Add Helm chart for Kubernetes deployment of CodeRAG

.dockerignore

@@ -3,6 +3,7 @@
 .github
 .gitignore
 tests
+deploy
 DEVELOPMENT.md
 AGENTS.md
 example.env

.github/workflows/helm.yml

@@ -0,0 +1,66 @@
+name: Helm chart
+
+# Lint and schema-validate the Kubernetes Helm chart. Runs only when the chart (or this
+# workflow) changes, so it stays out of the way of pure-Python PRs.
+on:
+  push:
+    branches: [master]
+    paths:
+      - "deploy/helm/**"
+      - ".github/workflows/helm.yml"
+  pull_request:
+    branches: [master]
+    paths:
+      - "deploy/helm/**"
+      - ".github/workflows/helm.yml"
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+concurrency:
+  group: helm-${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+env:
+  CHART: deploy/helm/coderag
+  KUBECONFORM_VERSION: "0.6.7"
+
+jobs:
+  lint-and-validate:
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    steps:
+      - uses: actions/checkout@v6
+
+      - name: Set up Helm
+        uses: azure/setup-helm@v4
+        with:
+          version: v3.16.4
+
+      - name: Helm lint (default + full value sets)
+        run: |
+          helm lint "$CHART" -f "$CHART/ci/default-values.yaml"
+          helm lint "$CHART" -f "$CHART/ci/full-values.yaml"
+
+      - name: Install kubeconform
+        run: |
+          curl -fsSL \
+            "https://github.com/yannh/kubeconform/releases/download/v${KUBECONFORM_VERSION}/kubeconform-linux-amd64.tar.gz" \
+            | tar -xz -C /usr/local/bin kubeconform
+          kubeconform -v
+
+      - name: Render and schema-validate
+        run: |
+          # Standalone: the chart must render and install with zero required config.
+          echo "::group::standalone defaults (no values)"
+          helm template coderag "$CHART" | kubeconform -strict -summary -kubernetes-version 1.29.0
+          echo "::endgroup::"
+          for values in default full; do
+            for kube in 1.27.0 1.29.0 1.31.0; do
+              echo "::group::$values values @ k8s $kube"
+              helm template coderag "$CHART" -f "$CHART/ci/${values}-values.yaml" \
+                | kubeconform -strict -summary -kubernetes-version "$kube"
+              echo "::endgroup::"
+            done
+          done

README.md

@@ -133,6 +133,30 @@ adds a `-ui` suffix. The container indexes `/workspace` and stores its index in
 (`CODERAG_WATCHED_DIR` / `CODERAG_STORE_DIR`). For OpenAI embeddings/answers, add
 `-e OPENAI_API_KEY=…`.
 
+## ☸️ Kubernetes (Helm)
+
+For teams who want a shared, always-on deployment, a Helm chart self-hosts the HTTP API
+(and optional UI) with a persistent index, scheduled re-indexing, and hardened defaults
+(non-root, read-only rootfs, single-writer-safe). It runs **standalone with zero config**
+on your cluster's default storage:
+
+```bash
+helm install coderag ./deploy/helm/coderag --namespace coderag --create-namespace
+```
+
+Then point it at your code (a git repo, or a PVC you already have):
+
+```bash
+helm upgrade coderag ./deploy/helm/coderag -n coderag --reuse-values \
+  --set workspace.source=git \
+  --set workspace.git.repository=https://github.com/Neverdecel/CodeRAG.git
+```
+
+It provisions the index volume, clones the repo into the pod, and builds the index
+automatically. Not a Helm user? `helm template … | kubectl apply -f -` works too. See the
+full guide — storage options, private repos, OpenAI/Anthropic keys, ingress, the UI,
+scheduled reindex — in [`deploy/README.md`](deploy/README.md).
+
 ## 🏗️ How it works
 
 ```mermaid