Install Passbolt on Helm Chart
Installing Passbolt on Kubernetes with our Helm chart is considered to be a very advanced installation method. If you are not very comfortable and familiar with Kubernetes we strongly recommend that you install via one of our other methods.
System requirements
- Kubernetes cluster (>1.19): https://kubernetes.io/docs/setup/
- kubectl: https://kubernetes.io/docs/tasks/tools/#kubectl
- Helm (3.X): https://helm.sh/docs/intro/install/
- a working SMTP server for email notifications
FAQ pages:
Helm install
The easiest and recommended way to deploy your Passbolt Helm chart is to use helm install.
Step 1. Set up our Helm repo
helm repo add passbolt-repo https://download.passbolt.com/charts/passbolt
Step 2. Get a copy of the values file
curl -LO https://raw.githubusercontent.com/passbolt/charts-passbolt/main/values.yaml
Step 3. Configure values file to customize your instance and enable the Passbolt PRO installation
The APP_FULL_BASE_URL environment variable is set by default to https://passbolt.local, using a self-signed certificate.
Update this variable with the server name you plan to use. Links on how to set your own SSL certificate are at the bottom of this documentation.
As the values.yaml file is set up for CE by default, you'll need to adjust the tag for the Passbolt image to pro. You can find this on line 59 of values.yaml.
# -- Overrides the image tag whose default is the chart appVersion.
tag: 3.11.1-1-pro
It is recommended to just change ce to pro, but you can use any of the tags that you want.
The next thing you will need to do is uncomment the two lines dealing with the subscription key. You can find these on lines 88 and 90.
# -- Pro subscription key in base64 only if you are using pro version
subscriptionKey:
# -- Configure passbolt subscription key path
subscription_keyPath: /etc/passbolt/subscription_key.txt
The subscriptionKey value is expected to be base64 encoded. The key we supply to you is already base64 encoded once, but you need to encode it again and use the result as the value for subscriptionKey.
If you are creating your own GPG keys, the following commands can help convert them into the base64-encoded single-line string that the values.yaml file expects.
gpg --armor --export-secret-keys <email you created keys with> | base64 -w 0
gpg --armor --export <email you created keys with> | base64 -w 0
You must also configure SMTP settings to be able to receive notifications and recovery emails.
For more information on which environment variables are available in Passbolt, please check the Passbolt environment variable reference.
By default the ingress is set to false, so you'll need to decide how you want to handle this to access the web page.
Additionally, the following charts are used by Passbolt, and you can adjust the values under their respective headings in values.yaml:
Repository | Name | Version |
---|---|---|
https://charts.bitnami.com/bitnami | mariadb | 11.3.5 |
https://charts.bitnami.com/bitnami | redis | 17.3.8 |
https://passbolt.gitlab.io/passbolt-ops/passbolt-helm-library | passbolt-library | 0.2.1 |
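A pre-flight check for the Step 3 edits, as an added example that is not part of the Passbolt chart or its documentation: it confirms that subscriptionKey decodes back to the key file you were given (catching a key pasted without the second base64 pass) and that APP_FULL_BASE_URL no longer uses the default. It assumes GNU base64 and that subscriptionKey sits on one line with its value; the function names and file names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example, not part of the Passbolt chart. Needs GNU base64 (-w 0).
# Usage after sourcing: check_values values.yaml subscription_key.txt

# Value for subscriptionKey: the key file exactly as supplied,
# base64-encoded one more time onto a single line.
encode_subscription_key() {
  base64 -w 0 < "$1"
}

# First uncommented subscriptionKey value in a values file,
# with quotes, spaces and carriage returns stripped.
read_subscription_key() {
  sed -n 's/^[[:space:]]*subscriptionKey:[[:space:]]*//p' "$1" |
    head -n 1 | tr -d "\"' \r"
}

# Report Step 3 mistakes; returns 0 only when every check passes.
check_values() {
  local file=$1 keyfile=$2 rc=0 value
  value=$(read_subscription_key "$file")
  if [ -z "$value" ]; then
    echo "subscriptionKey is empty or still commented out"
    rc=1
  elif ! printf '%s' "$value" | base64 -d 2>/dev/null | cmp -s - "$keyfile"; then
    # Typical cause: the supplied key was pasted without the second encoding.
    echo "subscriptionKey does not decode back to the supplied key file"
    rc=1
  fi
  # Ignore comment lines, then look for the default base URL.
  if grep -v '^[[:space:]]*#' "$file" | grep -q 'https://passbolt\.local'; then
    echo "APP_FULL_BASE_URL still uses the default https://passbolt.local"
    rc=1
  fi
  return "$rc"
}
```

Both files hold secrets once filled in, so run the check where they already live rather than copying them elsewhere.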
Step 4. Run helm install
helm install -f values.yaml my-passbolt passbolt-repo/passbolt
At this point, you should have a working Passbolt setup via Helm running on the most up to date PRO version of Passbolt.
Manually creating first admin user
Once the Helm chart is deployed, you can create your first user by running the following command:
kubectl exec -it <passbolt-pod-name> -- /bin/bash -c "su -s /bin/bash -c \"bin/cake passbolt register_user -u <email> -f <firstname> -l <lastname> -r admin\" www-data"
It will output a link similar to the one below, which can be pasted into the browser to finalize user registration:
https://mydomain.com/setup/install/1eafab88-a17d-4ad8-97af-77a97f5ff552/f097be64-3703-41e2-8ea2-d59cbe1c15bc
Going further
Passbolt docker repository: