Skip to main content

Helm

Helm chart path:

deploy/helm/oneprotect/

Current chart represents:

  • api-service
  • worker-service
  • frontend
  • Services
  • ConfigMap
  • Secret placeholders
  • Namespace-scoped worker RBAC for Kubernetes Secret reads when secretProvider=kubernetes
  • Optional Ingress

Render:

make helm-template

Production environments must override placeholder secrets through the deployment system. Use secrets.existingSecret when runtime values such as DATABASE_URL are populated by platform tooling and should not be rendered into a Helm-managed Secret. For integration credentials, staging/prod should use secretProvider=kubernetes with External Secrets Operator, CSI, Vault Agent, or platform sync populating Kubernetes Secrets. Prefer exact workerService.secretReaderRbac.resourceNames once tenant integration secret names are known.

The Docusaurus docs site is not deployed by this Helm chart. AWS docs hosting uses the Terraform/OpenTofu docs-site module with private S3 and CloudFront.