Kubernetes – Passbolt Kubernetes Deployment

Passbolt is great. It provides a secure and very useful interface for storing passwords and other manually managed secrets. Both the Firefox add-on and the iOS app work great, and are easy to set up and use.

The available documentation explains installation on most platforms, including Ubuntu and Docker, but offers no “basic” Kubernetes deployment. I am aware of the Helm chart, but it felt a bit… overkill.

Here is a basic setup consisting of a PersistentVolumeClaim, a Secret, a Deployment, a Service and an Ingress.

For this deployment to work, a database endpoint (a Kubernetes Service) needs to be reachable, with a database named passbolt and a user named “passbolt” already created. A persistent volume also needs to be available for storing Passbolt’s GPG and JWT keys; it is claimed by the PersistentVolumeClaim below. I use the ‘cert-manager.io/cluster-issuer: “letsencrypt-production”’ annotation on the nginx-ingress Ingress so that cert-manager issues a Let’s Encrypt certificate.

Remember to replace the bracketed “[…]” placeholders before deploying.

apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: passbolt-pv-claim
  labels:
    app: passbolt
spec:
  storageClassName: [StorageClass]
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 2Gi

---

apiVersion: v1
kind: Secret
metadata:
  name: passboltmysqlpassword
type: Opaque
data:
  password: cGFzc3dvcmQ= # echo -n 'password'|base64

---

apiVersion: apps/v1
kind: Deployment
metadata:
  name: passbolt
spec:
  replicas: 1
  selector:
    matchLabels:
      app: passbolt
  template:
    metadata:
      labels:
        app: passbolt
    spec:
      containers:
        - name: passbolt
          image: passbolt/passbolt:latest-ce
          env:
          - name: APP_FULL_BASE_URL
            value: https://[PASSBOLT_URL]
          - name: DATASOURCES_DEFAULT_HOST
            value: [MYSQL_DB_SERVICE]
          - name: DATASOURCES_DEFAULT_DATABASE
            value: passbolt
          - name: DATASOURCES_DEFAULT_USERNAME
            value: passbolt
          - name: DATASOURCES_DEFAULT_PASSWORD
            valueFrom:
              secretKeyRef:
                name: passboltmysqlpassword
                key: password
          volumeMounts:
          - mountPath: "/etc/passbolt/gpg"
            name: gpgjwt
            subPath: gpg
          - mountPath: "/etc/passbolt/jwt"
            name: gpgjwt
            subPath: jwt
          imagePullPolicy: Always
          ports:
            - containerPort: 80
      volumes:
        - name: gpgjwt
          persistentVolumeClaim:
            claimName: passbolt-pv-claim

---

apiVersion: v1
kind: Service
metadata:
  name: passbolt-service
spec:
  selector:
    app: passbolt
  ports:
    - protocol: TCP
      port: 80

---

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: passbolt-ingress
  annotations:
    kubernetes.io/ingress.class: "nginx"
    cert-manager.io/cluster-issuer: "letsencrypt-production"
spec:
  tls:
  - hosts:
    - [PASSBOLT_URL]
    secretName: passbolt-tls
  rules:
  - host: [PASSBOLT_URL]
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: passbolt-service
            port:
              number: 80

Save the above manifests (with the placeholders updated) as passbolt.yaml and apply with:

~$ kubectl apply -f passbolt.yaml

Once Passbolt is up and running in the cluster, create a new user with:

~$ kubectl exec -it <pod_name> -n <namespace> -- su -c "bin/cake passbolt register_user -u <user_mail> -f <first_name> -l <last_name> -r admin" -s /bin/bash www-data

Then follow the printed URL to finish the user setup.
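A small pre-flight script for the manifest above, added here as an example (it is not the post's own code and not part of Passbolt): it reports placeholders still left in passbolt.yaml, fills them in, and encodes a freshly generated database password for the Secret instead of the literal "password" in the sample. The file name, the placeholder values and the use of /dev/urandom are assumptions.

```shell
#!/bin/sh
# Added pre-flight helper, not part of the original post or of Passbolt.
# Assumes only POSIX sh plus grep, sort, sed, base64, mktemp and /dev/urandom.

# List every bracketed placeholder (e.g. [PASSBOLT_URL]) still present in a
# manifest. Returns 1 if any remain, so it can gate "kubectl apply". Note that
# "https://[PASSBOLT_URL]" is a valid YAML string, so the apply alone would
# accept it unchanged.
check_placeholders() {
  left=$(grep -o '\[[A-Za-z_]*]' "$1" | sort -u)
  if [ -n "$left" ]; then
    printf 'unreplaced placeholders in %s:\n%s\n' "$1" "$left" >&2
    return 1
  fi
  return 0
}

# Replace [NAME] with VALUE everywhere in FILE (keeps a .bak copy).
fill_placeholder() {  # fill_placeholder FILE NAME VALUE
  sed -i.bak "s|\[$2\]|$3|g" "$1"
}

# Base64 a Secret value the way the manifest's "echo -n 'password'|base64"
# comment does: no trailing newline in the input, single-line output.
encode_secret() {
  printf '%s' "$1" | base64 | tr -d '\n'
}

# Random 32-character database password to use instead of the sample's
# literal "password" (base64 in a Secret is encoding, not encryption).
gen_password() {
  head -c 24 /dev/urandom | base64 | tr -d '=\n' | tr '+/' '-_'
}

# Constructed three-line excerpt of the manifest above, used to exercise the
# checks without touching a real cluster.
SAMPLE=$(mktemp)
cat >"$SAMPLE" <<'EOF'
  storageClassName: [StorageClass]
    value: https://[PASSBOLT_URL]
    - [PASSBOLT_URL]
EOF

# Typical use on the real file:
#   PW=$(gen_password)
#   fill_placeholder passbolt.yaml PASSBOLT_URL passbolt.example.com
#   fill_placeholder passbolt.yaml StorageClass local-path
#   sed -i.bak "s|cGFzc3dvcmQ=|$(encode_secret "$PW")|" passbolt.yaml
#   check_placeholders passbolt.yaml && kubectl apply -f passbolt.yaml
```

The same generated password must of course also be set for the “passbolt” database user before the pod starts.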

Encrypt your secrets 👾
