Deploy DevGuard with Helm

Deploy DevGuard to a Kubernetes cluster using the official Helm chart. This is the recommended method for production deployments.

Prerequisites

  • Kubernetes cluster (1.24+)
  • Helm 3.x installed
  • kubectl configured for your cluster

Create namespace

kubectl create namespace devguard

Create required secrets

DevGuard requires an EC private key for signing in-toto attestations:

openssl ecparam -name prime256v1 -genkey -noout -out private.ec.key
kubectl create secret generic ec-private-key \
  --from-file=privateKey=private.ec.key \
  -n devguard

Create your values file

Create a values.yaml with your configuration:

api:
  ingress:
    enabled: true
    hosts:
      - host: api.devguard.example.com
        paths:
          - path: /
            pathType: Prefix
 
web:
  ingress:
    enabled: true
    hosts:
      - host: devguard.example.com
        paths:
          - path: /
            pathType: Prefix
 
# Authentication settings
password:
  enabled: true
passkey:
  enabled: true
 
# Mail configuration (required for account verification)
mail:
  existingSMTPConnectionUriSecret: "smtp-secret"
  fromAddress: "noreply@example.com"
  fromName: "DevGuard"

See the full values.yaml for all configuration options. To inspect the chart locally:

helm pull oci://ghcr.io/l3montree-dev/devguard-helm-chart/devguard --version <version>
tar -xzf devguard-<version>.tgz
cd devguard

Install the chart

helm install devguard oci://ghcr.io/l3montree-dev/devguard-helm-chart/devguard \
  --version <version> \
  --namespace devguard \
  -f values.yaml

Verify deployment

kubectl get pods -n devguard

All pods should reach Running status within a few minutes. The listing should include the PostgreSQL pod, the Kratos pod, and the pods of the API and web deployments.

Optional: CSAF Support

For CSAF advisory generation, create a PGP key pair:

gpg --full-generate-key
KEY_ID=$(gpg --list-secret-keys --keyid-format LONG | grep sec | head -1 | awk '{print $2}' | cut -d'/' -f2)
gpg --armor --export "$KEY_ID" > public.asc
gpg --armor --export-secret-keys "$KEY_ID" > private.asc
FINGERPRINT=$(gpg --fingerprint "$KEY_ID" | grep -A1 "pub " | tail -1 | tr -d ' ')
 
kubectl create secret generic csaf-key-pair \
  --from-file=privateKey=private.asc \
  --from-file=publicKey=public.asc \
  --from-literal=passphrase="your-passphrase" \
  --from-literal=fingerprint="$FINGERPRINT" \
  -n devguard

Then add the CSAF section to your values.yaml (under the existing api: block):

api:
  csaf:
    existingCsafSecretName: "csaf-key-pair"
    aggregatorNamespace: "example.com"
    aggregatorName: "Example GmbH"
    aggregatorContactDetails: "csaf@example.com"

Then upgrade the release:

helm upgrade devguard oci://ghcr.io/l3montree-dev/devguard-helm-chart/devguard \
  --version <version> \
  --namespace devguard \
  -f values.yaml
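
The KEY_ID and FINGERPRINT lines in the CSAF key step take the first key in gpg's human-readable listing, which is the wrong key when the keyring holds more than one. As an added example (not part of the DevGuard documentation), the function below selects the key by e-mail address from `gpg --with-colons` output and refuses to guess when the match is ambiguous; the function name, the CSAF_EMAIL variable and the sample listing are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the DevGuard docs. Function name, CSAF_EMAIL and the
# sample listing are assumptions made for illustration.

# primary_fpr_for_uid EMAIL: reads `gpg --with-colons` records on stdin and
# prints the primary-key fingerprint of the single secret key whose user ID
# contains <EMAIL>. Returns 1 if no key matches, 2 if more than one does.
primary_fpr_for_uid() {
  awk -F: -v want="<$1>" '
    $1 == "sec" { fpr = ""; primary = 1; hit = 0; next }  # start of a key block
    $1 == "ssb" { primary = 0; next }                      # subkey fprs are skipped
    $1 == "fpr" && primary && fpr == "" { fpr = $10; next }
    $1 == "uid" && !hit && $2 != "r" && index($10, want) { hit = 1; found[++n] = fpr }
    END {
      if (n == 0) exit 1                            # no key carries this address
      if (n > 1) exit 2                             # ambiguous: refuse to guess
      if (found[1] !~ /^[0-9A-F]+$/) exit 1         # malformed or missing fpr record
      print found[1]
    }'
}

# Constructed sample (abbreviated colon listing): two secret keys in one keyring.
SAMPLE='sec:u:255:22:1111111111111111:1700000000:::u:::scESC:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAA1111111111111111:
uid:u::::1700000000::0000::Dev User <dev@example.com>:
ssb:u:255:18:3333333333333333:1700000000::::::e:
fpr:::::::::CCCCCCCCCCCCCCCCCCCCCCCC3333333333333333:
sec:u:255:22:2222222222222222:1700000001:::u:::scESC:
fpr:::::::::BBBBBBBBBBBBBBBBBBBBBBBB2222222222222222:
uid:u::::1700000001::0000::Example GmbH <csaf@example.com>:'

# Against the real keyring:
#   FINGERPRINT=$(gpg --list-secret-keys --with-colons | primary_fpr_for_uid "$CSAF_EMAIL")
printf '%s\n' "$SAMPLE" | primary_fpr_for_uid "csaf@example.com"
```

A non-zero return leaves FINGERPRINT empty, so check the exit status before passing the value to kubectl create secret.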

Next Steps