Run Signal Desktop in your cluster with browser access and persistent storage
Deploys Signal Desktop in Kubernetes with:
- Browser-based VNC access (no client needed)
- Persistent storage (conversations survive pod restarts)
- Integration with your existing infrastructure (OAuth2, ingress, cert-manager)
Install the chart:
helm install ghostwire oci://ghcr.io/drengskapur/charts/ghostwire --version 1.0.0 --create-namespace -n ghostwireAccess via port-forward:
kubectl port-forward -n ghostwire svc/ghostwire 6901:6901Open in browser:
http://localhost:6901?keyboard=1
Note: VNC authentication is disabled by default. For production use, configure ingress with OAuth2 instead of port-forwarding. See Chart README.
Most VNC-in-Kubernetes solutions bundle their own authentication, TLS termination, and security controls. This creates redundant configuration and conflicts with platform-level security tools.
Ghostwire takes a different approach: delegate infrastructure concerns to infrastructure.
What we don't include:
- Built-in authentication (use OAuth2-proxy or similar)
- Built-in TLS (use cert-manager)
- Custom ingress configuration (use your existing ingress controller)
What we do well:
- Run Signal Desktop reliably in a container
- Persist your data correctly (StatefulSet + PVC)
- Expose VNC via standard Service
- Stay out of your infrastructure's way
This means less configuration overlap and easier integration with tools you already use.
%%{init: {'theme':'base', 'themeVariables': { 'primaryColor':'#000','primaryTextColor':'#fff','primaryBorderColor':'#fff','lineColor':'#fff','secondaryColor':'#000','tertiaryColor':'#000'}}}%%
graph LR
subgraph Infrastructure ["Your Infrastructure"]
direction LR
I1[Ingress]
I2[OAuth2]
I3[TLS]
I4[Network Policy]
end
subgraph Ghostwire ["Ghostwire"]
direction LR
G1[Signal Desktop]
G2[VNC]
G3[Storage]
end
Infrastructure --> Ghostwire
Clean separation: the chart handles the application runtime, your platform handles everything else.
The chart exposes 60+ Helm values. Key parameters:
| Parameter | Default | Description |
|---|---|---|
persistence.size |
10Gi |
Signal data volume size |
resources.limits.memory |
4Gi |
Memory limit |
resources.requests.cpu |
500m |
CPU request |
image.tag |
1.18.0-rolling-daily |
Signal Desktop version |
See values.yaml for complete options and values.schema.json for validation.
- Chart README - Installation guide and configuration reference
- Container Architecture - How the runtime works
- Deployment Strategies - StatefulSet design and rollout behavior
- Infrastructure Integration - Patterns for OAuth2, ingress, cert-manager
- Testing Strategy - Testing approach and quality assurance
- Fuzzing Strategy - Property-based testing and fuzzing approach
- OpenSSF Best Practices Guide - Security badge application guide
- Code Review Strategy - Single-maintainer approach and co-maintainer call
Looking for Co-Maintainers! This project is actively seeking additional maintainers to help with code review, issue triage, and feature development. If you're interested, please see Code Review Strategy and reach out via GitHub Discussions.
Contributions welcome. See CONTRIBUTING.md for:
- Development environment setup
- Testing requirements
- Commit message conventions
- Pull request guidelines
- This Helm chart: Apache License 2.0 (LICENSE)
- Signal Desktop: AGPLv3 (Signal Messenger LLC)
- Kasm container images: MIT License (Kasm Technologies Inc)
See NOTICE for third-party software attributions.
Important: Signal Messenger LLC and Kasm Technologies Inc do not endorse or support this project.
- Signal Desktop - Encrypted messaging application
- Kasm Workspaces - Containerized desktop streaming
- KasmVNC - VNC server with HTML5 client
- XFCE - Lightweight desktop environment
- Documentation: chart/README.md
- Bug Reports: GitHub Issues
- Questions: GitHub Discussions