diff --git a/.github/workflows/helm.yaml b/.github/workflows/helm.yaml
new file mode 100644
index 0000000..94a5795
--- /dev/null
+++ b/.github/workflows/helm.yaml
@@ -0,0 +1,57 @@
+name: Deploy with Helm
+
+on:
+ push:
+ branches:
+ - main
+ workflow_dispatch:
+
+jobs:
+ build:
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v2
+
+ - id: 'auth'
+ uses: 'google-github-actions/auth@v1'
+ with:
+ credentials_json: '${{ secrets.GOOGLE_CREDENTIALS }}'
+
+ - name: 'Set up Cloud SDK'
+ uses: 'google-github-actions/setup-gcloud@v1'
+ - name: Configure kubectl
+ run: |
+ gcloud components install gke-gcloud-auth-plugin
+ gcloud config set project ${{ secrets.PROJECT_ID }}
+ gcloud config set compute/zone ${{ secrets.COMPUTE_ZONE }}
+ gcloud container clusters get-credentials ${{ secrets.CLUSTER_NAME }}
+
+ - name: 'Set up Helm'
+ uses: 'Azure/setup-helm@v1'
+ with:
+ version: 'v3.12.0'
+
+ - name: "Deploy eoAPI Helm Chart"
+ run: |
+ helm upgrade --install --namespace ifrc-eoapi-risk --create-namespace \
+ --repo https://devseed.com/eoapi-k8s/ \
+ -f deploy/helm/eoapi/values.yaml ifrc-eoapi-risk eoapi \
+ --version 0.1.12 \
+ --set db.settings.secrets.PGPASSWORD="${{ secrets.PGPASSWORD }}" \
+ --set db.settings.secrets.POSTGRES_PASSWORD="${{ secrets.PGPASSWORD }}"
+
+ - name: "Deploy JupyterHub"
+ run: |
+ helm upgrade --cleanup-on-fail \
+ --repo https://hub.jupyter.org/helm-chart/ \
+ --install ifrc-eoapi-risk-jupyterhub jupyterhub \
+ --namespace ifrc-eoapi-risk \
+ --create-namespace \
+ --version=3.1.0 \
+ --values deploy/helm/jupyterhub/values.yaml
+ --set hub.config.GitHubOAuthenticator.client_secret="${{ secrets.GH_CLIENT_SECRET }}"
+
+ - name: Create contacts configmap
+ run: kubectl apply -f deploy/k8s/project-contact.yaml --namespace ifrc-eoapi-risk
diff --git a/deploy/helm/eoapi/values.yaml b/deploy/helm/eoapi/values.yaml
new file mode 100644
index 0000000..3a8dfc2
--- /dev/null
+++ b/deploy/helm/eoapi/values.yaml
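Review bot: In `.github/workflows/helm.yaml`, the "Deploy JupyterHub" step's line `--values deploy/helm/jupyterhub/values.yaml` has no trailing `\`, so the shell ends the `helm upgrade` command there and runs `--set hub.config.GitHubOAuthenticator.client_secret=...` as a separate command. The release is then installed with the empty `client_secret: ""` from the values file and the step is expected to fail afterwards on the unknown command; the line should read `--values deploy/helm/jupyterhub/values.yaml \`. Separately, each `${{ secrets.* }}` in the `run:` blocks is substituted into the script text before the shell parses it, so a value containing a quote or `$` can break or alter the command. Mapping the secrets through the step's `env:` and referencing `"$PGPASSWORD"` and `"$GH_CLIENT_SECRET"` keeps them out of the script text. The `uses:` references (`actions/checkout@v2`, `google-github-actions/auth@v1`, `Azure/setup-helm@v1`) are mutable tags in a job that holds a service-account key and sets no `permissions:`, so pinning them to commit SHAs and adding a `permissions:` block with `contents: read` would limit what a changed action can reach.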
@@ -0,0 +1,38 @@
+db:
+ settings:
+ secrets:
+ PGUSER: "dbuser"
+ POSTGRES_USER: "dbuser"
+ PGPASSWORD: ""
+ POSTGRES_PASSWORD: ""
+ resources:
+ requests:
+ storage: "100Mi"
+ cpu: "212m"
+ memory: "512Mi"
+ limits:
+ cpu: "212m"
+ memory: "512Mi"
+
+raster:
+ enabled: true
+ image:
+ name: ghcr.io/stac-utils/titiler-pgstac
+ tag: uvicorn-0.6.0
+ settings:
+ resources:
+ limits:
+ cpu: "500m"
+ memory: "512Mi"
+ requests:
+ cpu: "256m"
+ memory: "512Mi"
+
+ingress:
+ host: eoapi.ifrc-risk.k8s.labs.ds.io
+ tls:
+ enabled: true
+ secretName: eoapi-tls
+ certManager: true
+ certManagerIssuer: letsencrypt-prod
+ cerrtManagerEmail: tarashish@developmentseed.org
diff --git a/deploy/helm/jupyterhub/values.yaml b/deploy/helm/jupyterhub/values.yaml
new file mode 100644
index 0000000..c6bed02
--- /dev/null
+++ b/deploy/helm/jupyterhub/values.yaml
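Review bot: In `deploy/helm/eoapi/values.yaml`, the last key under `ingress.tls` is spelled `cerrtManagerEmail`, which does not match its siblings `certManager` and `certManagerIssuer`. The chart presumably reads `certManagerEmail`, in which case this value is silently ignored and the issuer is created without the contact address; the line should read `certManagerEmail: tarashish@developmentseed.org`. `PGPASSWORD: ""` and `POSTGRES_PASSWORD: ""` only get real values from the workflow's `--set` flags, so a comment such as `# overridden at deploy time via --set; never deploy with the empty default` above them would make that dependency visible to anyone running `helm upgrade` by hand.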
@@ -0,0 +1,73 @@
+singleuser:
+ # Base image used for spawning user's notebook servers
+ image:
+ name: jupyter/minimal-notebook
+ tag: latest
+ cmd: null
+
+ # Resource allocation per user
+ memory:
+ limit: 1G
+ guarantee: 1G
+ cpu:
+ limit: 0.5
+ guarantee: 0.5
+ storage:
+ extraVolumes:
+ - name: shm-volume
+ emptyDir:
+ medium: Memory
+ extraVolumeMounts:
+ - name: shm-volume
+ mountPath: /dev/shm
+ capacity: 50Gi
+
+ # Culling idle servers
+ extraFiles:
+ # jupyter_notebook_config reference: https://jupyter-notebook.readthedocs.io/en/stable/config.html
+ jupyter_notebook_config.json:
+ mountPath: /etc/jupyter/jupyter_notebook_config.json
+ # data is a YAML structure here but will be rendered to JSON file as our
+ # file extension is ".json".
+ data:
+ MappingKernelManager:
+ # cull_idle_timeout: timeout (in seconds) after which an idle kernel is
+ # considered ready to be culled
+ cull_idle_timeout: 1200 # default: 0
+
+ # cull_interval: the interval (in seconds) on which to check for idle
+ # kernels exceeding the cull timeout value
+ cull_interval: 120 # default: 300
+
+ # cull_connected: whether to consider culling kernels which have one
+ # or more connections
+ cull_connected: true # default: false
+
+ # cull_busy: whether to consider culling kernels which are currently
+ # busy running some code
+ cull_busy: false # default: false
+
+hub:
+ config:
+ GitHubOAuthenticator:
+ client_id: 80a37fd680d7d7095d58
+ client_secret: ""
+ oauth_callback_url: https://jupyter.ifrc-risk.k8s.labs.ds.io/hub/oauth_callback
+ allowed_organizations:
+ - developmentseed
+ scope:
+ - read:org
+ JupyterHub:
+ authenticator_class: github
+
+ingress:
+ enabled: true
+ hosts:
+ - jupyter.ifrc-risk.k8s.labs.ds.io
+ annotations:
+ kubernetes.io/ingress.class: nginx
+ cert-manager.io/issuer: letsencrypt-prod
+ tls:
+ - hosts:
+ - jupyter.ifrc-risk.k8s.labs.ds.io
+ secretName: jupyterhub-tls
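Review bot: In `deploy/helm/jupyterhub/values.yaml`, `singleuser.image.tag: latest` means each user server runs whatever `jupyter/minimal-notebook` currently resolves to, so the code running in the cluster can change without any commit in this repository. Pinning to a dated release tag or an image digest, for example `tag: "<pinned-release-tag>"` (placeholder, to be chosen by the maintainers), makes deployments reproducible and reviewable. `client_id: 80a37fd680d7d7095d58` is a plain scalar and would be better quoted, since an identifier made only of digits or shaped like `12e5` would be read as a number. A comment above `client_secret: ""` such as `# supplied at deploy time by the workflow; leave empty here` would document where the real value comes from.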
diff --git a/deploy/k8s/project-contact.yaml b/deploy/k8s/project-contact.yaml
new file mode 100644
index 0000000..89b4809
--- /dev/null
+++ b/deploy/k8s/project-contact.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: ifrc-eoapi-risk-contacts
+data:
+ project: ifrc-eoapi-risk
+ repo: "github.com/developmentseed/eoapi-risk"
+ contacts: |
+ - name: Sanjay Bhangar
+ email: sanjay@developmentseed.org
+ slack: batpad
+ - name: Tarashish Mishra
+ email: tarashish@developmentseed.org
+ slack: tarashish
\ No newline at end of file