Install DevOps Secrets Safe on the Server

To install DevOps Secrets Safe, review the prerequisites, and then run the install script, as detailed below. Instructions to upgrade and uninstall are also noted below.


  1. Kubernetes cluster with version 1.14, 1.15, 1.16, 1.17. 1.18, 1.19, or 1.20 must be available to host the deployment.
  2. Install kubectl and configure to allow full permissions to the cluster. The version of kubectl must be within one minor version of the cluster (above or below).
  3. Install Helm v3 and initialize with the appropriate Role-Based Access Control (RBAC).
  4. In order for the application to be reachable, configure an NGINX ingress controller in the cluster.
  5. Provide BeyondTrust the DockerHub username of the installing user, for them to be given permission to pull the required images.

As a reference deployment, DevOps Secrets Safe has been tested on a three-node Kubernetes cluster, each with a minimum of 7GB of RAM.

For more information, please see the following:

Supported Databases

The following information provides details on supported database providers and any privileges required by the DevOps Secrets Safe database user.


DevOps Secrets Safe currently supports Postgres 11+.

Minimum version: 11

The user specified in the DevOps Secrets Safe database connection string requires special privileges:

  • CREATEDB (Unless the initial run of DevOps Secrets Safe points to a pre-existing database)
  • CREATE (On the database DevOps Secrets Safe uses)

Installation Instructions

The script is a bash entry point that installs DevOps Secrets Safe through a series of kubectl calls and then a helm install call. Values in the file values.yml within the helm chart are the defaults for the install. The script itself can be supplied with values through arguments or environment variables, or interactively. Values passed by arguments override any other form, then environment variables are accepted, and finally, mandatory values not specified otherwise are requested interactively.

To see a list of accepted parameters, run the install script with the --help parameter.

./ --help

If an installation does not complete successfully, run the uninstaller before running the installer again.

Install DevOps Secrets Safe using a postgreSQL database:
./ --docker-hub-username docker-user --docker-hub-password dockerpass --docker-hub-email --database-type postgres --connection-string ';Database=secrets-safe;Port=5432;User Id=postgresql-user@secretssafe;Password=postgresql-password;Ssl Mode=Require;'
Install DevOps Secrets Safe using a Microsoft SQL Server database:
./ --docker-hub-username docker-user --docker-hub-password dockerpass --docker-hub-email --database-type mssql --connection-string' Server=;Database=secrets-safe;User Id=sqluser;Password=sqlpass;'

Once the application is installed, a means to access it is also required. Currently, DevOps Secrets Safe is compatible with the NGINX Ingress controller.

Upgrade Instructions

To upgrade an existing DevOps Secrets Safe installation from a cluster, run the install script with the --upgrade parameter. This preserves all custom values entered for the release. Additional value overrides can be specified during the upgrade either with additional parameters or by modifying the values file prior to upgrade and specifying the --values-from-file flag.

./ --upgrade

Install with a Certificate

Please see the file for instructions on how to mount a custom certificate in a Secrets Safe installation.

Uninstall Instructions

To remove a DevOps Secrets Safe installation from a cluster, run the uninstall script. The uninstall script removes all DSS data, containers, secrets, etc. from the cluster. This does not include removing the database.