Helm / Kubernetes

Deploy Marmot to your Kubernetes cluster using our official Helm chart.

Quick Start

1

Add the Helm repository

helm repo add marmotdata https://marmotdata.github.io/charts
helm repo update

2

Install Marmot

helm install marmot marmotdata/marmot

3

Access the UI

Port-forward to access the dashboard:

kubectl port-forward svc/marmot 8080:8080

Open http://localhost:8080 in your browser.

Default Credentials

The default username and password is admin:admin. Change this after your first login.

---

Database Configuration

Marmot requires PostgreSQL. Choose one of the following options:

External PostgreSQLEmbedded PostgreSQL

Connect Marmot to your existing PostgreSQL database:

config:
  database:
    host: postgres.example.com
    port: 5432
    user: marmot
    passwordSecretRef:
      name: marmot-db-secret
      key: password
    name: marmot
    sslmode: require

For development and testing, enable the embedded PostgreSQL:

helm install marmot marmotdata/marmot \
  --set postgresql.enabled=true

---

Encryption Key

Marmot encrypts sensitive pipeline credentials at rest. You must configure an encryption key.

Auto-GeneratedBring Your OwnDisable (Dev Only)

The Helm chart can auto-generate an encryption key for you (enabled by default):

config:
  server:
    autoGenerateEncryptionKey: true

Back Up Your Key

If the generated secret is deleted, you'll lose access to encrypted credentials. Back it up immediately after installation.

Retrieve the auto-generated key:

kubectl get secret <release-name>-marmot-encryption-key \
  -o jsonpath='{.data.encryption-key}' | base64 -d

1

Generate an encryption key

marmot generate-encryption-key
# or
openssl rand -base64 32

2

Create a Kubernetes secret

kubectl create secret generic marmot-encryption \
  --from-literal=encryption-key="your-generated-key"

3

Configure the Helm chart

config:
  server:
    autoGenerateEncryptionKey: false
    encryptionKeySecretRef:
      name: marmot-encryption
      key: encryption-key

For local development only, you can disable encryption entirely:

config:
  server:
    autoGenerateEncryptionKey: false
    allowUnencrypted: true

Security Risk

This stores all credentials in plaintext. Never use this in production.

---

Reference

For all available configuration options, view the chart's defaults:

helm show values marmotdata/marmot

Or browse the values.yaml on GitHub.

Next Steps

Add Data with Plugins

Automatically discover assets from your data sources

Configure Authentication

Set up SSO with GitHub, Google, Okta and more