Paquetier

Deployment

Paquetier provides an official Helm chart for deploying to Kubernetes.

  • A Kubernetes cluster (1.19+).
  • Helm 3.
  • A PostgreSQL database accessible from the cluster.
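  • An S3-compatible storage bucket.

# The values below are placeholders. Arguments passed with --set are kept in
# shell history, so for real credentials prefer a values file (-f values.yaml)
# or an existing Secret.
helm repo add paquetier https://charts.paquetier.com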
helm install paquetier paquetier/paquetier \
  --set config.publicUrl=https://paquetier.example.com \
  --set secret.jwtSecret=your-secret-key \
  --set secret.databaseDsn=postgresql://user:pass@host:5432/paquetier \
  --set secret.s3AccessKey=your-access-key \
  --set secret.s3SecretKey=your-secret-key \
  --set config.s3.endpoint=s3.amazonaws.com \
  --set config.s3.bucket=paquetier

config:
  publicUrl: "https://paquetier.example.com"
  s3:
    endpoint: "s3.amazonaws.com"
    bucket: "paquetier"
    ssl: true
    region: "us-east-1"

secret:
  jwtSecret: "your-stable-jwt-secret"
  databaseDsn: "postgresql://user:pass@host:5432/paquetier"
  s3AccessKey: "your-access-key"
  s3SecretKey: "your-secret-key"

ingress:
  enabled: true
  className: nginx
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
  hosts:
    - host: paquetier.example.com
      paths:
        - path: /
          pathType: Prefix
  tls:
    - secretName: paquetier-tls
      hosts:
        - paquetier.example.com

gatewayApi:
  enabled: true
  gateway:
    name: my-gateway
  hostnames:
    - paquetier.example.com

If you manage secrets externally (e.g. with External Secrets Operator), disable the chart-managed secret and reference your own:

secret:
  create: false
existingSecret: my-paquetier-secret

The external secret must contain the same keys as the chart-generated one (PAQUETIER_JWT_SECRET, PAQUETIER_DATABASE_DSN, etc.).

The chart ships with secure defaults:

  • Runs as non-root user (UID 65534).
  • Read-only root filesystem.
  • All capabilities dropped.
  • Seccomp profile enabled.
  • Liveness and readiness probes on /api/v1/healthz.

helm upgrade paquetier paquetier/paquetier -f values.yaml

Pod annotations include checksums of the ConfigMap and Secret, so pods are automatically restarted when configuration changes.
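
To confirm after an install or upgrade that the secure defaults listed above are still in effect (for example, that a values override has not loosened them), the pod spec can be checked against that list. This is an added example, not part of the Paquetier chart or its documentation; the container name, probe port and accepted seccomp profile types are assumptions.

```python
import json
import sys

# Constructed sample shaped like `kubectl get pod -o json` output; the container
# name and probe port are made up. It mirrors the defaults listed above.
SAMPLE_POD = {"spec": {
    "securityContext": {"runAsUser": 65534, "seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{
        "name": "paquetier",
        "securityContext": {"readOnlyRootFilesystem": True,
                            "capabilities": {"drop": ["ALL"]}},
        "livenessProbe": {"httpGet": {"path": "/api/v1/healthz", "port": 8080}},
        "readinessProbe": {"httpGet": {"path": "/api/v1/healthz", "port": 8080}},
    }],
}}


def check_pod(pod):
    """Return a list of deviations from the hardening defaults listed above."""
    findings = []
    spec = pod.get("spec") or {}
    pod_sc = spec.get("securityContext") or {}
    for c in spec.get("containers") or []:
        name = c.get("name", "?")
        sc = c.get("securityContext") or {}
        # Container-level settings take precedence over pod-level ones.
        uid = sc.get("runAsUser", pod_sc.get("runAsUser"))
        if uid != 65534:
            findings.append(f"{name}: runAsUser={uid}, expected 65534")
        if sc.get("readOnlyRootFilesystem") is not True:
            findings.append(f"{name}: root filesystem is writable")
        drop = (sc.get("capabilities") or {}).get("drop") or []
        if "ALL" not in (d.upper() for d in drop):
            findings.append(f"{name}: capabilities not fully dropped")
        seccomp = sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}
        # Assumption: any profile other than Unconfined counts as "enabled".
        if seccomp.get("type") not in ("RuntimeDefault", "Localhost"):
            findings.append(f"{name}: no seccomp profile")
        for probe in ("livenessProbe", "readinessProbe"):
            path = ((c.get(probe) or {}).get("httpGet") or {}).get("path")
            if path != "/api/v1/healthz":
                findings.append(f"{name}: {probe} path is {path!r}")
    return findings


if __name__ == "__main__":
    # Usage: kubectl get pod <name> -o json | python check_pod.py -
    pod = json.load(sys.stdin) if sys.argv[1:] == ["-"] else SAMPLE_POD
    problems = check_pod(pod)
    print("\n".join(problems) or "all hardening defaults present")
    sys.exit(1 if problems else 0)
```

The script exits non-zero when any default is missing, so it can gate a deployment pipeline step.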