Deployment
Paquetier provides an official Helm chart for deploying to Kubernetes.
Prerequisites
Section titled “Prerequisites”- A Kubernetes cluster (1.19+).
- Helm 3.
- A PostgreSQL database accessible from the cluster.
- An S3-compatible storage bucket.
Installing the Chart
Section titled “Installing the Chart”Minimal values.yaml
Section titled “Minimal values.yaml”Ingress
Section titled “Ingress”Traditional Ingress
Section titled “Traditional Ingress”Gateway API
Section titled “Gateway API”External Secrets
Section titled “External Secrets”If you manage secrets externally (e.g. with External Secrets Operator), disable the chart-managed secret and reference your own:
The external secret must contain the same keys as the chart-generated one (PAQUETIER_JWT_SECRET, PAQUETIER_DATABASE_DSN, etc.).
Security Defaults
Section titled “Security Defaults”The chart ships with secure defaults:
- Runs as non-root user (UID 65534).
- Read-only root filesystem.
- All capabilities dropped.
- Seccomp profile enabled.
- Liveness and readiness probes on
/api/v1/healthz.
Upgrading
Section titled “Upgrading”Pod annotations include checksums of the ConfigMap and Secret, so pods are automatically restarted when configuration changes.