diff --git a/swh/templates/web/_helper-cronjob.yaml b/swh/templates/web/_helper-cronjob.yaml
index 11f50f956006e72f41ba66d8d2c394c9fecc064e..f0f2d86dee2338151cd41b0193456da2c72e5246 100644
--- a/swh/templates/web/_helper-cronjob.yaml
+++ b/swh/templates/web/_helper-cronjob.yaml
@@ -1,6 +1,6 @@
 {{/*
-Create a Kind CronJob for service .serviceType
-*/}}
+   * Create a Kind CronJob for service .serviceType
+   */}}
 {{- define "swh.web.cronjob" -}}
 {{- with .configuration -}}
 {{- $log_level := .logLevel -}}
@@ -8,6 +8,7 @@ apiVersion: batch/v1
 kind: CronJob
 metadata:
   name: {{ $.serviceType }}-cronjob
+  namespace: {{ $.Values.namespace }}
 spec:
   schedule: {{ .cron | quote}}
   {{- if .concurrencyPolicy }}
@@ -49,21 +50,21 @@ spec:
               - -c
               - eval echo "\"$(</etc/swh/configuration-template/config.yml.template)\"" > /etc/swh/config.yml
               env:
-                {{- if $.Values.web.databaseConfigurationRef }}
+                {{- if $.webConfiguration.databaseConfigurationRef }}
                 {{- include "swh.secrets.environment" (dict "Values" $.Values
-                                                            "configurationRef" $.Values.web.databaseConfigurationRef) | nindent 16 -}}
+                                                            "configurationRef" $.webConfiguration.databaseConfigurationRef) | nindent 16 -}}
                 {{ end }}
-                {{- if $.Values.web.djangoConfigurationRef }}
+                {{- if $.webConfiguration.djangoConfigurationRef }}
                 {{- include "swh.secrets.environment" (dict "Values" $.Values
-                                                            "configurationRef" $.Values.web.djangoConfigurationRef) | nindent 16 }}
+                                                            "configurationRef" $.webConfiguration.djangoConfigurationRef) | nindent 16 }}
                 {{ end }}
-                {{- if $.Values.web.depositConfigurationRef -}}
+                {{- if $.webConfiguration.depositConfigurationRef -}}
                 {{- include "swh.secrets.environment" (dict "Values" $.Values
-                                                            "configurationRef" $.Values.web.depositConfigurationRef) | nindent 16 }}
+                                                            "configurationRef" $.webConfiguration.depositConfigurationRef) | nindent 16 }}
                 {{ end }}
-                {{- if $.Values.web.giveConfigurationRef -}}
+                {{- if $.webConfiguration.giveConfigurationRef -}}
                 {{- include "swh.secrets.environment" (dict "Values" $.Values
-                                                            "configurationRef" $.Values.web.giveConfigurationRef) | nindent 16 }}
+                                                            "configurationRef" $.webConfiguration.giveConfigurationRef) | nindent 16 }}
                 {{ end }}
                 {{- if $.Values.web.sentry.enabled }}
                 - name: SWH_SENTRY_DSN
@@ -149,7 +150,7 @@ spec:
           {{- if $.pgService }}
           - name: pgservice-configuration-template
             configMap:
-              name: pgservice-configuration-template
+              name: pgservice-{{ $.webType }}-configuration-template
               items:
               - key: "pg-service-conf"
                 path: "pg_service.conf"
diff --git a/swh/templates/web/_helper_configmap.yaml b/swh/templates/web/_helper_configmap.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..8b734ffa35b05b6e952ff047bf47bc8b614c613c
--- /dev/null
+++ b/swh/templates/web/_helper_configmap.yaml
@@ -0,0 +1,88 @@
+{{/*
+   * Create a web configmap for service .serviceType
+   */}}
+{{ define "swh.web.configmap" }}
+{{- $hosts := .configuration.hosts }}
+{{- $allowed_instance := first $hosts }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  namespace: {{ .Values.namespace }}
+  name: {{ .serviceType }}-configuration-template
+data:
+  config.yml.template: |
+    instance_name: {{ $allowed_instance }}
+    allowed_hosts:
+      {{- range $host := $hosts }}
+      - {{ $host }}
+      {{- end }}
+    {{- if and .Values.environment (eq .Values.environment "production") }}
+    production_server_names:
+      {{- range $host := $hosts }}
+      - {{ $host }}
+      {{- end }}
+    {{- end }}
+    {{- include "swh.service.fromYaml" (dict "service" "storage"
+                                             "configurationRef" .configuration.storageConfigurationRef
+                                             "Values" .Values) | nindent 4 }}
+    {{- if .configuration.searchConfigurationRef }}
+      {{- include "swh.service.fromYaml" (dict "service" "search"
+                                               "configurationRef" .configuration.searchConfigurationRef
+                                               "Values" .Values) | nindent 4 }}
+    {{- end -}}
+    {{- if .configuration.schedulerConfigurationRef }}
+      {{- include "swh.service.fromYaml" (dict "service" "scheduler"
+                                               "configurationRef" .configuration.schedulerConfigurationRef
+                                               "Values" .Values) | nindent 4 }}
+    {{- end -}}
+    {{- if .configuration.vaultConfigurationRef }}
+      {{- include "swh.service.fromYaml" (dict "service" "vault"
+                                               "configurationRef" .configuration.vaultConfigurationRef
+                                               "Values" .Values) | nindent 4 }}
+    {{- end -}}
+    {{- if .configuration.indexerStorageConfigurationRef }}
+      {{- include "swh.service.fromYaml" (dict "service" "indexer_storage"
+                                               "configurationRef" .configuration.indexerStorageConfigurationRef
+                                               "Values" .Values) | nindent 4 }}
+    {{- end -}}
+    {{- if .configuration.countersConfigurationRef }}
+    counters_backend: swh-counters
+    {{- include "swh.service.fromYaml" (dict "service" "counters"
+                                             "configurationRef" .configuration.countersConfigurationRef
+                                             "Values" .Values) | nindent 4 }}
+    {{- end -}}
+    {{- if .configuration.depositConfigurationRef }}
+    {{- include "deposit.configuration.api.private" (dict "configurationRef" .configuration.depositConfigurationRef
+                                                          "Values" .Values) | nindent 4 }}
+    {{- end -}}
+    {{- if .configuration.addForgeNowConfigurationRef }}
+      {{- include "addforgenow.configuration" (dict "configurationRef" .configuration.addForgeNowConfigurationRef
+                                                    "Values" .Values) | nindent 4 }}
+    {{- end -}}
+{{/* TODO: Manage the webapp logging */}}
+{{/* log_dir: */}}
+    secret_key: ${DJANGO_SECRET_KEY}
+    {{- if .configuration.databaseConfigurationRef }}
+    production_db:
+    {{- include "django.postgresql" (dict "configurationRef" .configuration.databaseConfigurationRef
+                                          "Values" .Values) | nindent 4 -}}
+    {{ end }}
+    {{- if $.Values.web.sentry.enabled }}
+    client_config:
+      sentry_dsn: ${SWH_SENTRY_DSN}
+    {{- end }}
+    {{- if .configuration.throttlingConfigurationRef -}}
+    {{- include "swh.web.throttling" (dict "configurationRef" .configuration.throttlingConfigurationRef
+                                           "Values" .Values) | nindent 4 -}}
+    {{- end }}
+    {{- if .Values.web.keycloakConfigurationRef }}
+    {{- include "swh.service.fromYaml" (dict "service" "keycloak"
+                                             "configurationRef" .Values.web.keycloakConfigurationRef
+                                             "Values" .Values) | nindent 4 }}
+    {{ end }}
+    {{- if .configuration.extraConfig -}}
+    {{ toYaml .configuration.extraConfig | nindent 4 }}
+    {{- end }}
+
+{{- end -}}
diff --git a/swh/templates/web/autoscaling.yaml b/swh/templates/web/autoscaling.yaml
index fcbee1bc74715395ce0d6e0d364e7bf65def5977..aafacf03219407d9d816dea0bc0bb25da076d2f6 100644
--- a/swh/templates/web/autoscaling.yaml
+++ b/swh/templates/web/autoscaling.yaml
@@ -1,5 +1,11 @@
-{{- if and .Values.web.enabled .Values.web.autoScaling -}}
-{{- include "swh.autoscale" (dict "Values"        .Values
-                                  "serviceType"   "web"
-                                  "configuration" .Values.web) -}}
+{{- if and .Values.web.enabled -}}
+{{ range $web_type, $web_config := .Values.web.deployments }}
+{{- if and (or (not (hasKey $web_config "enabled")) (get $web_config "enabled"))
+           (hasKey $web_config "autoScaling") -}}
+{{- include "swh.autoscale" (dict "Values"        $.Values
+                                  "serviceType"   ( print "web-" $web_type )
+                                  "configuration" $web_config) -}}
 {{- end -}}
+{{ end -}}
+{{- end -}}
+
diff --git a/swh/templates/web/configmap-pgservice.yaml b/swh/templates/web/configmap-pgservice.yaml
index 53a29dca65752317a32fb96794f21ecad74778e4..d65e614f2e5813aa90d07971c154f798f96af65d 100644
--- a/swh/templates/web/configmap-pgservice.yaml
+++ b/swh/templates/web/configmap-pgservice.yaml
@@ -1,13 +1,20 @@
-{{- if and .Values.web.enabled .Values.web.syncMailmaps.enabled -}}
+{{- if .Values.web.enabled -}}
+{{ range $web_type, $web_config := .Values.web.deployments }}
+{{- if and (or (not (hasKey $web_config "enabled"))
+               (get $web_config "enabled"))
+           (hasKey $web_config "syncMailmaps")
+           $web_config.syncMailmaps.enabled -}}
 ---
 apiVersion: v1
 kind: ConfigMap
 metadata:
-  namespace: {{ .Values.namespace }}
-  name: pgservice-configuration-template
+  name: pgservice-{{ $web_type }}-configuration-template
+  namespace: {{ $.Values.namespace }}
 data:
   pg-service-conf: |
     {{- include "swh.web.pgService" (dict "serviceType" "syncmailmaps"
-                                          "configurationRef" .Values.web.syncMailmaps.configurationRef
-                                          "Values" .Values) | nindent 4 }}
+                                          "configurationRef" $web_config.syncMailmaps.configurationRef
+                                          "Values" $.Values) | nindent 4 }}
+{{- end -}}
+{{ end -}}
 {{- end -}}
diff --git a/swh/templates/web/configmap.yaml b/swh/templates/web/configmap.yaml
index 6fe12be01e25efee4e0c81059344839441743d4c..09c1fd8899c4f991ab29f357beb46b9d4d5173e0 100644
--- a/swh/templates/web/configmap.yaml
+++ b/swh/templates/web/configmap.yaml
@@ -1,74 +1,9 @@
-{{- if .Values.web.enabled -}}
-{{- $hosts := .Values.web.hosts }}
-{{- $allowed_instance := first $hosts }}
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  namespace: {{ .Values.namespace }}
-  name: web-configuration-template
-data:
-  config.yml.template: |
-    instance_name: {{ $allowed_instance }}
-    allowed_hosts:
-      {{- range $host := $hosts }}
-      - {{ $host }}
-      {{- end }}
-    {{- if and .Values.environment (eq .Values.environment "production") }}
-    production_server_names:
-      {{- range $host := $hosts }}
-      - {{ $host }}
-      {{- end }}
-    {{- end }}
-    {{- include "swh.service.fromYaml" (dict "service" "storage"
-                                             "configurationRef" .Values.web.storageConfigurationRef
-                                             "Values" .Values) | nindent 4 }}
-    {{- if .Values.web.searchConfigurationRef }}
-      {{- include "swh.service.fromYaml" (dict "service" "search" "configurationRef" .Values.web.searchConfigurationRef "Values" .Values) | nindent 4 }}
-    {{- end -}}
-    {{- if .Values.web.schedulerConfigurationRef }}
-      {{- include "swh.service.fromYaml" (dict "service" "scheduler" "configurationRef" .Values.web.schedulerConfigurationRef "Values" .Values) | nindent 4 }}
-    {{- end -}}
-    {{- if .Values.web.vaultConfigurationRef }}
-      {{- include "swh.service.fromYaml" (dict "service" "vault" "configurationRef" .Values.web.vaultConfigurationRef "Values" .Values) | nindent 4 }}
-    {{- end -}}
-    {{- if .Values.web.indexerStorageConfigurationRef }}
-      {{- include "swh.service.fromYaml" (dict "service" "indexer_storage" "configurationRef" .Values.web.indexerStorageConfigurationRef "Values" .Values) | nindent 4 }}
-    {{- end -}}
-    {{- if .Values.web.countersConfigurationRef }}
-    counters_backend: swh-counters
-    {{- include "swh.service.fromYaml" (dict "service" "counters" "configurationRef" .Values.web.countersConfigurationRef "Values" .Values) | nindent 4 }}
-    {{- end -}}
-    {{- if .Values.web.depositConfigurationRef }}
-    {{- include "deposit.configuration.api.private" (dict "configurationRef" .Values.web.depositConfigurationRef
-                                                          "Values" .Values) | nindent 4 }}
-    {{- end -}}
-    {{- if .Values.web.addForgeNowConfigurationRef }}
-      {{- include "addforgenow.configuration" (dict "configurationRef" .Values.web.addForgeNowConfigurationRef "Values" .Values) | nindent 4 }}
-    {{- end -}}
-{{/* TODO: Manage the webapp logging */}}
-{{/* log_dir: */}}
-    secret_key: ${DJANGO_SECRET_KEY}
-    {{- if .Values.web.databaseConfigurationRef }}
-    production_db:
-    {{- include "django.postgresql" (dict "configurationRef" .Values.web.databaseConfigurationRef
-                                          "Values" .Values) | nindent 4 -}}
-    {{ end }}
-    {{- if .Values.web.sentry.enabled }}
-    client_config:
-      sentry_dsn: ${SWH_SENTRY_DSN}
-    {{- end }}
-    {{- if .Values.web.throttlingConfigurationRef -}}
-    {{- include "swh.web.throttling" (dict "configurationRef" .Values.web.throttlingConfigurationRef
-                                           "Values" .Values) | nindent 4 -}}
-    {{- end }}
-    {{- if .Values.web.keycloakConfigurationRef }}
-    {{- include "swh.service.fromYaml" (dict "service" "keycloak"
-                                             "configurationRef" .Values.web.keycloakConfigurationRef
-                                             "Values" .Values) | nindent 4 }}
-    {{ end }}
-    {{- if .Values.web.extraConfig -}}
-    {{ toYaml .Values.web.extraConfig | nindent 4 }}
-    {{- end }}
-
+{{ if .Values.web.enabled -}}
+{{ range $web_type, $web_config := .Values.web.deployments }}
+{{- if or (not (hasKey $web_config "enabled")) (get $web_config "enabled") -}}
+{{ include "swh.web.configmap" (dict "serviceType" (print "web-" $web_type)
+                                     "configuration" $web_config
+                                     "Values" $.Values) }}
+{{- end -}}
+{{ end -}}
 {{- end -}}
diff --git a/swh/templates/web/deployment.yaml b/swh/templates/web/deployment.yaml
index b582b2a99e7aa56e035fa84f99070057e6d7d982..e45c951f5129addd82a59200b1ca592a0fead77b 100644
--- a/swh/templates/web/deployment.yaml
+++ b/swh/templates/web/deployment.yaml
@@ -1,20 +1,25 @@
 {{ if .Values.web.enabled -}}
+{{ range $web_type, $web_config := .Values.web.deployments }}
+{{- if or (not (hasKey $web_config "enabled")) (get $web_config "enabled") -}}
+{{- $serviceType := ( print "web-" $web_type ) -}}
+{{- $do_migrations := or (and $web_config.migrations $web_config.migrations.enabled)
+                         (and $.Values.web.migrations $.Values.web.migrations.enabled) -}}
 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  namespace: {{ .Values.namespace }}
-  name: web
+  namespace: {{ $.Values.namespace }}
+  name: {{ $serviceType }}
   labels:
-    app: web
+    app: {{ $serviceType }}
 spec:
   revisionHistoryLimit: 2
-  {{ if .Values.web.replicas -}}
-  replicas: {{ .Values.web.replicas }}
+  {{ if $web_config.replicas -}}
+  replicas: {{ $web_config.replicas }}
   {{ end -}}
   selector:
     matchLabels:
-      app: web
+      app: {{ $serviceType }}
   strategy:
     type: RollingUpdate
     rollingUpdate:
@@ -22,13 +27,15 @@ spec:
   template:
     metadata:
       labels:
-        app: web
+        app: {{ $serviceType }}
       annotations:
-        checksum/config: {{ include (print $.Template.BasePath "/web/configmap.yaml") . | sha256sum }}
+        checksum/config: {{ include "swh.web.configmap" (dict "serviceType" $serviceType
+                                                              "configuration" $web_config
+                                                              "Values" $.Values) | sha256sum }}
     spec:
-      {{- if .Values.web.affinity }}
+      {{- if $.Values.web.affinity }}
       affinity:
-        {{- toYaml .Values.web.affinity | nindent 8 }}
+        {{- toYaml $.Values.web.affinity | nindent 8 }}
       {{- end }}
       {{- if and $.Values.podPriority.enabled $.Values.web.priorityClassName }}
       priorityClassName: {{ $.Values.namespace }}-{{ $.Values.web.priorityClassName }}
@@ -43,36 +50,36 @@ spec:
             - -c
             - eval echo "\"$(</etc/swh/configuration-template/config.yml.template)\"" > /etc/swh/config.yml
           env:
-            {{- if .Values.web.databaseConfigurationRef }}
-            {{- include "swh.secrets.environment" (dict "Values" .Values
-                                                        "configurationRef" .Values.web.databaseConfigurationRef) | nindent 12 -}}
+            {{- if $web_config.databaseConfigurationRef }}
+            {{- include "swh.secrets.environment" (dict "Values" $.Values
+                                                        "configurationRef" $web_config.databaseConfigurationRef) | nindent 12 -}}
             {{ end }}
-            {{- if .Values.web.djangoConfigurationRef }}
-            {{- include "swh.secrets.environment" (dict "Values" .Values
-                                                        "configurationRef" .Values.web.djangoConfigurationRef) | nindent 12 }}
+            {{- if $web_config.djangoConfigurationRef }}
+            {{- include "swh.secrets.environment" (dict "Values" $.Values
+                                                        "configurationRef" $web_config.djangoConfigurationRef) | nindent 12 }}
             {{ end }}
-            {{- if .Values.web.depositConfigurationRef -}}
+            {{- if $web_config.depositConfigurationRef -}}
             {{- include "swh.secrets.environment" (dict "Values" $.Values
-                                                        "configurationRef" .Values.web.depositConfigurationRef) | nindent 12 }}
+                                                        "configurationRef" $web_config.depositConfigurationRef) | nindent 12 }}
             {{ end }}
-            {{- if .Values.web.giveConfigurationRef -}}
+            {{- if $web_config.giveConfigurationRef -}}
             {{- include "swh.secrets.environment" (dict "Values" $.Values
-                                                        "configurationRef" .Values.web.giveConfigurationRef) | nindent 12 }}
+                                                        "configurationRef" $web_config.giveConfigurationRef) | nindent 12 }}
             {{ end }}
-            {{- if .Values.web.addForgeNowConfigurationRef -}}
+            {{- if $web_config.addForgeNowConfigurationRef -}}
             {{- include "swh.secrets.environment" (dict "Values" $.Values
-                                                        "configurationRef" .Values.web.addForgeNowConfigurationRef) | nindent 12 }}
+                                                        "configurationRef" $web_config.addForgeNowConfigurationRef) | nindent 12 }}
             {{- end -}}
-            {{- if .Values.web.webhooksConfigurationRef -}}
+            {{- if $web_config.webhooksConfigurationRef -}}
             {{- include "swh.secrets.environment" (dict "Values" $.Values
-                                                        "configurationRef" .Values.web.webhooksConfigurationRef) | nindent 12 }}
+                                                        "configurationRef" $web_config.webhooksConfigurationRef) | nindent 12 }}
             {{- end -}}
-            {{- if .Values.web.sentry.enabled }}
+            {{- if $.Values.web.sentry.enabled }}
             - name: SWH_SENTRY_DSN
               valueFrom:
                 secretKeyRef:
-                  name: {{ .Values.web.sentry.secretKeyRef }}
-                  key: {{ .Values.web.sentry.secretKeyName }}
+                  name: {{ $.Values.web.sentry.secretKeyRef }}
+                  key: {{ $.Values.web.sentry.secretKeyName }}
                   # 'name' secret should exist & include key
                   # if the setting doesn't exist, sentry pushes will be disabled
                   optional: false
@@ -82,9 +89,9 @@ spec:
               mountPath: /etc/swh
             - name: configuration-template
               mountPath: /etc/swh/configuration-template
-        {{- if .Values.web.migrations.enabled }}
+        {{- if $do_migrations }}
         - name: do-migration
-          image: {{ .Values.swh_web_image }}:{{ .Values.swh_web_image_version }}
+          image: {{ $.Values.swh_web_image }}:{{ $.Values.swh_web_image_version }}
           imagePullPolicy: IfNotPresent
           env:
             - name: SWH_CONFIG_FILENAME
@@ -99,7 +106,7 @@ spec:
               mountPath: /etc/swh
         {{ end }}
         - name: prepare-static
-          image: {{ .Values.swh_web_image }}:{{ .Values.swh_web_image_version }}
+          image: {{ $.Values.swh_web_image }}:{{ $.Values.swh_web_image_version }}
           imagePullPolicy: IfNotPresent
           command:
             - /bin/bash
@@ -110,24 +117,24 @@ spec:
           - name: static
             mountPath: /usr/share/swh/web/static
       containers:
-        - name: web
+        - name: {{ $serviceType }}
           resources:
             requests:
-              memory: {{ .Values.web.requestedMemory | default "512Mi" }}
-              cpu: {{ .Values.web.requestedCpu | default "500m" }}
-          {{- if or .Values.web.limitedMemory .Values.web.limitedCpu }}
+              memory: {{ $web_config.requestedMemory | default "512Mi" }}
+              cpu: {{ $web_config.requestedCpu | default "500m" }}
+          {{- if or $web_config.limitedMemory $web_config.limitedCpu }}
             limits:
-            {{- if .Values.web.limitedMemory }}
-              memory: {{ .Values.web.limitedMemory }}
+            {{- if $web_config.limitedMemory }}
+              memory: {{ $web_config.limitedMemory }}
             {{- end }}
-            {{- if .Values.web.limitedCpu }}
-              cpu: {{ .Values.web.limitedCpu }}
+            {{- if $web_config.limitedCpu }}
+              cpu: {{ $web_config.limitedCpu }}
             {{- end }}
           {{ end }}
-          image: {{ .Values.swh_web_image }}:{{ .Values.swh_web_image_version }}
+          image: {{ $.Values.swh_web_image }}:{{ $.Values.swh_web_image_version }}
           imagePullPolicy: IfNotPresent
           ports:
-            - containerPort: {{ .Values.web.port }}
+            - containerPort: {{ $web_config.port | default $.Values.web.port }}
               name: webapp
           readinessProbe:
             httpGet:
@@ -135,7 +142,7 @@ spec:
               port: webapp
               httpHeaders:
                 - name: Host
-                  value: {{ first .Values.web.hosts }}
+                  value: {{ first $web_config.hosts }}
             initialDelaySeconds: 5
             failureThreshold: 30
             periodSeconds: 10
@@ -146,7 +153,7 @@ spec:
               port: webapp
               httpHeaders:
                 - name: Host
-                  value: {{ first .Values.web.hosts }}
+                  value: {{ first $web_config.hosts }}
             initialDelaySeconds: 3
             periodSeconds: 10
             timeoutSeconds: 30
@@ -156,41 +163,41 @@ spec:
             - -c
             - /opt/swh/entrypoint.sh
           env:
-            {{ if .Values.web.gunicorn -}}
+            {{ if $web_config.gunicorn -}}
             - name: THREADS
-              value: {{ .Values.web.gunicorn.threads | default 5 | quote }}
+              value: {{ $web_config.gunicorn.threads | default 5 | quote }}
             - name: WORKERS
-              value: {{ .Values.web.gunicorn.workers | default 2 | quote }}
+              value: {{ $web_config.gunicorn.workers | default 2 | quote }}
             - name: TIMEOUT
-              value: {{ .Values.web.gunicorn.timeout | default 60 | quote }}
+              value: {{ $web_config.gunicorn.timeout | default 60 | quote }}
             {{ end -}}
             - name: STATSD_HOST
-              value: {{ .Values.statsdExternalHost | default "prometheus-statsd-exporter" }}
+              value: {{ $.Values.statsdExternalHost | default "prometheus-statsd-exporter" }}
             - name: STATSD_PORT
-              value: {{ .Values.statsdPort | default "9125" | quote }}
+              value: {{ $.Values.statsdPort | default "9125" | quote }}
             - name: LOG_LEVEL
-              value: {{ .Values.web.logLevel | quote }}
+              value: {{ $web_config.logLevel | default $.Values.web.logLevel | quote }}
             - name: SWH_CONFIG_FILENAME
               value: /etc/swh/config.yml
-            {{- if .Values.web.sentry.enabled }}
+            {{- if $.Values.web.sentry.enabled }}
             - name: SWH_SENTRY_ENVIRONMENT
-              value: {{ .Values.sentry.environment }}
+              value: {{ $.Values.sentry.environment }}
             - name: SWH_MAIN_PACKAGE
               value: swh.web
             - name: SWH_SENTRY_DSN
               valueFrom:
                 secretKeyRef:
-                  name: {{ .Values.web.sentry.secretKeyRef }}
-                  key: {{ .Values.web.sentry.secretKeyName }}
+                  name: {{ $.Values.web.sentry.secretKeyRef }}
+                  key: {{ $.Values.web.sentry.secretKeyName }}
                   # 'name' secret should exist & include key
                   # if the setting doesn't exist, sentry pushes will be disabled
                   optional: true
             - name: SWH_SENTRY_DISABLE_LOGGING_EVENTS
               value: "true"
             {{- end }}
-            {{- if .Values.web.djangoConfigurationRef }}
-            {{- include "swh.secrets.environment" (dict "Values" .Values
-                                                        "configurationRef" .Values.web.djangoConfigurationRef) | nindent 12 }}
+            {{- if $web_config.djangoConfigurationRef }}
+            {{- include "swh.secrets.environment" (dict "Values" $.Values
+                                                        "configurationRef" $web_config.djangoConfigurationRef) | nindent 12 }}
             {{ end }}
           volumeMounts:
           - name: configuration
@@ -199,8 +206,8 @@ spec:
         - name: nginx
           resources:
             requests:
-              memory: {{ .Values.web.nginxRequestedMemory | default "50Mi" }}
-              cpu: {{ .Values.web.nginxRequestedCpu | default "10m" }}
+              memory: {{ $web_config.nginxRequestedMemory | default "50Mi" }}
+              cpu: {{ $web_config.nginxRequestedCpu | default "10m" }}
           image: nginx:bullseye
           imagePullPolicy: IfNotPresent
           ports:
@@ -227,10 +234,13 @@ spec:
         emptyDir: {}
       - name: configuration-template
         configMap:
-         name: web-configuration-template
+         name: {{ $serviceType }}-configuration-template
          items:
          - key: "config.yml.template"
            path: "config.yml.template"
       - name: static
         emptyDir: {}
 {{ end }}
+{{ end -}}
+{{- end -}}
+
diff --git a/swh/templates/web/ingress.yaml b/swh/templates/web/ingress.yaml
index 09b5b9aa05d724e9f0b29b1a25ea6b6c9c1ab9ac..18b3d5570f4a2999fdbd00b7900f80495cc0bd14 100644
--- a/swh/templates/web/ingress.yaml
+++ b/swh/templates/web/ingress.yaml
@@ -1,5 +1,10 @@
-{{ if and .Values.web.enabled .Values.web.ingress.enabled -}}
-{{- include "swh.ingress" (dict "Values"        .Values
-                                "serviceType"   "web"
-                                "configuration" .Values.web) -}}
-{{ end }}
+{{ if .Values.web.enabled -}}
+{{ range $web_type, $web_config := .Values.web.deployments }}
+{{- if and (or (not (hasKey $web_config "enabled")) (get $web_config "enabled"))
+           (and (hasKey $web_config "ingress") $web_config.ingress.enabled) -}}
+{{- include "swh.ingress" (dict "serviceType"   ( print "web-" $web_type )
+                                "configuration" $web_config
+                                "Values"        $.Values) -}}
+{{- end -}}
+{{ end -}}
+{{- end -}}
diff --git a/swh/templates/web/refresh-savecodenow-statuses-cronjob.yaml b/swh/templates/web/refresh-savecodenow-statuses-cronjob.yaml
index df031bf72806fcc395bcbd346e14d16cf289324b..c800300000f9d75cbf4219c81ce28fa299d21718 100644
--- a/swh/templates/web/refresh-savecodenow-statuses-cronjob.yaml
+++ b/swh/templates/web/refresh-savecodenow-statuses-cronjob.yaml
@@ -1,6 +1,15 @@
-{{ if and .Values.web.enabled .Values.web.refreshSavecodenowStatus.enabled -}}
-{{- include "swh.web.cronjob" (dict "Values"        .Values
-                                    "serviceType"   "refresh-savecodenow-statuses"
-                                    "configuration" .Values.web.refreshSavecodenowStatus
-                                    "command"       (list "refresh")) -}}
+{{ if .Values.web.enabled -}}
+{{ range $web_type, $web_config := .Values.web.deployments }}
+{{- if and (or (not (hasKey $web_config "enabled"))
+               (get $web_config "enabled"))
+           (hasKey $web_config "refreshSavecodenowStatus")
+           $web_config.refreshSavecodenowStatus.enabled -}}
+{{- include "swh.web.cronjob" (dict "Values"          $.Values
+                                    "serviceType"      (print "web-" $web_type "-refresh-savecodenow-statuses")
+                                    "configuration"    $web_config.refreshSavecodenowStatus
+                                    "webConfiguration" $web_config
+                                    "webType"          $web_type
+                                    "command"         (list "refresh")) -}}
+{{- end -}}
+{{ end -}}
 {{- end -}}
diff --git a/swh/templates/web/service.yaml b/swh/templates/web/service.yaml
index 3d484447b6fe65f21bd9fe4a067596f91c5457cf..e4c71ad50e6ff524767f52dd3403b280359e67e7 100644
--- a/swh/templates/web/service.yaml
+++ b/swh/templates/web/service.yaml
@@ -1,5 +1,15 @@
 {{ if .Values.web.enabled -}}
-{{- include "swh.service" (dict "Values"        .Values
-                                "serviceType"   "web"
-                                "configuration" .Values.web) -}}
+{{ range $web_type, $web_config := .Values.web.deployments }}
+{{- if or (not (hasKey $web_config "enabled")) (get $web_config "enabled") -}}
+{{- if not (hasKey $web_config "port") }}
+{{- $web_config := set $web_config "port" $.Values.web.port -}}
+{{- end -}}
+{{- if not (hasKey $web_config "extraPorts") }}
+{{- $web_config := set $web_config "extraPorts" $.Values.web.extraPorts -}}
+{{- end -}}
+{{- include "swh.service" (dict "serviceType"   ( print "web-" $web_type )
+                                "configuration" $web_config
+                                "Values"        $.Values) -}}
+{{- end -}}
+{{ end -}}
 {{- end -}}
diff --git a/swh/templates/web/sync-mailmaps-cronjob.yaml b/swh/templates/web/sync-mailmaps-cronjob.yaml
index 0b4b6d6f12dd3c8fc9a100aa0d6125e87a608d31..d0122b81cc10bb5919384bc5eaf48bec5c90a7a8 100644
--- a/swh/templates/web/sync-mailmaps-cronjob.yaml
+++ b/swh/templates/web/sync-mailmaps-cronjob.yaml
@@ -1,7 +1,16 @@
-{{ if and .Values.web.enabled .Values.web.syncMailmaps.enabled -}}
-{{- include "swh.web.cronjob" (dict "Values"        .Values
-                                    "serviceType"   "sync-mailmaps"
-                                    "configuration" .Values.web.syncMailmaps
-                                    "pgService"     true
-                                    "command"       (list "sync-mailmaps" "service=syncmailmaps")) -}}
+{{ if .Values.web.enabled -}}
+{{ range $web_type, $web_config := .Values.web.deployments }}
+{{- if and (or (not (hasKey $web_config "enabled"))
+               (get $web_config "enabled"))
+           (hasKey $web_config "syncMailmaps")
+           $web_config.syncMailmaps.enabled -}}
+{{- include "swh.web.cronjob" (dict "Values"           $.Values
+                                    "serviceType"      (print "web-" $web_type "-sync-mailmaps")
+                                    "configuration"    $web_config.syncMailmaps
+                                    "webConfiguration" $web_config
+                                    "pgService"        true
+                                    "webType"          $web_type
+                                    "command"          (list "sync-mailmaps" "service=syncmailmaps")) -}}
+{{- end -}}
+{{ end -}}
 {{- end -}}
diff --git a/swh/values.yaml b/swh/values.yaml
index b3de619ea7b08f0aecd2a3dc89642609fe8eafa1..1d64d482d84f5a99f17afda5acdc7109453e69eb 100644
--- a/swh/values.yaml
+++ b/swh/values.yaml
@@ -719,40 +719,12 @@ storage:
 web:
   enabled: false
   port: 5004
-  extraPorts:
-    webstatic: 80
+  logLevel: INFO
   migrations:
     enabled: false
   priorityClassName: frontend-rpc
-  # debug: false
-  logLevel: INFO
-  requestedCpu: 50m
-  requestedMemory: 100Mi
-  # nginxRequestedCpu: 10m
-  # nginxRequestedMemory: 50m
-  # replicas: 1
-  # autoScaling:
-  #   minReplicaCount: 2
-  #   maxReplicaCount: 10
-  #   cpuPercentageUsage: 50
-  refreshSavecodenowStatus:
-    enabled: false
-    priorityClassName: frontend-rpc-workload
-    logLevel: INFO
-    # concurrencyPolicy: Forbid
-    # Every 2 minute
-    cron: "*/2 * * * *"
-  syncMailmaps:
-    enabled: false
-    priorityClassName: frontend-rpc-workload
-    logLevel: INFO
-    # concurrencyPolicy: Forbid
-    # At minute 15 every hour
-    cron: "15 * * * *"
-#  gunicorn:
-#    threads: 5
-#    workers: 2
-#    timeout: 60
+  extraPorts:
+    webstatic: 80
   sentry:
     enabled: false
     # name of the secret containing the $secretKeyName value
@@ -760,75 +732,113 @@ web:
     # like https://token@sentry.host/id
     secretKeyRef: common-secrets
     secretKeyName: web-sentry-dsn
-  # host: webapp
-  ingress:
-    enabled: false
-  #   extraAnnotations:
-  #     cert-manager.io/cluster-issuer: letsencrypt-production-gandi
-  #     kubernetes.io/ingress.class: nginx
-  #     kubernetes.io/tls-acme: "true"
-  #     nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
-  #   tlsEnabled: true
-  #   whitelistSourceRangeRef: internalNetworkRanges
-    endpoints:
-      default:
-        paths:
-          - path: /
-          - path: /static
-            port: 80
-  #     authenticated:
-  #       paths:
-  #         - path: /api/1/provenance/
-  #         - path: /api/1/entity/
-  #         - path: /api/1/content/[^/]+/symbol/
-  #       # auth-file with authentication
-  #       authentication: swh/ingress-auth
-  # searchConfigurationRef: searchConfiguration
-  # Configure the scheduler instance used for save code now requests
-  # schedulerConfigurationRef: schedulerConfiguration
-  # storageConfigurationRef: globalROStorageConfiguration
-  # vaultConfigurationRef: remoteVaultConfiguration
-  # indexerStorageConfigurationRef: remoteIndexerStorageConfiguration
-  # countersConfigurationRef: remoteCountersConfiguration
-  # djangoConfigurationRef: djangoWebConfiguration
-  # If not specified, this will use a sqlite db which is not performant enough for
-  # production use.
-  # databaseConfigurationRef: postgresqlWebConfiguration
-  # depositConfigurationRef: depositConfiguration
-  # giveConfigurationRef: giveConfiguration
-  # throttlingConfigurationRef: throttlingConfiguration
-  # keycloakConfigurationRef: keycloakConfiguration
-  # extraConfig:
-  #   debug: false
-  #   history_counters_url: http://elastichost.swh.org:5011/counters_history/history.json
-  #   es_workers_index_url: http://elastichost.swh.org:9200/swh_workers-*
-  #   search_config:
-  #     # swh-indexer-storage or swh-search
-  #     metadata_backend: swh-indexer-storage
-  #   # max content size in bytes
-  #   content_display_max_size: 5242880
-  #   swh_extra_django_apps:
-  #     - swh.web.add_forge_now
-  #     - swh.web.archive_coverage
-  #     - swh.web.badges
-  #     - swh.web.banners
-  #     - swh.web.deposit
-  #     - swh.web.inbound_email
-  #     - swh.web.jslicenses
-  #     - swh.web.mailmap
-  #     - swh.web.metrics
-  #     - swh.web.save_code_now
-  #     - swh.web.save_origin_webhooks
-  #     - swh.web.vault
-  #   add_forge_now:
-  #     email_address: add-forge-now@archive.swh.org
-  #   deposit:
-  #     private_api_url: "https://deposit-rp.i.s.s.n/1/private/"
-  #     private_api_user: "${DEPOSIT_USERNAME}"
-  #     private_api_password: "${DEPOSIT_PASSWORD}"
-  #   give:
-  #     public_key: ${GIVE_PUBLIC_KEY}
-  #     token: ${GIVE_PRIVATE_TOKEN}
+  deployments:
+    instance:
+      enabled: false
+      # can be overriden per instance
+      # port: 5004
+      # extraPorts:
+      #   webstatic: 80
+      # migrations:
+      #   enabled: truew
+      # logLevel: INFO
+      # # debug: false
+      # requestedCpu: 50m
+      # requestedMemory: 100Mi
+      # nginxRequestedCpu: 10m
+      # nginxRequestedMemory: 50m
+      # replicas: 1
+      # autoScaling:
+      #   minReplicaCount: 2
+      #   maxReplicaCount: 10
+      #   cpuPercentageUsage: 50
+      refreshSavecodenowStatus:
+        enabled: false
+        priorityClassName: frontend-rpc-workload
+        logLevel: INFO
+        # concurrencyPolicy: Forbid
+        # Every 2 minute
+        cron: "*/2 * * * *"
+      syncMailmaps:
+        enabled: false
+        priorityClassName: frontend-rpc-workload
+        logLevel: INFO
+        # concurrencyPolicy: Forbid
+        # At minute 15 every hour
+        cron: "15 * * * *"
+     # gunicorn:
+     #   threads: 5
+     #   workers: 2
+     #   timeout: 60
+      # host: webapp
+      ingress:
+        enabled: false
+        # extraAnnotations:
+        #   cert-manager.io/cluster-issuer: letsencrypt-production-gandi
+        #   kubernetes.io/ingress.class: nginx
+        #   kubernetes.io/tls-acme: "true"
+        #   nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+        # tlsEnabled: true
+        # whitelistSourceRangeRef: internalNetworkRanges
+        endpoints:
+          default:
+            paths:
+              - path: /
+              - path: /static
+                port: 80
+          # authenticated:
+          #   paths:
+          #     - path: /api/1/provenance/
+          #     - path: /api/1/entity/
+          #     - path: /api/1/content/[^/]+/symbol/
+          #   # auth-file with authentication
+          #   authentication: swh/ingress-auth
+      # searchConfigurationRef: searchConfiguration
+      # # Configure the scheduler instance used for save code now requests
+      # schedulerConfigurationRef: schedulerConfiguration
+      # storageConfigurationRef: globalROStorageConfiguration
+      # vaultConfigurationRef: remoteVaultConfiguration
+      # indexerStorageConfigurationRef: remoteIndexerStorageConfiguration
+      # countersConfigurationRef: remoteCountersConfiguration
+      # djangoConfigurationRef: djangoWebConfiguration
+      # # If not specified, this will use a sqlite db which is not performant enough for
+      # # production use.
+      # databaseConfigurationRef: postgresqlWebConfiguration
+      # depositConfigurationRef: depositConfiguration
+      # giveConfigurationRef: giveConfiguration
+      # throttlingConfigurationRef: throttlingConfiguration
+      # keycloakConfigurationRef: keycloakConfiguration
+      # extraConfig:
+      #   debug: false
+      #   history_counters_url: http://elastichost.swh.org:5011/counters_history/history.json
+      #   es_workers_index_url: http://elastichost.swh.org:9200/swh_workers-*
+      #   search_config:
+      #     # swh-indexer-storage or swh-search
+      #     metadata_backend: swh-indexer-storage
+      #   # max content size in bytes
+      #   content_display_max_size: 5242880
+      #   swh_extra_django_apps:
+      #     - swh.web.add_forge_now
+      #     - swh.web.archive_coverage
+      #     - swh.web.badges
+      #     - swh.web.banners
+      #     - swh.web.deposit
+      #     - swh.web.inbound_email
+      #     - swh.web.jslicenses
+      #     - swh.web.mailmap
+      #     - swh.web.metrics
+      #     - swh.web.save_code_now
+      #     - swh.web.save_origin_webhooks
+      #     - swh.web.vault
+      #   add_forge_now:
+      #     email_address: add-forge-now@archive.swh.org
+      #   deposit:
+      #     private_api_url: "https://deposit-rp.i.s.s.n/1/private/"
+      #     private_api_user: "${DEPOSIT_USERNAME}"
+      #     private_api_password: "${DEPOSIT_PASSWORD}"
+      #   give:
+      #     public_key: ${GIVE_PUBLIC_KEY}
+      #     token: ${GIVE_PRIVATE_TOKEN}
 
 statsd_exporter:
   enabled: false
diff --git a/swh/values/minikube.yaml b/swh/values/minikube.yaml
index eed8872e4c39118a7c373d81c8e4c4d2a7f27429..fcca340efbe160542eed46e962391c9568e58e14 100644
--- a/swh/values/minikube.yaml
+++ b/swh/values/minikube.yaml
@@ -263,89 +263,91 @@ webThrottling:
 
 web:
   enabled: false
-  requestedMemory: 50Mi
-  requestedCpu: 50m
-  storageConfigurationRef: fakeRemoteStorageConfiguration
-
-  searchConfigurationRef: fakeRemoteSearchConfiguration
-  schedulerConfigurationRef: fakeRemoteSchedulerConfiguration
-  vaultConfigurationRef: fakeRemoteVaultConfiguration
-  countersConfigurationRef: fakeRemoteCountersConfiguration
-  databaseConfigurationRef: fakePostgresqlWebConfiguration
-  djangoConfigurationRef: djangoWebConfiguration
-  depositConfigurationRef: fakeDepositConfiguration
-  giveConfigurationRef: giveConfiguration
-  throttlingConfigurationRef: webThrottling
-  keycloakConfigurationRef: fakeKeycloakConfiguration
-  hosts:
-    - webapp.internal.minikube
-  ingress:
-    enabled: true
-    tlsEnabled: true
-    extraAnnotations:
-      nginx.ingress.kubernetes.io/proxy-connect-timeout: "90"
-      nginx.ingress.kubernetes.io/proxy-send-timeout: "90"
-      nginx.ingress.kubernetes.io/proxy-read-timeout: "3600"
-      nginx.ingress.kubernetes.io/proxy-request-buffering: "on"
-      nginx.ingress.kubernetes.io/proxy-body-size: "4G"
-    whitelistSourceRangeRef: internalNetworkRanges
-    endpoints:
-      default:
-        paths:
-          - path: /
-          - path: /static
-            port: 80
-      authenticated:
-        paths:
-          - path: /api/1/provenance/
-          - path: /api/1/entity/
-          - path: /api/1/content/[^/]+/symbol/
-        # auth-file with authentication
-        authentication: basic-auth
-  autoScaling:
-    minReplicaCount: 1
-    maxReplicaCount: 2
-    cpuPercentageUsage: 50
-  refreshSavecodenowStatus:
-    enabled: false
-    cron: "* 5 * * *"
-  syncMailmaps:
-    enabled: false
-    cron: "30 * * * *"
-    configurationRef: fakeSyncmailmapsConfiguration
-  sentry:
-    enabled: false
-    secretKeyRef: sentry-secrets
-    secretKeyName: web-sentry-dsn
-  extraConfig:
-    debug: false
-    search_config:
-      metadata_backend: swh-indexer-storage
-    content_display_max_size: 5242880
-    history_counters_url: http://counters0.i.s.s.n:5011/counters_history/history.json
-    add_forge_now:
-      email_address: add-forge-now@webapp.s.s.n
-    swh_extra_django_apps:
-    - swh.web.add_forge_now
-    - swh.web.archive_coverage
-    - swh.web.badges
-    - swh.web.banners
-    - swh.web.deposit
-    - swh.web.inbound_email
-    - swh.web.jslicenses
-    - swh.web.mailmap
-    - swh.web.metrics
-    - swh.web.save_code_now
-    - swh.web.save_origin_webhooks
-    - swh.web.vault
-    matomo: {}
-    deposit:
-      private_api_url: "https://deposit-rp.i.s.s.n/1/private/"
-      private_api_user: "${DEPOSIT_USERNAME}"
-      private_api_password: "${DEPOSIT_PASSWORD}"
-    give:
-      public_key: ${GIVE_PUBLIC_KEY}
-      token: ${GIVE_PRIVATE_TOKEN}
+  deployments:
+    minikube:
+      enabled: true
+      hosts:
+        - webapp.internal.minikube
+      requestedMemory: 50Mi
+      requestedCpu: 50m
+      storageConfigurationRef: fakeRemoteStorageConfiguration
+      searchConfigurationRef: fakeRemoteSearchConfiguration
+      schedulerConfigurationRef: fakeRemoteSchedulerConfiguration
+      vaultConfigurationRef: fakeRemoteVaultConfiguration
+      countersConfigurationRef: fakeRemoteCountersConfiguration
+      databaseConfigurationRef: fakePostgresqlWebConfiguration
+      djangoConfigurationRef: djangoWebConfiguration
+      depositConfigurationRef: fakeDepositConfiguration
+      giveConfigurationRef: giveConfiguration
+      throttlingConfigurationRef: webThrottling
+      keycloakConfigurationRef: fakeKeycloakConfiguration
+      ingress:
+        enabled: true
+        tlsEnabled: true
+        extraAnnotations:
+          nginx.ingress.kubernetes.io/proxy-connect-timeout: "90"
+          nginx.ingress.kubernetes.io/proxy-send-timeout: "90"
+          nginx.ingress.kubernetes.io/proxy-read-timeout: "3600"
+          nginx.ingress.kubernetes.io/proxy-request-buffering: "on"
+          nginx.ingress.kubernetes.io/proxy-body-size: "4G"
+        whitelistSourceRangeRef: internalNetworkRanges
+        endpoints:
+          default:
+            paths:
+              - path: /
+              - path: /static
+                port: 80
+          authenticated:
+            paths:
+              - path: /api/1/provenance/
+              - path: /api/1/entity/
+              - path: /api/1/content/[^/]+/symbol/
+            # auth-file with authentication
+            authentication: basic-auth
+      autoScaling:
+        minReplicaCount: 1
+        maxReplicaCount: 2
+        cpuPercentageUsage: 50
+      refreshSavecodenowStatus:
+        enabled: false
+        cron: "* 5 * * *"
+      syncMailmaps:
+        enabled: false
+        cron: "30 * * * *"
+        configurationRef: fakeSyncmailmapsConfiguration
+      sentry:
+        enabled: false
+        secretKeyRef: sentry-secrets
+        secretKeyName: web-sentry-dsn
+      extraConfig:
+        debug: false
+        search_config:
+          metadata_backend: swh-indexer-storage
+        content_display_max_size: 5242880
+        history_counters_url: http://counters0.i.s.s.n:5011/counters_history/history.json
+        add_forge_now:
+          email_address: add-forge-now@webapp.s.s.n
+        swh_extra_django_apps:
+        - swh.web.add_forge_now
+        - swh.web.archive_coverage
+        - swh.web.badges
+        - swh.web.banners
+        - swh.web.deposit
+        - swh.web.inbound_email
+        - swh.web.jslicenses
+        - swh.web.mailmap
+        - swh.web.metrics
+        - swh.web.save_code_now
+        - swh.web.save_origin_webhooks
+        - swh.web.vault
+        matomo: {}
+        deposit:
+          private_api_url: "https://deposit-rp.i.s.s.n/1/private/"
+          private_api_user: "${DEPOSIT_USERNAME}"
+          private_api_password: "${DEPOSIT_PASSWORD}"
+        give:
+          public_key: ${GIVE_PUBLIC_KEY}
+          token: ${GIVE_PRIVATE_TOKEN}
 
 fakeAzureDepositConfiguration:
   connection_string: "DefaultEndpointsProtocol=https;AccountName=swhdepositstoragestaging;AccountKey=${ACCOUNT_KEY};EndpointSuffix=core.windows.net"
diff --git a/swh/values/production/swh-cassandra.yaml b/swh/values/production/swh-cassandra.yaml
index d468346dea6f03c75fb2cadcc7e729d7ed3b03fd..13d32dff8f8be62141cde9b922d274f35c715648 100644
--- a/swh/values/production/swh-cassandra.yaml
+++ b/swh/values/production/swh-cassandra.yaml
@@ -260,69 +260,74 @@ postgresqlWebConfiguration:
 web:
   enabled: true
   logLevel: INFO
-  requestedCpu: 500m
-  requestedMemory: 500Mi
-  autoScaling:
-    minReplicaCount: 2
-    maxReplicaCount: 4
-    cpuPercentageUsage: 50
-  hosts:
-    - webapp-cassandra.internal.softwareheritage.org
-  ingress:
-    enabled: true
-    secretName: swh-web-crt
-    extraAnnotations:
-      cert-manager.io/cluster-issuer: letsencrypt-production-gandi
-      kubernetes.io/ingress.class: nginx
-      kubernetes.io/tls-acme: "true"
-      nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
-    tlsEnabled: true
-    whitelistSourceRangeRef: internalNetworkRanges
-    endpoints:
-      default:
-        paths:
-          - path: /
-          - path: /static
-            port: 80
-        extraWhitelistSourceRange:
-          - 192.168.50.0/24 # for blackbox monitoring
-          - 192.168.101.0/24 # vpn network
+  deployments:
+    cassandra:
+      requestedCpu: 500m
+      requestedMemory: 500Mi
+      autoScaling:
+        minReplicaCount: 2
+        maxReplicaCount: 4
+        cpuPercentageUsage: 50
+      hosts:
+        - webapp-cassandra.internal.softwareheritage.org
+      ingress:
+        enabled: true
+        secretName: swh-web-crt
+        extraAnnotations:
+          cert-manager.io/cluster-issuer: letsencrypt-production-gandi
+          kubernetes.io/ingress.class: nginx
+          kubernetes.io/tls-acme: "true"
+          nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+        tlsEnabled: true
+        whitelistSourceRangeRef: internalNetworkRanges
+        endpoints:
+          default:
+            paths:
+              - path: /
+              - path: /static
+                port: 80
+            extraWhitelistSourceRange:
+              - 192.168.50.0/24 # for blackbox monitoring
+              - 192.168.101.0/24 # vpn network
 
-  databaseConfigurationRef: postgresqlWebConfiguration
-  searchConfigurationRef: remoteSearchConfiguration
-  schedulerConfigurationRef: remoteSchedulerConfiguration
-  storageConfigurationRef: remoteStorageConfiguration
-  vaultConfigurationRef: remoteVaultConfiguration
-  indexerStorageConfigurationRef: remoteIndexerStorageConfiguration
-  countersConfigurationRef: remoteCountersConfiguration
-  djangoConfigurationRef: djangoWebConfiguration
-  giveConfigurationRef: giveConfiguration
-  throttlingConfigurationRef: webThrottling
-  addForgeNowConfigurationRef: addForgeNowConfiguration
-  depositConfigurationRef: depositConfiguration
-  keycloakConfigurationRef: keycloakConfiguration
-  extraConfig:
-    search_config:
-      metadata_backend: swh-search
-    content_display_max_size: 5242880
-    history_counters_url: http://counters1.internal.softwareheritage.org:5011/counters_history/history.json#
-    es_workers_index_url: http://esnode1.internal.softwareheritage.org:9200/swh_workers-*
-    swh_extra_django_apps:
-      - swh.web.add_forge_now
-      - swh.web.archive_coverage
-      - swh.web.badges
-      - swh.web.banners
-      - swh.web.deposit
-      - swh.web.inbound_email
-      - swh.web.jslicenses
-      - swh.web.mailmap
-      - swh.web.metrics
-      - swh.web.save_code_now
-      - swh.web.save_origin_webhooks
-      - swh.web.vault
-    give:
-      public_key: ${GIVE_PUBLIC_KEY}
-      token: ${GIVE_PRIVATE_TOKEN}
+      databaseConfigurationRef: postgresqlWebConfiguration
+      searchConfigurationRef: remoteSearchConfiguration
+      schedulerConfigurationRef: remoteSchedulerConfiguration
+      storageConfigurationRef: remoteStorageConfiguration
+      vaultConfigurationRef: remoteVaultConfiguration
+      indexerStorageConfigurationRef: remoteIndexerStorageConfiguration
+      countersConfigurationRef: remoteCountersConfiguration
+      djangoConfigurationRef: djangoWebConfiguration
+      giveConfigurationRef: giveConfiguration
+      throttlingConfigurationRef: webThrottling
+      addForgeNowConfigurationRef: addForgeNowConfiguration
+      depositConfigurationRef: depositConfiguration
+      keycloakConfigurationRef: keycloakConfiguration
+      extraConfig:
+        keycloak:
+          server_url: https://auth.softwareheritage.org/auth/
+          realm_name: SoftwareHeritage
+        search_config:
+          metadata_backend: swh-search
+        content_display_max_size: 5242880
+        history_counters_url: http://counters1.internal.softwareheritage.org:5011/counters_history/history.json#
+        es_workers_index_url: http://esnode1.internal.softwareheritage.org:9200/swh_workers-*
+        swh_extra_django_apps:
+          - swh.web.add_forge_now
+          - swh.web.archive_coverage
+          - swh.web.badges
+          - swh.web.banners
+          - swh.web.deposit
+          - swh.web.inbound_email
+          - swh.web.jslicenses
+          - swh.web.mailmap
+          - swh.web.metrics
+          - swh.web.save_code_now
+          - swh.web.save_origin_webhooks
+          - swh.web.vault
+        give:
+          public_key: ${GIVE_PUBLIC_KEY}
+          token: ${GIVE_PRIVATE_TOKEN}
 
 graphql:
   enabled: true
diff --git a/swh/values/production/swh.yaml b/swh/values/production/swh.yaml
index 97f1fa1d31b252a12e8eb0afa6bec7d535631856..9f0459f2d08cb7d4e9709aa7c757381de9d2d66f 100644
--- a/swh/values/production/swh.yaml
+++ b/swh/values/production/swh.yaml
@@ -1120,85 +1120,91 @@ storage:
 web:
   enabled: true
   logLevel: INFO
-  requestedCpu: 500m
-  requestedMemory: 1024Mi
-  refreshSavecodenowStatus:
-    enabled: true
-    concurrencyPolicy: Forbid
-  syncMailmaps:
-    enabled: true
-    concurrencyPolicy: Forbid
-    configurationRef: postgresqlSyncmailmapsConfiguration
-  replicas: 2
-  # autoScaling:
-  #   minReplicaCount: 2
-  #   maxReplicaCount: 4
-  #   cpuPercentageUsage: 100
-  hosts:
-    - webapp1.internal.softwareheritage.org
-    - archive.softwareheritage.org
-    - base.softwareheritage.org
-    - archive.internal.softwareheritage.org
-  ingress:
-    enabled: true
-    secretName: swh-web-crt
-    extraAnnotations:
-      cert-manager.io/cluster-issuer: letsencrypt-production-gandi
-      kubernetes.io/ingress.class: nginx
-      kubernetes.io/tls-acme: "true"
-      nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
-    tlsEnabled: true
-    endpoints:
-      default:
-        paths:
-          - path: /
-          - path: /static
-            port: 80
-      authenticated:
-        paths:
-          - path: /api/1/provenance/
-          - path: /api/1/entity/
-          - path: /api/1/content/[^/]+/symbol/
-        # auth-file with authentication
-        authentication: swh/web-auth-secrets
-  databaseConfigurationRef: postgresqlWebConfiguration
-  searchConfigurationRef: remoteSearchConfiguration
-  schedulerConfigurationRef: remoteSchedulerConfiguration
-  storageConfigurationRef: remoteStorageConfiguration
-  vaultConfigurationRef: remoteVaultConfiguration
-  indexerStorageConfigurationRef: remoteReadOnlyIndexerStorageConfiguration
-  countersConfigurationRef: remoteCountersConfiguration
-  djangoConfigurationRef: djangoWebConfiguration
-  giveConfigurationRef: giveConfiguration
-  throttlingConfigurationRef: webThrottling
-  addForgeNowConfigurationRef: addForgeNowConfiguration
-  depositConfigurationRef: depositConfiguration
-  keycloakConfigurationRef: keycloakConfiguration
-  extraConfig:
-    search_config:
-      metadata_backend: swh-search
-    content_display_max_size: 5242880
-    history_counters_url: http://counters1.internal.softwareheritage.org:5011/counters_history/history.json#
-    es_workers_index_url: http://esnode1.internal.softwareheritage.org:9200/swh_workers-*
-    swh_extra_django_apps:
-      - swh.web.add_forge_now
-      - swh.web.archive_coverage
-      - swh.web.badges
-      - swh.web.banners
-      - swh.web.deposit
-      - swh.web.inbound_email
-      - swh.web.jslicenses
-      - swh.web.mailmap
-      - swh.web.metrics
-      - swh.web.save_code_now
-      - swh.web.save_origin_webhooks
-      - swh.web.vault
-    give:
-      public_key: ${GIVE_PUBLIC_KEY}
-      token: ${GIVE_PRIVATE_TOKEN}
-    matomo:
-      url: https://piwik.inria.fr/
-      site_id: 59
+  deployments:
+    app1:
+      requestedCpu: 500m
+      requestedMemory: 1024Mi
+      refreshSavecodenowStatus:
+        enabled: true
+        concurrencyPolicy: Forbid
+        priorityClassName: frontend-rpc-workload
+        cron: "*/2 * * * *"
+      syncMailmaps:
+        enabled: true
+        concurrencyPolicy: Forbid
+        configurationRef: postgresqlSyncmailmapsConfiguration
+        priorityClassName: frontend-rpc-workload
+        cron: "15 * * * *"
+      replicas: 2
+      # autoScaling:
+      #   minReplicaCount: 2
+      #   maxReplicaCount: 4
+      #   cpuPercentageUsage: 100
+      hosts:
+        - webapp1.internal.softwareheritage.org
+        - archive.softwareheritage.org
+        - base.softwareheritage.org
+        - archive.internal.softwareheritage.org
+      ingress:
+        enabled: true
+        secretName: swh-web-crt
+        extraAnnotations:
+          cert-manager.io/cluster-issuer: letsencrypt-production-gandi
+          kubernetes.io/ingress.class: nginx
+          kubernetes.io/tls-acme: "true"
+          nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+        tlsEnabled: true
+        endpoints:
+          default:
+            paths:
+              - path: /
+              - path: /static
+                port: 80
+          authenticated:
+            paths:
+              - path: /api/1/provenance/
+              - path: /api/1/entity/
+              - path: /api/1/content/[^/]+/symbol/
+            # auth-file with authentication
+            authentication: swh/web-auth-secrets
+      databaseConfigurationRef: postgresqlWebConfiguration
+      searchConfigurationRef: remoteSearchConfiguration
+      schedulerConfigurationRef: remoteSchedulerConfiguration
+      storageConfigurationRef: remoteStorageConfiguration
+      vaultConfigurationRef: remoteVaultConfiguration
+      indexerStorageConfigurationRef: remoteReadOnlyIndexerStorageConfiguration
+      countersConfigurationRef: remoteCountersConfiguration
+      djangoConfigurationRef: djangoWebConfiguration
+      giveConfigurationRef: giveConfiguration
+      throttlingConfigurationRef: webThrottling
+      addForgeNowConfigurationRef: addForgeNowConfiguration
+      depositConfigurationRef: depositConfiguration
+      keycloakConfigurationRef: keycloakConfiguration
+      extraConfig:
+        search_config:
+          metadata_backend: swh-search
+        content_display_max_size: 5242880
+        history_counters_url: http://counters1.internal.softwareheritage.org:5011/counters_history/history.json#
+        es_workers_index_url: http://esnode1.internal.softwareheritage.org:9200/swh_workers-*
+        swh_extra_django_apps:
+          - swh.web.add_forge_now
+          - swh.web.archive_coverage
+          - swh.web.badges
+          - swh.web.banners
+          - swh.web.deposit
+          - swh.web.inbound_email
+          - swh.web.jslicenses
+          - swh.web.mailmap
+          - swh.web.metrics
+          - swh.web.save_code_now
+          - swh.web.save_origin_webhooks
+          - swh.web.vault
+        give:
+          public_key: ${GIVE_PUBLIC_KEY}
+          token: ${GIVE_PRIVATE_TOKEN}
+        matomo:
+          url: https://piwik.inria.fr/
+          site_id: 59
 
 objstorage:
   enabled: true
diff --git a/swh/values/staging/overrides/swh-cassandra-next-version.yaml b/swh/values/staging/overrides/swh-cassandra-next-version.yaml
index 91618f9cc5f6b136605b85e3631ce9d58135a550..092f8d8e606bd41dbd623ed3df40f2d57d58d4a3 100644
--- a/swh/values/staging/overrides/swh-cassandra-next-version.yaml
+++ b/swh/values/staging/overrides/swh-cassandra-next-version.yaml
@@ -234,37 +234,40 @@ postgresqlWebConfiguration:
       secretKeyName: postgres-swh-web-password
 
 web:
-  replicas: 1
-  autoScaling:
-    minReplicaCount: 1
-    maxReplicaCount: 1
-  hosts:
-    - webapp-cassandra-next-version.internal.staging.swh.network
-  refreshSavecodenowStatus:
-    enabled: false
-  syncMailmaps:
-    enabled: false
-  ingress:
-    whitelistSourceRangeRef: stagingNetworkRanges
-    endpoints:
-      default:
-        paths:
-          - path: /
-          - path: /static
-            port: 80
-        extraWhitelistSourceRange:
-          # vpn network
-          - 192.168.101.0/24
-      authenticated:
-        paths:
-          - path: /api/1/provenance/
-          - path: /api/1/entity/
-          - path: /api/1/content/[^/]+/symbol/
-        # auth-file with authentication
-        authentication: swh-cassandra/web-auth-secrets
-        extraWhitelistSourceRange:
-          # vpn network
-          - 192.168.101.0/24
+  deployments:
+    cassandra:
+      replicas: 1
+      autoScaling:
+        minReplicaCount: 1
+        maxReplicaCount: 1
+      hosts:
+        - webapp-cassandra-next-version.internal.staging.swh.network
+      refreshSavecodenowStatus:
+        enabled: false
+      syncMailmaps:
+        enabled: false
+      ingress:
+        whitelistSourceRangeRef: stagingNetworkRanges
+        endpoints:
+          default:
+            paths:
+              - path: /
+              - path: /static
+                port: 80
+            extraWhitelistSourceRange:
+              # vpn network
+              - 192.168.101.0/24
+          authenticated:
+            paths:
+              - path: /api/1/provenance/
+              - path: /api/1/entity/
+              - path: /api/1/content/[^/]+/symbol/
+            # auth-file with authentication
+            authentication: swh-cassandra/web-auth-secrets
+            extraWhitelistSourceRange:
+              # vpn network
+              - 192.168.101.0/24
+
 deposit:
   enabled: false
 
diff --git a/swh/values/staging/swh-cassandra.yaml b/swh/values/staging/swh-cassandra.yaml
index 5e2bcf47928728975bd9fe3419c4cd9a04633a57..a6ae1ef8048252bc1723a082c6a0ac02fca02afd 100644
--- a/swh/values/staging/swh-cassandra.yaml
+++ b/swh/values/staging/swh-cassandra.yaml
@@ -549,86 +549,94 @@ storage:
 web:
   enabled: true
   logLevel: INFO
-  # Usual consumption with visits webhook is 200m cpu (/2 replicas)
-  # Scale up if a real burst happen (>1 cpu per pod)
-  requestedCpu: 100m
-  requestedMemory: 300Mi
-  autoScaling:
-    minReplicaCount: 2
-    maxReplicaCount: 4 # 4 to test the autoscaling in extreme scenarios
-    cpuPercentageUsage: 1000
-  hosts:
-    - webapp.staging.swh.network
-    - webapp-cassandra.internal.staging.swh.network
-  syncMailmaps:
-    enabled: true
-    concurrencyPolicy: Forbid
-    configurationRef: postgresqlSyncmailmapsConfiguration
-  ingress:
-    enabled: true
-    secretName: swh-web-crt
-    extraAnnotations:
-      cert-manager.io/cluster-issuer: letsencrypt-production-gandi
-      kubernetes.io/ingress.class: nginx
-      kubernetes.io/tls-acme: "true"
-      nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
-    tlsEnabled: true
-    endpoints:
-      default:
-        paths:
-          - path: /
-          - path: /static
-            port: 80
-      authenticated:
-        paths:
-          - path: /api/1/provenance/
-          - path: /api/1/entity/
-          - path: /api/1/content/[^/]+/symbol/
-        # auth-file with authentication
-        authentication: swh-cassandra/web-auth-secrets
-      webhooks:
-        paths:
-          - path: /save/origin/visit/webhook
-        extraWhitelistSourceRange:
-          - 192.168.130.1
-          - 192.168.130.2
-  databaseConfigurationRef: postgresqlWebConfiguration
-  searchConfigurationRef: remoteSearchConfiguration
-  schedulerConfigurationRef: remoteSchedulerConfiguration
-  storageConfigurationRef: remoteStorageConfiguration
-  vaultConfigurationRef: remoteVaultConfiguration
-  indexerStorageConfigurationRef: remoteIndexerStorageConfiguration
-  countersConfigurationRef: remoteCountersConfiguration
-  djangoConfigurationRef: djangoWebConfiguration
-  depositConfigurationRef: depositConfiguration
-  giveConfigurationRef: giveConfiguration
-  throttlingConfigurationRef: webThrottling
-  addForgeNowConfigurationRef: addForgeNowConfiguration
-  webhooksConfigurationRef: webhooksConfiguration
-  keycloakConfigurationRef: keycloakConfiguration
-  extraConfig:
-    save_code_now_webhook_secret: ${WEBHOOKS_SECRET}
-    search_config:
-      metadata_backend: swh-search
-    content_display_max_size: 5242880
-    history_counters_url: http://counters-rpc-ingress/counters_history/history.json
-    swh_extra_django_apps:
-    - swh.web.add_forge_now
-    - swh.web.archive_coverage
-    - swh.web.badges
-    - swh.web.banners
-    - swh.web.deposit
-    - swh.web.inbound_email
-    - swh.web.jslicenses
-    - swh.web.mailmap
-    - swh.web.metrics
-    - swh.web.save_code_now
-    - swh.web.save_origin_webhooks
-    - swh.web.vault
-    matomo: {}
-    give:
-      public_key: ${GIVE_PUBLIC_KEY}
-      token: ${GIVE_PRIVATE_TOKEN}
+  deployments:
+    cassandra:
+      # Usual consumption with visits webhook is 200m cpu (/2 replicas)
+      # Scale up if a real burst happen (>1 cpu per pod)
+      requestedCpu: 100m
+      requestedMemory: 300Mi
+      autoScaling:
+        minReplicaCount: 2
+        maxReplicaCount: 4 # 4 to test the autoscaling in extreme scenarios
+        cpuPercentageUsage: 1000
+      hosts:
+        - webapp.staging.swh.network
+        - webapp-cassandra.internal.staging.swh.network
+      syncMailmaps:
+        enabled: true
+        concurrencyPolicy: Forbid
+        configurationRef: postgresqlSyncmailmapsConfiguration
+        priorityClassName: frontend-rpc-workload
+        cron: "15 * * * *"
+      ingress:
+        enabled: true
+        secretName: swh-web-crt
+        extraAnnotations:
+          cert-manager.io/cluster-issuer: letsencrypt-production-gandi
+          kubernetes.io/ingress.class: nginx
+          kubernetes.io/tls-acme: "true"
+          nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+        tlsEnabled: true
+        endpoints:
+          default:
+            paths:
+              - path: /
+              - path: /static
+                port: 80
+          authenticated:
+            paths:
+              - path: /api/1/provenance/
+              - path: /api/1/entity/
+              - path: /api/1/content/[^/]+/symbol/
+            # auth-file with authentication
+            authentication: swh-cassandra/web-auth-secrets
+          webhooks:
+            paths:
+              - path: /save/origin/visit/webhook
+            extraWhitelistSourceRange:
+              - 192.168.130.1
+              - 192.168.130.2
+      databaseConfigurationRef: postgresqlWebConfiguration
+      searchConfigurationRef: remoteSearchConfiguration
+      schedulerConfigurationRef: remoteSchedulerConfiguration
+      storageConfigurationRef: remoteStorageConfiguration
+      vaultConfigurationRef: remoteVaultConfiguration
+      indexerStorageConfigurationRef: remoteIndexerStorageConfiguration
+      countersConfigurationRef: remoteCountersConfiguration
+      djangoConfigurationRef: djangoWebConfiguration
+      depositConfigurationRef: depositConfiguration
+      giveConfigurationRef: giveConfiguration
+      throttlingConfigurationRef: webThrottling
+      addForgeNowConfigurationRef: addForgeNowConfiguration
+      webhooksConfigurationRef: webhooksConfiguration
+      keycloakConfigurationRef: keycloakConfiguration
+
+      extraConfig:
+        keycloak:
+          server_url: https://auth.softwareheritage.org/auth/
+          realm_name: SoftwareHeritageStaging
+        save_code_now_webhook_secret: ${WEBHOOKS_SECRET}
+        search_config:
+          metadata_backend: swh-search
+        content_display_max_size: 5242880
+        history_counters_url: http://counters-rpc-ingress/counters_history/history.json
+        swh_extra_django_apps:
+        - swh.web.add_forge_now
+        - swh.web.archive_coverage
+        - swh.web.badges
+        - swh.web.banners
+        - swh.web.deposit
+        - swh.web.inbound_email
+        - swh.web.jslicenses
+        - swh.web.mailmap
+        - swh.web.metrics
+        - swh.web.save_code_now
+        - swh.web.save_origin_webhooks
+        - swh.web.vault
+        matomo: {}
+        give:
+          public_key: ${GIVE_PUBLIC_KEY}
+          token: ${GIVE_PRIVATE_TOKEN}
 
 graphql:
   enabled: true
diff --git a/swh/values/staging/swh.yaml b/swh/values/staging/swh.yaml
index 9aa82ccb49f67cddda2885cf6c81abd5f46ead2d..9dd689a08933b101d56b9153199926394abb17a2 100644
--- a/swh/values/staging/swh.yaml
+++ b/swh/values/staging/swh.yaml
@@ -753,82 +753,80 @@ search:
 web:
   enabled: true
   logLevel: INFO
-  # small footprint because this webapp is almost not used, only for tests
-  replicas: 1
-  requestedCpu: 50m
-  requestedMemory: 250Mi
-  hosts:
-    - webapp-postgresql.internal.staging.swh.network
-  refreshSavecodenowStatus:
-    enabled: false
-    concurrencyPolicy: Forbid
-  syncMailmaps:
-    enabled: false
-    concurrencyPolicy: Forbid
-    configurationRef: postgresqlSyncmailmapsConfiguration
-  ingress:
-    enabled: true
-    secretName: swh-web-crt
-    extraAnnotations:
-      cert-manager.io/cluster-issuer: letsencrypt-production-gandi
-      kubernetes.io/ingress.class: nginx
-      kubernetes.io/tls-acme: "true"
-      nginx.ingress.kubernetes.io/ssl-redirect: "true"
-    tlsEnabled: true
-    endpoints:
-      default:
-        paths:
-          - path: /
-          - path: /static
-            port: 80
-      authenticated:
-        paths:
-          - path: /api/1/provenance/
-          - path: /api/1/entity/
-          - path: /api/1/content/[^/]+/symbol/
-        # auth-file with authentication
-        authentication: swh-cassandra/web-auth-secrets
-      webhooks:
-        paths:
-          - path: /save/origin/visit/webhook
-        extraWhitelistSourceRange:
-          - 192.168.130.1
-          - 192.168.130.2
-  databaseConfigurationRef: postgresqlWebConfiguration
-  searchConfigurationRef: remoteSearchConfiguration
-  schedulerConfigurationRef: remoteSchedulerConfiguration
-  storageConfigurationRef: remoteReadOnlyStorageConfiguration
-  vaultConfigurationRef: remoteVaultConfiguration
-  indexerStorageConfigurationRef: remoteIndexerStorageConfiguration
-  countersConfigurationRef: remoteCountersConfiguration
-  djangoConfigurationRef: djangoWebConfiguration
-  depositConfigurationRef: depositConfiguration
-  giveConfigurationRef: giveConfiguration
-  throttlingConfigurationRef: webThrottling
-  addForgeNowConfigurationRef: addForgeNowConfiguration
-  keycloakConfigurationRef: keycloakConfiguration
-  extraConfig:
-    search_config:
-      metadata_backend: swh-search
-    content_display_max_size: 5242880
-    history_counters_url: http://counters-rpc-ingress/counters_history/history.json
-    swh_extra_django_apps:
-    - swh.web.add_forge_now
-    - swh.web.archive_coverage
-    - swh.web.badges
-    - swh.web.banners
-    - swh.web.deposit
-    - swh.web.inbound_email
-    - swh.web.jslicenses
-    - swh.web.mailmap
-    - swh.web.metrics
-    - swh.web.save_code_now
-    - swh.web.save_origin_webhooks
-    - swh.web.vault
-    matomo: {}
-    give:
-      public_key: ${GIVE_PUBLIC_KEY}
-      token: ${GIVE_PRIVATE_TOKEN}
+  deployments:
+    postgresql:
+      # small footprint because this webapp is almost not used, only for tests
+      replicas: 1
+      requestedCpu: 50m
+      requestedMemory: 250Mi
+      hosts:
+        - webapp-postgresql.internal.staging.swh.network
+      ingress:
+        enabled: true
+        secretName: swh-web-crt
+        extraAnnotations:
+          cert-manager.io/cluster-issuer: letsencrypt-production-gandi
+          kubernetes.io/ingress.class: nginx
+          kubernetes.io/tls-acme: "true"
+          nginx.ingress.kubernetes.io/ssl-redirect: "true"
+        tlsEnabled: true
+        endpoints:
+          default:
+            paths:
+              - path: /
+              - path: /static
+                port: 80
+          authenticated:
+            paths:
+              - path: /api/1/provenance/
+              - path: /api/1/entity/
+              - path: /api/1/content/[^/]+/symbol/
+            # auth-file with authentication
+            authentication: swh-cassandra/web-auth-secrets
+          webhooks:
+            paths:
+              - path: /save/origin/visit/webhook
+            extraWhitelistSourceRange:
+              - 192.168.130.1
+              - 192.168.130.2
+      databaseConfigurationRef: postgresqlWebConfiguration
+      searchConfigurationRef: remoteSearchConfiguration
+      schedulerConfigurationRef: remoteSchedulerConfiguration
+      storageConfigurationRef: remoteReadOnlyStorageConfiguration
+      vaultConfigurationRef: remoteVaultConfiguration
+      indexerStorageConfigurationRef: remoteIndexerStorageConfiguration
+      countersConfigurationRef: remoteCountersConfiguration
+      djangoConfigurationRef: djangoWebConfiguration
+      depositConfigurationRef: depositConfiguration
+      giveConfigurationRef: giveConfiguration
+      throttlingConfigurationRef: webThrottling
+      addForgeNowConfigurationRef: addForgeNowConfiguration
+      keycloakConfigurationRef: keycloakConfiguration
+      extraConfig:
+        keycloak:
+          server_url: https://auth.softwareheritage.org/auth/
+          realm_name: SoftwareHeritageStaging
+        search_config:
+          metadata_backend: swh-search
+        content_display_max_size: 5242880
+        history_counters_url: http://counters-rpc-ingress/counters_history/history.json
+        swh_extra_django_apps:
+        - swh.web.add_forge_now
+        - swh.web.archive_coverage
+        - swh.web.badges
+        - swh.web.banners
+        - swh.web.deposit
+        - swh.web.inbound_email
+        - swh.web.jslicenses
+        - swh.web.mailmap
+        - swh.web.metrics
+        - swh.web.save_code_now
+        - swh.web.save_origin_webhooks
+        - swh.web.vault
+        matomo: {}
+        give:
+          public_key: ${GIVE_PUBLIC_KEY}
+          token: ${GIVE_PRIVATE_TOKEN}
 
 scrubber:
   enabled: true