A Helm chart for deploying Snappass — a zero-knowledge, one-time secret sharing app. Originally forked from Pinterest's Snappass, this version encrypts and decrypts entirely in the browser (AES-256-GCM via Web Crypto API). The server never sees plaintext.
Snappass is a secure password sharing tool that automatically expires shared secrets after a specified time. This Helm chart provides a production-ready deployment of Snappass on Kubernetes, including:
- Built-in Valkey backend (Redis-compatible, optional)
- Support for external Valkey/Redis servers
- Ingress support
- Security hardening
- Horizontal Pod Autoscaling
- Health checks and monitoring
- Kubernetes 1.21+
- Helm 3.x
- Ingress controller (optional, but recommended)
# Add the helm repository
helm repo add snappass https://lmacka.github.io/helm-snappass/
helm repo update
# Install with default configuration
helm install snappass snappass/snappassFor a basic installation with ingress enabled:
ingress:
enabled: true
className: "nginx"
hosts:
- host: snappass.yourdomain.com
paths:
- path: /
pathType: PrefixFor a production setup with TLS and resource limits:
ingress:
enabled: true
className: "nginx"
annotations:
cert-manager.io/cluster-issuer: "letsencrypt-prod"
hosts:
- host: snappass.yourdomain.com
paths:
- path: /
pathType: Prefix
tls:
- secretName: snappass-tls
hosts:
- snappass.yourdomain.com
resources:
requests:
cpu: 100m
memory: 128Mi
limits:
cpu: 200m
memory: 256Mi
valkey:
enabled: true
storage:
requestedSize: 100Mi
haMode:
enabled: false # Set to true for high availability| Parameter | Description | Default |
|---|---|---|
replicaCount |
Number of Snappass replicas | 1 |
image.repository |
Snappass image repository | lmacka/snappass |
image.tag |
Snappass image tag (defaults to appVersion) | "" |
image.pullPolicy |
Image pull policy | IfNotPresent |
| Parameter | Description | Default |
|---|---|---|
valkey.enabled |
Deploy Valkey as part of the release | true |
valkey.haMode.enabled |
Enable high availability mode | false |
valkey.haMode.replicas |
Number of replicas in HA mode | 1 |
valkey.storage.requestedSize |
Storage size for persistence (empty = emptyDir, no PVC) | "" |
valkey.valkeyConfig |
Valkey configuration overrides | save "" (persistence disabled) |
externalValkey.host |
External Valkey/Redis host (if valkey.enabled=false) | "" |
externalValkey.port |
External Valkey/Redis port | 6379 |
| Parameter | Description | Default |
|---|---|---|
ingress.enabled |
Enable ingress | false |
ingress.className |
Ingress class name | "" |
ingress.hosts |
Array of host configurations | [] |
ingress.tls |
TLS configuration | [] |
The chart implements several security best practices:
- Non-root container execution
- ReadOnly root filesystem
- Dropped capabilities
- Resource limits
- Network policies (optional)
The deployment includes readiness and liveness probes configured for the Snappass service. Default probe settings can be adjusted through values.yaml.
To remove the deployment:
helm uninstall snappassContributions are welcome! Submit a Pull Request against the main branch.
Patch releases are automated. When snappass cuts a release, it dispatches to this repo which auto-bumps appVersion and the chart patch version in Chart.yaml, then pushes to main. The chart-releaser action packages and publishes the new chart.
Minor or major chart releases require a manual version bump:
- Update
version(andappVersionif needed) incharts/snappass/Chart.yaml - Update the
artifacthub.io/imagesandartifacthub.io/changesannotations - Merge to
main— chart-releaser handles the rest
This project is licensed under the MIT License - see the LICENSE file for details.