diff --git a/.github/workflows/helm-chart.yml b/.github/workflows/helm-chart.yml
new file mode 100644
index 0000000..a8a1447
--- /dev/null
+++ b/.github/workflows/helm-chart.yml
@@ -0,0 +1,56 @@
+name: Helm Chart CI
+
+on:
+ push:
+ branches:
+ - master
+ pull_request:
+ types: [opened, synchronize, reopened]
+
+jobs:
+ build:
+ runs-on: ubuntu-latest
+ strategy:
+ matrix:
+ include:
+ - env:
+ IMAGE_EDITION: community
+ - env:
+ IMAGE_EDITION: developer
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Set yaml value change dict with random generated secrets
+ run: |
+ echo "VALUE_CHANGES={\"[0].data.sonar_db_password\":\"$(echo ${RANDOM} | md5sum | head -c 16 | base64)\",\"[0].data.postgres_db_password\":\"$(echo ${RANDOM} | base64)\",\"[1].data.SONARQUBE_USERNAME\":\"$(echo admin | base64)\",\"[1].data.SONARQUBE_PASSWORD\":\"$(echo ${RANDOM} | md5sum | head -c 16 | base64)\"}" >> $GITHUB_ENV
+
+ - name: Update values.yaml
+ uses: fjogeleit/yaml-update-action@v0.15.0
+ with:
+ valueFile: "helm/deploy-ci.yaml"
+ commitChange: false
+ changes: ${{ env.VALUE_CHANGES }}
+
+ - name: Start minikube
+ uses: medyagh/setup-minikube@latest
+ with:
+ driver: docker
+ container-runtime: containerd
+ timeout-minutes: 2
+
+ - name: Build and run chart
+ run: |
+ docker build --build-arg="IMAGE_EDITION=${{ matrix.env.IMAGE_EDITION }}" -t ci .
+ eval $(minikube -p minikube docker-env)
+ kubectl apply -f helm/deploy-ci.yaml
+ helm dependency build helm
+ helm upgrade --install --render-subchart-notes ictu-sonarqube helm
+
+ - name: Wait for Sonar instance to start
+ # profile for language 'web' is the last; assume everything is working if we got this far
+ run: |
+ eval $(minikube -p minikube docker-env)
+ kubectl wait --all pods --timeout=4m --for=condition=Ready
+ kubectl wait --all deployments --timeout=30s --for=condition=Available
+ kubectl logs -f pod/ictu-sonarqube-sonarqube-0 |& sed "/Current profile for language 'web' is 'Sonar way'/ q"
+ timeout-minutes: 5
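Review bot: The values produced in the "Set yaml value change dict" step are not random in any useful sense: `${RANDOM}` is a 15-bit number, so piping it through md5sum/base64 still yields at most 32768 distinct passwords, and `echo ${RANDOM} | base64` and `echo admin | base64` encode the trailing newline, so `postgres_db_password` and `SONARQUBE_USERNAME` decode to values ending in `\n`. For a throwaway minikube this may be tolerable, but the step name promises random secrets; `$(openssl rand -hex 8 | tr -d '\n' | base64)` for the passwords and `$(printf '%s' admin | base64)` for the username would give real entropy and exact values. Separately, `medyagh/setup-minikube@latest` is a floating tag, so pinning it (and ideally the other two actions) to a commit SHA would make the job reproducible, and the workflow declares no `permissions:` block, so the job token receives the repository default instead of the `contents: read` this job needs.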
diff --git a/helm/Chart.yaml b/helm/Chart.yaml
new file mode 100644
index 0000000..1456e99
--- /dev/null
+++ b/helm/Chart.yaml
@@ -0,0 +1,15 @@
+---
+apiVersion: v2
+name: ictu-sonarqube
+version: 1.0.0
+appVersion: "10.5.1"
+description: A SonarQube helm chart with plugins, profiles and config used at ICTU
+type: application
+home: https://github.com/ICTU/sonar
+dependencies:
+ - name: postgresql
+ version: 15.2.2 # appVersion 16.2.0
+ repository: https://charts.bitnami.com/bitnami # TODO - 3rd party helm chart or postgres docker container? NB: sonar defines bitnami postgres 10.15.0 as a dependency
+ - name: sonarqube
+ version: 10.5.1
+ repository: https://SonarSource.github.io/helm-chart-sonarqube
diff --git a/helm/deploy-ci.yaml b/helm/deploy-ci.yaml
new file mode 100644
index 0000000..b169391
--- /dev/null
+++ b/helm/deploy-ci.yaml
@@ -0,0 +1,24 @@
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: sonarqube-postgresql-secret
+ labels:
+ app: sonarqube
+ release: sonarqube
+data:
+ sonar_db_password: ""
+ postgres_db_password: ""
+type: Opaque
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: sonarqube-sonarqube-secret
+ labels:
+ app: sonarqube
+ release: sonarqube
+data:
+ SONARQUBE_USERNAME: ""
+ SONARQUBE_PASSWORD: ""
+type: Opaque
diff --git a/helm/templates/sonarqube-env-vars-configmap.yaml b/helm/templates/sonarqube-env-vars-configmap.yaml
new file mode 100644
index 0000000..30e877f
--- /dev/null
+++ b/helm/templates/sonarqube-env-vars-configmap.yaml
@@ -0,0 +1,14 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ .Release.Name }}-sonarqube-env-vars
+ labels:
+ app: sonarqube
+ chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+ release: {{ .Release.Name }}
+ heritage: {{ .Release.Service }}
+data:
+{{- range $key, $val := .Values.env_vars }}
+ {{ $key }}: "{{ $val }}"
+{{- end }}
diff --git a/helm/values.yaml b/helm/values.yaml
new file mode 100644
index 0000000..9169d50
--- /dev/null
+++ b/helm/values.yaml
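Review bot: Both dependencies in Chart.yaml are pinned to exact versions, but no `Chart.lock` appears in this diff, and the workflow runs `helm dependency build helm`, which without a lock file falls back to resolving the dependencies afresh instead of verifying the recorded digests. Committing the lock file produced by `helm dependency update` would make the fetched subcharts reproducible across CI runs. The `# TODO` on the bitnami repository line reads as an open design question; it would help a reader to note there that `sonarqube.postgresql.enabled` is set to `false` in values.yaml, which is why a separate postgresql chart is pulled in.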
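Review bot: Both Secrets in deploy-ci.yaml use `data:`, which forces every CI-supplied value to be base64-encoded by hand in the workflow; declaring the placeholders under `stringData:` instead lets the workflow write plain values and Kubernetes performs the encoding. The placeholders are `""`, so if the update step is skipped or its key paths stop matching, Secrets with empty passwords are applied without any error; a non-empty sentinel or a `test -n` check in the workflow before `kubectl apply` would catch that. The `release: sonarqube` label does not match the `ictu-sonarqube` release name used by the helm upgrade step; presumably harmless, since nothing visible selects on it.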
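Review bot: `{{ $key }}: "{{ $val }}"` in the range body of sonarqube-env-vars-configmap.yaml produces invalid YAML as soon as a value contains a double quote or backslash; `{{ $key }}: {{ $val | quote }}` escapes the value and still keeps number- or boolean-looking values as strings. `.Values.env_vars` is not declared in this commit's values.yaml, so the ConfigMap renders empty unless a caller supplies the map; adding `env_vars: {}` to values.yaml documents the hook. The ConfigMap is named `{{ .Release.Name }}-sonarqube-env-vars`, while values.yaml lists the hard-coded `ictu-sonarqube-sonarqube-env-vars` under `extraConfig.configmaps` (and embeds the same release name in `jdbcUrl`), so installing under any other release name leaves those references dangling.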
@@ -0,0 +1,69 @@
+---
+secrets:
+ dbCredential: &dbCredential "sonarqube-postgresql-secret"
+ sonarCredential: &sonarCredential "sonarqube-sonarqube-secret"
+
+settings:
+ sonar.core.serverBaseURL: "test.local"
+ sonar.forceAuthentication: false
+
+postgresql:
+ audit:
+ logTimezone: "Europe/Amsterdam"
+ auth:
+ username: sonar
+ database: sonar
+ existingSecret: *dbCredential
+ secretKeys:
+ userPasswordKey: sonar_db_password
+ adminPasswordKey: postgres_db_password
+ primary:
+ persistence:
+ size: 1Gi
+ extraVolumes:
+ - name: tz-config
+ hostPath:
+ path: /etc/localtime
+ extraVolumeMounts:
+ - name: tz-config
+ mountPath: /etc/localtime
+
+sonarqube:
+ image:
+ repository: ictu/sonar
+ tag: "10.5.1"
+ pullPolicy: IfNotPresent
+ jdbcOverwrite:
+ enable: true
+ jdbcUrl: jdbc:postgresql://ictu-sonarqube-postgresql:5432/sonar?socketTimeout=1500
+ jdbcUsername: sonar
+ jdbcSecretName: *dbCredential
+ jdbcSecretPasswordKey: sonar_db_password
+ nginx:
+ enabled: false
+ postgresql:
+ enabled: false
+ initSysctl:
+ enabled: false
+ initFs:
+ enabled: false
+ ingress:
+ enabled: false
+
+ env:
+ - name: SONARQUBE_USERNAME
+ valueFrom:
+ secretKeyRef:
+ name: *sonarCredential
+ key: SONARQUBE_USERNAME
+ optional: true
+ - name: SONARQUBE_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: *sonarCredential
+ key: SONARQUBE_PASSWORD
+ optional: true
+
+ extraConfig:
+ configmaps:
+ - ictu-sonarqube-sonarqube-env-vars
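Review bot: `settings.sonar.forceAuthentication: false` switches off the login requirement, so any unauthenticated client can browse projects and issues on an instance deployed with these defaults; recent SonarQube versions default this to `true`, and keeping `sonar.forceAuthentication: true` here while overriding it only in the CI values (if the tests need anonymous access) would make the chart safe by default. The `postgresql.primary` block also mounts `hostPath: /etc/localtime` into the database pod, which the baseline Pod Security Standard already forbids and which many clusters block outright; since `audit.logTimezone` is set a few lines above, the mount may be redundant — worth confirming against the bitnami chart. `sonar.core.serverBaseURL: "test.local"` has no scheme, whereas SonarQube expects a full URL for this setting; presumably a placeholder, but a comment saying so would help the next reader.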