
Passbolt is great. It provides a secure and very useful interface for password/manual secret storage. Both the Firefox add-on and the iOS app work great, and are easy to set up and use.
The available documentation explains installation on most platforms, including Ubuntu and Docker, but not a "basic" Kubernetes deployment. That said, I am aware of the Helm chart. But it felt a bit… overkill.
Here is a basic deployment with a PersistentVolumeClaim, a Secret, a Deployment, a Service and an Ingress.
For this deployment to work, a database endpoint (a Kubernetes Service) needs to be reachable, with a database named passbolt and a user named "passbolt" already created. A persistent volume is also needed to store Passbolt's GPG and JWT keys. I also use the 'cert-manager.io/cluster-issuer: "letsencrypt-production"' annotation on the nginx ingress to get a Let's Encrypt certificate.
Remember to replace the "[]" placeholders before deploying.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: passbolt-pv-claim
  labels:
    app: passbolt
spec:
  storageClassName: [StorageClass]
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 2Gi
---
apiVersion: v1
kind: Secret
metadata:
  name: passboltmysqlpassword
type: Opaque
data:
  password: cGFzc3dvcmQ= # echo -n 'password'|base64
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: passbolt
spec:
  replicas: 1
  selector:
    matchLabels:
      app: passbolt
  template:
    metadata:
      labels:
        app: passbolt
    spec:
      containers:
        - name: passbolt
          image: passbolt/passbolt:latest-ce
          env:
            - name: APP_FULL_BASE_URL
              value: https://[PASSBOLT_URL]
            - name: DATASOURCES_DEFAULT_HOST
              value: [MYSQL_DB_SERVICE]
            - name: DATASOURCES_DEFAULT_DATABASE
              value: passbolt
            - name: DATASOURCES_DEFAULT_USERNAME
              value: passbolt
            - name: DATASOURCES_DEFAULT_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: passboltmysqlpassword
                  key: password
          volumeMounts:
            - mountPath: "/etc/passbolt/gpg"
              name: gpgjwt
              subPath: gpg
            - mountPath: "/etc/passbolt/jwt"
              name: gpgjwt
              subPath: jwt
          imagePullPolicy: Always
          ports:
            - containerPort: 80
      volumes:
        - name: gpgjwt
          persistentVolumeClaim:
            claimName: passbolt-pv-claim
---
apiVersion: v1
kind: Service
metadata:
  name: passbolt-service
spec:
  selector:
    app: passbolt
  ports:
    - protocol: TCP
      port: 80
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: passbolt-ingress
  annotations:
    kubernetes.io/ingress.class: "nginx"
    cert-manager.io/cluster-issuer: "letsencrypt-production"
spec:
  tls:
    - hosts:
        - [PASSBOLT_URL]
      secretName: passbolt-tls
  rules:
    - host: [PASSBOLT_URL]
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: passbolt-service
                port:
                  number: 80
Save (and update) the manifest above as passbolt.yaml and apply it with:
~$ kubectl apply -f passbolt.yaml
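As an added helper that is not part of the original post, here is a small POSIX shell script that fills the [] placeholders from environment variables, refuses to continue while any placeholder is left in the manifest, and base64-encodes the database password for the Secret without a stray trailing newline. The function names, the passbolt.yaml path and the environment variable names (StorageClass, PASSBOLT_URL, MYSQL_DB_SERVICE) are my own assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: render passbolt.yaml by filling
# the [] placeholders from environment variables, refuse to deploy while any
# placeholder is left, and base64-encode the DB password for the Secret.
# Assumptions: the manifest is saved as passbolt.yaml and the environment
# variables StorageClass, PASSBOLT_URL and MYSQL_DB_SERVICE are set.

# Print the manifest with every [NAME] token replaced by $NAME.
# Each variable is required (":?" aborts with a message if it is unset).
render_manifest() {
  sed -e "s|\[StorageClass\]|${StorageClass:?StorageClass is not set}|g" \
      -e "s|\[PASSBOLT_URL\]|${PASSBOLT_URL:?PASSBOLT_URL is not set}|g" \
      -e "s|\[MYSQL_DB_SERVICE\]|${MYSQL_DB_SERVICE:?MYSQL_DB_SERVICE is not set}|g" \
      "$1"
}

# Succeed only if no [Placeholder] token remains; otherwise print the
# offending lines with line numbers and fail, so a half-edited manifest
# is never applied. Plain list items such as "- ReadWriteOnce" do not match.
check_placeholders() {
  ! grep -nE '\[[A-Za-z_]+\]' "$1"
}

# base64 for a Kubernetes Secret value. printf '%s' never appends a newline;
# a plain echo would, and a newline inside the encoded password makes the
# database login fail. A Secret's data is only base64-encoded, not encrypted.
db_password_b64() {
  printf '%s' "$1" | base64 | tr -d '\n'
}

# Render, check, then apply only the verified manifest:
#   render_manifest passbolt.yaml > passbolt.rendered.yaml
#   check_placeholders passbolt.rendered.yaml && kubectl apply -f passbolt.rendered.yaml
```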
Once Passbolt is up and running in the cluster, create a new user with:
~$ kubectl exec -it <pod_name> -n <namespace> -- su -c "bin/cake passbolt register_user -u <user_mail> -f <first_name> -l <last_name> -r admin" -s /bin/bash www-data
…and follow the printed URL to finish the user setup.
Encrypt your secrets?