diff --git a/k8s/HELM.md b/k8s/HELM.md
new file mode 100644
index 0000000000..726e0ca50a
--- /dev/null
+++ b/k8s/HELM.md
@@ -0,0 +1,428 @@
+# Chart Overview
+### Chart structure explanation
+Here is the file tree structure:
+
+```
+dinfochart/
+├── charts
+├── Chart.yaml
+├── templates
+│   ├── deployment.yaml
+│   ├── _helpers.tpl
+│   ├── hooks
+│   │   ├── post-install-job.yaml
+│   │   └── pre-install-job.yaml
+│   ├── NOTES.txt
+│   └── service.yaml
+├── values-dev.yaml
+├── values-prod.yaml
+└── values.yaml
+```
+
+### Key template files and their purpose
+- `_helpers.tpl`: defines helpful values for templates
+- `deployment.yaml`: defines the structure for the k8s deployment
+- `service.yaml`: defines the structure for the k8s service
+
+### Values organization strategy
+We extract the values or blocks that we would like to be configurable from the `.yaml` files into `values.yaml`,
+preserving the original names for clarity.
+
+# Configuration Guide
+### Important values and their purpose
+
+- `replicaCount`: number of pods that will be run.
+- `image`: the information about which image to pull (name, tag)
+- `service`: configuration for the reverse proxy
+- `resources`: limits and reservations for memory and CPU time
+- `livenessProbe`: command for checking the responsiveness of a container
+- `readinessProbe`: command for checking the health of a container
+
+### How to customize for different environments
+We define another value file with overrides and later supply it in the command:
+
+```bash
+helm install myapp-dev k8s/mychart -f k8s/mychart/values-dev.yaml
+```
+
+Or specify overrides right in the command line:
+```bash
+helm install myapp k8s/mychart --set replicaCount=10
+```
+
+### Example installations with different configurations
+As shown in the lab material:
+```bash
+# Development
+helm install myapp-dev k8s/mychart -f k8s/mychart/values-dev.yaml
+
+# Production
+helm install myapp-prod k8s/mychart -f k8s/mychart/values-prod.yaml
+
+# Override specific value
+helm install myapp k8s/mychart --set replicaCount=10
+```
+
+# Hook Implementation
+### What hooks you implemented and why
+I implemented the pre-install hook and the post-install one. I did that because it was prescribed by the lab.
+
+### Hook execution order and weights
+Hook         | Order  | Weight
+------------------------------
+Pre-install  | Before | -5
+Post-install | After  | 5
+
+### Deletion policies explanation
+It allows to set a rule that dictates when the executed hook jobs will be deleted. `before-hook-creation` means right
+before the hook is run, its previous invokation will be deleted. `hook-succeeded` and `hook-failed` delete the hook
+immediately after it succeeds or fails (respectively).
+
+# Installation Evidence
+### `helm list` output
+```text
+NAME     	NAMESPACE	REVISION	UPDATED                               	STATUS  	CHART           	APP VERSION
+myrelease	default  	1       	2026-04-02 18:01:48.36966193 +0300 MSK	deployed	dinfochart-0.1.0	1.1.1      
+```
+
+### `kubectl get all` showing deployed resources
+```text
+NAME                                        READY   STATUS    RESTARTS   AGE
+pod/myrelease-dinfochart-5b67fb98d9-2jk9d   1/1     Running   0          22m
+pod/myrelease-dinfochart-5b67fb98d9-8c448   1/1     Running   0          22m
+pod/myrelease-dinfochart-5b67fb98d9-fq5mz   1/1     Running   0          22m
+pod/myrelease-dinfochart-5b67fb98d9-v5zjk   1/1     Running   0          22m
+pod/myrelease-dinfochart-5b67fb98d9-wtx52   1/1     Running   0          22m
+
+NAME                           TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)        AGE
+service/kubernetes             ClusterIP   10.96.0.1       <none>        443/TCP        9d
+service/myrelease-dinfochart   NodePort    10.102.118.72   <none>        80:30952/TCP   22m
+
+NAME                                   READY   UP-TO-DATE   AVAILABLE   AGE
+deployment.apps/myrelease-dinfochart   5/5     5            5           22m
+
+NAME                                              DESIRED   CURRENT   READY   AGE
+replicaset.apps/myrelease-dinfochart-5b67fb98d9   5         5         5       22m
+```
+### Hook execution output (`kubectl get jobs`, `kubectl describe job`)
+As per the deletion policy, the hook jobs get deleted after they run and succeed, which is my case. These commands
+report errors because there are no jobs to inspect.
+
+### Different environment deployments (dev vs prod)
+`dev` is for testing the latest changes (with the `latest` tag, plenty of resources).
+
+`prod` is for deployment on a real cluster (with a fixed version and limited resources).
+
+# Operations
+### Installation commands used
+```text
+helm install <name> <what to install> [-f <value overrides>]
+```
+
+### How to upgrade a release
+```bash
+helm upgrade myrelease ./mychart
+```
+
+### How to rollback
+```bash
+helm rollback myrelease 1
+```
+
+### How to uninstall
+```bash
+helm uninstall myrelease
+```
+
+# Testing & Validation
+### `helm lint` output
+```text
+==> Linting dinfochart/
+[INFO] Chart.yaml: icon is recommended
+
+1 chart(s) linted, 0 chart(s) failed
+```
+
+### `helm template` verification
+```yaml
+---
+# Source: dinfochart/templates/service.yaml
+apiVersion: v1
+kind: Service
+metadata:
+  name: release-name-dinfochart
+  labels:
+    helm.sh/chart: dinfochart-0.1.0
+    app.kubernetes.io/name: dinfochart
+    app.kubernetes.io/instance: release-name
+    app.kubernetes.io/version: "1.1.1"
+    app.kubernetes.io/managed-by: Helm
+spec:
+  type: NodePort
+  selector:
+    app.kubernetes.io/name: dinfochart
+    app.kubernetes.io/instance: release-name
+  ports:
+    - protocol: TCP
+      port: 80
+      targetPort: 5000
+---
+# Source: dinfochart/templates/deployment.yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: release-name-dinfochart
+  labels:
+    helm.sh/chart: dinfochart-0.1.0
+    app.kubernetes.io/name: dinfochart
+    app.kubernetes.io/instance: release-name
+    app.kubernetes.io/version: "1.1.1"
+    app.kubernetes.io/managed-by: Helm
+spec:
+  replicas: 5
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: dinfochart
+      app.kubernetes.io/instance: release-name
+  strategy:
+    type: RollingUpdate
+    rollingUpdate:
+      maxSurge: 1        # Extra pods during update
+      maxUnavailable: 0  # Ensure availability
+  template:
+    metadata:
+      labels:
+        helm.sh/chart: dinfochart-0.1.0
+        app.kubernetes.io/name: dinfochart
+        app.kubernetes.io/instance: release-name
+        app.kubernetes.io/version: "1.1.1"
+        app.kubernetes.io/managed-by: Helm
+    spec:
+      containers:
+        - name: dinfochart
+          image:  "timurusmanov/devops-infoservice:1.1.1"
+          ports:
+          - containerPort: 80
+          resources:
+            limits:
+              cpu: 200m
+              memory: 256Mi
+            requests:
+              cpu: 100m
+              memory: 128Mi
+          livenessProbe:
+            httpGet:
+              path: /health
+              port: 5000
+            initialDelaySeconds: 10
+            periodSeconds: 5
+          readinessProbe:
+            httpGet:
+              path: /health
+              port: 5000
+            initialDelaySeconds: 5
+            periodSeconds: 3
+---
+# Source: dinfochart/templates/hooks/post-install-job.yaml
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: 'release-name-dinfochart-post-install'
+  labels:
+    helm.sh/chart: dinfochart-0.1.0
+    app.kubernetes.io/name: dinfochart
+    app.kubernetes.io/instance: release-name
+    app.kubernetes.io/version: "1.1.1"
+    app.kubernetes.io/managed-by: Helm
+  annotations:
+    "helm.sh/hook": post-install
+    "helm.sh/hook-weight": "5"
+    "helm.sh/hook-delete-policy": hook-succeeded
+spec:
+  template:
+    metadata:
+      name: 'release-name-dinfochart-post-install'
+    spec:
+      restartPolicy: Never
+      containers:
+      - name: post-install-job
+        image: busybox
+        command: ['sh', '-c', 'echo Post-install validation && sleep 1 && echo Validation passed']
+---
+# Source: dinfochart/templates/hooks/pre-install-job.yaml
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: 'release-name-dinfochart-pre-install'
+  labels:
+    helm.sh/chart: dinfochart-0.1.0
+    app.kubernetes.io/name: dinfochart
+    app.kubernetes.io/instance: release-name
+    app.kubernetes.io/version: "1.1.1"
+    app.kubernetes.io/managed-by: Helm
+  annotations:
+    "helm.sh/hook": pre-install
+    "helm.sh/hook-weight": "-5"
+    "helm.sh/hook-delete-policy": hook-succeeded
+spec:
+  template:
+    metadata:
+      name: 'release-name-dinfochart-pre-install'
+    spec:
+      restartPolicy: Never
+      containers:
+      - name: pre-install-job
+        image: busybox
+        command: ['sh', '-c', 'echo Pre-install task running && sleep 1 && echo Pre-install completed']
+```
+
+### Dry-run output
+```yaml
+NAME: test-release
+LAST DEPLOYED: Thu Apr  2 18:29:57 2026
+NAMESPACE: default
+STATUS: pending-install
+REVISION: 1
+DESCRIPTION: Dry run complete
+TEST SUITE: None
+HOOKS:
+---
+# Source: dinfochart/templates/hooks/post-install-job.yaml
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: 'test-release-dinfochart-post-install'
+  labels:
+    helm.sh/chart: dinfochart-0.1.0
+    app.kubernetes.io/name: dinfochart
+    app.kubernetes.io/instance: test-release
+    app.kubernetes.io/version: "1.1.1"
+    app.kubernetes.io/managed-by: Helm
+  annotations:
+    "helm.sh/hook": post-install
+    "helm.sh/hook-weight": "5"
+    "helm.sh/hook-delete-policy": hook-succeeded
+spec:
+  template:
+    metadata:
+      name: 'test-release-dinfochart-post-install'
+    spec:
+      restartPolicy: Never
+      containers:
+      - name: post-install-job
+        image: busybox
+        command: ['sh', '-c', 'echo Post-install validation && sleep 1 && echo Validation passed']
+---
+# Source: dinfochart/templates/hooks/pre-install-job.yaml
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: 'test-release-dinfochart-pre-install'
+  labels:
+    helm.sh/chart: dinfochart-0.1.0
+    app.kubernetes.io/name: dinfochart
+    app.kubernetes.io/instance: test-release
+    app.kubernetes.io/version: "1.1.1"
+    app.kubernetes.io/managed-by: Helm
+  annotations:
+    "helm.sh/hook": pre-install
+    "helm.sh/hook-weight": "-5"
+    "helm.sh/hook-delete-policy": hook-succeeded
+spec:
+  template:
+    metadata:
+      name: 'test-release-dinfochart-pre-install'
+    spec:
+      restartPolicy: Never
+      containers:
+      - name: pre-install-job
+        image: busybox
+        command: ['sh', '-c', 'echo Pre-install task running && sleep 1 && echo Pre-install completed']
+MANIFEST:
+---
+# Source: dinfochart/templates/service.yaml
+apiVersion: v1
+kind: Service
+metadata:
+  name: test-release-dinfochart
+  labels:
+    helm.sh/chart: dinfochart-0.1.0
+    app.kubernetes.io/name: dinfochart
+    app.kubernetes.io/instance: test-release
+    app.kubernetes.io/version: "1.1.1"
+    app.kubernetes.io/managed-by: Helm
+spec:
+  type: NodePort
+  selector:
+    app.kubernetes.io/name: dinfochart
+    app.kubernetes.io/instance: test-release
+  ports:
+    - protocol: TCP
+      port: 80
+      targetPort: 5000
+---
+# Source: dinfochart/templates/deployment.yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: test-release-dinfochart
+  labels:
+    helm.sh/chart: dinfochart-0.1.0
+    app.kubernetes.io/name: dinfochart
+    app.kubernetes.io/instance: test-release
+    app.kubernetes.io/version: "1.1.1"
+    app.kubernetes.io/managed-by: Helm
+spec:
+  replicas: 5
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: dinfochart
+      app.kubernetes.io/instance: test-release
+  strategy:
+    type: RollingUpdate
+    rollingUpdate:
+      maxSurge: 1        # Extra pods during update
+      maxUnavailable: 0  # Ensure availability
+  template:
+    metadata:
+      labels:
+        helm.sh/chart: dinfochart-0.1.0
+        app.kubernetes.io/name: dinfochart
+        app.kubernetes.io/instance: test-release
+        app.kubernetes.io/version: "1.1.1"
+        app.kubernetes.io/managed-by: Helm
+    spec:
+      containers:
+        - name: dinfochart
+          image:  "timurusmanov/devops-infoservice:1.1.1"
+          ports:
+          - containerPort: 80
+          resources:
+            limits:
+              cpu: 200m
+              memory: 256Mi
+            requests:
+              cpu: 100m
+              memory: 128Mi
+          livenessProbe:
+            httpGet:
+              path: /health
+              port: 5000
+            initialDelaySeconds: 10
+            periodSeconds: 5
+          readinessProbe:
+            httpGet:
+              path: /health
+              port: 5000
+            initialDelaySeconds: 5
+            periodSeconds: 3
+```
+
+### Application accessibility verification
+```bash
+kubectl port-forward service/myrelease-dinfochart 8080:80 &
+curl localhost:8080/health
+```
+```json
+{"status":"healthy","timestamp":"2026-04-02T15:35:47.354190+00:00","uptime_seconds":2010}
+```
diff --git a/k8s/LAB10.md b/k8s/LAB10.md
new file mode 100644
index 0000000000..02f6061fef
--- /dev/null
+++ b/k8s/LAB10.md
@@ -0,0 +1,447 @@
+# Task 1
+
+### Installation
+```sh
+sudo pacman -S --needed helm
+```
+```text
+warning: helm-4.1.3-1 is up to date -- skipping
+ there is nothing to do
+```
+
+### Version
+```sh
+helm version
+```
+```text
+version.BuildInfo{Version:"v4.1.3", GitCommit:"c94d381b03be117e7e57908edbf642104e00eb8f", GitTreeState:"", GoVersion:"go1.26.1-X:nodwarf5", KubeClientVersion:"v1.35"}
+```
+
+### Output of exploring a public chart
+
+```sh
+helm show chart prometheus-community/prometheus
+```
+```yaml
+annotations:
+  artifacthub.io/license: Apache-2.0
+  artifacthub.io/links: |
+    - name: Chart Source
+      url: https://github.com/prometheus-community/helm-charts
+    - name: Upstream Project
+      url: https://github.com/prometheus/prometheus
+apiVersion: v2
+appVersion: v3.10.0
+dependencies:
+- condition: alertmanager.enabled
+  name: alertmanager
+  repository: https://prometheus-community.github.io/helm-charts
+  version: 1.34.*
+- condition: kube-state-metrics.enabled
+  name: kube-state-metrics
+  repository: https://prometheus-community.github.io/helm-charts
+  version: 7.2.*
+- condition: prometheus-node-exporter.enabled
+  name: prometheus-node-exporter
+  repository: https://prometheus-community.github.io/helm-charts
+  version: 4.52.*
+- condition: prometheus-pushgateway.enabled
+  name: prometheus-pushgateway
+  repository: https://prometheus-community.github.io/helm-charts
+  version: 3.6.*
+description: Prometheus is a monitoring system and time series database.
+home: https://prometheus.io/
+icon: https://raw.githubusercontent.com/prometheus/prometheus.github.io/master/assets/prometheus_logo-cb55bb5c346.png
+keywords:
+- monitoring
+- prometheus
+kubeVersion: '>=1.19.0-0'
+maintainers:
+- email: gianrubio@gmail.com
+  name: gianrubio
+  url: https://github.com/gianrubio
+- email: zanhsieh@gmail.com
+  name: zanhsieh
+  url: https://github.com/zanhsieh
+- email: miroslav.hadzhiev@gmail.com
+  name: Xtigyro
+  url: https://github.com/Xtigyro
+- email: naseem@transit.app
+  name: naseemkullah
+  url: https://github.com/naseemkullah
+- email: rootsandtrees@posteo.de
+  name: zeritti
+  url: https://github.com/zeritti
+name: prometheus
+sources:
+- https://github.com/prometheus/alertmanager
+- https://github.com/prometheus/prometheus
+- https://github.com/prometheus/pushgateway
+- https://github.com/prometheus/node_exporter
+- https://github.com/kubernetes/kube-state-metrics
+type: application
+version: 28.14.1
+```
+
+# Task 2
+
+```sh
+helm lint dinfochart
+```
+```text
+==> Linting dinfochart
+[INFO] Chart.yaml: icon is recommended
+
+1 chart(s) linted, 0 chart(s) failed
+```
+
+```sh
+helm template dinfochart dinfochart/
+```
+```yaml
+---
+# Source: dinfochart/templates/service.yaml
+apiVersion: v1
+kind: Service
+metadata:
+  name: dinfochart
+  labels:
+    helm.sh/chart: dinfochart-0.1.0
+    app.kubernetes.io/name: dinfochart
+    app.kubernetes.io/instance: dinfochart
+    app.kubernetes.io/version: "1.1.1"
+    app.kubernetes.io/managed-by: Helm
+spec:
+  type: NodePort
+  selector:
+    app.kubernetes.io/name: dinfochart
+    app.kubernetes.io/instance: dinfochart
+  ports:
+    - protocol: TCP
+      port: 80
+      targetPort: 5000
+---
+# Source: dinfochart/templates/deployment.yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: dinfochart
+  labels:
+    helm.sh/chart: dinfochart-0.1.0
+    app.kubernetes.io/name: dinfochart
+    app.kubernetes.io/instance: dinfochart
+    app.kubernetes.io/version: "1.1.1"
+    app.kubernetes.io/managed-by: Helm
+spec:
+  replicas: 5
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: dinfochart
+      app.kubernetes.io/instance: dinfochart
+  strategy:
+    type: RollingUpdate
+    rollingUpdate:
+      maxSurge: 1        # Extra pods during update
+      maxUnavailable: 0  # Ensure availability
+  template:
+    metadata:
+      labels:
+        helm.sh/chart: dinfochart-0.1.0
+        app.kubernetes.io/name: dinfochart
+        app.kubernetes.io/instance: dinfochart
+        app.kubernetes.io/version: "1.1.1"
+        app.kubernetes.io/managed-by: Helm
+    spec:
+      containers:
+        - name: dinfochart
+          image:  "timurusmanov/devops-infoservice:1.1.1"
+          ports:
+          - containerPort: 80
+          resources:
+            limits:
+              cpu: 200m
+              memory: 256Mi
+            requests:
+              cpu: 100m
+              memory: 128Mi
+          livenessProbe:
+            httpGet:
+              path: /health
+              port: 5000
+            initialDelaySeconds: 10
+            periodSeconds: 5
+          readinessProbe:
+            httpGet:
+              path: /health
+              port: 5000
+            initialDelaySeconds: 5
+            periodSeconds: 3
+```
+
+```sh
+helm install --dry-run --debug test-release dinfochart/
+```
+```text
+level=WARN msg="--dry-run is deprecated and should be replaced with '--dry-run=client'"
+level=DEBUG msg="Original chart version" version=""
+level=DEBUG msg="Chart path" path=/home/timur/proj/DevOps-Core-Course/k8s/dinfochart
+level=DEBUG msg="number of dependencies in the chart" chart=dinfochart dependencies=0
+NAME: test-release
+LAST DEPLOYED: Thu Apr  2 17:17:49 2026
+NAMESPACE: default
+STATUS: pending-install
+REVISION: 1
+DESCRIPTION: Dry run complete
+TEST SUITE: None
+USER-SUPPLIED VALUES:
+{}
+
+COMPUTED VALUES:
+image:
+  pullPolicy: IfNotPresent
+  repository: timurusmanov/devops-infoservice
+  tag: 1.1.1
+livenessProbe:
+  httpGet:
+    path: /health
+    port: 5000
+  initialDelaySeconds: 10
+  periodSeconds: 5
+readinessProbe:
+  httpGet:
+    path: /health
+    port: 5000
+  initialDelaySeconds: 5
+  periodSeconds: 3
+replicaCount: 5
+resources:
+  limits:
+    cpu: 200m
+    memory: 256Mi
+  requests:
+    cpu: 100m
+    memory: 128Mi
+service:
+  port: 80
+  targetPort: 5000
+  type: NodePort
+
+HOOKS:
+MANIFEST:
+---
+# Source: dinfochart/templates/service.yaml
+apiVersion: v1
+kind: Service
+metadata:
+  name: test-release-dinfochart
+  labels:
+    helm.sh/chart: dinfochart-0.1.0
+    app.kubernetes.io/name: dinfochart
+    app.kubernetes.io/instance: test-release
+    app.kubernetes.io/version: "1.1.1"
+    app.kubernetes.io/managed-by: Helm
+spec:
+  type: NodePort
+  selector:
+    app.kubernetes.io/name: dinfochart
+    app.kubernetes.io/instance: test-release
+  ports:
+    - protocol: TCP
+      port: 80
+      targetPort: 5000
+---
+# Source: dinfochart/templates/deployment.yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: test-release-dinfochart
+  labels:
+    helm.sh/chart: dinfochart-0.1.0
+    app.kubernetes.io/name: dinfochart
+    app.kubernetes.io/instance: test-release
+    app.kubernetes.io/version: "1.1.1"
+    app.kubernetes.io/managed-by: Helm
+spec:
+  replicas: 5
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: dinfochart
+      app.kubernetes.io/instance: test-release
+  strategy:
+    type: RollingUpdate
+    rollingUpdate:
+      maxSurge: 1        # Extra pods during update
+      maxUnavailable: 0  # Ensure availability
+  template:
+    metadata:
+      labels:
+        helm.sh/chart: dinfochart-0.1.0
+        app.kubernetes.io/name: dinfochart
+        app.kubernetes.io/instance: test-release
+        app.kubernetes.io/version: "1.1.1"
+        app.kubernetes.io/managed-by: Helm
+    spec:
+      containers:
+        - name: dinfochart
+          image:  "timurusmanov/devops-infoservice:1.1.1"
+          ports:
+          - containerPort: 80
+          resources:
+            limits:
+              cpu: 200m
+              memory: 256Mi
+            requests:
+              cpu: 100m
+              memory: 128Mi
+          livenessProbe:
+            httpGet:
+              path: /health
+              port: 5000
+            initialDelaySeconds: 10
+            periodSeconds: 5
+          readinessProbe:
+            httpGet:
+              path: /health
+              port: 5000
+            initialDelaySeconds: 5
+            periodSeconds: 3
+
+```
+
+```sh
+helm install myrelease dinfochart/
+```
+```text
+NAME: myrelease
+LAST DEPLOYED: Thu Apr  2 17:18:20 2026
+NAMESPACE: default
+STATUS: deployed
+REVISION: 1
+DESCRIPTION: Install complete
+TEST SUITE: None
+```
+
+# Task 4
+
+```sh
+# Lint chart
+helm lint k8s/dinfochart
+```
+```text
+==> Linting k8s/dinfochart
+[INFO] Chart.yaml: icon is recommended
+
+1 chart(s) linted, 0 chart(s) failed
+```
+
+```sh
+# Dry run to see hooks
+helm install --dry-run=client --debug test-release k8s/dinfochart | grep -A 20 "HOOK\|hook"
+```
+```text
+level=DEBUG msg="Original chart version" version=""
+level=DEBUG msg="Chart path" path=/home/timur/proj/DevOps-Core-Course/k8s/dinfochart
+level=DEBUG msg="number of dependencies in the chart" chart=dinfochart dependencies=0
+HOOKS:
+---
+# Source: dinfochart/templates/hooks/post-install-job.yaml
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: 'test-release-dinfochart-post-install'
+  labels:
+    helm.sh/chart: dinfochart-0.1.0
+    app.kubernetes.io/name: dinfochart
+    app.kubernetes.io/instance: test-release
+    app.kubernetes.io/version: "1.1.1"
+    app.kubernetes.io/managed-by: Helm
+  annotations:
+    "helm.sh/hook": post-install
+    "helm.sh/hook-weight": "5"
+    "helm.sh/hook-delete-policy": hook-succeeded
+spec:
+  template:
+    metadata:
+      name: 'test-release-dinfochart-post-install'
+    spec:
+      restartPolicy: Never
+      containers:
+      - name: post-install-job
+        image: busybox
+        command: ['sh', '-c', 'echo Post-install validation && sleep 1 && echo Validation passed']
+---
+# Source: dinfochart/templates/hooks/pre-install-job.yaml
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: 'test-release-dinfochart-pre-install'
+  labels:
+    helm.sh/chart: dinfochart-0.1.0
+    app.kubernetes.io/name: dinfochart
+    app.kubernetes.io/instance: test-release
+    app.kubernetes.io/version: "1.1.1"
+    app.kubernetes.io/managed-by: Helm
+  annotations:
+    "helm.sh/hook": pre-install
+    "helm.sh/hook-weight": "-5"
+    "helm.sh/hook-delete-policy": hook-succeeded
+spec:
+  template:
+    metadata:
+      name: 'test-release-dinfochart-pre-install'
+    spec:
+      restartPolicy: Never
+      containers:
+      - name: pre-install-job
+        image: busybox
+        command: ['sh', '-c', 'echo Pre-install task running && sleep 1 && echo Pre-install completed']
+MANIFEST:
+---
+# Source: dinfochart/templates/service.yaml
+apiVersion: v1
+kind: Service
+metadata:
+  name: test-release-dinfochart
+  labels:
+    helm.sh/chart: dinfochart-0.1.0
+    app.kubernetes.io/name: dinfochart
+```
+
+```sh
+# Install and watch hooks
+helm install myrelease k8s/dinfochart
+kubectl get jobs -w
+kubectl get pods -w
+```
+```text
+NAME: myrelease
+LAST DEPLOYED: Thu Apr  2 18:01:48 2026
+NAMESPACE: default
+STATUS: deployed
+REVISION: 1
+DESCRIPTION: Install complete
+TEST SUITE: None
+```
+```text
+No resources found in default namespace.
+```
+```text
+NAME                                    READY   STATUS    RESTARTS   AGE
+myrelease-dinfochart-5b67fb98d9-2jk9d   1/1     Running   0          39s
+myrelease-dinfochart-5b67fb98d9-8c448   1/1     Running   0          39s
+myrelease-dinfochart-5b67fb98d9-fq5mz   1/1     Running   0          39s
+myrelease-dinfochart-5b67fb98d9-v5zjk   1/1     Running   0          39s
+myrelease-dinfochart-5b67fb98d9-wtx52   1/1     Running   0          39s
+```
+
+```sh
+# Verify deletion policy worked
+kubectl get jobs
+```
+```text
+No resources found in default namespace.
+```
+
+# Task 5
+
+Refer to `k8s/HELM.md`.
diff --git a/k8s/SECRETS.md b/k8s/SECRETS.md
new file mode 100644
index 0000000000..79a74ca774
--- /dev/null
+++ b/k8s/SECRETS.md
@@ -0,0 +1,155 @@
+# Kubernetes Secrets
+### Output of creating and viewing your secret
+```sh
+kubectl get secret app-credentials -o yaml
+```
+```text
+apiVersion: v1
+data:
+  password: YWRtaW4xMjM=
+  username: dGltdXI=
+kind: Secret
+metadata:
+  creationTimestamp: "2026-04-08T14:10:34Z"
+  name: app-credentials
+  namespace: default
+  resourceVersion: "7121"
+  uid: cde19220-e95a-4b61-9386-b6b8f4b37f45
+type: Opaque
+```
+
+### Decoded secret values demonstration
+```sh
+base64 -d <<<"dGltdXI="
+```
+```text
+timur
+```
+```sh
+base64 -d <<<"YWRtaW4xMjM="
+```
+```text
+admin123
+```
+
+### Explanation of base64 encoding vs encryption
+`base64`-encoding is is still plaintext: it obfuscates the information to a human reader, but the data is decodeable
+with one command.
+
+Real encryption requires the attacker to guess a key, which should be difficult to do.
+
+# Helm Secret Integration
+### Chart structure showing secrets.yaml
+```yaml
+apiVersion: v1
+kind: Secret
+metadata:
+  name: app-credentials
+type: Opaque
+stringData:
+  username: {{ .Values.secret.username | quote }}
+  password: {{ .Values.secret.password | quote }}
+```
+
+### How secrets are consumed in deployment
+Secrets are consumed through environment variables.
+
+### Verification output (env vars in pod, excluding actual values)
+```sh
+kubectl exec dinfoserv-dinfochart-575476d846-4424h -- env
+```
+```text
+PATH=/venv/bin:/usr/local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+HOSTNAME=dinfoserv-dinfochart-575476d846-4424h
+username=placeholder
+password=placeholder
+DINFOSERV_DINFOCHART_PORT_80_TCP=tcp://10.100.233.185:80
+DINFOSERV_DINFOCHART_PORT_80_TCP_PROTO=tcp
+KUBERNETES_PORT=tcp://10.96.0.1:443
+KUBERNETES_PORT_443_TCP=tcp://10.96.0.1:443
+DINFOSERV_DINFOCHART_PORT_80_TCP_PORT=80
+KUBERNETES_SERVICE_HOST=10.96.0.1
+KUBERNETES_SERVICE_PORT_HTTPS=443
+KUBERNETES_PORT_443_TCP_PORT=443
+KUBERNETES_PORT_443_TCP_ADDR=10.96.0.1
+DINFOSERV_DINFOCHART_SERVICE_HOST=10.100.233.185
+DINFOSERV_DINFOCHART_SERVICE_PORT=80
+DINFOSERV_DINFOCHART_PORT=tcp://10.100.233.185:80
+DINFOSERV_DINFOCHART_PORT_80_TCP_ADDR=10.100.233.185
+KUBERNETES_SERVICE_PORT=443
+KUBERNETES_PORT_443_TCP_PROTO=tcp
+GPG_KEY=7169605F62C751356D054A26A821E680E5FA6305
+PYTHON_VERSION=3.13.12
+PYTHON_SHA256=2a84cd31dd8d8ea8aaff75de66fc1b4b0127dd5799aa50a64ae9a313885b4593
+VIRTUAL_ENV=/venv
+HOME=/home/infoservice
+```
+
+Note the "username" and "password" env variables.
+
+# Resource Management
+### Resource limits configuration
+Resource limits are configured with the `values` files.
+
+### Explanation of requests vs limits
+Requests = how much is guaranteed.
+Limits = how much is the hard maximum.
+
+### How to choose appropriate values
+In the development environment, give more resources to debug and test.
+In production, look at the cluster and see how much is available. Then assign that much as the limit. Requests are the
+minimal requirements for the containers to function at all.
+
+# Vault Integration
+### Vault installation verification (`kubectl get pods`)
+```text
+NAME                                    READY   STATUS     RESTARTS   AGE
+dinfoserv-dinfochart-b9cc59fdf-2dv4n    2/2     Running    0          4m4s
+dinfoserv-dinfochart-b9cc59fdf-6chxr    2/2     Running    0          4m4s
+dinfoserv-dinfochart-b9cc59fdf-b6cqg    2/2     Running    0          4m4s
+dinfoserv-dinfochart-b9cc59fdf-fkfwn    2/2     Running    0          4m4s
+dinfoserv-dinfochart-b9cc59fdf-nh9r2    2/2     Running    0          4m4s
+vault-0                                 1/1     Running    0          15h
+vault-agent-injector-848dd747d7-b2pt4   1/1     Running    0          15h
+```
+
+### Policy and role configuration (sanitized)
+Policy:
+```sh
+cat >dinfoservice-secret-access.hcl <<EOF
+path "secret/myapp/config" {
+    capabilities = ["read"]
+}
+EOF
+vault policy write dinfoservice-secret-access.hcl dinfoservice-secret-access.hcl
+```
+
+Role:
+```sh
+vault write auth/kubernetes/role/demo \
+    bound_service_account_names=myapp \
+    bound_service_account_namespaces=default \
+    policies=default \
+    ttl=1h
+```
+
+### Proof of secret injection (show file exists, path structure)
+The secrets are mounted at `/etc/app-secret`:
+```text
+app-secret/
+├── password
+└── username
+```
+
+# Security Analysis
+### Comparison: K8s Secrets vs Vault
+K8s secrets are the native tool that is easy to use with kubernetes. HashiCorp Vault is a separate solution, although it
+integrates well with Kubernetes.
+
+K8s Secrets are stored in `etcd` by Kubernetes directly, by default unencrypted; Vault secrets are stored separately in
+any provider that is configured, but that requires additional configuration.
+
+### When to use each approach
+There are ways to use both K8s secrets and HashiCorp Vault securely. But if the cloud provider, for example, provides a
+secret management service, HC Vault probably will be easier to configure to use it, especially if the cloud provider
+supplies documentation for that.
diff --git a/k8s/deployment.yml b/k8s/deployment.yml
deleted file mode 100644
index 5b57351844..0000000000
--- a/k8s/deployment.yml
+++ /dev/null
@@ -1,43 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: devops-infoservice
-  labels:
-    app: devops-infoservice
-spec:
-  replicas: 5
-  selector:
-    matchLabels:
-      app: devops-infoservice
-  strategy:
-    type: RollingUpdate
-    rollingUpdate:
-      maxSurge: 1        # Extra pods during update
-      maxUnavailable: 0  # Ensure availability
-  template:
-    metadata:
-      labels:
-        app: devops-infoservice
-    spec:
-      containers:
-      - name: devops-infoservice
-        image: 127.0.0.1:5000/timurusmanov/devops-infoservice:latest
-        ports:
-        - containerPort: 5000
-        resources:
-          requests:
-            memory: "128Mi"
-            cpu: "100m"
-          limits:
-            memory: "256Mi"
-            cpu: "200m"
-        livenessProbe:
-          httpGet:
-            path: /health
-            port: 5000
-          initialDelaySeconds: 10
-        readinessProbe:
-          httpGet:
-            path: /health
-            port: 5000
-          initialDelaySeconds: 5
diff --git a/k8s/dinfochart/.gitignore b/k8s/dinfochart/.gitignore
new file mode 100644
index 0000000000..721e9b3ae7
--- /dev/null
+++ b/k8s/dinfochart/.gitignore
@@ -0,0 +1 @@
+/charts/
diff --git a/k8s/dinfochart/.helmignore b/k8s/dinfochart/.helmignore
new file mode 100644
index 0000000000..0e8a0eb36f
--- /dev/null
+++ b/k8s/dinfochart/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/k8s/dinfochart/Chart.yaml b/k8s/dinfochart/Chart.yaml
new file mode 100644
index 0000000000..9f61b15d84
--- /dev/null
+++ b/k8s/dinfochart/Chart.yaml
@@ -0,0 +1,24 @@
+apiVersion: v2
+name: dinfochart
+description: A Helm chart for devops-infoservice
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.1.0
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: "1.1.1"
diff --git a/k8s/dinfochart/templates/NOTES.txt b/k8s/dinfochart/templates/NOTES.txt
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/k8s/dinfochart/templates/_helpers.tpl b/k8s/dinfochart/templates/_helpers.tpl
new file mode 100644
index 0000000000..4c45c4b07d
--- /dev/null
+++ b/k8s/dinfochart/templates/_helpers.tpl
@@ -0,0 +1,62 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "dinfochart.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "dinfochart.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "dinfochart.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "dinfochart.labels" -}}
+helm.sh/chart: {{ include "dinfochart.chart" . }}
+{{ include "dinfochart.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "dinfochart.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "dinfochart.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "dinfochart.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "dinfochart.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}
diff --git a/k8s/dinfochart/templates/deployment.yaml b/k8s/dinfochart/templates/deployment.yaml
new file mode 100644
index 0000000000..328aa59b6e
--- /dev/null
+++ b/k8s/dinfochart/templates/deployment.yaml
@@ -0,0 +1,64 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "dinfochart.fullname" . }}
+  labels:
+    {{- include "dinfochart.labels" . | nindent 4 }}
+spec:
+  replicas: {{ .Values.replicaCount }}
+  selector:
+    matchLabels:
+      {{- include "dinfochart.selectorLabels" . | nindent 6 }}
+  strategy:
+    type: RollingUpdate
+    rollingUpdate:
+      maxSurge: 1        # Extra pods during update
+      maxUnavailable: 0  # Ensure availability
+  template:
+    metadata:
+      labels:
+        {{- include "dinfochart.labels" . | nindent 8 }}
+        {{- with .Values.podLabels }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
+      annotations:
+        vault.hashicorp.com/agent-inject: "true"
+        vault.hashicorp.com/role: "dinfoservice-role"
+        vault.hashicorp.com/agent-inject-secret-config: "secret/data/myapp/config"
+    spec:
+      containers:
+        - name: {{ .Chart.Name }}
+          image:  "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+          ports:
+          - containerPort: {{ .Values.service.port }}
+          {{- with .Values.resources }}
+          resources:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          {{- with .Values.livenessProbe }}
+          livenessProbe:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          {{- with .Values.readinessProbe }}
+          readinessProbe:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          env:
+            - name: username
+              valueFrom:
+                secretKeyRef:
+                  name: app-credentials
+                  key: username
+            - name: password
+              valueFrom:
+                secretKeyRef:
+                  name: app-credentials
+                  key: password
+          volumeMounts:
+            - name: app-secret
+              mountPath: "/etc/app-secret"
+              readOnly: true
+      volumes:
+        - name: app-secret
+          secret:
+            secretName: app-credentials
diff --git a/k8s/dinfochart/templates/hooks/post-install-job.yaml b/k8s/dinfochart/templates/hooks/post-install-job.yaml
new file mode 100644
index 0000000000..fa5018c191
--- /dev/null
+++ b/k8s/dinfochart/templates/hooks/post-install-job.yaml
@@ -0,0 +1,20 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: '{{ include "dinfochart.fullname" . }}-post-install'
+  labels:
+    {{- include "dinfochart.labels" . | nindent 4 }}
+  annotations:
+    "helm.sh/hook": post-install
+    "helm.sh/hook-weight": "5"
+    "helm.sh/hook-delete-policy": hook-succeeded
+spec:
+  template:
+    metadata:
+      name: '{{ include "dinfochart.fullname" . }}-post-install'
+    spec:
+      restartPolicy: Never
+      containers:
+      - name: post-install-job
+        image: busybox
+        command: ['sh', '-c', 'echo Post-install validation && sleep 1 && echo Validation passed']
diff --git a/k8s/dinfochart/templates/hooks/pre-install-job.yaml b/k8s/dinfochart/templates/hooks/pre-install-job.yaml
new file mode 100644
index 0000000000..2afe4aef29
--- /dev/null
+++ b/k8s/dinfochart/templates/hooks/pre-install-job.yaml
@@ -0,0 +1,20 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: '{{ include "dinfochart.fullname" . }}-pre-install'
+  labels:
+    {{- include "dinfochart.labels" . | nindent 4 }}
+  annotations:
+    "helm.sh/hook": pre-install
+    "helm.sh/hook-weight": "-5"
+    "helm.sh/hook-delete-policy": hook-succeeded
+spec:
+  template:
+    metadata:
+      name: '{{ include "dinfochart.fullname" . }}-pre-install'
+    spec:
+      restartPolicy: Never
+      containers:
+      - name: pre-install-job
+        image: busybox
+        command: ['sh', '-c', 'echo Pre-install task running && sleep 1 && echo Pre-install completed']
diff --git a/k8s/dinfochart/templates/secrets.yaml b/k8s/dinfochart/templates/secrets.yaml
new file mode 100644
index 0000000000..baf570432f
--- /dev/null
+++ b/k8s/dinfochart/templates/secrets.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: app-credentials
+type: Opaque
+stringData:
+  username: {{ .Values.secret.username | quote }}
+  password: {{ .Values.secret.password | quote }}
diff --git a/k8s/dinfochart/templates/service.yaml b/k8s/dinfochart/templates/service.yaml
new file mode 100644
index 0000000000..ba11f6feea
--- /dev/null
+++ b/k8s/dinfochart/templates/service.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "dinfochart.fullname" . }}
+  labels:
+    {{- include "dinfochart.labels" . | nindent 4 }}
+spec:
+  type: NodePort
+  selector:
+    {{- include "dinfochart.selectorLabels" . | nindent 4 }}
+  ports:
+    - protocol: TCP
+      port: {{ .Values.service.port }}
+      targetPort: {{ .Values.service.targetPort }}
diff --git a/k8s/dinfochart/values-dev.yaml b/k8s/dinfochart/values-dev.yaml
new file mode 100644
index 0000000000..3967731b96
--- /dev/null
+++ b/k8s/dinfochart/values-dev.yaml
@@ -0,0 +1,23 @@
+replicaCount: 1
+
+image:
+  tag: "latest"
+
+resources:
+  limits:
+    cpu: 100m
+    memory: 128Mi
+  requests:
+    cpu: 50m
+    memory: 64Mi
+
+service:
+  type: NodePort
+
+livenessProbe:
+  initialDelaySeconds: 5
+  periodSeconds: 10
+
+secret:
+  username: "placeholder"
+  password: "placeholder"
diff --git a/k8s/dinfochart/values-prod.yaml b/k8s/dinfochart/values-prod.yaml
new file mode 100644
index 0000000000..30b1371674
--- /dev/null
+++ b/k8s/dinfochart/values-prod.yaml
@@ -0,0 +1,27 @@
+replicaCount: 5
+
+image:
+  tag: "1.0.0"  # Specific version
+
+resources:
+  limits:
+    cpu: 500m
+    memory: 512Mi
+  requests:
+    cpu: 200m
+    memory: 256Mi
+
+service:
+  type: LoadBalancer
+
+livenessProbe:
+  initialDelaySeconds: 30
+  periodSeconds: 5
+
+readinessProbe:
+  initialDelaySeconds: 10
+  periodSeconds: 3
+
+secret:
+  username: "placeholder"
+  password: "placeholder"
diff --git a/k8s/dinfochart/values.yaml b/k8s/dinfochart/values.yaml
new file mode 100644
index 0000000000..329839cebd
--- /dev/null
+++ b/k8s/dinfochart/values.yaml
@@ -0,0 +1,36 @@
+replicaCount: 5
+image:
+  repository: timurusmanov/devops-infoservice
+  tag: "1.1.1"
+  pullPolicy: IfNotPresent
+
+service:
+  type: NodePort
+  port: 80
+  targetPort: 5000
+
+resources:
+  limits:
+    cpu: 200m
+    memory: 256Mi
+  requests:
+    cpu: 100m
+    memory: 128Mi
+
+livenessProbe:
+  httpGet:
+    path: /health
+    port: 5000
+  initialDelaySeconds: 10
+  periodSeconds: 5
+
+readinessProbe:
+  httpGet:
+    path: /health
+    port: 5000
+  initialDelaySeconds: 5
+  periodSeconds: 3
+
+secret:
+  username: "placeholder"
+  password: "placeholder"
diff --git a/k8s/service.yml b/k8s/service.yml
deleted file mode 100644
index 853cd0860f..0000000000
--- a/k8s/service.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-  name: devops-infoservice-service
-spec:
-  type: NodePort
-  selector:
-    app: devops-infoservice  # Must match Deployment labels
-  ports:
-    - protocol: TCP
-      port: 80        # Service port
-      targetPort: 5000  # Container port
-      nodePort: 30080   # Optional: specific node port (30000-32767)