This repository contains a Helm chart and Docker Compose projects for deploying Databunker Pro, a privacy vault and tokenization service for personal data.
For production environments, we strongly recommend using dedicated database servers instead of running databases in Kubernetes. This includes:
- AWS RDS (PostgreSQL/MySQL)
- Google Cloud SQL (PostgreSQL/MySQL)
- Azure Database (PostgreSQL/MySQL)
- Self-hosted database servers with proper backup and monitoring
- Better Performance: Dedicated resources and optimized configurations
- Enhanced Security: Managed security patches and compliance features
- Reliability: Built-in high availability, backup, and disaster recovery
- Scalability: Easier to scale without affecting application workloads
- Maintenance: Automated updates and maintenance windows
- Monitoring: Advanced monitoring and alerting capabilities
The official Databunker Pro Helm chart is available through GitHub Pages. To install it:
# Add the Helm repository
helm repo add databunkerpro https://securitybunker.github.io/databunkerpro-setup
# Update your local Helm repository cache
helm repo update
# Install Databunker Pro
helm install databunkerpro databunkerpro/databunkerpro
After installing the databunkerpro Helm chart, you need to expose the Databunker Pro service to complete the installation:
kubectl port-forward service/databunkerpro 3000:3000
Then, open http://localhost:3000 in your browser to finish the setup process.
helm install databunkerpro databunkerpro/databunkerpro \
--set database.external=true \
--set database.type=postgresql \
--set database.externalConfig.host=your-rds-postgresql-endpoint \
--set database.externalConfig.user=your-db-user \
--set database.externalConfig.password=your-db-password \
--set database.externalConfig.sslMode=require

helm install databunkerpro databunkerpro/databunkerpro \
--set database.external=true \
--set database.type=mysql \
--set database.externalConfig.host=your-rds-mysql-endpoint \
--set database.externalConfig.user=your-db-user \
--set database.externalConfig.password=your-db-password

helm install databunkerpro databunkerpro/databunkerpro \
--set database.external=true \
--set database.type=postgresql \
--set database.externalConfig.host=your-cloudsql-instance-ip \
--set database.externalConfig.user=your-db-user \
--set database.externalConfig.password=your-db-password \
--set database.externalConfig.sslMode=require
Warning: Internal databases are not recommended for production.
helm install databunkerpro databunkerpro/databunkerpro \
--set database.type=postgresql \
--set database.internal.postgresql.enabled=true \
--set database.internal.postgresql.ssl.enabled=true

helm install databunkerpro databunkerpro/databunkerpro \
--set database.type=mysql \
--set database.internal.mysql.enabled=true
Instead of auto-generating database passwords, you can generate your own password and store it as a Kubernetes secret. The helm install can then be configured to use this secret.
- Create the secret with kubectl:
  kubectl create secret generic my-postgresql-secret \
    --from-literal=password='your-secure-postgresql-password' \
    --namespace=your-namespace
- Install Databunker Pro with the existing secret:
  helm install databunkerpro databunkerpro/databunkerpro \
    --set database.type=postgresql \
    --set database.internal.postgresql.enabled=true \
    --set database.existingSecret.name=my-postgresql-secret \
    --namespace=your-namespace
- Create the secret with kubectl (MySQL requires both password and root-password):
  kubectl create secret generic my-mysql-secret \
    --from-literal=password='your-secure-mysql-password' \
    --from-literal=root-password='your-secure-mysql-root-password' \
    --namespace=your-namespace
- Install Databunker Pro with the existing secret:
  helm install databunkerpro databunkerpro/databunkerpro \
    --set database.type=mysql \
    --set database.internal.mysql.enabled=true \
    --set database.existingSecret.name=my-mysql-secret \
    --namespace=your-namespace
Alternatively, you can configure this in your values file:
database:
  type: postgresql
  existingSecret:
    name: my-postgresql-secret
  internal:
    postgresql:
      enabled: true
Then install with:
helm install databunkerpro databunkerpro/databunkerpro -f my-values.yaml
Note: The secret must exist in the same namespace where you're deploying Databunker Pro. If the secret name is not provided, the chart will automatically generate passwords as before.
- Create the PostgreSQL user and database:
  CREATE ROLE bunkeruser NOSUPERUSER LOGIN PASSWORD 'your-secure-password';
  CREATE ROLE mtenant NOSUPERUSER NOLOGIN;
  CREATE ROLE madmin BYPASSRLS NOSUPERUSER NOLOGIN;
  GRANT mtenant TO bunkeruser;
  GRANT madmin TO bunkeruser;
  CREATE DATABASE databunkerdb OWNER bunkeruser;
- When working with neondb:
  CREATE ROLE mtenant NOSUPERUSER NOLOGIN;
  CREATE ROLE madmin BYPASSRLS NOSUPERUSER NOLOGIN;
  GRANT mtenant TO neondb_owner;
  GRANT madmin TO neondb_owner;
  CREATE DATABASE databunkerdb;
- Enable SSL/TLS (recommended for production):
  - AWS RDS: SSL is enabled by default
  - Google Cloud SQL: Enable SSL connections
  - Azure Database: Enable SSL enforcement
- Configure network access:
  - Ensure your Kubernetes cluster can reach the database
  - Configure security groups/firewall rules appropriately
  - Use VPC peering or VPN for enhanced security
The internal database will be automatically created with the required schema.
If you want to use your own SSL certificates instead of auto-generated ones:
- Generate SSL certificates (if you don't have them):
  # Or generate manually
  openssl req -new -text -subj /CN=your-hostname \
    -out server.req -keyout server.key
  openssl req -x509 -in server.req -text \
    -key server.key -out server.crt
- Create Kubernetes secret:
  kubectl create secret generic postgresql-ssl-certs \
    --from-file=server.crt=./server.crt \
    --from-file=server.key=./server.key
- Install with custom certificates:
  helm install databunkerpro databunkerpro/databunkerpro \
    --set database.type=postgresql \
    --set database.internal.postgresql.enabled=true \
    --set database.internal.postgresql.ssl.enabled=true \
    --set database.internal.postgresql.ssl.generateSelfSigned=false \
    --set database.internal.postgresql.ssl.secretName=postgresql-ssl-certs
- generateSelfSigned: true (default): Automatically generates self-signed certificates
- generateSelfSigned: false + secretName: Uses certificates from Kubernetes secret
To expose Databunker Pro via Ingress, set your custom host parameter:
--set ingress.host=databunker.your-domain.com
Make sure to:
- Replace databunker.your-domain.com with your actual domain
- Have an Ingress controller (like NGINX Ingress Controller) installed
- Have cert-manager installed if you want automatic SSL/TLS certificate management
For more complex configurations, you can create your own values file based on the default configuration:
# Download the default values file
helm show values databunkerpro/databunkerpro > my-values.yaml
# Edit the values file to match your needs
# Then install or upgrade using your custom values
helm install databunkerpro databunkerpro/databunkerpro -f my-values.yaml
This approach is recommended when you need to:
- Configure multiple parameters
- Maintain consistent configuration across deployments
- Version control your configuration
Databunker Pro can also be deployed using Docker Compose. We provide two options: Percona MySQL 8 and PostgreSQL.
- Navigate to the MySQL Docker Compose directory:
  cd docker-compose-mysql
- Generate the required environment files:
  ./generate-env-files.sh
- Pull the latest images:
  docker compose pull
- Start the services:
  docker compose up -d

- Navigate to the PostgreSQL Docker Compose directory:
  cd docker-compose-pgsql
- Generate the required environment files:
  ./generate-env-files.sh
- Pull the latest images:
  docker compose pull
- Start the services:
  docker compose up -d

The generate-env-files.sh script will:
- Generate secure random passwords
- Create environment files for MySQL/PostgreSQL and Databunker Pro
- Generate self-signed SSL certificates for the database
- Generate a random DATABUNKER_SETUPKEY used for unattended installation
Database data is stored in a Docker named volume managed automatically by Docker Compose.
To fully reset the database and start fresh, run:
docker compose down -v
The -v flag removes the named volumes, wiping all database data. Then run docker compose up -d to start again.
When DATABUNKER_SETUPKEY is set in databunker.env, Databunker Pro exposes a POST /autoinstall endpoint that lets you complete the setup without using the browser UI.
Step 1: Check if setup is required
Use the GET /dbstatus endpoint to check whether the database has already been initialized:
curl -s http://localhost:3000/dbstatus
If setup is required, the response will be:
{"status":"ok","installed":false}
If the database is already installed:
{"status":"ok","installed":true}
Only proceed with /autoinstall when installed is false.
Step 2: Run autoinstall
SETUPKEY=$(grep DATABUNKER_SETUPKEY .env/databunker.env | cut -d= -f2)
curl -s -X POST http://localhost:3000/autoinstall \
-d "setupkey=$SETUPKEY"
To include a license key:
curl -s -X POST http://localhost:3000/autoinstall \
-d "setupkey=$SETUPKEY" \
-d "licensekey=YOUR_LICENSE_KEY"
On success the response contains the credentials needed to operate Databunker Pro. Save this output; it cannot be retrieved again.
{
  "status": "ok",
  "root_token": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
  "wrapping_key": "...",
  "shamir_keys": ["...", "...", "...", "...", "..."]
}
After the response is returned, the setup server shuts down automatically and the container restarts in normal operational mode. No further action is required.
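The two steps above combined into one guarded script, as an added example that is not part of the Databunker Pro repository: it calls /autoinstall only when /dbstatus reports installed false, keeps the setup key out of curl's argument list, and writes the one-time response to an owner-only file. The function names, the BASE_URL, ENV_FILE and OUT_FILE variables, and the output file name are assumptions.

```shell
#!/bin/sh
# Added example: guarded unattended install (not from the Databunker Pro repo).
# Assumed names: BASE_URL, ENV_FILE, OUT_FILE and all function names below.
set -eu

BASE_URL="${BASE_URL:-http://localhost:3000}"
ENV_FILE="${ENV_FILE:-.env/databunker.env}"
OUT_FILE="${OUT_FILE:-databunker-credentials.json}"

# Print the DATABUNKER_SETUPKEY value from an env file, keeping any '=' in it.
read_setupkey() {
    sed -n 's/^DATABUNKER_SETUPKEY=//p' "$1" | head -n 1
}

# Succeed only when a /dbstatus body says status ok and installed false.
needs_install() {
    compact=$(printf '%s' "$1" | tr -d ' \n\r\t')
    case "$compact" in
        *'"status":"ok"'*'"installed":false'*) return 0 ;;
        *'"installed":false'*'"status":"ok"'*) return 0 ;;
        *) return 1 ;;
    esac
}

# Write stdin to a new owner-only file; never overwrite saved credentials.
save_credentials() {
    [ ! -e "$1" ] || { echo "refusing to overwrite $1" >&2; return 1; }
    ( umask 077; cat > "$1" )
}

main() {
    status=$(curl -fsS "$BASE_URL/dbstatus")
    needs_install "$status" || { echo "setup not required; skipping" >&2; return 0; }
    key=$(read_setupkey "$ENV_FILE")
    [ -n "$key" ] || { echo "no DATABUNKER_SETUPKEY in $ENV_FILE" >&2; return 1; }
    # Send the form body on stdin so the key is not in curl's argument list.
    resp=$(printf 'setupkey=%s' "$key" | curl -fsS -X POST --data-binary @- "$BASE_URL/autoinstall")
    printf '%s\n' "$resp" | save_credentials "$OUT_FILE"
    echo "response saved to $OUT_FILE (mode 600); move it to a secret store" >&2
}

# Runs only when called as: sh autoinstall.sh run
if [ "${1:-}" = "run" ]; then main; fi
```

Run it from the Docker Compose directory so the default ENV_FILE path resolves, then move the saved file into your secrets manager and delete the local copy.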
You can customize the deployment by modifying the values in your Helm installation command or by creating a custom values file.
Before deploying to production, ensure you have:
- A dedicated database server (RDS, Cloud SQL, etc.)
- Database SSL/TLS enabled
- Proper backup and disaster recovery configured
- Database monitoring and alerting set up
- Network security configured (VPC, security groups, etc.)
- SSL/TLS certificates configured for Databunker Pro
- Proper RBAC and service accounts configured
- Secrets management in place (not hardcoded passwords)
- Network policies configured
- Regular security updates enabled
- Logging and monitoring configured
- Health checks and readiness probes working
- Resource limits and requests configured
- Horizontal Pod Autoscaler (HPA) configured if needed
- Backup and restore procedures tested
- Ingress controller properly configured
- SSL/TLS termination configured
- Load balancer configured for high availability
- DNS and domain configuration complete
kubectl run postgres-test --rm -i --restart=Never --image=postgres:14 -n namespace -- bash
psql -h databunkerpro-postgresql -U bunkeruser -d databunkerdb
kubectl exec -ti databunkerpro_pod_name -n namespace -- sh
/bin/busybox env
/bin/busybox cat /file-location
/bin/busybox cat /var/run/secrets/kubernetes.io/serviceaccount/wrapping-key/wrapping-key
Reset user related tables:
TRUNCATE TABLE users RESTART IDENTITY;
TRUNCATE TABLE userversions RESTART IDENTITY;
TRUNCATE TABLE userapps RESTART IDENTITY;
TRUNCATE TABLE userappversions RESTART IDENTITY;
TRUNCATE TABLE sharedrecords RESTART IDENTITY;
TRUNCATE TABLE audit RESTART IDENTITY;
TRUNCATE TABLE requests RESTART IDENTITY;
TRUNCATE TABLE agreements RESTART IDENTITY;
TRUNCATE TABLE sessions RESTART IDENTITY;
TRUNCATE TABLE usergroups RESTART IDENTITY;