Kubernetes Installation (Helm)

Section: Installation | Article 07
Audience: IT Administrators, Platform Engineers
Last Updated: 2026-04-07


Overview

This article covers deploying RP-PAM to a Kubernetes cluster using Helm and the RP-PAM OCI Helm chart hosted on the Ravenphyre container registry. This deployment method is recommended for production environments that require high availability, auto-scaling, or integration with existing Kubernetes infrastructure.


Prerequisites

| Requirement | Details |
|---|---|
| Kubernetes | 1.27 or later (AKS, EKS, GKE, or self-managed) |
| Helm | 3.12 or later |
| kubectl | Configured to connect to your target cluster |
| Registry Credentials | Username and token for registry.ravenphyre.net |
| Database | An existing MSSQL or PostgreSQL instance accessible from the cluster |
| Redis | An existing Redis instance or plan to deploy one in-cluster |
| Storage | A StorageClass that supports ReadWriteOnce PersistentVolumeClaims |

Step 1 — Log In to the Helm OCI Registry

RP-PAM Helm charts are distributed as OCI artifacts from the Ravenphyre container registry.

Bash:

helm registry login registry.ravenphyre.net

Enter your registry username and token when prompted.

PowerShell:

helm registry login registry.ravenphyre.net

Tip: For CI/CD pipelines, pass credentials non-interactively:

echo "$RPPAM_REGISTRY_TOKEN" | helm registry login registry.ravenphyre.net \
    --username "$RPPAM_REGISTRY_USER" --password-stdin


Step 2 — Pull the Chart (Optional)

You can pull the chart locally to inspect its contents before installing.

Bash:

helm pull oci://registry.ravenphyre.net/rppam/rppam --version 1.0.0

This downloads rppam-1.0.0.tgz to your current directory.

Inspect the default values:

helm show values oci://registry.ravenphyre.net/rppam/rppam --version 1.0.0 > values-defaults.yaml

Step 3 — Create the Namespace

Bash:

kubectl create namespace rppam

PowerShell:

kubectl create namespace rppam

Step 4 — Create Secrets

RP-PAM requires several secrets for database credentials, encryption keys, and registry authentication.

Image Pull Secret

Create a secret so Kubernetes can pull the RP-PAM container image from the private registry.

Bash:

kubectl create secret docker-registry rppam-registry \
    --namespace rppam \
    --docker-server=registry.ravenphyre.net \
    --docker-username="$RPPAM_REGISTRY_USER" \
    --docker-password="$RPPAM_REGISTRY_TOKEN"

PowerShell:

kubectl create secret docker-registry rppam-registry `
    --namespace rppam `
    --docker-server=registry.ravenphyre.net `
    --docker-username="$env:RPPAM_REGISTRY_USER" `
    --docker-password="$env:RPPAM_REGISTRY_TOKEN"

Database Credentials Secret

Bash:

kubectl create secret generic rppam-db \
    --namespace rppam \
    --from-literal=host="your-db-server.example.com" \
    --from-literal=port="1433" \
    --from-literal=database="rppam" \
    --from-literal=username="rppam_write" \
    --from-literal=password='YourStr0ng!DbPassword#2026'

PowerShell:

kubectl create secret generic rppam-db `
    --namespace rppam `
    --from-literal=host="your-db-server.example.com" `
    --from-literal=port="1433" `
    --from-literal=database="rppam" `
    --from-literal=username="rppam_write" `
    --from-literal=password="YourStr0ng!DbPassword#2026"

Redis Credentials Secret (if authentication is enabled)

Bash:

kubectl create secret generic rppam-redis \
    --namespace rppam \
    --from-literal=host="your-redis.example.com" \
    --from-literal=port="6379" \
    --from-literal=password="YourRedisPassword"
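
The commands in this step pass passwords with --from-literal, which leaves them in shell history and in the kubectl argument list while the command runs. The following is an added example, not part of the RP-PAM documentation: it renders the same rppam-db Secret from a password read on stdin. The function names render_db_secret and apply_db_secret are assumptions, and it uses kubectl apply instead of kubectl create secret.

```bash
#!/usr/bin/env bash
# Added example: create the rppam-db Secret without exposing the password
# in shell history or in a process argument list.

# b64 VALUE: base64-encode VALUE on a single line (Secret "data" fields are base64).
b64() { printf '%s' "$1" | base64 | tr -d '\n'; }

# render_db_secret HOST PORT DATABASE USERNAME
# Reads the password as one line from stdin and prints a Secret manifest with
# the same name, namespace and keys as the kubectl command in Step 4.
render_db_secret() {
    local host="$1" port="$2" database="$3" username="$4" password=""
    IFS= read -r password || true
    [ -n "$password" ] || { echo "empty password on stdin" >&2; return 1; }
    cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: rppam-db
  namespace: rppam
type: Opaque
data:
  host: $(b64 "$host")
  port: $(b64 "$port")
  database: $(b64 "$database")
  username: $(b64 "$username")
  password: $(b64 "$password")
EOF
}

# apply_db_secret HOST PORT DATABASE USERNAME
# Prompts for the password without echo and pipes the manifest to kubectl.
# printf is a shell builtin, so the password is never an argument of a new process.
apply_db_secret() {
    local pw
    read -rs -p "Database password: " pw; echo >&2
    printf '%s\n' "$pw" | render_db_secret "$@" | kubectl apply -f -
}
```

Run it as: apply_db_secret your-db-server.example.com 1433 rppam rppam_write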

Step 5 — Create a Values File

Create a file named values-production.yaml with your deployment-specific settings:

# values-production.yaml

replicaCount: 2

image:
  repository: registry.ravenphyre.net/rppam/rppam
  tag: "1.0.0"
  pullPolicy: IfNotPresent

imagePullSecrets:
  - name: rppam-registry

service:
  type: ClusterIP
  port: 7101

ingress:
  enabled: true
  className: nginx
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
  hosts:
    - host: rppam.example.com
      paths:
        - path: /
          pathType: Prefix
  tls:
    - secretName: rppam-tls
      hosts:
        - rppam.example.com

database:
  existingSecret: rppam-db
  provider: mssql      # or "postgresql"

redis:
  existingSecret: rppam-redis

persistence:
  config:
    enabled: true
    size: 1Gi
    storageClass: ""    # uses default StorageClass
  keys:
    enabled: true
    size: 512Mi
    storageClass: ""
  logs:
    enabled: true
    size: 10Gi
    storageClass: ""

resources:
  requests:
    cpu: 500m
    memory: 1Gi
  limits:
    cpu: 2000m
    memory: 4Gi

nodeSelector: {}

tolerations: []

affinity:
  podAntiAffinity:
    preferredDuringSchedulingIgnoredDuringExecution:
      - weight: 100
        podAffinityTerm:
          labelSelector:
            matchExpressions:
              - key: app.kubernetes.io/name
                operator: In
                values:
                  - rppam
          topologyKey: kubernetes.io/hostname

Note: Adjust replicaCount, resources, ingress, and storageClass to match your cluster environment. See System Requirements for sizing guidance.


Step 6 — Install the Chart

Bash:

helm install rppam oci://registry.ravenphyre.net/rppam/rppam \
    --version 1.0.0 \
    --namespace rppam \
    --values values-production.yaml

PowerShell:

helm install rppam oci://registry.ravenphyre.net/rppam/rppam `
    --version 1.0.0 `
    --namespace rppam `
    --values values-production.yaml

Step 7 — Verify the Deployment

Check Pod Status

Bash:

kubectl get pods -n rppam -w

Wait until all pods show Running with READY 1/1:

NAME                     READY   STATUS    RESTARTS   AGE
rppam-6d8f9b7c4d-abc12   1/1     Running   0          45s
rppam-6d8f9b7c4d-def34   1/1     Running   0          45s

Check Services

kubectl get svc -n rppam

Check Ingress

kubectl get ingress -n rppam

Health Check

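If you configured an ingress (the -k and -SkipCertificateCheck options disable certificate verification; drop them once the ingress serves a trusted certificate):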

Bash:

curl -sk https://rppam.example.com/health | python3 -m json.tool

PowerShell:

Invoke-RestMethod -Uri "https://rppam.example.com/health" -SkipCertificateCheck

For a direct port-forward test without ingress:

kubectl port-forward -n rppam svc/rppam 7101:7101 &
sleep 2    # give the port-forward time to start listening
curl -sk https://localhost:7101/health | python3 -m json.tool
kill $!    # stop the background port-forward

Expected response:

{
    "status": "healthy",
    "version": "1.0.0",
    "uptime": "00:01:12"
}

Upgrading

To upgrade to a new version:

Bash:

helm upgrade rppam oci://registry.ravenphyre.net/rppam/rppam \
    --version 1.1.0 \
    --namespace rppam \
    --values values-production.yaml

PowerShell:

helm upgrade rppam oci://registry.ravenphyre.net/rppam/rppam `
    --version 1.1.0 `
    --namespace rppam `
    --values values-production.yaml

Uninstalling

helm uninstall rppam --namespace rppam

Note: This removes the Helm release and its Kubernetes resources but preserves PersistentVolumeClaims. To also remove persistent data, delete the PVCs manually:

kubectl delete pvc -n rppam --all


Troubleshooting

| Symptom | Cause | Resolution |
|---|---|---|
| Pods stuck in ImagePullBackOff | Registry credentials incorrect or missing | Verify the rppam-registry secret exists: kubectl get secret -n rppam rppam-registry |
| Pods stuck in CrashLoopBackOff | Configuration or database connection error | Check pod logs: kubectl logs -n rppam <pod-name> |
| Pods stuck in Pending | No nodes match resource requests or no PV available | Check events: kubectl describe pod -n rppam <pod-name> |
| Ingress returns 502 | Backend not ready or HTTPS backend protocol not set | Ensure nginx.ingress.kubernetes.io/backend-protocol: "HTTPS" is set in ingress annotations |
| Cannot connect to database | Network policy or firewall blocking egress | Verify the database is reachable from a test pod: kubectl run -it --rm debug --image=busybox -n rppam -- nslookup your-db-server.example.com |
| Helm install fails with "not logged in" | Helm registry session expired | Run helm registry login registry.ravenphyre.net again |

Next Steps


RP-PAM v1.0.0 — Copyright 2026 Ravenphyre. All rights reserved.