BunkerWeb Kubernetes Helm Chart

Official Helm chart to deploy BunkerWeb on Kubernetes - A next-generation, open-source web application firewall (WAF) and reverse proxy.

Features

• Security First: Advanced threat protection with automatic rule updates
• High Availability: Support for DaemonSet and Deployment modes
• Monitoring: Built-in Prometheus metrics and Grafana dashboards
• Management UI: Web interface for configuration and monitoring
• Auto-scaling: Kubernetes-native scaling capabilities
• Secret Management: Integration with Kubernetes secrets

Prerequisites

• Kubernetes 1.19+
• Helm 3.8+
• PV provisioner support in the underlying infrastructure (for persistence)

Important: Please first refer to the BunkerWeb documentation, particularly the Kubernetes integration section.

Installation

Add Helm Repository

helm repo add bunkerweb https://repo.bunkerweb.io/charts
helm repo update

Install Chart

# Install with default values
helm install mybunkerweb bunkerweb/bunkerweb

# Install with custom values
helm install mybunkerweb bunkerweb/bunkerweb -f myvalues.yaml

# Install in specific namespace
helm install mybunkerweb bunkerweb/bunkerweb -n bunkerweb --create-namespace

Need help with configuration? Check out our Configuration Guide for detailed examples and best practices.

Architecture Components

Component	Description	Default State
BunkerWeb	Main WAF/reverse proxy	Required
Scheduler	Configuration management	Required
Controller	Kubernetes integration	Enabled
UI	Web management interface	Enabled
MariaDB	Database backend	Enabled
Redis	Caching and persistence	Enabled
Prometheus	Metrics collection	Disabled
Grafana	Monitoring dashboards	Disabled

Configuration

For detailed configuration options, see our comprehensive documentation:

Values Guide - Complete user guide
Values Reference - Quick technical reference
values.yaml - Source configuration file

Security Settings

settings:
  misc:
    # Custom DNS resolvers
    dnsResolvers: "1.1.1.1 8.8.8.8"
    # API whitelist for internal access
    apiWhitelistIp: "127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"

Kubernetes Integration

settings:
  kubernetes:
    # Namespaces to monitor (empty = all)
    namespaces: "default,production"
    # Custom ingress class
    ingressClass: "bunkerweb"
    # Cluster domain
    domainName: "cluster.local"

High Availability Setup

bunkerweb:
  kind: DaemonSet  # or "Deployment"
  replicas: 3      # Only for Deployment mode
  pdb:
    create: true
    minAvailable: 1

service:
  type: LoadBalancer
  externalTrafficPolicy: Local

Secret Management

settings:
  # Use existing secret for sensitive values
  existingSecret: "bunkerweb-secrets"
  # Or configure inline (less secure)
  ui:
    adminUsername: "admin"
    adminPassword: "secure-password"

Persistence

Storage Requirements

Component	Default Size	Purpose
MariaDB	5Gi	Configuration and logs
Redis	1Gi	Cache and banned IPs
UI Logs	5Gi	Access and error logs
Prometheus	8Gi	Metrics storage
Grafana	5Gi	Dashboards and config

Custom Storage Classes

mariadb:
  persistence:
    storageClass: "fast-ssd"
    size: 20Gi

redis:
  persistence:
    storageClass: "standard"
    size: 5Gi

Monitoring and Observability

Enable Monitoring Stack

scheduler:
  proLicenceKey: your-bunkerweb-licence-key
  usePrometheusExporter: true

prometheus:
  enabled: true
  persistence:
    enabled: true
    size: 20Gi

grafana:
  enabled: true
  adminUser: admin
  adminPassword: "your-secure-password"
  ingress:
    enabled: true
    hosts:
      - host: grafana.example.com

Custom Dashboards

The chart includes pre-configured Grafana dashboards for:

• BunkerWeb metrics and performance
• Request analytics and threat detection
• System health and resource usage

Security Considerations

1. Change Default Passwords: Always set custom passwords for UI and database
2. Use Secrets: Store sensitive data in Kubernetes secrets
3. Network Policies: Enable network policies for production environments
4. Resource Limits: Set appropriate CPU/memory limits
5. Pod Security: Review and adjust security contexts

Troubleshooting

Common Issues

BunkerWeb pods not starting:

kubectl logs -l app.kubernetes.io/name=bunkerweb -n bunkerweb

Database connection issues:

kubectl get pods -n bunkerweb
kubectl describe pod mariadb-<pod-name> -n bunkerweb

Ingress not working:

kubectl get ingress -n bunkerweb
kubectl describe ingressclass bunkerweb

Health Checks

All components include health checks:

• Liveness probes for automatic restart
• Readiness probes for traffic routing
• Custom healthcheck scripts

Upgrading

# Update repository
helm repo update bunkerweb

# Check available versions
helm search repo bunkerweb/bunkerweb --versions

# Upgrade to latest version
helm upgrade mybunkerweb bunkerweb/bunkerweb

# Upgrade with new values
helm upgrade mybunkerweb bunkerweb/bunkerweb -f new-values.yaml

Uninstallation

# Uninstall release
helm uninstall mybunkerweb -n bunkerweb

# Remove namespace (optional)
kubectl delete namespace bunkerweb

Note: PVCs are not automatically deleted and must be removed manually if needed.

Key Configuration Areas

• Global Settings: Common configuration across all components
• BunkerWeb: Main reverse proxy configuration
• UI: Web interface settings
• Database: MariaDB configuration
• Monitoring: Prometheus and Grafana setup
• Security: Network policies and access control

Quick Configuration Examples

See examples/ directory for complete configuration examples.

Support

• Documentation
• GitHub Issues
• Community Forum

License

This Helm chart is licensed under the same terms as BunkerWeb itself.