Quick start
Deploy Scalekit on Kubernetes in minutes using bundled databases and a single values.yaml file.
Get Scalekit running on Kubernetes quickly through the Scalekit distribution portal. This guide uses bundled PostgreSQL and Redis and auto-creates Kubernetes secrets from your values.yaml — no external databases or kubectl secret commands needed.
Before you start
Section titled “Before you start”| Requirement | Notes |
|---|---|
kubectl 1.27+ | Configured against your target cluster |
| Helm 3.12+ | Run helm version to verify |
| Domain | Subdomains app.<domain> and auth.<domain> must resolve to your cluster |
| Gateway class | A GatewayClass must be installed on your cluster |
| TLS certificate | Attached via a gateway annotation (GCP cert map, cert-manager, etc.) |
| SMTP credentials | Any provider; Postmark and SendGrid have first-class support |
| Registry token | From the Scalekit distribution portal — see step 1 |
openssl and python3 | To generate webhook credentials in step 2 |
-
Get a registry token
Section titled “Get a registry token”Log in to the Scalekit distribution portal and create a Personal Access Token. This token authenticates your cluster to pull Scalekit images from
ar.scalekit.cloud.Copy the token — it is shown only once.
-
Generate webhook credentials
Section titled “Generate webhook credentials”Run these commands to produce a JWT secret and a signed API token. Copy both output lines — you will paste them into
values.yamlin the next step.Terminal window export JWT_SECRET=$(openssl rand -base64 32)echo "jwtSecret: $JWT_SECRET"python3 << 'EOF'import base64, hashlib, hmac as _hmac, json, os, secrets, string, timesecret = os.environ['JWT_SECRET']chars = string.ascii_letters + string.digitssub = 'org_' + ''.join(secrets.choice(chars) for _ in range(22))now = int(time.time())exp = now + 315360000h = base64.urlsafe_b64encode(json.dumps({'alg':'HS256','typ':'JWT'}, separators=(',',':')).encode()).rstrip(b'=').decode()p = base64.urlsafe_b64encode(json.dumps({'iat':now,'exp':exp,'nbf':now,'iss':'svix-server','sub':sub}, separators=(',',':')).encode()).rstrip(b'=').decode()msg = f'{h}.{p}'sig = base64.urlsafe_b64encode(_hmac.new(secret.encode(), msg.encode(), hashlib.sha256).digest()).rstrip(b'=').decode()print(f'apiToken: {msg}.{sig}')EOFThe output looks like:
jwtSecret: aB3cD4eF5gH6...apiToken: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9... -
Create values.yaml
Section titled “Create values.yaml”Create a
values.yamlfile using the template below. Replace each placeholder with your actual value.values.yaml scalekit:config:app:domain: "<your-domain>" # e.g. scalekit.example.com — no scheme or trailing slashseedData:adminUser:firstName: "<firstname>"lastName: "<lastname>"email: "<admin-email>"emailServer:settings:fromEmail: "hi@<your-domain>"fromName: "Team <Your Company>"host: "<smtp-host>"port: <smtp-port>username: "<smtp-username>"postgresql:enabled: trueredis:enabled: truesecrets:create: truesvix:jwtSecret: "<jwtSecret from step 2>"apiToken: "<apiToken from step 2>"registry:password: "<registry token from step 1>"gateway:enabled: trueprovider: "<provider>" # gcp for GKE; other for all other clustersclassName: "<gateway-class-name>" # e.g. gke-l7-global-external-managedannotations:<annotation-key>: "<annotation-value>" # e.g. networking.gke.io/certmap: your-cert-mapredirectToHttps: truehealthCheckPolicy:enabled: true # GKE only — set false for other providersField Description domainBase domain. The chart derives app.<domain>andauth.<domain>from this.adminUserFirst admin account created on first boot. Use this to log in to the dashboard. emailServerSMTP settings for transactional email (invites, magic links, verification codes). The password is provided separately via secrets.registry.password— see full configuration for details.secrets.createWhen true, the chart creates all required Kubernetes secrets from the values below.secrets.svixWebhook service credentials generated in step 2. secrets.registry.passwordRegistry access token from step 1. gateway.providerSet to gcpfor GKE to enable GKE-specific resources. Leave empty for all other providers.gateway.classNameThe GatewayClass installed on your cluster. gateway.annotationsAttach a TLS certificate via your provider’s annotation. -
Create a deployment in the portal
Section titled “Create a deployment in the portal”Deployments are managed through the Scalekit distribution portal.
Create the namespace on your cluster first:
Terminal window kubectl create namespace <namespace>Then, in the portal:
- In the left sidebar, click Deployments, then + New Deployment
- Select Scalekit Onprem and click Continue
- Set a Deployment Name (
scalekitis recommended) and enter the Kubernetes Namespace you just created - Leave Enable cluster-scoped permissions checked and click Continue
- Select the Version you want to install
- Under Helm values, paste the full contents of your
values.yaml - Click Create Deployment
The portal shows a Deployment Created Successfully screen with a
kubectl applycommand. Click Copy Command and run it on your cluster:Terminal window kubectl apply -n <namespace> -f "<portal-provided-url>"This connects your cluster to the portal, which then installs the Helm chart and runs database migrations.
-
Update DNS
Section titled “Update DNS”Once the gateway is provisioned, get its external IP:
Terminal window kubectl get gateway -n scalekitCopy the address from the
ADDRESScolumn. In your DNS provider, create a wildcardArecord:*.<your-domain> → <gateway-external-ip>DNS propagation can take a few minutes. Verify with:
Terminal window dig app.<your-domain> -
Verify
Section titled “Verify”Terminal window kubectl get pods -n scalekitAll pods should show
Running. Openhttps://app.<your-domain>in a browser and sign in with the admin email you set invalues.yaml.
Next steps
Section titled “Next steps”- Ready for production? Switch to external databases and full secret management — follow the installation guide.
- Review every configuration field in the configuration reference.
- Learn how to upgrade and maintain your deployment in upgrades & maintenance.