gotenberg
Helm chart
Request a free trial
Contact our team to test out this Helm chart and related images for free. Please also indicate any other images you would like to evaluate.
Tag:
1
# Default values for gotenberg.
2
# This is a YAML-formatted file.
3
# Declare variables to be passed into your templates.
4
5
# -- Specifies that chart can be used as a condition when it is a dependency.
6
# See https://helm.sh/docs/chart_best_practices/dependencies/#conditions-and-tags for more info.
7
# @ignored
8
enabled: true
9
replicaCount: 1
10
image:
11
repository: cgr.dev/chainguard-private/gotenberg
12
pullPolicy: IfNotPresent
13
# -- Overrides the image tag whose default is the chart appVersion.
14
tag: latest@sha256:79d0ea033b0dd16762dc6e91ff0b28575826c50e069e8b0f123ecc8a5fe9302a
15
imagePullSecrets: []
16
nameOverride: ""
17
fullnameOverride: ""
18
serviceAccount:
19
# -- Specifies whether a service account should be created
20
create: false
21
# -- Annotations to add to the service account
22
annotations: {}
23
# -- The name of the service account to use.
24
## If not set and create is true, a name is generated using the fullname template
25
name: ""
26
podAnnotations: {}
27
# -- Set annotations for the helm test pods (for example to disable certain kube-score checks)
28
testPodAnnotations: {}
29
# -- Image configuration for the helm test pod
30
testImage:
31
# -- Repository for the test image
32
repository: busybox
33
# -- Tag for the test image
34
tag: latest
35
# -- List of additional pod labels
36
podLabels: {}
37
podSecurityContext: {}
38
# fsGroup: 2000
39
40
# -- Define the security context for the container. By default will use upstream recommended values.
41
# @default -- `{ privileged: false, runAsUser: 1001 }`, except in OpenShift where `runAsUser` is not set.
42
securityContext: {}
43
service:
44
type: ClusterIP
45
port: 80
46
# -- Annotations to add to the service
47
annotations: {}
48
# -- (DEPRECATED) Static IP address for LoadBalancer type service. Deprecated in Kubernetes 1.24, use provider-specific annotations instead.
49
loadBalancerIP: ""
50
# Strategy is utilized to configure the desired upgrade approach and
51
# configuration for the deployment.
52
strategy: {}
53
progressDeadlineSeconds: 120
54
resources: {}
55
# We usually recommend not to specify default resources and to leave this as a conscious
56
# choice for the user. This also increases chances charts run on environments with little
57
# resources, such as Minikube. If you do want to specify resources, uncomment the following
58
# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
59
# limits:
60
# cpu: 100m
61
# memory: 128Mi
62
# requests:
63
# cpu: 100m
64
# memory: 128Mi
65
66
# -- Define the liveness probe object for the container.
67
# +docs:property
68
# livenessProbe: {}
69
livenessProbe:
70
httpGet:
71
path: /health
72
port: http
73
# -- Define the readiness probe object for the container.
74
# +docs:property
75
# readinessProbe: {}
76
readinessProbe:
77
httpGet:
78
path: /health
79
port: http
80
# -- Define the startup probe object for the container.
81
# +docs:property
82
# startupProbe: {}
83
startupProbe:
84
httpGet:
85
path: /health
86
port: http
87
failureThreshold: 30
88
periodSeconds: 10
89
autoscaling:
90
enabled: false
91
minReplicas: 1
92
maxReplicas: 100
93
behavior: {}
94
extraMetrics: []
95
targetCPUUtilizationPercentage: 80
96
# +docs:property
97
# targetMemoryUtilizationPercentage: 80
98
vpa:
99
# -- Create a VerticalPodAutoscaler resource for right-sizing pod resources.
100
# Requires the VPA controller to be installed in the cluster.
101
# See also: https://github.com/kubernetes/autoscaler/tree/master/vertical-pod-autoscaler
102
create: false
103
# -- Update mode for VPA: Auto (resize in-place or restart), Recreate (restart to resize), Initial (set at creation only), Off (recommendations only)
104
updateMode: "Auto"
105
# -- Resource policy for VPA to control which containers and resources are autoscaled, see values.yaml for an example.
106
resourcePolicy: {}
107
# containerPolicies:
108
# - containerName: gotenberg
109
# minAllowed:
110
# cpu: 100m
111
# memory: 256Mi
112
# maxAllowed:
113
# cpu: 2
114
# memory: 4Gi
115
pdb:
116
create: false
117
minAvailable: 1
118
maxUnavailable: ""
119
# -- Unhealthy pod eviction policy for the PDB (e.g., AlwaysAllow)
120
unhealthyPodEvictionPolicy:
121
nodeSelector: {}
122
tolerations: []
123
affinity: {}
124
topologySpreadConstraints: []
125
volumes: []
126
# - name: tmp-volume
127
# emptyDir:
128
# medium: Memory
129
# sizeLimit: 2Gi
130
131
volumeMounts: []
132
# - name: tmp-volume
133
# mountPath: /tmp
134
135
# -- List of extra environment variables for gotenberg container.
136
# Gotenberg 8.29.0+ supports OpenTelemetry via standard OTEL_* environment variables.
137
# See https://gotenberg.dev/docs/configuration for details.
138
extraEnv: []
139
# - name: OTEL_EXPORTER_OTLP_ENDPOINT
140
# value: "http://otel-collector:4317"
141
# - name: OTEL_TRACES_EXPORTER
142
# value: "otlp"
143
# - name: OTEL_METRICS_EXPORTER
144
# value: "otlp"
145
# - name: OTEL_LOGS_EXPORTER
146
# value: "otlp"
147
148
# -- List of init containers for the gotenberg pod
149
initContainers: []
150
# - name: init-myservice
151
# image: busybox:1.28
152
# command: ['sh', '-c', 'echo init container']
153
154
ingress:
155
# -- Set to true to enable ingress record generation. WARNING: Gotenberg shouldn't be exposed to the internet.
156
enabled: false
157
# -- Set the class name of the ingress
158
className: ""
159
# -- Set the annotations of the ingress
160
annotations: {}
161
# kubernetes.io/ingress.class: nginx
162
# kubernetes.io/tls-acme: "true"
163
164
# -- Set the labels of the ingress
165
labels: {}
166
# -- Set the hostnames of the ingress, see values.yaml for an example.
167
hosts: []
168
# - host: chart-example.local
169
# paths:
170
# - path: /
171
# pathType: ImplementationSpecific
172
173
# -- Set the TLS configuration for the ingress, see values.yaml for an example.
174
tls: []
175
# - secretName: chart-example-tls
176
# hosts:
177
# - chart-example.local
178
# Gateway API HTTPRoute configuration.
179
# WARNING: Gotenberg shouldn't be exposed to the internet.
180
# See also: https://gateway-api.sigs.k8s.io/
181
gateway:
182
# -- Set to true to create an HTTPRoute resource
183
enabled: false
184
# -- Annotations to add to the HTTPRoute
185
annotations: {}
186
# -- Labels to add to the HTTPRoute
187
labels: {}
188
# -- Parent Gateway references, see values.yaml for an example.
189
parentRefs: []
190
# - name: my-gateway
191
# namespace: default
192
# sectionName: https
193
# -- Hostnames to match for routing, see values.yaml for an example.
194
hostnames: []
195
# - gotenberg.example.local
196
# The API module is an HTTP/1 and HTTP/2 (H2C) server. Other modules may add routes, middlewares, and health checks.
197
# https://gotenberg.dev/docs/configuration#api
198
api:
199
# -- Set the port on which the API should listen (default 3000)
200
port: 3000
201
# -- Enables TLS on the API server: K8S TLS secret name containing the TLS certificate and key (tls.crt, tls.key)
202
tlsSecretName: ""
203
# -- Set the time limit for requests (default 30s)
204
timeout: ""
205
# -- Set the request body limit for multipart/form-data (e.g., "100MB")
206
bodyLimit: ""
207
# -- Set the root path of the API - for service discovery via URL paths (default "/")
208
rootPath: ""
209
# -- (DEPRECATED) Set the header name to use for identifying requests. Use correlationIdHeader instead.
210
traceHeader: ""
211
# -- Set the header name to use for identifying requests (default "Gotenberg-Trace")
212
correlationIdHeader: ""
213
# -- (DEPRECATED) Disable health check route telemetry. Use disableHealthCheckRouteTelemetry instead.
214
disableHealthCheckLogging: false
215
# -- Disable health check route telemetry. Note: upstream default changed to true in Gotenberg 8.29.0 (health check telemetry is disabled by default even without this flag).
216
disableHealthCheckRouteTelemetry: false
217
# -- Enable debug route for debugging purposes
218
enableDebugRoute: false
219
# -- Set the maximum duration to wait for the API to start
220
startTimeout: ""
221
# -- Enable basic authentication, see also the basicAuthUsername and basicAuthPassword values
222
enableBasicAuth: false
223
# -- Name of an existing secret containing basic auth credentials (keys: username, password)
224
existingSecret: ""
225
# -- Key in existingSecret for the username (default: username)
226
existingSecretUsernameKey: ""
227
# -- Key in existingSecret for the password (default: password)
228
existingSecretPasswordKey: ""
229
# -- Set the basic authentication username (ignored if existingSecret is set)
230
basicAuthUsername:
231
# -- Set the basic authentication password (ignored if existingSecret is set)
232
basicAuthPassword:
233
# -- Set the allowed URLs for the download from feature using a regular expression
234
downloadFromAllowList: ""
235
# -- Set the denied URLs for the download from feature using a regular expression
236
downloadFromDenyList: ""
237
# -- Reject `downloadFrom` URLs resolving to a non-public IP (loopback, RFC1918, link-local, IPv6 unique-local). A URL matching `downloadFromAllowList` skips the IP-class check; a URL matching `downloadFromDenyList` is always rejected. Added in Gotenberg 8.32.0.
238
downloadFromDenyPrivateIps: false
239
# -- Reject `downloadFrom` URLs resolving to a public IP. Setting both `downloadFromDenyPrivateIps` and `downloadFromDenyPublicIps` to true rejects every URL unless the allow-list matches. Added in Gotenberg 8.32.0.
240
downloadFromDenyPublicIps: false
241
# -- Set the maximum number of retries for the download from feature (default 4)
242
downloadFromMaxRetry: 4
243
# -- Disable the download from feature
244
disableDownloadFrom: false
245
# -- Disable telemetry on the root route
246
disableRootRouteTelemetry: false
247
# -- Disable telemetry on the debug route
248
disableDebugRouteTelemetry: false
249
# -- Disable telemetry on the version route
250
disableVersionRouteTelemetry: false
251
# The Chromium module interacts with the Chromium browser to convert HTML documents to PDF.
252
# https://gotenberg.dev/docs/configuration#chromium
253
chromium:
254
# -- Number of conversions after which Chromium will automatically restart. Set to 0 to disable this feature (default 100)
255
restartAfter: ""
256
# -- Maximum number of concurrent Chromium conversions (default 6)
257
maxConcurrency: 0
258
# -- Automatically launch Chromium upon initialization if set to true; otherwise, Chromium will start at the time of the first conversion
259
autoStart: false
260
# -- Maximum duration to wait for Chromium to start or restart
261
startTimeout: ""
262
# -- Allow file:// URIs to read other file:// URIs
263
allowFileAccessFromFiles: false
264
# -- Ignore TLS/SSL errors on localhost
265
allowInsecureLocalhost: false
266
# -- Set the allowed URLs for Chromium using a regular expression
267
allowList: ""
268
# -- Set the denied URLs for Chromium using a regular expression (default "^file:///[^tmp].*")
269
denyList: ""
270
# -- Reject Chromium navigations and sub-resources resolving to a non-public IP (loopback, RFC1918, link-local, IPv6 unique-local). A URL matching `allowList` skips the IP-class check; a URL matching `denyList` is always rejected. Added in Gotenberg 8.32.0. Skipped when `proxyServer` or `hostResolverRules` is set.
271
denyPrivateIps: false
272
# -- Reject Chromium navigations and sub-resources resolving to a public IP. Setting both `denyPrivateIps` and `denyPublicIps` to true rejects every URL unless the allow-list matches. Added in Gotenberg 8.32.0.
273
denyPublicIps: false
274
# -- Ignore the certificate errors
275
ignoreCertificateErrors: false
276
# -- Don't enforce the same-origin policy
277
disableWebSecurity: false
278
# -- (DEPRECATED) Start Chromium with incognito mode. This flag is deprecated as of Gotenberg 8.25.0 and its value is ignored.
279
incognito: false
280
# -- Set custom mappings to the host resolver
281
hostResolverRules: ""
282
# -- Set the outbound proxy server; this switch only affects HTTP and HTTPS requests
283
proxyServer: ""
284
# -- Disable JavaScript
285
disableJavaScript: false
286
# -- Disable the routes
287
disableRoutes: false
288
# -- Clear Chromium cache between each conversion.
289
clearCache: false
290
# -- Clear Chromium cookies between each conversion.
291
clearCookies: false
292
# -- Maximum request queue size for Chromium. Set to 0 to disable this feature.
293
maxQueueSize: 0
294
# -- Duration after which idle Chromium browser processes are shut down (e.g., "30s"). Set to 0s or leave empty to disable (default 0s, disabled).
295
idleShutdownTimeout: ""
296
# The LibreOffice module interacts with LibreOffice to convert documents to PDF, thanks to unoconv.
297
# https://gotenberg.dev/docs/configuration#libreoffice
298
libreOffice:
299
# -- Number of conversions after which LibreOffice will automatically restart. Set to 0 to disable this feature (default 10)
300
restartAfter: ""
301
# -- Automatically launch LibreOffce upon initialization if set to true; otherwise, LibreOffice will start at the time of the first conversion (default false)
302
autoStart: false
303
# -- Maximum duration to wait for LibreOffice to start or restart (default 10s)
304
startTimeout: ""
305
# -- Disable the routes
306
disableRoutes: false
307
# -- Maximum request queue size for LibreOffice. Set to 0 to disable this feature.
308
maxQueueSize: 0
309
# -- Duration after which idle LibreOffice processes are shut down (e.g., "30s"). Set to 0s or leave empty to disable (default 0s, disabled).
310
idleShutdownTimeout: ""
311
# -- Set the allowed URLs for LibreOffice outbound fetches (embedded external content in OOXML/RTF/ODF) using a regular expression. Added in Gotenberg 8.32.0.
312
allowList: ""
313
# -- Set the denied URLs for LibreOffice outbound fetches using a regular expression. Added in Gotenberg 8.32.0.
314
denyList: ""
315
# -- Reject LibreOffice outbound fetches resolving to a non-public IP (loopback, RFC1918, link-local, IPv6 unique-local). A URL matching `allowList` skips the IP-class check; a URL matching `denyList` is always rejected. Added in Gotenberg 8.32.0.
316
denyPrivateIps: false
317
# -- Reject LibreOffice outbound fetches resolving to a public IP. Setting both `denyPrivateIps` and `denyPublicIps` to true rejects every URL unless the allow-list matches. Added in Gotenberg 8.32.0.
318
denyPublicIps: false
319
# The PDF Engines module gathers all engines that can manipulate PDF files.
320
# https://gotenberg.dev/docs/configuration#pdf-engines
321
pdfEngines:
322
# -- (DEPRECATED) Set the PDF engines and their order. This flag was deprecated in Gotenberg 8.13.0 and its value is ignored. Use the per-feature engine flags instead (mergeEngines, splitEngines, flattenEngines, convertEngines, readMetadataEngines, writeMetadataEngines, encryptEngines, embedEngines).
323
engines: ""
324
# -- Set the PDF engines and their order for the merge feature (default qpdf,pdfcpu,pdftk)
325
mergeEngines: ""
326
# -- Set the PDF engines and their order for the split feature (default pdfcpu,qpdf,pdftk)
327
splitEngines: ""
328
# -- Set the PDF engines and their order for the flatten feature (default qpdf)
329
flattenEngines: ""
330
# -- Set the PDF engines and their order for the convert feature (default libreoffice-pdfengine)
331
convertEngines: ""
332
# -- Set the PDF engines and their order for the read metadata feature (default exiftool)
333
readMetadataEngines: ""
334
# -- Set the PDF engines and their order for the write metadata feature (default exiftool)
335
writeMetadataEngines: ""
336
# -- Set the PDF engines and their order for the password protection feature (default qpdf,pdftk,pdfcpu)
337
encryptEngines: ""
338
# -- Set the PDF engines and their order for the file embedding feature (default pdfcpu)
339
embedEngines: ""
340
# -- Set the PDF engines and their order for the watermark feature (default pdfcpu,pdftk)
341
watermarkEngines: ""
342
# -- Set the PDF engines and their order for the stamp feature (default pdfcpu,pdftk)
343
stampEngines: ""
344
# -- Set the PDF engines and their order for the rotate feature (default pdfcpu,pdftk)
345
rotateEngines: ""
346
# -- Set the PDF engines and their order for the read bookmarks feature (default pdfcpu)
347
readBookmarksEngines: ""
348
# -- Set the PDF engines and their order for the write bookmarks feature (default pdfcpu,pdftk)
349
writeBookmarksEngines: ""
350
# -- Disable the routes
351
disableRoutes: false
352
# The Webhook module provides a middleware that allows you to upload the output file
353
# from multipart/form-data routes to the destination of your choice.
354
# https://gotenberg.dev/docs/configuration#webhook
355
webhook:
356
# -- Enable synchronous mode for the webhook feature
357
enableSyncMode: false
358
# -- Set the allowed URLs for the webhook feature using a regular expression. In Gotenberg 8.31.0+ this applies to both regular and error webhooks.
359
allowList: ""
360
# -- Set the denied URLs for the webhook feature using a regular expression. In Gotenberg 8.31.0+ this applies to both regular and error webhooks. Note: 8.31.0's permissive-by-default revert means this defaults to empty again in 8.32.0+; opt into IP-class filtering via `denyPrivateIps` / `denyPublicIps`.
361
denyList: ""
362
# -- Reject webhook URLs (success, error, events) resolving to a non-public IP (loopback, RFC1918, link-local, IPv6 unique-local). A URL matching `allowList` skips the IP-class check; a URL matching `denyList` is always rejected. Added in Gotenberg 8.32.0.
363
denyPrivateIps: false
364
# -- Reject webhook URLs resolving to a public IP. Setting both `denyPrivateIps` and `denyPublicIps` to true rejects every URL unless the allow-list matches. Added in Gotenberg 8.32.0.
365
denyPublicIps: false
366
# -- (DEPRECATED) Set the allowed URLs in case of an error for the webhook feature using a regular expression. Use `allowList` instead in Gotenberg 8.31.0+ — it now covers both regular and error webhooks.
367
errorAllowList: ""
368
# -- (DEPRECATED) Set the denied URLs in case of an error for the webhook feature using a regular expression. Use `denyList` instead in Gotenberg 8.31.0+ — it now covers both regular and error webhooks.
369
errorDenyList: ""
370
# -- Set the maximum number of retries for the webhook feature (default 4)
371
maxRetry: ""
372
# -- Set the minimum duration to wait before trying to call the webhook again (default 1s)
373
retryMinWait: ""
374
# -- Set the maximum duration to wait before trying to call the webhook again (default 30s)
375
retryMaxWait: ""
376
# -- Set the time limit for requests to the webhook (default 30s)
377
clientTimeout: ""
378
# -- Disable the webhook feature
379
disable: false
380
# The Prometheus module collects metrics from other modules.
381
# https://gotenberg.dev/docs/configuration#prometheus
382
prometheus:
383
# -- Set the interval for collecting modules' metrics (default 1s)
384
collectInterval: ""
385
# -- Set the namespace of modules' metrics (default "gotenberg")
386
namespace: ""
387
# -- Set the metrics endpoint path (default "/prometheus/metrics")
388
metricsPath: ""
389
# -- Disable the collect of metrics
390
disableCollect: false
391
# -- (DEPRECATED) Disable the route logging. Use disableRouteTelemetry instead.
392
disableRouterLogging: false
393
# -- Disable route telemetry for the Prometheus metrics endpoint
394
disableRouteTelemetry: false
395
# The Logging module provides a logger to Gotenberg.
396
# https://gotenberg.dev/docs/configuration#logging
397
logging:
398
# -- (DEPRECATED) Set log format. Use stdFormat instead.
399
format: ""
400
# -- Set log standard output format - auto, json, or text (default "auto")
401
stdFormat: ""
402
# -- Set the log level - error, warn, info, or debug (default "info")
403
level: ""
404
# -- Prepend a specified prefix to each field in the logs
405
fieldsPrefix: ""
406
# -- (DEPRECATED) Enable GCP log field mapping for Cloud Run. Use stdEnableGcpFields instead.
407
enableGcpFields: false
408
# -- Enable GCP log standard output field mapping for Cloud Run
409
stdEnableGcpFields: false
410
# -- Enable GCP severity field mapping
411
enableGcpSeverity: false
412
# Misc.
413
# https://gotenberg.dev/docs/configuration#graceful-shutdown
414
gotenberg:
415
# -- Set the graceful shutdown duration (default 30s)
416
gracefulShutdownDurationSec: 30
417
# -- Hide the Gotenberg banner on startup
418
hideBanner: false
419
metrics:
420
serviceMonitor:
421
# -- Enable ServiceMonitor
422
enabled: false
423
# -- (string) Namespace for ServiceMonitor, defaults to release namespace
424
namespace:
425
# -- (string) Optional job label for the target service in Prometheus
426
jobLabel:
427
# -- (string) Interval at which metrics should be scraped
428
interval:
429
# -- (string) Timeout after which the scrape is ended
430
scrapeTimeout:
431
# -- HonorLabels chooses the metric’s labels on collisions with target labels
432
honorLabels: false
433
# -- List of metric relabel configs to apply to samples before ingestion
434
metricRelabelings: []
435
# -- List of relabel configs to apply to samples before scraping
436
relabelings: []
437
# -- Additional annotations for the service monitor
438
annotations: {}
439
# -- Additional labels for the service monitor
440
labels: {}
441
# Enable or Disable Network Policy.
442
# See also: https://kubernetes.io/docs/concepts/services-networking/network-policies/
443
networkPolicy:
444
enabled: false
445
# Allow all connections from any source. To be set to false if extraIngress is used.
446
allowIngress: true
447
# Allow all connections to any destinations. To be set to false if extraEgress is used.
448
allowEgress: true
449
# Config custom ingress rules to the NetworkPolicy.
450
extraIngress: []
451
# extraIngress:
452
# - from:
453
# - podSelector:
454
# matchLabels:
455
# component: apache
456
# ports:
457
# - port: 8080
458
# protocol: TCP
459
# Config custom egress rules to the NetworkPolicy.
460
extraEgress: []
461
# extraEgress:
462
# - to:
463
# - podSelector:
464
# matchLabels:
465
# component: apache
466
# ports:
467
# - port: 80
468
# protocol: TCP
469
The trusted source for open source
Talk to an expertProduct
Customers
© 2026 Chainguard, Inc. All Rights Reserved.
Chainguard® and the Chainguard logo are registered trademarks of Chainguard, Inc. in the United States and/or other countries.
The other respective trademarks mentioned on this page are owned by the respective companies and use of them does not imply any affiliation or endorsement.
Chainguard® and the Chainguard logo are registered trademarks of Chainguard, Inc. in the United States and/or other countries.
The other respective trademarks mentioned on this page are owned by the respective companies and use of them does not imply any affiliation or endorsement.