} Configure the HTTPS port
service.ports.https.name string "https" Configure passbolt HTTPS service port name
service.ports.https.port int 443 Configure passbolt HTTPS service port
service.ports.https.targetPort int 443 Configure passbolt HTTPS service targetPort
service.type string "ClusterIP" Configure passbolt service type
serviceAccount.annotations object {} Annotations to add to the service account
serviceAccount.create bool true Specifies whether a service account should be created
tolerations list [] Configure passbolt deployment tolerations

Running tests

In order to run the available tests, you can run the run_tests.sh script on the root of the project. This script runs both the unit and the integration tests.

$ bash run_tests.sh -h
Run the available tests for passbolt helm charts

Syntax: run_tests.sh [options]
run_tests.sh with no arguments will run all of the available tests.

options:
-h|--help                 Show this message.
-l|--lint                 Run helm lint.
-u|--unit                 Run helm unittest tests.
-i|--integration          Run integration tests.
-d|--database [option]    Database to run integration tests with [mariadb|postgresql]."
-no-clean                 Skip cleaning step.

Unit tests

We rely on helm unitttest framework, so if you want to run it on your own, follow the installation steps in their docs.

Integration tests

The integration tests code is under the tests/integration. There are a list of tools that are required locally to run the integration tests (kind, helm, kubectl, mkcert and passbolt go cli) and they will be downloaded during the tests execution if they are not installed in the system. Even though, there is a cleaning step that runs at the end of the execution to clean the directory.

Updating README.md

We rely on the helm-docs helm plugin and mdformat with mdformat-tables to generate and format the README.md on each release

helm-docs -t README.md.gotmpl --dry-run | mdformat - > README.md