Skip to main content

Deploy with Helm

Version: 0.10.1 Type: application AppVersion:

The Pact Broker is an application for sharing for Pact contracts and verification results.


helm repo add bitnami
helm repo add pact-broker

helm install pact-broker pact-broker/pact-broker


The Pact Broker Chart is available in the following formats:

Installing from Chart Repository

The following command can be used to add the chart repository:

helm repo add pact-broker

Once the chart has been added, install one of the available charts:

helm install pact-broker pact-broker/pact-broker

Installing from an OCI Registry

Charts are also available in OCI format. The list of available charts can be found here.

Install one of the available charts:

helm upgrade -i <release_name> oci:// --version=<version>

Source Code




broker.affinityPact Broker Affinityobject{}
broker.annotationsAdditional annotations that can be added to the Broker deploymentobject{}
broker.config.allowDangerousContractModificationWhether or not to allow the pact content for an existing consumer version to be modified. It is strongly recommended that this is set to false, as allowing modification makes the results of can-i-deploy unreliable.boolfalse
broker.config.allowMissingMigrationFilesIf true, will not raise an error if a database migration is recorded in the database that does not have an equivalent file in the codebase. If this is true, an older version of the code may be used with a newer version of the database, however, data integrity issues may occur.booltrue
broker.config.autoDetectMainBranchWhen true and a pacticipant version is created with a tag or a branch that matches one of the names in main_branch_candidates, the mainBranch property is set for that pacticipant if it is not already set.booltrue
broker.config.autoMigrateDbWhether or not to run the database schema migrations on start up. It is recommended to set this to true.booltrue
broker.config.autoMigrateDbDataWhether or not to run the database data migrations on start up. It is recommended to set this to true.booltrue
broker.config.badgeProviderModeThe method by which the badges are generated. Allowed values: redirect, proxystring"redirect"
broker.config.baseUrlsBase URLs can be configured for architectures that use gateways or proxies that allow the same Pact Broker instance to be addressed with different base URLs. The application may run correctly without this attribute, however, it is strongly recommended to set it when deploying the Pact Broker to production as it prevents cache poisoning security vulnerabilitiesstringnil
broker.config.basicAuth.allowPublicReadSet to true if you want public read access, but still require credentials for writing.boolfalse
broker.config.basicAuth.enablePublicBadgeAccessSet this to true to allow status badges to be embedded in README files without requiring a hardcoded password.boolfalse
broker.config.basicAuth.enabledSet to true if you basic authentication to be enabledboolfalse
broker.config.basicAuth.publicHeartbeatSet to true if you want the heartbeat endpoint to be publicly accessible. This will have to be true if you have enabled basic auth.booltrue
broker.config.basicAuth.readUser.existingSecretName of an existing Kubernetes secret containing credentials to access the Pact Brokerstring""
broker.config.basicAuth.readUser.existingSecretPasswordKeyThe key to which holds the value of the password within the existingSecretstring""
broker.config.basicAuth.readUser.existingSecretUsernameKeyThe key to which holds the value of the username within the existingSecretstring""
broker.config.basicAuth.readUser.passwordPassword for read access to the Pact Brokerstring""
broker.config.basicAuth.readUser.usernameUsername for read access to the Pact Brokerstring""
broker.config.basicAuth.writeUser.existingSecretName of an existing Kubernetes secret containing credentials to access the Pact Brokerstring""
broker.config.basicAuth.writeUser.existingSecretPasswordKeyThe key to which holds the value of the password within the existingSecretstring""
broker.config.basicAuth.writeUser.existingSecretUsernameKeyThe key to which holds the value of the username within the existingSecretstring""
broker.config.basicAuth.writeUser.passwordPassword for write access to the Pact Brokerstring""
broker.config.basicAuth.writeUser.usernameUsername for write access to the Pact Brokerstring""
broker.config.checkForPotentialDuplicatePacticipantNamesWhen a pact is published, the consumer, provider and consumer version resources are automatically created. To prevent a pacticipant (consumer or provider) being created multiple times with slightly different name variants (eg. FooBar/foo-bar/foo bar/Foo Bar Service), a check is performed to determine if a new pacticipant name is likely to be a duplicate of any existing applications. If it is deemed similar enough to an existing name, a 409 will be returned.booltrue
broker.config.createDeployedVersionsForTagsWhen true and a tag is created, if there is an environment with the name of the newly created tag, a deployed version is also created for the pacticipant version.booltrue
broker.config.databaseClean.cronScheduleSet to a cron schedule that will run when your Broker is under the least operational load.string"15 2 * * *"
broker.config.databaseClean.deletionLimitThe maximum number of records to delete at a time for each of the removable data categories.int500
broker.config.databaseClean.dryRunDefaults to false. Set to true to see the output of what would have been deleted if the task had run.boolfalse
broker.config.databaseClean.enabledSet to true to enable the automatic data cleanup.boolfalse
broker.config.databaseClean.keepVersionSelectorsA JSON string containing a list of the "keep" selectors.string"[{\"latest\": true}, { \"max_age\": 180 }]"
broker.config.databaseClean.modeSet the mode of the cleanup task. Can either be embedded or external. Setting the mode to external will create a Kubernetes CronJob to handle the cleanup; thus implementing"embedded"
broker.config.databaseClean.overwrittenDataMaxAgeThe maximum number of days to keep "overwritten" data.int90
broker.config.databaseConnectMaxRetriesSetting the max retries to a non-zero number will allow it to retry the connection the configured number of times, waiting 3 seconds between attempts.int0
broker.config.databaseMaxConnectionsThe maximum size of the connection pool (4 connections by default on most databases)int4
broker.config.databasePoolTimeoutThe number of seconds to wait if a connection cannot be acquired before raising an errorint5
broker.config.databaseSslmodeThe Postgresql ssl mode. Allowed values: disable, allow, prefer, require, verify-ca, verify-fullstring"prefer"
broker.config.databaseStatementTimeoutThe number of seconds after which an SQL query will be aborted. Only supported for Postgresql connections.int15
broker.config.disable_sslIf set to true, SSL verification will be disabled for the HTTP requests made by the webhooksboolfalse
broker.config.enableDiagnosticEndpointsWhether or not to enable the diagnostic endpoints at /diagnostic/status/heartbeat and "diagnostic/status/dependenciesbooltrue
broker.config.featuresA list of features to enable in the Pact Broker for beta testing before public release.stringnil
broker.config.hidePactflowMessagesSet to true to hide the messages in the logs about PactFlowbooltrue
broker.config.httpDebugLoggingEnabledEnable this setting to print the entire request and response to the logs at debug level. Do not leave this on permanently, as it will have performance and security issues. Ensure the application log_level is set to debug when this setting is enabled.boolfalse
broker.config.logFormatThe application log format. Can be any value supported by Semantic Logger. Allowed values: default, json, colorstring"default"
broker.config.logLevelThe application log level Allowed values: debug, info, warn, error, fatalstring"info"
broker.config.mainBranchCandidatesAn array of potential main branch names used when automatically detecting the main branch for a pacticipant.string"develop main master"
broker.config.metricsSqlStatementTimeoutThe number of seconds after which the SQL queries used for the metrics endpoint will be aborted. This is configurable separately from the standard database_statement_timeout as it may need to be significantly longer than the desired value for standard queries.int30
broker.config.pactContentDiffTimeoutThe maximum amount of time in seconds to attempt to generate the diff between two pacts before aborting the request.int15
broker.config.shieldsIoBaseUrlThe URL of the server used to generate the README badges.string""
broker.config.sqlEnableCallerLoggingWhen enabled it logs source path that caused SQL query.boolfalse
broker.config.sqlLogLevelThe log level that will be used when the SQL query statements are logged. Allowed values: none, debug, info, warn, error, fatalstring"none"
broker.config.sqlLogWarnDurationThe number of seconds after which to log an SQL query at warn level. Use this for detecting slow queries.int5
broker.config.useFirstTagAsBranchWhen true, the first tag applied to a version within the use_first_tag_as_branch_time_limit (10 seconds) will be used to populate the branch property of the version.booltrue
broker.config.useHalBrowserWhether or not to enable the embedded HAL Browser.booltrue
broker.config.webhookHostWhitelistA list of hosts, network ranges, or host regular expressions.stringnil
broker.config.webhookHttpCodeSuccessIf webhook call returns the response with an HTTP code that is listed in the success codes then the operation is considered a success, otherwise the webhook will be re-triggered based on the webhook_retry_schedule configuration.string"200 201 202 203 204 205 206"
broker.config.webhookHttpMethodWhitelistThe allowed HTTP methods for webhooks. It is highly recommended that only POST requests are allowed to ensure that webhooks cannot be used to retrieve sensitive information from hosts within the same network.string"POST"
broker.config.webhookRetryScheduleThe schedule of seconds to wait between webhook execution attempts. The default schedule is 10 sec, 1 min, 2 min, 5 min, 10 min, 20 min (38 minutes in total).string"10 60 120 300 600 1200"
broker.config.webhookSchemeWhitelistThe allowed URL schemes for webhooks.string"https"
broker.containerPorts.httphttp portint9292
broker.containerPorts.httpshttp portint8443
broker.containerSecurityContext.enabledEnable Pact Broker containers' Security Contextbooltrue
broker.containerSecurityContext.runAsNonRootSet Pact Broker container's Security Context runAsNonRootbooltrue
broker.containerSecurityContext.runAsUserSet Pact Broker container's Security Context runAsUserint1001
broker.extraContainersAdditional containers to add to the Pact Broker podslist[]
broker.labelsAdditional labels that can be added to the Broker deploymentobject{}
broker.livenessProbe.enabledEnable livenessProbe on Pact Broker containersbooltrue
broker.livenessProbe.failureThresholdFailure threshold for livenessProbeint3
broker.livenessProbe.initialDelaySecondsInitial delay seconds for livenessProbeint300
broker.livenessProbe.periodSecondsPeriod seconds for livenessProbeint1
broker.livenessProbe.successThresholdSuccess threshold for livenessProbeint1
broker.livenessProbe.timeoutSecondsTimeout seconds for livenessProbeint5
broker.nodeSelectorPact Broker Node Selectorobject{}
broker.podDisruptionBudget.maxUnavailableMax Unavailable Pods (alternatively one can define minAvailable)int1
broker.podSecurityContext.enabledEnable Pact Broker pods' Security Contextbooltrue
broker.podSecurityContext.fsGroupSet Pact Broker pod's Security Context fsGroupint1001
broker.readinessProbe.enabledEnable readinessProbe on Pact Broker containersbooltrue
broker.readinessProbe.failureThresholdFailure threshold for readinessProbeint3
broker.readinessProbe.initialDelaySecondsInitial delay seconds for readinessProbeint30
broker.readinessProbe.periodSecondsPeriod seconds for readinessProbeint10
broker.readinessProbe.successThresholdSuccess threshold for readinessProbeint1
broker.readinessProbe.timeoutSecondsTimeout seconds for readinessProbeint1
broker.replicaCountNumber of Pact Broker replicas to deployint1
broker.revisionHistoryLimitNumber of Deployment Revisions to setint10
broker.tolerationsPact Broker Tolerationslist[]
broker.volumeMountsVolume mountslist[]
broker.volumesVolumes to mountlist[]
externalDatabase.config.adapterDatabase engine to use. Only allowed values are postgres or sqlite. More info herestring""
externalDatabase.config.auth.existingSecretName of an existing Kubernetes secret containing the database credentialsstring""
externalDatabase.config.auth.existingSecretPasswordKeyThe key to which the password will be stored under within existing secret.string"user-password"
externalDatabase.config.auth.passwordPassword for the non-root username for the Pact Brokerstring""
externalDatabase.config.auth.usernameNon-root username for the Pact Brokerstring""
externalDatabase.config.databaseNameExternal database namestring""
externalDatabase.config.hostDatabase hoststring""
externalDatabase.config.portDatabase port numberstring""
externalDatabase.enabledSwitch to enable or disable the externalDatabase connectionboolfalse
image.pullPolicySpecify a imagePullPolicy Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' more info herestring"IfNotPresent"
image.pullSecretsArray of imagePullSecrets to allow pulling the Pact Broker image from private registries. PS: Secret's must exist in the namespace to which you deploy the Pact Broker. more info here Example: pullSecrets: - mySecretNamelist[]
image.registryPact Broker image registrystring""
image.repositoryPact Broker image repositorystring"pactfoundation/pact-broker"
image.tagPact Broker image tag (immutable tags are recommended)string""
ingress.annotationsingress.annotations Additional annotations for the Ingress resourceobject{}
ingress.classNameingress.className Name of the IngressClass cluster resource which defines which controller will implement the resource (e.g nginx)string""
ingress.enabledingress.enabled Enable the creation of the ingress resourcebooltrue
ingress.hosthost Hostname to be used to expose the route to access the Pact Brokerstring""
ingress.tls.enabledingress.tls.enabled Enable TLS configuration for the host defined at parameterboolfalse
ingress.tls.secretNameingress.tls.secretName The name to which the TLS Secret will be calledstring""
postgresql.architecturePostgreSQL architecture (standalone or replication)string"standalone"
postgresql.auth.databaseName for a custom database to createstring"bitnami_broker"
postgresql.auth.existingSecretName of existing secret to use for PostgreSQL credentialsstring""
postgresql.auth.passwordPassword for the custom user to createstring""
postgresql.auth.secretKeys.adminPasswordKeyThe key in which Postgres well look for, for the admin password, in the existing Secretstring"admin-password"
postgresql.auth.secretKeys.replicationPasswordKeyThe key in which Postgres well look for, for the replication password, in the existing Secretstring"replication-password"
postgresql.auth.secretKeys.userPasswordKeyThe key in which Postgres well look for, for the user password, in the existing Secretstring"user-password"
postgresql.auth.usernameName for a custom user to createstring"bn_broker"
postgresql.enabledSwitch to enable or disable the PostgreSQL helm chartbooltrue
service.clusterIPPact Broker service clusterIPstring""
service.loadBalancerIPPact Broker Service loadBalancerIPstring""
service.nodePorts.httphttp nodePortstring""
service.nodePorts.httpshttps nodePortstring""
service.ports.httpPact service HTTP portint80
service.ports.httpsPact service HTTPS portint443
service.typeKubernetes service typestring"ClusterIP"
serviceAccount.annotationsAdditional custom annotations for the ServiceAccount.object{}
serviceAccount.automountServiceAccountTokenAuto-mount the service account token in the podbooltrue
serviceAccount.createEnable the creation of a ServiceAccount for Pact Broker podsbooltrue
serviceAccount.imagePullSecretsName of image pull secrets that should be attached to the service accountlist[]
serviceAccount.labelsAdditional custom labels to the service ServiceAccount.object{}
serviceAccount.nameName of the ServiceAccount If serviceAccount.create is true and is not set, a name is generated based on the release name. If serviceAccount.create is true and is set, a service account is created and named after value set in If serviceAccount.create is false and is not set, the default service account is used for the Deployment. If serviceAccount.create is false and is set, the service account specified at is used for the Deployment.string""

Configuration and Installation Details

Configuring Chart PostgreSQL

With the Pact Broker Helm Chart, it bundles together the Pact Broker and a Bitnami PostgreSQL database - this can be enabled by switching postgresql.enabled to true (it is true by default). If switched on, the Helm Chart, on deployment, will automatically deploy a PostgreSQL instance and configure it with the credentials you specify. There are multiple ways of doing this that will be detailed below.

Automatic Database Credential Creation

This is the easiest of the configuration options. Here, the credentials for both the Admin and Database user will be automatically generated and put into a Kubernetes secret. This then will be automatically used by the Pact Broker. For this, ensure the following happens:

  • Keep postgresql.auth.existingSecret & postgresql.auth.password empty.

Specifying Password for PostgreSQL to Use

Here, you can specify the password that you want PostgreSQL to use for it's Database User (The user that the Pact Broker will use to connect to the database). For this, ensure the following happens:

  • Keep the postgresql.auth.existingSecret empty.
  • Set the postgresql.auth.password to the value that you want the User password to be.

    NOTE: Be careful and mindful that the value you provide here is done in a secure way.

Specifying Existing Secret for PostgreSQL to Use

Here, you can specify an existing Kubernetes secret that you have created that contains the Password that you want PostgreSQL to use. The secret has to be in the same namespace as where you are deploying the Helm Chart. For this, ensure the following happens:

  • Create the Kubernetes secret with the Password inside.
  • Set postgresql.auth.existingSecret to the name of the Secret
  • PostgreSQL by default will look for the relevant Password keys that are set by default here postgresql.auth.secretKeys. So make sure that the Keys in the Secret match the default secretKeys values. More information here
  • For example, if you want PostgreSQL to use an existing Secret called my-user-secret that has the User password that you want to use inside it. Make sure that you create a Key inside that secret called user-password (this key can be found here postgresql.auth.secretKeys.userPasswordKey). i.e. user-password=Password123.

Configuring External Database

If you want to use an external database with your Pact Broker, switch the externalDatabase.enabled flag to true and the postgresql.enabled to false.

The configuring of the, externalDatabase.config.port, externalDatabase.config.adapter and externalDatabase.config.databaseName should be pretty straight forward. The credential configuration however has two methods of configuration.

Specify Credentials via Values

Configure the Pact Broker by using the username credential that you configure via the externalDatabase.config.auth.username value and the password via the externalDatabase.config.auth.password value.

NOTE: Be careful and mindful that the values you provide here is done in a secure way.

Specify Credentials via Secret

Configure the Pact Broker to use an existing Secret to retrieve the user password as a means to connect to the database. Ensure that the Kubernetes Secret has the password in the user-password field and ensure that you have set externalDatabase.config.auth.existingSecret value to the name of the secret. To configure the username, you can use the username value.

Database Clean Task

Pact Broker automatic data cleanup can be enabled by setting the property broker.config.databaseClean.enabled to true.

By default and for simple installations, one could rely on the built-in integrated mode of the cleanup (the property broker.config.databaseClean.mode having the value embedded).

For a more advanced setup e.g. in highly available installations with more than one replica, one should rely on the external source pattern of running the clean task. That can be achieved by setting the property broker.config.databaseClean.mode to external, which would result in having a CronJob performing the cleanup task instead of the main application Pods.