simple homelab helm package

helm/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

helm/Chart.yaml

@@ -0,0 +1,7 @@
+apiVersion: v2
+name: n8n-self-hosted
+description: A quick helm chart for n8n 
+type: application
+version: 0.0.1
+appVersion: "1.123.18"
+icon: "https://raw.githubusercontent.com/n8n-io/n8n-hosting/refs/heads/main/helm/assets/icon.png"

helm/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 n8n - Workflow Automation
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

helm/README.md

@@ -0,0 +1,33 @@
+# 🚀 n8n Self-Hosted on Kubernetes
+
+This repository contains a Helm-based deployment for **n8n**, including a managed **PostgreSQL** instance. It is designed for ease of use in homelab environments, featuring a secure "Global Secret" bridge and automated volume permission handling.
+
+---
+## 📋 Table of Contents
+1. [Prerequisites](#-prerequisites)
+2. [Setup Guide](#-setup-guide)
+---
+## 🏗 Prerequisites
+
+* **Kubernetes Cluster** (v1.22+)
+* **Helm 3** installed
+* **NGINX Ingress Controller** (installed and reachable - optional)
+* **Default StorageClass** (for PVC automated provisioning)
+---
+
+## 🏁 Setup Guide
+
+### 1. Create a Namespace
+Isolate your n8n instance from other applications.
+```
+kubectl create namespace n8n
+```
+### 2. Apply secret
+If needed, change database passwords in the n8n-secrets.yaml file.
+```
+kubectl apply -f ./helm/n8n-secrets.yaml -n n8n
+```
+### 3. Apply helm chart
+```
+helm install ./helm my-n8n -n n8n 
+```

helm/n8n-secrets.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: n8n-secrets
+  namespace: n8n-demo
+type: Opaque
+stringData:
+  POSTGRES_USER: admin
+  POSTGRES_PASSWORD: admin
+  POSTGRES_DB: n8n
+  POSTGRES_NON_ROOT_USER: standard
+  POSTGRES_NON_ROOT_PASSWORD: standard

helm/templates/NOTES.txt

@@ -0,0 +1,45 @@
+{{- $externalSecret := (lookup "v1" "Secret" .Release.Namespace .Values.global.secretName) -}}
+
+===============================================================================
+  🚀 n8n has been successfully deployed to namespace "{{ .Release.Namespace }}"!
+===============================================================================
+
+{{- if not $externalSecret }}
+[WARNING] ⚠️  SECURITY ALERT ⚠️
+-------------------------------------------------------------------------------
+The global secret "{{ .Values.global.secretName }}" was NOT found.
+n8n is currently using DEFAULT/FALLBACK settings for database credentials.
+
+To fix this:
+1. Create the secret:
+   kubectl create secret generic {{ .Values.global.secretName }} \
+     --namespace {{ .Release.Namespace }} \
+     --from-literal=POSTGRES_USER=yourUser \
+     --from-literal=POSTGRES_PASSWORD=yourSecurePassword
+
+2. Trigger a rollout to apply changes:
+   kubectl rollout restart deployment n8n --namespace {{ .Release.Namespace }}
+-------------------------------------------------------------------------------
+{{- else }}
+[INFO] ✅ Success: Database credentials loaded from "{{ .Values.global.secretName }}".
+{{- end }}
+
+CONFIGURATION SUMMARY:
+-------------------------------------------------------------------------------
+Host:         http://{{ ( .Values.n8n ).host | default "localhost" }}
+Webhook-URL:  https://{{ ( .Values.n8n ).host | default "localhost" }}/
+Timezone:     {{ ( .Values.n8n ).timezone | default "Europe/Berlin" }}
+
+USEFUL COMMANDS:
+-------------------------------------------------------------------------------
+# Check pod status:
+kubectl get pods -n {{ .Release.Namespace }} -l service=n8n
+
+# Stream n8n logs:
+kubectl logs -f deployment/n8n -n {{ .Release.Namespace }}
+
+# Local access (if no Ingress is configured):
+kubectl port-forward svc/n8n 5678:5678 -n {{ .Release.Namespace }}
+-------------------------------------------------------------------------------
+
+Happy Automating!

helm/templates/ingress.yaml

@@ -0,0 +1,43 @@
+{{- if .Values.ingress.enabled -}}
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: n8n-ingress
+  namespace: {{ .Release.Namespace }}
+  labels:
+  {{- with .Values.ingress.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  {{- with .Values.ingress.className }}
+  ingressClassName: {{ . }}
+  {{- end }}
+  {{- if .Values.ingress.tls }}
+  tls:
+    {{- range .Values.ingress.tls }}
+    - hosts:
+        {{- range .hosts }}
+        - {{ . | quote }}
+        {{- end }}
+      secretName: {{ .secretName }}
+    {{- end }}
+  {{- end }}
+  rules:
+    {{- range .Values.ingress.hosts }}
+    - host: {{ .host | quote }}
+      http:
+        paths:
+          {{- range .paths }}
+          - path: {{ .path }}
+            {{- with .pathType }}
+            pathType: {{ . }}
+            {{- end }}
+            backend:
+              service:
+                name: n8n
+                port:
+                  number: 5678
+          {{- end }}
+    {{- end }}
+{{- end }}

helm/templates/n8n-claim0-persistentvolumeclaim.yaml

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  labels:
+    service: n8n-claim0
+  name: n8n-claim0
+  namespace: {{ .Release.Namespace }}
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 2Gi

helm/templates/n8n-deployment.yaml

@@ -0,0 +1,92 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    service: n8n
+  name: n8n
+  namespace: {{ .Release.Namespace }}
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      service: n8n
+  strategy:
+    type: Recreate
+  template:
+    metadata:
+      labels:
+        service: n8n
+    spec:
+      initContainers:
+        - name: volume-permissions
+          image: busybox:1.36
+          command: ["sh", "-c", "chown 1000:1000 /data"]
+          volumeMounts:
+            - name: n8n-claim0
+              mountPath: /data
+      containers:
+        - command:
+            - /bin/sh
+          args:
+            - -c
+            - sleep 5; n8n start
+          env:
+          {{- range $key, $val := .Values.n8n.extraEnv }}
+            - name: {{ $key }}
+              value: {{ $val | quote }}
+          {{- end }}
+            - name: N8N_SECURE_COOKIE
+              value: {{ if .Values.n8n.disableSecureCookie }}"false"{{ else }}"true"{{ end }}
+            - name: GENERIC_TIMEZONE
+              value: {{ .Values.n8n.timezone | default "Europe/Berlin" | quote }}
+            - name: N8N_HOST
+              value: {{ ( .Values.n8n ).host | default "localhost" | quote }}
+            - name: WEBHOOK_URL
+              value: {{ printf "https://%s/" ( ( .Values.n8n ).host | default "localhost" ) | quote }}
+            - name: DB_TYPE
+              value: postgresdb
+            - name: DB_POSTGRESDB_HOST
+              value: {{ printf "postgres-service.%s.svc.cluster.local" .Release.Namespace }}
+            - name: DB_POSTGRESDB_PORT
+              value: "5432"
+            - name: DB_POSTGRESDB_DATABASE
+              value: n8n
+            - name: DB_POSTGRESDB_USER
+              valueFrom:
+                secretKeyRef:
+                  name: postgres-secret
+                  key: POSTGRES_NON_ROOT_USER
+            - name: DB_POSTGRESDB_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: postgres-secret
+                  key: POSTGRES_NON_ROOT_PASSWORD
+            - name: N8N_PROTOCOL
+              value: http
+            - name: N8N_PORT
+              value: "5678"
+          image: n8nio/n8n:1.123.18
+          name: n8n
+          ports:
+            - containerPort: 5678
+          resources:
+            requests:
+              cpu: {{ (((( .Values.n8n ).resources ).requests ).cpu ) | default "100m" | quote }}
+              memory: {{ (((( .Values.n8n ).resources ).requests ).memory ) | default "250Mi" | quote }}
+            limits:
+              cpu: {{ (((( .Values.n8n ).resources ).limits ).cpu ) | default "500m" | quote }}
+              memory: {{ (((( .Values.n8n ).resources ).limits ).memory ) | default "1024Mi" | quote }}
+          volumeMounts:
+            - mountPath: /home/node/.n8n
+              name: n8n-claim0
+      restartPolicy: Always
+      volumes:
+        - name: n8n-claim0
+          persistentVolumeClaim:
+            claimName: n8n-claim0
+        - name: n8n-secret
+          secret:
+            secretName: n8n-secret
+        - name: postgres-secret
+          secret:
+            secretName: postgres-secret

helm/templates/n8n-service.yaml

@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    service: n8n
+  name: n8n
+  namespace: {{ .Release.Namespace }}
+spec:
+  type: ClusterIP
+  ports:
+    - name: "5678"
+      port: 5678
+      targetPort: 5678
+      protocol: TCP
+  selector:
+    service: n8n

helm/templates/postgres-claim0-persistentvolumeclaim.yaml

@@ -0,0 +1,11 @@
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: postgresql-pv
+  namespace: {{ .Release.Namespace }}
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: {{ .Values.postgres.size }}

helm/templates/postgres-configmap.yaml

@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: init-data
+  namespace: {{ .Release.Namespace }}
+data:
+  init-data.sh: |
+    #!/bin/bash
+    set -e;
+    if [ -n "${POSTGRES_NON_ROOT_USER:-}" ] && [ -n "${POSTGRES_NON_ROOT_PASSWORD:-}" ]; then
+    	psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname "$POSTGRES_DB" <<-EOSQL
+    		CREATE USER "${POSTGRES_NON_ROOT_USER}" WITH PASSWORD '${POSTGRES_NON_ROOT_PASSWORD}';
+    		GRANT ALL PRIVILEGES ON DATABASE ${POSTGRES_DB} TO "${POSTGRES_NON_ROOT_USER}";
+    		GRANT ALL ON SCHEMA public TO "${POSTGRES_NON_ROOT_USER}";
+    	EOSQL
+    else
+    	echo "SETUP INFO: No Environment variables given!"
+    fi