Helm / Kubernetes

Deploy Marmot to your Kubernetes cluster using our official Helm chart.

Quick Start

Add the Helm repository

helm repo add marmotdata https://marmotdata.github.io/charts
helm repo update

Install Marmot

helm install marmot marmotdata/marmot

Access the UI

Port-forward to access the dashboard:

kubectl port-forward svc/marmot 8080:8080

Open http://localhost:8080 in your browser.

Default Credentials

The default username and password is admin:admin. Change this after your first login.

Database Configuration

Marmot requires PostgreSQL. Choose one of the following options:

External PostgreSQL Embedded PostgreSQL CloudNativePG

Connect Marmot to your existing PostgreSQL database:

config:
  database:
    host: postgres.example.com
    port: 5432
    user: marmot
    passwordSecretRef:
      name: marmot-db-secret
      key: password
    name: marmot
    sslmode: require

For production Kubernetes deployments, CloudNativePG provides a robust PostgreSQL operator with automatic failover, read replicas and connection pooling.

Install the CloudNativePG operator

Follow the CloudNativePG installation guide to install the operator. The quickest method:

kubectl apply --server-side -f \
  https://raw.githubusercontent.com/cloudnative-pg/cloudnative-pg/main/releases/cnpg-1.25.1.yaml

Configure and install Marmot with CNPG

# values.yaml
cnpg:
  enabled: true
  instances: 3  # 1 primary + 2 read replicas
  password: "your-secure-password"

  parameters:
    shared_buffers: "256MB"
    work_mem: "64MB"
    effective_cache_size: "1GB"

  persistence:
    size: "10Gi"

  pooler:
    enabled: true
    instances: 2
    poolMode: "transaction"

helm install marmot marmotdata/marmot -f values.yaml

Verify the cluster is ready

kubectl get clusters
kubectl get pods -l cnpg.io/cluster=marmot-cnpg

All pods should show Running status with the primary indicated by the -1 suffix.

Encryption Key

Marmot encrypts sensitive pipeline credentials at rest. You must configure an encryption key.

Auto-Generated Bring Your Own Disable (Dev Only)

The Helm chart can auto-generate an encryption key for you (enabled by default):

config:
  server:
    autoGenerateEncryptionKey: true

Back Up Your Key

If the generated secret is deleted, you'll lose access to encrypted credentials. Back it up immediately after installation.

Retrieve the auto-generated key:

kubectl get secret <release-name>-marmot-encryption-key \
  -o jsonpath='{.data.encryption-key}' | base64 -d

Generate an encryption key

marmot generate-encryption-key
# or
openssl rand -base64 32

Create a Kubernetes secret

kubectl create secret generic marmot-encryption \
  --from-literal=encryption-key="your-generated-key"

Configure the Helm chart

config:
  server:
    autoGenerateEncryptionKey: false
    encryptionKeySecretRef:
      name: marmot-encryption
      key: encryption-key

For local development only, you can disable encryption entirely:

config:
  server:
    autoGenerateEncryptionKey: false
    allowUnencrypted: true

Security Risk

This stores all credentials in plaintext. Never use this in production.

Reference

For all available configuration options, view the chart's defaults:

helm show values marmotdata/marmot

Or browse the values.yaml on GitHub.

Next Steps

Add Data with Plugins

Automatically discover assets from your data sources

Configure Authentication

Set up SSO with GitHub, Google, Okta and more

Quick Start​