feat: Add Helm chart (#1350)

* Add Helm chart

* Add chrome temp dir and flags

6 files changed, 240 insertions, 0 deletions

diff --git a/charts/karakeep/.helmignore b/charts/karakeep/.helmignore
new file mode 100644
index 00000000..0e8a0eb3
--- /dev/null
+++ b/charts/karakeep/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/charts/karakeep/Chart.lock b/charts/karakeep/Chart.lock
new file mode 100644
index 00000000..3775c36c
--- /dev/null
+++ b/charts/karakeep/Chart.lock
@@ -0,0 +1,9 @@
+dependencies:
+- name: common
+  repository: https://bjw-s-labs.github.io/helm-charts
+  version: 3.7.3
+- name: meilisearch
+  repository: https://meilisearch.github.io/meilisearch-kubernetes
+  version: 0.12.0
+digest: sha256:3e2a57756d58bd85ff03cf0dc7f0b6beb972b77fc6036d4f29421e7207a1bce0
+generated: "2025-05-02T18:15:07.080331+01:00"
diff --git a/charts/karakeep/Chart.yaml b/charts/karakeep/Chart.yaml
new file mode 100644
index 00000000..d8ec7810
--- /dev/null
+++ b/charts/karakeep/Chart.yaml
@@ -0,0 +1,13 @@
+apiVersion: v2
+name: karakeep
+description: A Helm chart for Karakeep
+type: application
+version: 0.24.1
+appVersion: 0.24.1
+dependencies:
+  - name: common
+    version: 3.7.3
+    repository: https://bjw-s-labs.github.io/helm-charts
+  - name: meilisearch
+    version: 0.12.0
+    repository: https://meilisearch.github.io/meilisearch-kubernetes
diff --git a/charts/karakeep/README.md b/charts/karakeep/README.md
new file mode 100644
index 00000000..a785958c
--- /dev/null
+++ b/charts/karakeep/README.md
@@ -0,0 +1,38 @@
+# Karakeep Helm chart
+
+Helm chart for deploying Karakeep along with:
+
+- **[Meilisearch](https://github.com/meilisearch/meilisearch-kubernetes)**: for fast and lightweight full-text search
+- **[Headless Chrome](https://github.com/jlandure/alpine-chrome)**: enables web page previews
+
+This chart inherits from the [bjw-s/common](https://github.com/bjw-s/helm-charts/tree/main/charts/library/common) library.
+
+### Configuration
+
+| Key                    | Description                              | Default                  |
+| ---------------------- | ---------------------------------------- | ------------------------ |
+| `applicationHost`      | Hostname used in ingress/service         | `karakeep.domain`        |
+| `applicationProtocol`  | Protocol for internal service references | `http`                   |
+| `applicationSecretKey` | Secret used for app authentication       | Auto-generated if `null` |
+| `meilisearchMasterKey` | Meilesearch master key                   | Auto-generated if `null` |
+
+#### Example with OIDC Authentication
+
+```yaml
+controllers:
+  karakeep:
+    containers:
+      karakeep:
+        env:
+          DISABLE_PASSWORD_AUTH: "true"
+          OAUTH_ALLOW_DANGEROUS_EMAIL_ACCOUNT_LINKING: "true"
+          OAUTH_PROVIDER_NAME: OIDC
+          OAUTH_SCOPE: openid email profile
+          OAUTH_WELLKNOWN_URL: https://auth.company/application/o/karakeep/.well-known/openid-configuration
+
+secrets:
+  karakeep:
+    stringData:
+      OAUTH_CLIENT_ID: your-client-id
+      OAUTH_CLIENT_SECRET: your-client-secret
+```
diff --git a/charts/karakeep/templates/common.yaml b/charts/karakeep/templates/common.yaml
new file mode 100644
index 00000000..effc5354
--- /dev/null
+++ b/charts/karakeep/templates/common.yaml
@@ -0,0 +1 @@
+{{ include "bjw-s.common.loader.all" . }}
\ No newline at end of file
diff --git a/charts/karakeep/values.yaml b/charts/karakeep/values.yaml
new file mode 100644
index 00000000..6f287e32
--- /dev/null
+++ b/charts/karakeep/values.yaml
@@ -0,0 +1,156 @@
+#
+# IMPORTANT NOTE
+#
+# This chart inherits from the bjw-s library chart. You can check the default values/options here:
+# https://github.com/bjw-s/helm-charts/tree/main/charts/library/common
+#
+
+applicationProtocol: http
+applicationHost: karakeep.domain
+applicationSecretKey: ~
+meilisearchMasterKey: ~
+
+controllers:
+  karakeep:
+    type: statefulset
+
+    containers:
+      karakeep:
+        image:
+          repository: ghcr.io/karakeep-app/karakeep
+          tag: "{{ .Chart.AppVersion }}"
+
+        env:
+          NEXTAUTH_URL:  "{{ .Values.applicationProtocol }}://{{ .Values.applicationHost }}"
+          
+          DATA_DIR: /data
+          MEILI_ADDR: "http://{{ .Release.Name }}-meilisearch:7700"
+          BROWSER_WEB_URL: http://{{ .Release.Name }}-chrome:9222
+
+        envFrom:
+          - secretRef:
+              name: "{{ .Release.Name }}"
+          - secretRef:
+              name: "{{ .Release.Name }}-meilesearch"
+          
+        probes:
+          liveness:
+            enabled: true
+            spec:
+              initialDelaySeconds: 10
+              httpGet:
+                path: /api/health
+                port: 3000
+          readiness:
+            enabled: true
+            spec:
+              initialDelaySeconds: 10
+              httpGet:
+                path: /api/health
+                port: 3000
+
+    statefulset:
+      volumeClaimTemplates:
+        - name: data
+          accessMode: ReadWriteOnce
+          size: 2Gi
+          globalMounts:
+            - path: /data
+
+  chrome:
+    containers:
+      chrome:
+        image:
+          repository: gcr.io/zenika-hub/alpine-chrome
+          tag: 124
+
+        args:
+          - --remote-debugging-address=0.0.0.0
+          - --remote-debugging-port=9222
+          - --headless
+          - --hide-scrollbars
+          - --disable-gpu
+          - --disable-dev-shm-usage
+
+        probes:
+          liveness:
+            enabled: true
+            spec:
+              httpGet:
+                path: /
+                port: 9222
+          readiness:
+            enabled: true
+            spec:
+              httpGet:
+                path: /
+                port: 9222
+
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            add:
+            - SYS_ADMIN
+          readOnlyRootFilesystem: true
+          runAsNonRoot: true
+          runAsUser: 1000
+          runAsGroup: 1000
+
+        resources:
+          requests:
+            memory: 100Mi
+            cpu: 500m
+          limits:
+            memory: 1Gi
+            cpu: 1000m
+
+service:
+  karakeep:
+    controller: karakeep
+    ports:
+      http:
+        port: 3000
+  chrome:
+    controller: chrome
+    ports:
+      http:
+        port: 9222
+
+secrets:
+  karakeep:
+    enabled: true
+    stringData:
+      NEXTAUTH_SECRET: "{{ default (randAlphaNum 48) .Values.applicationSecretKey }}"
+  meilesearch:
+    enabled: true
+    stringData:
+      MEILI_MASTER_KEY: "{{ default (randAlphaNum 30) .Values.meilisearchMasterKey }}"
+
+ingress:
+  karakeep:
+    hosts:
+      - host: "{{ .Values.applicationHost }}"
+        paths:
+          - path: /
+            pathType: Prefix
+            service:
+              identifier: karakeep
+              port: http
+
+persistence:
+  chrome-tmp:
+    type: emptyDir
+    advancedMounts:
+      chrome:
+        chrome:
+          - path: /tmp
+            readonly: false
+
+meilisearch:
+  auth:
+    existingMasterKeySecret: "{{ .Release.Name }}-meilesearch"
+  environment:
+    MEILI_ENV: production
+  persistence:
+    enabled: true
+    size: 1Gi