feat(charts): initialize edgehog charts

.github/CODEOWNERS

@@ -4,3 +4,4 @@
 *           @edgehog-device-manager/cloud-devs
 /frontend/  @edgehog-device-manager/cloud-frontend-devs
 /backend/   @edgehog-device-manager/cloud-backend-devs
+/charts/    @edgehog-device-manager/platform-team

.github/release-please/config.json

@@ -7,13 +7,19 @@
       "package-name": "backend",
       "release-type": "elixir",
       "component": "backend",
-      "include-component-in-tag": true
+      "include-component-in-tag": false
     },
     "frontend": {
       "package-name": "frontend",
       "release-type": "node",
       "component": "frontend",
-      "include-component-in-tag": true
+      "include-component-in-tag": false
+    },
+    "charts": {
+      "package-name": "charts",
+      "release-type": "helm",
+      "component": "charts",
+      "include-component-in-tag": false
     }
   },
   "plugins": [

.github/release-please/manifest.json

@@ -1,4 +1,5 @@
 {
   "backend": "0.12.0",
-  "frontend": "0.12.0"
+  "frontend": "0.12.0",
+  "charts": "0.1.0"
 }

REUSE.toml

@@ -86,3 +86,21 @@ path = ".github/CODEOWNERS"
 precedence = "aggregate"
 SPDX-FileCopyrightText = "2026 Seco Mind Srl"
 SPDX-License-Identifier = "Apache-2.0"
+
+[[annotations]]
+path = "chart/Chart.lock"
+precedence = "aggregate"
+SPDX-FileCopyrightText = "2026 SECO Mind Srl"
+SPDX-License-Identifier = "Apache-2.0"
+
+[[annotations]]
+path = "chart/.helmignore"
+precedence = "aggregate"
+SPDX-FileCopyrightText = "2026 SECO Mind Srl"
+SPDX-License-Identifier = "Apache-2.0"
+
+[[annotations]]
+path = "chart/templates/_helpers.tpl"
+precedence = "aggregate"
+SPDX-FileCopyrightText = "2026 SECO Mind Srl"
+SPDX-License-Identifier = "Apache-2.0"

chart/.gitignore

@@ -0,0 +1,19 @@
+# This file is part of Edgehog.
+#
+# Copyright 2026 SECO Mind Srl
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+
+charts/**

chart/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

chart/Chart.lock

@@ -0,0 +1,9 @@
+dependencies:
+- name: cert-manager
+  repository: https://charts.jetstack.io
+  version: v1.17.1
+- name: ingress-nginx
+  repository: https://kubernetes.github.io/ingress-nginx
+  version: 4.11.0
+digest: sha256:941919e43787d1340bc9a7b7774a39bd49ba31a49c7e797331ea995579efd3d5
+generated: "2026-02-10T11:16:01.916697939+01:00"

chart/Chart.yaml

@@ -0,0 +1,33 @@
+# This file is part of Edgehog.
+#
+# Copyright 2026 SECO Mind Srl
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+
+apiVersion: v2
+name: edgehog
+description: A Helm chart Edgehog, the Open Device Manager Platform.
+
+dependencies:
+  - name: cert-manager
+    version: 1.17.1
+    repository: https://charts.jetstack.io
+  - name: ingress-nginx
+    version: 4.11.0
+    repository: https://kubernetes.github.io/ingress-nginx
+
+type: application
+version: 0.1.0
+appVersion: "0.11"

chart/README.md

@@ -0,0 +1,9 @@
+<!---
+  Copyright 2026 SECO Mind Srl
+
+  SPDX-License-Identifier: Apache-2.0
+-->
+
+# Edgehog charts
+
+This project contains Edgehog charts to deploy Edgehog with kubernetes.

chart/templates/_helpers.tpl

@@ -0,0 +1,62 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "edgehog.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "edgehog.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "edgehog.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "edgehog.labels" -}}
+helm.sh/chart: {{ include "edgehog.chart" . }}
+{{ include "edgehog.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "edgehog.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "edgehog.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "edgehog.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "edgehog.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}

chart/templates/backend-deployment.yaml

@@ -0,0 +1,148 @@
+# This file is part of Edgehog.
+#
+# Copyright 2026 SECO Mind Srl
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: edgehog-backend
+  name: edgehog-backend
+  namespace: {{ .Values.namespace | default "edgehog" }}
+spec:
+  replicas: 1 #TODO: make this customizable once clustering is available
+  selector:
+    matchLabels:
+      app: edgehog-backend
+  template:
+    metadata:
+      labels:
+        app: edgehog-backend
+    spec:
+      containers:
+      - name: edgehog-backend
+        image: "edgehogdevicemanager/edgehog-backend:{{ .Values.backend.version }}"
+        ports:
+        - containerPort: 4000
+          name: http
+          protocol: TCP
+        volumes:
+        - name: admin-public-key
+          secret:
+            secretName: edgehog-admin-api-public-key
+            items:
+            - key: admin_public.pem
+              path: admin_public.pem
+        env:
+        - name: DATABASE_SSL_VERIFY
+          value: "true"
+        - name: DATABASE_USE_OS_CERTS
+          value: "true"
+        - name: DATABASE_ENABLE_SSL
+          value: {{ .Values.database.enableSsl | quote }}
+        - name: SEEDS_ASTARTE_BASE_API_URL
+          value: {{ .Values.astarte.apiDomain | default "http://api.astarte.customdomain.com" | quote }}
+        - name: SEEDS_REALM
+          value: {{ .Values.astarte.realm | default "test" | quote }}
+        - name: SEEDS_REALM_PRIVATE_KEY_FILE
+          value: {{ .Values.astarte.realmPrivateKeyFile | default "../test_private.pem" | quote }}
+        - name: SEEDS_TENANT_PRIVATE_KEY_FILE
+          value: {{ .Values.astarte.tenantPrivateKeyFile | default "../acme_private.pem" | quote }}
+        - name: RELEASE_NAME
+          value: edgehog
+        - name: PORT
+          value: "4000"
+        - name: URL_HOST
+          value: {{ .Values.backend.host | quote }}
+        - name: DATABASE_HOSTNAME
+          value: {{ .Values.database.hostname | quote }}
+        - name: DATABASE_NAME
+          value: {{ .Values.database.name | quote }}
+        - name: DATABASE_USERNAME
+          valueFrom:
+            secretKeyRef:
+              key: username
+              name: {{ .Values.database.secretName | quote }}
+        - name: DATABASE_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              key: password
+              name: {{ .Values.database.secretName | quote }}
+        - name: SECRET_KEY_BASE
+          valueFrom:
+            secretKeyRef:
+              key: secret-key-base
+              name: edgehog-secret-key-base
+        - name: MAX_UPLOAD_SIZE_BYTES
+          value: {{ .Values.backend.maxUploadSizeBytes | default "4294967296" | quote }}
+        {{- if eq .Values.s3.provider "minio" }}
+        - name: S3_ACCESS_KEY_ID
+          valueFrom:
+            secretKeyRef:
+              name: edgehog-minio-connection
+              key: minio-root-user
+        - name: S3_SECRET_ACCESS_KEY
+          valueFrom:
+            secretKeyRef:
+              name: edgehog-minio-connection
+              key: minio-root-password
+        {{- else if eq .Values.s3.provider "gcp" }}
+        - name: S3_GCP_CREDENTIALS
+          valueFrom:
+            secretKeyRef:
+              key: gcp-credentials
+              name: edgehog-s3-credentials
+        - name: S3_SCHEME
+          value: {{ .Values.s3.scheme | default "http" | quote }}
+        - name: S3_HOST
+          value: {{ .Values.s3.host | quote }}
+        - name: S3_PORT
+          value: {{ .Values.s3.port | quote }}
+        - name: S3_BUCKET
+          value: {{ .Values.s3.bucket | quote }}
+        - name: S3_ASSET_HOST
+          value: {{ .Values.s3.assetHost | quote }}
+        - name: S3_REGION
+          value: {{ .Values.s3.region | quote }}
+        {{- end }}
+        - name: EDGEHOG_FORWARDER_HOSTNAME
+          value: {{ .Values.deviceForwarder.host | quote }}
+        - name: EDGEHOG_FORWARDER_PORT
+          value: {{ .Values.deviceForwarder.port | default "443" | quote }}
+        - name: EDGEHOG_FORWARDER_SECURE_SESSIONS
+          value: {{ .Values.deviceForwarder.secureSessions | default "true" | quote }}
+        {{- if .Values.enabledSecrets.ipbase }}
+        - name: IPBASE_API_KEY
+         valueFrom:
+           secretKeyRef:
+             key: api-key
+             name: edgehog-ipbase-credentials
+        {{- end }}
+        {{- if .Values.enabledSecrets.googleGeolocation }}
+        - name: GOOGLE_GEOCODING_API_KEY
+          valueFrom:
+            secretKeyRef:
+              key: api-key
+              name: edgehog-google-geocoding-credentials
+        {{- end }}
+        {{- if .Values.enabledSecrets.googleGeocoding }}
+        - name: GOOGLE_GEOLOCATION_API_KEY
+          valueFrom:
+            secretKeyRef:
+              key: api-key
+              name: edgehog-google-geolocation-credentials
+        {{- end }}

chart/templates/backend-service.yaml

@@ -0,0 +1,32 @@
+# This file is part of Edgehog.
+#
+# Copyright 2026 SECO Mind Srl
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app: edgehog-backend
+  name: edgehog-backend
+  namespace: {{ .Values.namespace | default "edgehog" }}
+spec:
+  ports:
+  - port: 4000
+    protocol: TCP
+    targetPort: 4000
+  selector:
+    app: edgehog-backend