feat: add Helm chart for Kubernetes deployment

Best-practice chart with PSS restricted security context, CA certificate
injection for air-gapped environments, and all cooked flags exposed as
values. Includes HPA, PDB, NetworkPolicy, Ingress, schema validation,
and chart-testing CI config.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: wthrbtn

.github/workflows/release.yml

@@ -148,6 +148,38 @@ jobs:
             DELAY=$((DELAY * 2))
           done
 
+  helm-chart:
+    needs: release-please
+    if: needs.release-please.outputs.release_created
+    runs-on: ubuntu-24.04
+    permissions:
+      contents: read
+      packages: write
+      id-token: write
+    environment: release
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+
+      - name: Install cosign
+        uses: sigstore/cosign-installer@fb28c2b6339dcd94da6e4cbcbc5e888961f6f8c3 # v3.9.0
+
+      - name: Log in to GHCR
+        run: echo "${{ secrets.GITHUB_TOKEN }}" | helm registry login ghcr.io -u ${{ github.actor }} --password-stdin
+
+      - name: Package and push
+        run: |
+          helm package charts/cooked/
+          PACKAGE=$(ls cooked-*.tgz)
+          helm push "$PACKAGE" oci://ghcr.io/${{ github.repository_owner }}/charts
+
+      - name: Sign chart
+        env:
+          TAG: ${{ needs.release-please.outputs.tag_name }}
+          OWNER: ${{ github.repository_owner }}
+        run: |
+          VERSION="${TAG#v}"
+          cosign sign --yes "ghcr.io/${OWNER}/charts/cooked:${VERSION}"
+
   upload-assets:
     needs: [release-please, build-binaries]
     if: needs.release-please.outputs.release_created

charts/cooked/.helmignore

@@ -0,0 +1,29 @@
+# VCS
+.git/
+.github/
+.gitignore
+
+# IDE/OS
+.DS_Store
+.idea/
+.vscode/
+*.swp
+*.tmp
+
+# CI
+Makefile
+Jenkinsfile
+
+# Security
+.env
+*secret*
+*.key
+*.pem
+*.crt
+
+# Development
+*.md.gotmpl
+ci/
+
+# Snapshots
+*/__snapshot__/*

charts/cooked/Chart.yaml

@@ -0,0 +1,19 @@
+apiVersion: v2
+name: cooked
+description: A rendering proxy for air-gapped environments — fetches raw documents and serves styled HTML
+type: application
+version: 1.3.2 # x-release-please-version
+appVersion: "1.3.2" # x-release-please-version
+kubeVersion: ">=1.22.0"
+home: https://github.com/air-gapped/cooked
+sources:
+  - https://github.com/air-gapped/cooked
+keywords:
+  - rendering
+  - proxy
+  - markdown
+  - asciidoc
+  - air-gapped
+maintainers:
+  - name: air-gapped
+    url: https://github.com/air-gapped

charts/cooked/ci/ca-values.yaml

@@ -0,0 +1,22 @@
+# CI test values — CA certificate injection
+replicaCount: 1
+
+cooked:
+  allowedUpstreams: "*.internal"
+  tlsSkipVerify: false
+
+caCertificates:
+  enabled: true
+  inline:
+    internal-ca.crt: |
+      -----BEGIN CERTIFICATE-----
+      MIIBkTCB+wIUYz1234567890abcdef=
+      -----END CERTIFICATE-----
+
+resources:
+  limits:
+    cpu: 500m
+    memory: 256Mi
+  requests:
+    cpu: 100m
+    memory: 128Mi

charts/cooked/ci/default-values.yaml

@@ -0,0 +1,14 @@
+# CI test values — default configuration
+replicaCount: 1
+
+cooked:
+  allowedUpstreams: "*.example.com,10.0.0.0/8"
+  defaultTheme: "auto"
+
+resources:
+  limits:
+    cpu: 500m
+    memory: 256Mi
+  requests:
+    cpu: 100m
+    memory: 128Mi

charts/cooked/templates/NOTES.txt

@@ -0,0 +1,31 @@
+Thank you for installing {{ .Chart.Name }}!
+
+{{- if .Values.ingress.enabled }}
+
+Access cooked at:
+{{- range .Values.ingress.hosts }}
+  http{{ if $.Values.ingress.tls }}s{{ end }}://{{ .host }}{{ (first .paths).path }}
+{{- end }}
+{{- else if contains "NodePort" .Values.service.type }}
+
+Get the application URL:
+  export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "cooked.fullname" . }})
+  export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
+  echo http://$NODE_IP:$NODE_PORT
+{{- else if contains "ClusterIP" .Values.service.type }}
+
+Port-forward to access cooked:
+  kubectl --namespace {{ .Release.Namespace }} port-forward svc/{{ include "cooked.fullname" . }} {{ .Values.service.port }}:{{ .Values.service.port }}
+
+Then open:
+  http://localhost:{{ .Values.service.port }}/https://example.com/README.md
+{{- end }}
+
+{{- if .Values.cooked.allowedUpstreams }}
+
+Allowed upstreams: {{ .Values.cooked.allowedUpstreams }}
+{{- else }}
+
+WARNING: No --allowed-upstreams configured. SSRF protection is active (private IPs blocked).
+For air-gapped environments, set cooked.allowedUpstreams to your internal hosts.
+{{- end }}

charts/cooked/templates/_helpers.tpl

@@ -0,0 +1,88 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "cooked.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+Truncated to 63 characters (DNS label limit).
+*/}}
+{{- define "cooked.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version for the helm.sh/chart label.
+*/}}
+{{- define "cooked.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Standard labels for all resources.
+*/}}
+{{- define "cooked.labels" -}}
+helm.sh/chart: {{ include "cooked.chart" . }}
+{{ include "cooked.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- with .Values.commonLabels }}
+{{ toYaml . }}
+{{- end }}
+{{- end }}
+
+{{/*
+Selector labels (immutable — never include version here).
+*/}}
+{{- define "cooked.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "cooked.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Common annotations for all resources.
+*/}}
+{{- define "cooked.annotations" -}}
+{{- with .Values.commonAnnotations }}
+{{- toYaml . }}
+{{- end }}
+{{- end }}
+
+{{/*
+Service account name.
+*/}}
+{{- define "cooked.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "cooked.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}
+
+{{/*
+Container image string from registry/repository/tag/digest.
+When using appVersion as the default tag, prepends "v" to match GHCR tag format (v1.3.2).
+An explicit image.tag is used as-is.
+*/}}
+{{- define "cooked.image" -}}
+{{- if .Values.image.digest }}
+{{- printf "%s/%s@%s" .Values.image.registry .Values.image.repository .Values.image.digest }}
+{{- else if .Values.image.tag }}
+{{- printf "%s/%s:%s" .Values.image.registry .Values.image.repository .Values.image.tag }}
+{{- else }}
+{{- printf "%s/%s:v%s" .Values.image.registry .Values.image.repository .Chart.AppVersion }}
+{{- end }}
+{{- end }}

charts/cooked/templates/configmap-ca.yaml

@@ -0,0 +1,18 @@
+{{- if and .Values.caCertificates.enabled .Values.caCertificates.inline (not .Values.caCertificates.existingConfigMap) (not .Values.caCertificates.existingSecret) }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "cooked.fullname" . }}-ca-certs
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "cooked.labels" . | nindent 4 }}
+  {{- with (include "cooked.annotations" .) }}
+  annotations:
+    {{- . | nindent 4 }}
+  {{- end }}
+data:
+  {{- range $name, $cert := .Values.caCertificates.inline }}
+  {{ $name }}: |
+    {{- $cert | nindent 4 }}
+  {{- end }}
+{{- end }}