Our photoprism-pro chart, hosted at charts.photoprism.app/photoprism, is compatible with Rancher and includes safe defaults for standalone installations. It can optionally be integrated with a PhotoPrism® Portal server for automated provisioning.
Features
- Runs the photoprism/pro image with non-root defaults (UID/GID 1000) and baseline security settings.
- Creates persistent volumes for originals (optional) and application storage with conservative 10 GiB / 5 GiB defaults that can be resized post-install.
- Supports either SQLite (default) or MariaDB/MySQL by overriding the database block.
- Optional LDAP and OIDC configuration mapped directly to PhotoPrism environment variables.
- Portal integration is opt-in; when enabled, the chart can consume the standard photoprism-cluster-secrets or user-defined secrets without hard-coding customer data.
Quick Start
helm repo add photoprism https://charts.photoprism.app/photoprism
helm repo update photoprism
helm upgrade --install photos photoprism/photoprism-pro \
--namespace photos --create-namespace
This deploys PhotoPrism with SQLite storage. To use MariaDB (recommended for production), supply the connection details:
helm upgrade --install photos photoprism/photoprism-pro \
--namespace photos \
--set database.driver=mysql \
--set database.server=mariadb.default.svc.cluster.local:3306 \
--set database.name=photoprism \
--set database.user=photoprism \
--set database.password=changeme
Persistence
- persistence.storage provides the writable application directory (/photoprism/storage).
- persistence.originals defaults to a PVC but can be replaced with NFS by enabling persistence.originals.nfs.
- The chart never assumes Longhorn; it honours your cluster default storage class unless overridden via persistence.storageClassName.
Optional Portal Integration
Set cluster.integration.enabled=true to populate cluster-specific environment variables:
cluster:
  integration:
    enabled: true
    secretName: photoprism-cluster-secrets # optional, defaults to this name
If the secret is not available, you may provide the values inline (domain, portalURL, joinToken, …). All secret references are marked optional so the chart remains usable without a Portal deployment.
Values Reference
See values.yaml for a complete list of configurable options. Common adjustments include:
- config.PHOTOPRISM_SITE_TITLE / config.PHOTOPRISM_SITE_DESCRIPTION
- config.PHOTOPRISM_PASSWORD_LENGTH, config.PHOTOPRISM_SESSION_*
- ldap.* and oidc.* blocks for enterprise authentication
- persistence.* for storage sizing or NFS mounting
Networking and TLS
The chart exposes PhotoPrism on TCP 2342 through a ClusterIP service. You can override the service type, or enable an Ingress resource when you terminate TLS at the cluster edge:
service:
  type: ClusterIP
  port: 2342
ingress:
  enabled: true
  className: traefik
  hosts:
    - host: photos.example.com
      paths:
        - path: /
          pathType: Prefix
  tls:
    - hosts:
        - photos.example.com
      secretName: photos-tls
Because TLS typically terminates at the ingress or proxy layer, the chart keeps PHOTOPRISM_DISABLE_TLS set to true. Only enable PhotoPrism’s internal TLS if your cluster design requires end-to-end encryption and you manage the certificates yourself.
Security Notes
- Admin passwords are generated on first install when adminPassword is empty and stored in the release secret (<release>-photoprism-secrets).
- When supplying custom database credentials, prefer Kubernetes secrets and keep values out of chart manifests.
- SQLite is suitable for quick tests; production deployments should use MariaDB/MySQL with regular backups.
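To check a deployed release against these notes, the following added example (not part of the chart or its documentation) audits workload JSON, as produced by kubectl get deploy,statefulset -n photos -o json, for containers that may run as root and for credential variables set as inline literals instead of secret references. The workload name, the secret key and the embedded sample are constructed for illustration, and the suffix list is an assumption.

```python
import json

# Assumed suffixes for credential variables; PHOTOPRISM_PASSWORD_LENGTH must not match.
SENSITIVE = ("_PASSWORD", "_TOKEN", "_SECRET")

# Constructed sample, not the chart's real output: shaped like the result of
# `kubectl get deploy,statefulset -n photos -o json` for a release named "photos".
SAMPLE = json.loads("""
{"kind": "List", "items": [{
  "kind": "Deployment", "metadata": {"name": "photos-photoprism-pro"},
  "spec": {"template": {"spec": {
    "securityContext": {"runAsUser": 1000, "runAsGroup": 1000},
    "containers": [{
      "name": "photoprism",
      "env": [
        {"name": "PHOTOPRISM_DISABLE_TLS", "value": "true"},
        {"name": "PHOTOPRISM_PASSWORD_LENGTH", "value": "8"},
        {"name": "PHOTOPRISM_DATABASE_PASSWORD", "value": "changeme"},
        {"name": "PHOTOPRISM_ADMIN_PASSWORD", "valueFrom": {"secretKeyRef":
          {"name": "photos-photoprism-secrets", "key": "admin-password"}}}
      ]}]}}}}]}
""")

def audit(doc):
    """Return findings for workloads that drift from the documented defaults."""
    findings = []
    for item in doc.get("items", [doc]):  # accept a List or a single object
        pod = item.get("spec", {}).get("template", {}).get("spec")
        if pod is None:
            continue  # not a workload (Service, Secret, ...)
        pod_sc = pod.get("securityContext") or {}
        for c in pod.get("containers", []):
            where = f'{item["kind"]}/{item["metadata"]["name"]}:{c["name"]}'
            # Container-level securityContext overrides the pod-level one.
            sc = {**pod_sc, **(c.get("securityContext") or {})}
            if sc.get("runAsUser", 0) == 0 and not sc.get("runAsNonRoot"):
                findings.append(f"{where}: may run as root")
            for env in c.get("env", []):
                # A literal "value" lands in the manifest; valueFrom does not.
                if env["name"].endswith(SENSITIVE) and env.get("value"):
                    findings.append(f"{where}: {env['name']} is an inline literal")
    return findings

if __name__ == "__main__":
    for line in audit(SAMPLE):
        print(line)
```

On the constructed sample, only the database password passed via --set is reported; the admin password is read from the release secret and passes.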
Getting Support
Commercial support is available with our Starter, Business, and Enterprise team plans:
PhotoPrism® Documentation
For more information on specific features, services and related resources, please refer to the other documentation available in our Knowledge Base and User Guide:
