add annotations to deployment

remove lazy-librarian
fix app version
2024-04-21 06:40:46 -06:00 · 2024-04-21 04:59:41 -06:00 · 2024-04-21 04:03:32 -06:00 · 2024-04-21 03:59:25 -06:00 · 2024-04-19 21:34:56 -06:00 · 2024-04-19 05:41:38 -06:00
69 changed files with 7206 additions and 788 deletions
--- a/charts/home-assistant/Chart.yaml
+++ b/charts/home-assistant/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v2
 name: home-assistant
-version: 0.1.8
+version: 0.1.10
 description: Chart for Home Assistant
 keywords:
  - home-automation
@@ -9,4 +9,4 @@ sources:
 maintainers:
  - name: alexlebens
 icon: https://avatars.githubusercontent.com/u/13844975?s=200&v=4
-appVersion: v2024.4.2
+appVersion: v2024.4.3
--- a/charts/home-assistant/values.yaml
+++ b/charts/home-assistant/values.yaml
@@ -3,7 +3,7 @@ deployment:
  strategy: Recreate
  image:
    repository: homeassistant/home-assistant
-    tag: 2024.4.2
+    tag: 2024.4.3
    imagePullPolicy: IfNotPresent
  env:
    TZ: UTC
@@ -56,7 +56,7 @@ codeserver:
  enabled: false
  image:
    repository: linuxserver/code-server
-    tag: 4.23.0
+    tag: 4.23.1
    imagePullPolicy: IfNotPresent
  env:
    TZ: UTC
--- a/charts/homepage/Chart.yaml
+++ b/charts/homepage/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v2
 name: homepage
-version: 0.0.10
+version: 0.0.12
 description: Chart for benphelps homepage
 keywords:
  - dashboard
@@ -9,4 +9,4 @@ sources:
 maintainers:
  - name: alexlebens
 icon: https://github.com/benphelps/homepage/blob/de584eae8f12a0d257e554e9511ef19bd2a1232c/public/mstile-150x150.png
-appVersion: v0.8.11
+appVersion: v0.8.12
--- a/charts/homepage/templates/deployment.yaml
+++ b/charts/homepage/templates/deployment.yaml
@@ -9,6 +9,10 @@ metadata:
    app.kubernetes.io/version: {{ .Chart.AppVersion }}
    app.kubernetes.io/component: web
    app.kubernetes.io/part-of: homepage
+  annotations:
+    {{- with .Values.deployment.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}    
 spec:
  revisionHistoryLimit: 3
  replicas: {{ .Values.deployment.replicas }}
--- a/charts/homepage/values.yaml
+++ b/charts/homepage/values.yaml
@@ -1,9 +1,10 @@
 deployment:
+  annotations: {}
  replicas: 1
  strategy: Recreate
  image:
    repository: ghcr.io/gethomepage/homepage
-    tag: v0.8.11
+    tag: v0.8.12
    imagePullPolicy: IfNotPresent
  env:
  envFrom:
--- a/charts/kyoo/Chart.yaml
+++ b/charts/kyoo/Chart.yaml
@@ -0,0 +1,23 @@
+apiVersion: v2
+name: kyoo
+version: 0.1.9
+description: Chart for Kyoo
+keywords:
+  - media
+sources:
+  - https://github.com/zoriya/Kyoo
+  - https://github.com/rabbitmq/rabbitmq-server
+  - https://github.com/bitnami/charts/tree/main/bitnami/rabbitmq
+  - https://github.com/meilisearch/meilisearch
+  - https://github.com/meilisearch/meilisearch-kubernetes/tree/main/charts/meilisearch
+maintainers:
+  - name: alexlebens
+icon: https://raw.githubusercontent.com/zoriya/Kyoo/master/icons/icon-256x256.png
+dependencies:
+  - name: rabbitmq
+    version: 14.0.1
+    repository: https://charts.bitnami.com/bitnami
+  - name: meilisearch
+    version: 0.6.1
+    repository: https://meilisearch.github.io/meilisearch-kubernetes  
+appVersion: v4.4.0
--- a/charts/kyoo/README.md
+++ b/charts/kyoo/README.md
@@ -0,0 +1,17 @@
+## Introduction
+
+[Kyoo](https://github.com/zoriya/Kyoo)
+
+A portable and vast media library solution.
+
+This chart bootstraps a [Kyoo](https://github.com/zoriya/Kyoo) deployment on a [Kubernetes](https://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager.
+
+
+## Prerequisites
+
+- Kubernetes
+- Helm
+
+## Parameters
+
+See the [values files](values.yaml).
--- a/charts/kyoo/templates/_helpers.tpl
+++ b/charts/kyoo/templates/_helpers.tpl
@@ -0,0 +1,155 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "kyoo.name" -}}
+  {{- default .Chart.Name .Values.global.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+*/}}
+{{- define "kyoo.fullname" -}}
+  {{- if .Values.global.fullnameOverride -}}
+    {{- .Values.global.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+  {{- else -}}
+    {{- $name := default .Chart.Name .Values.global.nameOverride -}}
+    {{- if contains $name .Release.Name -}}
+      {{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+    {{- else -}}
+      {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+    {{- end -}}
+  {{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label
+*/}}
+{{- define "kyoo.chart" -}}
+  {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Common labels
+*/}}
+{{- define "kyoo.labels" -}}
+app.kubernetes.io/name: {{ template "kyoo.name" . }}
+helm.sh/chart: {{ template "kyoo.chart" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end -}}
+
+{{/*
+Common labels for specific components
+*/}}
+{{- define "kyoo.autosync.labels" -}}
+app.kubernetes.io/name: {{ template "kyoo.name" . }}-autosync
+helm.sh/chart: {{ template "kyoo.chart" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end -}}
+{{- define "kyoo.back.labels" -}}
+app.kubernetes.io/name: {{ template "kyoo.name" . }}-back
+helm.sh/chart: {{ template "kyoo.chart" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end -}}
+{{- define "kyoo.front.labels" -}}
+app.kubernetes.io/name: {{ template "kyoo.name" . }}-front
+helm.sh/chart: {{ template "kyoo.chart" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end -}}
+{{- define "kyoo.matcher.labels" -}}
+app.kubernetes.io/name: {{ template "kyoo.name" . }}-matcher
+helm.sh/chart: {{ template "kyoo.chart" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end -}}
+{{- define "kyoo.migrations.labels" -}}
+app.kubernetes.io/name: {{ template "kyoo.name" . }}-migrations
+helm.sh/chart: {{ template "kyoo.chart" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end -}}
+{{- define "kyoo.scanner.labels" -}}
+app.kubernetes.io/name: {{ template "kyoo.name" . }}-scanner
+helm.sh/chart: {{ template "kyoo.chart" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end -}}
+{{- define "kyoo.transcoder.labels" -}}
+app.kubernetes.io/name: {{ template "kyoo.name" . }}-transcoder
+helm.sh/chart: {{ template "kyoo.chart" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end -}}
+
+{{/*
+Labels to use on deploy.spec.selector.matchLabels and svc.spec.selector
+*/}}
+{{- define "kyoo.matchLabels" -}}
+app.kubernetes.io/name: {{ template "kyoo.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end -}}
+{{- define "kyoo.autosync.matchLabels" -}}
+app.kubernetes.io/name: {{ template "kyoo.name" . }}-autosync
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end -}}
+{{- define "kyoo.back.matchLabels" -}}
+app.kubernetes.io/name: {{ template "kyoo.name" . }}-back
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end -}}
+{{- define "kyoo.front.matchLabels" -}}
+app.kubernetes.io/name: {{ template "kyoo.name" . }}-front
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end -}}
+{{- define "kyoo.matcher.matchLabels" -}}
+app.kubernetes.io/name: {{ template "kyoo.name" . }}-matcher
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end -}}
+{{- define "kyoo.migrations.matchLabels" -}}
+app.kubernetes.io/name: {{ template "kyoo.name" . }}-migrations
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end -}}
+{{- define "kyoo.scanner.matchLabels" -}}
+app.kubernetes.io/name: {{ template "kyoo.name" . }}-scanner
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end -}}
+{{- define "kyoo.transcoder.matchLabels" -}}
+app.kubernetes.io/name: {{ template "kyoo.name" . }}-transcoder
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end -}}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "kyoo.serviceAccountName" -}}
+  {{- if .Values.serviceAccount.create -}}
+    {{ default (include "kyoo.fullname" .) .Values.serviceAccount.name }}
+  {{- else -}}
+    {{ default "default" .Values.serviceAccount.name }}
+  {{- end -}}
+{{- end -}}
+
+{{/*
+Create the name of the back persistent volume
+*/}}
+{{- define "kyoo.backVolumeName" -}}
+  {{- if .Values.persistence.back.existingClaim -}}
+    {{ .Values.persistence.back.existingClaim }}
+  {{- else -}}
+    {{ printf "%s-back" (include "kyoo.fullname" .) | trunc 63 | trimSuffix "-" }}
+  {{- end -}}
+{{- end -}}
+
+{{/*
+Create the name of the metadata persistent volume
+*/}}
+{{- define "kyoo.metadataVolumeName" -}}
+  {{- if .Values.persistence.metadata.existingClaim -}}
+    {{ .Values.persistence.metadata.existingClaim }}
+  {{- else -}}
+    {{ printf "%s-metadata" (include "kyoo.fullname" .) | trunc 63 | trimSuffix "-" }}
+  {{- end -}}
+{{- end -}}
--- a/charts/kyoo/templates/deployment-autosync.yaml
+++ b/charts/kyoo/templates/deployment-autosync.yaml
@@ -0,0 +1,75 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ template "kyoo.fullname" . }}-autosync
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    {{- with .Values.global.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+  labels:
+    {{- include "kyoo.autosync.labels" . | nindent 4 }}
+    {{- with .Values.global.labels }}
+    {{ toYaml . | nindent 4 }}
+    {{- end }}
+spec:
+  revisionHistoryLimit: 3
+  replicas: {{ .Values.autosync.replicas }}
+  strategy:
+    type: Recreate
+  selector:
+    matchLabels:
+      {{- include "kyoo.autosync.matchLabels" . | nindent 6 }}
+  template:
+    metadata:
+      labels:
+        {{- include "kyoo.autosync.labels" . | nindent 8 }}
+        app.kubernetes.io/component: {{ template "kyoo.name" . }}-autosync
+      annotations:
+        {{- with .Values.autosync.podAnnotations }}
+        {{ toYaml . | nindent 8 }}
+        {{- end }}
+    spec:
+      affinity:
+        {{- with .Values.autosync.affinity }}
+        {{ toYaml . | nindent 8 }}
+        {{- end }}
+      nodeSelector:
+        {{- with .Values.autosync.nodeSelector }}
+        {{ toYaml . | nindent 8 }}
+        {{- end }}
+      tolerations:
+        {{- with .Values.autosync.tolerations }}
+        {{ toYaml . | nindent 8 }}
+        {{- end }}
+      serviceAccountName: {{ template "kyoo.serviceAccountName" . }}
+      securityContext:
+        {{- with .Values.autosync.securityContext }}
+        {{ toYaml . | nindent 8 }}
+        {{- end }}
+      containers:
+        - name: {{ template "kyoo.fullname" . }}-autosync
+          image: "{{ .Values.autosync.image.repository }}:{{ .Values.autosync.image.tag }}"
+          imagePullPolicy: {{ .Values.autosync.image.pullPolicy }}
+          resources:
+            {{ toYaml .Values.autosync.resources | nindent 12 }}
+          env:
+            - name: RABBITMQ_HOST
+              value: {{ template "kyoo.fullname" . }}-rabbitmq
+            - name: RABBITMQ_DEFAULT_USER
+              value: "{{ .Values.rabbitmq.auth.username }}"
+            - name: RABBITMQ_DEFAULT_PASS
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Values.rabbitmq.auth.existingPasswordSecret }}"
+                  key: "{{ .Values.rabbitmq.auth.existingSecretPasswordKey }}"
+          {{ if .Values.config.secretAPIKey.existingSimklSecretKey }}
+            - name: OIDC_SIMKL_CLIENTID
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Values.config.secretAPIKey.existingSecretName }}"
+                  key: "{{ .Values.config.secretAPIKey.existingSimklSecretKey }}"
+          {{ end }}
+          {{- with .Values.autosync.extraVars }}
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
--- a/charts/kyoo/templates/deployment-back.yaml
+++ b/charts/kyoo/templates/deployment-back.yaml
@@ -0,0 +1,173 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ template "kyoo.fullname" . }}-back
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    {{- with .Values.global.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+  labels:
+    {{- include "kyoo.back.labels" . | nindent 4 }}
+    {{- with .Values.global.labels }}
+    {{ toYaml . | nindent 4 }}
+    {{- end }}
+spec:
+  revisionHistoryLimit: 3
+  replicas: {{ .Values.back.replicas }}
+  strategy:
+    type: Recreate
+  selector:
+    matchLabels:
+      {{- include "kyoo.back.matchLabels" . | nindent 6 }}
+  template:
+    metadata:
+      labels:
+        {{- include "kyoo.back.labels" . | nindent 8 }}
+        app.kubernetes.io/component: {{ template "kyoo.name" . }}-back
+      annotations:
+        {{- with .Values.back.podAnnotations }}
+        {{ toYaml . | nindent 8 }}
+        {{- end }}
+    spec:
+      affinity:
+        {{- with .Values.back.affinity }}
+        {{ toYaml . | nindent 8 }}
+        {{- end }}
+      nodeSelector:
+        {{- with .Values.back.nodeSelector }}
+        {{ toYaml . | nindent 8 }}
+        {{- end }}
+      tolerations:
+        {{- with .Values.back.tolerations }}
+        {{ toYaml . | nindent 8 }}
+        {{- end }}
+      serviceAccountName: {{ template "kyoo.serviceAccountName" . }}
+      securityContext:
+        {{- with .Values.back.securityContext }}
+        {{ toYaml . | nindent 8 }}
+        {{- end }}
+      containers:
+        - name: {{ template "kyoo.fullname" . }}-back
+          image: "{{ .Values.back.image.repository }}:{{ .Values.back.image.tag }}"
+          imagePullPolicy: {{ .Values.back.image.pullPolicy }}
+          resources:
+            {{ toYaml .Values.back.resources | nindent 12 }}
+          ports:
+            - name: kyoo-back
+              containerPort: {{ .Values.back.service.port }}
+              protocol: TCP
+          volumeMounts:
+            - name: kyoo-back
+              mountPath: /kyoo
+          env:
+          {{- with .Values.back.extraVars }}
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+
+            - name: REQUIRE_ACCOUNT_VERIFICATION
+              value: "{{ .Values.config.requireAccountVerification }}"
+            - name: UNLOGGED_PERMISSIONS
+              value: "{{ .Values.config.unloggedPermissions }}"
+            - name: DEFAULT_PERMISSIONS
+              value: "{{ .Values.config.defaultPermissions }}"
+            - name: AUTHENTICATION_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Values.config.secretAuthenticationKey.existingSecretName }}"
+                  key: "{{ .Values.config.secretAuthenticationKey.existingSecretKey }}"
+            - name: KYOO_APIKEYS
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Values.config.secretAPIKey.existingSecretName }}"
+                  key: "{{ .Values.config.secretAPIKey.existingKyooSecretKey }}"
+            - name: PUBLIC_URL
+              value: "{{ .Values.config.publicUrl }}"
+            - name: POSTGRES_USER
+              value: "{{ .Values.config.postgresql.username }}"
+            - name: POSTGRES_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Values.config.postgresql.existingSecretName }}"
+                  key: "{{ .Values.config.postgresql.passwordKey }}"
+            - name: POSTGRES_DB
+              value: "{{ .Values.config.postgresql.database }}"
+            - name: POSTGRES_SERVER
+              value: "{{ .Values.config.postgresql.host }}"
+            - name: POSTGRES_PORT
+              value: "{{ .Values.config.postgresql.port }}"
+
+          {{ if .Values.config.oidc.enabled }}
+            - name: OIDC_SERVICE_NAME
+              value: "{{ .Values.config.oidc.name }}"
+            - name: OIDC_SERVICE_LOGO
+              value: "{{ .Values.config.oidc.logo }}"
+            - name: OIDC_SERVICE_AUTHORIZATION
+              value: "{{ .Values.config.oidc.authorization }}"
+            - name: OIDC_SERVICE_TOKEN
+              value: "{{ .Values.config.oidc.token }}"
+            - name: OIDC_SERVICE_PROFILE
+              value: "{{ .Values.config.oidc.profile }}"
+            - name: OIDC_SERVICE_SCOPE
+              value: "{{ .Values.config.oidc.scope }}"
+            - name: OIDC_CLIENT_ID
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Values.config.oidc.existingSecretName }}"
+                  key: "{{ .Values.config.oidc.clientIDKey }}"
+            - name: OIDC_CLIENT_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Values.config.oidc.existingSecretName }}"
+                  key: "{{ .Values.config.oidc.secretIDKey }}"
+          {{ end }}
+
+            - name: MEILI_HOST
+              value: http://{{ template "kyoo.fullname" . }}-meilisearch.{{ .Release.Namespace }}:{{ .Values.meilisearch.service.port }}
+            - name: MEILI_MASTER_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Values.meilisearch.auth.existingMasterKeySecret }}"
+                  key: MEILI_MASTER_KEY
+            - name: RABBITMQ_HOST
+              value: {{ template "kyoo.fullname" . }}-rabbitmq
+            - name: RABBITMQ_DEFAULT_USER
+              value: "{{ .Values.rabbitmq.auth.username }}"
+            - name: RABBITMQ_DEFAULT_PASS
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Values.rabbitmq.auth.existingPasswordSecret }}"
+                  key: "{{ .Values.rabbitmq.auth.existingSecretPasswordKey }}"
+
+          {{- if .Values.back.livenessProbe.enabled }}
+          livenessProbe:
+            httpGet:
+              path: {{ .Values.back.livenessProbe.path }}
+              port: {{ .Values.back.service.port }}
+            initialDelaySeconds: {{ .Values.back.livenessProbe.initialDelaySeconds }}
+            periodSeconds: {{ .Values.back.livenessProbe.periodSeconds }}
+            timeoutSeconds: {{ .Values.back.livenessProbe.timeoutSeconds }}
+            successThreshold: {{ .Values.back.livenessProbe.successThreshold }}
+            failureThreshold: {{ .Values.back.livenessProbe.failureThreshold }}
+          {{- end }}
+
+          {{- if .Values.back.readinessProbe.enabled }}
+          readinessProbe:
+            httpGet:
+              path: {{ .Values.back.livenessProbe.path }}
+              port: {{ .Values.back.service.port }}
+            initialDelaySeconds: {{ .Values.back.readinessProbe.initialDelaySeconds }}
+            periodSeconds: {{ .Values.back.readinessProbe.periodSeconds }}
+            timeoutSeconds: {{ .Values.back.readinessProbe.timeoutSeconds }}
+            successThreshold: {{ .Values.back.readinessProbe.successThreshold }}
+            failureThreshold: {{ .Values.back.readinessProbe.failureThreshold }}
+          {{- end }}
+
+      volumes:
+        - name: kyoo-back
+      {{- if .Values.persistence.back.enabled }}
+          persistentVolumeClaim:
+            claimName: {{ include "kyoo.backVolumeName" . }}
+      {{- else }}
+          emptyDir: {}
+      {{- end }}
--- a/charts/kyoo/templates/deployment-front.yaml
+++ b/charts/kyoo/templates/deployment-front.yaml
@@ -0,0 +1,90 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ template "kyoo.fullname" . }}-front
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    {{- with .Values.global.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+  labels:
+    {{- include "kyoo.front.labels" . | nindent 4 }}
+    {{- with .Values.global.labels }}
+    {{ toYaml . | nindent 4 }}
+    {{- end }}
+spec:
+  revisionHistoryLimit: 3
+  replicas: {{ .Values.front.replicas }}
+  strategy:
+    type: Recreate
+  selector:
+    matchLabels:
+      {{- include "kyoo.front.matchLabels" . | nindent 6 }}
+  template:
+    metadata:
+      labels:
+        {{- include "kyoo.front.labels" . | nindent 8 }}
+        app.kubernetes.io/component: {{ template "kyoo.name" . }}-front
+      annotations:
+        {{- with .Values.front.podAnnotations }}
+        {{ toYaml . | nindent 8 }}
+        {{- end }}
+    spec:
+      affinity:
+        {{- with .Values.front.affinity }}
+        {{ toYaml . | nindent 8 }}
+        {{- end }}
+      nodeSelector:
+        {{- with .Values.front.nodeSelector }}
+        {{ toYaml . | nindent 8 }}
+        {{- end }}
+      tolerations:
+        {{- with .Values.front.tolerations }}
+        {{ toYaml . | nindent 8 }}
+        {{- end }}
+      serviceAccountName: {{ template "kyoo.serviceAccountName" . }}
+      securityContext:
+        {{- with .Values.front.securityContext }}
+        {{ toYaml . | nindent 8 }}
+        {{- end }}
+      containers:
+        - name: {{ template "kyoo.fullname" . }}-front
+          image: "{{ .Values.front.image.repository }}:{{ .Values.front.image.tag }}"
+          imagePullPolicy: {{ .Values.front.image.pullPolicy }}
+          resources:
+            {{ toYaml .Values.front.resources | nindent 12 }}
+          ports:
+            - name: kyoo-front
+              containerPort: {{ .Values.front.service.port }}
+              protocol: TCP
+          env:
+          {{- with .Values.back.extraVars }}
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+
+            - name: KYOO_URL
+              value: http://{{ template "kyoo.fullname" . }}-back.{{ .Release.Namespace }}:{{ .Values.back.service.port }}
+
+          {{- if .Values.front.livenessProbe.enabled }}
+          livenessProbe:
+            httpGet:
+              path: {{ .Values.front.livenessProbe.path }}
+              port: {{ .Values.front.service.port }}
+            initialDelaySeconds: {{ .Values.front.livenessProbe.initialDelaySeconds }}
+            periodSeconds: {{ .Values.front.livenessProbe.periodSeconds }}
+            timeoutSeconds: {{ .Values.front.livenessProbe.timeoutSeconds }}
+            successThreshold: {{ .Values.front.livenessProbe.successThreshold }}
+            failureThreshold: {{ .Values.front.livenessProbe.failureThreshold }}
+          {{- end }}
+
+          {{- if .Values.front.readinessProbe.enabled }}
+          readinessProbe:
+            httpGet:
+              path: {{ .Values.front.livenessProbe.path }}
+              port: {{ .Values.front.service.port }}
+            initialDelaySeconds: {{ .Values.front.readinessProbe.initialDelaySeconds }}
+            periodSeconds: {{ .Values.front.readinessProbe.periodSeconds }}
+            timeoutSeconds: {{ .Values.front.readinessProbe.timeoutSeconds }}
+            successThreshold: {{ .Values.front.readinessProbe.successThreshold }}
+            failureThreshold: {{ .Values.front.readinessProbe.failureThreshold }}
+          {{- end }}
--- a/charts/kyoo/templates/deployment-matcher.yaml
+++ b/charts/kyoo/templates/deployment-matcher.yaml
@@ -0,0 +1,92 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ template "kyoo.fullname" . }}-matcher
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    {{- with .Values.global.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+  labels:
+    {{- include "kyoo.matcher.labels" . | nindent 4 }}
+    {{- with .Values.global.labels }}
+    {{ toYaml . | nindent 4 }}
+    {{- end }}
+spec:
+  revisionHistoryLimit: 3
+  replicas: {{ .Values.matcher.replicas }}
+  strategy:
+    type: Recreate
+  selector:
+    matchLabels:
+      {{- include "kyoo.matcher.matchLabels" . | nindent 6 }}
+  template:
+    metadata:
+      labels:
+        {{- include "kyoo.matcher.labels" . | nindent 8 }}
+        app.kubernetes.io/component: {{ template "kyoo.name" . }}-matcher
+      annotations:
+        {{- with .Values.matcher.podAnnotations }}
+        {{ toYaml . | nindent 8 }}
+        {{- end }}
+    spec:
+      affinity:
+        {{- with .Values.matcher.affinity }}
+        {{ toYaml . | nindent 8 }}
+        {{- end }}
+      nodeSelector:
+        {{- with .Values.matcher.nodeSelector }}
+        {{ toYaml . | nindent 8 }}
+        {{- end }}
+      tolerations:
+        {{- with .Values.matcher.tolerations }}
+        {{ toYaml . | nindent 8 }}
+        {{- end }}
+      serviceAccountName: {{ template "kyoo.serviceAccountName" . }}
+      securityContext:
+        {{- with .Values.matcher.securityContext }}
+        {{ toYaml . | nindent 8 }}
+        {{- end }}
+      containers:
+        - name: {{ template "kyoo.fullname" . }}-matcher
+          image: "{{ .Values.matcher.image.repository }}:{{ .Values.matcher.image.tag }}"
+          imagePullPolicy: {{ .Values.matcher.image.pullPolicy }}
+          resources:
+            {{ toYaml .Values.matcher.resources | nindent 12 }}
+          command:
+            - matcher
+          env:
+          {{- with .Values.back.extraVars }}
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+
+            - name: KYOO_URL
+              value: http://{{ template "kyoo.fullname" . }}-back.{{ .Release.Namespace }}:{{ .Values.back.service.port }}
+
+          {{- if .Values.config.secretAPIKey.existingKyooSecretKey }}
+            - name: KYOO_APIKEYS
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Values.config.secretAPIKey.existingSecretName }}"
+                  key: "{{ .Values.config.secretAPIKey.existingKyooSecretKey }}"
+          {{- end }}
+
+          {{- if .Values.config.secretAPIKey.existingTMDBSecretKey }}
+            - name: THEMOVIEDB_APIKEY
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Values.config.secretAPIKey.existingSecretName }}"
+                  key: "{{ .Values.config.secretAPIKey.existingTMDBSecretKey }}"
+          {{- end }}
+
+            - name: LIBRARY_LANGUAGES
+              value: "{{ .Values.config.libraryLanguages }}"
+            - name: RABBITMQ_HOST
+              value: {{ template "kyoo.fullname" . }}-rabbitmq
+            - name: RABBITMQ_DEFAULT_USER
+              value: "{{ .Values.rabbitmq.auth.username }}"
+            - name: RABBITMQ_DEFAULT_PASS
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Values.rabbitmq.auth.existingPasswordSecret }}"
+                  key: "{{ .Values.rabbitmq.auth.existingSecretPasswordKey }}"
--- a/charts/kyoo/templates/deployment-migrations.yaml
+++ b/charts/kyoo/templates/deployment-migrations.yaml
@@ -0,0 +1,133 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ template "kyoo.fullname" . }}-migrations
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    {{- with .Values.global.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+  labels:
+    {{- include "kyoo.migrations.labels" . | nindent 4 }}
+    {{- with .Values.global.labels }}
+    {{ toYaml . | nindent 4 }}
+    {{- end }}
+spec:
+  revisionHistoryLimit: 3
+  replicas: {{ .Values.migrations.replicas }}
+  strategy:
+    type: Recreate
+  selector:
+    matchLabels:
+      {{- include "kyoo.migrations.matchLabels" . | nindent 6 }}
+  template:
+    metadata:
+      labels:
+        {{- include "kyoo.migrations.labels" . | nindent 8 }}
+        app.kubernetes.io/component: {{ template "kyoo.name" . }}-migrations
+      annotations:
+        {{- with .Values.migrations.podAnnotations }}
+        {{ toYaml . | nindent 8 }}
+        {{- end }}
+    spec:
+      affinity:
+        {{- with .Values.migrations.affinity }}
+        {{ toYaml . | nindent 8 }}
+        {{- end }}
+      nodeSelector:
+        {{- with .Values.migrations.nodeSelector }}
+        {{ toYaml . | nindent 8 }}
+        {{- end }}
+      tolerations:
+        {{- with .Values.migrations.tolerations }}
+        {{ toYaml . | nindent 8 }}
+        {{- end }}
+      serviceAccountName: {{ template "kyoo.serviceAccountName" . }}
+      securityContext:
+        {{- with .Values.migrations.securityContext }}
+        {{ toYaml . | nindent 8 }}
+        {{- end }}
+      containers:
+        - name: {{ template "kyoo.fullname" . }}-migrations
+          image: "{{ .Values.migrations.image.repository }}:{{ .Values.migrations.image.tag }}"
+          imagePullPolicy: {{ .Values.migrations.image.pullPolicy }}
+          resources:
+            {{ toYaml .Values.migrations.resources | nindent 12 }}
+          env:
+          {{- with .Values.back.extraVars }}
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+
+            - name: REQUIRE_ACCOUNT_VERIFICATION
+              value: "{{ .Values.config.requireAccountVerification }}"
+            - name: UNLOGGED_PERMISSIONS
+              value: "{{ .Values.config.unloggedPermissions }}"
+            - name: DEFAULT_PERMISSIONS
+              value: "{{ .Values.config.defaultPermissions }}"
+            - name: AUTHENTICATION_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Values.config.secretAuthenticationKey.existingSecretName }}"
+                  key: "{{ .Values.config.secretAuthenticationKey.existingSecretKey }}"
+            - name: KYOO_APIKEYS
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Values.config.secretAPIKey.existingSecretName }}"
+                  key: "{{ .Values.config.secretAPIKey.existingKyooSecretKey }}"
+            - name: PUBLIC_URL
+              value: "{{ .Values.config.publicUrl }}"
+            - name: POSTGRES_USER
+              value: "{{ .Values.config.postgresql.username }}"
+            - name: POSTGRES_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Values.config.postgresql.existingSecretName }}"
+                  key: "{{ .Values.config.postgresql.passwordKey }}"
+            - name: POSTGRES_DB
+              value: "{{ .Values.config.postgresql.database }}"
+            - name: POSTGRES_SERVER
+              value: "{{ .Values.config.postgresql.host }}"
+            - name: POSTGRES_PORT
+              value: "{{ .Values.config.postgresql.port }}"
+
+          {{ if .Values.config.oidc.enabled }}
+            - name: OIDC_SERVICE_NAME
+              value: "{{ .Values.config.oidc.name }}"
+            - name: OIDC_SERVICE_LOGO
+              value: "{{ .Values.config.oidc.logo }}"
+            - name: OIDC_SERVICE_AUTHORIZATION
+              value: "{{ .Values.config.oidc.authorization }}"
+            - name: OIDC_SERVICE_TOKEN
+              value: "{{ .Values.config.oidc.token }}"
+            - name: OIDC_SERVICE_PROFILE
+              value: "{{ .Values.config.oidc.profile }}"
+            - name: OIDC_SERVICE_SCOPE
+              value: "{{ .Values.config.oidc.scope }}"
+            - name: OIDC_CLIENT_ID
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Values.config.oidc.existingSecretName }}"
+                  key: "{{ .Values.config.oidc.clientIDKey }}"
+            - name: OIDC_CLIENT_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Values.config.oidc.existingSecretName }}"
+                  key: "{{ .Values.config.oidc.secretIDKey }}"
+          {{ end }}
+
+            - name: MEILI_HOST
+              value: http://{{ template "kyoo.fullname" . }}-meilisearch.{{ .Release.Namespace }}:{{ .Values.meilisearch.service.port }}
+            - name: MEILI_MASTER_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Values.meilisearch.auth.existingMasterKeySecret }}"
+                  key: MEILI_MASTER_KEY
+            - name: RABBITMQ_HOST
+              value: {{ template "kyoo.fullname" . }}-rabbitmq
+            - name: RABBITMQ_DEFAULT_USER
+              value: "{{ .Values.rabbitmq.auth.username }}"
+            - name: RABBITMQ_DEFAULT_PASS
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Values.rabbitmq.auth.existingPasswordSecret }}"
+                  key: "{{ .Values.rabbitmq.auth.existingSecretPasswordKey }}"
--- a/charts/kyoo/templates/deployment-scanner.yaml
+++ b/charts/kyoo/templates/deployment-scanner.yaml
@@ -0,0 +1,108 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ template "kyoo.fullname" . }}-scanner
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    {{- with .Values.global.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+  labels:
+    {{- include "kyoo.scanner.labels" . | nindent 4 }}
+    {{- with .Values.global.labels }}
+    {{ toYaml . | nindent 4 }}
+    {{- end }}
+spec:
+  revisionHistoryLimit: 3
+  replicas: {{ .Values.scanner.replicas }}
+  strategy:
+    type: Recreate
+  selector:
+    matchLabels:
+      {{- include "kyoo.scanner.matchLabels" . | nindent 6 }}
+  template:
+    metadata:
+      labels:
+        {{- include "kyoo.scanner.labels" . | nindent 8 }}
+        app.kubernetes.io/component: {{ template "kyoo.name" . }}-scanner
+      annotations:
+        {{- with .Values.scanner.podAnnotations }}
+        {{ toYaml . | nindent 8 }}
+        {{- end }}
+    spec:
+      affinity:
+        {{- with .Values.scanner.affinity }}
+        {{ toYaml . | nindent 8 }}
+        {{- end }}
+      nodeSelector:
+        {{- with .Values.scanner.nodeSelector }}
+        {{ toYaml . | nindent 8 }}
+        {{- end }}
+      tolerations:
+        {{- with .Values.scanner.tolerations }}
+        {{ toYaml . | nindent 8 }}
+        {{- end }}
+      serviceAccountName: {{ template "kyoo.serviceAccountName" . }}
+      securityContext:
+        {{- with .Values.scanner.securityContext }}
+        {{ toYaml . | nindent 8 }}
+        {{- end }}
+      containers:
+        - name: {{ template "kyoo.fullname" . }}-scanner
+          image: "{{ .Values.scanner.image.repository }}:{{ .Values.scanner.image.tag }}"
+          imagePullPolicy: {{ .Values.scanner.image.pullPolicy }}
+          resources:
+            {{ toYaml .Values.scanner.resources | nindent 12 }}
+          volumeMounts:
+            - name: kyoo-library
+              mountPath: "{{ .Values.persistence.library.mountPath }}"
+          command:
+            - scanner
+          env:
+          {{- with .Values.back.extraVars }}
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+
+            - name: KYOO_URL
+              value: http://{{ template "kyoo.fullname" . }}-back.{{ .Release.Namespace }}:{{ .Values.back.service.port }}
+
+          {{- if .Values.config.secretAPIKey.existingKyooSecretKey }}
+            - name: KYOO_APIKEYS
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Values.config.secretAPIKey.existingSecretName }}"
+                  key: "{{ .Values.config.secretAPIKey.existingKyooSecretKey }}"
+          {{- end }}
+
+          {{- if .Values.config.secretAPIKey.existingTMDBSecretKey }}
+            - name: THEMOVIEDB_APIKEY
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Values.config.secretAPIKey.existingSecretName }}"
+                  key: "{{ .Values.config.secretAPIKey.existingTMDBSecretKey }}"
+          {{- end }}
+
+            - name: LIBRARY_LANGUAGES
+              value: "{{ .Values.config.libraryLanguages }}"
+            - name: LIBRARY_IGNORE_PATTERN
+              value: "{{ .Values.config.libraryIgnorePattern }}"
+            - name: SCANNER_LIBRARY_ROOT
+              value: "{{ .Values.persistence.library.mountPath }}"
+            - name: RABBITMQ_HOST
+              value: {{ template "kyoo.fullname" . }}-rabbitmq
+            - name: RABBITMQ_DEFAULT_USER
+              value: "{{ .Values.rabbitmq.auth.username }}"
+            - name: RABBITMQ_DEFAULT_PASS
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Values.rabbitmq.auth.existingPasswordSecret }}"
+                  key: "{{ .Values.rabbitmq.auth.existingSecretPasswordKey }}"
+
+      volumes:
+        - name: kyoo-library
+      {{- if .Values.persistence.library.enabled }}
+          persistentVolumeClaim:
+            claimName: {{ .Values.persistence.library.existingClaim }}
+      {{- else }}
+          emptyDir: {}
+      {{- end }}
--- a/charts/kyoo/templates/deployment-transcoder.yaml
+++ b/charts/kyoo/templates/deployment-transcoder.yaml
@@ -0,0 +1,114 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ template "kyoo.fullname" . }}-transcoder
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    {{- with .Values.global.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+  labels:
+    {{- include "kyoo.transcoder.labels" . | nindent 4 }}
+    {{- with .Values.global.labels }}
+    {{ toYaml . | nindent 4 }}
+    {{- end }}
+spec:
+  revisionHistoryLimit: 3
+  replicas: {{ .Values.transcoder.replicas }}
+  strategy:
+    type: Recreate
+  selector:
+    matchLabels:
+      {{- include "kyoo.transcoder.matchLabels" . | nindent 6 }}
+  template:
+    metadata:
+      labels:
+        {{- include "kyoo.transcoder.labels" . | nindent 8 }}
+        app.kubernetes.io/component: {{ template "kyoo.name" . }}-transcoder
+      annotations:
+        {{- with .Values.transcoder.podAnnotations }}
+        {{ toYaml . | nindent 8 }}
+        {{- end }}
+    spec:
+      affinity:
+        {{- with .Values.transcoder.affinity }}
+        {{ toYaml . | nindent 8 }}
+        {{- end }}
+      nodeSelector:
+        {{- with .Values.transcoder.nodeSelector }}
+        {{ toYaml . | nindent 8 }}
+        {{- end }}
+      tolerations:
+        {{- with .Values.transcoder.tolerations }}
+        {{ toYaml . | nindent 8 }}
+        {{- end }}
+      serviceAccountName: {{ template "kyoo.serviceAccountName" . }}
+      securityContext:
+        {{- with .Values.transcoder.securityContext }}
+        {{ toYaml . | nindent 8 }}
+        {{- end }}
+      containers:
+        - name: {{ template "kyoo.fullname" . }}-transcoder
+          image: "{{ .Values.transcoder.image.repository }}:{{ .Values.transcoder.image.tag }}"
+          imagePullPolicy: {{ .Values.transcoder.image.pullPolicy }}
+          resources:
+            {{ toYaml .Values.transcoder.resources | nindent 12 }}
+          ports:
+            - name: kyoo-transcoder
+              containerPort: {{ .Values.transcoder.service.port }}
+              protocol: TCP
+          volumeMounts:
+            - name: kyoo-metadata
+              mountPath: "{{ .Values.persistence.metadata.mountPath }}"
+            - name: kyoo-cache
+              mountPath: "{{ .Values.persistence.cache.mountPath }}"
+            - name: kyoo-library
+              mountPath: "{{ .Values.persistence.library.mountPath }}"
+          env:
+          {{- with .Values.back.extraVars }}
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+
+          {{- if eq .Values.config.transcoderProfile "vaapi" }}
+            - name: GOCODER_HWACCEL
+              value: "vaapi"
+            - name: GOCODER_VAAPI_RENDERER
+              value: "{{ .Values.config.transcoderRenderPath }}"
+          {{- else if eq .Values.config.transcoderProfile "qsv" }}
+            - name: GOCODER_HWACCEL
+              value: "qsv"
+            - name: GOCODER_QSV_RENDERER
+              value: "{{ .Values.config.transcoderRenderPath }}"
+          {{- else if eq .Values.config.transcoderProfile "nvidia" }}
+            - name: GOCODER_HWACCEL
+              value: "nvidia"
+          {{- else }}
+            - name: GOCODER_HWACCEL
+              value: "disabled"
+          {{- end }}
+
+            - name: GOCODER_PRESET
+              value: "{{ .Values.config.transcoderPreset }}"
+            - name: GOCODER_METADATA_ROOT
+              value: "{{ .Values.persistence.metadata.mountPath }}"
+            - name: GOCODER_CACHE_ROOT
+              value: "{{ .Values.persistence.cache.mountPath }}"
+
+      volumes:
+        - name: kyoo-metadata
+      {{- if .Values.persistence.metadata.enabled }}
+          persistentVolumeClaim:
+            claimName: {{ include "kyoo.metadataVolumeName" . }}
+      {{- else }}
+          emptyDir: {}
+      {{- end }}
+        - name: kyoo-cache
+          emptyDir:
+            sizeLimit: {{ .Values.persistence.cache.size }}
+        - name: kyoo-library
+      {{- if .Values.persistence.library.enabled }}
+          persistentVolumeClaim:
+            claimName: {{ .Values.persistence.library.existingClaim }}
+      {{- else }}
+          emptyDir: {}
+      {{- end }}
--- a/charts/kyoo/templates/ingress.yaml
+++ b/charts/kyoo/templates/ingress.yaml
@@ -0,0 +1,44 @@
+{{- if .Values.ingress.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: {{ template "kyoo.fullname" . }}
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    {{- with .Values.global.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    {{- toYaml .Values.ingress.annotations | nindent 4 }}
+  labels:
+    {{- include "kyoo.labels" . | nindent 4 }}
+    {{- with .Values.global.labels }}
+    {{ toYaml . | nindent 4 }}
+    {{- end }}
+    {{- with .Values.ingress.labels }}
+    {{ toYaml . | nindent 4 }}
+    {{- end }}
+spec:
+  ingressClassName: {{ .Values.ingress.className }}
+  tls:
+    - hosts:
+      - {{ .Values.ingress.host }}
+      secretName: {{ template "kyoo.fullname" . }}-secret-tls
+  rules:
+    - host: {{ .Values.ingress.host }}
+      http:
+        paths:
+          - path: /
+            backend:
+              service:
+                name: "{{ template "kyoo.fullname" . }}-front"
+                port:
+                  name: kyoo-front
+            pathType: ImplementationSpecific
+          - path: /api
+            backend:
+              service:
+                name: "{{ template "kyoo.fullname" . }}-back"
+                port:
+                  name: kyoo-back
+            pathType: ImplementationSpecific
+{{- end }}
--- a/charts/kyoo/templates/persistent-volume-claim.yaml
+++ b/charts/kyoo/templates/persistent-volume-claim.yaml
@@ -0,0 +1,54 @@
+{{- if and .Values.persistence.back.enabled (not .Values.persistence.back.existingClaim) }}
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: {{ template "kyoo.backVolumeName" . }}
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    {{- with .Values.global.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    {{- if .Values.persistence.back.retain }}
+    helm.sh/resource-policy: keep
+    {{- end }}
+  labels:
+    {{- include "kyoo.labels" . | nindent 4 }}
+    {{- with .Values.global.labels }}
+    {{ toYaml . | nindent 4 }}
+    {{- end }}
+spec:
+  storageClassName: {{ .Values.persistence.back.storageClass }}
+  accessModes:
+    - {{ .Values.persistence.back.accessMode }}
+  resources:
+    requests:
+      storage: {{ .Values.persistence.back.size }}
+{{- end }}
+
+---
+{{- if and .Values.persistence.metadata.enabled (not .Values.persistence.metadata.existingClaim) }}
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: {{ template "kyoo.metadataVolumeName" . }}
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    {{- with .Values.global.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    {{- if .Values.persistence.metadata.retain }}
+    "helm.sh/resource-policy": keep
+    {{- end }}
+  labels:
+    {{- include "kyoo.labels" . | nindent 4 }}
+    {{- with .Values.global.labels }}
+    {{ toYaml . | nindent 4 }}
+    {{- end }}
+spec:
+  storageClassName: {{ .Values.persistence.metadata.storageClass }}
+  accessModes:
+    - {{ .Values.persistence.metadata.accessMode }}
+  resources:
+    requests:
+      storage: {{ .Values.persistence.metadata.size }}
+{{- end }}
--- a/charts/kyoo/templates/service-account.yaml
+++ b/charts/kyoo/templates/service-account.yaml
@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ template "kyoo.serviceAccountName" . }}
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    {{- with .Values.global.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    {{- with .Values.serviceAccount.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+  labels:
+    {{- include "kyoo.labels" . | nindent 4 }}
+    {{- with .Values.global.labels }}
+    {{ toYaml . | nindent 4 }}
+    {{- end }}
+    {{- with .Values.serviceAccount.labels }}
+    {{ toYaml . | nindent 4 }}
+    {{- end }}
--- a/charts/kyoo/templates/service.yaml
+++ b/charts/kyoo/templates/service.yaml
@@ -0,0 +1,100 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ template "kyoo.fullname" . }}-back
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    {{- with .Values.global.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    {{- with .Values.back.service.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+  labels:
+    {{- include "kyoo.back.labels" . | nindent 4 }}
+    {{- with .Values.global.labels }}
+    {{ toYaml . | nindent 4 }}
+    {{- end }}
+    {{- with .Values.back.service.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+spec:
+  type: {{ .Values.back.service.type }}
+  ports:
+    - port: {{ .Values.back.service.port }}
+      targetPort: kyoo-back
+      protocol: TCP
+      name: kyoo-back
+  selector:
+    {{- include "kyoo.back.matchLabels" . | nindent 4 }}
+    {{- with .Values.back.service.extraSelectorLabels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ template "kyoo.fullname" . }}-front
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    {{- with .Values.global.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    {{- with .Values.front.service.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+  labels:
+    {{- include "kyoo.front.labels" . | nindent 4 }}
+    {{- with .Values.global.labels }}
+    {{ toYaml . | nindent 4 }}
+    {{- end }}
+    {{- with .Values.front.service.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+spec:
+  type: {{ .Values.front.service.type }}
+  ports:
+    - port: {{ .Values.front.service.port }}
+      targetPort: kyoo-front
+      protocol: TCP
+      name: kyoo-front
+  selector:
+    {{- include "kyoo.front.matchLabels" . | nindent 4 }}
+    {{- with .Values.front.service.extraSelectorLabels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: transcoder
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    {{- with .Values.global.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    {{- with .Values.transcoder.service.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+  labels:
+    {{- include "kyoo.transcoder.labels" . | nindent 4 }}
+    {{- with .Values.global.labels }}
+    {{ toYaml . | nindent 4 }}
+    {{- end }}
+    {{- with .Values.transcoder.service.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+spec:
+  type: {{ .Values.transcoder.service.type }}
+  ports:
+    - port: {{ .Values.transcoder.service.port }}
+      targetPort: kyoo-transcoder
+      protocol: TCP
+      name: kyoo-transcoder
+  selector:
+    {{- include "kyoo.transcoder.matchLabels" . | nindent 4 }}
+    {{- with .Values.transcoder.service.extraSelectorLabels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
--- a/charts/kyoo/values.yaml
+++ b/charts/kyoo/values.yaml
@@ -0,0 +1,892 @@
+## Global
+##
+global:
+  # -- Set an override for the prefix of the fullname
+  nameOverride:
+
+  # -- Set the entire name definition
+  fullnameOverride:
+
+  # -- Set additional global labels. Helm templates can be used.
+  labels: {}
+
+  # -- Set additional global annotations. Helm templates can be used.
+  annotations: {}
+
+## Service Account
+##
+serviceAccount:
+  # -- Specifies whether a service account should be created
+  create: false
+
+  # -- Annotations to add to the service account
+  annotations: {}
+
+  # -- Labels to add to the service account
+  labels: {}
+
+  # -- The name of the service account to use.
+  # If not set and create is true, a name is generated using the fullname template
+  name: ""
+
+## Config options
+##
+config:
+  ## Secret key
+  ## Specificy the secret name and the key containg a strong secret key
+  ##
+  secretAuthenticationKey:
+    existingSecretName: ""
+    existingSecretKey: ""
+
+  ## API keys
+  ## Specificy the secret name and the key containg an API key for that service
+  ##
+  secretAPIKey:
+    existingSecretName: ""
+
+    # -- Kyoo
+    existingKyooSecretKey: ""
+
+    # -- The Movie Database
+    existingTMDBSecretKey: ""
+
+    # -- Simkl: https://simkl.docs.apiary.io/#
+    existingSimklSecretKey: ""
+
+  # Langauges
+  libraryLanguages: en
+
+  # A pattern (regex) to ignore video files, ie ".*/[dD]ownloads?/.*"
+  libraryIgnorePattern: ""
+
+  # If this is true, new accounts wont have any permissions before you approve them in your admin dashboard.
+  requireAccountVerification: true
+
+  # Specify permissions of guest accounts, default is no permissions,
+  # but you can allow anyone to use your instance without account by doing:
+  # UNLOGGED_PERMISSIONS=overall.read,overall.play
+  # You can specify this to allow guests users to see your collection without behing able to play videos for example:
+  # UNLOGGED_PERMISSIONS=overall.read
+  unloggedPermissions: overall.read
+
+  # Specify permissions of new accounts.
+  defaultPermissions: overall.read,overall.play
+
+  # Hardware transcoding (equivalent of --profile docker compose option).
+  # cpu (no hardware acceleration) or vaapi or qsv or nvidia
+  transcoderProfile: cpu
+
+  # Path to the hardware device for the specificied transcoder profile
+  transcoderRenderPath: /dev/dri/renderD128
+
+  # the preset used during transcode. faster means worst quality, you can probably use a slower preset with hwaccels
+  # warning: using vaapi hwaccel disable presets (they are not supported).
+  transcoderPreset: fast
+
+  # The url you can use to reach your kyoo instance. This is also used during oidc to redirect users to your instance.
+  publicUrl: ""
+
+  ## OIDC authentication
+  ##
+  oidc:
+    enabled: false
+
+    # Name of the OIDC provider, ie Authentik, Keycloak, Authelia, etc
+    name: ""
+
+    # URL to the an image of the provider logo
+    logo: ""
+
+    # Urls to access the provider
+    authorization: ""
+    token: ""
+    profile: ""
+
+    # Scopes space separeted
+    scope: "openid profile email"
+
+    # Generated from the provider, these are expected to be stored in a secret
+    existingSecretName: ""
+    clientIDKey: ""
+    secretIDKey: ""
+
+  ## Postgresql
+  ##
+  postgresql:
+    username: ""
+    database: ""
+    host: ""
+    port: ""
+
+    # -- Use a secret to store the pasword
+    existingSecretName: ""
+    passwordKey: ""
+
+## Configure the ingress resource that allows you to access the
+## kyoo installation. Set up the URL
+## ref: http://kubernetes.io/docs/user-guide/ingress/
+##
+ingress:
+  # -- Enables or disables the ingress
+  enabled: false
+
+  # -- Provide additional annotations which may be required.
+  annotations: {}
+
+  # -- Provide additional labels which may be required.
+  labels: {}
+
+  # -- Set the ingressClass that is used for this ingress.
+  className: ""
+
+  ## Configure the hosts for the ingress
+  host: chart-example.local
+
+## Enable persistence using Persistent Volume Claims
+## ref: http://kubernetes.io/docs/user-guide/persistent-volumes/
+##
+persistence:
+  back:
+    # -- Enables or disables the persistence item. Defaults to true
+    enabled: true
+
+    # -- Storage Class for the config volume.
+    # If set to `-`, dynamic provisioning is disabled.
+    # If set to something else, the given storageClass is used.
+    # If undefined (the default) or set to null, no storageClassName spec is set, choosing the default provisioner.
+    storageClass: ""
+
+    # -- If you want to reuse an existing claim, the name of the existing PVC can be passed here.
+    existingClaim: ""
+
+    # -- AccessMode for the persistent volume.
+    # Make sure to select an access mode that is supported by your storage provider!
+    # [[ref]](https://kubernetes.io/docs/concepts/storage/persistent-volumes/#access-modes)
+    accessMode: ReadWriteOnce
+
+    # -- The amount of storage that is requested for the persistent volume.
+    size: 5Gi
+
+    # -- Set to true to retain the PVC upon `helm uninstall`
+    retain: false
+
+  metadata:
+    # -- Enables or disables the persistence item. Defaults to true
+    enabled: true
+
+    # -- Storage Class for the config volume.
+    # If set to `-`, dynamic provisioning is disabled.
+    # If set to something else, the given storageClass is used.
+    # If undefined (the default) or set to null, no storageClassName spec is set, choosing the default provisioner.
+    storageClass: ""
+
+    # -- If you want to reuse an existing claim, the name of the existing PVC can be passed here.
+    existingClaim: ""
+
+    # -- AccessMode for the persistent volume.
+    # Make sure to select an access mode that is supported by your storage provider!
+    # [[ref]](https://kubernetes.io/docs/concepts/storage/persistent-volumes/#access-modes)
+    accessMode: ReadWriteOnce
+
+    # -- The amount of storage that is requested for the persistent volume.
+    size: 5Gi
+
+    # -- Set to true to retain the PVC upon `helm uninstall`
+    retain: false
+
+    # -- Mount path inside container
+    mountPath: /metadata
+
+  cache:
+    # -- Transcoder cache will be mounted as an emptyDir, specificy a limit to the cache size
+    size: 10Gi
+
+    # -- Mount path inside container
+    mountPath: /cache
+
+  library:
+    enabled: false
+
+    # -- Provide an existing claim to you media library
+    existingClaim: ""
+
+    # -- Mount path inside container, used as the root path for the library
+    mountPath: /video
+
+## Auto Sync
+##
+autosync:
+  ## Kyoo Auto Sync image version
+  ## ref: https://hub.docker.com/r/zoriya/kyoo_autosync/tags
+  ##
+  image:
+    repository: zoriya/kyoo_autosync
+    tag: "4.4.0"
+    ## Specify a imagePullPolicy
+    ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
+    ## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images
+    ##
+    pullPolicy: IfNotPresent
+
+  ## Define the number of pods the deployment will create
+  ## Do not change unless your persistent volume allows more than one writer, ie NFS
+  ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/
+  ##
+  replicas: 1
+
+  ## Pod annotations
+  ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
+  ##
+  podAnnotations: {}
+
+  ## Affinity for pod assignment
+  ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
+  ##
+  affinity: {}
+
+  ## Node labels for pod assignment. Evaluated as a template.
+  ## Ref: https://kubernetes.io/docs/user-guide/node-selection/
+  ##
+  nodeSelector: {}
+
+  ## Tolerations for pod assignment
+  ## Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
+  ##
+  tolerations: []
+
+  ## Pod Security Context
+  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+  ##
+  securityContext: {}
+
+  ## kyoo containers' resource requests and limits
+  ## ref: http://kubernetes.io/docs/user-guide/compute-resources/
+  ##
+  resources:
+    # We usually recommend not to specify default resources and to leave this as a conscious
+    # choice for the user. This also increases chances charts run on environments with little
+    # resources, such as Minikube. If you do want to specify resources, uncomment the following
+    # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+    limits: {}
+    #  cpu: 2
+    #  memory: 1Gi
+    requests: {}
+    #  cpu: 1
+    #  memory: 1Gi
+
+  ## Extra environment variables
+  ##
+  extraVars:
+  #  - name: EXAMPLE
+  #    value: "example"
+
+## Back
+##
+back:
+  ## Kyoo Back image version
+  ## ref: https://hub.docker.com/r/zoriya/kyoo_back/tags
+  ##
+  image:
+    repository: zoriya/kyoo_back
+    tag: "4.4.0"
+    ## Specify a imagePullPolicy
+    ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
+    ## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images
+    ##
+    pullPolicy: IfNotPresent
+
+  ## Define the number of pods the deployment will create
+  ## Do not change unless your persistent volume allows more than one writer, ie NFS
+  ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/
+  ##
+  replicas: 1
+
+  ## Pod annotations
+  ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
+  ##
+  podAnnotations: {}
+
+  ## Affinity for pod assignment
+  ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
+  ##
+  affinity: {}
+
+  ## Node labels for pod assignment. Evaluated as a template.
+  ## Ref: https://kubernetes.io/docs/user-guide/node-selection/
+  ##
+  nodeSelector: {}
+
+  ## Tolerations for pod assignment
+  ## Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
+  ##
+  tolerations: []
+
+  ## Pod Security Context
+  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+  ##
+  securityContext: {}
+
+  ## kyoo containers' resource requests and limits
+  ## ref: http://kubernetes.io/docs/user-guide/compute-resources/
+  ##
+  resources:
+    # We usually recommend not to specify default resources and to leave this as a conscious
+    # choice for the user. This also increases chances charts run on environments with little
+    # resources, such as Minikube. If you do want to specify resources, uncomment the following
+    # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+    limits: {}
+    #  cpu: 2
+    #  memory: 1Gi
+    requests: {}
+    #  cpu: 1
+    #  memory: 1Gi
+
+  ## Configure extra options for liveness and readiness probes
+  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes)
+  ##
+  livenessProbe:
+    enabled: false
+    path: /health
+    initialDelaySeconds: 20
+    periodSeconds: 10
+    timeoutSeconds: 5
+    successThreshold: 1
+    failureThreshold: 3
+
+  readinessProbe:
+    enabled: false
+    path: /health
+    initialDelaySeconds: 5
+    periodSeconds: 10
+    timeoutSeconds: 1
+    successThreshold: 1
+    failureThreshold: 3
+
+  ## Extra environment variables
+  ##
+  extraVars:
+  #  - name: EXAMPLE
+  #    value: "example"
+
+  ## Service
+  ##
+  service:
+    # -- Set the service type
+    type: ClusterIP
+
+    # -- Provide additional annotations which may be required.
+    annotations: {}
+
+    # -- Provide additional labels which may be required.
+    labels: {}
+
+    # -- Allow adding additional match labels
+    extraSelectorLabels: {}
+
+    # -- HTTP port number
+    port: 5000
+
+## Front
+##
+front:
+  ## Kyoo Front image version
+  ## ref: https://hub.docker.com/r/zoriya/kyoo_front/tags
+  ##
+  image:
+    repository: zoriya/kyoo_front
+    tag: "4.4.0"
+    ## Specify a imagePullPolicy
+    ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
+    ## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images
+    ##
+    pullPolicy: IfNotPresent
+
+  ## Define the number of pods the deployment will create
+  ## Do not change unless your persistent volume allows more than one writer, ie NFS
+  ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/
+  ##
+  replicas: 1
+
+  ## Pod annotations
+  ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
+  ##
+  podAnnotations: {}
+
+  ## Affinity for pod assignment
+  ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
+  ##
+  affinity: {}
+
+  ## Node labels for pod assignment. Evaluated as a template.
+  ## Ref: https://kubernetes.io/docs/user-guide/node-selection/
+  ##
+  nodeSelector: {}
+
+  ## Tolerations for pod assignment
+  ## Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
+  ##
+  tolerations: []
+
+  ## Pod Security Context
+  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+  ##
+  securityContext: {}
+
+  ## kyoo containers' resource requests and limits
+  ## ref: http://kubernetes.io/docs/user-guide/compute-resources/
+  ##
+  resources:
+    # We usually recommend not to specify default resources and to leave this as a conscious
+    # choice for the user. This also increases chances charts run on environments with little
+    # resources, such as Minikube. If you do want to specify resources, uncomment the following
+    # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+    limits: {}
+    #  cpu: 2
+    #  memory: 1Gi
+    requests: {}
+    #  cpu: 1
+    #  memory: 1Gi
+
+  ## Configure extra options for liveness and readiness probes
+  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes)
+  ##
+  livenessProbe:
+    enabled: false
+    path: /
+    initialDelaySeconds: 20
+    periodSeconds: 10
+    timeoutSeconds: 5
+    successThreshold: 1
+    failureThreshold: 3
+
+  readinessProbe:
+    enabled: false
+    path: /
+    initialDelaySeconds: 5
+    periodSeconds: 10
+    timeoutSeconds: 1
+    successThreshold: 1
+    failureThreshold: 3
+
+  ## Extra environment variables
+  ##
+  extraVars:
+  #  - name: EXAMPLE
+  #    value: "example"
+
+  ## Service
+  ##
+  service:
+    # -- Set the service type
+    type: ClusterIP
+
+    # -- Provide additional annotations which may be required.
+    annotations: {}
+
+    # -- Provide additional labels which may be required.
+    labels: {}
+
+    # -- Allow adding additional match labels
+    extraSelectorLabels: {}
+
+    # -- HTTP port number
+    port: 8901
+
+## Matcher
+##
+matcher:
+  ## Kyoo Matcher image version
+  ## ref: https://hub.docker.com/r/zoriya/kyoo_matcher/tags
+  ##
+  image:
+    repository: zoriya/kyoo_scanner
+    tag: "4.4.0"
+    ## Specify a imagePullPolicy
+    ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
+    ## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images
+    ##
+    pullPolicy: IfNotPresent
+
+  ## Define the number of pods the deployment will create
+  ## Do not change unless your persistent volume allows more than one writer, ie NFS
+  ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/
+  ##
+  replicas: 1
+
+  ## Pod annotations
+  ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
+  ##
+  podAnnotations: {}
+
+  ## Affinity for pod assignment
+  ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
+  ##
+  affinity: {}
+
+  ## Node labels for pod assignment. Evaluated as a template.
+  ## Ref: https://kubernetes.io/docs/user-guide/node-selection/
+  ##
+  nodeSelector: {}
+
+  ## Tolerations for pod assignment
+  ## Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
+  ##
+  tolerations: []
+
+  ## Pod Security Context
+  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+  ##
+  securityContext: {}
+
+  ## kyoo containers' resource requests and limits
+  ## ref: http://kubernetes.io/docs/user-guide/compute-resources/
+  ##
+  resources:
+    # We usually recommend not to specify default resources and to leave this as a conscious
+    # choice for the user. This also increases chances charts run on environments with little
+    # resources, such as Minikube. If you do want to specify resources, uncomment the following
+    # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+    limits: {}
+    #  cpu: 2
+    #  memory: 1Gi
+    requests: {}
+    #  cpu: 1
+    #  memory: 1Gi
+
+  ## Extra environment variables
+  ##
+  extraVars:
+  #  - name: EXAMPLE
+  #    value: "example"
+
+## Migrations
+##
+migrations:
+  ## Kyoo Migrations image version
+  ## ref: https://hub.docker.com/r/zoriya/kyoo_migrations/tags
+  ##
+  image:
+    repository: zoriya/kyoo_migrations
+    tag: "4.4.0"
+    ## Specify a imagePullPolicy
+    ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
+    ## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images
+    ##
+    pullPolicy: IfNotPresent
+
+  ## Define the number of pods the deployment will create
+  ## Do not change unless your persistent volume allows more than one writer, ie NFS
+  ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/
+  ##
+  replicas: 1
+
+  ## Pod annotations
+  ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
+  ##
+  podAnnotations: {}
+
+  ## Affinity for pod assignment
+  ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
+  ##
+  affinity: {}
+
+  ## Node labels for pod assignment. Evaluated as a template.
+  ## Ref: https://kubernetes.io/docs/user-guide/node-selection/
+  ##
+  nodeSelector: {}
+
+  ## Tolerations for pod assignment
+  ## Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
+  ##
+  tolerations: []
+
+  ## Pod Security Context
+  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+  ##
+  securityContext: {}
+
+  ## kyoo containers' resource requests and limits
+  ## ref: http://kubernetes.io/docs/user-guide/compute-resources/
+  ##
+  resources:
+    # We usually recommend not to specify default resources and to leave this as a conscious
+    # choice for the user. This also increases chances charts run on environments with little
+    # resources, such as Minikube. If you do want to specify resources, uncomment the following
+    # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+    limits: {}
+    #  cpu: 2
+    #  memory: 1Gi
+    requests: {}
+    #  cpu: 1
+    #  memory: 1Gi
+
+  ## Extra environment variables
+  ##
+  extraVars:
+  #  - name: EXAMPLE
+  #    value: "example"
+
+## Scanner
+##
+scanner:
+  ## Kyoo Scanner image version
+  ## ref: https://hub.docker.com/r/zoriya/zoriya/kyoo_scanner/tags
+  ##
+  image:
+    repository: zoriya/kyoo_scanner
+    tag: "4.4.0"
+    ## Specify a imagePullPolicy
+    ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
+    ## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images
+    ##
+    pullPolicy: IfNotPresent
+
+  ## Define the number of pods the deployment will create
+  ## Do not change unless your persistent volume allows more than one writer, ie NFS
+  ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/
+  ##
+  replicas: 1
+
+  ## Pod annotations
+  ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
+  ##
+  podAnnotations: {}
+
+  ## Affinity for pod assignment
+  ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
+  ##
+  affinity: {}
+
+  ## Node labels for pod assignment. Evaluated as a template.
+  ## Ref: https://kubernetes.io/docs/user-guide/node-selection/
+  ##
+  nodeSelector: {}
+
+  ## Tolerations for pod assignment
+  ## Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
+  ##
+  tolerations: []
+
+  ## Pod Security Context
+  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+  ##
+  securityContext: {}
+
+  ## kyoo containers' resource requests and limits
+  ## ref: http://kubernetes.io/docs/user-guide/compute-resources/
+  ##
+  resources:
+    # We usually recommend not to specify default resources and to leave this as a conscious
+    # choice for the user. This also increases chances charts run on environments with little
+    # resources, such as Minikube. If you do want to specify resources, uncomment the following
+    # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+    limits: {}
+    #  cpu: 2
+    #  memory: 1Gi
+    requests: {}
+    #  cpu: 1
+    #  memory: 1Gi
+
+  ## Extra environment variables
+  ##
+  extraVars:
+  #  - name: EXAMPLE
+  #    value: "example"
+
+## Transcoder
+##
+transcoder:
+  ## Kyoo Transcoder image version
+  ## ref: https://hub.docker.com/r/zoriya/kyoo_transcoder/tags
+  ##
+  image:
+    repository: zoriya/kyoo_transcoder
+    tag: "4.4.0"
+    ## Specify a imagePullPolicy
+    ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
+    ## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images
+    ##
+    pullPolicy: IfNotPresent
+
+  ## Define the number of pods the deployment will create
+  ## Do not change unless your persistent volume allows more than one writer, ie NFS
+  ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/
+  ##
+  replicas: 1
+
+  ## Pod annotations
+  ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
+  ##
+  podAnnotations: {}
+
+  ## Affinity for pod assignment
+  ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
+  ##
+  affinity: {}
+
+  ## Node labels for pod assignment. Evaluated as a template.
+  ## Ref: https://kubernetes.io/docs/user-guide/node-selection/
+  ##
+  nodeSelector: {}
+
+  ## Tolerations for pod assignment
+  ## Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
+  ##
+  tolerations: []
+
+  ## Pod Security Context
+  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+  ##
+  securityContext: {}
+
+  ## kyoo containers' resource requests and limits
+  ## ref: http://kubernetes.io/docs/user-guide/compute-resources/
+  ##
+  resources:
+    # We usually recommend not to specify default resources and to leave this as a conscious
+    # choice for the user. This also increases chances charts run on environments with little
+    # resources, such as Minikube. If you do want to specify resources, uncomment the following
+    # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+    limits: {}
+    #  cpu: 2
+    #  memory: 1Gi
+    requests: {}
+    #  cpu: 1
+    #  memory: 1Gi
+
+  ## Extra environment variables
+  ##
+  extraVars:
+  #  - name: EXAMPLE
+  #    value: "example"
+
+  ## Service
+  ##
+  service:
+    # -- Set the service type
+    type: ClusterIP
+
+    # -- Provide additional annotations which may be required.
+    annotations: {}
+
+    # -- Provide additional labels which may be required.
+    labels: {}
+
+    # -- Allow adding additional match labels
+    extraSelectorLabels: {}
+
+    # -- HTTP port number
+    port: 7666
+
+## Rabbitmq
+## https://artifacthub.io/packages/helm/bitnami/rabbitmq?modal=values-schema
+##
+rabbitmq:
+  auth:
+    ## @param auth.username RabbitMQ application username
+    ## ref: https://github.com/bitnami/containers/tree/main/bitnami/rabbitmq#environment-variables
+    ##
+    username: kyoo
+
+    ## @param auth.existingPasswordSecret Existing secret with RabbitMQ credentials (existing secret must contain a value for `rabbitmq-password` key or override with setting auth.existingSecretPasswordKey)
+    ## e.g:
+    ## existingPasswordSecret: name-of-existing-secret
+    ##
+    existingPasswordSecret: ""
+    existingSecretPasswordKey: ""
+
+    ## @param auth.existingErlangSecret Existing secret with RabbitMQ Erlang cookie (must contain a value for `rabbitmq-erlang-cookie` key or override with auth.existingSecretErlangKey)
+    ## e.g:
+    ## existingErlangSecret: name-of-existing-secret
+    ##
+    existingErlangSecret: ""
+    ## @param auth.existingSecretErlangKey [default: rabbitmq-erlang-cookie] Erlang cookie key to be retrieved from existing secret
+    ## NOTE: ignored unless `auth.existingErlangSecret` parameter is set
+    ##
+    existingSecretErlangKey: ""
+
+  ## @param configurationExistingSecret Existing secret with the configuration to use as rabbitmq.conf.
+  ## Must contain the key "rabbitmq.conf"
+  ## Takes precedence over `configuration`, so do not use both simultaneously
+  ## With providing an existingSecret, extraConfiguration and extraConfigurationExistingSecret do not take any effect
+  ##
+  configurationExistingSecret: ""
+
+  ## @param extraConfiguration [string] Configuration file content: extra configuration to be appended to RabbitMQ configuration
+  ## Use this instead of `configuration` to add more configuration
+  ## Do not use simultaneously with `extraConfigurationExistingSecret`
+  ##
+  extraConfiguration: |-
+    default_vhost = '/'
+    default_permissions.configure = .*
+    default_permissions.read = .*
+    default_permissions.write = .*
+
+## Meilisearch
+## https://github.com/meilisearch/meilisearch-kubernetes/blob/main/charts/meilisearch/values.yaml
+##
+meilisearch:
+  environment:
+
+    # -- Deactivates analytics
+    MEILI_NO_ANALYTICS: true
+
+    # -- Sets the environment. Either **production** or **development**
+    MEILI_ENV: production
+
+    # For production deployment, the environment MEILI_MASTER_KEY is required.
+    # If MEILI_ENV is set to "production" without setting MEILI_MASTER_KEY, this
+    # chart will automatically create a secure MEILI_MASTER_KEY and push it as a
+    # secret. Otherwise the below value of MEILI_MASTER_KEY will be used instead.
+    # MEILI_MASTER_KEY: ""
+
+  auth:
+    # -- Use an existing Kubernetes secret for the MEILI_MASTER_KEY
+    existingMasterKeySecret: ""
+
+  service:
+    # -- Kubernetes Service type
+    type: ClusterIP
+
+    # -- Kubernetes Service port
+    port: 7700
+
+    # -- Additional annotations for service
+    annotations: {}
+
+  persistence:
+    enabled: false
+
+    # -- PVC Access Mode
+    accessMode: ReadWriteOnce
+
+    ## Persistent Volume Storage Class
+    ## If defined, storageClassName: <storageClass>
+    ## If set to "-", storageClassName: "", which disables dynamic provisioning
+    ## If undefined (the default) or set to null, no storageClassName spec is
+    ##   set, choosing the default provisioner.  (gp2 on AWS, standard on
+    ##   GKE, AWS & OpenStack)
+    ##
+    # -- PVC Storage Class
+    storageClass: "-"
+
+    ## Data Persistent Volume existing claim name
+    ## Requires persistence.enabled: true
+    ## If defined, PVC must be created manually before volume will be bound
+    # -- Existing PVC
+    existingClaim: ""
+
+    # -- PVC Storage Request
+    size: 10Gi
+
+  resources: {}
+    # limits:
+    #  cpu: 100m
+    #  memory: 128Mi
+    # requests:
+    #  cpu: 100m
+    #  memory: 128Mi
+
+  serviceMonitor:
+    enabled: false
--- a/charts/matrix-hookshot/Chart.yaml
+++ b/charts/matrix-hookshot/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v2
 name: matrix-hookshot
-version: 0.1.0
+version: 0.1.1
 description: Chart for Matrix Hookshot
 keywords:
  - matrix
@@ -11,4 +11,4 @@ sources:
 maintainers:
  - name: alexlebens
 icon: https://avatars.githubusercontent.com/u/8418310?s=48&v=4
-appVersion: "5.2.1"
+appVersion: "5.3.0"
--- a/charts/matrix-hookshot/values.yaml
+++ b/charts/matrix-hookshot/values.yaml
@@ -3,7 +3,7 @@ deployment:
  strategy: Recreate
  image:
    repository: halfshot/matrix-hookshot
-    tag: "5.2.1"
+    tag: "5.3.0"
    imagePullPolicy: IfNotPresent
  env: {}
  envFrom: []
@@ -81,7 +81,7 @@ hookshot:
        resources:
          - widgets

-    #github:
+    # github:
    #  # (Optional) Configure this to enable GitHub support
    #  auth:
    #    # Authentication for the GitHub App.
@@ -104,7 +104,7 @@ hookshot:
    #    # (Optional) Prefix used when creating ghost users for GitHub accounts.
    #    _github_

-    #gitlab:
+    # gitlab:
    #  # (Optional) Configure this to enable GitLab support
    #  instances:
    #    gitlab.com:
@@ -119,7 +119,7 @@ hookshot:
    #    # (Optional) Aggregate comments by waiting this many miliseconds before posting them to Matrix. Defaults to 5000 (5 seconds)
    #    5000

-    #figma:
+    # figma:
    #  # (Optional) Configure this to enable Figma support
    #  publicUrl: https://example.com/hookshot/
    #  instances:
@@ -128,7 +128,7 @@ hookshot:
    #      accessToken: your-personal-access-token
    #      passcode: your-webhook-passcode

-    #jira:
+    # jira:
    #  # (Optional) Configure this to enable Jira support. Only specify `url` if you are using a On Premise install (i.e. not atlassian.com)
    #  webhook:
    #    # Webhook settings for JIRA
@@ -139,7 +139,7 @@ hookshot:
    #    client_secret: bar
    #    redirect_uri: https://example.com/oauth/

-    #generic:
+    # generic:
    #  # (Optional) Support for generic webhook events.
    #  #'allowJsTransformationFunctions' will allow users to write short transformation snippets in code, and thus is unsafe in untrusted environments

@@ -150,23 +150,23 @@ hookshot:
    #  allowJsTransformationFunctions: false
    #  waitForComplete: false

-    #feeds:
+    # feeds:
    #  # (Optional) Configure this to enable RSS/Atom feed support
    #  enabled: false
    #  pollConcurrency: 4
    #  pollIntervalSeconds: 600
    #  pollTimeoutSeconds: 30

-    #provisioning:
+    # provisioning:
    #  # (Optional) Provisioning API for integration managers
    #  secret: "!secretToken"

-    #bot:
+    # bot:
    #  # (Optional) Define profile information for the bot user
    #  displayname: Hookshot Bot
    #  avatar: mxc://half-shot.uk/2876e89ccade4cb615e210c458e2a7a6883fe17d

-    #serviceBots:
+    # serviceBots:
    #  # (Optional) Define additional bot users for specific services
    #  - localpart: feeds
    #    displayname: Feeds
@@ -174,21 +174,21 @@ hookshot:
    #    prefix: "!feeds"
    #    service: feeds

-    #metrics:
+    # metrics:
    #  # (Optional) Prometheus metrics support
    #  enabled: true

-    #cache:
+    # cache:
    #  # (Optional) Cache options for large scale deployments.
    #  # For encryption to work, this must be configured.
    #  redisUri: redis://localhost:6379

-    #queue:
+    # queue:
    #  # (Optional) Message queue configuration options for large scale deployments.
    #  # For encryption to work, this must not be configured.
    #  redisUri: redis://localhost:6379

-    #widgets:
+    # widgets:
    #  # (Optional) EXPERIMENTAL support for complimentary widgets
    #  addToAdminRooms: false
    #  disallowedIpRanges:
@@ -217,12 +217,12 @@ hookshot:
    #  branding:
    #    widgetTitle: Hookshot Configuration

-    #sentry:
+    # sentry:
    #  # (Optional) Configure Sentry error reporting
    #  dsn: https://examplePublicKey@o0.ingest.sentry.io/0
    #  environment: production

-    #permissions:
+    # permissions:
    #  # (Optional) Permissions for using the bridge. See docs/setup.md#permissions for help
    #  - actor: example.com
    #    services:
--- a/charts/mautrix-whatsapp/Chart.yaml
+++ b/charts/mautrix-whatsapp/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v2
 name: mautrix-whatsapp
-version: 0.0.2
+version: 0.0.3
 description: Chart for Matrix Whatsapp Bridge
 keywords:
  - matrix
@@ -12,4 +12,4 @@ sources:
 maintainers:
  - name: alexlebens
 icon: https://avatars.githubusercontent.com/u/88519669?s=48&v=4
-appVersion: v0.10.6
+appVersion: v0.10.7
--- a/charts/mautrix-whatsapp/values.yaml
+++ b/charts/mautrix-whatsapp/values.yaml
@@ -3,7 +3,7 @@ deployment:
  strategy: Recreate
  image:
    repository: dock.mau.dev/mautrix/whatsapp
-    tag: v0.10.6
+    tag: v0.10.7
    imagePullPolicy: IfNotPresent
  env: {}
  envFrom: []
@@ -45,11 +45,9 @@ persistence:
  accessMode: ReadWriteOnce
  size: 500Mi

-
 # Reference the following for examples
 # https://github.com/mautrix/whatsapp/blob/main/example-config.yaml
 mautrixWhatsapp:
-
  # config.yml contents
  existingSecret: ""
  config:
--- a/charts/outline/Chart.yaml
+++ b/charts/outline/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v2
 name: outline
-version: 0.3.0
+version: 0.5.2
 description: Chart for Outline wiki
 keywords:
  - wiki
@@ -14,5 +14,5 @@ icon: https://avatars.githubusercontent.com/u/1765001?s=48&v=4
 dependencies:
  - name: redis
    repository: https://charts.bitnami.com/bitnami
-    version: 19.1.0
+    version: 19.1.2
 appVersion: v0.75.2
--- a/charts/outline/templates/deployment.yaml
+++ b/charts/outline/templates/deployment.yaml
@@ -102,41 +102,14 @@ spec:
                secretKeyRef:
                  name: "{{ .Values.persistence.s3.credentialsSecret }}"
                  key: AWS_SECRET_ACCESS_KEY
-          {{- if .Values.persistence.s3.endpointConfigMap.enabled }}
-            - name: AWS_REGION
-              valueFrom:
-                configMapKeyRef:
-                  name: "{{ .Values.persistence.s3.endpointConfigMap.name }}"
-                  key: BUCKET_REGION
-            - name: AWS_S3_UPLOAD_BUCKET_NAME
-              valueFrom:
-                configMapKeyRef:
-                  name: "{{ .Values.persistence.s3.endpointConfigMap.name }}"
-                  key: BUCKET_NAME
-            - name: AWS_S3_UPLOAD_BUCKET_HOST
-              valueFrom:
-                configMapKeyRef:
-                  name: "{{ .Values.persistence.s3.endpointConfigMap.name }}"
-                  key: BUCKET_HOST
-            - name: AWS_S3_UPLOAD_BUCKET_PORT
-              valueFrom:
-                configMapKeyRef:
-                  name: "{{ .Values.persistence.s3.endpointConfigMap.name }}"
-                  key: BUCKET_PORT
-            - name: AWS_S3_UPLOAD_BUCKET_URL
-              value: "{{ .Values.persistence.s3.urlProtocol }}://$(AWS_S3_UPLOAD_BUCKET_NAME).$(AWS_S3_UPLOAD_BUCKET_HOST):$(AWS_S3_UPLOAD_BUCKET_PORT)"
-            - name: AWS_S3_ACCELERATE_URL
-              value: "{{ .Values.persistence.s3.urlProtocol }}://$(AWS_S3_UPLOAD_BUCKET_NAME).$(AWS_S3_UPLOAD_BUCKET_HOST):$(AWS_S3_UPLOAD_BUCKET_PORT)"         
-          {{- else }}
            - name: AWS_REGION
              value: "{{ .Values.persistence.s3.region }}"
            - name: AWS_S3_UPLOAD_BUCKET_NAME
              value: "{{ .Values.persistence.s3.bucketName }}"
            - name: AWS_S3_UPLOAD_BUCKET_URL
-              value: "{{ .Values.persistence.s3.urlProtocol }}://{{ .Values.persistence.s3.bucketName }}.{{ .Values.persistence.s3.host }}"
+              value: "{{ .Values.persistence.s3.bucketUrl }}"
            - name: AWS_S3_ACCELERATE_URL
-              value: "{{ .Values.persistence.s3.urlProtocol }}://{{ .Values.persistence.s3.bucketName }}.{{ .Values.persistence.s3.host }}"              
-          {{- end }}
+              value: "{{ .Values.persistence.s3.bucketUrl }}"
            - name: AWS_S3_FORCE_PATH_STYLE
              value: "{{ .Values.persistence.s3.forcePathStyle }}"
            - name: AWS_S3_ACL
--- a/charts/outline/values.yaml
+++ b/charts/outline/values.yaml
@@ -24,13 +24,9 @@ persistence:
  type: s3
  s3:
    credentialsSecret:
-    endpointConfigMap:
-      enabled: false
-      name:
    region:
    bucketName:
-    host:
-    urlProtocol: http
+    bucketUrl:
    uploadMaxSize: "26214400"
    forcePathStyle: false
    acl: private
@@ -95,10 +91,6 @@ outline:
      displayName:
      scopes: openid profile email
 redis:
-  image:
-    registry: docker.io
-    repository: valkey/valkey
-    tag: 7.2.4-rc1
  architecture: standalone
  auth:
    enabled: false
--- a/charts/penpot/Chart.yaml
+++ b/charts/penpot/Chart.yaml
@@ -0,0 +1,13 @@
+apiVersion: v2
+name: penpot
+version: 0.1.0
+description: Chart for Penpot
+keywords:
+  - penpot
+  - design
+sources:
+  - https://github.com/penpot/penpot
+maintainers:
+  - name: alexlebens
+icon: https://avatars.githubusercontent.com/u/30179644?s=200&v=4
+appVersion: 2.0.1
--- a/charts/penpot/README.md
+++ b/charts/penpot/README.md
@@ -0,0 +1,16 @@
+## Introduction
+
+[Penpot](https://github.com/penpot/penpot)
+
+Penpot is the first Open Source design and prototyping platform meant for cross-domain teams. Non dependent on operating systems, Penpot is web based and works with open standards (SVG). Penpot invites designers all over the world to fall in love with open source while getting developers excited about the design process in return.
+
+This chart bootstraps a [Penpot](https://github.com/penpot/penpot) deployment on a [Kubernetes](https://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager.
+
+## Prerequisites
+
+- Kubernetes
+- Helm
+
+## Parameters
+
+See the [values files](values.yaml).
--- a/charts/penpot/templates/_helpers.tpl
+++ b/charts/penpot/templates/_helpers.tpl
@@ -0,0 +1,72 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "penpot.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "penpot.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "penpot.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Common labels.
+*/}}
+{{- define "penpot.labels" -}}
+helm.sh/chart: {{ include "penpot.chart" . }}
+app.kubernetes.io/name: {{ include "penpot.name" . }}-frontend
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end -}}
+
+{{/*
+Selector labels.
+*/}}
+{{- define "penpot.frontendSelectorLabels" -}}
+app.kubernetes.io/name: {{ include "penpot.name" . }}-frontend
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end -}}
+{{- define "penpot.backendSelectorLabels" -}}
+app.kubernetes.io/name: {{ include "penpot.name" . }}-backend
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end -}}
+{{- define "penpot.exporterSelectorLabels" -}}
+app.kubernetes.io/name: {{ include "penpot.name" . }}-exporter
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end -}}
+
+{{/*
+Create the name of the service account to use.
+*/}}
+{{- define "penpot.serviceAccountName" -}}
+{{- if .Values.serviceAccount.enabled -}}
+    {{ default (include "penpot.fullname" .) .Values.serviceAccount.name }}
+{{- else -}}
+    {{ default "default" .Values.serviceAccount.name }}
+{{- end -}}
+{{- end -}}
--- a/charts/penpot/templates/config-map.yaml
+++ b/charts/penpot/templates/config-map.yaml
@@ -0,0 +1,129 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: "{{ include "penpot.fullname" . }}-frontend-nginx"
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "penpot.labels" . | nindent 4 }}
+data:
+  nginx.conf: |
+    user www-data;
+    worker_processes auto;
+    pid /run/nginx.pid;
+    include /etc/nginx/modules-enabled/*.conf;
+
+    events {
+        worker_connections 2048;
+        # multi_accept on;
+    }
+
+    http {
+        sendfile on;
+        tcp_nopush on;
+        tcp_nodelay on;
+        keepalive_requests 30;
+        keepalive_timeout 65;
+        types_hash_max_size 2048;
+
+        server_tokens off;
+
+        reset_timedout_connection on;
+        client_body_timeout 30s;
+        client_header_timeout 30s;
+
+        include /etc/nginx/mime.types;
+        default_type application/octet-stream;
+
+        error_log /dev/stdout;
+        access_log /dev/stdout;
+
+        gzip on;
+        gzip_vary on;
+        gzip_proxied any;
+        gzip_static on;
+        gzip_comp_level 4;
+        gzip_buffers 16 8k;
+        gzip_http_version 1.1;
+
+        gzip_types text/plain text/css text/javascript application/javascript application/json application/transit+json;
+
+        resolver 127.0.0.11;
+
+        map $http_upgrade $connection_upgrade {
+            default upgrade;
+            ''      close;
+        }
+
+        server {
+            listen 80 default_server;
+            server_name _;
+
+            client_max_body_size 100M;
+            charset utf-8;
+
+            proxy_http_version 1.1;
+            proxy_set_header Host $http_host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Scheme $scheme;
+            proxy_set_header X-Forwarded-Proto $scheme;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+            etag off;
+            root /var/www/app/;
+
+            location ~* \.(js|css).*$ {
+                add_header Cache-Control "max-age=86400" always; # 24 hours
+            }
+
+            location ~* \.(html).*$ {
+                add_header Cache-Control "no-cache, max-age=0" always;
+            }
+
+            location /api/export {
+                proxy_pass http://{{ include "penpot.fullname" . }}-exporter:6061;
+            }
+
+            location /api {
+                proxy_pass http://{{ include "penpot.fullname" . }}-backend:6060/api;
+            }
+
+            location /ws/notifications {
+                proxy_set_header Upgrade $http_upgrade;
+                proxy_set_header Connection 'upgrade';
+                proxy_pass http://{{ include "penpot.fullname" . }}-backend:6060/ws/notifications;
+            }
+
+            location @handle_redirect {
+                set $redirect_uri "$upstream_http_location";
+                set $redirect_host "$upstream_http_x_host";
+                set $redirect_cache_control "$upstream_http_cache_control";
+
+                proxy_buffering off;
+
+                proxy_set_header Host "$redirect_host";
+                proxy_hide_header etag;
+                proxy_hide_header x-amz-id-2;
+                proxy_hide_header x-amz-request-id;
+                proxy_hide_header x-amz-meta-server-side-encryption;
+                proxy_hide_header x-amz-server-side-encryption;
+                proxy_pass $redirect_uri;
+
+                add_header x-internal-redirect "$redirect_uri";
+                add_header x-cache-control "$redirect_cache_control";
+                add_header cache-control "$redirect_cache_control";
+            }
+
+            location /assets {
+                proxy_pass http://{{ include "penpot.fullname" . }}-backend:6060/assets;
+                recursive_error_pages on;
+                proxy_intercept_errors on;
+                error_page 301 302 307 = @handle_redirect;
+            }
+
+            location /internal/assets {
+                internal;
+                alias /opt/data/assets;
+                add_header x-internal-redirect "$upstream_http_x_accel_redirect";
+            }
+        }
+    }
--- a/charts/penpot/templates/deployment-backend.yaml
+++ b/charts/penpot/templates/deployment-backend.yaml
@@ -0,0 +1,378 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "penpot.fullname" . }}-backend
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "penpot.labels" . | nindent 4 }}
+spec:
+  replicas: {{ .Values.backend.replicaCount }}
+  selector:
+    matchLabels:
+      {{- include "penpot.backendSelectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      labels:
+        {{- include "penpot.backendSelectorLabels" . | nindent 8 }}
+    spec:
+    {{- with .Values.global.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+    {{- end }}
+    {{ if .Values.backend.podSecurityContext.enabled }}
+      securityContext:
+        {{- omit .Values.backend.podSecurityContext "enabled" | toYaml | nindent 8 }}
+    {{- end }}
+      serviceAccountName: {{ include "penpot.serviceAccountName" . }}
+      affinity:
+        podAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+          - labelSelector:
+              matchExpressions:
+              - key: app.kubernetes.io/instance
+                operator: In
+                values:
+                - {{ .Release.Name }}
+            topologyKey: "kubernetes.io/hostname"
+      containers:
+        - name: {{ .Chart.Name }}-backend
+        {{ if .Values.backend.containerSecurityContext.enabled }}
+          securityContext:
+            {{- omit .Values.backend.containerSecurityContext "enabled" | toYaml | nindent 12 }}
+        {{- end }}
+          image: "{{ .Values.backend.image.repository }}:{{ .Values.backend.image.tag }}"
+          imagePullPolicy: {{ .Values.backend.image.imagePullPolicy }}
+          volumeMounts:
+            - mountPath: /opt/data
+              name: app-data
+              readOnly: false
+          env:
+            - name: PENPOT_PUBLIC_URI
+              value: {{ .Values.config.publicURI | quote }}
+            - name: PENPOT_FLAGS
+              value: "$PENPOT_FLAGS {{ .Values.config.flags }}"
+            - name: PENPOT_SECRET_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.config.apiSecretKey.existingSecretName }}
+                  key: {{ .Values.config.apiSecretKey.existingSecretKey }}
+            - name: PENPOT_DATABASE_URI
+              value: "postgresql://{{ .Values.config.postgresql.host }}:{{ .Values.config.postgresql.port }}/{{ .Values.config.postgresql.database }}"
+            - name: PENPOT_DATABASE_USERNAME
+            {{- if not .Values.config.postgresql.secretKeys.usernameKey }}
+              value: {{ .Values.config.postgresql.username | quote }}
+            {{- else }}
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.config.postgresql.existingSecret }}
+                  key: {{ .Values.config.postgresql.secretKeys.usernameKey }}
+            {{- end }}
+            - name: PENPOT_DATABASE_PASSWORD
+            {{- if not .Values.config.postgresql.secretKeys.passwordKey }}
+              value: {{ .Values.config.postgresql.password | quote }}
+            {{- else }}
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.config.postgresql.existingSecret }}
+                  key: {{ .Values.config.postgresql.secretKeys.passwordKey }}
+            {{- end }}
+            - name: PENPOT_REDIS_URI
+              value: "redis://{{ .Values.config.redis.host }}:{{ .Values.config.redis.port }}/{{ .Values.config.redis.database }}"
+            - name: PENPOT_ASSETS_STORAGE_BACKEND
+              value: {{ .Values.config.assets.storageBackend | quote }}
+          {{- if eq .Values.config.assets.storageBackend "assets-fs" }}
+            - name: PENPOT_STORAGE_ASSETS_FS_DIRECTORY
+              value: {{ .Values.config.assets.filesystem.directory | quote }}
+          {{- else if eq .Values.config.assets.storageBackend "assets-s3" }}
+            - name: PENPOT_STORAGE_ASSETS_S3_REGION
+              value: {{ .Values.config.assets.s3.region | quote }}
+            - name: PENPOT_STORAGE_ASSETS_S3_BUCKET
+              value: {{ .Values.config.assets.s3.bucket | quote }}
+            - name: AWS_ACCESS_KEY_ID
+          {{- if not .Values.config.assets.s3.secretKeys.accessKeyIDKey }}
+              value: {{ .Values.config.assets.s3.accessKeyID | quote }}
+          {{- else }}
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.config.assets.s3.existingSecret }}
+                  key: {{ .Values.config.assets.s3.secretKeys.accessKeyIDKey }}
+          {{- end }}
+            - name: AWS_SECRET_ACCESS_KEY
+          {{- if not .Values.config.assets.s3.secretKeys.secretAccessKey }}
+              value: {{ .Values.config.assets.s3.secretAccessKey | quote }}
+          {{- else }}
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.config.assets.s3.existingSecret }}
+                  key: {{ .Values.config.assets.s3.secretKeys.secretAccessKey }}
+          {{- end }}
+            - name: PENPOT_STORAGE_ASSETS_S3_ENDPOINT
+          {{- if not .Values.config.assets.s3.secretKeys.endpointURIKey }}
+              value: {{ .Values.config.assets.s3.endpointURI | quote }}
+          {{- else }}
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.config.assets.s3.existingSecret }}
+                  key: {{ .Values.config.assets.s3.secretKeys.endpointURIKey }}
+          {{- end }}
+          {{- end }}
+            - name: PENPOT_TELEMETRY_ENABLED
+              value: {{ .Values.config.telemetryEnabled | quote }}
+
+          {{- if .Values.config.smtp.enabled }}
+          {{- if .Values.config.smtp.defaultFrom }}
+            - name: PENPOT_SMTP_DEFAULT_FROM
+              value: {{ .Values.config.smtp.defaultFrom | quote }}
+          {{- end }}
+          {{- if .Values.config.smtp.defaultReplyTo }}
+            - name: PENPOT_SMTP_DEFAULT_REPLY_TO
+              value: {{ .Values.config.smtp.defaultReplyTo | quote }}
+          {{- end }}
+          {{- if .Values.config.smtp.host }}
+            - name: PENPOT_SMTP_HOST
+              value: {{ .Values.config.smtp.host | quote }}
+          {{- end }}
+          {{- if .Values.config.smtp.port }}
+            - name: PENPOT_SMTP_PORT
+              value: {{ .Values.config.smtp.port | quote }}
+          {{- end }}
+          {{- if not .Values.config.smtp.secretKeys.usernameKey }}
+            - name: PENPOT_SMTP_USERNAME
+              value: {{ .Values.config.smtp.username | quote }}
+          {{- else }}
+            - name: PENPOT_SMTP_USERNAME
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.config.smtp.existingSecret }}
+                  key: {{ .Values.config.smtp.secretKeys.usernameKey }}
+          {{- end }}
+          {{- if not .Values.config.smtp.secretKeys.passwordKey }}
+            - name: PENPOT_SMTP_PASSWORD
+              value: {{ .Values.config.smtp.password | quote }}
+          {{- else }}
+            - name: PENPOT_SMTP_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.config.smtp.existingSecret }}
+                  key: {{ .Values.config.smtp.secretKeys.passwordKey }}
+          {{- end }}
+          {{- if .Values.config.smtp.tls }}
+            - name: PENPOT_SMTP_TLS
+              value: {{ .Values.config.smtp.tls | quote }}
+          {{- end }}
+          {{- if .Values.config.smtp.ssl }}
+            - name: PENPOT_SMTP_SSL
+              value: {{ .Values.config.smtp.ssl | quote }}
+          {{- end }}
+          {{- end }}
+
+
+          {{- if .Values.config.registrationDomainWhitelist }}
+            - name: PENPOT_REGISTRATION_DOMAIN_WHITELIST
+              value: {{ .Values.config.registrationDomainWhitelist | quote }}
+          {{- end }}
+
+          {{- if .Values.config.providers.google.enabled }}
+          {{- if not .Values.config.providers.secretKeys.googleClientIDKey }}
+            - name: PENPOT_GOOGLE_CLIENT_ID
+              value: {{ .Values.config.providers.google.clientID | quote }}
+          {{- else }}
+            - name: PENPOT_GOOGLE_CLIENT_ID
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.config.providers.existingSecret }}
+                  key: {{ .Values.config.providers.secretKeys.googleClientIDKey }}
+          {{- end }}
+          {{- if not .Values.config.providers.secretKeys.googleClientSecretKey}}
+            - name: PENPOT_GOOGLE_CLIENT_SECRET
+              value: {{ .Values.config.providers.google.clientSecret | quote }}
+          {{- else }}
+            - name: PENPOT_GOOGLE_CLIENT_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.config.providers.existingSecret }}
+                  key: {{ .Values.config.providers.secretKeys.googleClientSecretKey }}
+          {{- end }}
+          {{- end }}
+
+          {{- if .Values.config.providers.github.enabled }}
+          {{- if not .Values.config.providers.secretKeys.githubClientIDKey }}
+            - name: PENPOT_GITHUB_CLIENT_ID
+              value: {{ .Values.config.providers.github.clientID | quote }}
+          {{- else }}
+            - name: PENPOT_GITHUB_CLIENT_ID
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.config.providers.existingSecret }}
+                  key: {{ .Values.config.providers.secretKeys.githubClientIDKey }}
+          {{- end }}
+          {{- if not .Values.config.providers.secretKeys.githubClientSecretKey  }}
+            - name: PENPOT_GITHUB_CLIENT_SECRET
+              value: {{ .Values.config.providers.github.clientSecret | quote }}
+          {{- else }}
+            - name: PENPOT_GITHUB_CLIENT_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.config.providers.existingSecret }}
+                  key: {{ .Values.config.providers.secretKeys.githubClientSecretKey }}
+          {{- end }}
+          {{- end }}
+
+          {{- if .Values.config.providers.gitlab.enabled }}
+          {{- if .Values.config.providers.gitlab.baseURI }}
+            - name: PENPOT_GITLAB_BASE_URI
+              value: {{ .Values.config.providers.gitlab.baseURI | quote }}
+          {{- end }}
+          {{- if not .Values.config.providers.secretKeys.gitlabClientIDKey }}
+            - name: PENPOT_GITLAB_CLIENT_ID
+              value: {{ .Values.config.providers.gitlab.clientID | quote }}
+          {{- else }}
+            - name: PENPOT_GITLAB_CLIENT_ID
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.config.providers.existingSecret }}
+                  key: {{ .Values.config.providers.secretKeys.gitlabClientIDKey }}
+          {{- end }}
+          {{- if not .Values.config.providers.secretKeys.gitlabClientSecretKey }}
+            - name: PENPOT_GITLAB_CLIENT_SECRET
+              value: {{ .Values.config.providers.gitlab.clientSecret | quote }}
+          {{- else }}
+            - name: PENPOT_GITLAB_CLIENT_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.config.providers.existingSecret }}
+                  key: {{ .Values.config.providers.secretKeys.gitlabClientSecretKey }}
+          {{- end }}
+          {{- end }}
+
+          {{- if .Values.config.providers.oidc.enabled }}
+          {{- if .Values.config.providers.oidc.baseURI }}
+            - name: PENPOT_OIDC_BASE_URI
+              value: {{ .Values.config.providers.oidc.baseURI | quote }}
+          {{- end }}
+          {{- if not .Values.config.providers.secretKeys.oidcClientIDKey }}
+            - name: PENPOT_OIDC_CLIENT_ID
+              value: {{ .Values.config.providers.oidc.clientID | quote}}
+          {{- else }}
+            - name: PENPOT_OIDC_CLIENT_ID
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.config.providers.existingSecret }}
+                  key: {{ .Values.config.providers.secretKeys.oidcClientIDKey }}
+          {{- end }}
+          {{- if not .Values.config.providers.secretKeys.oidcClientSecretKey}}
+            - name: PENPOT_OIDC_CLIENT_SECRET
+              value: {{ .Values.config.providers.oidc.clientSecret | quote }}
+          {{- else }}
+            - name: PENPOT_OIDC_CLIENT_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.config.providers.existingSecret }}
+                  key: {{ .Values.config.providers.secretKeys.oidcClientSecretKey }}
+          {{- end }}
+          {{- if .Values.config.providers.oidc.authURI }}
+            - name: PENPOT_OIDC_AUTH_URI
+              value: {{ .Values.config.providers.oidc.authURI | quote }}
+          {{- end }}
+          {{- if .Values.config.providers.oidc.tokenURI }}
+            - name: PENPOT_OIDC_TOKEN_URI
+              value: {{ .Values.config.providers.oidc.tokenURI | quote }}
+          {{- end }}
+          {{- if .Values.config.providers.oidc.userURI }}
+            - name: PENPOT_OIDC_USER_URI
+              value: {{ .Values.config.providers.oidc.userURI | quote }}
+          {{- end }}
+          {{- if .Values.config.providers.oidc.roles }}
+            - name: PENPOT_OIDC_ROLES
+              value: {{ .Values.config.providers.oidc.roles | quote }}
+          {{- end }}
+          {{- if .Values.config.providers.oidc.rolesAttribute }}
+            - name: PENPOT_OIDC_ROLES_ATTR
+              value: {{ .Values.config.providers.oidc.rolesAttribute | quote }}
+          {{- end }}
+          {{- if .Values.config.providers.oidc.scopes }}
+            - name: PENPOT_OIDC_SCOPES
+              value: {{ .Values.config.providers.oidc.scopes | quote }}
+          {{- end }}
+          {{- if .Values.config.providers.oidc.nameAttribute }}
+            - name: PENPOT_OIDC_NAME_ATTR
+              value: {{ .Values.config.providers.oidc.nameAttribute | quote }}
+          {{- end }}
+          {{- if .Values.config.providers.oidc.emailAttribute }}
+            - name: PENPOT_OIDC_EMAIL_ATTR
+              value: {{ .Values.config.providers.oidc.emailAttribute | quote }}
+          {{- end }}
+          {{- end }}
+
+          {{- if .Values.config.providers.ldap.enabled }}
+          {{- if .Values.config.providers.ldap.host }}
+            - name: PENPOT_LDAP_HOST
+              value: {{ .Values.config.providers.ldap.host | quote }}
+          {{- end }}
+          {{- if .Values.config.providers.ldap.port }}
+            - name: PENPOT_LDAP_PORT
+              value: {{ .Values.config.providers.ldap.port | quote }}
+          {{- end }}
+          {{- if .Values.config.providers.ldap.ssl }}
+            - name: PENPOT_LDAP_SSL
+              value: {{ .Values.config.providers.ldap.ssl | quote }}
+          {{- end }}
+          {{- if .Values.config.providers.ldap.startTLS }}
+            - name: PENPOT_LDAP_STARTTLS
+              value: {{ .Values.config.providers.ldap.startTLS | quote }}
+          {{- end }}
+          {{- if .Values.config.providers.ldap.baseDN }}
+            - name: PENPOT_LDAP_BASE_DN
+              value: {{ .Values.config.providers.ldap.baseDN | quote }}
+          {{- end }}
+          {{- if .Values.config.providers.ldap.bindDN }}
+            - name: PENPOT_LDAP_BIND_DN
+              value: {{ .Values.config.providers.ldap.bindDN | quote }}
+          {{- end }}
+          {{- if .Values.config.providers.ldap.bindPassword }}
+            - name: PENPOT_LDAP_BIND_PASSWORD
+              value: {{ .Values.config.providers.ldap.bindPassword | quote }}
+          {{- end }}
+          {{- if .Values.config.providers.ldap.attributesUsername }}
+            - name: PENPOT_LDAP_ATTRS_USERNAME
+              value: {{ .Values.config.providers.ldap.attributesUsername | quote }}
+          {{- end }}
+          {{- if .Values.config.providers.ldap.attributesEmail }}
+            - name: PENPOT_LDAP_ATTRS_EMAIL
+              value: {{ .Values.config.providers.ldap.attributesEmail | quote }}
+          {{- end }}
+          {{- if .Values.config.providers.ldap.attributesFullname }}
+            - name: PENPOT_LDAP_ATTRS_FULLNAME
+              value: {{ .Values.config.providers.ldap.attributesFullname | quote }}
+          {{- end }}
+          {{- if .Values.config.providers.ldap.attributesPhoto }}
+            - name: PENPOT_LDAP_ATTRS_PHOTO
+              value: {{ .Values.config.providers.ldap.attributesPhoto | quote }}
+          {{- end }}
+          {{- end }}
+          ports:
+            - name: http
+              containerPort: {{ .Values.backend.service.port }}
+              protocol: TCP
+          resources:
+            {{- toYaml .Values.backend.resources | nindent 12 }}
+      {{- with .Values.backend.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+    {{- with .Values.backend.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+    {{- end }}
+    {{- with .Values.backend.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+    {{- end }}
+      volumes:
+      - name: app-data
+      {{- if .Values.persistence.enabled }}
+        persistentVolumeClaim:
+          claimName: {{ .Values.persistence.existingClaim | default ( include "penpot.fullname" . ) }}
+      {{- else }}
+        emptyDir: {}
+      {{- end }}
--- a/charts/penpot/templates/deployment-exporter.yaml
+++ b/charts/penpot/templates/deployment-exporter.yaml
@@ -0,0 +1,353 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "penpot.fullname" . }}-exporter
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "penpot.labels" . | nindent 4 }}
+spec:
+  replicas: {{ .Values.exporter.replicaCount }}
+  selector:
+    matchLabels:
+      {{- include "penpot.exporterSelectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      labels:
+        {{- include "penpot.exporterSelectorLabels" . | nindent 8 }}
+    spec:
+    {{- with .Values.global.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+    {{- end }}
+      serviceAccountName: {{ include "penpot.serviceAccountName" . }}
+    {{ if .Values.exporter.podSecurityContext.enabled }}
+      securityContext:
+        {{- omit .Values.exporter.podSecurityContext "enabled" | toYaml | nindent 8 }}
+    {{- end }}
+      containers:
+        - name: {{ .Chart.Name }}-exporter
+        {{ if .Values.exporter.containerSecurityContext.enabled }}
+          securityContext:
+            {{- omit .Values.exporter.containerSecurityContext "enabled" | toYaml | nindent 12 }}
+        {{- end }}
+          image: "{{ .Values.exporter.image.repository }}:{{ .Values.exporter.image.tag }}"
+          imagePullPolicy: {{ .Values.exporter.image.imagePullPolicy }}
+          env:
+            - name: PENPOT_PUBLIC_URI
+              value: {{ .Values.config.publicURI | quote }}
+            - name: PENPOT_FLAGS
+              value: "$PENPOT_FLAGS {{ .Values.config.flags }}"
+            - name: PENPOT_SECRET_KEY
+              value: {{ .Values.config.apiSecretKey | quote }}
+            - name: PENPOT_DATABASE_URI
+              value: "postgresql://{{ .Values.config.postgresql.host }}:{{ .Values.config.postgresql.port }}/{{ .Values.config.postgresql.database }}"
+            - name: PENPOT_DATABASE_USERNAME
+            {{- if not .Values.config.postgresql.secretKeys.usernameKey }}
+              value: {{ .Values.config.postgresql.username | quote }}
+            {{- else }}
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.config.postgresql.existingSecret }}
+                  key: {{ .Values.config.postgresql.secretKeys.usernameKey }}
+            {{- end }}
+            - name: PENPOT_DATABASE_PASSWORD
+            {{- if not .Values.config.postgresql.secretKeys.passwordKey }}
+              value: {{ .Values.config.postgresql.password | quote }}
+            {{- else }}
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.config.postgresql.existingSecret }}
+                  key: {{ .Values.config.postgresql.secretKeys.passwordKey }}
+            {{- end }}
+            - name: PENPOT_REDIS_URI
+              value: "redis://{{ .Values.config.redis.host }}:{{ .Values.config.redis.port }}/{{ .Values.config.redis.database }}"
+            - name: PENPOT_ASSETS_STORAGE_BACKEND
+              value: {{ .Values.config.assets.storageBackend | quote }}
+          {{- if eq .Values.config.assets.storageBackend "assets-fs" }}
+            - name: PENPOT_STORAGE_ASSETS_FS_DIRECTORY
+              value: {{ .Values.config.assets.filesystem.directory | quote }}
+          {{- else if eq .Values.config.assets.storageBackend "assets-s3" }}
+            - name: PENPOT_STORAGE_ASSETS_S3_REGION
+              value: {{ .Values.config.assets.s3.region | quote }}
+            - name: PENPOT_STORAGE_ASSETS_S3_BUCKET
+              value: {{ .Values.config.assets.s3.bucket | quote }}
+            - name: AWS_ACCESS_KEY_ID
+          {{- if not .Values.config.assets.s3.secretKeys.accessKeyIDKey }}
+              value: {{ .Values.config.assets.s3.accessKeyID | quote }}
+          {{- else }}
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.config.assets.s3.existingSecret }}
+                  key: {{ .Values.config.assets.s3.secretKeys.accessKeyIDKey }}
+          {{- end }}
+            - name: AWS_SECRET_ACCESS_KEY
+          {{- if not .Values.config.assets.s3.secretKeys.secretAccessKey }}
+              value: {{ .Values.config.assets.s3.secretAccessKey | quote }}
+          {{- else }}
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.config.assets.s3.existingSecret }}
+                  key: {{ .Values.config.assets.s3.secretKeys.secretAccessKey }}
+          {{- end }}
+            - name: PENPOT_STORAGE_ASSETS_S3_ENDPOINT
+          {{- if not .Values.config.assets.s3.secretKeys.endpointURIKey }}
+              value: {{ .Values.config.assets.s3.endpointURI | quote }}
+          {{- else }}
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.config.assets.s3.existingSecret }}
+                  key: {{ .Values.config.assets.s3.secretKeys.endpointURIKey }}
+          {{- end }}
+          {{- end }}
+            - name: PENPOT_TELEMETRY_ENABLED
+              value: {{ .Values.config.telemetryEnabled | quote }}
+
+          {{- if .Values.config.smtp.enabled }}
+          {{- if .Values.config.smtp.defaultFrom }}
+            - name: PENPOT_SMTP_DEFAULT_FROM
+              value: {{ .Values.config.smtp.defaultFrom | quote }}
+          {{- end }}
+          {{- if .Values.config.smtp.defaultReplyTo }}
+            - name: PENPOT_SMTP_DEFAULT_REPLY_TO
+              value: {{ .Values.config.smtp.defaultReplyTo | quote }}
+          {{- end }}
+          {{- if .Values.config.smtp.host }}
+            - name: PENPOT_SMTP_HOST
+              value: {{ .Values.config.smtp.host | quote }}
+          {{- end }}
+          {{- if .Values.config.smtp.port }}
+            - name: PENPOT_SMTP_PORT
+              value: {{ .Values.config.smtp.port | quote }}
+          {{- end }}
+          {{- if not .Values.config.smtp.secretKeys.usernameKey }}
+            - name: PENPOT_SMTP_USERNAME
+              value: {{ .Values.config.smtp.username | quote }}
+          {{- else }}
+            - name: PENPOT_SMTP_USERNAME
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.config.smtp.existingSecret }}
+                  key: {{ .Values.config.smtp.secretKeys.usernameKey }}
+          {{- end }}
+          {{- if not .Values.config.smtp.secretKeys.passwordKey }}
+            - name: PENPOT_SMTP_PASSWORD
+              value: {{ .Values.config.smtp.password | quote }}
+          {{- else }}
+            - name: PENPOT_SMTP_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.config.smtp.existingSecret }}
+                  key: {{ .Values.config.smtp.secretKeys.passwordKey }}
+          {{- end }}
+          {{- if .Values.config.smtp.tls }}
+            - name: PENPOT_SMTP_TLS
+              value: {{ .Values.config.smtp.tls | quote }}
+          {{- end }}
+          {{- if .Values.config.smtp.ssl }}
+            - name: PENPOT_SMTP_SSL
+              value: {{ .Values.config.smtp.ssl | quote }}
+          {{- end }}
+          {{- end }}
+
+
+          {{- if .Values.config.registrationDomainWhitelist }}
+            - name: PENPOT_REGISTRATION_DOMAIN_WHITELIST
+              value: {{ .Values.config.registrationDomainWhitelist | quote }}
+          {{- end }}
+
+          {{- if .Values.config.providers.google.enabled }}
+          {{- if not .Values.config.providers.secretKeys.googleClientIDKey }}
+            - name: PENPOT_GOOGLE_CLIENT_ID
+              value: {{ .Values.config.providers.google.clientID | quote }}
+          {{- else }}
+            - name: PENPOT_GOOGLE_CLIENT_ID
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.config.providers.existingSecret }}
+                  key: {{ .Values.config.providers.secretKeys.googleClientIDKey }}
+          {{- end }}
+          {{- if not .Values.config.providers.secretKeys.googleClientSecretKey}}
+            - name: PENPOT_GOOGLE_CLIENT_SECRET
+              value: {{ .Values.config.providers.google.clientSecret | quote }}
+          {{- else }}
+            - name: PENPOT_GOOGLE_CLIENT_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.config.providers.existingSecret }}
+                  key: {{ .Values.config.providers.secretKeys.googleClientSecretKey }}
+          {{- end }}
+          {{- end }}
+
+          {{- if .Values.config.providers.github.enabled }}
+          {{- if not .Values.config.providers.secretKeys.githubClientIDKey }}
+            - name: PENPOT_GITHUB_CLIENT_ID
+              value: {{ .Values.config.providers.github.clientID | quote }}
+          {{- else }}
+            - name: PENPOT_GITHUB_CLIENT_ID
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.config.providers.existingSecret }}
+                  key: {{ .Values.config.providers.secretKeys.githubClientIDKey }}
+          {{- end }}
+          {{- if not .Values.config.providers.secretKeys.githubClientSecretKey  }}
+            - name: PENPOT_GITHUB_CLIENT_SECRET
+              value: {{ .Values.config.providers.github.clientSecret | quote }}
+          {{- else }}
+            - name: PENPOT_GITHUB_CLIENT_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.config.providers.existingSecret }}
+                  key: {{ .Values.config.providers.secretKeys.githubClientSecretKey }}
+          {{- end }}
+          {{- end }}
+
+          {{- if .Values.config.providers.gitlab.enabled }}
+          {{- if .Values.config.providers.gitlab.baseURI }}
+            - name: PENPOT_GITLAB_BASE_URI
+              value: {{ .Values.config.providers.gitlab.baseURI | quote }}
+          {{- end }}
+          {{- if not .Values.config.providers.secretKeys.gitlabClientIDKey }}
+            - name: PENPOT_GITLAB_CLIENT_ID
+              value: {{ .Values.config.providers.gitlab.clientID | quote }}
+          {{- else }}
+            - name: PENPOT_GITLAB_CLIENT_ID
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.config.providers.existingSecret }}
+                  key: {{ .Values.config.providers.secretKeys.gitlabClientIDKey }}
+          {{- end }}
+          {{- if not .Values.config.providers.secretKeys.gitlabClientSecretKey }}
+            - name: PENPOT_GITLAB_CLIENT_SECRET
+              value: {{ .Values.config.providers.gitlab.clientSecret | quote }}
+          {{- else }}
+            - name: PENPOT_GITLAB_CLIENT_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.config.providers.existingSecret }}
+                  key: {{ .Values.config.providers.secretKeys.gitlabClientSecretKey }}
+          {{- end }}
+          {{- end }}
+
+          {{- if .Values.config.providers.oidc.enabled }}
+          {{- if .Values.config.providers.oidc.baseURI }}
+            - name: PENPOT_OIDC_BASE_URI
+              value: {{ .Values.config.providers.oidc.baseURI | quote }}
+          {{- end }}
+          {{- if not .Values.config.providers.secretKeys.oidcClientIDKey }}
+            - name: PENPOT_OIDC_CLIENT_ID
+              value: {{ .Values.config.providers.oidc.clientID | quote}}
+          {{- else }}
+            - name: PENPOT_OIDC_CLIENT_ID
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.config.providers.existingSecret }}
+                  key: {{ .Values.config.providers.secretKeys.oidcClientIDKey }}
+          {{- end }}
+          {{- if not .Values.config.providers.secretKeys.oidcClientSecretKey}}
+            - name: PENPOT_OIDC_CLIENT_SECRET
+              value: {{ .Values.config.providers.oidc.clientSecret | quote }}
+          {{- else }}
+            - name: PENPOT_OIDC_CLIENT_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.config.providers.existingSecret }}
+                  key: {{ .Values.config.providers.secretKeys.oidcClientSecretKey }}
+          {{- end }}
+          {{- if .Values.config.providers.oidc.authURI }}
+            - name: PENPOT_OIDC_AUTH_URI
+              value: {{ .Values.config.providers.oidc.authURI | quote }}
+          {{- end }}
+          {{- if .Values.config.providers.oidc.tokenURI }}
+            - name: PENPOT_OIDC_TOKEN_URI
+              value: {{ .Values.config.providers.oidc.tokenURI | quote }}
+          {{- end }}
+          {{- if .Values.config.providers.oidc.userURI }}
+            - name: PENPOT_OIDC_USER_URI
+              value: {{ .Values.config.providers.oidc.userURI | quote }}
+          {{- end }}
+          {{- if .Values.config.providers.oidc.roles }}
+            - name: PENPOT_OIDC_ROLES
+              value: {{ .Values.config.providers.oidc.roles | quote }}
+          {{- end }}
+          {{- if .Values.config.providers.oidc.rolesAttribute }}
+            - name: PENPOT_OIDC_ROLES_ATTR
+              value: {{ .Values.config.providers.oidc.rolesAttribute | quote }}
+          {{- end }}
+          {{- if .Values.config.providers.oidc.scopes }}
+            - name: PENPOT_OIDC_SCOPES
+              value: {{ .Values.config.providers.oidc.scopes | quote }}
+          {{- end }}
+          {{- if .Values.config.providers.oidc.nameAttribute }}
+            - name: PENPOT_OIDC_NAME_ATTR
+              value: {{ .Values.config.providers.oidc.nameAttribute | quote }}
+          {{- end }}
+          {{- if .Values.config.providers.oidc.emailAttribute }}
+            - name: PENPOT_OIDC_EMAIL_ATTR
+              value: {{ .Values.config.providers.oidc.emailAttribute | quote }}
+          {{- end }}
+          {{- end }}
+
+          {{- if .Values.config.providers.ldap.enabled }}
+          {{- if .Values.config.providers.ldap.host }}
+            - name: PENPOT_LDAP_HOST
+              value: {{ .Values.config.providers.ldap.host | quote }}
+          {{- end }}
+          {{- if .Values.config.providers.ldap.port }}
+            - name: PENPOT_LDAP_PORT
+              value: {{ .Values.config.providers.ldap.port | quote }}
+          {{- end }}
+          {{- if .Values.config.providers.ldap.ssl }}
+            - name: PENPOT_LDAP_SSL
+              value: {{ .Values.config.providers.ldap.ssl | quote }}
+          {{- end }}
+          {{- if .Values.config.providers.ldap.startTLS }}
+            - name: PENPOT_LDAP_STARTTLS
+              value: {{ .Values.config.providers.ldap.startTLS | quote }}
+          {{- end }}
+          {{- if .Values.config.providers.ldap.baseDN }}
+            - name: PENPOT_LDAP_BASE_DN
+              value: {{ .Values.config.providers.ldap.baseDN | quote }}
+          {{- end }}
+          {{- if .Values.config.providers.ldap.bindDN }}
+            - name: PENPOT_LDAP_BIND_DN
+              value: {{ .Values.config.providers.ldap.bindDN | quote }}
+          {{- end }}
+          {{- if .Values.config.providers.ldap.bindPassword }}
+            - name: PENPOT_LDAP_BIND_PASSWORD
+              value: {{ .Values.config.providers.ldap.bindPassword | quote }}
+          {{- end }}
+          {{- if .Values.config.providers.ldap.attributesUsername }}
+            - name: PENPOT_LDAP_ATTRS_USERNAME
+              value: {{ .Values.config.providers.ldap.attributesUsername | quote }}
+          {{- end }}
+          {{- if .Values.config.providers.ldap.attributesEmail }}
+            - name: PENPOT_LDAP_ATTRS_EMAIL
+              value: {{ .Values.config.providers.ldap.attributesEmail | quote }}
+          {{- end }}
+          {{- if .Values.config.providers.ldap.attributesFullname }}
+            - name: PENPOT_LDAP_ATTRS_FULLNAME
+              value: {{ .Values.config.providers.ldap.attributesFullname | quote }}
+          {{- end }}
+          {{- if .Values.config.providers.ldap.attributesPhoto }}
+            - name: PENPOT_LDAP_ATTRS_PHOTO
+              value: {{ .Values.config.providers.ldap.attributesPhoto | quote }}
+          {{- end }}
+          {{- end }}
+          ports:
+            - name: http
+              containerPort: {{ .Values.exporter.service.port }}
+              protocol: TCP
+          resources:
+            {{- toYaml .Values.exporter.resources | nindent 12 }}
+      {{- with .Values.exporter.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+    {{- with .Values.exporter.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+    {{- end }}
+    {{- with .Values.exporter.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+    {{- end }}
--- a/charts/penpot/templates/deployment-frontend.yaml
+++ b/charts/penpot/templates/deployment-frontend.yaml
@@ -0,0 +1,375 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "penpot.fullname" . }}-frontend
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "penpot.labels" . | nindent 4 }}
+spec:
+  replicas: {{ .Values.frontend.replicaCount }}
+  selector:
+    matchLabels:
+      {{- include "penpot.frontendSelectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      labels:
+        {{- include "penpot.frontendSelectorLabels" . | nindent 8 }}
+    spec:
+    {{- with .Values.global.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+    {{- end }}
+      serviceAccountName: {{ include "penpot.serviceAccountName" . }}
+      affinity:
+        podAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+          - labelSelector:
+              matchExpressions:
+              - key: app.kubernetes.io/instance
+                operator: In
+                values:
+                - {{ .Release.Name }}
+            topologyKey: "kubernetes.io/hostname"
+      containers:
+        - name: {{ .Chart.Name }}-frontend
+          image: "{{ .Values.frontend.image.repository }}:{{ .Values.frontend.image.tag }}"
+          imagePullPolicy: {{ .Values.frontend.image.imagePullPolicy }}
+          env:
+            - name: PENPOT_PUBLIC_URI
+              value: {{ .Values.config.publicURI | quote }}
+            - name: PENPOT_FLAGS
+              value: "$PENPOT_FLAGS {{ .Values.config.flags }}"
+            - name: PENPOT_SECRET_KEY
+              value: {{ .Values.config.apiSecretKey | quote }}
+            - name: PENPOT_DATABASE_URI
+              value: "postgresql://{{ .Values.config.postgresql.host }}:{{ .Values.config.postgresql.port }}/{{ .Values.config.postgresql.database }}"
+            - name: PENPOT_DATABASE_USERNAME
+            {{- if not .Values.config.postgresql.secretKeys.usernameKey }}
+              value: {{ .Values.config.postgresql.username | quote }}
+            {{- else }}
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.config.postgresql.existingSecret }}
+                  key: {{ .Values.config.postgresql.secretKeys.usernameKey }}
+            {{- end }}
+            - name: PENPOT_DATABASE_PASSWORD
+            {{- if not .Values.config.postgresql.secretKeys.passwordKey }}
+              value: {{ .Values.config.postgresql.password | quote }}
+            {{- else }}
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.config.postgresql.existingSecret }}
+                  key: {{ .Values.config.postgresql.secretKeys.passwordKey }}
+            {{- end }}
+            - name: PENPOT_REDIS_URI
+              value: "redis://{{ .Values.config.redis.host }}:{{ .Values.config.redis.port }}/{{ .Values.config.redis.database }}"
+            - name: PENPOT_ASSETS_STORAGE_BACKEND
+              value: {{ .Values.config.assets.storageBackend | quote }}
+          {{- if eq .Values.config.assets.storageBackend "assets-fs" }}
+            - name: PENPOT_STORAGE_ASSETS_FS_DIRECTORY
+              value: {{ .Values.config.assets.filesystem.directory | quote }}
+          {{- else if eq .Values.config.assets.storageBackend "assets-s3" }}
+            - name: PENPOT_STORAGE_ASSETS_S3_REGION
+              value: {{ .Values.config.assets.s3.region | quote }}
+            - name: PENPOT_STORAGE_ASSETS_S3_BUCKET
+              value: {{ .Values.config.assets.s3.bucket | quote }}
+            - name: AWS_ACCESS_KEY_ID
+          {{- if not .Values.config.assets.s3.secretKeys.accessKeyIDKey }}
+              value: {{ .Values.config.assets.s3.accessKeyID | quote }}
+          {{- else }}
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.config.assets.s3.existingSecret }}
+                  key: {{ .Values.config.assets.s3.secretKeys.accessKeyIDKey }}
+          {{- end }}
+            - name: AWS_SECRET_ACCESS_KEY
+          {{- if not .Values.config.assets.s3.secretKeys.secretAccessKey }}
+              value: {{ .Values.config.assets.s3.secretAccessKey | quote }}
+          {{- else }}
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.config.assets.s3.existingSecret }}
+                  key: {{ .Values.config.assets.s3.secretKeys.secretAccessKey }}
+          {{- end }}
+            - name: PENPOT_STORAGE_ASSETS_S3_ENDPOINT
+          {{- if not .Values.config.assets.s3.secretKeys.endpointURIKey }}
+              value: {{ .Values.config.assets.s3.endpointURI | quote }}
+          {{- else }}
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.config.assets.s3.existingSecret }}
+                  key: {{ .Values.config.assets.s3.secretKeys.endpointURIKey }}
+          {{- end }}
+          {{- end }}
+            - name: PENPOT_TELEMETRY_ENABLED
+              value: {{ .Values.config.telemetryEnabled | quote }}
+
+          {{- if .Values.config.smtp.enabled }}
+          {{- if .Values.config.smtp.defaultFrom }}
+            - name: PENPOT_SMTP_DEFAULT_FROM
+              value: {{ .Values.config.smtp.defaultFrom | quote }}
+          {{- end }}
+          {{- if .Values.config.smtp.defaultReplyTo }}
+            - name: PENPOT_SMTP_DEFAULT_REPLY_TO
+              value: {{ .Values.config.smtp.defaultReplyTo | quote }}
+          {{- end }}
+          {{- if .Values.config.smtp.host }}
+            - name: PENPOT_SMTP_HOST
+              value: {{ .Values.config.smtp.host | quote }}
+          {{- end }}
+          {{- if .Values.config.smtp.port }}
+            - name: PENPOT_SMTP_PORT
+              value: {{ .Values.config.smtp.port | quote }}
+          {{- end }}
+          {{- if not .Values.config.smtp.secretKeys.usernameKey }}
+            - name: PENPOT_SMTP_USERNAME
+              value: {{ .Values.config.smtp.username | quote }}
+          {{- else }}
+            - name: PENPOT_SMTP_USERNAME
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.config.smtp.existingSecret }}
+                  key: {{ .Values.config.smtp.secretKeys.usernameKey }}
+          {{- end }}
+          {{- if not .Values.config.smtp.secretKeys.passwordKey }}
+            - name: PENPOT_SMTP_PASSWORD
+              value: {{ .Values.config.smtp.password | quote }}
+          {{- else }}
+            - name: PENPOT_SMTP_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.config.smtp.existingSecret }}
+                  key: {{ .Values.config.smtp.secretKeys.passwordKey }}
+          {{- end }}
+          {{- if .Values.config.smtp.tls }}
+            - name: PENPOT_SMTP_TLS
+              value: {{ .Values.config.smtp.tls | quote }}
+          {{- end }}
+          {{- if .Values.config.smtp.ssl }}
+            - name: PENPOT_SMTP_SSL
+              value: {{ .Values.config.smtp.ssl | quote }}
+          {{- end }}
+          {{- end }}
+
+
+          {{- if .Values.config.registrationDomainWhitelist }}
+            - name: PENPOT_REGISTRATION_DOMAIN_WHITELIST
+              value: {{ .Values.config.registrationDomainWhitelist | quote }}
+          {{- end }}
+
+          {{- if .Values.config.providers.google.enabled }}
+          {{- if not .Values.config.providers.secretKeys.googleClientIDKey }}
+            - name: PENPOT_GOOGLE_CLIENT_ID
+              value: {{ .Values.config.providers.google.clientID | quote }}
+          {{- else }}
+            - name: PENPOT_GOOGLE_CLIENT_ID
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.config.providers.existingSecret }}
+                  key: {{ .Values.config.providers.secretKeys.googleClientIDKey }}
+          {{- end }}
+          {{- if not .Values.config.providers.secretKeys.googleClientSecretKey}}
+            - name: PENPOT_GOOGLE_CLIENT_SECRET
+              value: {{ .Values.config.providers.google.clientSecret | quote }}
+          {{- else }}
+            - name: PENPOT_GOOGLE_CLIENT_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.config.providers.existingSecret }}
+                  key: {{ .Values.config.providers.secretKeys.googleClientSecretKey }}
+          {{- end }}
+          {{- end }}
+
+          {{- if .Values.config.providers.github.enabled }}
+          {{- if not .Values.config.providers.secretKeys.githubClientIDKey }}
+            - name: PENPOT_GITHUB_CLIENT_ID
+              value: {{ .Values.config.providers.github.clientID | quote }}
+          {{- else }}
+            - name: PENPOT_GITHUB_CLIENT_ID
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.config.providers.existingSecret }}
+                  key: {{ .Values.config.providers.secretKeys.githubClientIDKey }}
+          {{- end }}
+          {{- if not .Values.config.providers.secretKeys.githubClientSecretKey  }}
+            - name: PENPOT_GITHUB_CLIENT_SECRET
+              value: {{ .Values.config.providers.github.clientSecret | quote }}
+          {{- else }}
+            - name: PENPOT_GITHUB_CLIENT_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.config.providers.existingSecret }}
+                  key: {{ .Values.config.providers.secretKeys.githubClientSecretKey }}
+          {{- end }}
+          {{- end }}
+
+          {{- if .Values.config.providers.gitlab.enabled }}
+          {{- if .Values.config.providers.gitlab.baseURI }}
+            - name: PENPOT_GITLAB_BASE_URI
+              value: {{ .Values.config.providers.gitlab.baseURI | quote }}
+          {{- end }}
+          {{- if not .Values.config.providers.secretKeys.gitlabClientIDKey }}
+            - name: PENPOT_GITLAB_CLIENT_ID
+              value: {{ .Values.config.providers.gitlab.clientID | quote }}
+          {{- else }}
+            - name: PENPOT_GITLAB_CLIENT_ID
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.config.providers.existingSecret }}
+                  key: {{ .Values.config.providers.secretKeys.gitlabClientIDKey }}
+          {{- end }}
+          {{- if not .Values.config.providers.secretKeys.gitlabClientSecretKey }}
+            - name: PENPOT_GITLAB_CLIENT_SECRET
+              value: {{ .Values.config.providers.gitlab.clientSecret | quote }}
+          {{- else }}
+            - name: PENPOT_GITLAB_CLIENT_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.config.providers.existingSecret }}
+                  key: {{ .Values.config.providers.secretKeys.gitlabClientSecretKey }}
+          {{- end }}
+          {{- end }}
+
+          {{- if .Values.config.providers.oidc.enabled }}
+          {{- if .Values.config.providers.oidc.baseURI }}
+            - name: PENPOT_OIDC_BASE_URI
+              value: {{ .Values.config.providers.oidc.baseURI | quote }}
+          {{- end }}
+          {{- if not .Values.config.providers.secretKeys.oidcClientIDKey }}
+            - name: PENPOT_OIDC_CLIENT_ID
+              value: {{ .Values.config.providers.oidc.clientID | quote}}
+          {{- else }}
+            - name: PENPOT_OIDC_CLIENT_ID
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.config.providers.existingSecret }}
+                  key: {{ .Values.config.providers.secretKeys.oidcClientIDKey }}
+          {{- end }}
+          {{- if not .Values.config.providers.secretKeys.oidcClientSecretKey}}
+            - name: PENPOT_OIDC_CLIENT_SECRET
+              value: {{ .Values.config.providers.oidc.clientSecret | quote }}
+          {{- else }}
+            - name: PENPOT_OIDC_CLIENT_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.config.providers.existingSecret }}
+                  key: {{ .Values.config.providers.secretKeys.oidcClientSecretKey }}
+          {{- end }}
+          {{- if .Values.config.providers.oidc.authURI }}
+            - name: PENPOT_OIDC_AUTH_URI
+              value: {{ .Values.config.providers.oidc.authURI | quote }}
+          {{- end }}
+          {{- if .Values.config.providers.oidc.tokenURI }}
+            - name: PENPOT_OIDC_TOKEN_URI
+              value: {{ .Values.config.providers.oidc.tokenURI | quote }}
+          {{- end }}
+          {{- if .Values.config.providers.oidc.userURI }}
+            - name: PENPOT_OIDC_USER_URI
+              value: {{ .Values.config.providers.oidc.userURI | quote }}
+          {{- end }}
+          {{- if .Values.config.providers.oidc.roles }}
+            - name: PENPOT_OIDC_ROLES
+              value: {{ .Values.config.providers.oidc.roles | quote }}
+          {{- end }}
+          {{- if .Values.config.providers.oidc.rolesAttribute }}
+            - name: PENPOT_OIDC_ROLES_ATTR
+              value: {{ .Values.config.providers.oidc.rolesAttribute | quote }}
+          {{- end }}
+          {{- if .Values.config.providers.oidc.scopes }}
+            - name: PENPOT_OIDC_SCOPES
+              value: {{ .Values.config.providers.oidc.scopes | quote }}
+          {{- end }}
+          {{- if .Values.config.providers.oidc.nameAttribute }}
+            - name: PENPOT_OIDC_NAME_ATTR
+              value: {{ .Values.config.providers.oidc.nameAttribute | quote }}
+          {{- end }}
+          {{- if .Values.config.providers.oidc.emailAttribute }}
+            - name: PENPOT_OIDC_EMAIL_ATTR
+              value: {{ .Values.config.providers.oidc.emailAttribute | quote }}
+          {{- end }}
+          {{- end }}
+
+          {{- if .Values.config.providers.ldap.enabled }}
+          {{- if .Values.config.providers.ldap.host }}
+            - name: PENPOT_LDAP_HOST
+              value: {{ .Values.config.providers.ldap.host | quote }}
+          {{- end }}
+          {{- if .Values.config.providers.ldap.port }}
+            - name: PENPOT_LDAP_PORT
+              value: {{ .Values.config.providers.ldap.port | quote }}
+          {{- end }}
+          {{- if .Values.config.providers.ldap.ssl }}
+            - name: PENPOT_LDAP_SSL
+              value: {{ .Values.config.providers.ldap.ssl | quote }}
+          {{- end }}
+          {{- if .Values.config.providers.ldap.startTLS }}
+            - name: PENPOT_LDAP_STARTTLS
+              value: {{ .Values.config.providers.ldap.startTLS | quote }}
+          {{- end }}
+          {{- if .Values.config.providers.ldap.baseDN }}
+            - name: PENPOT_LDAP_BASE_DN
+              value: {{ .Values.config.providers.ldap.baseDN | quote }}
+          {{- end }}
+          {{- if .Values.config.providers.ldap.bindDN }}
+            - name: PENPOT_LDAP_BIND_DN
+              value: {{ .Values.config.providers.ldap.bindDN | quote }}
+          {{- end }}
+          {{- if .Values.config.providers.ldap.bindPassword }}
+            - name: PENPOT_LDAP_BIND_PASSWORD
+              value: {{ .Values.config.providers.ldap.bindPassword | quote }}
+          {{- end }}
+          {{- if .Values.config.providers.ldap.attributesUsername }}
+            - name: PENPOT_LDAP_ATTRS_USERNAME
+              value: {{ .Values.config.providers.ldap.attributesUsername | quote }}
+          {{- end }}
+          {{- if .Values.config.providers.ldap.attributesEmail }}
+            - name: PENPOT_LDAP_ATTRS_EMAIL
+              value: {{ .Values.config.providers.ldap.attributesEmail | quote }}
+          {{- end }}
+          {{- if .Values.config.providers.ldap.attributesFullname }}
+            - name: PENPOT_LDAP_ATTRS_FULLNAME
+              value: {{ .Values.config.providers.ldap.attributesFullname | quote }}
+          {{- end }}
+          {{- if .Values.config.providers.ldap.attributesPhoto }}
+            - name: PENPOT_LDAP_ATTRS_PHOTO
+              value: {{ .Values.config.providers.ldap.attributesPhoto | quote }}
+          {{- end }}
+          {{- end }}
+          volumeMounts:
+            - mountPath: /opt/data
+              name: app-data
+              readOnly: false
+            - mountPath: /etc/nginx/nginx.conf
+              name: "{{ include "penpot.fullname" . }}-frontend-nginx"
+              readOnly: true
+              subPath: nginx.conf
+          ports:
+            - name: http
+              containerPort: {{ .Values.frontend.service.port }}
+              protocol: TCP
+          resources:
+            {{- toYaml .Values.frontend.resources | nindent 12 }}
+      {{- with .Values.frontend.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+    {{- with .Values.frontend.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+    {{- end }}
+    {{- with .Values.frontend.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+    {{- end }}
+      volumes:
+      - name: app-data
+      {{- if .Values.persistence.enabled }}
+        persistentVolumeClaim:
+          claimName: {{ .Values.persistence.existingClaim | default ( include "penpot.fullname" . ) }}
+      {{- else }}
+        emptyDir: {}
+      {{- end }}
+      - configMap:
+          defaultMode: 420
+          name: "{{ include "penpot.fullname" . }}-frontend-nginx"
+        name: "{{ include "penpot.fullname" . }}-frontend-nginx"
--- a/charts/penpot/templates/ingress.yaml
+++ b/charts/penpot/templates/ingress.yaml
@@ -0,0 +1,53 @@
+{{- if .Values.ingress.enabled -}}
+{{- $gitVersion := .Capabilities.KubeVersion.GitVersion -}}
+{{- $fullName := include "penpot.fullname" . -}}
+{{- $svcPort := .Values.frontend.service.port -}}
+{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}}
+apiVersion: networking.k8s.io/v1
+{{- else if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}}
+apiVersion: networking.k8s.io/v1beta1
+{{- else -}}
+apiVersion: extensions/v1beta1
+{{- end }}
+kind: Ingress
+metadata:
+  name: {{ $fullName }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "penpot.labels" . | nindent 4 }}
+  {{- with .Values.ingress.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+{{- if .Values.ingress.tls }}
+  tls:
+  {{- range .Values.ingress.tls }}
+    - hosts:
+      {{- range .hosts }}
+        - {{ . | quote }}
+      {{- end }}
+      secretName: {{ .secretName }}
+  {{- end }}
+{{- end }}
+  rules:
+  {{- range .Values.ingress.hosts }}
+    - host: {{ .host | quote }}
+      http:
+        paths:
+{{ if semverCompare ">=1.19-0" $gitVersion }}
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: {{ $fullName }}
+                port:
+                  number: {{ $svcPort }}
+{{ else }}
+          - path: /
+            backend:
+              serviceName: {{ $fullName }}
+              servicePort: {{ $svcPort }}
+{{- end }}
+  {{- end }}
+{{- end }}
--- a/charts/penpot/templates/persistent-volume-claim.yaml
+++ b/charts/penpot/templates/persistent-volume-claim.yaml
@@ -0,0 +1,24 @@
+{{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) -}}
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: {{ include "penpot.fullname" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+{{- include "penpot.labels" . | nindent 4 }}
+{{- if .Values.persistence.annotations }}
+  annotations:
+{{ toYaml .Values.persistence.annotations | indent 4 }}
+{{- end }}
+spec:
+  accessModes:
+  {{- range .Values.persistence.accessModes }}
+    - {{ . | quote }}
+  {{- end }}
+  resources:
+    requests:
+      storage: {{ .Values.persistence.size | quote }}
+{{- if .Values.persistence.storageClass }}
+  storageClassName: "{{ .Values.persistence.storageClass }}"
+{{- end }}
+{{- end -}}
--- a/charts/penpot/templates/service-account.yaml
+++ b/charts/penpot/templates/service-account.yaml
@@ -0,0 +1,13 @@
+{{- if .Values.serviceAccount.enabled -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "penpot.serviceAccountName" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "penpot.labels" . | nindent 4 }}
+  {{- with .Values.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- end -}}
--- a/charts/penpot/templates/service.yaml
+++ b/charts/penpot/templates/service.yaml
@@ -0,0 +1,52 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "penpot.fullname" . }}-backend
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "penpot.labels" . | nindent 4 }}
+spec:
+  type: {{ .Values.backend.service.type }}
+  ports:
+    - port: {{ .Values.backend.service.port }}
+      targetPort: http
+      protocol: TCP
+      name: http
+  selector:
+    {{- include "penpot.backendSelectorLabels" . | nindent 4 }}
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "penpot.fullname" . }}-exporter
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "penpot.labels" . | nindent 4 }}
+spec:
+  type: {{ .Values.exporter.service.type }}
+  ports:
+    - port: {{ .Values.exporter.service.port }}
+      targetPort: http
+      protocol: TCP
+      name: http
+  selector:
+    {{- include "penpot.exporterSelectorLabels" . | nindent 4 }}
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "penpot.fullname" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "penpot.labels" . | nindent 4 }}
+spec:
+  type: {{ .Values.frontend.service.type }}
+  ports:
+    - port: {{ .Values.frontend.service.port }}
+      targetPort: http
+      protocol: TCP
+      name: http
+  selector:
+    {{- include "penpot.frontendSelectorLabels" . | nindent 4 }}
--- a/charts/penpot/values.yaml
+++ b/charts/penpot/values.yaml
@@ -0,0 +1,468 @@
+## Default values for Penpot
+
+## @section Global parameters
+
+## @param global.postgresqlEnabled Whether to deploy the Bitnami PostgreSQL chart as subchart. Check [the official chart](https://artifacthub.io/packages/helm/bitnami/postgresql) for configuration.
+## @param global.redisEnabled Whether to deploy the Bitnami Redis chart as subchart. Check [the official chart](https://artifacthub.io/packages/helm/bitnami/redis) for configuration.
+## @param global.imagePullSecrets Global Docker registry secret names as an array.
+##
+global:
+  ## E.g.
+  ## imagePullSecrets:
+  ##   - myRegistryKeySecretName
+  ##
+  imagePullSecrets: []
+
+## @section Common parameters
+
+## @param nameOverride String to partially override common.names.fullname
+##
+nameOverride: ""
+## @param fullnameOverride String to fully override common.names.fullname
+##
+fullnameOverride: ""
+## @param serviceAccount.enabled Specifies whether a ServiceAccount should be created.
+## @param serviceAccount.annotations Annotations for service account. Evaluated as a template. Only used if `create` is `true`.
+## @param serviceAccount.name The name of the ServiceAccount to use. If not set and enabled is true, a name is generated using the fullname template.
+##
+serviceAccount:
+  enabled: true
+  annotations: {}
+  name: ""
+
+## @section Backend parameters
+
+## Penpot Backend
+##
+backend:
+  ## @param backend.image.repository The Docker repository to pull the image from.
+  ## @param backend.image.tag The image tag to use.
+  ## @param backend.image.imagePullPolicy The image pull policy to use.
+  ##
+  image:
+    repository: penpotapp/backend
+    tag: 2.0.1
+    imagePullPolicy: IfNotPresent
+  ## @param backend.replicaCount The number of replicas to deploy.
+  ##
+  replicaCount: 1
+  ## @param backend.service.type The service type to create.
+  ## @param backend.service.port The service port to use.
+  ##
+  service:
+    type: ClusterIP
+    port: 6060
+  ## Configure Pods Security Context
+  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
+  ## @param backend.podSecurityContext.enabled Enabled Penpot pods' security context
+  ## @param backend.podSecurityContext.fsGroup Set Penpot pod's security context fsGroup
+  ##
+  podSecurityContext:
+    enabled: true
+    fsGroup: 1001
+  ## Configure Container Security Context
+  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
+  ## @param backend.containerSecurityContext.enabled Enabled Penpot containers' security context
+  ## @param backend.containerSecurityContext.runAsUser Set Penpot containers' security context runAsUser
+  ## @param backend.containerSecurityContext.allowPrivilegeEscalation Set Penpot containers' security context allowPrivilegeEscalation
+  ## @param backend.containerSecurityContext.capabilities.drop Set Penpot containers' security context capabilities to be dropped
+  ## @param backend.containerSecurityContext.readOnlyRootFilesystem Set Penpot containers' security context readOnlyRootFilesystem
+  ## @param backend.containerSecurityContext.runAsNonRoot Set Penpot container's security context runAsNonRoot
+  ##
+  containerSecurityContext:
+    enabled: true
+    runAsUser: 1001
+    allowPrivilegeEscalation: false
+    capabilities:
+      drop:
+      - all
+    readOnlyRootFilesystem: false
+    runAsNonRoot: true
+  ## @param backend.affinity Affinity for Penpot pods assignment
+  ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
+  ##
+  affinity: {}
+  ## @param backend.nodeSelector Node labels for Penpot pods assignment
+  ## ref: https://kubernetes.io/docs/user-guide/node-selection/
+  ##
+  nodeSelector: {}
+  ## @param backend.tolerations Tolerations for Penpot pods assignment
+  ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
+  ##
+  tolerations: []
+  ## Penpot backend resource requests and limits
+  ## ref: https://kubernetes.io/docs/user-guide/compute-resources/
+  ## @param backend.resources.limits The resources limits for the Penpot backend containers
+  ## @param backend.resources.requests The requested resources for the Penpot backend containers
+  ##
+  resources:
+    limits: {}
+    requests: {}
+
+## @section Frontend parameters
+
+## Penpot Frontend
+##
+frontend:
+  ## @param frontend.image.repository The Docker repository to pull the image from.
+  ## @param frontend.image.tag The image tag to use.
+  ## @param frontend.image.imagePullPolicy The image pull policy to use.
+  ##
+  image:
+    repository: penpotapp/frontend
+    tag: 2.0.1
+    imagePullPolicy: IfNotPresent
+  ## @param frontend.replicaCount The number of replicas to deploy.
+  ##
+  replicaCount: 1
+  ## @param frontend.service.type The service type to create.
+  ## @param frontend.service.port The service port to use.
+  ##
+  service:
+    type: ClusterIP
+    port: 80
+  ## @param frontend.affinity Affinity for Penpot pods assignment
+  ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
+  ##
+  affinity: {}
+  ## @param frontend.nodeSelector Node labels for Penpot pods assignment
+  ## ref: https://kubernetes.io/docs/user-guide/node-selection/
+  ##
+  nodeSelector: {}
+  ## @param frontend.tolerations Tolerations for Penpot pods assignment
+  ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
+  ##
+  tolerations: []
+  ## Penpot frontend resource requests and limits
+  ## ref: https://kubernetes.io/docs/user-guide/compute-resources/
+  ## @param frontend.resources.limits The resources limits for the Penpot frontend containers
+  ## @param frontend.resources.requests The requested resources for the Penpot frontend containers
+  ##
+  resources:
+    limits: {}
+    requests: {}
+
+## @section Exporter parameters
+
+## Penpot Exporter
+##
+exporter:
+  ## @param exporter.image.repository The Docker repository to pull the image from.
+  ## @param exporter.image.tag The image tag to use.
+  ## @param exporter.image.imagePullPolicy The image pull policy to use.
+  ##
+  image:
+    repository: penpotapp/exporter
+    tag: 2.0.1
+    imagePullPolicy: IfNotPresent
+  ## @param exporter.replicaCount The number of replicas to deploy.
+  ##
+  replicaCount: 1
+  ## @param exporter.service.type The service type to create.
+  ## @param exporter.service.port The service port to use.
+  ##
+  service:
+    type: ClusterIP
+    port: 6061
+  ## Configure Pods Security Context
+  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
+  ## @param exporter.podSecurityContext.enabled Enabled Penpot pods' security context
+  ## @param exporter.podSecurityContext.fsGroup Set Penpot pod's security context fsGroup
+  ##
+  podSecurityContext:
+    enabled: true
+    fsGroup: 1001
+  ## Configure Container Security Context
+  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
+  ## @param exporter.containerSecurityContext.enabled Enabled Penpot containers' security context
+  ## @param exporter.containerSecurityContext.runAsUser Set Penpot containers' security context runAsUser
+  ## @param exporter.containerSecurityContext.allowPrivilegeEscalation Set Penpot containers' security context allowPrivilegeEscalation
+  ## @param exporter.containerSecurityContext.capabilities.drop Set Penpot containers' security context capabilities to be dropped
+  ## @param exporter.containerSecurityContext.readOnlyRootFilesystem Set Penpot containers' security context readOnlyRootFilesystem
+  ## @param exporter.containerSecurityContext.runAsNonRoot Set Penpot container's security context runAsNonRoot
+  ##
+  containerSecurityContext:
+    enabled: true
+    runAsUser: 1001
+    allowPrivilegeEscalation: false
+    capabilities:
+      drop:
+      - all
+    readOnlyRootFilesystem: false
+    runAsNonRoot: true
+  ## @param exporter.affinity Affinity for Penpot pods assignment
+  ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
+  ##
+  affinity: {}
+  ## @param exporter.nodeSelector Node labels for Penpot pods assignment
+  ## ref: https://kubernetes.io/docs/user-guide/node-selection/
+  ##
+  nodeSelector: {}
+  ## @param exporter.tolerations Tolerations for Penpot pods assignment
+  ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
+  ##
+  tolerations: []
+  ## Penpot exporter resource requests and limits
+  ## ref: https://kubernetes.io/docs/user-guide/compute-resources/
+  ## @param exporter.resources.limits The resources limits for the Penpot exporter containers
+  ## @param exporter.resources.requests The requested resources for the Penpot exporter containers
+  ##
+  resources:
+    limits: {}
+    requests: {}
+
+## @section Ingress parameters
+
+## @param frontend.ingress.enabled Enable ingress record generation for Penpot frontend.
+## @param frontend.ingress.annotations Mapped annotations for the frontend ingress.
+## @param frontend.ingress.hosts Array style hosts for the frontend ingress.
+## @param frontend.ingress.tls Array style TLS secrets for the frontend ingress.
+##
+ingress:
+  enabled: false
+  ## E.g.
+  ## annotations:
+  ##   kubernetes.io/ingress.class: nginx
+  ##   kubernetes.io/tls-acme: "true"
+  ##
+  annotations:
+    {}
+  ## E.g.
+  ## hosts:
+  ##   - host: penpot-example.local
+  hosts: []
+  ## E.g.
+  ##  - secretName: chart-example-tls
+  ##    hosts:
+  ##      - chart-example.local
+  tls: []
+
+## @section Persistence parameters
+
+## Penpot persistence
+##
+persistence:
+  ## @param persistence.enabled Enable persistence using Persistent Volume Claims.
+  ##
+  enabled: false
+  ## @param persistence.storageClass Persistent Volume storage class.
+  ## If defined, storageClassName: <storageClass>.
+  ## If undefined (the default) or set to null, no storageClassName spec is set, choosing the default provisioner.
+  ##
+  storageClass: ""
+  ## @param persistence.size Persistent Volume size.
+  ##
+  size: 8Gi
+  ## @param persistence.existingClaim The name of an existing PVC to use for persistence.
+  ##
+  existingClaim: ""
+  ## @param persistence.accessModes Persistent Volume access modes.
+  ##
+  accessModes:
+    - ReadWriteOnce
+  ## @param persistence.annotations Persistent Volume Claim annotations.
+  ##
+  annotations: {}
+
+## @section Configuration parameters
+
+## Penpot configuration
+##
+config:
+  ## @param config.publicURI The public domain to serve Penpot on. Set `disable-secure-session-cookies` in the flags if you plan on serving it on a non HTTPS domain.
+  ## @param config.flags The feature flags to enable. Check [the official docs](https://help.penpot.app/technical-guide/configuration/) for more info.
+  ## @param config.apiSecretKey A random secret key needed for persistent user sessions. Generate with `openssl rand -hex 16` for example.
+  ##
+  publicURI: "http://localhost:8080"
+  flags: "enable-registration enable-login disable-demo-users disable-demo-warning"
+  apiSecretKey:
+    existingSecretName: ""
+    existingSecretKey: ""
+  ## @param config.postgresql.host The PostgreSQL host to connect to.
+  ## @param config.postgresql.port The PostgreSQL host port to use.
+  ## @param config.postgresql.database The PostgreSQL database to use.
+  ## @param config.postgresql.username The database username to use.
+  ## @param config.postgresql.password The database username to use.
+  ## @param config.postgresql.existingSecret The name of an existing secret.
+  ## @param config.postgresql.secretKeys.usernameKey The username key to use from an existing secret.
+  ## @param config.postgresql.secretKeys.passwordKey The password key to use from an existing secret.
+  ##
+  postgresql:
+    host: "postgresql.penpot.svc.cluster.local"
+    port: 5432
+    username: ""
+    password: ""
+    database: ""
+    existingSecret: ""
+    secretKeys:
+      usernameKey: ""
+      passwordKey: ""
+  ## @param config.redis.host The Redis host to connect to.
+  ## @param config.redis.port The Redis host port to use.
+  ## @param config.redis.database The Redis database to connect to.
+  ##
+  redis:
+    host: "redis-headless.penpot.svc.cluster.local"
+    port: 6379
+    database: "0"
+  ## @param config.assets.storageBackend The storage backend for assets to use. Use `assets-fs` for filesystem, and `assets-s3` for S3.
+  ## @param config.assets.filesystem.directory The storage directory to use if you chose the filesystem storage backend.
+  ## @param config.assets.s3.accessKeyID The S3 access key ID to use if you chose the S3 storage backend.
+  ## @param config.assets.s3.secretAccessKey The S3 secret access key to use if you chose the S3 storage backend.
+  ## @param config.assets.s3.region The S3 region to use if you chose the S3 storage backend.
+  ## @param config.assets.s3.bucket The name of the S3 bucket to use if you chose the S3 storage backend.
+  ## @param config.assets.s3.endpointURI The S3 endpoint URI to use if you chose the S3 storage backend.
+  ## @param config.assets.s3.existingSecret The name of an existing secret.
+  ## @param config.assets.s3.secretKeys.accessKeyIDKey The S3 access key ID to use from an existing secret.
+  ## @param config.assets.s3.secretKeys.secretAccessKey The S3 secret access key to use from an existing secret.
+  ## @param config.assets.s3.secretKeys.endpointURIKey The S3 endpoint URI to use from an existing secret.
+  ##
+  assets:
+    storageBackend: "assets-fs"
+    filesystem:
+      directory: "/opt/data/assets"
+    s3:
+      accessKeyID: ""
+      secretAccessKey: ""
+      region: ""
+      bucket: ""
+      endpointURI: ""
+      existingSecret: ""
+      secretKeys:
+        accessKeyIDKey: ""
+        secretAccessKey: ""
+        endpointURIKey: ""
+  ## @param config.telemetryEnabled Whether to enable sending of anonymous telemetry data.
+  ##
+  telemetryEnabled: true
+  ## @param config.smtp.enabled Whether to enable SMTP configuration. You also need to add the 'enable-smtp' flag to the PENPOT_FLAGS variable.
+  ## @param config.smtp.defaultFrom The SMTP default email to send from.
+  ## @param config.smtp.defaultReplyTo The SMTP default email to reply to.
+  ## @param config.smtp.host The SMTP host to use.
+  ## @param config.smtp.port The SMTP host port to use.
+  ## @param config.smtp.username The SMTP username to use.
+  ## @param config.smtp.password The SMTP password to use.
+  ## @param config.smtp.tls Whether to use TLS for the SMTP connection.
+  ## @param config.smtp.ssl Whether to use SSL for the SMTP connection.
+  ## @param config.smtp.existingSecret The name of an existing secret.
+  ## @param config.smtp.secretKeys.usernameKey The SMTP username to use from an existing secret.
+  ## @param config.smtp.secretKeys.passwordKey The SMTP password to use from an existing secret.
+  ##
+  smtp:
+    enabled: false
+    defaultFrom: ""
+    defaultReplyTo: ""
+    host: ""
+    port: ""
+    username: ""
+    password: ""
+    tls: true
+    ssl: false
+    existingSecret: ""
+    secretKeys:
+      usernameKey: ""
+      passwordKey: ""
+  ## @param config.registrationDomainWhitelist Comma separated list of allowed domains to register. Empty to allow all domains.
+  ##
+  registrationDomainWhitelist: ""
+  ## Penpot Authentication providers parameters
+  ##
+  providers:
+    ## @param config.providers.google.enabled Whether to enable Google configuration. To enable Google auth, add `enable-login-with-google` to the flags.
+    ## @param config.providers.google.clientID The Google client ID to use. To enable Google auth, add `enable-login-with-google` to the flags.
+    ## @param config.providers.google.clientSecret The Google client secret to use. To enable Google auth, add `enable-login-with-google` to the flags.
+    ##
+    google:
+      enabled: false
+      clientID: ""
+      clientSecret: ""
+    ## @param config.providers.github.enabled Whether to enable GitHub configuration. To enable GitHub auth, also add `enable-login-with-github` to the flags.
+    ## @param config.providers.github.clientID The GitHub client ID to use.
+    ## @param config.providers.github.clientSecret The GitHub client secret to use.
+    ##
+    github:
+      enabled: false
+      clientID: ""
+      clientSecret: ""
+    ## @param config.providers.gitlab.enabled Whether to enable GitLab configuration. To enable GitLab auth, also add `enable-login-with-gitlab` to the flags.
+    ## @param config.providers.gitlab.baseURI The GitLab base URI to use.
+    ## @param config.providers.gitlab.clientID The GitLab client ID to use.
+    ## @param config.providers.gitlab.clientSecret The GitLab client secret to use.
+    ##
+    gitlab:
+      enabled: false
+      baseURI: "https://gitlab.com"
+      clientID: ""
+      clientSecret: ""
+    ## @param config.providers.oidc.enabled Whether to enable OIDC configuration. To enable OpenID Connect auth, also add `enable-login-with-oidc` to the flags.
+    ## @param config.providers.oidc.baseURI The OpenID Connect base URI to use.
+    ## @param config.providers.oidc.clientID The OpenID Connect client ID to use.
+    ## @param config.providers.oidc.clientSecret The OpenID Connect client secret to use.
+    ## @param config.providers.oidc.authURI Optional OpenID Connect auth URI to use. Auto discovered if not provided.
+    ## @param config.providers.oidc.tokenURI Optional OpenID Connect token URI to use. Auto discovered if not provided.
+    ## @param config.providers.oidc.userURI Optional OpenID Connect user URI to use. Auto discovered if not provided.
+    ## @param config.providers.oidc.roles Optional OpenID Connect roles to use. If no role is provided, roles checking  disabled.
+    ## @param config.providers.oidc.rolesAttribute Optional OpenID Connect roles attribute to use. If not provided, the roles checking will be disabled.
+    ## @param config.providers.oidc.scopes Optional OpenID Connect scopes to use. This settings allow overwrite the required scopes, use with caution because penpot requres at least `name` and `email` attrs found on the user info. Optional, defaults to `openid profile`.
+    ## @param config.providers.oidc.nameAttribute Optional OpenID Connect name attribute to use. If not provided, the `name` prop will be used.
+    ## @param config.providers.oidc.emailAttribute Optional OpenID Connect email attribute to use. If not provided, the `email` prop will be used.
+    ##
+    oidc:
+      enabled: false
+      baseURI: ""
+      clientID: ""
+      clientSecret: ""
+      authURI: ""
+      tokenURI: ""
+      userURI: ""
+      roles: "role1 role2"
+      rolesAttribute: ""
+      scopes: "scope1 scope2"
+      nameAttribute: ""
+      emailAttribute: ""
+    ## @param config.providers.ldap.enabled Whether to enable LDAP configuration. To enable LDAP, also add `enable-login-with-ldap` to the flags.
+    ## @param config.providers.ldap.host The LDAP host to use.
+    ## @param config.providers.ldap.port The LDAP port to use.
+    ## @param config.providers.ldap.ssl Whether to use SSL for the LDAP connection.
+    ## @param config.providers.ldap.startTLS Whether to utilize StartTLS for the LDAP connection.
+    ## @param config.providers.ldap.baseDN The LDAP base DN to use.
+    ## @param config.providers.ldap.bindDN The LDAP bind DN to use.
+    ## @param config.providers.ldap.bindPassword The LDAP bind password to use.
+    ## @param config.providers.ldap.attributesUsername The LDAP attributes username to use.
+    ## @param config.providers.ldap.attributesEmail The LDAP attributes email to use.
+    ## @param config.providers.ldap.attributesFullname The LDAP attributes fullname to use.
+    ## @param config.providers.ldap.attributesPhoto The LDAP attributes photo format to use.
+    ##
+    ldap:
+      enabled: false
+      host: "ldap"
+      port: 10389
+      ssl: false
+      startTLS: false
+      baseDN: "ou=people,dc=planetexpress,dc=com"
+      bindDN: "cn=admin,dc=planetexpress,dc=com"
+      bindPassword: "GoodNewsEveryone"
+      attributesUsername: "uid"
+      attributesEmail: "mail"
+      attributesFullname: "cn"
+      attributesPhoto: "jpegPhoto"
+    ## @param config.providers.existingSecret The name of an existing secret to use.
+    ## @param config.providers.secretKeys.googleClientIDKey The Google client ID key to use from an existing secret.
+    ## @param config.providers.secretKeys.googleClientSecretKey The Google client secret key to use from an existing secret.
+    ## @param config.providers.secretKeys.githubClientIDKey The GitHub client ID key to use from an existing secret.
+    ## @param config.providers.secretKeys.githubClientSecretKey The GitHub client secret key to use from an existing secret.
+    ## @param config.providers.secretKeys.gitlabClientIDKey The GitLab client ID key to use from an existing secret.
+    ## @param config.providers.secretKeys.gitlabClientSecretKey The GitLab client secret key to use from an existing secret.
+    ## @param config.providers.secretKeys.oidcClientIDKey The OpenID Connect client ID key to use from an existing secret.
+    ## @param config.providers.secretKeys.oidcClientSecretKey The OpenID Connect client secret key to use from an existing secret.
+    ##
+    existingSecret: ""
+    secretKeys:
+      googleClientIDKey: ""
+      googleClientSecretKey: ""
+      githubClientIDKey: ""
+      githubClientSecretKey: ""
+      gitlabClientIDKey: ""
+      gitlabClientSecretKey: ""
+      oidcClientIDKey: ""
+      oidcClientSecretKey: ""
--- a/charts/postgres-cluster-upgrade/Chart.yaml
+++ b/charts/postgres-cluster-upgrade/Chart.yaml
@@ -1,14 +0,0 @@
-apiVersion: v2
-name: postgres-cluster-upgrade
-version: 0.1.1
-description: Chart for upgrading a cloudnative-pg cluster in the same namespace
-keywords:
-  - database
-  - postgres
-  - upgrade
-sources:
-  - https://github.com/cloudnative-pg/cloudnative-pg
-maintainers:
-  - name: alexlebens
-icon: https://avatars.githubusercontent.com/u/100373852?s=48&v=4
-appVersion: v1.22.1
--- a/charts/postgres-cluster-upgrade/README.md
+++ b/charts/postgres-cluster-upgrade/README.md
@@ -1,17 +0,0 @@
-## Introduction
-
-[CloudNative PG](https://github.com/cloudnative-pg/cloudnative-pg)
-
-CloudNativePG is the Kubernetes operator that covers the full lifecycle of a highly available PostgreSQL database cluster with a primary/standby architecture, using native streaming replication.
-
-This chart bootstraps a [CNPG](https://github.com/cloudnative-pg/cloudnative-pg) cluster on a [Kubernetes](https://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager.
-
-## Prerequisites
-
- Kubernetes
- Helm
- CloudNative PG Operator
-
-## Parameters
-
-See the [values files](values.yaml).
--- a/charts/postgres-cluster-upgrade/templates/backup.yaml
+++ b/charts/postgres-cluster-upgrade/templates/backup.yaml
@@ -1,17 +0,0 @@
-{{- if .Values.backup.inititeBackup }}
-apiVersion: postgresql.cnpg.io/v1
-kind: Backup
-metadata:
-  name: "postgresql-{{ .Release.Name }}-cluster-upgrade-backup"
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: "postgresql-{{ .Release.Name }}-cluster-upgrade-backup"
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/version: {{ .Chart.AppVersion }}
-    app.kubernetes.io/component: database
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  method: barmanObjectStore
-  cluster:
-    name: "postgresql-{{ .Release.Name }}-cluster-upgrade"
-{{- end }}
--- a/charts/postgres-cluster-upgrade/templates/postgresql-cluster.yaml
+++ b/charts/postgres-cluster-upgrade/templates/postgresql-cluster.yaml
@@ -1,68 +0,0 @@
-apiVersion: postgresql.cnpg.io/v1
-kind: Cluster
-metadata:
-  name: "postgresql-{{ .Release.Name }}-cluster-upgrade"
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: "postgresql-{{ .Release.Name }}-cluster-upgrade"
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/version: {{ .Chart.AppVersion }}
-    app.kubernetes.io/component: database
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  imageName: "{{ .Values.cluster.image.repository }}:{{ .Values.cluster.image.tag }}"
-  instances: {{ .Values.cluster.instances }}
-  affinity:
-    enablePodAntiAffinity: true
-    topologyKey: kubernetes.io/hostname
-  postgresql:
-    parameters:
-      {{- toYaml .Values.cluster.parameters | nindent 6 }}
-  resources:
-    {{- toYaml .Values.cluster.resources | nindent 4 }}
-  storage:
-    storageClass: {{ .Values.cluster.storage.data.storageClass }}
-    size: {{ .Values.cluster.storage.data.size }}
-  walStorage:
-    storageClass: {{ .Values.cluster.storage.wal.storageClass }}
-    size: {{ .Values.cluster.storage.wal.size }}
-  monitoring:
-    enablePodMonitor: true
-
-  bootstrap:
-    initdb:
-      import:
-        type: {{ .Values.upgrade.importType }}
-        databases:
-          {{- toYaml .Values.upgrade.importDatabases | nindent 10 }}
-        source:
-          externalCluster: "postgresql-{{ .Release.Name }}-cluster"
-  externalClusters:
-    - name: "postgresql-{{ .Release.Name }}-cluster"
-      connectionParameters:
-        host: "postgresql-{{ .Release.Name }}-cluster-rw"
-        user: app
-        dbname: app
-      password:
-        name: "postgresql-{{ .Release.Name }}-cluster-app"
-        key: password
-
-  {{- if .Values.backup.backupEnabled }}
-  backup:
-    retentionPolicy: "{{ .Values.backup.retentionPolicy }}"
-    barmanObjectStore:
-      destinationPath: "s3://{{ .Values.backup.bucket }}/{{ .Values.cluster.name }}/postgresql/{{ .Release.Name }}-cluster"
-      endpointURL: {{ .Values.backup.endpointURL }}
-      serverName: "postgresql-{{ .Release.Name }}-cluster-backup-index-{{ .Values.backup.backupIndex }}"
-      s3Credentials:
-        accessKeyId:
-          name: "postgresql-{{ .Release.Name }}-cluster-backup-secret"
-          key: ACCESS_KEY_ID
-        secretAccessKey:
-          name: "postgresql-{{ .Release.Name }}-cluster-backup-secret"
-          key: ACCESS_SECRET_KEY
-      data:
-        compression: {{ .Values.cluster.compression }}
-      wal:
-        compression: {{ .Values.cluster.compression }}
-  {{- end }}
--- a/charts/postgres-cluster-upgrade/values.yaml
+++ b/charts/postgres-cluster-upgrade/values.yaml
@@ -1,37 +0,0 @@
-cluster:
-  name:
-  image:
-    repository: ghcr.io/cloudnative-pg/postgresql
-    tag: 16.2
-  instances: 1
-  parameters:
-    shared_buffers: 128MB
-    max_slot_wal_keep_size: 2000MB
-    hot_standby_feedback: "on"
-  compression: snappy
-  resources:
-    requests:
-      memory: 512Mi
-      cpu: 100m
-    limits:
-      memory: 2Gi
-      cpu: 1500m
-      hugepages-2Mi: 512Mi
-  storage:
-    data:
-      storageClass:
-      size: 10Gi
-    wal:
-      storageClass:
-      size: 2Gi
-upgrade:
-  importType: microservice
-  importDatabases:
-    - app
-backup:
-  backupEnabled: true
-  inititeBackup: false  
-  retentionPolicy: 3d  
-  backupIndex: 1
-  endpointURL:
-  bucket:
--- a/charts/postgres-cluster/Chart.yaml
+++ b/charts/postgres-cluster/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v2
 name: postgres-cluster
-version: 0.2.4
+version: 2.4.2
 description: Chart for cloudnative-pg cluster
 keywords:
  - database
@@ -10,4 +10,4 @@ sources:
 maintainers:
  - name: alexlebens
 icon: https://avatars.githubusercontent.com/u/100373852?s=48&v=4
-appVersion: v1.22.1
+appVersion: v1.22.2
--- a/charts/postgres-cluster/templates/_backup.tpl
+++ b/charts/postgres-cluster/templates/_backup.tpl
@@ -0,0 +1,30 @@
+{{- define "cluster.backup" -}}
+{{- if .Values.backup.enabled }}
+backup:
+  retentionPolicy: {{ .Values.backup.retentionPolicy }}
+  barmanObjectStore:
+    destinationPath: "s3://{{ .Values.backup.endpointBucket }}/{{ .Values.kubernetesClusterName }}/postgresql/{{ include "cluster.backupName" . }}"
+    endpointURL: {{ .Values.backup.endpointURL }}
+    {{- if .Values.backup.endpointCA }}
+    endpointCA:
+      name: {{ .Values.backup.endpointCA }}
+      key: ca-bundle.crt
+    {{- end }}
+    serverName: "{{ include "cluster.name" . }}-backup-{{ .Values.backup.backupIndex }}"
+    s3Credentials:
+      accessKeyId:
+        name: {{ include "cluster.backupCredentials" . }}
+        key: ACCESS_KEY_ID
+      secretAccessKey:
+        name: {{ include "cluster.backupCredentials" . }}
+        key: ACCESS_SECRET_KEY
+    wal:
+      compression: {{ .Values.backup.wal.compression }}
+      encryption: {{ .Values.backup.wal.encryption }}
+      maxParallel: {{ .Values.backup.wal.maxParallel }}
+    data:
+      compression: {{ .Values.backup.data.compression }}
+      encryption: {{ .Values.backup.data.encryption }}
+      jobs: {{ .Values.backup.data.jobs }}
+{{- end }}
+{{- end }}
--- a/charts/postgres-cluster/templates/_bootstrap.tpl
+++ b/charts/postgres-cluster/templates/_bootstrap.tpl
@@ -0,0 +1,91 @@
+{{- define "cluster.bootstrap" -}}
+bootstrap:
+{{- if eq .Values.mode "standalone" }}
+  initdb:
+    {{- with .Values.cluster.initdb }}
+    {{- with (omit . "postInitApplicationSQL") }}
+    {{- . | toYaml | nindent 4 }}
+    {{- end }}
+    {{- end }}
+    postInitApplicationSQL:
+      {{- if eq .Values.type "postgis" }}
+      - CREATE EXTENSION IF NOT EXISTS postgis;
+      - CREATE EXTENSION IF NOT EXISTS postgis_topology;
+      - CREATE EXTENSION IF NOT EXISTS fuzzystrmatch;
+      - CREATE EXTENSION IF NOT EXISTS postgis_tiger_geocoder;
+      {{- else if eq .Values.type "timescaledb" }}
+      - CREATE EXTENSION IF NOT EXISTS timescaledb;
+      {{- end }}
+      {{- with .Values.cluster.initdb }}
+      {{- range .postInitApplicationSQL }}
+      {{- printf "- %s" . | nindent 6 }}
+      {{- end }}
+      {{- end }}
+{{- else if eq .Values.mode "replica" }}
+  initdb:
+    import:
+      type: {{ .Values.replica.importType }}
+      databases:
+        {{- if and (gt (len .Values.replica.importDatabases) 1) (eq .Values.replica.importType "microservice") }}
+          {{ fail "Too many databases in import type of microservice!" }}
+        {{- else}}
+        {{- with .Values.replica.importDatabases }}
+        {{- . | toYaml | nindent 8 }}
+        {{- end }}
+        {{- end }}        
+      {{- if eq .Values.replica.importType "monolith" }}
+      roles:
+        {{- with .Values.replica.importRoles }}
+        {{- . | toYaml | nindent 8 }}
+        {{- end }}
+      {{- end }}
+      {{- if and (.Values.replica.postImportApplicationSQL) (eq .Values.replica.importType "microservice") }}
+      postImportApplicationSQL:
+        {{- with .Values.replica.postImportApplicationSQL }}
+        {{- . | toYaml | nindent 8 }}
+        {{- end }}      
+      {{- end }}
+      source:
+        externalCluster: "{{ include "cluster.name" . }}-cluster"
+externalClusters:
+  - name: "{{ include "cluster.name" . }}-cluster"
+    {{- with .Values.replica.externalCluster }}
+    {{- . | toYaml | nindent 4 }}
+    {{- end }}    
+{{- else if eq .Values.mode "recovery" }}
+  recovery:
+    {{- with .Values.recovery.pitrTarget.time }}
+    recoveryTarget:
+      targetTime: {{ . }}
+    {{- end }}
+    source: {{ include "cluster.recoveryServerName" . }}
+externalClusters:
+  - name: {{ include "cluster.recoveryServerName" . }}
+    barmanObjectStore:
+      serverName: {{ include "cluster.recoveryServerName" . }}
+      destinationPath: "s3://{{ .Values.recovery.endpointBucket }}/{{ .Values.kubernetesClusterName }}/postgresql/{{ include "cluster.recoveryInstanceName" . }}"
+      endpointURL: {{ .Values.recovery.endpointURL }}
+      {{- with .Values.recovery.endpointCA }}
+      endpointCA:
+        name: {{ . }}
+        key: ca-bundle.crt
+      {{- end }}
+      s3Credentials:
+        accessKeyId:
+          name: {{ include "cluster.recoveryCredentials" . }}
+          key: ACCESS_KEY_ID
+        secretAccessKey:
+          name: {{ include "cluster.recoveryCredentials" . }}
+          key: ACCESS_SECRET_KEY
+      wal:
+        compression: {{ .Values.recovery.wal.compression }}
+        encryption: {{ .Values.recovery.wal.encryption }}
+        maxParallel: {{ .Values.recovery.wal.maxParallel }}
+      data:
+        compression: {{ .Values.recovery.data.compression }}
+        encryption: {{ .Values.recovery.data.encryption }}
+        jobs: {{ .Values.recovery.data.jobs }}
+{{- else }}
+  {{ fail "Invalid cluster mode!" }}
+{{- end }}
+{{- end }}
--- a/charts/postgres-cluster/templates/_helpers.tpl
+++ b/charts/postgres-cluster/templates/_helpers.tpl
@@ -0,0 +1,91 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "cluster.name" -}}
+  {{- if .Values.nameOverride }}
+    {{- .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+  {{- else }}
+    {{- printf "%s-postgresql-%s" .Release.Name ((semver .Values.cluster.image.tag).Major | toString) | trunc 63 | trimSuffix "-" -}}
+  {{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "cluster.chart" -}}
+  {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "cluster.labels" -}}
+helm.sh/chart: {{ include "cluster.chart" . }}
+{{ include "cluster.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "cluster.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "cluster.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/part-of: cloudnative-pg
+{{- end }}
+
+{{/*
+Generate name for object store credentials
+*/}}
+{{- define "cluster.recoveryCredentials" -}}
+  {{- if .Values.recovery.endpointCredentials -}}
+    {{- .Values.recovery.endpointCredentials -}}
+  {{- else -}}
+    {{- printf "%s-backup-secret" (include "cluster.name" .) | trunc 63 | trimSuffix "-" -}}
+  {{- end }}
+{{- end }}
+
+{{- define "cluster.backupCredentials" -}}
+  {{- if .Values.backup.endpointCredentials -}}
+    {{- .Values.backup.endpointCredentials -}}
+  {{- else -}}
+    {{- printf "%s-backup-secret" (include "cluster.name" .) | trunc 63 | trimSuffix "-" -}}
+  {{- end }}
+{{- end }}
+
+{{/*
+Generate backup server name
+*/}}
+{{- define "cluster.backupName" -}}
+  {{- if .Values.backup.backupName -}}
+    {{- .Values.backup.backupName -}}
+  {{- else -}}
+    {{ include "cluster.name" . }}
+  {{- end }}
+{{- end }}
+
+
+{{/*
+Generate recovery server name
+*/}}
+{{- define "cluster.recoveryServerName" -}}
+  {{- if .Values.recovery.recoveryServerName -}}
+    {{- .Values.recovery.recoveryServerName -}}
+  {{- else -}}
+    {{- printf "%s-backup-%s" (include "cluster.name" .) (toString .Values.recovery.recoveryIndex) | trunc 63 | trimSuffix "-" -}}
+  {{- end }}
+{{- end }}
+
+{{/*
+Generate recovery instance name
+*/}}
+{{- define "cluster.recoveryInstanceName" -}}
+  {{- if .Values.recovery.recoveryInstanceName -}}
+    {{- .Values.recovery.recoveryInstanceName -}}
+  {{- else -}}
+    {{ include "cluster.name" . }}
+  {{- end }}
+{{- end }}
--- a/charts/postgres-cluster/templates/cluster.yaml
+++ b/charts/postgres-cluster/templates/cluster.yaml
@@ -0,0 +1,52 @@
+apiVersion: postgresql.cnpg.io/v1
+kind: Cluster
+metadata:
+  name: {{ include "cluster.name" . }}-cluster
+  namespace: {{ .Release.Namespace }}
+  {{- with .Values.cluster.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  labels:
+    {{- include "cluster.labels" . | nindent 4 }}
+  {{- with .Values.cluster.additionalLabels }}
+    {{ toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  instances: {{ .Values.cluster.instances }}
+  imageName: "{{ .Values.cluster.image.repository }}:{{ .Values.cluster.image.tag }}"
+  imagePullPolicy: {{ .Values.cluster.image.pullPolicy }}
+  postgresUID: {{ .Values.cluster.postgresUID }}
+  postgresGID: {{ .Values.cluster.postgresGID }}
+  walStorage:
+    size: {{ .Values.cluster.walStorage.size }}
+    storageClass: {{ .Values.cluster.walStorage.storageClass }}
+  storage:
+    size: {{ .Values.cluster.storage.size }}
+    storageClass: {{ .Values.cluster.storage.storageClass }}
+  {{- with .Values.cluster.resources }}
+  resources:
+    {{- toYaml . | nindent 4 }}
+  {{ end }}
+  {{- with .Values.cluster.affinity }}
+  affinity:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  priorityClassName: {{ .Values.cluster.priorityClassName }}
+  primaryUpdateMethod: {{ .Values.cluster.primaryUpdateMethod }}
+  primaryUpdateStrategy: {{ .Values.cluster.primaryUpdateStrategy }}
+  logLevel: {{ .Values.cluster.logLevel }}
+  postgresql:
+    shared_preload_libraries:
+      {{- if eq .Values.type "timescaledb" }}
+      - timescaledb
+      {{- end }}
+    {{- with .Values.cluster.postgresql.parameters }}
+    parameters:
+      {{- toYaml . | nindent 6 }}
+    {{ end }}
+  monitoring:
+    enablePodMonitor: {{ and .Values.cluster.monitoring.enabled .Values.cluster.monitoring.podMonitor.enabled }}
+
+  {{ include "cluster.bootstrap" . | nindent 2 }}
+  {{ include "cluster.backup" . | nindent 2 }}
--- a/charts/postgres-cluster/templates/postgresql-cluster.yaml
+++ b/charts/postgres-cluster/templates/postgresql-cluster.yaml
@@ -1,81 +0,0 @@
-apiVersion: postgresql.cnpg.io/v1
-kind: Cluster
-metadata:
-  name: "postgresql-{{ .Release.Name }}-cluster"
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: postgresql
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/version: {{ .Chart.AppVersion }}
-    app.kubernetes.io/component: database
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  imageName: "{{ .Values.cluster.image.repository }}:{{ .Values.cluster.image.tag }}"
-  instances: {{ .Values.cluster.instances }}
-  replicationSlots:
-    highAvailability:
-      enabled: true
-  affinity:
-    enablePodAntiAffinity: true
-    topologyKey: kubernetes.io/hostname
-  postgresql:
-    parameters:
-      {{- toYaml .Values.cluster.parameters | nindent 6 }}
-  resources:
-    {{- toYaml .Values.cluster.resources | nindent 4 }}
-  storage:
-    storageClass: {{ .Values.cluster.storage.data.storageClass }}
-    size: {{ .Values.cluster.storage.data.size }}
-  walStorage:
-    storageClass: {{ .Values.cluster.storage.wal.storageClass }}
-    size: {{ .Values.cluster.storage.wal.size }}
-  monitoring:
-    enablePodMonitor: true
-
-  {{- if .Values.bootstrap.initdbEnabled }}
-  bootstrap:
-    initdb:
-      {{- toYaml .Values.bootstrap.initdb | nindent 6 }}
-  {{- end }}
-
-  {{- if .Values.bootstrap.recoveryEnabled }}
-  bootstrap:
-    recovery:
-      source: "postgresql-{{ .Release.Name }}-cluster-backup-index-{{ .Values.bootstrap.recoveryIndex }}"
-  externalClusters:
-    - name: "postgresql-{{ .Release.Name }}-cluster-backup-index-{{ .Values.bootstrap.recoveryIndex }}"
-      barmanObjectStore:
-        endpointURL: {{ .Values.bootstrap.endpointURL }}
-        destinationPath: "s3://{{ .Values.bootstrap.bucket }}/{{ .Values.cluster.name }}/postgresql/{{ .Release.Name }}-cluster"
-        s3Credentials:
-          accessKeyId:
-            name: "postgresql-{{ .Release.Name }}-cluster-backup-secret"
-            key: ACCESS_KEY_ID
-          secretAccessKey:
-            name: "postgresql-{{ .Release.Name }}-cluster-backup-secret"
-            key: ACCESS_SECRET_KEY
-        data:
-          compression: {{ .Values.cluster.compression }}
-        wal:
-          compression: {{ .Values.cluster.compression }}
-  {{- end }}
-
-  {{- if .Values.backup.backupEnabled }}
-  backup:
-    retentionPolicy: "{{ .Values.backup.retentionPolicy }}"
-    barmanObjectStore:
-      destinationPath: "s3://{{ .Values.backup.bucket }}/{{ .Values.cluster.name }}/postgresql/{{ .Release.Name }}-cluster"
-      endpointURL: {{ .Values.backup.endpointURL }}
-      serverName: "postgresql-{{ .Release.Name }}-cluster-backup-index-{{ .Values.backup.backupIndex }}"
-      s3Credentials:
-        accessKeyId:
-          name: "postgresql-{{ .Release.Name }}-cluster-backup-secret"
-          key: ACCESS_KEY_ID
-        secretAccessKey:
-          name: "postgresql-{{ .Release.Name }}-cluster-backup-secret"
-          key: ACCESS_SECRET_KEY
-      data:
-        compression: {{ .Values.cluster.compression }}
-      wal:
-        compression: {{ .Values.cluster.compression }}
-  {{- end }}
--- a/charts/postgres-cluster/templates/prometheus-rule.yaml
+++ b/charts/postgres-cluster/templates/prometheus-rule.yaml
@@ -0,0 +1,30 @@
+{{- if and .Values.cluster.monitoring.enabled .Values.cluster.monitoring.prometheusRule.enabled -}}
+apiVersion: monitoring.coreos.com/v1
+kind: PrometheusRule
+metadata:
+  name: {{ include "cluster.name" . }}-alert-rules
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "cluster.labels" . | nindent 4 }}
+  {{- with .Values.cluster.additionalLabels }}
+    {{ toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  groups:
+    - name: cloudnative-pg/{{ include "cluster.name" . }}
+      rules:
+        {{- $dict := dict "excludeRules" .Values.cluster.monitoring.prometheusRule.excludeRules -}}
+        {{- $_ := set $dict "value"       "{{ $value }}" -}}
+        {{- $_ := set $dict "namespace"   .Release.Namespace -}}
+        {{- $_ := set $dict "cluster"     (printf "%s-cluster" (include "cluster.name" .) ) -}}
+        {{- $_ := set $dict "labels"      (dict "job" "{{ $labels.job }}" "node" "{{ $labels.node }}" "pod" "{{ $labels.pod }}") -}}
+        {{- $_ := set $dict "podSelector" (printf "%s-cluster-([1-9][0-9]*)$" (include "cluster.name" .) ) -}}
+        {{- $_ := set $dict "Values"      .Values -}}
+        {{- $_ := set $dict "Template"    .Template -}}
+        {{- range $path, $_ := .Files.Glob  "prometheus_rules/**.yaml" }}
+        {{- $tpl := tpl ($.Files.Get $path) $dict | nindent 10 | trim -}}
+        {{- with $tpl }}
+        - {{ $tpl }}
+        {{- end -}}
+        {{- end -}}
+{{ end }}
--- a/charts/postgres-cluster/templates/scheduled-backup.yaml
+++ b/charts/postgres-cluster/templates/scheduled-backup.yaml
@@ -1,16 +1,18 @@
+{{ if .Values.backup.enabled }}
 apiVersion: postgresql.cnpg.io/v1
 kind: ScheduledBackup
 metadata:
-  name: "postgresql-{{ .Release.Name }}-cluster-backup"
+  name: {{ include "cluster.name" . }}-scheduled-backup
  namespace: {{ .Release.Namespace }}
  labels:
-    app.kubernetes.io/name: postgresql
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/version: {{ .Chart.AppVersion }}
-    app.kubernetes.io/component: database
-    app.kubernetes.io/part-of: {{ .Release.Name }}
+    {{- include "cluster.labels" . | nindent 4 }}
+  {{- with .Values.cluster.additionalLabels }}
+    {{ toYaml . | nindent 4 }}
+  {{- end }}
 spec:
+  immediate: true
  schedule: {{ .Values.backup.schedule }}
  backupOwnerReference: self
  cluster:
-    name: "postgresql-{{ .Release.Name }}-cluster"
+    name: {{ include "cluster.name" . }}-cluster
+{{ end }}
--- a/charts/postgres-cluster/values.yaml
+++ b/charts/postgres-cluster/values.yaml
@@ -1,42 +1,198 @@
+# -- Override the name of the cluster
+nameOverride: ""
+
+###
+# -- Type of the CNPG database. Available types:
+# * `postgresql`
+# * `postgis`
+# * `timescaledb`
+type: postgresql
+
+###
+# Cluster mode of operation. Available modes:
+# * `standalone` - Default mode. Creates new or updates an existing CNPG cluster.
+# * `recovery` - Same as standalone but creates a cluster from a backup, object store or via pg_basebackup
+# * `replica` - Create database as a replica from another CNPG cluster
+mode: standalone
+
+# Generates bucket name and path for recovery and backup, creates: <endpointBucket>/<clusterName>/postgresql/{{ .Release.Name }}
+kubernetesClusterName: ""
+
 cluster:
-  name: cl01tl
+  instances: 3
+
  image:
    repository: ghcr.io/cloudnative-pg/postgresql
-    tag: 16.0
-  instances: 2
+    tag: "16.2"
+    pullPolicy: IfNotPresent
+
+  # The UID and GID of the postgres user inside the image
+  postgresUID: 26
+  postgresGID: 26
+
+  walStorage:
+    size: 2Gi
+    storageClass: ""
+  storage:
+    size: 10Gi
+    storageClass: ""
+
+  resources:
+    requests:
+      memory: 256Mi
+      cpu: 10m
+    limits:
+      memory: 1Gi
+      cpu: 800m
+      hugepages-2Mi: 256Mi
+
+  # See: https://cloudnative-pg.io/documentation/current/cloudnative-pg.v1/#postgresql-cnpg-io-v1-AffinityConfiguration
+  affinity:
+    enablePodAntiAffinity: true
+    topologyKey: kubernetes.io/hostname
+
+  additionalLabels: {}
+  annotations: {}
+
+  priorityClassName: ""
+
+  # Method to follow to upgrade the primary server during a rolling update procedure, after all replicas have been
+  # successfully updated. It can be switchover (default) or in-place (restart).
+  primaryUpdateMethod: switchover
+
+  # Strategy to follow to upgrade the primary server during a rolling update procedure, after all replicas have been
+  # successfully updated: it can be automated (unsupervised - default) or manual (supervised)
+  primaryUpdateStrategy: unsupervised
+
+  logLevel: "info"
+
+  monitoring:
+    enabled: false
+    podMonitor:
+      enabled: true
+    prometheusRule:
+      enabled: true
+      excludeRules: []
+
+  # See: https://cloudnative-pg.io/documentation/current/cloudnative-pg.v1/#postgresql-cnpg-io-v1-PostgresConfiguration
+  postgresql:
    parameters:
      shared_buffers: 128MB
      max_slot_wal_keep_size: 2000MB
      hot_standby_feedback: "on"
-  compression: snappy
-  resources:
-    requests:
-      memory: 512Mi
-      cpu: 100m
-    limits:
-      memory: 2Gi
-      cpu: 1500m
-      hugepages-2Mi: 512Mi
-  storage:
-    data:
-      storageClass:
-      size: 10Gi
-    wal:
-      storageClass:
-      size: 2Gi
-bootstrap:
-  recoveryEnabled: false
+
+  # BootstrapInitDB is the configuration of the bootstrap process when initdb is used.
+  # See: https://cloudnative-pg.io/documentation/current/bootstrap/
+  # See: https://cloudnative-pg.io/documentation/current/cloudnative-pg.v1/#postgresql-cnpg-io-v1-bootstrapinitdb
+  initdb: {}
+    # database: app
+    # owner: app
+    # secret: "" # Name of the secret containing the initial credentials for the owner of the user database. If empty a new secret will be created from scratch
+    # postInitApplicationSQL:
+    #   - CREATE TABLE IF NOT EXISTS example;
+
+recovery:
+  # Point in time recovery target in RFC3339 format
+  pitrTarget:
+    time: ""
+
+  # Overrides the provider specific default endpoint. Defaults to:
+  # S3: https://s3.<region>.amazonaws.com"
+  endpointURL: ""
+  endpointBucket: ""
+
+  # Specifies secret that contains a CA bundle to validate a privately signed certificate, should contain the key ca-bundle.crt
+  endpointCA: ""
+
+  # Specifies secret that contains S3 credentials, should contain the keys ACCESS_KEY_ID and ACCESS_SECRET_KEY
+  endpointCredentials: ""
+
+  # Generate external cluster name, uses: {{ .Release.Name }}postgresql-<major version>-cluster-backup-index-{{ .Values.recovery.recoveryIndex }}
  recoveryIndex: 1
-  endpointURL:
-  bucket:
-  initdbEnabled: false
-  initdb:
-    database: app
-    owner: app
+
+  # Name of the recovery cluster in the object store, defaults to "cluster.name"
+  recoveryServerName: ""
+
+  # Name of the recovery cluster in the object store, defaults to ".Release.Name"
+  recoveryInstanceName: ""
+
+  wal:
+    # WAL compression method. One of `` (for no compression), `gzip`, `bzip2` or `snappy`.
+    compression: snappy
+    # Whether to instruct the storage provider to encrypt WAL files. One of `` (use the storage container default), `AES256` or `aws:kms`.
+    encryption: ""
+    # Number of WAL files to be archived or restored in parallel.
+    maxParallel: 2
+  data:
+    # Data compression method. One of `` (for no compression), `gzip`, `bzip2` or `snappy`.
+    compression: snappy
+    # Whether to instruct the storage provider to encrypt data files. One of `` (use the storage container default), `AES256` or `aws:kms`.
+    encryption: ""
+    # Number of data files to be archived or restored in parallel.
+    jobs: 2
+
+replica:
+  # See https://cloudnative-pg.io/documentation/current/database_import/
+  # * `microservice` - Single database import as expected from cnpg clusters
+  # * `monolith` - Import multiple databases and roles
+  importType: microservice
+
+  # If type microservice only one database is allowed, default is app as standard in cnpg clusters
+  importDatabases:
+    - app
+  
+  # If type microservice no roles are imported and ignored
+  importRoles: []
+
+  # If import type is monolith postImportApplicationSQL is not supported and ignored
+  postImportApplicationSQL: []
+
+  # External cluster connection, password specifies a secret name and the key containing the password value
+  externalCluster:
+    connectionParameters:
+      host: postgresql
+      user: app
+      dbname: app
+    password:
+      name: postgresql
+      key: password
+
 backup:
-  backupEnabled: true
-  schedule: "0 0 0 * * *"
-  retentionPolicy: 14d
+  enabled: false
+
+  # Overrides the provider specific default endpoint
+  endpointURL: ""
+  endpointBucket: ""
+
+  # Specifies secret that contains a CA bundle to validate a privately signed certificate, should contain the key ca-bundle.crt
+  endpointCA: ""
+
+  # Specifies secret that contains S3 credentials, should contain the keys ACCESS_KEY_ID and ACCESS_SECRET_KEY
+  endpointCredentials: ""
+
+  # Generate external cluster name, creates: postgresql-{{ .Release.Name }}-cluster-backup-index-{{ .Values.backups.backupIndex }}"
  backupIndex: 1
-  endpointURL:
-  bucket:
+
+  # Name of the backup cluster in the object store, defaults to "cluster.name"
+  backupName: ""
+
+  wal:
+    # WAL compression method. One of `` (for no compression), `gzip`, `bzip2` or `snappy`.
+    compression: snappy
+    # Whether to instruct the storage provider to encrypt WAL files. One of `` (use the storage container default), `AES256` or `aws:kms`.
+    encryption: ""
+    # Number of WAL files to be archived or restored in parallel.
+    maxParallel: 2
+  data:
+    # Data compression method. One of `` (for no compression), `gzip`, `bzip2` or `snappy`.
+    compression: snappy
+    # Whether to instruct the storage provider to encrypt data files. One of `` (use the storage container default), `AES256` or `aws:kms`.
+    encryption: ""
+    # Number of data files to be archived or restored in parallel.
+    jobs: 2
+
+  # Retention policy for backups
+  retentionPolicy: "30d"
+
+  # Scheduled backup in cron format
+  schedule: "0 0 0 * * *"
--- a/charts/taiga/Chart.yaml
+++ b/charts/taiga/Chart.yaml
@@ -0,0 +1,24 @@
+apiVersion: v2
+name: taiga
+version: 0.2.0
+description: Chart for Taiga
+keywords:
+  - kanban
+  - project management
+sources:
+  - https://github.com/taigaio
+  - https://github.com/rabbitmq/rabbitmq-server
+  - https://github.com/bitnami/charts/tree/main/bitnami/rabbitmq
+maintainers:
+  - name: alexlebens
+icon: https://avatars.githubusercontent.com/u/6905422?s=200&v=4
+dependencies:
+  - name: rabbitmq
+    version: 14.0.1
+    repository: https://charts.bitnami.com/bitnami
+    alias: async-rabbitmq
+  - name: rabbitmq
+    version: 14.0.1
+    repository: https://charts.bitnami.com/bitnami
+    alias: events-rabbitmq
+appVersion: 6.7.7
--- a/charts/taiga/README.md
+++ b/charts/taiga/README.md
@@ -0,0 +1,17 @@
+## Introduction
+
+[Taiga 6](https://github.com/taigaio)
+
+Intuitive and simple, yet feature complete Kanban board
+
+This chart bootstraps a [Taiga](https://github.com/taigaio) deployment on a [Kubernetes](https://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager.
+
+
+## Prerequisites
+
+- Kubernetes
+- Helm
+
+## Parameters
+
+See the [values files](values.yaml).
--- a/charts/taiga/templates/_helpers.tpl
+++ b/charts/taiga/templates/_helpers.tpl
@@ -0,0 +1,135 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "taiga.name" -}}
+  {{- default .Chart.Name .Values.global.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+*/}}
+{{- define "taiga.fullname" -}}
+  {{- if .Values.global.fullnameOverride -}}
+    {{- .Values.global.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+  {{- else -}}
+    {{- $name := default .Chart.Name .Values.global.nameOverride -}}
+    {{- if contains $name .Release.Name -}}
+      {{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+    {{- else -}}
+      {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+    {{- end -}}
+  {{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label
+*/}}
+{{- define "taiga.chart" -}}
+  {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Common labels
+*/}}
+{{- define "taiga.labels" -}}
+app.kubernetes.io/name: {{ template "taiga.name" . }}
+helm.sh/chart: {{ template "taiga.chart" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end -}}
+
+{{/*
+Common labels for specific components
+*/}}
+{{- define "taiga.back.labels" -}}
+app.kubernetes.io/name: {{ template "taiga.name" . }}-back
+helm.sh/chart: {{ template "taiga.chart" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end -}}
+{{- define "taiga.async.labels" -}}
+app.kubernetes.io/name: {{ template "taiga.name" . }}-async
+helm.sh/chart: {{ template "taiga.chart" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end -}}
+{{- define "taiga.front.labels" -}}
+app.kubernetes.io/name: {{ template "taiga.name" . }}-front
+helm.sh/chart: {{ template "taiga.chart" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end -}}
+{{- define "taiga.events.labels" -}}
+app.kubernetes.io/name: {{ template "taiga.name" . }}-events
+helm.sh/chart: {{ template "taiga.chart" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end -}}
+{{- define "taiga.protected.labels" -}}
+app.kubernetes.io/name: {{ template "taiga.name" . }}-protected
+helm.sh/chart: {{ template "taiga.chart" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end -}}
+
+{{/*
+Labels to use on deploy.spec.selector.matchLabels and svc.spec.selector
+*/}}
+{{- define "taiga.matchLabels" -}}
+app.kubernetes.io/name: {{ template "taiga.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end -}}
+{{- define "taiga.back.matchLabels" -}}
+app.kubernetes.io/name: {{ template "taiga.name" . }}-back
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end -}}
+{{- define "taiga.async.matchLabels" -}}
+app.kubernetes.io/name: {{ template "taiga.name" . }}-async
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end -}}
+{{- define "taiga.front.matchLabels" -}}
+app.kubernetes.io/name: {{ template "taiga.name" . }}-front
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end -}}
+{{- define "taiga.events.matchLabels" -}}
+app.kubernetes.io/name: {{ template "taiga.name" . }}-events
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end -}}
+{{- define "taiga.protected.matchLabels" -}}
+app.kubernetes.io/name: {{ template "taiga.name" . }}-protected
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end -}}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "taiga.serviceAccountName" -}}
+  {{- if .Values.serviceAccount.create -}}
+    {{ default (include "taiga.fullname" .) .Values.serviceAccount.name }}
+  {{- else -}}
+    {{ default "default" .Values.serviceAccount.name }}
+  {{- end -}}
+{{- end -}}
+
+{{/*
+Create the name of the static persistent volume
+*/}}
+{{- define "taiga.staticVolumeName" -}}
+  {{- if .Values.persistence.static.existingClaim -}}
+    {{ .Values.persistence.static.existingClaim }}
+  {{- else -}}
+    {{ printf "%s-static" (include "taiga.fullname" .) | trunc 63 | trimSuffix "-" }}
+  {{- end -}}
+{{- end -}}
+
+{{/*
+Create the name of the media persistent volume
+*/}}
+{{- define "taiga.mediaVolumeName" -}}
+  {{- if .Values.persistence.media.existingClaim -}}
+    {{ .Values.persistence.media.existingClaim }}
+  {{- else -}}
+    {{ printf "%s-media" (include "taiga.fullname" .) | trunc 63 | trimSuffix "-" }}
+  {{- end -}}
+{{- end -}}
--- a/charts/taiga/templates/config-map.yaml
+++ b/charts/taiga/templates/config-map.yaml
@@ -0,0 +1,36 @@
+{{- if .Values.createInitialUser }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ template "taiga.fullname" . }}-create-initial-user
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    {{- with .Values.global.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+  labels:
+    {{- include "taiga.labels" . | nindent 4 }}
+    {{- with .Values.global.labels }}
+    {{ toYaml . | nindent 4 }}
+    {{- end }}
+data:
+  createinitialuser.sh: |
+    #!/bin/sh
+    echo """
+    import time
+    import requests
+    import subprocess
+
+    print('Waiting for backend ...')
+    while requests.get('http://{{ template "taiga.fullname" . }}-back/api/v1/').status_code != 200:
+        print('...')
+        time.sleep(2)
+
+    if str(subprocess.check_output(['python', 'manage.py', 'dumpdata', 'users.user'], cwd='/taiga-back')).find('\"is_superuser\": true') == -1:
+        print(subprocess.check_output(['python', 'manage.py', 'loaddata', 'initial_user'], cwd='/taiga-back'))
+    else:
+        print('Admin user yet created.')
+        """ > /tmp/create_superuser.py
+        python /tmp/create_superuser.py
+{{- end }}
--- a/charts/taiga/templates/deployment-back.yaml
+++ b/charts/taiga/templates/deployment-back.yaml
@@ -0,0 +1,515 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ template "taiga.fullname" . }}-back
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    {{- with .Values.global.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+  labels:
+    {{- include "taiga.back.labels" . | nindent 4 }}
+    {{- with .Values.global.labels }}
+    {{ toYaml . | nindent 4 }}
+    {{- end }}
+spec:
+  revisionHistoryLimit: 3
+  replicas: {{ .Values.back.replicas }}
+  strategy:
+    type: Recreate
+  selector:
+    matchLabels:
+      {{- include "taiga.back.matchLabels" . | nindent 6 }}
+  template:
+    metadata:
+      labels:
+        {{- include "taiga.back.labels" . | nindent 8 }}
+        app.kubernetes.io/component: {{ template "taiga.name" . }}-back
+      annotations:
+        {{- with .Values.back.podAnnotations }}
+        {{ toYaml . | nindent 8 }}
+        {{- end }}
+    spec:
+      affinity:
+        {{- with .Values.back.affinity }}
+        {{ toYaml . | nindent 8 }}
+        {{- end }}
+      nodeSelector:
+        {{- with .Values.back.nodeSelector }}
+        {{ toYaml . | nindent 8 }}
+        {{- end }}
+      tolerations:
+        {{- with .Values.back.tolerations }}
+        {{ toYaml . | nindent 8 }}
+        {{- end }}
+      serviceAccountName: {{ template "taiga.serviceAccountName" . }}
+      securityContext:
+        {{- with .Values.back.securityContext }}
+        {{ toYaml . | nindent 8 }}
+        {{- end }}
+      containers:
+        - name: {{ template "taiga.fullname" . }}-back
+          image: "{{ .Values.back.image.repository }}:{{ .Values.back.image.tag }}"
+          imagePullPolicy: {{ .Values.back.image.pullPolicy }}
+          resources:
+            {{ toYaml .Values.back.resources | nindent 12 }}
+          ports:
+            - name: taiga-back
+              containerPort: {{ .Values.back.service.port }}
+              protocol: TCP
+          volumeMounts:
+            - name: taiga-static
+              mountPath: /taiga-back/static
+            - name: taiga-media
+              mountPath: /taiga-back/media
+          env:
+            - name: TAIGA_SECRET_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Values.secretKey.existingSecretName }}"
+                  key: "{{ .Values.secretKey.existingSecretKey }}"
+            - name: ENABLE_TELEMETRY
+              value: "{{ .Values.enableTelemetry }}"
+            - name: PUBLIC_REGISTER_ENABLED
+              value: "{{ .Values.publicRegisterEnabled }}"
+            - name: POSTGRES_USER
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Values.postgresql.existingSecretName }}"
+                  key: "{{ .Values.postgresql.usernameKey }}"
+            - name: POSTGRES_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Values.postgresql.existingSecretName }}"
+                  key: "{{ .Values.postgresql.passwordKey }}"
+            - name: POSTGRES_DB
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Values.postgresql.existingSecretName }}"
+                  key: "{{ .Values.postgresql.databaseNameKey }}"
+            - name: POSTGRES_HOST
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Values.postgresql.existingSecretName }}"
+                  key: "{{ .Values.postgresql.hostKey }}"
+
+          {{ if .Values.oidc.enabled }}
+            - name: OIDC_ENABLED
+              value: "True"
+            - name: OIDC_SCOPES
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Values.oidc.existingSecretName }}"
+                  key: "{{ .Values.oidc.scopesKey }}"
+            - name: OIDC_SIGN_ALGO
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Values.oidc.existingSecretName }}"
+                  key: "{{ .Values.oidc.signatureAlgorithmKey }}"
+            - name: OIDC_CLIENT_ID
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Values.oidc.existingSecretName }}"
+                  key: "{{ .Values.oidc.clientIdKey }}"
+            - name: OIDC_CLIENT_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Values.oidc.existingSecretName }}"
+                  key: "{{ .Values.oidc.clientSecretKey }}"
+            - name: OIDC_BASE_URL
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Values.oidc.existingSecretName }}"
+                  key: "{{ .Values.oidc.baseUrlKey }}"
+            - name: OIDC_JWKS_ENDPOINT
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Values.oidc.existingSecretName }}"
+                  key: "{{ .Values.oidc.jwksEndpointKey }}"
+            - name: OIDC_AUTHORIZATION_ENDPOINT
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Values.oidc.existingSecretName }}"
+                  key: "{{ .Values.oidc.authorizationEndpointKey }}"
+            - name: OIDC_TOKEN_ENDPOINT
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Values.oidc.existingSecretName }}"
+                  key: "{{ .Values.oidc.tokenEndpointKey }}"
+            - name: OIDC_USER_ENDPOINT
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Values.oidc.existingSecretName }}"
+                  key: "{{ .Values.oidc.userEndpointKey }}"
+          {{ end }}
+
+          {{ if .Values.email.enabled }}
+            - name: EMAIL_BACKEND
+              value: "django.core.mail.backends.smtp.EmailBackend"
+            - name: DEFAULT_FROM_EMAIL
+              value: "{{ .Values.email.from }}"
+            - name: EMAIL_HOST
+              value: "{{ .Values.email.host }}"
+            - name: EMAIL_PORT
+              value: "{{ .Values.email.port }}"
+            - name: EMAIL_USE_TLS
+              value: "{{ .Values.email.tls }}"
+            - name: EMAIL_USE_SSL
+              value: "{{ .Values.email.ssl }}"
+            - name: EMAIL_HOST_USER
+              value: "{{ .Values.email.user }}"
+            - name: EMAIL_HOST_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Values.email.existingPasswordSecret }}"
+                  key: "{{ .Values.email.existingSecretPasswordKey }}"
+          {{ end }}
+
+            - name: ENABLE_GITHUB_AUTH
+              value: "false"
+            - name: ENABLE_GITLAB_AUTH
+              value: "false"
+            - name: ENABLE_SLACK
+              value: "{{ .Values.enableSlack }}"
+
+          {{ if .Values.githubImporter.enabled }}
+            - name: ENABLE_GITHUB_IMPORTER
+              value: "True"
+            - name: GITHUB_API_CLIENT_ID
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Values.githubImporter.existingSecretName }}"
+                  key: "{{ .Values.githubImporter.existingSecretClientIdKey }}"
+            - name: GITHUB_API_CLIENT_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Values.githubImporter.existingSecretName }}"
+                  key: "{{ .Values.githubImporter.existingSecretClientSecretKey }}"
+          {{ else }}
+            - name: ENABLE_GITHUB_IMPORTER
+              value: "False"
+          {{ end }}
+
+          {{ if .Values.jiraImporter.enabled }}
+            - name: ENABLE_JIRA_IMPORTER
+              value: "True"
+            - name: JIRA_IMPORTER_CONSUMER_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Values.jiraImporter.existingSecretName }}"
+                  key: "{{ .Values.jiraImporter.existingSecretConsumerKeyKey }}"
+            - name: JIRA_IMPORTER_CERT
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Values.jiraImporter.existingSecretName }}"
+                  key: "{{ .Values.jiraImporter.existingSecretCertKey }}"
+            - name: JIRA_IMPORTER_PUB_CERT
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Values.jiraImporter.existingSecretName }}"
+                  key: "{{ .Values.jiraImporter.existingSecretPubCertKey }}"
+          {{ else }}
+            - name: ENABLE_JIRA_IMPORTER
+              value: "False"
+          {{ end }}
+
+          {{ if .Values.trelloImporter.enabled }}
+            - name: ENABLE_TRELLO_IMPORTER
+              value: "True"
+            - name: TRELLO_IMPORTER_API_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Values.trelloImporter.existingSecretName }}"
+                  key: "{{ .Values.trelloImporter.existingSecretApiKeyKey }}"
+            - name: TRELLO_IMPORTER_SECRET_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Values.trelloImporter.existingSecretName }}"
+                  key: "{{ .Values.trelloImporter.existingSecretSecretKeyKey }}"
+          {{ else }}
+            - name: ENABLE_JIRA_IMPORTER
+              value: "False"
+          {{ end }}
+
+            - name: RABBITMQ_USER
+              value: "{{ index .Values "async-rabbitmq" "auth" "username" }}"
+            - name: RABBITMQ_PASS
+              valueFrom:
+                secretKeyRef:
+                  name: {{ index .Values "async-rabbitmq" "auth" "existingPasswordSecret" }}
+                  key: {{ index .Values "async-rabbitmq" "auth" "existingSecretPasswordKey" }}
+
+          {{ if .Values.ingress.enabled }}
+            - name: TAIGA_SITES_DOMAIN
+              value: "{{ .Values.ingress.host }}"
+            - name: TAIGA_SITES_SCHEME
+              value: "https"
+            - name: SESSION_COOKIE_SECURE
+              value: "True"
+            - name: CSRF_COOKIE_SECURE
+              value: "True"
+          {{- end }}
+
+          {{- if .Values.back.livenessProbe.enabled }}
+          livenessProbe:
+            httpGet:
+              path: /admin/login/
+              port: {{ .Values.back.service.port }}
+            initialDelaySeconds: {{ .Values.back.livenessProbe.initialDelaySeconds }}
+            periodSeconds: {{ .Values.back.livenessProbe.periodSeconds }}
+            timeoutSeconds: {{ .Values.back.livenessProbe.timeoutSeconds }}
+            successThreshold: {{ .Values.back.livenessProbe.successThreshold }}
+            failureThreshold: {{ .Values.back.livenessProbe.failureThreshold }}
+          {{- end }}
+
+          {{- if .Values.back.readinessProbe.enabled }}
+          readinessProbe:
+            httpGet:
+              path: /admin/login/
+              port: {{ .Values.back.service.port }}
+            initialDelaySeconds: {{ .Values.back.readinessProbe.initialDelaySeconds }}
+            periodSeconds: {{ .Values.back.readinessProbe.periodSeconds }}
+            timeoutSeconds: {{ .Values.back.readinessProbe.timeoutSeconds }}
+            successThreshold: {{ .Values.back.readinessProbe.successThreshold }}
+            failureThreshold: {{ .Values.back.readinessProbe.failureThreshold }}
+          {{- end }}
+
+        - name: {{ template "taiga.fullname" . }}-async
+          image: "{{ .Values.async.image.repository }}:{{ .Values.async.image.tag }}"
+          imagePullPolicy: {{ .Values.async.image.pullPolicy }}
+          resources:
+            {{ toYaml .Values.async.resources | nindent 12 }}
+          command:
+            - /taiga-back/docker/async_entrypoint.sh
+          volumeMounts:
+            - name: taiga-static
+              mountPath: /taiga-back/static
+            - name: taiga-media
+              mountPath: /taiga-back/media
+          env:
+            - name: TAIGA_SECRET_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Values.secretKey.existingSecretName }}"
+                  key: "{{ .Values.secretKey.existingSecretKey }}"
+            - name: ENABLE_TELEMETRY
+              value: "{{ .Values.enableTelemetry }}"
+            - name: PUBLIC_REGISTER_ENABLED
+              value: "{{ .Values.publicRegisterEnabled }}"
+            - name: POSTGRES_USER
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Values.postgresql.existingSecretName }}"
+                  key: "{{ .Values.postgresql.usernameKey }}"
+            - name: POSTGRES_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Values.postgresql.existingSecretName }}"
+                  key: "{{ .Values.postgresql.passwordKey }}"
+            - name: POSTGRES_DB
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Values.postgresql.existingSecretName }}"
+                  key: "{{ .Values.postgresql.databaseNameKey }}"
+            - name: POSTGRES_HOST
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Values.postgresql.existingSecretName }}"
+                  key: "{{ .Values.postgresql.hostKey }}"
+
+          {{ if .Values.oidc.enabled }}
+            - name: OIDC_ENABLED
+              value: "True"
+            - name: OIDC_SCOPES
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Values.oidc.existingSecretName }}"
+                  key: "{{ .Values.oidc.scopesKey }}"
+            - name: OIDC_SIGN_ALGO
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Values.oidc.existingSecretName }}"
+                  key: "{{ .Values.oidc.signatureAlgorithmKey }}"
+            - name: OIDC_CLIENT_ID
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Values.oidc.existingSecretName }}"
+                  key: "{{ .Values.oidc.clientIdKey }}"
+            - name: OIDC_CLIENT_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Values.oidc.existingSecretName }}"
+                  key: "{{ .Values.oidc.clientSecretKey }}"
+            - name: OIDC_BASE_URL
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Values.oidc.existingSecretName }}"
+                  key: "{{ .Values.oidc.baseUrlKey }}"
+            - name: OIDC_JWKS_ENDPOINT
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Values.oidc.existingSecretName }}"
+                  key: "{{ .Values.oidc.jwksEndpointKey }}"
+            - name: OIDC_AUTHORIZATION_ENDPOINT
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Values.oidc.existingSecretName }}"
+                  key: "{{ .Values.oidc.authorizationEndpointKey }}"
+            - name: OIDC_TOKEN_ENDPOINT
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Values.oidc.existingSecretName }}"
+                  key: "{{ .Values.oidc.tokenEndpointKey }}"
+            - name: OIDC_USER_ENDPOINT
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Values.oidc.existingSecretName }}"
+                  key: "{{ .Values.oidc.userEndpointKey }}"
+          {{ end }}
+
+          {{ if .Values.email.enabled }}
+            - name: EMAIL_BACKEND
+              value: "django.core.mail.backends.smtp.EmailBackend"
+            - name: DEFAULT_FROM_EMAIL
+              value: "{{ .Values.email.from }}"
+            - name: EMAIL_HOST
+              value: "{{ .Values.email.host }}"
+            - name: EMAIL_PORT
+              value: "{{ .Values.email.port }}"
+            - name: EMAIL_USE_TLS
+              value: "{{ .Values.email.tls }}"
+            - name: EMAIL_USE_SSL
+              value: "{{ .Values.email.ssl }}"
+            - name: EMAIL_HOST_USER
+              value: "{{ .Values.email.user }}"
+            - name: EMAIL_HOST_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Values.email.existingPasswordSecret }}"
+                  key: "{{ .Values.email.existingSecretPasswordKey }}"
+          {{ end }}
+
+            - name: ENABLE_GITHUB_AUTH
+              value: "false"
+            - name: ENABLE_GITLAB_AUTH
+              value: "false"
+            - name: ENABLE_SLACK
+              value: "{{ .Values.enableSlack }}"
+
+          {{ if .Values.githubImporter.enabled }}
+            - name: ENABLE_GITHUB_IMPORTER
+              value: "True"
+            - name: GITHUB_API_CLIENT_ID
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Values.githubImporter.existingSecretName }}"
+                  key: "{{ .Values.githubImporter.existingSecretClientIdKey }}"
+            - name: GITHUB_API_CLIENT_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Values.githubImporter.existingSecretName }}"
+                  key: "{{ .Values.githubImporter.existingSecretClientSecretKey }}"
+          {{ else }}
+            - name: ENABLE_GITHUB_IMPORTER
+              value: "False"
+          {{ end }}
+
+          {{ if .Values.jiraImporter.enabled }}
+            - name: ENABLE_JIRA_IMPORTER
+              value: "True"
+            - name: JIRA_IMPORTER_CONSUMER_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Values.jiraImporter.existingSecretName }}"
+                  key: "{{ .Values.jiraImporter.existingSecretConsumerKeyKey }}"
+            - name: JIRA_IMPORTER_CERT
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Values.jiraImporter.existingSecretName }}"
+                  key: "{{ .Values.jiraImporter.existingSecretCertKey }}"
+            - name: JIRA_IMPORTER_PUB_CERT
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Values.jiraImporter.existingSecretName }}"
+                  key: "{{ .Values.jiraImporter.existingSecretPubCertKey }}"
+          {{ else }}
+            - name: ENABLE_JIRA_IMPORTER
+              value: "False"
+          {{ end }}
+
+          {{ if .Values.trelloImporter.enabled }}
+            - name: ENABLE_TRELLO_IMPORTER
+              value: "True"
+            - name: TRELLO_IMPORTER_API_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Values.trelloImporter.existingSecretName }}"
+                  key: "{{ .Values.trelloImporter.existingSecretApiKeyKey }}"
+            - name: TRELLO_IMPORTER_SECRET_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Values.trelloImporter.existingSecretName }}"
+                  key: "{{ .Values.trelloImporter.existingSecretSecretKeyKey }}"
+          {{ else }}
+            - name: ENABLE_JIRA_IMPORTER
+              value: "False"
+          {{ end }}
+
+            - name: RABBITMQ_USER
+              value: "{{ index .Values "async-rabbitmq" "auth" "username" }}"
+            - name: RABBITMQ_PASS
+              valueFrom:
+                secretKeyRef:
+                  name: {{ index .Values "async-rabbitmq" "auth" "existingPasswordSecret" }}
+                  key: {{ index .Values "async-rabbitmq" "auth" "existingSecretPasswordKey" }}
+
+          {{ if .Values.ingress.enabled }}
+            - name: TAIGA_SITES_DOMAIN
+              value: "{{ .Values.ingress.host }}"
+            - name: TAIGA_SITES_SCHEME
+              value: "https"
+            - name: SESSION_COOKIE_SECURE
+              value: "True"
+            - name: CSRF_COOKIE_SECURE
+              value: "True"
+          {{- end }}
+
+          {{- if .Values.back.livenessProbe.enabled }}
+          livenessProbe:
+            httpGet:
+              path: /admin/login/
+              port: {{ .Values.back.service.port }}
+            initialDelaySeconds: {{ .Values.back.livenessProbe.initialDelaySeconds }}
+            periodSeconds: {{ .Values.back.livenessProbe.periodSeconds }}
+            timeoutSeconds: {{ .Values.back.livenessProbe.timeoutSeconds }}
+            successThreshold: {{ .Values.back.livenessProbe.successThreshold }}
+            failureThreshold: {{ .Values.back.livenessProbe.failureThreshold }}
+          {{- end }}
+
+          {{- if .Values.back.readinessProbe.enabled }}
+          readinessProbe:
+            httpGet:
+              path: /admin/login/
+              port: {{ .Values.back.service.port }}
+            initialDelaySeconds: {{ .Values.back.readinessProbe.initialDelaySeconds }}
+            periodSeconds: {{ .Values.back.readinessProbe.periodSeconds }}
+            timeoutSeconds: {{ .Values.back.readinessProbe.timeoutSeconds }}
+            successThreshold: {{ .Values.back.readinessProbe.successThreshold }}
+            failureThreshold: {{ .Values.back.readinessProbe.failureThreshold }}
+          {{- end }}
+
+      volumes:
+        - name: taiga-static
+      {{- if .Values.persistence.static.enabled }}
+          persistentVolumeClaim:
+            claimName: {{ include "taiga.staticVolumeName" . }}
+      {{- else }}
+          emptyDir: {}
+      {{- end }}
+        - name: taiga-media
+      {{- if .Values.persistence.media.enabled }}
+          persistentVolumeClaim:
+            claimName: {{ include "taiga.mediaVolumeName" . }}
+      {{- else }}
+          emptyDir: {}
+      {{- end }}
--- a/charts/taiga/templates/deployment-events.yaml
+++ b/charts/taiga/templates/deployment-events.yaml
@@ -0,0 +1,101 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ template "taiga.fullname" . }}-events
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    {{- with .Values.global.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+  labels:
+    {{- include "taiga.events.labels" . | nindent 4 }}
+    {{- with .Values.global.labels }}
+    {{ toYaml . | nindent 4 }}
+    {{- end }}
+spec:
+  revisionHistoryLimit: 3
+  replicas: {{ .Values.events.replicas }}
+  strategy:
+    type: Recreate
+  selector:
+    matchLabels:
+      {{- include "taiga.events.matchLabels" . | nindent 6 }}
+  template:
+    metadata:
+      labels:
+        {{- include "taiga.events.labels" . | nindent 8 }}
+        app.kubernetes.io/component: {{ template "taiga.name" . }}-events
+      annotations:
+        {{- with .Values.events.podAnnotations }}
+        {{ toYaml . | nindent 8 }}
+        {{- end }}
+    spec:
+      affinity:
+        {{- with .Values.events.affinity }}
+        {{ toYaml . | nindent 8 }}
+        {{- end }}
+      nodeSelector:
+        {{- with .Values.events.nodeSelector }}
+        {{ toYaml . | nindent 8 }}
+        {{- end }}
+      tolerations:
+        {{- with .Values.events.tolerations }}
+        {{ toYaml . | nindent 8 }}
+        {{- end }}
+      serviceAccountName: {{ template "taiga.serviceAccountName" . }}
+      securityContext:
+        {{- with .Values.events.securityContext }}
+        {{ toYaml . | nindent 8 }}
+      {{- end }}
+      containers:
+        - name: {{ template "taiga.fullname" . }}-events
+          image: "{{ .Values.events.image.repository }}:{{ .Values.events.image.tag }}"
+          imagePullPolicy: {{ .Values.events.image.pullPolicy }}
+          resources:
+            {{ toYaml .Values.events.resources | nindent 12 }}
+          ports:
+            - name: taiga-events
+              containerPort: {{ .Values.events.service.http.port }}
+              protocol: TCP
+            - name: taiga-app
+              containerPort: {{ .Values.events.service.app.port }}
+              protocol: TCP
+          env:
+            - name: TAIGA_SECRET_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Values.secretKey.existingSecretName }}"
+                  key: "{{ .Values.secretKey.existingSecretKey }}"
+            - name: RABBITMQ_USER
+              value: "{{ index .Values "events-rabbitmq" "auth" "username" }}"
+            - name: RABBITMQ_PASS
+              valueFrom:
+                secretKeyRef:
+                  name: {{ index .Values "events-rabbitmq" "auth" "existingPasswordSecret" }}
+                  key: {{ index .Values "events-rabbitmq" "auth" "existingSecretPasswordKey" }}
+            - name: APP_PORT
+              value: "{{ .Values.events.service.app.port }}"
+
+          {{- if .Values.events.livenessProbe.enabled }}
+          livenessProbe:
+            httpGet:
+              path: /healthz
+              port: {{ .Values.events.service.app.port }}
+            initialDelaySeconds: {{ .Values.events.livenessProbe.initialDelaySeconds }}
+            periodSeconds: {{ .Values.events.livenessProbe.periodSeconds }}
+            timeoutSeconds: {{ .Values.events.livenessProbe.timeoutSeconds }}
+            successThreshold: {{ .Values.events.livenessProbe.successThreshold }}
+            failureThreshold: {{ .Values.events.livenessProbe.failureThreshold }}
+          {{- end }}
+
+          {{- if .Values.events.readinessProbe.enabled }}
+          readinessProbe:
+            httpGet:
+              path: /healthz
+              port: {{ .Values.events.service.app.port }}
+            initialDelaySeconds: {{ .Values.events.readinessProbe.initialDelaySeconds }}
+            periodSeconds: {{ .Values.events.readinessProbe.periodSeconds }}
+            timeoutSeconds: {{ .Values.events.readinessProbe.timeoutSeconds }}
+            successThreshold: {{ .Values.events.readinessProbe.successThreshold }}
+            failureThreshold: {{ .Values.events.readinessProbe.failureThreshold }}
+          {{- end }}
--- a/charts/taiga/templates/deployment-front.yaml
+++ b/charts/taiga/templates/deployment-front.yaml
@@ -0,0 +1,108 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ template "taiga.fullname" . }}-front
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    {{- with .Values.global.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+  labels:
+    {{- include "taiga.front.labels" . | nindent 4 }}
+    {{- with .Values.global.labels }}
+    {{ toYaml . | nindent 4 }}
+    {{- end }}
+spec:
+  revisionHistoryLimit: 3
+  replicas: {{ .Values.front.replicas }}
+  strategy:
+    type: Recreate
+  selector:
+    matchLabels:
+      {{- include "taiga.front.matchLabels" . | nindent 6 }}
+  template:
+    metadata:
+      labels:
+        {{- include "taiga.front.labels" . | nindent 8 }}
+        app.kubernetes.io/component: {{ template "taiga.name" . }}-front
+      annotations:
+        {{- with .Values.front.podAnnotations }}
+        {{ toYaml . | nindent 8 }}
+        {{- end }}
+    spec:
+      affinity:
+        {{- with .Values.front.affinity }}
+        {{ toYaml . | nindent 8 }}
+        {{- end }}
+      nodeSelector:
+        {{- with .Values.front.nodeSelector }}
+        {{ toYaml . | nindent 8 }}
+        {{- end }}
+      tolerations:
+        {{- with .Values.front.tolerations }}
+        {{ toYaml . | nindent 8 }}
+        {{- end }}
+      serviceAccountName: {{ template "taiga.serviceAccountName" . }}
+      securityContext:
+        {{- with .Values.front.securityContext }}
+        {{ toYaml . | nindent 8 }}
+        {{- end }}
+      containers:
+        - name: {{ template "taiga.fullname" . }}-front
+          image: "{{ .Values.front.image.repository }}:{{ .Values.front.image.tag }}"
+          imagePullPolicy: {{ .Values.front.image.pullPolicy }}
+          resources:
+            {{ toYaml .Values.front.resources | nindent 12 }}
+          ports:
+            - name: taiga-front
+              containerPort: {{ .Values.front.service.port }}
+              protocol: TCP
+          env:
+          {{ if .Values.ingress.enabled }}
+            - name: TAIGA_URL
+              value: "https://{{ .Values.ingress.host }}"
+          {{ else }}
+            - name: TAIGA_URL
+              value: "http://localhost:{{ .Values.front.service.port }}"
+          {{ end }}
+
+            - name: PUBLIC_REGISTER_ENABLED
+              value: "{{ .Values.publicRegisterEnabled }}"
+            - name: ENABLE_GITHUB_AUTH
+              value: "false"
+            - name: ENABLE_GITLAB_AUTH
+              value: "false"
+            - name: ENABLE_OIDC
+              value: "{{ .Values.oidc.enabled }}"              
+            - name: ENABLE_SLACK
+              value: "{{ .Values.enableSlack }}"
+            - name: ENABLE_GITHUB_IMPORTER
+              value: "{{ .Values.githubImporter.enabled }}"
+            - name: ENABLE_JIRA_IMPORTER
+              value: "{{ .Values.jiraImporter.enabled }}"
+            - name: ENABLE_TRELLO_IMPORTER
+              value: "{{ .Values.trelloImporter.enabled }}"
+
+          {{- if .Values.front.livenessProbe.enabled }}
+          livenessProbe:
+            httpGet:
+              path: /admin/login/
+              port: {{ .Values.front.service.port }}
+            initialDelaySeconds: {{ .Values.front.livenessProbe.initialDelaySeconds }}
+            periodSeconds: {{ .Values.front.livenessProbe.periodSeconds }}
+            timeoutSeconds: {{ .Values.front.livenessProbe.timeoutSeconds }}
+            successThreshold: {{ .Values.front.livenessProbe.successThreshold }}
+            failureThreshold: {{ .Values.front.livenessProbe.failureThreshold }}
+          {{- end }}
+
+          {{- if .Values.front.readinessProbe.enabled }}
+          readinessProbe:
+            httpGet:
+              path: /admin/login/
+              port: {{ .Values.front.service.port }}
+            initialDelaySeconds: {{ .Values.front.readinessProbe.initialDelaySeconds }}
+            periodSeconds: {{ .Values.front.readinessProbe.periodSeconds }}
+            timeoutSeconds: {{ .Values.front.readinessProbe.timeoutSeconds }}
+            successThreshold: {{ .Values.front.readinessProbe.successThreshold }}
+            failureThreshold: {{ .Values.front.readinessProbe.failureThreshold }}
+          {{- end }}
--- a/charts/taiga/templates/deployment-protected.yaml
+++ b/charts/taiga/templates/deployment-protected.yaml
@@ -0,0 +1,91 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ template "taiga.fullname" . }}-protected
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    {{- with .Values.global.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+  labels:
+    {{- include "taiga.protected.labels" . | nindent 4 }}
+    {{- with .Values.global.labels }}
+    {{ toYaml . | nindent 4 }}
+    {{- end }}
+spec:
+  revisionHistoryLimit: 3
+  replicas: {{ .Values.protected.replicas }}
+  strategy:
+    type: Recreate
+  selector:
+    matchLabels:
+      {{- include "taiga.protected.matchLabels" . | nindent 6 }}
+  template:
+    metadata:
+      labels:
+        {{- include "taiga.protected.labels" . | nindent 8 }}
+        app.kubernetes.io/component: {{ template "taiga.name" . }}-protected
+      annotations:
+        {{- with .Values.protected.podAnnotations }}
+        {{ toYaml . | nindent 8 }}
+        {{- end }}
+    spec:
+      affinity:
+        {{- with .Values.protected.affinity }}
+        {{ toYaml . | nindent 8 }}
+        {{- end }}
+      nodeSelector:
+        {{- with .Values.protected.nodeSelector }}
+        {{ toYaml . | nindent 8 }}
+        {{- end }}
+      tolerations:
+        {{- with .Values.protected.tolerations }}
+        {{ toYaml . | nindent 8 }}
+        {{- end }}
+      serviceAccountName: {{ template "taiga.serviceAccountName" . }}
+      securityContext:
+        {{- with .Values.protected.securityContext }}
+        {{ toYaml . | nindent 8 }}
+        {{- end }}
+      containers:
+        - name: {{ template "taiga.fullname" . }}-protected
+          image: "{{ .Values.protected.image.repository }}:{{ .Values.protected.image.tag }}"
+          imagePullPolicy: {{ .Values.protected.image.pullPolicy }}
+          resources:
+            {{ toYaml .Values.protected.resources | nindent 12 }}
+          ports:
+            - name: taiga-protected
+              containerPort: {{ .Values.protected.service.port }}
+              protocol: TCP
+          env:
+            - name: SECRET_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: "{{ .Values.secretKey.existingSecretName }}"
+                  key: "{{ .Values.secretKey.existingSecretKey }}"
+            - name: MAX_AGE
+              value: "{{ .Values.maxAge }}"
+
+          {{- if .Values.protected.livenessProbe.enabled }}
+          livenessProbe:
+            httpGet:
+              path: /admin/login/
+              port: {{ .Values.protected.service.port }}
+            initialDelaySeconds: {{ .Values.protected.livenessProbe.initialDelaySeconds }}
+            periodSeconds: {{ .Values.protected.livenessProbe.periodSeconds }}
+            timeoutSeconds: {{ .Values.protected.livenessProbe.timeoutSeconds }}
+            successThreshold: {{ .Values.protected.livenessProbe.successThreshold }}
+            failureThreshold: {{ .Values.protected.livenessProbe.failureThreshold }}
+          {{- end }}
+
+          {{- if .Values.protected.readinessProbe.enabled }}
+          readinessProbe:
+            httpGet:
+              path: /admin/login/
+              port: {{ .Values.protected.service.port }}
+            initialDelaySeconds: {{ .Values.protected.readinessProbe.initialDelaySeconds }}
+            periodSeconds: {{ .Values.protected.readinessProbe.periodSeconds }}
+            timeoutSeconds: {{ .Values.protected.readinessProbe.timeoutSeconds }}
+            successThreshold: {{ .Values.protected.readinessProbe.successThreshold }}
+            failureThreshold: {{ .Values.protected.readinessProbe.failureThreshold }}
+          {{- end }}
--- a/charts/taiga/templates/ingress.yaml
+++ b/charts/taiga/templates/ingress.yaml
@@ -0,0 +1,74 @@
+{{- if .Values.ingress.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: {{ template "taiga.fullname" . }}
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    {{- with .Values.global.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    {{- toYaml .Values.ingress.annotations | nindent 4 }}
+  labels:
+    {{- include "taiga.labels" . | nindent 4 }}
+    {{- with .Values.global.labels }}
+    {{ toYaml . | nindent 4 }}
+    {{- end }}
+    {{- with .Values.ingress.labels }}
+    {{ toYaml . | nindent 4 }}
+    {{- end }}
+spec:
+  ingressClassName: {{ .Values.ingress.className }}
+  tls:
+    - hosts:
+      - {{ .Values.ingress.host }}
+      secretName: {{ template "taiga.fullname" . }}-secret-tls
+  rules:
+    - host: {{ .Values.ingress.host }}
+      http:
+        paths:
+          - path: /
+            backend:
+              service:
+                name: "{{ template "taiga.fullname" . }}-front"
+                port:
+                  name: taiga-front
+            pathType: ImplementationSpecific
+          - path: /api
+            backend:
+              service:
+                name: "{{ template "taiga.fullname" . }}-back"
+                port:
+                  name: taiga-back
+            pathType: ImplementationSpecific     
+          - path: /admin
+            backend:
+              service:
+                name: "{{ template "taiga.fullname" . }}-back"
+                port:
+                  name: taiga-back
+            pathType: ImplementationSpecific
+        {{ if .Values.oidc.enabled }}
+          - path: /oidc
+            backend:
+              service:
+                name: "{{ template "taiga.fullname" . }}-back"
+                port:
+                  name: taiga-back
+            pathType: ImplementationSpecific
+        {{- end }}                  
+          - path: /events
+            backend:
+              service:
+                name: "{{ template "taiga.fullname" . }}-events"
+                port:
+                  name: taiga-events
+            pathType: ImplementationSpecific
+          - path: /media
+            backend:
+              service:
+                name: "{{ template "taiga.fullname" . }}-protected"
+                port:
+                  name: taiga-protected
+            pathType: ImplementationSpecific
+{{- end }}
--- a/charts/taiga/templates/job.yaml
+++ b/charts/taiga/templates/job.yaml
@@ -0,0 +1,66 @@
+{{- if .Values.createInitialUser }}
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ template "taiga.fullname" . }}-create-initial-user
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    {{- with .Values.global.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+  labels:
+    {{- include "taiga.labels" . | nindent 4 }}
+    {{- with .Values.global.labels }}
+    {{ toYaml . | nindent 4 }}
+    {{- end }}
+spec:
+  backoffLimit: 4
+  template:
+    spec:
+      {{- if .Values.back.nodeSelector }}
+      nodeSelector:
+        {{ toYaml .Values.back.nodeSelector | nindent 8 }}
+      {{- end }}
+      restartPolicy: Never
+      containers:
+      - name: {{ template "taiga.fullname" . }}-create-initial-user
+        image: "{{ .Values.back.image.repository }}:{{ .Values.back.image.tag }}"
+        imagePullPolicy: {{ .Values.back.image.pullPolicy }}
+        command:
+          - sh
+          - /scripts/createinitialuser.sh
+        volumeMounts:
+          - name: create-initial-user
+            mountPath: /scripts
+        env:
+          - name: TAIGA_SECRET_KEY
+            valueFrom:
+              secretKeyRef:
+                name: "{{ .Values.secretKey.existingSecretName }}"
+                key: "{{ .Values.secretKey.existingSecretKey }}"
+          - name: POSTGRES_USERNAME
+            valueFrom:
+              secretKeyRef:
+                name: "{{ .Values.postgresql.existingSecretName }}"
+                key: "{{ .Values.postgresql.usernameKey }}"
+          - name: POSTGRES_PASSWORD
+            valueFrom:
+              secretKeyRef:
+                name: "{{ .Values.postgresql.existingSecretName }}"
+                key: "{{ .Values.postgresql.passwordKey }}"
+          - name: POSTGRES_DATABASE_NAME
+            valueFrom:
+              secretKeyRef:
+                name: "{{ .Values.postgresql.existingSecretName }}"
+                key: "{{ .Values.postgresql.databaseNameKey }}"
+          - name: POSTGRES_DATABASE_HOST
+            valueFrom:
+              secretKeyRef:
+                name: "{{ .Values.postgresql.existingSecretName }}"
+                key: "{{ .Values.postgresql.hostKey }}"
+      volumes:
+        - name: create-initial-user
+          configMap:
+            name: {{ template "taiga.fullname" . }}-create-initial-user
+            defaultMode: 0744
+{{- end }}
--- a/charts/taiga/templates/persistent-volume-claim.yaml
+++ b/charts/taiga/templates/persistent-volume-claim.yaml
@@ -0,0 +1,54 @@
+{{- if and .Values.persistence.static.enabled (not .Values.persistence.static.existingClaim) }}
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: {{ template "taiga.staticVolumeName" . }}
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    {{- with .Values.global.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    {{- if .Values.persistence.static.retain }}
+    helm.sh/resource-policy: keep
+    {{- end }}
+  labels:
+    {{- include "taiga.labels" . | nindent 4 }}
+    {{- with .Values.global.labels }}
+    {{ toYaml . | nindent 4 }}
+    {{- end }}
+spec:
+  storageClassName: {{ .Values.persistence.static.storageClass }}
+  accessModes:
+    - {{ .Values.persistence.static.accessMode }}
+  resources:
+    requests:
+      storage: {{ .Values.persistence.static.size }}
+{{- end }}
+
+---
+{{- if and .Values.persistence.media.enabled (not .Values.persistence.media.existingClaim) }}
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: {{ template "taiga.mediaVolumeName" . }}
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    {{- with .Values.global.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    {{- if .Values.persistence.media.retain }}
+    "helm.sh/resource-policy": keep
+    {{- end }}
+  labels:
+    {{- include "taiga.labels" . | nindent 4 }}
+    {{- with .Values.global.labels }}
+    {{ toYaml . | nindent 4 }}
+    {{- end }}
+spec:
+  storageClassName: {{ .Values.persistence.media.storageClass }}
+  accessModes:
+    - {{ .Values.persistence.media.accessMode }}
+  resources:
+    requests:
+      storage: {{ .Values.persistence.media.size }}
+{{- end }}
--- a/charts/taiga/templates/service-account.yaml
+++ b/charts/taiga/templates/service-account.yaml
@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ template "taiga.serviceAccountName" . }}
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    {{- with .Values.global.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    {{- with .Values.serviceAccount.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+  labels:
+    {{- include "taiga.labels" . | nindent 4 }}
+    {{- with .Values.global.labels }}
+    {{ toYaml . | nindent 4 }}
+    {{- end }}
+    {{- with .Values.serviceAccount.labels }}
+    {{ toYaml . | nindent 4 }}
+    {{- end }}
--- a/charts/taiga/templates/service.yaml
+++ b/charts/taiga/templates/service.yaml
@@ -0,0 +1,138 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ template "taiga.fullname" . }}-back
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    {{- with .Values.global.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    {{- with .Values.back.service.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+  labels:
+    {{- include "taiga.back.labels" . | nindent 4 }}
+    {{- with .Values.global.labels }}
+    {{ toYaml . | nindent 4 }}
+    {{- end }}
+    {{- with .Values.back.service.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+spec:
+  type: {{ .Values.back.service.type }}
+  ports:
+    - port: {{ .Values.back.service.port }}
+      targetPort: taiga-back
+      protocol: TCP
+      name: taiga-back
+  selector:
+    {{- include "taiga.back.matchLabels" . | nindent 4 }}
+    {{- with .Values.back.service.extraSelectorLabels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ template "taiga.fullname" . }}-events
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    {{- with .Values.global.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    {{- with .Values.events.service.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+  labels:
+    {{- include "taiga.events.labels" . | nindent 4 }}
+    {{- with .Values.global.labels }}
+    {{ toYaml . | nindent 4 }}
+    {{- end }}
+    {{- with .Values.events.service.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+spec:
+  type: {{ .Values.events.service.type }}
+  ports:
+    - port: {{ .Values.events.service.http.port }}
+      targetPort: taiga-events
+      protocol: TCP
+      name: taiga-events
+    - port: {{ .Values.events.service.app.port }}
+      targetPort: taiga-app
+      protocol: TCP
+      name: taiga-app
+  selector:
+    {{- include "taiga.events.matchLabels" . | nindent 4 }}
+    {{- with .Values.events.service.extraSelectorLabels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ template "taiga.fullname" . }}-front
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    {{- with .Values.global.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    {{- with .Values.front.service.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+  labels:
+    {{- include "taiga.front.labels" . | nindent 4 }}
+    {{- with .Values.global.labels }}
+    {{ toYaml . | nindent 4 }}
+    {{- end }}
+    {{- with .Values.front.service.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+spec:
+  type: {{ .Values.front.service.type }}
+  ports:
+    - port: {{ .Values.front.service.port }}
+      targetPort: taiga-front
+      protocol: TCP
+      name: taiga-front
+  selector:
+    {{- include "taiga.front.matchLabels" . | nindent 4 }}
+    {{- with .Values.front.service.extraSelectorLabels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ template "taiga.fullname" . }}-protected
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    {{- with .Values.global.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+    {{- with .Values.protected.service.annotations }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+  labels:
+    {{- include "taiga.protected.labels" . | nindent 4 }}
+    {{- with .Values.global.labels }}
+    {{ toYaml . | nindent 4 }}
+    {{- end }}
+    {{- with .Values.protected.service.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+spec:
+  type: {{ .Values.protected.service.type }}
+  ports:
+    - port: {{ .Values.protected.service.port }}
+      targetPort: taiga-protected
+      protocol: TCP
+      name: taiga-protected
+  selector:
+    {{- include "taiga.protected.matchLabels" . | nindent 4 }}
+    {{- with .Values.protected.service.extraSelectorLabels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
--- a/charts/taiga/values.yaml
+++ b/charts/taiga/values.yaml
@@ -0,0 +1,817 @@
+## Global
+##
+global:
+  # -- Set an override for the prefix of the fullname
+  nameOverride:
+
+  # -- Set the entire name definition
+  fullnameOverride:
+
+  # -- Set additional global labels. Helm templates can be used.
+  labels: {}
+
+  # -- Set additional global annotations. Helm templates can be used.
+  annotations: {}
+
+## Service Account
+##
+serviceAccount:
+  # -- Specifies whether a service account should be created
+  create: false
+
+  # -- Annotations to add to the service account
+  annotations: {}
+
+  # -- Labels to add to the service account
+  labels: {}
+
+  # -- The name of the service account to use.
+  # If not set and create is true, a name is generated using the fullname template
+  name: ""
+
+## Secret key
+## Specificy the secret name and the key containg a strong secret key
+##
+secretKey:
+  existingSecretName: ""
+  existingSecretKey: ""
+
+## Create initial user with credentials admin/123123
+## ref: https://taigaio.github.io/taiga-doc/dist/setup-production.html
+##
+# TODO: set to false by default or create with a random password which is stored in a secret
+# or allow to pass in the data for username and secret
+createInitialUser: true
+
+## Max age
+##
+maxAge: 360
+
+## Create initial templates
+## ref: https://taigaio.github.io/taiga-doc/dist/setup-production.html
+##
+# TODO: This values seems to be unused
+createInitialTemplates: false
+
+## Telemetry settings
+##
+enableTelemetry: true
+
+## Public registration
+##
+publicRegisterEnabled: true
+
+## Enable debug
+## ref: https://taigaio.github.io/taiga-doc/dist/setup-production.html
+debug: false
+
+## Postgresql
+## Configuration is expected to be stored in a secret, reference the secret name and each key for the value
+##
+postgresql:
+  existingSecretName: ""
+  usernameKey: ""
+  passwordKey: ""
+  databaseNameKey: ""
+  hostKey: ""
+  portKey: ""
+
+## OIDC authentication
+## Configuration is expected to be stored in a secret, reference the secret name and each key for the value
+##
+oidc:
+  enabled: false
+  existingSecretName: ""
+  scopesKey: ""                  # "openid profile email"
+  signatureAlgorithmKey: ""      # "RS256"
+  clientIdKey: ""                # <generate from auth provider>
+  clientSecretKey: ""            # <generate from auth provider>
+  baseUrlKey: ""                 # "https://id.fedoraproject.org/openidc"
+  jwksEndpointKey: ""            # "https://id.fedoraproject.org/openidc/Jwks"
+  authorizationEndpointKey: ""   # "https://id.fedoraproject.org/openidc/Authorization"
+  tokenEndpointKey: ""           # "https://id.fedoraproject.org/openidc/Token"
+  userEndpointKey: ""            # "https://id.fedoraproject.org/openidc/UserInfo"
+
+## SMTP mail delivery configuration
+## ref: https://taigaio.github.io/taiga-doc/dist/setup-production.html
+##
+email:
+  enabled: false
+  from: no-reply@example.com
+  host: localhost
+  port: 587
+  tls: false
+  ssl: false
+  user: ""
+
+  ## Specificy an existing secret containg the password for the smtp user
+  ##
+  existingPasswordSecret: ""
+  existingSecretPasswordKey: ""
+
+## Slack
+##
+enableSlack: false
+
+## Importers
+##
+# Github importer
+githubImporter:
+  enabled: false
+  existingSecretName: ""
+  existingSecretClientIdKey: ""
+  existingSecretClientSecretKey: ""
+
+# Jira importer
+jiraImporter:
+  enabled: false
+  existingSecretName: ""
+  existingSecretConsumerKeyKey: ""
+  existingSecretCertKey: ""
+  existingSecretPubCertKey: ""
+
+# Trello importer
+trelloImporter:
+  enabled: false
+  existingSecretName: ""
+  existingSecretApiKeyKey: ""
+  existingSecretSecretKeyKey: ""
+
+## taiga-back
+##
+back:
+  ## Taiga image version
+  ## ref: https://hub.docker.com/r/taigaio/taiga5/tags
+  ##
+  image:
+    repository: taigaio/taiga-back
+    tag: "6.7.3"
+    ## Specify a imagePullPolicy
+    ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
+    ## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images
+    ##
+    pullPolicy: IfNotPresent
+
+  ## Define the number of pods the deployment will create
+  ## Do not change unless your persistent volume allows more than one writer, ie NFS
+  ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/
+  ##
+  replicas: 1
+
+  ## Pod annotations
+  ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
+  ##
+  podAnnotations: {}
+
+  ## Affinity for pod assignment
+  ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
+  ##
+  affinity: {}
+
+  ## Node labels for pod assignment. Evaluated as a template.
+  ## Ref: https://kubernetes.io/docs/user-guide/node-selection/
+  ##
+  nodeSelector: {}
+
+  ## Tolerations for pod assignment
+  ## Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
+  ##
+  tolerations: []
+
+  ## Pod Security Context
+  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+  ##
+  securityContext: {}
+
+  ## taiga containers' resource requests and limits
+  ## ref: http://kubernetes.io/docs/user-guide/compute-resources/
+  ##
+  resources:
+    # We usually recommend not to specify default resources and to leave this as a conscious
+    # choice for the user. This also increases chances charts run on environments with little
+    # resources, such as Minikube. If you do want to specify resources, uncomment the following
+    # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+    limits: {}
+    #  cpu: 2
+    #  memory: 1Gi
+    requests: {}
+    #  cpu: 1
+    #  memory: 1Gi
+
+  ## Configure extra options for liveness and readiness probes
+  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes)
+  ##
+  livenessProbe:
+    enabled: false
+    initialDelaySeconds: 20
+    periodSeconds: 10
+    timeoutSeconds: 5
+    successThreshold: 1
+    failureThreshold: 3
+
+  readinessProbe:
+    enabled: false
+    initialDelaySeconds: 5
+    periodSeconds: 10
+    timeoutSeconds: 1
+    successThreshold: 1
+    failureThreshold: 3
+
+  ## Environment variables, to pass to the entry point
+  ##
+  # extraVars:
+  #   - name: NAMI_DEBUG
+  #     value: --log-level trace
+
+  ## Service
+  ##
+  service:
+    # -- Set the service type
+    type: ClusterIP
+
+    # -- Provide additional annotations which may be required.
+    annotations: {}
+
+    # -- Provide additional labels which may be required.
+    labels: {}
+
+    # -- Allow adding additional match labels
+    extraSelectorLabels: {}
+
+    # -- HTTP port number
+    port: 8000
+
+## Async
+##
+async:
+  ## Taiga image version
+  ## ref: https://hub.docker.com/r/taigaio/taiga5/tags
+  ##
+  image:
+    repository: taigaio/taiga-back
+    tag: "6.7.3"
+    ## Specify a imagePullPolicy
+    ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
+    ## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images
+    ##
+    pullPolicy: IfNotPresent
+
+  ## Define the number of pods the deployment will create
+  ## Do not change unless your persistent volume allows more than one writer, ie NFS
+  ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/
+  ##
+  replicas: 1
+
+  ## Pod Security Context
+  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+  ##
+  securityContext: {}
+
+  ## Pod annotations
+  ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
+  ##
+  podAnnotations: {}
+
+  ## Affinity for pod assignment
+  ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
+  ##
+  affinity: {}
+
+  ## Node labels for pod assignment. Evaluated as a template.
+  ## Ref: https://kubernetes.io/docs/user-guide/node-selection/
+  ##
+  nodeSelector: {}
+
+  ## Tolerations for pod assignment
+  ## Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
+  ##
+  tolerations: []
+
+  ## taiga containers' resource requests and limits
+  ## ref: http://kubernetes.io/docs/user-guide/compute-resources/
+  ##
+  resources:
+    # We usually recommend not to specify default resources and to leave this as a conscious
+    # choice for the user. This also increases chances charts run on environments with little
+    # resources, such as Minikube. If you do want to specify resources, uncomment the following
+    # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+    limits: {}
+    #  cpu: 2
+    #  memory: 1Gi
+    requests: {}
+    #  cpu: 1
+    #  memory: 1Gi
+
+  ## Configure extra options for liveness and readiness probes
+  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes)
+  ##
+  livenessProbe:
+    enabled: false
+    initialDelaySeconds: 20
+    periodSeconds: 10
+    timeoutSeconds: 5
+    successThreshold: 1
+    failureThreshold: 3
+  readinessProbe:
+    enabled: false
+    initialDelaySeconds: 5
+    periodSeconds: 10
+    timeoutSeconds: 1
+    successThreshold: 1
+    failureThreshold: 3
+
+  ## Environment variables, to pass to the entry point
+  ##
+  # extraVars:
+  #   - name: NAMI_DEBUG
+  #     value: --log-level trace
+
+  ## Service
+  ##
+  service:
+    # -- Set the service type
+    type: ClusterIP
+
+    # -- Provide additional annotations which may be required.
+    annotations: {}
+
+    # -- Provide additional labels which may be required.
+    labels: {}
+
+    # -- Allow adding additional match labels
+    extraSelectorLabels: {}
+
+    # -- HTTP port number
+    port: 8000
+
+## Async Rabbitmq
+## https://artifacthub.io/packages/helm/bitnami/rabbitmq?modal=values-schema
+##
+async-rabbitmq:
+  auth:
+    ## @param auth.username RabbitMQ application username
+    ## ref: https://github.com/bitnami/containers/tree/main/bitnami/rabbitmq#environment-variables
+    ##
+    username: taiga
+
+    ## @param auth.existingPasswordSecret Existing secret with RabbitMQ credentials (existing secret must contain a value for `rabbitmq-password` key or override with setting auth.existingSecretPasswordKey)
+    ## e.g:
+    ## existingPasswordSecret: name-of-existing-secret
+    ##
+    existingPasswordSecret: ""
+    existingSecretPasswordKey: ""
+
+    ## @param auth.existingErlangSecret Existing secret with RabbitMQ Erlang cookie (must contain a value for `rabbitmq-erlang-cookie` key or override with auth.existingSecretErlangKey)
+    ## e.g:
+    ## existingErlangSecret: name-of-existing-secret
+    ##
+    existingErlangSecret: ""
+    ## @param auth.existingSecretErlangKey [default: rabbitmq-erlang-cookie] Erlang cookie key to be retrieved from existing secret
+    ## NOTE: ignored unless `auth.existingErlangSecret` parameter is set
+    ##
+    existingSecretErlangKey: ""
+
+  ## @param configurationExistingSecret Existing secret with the configuration to use as rabbitmq.conf.
+  ## Must contain the key "rabbitmq.conf"
+  ## Takes precedence over `configuration`, so do not use both simultaneously
+  ## With providing an existingSecret, extraConfiguration and extraConfigurationExistingSecret do not take any effect
+  ##
+  configurationExistingSecret: ""
+  ## @param extraConfiguration [string] Configuration file content: extra configuration to be appended to RabbitMQ configuration
+  ## Use this instead of `configuration` to add more configuration
+  ## Do not use simultaneously with `extraConfigurationExistingSecret`
+  ##
+  extraConfiguration: |-
+    default_vhost = taiga
+    default_permissions.configure = .*
+    default_permissions.read = .*
+    default_permissions.write = .*
+
+## Events
+##
+events:
+  ## Taiga image version
+  ## ref: https://hub.docker.com/r/taigaio/taiga5/tags
+  ##
+  image:
+    repository: taigaio/taiga-events
+    tag: "6.7.0"
+    ## Specify a imagePullPolicy
+    ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
+    ## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images
+    ##
+    pullPolicy: IfNotPresent
+
+  ## Pod Security Context
+  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+  ##
+  securityContext: {}
+
+  ## Define the number of pods the deployment will create
+  ## Do not change unless your persistent volume allows more than one writer, ie NFS
+  ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/
+  ##
+  replicas: 1
+
+  ## Pod annotations
+  ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
+  ##
+  podAnnotations: {}
+
+  ## Affinity for pod assignment
+  ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
+  ##
+  affinity: {}
+
+  ## Node labels for pod assignment. Evaluated as a template.
+  ## Ref: https://kubernetes.io/docs/user-guide/node-selection/
+  ##
+  nodeSelector: {}
+
+  ## Tolerations for pod assignment
+  ## Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
+  ##
+  tolerations: []
+
+  ## taiga containers' resource requests and limits
+  ## ref: http://kubernetes.io/docs/user-guide/compute-resources/
+  ##
+  resources:
+    # We usually recommend not to specify default resources and to leave this as a conscious
+    # choice for the user. This also increases chances charts run on environments with little
+    # resources, such as Minikube. If you do want to specify resources, uncomment the following
+    # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+    limits: {}
+    #  cpu: 2
+    #  memory: 1Gi
+    requests: {}
+    #  cpu: 1
+    #  memory: 1Gi
+
+  ## Configure extra options for liveness and readiness probes
+  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes)
+  ##
+  livenessProbe:
+    enabled: false
+    initialDelaySeconds: 20
+    periodSeconds: 10
+    timeoutSeconds: 5
+    successThreshold: 1
+    failureThreshold: 3
+  readinessProbe:
+    enabled: false
+    initialDelaySeconds: 5
+    periodSeconds: 10
+    timeoutSeconds: 1
+    successThreshold: 1
+    failureThreshold: 3
+
+  ## Environment variables, to pass to the entry point
+  ##
+  # extraVars:
+  #   - name: NAMI_DEBUG
+  #     value: --log-level trace
+
+  ## Service
+  ##
+  service:
+    # -- Set the service type
+    type: ClusterIP
+
+    # -- Provide additional annotations which may be required.
+    annotations: {}
+
+    # -- Provide additional labels which may be required.
+    labels: {}
+
+    # -- Allow adding additional match labels
+    extraSelectorLabels: {}
+
+    http:
+      # -- HTTP port number
+      port: 8888
+
+    app:
+      # -- HTTP port number
+      port: 3023
+
+## Events Rabbitmq
+## https://artifacthub.io/packages/helm/bitnami/rabbitmq?modal=values-schema
+##
+events-rabbitmq:
+  auth:
+    ## @param auth.username RabbitMQ application username
+    ## ref: https://github.com/bitnami/containers/tree/main/bitnami/rabbitmq#environment-variables
+    ##
+    username: taiga
+
+    ## @param auth.existingPasswordSecret Existing secret with RabbitMQ credentials (existing secret must contain a value for `rabbitmq-password` key or override with setting auth.existingSecretPasswordKey)
+    ## e.g:
+    ## existingPasswordSecret: name-of-existing-secret
+    ##
+    existingPasswordSecret: ""
+    existingSecretPasswordKey: ""
+
+    ## @param auth.existingErlangSecret Existing secret with RabbitMQ Erlang cookie (must contain a value for `rabbitmq-erlang-cookie` key or override with auth.existingSecretErlangKey)
+    ## e.g:
+    ## existingErlangSecret: name-of-existing-secret
+    ##
+    existingErlangSecret: ""
+    ## @param auth.existingSecretErlangKey [default: rabbitmq-erlang-cookie] Erlang cookie key to be retrieved from existing secret
+    ## NOTE: ignored unless `auth.existingErlangSecret` parameter is set
+    ##
+    existingSecretErlangKey: ""
+
+  ## @param configurationExistingSecret Existing secret with the configuration to use as rabbitmq.conf.
+  ## Must contain the key "rabbitmq.conf"
+  ## Takes precedence over `configuration`, so do not use both simultaneously
+  ## With providing an existingSecret, extraConfiguration and extraConfigurationExistingSecret do not take any effect
+  ##
+  configurationExistingSecret: ""
+  ## @param extraConfiguration [string] Configuration file content: extra configuration to be appended to RabbitMQ configuration
+  ## Use this instead of `configuration` to add more configuration
+  ## Do not use simultaneously with `extraConfigurationExistingSecret`
+  ##
+  extraConfiguration: |-
+    default_vhost = taiga
+    default_permissions.configure = .*
+    default_permissions.read = .*
+    default_permissions.write = .*
+
+## Protected
+##
+protected:
+  ## Taiga image version
+  ## ref: https://hub.docker.com/r/taigaio/taiga5/tags
+  ##
+  image:
+    repository: taigaio/taiga-protected
+    tag: "6.7.0"
+    ## Specify a imagePullPolicy
+    ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
+    ## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images
+    ##
+    pullPolicy: IfNotPresent
+
+  ## Pod Security Context
+  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+  ##
+  securityContext: {}
+
+  ## Define the number of pods the deployment will create
+  ## Do not change unless your persistent volume allows more than one writer, ie NFS
+  ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/
+  ##
+  replicas: 1
+
+  ## Pod annotations
+  ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
+  ##
+  podAnnotations: {}
+
+  ## Affinity for pod assignment
+  ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
+  ##
+  affinity: {}
+
+  ## Node labels for pod assignment. Evaluated as a template.
+  ## Ref: https://kubernetes.io/docs/user-guide/node-selection/
+  ##
+  nodeSelector: {}
+
+  ## Tolerations for pod assignment
+  ## Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
+  ##
+  tolerations: []
+
+  ## taiga containers' resource requests and limits
+  ## ref: http://kubernetes.io/docs/user-guide/compute-resources/
+  ##
+  resources:
+    # We usually recommend not to specify default resources and to leave this as a conscious
+    # choice for the user. This also increases chances charts run on environments with little
+    # resources, such as Minikube. If you do want to specify resources, uncomment the following
+    # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+    limits: {}
+    #  cpu: 2
+    #  memory: 1Gi
+    requests: {}
+    #  cpu: 1
+    #  memory: 1Gi
+
+  ## Configure extra options for liveness and readiness probes
+  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes)
+  ##
+  livenessProbe:
+    enabled: false
+    initialDelaySeconds: 20
+    periodSeconds: 10
+    timeoutSeconds: 5
+    successThreshold: 1
+    failureThreshold: 3
+  readinessProbe:
+    enabled: false
+    initialDelaySeconds: 5
+    periodSeconds: 10
+    timeoutSeconds: 1
+    successThreshold: 1
+    failureThreshold: 3
+
+  ## Environment variables, to pass to the entry point
+  ##
+  # extraVars:
+  #   - name: NAMI_DEBUG
+  #     value: --log-level trace
+
+  ## Service
+  ##
+  service:
+    # -- Set the service type
+    type: ClusterIP
+
+    # -- Provide additional annotations which may be required.
+    annotations: {}
+
+    # -- Provide additional labels which may be required.
+    labels: {}
+
+    # -- Allow adding additional match labels
+    extraSelectorLabels: {}
+
+    # -- HTTP port number
+    port: 8003
+
+## Front
+##
+front:
+  ## Taiga image version
+  ## ref: https://hub.docker.com/r/taigaio/taiga5/tags
+  ##
+  image:
+    repository: taigaio/taiga-front
+    tag: "6.7.7"
+    ## Specify a imagePullPolicy
+    ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
+    ## ref: http://kubernetes.io/docs/user-guide/images/#pre-pulling-images
+    ##
+    pullPolicy: IfNotPresent
+
+  ## Define the number of pods the deployment will create
+  ## Do not change unless your persistent volume allows more than one writer, ie NFS
+  ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/
+  ##
+  replicas: 1
+
+  ## Pod Security Context
+  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+  ##
+  securityContext: {}
+
+  ## Pod annotations
+  ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
+  ##
+  podAnnotations: {}
+
+  ## Affinity for pod assignment
+  ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
+  ##
+  affinity: {}
+
+  ## Node labels for pod assignment. Evaluated as a template.
+  ## Ref: https://kubernetes.io/docs/user-guide/node-selection/
+  ##
+  nodeSelector: {}
+
+  ## Tolerations for pod assignment
+  ## Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
+  ##
+  tolerations: []
+
+  ## taiga containers' resource requests and limits
+  ## ref: http://kubernetes.io/docs/user-guide/compute-resources/
+  ##
+  resources:
+    # We usually recommend not to specify default resources and to leave this as a conscious
+    # choice for the user. This also increases chances charts run on environments with little
+    # resources, such as Minikube. If you do want to specify resources, uncomment the following
+    # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+    limits: {}
+    #  cpu: 2
+    #  memory: 1Gi
+    requests: {}
+    #  cpu: 1
+    #  memory: 1Gi
+
+  ## Configure extra options for liveness and readiness probes
+  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes)
+  ##
+  livenessProbe:
+    enabled: false
+    initialDelaySeconds: 20
+    periodSeconds: 10
+    timeoutSeconds: 5
+    successThreshold: 1
+    failureThreshold: 3
+  readinessProbe:
+    enabled: false
+    initialDelaySeconds: 5
+    periodSeconds: 10
+    timeoutSeconds: 1
+    successThreshold: 1
+    failureThreshold: 3
+
+  ## Environment variables, to pass to the entry point
+  ##
+  # extraVars:
+  #   - name: NAMI_DEBUG
+  #     value: --log-level trace
+
+  ## Service
+  ##
+  service:
+    # -- Set the service type
+    type: ClusterIP
+
+    # -- Provide additional annotations which may be required.
+    annotations: {}
+
+    # -- Provide additional labels which may be required.
+    labels: {}
+
+    # -- Allow adding additional match labels
+    extraSelectorLabels: {}
+
+    # -- HTTP port number
+    port: 80
+
+## Configure the ingress resource that allows you to access the
+## taiga installation. Set up the URL
+## ref: http://kubernetes.io/docs/user-guide/ingress/
+##
+ingress:
+  # -- Enables or disables the ingress
+  enabled: false
+
+  # -- Provide additional annotations which may be required.
+  annotations: {}
+
+  # -- Provide additional labels which may be required.
+  labels: {}
+
+  # -- Set the ingressClass that is used for this ingress.
+  className: ""
+
+  ## Configure the hosts for the ingress
+  host: chart-example.local
+
+## Enable persistence using Persistent Volume Claims
+## ref: http://kubernetes.io/docs/user-guide/persistent-volumes/
+##
+persistence:
+  static:
+    # -- Enables or disables the persistence item. Defaults to true
+    enabled: true
+
+    # -- Storage Class for the config volume.
+    # If set to `-`, dynamic provisioning is disabled.
+    # If set to something else, the given storageClass is used.
+    # If undefined (the default) or set to null, no storageClassName spec is set, choosing the default provisioner.
+    storageClass: ""
+
+    # -- If you want to reuse an existing claim, the name of the existing PVC can be passed here.
+    existingClaim: ""
+
+    # -- AccessMode for the persistent volume.
+    # Make sure to select an access mode that is supported by your storage provider!
+    # [[ref]](https://kubernetes.io/docs/concepts/storage/persistent-volumes/#access-modes)
+    accessMode: ReadWriteOnce
+
+    # -- The amount of storage that is requested for the persistent volume.
+    size: 5Gi
+
+    # -- Set to true to retain the PVC upon `helm uninstall`
+    retain: false
+
+  media:
+    # -- Enables or disables the persistence item. Defaults to true
+    enabled: true
+
+    # -- Storage Class for the config volume.
+    # If set to `-`, dynamic provisioning is disabled.
+    # If set to something else, the given storageClass is used.
+    # If undefined (the default) or set to null, no storageClassName spec is set, choosing the default provisioner.
+    storageClass: ""
+
+    # -- If you want to reuse an existing claim, the name of the existing PVC can be passed here.
+    existingClaim: ""
+
+    # -- AccessMode for the persistent volume.
+    # Make sure to select an access mode that is supported by your storage provider!
+    # [[ref]](https://kubernetes.io/docs/concepts/storage/persistent-volumes/#access-modes)
+    accessMode: ReadWriteOnce
+
+    # -- The amount of storage that is requested for the persistent volume.
+    size: 5Gi
+
+    # -- Set to true to retain the PVC upon `helm uninstall`
+    retain: false
--- a/charts/tubearchivist/Chart.yaml
+++ b/charts/tubearchivist/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v2
 name: tubearchivist
-version: 0.2.0
+version: 0.2.3
 description: Chart for Tube Archivist
 keywords:
  - download
@@ -14,7 +14,7 @@ maintainers:
 icon: https://avatars.githubusercontent.com/u/102734415?s=48&v=4
 dependencies:
  - name: redis
-    version: 19.1.0
+    version: 19.1.2
    repository: https://charts.bitnami.com/bitnami
  - name: elasticsearch
    version: 20.0.4
--- a/charts/tubearchivist/values.yaml
+++ b/charts/tubearchivist/values.yaml
@@ -20,18 +20,18 @@ service:
    port: 8000
 ingress:
  enabled: false
-  className:
-  annotations:
-  host:
+  className: ""
+  annotations: ""
+  host: ""
 persistence:
  cache:
    enabled: false
-    storageClassName: default
+    storageClassName: ""
    storageSize: 5Gi
    accessMode: ReadWriteOnce
    volumeMode: Filesystem
  youtube:
-    claimName:
+    claimName: ""
 redis:
  image:
    repository: redis/redis-stack-server
@@ -48,17 +48,17 @@ redis:
    loadmodule /opt/redis-stack/lib/rejson.so
 elasticsearch:
  global:
-    storageClass: default
+    storageClass: ""
  extraEnvVars:
    - name: "discovery.type"
      value: "single-node"
    - name: xpack.security.enabled
      value: "true"
-  extraEnvVarsSecret:
+  extraEnvVarsSecret: []
  extraConfig:
    path:
      repo: /usr/share/elasticsearch/data/snapshot
-  extraVolumes:
+  extraVolumes: []
  extraVolumeMounts:
    - name: snapshot
      mountPath: /usr/share/elasticsearch/data/snapshot
Author	SHA1	Message	Date
alexlebens	fd611813b7	add annotations to deployment	2024-04-21 06:40:46 -06:00
alexlebens	ab5da15b10	remove lazy-librarian	2024-04-21 04:59:41 -06:00
alexlebens	e584566dde	fix app version	2024-04-21 04:03:32 -06:00
alexlebens	f06aa3a175	add lazy-librarian	2024-04-21 03:59:25 -06:00
alexlebens	9abeba8f9d	add penpot	2024-04-19 21:34:56 -06:00
alexlebens	1f498323a4	change postgres settings to import only password from secret	2024-04-19 05:41:38 -06:00
alexlebens	646e3a2c36	grant read to unlogged users	2024-04-19 05:32:28 -06:00
alexlebens	197ca6ef81	add quotes around default vhost of /	2024-04-19 05:22:14 -06:00
alexlebens	b8780a7339	add default vhost	2024-04-19 05:05:10 -06:00
alexlebens	b90968ea85	fix scanner image name	2024-04-19 05:01:23 -06:00
alexlebens	d3275f8067	create switch if various api keys are provided	2024-04-19 04:58:46 -06:00
alexlebens	649f362824	remove extra configuration from rabbitmq	2024-04-19 04:54:03 -06:00
alexlebens	732761d73b	fix default vhost	2024-04-19 04:50:49 -06:00
alexlebens	0e7627cb7d	fix oidc values path	2024-04-19 04:41:22 -06:00
alexlebens	d81c246b35	add kyoo	2024-04-19 04:08:55 -06:00
renovate[bot]	b97dd1f892	Update Helm release redis to v19.1.2 (#39 ) * Update Helm release redis to v19.1.2 * update chart --------- Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: alexlebens <alexanderlebens@gmail.com>	2024-04-18 22:02:37 -06:00
alexlebens	0b8374753d	change default cpu limit	2024-04-18 05:49:15 -06:00
alexlebens	cb29afdcb2	fix source server naming	2024-04-18 05:35:06 -06:00
alexlebens	4f366535c3	change default cpu limit	2024-04-18 04:35:42 -06:00
alexlebens	f32ef77551	add additional options for recovery	2024-04-18 03:43:52 -06:00
alexlebens	d02f649164	remove default option in bootstrap helper	2024-04-18 03:27:00 -06:00
alexlebens	3b50ca2bfe	fix comparision operator position	2024-04-18 01:51:06 -06:00
alexlebens	17796a1183	increment chart version	2024-04-18 01:48:03 -06:00
alexlebens	512b1d4243	set default value for comparision	2024-04-18 01:47:46 -06:00
alexlebens	a2b0cdd5b6	fix ordering of comparision operator	2024-04-18 01:39:33 -06:00
alexlebens	e79af169b9	calculate length of array separately	2024-04-18 01:35:19 -06:00
alexlebens	661f9342b9	fix length measurement of database	2024-04-18 01:17:16 -06:00
alexlebens	9d1244c7a1	remove patch from image tag	2024-04-18 01:07:36 -06:00
alexlebens	0dc50bf88f	change default cluster name to start with release	2024-04-17 20:01:47 -06:00
alexlebens	75accbbf87	use semver function to pull major version into cluster name	2024-04-17 20:00:06 -06:00
alexlebens	19fbd95a79	change templating for cluster naming	2024-04-17 19:45:08 -06:00
alexlebens	d73c42fd42	change default values	2024-04-17 19:15:54 -06:00
renovate[bot]	6399a8ca97	Update Helm release rabbitmq to v14 (#34 ) * Update Helm release rabbitmq to v14 * update chart * align comments for readability --------- Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: alexlebens <alexanderlebens@gmail.com>	2024-04-17 19:13:57 -06:00
renovate[bot]	580c7da73a	Update Helm release redis to v19.1.1 (#18 ) * Update Helm release redis to v19.1.1 * update charts * fix indentation --------- Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: alexlebens <alexanderlebens@gmail.com>	2024-04-17 19:09:36 -06:00
renovate[bot]	11d47799f1	Update dock.mau.dev/mautrix/whatsapp Docker tag to v0.10.7 (#36 ) * Update dock.mau.dev/mautrix/whatsapp Docker tag to v0.10.7 * update helm chart * fix indentation --------- Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: alexlebens <alexanderlebens@gmail.com>	2024-04-17 19:05:30 -06:00
renovate[bot]	7d825da72d	Update linuxserver/code-server Docker tag to v4.23.1 (#35 ) * Update linuxserver/code-server Docker tag to v4.23.1 * update helm chart --------- Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: alexlebens <alexanderlebens@gmail.com>	2024-04-17 19:05:16 -06:00
renovate[bot]	adf49292bd	Update halfshot/matrix-hookshot Docker tag to v5.3.0 (#38 ) * Update halfshot/matrix-hookshot Docker tag to v5.3.0 * update chart * fix linting errors --------- Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: alexlebens <alexanderlebens@gmail.com>	2024-04-17 19:03:21 -06:00
renovate[bot]	63e69df14a	Update ghcr.io/gethomepage/homepage Docker tag to v0.8.12 (#37 ) * Update ghcr.io/gethomepage/homepage Docker tag to v0.8.12 * update chart --------- Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: Alex Lebens <alexanderlebens@gmail.com>	2024-04-17 18:55:36 -06:00
alexlebens	7bd8a4525a	if oidc is enabled add an ingress path to the backend	2024-04-17 04:42:51 -06:00
alexlebens	a860789056	add env to front deployment about oidc enablement	2024-04-15 03:31:49 -06:00
alexlebens	58f89640a8	fix naming of changed rabbitmq charts	2024-04-15 02:47:45 -06:00
alexlebens	132e086d6d	change rabbitmq chart naming to generate proper dns and app names	2024-04-15 02:44:10 -06:00
alexlebens	617505ee99	fix length of app port	2024-04-13 23:37:58 -06:00
alexlebens	34a21702ab	fix http service value	2024-04-13 23:32:48 -06:00
alexlebens	15d3253af9	fix events app port to service and port	2024-04-13 23:28:03 -06:00
alexlebens	90970ef172	fix events health endpoint	2024-04-13 23:19:59 -06:00
alexlebens	0d6f789ffd	increment chart version	2024-04-13 23:14:21 -06:00
alexlebens	f968776cd0	fix trello importer switch for async container	2024-04-13 23:13:44 -06:00
alexlebens	0b2beb08b7	fix indentation of events deployment	2024-04-13 23:11:44 -06:00
alexlebens	8fae31a679	properly enable/disable trello importer	2024-04-13 23:07:20 -06:00
alexlebens	f67ac05610	fix indentation	2024-04-13 23:05:03 -06:00
alexlebens	7803519d04	add major version value	2024-04-13 22:58:01 -06:00
alexlebens	55e63c2c72	fix minor formatting and remove uneeded values	2024-04-13 22:31:07 -06:00
alexlebens	6e083293bb	fix minor formatting and remove uneeded values	2024-04-13 22:29:33 -06:00
alexlebens	60e427826c	add taiga	2024-04-13 22:17:45 -06:00
alexlebens	f905b4ccfe	change s3 env keys	2024-04-13 14:58:20 -06:00
alexlebens	487786455c	change default credential secret name	2024-04-13 03:28:27 -06:00
alexlebens	585d39657a	change how the cluster name is generated and used	2024-04-13 03:24:58 -06:00
alexlebens	e5e2812ed5	remove chart as functionality is now included in postgres-cluster chart	2024-04-13 02:46:38 -06:00
alexlebens	506218210e	add replica import type	2024-04-13 02:41:46 -06:00
alexlebens	a7a08ef9f3	change chart to align with cnpg's chart	2024-04-13 02:06:02 -06:00
alexlebens	0fe94afd2a	revert to redis image	2024-04-12 20:11:10 -06:00
renovate[bot]	73262aa60a	Update homeassistant/home-assistant Docker tag to v2024.4.3 (#31 ) * Update homeassistant/home-assistant Docker tag to v2024.4.3 * update chart --------- Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: Alex Lebens <alexanderlebens@gmail.com>	2024-04-12 17:42:37 -06:00
alexlebens	a322553210	update readme	2024-04-11 19:37:45 -06:00
alexlebens	09aae9e79d	change default cluster size to 3	2024-04-11 19:35:05 -06:00
alexlebens	c72c25a74d	upgrade default postgres version to 16.2	2024-04-11 19:33:20 -06:00