Merge "[AAI] Kiali Validation - KIA0601 - Port name must follow [-suffix] form"
diff --git a/kubernetes/common/common/templates/_serviceMesh.tpl b/kubernetes/common/common/templates/_serviceMesh.tpl
index fe2424c..3ba945e 100644
--- a/kubernetes/common/common/templates/_serviceMesh.tpl
+++ b/kubernetes/common/common/templates/_serviceMesh.tpl
@@ -98,7 +98,7 @@
               app.kubernetes.io/name: <app-to-match>    ("app.kubernetes.io/name" corresponds to key defined in "common.labels", which is included in "common.service")
 
     If common.useAuthorizationPolicies returns false:
-      Will create an authorization policy without rules, i.e., an allow-all policy
+      Will not create an authorization policy
 */}}
 {{- define "common.authorizationPolicy" -}}
 {{-   $dot := default . .dot -}}
@@ -106,6 +106,7 @@
 {{-   $authorizedPrincipals := default list $dot.Values.serviceMesh.authorizationPolicy.authorizedPrincipals -}}
 {{-   $defaultOperationMethods := list "GET" "POST" "PUT" "PATCH" "DELETE" -}}
 {{-   $relName := include "common.release" . -}}
+{{-   if (include "common.useAuthorizationPolicies" .) }}
 apiVersion: security.istio.io/v1beta1
 kind: AuthorizationPolicy
 metadata:
@@ -117,7 +118,6 @@
       app.kubernetes.io/name: {{ include "common.servicename" . }}
   action: ALLOW
   rules:
-{{-   if (include "common.useAuthorizationPolicies" .) }}
 {{-     if $authorizedPrincipals }}
 {{-       range $principal := $authorizedPrincipals }}
   - from:
@@ -143,7 +143,5 @@
 {{-         end }}
 {{-       end }}
 {{-     end }}
-{{-   else }}
-    - {}
 {{-   end }}
 {{- end -}}
diff --git a/kubernetes/common/repositoryGenerator/templates/_repository.tpl b/kubernetes/common/repositoryGenerator/templates/_repository.tpl
index 1b99285..09a799e 100644
--- a/kubernetes/common/repositoryGenerator/templates/_repository.tpl
+++ b/kubernetes/common/repositoryGenerator/templates/_repository.tpl
@@ -59,6 +59,16 @@
 {{- end -}}
 
 {{/*
+  Resolve the name of the quay.io Repository image repository.
+
+  - .Values.global.quayRepository  : default image quayRepository for all images using quay repository
+  - .Values.quayRepositoryOverride : override global quayRepository repository on a per chart basis
+*/}}
+{{- define "repositoryGenerator.quayRepository" -}}
+  {{- include "repositoryGenerator._repositoryHelper" (merge (dict "repoName" "quayRepository") .) }}
+{{- end -}}
+
+{{/*
   Resolve the name of the googleK8sRepository image repository.
 
   - .Values.global.googleK8sRepository  : default image dockerHubRepository for all dockerHub images
diff --git a/kubernetes/common/repositoryGenerator/values.yaml b/kubernetes/common/repositoryGenerator/values.yaml
index 5d886aa..b89c2b2 100644
--- a/kubernetes/common/repositoryGenerator/values.yaml
+++ b/kubernetes/common/repositoryGenerator/values.yaml
@@ -21,6 +21,7 @@
   elasticRepository: docker.elastic.co
   googleK8sRepository: k8s.gcr.io
   githubContainerRegistry: ghcr.io
+  quayRepository: quay.io
 
   # common global images
   busyboxImage: busybox:1.34.1
diff --git a/kubernetes/onap/resources/overrides/onap-all-ingress-istio.yaml b/kubernetes/onap/resources/overrides/onap-all-ingress-istio.yaml
index 00e7b2a..4697146 100644
--- a/kubernetes/onap/resources/overrides/onap-all-ingress-istio.yaml
+++ b/kubernetes/onap/resources/overrides/onap-all-ingress-istio.yaml
@@ -142,6 +142,8 @@
     enabled: false
   keycloak-init:
     enabled: true
+  oauth2-proxy:
+    enabled: true
 policy:
   enabled: true
 portal:
diff --git a/kubernetes/onap/values.yaml b/kubernetes/onap/values.yaml
index 40ac5ed..a8b44e3 100755
--- a/kubernetes/onap/values.yaml
+++ b/kubernetes/onap/values.yaml
@@ -47,6 +47,7 @@
   repository: nexus3.onap.org:10001
   dockerHubRepository: &dockerHubRepository docker.io
   elasticRepository: &elasticRepository docker.elastic.co
+  quayRepository: quay.io
   googleK8sRepository: k8s.gcr.io
   githubContainerRegistry: ghcr.io
 
diff --git a/kubernetes/platform/Chart.yaml b/kubernetes/platform/Chart.yaml
index 0f8f510..8eba95f 100644
--- a/kubernetes/platform/Chart.yaml
+++ b/kubernetes/platform/Chart.yaml
@@ -25,20 +25,20 @@
   - name: oom-cert-service
     version: ~12.x-0
     repository: '@local'
-    #repository: 'file://components/oom-cert-service'
     condition: oom-cert-service.enabled
   - name: cmpv2-cert-provider
     version: ~12.x-0
     repository: '@local'
-    #repository: 'file://components/cmpv2-cert-provider'
     condition: cmpv2-cert-provider.enabled
   - name: chartmuseum
     version: ~12.x-0
     repository: '@local'
-    #repository: 'file://components/chartmuseum'
     condition: chartmuseum.enabled
   - name: keycloak-init
     version: ~12.x-0
     repository: '@local'
-    #repository: 'file://components/keycloak-init'
     condition: keycloak-init.enabled
+  - name: oauth2-proxy
+    version: ~12.x-0
+    repository: '@local'
+    condition: oauth2-proxy.enabled
diff --git a/kubernetes/platform/components/keycloak-init/Chart.yaml b/kubernetes/platform/components/keycloak-init/Chart.yaml
index d9add71..8e0a46f 100644
--- a/kubernetes/platform/components/keycloak-init/Chart.yaml
+++ b/kubernetes/platform/components/keycloak-init/Chart.yaml
@@ -30,6 +30,6 @@
   - name: serviceAccount
     version: ~12.x-0
     repository: '@local'
-  - name: keycloak-config-cli
+  - name: onap-keycloak-config-cli
     version: 5.6.1
     repository: 'file://components/keycloak-config-cli'
diff --git a/kubernetes/platform/components/keycloak-init/components/keycloak-config-cli/Chart.yaml b/kubernetes/platform/components/keycloak-init/components/keycloak-config-cli/Chart.yaml
index 3f48ef7..882e12a 100644
--- a/kubernetes/platform/components/keycloak-init/components/keycloak-config-cli/Chart.yaml
+++ b/kubernetes/platform/components/keycloak-init/components/keycloak-config-cli/Chart.yaml
@@ -17,7 +17,7 @@
 # limitations under the License.
 # ============LICENSE_END=========================================================
 apiVersion: v2
-name: keycloak-config-cli
+name: onap-keycloak-config-cli
 description: Import JSON-formatted configuration files into Keycloak - Configuration as Code for Keycloak.
 home: https://github.com/adorsys/keycloak-config-cli
 version: 5.6.1
diff --git a/kubernetes/platform/components/keycloak-init/components/keycloak-config-cli/values.yaml b/kubernetes/platform/components/keycloak-init/components/keycloak-config-cli/values.yaml
index fb2a895..14870e6 100644
--- a/kubernetes/platform/components/keycloak-init/components/keycloak-config-cli/values.yaml
+++ b/kubernetes/platform/components/keycloak-init/components/keycloak-config-cli/values.yaml
@@ -21,9 +21,6 @@
 fullnameOverride: ""
 nameOverride: ""
 
-keycloakUrl: "https://keycloak-ui.simpledemo.onap.org/auth/"
-portalUrl: "https://portal-ng-ui.simpledemo.onap.org"
-
 image:
   repository: adorsys/keycloak-config-cli
   tag: "{{ .Chart.AppVersion }}-19.0.3"
diff --git a/kubernetes/platform/components/keycloak-init/values.yaml b/kubernetes/platform/components/keycloak-init/values.yaml
index 7eecf19..9fbaedc 100644
--- a/kubernetes/platform/components/keycloak-init/values.yaml
+++ b/kubernetes/platform/components/keycloak-init/values.yaml
@@ -22,7 +22,7 @@
 KEYCLOAK_URL: &kc-url "https://keycloak-ui.simpledemo.onap.org/auth/"
 PORTAL_URL: "https://portal-ui.simpledemo.onap.org"
 
-keycloak-config-cli:
+onap-keycloak-config-cli:
   #existingSecret: "keycloak-keycloakx-admin-creds"
   env:
     KEYCLOAK_URL: http://keycloak-http.keycloak.svc.cluster.local/auth/
diff --git a/kubernetes/platform/components/oauth2-proxy/.helmignore b/kubernetes/platform/components/oauth2-proxy/.helmignore
new file mode 100644
index 0000000..825c007
--- /dev/null
+++ b/kubernetes/platform/components/oauth2-proxy/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+
+OWNERS
diff --git a/kubernetes/platform/components/oauth2-proxy/Chart.yaml b/kubernetes/platform/components/oauth2-proxy/Chart.yaml
new file mode 100644
index 0000000..1da3d7e
--- /dev/null
+++ b/kubernetes/platform/components/oauth2-proxy/Chart.yaml
@@ -0,0 +1,34 @@
+#============LICENSE_START========================================================
+# ================================================================================
+# Copyright © 2022 Deutsche Telekom
+# ================================================================================
+# Original licence (https://github.com/codecentric/helm-charts/blob/master/LICENSE)
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ============LICENSE_END=========================================================
+apiVersion: v2
+version: 12.0.0
+description: ONAP Oauth2-proxy
+name: oauth2-proxy
+sources:
+- https://github.com/oauth2-proxy/manifests
+
+dependencies:
+  - name: common
+    version: ~12.x-0
+    repository: '@local'
+  - name: serviceAccount
+    version: ~12.x-0
+    repository: '@local'
+  - name: onap-oauth2-proxy
+    version: 6.10.1
+    repository: 'file://components/oauth2-proxy'
\ No newline at end of file
diff --git a/kubernetes/platform/components/oauth2-proxy/Makefile b/kubernetes/platform/components/oauth2-proxy/Makefile
new file mode 100644
index 0000000..5970a97
--- /dev/null
+++ b/kubernetes/platform/components/oauth2-proxy/Makefile
@@ -0,0 +1,60 @@
+# Copyright © 2020 Samsung Electronics
+# Modifications Copyright © 2020 Nokia
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+ROOT_DIR := $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST))))
+OUTPUT_DIR := $(ROOT_DIR)/../../dist
+PACKAGE_DIR := $(OUTPUT_DIR)/packages
+SECRET_DIR := $(OUTPUT_DIR)/secrets
+
+EXCLUDES :=
+HELM_BIN := helm
+ifneq ($(SKIP_LINT),TRUE)
+	HELM_LINT_CMD := $(HELM_BIN) lint
+else
+	HELM_LINT_CMD := echo "Skipping linting of"
+endif
+
+HELM_CHARTS := $(filter-out $(EXCLUDES), $(sort $(patsubst %/.,%,$(wildcard */.))))
+HELM_VER := $(shell $(HELM_BIN) version --template "{{.Version}}")
+
+.PHONY: $(EXCLUDES) $(HELM_CHARTS)
+
+all: $(HELM_CHARTS)
+
+$(HELM_CHARTS):
+	@echo "\n[$@]"
+	@make package-$@
+
+make-%:
+	@if [ -f $*/Makefile ]; then make -C $*; fi
+
+dep-%: make-%
+	@if [ -f $*/Chart.yaml ]; then $(HELM_BIN) dep up $*; fi
+
+lint-%: dep-%
+	@if [ -f $*/Chart.yaml ]; then $(HELM_LINT_CMD) $*; fi
+
+package-%: lint-%
+	@mkdir -p $(PACKAGE_DIR)
+	@if [ -f $*/Chart.yaml ]; then PACKAGE_NAME=$$($(HELM_BIN) package -d $(PACKAGE_DIR) $* | cut -d":" -f2) && $(HELM_BIN) cm-push -f $$PACKAGE_NAME local; fi
+	@sleep 3
+	#@$(HELM_BIN) repo index $(PACKAGE_DIR)
+
+clean:
+	@rm -f */Chart.lock
+	@rm -f *tgz */charts/*tgz
+	@rm -rf $(PACKAGE_DIR)
+%:
+	@:
diff --git a/kubernetes/platform/components/oauth2-proxy/components/Makefile b/kubernetes/platform/components/oauth2-proxy/components/Makefile
new file mode 100755
index 0000000..9544d70
--- /dev/null
+++ b/kubernetes/platform/components/oauth2-proxy/components/Makefile
@@ -0,0 +1,58 @@
+# Copyright © 2020 Samsung Electronics
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+ROOT_DIR := $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST))))
+OUTPUT_DIR := $(ROOT_DIR)/../../dist
+PACKAGE_DIR := $(OUTPUT_DIR)/packages
+SECRET_DIR := $(OUTPUT_DIR)/secrets
+
+EXCLUDES :=
+HELM_BIN := helm
+ifneq ($(SKIP_LINT),TRUE)
+	HELM_LINT_CMD := $(HELM_BIN) lint
+else
+	HELM_LINT_CMD := echo "Skipping linting of"
+endif
+
+HELM_CHARTS := $(filter-out $(EXCLUDES), $(sort $(patsubst %/.,%,$(wildcard */.))))
+
+.PHONY: $(EXCLUDES) $(HELM_CHARTS)
+
+all: $(HELM_CHARTS)
+
+$(HELM_CHARTS):
+	@echo "\n[$@]"
+	@make package-$@
+
+make-%:
+	@if [ -f $*/Makefile ]; then make -C $*; fi
+
+dep-%: make-%
+	@if [ -f $*/Chart.yaml ]; then $(HELM_BIN) dep up $*; fi
+
+lint-%: dep-%
+	@if [ -f $*/Chart.yaml ]; then $(HELM_LINT_CMD) $*; fi
+
+package-%: lint-%
+	@mkdir -p $(PACKAGE_DIR)
+	@if [ -f $*/Chart.yaml ]; then PACKAGE_NAME=$$($(HELM_BIN) package -d $(PACKAGE_DIR) $* | cut -d":" -f2) && $(HELM_BIN) cm-push -f $$PACKAGE_NAME local; fi
+	@sleep 3
+	#@$(HELM_BIN) repo index $(PACKAGE_DIR)
+
+clean:
+	@rm -f */Chart.lock
+	@rm -f *tgz */charts/*tgz
+	@rm -rf $(PACKAGE_DIR)
+%:
+	@:
diff --git a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/.helmignore b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/.helmignore
new file mode 100644
index 0000000..825c007
--- /dev/null
+++ b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+
+OWNERS
diff --git a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/Chart.yaml b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/Chart.yaml
new file mode 100644
index 0000000..0609a0f
--- /dev/null
+++ b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/Chart.yaml
@@ -0,0 +1,41 @@
+name: onap-oauth2-proxy
+version: 6.10.1
+apiVersion: v2
+appVersion: 7.4.0
+home: https://oauth2-proxy.github.io/oauth2-proxy/
+description: A reverse proxy that provides authentication with Google, Github or other providers
+keywords:
+  - kubernetes
+  - oauth
+  - oauth2
+  - authentication
+  - google
+  - github
+  - redis
+dependencies:
+  - name: redis
+    version: ~16.13.2
+    repository: https://charts.bitnami.com/bitnami
+    alias: redis
+    condition: redis.enabled
+  - name: common
+    version: ~12.x-0
+    repository: '@local'
+  - name: repositoryGenerator
+    version: ~12.x-0
+    repository: '@local'
+
+sources:
+  - https://github.com/oauth2-proxy/oauth2-proxy
+  - https://github.com/oauth2-proxy/manifests
+maintainers:
+  - name: desaintmartin
+    email: cedric@desaintmartin.fr
+  - name: tlawrie
+  - name: NickMeves
+    email: nicholas.meves@gmail.com
+  - name: JoelSpeed
+    email: joel.speed@hotmail.co.uk
+  - name: pierluigilenoci
+    email: pierluigi.lenoci@gmail.com
+kubeVersion: ">=1.9.0-0"
diff --git a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/README.md b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/README.md
new file mode 100644
index 0000000..9e18388
--- /dev/null
+++ b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/README.md
@@ -0,0 +1,323 @@
+# oauth2-proxy
+
+[oauth2-proxy](https://github.com/oauth2-proxy/oauth2-proxy) is a reverse proxy and static file server that provides authentication using Providers (Google, GitHub, and others) to validate accounts by email, domain or group.
+
+## TL;DR;
+
+```console
+$ helm repo add oauth2-proxy https://oauth2-proxy.github.io/manifests
+$ helm install my-release oauth2-proxy/oauth2-proxy
+```
+
+## Introduction
+
+This chart bootstraps an oauth2-proxy deployment on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager.
+
+## Installing the Chart
+
+To install the chart with the release name `my-release`:
+
+```console
+$ helm install my-release oauth2-proxy/oauth2-proxy
+```
+
+The command deploys oauth2-proxy on the Kubernetes cluster in the default configuration. The [configuration](#configuration) section lists the parameters that can be configured during installation.
+
+## Uninstalling the Chart
+
+To uninstall/delete the `my-release` deployment:
+
+```console
+$ helm uninstall my-release
+```
+
+The command removes all the Kubernetes components associated with the chart and deletes the release.
+
+## Upgrading an existing Release to a new major version
+
+A major chart version change (like v1.2.3 -> v2.0.0) indicates that there is an
+incompatible breaking change needing manual actions.
+
+### To 1.0.0
+
+This version upgrades oauth2-proxy to v4.0.0. Please see the [changelog](https://github.com/oauth2-proxy/oauth2-proxy/blob/v4.0.0/CHANGELOG.md#v400) in order to upgrade.
+
+### To 2.0.0
+
+Version 2.0.0 of this chart introduces support for Kubernetes v1.16.x by way of addressing the deprecation of the Deployment object apiVersion `apps/v1beta2`.  See [the v1.16 API deprecations page](https://kubernetes.io/blog/2019/07/18/api-deprecations-in-1-16/) for more information.
+
+Due to [this issue](https://github.com/helm/helm/issues/6583) there may be errors performing a `helm upgrade` of this chart from versions earlier than 2.0.0.
+
+### To 3.0.0
+
+Version 3.0.0 introduces support for [EKS IAM roles for service accounts](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html) by adding a managed service account to the chart.  This is a breaking change since the service account is enabled by default.  To disable this behaviour set `serviceAccount.enabled` to `false`
+
+### To 4.0.0
+
+Version 4.0.0 adds support for the new Ingress apiVersion **networking.k8s.io/v1**.
+Therefore the `ingress.extraPaths` parameter needs to be updated to the new format.
+See the [v1.22 API deprecations guide](https://kubernetes.io/docs/reference/using-api/deprecation-guide/#ingress-v122) for more information.
+
+For the same reason `service.port` was renamed to `service.portNumber`.
+
+### To 5.0.0
+
+Version 5.0.0 introduces support for custom labels and refactor [Kubernetes recommended labels](https://kubernetes.io/docs/concepts/overview/working-with-objects/common-labels/). This is a breaking change because many labels of all resources need to be updated to stay consistent.
+
+In order to upgrade, delete the Deployment before upgrading:
+
+```bash
+kubectl delete deployment my-release-oauth2-proxy
+```
+
+This will introduce a slight downtime.
+
+For users who don't want downtime, you can perform these actions:
+
+- Perform a non-cascading removal of the deployment that keeps the pods running
+- Add new labels to pods
+- Perform `helm upgrade`
+
+### To 6.0.0
+
+Version 6.0.0 bumps the version of the redis subchart from ~10.6.0 to ~16.4.0. You probably need to adjust your redis config. See [here](https://github.com/bitnami/charts/tree/master/bitnami/redis#upgrading) for detailed upgrade instructions.
+
+## Configuration
+
+The following table lists the configurable parameters of the oauth2-proxy chart and their default values.
+
+Parameter | Description | Default
+--- | --- | ---
+`affinity` | node/pod affinities | None
+`authenticatedEmailsFile.enabled` | Enables authorize individual email addresses | `false`
+`authenticatedEmailsFile.persistence` | Defines how the email addresses file will be projected, via a configmap or secret | `configmap`
+`authenticatedEmailsFile.template` | Name of the configmap or secret that is handled outside of that chart | `""`
+`authenticatedEmailsFile.restrictedUserAccessKey` | The key of the configmap or secret that holds the email addresses list | `""`
+`authenticatedEmailsFile.restricted_access` | [email addresses](https://oauth2-proxy.github.io/oauth2-proxy/docs/configuration/oauth_provider#email-authentication) list config | `""`
+`authenticatedEmailsFile.annotations` | configmap or secret annotations | `nil`
+`config.clientID` | oauth client ID | `""`
+`config.clientSecret` | oauth client secret | `""`
+`config.cookieSecret` | server specific cookie for the secret; create a new one with `openssl rand -base64 32 \| head -c 32 \| base64` | `""`
+`config.existingSecret` | existing Kubernetes secret to use for OAuth2 credentials. See [secret template](https://github.com/oauth2-proxy/manifests/blob/master/helm/oauth2-proxy/templates/secret.yaml) for the required values | `nil`
+`config.configFile` | custom [oauth2_proxy.cfg](https://github.com/oauth2-proxy/oauth2-proxy/blob/master/contrib/oauth2-proxy.cfg.example) contents for settings not overridable via environment nor command line | `""`
+`config.existingConfig` | existing Kubernetes configmap to use for the configuration file. See [config template](https://github.com/oauth2-proxy/manifests/blob/master/helm/oauth2-proxy/templates/configmap.yaml) for the required values | `nil`
+`config.cookieName` | The name of the cookie that oauth2-proxy will create. | `""`
+`alphaConfig.enabled` | Flag to toggle any alpha config related logic | `false`
+`alphaConfig.annotations` | Configmap annotations | `{}`
+`alphaConfig.serverConfigData` | Arbitrary configuration data to append to the server section | `{}`
+`alphaConfig.metricsConfigData` | Arbitrary configuration data to append to the metrics section | `{}`
+`alphaConfig.configData` | Arbitrary configuration data to append | `{}`
+`alphaConfig.existingConfig` | existing Kubernetes configmap to use for the alpha configuration file. See [config template](https://github.com/oauth2-proxy/manifests/blob/master/helm/oauth2-proxy/templates/configmap-alpha.yaml) for the required values | `nil`
+`customLabels` | Custom labels to add into metadata | `{}` |
+`config.google.adminEmail` | user impersonated by the google service account | `""`
+`config.google.useApplicationDefaultCredentials` | use the application-default credentials (i.e. Workload Identity on GKE) instead of providing a service account json | `false`
+`config.google.targetPrincipal` | service account to use/impersonate | `""`
+`config.google.serviceAccountJson` | google service account json contents | `""`
+`config.google.existingConfig` | existing Kubernetes configmap to use for the service account file. See [google secret template](https://github.com/oauth2-proxy/manifests/blob/master/helm/oauth2-proxy/templates/google-secret.yaml) for the required values | `nil`
+`config.google.groups` | restrict logins to members of these google groups | `[]`
+`containerPort` | used to customise port on the deployment | `""`
+`extraArgs` | Extra arguments to give the binary. Either as a map with key:value pairs or as a list type, which allows to configure the same flag multiple times. (e.g. `["--allowed-role=CLIENT_ID:CLIENT_ROLE_NAME_A", "--allowed-role=CLIENT_ID:CLIENT_ROLE_NAME_B"]`). | `{}` or `[]`
+`extraContainers` | List of extra containers to be added to the pod | `[]`
+`extraEnv` | key:value list of extra environment variables to give the binary | `[]`
+`extraVolumes` | list of extra volumes | `[]`
+`extraVolumeMounts` | list of extra volumeMounts | `[]`
+`hostAlias.enabled`  | provide extra ip:hostname alias for network name resolution.
+`hostAlias.ip`  | `ip` address `hostAliases.hostname` should resolve to.
+`hostAlias.hostname`  | `hostname` associated to `hostAliases.ip`.
+`htpasswdFile.enabled` | enable htpasswd-file option | `false`
+`htpasswdFile.entries` | list of [encrypted user:passwords](https://oauth2-proxy.github.io/oauth2-proxy/docs/configuration/overview#command-line-options) | `{}`
+`htpasswdFile.existingSecret` | existing Kubernetes secret to use for OAuth2 htpasswd file | `""`
+`httpScheme` | `http` or `https`. `name` used for port on the deployment. `httpGet` port `name` and `scheme` used for `liveness`- and `readinessProbes`. `name` and `targetPort` used for the service. | `http`
+`image.pullPolicy` | Image pull policy | `IfNotPresent`
+`image.repository` | Image repository | `quay.io/oauth2-proxy/oauth2-proxy`
+`image.tag` | Image tag | `""` (defaults to appVersion)
+`imagePullSecrets` | Specify image pull secrets | `nil` (does not add image pull secrets to deployed pods)
+`ingress.enabled` | Enable Ingress | `false`
+`ingress.className` | name referencing IngressClass | `nil`
+`ingress.path` | Ingress accepted path | `/`
+`ingress.pathType` | Ingress [path type](https://kubernetes.io/docs/concepts/services-networking/ingress/#path-types) | `ImplementationSpecific`
+`ingress.extraPaths` | Ingress extra paths to prepend to every host configuration. Useful when configuring [custom actions with AWS ALB Ingress Controller](https://kubernetes-sigs.github.io/aws-alb-ingress-controller/guide/ingress/annotation/#actions). | `[]`
+`ingress.annotations` | Ingress annotations | `nil`
+`ingress.hosts` | Ingress accepted hostnames | `nil`
+`ingress.tls` | Ingress TLS configuration | `nil`
+`livenessProbe.enabled`  | enable Kubernetes livenessProbe. Disable to use oauth2-proxy with Istio mTLS. See [Istio FAQ](https://istio.io/help/faq/security/#k8s-health-checks) | `true`
+`livenessProbe.initialDelaySeconds` | number of seconds | 0
+`livenessProbe.timeoutSeconds` | number of seconds | 1
+`nodeSelector` | node labels for pod assignment | `{}`
+`deploymentAnnotations` | annotations to add to the deployment | `{}`
+`podAnnotations` | annotations to add to each pod | `{}`
+`podLabels` | additional labesl to add to each pod | `{}`
+`podDisruptionBudget.enabled`| Enabled creation of PodDisruptionBudget (only if replicaCount > 1) | true
+`podDisruptionBudget.minAvailable`| minAvailable parameter for PodDisruptionBudget | 1
+`podSecurityContext` | Kubernetes security context to apply to pod | `{}`
+`priorityClassName` | priorityClassName | `nil`
+`readinessProbe.enabled` | enable Kubernetes readinessProbe. Disable to use oauth2-proxy with Istio mTLS. See [Istio FAQ](https://istio.io/help/faq/security/#k8s-health-checks) | `true`
+`readinessProbe.initialDelaySeconds` | number of seconds | 0
+`readinessProbe.timeoutSeconds` | number of seconds | 5
+`readinessProbe.periodSeconds` | number of seconds | 10
+`readinessProbe.successThreshold` | number of successes | 1
+`replicaCount` | desired number of pods | `1`
+`resources` | pod resource requests & limits | `{}`
+`revisionHistoryLimit` | maximum number of revisions maintained | 10
+`service.portNumber` | port number for the service | `80`
+`service.appProtocol` | application protocol on the port of the service | `http`
+`service.type` | type of service | `ClusterIP`
+`service.clusterIP` | cluster ip address | `nil`
+`service.loadBalancerIP` | ip of load balancer | `nil`
+`service.loadBalancerSourceRanges` | allowed source ranges in load balancer | `nil`
+`service.nodePort` | external port number for the service when service.type is `NodePort` | `nil`
+`serviceAccount.enabled` | create a service account | `true`
+`serviceAccount.name` | the service account name | ``
+`serviceAccount.annotations` | (optional) annotations for the service account | `{}`
+`tolerations` | list of node taints to tolerate | `[]`
+`securityContext.enabled` | enable Kubernetes security context on container | `false`
+`securityContext.runAsNonRoot` | make sure that the container runs as a non-root user | `true`
+`proxyVarsAsSecrets` | choose between environment values or secrets for setting up OAUTH2_PROXY variables. When set to false, remember to add the variables OAUTH2_PROXY_CLIENT_ID, OAUTH2_PROXY_CLIENT_SECRET, OAUTH2_PROXY_COOKIE_SECRET in extraEnv | `true`
+`sessionStorage.type` | Session storage type which can be one of the following: cookie or redis | `cookie`
+`sessionStorage.redis.existingSecret` | Name of the Kubernetes secret containing the redis & redis sentinel password values (see also `sessionStorage.redis.passwordKey`) | `""`
+`sessionStorage.redis.password` | Redis password. Applicable for all Redis configurations. Taken from redis subchart secret if not set. sessionStorage.redis.existingSecret takes precedence | `nil`
+`sessionStorage.redis.passwordKey` | Key of the Kubernetes secret data containing the redis password value | `redis-password`
+`sessionStorage.redis.clientType` | Allows the user to select which type of client will be used for redis instance. Possible options are: `sentinel`, `cluster` or `standalone` | `standalone`
+`sessionStorage.redis.standalone.connectionUrl` | URL of redis standalone server for redis session storage (e.g. `redis://HOST[:PORT]`). Automatically generated if not set. | `""`
+`sessionStorage.redis.cluster.connectionUrls` | List of Redis cluster connection URLs (e.g. `["redis://127.0.0.1:8000", "redis://127.0.0.1:8000"]`) | `[]`
+`sessionStorage.redis.sentinel.existingSecret` | Name of the Kubernetes secret containing the redis sentinel password value (see also `sessionStorage.redis.sentinel.passwordKey`). Default: `sessionStorage.redis.existingSecret` | `""`
+`sessionStorage.redis.sentinel.password` | Redis sentinel password. Used only for sentinel connection; any redis node passwords need to use `sessionStorage.redis.password` | `nil`
+`sessionStorage.redis.sentinel.passwordKey` | Key of the Kubernetes secret data containing the redis sentinel password value | `redis-sentinel-password`
+`sessionStorage.redis.sentinel.masterName` | Redis sentinel master name | `nil`
+`sessionStorage.redis.sentinel.connectionUrls` | List of Redis sentinel connection URLs (e.g. `["redis://127.0.0.1:8000", "redis://127.0.0.1:8000"]`) | `[]`
+`topologySpreadConstraints` | List of pod topology spread constraints | `[]`
+`redis.enabled` | Enable the redis subchart deployment | `false`
+`checkDeprecation` | Enable deprecation checks | `true`
+`metrics.enabled` | Enable Prometheus metrics endpoint | `true`
+`metrics.port` | Serve Prometheus metrics on this port | `44180`
+`metrics.nodePort` | External port for the metrics when service.type is `NodePort` | `nil`
+`metrics.service.appProtocol` | application protocol of the metrics port in the service | `http`
+`metrics.servicemonitor.enabled` | Enable Prometheus Operator ServiceMonitor | `false`
+`metrics.servicemonitor.namespace` | Define the namespace where to deploy the ServiceMonitor resource | `""`
+`metrics.servicemonitor.prometheusInstance` | Prometheus Instance definition | `default`
+`metrics.servicemonitor.interval` | Prometheus scrape interval | `60s`
+`metrics.servicemonitor.scrapeTimeout` | Prometheus scrape timeout | `30s`
+`metrics.servicemonitor.labels` | Add custom labels to the ServiceMonitor resource| `{}`
+`extraObjects` | Extra K8s manifests to deploy | `[]`
+
+Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example,
+
+```console
+$ helm install my-release oauth2-proxy/oauth2-proxy \
+  --set=image.tag=v0.0.2,resources.limits.cpu=200m
+```
+
+Alternatively, a YAML file that specifies the values for the above parameters can be provided while installing the chart. For example,
+
+```console
+$ helm install my-release oauth2-proxy/oauth2-proxy -f values.yaml
+```
+
+> **Tip**: You can use the default [values.yaml](values.yaml)
+
+## TLS Configuration
+
+See: [TLS Configuration](https://oauth2-proxy.github.io/oauth2-proxy/docs/configuration/tls).
+Use ```values.yaml``` like:
+
+```yaml
+...
+extraArgs:
+  tls-cert-file: /path/to/cert.pem
+  tls-key-file: /path/to/cert.key
+
+extraVolumes:
+  - name: ssl-cert
+    secret:
+      secretName: my-ssl-secret
+
+extraVolumeMounts:
+  - mountPath: /path/to/
+    name: ssl-cert
+...
+```
+
+With a secret called `my-ssl-secret`:
+
+```yaml
+...
+data:
+  cert.pem: AB..==
+  cert.key: CD..==
+```
+
+## Extra environment variable templating
+The extraEnv value supports the tpl function which evaluate strings as templates inside the deployment template.
+This is useful to pass a template string as a value to the chart's extra environment variables and to render external configuration environment values
+
+
+```yaml
+...
+tplValue: "This is a test value for the tpl function"
+extraEnv:
+  - name: TEST_ENV_VAR_1
+    value: test_value_1
+  - name: TEST_ENV_VAR_2
+    value: '{{ .Values.tplValue }}'
+```
+
+## Custom templates configuration
+You can replace the default template files using a Kubernetes `configMap` volume. The default templates are the two files [sign_in.html](https://github.com/oauth2-proxy/oauth2-proxy/blob/master/pkg/app/pagewriter/sign_in.html) and [error.html](https://github.com/oauth2-proxy/oauth2-proxy/blob/master/pkg/app/pagewriter/error.html).
+
+```yaml
+config:
+  configFile: |
+    ...
+    custom_templates_dir = "/data/custom-templates"
+
+extraVolumes:
+  - name: custom-templates
+    configMap:
+      name: oauth2-proxy-custom-templates
+
+extraVolumeMounts:
+  - name: custom-templates
+    mountPath: "/data/custom-templates"
+    readOnly: true
+
+extraObjects:
+  - apiVersion: v1
+    kind: ConfigMap
+    metadata:
+      name: oauth2-proxy-custom-templates
+    data:
+      sign_in.html: |
+        <!DOCTYPE html>
+        <html>
+        <body>sign_in</body>
+        </html>
+      error.html: |
+        <!DOCTYPE html>
+        <html>
+        <body>
+        <h1>error</h1>
+        <p>{{.StatusCode}}</p>
+        </body>
+        </html>
+```
+## Multi whitelist-domain configuration
+For using multi whitelist-domain configuration for one Oauth2-proxy instance, you have to use the config.configFile section.
+
+It will be overwriting the `/etc/oauth2_proxy/oauth2_proxy.cfg` configuration file.
+In this example, Google provider is used, but you can find all other provider configuration here [oauth_provider](https://oauth2-proxy.github.io/oauth2-proxy/docs/configuration/oauth_provider/)
+
+```yaml
+config:
+  ...
+  clientID="$YOUR_GOOGLE_CLIENT_ID"
+  clientSecret="$YOUR_GOOGLE_CLIENT_SECRET"
+  cookieSecret="$YOUR_COOKIE_SECRET"
+  configFile: |
+    ...
+    email_domains = [ "*" ]
+    upstreams = [ "file:///dev/null" ]
+    cookie_secure = "false"
+    cookie_domains = [ ".domain.com", ".otherdomain.io" ]
+    whitelist_domains = [ ".domain.com", ".otherdomain.io"]
+    provider = "google"
+```
diff --git a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/ci/default-values.yaml b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/ci/default-values.yaml
new file mode 100644
index 0000000..fc2ba60
--- /dev/null
+++ b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/ci/default-values.yaml
@@ -0,0 +1 @@
+# Leave this file empty to ensure that CI runs builds against the default configuration in values.yaml.
diff --git a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/ci/extra-args-as-dict-values.yaml b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/ci/extra-args-as-dict-values.yaml
new file mode 100644
index 0000000..92dc451
--- /dev/null
+++ b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/ci/extra-args-as-dict-values.yaml
@@ -0,0 +1,4 @@
+extraArgs:
+  pass-authorization-header: "true"
+  request-logging: "true"
+  allowed-role: client_id:client_role
diff --git a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/ci/extra-args-as-list-values.yaml b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/ci/extra-args-as-list-values.yaml
new file mode 100644
index 0000000..5f47a5f
--- /dev/null
+++ b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/ci/extra-args-as-list-values.yaml
@@ -0,0 +1,5 @@
+extraArgs:
+  - "--pass-authorization-header=true"
+  - "--request-logging=true"
+  - --allowed-role=client_id:client_role_A
+  - --allowed-role=client_id_B:client_role_C
diff --git a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/ci/extra-env-tpl-values.yaml b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/ci/extra-env-tpl-values.yaml
new file mode 100644
index 0000000..357dba9
--- /dev/null
+++ b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/ci/extra-env-tpl-values.yaml
@@ -0,0 +1,6 @@
+tplValue: "This is a test value for the template function"
+extraEnv:
+  - name: TEST_ENV_VAR_1
+    value: test_value_1
+  - name: TEST_ENV_VAR_2
+    value: '{{ .Values.tplValue }}'
diff --git a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/ci/ingress-extra-paths-values.yaml b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/ci/ingress-extra-paths-values.yaml
new file mode 100644
index 0000000..e74a393
--- /dev/null
+++ b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/ci/ingress-extra-paths-values.yaml
@@ -0,0 +1,14 @@
+ingress:
+  enabled: true
+  path: /
+  pathType: ImplementationSpecific
+  hosts:
+    - chart-example.local
+  extraPaths:
+    - path: /*
+      pathType: ImplementationSpecific
+      backend:
+        service:
+          name: ssl-redirect
+          port:
+            name: use-annotation
diff --git a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/ci/pdb-values.yaml b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/ci/pdb-values.yaml
new file mode 100644
index 0000000..25b1627
--- /dev/null
+++ b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/ci/pdb-values.yaml
@@ -0,0 +1 @@
+replicaCount: 2  # Enables PodDisruptionBudget which is disabled when replicaCount is 1
diff --git a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/ci/pod-security-context-values.yaml b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/ci/pod-security-context-values.yaml
new file mode 100644
index 0000000..b7c8cea
--- /dev/null
+++ b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/ci/pod-security-context-values.yaml
@@ -0,0 +1,4 @@
+# Allocate a FSGroup that owns the pod’s volumes via podSecurityContext
+---
+podSecurityContext:
+  fsGroup: 2000
diff --git a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/ci/redis-standalone-values.yaml b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/ci/redis-standalone-values.yaml
new file mode 100644
index 0000000..e3418c3
--- /dev/null
+++ b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/ci/redis-standalone-values.yaml
@@ -0,0 +1,12 @@
+sessionStorage:
+  type: redis
+  redis:
+    clientType: "standalone"
+    password: "foo"
+redis:
+  # provision an instance of the redis sub-chart
+  enabled: true
+  architecture: standalone
+  global:
+    redis:
+      password: "foo"
diff --git a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/ci/servicemonitor-values.yaml b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/ci/servicemonitor-values.yaml
new file mode 100644
index 0000000..9d31c28
--- /dev/null
+++ b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/ci/servicemonitor-values.yaml
@@ -0,0 +1,4 @@
+metrics:
+  enabled: true
+  serviceMonitor:
+    enabled: true
diff --git a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/ci/tpl-values.yaml b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/ci/tpl-values.yaml
new file mode 100644
index 0000000..65977d9
--- /dev/null
+++ b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/ci/tpl-values.yaml
@@ -0,0 +1,21 @@
+extraEnv:
+  - name: TEST_ENV_VAR_2
+    value: '{{ $.Release.Name }}'
+ingress:
+  enabled: true
+  hosts:
+    - "{{ $.Release.Name }}.local"
+  tls:
+    - hosts:
+        - "{{ $.Release.Name }}.local"
+oauth2-proxy:
+  checkDeprecation: false
+  config:
+    clientSecret: '{{ $.Release.Name }}'
+    configFile: |
+      oidc_issuer_url = "https://{{ $.Release.Name }}/dex"
+
+pass_authorization_header: "true"
+
+extraArgs:
+  pass-authorization-header: "{{ $.Values.pass_authorization_header }}"
diff --git a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/NOTES.txt b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/NOTES.txt
new file mode 100644
index 0000000..aa749e0
--- /dev/null
+++ b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/NOTES.txt
@@ -0,0 +1,3 @@
+To verify that oauth2-proxy has started, run:
+
+  kubectl --namespace={{ .Release.Namespace }} get pods -l "app={{ template "oauth2-proxy.name" . }}"
diff --git a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/_capabilities.tpl b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/_capabilities.tpl
new file mode 100644
index 0000000..f959f10
--- /dev/null
+++ b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/_capabilities.tpl
@@ -0,0 +1,23 @@
+{{/*
+Returns the appropriate apiVersion for podDisruptionBudget object.
+*/}}
+{{- define "capabilities.podDisruptionBudget.apiVersion" -}}
+{{- if semverCompare ">=1.21-0" ( .Values.kubeVersion | default .Capabilities.KubeVersion.Version ) -}}
+{{- print "policy/v1" -}}
+{{- else -}}
+{{- print "policy/v1beta1" -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return the appropriate apiVersion for ingress object.
+*/}}
+{{- define "capabilities.ingress.apiVersion" -}}
+{{- if semverCompare "<1.14-0" ( .Values.kubeVersion | default .Capabilities.KubeVersion.Version ) -}}
+{{- print "extensions/v1beta1" -}}
+{{- else if semverCompare "<1.19-0" ( .Values.kubeVersion | default .Capabilities.KubeVersion.Version ) -}}
+{{- print "networking.k8s.io/v1beta1" -}}
+{{- else -}}
+{{- print "networking.k8s.io/v1" -}}
+{{- end -}}
+{{- end -}}
diff --git a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/_helpers.tpl b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/_helpers.tpl
new file mode 100644
index 0000000..87c6449
--- /dev/null
+++ b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/_helpers.tpl
@@ -0,0 +1,110 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "oauth2-proxy.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "oauth2-proxy.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "oauth2-proxy.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Generate basic labels
+*/}}
+{{- define "oauth2-proxy.labels" }}
+helm.sh/chart: {{ include "oauth2-proxy.chart" . }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+app.kubernetes.io/component: authentication-proxy
+app.kubernetes.io/part-of: {{ template "oauth2-proxy.name" . }}
+{{- include "oauth2-proxy.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+{{- if .Values.customLabels }}
+{{ toYaml .Values.customLabels }}
+{{- end }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "oauth2-proxy.selectorLabels" }}
+app.kubernetes.io/name: {{ include "oauth2-proxy.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Get the secret name.
+*/}}
+{{- define "oauth2-proxy.secretName" -}}
+{{- if .Values.config.existingSecret -}}
+{{- printf "%s" .Values.config.existingSecret -}}
+{{- else -}}
+{{- printf "%s" (include "oauth2-proxy.fullname" .) -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "oauth2-proxy.serviceAccountName" -}}
+{{- if .Values.serviceAccount.enabled -}}
+    {{ default (include "oauth2-proxy.fullname" .) .Values.serviceAccount.name }}
+{{- else -}}
+    {{ default "default" .Values.serviceAccount.name }}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Redis subcharts fullname
+*/}}
+{{- define "oauth2-proxy.redis.fullname" -}}
+{{- if .Values.redis.enabled -}}
+{{- include "common.names.fullname" (dict "Chart" (dict "Name" "redis") "Release" .Release "Values" .Values.redis) -}}
+{{- else -}}
+{{ fail "attempting to use redis subcharts fullname, even though the subchart is not enabled. This will lead to misconfiguration" }}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Compute the redis url if not set explicitly.
+*/}}
+{{- define "oauth2-proxy.redis.StandaloneUrl" -}}
+{{- if .Values.sessionStorage.redis.standalone.connectionUrl -}}
+{{ .Values.sessionStorage.redis.standalone.connectionUrl }}
+{{- else if .Values.redis.enabled -}}
+{{- printf "redis://%s-master:%.0f" (include "oauth2-proxy.redis.fullname" .) .Values.redis.master.service.ports.redis -}}
+{{- else -}}
+{{ fail "please set sessionStorage.redis.standalone.connectionUrl or enable the redis subchart via redis.enabled" }}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Returns the version
+*/}}
+{{- define "oauth2-proxy.version" -}}
+{{ trimPrefix "v" (lower (.Values.image.tag | default (printf "v%s" .Chart.AppVersion))) }}
+{{- end -}}
diff --git a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/_ingress.tpl b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/_ingress.tpl
new file mode 100644
index 0000000..f4a3cad
--- /dev/null
+++ b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/_ingress.tpl
@@ -0,0 +1,46 @@
+{{/*
+Returns `true` if the API `ingressClassName` field is supported and `false` otherwise
+*/}}
+{{- define "ingress.supportsIngressClassName" -}}
+{{- if ( semverCompare "<1.18-0" ( .Values.kubeVersion | default .Capabilities.KubeVersion.Version ) ) -}}
+{{- print "false" -}}
+{{- else -}}
+{{- print "true" -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Returns `true` if the API `pathType` field is supported and `false` otherwise
+*/}}
+{{- define "ingress.supportsPathType" -}}
+{{- if ( semverCompare "<1.18-0" ( .Values.kubeVersion | default .Capabilities.KubeVersion.Version ) ) -}}
+{{- print "false" -}}
+{{- else -}}
+{{- print "true" -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Returns the appropriate ingress `backend` fields depending on the Kubernetes API version.
+e.g.: `{{ include "common.ingress.backend" (dict "serviceName" "backendName" "servicePort" "backendPort" "context" $) }}`
+Where the dict must contain the following entries:
+- `serviceName` {String} - Name of an existing service backend
+- `servicePort` {String|Number} - Port name or port number of the service.
+- `context` {Dict} - (Parent) Context for the template evaluation required for the API version detection.
+*/}}
+{{- define "ingress.backend" -}}
+{{- $apiVersion := ( include "capabilities.ingress.apiVersion" .context ) -}}
+{{- if or ( eq $apiVersion "extensions/v1beta1" ) ( eq $apiVersion "networking.k8s.io/v1beta1" ) -}}
+serviceName: {{ .serviceName }}
+servicePort: {{ .servicePort }}
+{{- else -}}
+service:
+  name: {{ .serviceName }}
+  port:
+    {{- if typeIs "string" .servicePort }}
+    name: {{ .servicePort }}
+    {{- else if or ( typeIs "int" .servicePort ) ( typeIs "float64" .servicePort ) }}
+    number: {{ .servicePort }}
+    {{- end }}
+{{- end -}}
+{{- end -}}
diff --git a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/configmap-alpha.yaml b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/configmap-alpha.yaml
new file mode 100644
index 0000000..7ba0273
--- /dev/null
+++ b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/configmap-alpha.yaml
@@ -0,0 +1,32 @@
+{{- if .Values.alphaConfig.enabled }}
+{{- if not .Values.alphaConfig.existingConfig }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+{{- if .Values.alphaConfig.annotations }}
+  annotations: {{- toYaml .Values.alphaConfig.annotations | nindent 4 }}
+{{- end }}
+  labels:
+    app: {{ template "oauth2-proxy.name" . }}
+    {{- include "oauth2-proxy.labels" . | indent 4 }}
+  name: {{ template "oauth2-proxy.fullname" . }}-alpha
+data:
+  oauth2_proxy.yml: |
+    ---
+    server:
+      BindAddress: '0.0.0.0:4180'
+    {{- if .Values.alphaConfig.serverConfigData }}
+    {{- toYaml .Values.alphaConfig.serverConfigData | nindent 6 }}
+    {{- end }}
+    {{- if .Values.metrics.enabled }}
+    metricsServer:
+      BindAddress: '0.0.0.0:44180'
+    {{- if .Values.alphaConfig.metricsConfigData }}
+    {{- toYaml .Values.alphaConfig.metricsConfigData | nindent 6 }}
+    {{- end }}
+    {{- end }}
+    {{- if .Values.alphaConfig.configData }}
+    {{- toYaml .Values.alphaConfig.configData | nindent 4 }}
+    {{- end }}
+{{- end }}
+{{- end }}
diff --git a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/configmap-authenticated-emails-file.yaml b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/configmap-authenticated-emails-file.yaml
new file mode 100644
index 0000000..cf4e77e
--- /dev/null
+++ b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/configmap-authenticated-emails-file.yaml
@@ -0,0 +1,17 @@
+{{- if .Values.authenticatedEmailsFile.enabled }}
+{{- if and (.Values.authenticatedEmailsFile.restricted_access) (eq .Values.authenticatedEmailsFile.persistence "configmap")  }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  labels:
+    app: {{ template "oauth2-proxy.name" . }}
+{{- include "oauth2-proxy.labels" . | indent 4 }}
+{{- if .Values.authenticatedEmailsFile.annotations }}
+  annotations:
+{{ toYaml .Values.authenticatedEmailsFile.annotations | indent 4 }}
+{{- end }}
+  name: {{ template "oauth2-proxy.fullname" . }}-accesslist
+data:
+  {{ default "restricted_user_access" .Values.authenticatedEmailsFile.restrictedUserAccessKey }}: {{ .Values.authenticatedEmailsFile.restricted_access | quote }}
+{{- end }}
+{{- end }}
diff --git a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/configmap.yaml b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/configmap.yaml
new file mode 100644
index 0000000..8a19ccb
--- /dev/null
+++ b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/configmap.yaml
@@ -0,0 +1,17 @@
+{{- if not .Values.config.existingConfig }}
+{{- if .Values.config.configFile }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+{{- if .Values.config.annotations }}
+  annotations:
+{{ toYaml .Values.config.annotations | indent 4 }}
+{{- end }}
+  labels:
+    app: {{ template "oauth2-proxy.name" . }}
+{{- include "oauth2-proxy.labels" . | indent 4 }}
+  name: {{ template "oauth2-proxy.fullname" . }}
+data:
+  oauth2_proxy.cfg: {{ tpl .Values.config.configFile $ | quote }}
+{{- end }}
+{{- end }}
diff --git a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/deployment.yaml b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/deployment.yaml
new file mode 100644
index 0000000..4523591
--- /dev/null
+++ b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/deployment.yaml
@@ -0,0 +1,345 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: {{ template "oauth2-proxy.name" . }}
+{{- include "oauth2-proxy.labels" . | indent 4 }}
+  {{- if .Values.deploymentAnnotations }}
+  annotations:
+{{ toYaml .Values.deploymentAnnotations | indent 8 }}
+  {{- end }}
+  name: {{ template "oauth2-proxy.fullname" . }}
+spec:
+  replicas: {{ .Values.replicaCount }}
+  {{- if .Values.revisionHistoryLimit }}
+  revisionHistoryLimit: {{ .Values.revisionHistoryLimit }}
+  {{- end }}
+  selector:
+    matchLabels:
+      {{- include "oauth2-proxy.selectorLabels" . | indent 6 }}
+  template:
+    metadata:
+      annotations:
+        checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
+        {{- if .Values.alphaConfig.enabled }}
+        checksum/alpha-config: {{ include (print $.Template.BasePath "/configmap-alpha.yaml") . | sha256sum }}
+        {{- end }}
+        checksum/config-emails: {{ include (print $.Template.BasePath "/configmap-authenticated-emails-file.yaml") . | sha256sum }}
+        checksum/secret: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }}
+        checksum/google-secret: {{ include (print $.Template.BasePath "/google-secret.yaml") . | sha256sum }}
+        checksum/redis-secret: {{ include (print $.Template.BasePath "/redis-secret.yaml") . | sha256sum }}
+{{- if .Values.htpasswdFile.enabled }}
+        checksum/htpasswd: {{ include (print $.Template.BasePath "/secret-htpasswd-file.yaml") . | sha256sum }}
+{{- end }}
+    {{- if .Values.podAnnotations }}
+{{ toYaml .Values.podAnnotations | indent 8 }}
+    {{- end }}
+      labels:
+        app: {{ template "oauth2-proxy.name" . }}
+        {{- include "oauth2-proxy.labels" . | indent 8 }}
+      {{- if .Values.podLabels }}
+{{ toYaml .Values.podLabels | indent 8 }}
+      {{- end }}
+    spec:
+    {{- if .Values.priorityClassName }}
+      priorityClassName: "{{ .Values.priorityClassName }}"
+    {{- end }}
+      {{- with .Values.podSecurityContext }}
+      securityContext:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      serviceAccountName: {{ template "oauth2-proxy.serviceAccountName" . }}
+      automountServiceAccountToken : {{ .Values.serviceAccount.automountServiceAccountToken }}
+      {{- if .Values.hostAlias.enabled }}
+      hostAliases:
+        - ip: {{ .Values.hostAlias.ip }}
+          hostnames:
+          - {{ .Values.hostAlias.hostname }}
+      {{- end }}
+      containers:
+      - name: {{ .Chart.Name }}
+        image: "{{ include "repositoryGenerator.quayRepository" . }}/{{ .Values.image.repository }}:v{{ include "oauth2-proxy.version" . }}"
+        #image: "{{ .Values.image.repository }}:v{{ include "oauth2-proxy.version" . }}"
+        imagePullPolicy: {{ .Values.image.pullPolicy }}
+        args:
+        {{- if .Values.alphaConfig.enabled }}
+          - --alpha-config=/etc/oauth2_proxy/oauth2_proxy.yml
+        {{- else }}
+          - --http-address=0.0.0.0:4180
+          - --https-address=0.0.0.0:4443
+        {{- if .Values.metrics.enabled }}
+          - --metrics-address=0.0.0.0:44180
+        {{- end }}
+        {{- end }}
+        {{- if .Values.config.cookieName }}
+          - --cookie-name={{ .Values.config.cookieName }}
+        {{- end }}
+        {{- if kindIs "map" .Values.extraArgs }}
+          {{- range $key, $value := .Values.extraArgs }}
+          {{- if $value }}
+          - --{{ $key }}={{ tpl ($value | toString) $ }}
+          {{- else }}
+          - --{{ $key }}
+          {{- end }}
+          {{- end }}
+        {{- end }}
+        {{- if kindIs "slice" .Values.extraArgs }}
+          {{- with .Values.extraArgs }}
+            {{- toYaml . | nindent 10 }}
+          {{- end }}
+        {{- end }}
+        {{- if or .Values.config.existingConfig .Values.config.configFile }}
+          - --config=/etc/oauth2_proxy/oauth2_proxy.cfg
+        {{- end }}
+        {{- if .Values.authenticatedEmailsFile.enabled }}
+        {{- if .Values.authenticatedEmailsFile.template }}
+          - --authenticated-emails-file=/etc/oauth2-proxy/{{ .Values.authenticatedEmailsFile.template }}
+        {{- else }}
+          - --authenticated-emails-file=/etc/oauth2-proxy/authenticated-emails-list
+        {{- end }}
+        {{- end }}
+        {{- with .Values.config.google }}
+        {{- if and .adminEmail (or .serviceAccountJson .existingSecret .useApplicationDefaultCredentials) }}
+          - --google-admin-email={{ .adminEmail }}
+        {{- if .useApplicationDefaultCredentials }}
+          - --google-use-application-default-credentials=true
+        {{- else }}
+          - --google-service-account-json=/google/service-account.json
+        {{- end }}
+        {{- if .targetPrincipal }}
+          - --google-target-principal={{ .targetPrincipal }}
+        {{- end }}
+        {{- end }}
+        {{- if .groups }}
+        {{- range $group := .groups }}
+          - --google-group={{ $group }}
+        {{- end }}
+        {{- end }}
+        {{- end }}
+        {{- if .Values.htpasswdFile.enabled }}
+          - --htpasswd-file=/etc/oauth2_proxy/htpasswd/users.txt
+        {{- end }}
+        env:
+        {{- if .Values.proxyVarsAsSecrets }}
+        - name: OAUTH2_PROXY_CLIENT_ID
+          valueFrom:
+            secretKeyRef:
+              name:  {{ template "oauth2-proxy.secretName" . }}
+              key: client-id
+        - name: OAUTH2_PROXY_CLIENT_SECRET
+          valueFrom:
+            secretKeyRef:
+              name:  {{ template "oauth2-proxy.secretName" . }}
+              key: client-secret
+        - name: OAUTH2_PROXY_COOKIE_SECRET
+          valueFrom:
+            secretKeyRef:
+              name:  {{ template "oauth2-proxy.secretName" . }}
+              key: cookie-secret
+        {{- end }}
+        {{- if eq (default "cookie" .Values.sessionStorage.type) "redis" }}
+        - name: OAUTH2_PROXY_SESSION_STORE_TYPE
+          value: "redis"
+         {{- if or .Values.sessionStorage.redis.existingSecret .Values.sessionStorage.redis.password (and .Values.redis.enabled (.Values.redis.auth).enabled )}}
+        - name: OAUTH2_PROXY_REDIS_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              {{- if .Values.sessionStorage.redis.existingSecret }}
+              name: {{ .Values.sessionStorage.redis.existingSecret }}
+              {{- else if .Values.sessionStorage.redis.password }}
+              name: {{ template "oauth2-proxy.fullname" . }}-redis-access
+              {{- else }}
+              name: {{ include "oauth2-proxy.redis.fullname" . }}
+              {{- end }}
+              key: {{ .Values.sessionStorage.redis.passwordKey }}
+        {{- end }}
+        {{- if eq (default "" .Values.sessionStorage.redis.clientType) "standalone" }}
+        - name: OAUTH2_PROXY_REDIS_CONNECTION_URL
+          value: {{ include "oauth2-proxy.redis.StandaloneUrl" . }}
+        {{- else if eq (default "" .Values.sessionStorage.redis.clientType) "cluster" }}
+        - name: OAUTH2_PROXY_REDIS_USE_CLUSTER
+          value: "true"
+        - name: OAUTH2_PROXY_REDIS_CLUSTER_CONNECTION_URLS
+          value: {{ .Values.sessionStorage.redis.cluster.connectionUrls }}
+        {{- else if eq (default "" .Values.sessionStorage.redis.clientType) "sentinel" }}
+        - name: OAUTH2_PROXY_REDIS_USE_SENTINEL
+          value: "true"
+        - name: OAUTH2_PROXY_REDIS_SENTINEL_MASTER_NAME
+          value: {{ .Values.sessionStorage.redis.sentinel.masterName }}
+        - name: OAUTH2_PROXY_REDIS_SENTINEL_CONNECTION_URLS
+          value: {{ .Values.sessionStorage.redis.sentinel.connectionUrls }}
+        {{- if or .Values.sessionStorage.redis.sentinel.existingSecret .Values.sessionStorage.redis.existingSecret .Values.sessionStorage.redis.sentinel.password }}
+        - name: OAUTH2_PROXY_REDIS_SENTINEL_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              {{- if or .Values.sessionStorage.redis.sentinel.existingSecret .Values.sessionStorage.redis.existingSecret }}
+              name: {{ .Values.sessionStorage.redis.sentinel.existingSecret | default .Values.sessionStorage.redis.existingSecret }}
+              {{- else }}
+              name: {{ template "oauth2-proxy.fullname" . }}-redis-access
+              {{- end }}
+              key: {{ .Values.sessionStorage.redis.sentinel.passwordKey }}
+        {{- end }}
+        {{- end }}
+        {{- end }}
+        {{- if .Values.extraEnv }}
+{{ tpl (toYaml .Values.extraEnv) . | indent 8 }}
+        {{- end }}
+        ports:
+        {{- if .Values.containerPort }}
+          - containerPort: {{ .Values.containerPort }}
+        {{- else if (and (eq .Values.httpScheme "http") (empty .Values.containerPort)) }}
+          - containerPort: 4180
+        {{- else if (and (eq .Values.httpScheme "https") (empty .Values.containerPort)) }}
+          - containerPort: 4443
+        {{- else }}
+        {{- end}}
+            name: {{ .Values.httpScheme }}
+            protocol: TCP
+{{- if .Values.metrics.enabled }}
+          - containerPort: 44180
+            protocol: TCP
+            name: metrics
+{{- end }}
+{{- if .Values.livenessProbe.enabled }}
+        livenessProbe:
+          httpGet:
+            path: /ping
+            port: {{ .Values.httpScheme }}
+            scheme: {{ .Values.httpScheme | upper }}
+          initialDelaySeconds: {{ .Values.livenessProbe.initialDelaySeconds }}
+          timeoutSeconds: {{ .Values.livenessProbe.timeoutSeconds }}
+{{- end }}
+{{- if .Values.readinessProbe.enabled }}
+        readinessProbe:
+          httpGet:
+            path: {{ if gt (include "oauth2-proxy.version" .) "7.4.0" }}/ready{{ else }}/ping{{ end }}
+            port: {{ .Values.httpScheme }}
+            scheme: {{ .Values.httpScheme | upper }}
+          initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }}
+          timeoutSeconds: {{ .Values.readinessProbe.timeoutSeconds }}
+          successThreshold: {{ .Values.readinessProbe.successThreshold }}
+          periodSeconds: {{ .Values.readinessProbe.periodSeconds }}
+{{- end }}
+        resources:
+{{ toYaml .Values.resources | indent 10 }}
+        volumeMounts:
+{{- with .Values.config.google }}
+{{- if and .adminEmail (or .serviceAccountJson .existingSecret) }}
+        - name: google-secret
+          mountPath: /google
+          readOnly: true
+{{- end }}
+{{- end }}
+{{- if or .Values.config.existingConfig .Values.config.configFile }}
+        - mountPath: /etc/oauth2_proxy/oauth2_proxy.cfg
+          name: configmain
+          subPath: oauth2_proxy.cfg
+{{- end }}
+{{- if .Values.alphaConfig.enabled }}
+        - mountPath: /etc/oauth2_proxy/oauth2_proxy.yml
+          name: configalpha
+          subPath: oauth2_proxy.yml
+{{- end }}
+{{- if .Values.authenticatedEmailsFile.enabled }}
+        - mountPath: /etc/oauth2-proxy
+          name: configaccesslist
+          readOnly: true
+{{- end }}
+{{- if .Values.htpasswdFile.enabled }}
+        - mountPath: /etc/oauth2_proxy/htpasswd
+          name: {{ template "oauth2-proxy.fullname" . }}-htpasswd-file
+          readOnly: true
+{{- end }}
+{{- if ne (len .Values.extraVolumeMounts) 0 }}
+{{ toYaml .Values.extraVolumeMounts | indent 8 }}
+{{- end }}
+{{- if .Values.securityContext.enabled }}
+{{- $securityContext := unset .Values.securityContext "enabled" }}
+        securityContext:
+          {{- toYaml $securityContext | nindent 10 }}
+{{- end }}
+{{- if .Values.extraContainers }}
+  {{- toYaml .Values.extraContainers | nindent 6 }}
+{{- end }}
+      volumes:
+{{- with .Values.config.google }}
+{{- if and .adminEmail (or .serviceAccountJson .existingSecret) }}
+      - name: google-secret
+        secret:
+          secretName: {{ if .existingSecret }}{{ .existingSecret }}{{ else }} {{ template "oauth2-proxy.secretName" $ }}-google{{ end }}
+{{- end }}
+{{- end }}
+
+{{- if .Values.htpasswdFile.enabled }}
+      - name: {{ template "oauth2-proxy.fullname" . }}-htpasswd-file
+        secret:
+          secretName: {{ if .Values.htpasswdFile.existingSecret }}{{ .Values.htpasswdFile.existingSecret }}{{ else }} {{ template "oauth2-proxy.fullname" . }}-htpasswd-file {{ end }}
+{{- end }}
+
+{{- if and (.Values.authenticatedEmailsFile.enabled) (eq .Values.authenticatedEmailsFile.persistence "secret") }}
+      - name: configaccesslist
+        secret:
+          items:
+          - key: {{ default "restricted_user_access" .Values.authenticatedEmailsFile.restrictedUserAccessKey }}
+{{- if .Values.authenticatedEmailsFile.template }}
+            path: {{ .Values.authenticatedEmailsFile.template }}
+{{- else }}
+            path: authenticated-emails-list
+{{- end }}
+{{- if .Values.authenticatedEmailsFile.template }}
+          secretName: {{ .Values.authenticatedEmailsFile.template }}
+{{- else }}
+          secretName: {{ template "oauth2-proxy.fullname" . }}-accesslist
+{{- end }}
+{{- end }}
+
+{{- if or .Values.config.existingConfig .Values.config.configFile }}
+      - configMap:
+          defaultMode: 420
+          name: {{ if .Values.config.existingConfig }}{{ .Values.config.existingConfig }}{{ else }}{{ template "oauth2-proxy.fullname" . }}{{ end }}
+        name: configmain
+{{- end }}
+{{- if .Values.alphaConfig.enabled }}
+      - configMap:
+          defaultMode: 420
+          name: {{ if .Values.alphaConfig.existingConfig }}{{ .Values.alphaConfig.existingConfig }}{{ else }}{{ template "oauth2-proxy.fullname" . }}-alpha{{ end }}
+        name: configalpha
+{{- end }}
+{{- if ne (len .Values.extraVolumes) 0 }}
+{{ toYaml .Values.extraVolumes | indent 6 }}
+{{- end }}
+{{- if and (.Values.authenticatedEmailsFile.enabled) (eq .Values.authenticatedEmailsFile.persistence "configmap") }}
+      - configMap:
+{{- if .Values.authenticatedEmailsFile.template }}
+          name: {{ .Values.authenticatedEmailsFile.template }}
+{{- else }}
+          name: {{ template "oauth2-proxy.fullname" . }}-accesslist
+{{- end }}
+          items:
+          - key: {{ default "restricted_user_access" .Values.authenticatedEmailsFile.restrictedUserAccessKey }}
+{{- if .Values.authenticatedEmailsFile.template }}
+            path: {{ .Values.authenticatedEmailsFile.template }}
+{{- else }}
+            path: authenticated-emails-list
+{{- end }}
+        name: configaccesslist
+{{- end }}
+
+      {{- if .Values.imagePullSecrets }}
+      imagePullSecrets:
+{{ toYaml .Values.imagePullSecrets | indent 8 }}
+      {{- end }}
+    {{- if .Values.affinity }}
+      affinity:
+{{ toYaml .Values.affinity | indent 8 }}
+    {{- end }}
+    {{- if .Values.nodeSelector }}
+      nodeSelector:
+{{ toYaml .Values.nodeSelector | indent 8 }}
+    {{- end }}
+      tolerations:
+{{ toYaml .Values.tolerations | indent 8 }}
+      {{- with .Values.topologySpreadConstraints }}
+      topologySpreadConstraints:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
diff --git a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/deprecation.yaml b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/deprecation.yaml
new file mode 100644
index 0000000..126d3e7
--- /dev/null
+++ b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/deprecation.yaml
@@ -0,0 +1,12 @@
+{{- if .Values.checkDeprecation }}
+    {{- if .Values.service.port }}
+        {{ fail "`service.port` does no longer exist. It has been renamed to `service.portNumber`" }}
+    {{- end }}
+    {{- if eq ( include "capabilities.ingress.apiVersion" . ) "networking.k8s.io/v1" -}}
+        {{- range .Values.ingress.extraPaths }}
+            {{- if or (.backend.serviceName) (.backend.servicePort) }}
+                {{ fail "Please update the format of your `ingress.extraPaths` to the new ingress apiVersion `networking.k8s.io/v1` format" }}
+            {{- end }}
+        {{- end }}
+    {{- end }}
+{{- end }}
diff --git a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/extra-manifests.yaml b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/extra-manifests.yaml
new file mode 100644
index 0000000..a9bb3b6
--- /dev/null
+++ b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/extra-manifests.yaml
@@ -0,0 +1,4 @@
+{{ range .Values.extraObjects }}
+---
+{{ tpl (toYaml .) $ }}
+{{ end }}
diff --git a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/google-secret.yaml b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/google-secret.yaml
new file mode 100644
index 0000000..5703273
--- /dev/null
+++ b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/google-secret.yaml
@@ -0,0 +1,12 @@
+{{- if and .Values.config.google (and (not .Values.config.google.existingSecret) (not .Values.config.google.useApplicationDefaultCredentials)) }}
+apiVersion: v1
+kind: Secret
+metadata:
+  labels:
+    app: {{ template "oauth2-proxy.name" . }}
+{{- include "oauth2-proxy.labels" . | indent 4 }}
+  name: {{ template "oauth2-proxy.fullname" . }}-google
+type: Opaque
+data:
+  service-account.json: {{ .Values.config.google.serviceAccountJson | b64enc | quote }}
+{{- end -}}
diff --git a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/ingress.yaml b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/ingress.yaml
new file mode 100644
index 0000000..73fd758
--- /dev/null
+++ b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/ingress.yaml
@@ -0,0 +1,40 @@
+{{- if .Values.ingress.enabled -}}
+{{- $serviceName := include "oauth2-proxy.fullname" . -}}
+{{- $servicePort := .Values.service.portNumber -}}
+{{- $ingressPath := .Values.ingress.path -}}
+{{- $ingressPathType := .Values.ingress.pathType -}}
+{{- $extraPaths := .Values.ingress.extraPaths -}}
+apiVersion: {{ include "capabilities.ingress.apiVersion" . }}
+kind: Ingress
+metadata:
+  labels:
+    app: {{ template "oauth2-proxy.name" . }}
+{{- include "oauth2-proxy.labels" . | indent 4 }}
+  name: {{ template "oauth2-proxy.fullname" . }}
+{{- with .Values.ingress.annotations }}
+  annotations:
+{{ toYaml . | indent 4 }}
+{{- end }}
+spec:
+  {{- if and .Values.ingress.className ( eq "true" ( include "ingress.supportsIngressClassName" . ) ) }}
+  ingressClassName: {{ .Values.ingress.className | quote }}
+  {{- end }}
+  rules:
+    {{- range $host := .Values.ingress.hosts }}
+    - host: {{ tpl $host $ | quote }}
+      http:
+        paths:
+{{- if $extraPaths }}
+{{ toYaml $extraPaths | indent 10 }}
+{{- end }}
+          - path: {{ $ingressPath }}
+            {{- if eq "true" ( include "ingress.supportsPathType" $ ) }}
+            pathType: {{ $ingressPathType }}
+            {{- end }}
+            backend: {{- include "ingress.backend" ( dict "serviceName" $serviceName "servicePort" $servicePort "context" $ )  | nindent 14 }}
+    {{- end -}}
+  {{- if .Values.ingress.tls }}
+  tls:
+{{ tpl (toYaml .Values.ingress.tls) $ | indent 4 }}
+  {{- end -}}
+{{- end -}}
diff --git a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/poddisruptionbudget.yaml b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/poddisruptionbudget.yaml
new file mode 100644
index 0000000..7cdbbbe
--- /dev/null
+++ b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/poddisruptionbudget.yaml
@@ -0,0 +1,14 @@
+{{- if and .Values.podDisruptionBudget.enabled (gt (.Values.replicaCount | int) 1) }}
+apiVersion: {{ include "capabilities.podDisruptionBudget.apiVersion" . }}
+kind: PodDisruptionBudget
+metadata:
+  labels:
+    app: {{ template "oauth2-proxy.name" . }}
+{{- include "oauth2-proxy.labels" . | indent 4 }}
+  name: {{ template "oauth2-proxy.fullname" . }}
+spec:
+  selector:
+    matchLabels:
+      {{- include "oauth2-proxy.selectorLabels" . | indent 6 }}
+  minAvailable: {{ .Values.podDisruptionBudget.minAvailable }}
+{{- end }}
diff --git a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/redis-secret.yaml b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/redis-secret.yaml
new file mode 100644
index 0000000..7a1555d
--- /dev/null
+++ b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/redis-secret.yaml
@@ -0,0 +1,22 @@
+{{- $name := include "oauth2-proxy.name" .  -}}
+{{- $fullName := include "oauth2-proxy.fullname" .  -}}
+{{- $labels := include "oauth2-proxy.labels" . -}}
+{{- with .Values.sessionStorage }}
+{{- if and (eq .type "redis") (not .redis.existingSecret) (or .redis.password .redis.sentinel.password) }}
+apiVersion: v1
+kind: Secret
+metadata:
+  labels:
+    app: {{ $name }}
+    {{- $labels | indent 4 }}
+  name: {{ $fullName }}-redis-access
+type: Opaque
+data:
+  {{- if and .redis.password (not .redis.existingSecret) }}
+  {{ .redis.passwordKey }}: {{ .redis.password | b64enc | quote }}
+  {{- end }}
+  {{- if and .redis.sentinel.password (not .redis.sentinel.existingSecret) (ne .redis.sentinel.passwordKey .redis.passwordKey) }}
+  {{ .redis.sentinel.passwordKey }}: {{ .redis.sentinel.password | b64enc | quote }}
+  {{- end }}
+{{- end }}
+{{- end }}
diff --git a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/secret-authenticated-emails-file.yaml b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/secret-authenticated-emails-file.yaml
new file mode 100644
index 0000000..ce79db1
--- /dev/null
+++ b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/secret-authenticated-emails-file.yaml
@@ -0,0 +1,18 @@
+{{- if .Values.authenticatedEmailsFile.enabled }}
+{{- if and (.Values.authenticatedEmailsFile.restricted_access) (eq .Values.authenticatedEmailsFile.persistence "secret")  }}
+apiVersion: v1
+kind: Secret
+type: Opaque
+metadata:
+  labels:
+    app: {{ template "oauth2-proxy.name" . }}
+{{- include "oauth2-proxy.labels" . | indent 4 }}
+{{- if .Values.authenticatedEmailsFile.annotations }}
+  annotations:
+{{ toYaml .Values.authenticatedEmailsFile.annotations | indent 4 }}
+{{- end }}
+  name: {{ template "oauth2-proxy.fullname" . }}-accesslist
+data:
+  {{ default "restricted_user_access" .Values.authenticatedEmailsFile.restrictedUserAccessKey }}: {{ .Values.authenticatedEmailsFile.restricted_access | b64enc }}
+{{- end }}
+{{- end }}
diff --git a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/secret-htpasswd-file.yaml b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/secret-htpasswd-file.yaml
new file mode 100644
index 0000000..44fe67e
--- /dev/null
+++ b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/secret-htpasswd-file.yaml
@@ -0,0 +1,15 @@
+{{- if and .Values.htpasswdFile.enabled (not .Values.htpasswdFile.existingSecret) }}
+apiVersion: v1
+kind: Secret
+metadata:
+  labels:
+    app: {{ template "oauth2-proxy.name" . }}
+{{- include "oauth2-proxy.labels" . | indent 4 }}
+  name: {{ template "oauth2-proxy.fullname" . }}-htpasswd-file
+type: Opaque
+stringData:
+  users.txt: |-
+    {{- range $entries := .Values.htpasswdFile.entries }}
+    {{ $entries }}
+    {{- end -}}
+{{- end }}
\ No newline at end of file
diff --git a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/secret.yaml b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/secret.yaml
new file mode 100644
index 0000000..c9b3791
--- /dev/null
+++ b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/secret.yaml
@@ -0,0 +1,18 @@
+{{- if and (not .Values.config.existingSecret) (.Values.proxyVarsAsSecrets) }}
+apiVersion: v1
+kind: Secret
+metadata:
+{{- if .Values.config.annotations }}
+  annotations:
+{{ toYaml .Values.config.annotations | indent 4 }}
+{{- end }}
+  labels:
+    app: {{ template "oauth2-proxy.name" . }}
+{{- include "oauth2-proxy.labels" . | indent 4 }}
+  name: {{ template "oauth2-proxy.fullname" . }}
+type: Opaque
+data:
+  cookie-secret: {{ tpl .Values.config.cookieSecret $ | b64enc | quote }}
+  client-secret: {{ tpl .Values.config.clientSecret $ | b64enc | quote }}
+  client-id: {{ tpl .Values.config.clientID $ | b64enc | quote }}
+{{- end -}}
diff --git a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/service.yaml b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/service.yaml
new file mode 100644
index 0000000..d9563ac
--- /dev/null
+++ b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/service.yaml
@@ -0,0 +1,54 @@
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app: {{ template "oauth2-proxy.name" . }}
+{{- include "oauth2-proxy.labels" . | indent 4 }}
+  name: {{ template "oauth2-proxy.fullname" . }}
+{{- if .Values.service.annotations }}
+  annotations:
+{{ toYaml .Values.service.annotations | indent 4 }}
+{{- end }}
+spec:
+{{- if (or (eq .Values.service.type "ClusterIP") (empty .Values.service.type)) }}
+  type: ClusterIP
+  {{- if .Values.service.clusterIP }}
+  clusterIP: {{ .Values.service.clusterIP }}
+  {{end}}
+{{- else if eq .Values.service.type "LoadBalancer" }}
+  type: {{ .Values.service.type }}
+  {{- if .Values.service.loadBalancerIP }}
+  loadBalancerIP: {{ .Values.service.loadBalancerIP }}
+  {{- end }}
+  {{- if .Values.service.loadBalancerSourceRanges }}
+  loadBalancerSourceRanges:
+{{ toYaml .Values.service.loadBalancerSourceRanges | indent 4 }}
+  {{- end -}}
+{{- else }}
+  type: {{ .Values.service.type }}
+{{- end }}
+  ports:
+    - port: {{ .Values.service.portNumber }}
+      targetPort: {{ .Values.httpScheme }}
+      {{- if (and (eq .Values.service.type "NodePort") (not (empty .Values.service.nodePort))) }}
+      nodePort: {{ .Values.service.nodePort }}
+      {{- end }}
+      protocol: TCP
+      {{- with .Values.service.appProtocol }}
+      appProtocol: {{ . }}
+      {{- end }}
+      name: {{ .Values.httpScheme }}
+    {{- if and .Values.metrics.enabled .Values.metrics.port }}
+    - port: {{ .Values.metrics.port }}
+      protocol: TCP
+      {{- with .Values.metrics.service.appProtocol }}
+      appProtocol: {{ . }}
+      {{- end }}
+      targetPort: metrics
+      {{- if (and (eq .Values.service.type "NodePort") (not (empty .Values.metrics.nodePort))) }}
+      nodePort: {{ .Values.metrics.nodePort }}
+      {{- end }}
+      name: metrics
+    {{- end }}
+  selector:
+    {{- include "oauth2-proxy.selectorLabels" . | indent 4 }}
diff --git a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/serviceaccount.yaml b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/serviceaccount.yaml
new file mode 100644
index 0000000..6d0a9d7
--- /dev/null
+++ b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/serviceaccount.yaml
@@ -0,0 +1,14 @@
+{{- if or .Values.serviceAccount.enabled -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  {{- with .Values.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  labels:
+    app: {{ template "oauth2-proxy.name" . }}
+{{- include "oauth2-proxy.labels" . | indent 4 }}
+  name: {{ template "oauth2-proxy.serviceAccountName" . }}
+automountServiceAccountToken : {{ .Values.serviceAccount.automountServiceAccountToken }}
+{{- end -}}
diff --git a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/servicemonitor.yaml b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/servicemonitor.yaml
new file mode 100644
index 0000000..9c29d1b
--- /dev/null
+++ b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/servicemonitor.yaml
@@ -0,0 +1,31 @@
+{{- if and .Values.metrics.enabled .Values.metrics.servicemonitor.enabled }}
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: {{ template "oauth2-proxy.fullname" . }}
+{{- if .Values.metrics.servicemonitor.namespace }}
+  namespace: {{ .Values.metrics.servicemonitor.namespace }}
+{{- else }}
+  namespace: {{ .Release.Namespace | quote }}
+{{- end }}
+  labels:
+    prometheus: {{ .Values.metrics.servicemonitor.prometheusInstance }}
+    app: {{ template "oauth2-proxy.name" . }}
+{{- include "oauth2-proxy.labels" . | indent 4 }}
+{{- if .Values.metrics.servicemonitor.labels }}
+{{ toYaml .Values.metrics.servicemonitor.labels | indent 4}}
+{{- end }}
+spec:
+  jobLabel: {{ template "oauth2-proxy.fullname" . }}
+  selector:
+    matchLabels:
+      {{- include "oauth2-proxy.selectorLabels" . | indent 6 }}
+  namespaceSelector:
+    matchNames:
+      - {{ .Release.Namespace }}
+  endpoints:
+  - port: metrics
+    path: "/metrics"
+    interval: {{ .Values.metrics.servicemonitor.interval }}
+    scrapeTimeout: {{ .Values.metrics.servicemonitor.scrapeTimeout }}
+{{- end }}
diff --git a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/values.yaml b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/values.yaml
new file mode 100644
index 0000000..7e5f939
--- /dev/null
+++ b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/values.yaml
@@ -0,0 +1,364 @@
+global:
+  quayRepository: quay.io
+
+# Force the target Kubernetes version (it uses Helm `.Capabilities` if not set).
+# This is especially useful for `helm template` as capabilities are always empty
+# due to the fact that it doesn't query an actual cluster
+kubeVersion:
+
+# Oauth client configuration specifics
+config:
+  # Add config annotations
+  annotations: {}
+  # OAuth client ID
+  clientID: "XXXXXXX"
+  # OAuth client secret
+  clientSecret: "XXXXXXXX"
+  # Create a new secret with the following command
+  # openssl rand -base64 32 | head -c 32 | base64
+  # Use an existing secret for OAuth2 credentials (see secret.yaml for required fields)
+  # Example:
+  # existingSecret: secret
+  cookieSecret: "XXXXXXXXXXXXXXXX"
+  # The name of the cookie that oauth2-proxy will create
+  # If left empty, it will default to the release name
+  cookieName: ""
+  google: {}
+    # adminEmail: xxxx
+    # useApplicationDefaultCredentials: true
+    # targetPrincipal: xxxx
+    # serviceAccountJson: xxxx
+    # Alternatively, use an existing secret (see google-secret.yaml for required fields)
+    # Example:
+    # existingSecret: google-secret
+    # groups: []
+    # Example:
+    #  - group1@example.com
+    #  - group2@example.com
+  # Default configuration, to be overridden
+  configFile: |-
+    email_domains = [ "*" ]
+    upstreams = [ "file:///dev/null" ]
+  # Custom configuration file: oauth2_proxy.cfg
+  # configFile: |-
+  #   pass_basic_auth = false
+  #   pass_access_token = true
+  # Use an existing config map (see configmap.yaml for required fields)
+  # Example:
+  # existingConfig: config
+
+alphaConfig:
+  enabled: false
+  # Add config annotations
+  annotations: {}
+  # Arbitrary configuration data to append to the server section
+  serverConfigData: {}
+  # Arbitrary configuration data to append to the metrics section
+  metricsConfigData: {}
+  # Arbitrary configuration data to append
+  configData: {}
+  # Use an existing config map (see configmap-alpha.yaml for required fields)
+  existingConfig: ~
+
+image:
+  #repository: "quay.io/oauth2-proxy/oauth2-proxy"
+  repository: "oauth2-proxy/oauth2-proxy"
+  # appVersion is used by default
+  tag: ""
+  pullPolicy: "IfNotPresent"
+
+# Optionally specify an array of imagePullSecrets.
+# Secrets must be manually created in the namespace.
+# ref: https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod
+# imagePullSecrets:
+  # - name: myRegistryKeySecretName
+
+# Set a custom containerPort if required.
+# This will default to 4180 if this value is not set and the httpScheme set to http
+# This will default to 4443 if this value is not set and the httpScheme set to https
+# containerPort: 4180
+
+extraArgs: {}
+extraEnv: []
+
+# -- Custom labels to add into metadata
+customLabels: {}
+
+# To authorize individual email addresses
+# That is part of extraArgs but since this needs special treatment we need to do a separate section
+authenticatedEmailsFile:
+  enabled: false
+  # Defines how the email addresses file will be projected, via a configmap or secret
+  persistence: configmap
+  # template is the name of the configmap what contains the email user list but has been configured without this chart.
+  # It's a simpler way to maintain only one configmap (user list) instead changing it for each oauth2-proxy service.
+  # Be aware the value name in the extern config map in data needs to be named to "restricted_user_access" or to the
+  # provided value in restrictedUserAccessKey field.
+  template: ""
+  # The configmap/secret key under which the list of email access is stored
+  # Defaults to "restricted_user_access" if not filled-in, but can be overridden to allow flexibility
+  restrictedUserAccessKey: ""
+  # One email per line
+  # example:
+  # restricted_access: |-
+  #   name1@domain
+  #   name2@domain
+  # If you override the config with restricted_access it will configure a user list within this chart what takes care of the
+  # config map resource.
+  restricted_access: ""
+  annotations: {}
+  # helm.sh/resource-policy: keep
+
+service:
+  type: ClusterIP
+  # when service.type is ClusterIP ...
+  # clusterIP: 192.0.2.20
+  # when service.type is LoadBalancer ...
+  # loadBalancerIP: 198.51.100.40
+  # loadBalancerSourceRanges: 203.0.113.0/24
+  # when service.type is NodePort ...
+  # nodePort: 80
+  portNumber: 80
+  # Protocol set on the service
+  appProtocol: http
+  annotations: {}
+  # foo.io/bar: "true"
+
+## Create or use ServiceAccount
+serviceAccount:
+  ## Specifies whether a ServiceAccount should be created
+  enabled: true
+  ## The name of the ServiceAccount to use.
+  ## If not set and create is true, a name is generated using the fullname template
+  name:
+  automountServiceAccountToken: true
+  annotations: {}
+
+ingress:
+  enabled: false
+  # className: nginx
+  path: /
+  # Only used if API capabilities (networking.k8s.io/v1) allow it
+  pathType: ImplementationSpecific
+  # Used to create an Ingress record.
+  # hosts:
+    # - chart-example.local
+  # Extra paths to prepend to every host configuration. This is useful when working with annotation based services.
+  # Warning! The configuration is dependant on your current k8s API version capabilities (networking.k8s.io/v1)
+  # extraPaths:
+  # - path: /*
+  #   pathType: ImplementationSpecific
+  #   backend:
+  #     service:
+  #       name: ssl-redirect
+  #       port:
+  #         name: use-annotation
+  # annotations:
+  #   kubernetes.io/ingress.class: nginx
+  #   kubernetes.io/tls-acme: "true"
+  # tls:
+    # Secrets must be manually created in the namespace.
+    # - secretName: chart-example-tls
+    #   hosts:
+    #     - chart-example.local
+
+resources: {}
+  # limits:
+  #   cpu: 100m
+  #   memory: 300Mi
+  # requests:
+  #   cpu: 100m
+  #   memory: 300Mi
+
+extraVolumes: []
+  # - name: ca-bundle-cert
+  #   secret:
+  #     secretName: <secret-name>
+
+extraVolumeMounts: []
+  # - mountPath: /etc/ssl/certs/
+  #   name: ca-bundle-cert
+
+# Additional containers to be added to the pod.
+extraContainers: []
+  #  - name: my-sidecar
+  #    image: nginx:latest
+
+priorityClassName: ""
+
+# Host aliases, useful when working "on premise" where (public) DNS resolver does not know about my hosts.
+hostAlias:
+  enabled: false
+  # ip: "10.xxx.xxx.xxx"
+  # hostname: "auth.example.com"
+
+# [TopologySpreadConstraints](https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/) configuration.
+# Ref: https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling
+# topologySpreadConstraints: []
+
+# Affinity for pod assignment
+# Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
+# affinity: {}
+
+# Tolerations for pod assignment
+# Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
+tolerations: []
+
+# Node labels for pod assignment
+# Ref: https://kubernetes.io/docs/user-guide/node-selection/
+nodeSelector: {}
+
+# Whether to use secrets instead of environment values for setting up OAUTH2_PROXY variables
+proxyVarsAsSecrets: true
+
+# Configure Kubernetes liveness and readiness probes.
+# Ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/
+# Disable both when deploying with Istio 1.0 mTLS. https://istio.io/help/faq/security/#k8s-health-checks
+livenessProbe:
+  enabled: true
+  initialDelaySeconds: 0
+  timeoutSeconds: 1
+
+readinessProbe:
+  enabled: true
+  initialDelaySeconds: 0
+  timeoutSeconds: 5
+  periodSeconds: 10
+  successThreshold: 1
+
+# Configure Kubernetes security context for container
+# Ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+securityContext:
+  enabled: false
+  runAsNonRoot: true
+  # allowPrivilegeEscalation: false
+  # runAsUser: 2000
+
+deploymentAnnotations: {}
+podAnnotations: {}
+podLabels: {}
+replicaCount: 1
+revisionHistoryLimit: 10
+
+## PodDisruptionBudget settings
+## ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/
+podDisruptionBudget:
+  enabled: true
+  minAvailable: 1
+
+# Configure Kubernetes security context for pod
+# Ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+podSecurityContext: {}
+
+# whether to use http or https
+httpScheme: http
+
+# Additionally authenticate against a htpasswd file. Entries must be created with "htpasswd -B" for bcrypt encryption.
+# Alternatively supply an existing secret which contains the required information.
+htpasswdFile:
+  enabled: false
+  existingSecret: ""
+  entries: {}
+  # One row for each user
+  # example:
+  # entries:
+  #  - testuser:$2y$05$gY6dgXqjuzFhwdhsiFe7seM9q9Tile4Y3E.CBpAZJffkeiLaC21Gy
+
+# Configure the session storage type, between cookie and redis
+sessionStorage:
+  # Can be one of the supported session storage cookie|redis
+  type: cookie
+  redis:
+    # Name of the Kubernetes secret containing the redis & redis sentinel password values (see also `sessionStorage.redis.passwordKey`)
+    existingSecret: ""
+    # Redis password value. Applicable for all Redis configurations. Taken from redis subchart secret if not set. `sessionStorage.redis.existingSecret` takes precedence
+    password: ""
+    # Key of the Kubernetes secret data containing the redis password value
+    passwordKey: "redis-password"
+    # Can be one of standalone|cluster|sentinel
+    clientType: "standalone"
+    standalone:
+      # URL of redis standalone server for redis session storage (e.g. `redis://HOST[:PORT]`). Automatically generated if not set
+      connectionUrl: ""
+    cluster:
+      # List of Redis cluster connection URLs (e.g. `["redis://127.0.0.1:8000", "redis://127.0.0.1:8000"]`)
+      connectionUrls: []
+    sentinel:
+      # Name of the Kubernetes secret containing the redis sentinel password value (see also `sessionStorage.redis.sentinel.passwordKey`). Default: `sessionStorage.redis.existingSecret`
+      existingSecret: ""
+      # Redis sentinel password. Used only for sentinel connection; any redis node passwords need to use `sessionStorage.redis.password`
+      password: ""
+      # Key of the Kubernetes secret data containing the redis sentinel password value
+      passwordKey: "redis-sentinel-password"
+      # Redis sentinel master name
+      masterName: ""
+      # List of Redis sentinel connection URLs (e.g. `["redis://127.0.0.1:8000", "redis://127.0.0.1:8000"]`)
+      connectionUrls: []
+
+# Enables and configure the automatic deployment of the redis subchart
+redis:
+  # provision an instance of the redis sub-chart
+  enabled: false
+  # Redis specific helm chart settings, please see:
+  # https://github.com/bitnami/charts/tree/master/bitnami/redis#parameters
+  # redisPort: 6379
+  # cluster:
+  #   enabled: false
+  #   slaveCount: 1
+
+# Enables apiVersion deprecation checks
+checkDeprecation: true
+
+metrics:
+  # Enable Prometheus metrics endpoint
+  enabled: true
+  # Serve Prometheus metrics on this port
+  port: 44180
+  # when service.type is NodePort ...
+  # nodePort: 44180
+  # Protocol set on the service for the metrics port
+  service:
+    appProtocol: http
+  servicemonitor:
+    # Enable Prometheus Operator ServiceMonitor
+    enabled: false
+    # Define the namespace where to deploy the ServiceMonitor resource
+    namespace: ""
+    # Prometheus Instance definition
+    prometheusInstance: default
+    # Prometheus scrape interval
+    interval: 60s
+    # Prometheus scrape timeout
+    scrapeTimeout: 30s
+    # Add custom labels to the ServiceMonitor resource
+    labels: {}
+
+# Extra K8s manifests to deploy
+extraObjects: []
+  # - apiVersion: secrets-store.csi.x-k8s.io/v1
+  #   kind: SecretProviderClass
+  #   metadata:
+  #     name: oauth2-proxy-secrets-store
+  #   spec:
+  #     provider: aws
+  #     parameters:
+  #       objects: |
+  #         - objectName: "oauth2-proxy"
+  #           objectType: "secretsmanager"
+  #           jmesPath:
+  #               - path: "client_id"
+  #                 objectAlias: "client-id"
+  #               - path: "client_secret"
+  #                 objectAlias: "client-secret"
+  #               - path: "cookie_secret"
+  #                 objectAlias: "cookie-secret"
+  #     secretObjects:
+  #     - data:
+  #       - key: client-id
+  #         objectName: client-id
+  #         - key: client-secret
+  #           objectName: client-secret
+  #         - key: cookie-secret
+  #         objectName: cookie-secret
+  #       secretName: oauth2-proxy-secrets-store
+  #       type: Opaque
diff --git a/kubernetes/platform/components/oauth2-proxy/values.yaml b/kubernetes/platform/components/oauth2-proxy/values.yaml
new file mode 100644
index 0000000..81a9986
--- /dev/null
+++ b/kubernetes/platform/components/oauth2-proxy/values.yaml
@@ -0,0 +1,74 @@
+onap-oauth2-proxy:
+  # Oauth client configuration specifics
+  config:
+    cookieSecret: "CbgXFXDJ16laaCfChtFBpKy1trNEmJZDIjaiaIMLyRA="
+    configFile: |-
+      email_domains = [ "*" ]        # Restrict to these E-Mail Domains, a wildcard "*" allows any email
+
+  alphaConfig:
+    enabled: true
+    configData:
+      providers:
+      - clientID: "oauth2-proxy"
+        clientSecret: "5YSOkJz99WHv8enDZPknzJuGqVSerELp"
+        id: oidc-istio
+        provider: oidc   # We use the generic 'oidc' provider
+        loginURL: https://keycloak-ui.simpledemo.onap.org/auth/realms/ONAP/protocol/openid-connect/auth
+        #redeemURL: https://keycloak-ui.simpledemo.onap.org/auth/realms/ONAP/protocol/openid-connect/token
+        redeemURL: http://keycloak-http.keycloak/auth/realms/ONAP/protocol/openid-connect/token
+        profileURL: https://keycloak-ui.simpledemo.onap.org/auth/realms/ONAP/protocol/openid-connect/userinfo
+        validateURL: https://keycloak-ui.simpledemo.onap.org/auth/realms/ONAP/protocol/openid-connect/userinfo
+        scope: "openid email profile groups"
+        #allowedGroups:
+        # - admins # List all groups managed at our your IdP which should be allowed access
+        # - infrateam
+        # - anothergroup
+        oidcConfig:
+          emailClaim: email  # Name of the clain in JWT containing the E-Mail
+          groupsClaim: groups # Name of the claim in JWT containing the Groups
+          userIDClaim: email  # Name of the claim in JWT containing the User ID
+          audienceClaims: ["aud"]
+          insecureAllowUnverifiedEmail: true
+          insecureSkipIssuerVerification: true
+          skipDiscovery: true # You can try using the well-knwon endpoint directly for auto discovery, here we won't use it
+          issuerURL: https://keycloak-ui.simpledemo.onap.org/auth/realms/ONAP
+          jwksURL: http://keycloak-http.keycloak/auth/realms/ONAP/protocol/openid-connect/certs
+      upstreamConfig:
+        upstreams:
+          - id: static_200
+            path: /
+            static: true
+            staticCode: 200
+      # Headers that should be added to responses from the proxy
+      injectResponseHeaders: # Send this headers in responses from oauth2-proxy
+        - name: X-Auth-Request-Preferred-Username
+          values:
+            - claim: preferred_username
+        - name: X-Auth-Request-Email
+          values:
+            - claim: email
+
+  extraArgs:
+    cookie-secure: "false"
+    cookie-domain: ".simpledemo.onap.org"    # Replace with your base domain
+    cookie-samesite: lax
+    cookie-expire: 12h               # How long our Cookie is valid
+    auth-logging: true               # Enable / Disable auth logs
+    request-logging: true            # Enable / Disable request logs
+    standard-logging: true           # Enable / Disable the standart logs
+    show-debug-on-error: true        # Disable in production setups
+    skip-provider-button: true       # We only have one provider configured (Keycloak)
+    silence-ping-logging: true       # Keeps our logs clean
+    whitelist-domain: ".simpledemo.onap.org" # Replace with your base domain
+
+  # Enables and configure the automatic deployment of the redis subchart
+  redis:
+    # provision an instance of the redis sub-chart
+    enabled: false
+
+
+serviceAccount:
+  nameOverride: oauth2-proxy
+  roles:
+    - read
+
diff --git a/kubernetes/platform/values.yaml b/kubernetes/platform/values.yaml
index af760ea..5cc7612 100644
--- a/kubernetes/platform/values.yaml
+++ b/kubernetes/platform/values.yaml
@@ -41,6 +41,8 @@
   enabled: true
 keycloak-init:
   enabled: false
+oauth2-proxy:
+  enabled: false
 
 flavor: small
 # default number of instances
diff --git a/kubernetes/policy/components/policy-gui/values.yaml b/kubernetes/policy/components/policy-gui/values.yaml
index 8b41911..5e48e99 100644
--- a/kubernetes/policy/components/policy-gui/values.yaml
+++ b/kubernetes/policy/components/policy-gui/values.yaml
@@ -84,7 +84,7 @@
   enabled: false
   service:
     - baseaddr: "policy-ui"
-      name: "policygui"
+      name: "policy-gui"
       port: 2443
   config:
     ssl: "redirect"
diff --git a/kubernetes/sdnc/resources/config/conf/mountpoint-registrar.properties b/kubernetes/sdnc/resources/config/conf/mountpoint-registrar.properties
index 51cb9be..71a9f78 100644
--- a/kubernetes/sdnc/resources/config/conf/mountpoint-registrar.properties
+++ b/kubernetes/sdnc/resources/config/conf/mountpoint-registrar.properties
@@ -1,6 +1,6 @@
 [general]
 dmaapEnabled={{.Values.config.sdnr.mountpointRegistrarEnabled | default "false"}}
-baseUrl=http://localhost:{{.Values.service.internalPort}}
+baseUrl=http://{{.Values.service.name}}.{{.Release.Namespace}}:{{.Values.service.internalPort}}
 sdnrUser=${ODL_ADMIN_USERNAME}
 sdnrPasswd=${ODL_ADMIN_PASSWORD}
 
@@ -37,3 +37,22 @@
 group=myG
 id=C1
 limit=10000
+
+[provisioning]
+username=${DMAAP_CM_TOPIC_USERNAME}
+password=${DMAAP_CM_TOPIC_PASSWORD}
+topic=unauthenticated.SEC_3GPP_PROVISIONING_OUTPUT
+TransportType=HTTPNOAUTH
+Protocol=http
+host=message-router.{{.Release.Namespace}}:{{.Values.config.dmaapPort | default "3904"}}
+contenttype=application/json
+group=myG
+id=C1
+timeout=20000
+limit=10000
+fetchPause=5000
+jersey.config.client.readTimeout=25000
+jersey.config.client.connectTimeout=25000
+jersey.config.client.proxy.username=${HTTP_PROXY_USERNAME}
+jersey.config.client.proxy.password=${HTTP_PROXY_PASSWORD}
+jersey.config.client.proxy.uri=${HTTP_PROXY_URI}
\ No newline at end of file
diff --git a/kubernetes/sdnc/values.yaml b/kubernetes/sdnc/values.yaml
index 36cde48..f02bc0b 100644
--- a/kubernetes/sdnc/values.yaml
+++ b/kubernetes/sdnc/values.yaml
@@ -470,10 +470,7 @@
     service:
       - baseaddr: "sdnc-dgbuilder-ui"
         name: "sdnc-dgbuilder"
-        port: 3000
-      - baseaddr: "sdnc-web-service-api"
-        name: "sdnc-web-service"
-        port: 8080
+        port: 3100
     config:
       ssl: "redirect"
 
@@ -581,7 +578,7 @@
     name: "sdnc"
     port: 8282
   - baseaddr: "sdnc-callhome"
-    name: "onap-sdnc-callhome"
+    name: "sdnc-callhome"
     port: *chport
     protocol: tcp
     exposedPort: *chport