This guide covers the OpenShift specifics for running a PhotoPrism® Portal and its tenant instances: the restricted Security Context Constraints (SCC), exposing the Portal with a Route, and using the OpenShift console’s Form View to install charts. For the general Kubernetes workflow (namespaces, cluster secret, Portal manifests, tenant join), start with the Kubernetes guide.

A public Helm chart for the Portal is not available yet. Deploy the Portal with the manifests from the Kubernetes guide and tenants with the public photoprism-pro chart. If you need an orchestrated Portal chart with OpenShift Form View support, contact us.

Security Context & SCC

The PhotoPrism Portal and Pro images run as non-root and are compatible with OpenShift’s default restricted-v2 SCC. Keep the security context permissive so OpenShift can assign namespace-range IDs:

  • Leave runAsUser, runAsGroup, and fsGroup unset so OpenShift assigns an arbitrary high UID/GID from the namespace range. (The fixed UID/GID 1000 shown in the Kubernetes manifests is for plain Kubernetes; omit it on OpenShift.)
  • Do not grant elevated SCCs such as anyuid or privileged unless your platform team explicitly requires them.
  • If your storage backend enforces group-based ACLs (common with NFS), set podSecurityContext.fsGroup and, if needed, supplementalGroups explicitly, and match the export permissions to those groups.
  • Do not deploy workloads into the default or kube-system namespaces — OpenShift does not assign SCCs there, which breaks volume permissions.

Exposing the Portal with a Route

On OpenShift, a Route is the native way to expose the Portal over HTTPS with edge TLS termination. Because the Portal proxies tenants under /i/<name>/, one Route at the shared domain covers the whole cluster:

apiVersion: route.openshift.io/v1
kind: Route
metadata:
  name: portal
  namespace: photoprism
spec:
  host: portal.example.com
  to:
    kind: Service
    name: portal
  port:
    targetPort: 2342
  tls:
    termination: edge
    insecureEdgeTerminationPolicy: Redirect

Use an Ingress instead of a Route only when your cluster standardizes on Ingress (for example with an external ingress controller). If you set both a Route host and an Ingress host, they must match. Tenant traffic stays internal HTTP over service DNS names while all public URLs use HTTPS.

Adding a Helm Repository to the Console

The OpenShift console only lists Helm repositories registered as cluster resources. To make the public PhotoPrism charts available for tenant installs, add a ProjectHelmChartRepository (single namespace) or a HelmChartRepository (all namespaces):

cat <<'EOF' | oc apply -f -
apiVersion: helm.openshift.io/v1beta1
kind: ProjectHelmChartRepository
metadata:
  name: photoprism
  namespace: photoprism
spec:
  name: photoprism
  connectionConfig:
    url: https://charts.photoprism.app/photoprism
EOF

oc -n photoprism get projecthelmchartrepositories

If the console shows an empty repository URL, confirm the resource uses spec.connectionConfig.url (not spec.url) and re-apply the manifest. For an authenticated repository, create a Secret with the credentials and reference it under connectionConfig.basicAuthConfig.

Installing with the Form View

The OpenShift Developer Console renders a form-based install view when a chart ships a values.schema.json file, so you can configure common settings without editing raw YAML:

  1. Open Developer+AddHelm Chart (or Software Catalog on newer consoles).
  2. Select the target Project/Namespace for the release.
  3. Choose the chart, then select Form View on the install screen.
  4. Provide the required values, then click Install. Switch to YAML View for advanced overrides not exposed in the form.

Storage

  • Persistent data is stored on PersistentVolumeClaims; OpenShift Data Foundation (ODF) block storage is a common choice for the Portal and tenant storage volumes.
  • For a shared, externally managed filesystem for large original assets, mount a pre-created NFS-backed PVC and set the matching fsGroup/supplementalGroups so the restricted SCC can write to it.
  • Size the database StatefulSet PVC for the combined tenant schemas. Keep the database in an SCC-assigned namespace (not default/kube-system).

Database

Provide the Portal a reachable MariaDB endpoint over TCP 3306 (a direct server or a MaxScale listener). For the recommended database baseline and how to run it under the MariaDB Enterprise Operator on OpenShift, see MariaDB Enterprise.

PhotoPrism® Documentation

For more information on specific features, services and related resources, please refer to the other documentation available in our Knowledge Base and User Guide: