Run Signal Desktop in your cluster with browser access and persistent storage
Deploys Signal Desktop in Kubernetes with:
- Browser-based VNC access (no client needed)
- Persistent storage (conversations survive pod restarts)
- Integration with your existing infrastructure (OAuth2, ingress, cert-manager)
Install K3d:
curl -s https://raw.githubusercontent.com/k3d-io/k3d/main/install.sh | bashCreate a cluster:
k3d cluster createInstall the chart:
helm install ghostwire oci://ghcr.io/drengskapur/charts/ghostwire --version 0.0.0-latest --create-namespace -n ghostwireWait for the pod to be ready:
kubectl wait --for=condition=ready pod -l app.kubernetes.io/name=ghostwire -n ghostwire --timeout=300sPort-forward the service:
kubectl port-forward -n ghostwire svc/ghostwire 6901:6901Open in browser:
http://localhost:6901?keyboard=1
Note: VNC authentication is disabled by default. For production use, configure ingress with OAuth2 instead of port-forwarding. See Chart README.
Most VNC-in-Kubernetes solutions bundle their own authentication, TLS termination, and security controls. This creates redundant configuration and conflicts with platform-level security tools.
Ghostwire takes a different approach: delegate infrastructure concerns to infrastructure.
What we don't include:
- Built-in authentication (use OAuth2-proxy or similar)
- Built-in TLS (use cert-manager)
- Custom ingress configuration (use your existing ingress controller)
What we do well:
- Run Signal Desktop reliably in a container
- Persist your data correctly (StatefulSet + PVC)
- Expose VNC via standard Service
- Stay out of your infrastructure's way
This means less configuration overlap and easier integration with tools you already use.
architecture-beta
group internet(cloud)[Internet]
group cloud(cloud)[Cloud Provider]
group k8s(cloud)[Kubernetes Cluster] in cloud
group ns_infra(cloud)[Ingress Namespace] in k8s
group ns_app(cloud)[App Namespace] in k8s
service user(internet)[User] in internet
service lb(internet)[Load Balancer] in cloud
service ingress(server)[NGINX Ingress] in ns_infra
service oauth(server)[OAuth2 Proxy] in ns_infra
service svc(server)[Service] in ns_app
service pod(server)[Pod] in ns_app
service pv(disk)[PV] in cloud
service pvc(disk)[PVC] in ns_app
user:R -- L:lb
lb:R -- L:ingress
ingress:R -- L:oauth
oauth:R -- L:svc
svc:R -- L:pod
pod:B -- T:pvc
pvc:B -- T:pv
Clean separation: the chart handles the application runtime, your platform handles everything else.
The chart exposes 60+ Helm values. Key parameters:
| Parameter | Default | Description |
|---|---|---|
persistence.size |
10Gi |
Signal data volume size |
resources.limits.memory |
4Gi |
Memory limit |
resources.requests.cpu |
500m |
CPU request |
image.tag |
1.18.0-rolling-daily |
Signal Desktop version |
See values.yaml for complete options and values.schema.json for validation.
- Chart README - Installation guide and configuration reference
- Container Architecture - How the runtime works
- Deployment Strategies - StatefulSet design and rollout behavior
- Infrastructure Integration - Patterns for OAuth2, ingress, cert-manager
- Testing Strategy - Testing approach and quality assurance
- Fuzzing Strategy - Property-based testing and fuzzing approach
- OpenSSF Best Practices Guide - Security badge application guide
- Code Review Strategy - Single-maintainer approach and co-maintainer call
Looking for Co-Maintainers! This project is actively seeking additional maintainers to help with code review, issue triage, and feature development. If you're interested, please see Code Review Strategy and reach out via GitHub Discussions.
Contributions welcome. See CONTRIBUTING.md for:
- Development environment setup
- Testing requirements
- Commit message conventions
- Pull request guidelines
- This Helm chart: Apache License 2.0 (LICENSE)
- Signal Desktop: AGPLv3 (Signal Messenger LLC)
- Kasm container images: MIT License (Kasm Technologies Inc)
See NOTICE for third-party software attributions.
Important: Signal Messenger LLC and Kasm Technologies Inc do not endorse or support this project.
- Signal Desktop - Encrypted messaging application
- Kasm Workspaces - Containerized desktop streaming
- KasmVNC - VNC server with HTML5 client
- XFCE - Lightweight desktop environment
- Documentation: chart/README.md
- Bug Reports: GitHub Issues
- Questions: GitHub Discussions