diff --git a/k8s/README.md b/k8s/README.md
index e80affc..12b3385 100644
--- a/k8s/README.md
+++ b/k8s/README.md
@@ -683,3 +683,28 @@ Install client side tools:
 brew tap tektoncd/tools
 brew install tektoncd/tools/tektoncd-cli
 ```
+
+## cnpg - Cloud Native Postgres
+
+cnpg is a postgres operator that is recommended by n8n. So I installed it.
+
+Instructions [here](https://cloudnative-pg.io/documentation/1.26/installation_upgrade/)
+
+Executed:
+
+```sh
+kubectl apply --server-side -f \
+ https://raw.githubusercontent.com/cloudnative-pg/cloudnative-pg/release-1.26/releases/cnpg-1.26.1.yaml
+```
+
+## n8n
+
+Using helm chart from [https://github.com/8gears/n8n-helm-chart](https://github.com/8gears/n8n-helm-chart).
+
+```sh
+kubectl create ns n8n
+helm upgrade --cleanup-on-fail --install mop-n8n \
+oci://8gears.container-registry.com/library/n8n \
+--namespace n8n --values n8n/n8n.secret.yml --version 1.0.15
+```
+
diff --git a/k8s/n8n/n8n.secret.yml b/k8s/n8n/n8n.secret.yml
new file mode 100644
index 0000000..ae4f19c
--- /dev/null
+++ b/k8s/n8n/n8n.secret.yml
@@ -0,0 +1,97 @@
+#small deployment with nodeport for local testing or small deployments
+main:
+ config:
+ generic:
+ timezone: Europe/Berlin
+ n8n:
+ editor_base_url: https://n8n.moritzgraf.de
+ webhook_url: https://n8n.moritzgraf.de
+ db:
+ type: postgresdb
+ postgresdb:
+ host: db-rw
+ user: n8n
+# password: password is read from cnpg db-app secretKeyRef
+# Moritz: Assuming the db-app secret is created by cnpg operator
+ pool:
+ size: 10
+ ssl:
+ enabled: true
+ reject_Unauthorized: true
+ ca_file: "/home/ssl/certs/postgresql/ca.crt"
+ secret:
+ n8n:
+ encryption_key: "iHiquee6joibooK1aj9doh8wieliehua5ni6oSheix4oopheiz"
+ extraEnv:
+ DB_POSTGRESDB_PASSWORD:
+ valueFrom:
+ secretKeyRef:
+ name: db-app
+ key: password
+ # Mount the CNPG CA Cert into N8N container
+ extraVolumeMounts:
+ - name: db-ca-cert
+ mountPath: /home/ssl/certs/postgresql
+ readOnly: true
+
+ extraVolumes:
+ - name: db-ca-cert
+ secret:
+ secretName: db-ca
+ items:
+ - key: ca.crt
+ path: ca.crt
+ resources:
+ limits:
+ memory: 2048Mi
+ requests:
+ memory: 512Mi
+ service:
+ type: NodePort
+ port: 5678
+
+
+ingress:
+ # Enable ingress for home assistant
+ enabled: true
+ className: "nginx"
+ annotations:
+ kubernetes.io/ingress.class: "nginx"
+ cert-manager.io/cluster-issuer: "letsencrypt-prod"
+ kubernetes.io/tls-acme: "true"
+ nginx.ingress.kubernetes.io/proxy-body-size: "0"
+ nginx.ingress.kubernetes.io/proxy-buffering: "off"
+ nginx.ingress.kubernetes.io/proxy-request-buffering: "off"
+ nginx.ingress.kubernetes.io/ssl-redirect: "true"
+ nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+ hosts:
+ - host: n8n.moritzgraf.de
+ paths:
+ - /
+ tls:
+ - hosts:
+ - "n8n.moritzgraf.de"
+ secretName: n8n-moritzgraf-de
+
+# cnpg DB cluster request
+extraManifests:
+ - apiVersion: postgresql.cnpg.io/v1
+ kind: Cluster
+ metadata:
+ name: db
+ spec:
+ instances: 1
+ bootstrap:
+ initdb:
+ database: n8n
+ owner: n8n
+ postgresql:
+ parameters:
+ shared_buffers: "64MB"
+ resources:
+ requests:
+ memory: "512Mi"
+ limits:
+ memory: "512Mi"
+ storage:
+ size: 1Gi
\ No newline at end of file
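Review bot: The n8n encryption key is committed as a literal under `secret.n8n.encryption_key`, so anyone who can read the repository holds the key that protects credentials stored in the n8n database. The value in this commit should be treated as exposed and replaced; credentials already encrypted under the old key will need re-entering, so rotate before real credentials are stored. The database password a few lines below already comes from the `db-app` Secret through `secretKeyRef`, and the key can be supplied the same way via `N8N_ENCRYPTION_KEY`, with the `secret:` block dropped (the Secret name and key below are placeholders, and the nesting is inferred because indentation is flattened in this view). Separately, `service.type: NodePort` next to a public ingress presumably exposes port 5678 on every node without the ingress TLS; `ClusterIP` is enough if the ingress is the only intended entry point.

```yaml
main:
  # … unchanged: config …
  extraEnv:
    N8N_ENCRYPTION_KEY:
      valueFrom:
        secretKeyRef:
          name: PLACEHOLDER-n8n-secret-name
          key: PLACEHOLDER-key-name
    # … unchanged: DB_POSTGRESDB_PASSWORD …
```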