This chart deploys:
- Cryptomator Hub (required)
- Keycloak (optional, enabled by default)
- PostgreSQL (optional, enabled by default)
Image repositories/tags are fixed in templates:
- Hub: `ghcr.io/cryptomator/hub:<appVersion from Chart.yaml>`
- Keycloak: `ghcr.io/cryptomator/keycloak:26.5.3`
- PostgreSQL: `postgres:17-alpine`
TLS termination is currently expected to be done by the ingress controller. Supported ingress controller templates:
- `ingress.controller=nginx`
- `ingress.controller=traefik`
- `ingress.controller=contour`
Assuming you have a local KIND cluster, e.g. via Podman Desktop with contour ingress on port 9090:

```bash
helm install hub charts/cryptomator-hub \
  --namespace cryptomator \
  --create-namespace \
  --wait --timeout 5m \
  --set urls.hub.public=http://localhost:9090/hub \
  --set urls.kc.public=http://localhost:9090/kc \
  --set ingress.controller=contour \
  --set hub.admin.password=password
```

Passwords are optional by default. If unset, the chart generates random values and prints commands in the Helm notes to retrieve them from Kubernetes Secrets.
The Keycloak realm import is rendered from a dedicated template using:
- `keycloak.realmBootstrap.realmId`
- `hub.secrets.systemClientSecret` (optional; auto-generated when chart-managed Hub secret is used)
- `hub.admin.*` (realm-level Hub admin user; separate from `keycloak.admin.*` bootstrap user)
Hub metrics are configured via:
- `hub.metrics.enabled`
- `hub.metrics.username`
- `hub.metrics.password` (optional; auto-generated if unset)
When metrics are enabled, the chart creates:
- Secret `<release>-secrets-hub-metrics` of type `kubernetes.io/basic-auth`
- Metrics ingress route on Hub management endpoint path `/q/metrics`
- Basic-auth protection for metrics ingress on `nginx` and `traefik` controllers
```bash
helm install hub charts/cryptomator-hub \
  --namespace cryptomator \
  --create-namespace \
  --wait --timeout 5m \
  --set keycloak.enabled=false \
  --set postgres.enabled=false \
  --set hub.database.jdbcUrl='jdbc:postgresql://db.example:5432/hub' \
  --set hub.database.username='hub' \
  --set hub.config.keycloakPublicUrl='https://sso.example/kc' \
  --set hub.config.keycloakLocalUrl='http://keycloak.svc.cluster.local:8080/kc' \
  --set hub.oidc.authServerUrl='http://keycloak.svc.cluster.local:8080/kc/realms/cryptomator' \
  --set hub.oidc.tokenIssuer='https://sso.example/kc/realms/cryptomator'
```

Even with `keycloak.enabled=false`, the chart still renders `realm.json` in Secret `<release>-keycloak` so you can manually export/import it for your existing Keycloak.
Assuming namespace `cryptomator` and name `hub`:

```bash
kubectl get secret -n cryptomator hub-secrets-kc -o jsonpath='{.data.realm\.json}' | base64 -d | ...
```

This chart contains an OCI chart signature, which can be verified as follows (assuming chart version 0.1.0):

```bash
cosign verify \
  --certificate-identity-regexp 'https://github.com/cryptomator/hub/.github/workflows/helm-chart.yml@refs/(heads|tags)/.+' \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
  ghcr.io/cryptomator/charts/cryptomator-hub:0.1.1
```

You can additionally inspect provenance attestations:

```bash
cosign verify-attestation \
  --type https://slsa.dev/provenance/v1 \
  --certificate-identity-regexp 'https://github.com/cryptomator/hub/.github/workflows/helm-chart.yml@refs/(heads|tags)/.+' \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
  ghcr.io/cryptomator/charts/cryptomator-hub:0.1.1
```
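
The two cosign checks above can gate the installation itself, so that a failed signature or provenance check stops the rollout. The following is an added example, not part of the chart or its repository; the function names `verify_chart` and `verified_install` are hypothetical, and it assumes the chart is installed from the same OCI reference that cosign verifies rather than from a local `charts/cryptomator-hub` checkout.

```shell
#!/usr/bin/env bash
# Added example: run "helm install" only if both cosign checks succeed.
# Values below are copied from the cosign commands in this README.
CHART_REF='ghcr.io/cryptomator/charts/cryptomator-hub'
IDENTITY_RE='https://github.com/cryptomator/hub/.github/workflows/helm-chart.yml@refs/(heads|tags)/.+'
OIDC_ISSUER='https://token.actions.githubusercontent.com'

# verify_chart VERSION
# Returns 0 only if the signature AND the SLSA provenance attestation
# verify against the expected GitHub Actions workflow identity.
verify_chart() {
  local version="$1"
  cosign verify \
    --certificate-identity-regexp "$IDENTITY_RE" \
    --certificate-oidc-issuer "$OIDC_ISSUER" \
    "${CHART_REF}:${version}" >/dev/null || return 1
  cosign verify-attestation \
    --type https://slsa.dev/provenance/v1 \
    --certificate-identity-regexp "$IDENTITY_RE" \
    --certificate-oidc-issuer "$OIDC_ISSUER" \
    "${CHART_REF}:${version}" >/dev/null || return 1
}

# verified_install VERSION [extra helm arguments...]
# Exit codes: 2 = malformed version, 1 = verification failed, else helm's.
verified_install() {
  local version="${1:-}"
  # Reject empty versions or characters that do not belong in a chart tag.
  case "$version" in
    ''|*[!0-9A-Za-z.+-]*)
      echo "refusing: invalid chart version '$version'" >&2
      return 2 ;;
  esac
  shift
  if ! verify_chart "$version"; then
    echo "refusing to install ${CHART_REF}:${version}: cosign verification failed" >&2
    return 1
  fi
  # Assumption: install from the verified OCI reference (release "hub",
  # namespace "cryptomator", as in the examples above).
  helm install hub "oci://${CHART_REF}" --version "$version" \
    --namespace cryptomator --create-namespace \
    --wait --timeout 5m "$@"
}
```

After sourcing the file, call it as `verified_install <chart-version> --set ingress.controller=contour`; any further `--set` flags are passed through to Helm unchanged.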