All articles

Installing passbolt with Helm

5 min. read

Clayton Stevenson

Clayton Stevenson

9 February, 2023

Passbolt Helm Chart

Let’s take a journey through passbolt’s recently released Helm chart. Using Helm is the easiest way to get started with passbolt on kubernetes. In this guide, we’ll go over the Helm chart and show a sample installation with it.

Before digging in, there are a few things you’ll need to know.

Gather The Essentials

This is a guide for a Helm chart, so you’ll definitely need Helm. Other key components are a kubernetes (k8s) cluster, kubectl, and a working SMTP server to get this baby up and running. You can get a full rundown on our help page, but the essentials are:

While it’s completely optional, you may also want an ingress of your choice configured so you can navigate to the links provided in this installation guide. Finally, we recommend a properly configured-DNS record if you’re planning to set this up as a more production-like environment.

Worf work to do

K8s Noob? Proceed With Caution

If you’re interested in installing this Helm chart, you should come prepared with some kubernetes skills. This guide is for folks who already know their way around a cluster. It assumes the reader has a general knowledge of k8s, Helm, and how to use them.

If you’ve never used k8s before or don’t know how to configure kubectl or an ingress this probably isn’t for you right now. Since it focuses only on the passbolt aspects, it may not be the right time to dive right into k8s. You can definitely use this post as a learning experience, but for hosting you’ll want to use one of passbolt’s other methods.

Seriously, don’t host your password manager on k8s as your first introduction to working with k8s, you WILL have a bad time.

Let’s Embark: Installation

Well, now that’s out of the way, let’s get started! The first step is to add our repo for the Helm chart:

helm repo add passbolt-repo
codecentric repo is for mailhog for this demo
*codecentric repo is for mailhog for this demo

Once the repo has been added, we’ll want to get a copy of the values file:


Several changes will need to be made in this file. Everything with a value of, get this, “CHANGEME” will need to be changed. Revolutionary, right? Take these for example:

screenshot showing change me

Another (less obvious) important variable needing to be changed is “APP_FULL_BASE_URL” value. If you choose to configure an ingress, it’s necessary to enable ingress as well:

ingress settings

Done changing all the values you want to? Now the real fun begins, it’s time to install on your cluster using Helm:

helm install -f values.yaml my-passbolt passbolt-repo/passbolt

Here we can notice that “APP_FULL_BASE_URL” is set to https://passbolt.local. In this instance, ingress is also configured for it and the /etc/hosts file points to it.

If you have these configured, you should be able to view the site in your browser. It will look something like this:

Passbolt in browser screenshot
*Yes, It’s running this in an insecure set up, we wouldn’t ever recommend doing that in production. This is only because it is a demo on a local setup.

Once you’ve confirmed you can access the login page from the browser, it’s time to populate your installation.

Welcome Aboard

It’s time to create the first admin user in your installation:

kubectl exec -it my-passbolt-depl-srv-78b96589c6–2h2bv — /bin/bash -c “su -s /bin/bash -c \”bin/cake passbolt register_user -u [email protected] -f clayton -l stevenson -r admin\” www-data”
Admin creation screenshot
*We used a fake email address and ran mailhog for the purpose of this demo.

Finish registering your account at the url provided in your terminal. When visiting the URL, you should be greeted with the prompt to choose a passphrase:

Passphrase creation page Passbolt

After typing a memorable passphrase and clicking next, you’ll be prompted to download a recovery kit. Then it’s time to pick a security token:

Security Token creation passbolt

Once a security token is chosen, pressing next will take you to your passbolt dashboard:

Passbolt dashboard

With that, you’ve successfully installed passbolt via Helm chart and created your first admin. Which means you’re kind of ready to go, but not really because it’s not secure and it’s local… but, you get the idea.

Plus, just look at all these beautiful pods from k9s:

k9s pods

If you’ve made it this far you should have a working installation of passbolt on k8s. That’s great news, congratulations! We recommend getting some cake or something to celebrate.

The Grand Finale

Creating a passbolt install using Helm may only take a few steps, but managing a cluster can be gnarly. If you decide to go this route, make sure you’re prepared to maintain it. Even though this installation guide is finished, there’s still work to be done.

You’ll want to configure it to use https and a real email server if you plan to use it as a password manager. And there are lots of values in the options file that will allow you to forge a passbolt installation that suits your needs.

If you run into problems, let the community know, we’ll be happy to help. We’d also love to hear your feedback on the Helm chart.

This article was written in collaboration with Shelby Lee Neubeck.