OpenCut
OpenCut is an open-source video editor. The HelmForge chart deploys the OpenCut web application with HelmForge PostgreSQL and Redis dependencies plus the Redis-over-HTTP bridge required by the upstream runtime.
Key Features
- HelmForge-maintained
docker.io/helmforge/opencut:v0.3.0image - HelmForge PostgreSQL dependency for application metadata
- HelmForge Redis dependency plus Redis-over-HTTP bridge
- External database and Redis/Valkey modes
- Ingress, Gateway API through the single
gatewayvalues block, dual-stack Service fields, HPA, PDB, NetworkPolicy, External Secrets, and Helm tests
Installation
helm repo add helmforge https://repo.helmforge.dev
helm repo update
helm install opencut helmforge/opencut --namespace opencut --create-namespacehelm install opencut oci://ghcr.io/helmforgedev/helm/opencut --namespace opencut --create-namespaceExamples
Gateway API:
gateway:
enabled: true
parentRefs:
- name: public
namespace: gateway-system
hostnames:
- opencut.example.comExternal services:
postgresql:
enabled: false
redis:
enabled: false
database:
external:
host: postgres.example.com
existingSecret: opencut-db
redisHttp:
externalUrl: http://redis-http.example.comOperations
The chart uses HelmForge subcharts for databases by default. For production, pin credentials through existing Secrets or External Secrets and size PostgreSQL and Redis PVCs explicitly.
Architecture
The chart deploys OpenCut with HelmForge PostgreSQL and Redis by default, plus the Redis-over-HTTP bridge required by the application path. The application pod receives a stable site URL, authentication secret, database connection, Redis connection, and optional workspace integration values.
Runtime flow:
- Public traffic enters through Ingress or Gateway API.
- OpenCut handles browser and API traffic through the main Service.
- PostgreSQL stores application state.
- Redis and the Redis HTTP bridge support cache and application integration paths.
- Optional External Secrets reconcile database, Redis, and app secrets.
Production Values
Use stable application secrets, durable PostgreSQL and Redis, explicit route settings, and NetworkPolicy:
opencut:
siteUrl: https://opencut.example.com
betterAuthSecret: replace-with-a-stable-secret
marbleWorkspaceKey: replace-with-workspace-key
postgresql:
auth:
existingSecret: opencut-postgresql-auth
existingSecretUserPasswordKey: user-password
standalone:
persistence:
enabled: true
storageClass: fast-retain
size: 50Gi
redis:
auth:
enabled: true
existingSecret: opencut-redis-auth
existingSecretPasswordKey: redis-password
standalone:
persistence:
enabled: true
storageClass: fast-retain
size: 8Gi
redisHttp:
resources:
requests:
cpu: 50m
memory: 128Mi
limits:
cpu: 500m
memory: 512Mi
networkPolicy:
enabled: trueopencut.siteUrl should match the externally visible URL exactly. Authentication callback and generated links depend on
that value.
External Services
Use external dependencies when PostgreSQL or Redis are platform-managed:
opencut:
siteUrl: https://opencut.example.com
betterAuthSecret: replace-with-a-stable-secret
postgresql:
enabled: false
database:
external:
host: postgres.example.com
port: 5432
name: opencut
username: opencut
existingSecret: opencut-db
existingSecretPasswordKey: database-password
redis:
enabled: false
external:
host: redis.example.com
port: 6379
existingSecret: opencut-redis
existingSecretPasswordKey: redis-passwordKeep the Redis HTTP bridge enabled unless your deployment provides a compatible external bridge through
redisHttp.externalUrl.
Networking And Scaling
Ingress example:
ingress:
enabled: true
ingressClassName: traefik
annotations:
cert-manager.io/cluster-issuer: letsencrypt-prod
hosts:
- host: opencut.example.com
paths:
- path: /
pathType: Prefix
tls:
- secretName: opencut-tls
hosts:
- opencut.example.comGateway API example:
gateway:
enabled: true
parentRefs:
- name: public
namespace: gateway-system
hostnames:
- opencut.example.com
path: /
pathType: PathPrefixEnable HPA only after database and Redis capacity have been sized for additional application pods:
autoscaling:
enabled: true
minReplicas: 2
maxReplicas: 6Secrets
For GitOps, store app and dependency secrets outside values files. The chart supports generated Kubernetes Secrets for local tests, existing Secrets for production, and ExternalSecret resources when External Secrets Operator is installed.
Rotate betterAuthSecret carefully because it can invalidate sessions or signed application state.
Validation
After deployment:
helm test opencut -n opencut
kubectl get pods -n opencut -l app.kubernetes.io/name=opencut
kubectl logs -n opencut deploy/opencut --since=10m
kubectl get events -n opencut --sort-by=.lastTimestampAlso validate the browser editor loads, authentication works, project creation succeeds, and the Redis HTTP bridge is reachable from the OpenCut pod.
Common Issues
| Symptom | Likely Cause | Fix |
|---|---|---|
| Login or callbacks use the wrong URL | opencut.siteUrl does not match public route | Set the exact external HTTPS URL. |
| App starts before dependencies are ready | External DB/Redis DNS or credentials are wrong | Check connection Secrets and service reachability. |
| Redis HTTP bridge errors | Bridge disabled or external URL wrong | Keep redisHttp.enabled=true or set a valid externalUrl. |
| Sessions break after redeploy | Auth secret changed | Store betterAuthSecret in a stable Secret. |
Values
| Parameter | Default | Description |
|---|---|---|
replicaCount | 1 | Number of OpenCut pods when autoscaling is disabled. |
image.repository | docker.io/helmforge/opencut | HelmForge OpenCut image. |
postgresql.enabled | true | Deploy HelmForge PostgreSQL dependency. |
redis.enabled | true | Deploy HelmForge Redis dependency. |
database.external.host | "" | External PostgreSQL host. |
redisHttp.enabled | true | Deploy Redis-over-HTTP bridge. |
service.ipFamilyPolicy | null | Optional Service dual-stack policy. |
ingress.enabled | false | Render Ingress. |
gateway.enabled | false | Render Gateway API HTTPRoute. |
externalSecrets.enabled | false | Render ExternalSecret resources. |