Installation
Install Magos on Kubernetes using the official Helm chart.
Under Development:
Magos is currently in active development. The chart values and distribution URL may change before the first stable release. Follow our GitHub organization for release announcements.
Magos is distributed as a Helm chart and is intended to run inside a Kubernetes cluster.
Prerequisites
- A Kubernetes cluster running v1.28 or newer.
kubectlconfigured to reach that cluster.- Helm v3.
- Cluster-admin permission for the install (Magos creates
ClusterRoleandCustomResourceDefinitionresources). - cert-manager v1+ installed in the cluster if you plan to use the chart's self-signed TLS option (the default for the Ingress and on-pod TLS paths). Skip this if you bring your own TLS Secret.
Install with Helm
helm install magos \
oci://ghcr.io/magosproject/magos/charts/magos \
--namespace magos-system \
--create-namespace
The default install brings up the API server, the UI, all five controllers (workspace, project, rollout, variableset, refwatcher), an embedded Postgres StatefulSet, and an embedded RustFS deployment for log storage. No additional configuration is required to get a working cluster.
Verify the workloads are ready:
kubectl -n magos-system get pods
You should see one Pod per controller plus the API, UI, Postgres, and RustFS Pods in the Running state.
Upgrade
helm upgrade --install magos \
oci://ghcr.io/magosproject/magos/charts/magos \
--namespace magos-system
Uninstall
helm uninstall magos --namespace magos-system
The chart leaves the CustomResourceDefinitions and the runtime data (Postgres volume, RustFS PVC) in place by design, so an accidental uninstall does not destroy your run history. Clean those up explicitly if you want a fresh slate.
Configuration
Render the default values to a file, edit, and reinstall:
helm show values oci://ghcr.io/magosproject/magos/charts/magos > values.yaml
helm upgrade --install magos \
oci://ghcr.io/magosproject/magos/charts/magos \
--namespace magos-system \
-f values.yaml
A few values worth knowing about:
-
policy.kyverno.installCRDcontrols whether the chart ships thepolicies.kyverno.io/v1ValidatingPolicyCRD itself. Leave ittrueon clusters that do not have Kyverno installed; set it tofalseon clusters that do, so Magos does not collide with Kyverno's own CRD lifecycle. -
auth.*configures OIDC login for the UI and API. This is where you set the issuer URL, client ID, redirect URL, claim mapping, and Secret references for the client secret and session secret. See OpenID Connect. -
postgres.modeselects betweenembedded(default) andexternal. In embedded mode the chart deploys a Postgres 16 StatefulSet and auto-generates a random password on first install, preserving it across upgrades via Helm'slookup. To use your own PostgreSQL instance, setpostgres.mode=externaland supplypostgres.external.host,postgres.external.port,postgres.external.database,postgres.external.username, andpostgres.external.secret.name. The Secret must contain the password under the key named bypostgres.external.secret.passwordKey(defaults topassword). -
logs.storage.modefollows the same pattern. In embedded mode the chart deploys RustFS, an S3-compatible object store, and auto-generates credentials. To use your own S3-compatible endpoint, setlogs.storage.mode=externalalong withlogs.storage.external.endpointandlogs.storage.external.secret.name. The Secret must contain the access key and secret key under the keys named bylogs.storage.external.secret.accessKeyKeyandlogs.storage.external.secret.secretKeyKey(both default toaccessKeyandsecretKeyrespectively). -
ui.host,ui.ingress.enabled,ui.ingress.tls.selfSignedCert, andui.ingress.tls.secretNamecontrol how the UI (and API) are exposed to clients. See the next section for details.
Exposing the UI and API
The UI's nginx reverse proxy forwards all requests under /apis/* to the API Service in-cluster. This means a single Ingress aimed at the UI Service covers both the UI and the API. Clients reach the API at <host>/apis/v1/... through the same front door used for the UI.
Default (no Ingress)
Without an Ingress, the UI Service is a ClusterIP. Use a port-forward for local access:
kubectl -n magos-system port-forward svc/magos-ui 8080:80
Then open http://localhost:8080.
Ingress with a self-signed cert
Set ui.ingress.enabled=true and ui.host to your chosen hostname. With the default ui.ingress.tls.selfSignedCert=true, the chart renders a cert-manager Certificate resource issued by a chart-managed magos-selfsigned-cert-issuer. cert-manager must be installed in the cluster.
ui:
host: magos.example.com
ingress:
enabled: true
ingressClassName: nginx
Once DNS for magos.example.com resolves to your Ingress controller, browse to https://magos.example.com. API calls hit https://magos.example.com/apis/v1/....
Ingress with a BYO TLS Secret
If you manage your own certificate, set ui.ingress.tls.selfSignedCert=false and point ui.ingress.tls.secretName at a Secret you have created in the magos-system namespace:
ui:
host: magos.example.com
ingress:
enabled: true
ingressClassName: nginx
tls:
selfSignedCert: false
secretName: your-tls-secret
No cert-manager resources are rendered in this case.
On-pod TLS without an Ingress
For clusters without an Ingress controller, set ui.tls.enabled=true. The UI nginx configuration adds a listen 443 ssl server block fed from the Secret named by ui.tls.secretName. With ui.tls.selfSignedCert=true the chart generates the certificate via cert-manager, same as the Ingress path.
Production example
The following values file connects Magos to an external Postgres database and an external S3-compatible object store, and exposes the front door through an Ingress with a BYO TLS certificate:
ui:
host: magos.example.com
ingress:
enabled: true
ingressClassName: nginx
tls:
enabled: true
selfSignedCert: false
secretName: magos-ui-cert
postgres:
mode: external
external:
host: postgres.internal.example.com
port: 5432
database: magos
username: magos
secret:
name: magos-postgres
passwordKey: password
sslMode: require
logs:
storage:
mode: external
external:
endpoint: https://s3.internal.example.com
secret:
name: magos-s3
accessKeyKey: accessKey
secretKeyKey: secretKey
This configuration connects Magos to a PostgreSQL instance at postgres.internal.example.com using the password from a pre-existing Secret named magos-postgres. Log storage uses an S3-compatible endpoint at s3.internal.example.com, with credentials from a Secret named magos-s3. The UI and API are reachable at https://magos.example.com through an nginx Ingress, with TLS terminated at the Ingress controller using the Secret magos-ui-cert.
If you enable OIDC login, make sure users access the UI through the same hostname you register with your identity provider, because the callback URL is served by Magos at /auth/callback.
Next steps
Continue with the Quickstart to create your first Project and Workspace.