This repository contains a Helm chart and Docker Compose projects for deploying DatabunkerPro β a privacy vault and tokenization service for personal data.
For production environments, we strongly recommend using dedicated database servers instead of running databases in Kubernetes. This includes:
- AWS RDS (PostgreSQL/MySQL)
- Google Cloud SQL (PostgreSQL/MySQL)
- Azure Database (PostgreSQL/MySQL)
- Self-hosted database servers with proper backup and monitoring
- Better Performance: Dedicated resources and optimized configurations
- Enhanced Security: Managed security patches and compliance features
- Reliability: Built-in high availability, backup, and disaster recovery
- Scalability: Easier to scale without affecting application workloads
- Maintenance: Automated updates and maintenance windows
- Monitoring: Advanced monitoring and alerting capabilities
The official DatabunkerPro Helm chart is available through GitHub Pages. To install it:
# Add the Helm repository
helm repo add databunkerpro https://securitybunker.github.io/databunkerpro-setup
# Update your local Helm repository cache
helm repo update
# Install DatabunkerPro
helm install databunkerpro databunkerpro/databunkerproAfter installing the databunkerpro Helm chart, you need to expose the Databunker Pro service to complete the installation:
kubectl port-forward service/databunkerpro 3000:3000Then, open http://localhost:3000 in your browser to finish the setup process.
helm install databunkerpro databunkerpro/databunkerpro \
--set database.external=true \
--set database.type=postgresql \
--set database.externalConfig.host=your-rds-postgresql-endpoint \
--set database.externalConfig.user=your-db-user \
--set database.externalConfig.password=your-db-password \
--set database.externalConfig.sslMode=requirehelm install databunkerpro databunkerpro/databunkerpro \
--set database.external=true \
--set database.type=mysql \
--set database.externalConfig.host=your-rds-mysql-endpoint \
--set database.externalConfig.user=your-db-user \
--set database.externalConfig.password=your-db-passwordhelm install databunkerpro databunkerpro/databunkerpro \
--set database.external=true \
--set database.type=postgresql \
--set database.externalConfig.host=your-cloudsql-instance-ip \
--set database.externalConfig.user=your-db-user \
--set database.externalConfig.password=your-db-password \
--set database.externalConfig.sslMode=require
β οΈ Warning: Internal databases is not recomended for production.
helm install databunkerpro databunkerpro/databunkerpro \
--set database.type=postgresql \
--set database.internal.postgresql.enabled=true \
--set database.internal.postgresql.ssl.enabled=truehelm install databunkerpro databunkerpro/databunkerpro \
--set database.type=mysql \
--set database.internal.mysql.enabled=trueInstead of auto-generating database passwords, you can generate your own password and store it as Kubernetes secret. The helm install can be configured to use this secret.
-
Create the secret with kubectl:
kubectl create secret generic my-postgresql-secret \ --from-literal=password='your-secure-postgresql-password' \ --namespace=your-namespace -
Install DatabunkerPro with the existing secret:
helm install databunkerpro databunkerpro/databunkerpro \ --set database.type=postgresql \ --set database.internal.postgresql.enabled=true \ --set database.existingSecret.name=my-postgresql-secret \ --namespace=your-namespace
-
Create the secret with kubectl (MySQL requires both
passwordandroot-password):kubectl create secret generic my-mysql-secret \ --from-literal=password='your-secure-mysql-password' \ --from-literal=root-password='your-secure-mysql-root-password' \ --namespace=your-namespace
-
Install DatabunkerPro with the existing secret:
helm install databunkerpro databunkerpro/databunkerpro \ --set database.type=mysql \ --set database.internal.mysql.enabled=true \ --set database.existingSecret.name=my-mysql-secret \ --namespace=your-namespace
Alternatively, you can configure this in your values file:
database:
type: postgresql
existingSecret:
name: my-postgresql-secret
internal:
postgresql:
enabled: trueThen install with:
helm install databunkerpro databunkerpro/databunkerpro -f my-values.yamlNote: The secret must exist in the same namespace where you're deploying DatabunkerPro. If the secret name is not provided, the chart will automatically generate passwords as before.
-
Create the postgresql user and database:
CREATE ROLE bunkeruser NOSUPERUSER LOGIN PASSWORD 'your-secure-password'; CREATE ROLE mtenant NOSUPERUSER NOLOGIN; GRANT mtenant TO bunkeruser; CREATE DATABASE databunkerdb OWNER bunkeruser;
-
When working with neondb:
CREATE ROLE mtenant NOSUPERUSER NOLOGIN; GRANT mtenant TO neondb_owner; CREATE DATABASE databunkerdb;
-
Enable SSL/TLS (recommended for production):
- AWS RDS: SSL is enabled by default
- Google Cloud SQL: Enable SSL connections
- Azure Database: Enable SSL enforcement
-
Configure network access:
- Ensure your Kubernetes cluster can reach the database
- Configure security groups/firewall rules appropriately
- Use VPC peering or VPN for enhanced security
The internal database will be automatically created with the required schema.
If you want to use your own SSL certificates instead of auto-generated ones:
-
Generate SSL certificates (if you don't have them):
# Or generate manually openssl req -new -text -subj /CN=your-hostname \ -out server.req -keyout server.key openssl req -x509 -in server.req -text \ -key server.key -out server.crt -
Create Kubernetes secret:
kubectl create secret generic postgresql-ssl-certs \ --from-file=server.crt=./server.crt \ --from-file=server.key=./server.key
-
Install with custom certificates:
helm install databunkerpro databunkerpro/databunkerpro \ --set database.type=postgresql \ --set database.internal.postgresql.enabled=true \ --set database.internal.postgresql.ssl.enabled=true \ --set database.internal.postgresql.ssl.generateSelfSigned=false \ --set database.internal.postgresql.ssl.secretName=postgresql-ssl-certs
generateSelfSigned: true(default): Automatically generates self-signed certificatesgenerateSelfSigned: false+secretName: Uses certificates from Kubernetes secret
To expose DatabunkerPro via Ingress, set your custom host parameter:
--set ingress.host=databunker.your-domain.comMake sure to:
- Replace
databunker.your-domain.comwith your actual domain - Have an Ingress controller (like NGINX Ingress Controller) installed
- Have cert-manager installed if you want automatic SSL/TLS certificate management
For more complex configurations, you can create your own values file based on the default configuration:
# Download the default values file
helm show values databunkerpro/databunkerpro > my-values.yaml
# Edit the values file to match your needs
# Then install or upgrade using your custom values
helm install databunkerpro databunkerpro/databunkerpro -f my-values.yamlThis approach is recommended when you need to:
- Configure multiple parameters
- Maintain consistent configuration across deployments
- Version control your configuration
DatabunkerPro can also be deployed using Docker Compose. We provide two options: Percona MySQL 8 and PostgreSQL.
- Navigate to the MySQL Docker Compose directory:
cd docker-compose-mysql- Generate the required environment files:
./generate-env-files.sh- Pull the latest images:
docker compose pull- Start the services:
docker compose up -d- Navigate to the PostgreSQL Docker Compose directory:
cd docker-compose-pgsql- Generate the required environment files:
./generate-env-files.sh- Pull the latest images:
docker compose pull- Start the services:
docker compose up -dThe generate-env-files.sh script will:
- Create necessary directories
- Generate secure random passwords
- Create environment files for MySQL/PostgreSQL and DatabunkerPro
- Set up proper permissions
You can customize the deployment by modifying the values in your Helm installation command or by creating a custom values file.
Before deploying to production, ensure you have:
- Using a dedicated database server (RDS, Cloud SQL, etc.)
- Database SSL/TLS enabled
- Proper backup and disaster recovery configured
- Database monitoring and alerting set up
- Network security configured (VPC, security groups, etc.)
- SSL/TLS certificates configured for DatabunkerPro
- Proper RBAC and service accounts configured
- Secrets management in place (not hardcoded passwords)
- Network policies configured
- Regular security updates enabled
- Logging and monitoring configured
- Health checks and readiness probes working
- Resource limits and requests configured
- Horizontal Pod Autoscaler (HPA) configured if needed
- Backup and restore procedures tested
- Ingress controller properly configured
- SSL/TLS termination configured
- Load balancer configured for high availability
- DNS and domain configuration complete
kubectl run postgres-test --rm -i --restart=Never --image=postgres:14 -n namespace -- bash
psql -h databunkerpro-postgresql -U bunkeruser -d databunkerdb
kubectl exec -ti databunkerpro_pod_name -n namespace -- sh
/bin/busybox env
/bin/busybox cat /file-location
/bin/busybox cat /var/run/secrets/kubernetes.io/serviceaccount/wrapping-key/wrapping-key
Reset user related tables:
TRUNCATE TABLE users RESTART IDENTITY;
TRUNCATE TABLE userversions RESTART IDENTITY;
TRUNCATE TABLE userapps RESTART IDENTITY;
TRUNCATE TABLE userappversions RESTART IDENTITY;
TRUNCATE TABLE sharedrecords RESTART IDENTITY;
TRUNCATE TABLE audit RESTART IDENTITY;
TRUNCATE TABLE requests RESTART IDENTITY;
TRUNCATE TABLE agreements RESTART IDENTITY;
TRUNCATE TABLE sessions RESTART IDENTITY;
TRUNCATE TABLE usergroups RESTART IDENTITY;