Deploy Password Pusher Pro on Kubernetes
This guide covers deploying Self-Hosted Pro using the official Helm chart. If you prefer Docker Compose on a single VM, use the standard install flow described in Getting started checklist. For Azure-specific guidance, see Deploy on Microsoft Azure.
Prerequisites
- Kubernetes 1.24 or later
- Helm 3.x
- A Password Pusher Pro license (any edition: Starter, Advanced, or Enterprise)
- Access to the private container registry registry.apnotic.com (credentials provided with your license)
Quick start
1. Add the Helm repository
helm repo add pwpush-pro https://apnotic.github.io/pwpush-pro-helm
helm repo update
2. Create an image pull secret
Password Pusher Pro images are hosted on a private registry. Create a pull secret in your target namespace:
kubectl create secret docker-registry regcred \
  --docker-server=registry.apnotic.com \
  --docker-username=YOUR_USERNAME \
  --docker-password=YOUR_PASSWORD
3. Install the chart
Starter edition (default):
helm install my-push pwpush-pro/pwpush-pro \
  --set license.key=YOUR_LICENSE_KEY \
  --set license.region=YOUR_REGION \
  --set 'imagePullSecrets[0].name=regcred'
Advanced edition:
helm install my-push pwpush-pro/pwpush-pro \
  -f values-advanced.yaml \
  --set license.key=YOUR_LICENSE_KEY \
  --set license.region=YOUR_REGION \
  --set 'imagePullSecrets[0].name=regcred'
Download the Advanced values file first:
curl -O https://raw.githubusercontent.com/apnotic/pwpush-pro-helm/main/charts/pwpush-pro/values-advanced.yaml
Enterprise edition:
helm install my-push pwpush-pro/pwpush-pro \
  -f values-enterprise.yaml \
  --set license.key=YOUR_LICENSE_KEY \
  --set license.region=YOUR_REGION \
  --set 'imagePullSecrets[0].name=regcred' \
  --set postgresql.auth.existingSecret=my-push-pwpush-pro
Download the Enterprise values file first:
curl -O https://raw.githubusercontent.com/apnotic/pwpush-pro-helm/main/charts/pwpush-pro/values-enterprise.yaml
The postgresql.auth.existingSecret value follows the pattern <release-name>-pwpush-pro. Replace my-push with your chosen release name.
4. Verify the deployment
kubectl get pods -l app.kubernetes.io/name=pwpush-pro
kubectl logs -l app.kubernetes.io/name=pwpush-pro --tail=50
Retrieve the boot code from the logs and use it to create the first admin user in the web UI.
Editions at a glance
The Helm chart supports all three Pro Self-Hosted editions. Each uses a different container image and defaults.
| Feature | Starter | Advanced | Enterprise |
|---|---|---|---|
| Database | SQLite | SQLite | PostgreSQL |
| SSO | – | Google, Microsoft | Google, Microsoft, Okta, Auth0, NetScaler |
| Storage | Disk | Disk, S3, GCS, Azure | Disk, S3, GCS, Azure, MinIO, R2, and more |
| Scaling | Single replica | Single replica | Multi-replica with HPA |
| Container image | registry.apnotic.com/pwpush-pro | registry.apnotic.com/pwpush-pro-advanced | registry.apnotic.com/pwpush-pro-enterprise |
For full plan comparison and pricing, see Self-Hosted Pricing.
Ingress and TLS
TLS is handled by the Kubernetes Ingress controller, not the application container. When Ingress TLS is configured, the Ingress terminates HTTPS and forwards requests to the app over HTTP. Password Pusher Pro detects the original protocol via X-Forwarded-Proto headers from the Ingress.
Configure Ingress in your values file:
ingress:
  enabled: true
  className: nginx
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
  hosts:
    - host: push.example.com
      paths:
        - path: /
          pathType: Prefix
  tls:
    - secretName: push-tls
      hosts:
        - push.example.com
This example uses cert-manager with an nginx Ingress controller. Adjust className, annotations, and TLS settings for your cluster’s Ingress controller (Traefik, HAProxy, AWS ALB, etc.).
Configuration reference
Common parameters
| Parameter | Description | Default |
|---|---|---|
| license.key | Password Pusher Pro license key (required) | "" |
| license.region | License region (required) | "" |
| image.repository | Container image repository | registry.apnotic.com/pwpush-pro |
| image.tag | Container image tag | latest |
| imagePullSecrets | Image pull secrets for private registry | [] |
| replicaCount | Number of pod replicas | 1 |
| resources | CPU/memory resource requests and limits | {} |
Persistent storage
| Parameter | Description | Default |
|---|---|---|
| storage.size | Persistent volume size | 5Gi |
| storage.storageClassName | Storage class name | "" |
| storage.accessModes | PVC access modes | [ReadWriteOnce] |
For multi-replica deployments (Enterprise), use ReadWriteMany with a compatible CSI driver (NFS, EFS, Azure Files, etc.).
Database (Enterprise only)
| Parameter | Description | Default |
|---|---|---|
| database.type | Database type (sqlite or postgresql) | sqlite |
| database.host | External PostgreSQL host | "" |
| database.port | PostgreSQL port | 5432 |
| database.name | Database name | pwpush-pro |
| database.user | Database user | pwpush-pro |
| database.password | Database password (auto-generated if empty) | "" |
| postgresql.enabled | Deploy bundled PostgreSQL subchart | false |
Secrets
| Parameter | Description | Default |
|---|---|---|
| secrets.existingSecretName | Use an existing Kubernetes Secret for encryption keys | "" |
Environment variables
| Parameter | Description | Default |
|---|---|---|
| extraEnv | Additional env vars in ConfigMap (non-sensitive only) | {} |
| extraSecretEnv | Additional env vars in Secret (for sensitive values) | {} |
Use extraEnv for non-sensitive configuration like RAILS_LOG_LEVEL and extraSecretEnv for secrets like AWS_SECRET_ACCESS_KEY.
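A pre-install check for the split described above, as an added example that is not part of the chart or the original page: it scans a values file and flags secret-looking keys placed under extraEnv, which the chart renders into a ConfigMap. The key-name pattern and the helper name lint_extra_env are assumptions of this example, and the sample values are constructed.

```shell
#!/bin/sh
# Added example (not part of the chart): flag secret-looking keys under
# extraEnv, which ends up in a ConfigMap, so they can move to extraSecretEnv.

# Key names treated as sensitive. This pattern is an assumption of the example.
SENSITIVE_RE='(SECRET|PASSWORD|PASSWD|TOKEN|PRIVATE|CREDENTIAL|ACCESS_KEY|API_KEY)'

# lint_extra_env FILE (hypothetical helper)
# Prints one line per offending key and returns 1 if any were found.
# Handles block-style YAML only; inline maps like "extraEnv: {K: v}" are skipped.
lint_extra_env() {
  awk -v re="$SENSITIVE_RE" '
    BEGIN { bad = 0 }
    # An unindented key starts a new top-level section.
    /^[^ \t#]/ { in_block = ($0 ~ /^extraEnv:[ \t]*(#.*)?$/); next }
    # Inside extraEnv, inspect each indented "KEY: value" line.
    in_block && /^[ \t]+[A-Za-z_][A-Za-z0-9_]*[ \t]*:/ {
      key = $0
      sub(/^[ \t]+/, "", key)
      sub(/[ \t]*:.*$/, "", key)
      if (toupper(key) ~ re) {
        printf "%s:%d: %s belongs in extraSecretEnv\n", FILENAME, FNR, key
        bad = 1
      }
    }
    END { exit bad }
  ' "$1"
}

# Constructed sample values file with one misplaced key.
sample=$(mktemp)
cat > "$sample" <<'EOF'
extraEnv:
  ACTIVE_STORAGE_SERVICE: s3
  AWS_REGION: "us-east-1"
  AWS_SECRET_ACCESS_KEY: "YOUR_SECRET_KEY"
extraSecretEnv:
  AWS_ACCESS_KEY_ID: "YOUR_ACCESS_KEY"
EOF

if lint_extra_env "$sample"; then
  echo "extraEnv looks clean"
else
  echo "move the keys listed above into extraSecretEnv before installing"
fi
rm -f "$sample"
```

Run it against every values file passed with -f before helm install or helm upgrade; a non-zero exit status makes it usable as a CI gate.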
Autoscaling (Enterprise)
| Parameter | Description | Default |
|---|---|---|
| autoscaling.enabled | Enable Horizontal Pod Autoscaler | false |
| autoscaling.minReplicas | Minimum replicas | 1 |
| autoscaling.maxReplicas | Maximum replicas | 5 |
| autoscaling.targetCPUUtilizationPercentage | Target CPU utilization | 70 |
Enterprise with PostgreSQL
Enterprise edition uses PostgreSQL instead of SQLite. You can either use the bundled PostgreSQL subchart or connect to an external PostgreSQL instance.
Bundled PostgreSQL
The Enterprise values file enables the Bitnami PostgreSQL subchart by default. It creates the main database and four auxiliary databases automatically:
helm install my-push pwpush-pro/pwpush-pro \
  -f values-enterprise.yaml \
  --set license.key=YOUR_LICENSE_KEY \
  --set license.region=YOUR_REGION \
  --set 'imagePullSecrets[0].name=regcred' \
  --set postgresql.auth.existingSecret=my-push-pwpush-pro
External PostgreSQL (RDS, Cloud SQL, Azure Database, etc.)
To use a managed PostgreSQL service, create four databases on your server:
- pwpush-pro
- pwpush-pro-cache
- pwpush-pro-cable
- pwpush-pro-queue
Then configure the chart:
database:
  type: postgresql
  host: "your-db-host.region.rds.amazonaws.com"
  port: 5432
  name: pwpush-pro
  user: pwpush_pro
  password: "YOUR_DB_PASSWORD"
postgresql:
  enabled: false
Cloud storage backends
Advanced and Enterprise editions support external storage backends for file uploads. Configure via extraEnv and extraSecretEnv:
extraEnv:
  ACTIVE_STORAGE_SERVICE: s3
  AWS_REGION: "us-east-1"
  AWS_BUCKET: "pwpush-pro-files"
extraSecretEnv:
  AWS_ACCESS_KEY_ID: "YOUR_ACCESS_KEY"
  AWS_SECRET_ACCESS_KEY: "YOUR_SECRET_KEY"
Supported storage backends include AWS S3, Google Cloud Storage, Azure Blob Storage, Cloudflare R2, MinIO, Wasabi, Backblaze B2, and more. See Configuration for all storage options.
Backup and recovery
Encryption secrets
After installation, immediately back up your encryption secrets:
kubectl get secret <release-name>-pwpush-pro -n <namespace> -o yaml > pwpush-pro-secrets-backup.yaml
Store this file securely: a Kubernetes Secret exported this way holds the keys base64-encoded, not encrypted. If you lose these keys, all encrypted data becomes permanently inaccessible.
Secrets are annotated with helm.sh/resource-policy: keep – they are preserved across helm upgrade and are not deleted by helm uninstall.
Database
- Starter/Advanced (SQLite): The SQLite database files are stored on the PVC mounted at /opt/PasswordPusher/storage. Back up the PVC contents regularly.
- Enterprise (PostgreSQL): Use standard PostgreSQL backup tools (pg_dump) or your cloud provider’s managed backup features.
For full backup guidance, see Backups.
Upgrading
helm repo update
helm upgrade my-push pwpush-pro/pwpush-pro
Encryption keys and database data are preserved automatically across upgrades. For day-2 operations guidance, see Operations.
Uninstalling
helm uninstall my-push
The Secret and PVC are retained by default (via helm.sh/resource-policy: keep). To fully remove all data:
kubectl delete secret <release-name>-pwpush-pro
kubectl delete pvc <release-name>-pwpush-pro-storage
GitOps with Argo CD
The chart is fully compatible with Argo CD. Encryption secrets require special handling to prevent key regeneration on every sync. Pre-create the secret and reference it in your values:
secrets:
  existingSecretName: pwpush-pro-secrets
For a complete Argo CD setup guide, see the Argo CD Guide in the Helm chart repository.
Kustomize integration
For customizations beyond what Helm values expose — adding labels, annotations, sidecars, network policies — you can use Kustomize with the Helm chart. See the Kustomize Guide and the examples in the Helm chart repository.
Example values files
The Helm chart repository includes ready-to-use example values files:
| Example | Description |
|---|---|
| starter-minimal.yaml | Starter edition with Ingress and TLS |
| advanced-external-storage.yaml | Advanced edition with S3 storage backend |
| enterprise-ha.yaml | Enterprise HA with bundled PostgreSQL and autoscaling |
| enterprise-external-db.yaml | Enterprise with external PostgreSQL (RDS, Cloud SQL, etc.) |
| argocd-application.yaml | Argo CD Application manifest |
| kustomize/ | Kustomize patches for advanced customizations |
Related
| Topic | Doc |
|---|---|
| Docker Compose install (non-K8s) | Getting started checklist |
| Azure-specific deployment | Deploy on Microsoft Azure |
| Plans and features | Overview |
| Admin settings | Configuration |
| Database and .env backups | Backups |
| System requirements | System Requirements |
| Helm chart source | apnotic/pwpush-pro-helm on GitHub |