Skip to main content
This is a new deployment guide for combined helm chart chainloop-ee. If you want to see deployment guide for the previous helm chart chainloop-platform please refer to this documentation
This documentation is for the proprietary Chainloop Enterprise. If you are looking for the Open Source Evidence Store documentation, please refer to the Chainloop Evidence Store guide

Introduction

The Chainloop platform has two top-level components: Chainloop Evidence Store and Chainloop Platform. Both components are deployed using one unified Helm Chart called chainloop-ee (Chainloop Enterprise Edition). Once deployed, for example in an AWS Kubernetes cluster, it could look like this: Chainloop Platform

Retrieve Private OCI Registry credentials.

To pull the Helm Charts and container images you’ll need to authenticate with a private OCI registry managed. If you don’t have them yet, please contact the Chainloop team. Once you get the creds, you can give it a try by authenticating locally and pulling the latest version of both Helm Charts. 
# Authenticate locally
$ docker login -u [username] -p [creds] chainloop.azurecr.io
# Chainloop Enterprise Edition Chart
$ helm fetch oci://chainloop.azurecr.io/chart/chainloop-ee
$ ls chainloop-*
  chainloop-ee-0.326.0.tgz

Configure credentials for deployment

You have two options to consume the provided Helm Charts and container images in your Kubernetes cluster:

Option 1: Pull images and Chart directly from Private Azure Registry

To pull the images, you’ll need to store these credentials as a K8s secret in the cluster where you will deploy the Helm Charts. Later, they will be referenced in the Helm charts as imagePullSecrets. 
$ kubectl create secret docker-registry regcred-azure \
    --docker-server=https://chainloop.azurecr.io \
    --docker-username=[your-username] \
    --docker-password=[your credentials]

Option 2: Relocate Helm Chart and images to your own registry

Both charts are compatible with relocation processes performed by the Helm Relocation Plugin. This means that you can easily import the Helm Charts and Container images provided by the Chainloop team into your registry, even behind the firewall. This is a two-step process (wrap -> unwrap)
  • Pull all the container images and Helm chart and wrap them in an intermediate tarball.
  • If needed, transfer that tarball to your air-gap environment via an offline medium
  • Unwrap the tarball and push container images, update the Helm Chart with new image references, and push it to the target registry.
For example, to relocate from Azure to your own Harbor registry. 
helm dt wrap oci://chainloop.azurecr.io/chart/chainloop-ee

# 🎉  Helm chart wrapped into "chainloop-ee-0.326.0.wrap.tgz"
# Now you can take the tarball to an air-gapped environment and unwrap it like this

helm dt unwrap chainloop-ee-0.326.0.wrap.tgz oci://my-repo.harbor.io --yes

#  Unwrapping Helm chart "chainloop-ee-0.326.0.wrap.tgz"
#    ✔  All images pushed successfully
#    ✔  Helm chart successfully pushed
#
# 🎉  Helm chart unwrapped successfully: You can use it now by running "helm install oci://my-repo.harbor.io/chainloop-platform --generate-name"
The relocated Helm Charts will be ready to be used, pointing to the images also relocated to the end registry.

Deploy and Configure in Kubernetes

Step 1 - Deploy Platform Chart

Please refer to Chart Readme file that can be found on the chart tarball that can be pulled like this. 
helm fetch oci://chainloop.azurecr.io/chart/chainloop-ee
Next steps:
  • Do an end-to-end run of our getting started guide to test the platform
  • Optionally, configure the platform to enhance it with additional features following the steps below

Step 2 (optional) - Development mode

Do not use this mode for production environment. Please refer to guide how to setup Chainloop for production in charts README.md
This is an example of minimal configuration to run chainloop-ee chart in development mode. 
global:
  imagePullSecrets:
    - name: regcred-azure

development: true

ingress:
  enabled: true
  hostname: "chainloop.tst"
  ingressClassName: "nginx"
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
  tls: true

postgresql:
  enabled: true

dex:
  dex:
    # Point to the [controlplane http ingress]/auth/callback
    redirectURL: https://cp.chainloop.tst/auth/callback
    # Expose the dex instance to the outside world
    ingress:
      enabled: true
      tls: true
      hostname: "dex.chainloop.tst"
      ingressClassName: "nginx"
      annotations:
        cert-manager.io/cluster-issuer: letsencrypt-prod
Besides of chainloop components it will deploy:
  • PostgreSQL database.
  • Dex as authentication provider.
  • Hashicorp Vault instance running in development mode (unsealed, in-memory, insecure).
After deployment you can log in using these hardcoded credentials: 
username: [email protected]
password: password

Step 3 (optional) - Setup SMTP configuration

To enable email notifications, you need to configure the SMTP settings in the Chainloop Platform backend Helm chart values.yaml file like this:
Platform Chart values.yaml
backend:
  smtp:
    host: smtp.example.com # SMTP server hostname
    port: 587 # SMTP server port
    user: the-user # SMTP server username
    password: REDACTED # SMTP server password
    from: "Chainloop Notifications <[email protected]>" # From email address
Without this configuration, the Chainloop platform will not be able to send email notifications for events such as weekly summaries, or org invitations.

Step 4 (optional) - Configure users auto-onboarding

This step allows automatically onboarding users to specific organizations and user groups. Follow this guide to configure Chainloop Platform for auto-provisioning.

Step 5 (optional) - Restrict organization creation

This step allows restricting organization creation to specific users. Follow this guide to configure Chainloop Platform for restricting organization creation.

Step 6 (optional) - Configure Keyless attestation for GitLab

1 - Enable GitLab AuthN and AuthZ in backend

To support GitLab keyless attestation, the platform backend needs to be configured to authorize incoming tokens. This means allowing users to onboard GitLab repositories and authorizing the tokens against those repositories. Configure the GitLab OAuth2 application. Note that you’ll need to create one with read_api permissions in your GitLab instance:
Platform Chart values.yaml
backend:
    oauth2Providers:
        - id: gitlab # do not change this
          url: [your gitlab instance URL] # i.e https://gitlab.com or your self-hosted instance
          client_id: REDACTED
          client_secret: REDACTED
          type: ISSUER_TYPE_GITLAB # do not change this

Step 7 (optional) - Expose MCP server

To enable access to Chainloop Model Context Protocol (MCP) server, you need to update the Chainloop platform chart values.yaml to expose the MCP server through an ingress, like any other resource
Platform Chart values.yaml
backend:
  mcpIngress:
    enabled: true
    hostname: [your-mcp-hostname]
    tls: true
This will expose the MCP server at https://[your-mcp-hostname]/sse for example https://mcp.app.chainloop.dev/sse

Step 8 (optional) - Configure Keyless attestation for GitHub

1 - Enable GitHub AuthN and AuthZ in backend

To support GitHub keyless attestation, the platform backend needs to be configured to authorize incoming tokens. This means allowing users to onboard GitHub repositories via a GitHub App and authorizing the tokens against those repositories. Configure backend.githubApp for repo onboarding. You’ll need to create a GitHub App with metadata repository permission:
Platform Chart values.yaml
backend:
  # GitHub App configuration for repo onboarding
  # Requires creating a GitHub App with metadata repository permission
  github_app:
    app_id: 123456
    private_key: |
      -----BEGIN RSA PRIVATE KEY-----
      ...
      -----END RSA PRIVATE KEY-----
    app_slug: my-chainloop-app      # The slug from the GitHub App's public URL
    base_url: https://github.com    # Optional, defaults to https://github.com. Set for GHES.