Uptime Kuma
Self-hosted uptime monitoring with a modern web UI. Uptime Kuma checks HTTP, TCP, DNS, Ping, Docker, WebSocket, and 20+ other monitor types on configurable intervals, sends alerts via 90+ notification services (Telegram, Discord, Slack, email, and more), and publishes customizable public status pages.
Uptime Kuma manages WebSocket connections and monitor state in-process. Running multiple replicas causes monitor duplication and inconsistent alerts. Keep the deployment at 1 replica regardless of the database backend used.
Key Features
- 20+ monitor types — HTTP(s), TCP, Ping, DNS, Docker, WebSocket, Steam, MQTT, and more
- 90+ notification services — Telegram, Discord, Slack, Email, Pushover, Gotify, and more
- Public status pages — customizable status pages with custom domains
- Two-factor authentication — built-in 2FA for the admin account
- SQLite or MariaDB — embedded SQLite (default) or MariaDB-compatible subchart
- External database — connect to an existing MariaDB/MySQL instance
- Smart S3 backup — tar for SQLite mode, mysqldump for MariaDB mode
- Custom CA certificates — monitor internal HTTPS services with private CA
- Gateway API and Ingress — expose the UI with classic Ingress or HTTPRoute
- External Secrets Operator — source database and S3 credentials from external providers
- Dual-stack Services — optional ipFamilyPolicy and ipFamilies controls
Installation
HTTPS repository:

```bash
helm repo add helmforge https://repo.helmforge.dev
helm repo update
helm install uptime-kuma helmforge/uptime-kuma -f values.yaml
```

OCI registry:

```bash
helm install uptime-kuma oci://ghcr.io/helmforgedev/helm/uptime-kuma -f values.yaml
```

After deploying with default values, access the setup wizard to create the admin account:

```bash
kubectl port-forward svc/<release>-uptime-kuma 3001:80
# Open http://localhost:3001 in your browser
```
Deployment Examples
```yaml
# values.yaml — Uptime Kuma with SQLite (default, no database configuration needed)
persistence:
  enabled: true
  size: 2Gi
ingress:
  enabled: true
  ingressClassName: traefik
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
  hosts:
    - host: status.example.com
      paths:
        - path: /
          pathType: Prefix
  tls:
    - secretName: uptime-kuma-tls
      hosts:
        - status.example.com
```

```yaml
# values.yaml — Uptime Kuma with bundled MariaDB subchart
database:
  type: mariadb
mysql:
  enabled: true
  auth:
    password: 'mariadb-password'
persistence:
  enabled: true
  size: 2Gi
ingress:
  enabled: true
  ingressClassName: traefik
  hosts:
    - host: status.example.com
      paths:
        - path: /
          pathType: Prefix
```

```yaml
# values.yaml — Uptime Kuma with external MariaDB/MySQL
database:
  type: mariadb
  external:
    host: mariadb.database.svc.cluster.local
    port: '3306'
    name: uptime_kuma
    username: uptime_kuma
    existingSecret: uptime-kuma-db-credentials
    existingSecretPasswordKey: password
mysql:
  enabled: false
persistence:
  enabled: true
  size: 2Gi
ingress:
  enabled: true
  ingressClassName: traefik
  hosts:
    - host: status.example.com
      paths:
        - path: /
          pathType: Prefix
```

```yaml
# values.yaml — Monitor internal HTTPS services with a private CA certificate
# The CA certificate must be stored in the /app/data PVC at /app/data/ca.pem
uptimeKuma:
  extraEnv:
    - name: NODE_EXTRA_CA_CERTS
      value: /app/data/ca.pem
persistence:
  enabled: true
  size: 2Gi
ingress:
  enabled: true
  ingressClassName: traefik
  hosts:
    - host: status.example.com
      paths:
        - path: /
          pathType: Prefix
```

```yaml
# values.yaml — Daily S3 backup
# Backup strategy is automatic: tar for SQLite mode, mysqldump for MariaDB mode
backup:
  enabled: true
  schedule: '0 2 * * *'
  s3:
    endpoint: https://s3.amazonaws.com
    bucket: my-uptime-kuma-backups
    prefix: uptime-kuma
    existingSecret: uptime-kuma-s3-credentials
persistence:
  enabled: true
  size: 2Gi
ingress:
  enabled: true
  ingressClassName: traefik
  hosts:
    - host: status.example.com
      paths:
        - path: /
          pathType: Prefix
```

```yaml
# values.yaml — expose Uptime Kuma through Gateway API
persistence:
  enabled: true
  size: 2Gi
gatewayAPI:
  enabled: true
  httpRoutes:
    - name: uptime-kuma
      spec:
        parentRefs:
          - name: public-gateway
            namespace: gateway-system
        hostnames:
          - status.example.com
        rules:
          - matches:
              - path:
                  type: PathPrefix
                  value: /
```

```yaml
# values.yaml — external database and S3 credentials managed by External Secrets Operator
database:
  type: mariadb
  external:
    host: mariadb.database.svc.cluster.local
    username: uptime_kuma
    existingSecret: uptime-kuma-db
    existingSecretPasswordKey: password
backup:
  enabled: true
  s3:
    endpoint: https://s3.amazonaws.com
    bucket: my-uptime-kuma-backups
    existingSecret: uptime-kuma-s3
externalSecrets:
  enabled: true
  apiVersion: external-secrets.io/v1
  refreshInterval: 1h
  items:
    - name: database
      spec:
        secretStoreRef:
          name: platform-secrets
          kind: ClusterSecretStore
        target:
          name: uptime-kuma-db
          creationPolicy: Owner
        data:
          - secretKey: password
            remoteRef:
              key: uptime-kuma/database
              property: password
    - name: s3
      spec:
        secretStoreRef:
          name: platform-secrets
          kind: ClusterSecretStore
        target:
          name: uptime-kuma-s3
          creationPolicy: Owner
        data:
          - secretKey: access-key
            remoteRef:
              key: uptime-kuma/s3
              property: accessKey
          - secretKey: secret-key
            remoteRef:
              key: uptime-kuma/s3
              property: secretKey
```

Configuration Reference
Core
| Parameter | Type | Default | Description |
|---|---|---|---|
| nameOverride | string | "" | Override the chart name. |
| fullnameOverride | string | "" | Override the full release name. |
| commonLabels | object | {} | Extra labels added to all resources. |
Image
| Parameter | Type | Default | Description |
|---|---|---|---|
| image.repository | string | docker.io/louislam/uptime-kuma | Uptime Kuma container image. |
| image.tag | string | "2.4.0" | Image tag. |
| image.pullPolicy | string | IfNotPresent | Image pull policy. |
| imagePullSecrets | array | [] | Pull secrets for private registries. |
Uptime Kuma Configuration
| Parameter | Type | Default | Description |
|---|---|---|---|
| uptimeKuma.port | integer | 3001 | Internal HTTP port. |
| uptimeKuma.disableFrameSameOrigin | boolean | false | Allow embedding the status page in iframes from other origins. |
| uptimeKuma.extraEnv | array | [] | Extra environment variables. Use for NODE_EXTRA_CA_CERTS and advanced settings. |
Status pages can be embedded in dashboards such as Heimdall or Homarr. Set uptimeKuma.disableFrameSameOrigin: true
to allow cross-origin iframe embedding. By default, the X-Frame-Options: SAMEORIGIN header prevents embedding from
other domains.
To monitor internal HTTPS endpoints using a self-signed or private CA certificate, place the CA certificate file in
the PVC at /app/data/ca.pem and set NODE_EXTRA_CA_CERTS via uptimeKuma.extraEnv. Node.js will then trust that CA
for all outgoing HTTPS requests made by the monitor checks.
Database
| Parameter | Type | Default | Description |
|---|---|---|---|
| database.type | string | sqlite | Database backend: sqlite or mariadb. |
| database.external.host | string | "" | External MariaDB/MySQL hostname. |
| database.external.port | string | "3306" | External MariaDB/MySQL port. |
| database.external.name | string | uptime_kuma | Database name on the external server. |
| database.external.username | string | uptime_kuma | Username for the external database. |
| database.external.password | string | "" | Password for the external database (prefer existingSecret). |
| database.external.existingSecret | string | "" | Existing secret containing the database password. |
| database.external.existingSecretPasswordKey | string | password | Key inside the existing secret for the password. |
Database — MySQL Subchart
The subchart is named mysql in the values, but Uptime Kuma uses it as a MariaDB-compatible backend. Set
database.type: mariadb alongside mysql.enabled: true to activate this mode. The bundled dependency is the
HelmForge MySQL chart 2.0.0.
| Parameter | Type | Default | Description |
|---|---|---|---|
| mysql.enabled | boolean | false | Deploy a bundled MySQL/MariaDB subchart. |
| mysql.architecture | string | standalone | Database architecture. |
| mysql.auth.database | string | uptime_kuma | Database name created by the subchart. |
| mysql.auth.username | string | uptime_kuma | Database user created by the subchart. |
| mysql.auth.password | string | "" | Database password (required when using the subchart). |
Persistence
| Parameter | Type | Default | Description |
|---|---|---|---|
| persistence.enabled | boolean | true | Enable a PVC for /app/data (SQLite, config, and CA certificates). |
| persistence.size | string | 2Gi | PVC size. |
| persistence.storageClass | string | "" | StorageClass for the PVC. |
| persistence.accessModes | array | ["ReadWriteOnce"] | PVC access modes. |
| persistence.existingClaim | string | "" | Use an existing PVC instead of creating one. |
Backup
The backup strategy adapts to the configured database mode automatically:
- SQLite mode — archives the full /app/data directory using tar.
- MariaDB mode — runs mysqldump against the database and uploads the SQL dump.
| Parameter | Type | Default | Description |
|---|---|---|---|
| backup.enabled | boolean | false | Enable scheduled S3 backup CronJob. |
| backup.schedule | string | "0 2 * * *" | Cron schedule for backups. |
| backup.suspend | boolean | false | Suspend the CronJob without deleting it. |
| backup.concurrencyPolicy | string | Forbid | CronJob concurrency policy. |
| backup.successfulJobsHistoryLimit | integer | 3 | Number of successful Job records to keep. |
| backup.failedJobsHistoryLimit | integer | 3 | Number of failed Job records to keep. |
| backup.backoffLimit | integer | 1 | Job retry limit. |
| backup.archivePrefix | string | uptime-kuma | Prefix for backup archive filenames. |
| backup.resources | object | {} | Resources for backup containers. |
| backup.images.uploader.repository | string | docker.io/helmforge/mc | S3 uploader image repository. |
| backup.images.uploader.tag | string | "1.0.0" | S3 uploader image tag. |
| backup.images.mysql.repository | string | docker.io/library/mysql | mysqldump image repository (MariaDB mode). |
| backup.images.mysql.tag | string | "8.4" | mysqldump image tag. |
| backup.s3.endpoint | string | "" | S3-compatible endpoint URL. |
| backup.s3.bucket | string | "" | Target bucket name. |
| backup.s3.prefix | string | uptime-kuma | Key prefix within the bucket. |
| backup.s3.createBucketIfNotExists | boolean | true | Create the bucket automatically if it does not exist. |
| backup.s3.existingSecret | string | "" | Existing secret containing S3 access and secret keys. |
| backup.s3.existingSecretAccessKeyKey | string | access-key | Key in the existing secret for the S3 access key. |
| backup.s3.existingSecretSecretKeyKey | string | secret-key | Key in the existing secret for the S3 secret key. |
| backup.s3.accessKey | string | "" | Inline S3 access key (ignored when existingSecret is set). |
| backup.s3.secretKey | string | "" | Inline S3 secret key (ignored when existingSecret is set). |
Service
| Parameter | Type | Default | Description |
|---|---|---|---|
| service.type | string | ClusterIP | Kubernetes service type. |
| service.port | integer | 80 | Service port exposed to the cluster. |
| service.annotations | object | {} | Annotations for the Service. |
| service.ipFamilyPolicy | string | omitted | Service IP family policy: SingleStack, PreferDualStack, or RequireDualStack. |
| service.ipFamilies | array | omitted | Ordered Service IP families such as IPv4 and IPv6. |
Ingress
| Parameter | Type | Default | Description |
|---|---|---|---|
| ingress.enabled | boolean | false | Enable an Ingress resource. |
| ingress.ingressClassName | string | traefik | Ingress class name. |
| ingress.annotations | object | {} | Annotations for the Ingress (e.g. cert-manager). |
| ingress.hosts | array | [] | Ingress host and path rules. |
| ingress.tls | array | [] | TLS configuration (secret name and hosts). |
Gateway API
Use Gateway API when your cluster standardizes HTTP routing through Gateway resources. The chart renders HTTPRoutes that target the Uptime Kuma Service by default.
| Parameter | Type | Default | Description |
|---|---|---|---|
| gatewayAPI.enabled | boolean | false | Enable HTTPRoute resources. |
| gatewayAPI.httpRoutes | array | [] | HTTPRoute definitions to render. |
External Secrets Operator
External Secrets can materialize database, S3, or integration credentials without storing them directly in Helm values.
| Parameter | Type | Default | Description |
|---|---|---|---|
| externalSecrets.enabled | boolean | false | Render ExternalSecret resources. |
| externalSecrets.apiVersion | string | external-secrets.io/v1 | ExternalSecret API version. |
| externalSecrets.refreshInterval | string | 1h | Default refresh interval for items that do not set one. |
| externalSecrets.items | array | [] | ExternalSecret definitions. Each item requires a full spec. |
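
The parameter tables above list four values that can carry a credential inline, plus the iframe and security-context settings. The following added example (not part of the chart or its documentation) audits a JSON dump of effective values for those settings; the function names, the warning wording and the sample values are assumptions made for illustration.

```python
import json

# Value paths from this page's tables that hold a credential inline, mapped to the
# secret-reference parameter the page documents for them (None if none is listed).
INLINE_SECRETS = {
    "database.external.password": "database.external.existingSecret",
    "mysql.auth.password": None,
    "backup.s3.accessKey": "backup.s3.existingSecret",
    "backup.s3.secretKey": "backup.s3.existingSecret",
}

def lookup(values, dotted):
    """Walk a dotted path through nested dicts; None if any segment is missing."""
    node = values
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node

def audit(values):
    """Return warning strings for a dict of effective chart values."""
    findings = []
    for path, alternative in INLINE_SECRETS.items():
        if lookup(values, path):
            hint = f"; reference {alternative} instead" if alternative else ""
            findings.append(f"{path}: credential is inline in Helm values{hint}")
    if lookup(values, "uptimeKuma.disableFrameSameOrigin") is True:
        findings.append("uptimeKuma.disableFrameSameOrigin: X-Frame-Options SAMEORIGIN "
                        "is disabled, so other origins can frame the pages")
    for ctx in ("podSecurityContext", "securityContext"):
        if not lookup(values, ctx):
            findings.append(f"{ctx}: empty, which is the chart default")
    return findings

# Constructed sample: the bundled-MariaDB example with iframe embedding enabled.
SAMPLE = json.loads("""
{
  "database": {"type": "mariadb", "external": {"password": "", "existingSecret": ""}},
  "mysql": {"enabled": true, "auth": {"password": "mariadb-password"}},
  "backup": {"s3": {"existingSecret": "uptime-kuma-s3", "accessKey": "", "secretKey": ""}},
  "uptimeKuma": {"disableFrameSameOrigin": true},
  "podSecurityContext": {},
  "securityContext": {"runAsNonRoot": true}
}
""")

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("WARN", finding)
```

For a live release, the same dictionary can be loaded from the output of `helm get values uptime-kuma --all -o json`.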
Probes
| Parameter | Type | Default | Description |
|---|---|---|---|
| probes.startup.enabled | boolean | true | Enable startup probe. |
| probes.startup.initialDelaySeconds | integer | 10 | Startup probe initial delay. |
| probes.startup.periodSeconds | integer | 5 | Startup probe period. |
| probes.startup.timeoutSeconds | integer | 3 | Startup probe timeout. |
| probes.startup.failureThreshold | integer | 30 | Startup probe failure threshold. |
| probes.liveness.enabled | boolean | true | Enable liveness probe. |
| probes.liveness.initialDelaySeconds | integer | 0 | Liveness probe initial delay. |
| probes.liveness.periodSeconds | integer | 15 | Liveness probe period. |
| probes.liveness.timeoutSeconds | integer | 5 | Liveness probe timeout. |
| probes.liveness.failureThreshold | integer | 3 | Liveness probe failure threshold. |
| probes.readiness.enabled | boolean | true | Enable readiness probe. |
| probes.readiness.initialDelaySeconds | integer | 0 | Readiness probe initial delay. |
| probes.readiness.periodSeconds | integer | 10 | Readiness probe period. |
| probes.readiness.timeoutSeconds | integer | 5 | Readiness probe timeout. |
| probes.readiness.failureThreshold | integer | 3 | Readiness probe failure threshold. |
Resources and Security
| Parameter | Type | Default | Description |
|---|---|---|---|
| resources | object | {} | CPU and memory requests and limits. |
| podSecurityContext | object | {} | Pod-level security context. |
| securityContext | object | {} | Container-level security context. |
Service Account
| Parameter | Type | Default | Description |
|---|---|---|---|
| serviceAccount.create | boolean | false | Create a dedicated ServiceAccount. |
| serviceAccount.name | string | "" | Override the ServiceAccount name. |
| serviceAccount.annotations | object | {} | Annotations for the ServiceAccount. |
Scheduling
| Parameter | Type | Default | Description |
|---|---|---|---|
| nodeSelector | object | {} | Node selector for scheduling. |
| tolerations | array | [] | Tolerations for scheduling. |
| affinity | object | {} | Affinity rules. |
| topologySpreadConstraints | array | [] | Topology spread constraints. |
| priorityClassName | string | "" | PriorityClass for the pod. |
| terminationGracePeriodSeconds | integer | 30 | Termination grace period. |
| podLabels | object | {} | Extra labels for the pod. |
| podAnnotations | object | {} | Extra annotations for the pod. |
Extra
| Parameter | Type | Default | Description |
|---|---|---|---|
| extraVolumes | array | [] | Extra volumes to attach to the pod. |
| extraVolumeMounts | array | [] | Extra volume mounts for the container. |
| extraManifests | array | [] | Extra Kubernetes manifests deployed alongside the chart. |