Official Helm charts for deploying Password Pusher Pro on Kubernetes.
- Kubernetes 1.24+
- Helm 3.x
- Access to `registry.apnotic.com` (requires a Password Pusher Pro license)

```bash
helm repo add pwpush-pro https://apnotic.github.io/pwpush-pro-helm
helm repo update
```

Password Pusher Pro images are hosted on a private registry. Create a pull secret in your namespace:

```bash
kubectl create secret docker-registry regcred \
  --docker-server=registry.apnotic.com \
  --docker-username=YOUR_USERNAME \
  --docker-password=YOUR_PASSWORD
```

```bash
# For Advanced
curl -O https://raw.githubusercontent.com/apnotic/pwpush-pro-helm/main/charts/pwpush-pro/values-advanced.yaml
# For Enterprise
curl -O https://raw.githubusercontent.com/apnotic/pwpush-pro-helm/main/charts/pwpush-pro/values-enterprise.yaml
```

Starter Edition:

```bash
helm install my-push pwpush-pro/pwpush-pro \
  --set license.key=YOUR_LICENSE_KEY \
  --set imagePullSecrets[0].name=regcred
```

Advanced Edition:

```bash
helm install my-push pwpush-pro/pwpush-pro \
  -f values-advanced.yaml \
  --set license.key=YOUR_LICENSE_KEY \
  --set imagePullSecrets[0].name=regcred
```

Enterprise Edition:

```bash
helm install my-push pwpush-pro/pwpush-pro \
  -f values-enterprise.yaml \
  --set license.key=YOUR_LICENSE_KEY \
  --set imagePullSecrets[0].name=regcred \
  --set postgresql.auth.existingSecret=my-push-pwpush-pro
```

Note: The `postgresql.auth.existingSecret` value follows the pattern `<release-name>-pwpush-pro`. Replace `my-push` with your chosen release name.

For GitOps deployments with Argo CD, see the dedicated Argo CD Guide. The chart is fully compatible with Argo CD, but requires special handling for encryption secrets to prevent key regeneration on every sync.
Quick reference for Argo CD:

```yaml
spec:
  source:
    helm:
      values: |
        secrets:
          existingSecretName: pwpush-pro-secrets  # Pre-create this secret
```

For customizations beyond what Helm values expose (adding labels, annotations, sidecars, network policies), use Kustomize with the Helm chart. See the Kustomize Guide and `examples/kustomize/`.

Common Kustomize use cases:
- Adding organizational labels for cost allocation
- Injecting monitoring sidecars (Datadog, New Relic)
- Adding network policies for pod-to-pod communication control
- Security hardening patches
| Feature | Starter | Advanced | Enterprise |
|---|---|---|---|
| Database | SQLite | SQLite | PostgreSQL |
| SSO | - | Google, Microsoft | Google, Microsoft, Okta, Auth0, NetScaler |
| Storage | Disk | Disk, S3, GCS, Azure | Disk, S3, GCS, Azure, MinIO, R2, and more |
| Scaling | Single replica | Single replica | Multi-replica with HPA |

| Parameter | Description | Default |
|---|---|---|
| `license.key` | Password Pusher Pro license key (required) | `""` |
| `license.region` | License region (required) | `""` |
| `image.repository` | Container image repository | `registry.apnotic.com/pwpush-pro` |
| `image.tag` | Container image tag | `latest` |
| `imagePullSecrets` | Image pull secrets for private registry | `[]` |
| `replicaCount` | Number of pod replicas | `1` |
| `resources` | CPU/memory resource requests and limits | `{}` |

| Parameter | Description | Default |
|---|---|---|
| `storage.size` | Persistent volume size | `5Gi` |
| `storage.storageClassName` | Storage class name | `""` |
| `storage.accessModes` | PVC access modes | `[ReadWriteOnce]` |

| Parameter | Description | Default |
|---|---|---|
| `ingress.enabled` | Enable Ingress | `false` |
| `ingress.className` | Ingress class name | `""` |
| `ingress.annotations` | Ingress annotations | `{}` |
| `ingress.hosts` | Ingress host rules | `[]` |
| `ingress.tls` | Ingress TLS configuration | `[]` |

| Parameter | Description | Default |
|---|---|---|
| `database.type` | Database type (`sqlite` or `postgresql`) | `sqlite` |
| `database.host` | External PostgreSQL host | `""` |
| `database.port` | PostgreSQL port | `5432` |
| `database.name` | Database name | `pwpush-pro` |
| `database.user` | Database user | `pwpush-pro` |
| `database.password` | Database password (auto-generated if empty) | `""` |
| `postgresql.enabled` | Deploy bundled PostgreSQL subchart | `false` |

| Parameter | Description | Default |
|---|---|---|
| `secrets.existingSecretName` | Use an existing Kubernetes Secret | `""` |

| Parameter | Description | Default |
|---|---|---|
| `extraEnv` | Additional env vars in ConfigMap (non-sensitive only) | `{}` |
| `extraSecretEnv` | Additional env vars in Secret (for sensitive values) | `{}` |

| Parameter | Description | Default |
|---|---|---|
| `autoscaling.enabled` | Enable Horizontal Pod Autoscaler | `false` |
| `autoscaling.minReplicas` | Minimum replicas | `1` |
| `autoscaling.maxReplicas` | Maximum replicas | `5` |
| `autoscaling.targetCPUUtilizationPercentage` | Target CPU utilization | `70` |

TLS is handled by the Kubernetes Ingress controller, not the application container. When Ingress TLS is configured, the Ingress terminates HTTPS and forwards requests to the app over HTTP on port 80. Password Pusher Pro detects the original protocol via X-Forwarded-Proto headers from the Ingress.
For most deployments, configure TLS via Ingress with cert-manager:

```yaml
ingress:
  enabled: true
  className: nginx
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
  hosts:
    - host: push.example.com
      paths:
        - path: /
          pathType: Prefix
  tls:
    - secretName: push-tls
      hosts:
        - push.example.com
```

After installation, immediately back up your encryption secrets:

```bash
kubectl get secret <release-name>-pwpush-pro -n <namespace> -o yaml > pwpush-pro-secrets-backup.yaml
```

Store this file securely. If you lose these keys, all encrypted data becomes permanently inaccessible.

Secrets are annotated with helm.sh/resource-policy: keep -- they are preserved across helm upgrade and are not deleted by helm uninstall.
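
To confirm later (for example after an Argo CD sync or a `helm upgrade`) that the keys in the cluster are still the ones in this backup, the two manifests can be compared on their `data:` block only. The script below is an added example, not part of the chart; the function names and `live.yaml` are assumptions, and it expects the block-style YAML that `kubectl get secret -o yaml` prints.

```shell
#!/bin/sh
# Added example (not part of the chart): detect whether the encryption keys in
# the live Secret still match the backup taken after installation.

# Print a SHA-256 over the sorted entries of the manifest's top-level `data:`
# block. Metadata (resourceVersion, annotations, ...) is ignored on purpose,
# because it can change between reads even when the keys do not.
data_fingerprint() {
  entries=$(awk '
    /^data:/   { in_data = 1; next }   # start of the data block
    /^[^ \t#]/ { in_data = 0 }         # any other top-level key ends it
    in_data && NF { print }
  ' "$1" | sort)
  [ -n "$entries" ] || return 1        # no data entries: refuse to compare
  printf '%s\n' "$entries" | sha256sum | cut -d' ' -f1
}

# keys_unchanged BACKUP LIVE
# returns 0 = identical key material, 1 = keys differ, 2 = a manifest is unusable
keys_unchanged() {
  backup_fp=$(data_fingerprint "$1") || return 2
  live_fp=$(data_fingerprint "$2") || return 2
  [ "$backup_fp" = "$live_fp" ]
}

# Typical use (placeholders as in the backup command above; live.yaml is an
# assumed file name):
#   umask 077   # the manifests contain key material; keep them owner-only
#   kubectl get secret <release-name>-pwpush-pro -n <namespace> -o yaml > live.yaml
#   keys_unchanged pwpush-pro-secrets-backup.yaml live.yaml || echo "keys differ or unreadable"
```

A return code of 1 means the live Secret no longer holds the backed-up keys, which is the regeneration case the Argo CD note warns about.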
- Starter/Advanced (SQLite): The SQLite database files are stored on the PVC mounted at `/opt/PasswordPusher/storage`. Back up the PVC contents regularly.
- Enterprise (PostgreSQL): Use standard PostgreSQL backup tools (`pg_dump`) or your cloud provider's managed backup features.

```bash
helm repo update
helm upgrade my-push pwpush-pro/pwpush-pro
```

Encryption keys and database data are preserved automatically across upgrades.

```bash
helm uninstall my-push
```

The Secret and PVC are retained (via `helm.sh/resource-policy: keep`). To fully remove:

```bash
kubectl delete secret <release-name>-pwpush-pro
kubectl delete pvc <release-name>-pwpush-pro-storage
```

See the `examples/` directory for ready-to-use values files:
- `starter-minimal.yaml` -- Starter with Ingress
- `advanced-external-storage.yaml` -- Advanced with S3 storage
- `enterprise-ha.yaml` -- Enterprise HA with bundled PostgreSQL
- `enterprise-external-db.yaml` -- Enterprise with external PostgreSQL (RDS, Cloud SQL, etc.)
- `argocd-application.yaml` -- Argo CD Application manifest
- `kustomize/` -- Kustomize patches and configurations for advanced customizations

For detailed guides, see:
- Argo CD Guide -- Argo CD specific documentation
- Kustomize Guide -- Kustomize integration documentation
- Documentation: https://docs.pwpush.com
- Support: https://docs.pwpush.com/docs/support/
- FAQ: https://docs.pwpush.com/docs/faq/