diff --git a/wekan/Chart.yaml b/wekan/Chart.yaml
new file mode 100644
index 0000000..0a1c1ac
--- /dev/null
+++ b/wekan/Chart.yaml
@@ -0,0 +1,28 @@
+apiVersion: v2
+name: wekan
+description: A Helm chart for Kubernetes
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.1.0
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+appVersion: "1.0"
+
+dependencies:
+- name: wekan
+ version: 7.92.0
+ repository: https://wekan.github.io/charts/
\ No newline at end of file
diff --git a/wekan/templates/_helpers.tpl b/wekan/templates/_helpers.tpl
new file mode 100644
index 0000000..680af16
--- /dev/null
+++ b/wekan/templates/_helpers.tpl
@@ -0,0 +1,12 @@
+{{- define "wekan.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
\ No newline at end of file
diff --git a/wekan/templates/configmap.yaml b/wekan/templates/configmap.yaml
new file mode 100644
index 0000000..b66f0c3
--- /dev/null
+++ b/wekan/templates/configmap.yaml
@@ -0,0 +1,12 @@
+{{ if .Values.configMapsManaged }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ template "wekan.fullname" $ }}-config
+data:
+{{- range $key := .Values.configMapEnv -}}
+{{ if $key.value }}
+{{ $key.name | indent 2 }}: {{ $key.value | toString | quote }}
+{{- end }}
+{{- end }}
+{{ end }}
\ No newline at end of file
diff --git a/wekan/templates/externalsecret.yaml b/wekan/templates/externalsecret.yaml
new file mode 100644
index 0000000..a7c84b7
--- /dev/null
+++ b/wekan/templates/externalsecret.yaml
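Review bot: In wekan/templates/configmap.yaml the guard `{{ if $key.value }}` drops every entry whose value is falsy, so an unquoted `value: false` or `value: 0` under `configMapEnv` would be left out of the ConfigMap without any error instead of being rendered as a string. For a flag such as `OAUTH2_ENABLED` that means an attempt to switch the setting off can silently leave the application on its built-in default. Testing for the key rather than its truthiness, `{{- if hasKey $key "value" }}`, keeps the existing `toString | quote` rendering for every declared entry. A short comment above the `range` stating that all values are emitted as quoted strings would document the intent.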
@@ -0,0 +1,31 @@
+{{- if .Values.externalSecretsManaged }}
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+ name: {{ include "wekan.fullname" . }}-extsecret
+spec:
+ data:
+ {{- if .Values.externalSecrets.secrets }}
+ {{- range $key := .Values.externalSecrets.secrets }}
+ {{- if $key.keyName }}
+ - secretKey: {{ $key.secretKeyName }}
+ remoteRef:
+ conversionStrategy: Default
+ decodingStrategy: None
+ key: {{ $key.keyName }}
+ metadataPolicy: None
+ property: {{ $key.property }}
+ {{- end }}
+ {{- end }}
+ {{- else }}
+ {{- fail "externalSecrets.secrets must be defined when externalSecretsManaged is true" }}
+ {{- end }}
+ refreshInterval: 1h
+ secretStoreRef:
+ kind: {{ .Values.externalSecrets.secretStore.kind }}
+ name: {{ .Values.externalSecrets.secretStore.name }}
+ target:
+ creationPolicy: Owner
+ deletionPolicy: Retain
+ name: {{ .Values.externalSecrets.targetSecretName }}
+{{- end }}
\ No newline at end of file
diff --git a/wekan/values.yaml b/wekan/values.yaml
new file mode 100644
index 0000000..ab30dcc
--- /dev/null
+++ b/wekan/values.yaml
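Review bot: In wekan/templates/externalsecret.yaml an entry without `keyName` is skipped silently, and `secretKeyName` and `property` are rendered unquoted and unchecked, so a typo in the values produces an ExternalSecret with a missing or null field rather than a render-time error. The existing `fail` only covers an empty `secrets` list. Making the fields mandatory and quoted would surface the mistake early, for example `- secretKey: {{ required "externalSecrets.secrets[].secretKeyName is required" $key.secretKeyName | quote }}`, with the same pattern for `key`. Separately, `deletionPolicy: Retain` deserves a comment: as I read the External Secrets semantics, it keeps the target Secret when the provider entry is deleted, so a revoked OAuth client secret would stay available in the cluster until someone removes it by hand.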
@@ -0,0 +1,63 @@
+externalSecretsManaged: true
+externalSecrets:
+ targetSecretName: wekan-secrets
+ secrets:
+ - keyName: wekan
+ secretKeyName: OAUTH2_CLIENT_ID
+ property: client_id
+ - keyName: wekan
+ secretKeyName: OAUTH2_SECRET
+ property: secret
+ secretStore:
+ kind: ClusterSecretStore
+ name: weyma-vault
+configMapsManaged: true
+configMapEnv:
+ - name: OAUTH2_ENABLED
+ value: "true"
+ - name: OAUTH2_LOGIN_STYLE
+ value: redirect
+ - name: OAUTH2_SERVER_URL
+ value: https://auth.dubyatp.xyz
+ - name: OAUTH2_AUTH_ENDPOINT
+ value: /application/o/authorize/
+ - name: OAUTH2_USERINFO_ENDPOINT
+ value: /application/o/userinfo/
+ - name: OAUTH2_TOKEN_ENDPOINT
+ value: /application/o/token/
+ - name: OAUTH2_ID_MAP
+ value: sub
+ - name: OAUTH2_USERNAME_MAP
+ value: email
+ - name: OAUTH2_FULLNAME_MAP
+ value: given_name
+ - name: OAUTH2_EMAIL_MAP
+ value: email
+wekan:
+ endpoint: wekan.dubyatp.xyz
+ root_url: https://wekan.dubyatp.xyz
+ secretManaged: false
+ podAnnotations:
+ backup.velero.io/backup-volumes: shared-data-volume
+ sharedDataFolder:
+ accessMode: ReadWriteMany
+ extraEnvFrom: |
+ - configMapRef:
+ name: wekan-config
+ - secretRef:
+ name: wekan-secrets
+ ingress:
+ enabled: true
+ path: /
+ pathtype: ImplementationSpecific
+ hosts:
+ - wekan.dubyatp.xyz
+ tls:
+ - secretName: cert-dubyatp-xyz
+ hosts:
+ - wekan.dubyatp.xyz
+ mongodb:
+ updateStrategy:
+ type: Recreate
+ podAnnotations:
+ backup.velero.io/backup-volumes: datadir
\ No newline at end of file
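Review bot: `wekan.extraEnvFrom` in wekan/values.yaml hard-codes the name `wekan-config`, while configmap.yaml names the ConfigMap `{{ template "wekan.fullname" $ }}-config`, which equals `wekan-config` only when the release is named exactly `wekan`. Under any other release name the `configMapRef` points at an object that does not exist, so the OAuth2 settings are not injected and the pod presumably fails to start, depending on how the subchart renders `extraEnvFrom`. Setting `fullnameOverride: wekan` at the top level of this file, or adding a comment beside `extraEnvFrom` that the chart must be installed as release `wekan`, would make the coupling explicit. The `secretRef` name `wekan-secrets` has the same hidden dependency on `externalSecrets.targetSecretName` and would benefit from the same comment.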