helm kubernetes example based on kind cluster

contrib/helm/.gitignore

@@ -0,0 +1 @@
+charts/

contrib/helm/Chart.lock

@@ -0,0 +1,15 @@
+dependencies:
+- name: dex
+  repository: https://kubernetes-charts.storage.googleapis.com
+  version: 2.11.0
+- name: oauth2-proxy
+  repository: https://kubernetes-charts.storage.googleapis.com
+  version: 3.1.0
+- name: httpbin
+  repository: file://./httpbin
+  version: 0.6.1
+- name: hello-world
+  repository: file://./hello-world
+  version: 0.0.1
+digest: sha256:b5fe4db7a523b28321708a12ae0d2608ea32836b322ae7941c820b626a180af2
+generated: "2020-06-12T13:10:21.718689-05:00"

contrib/helm/Chart.yaml

@@ -0,0 +1,20 @@
+apiVersion: v2
+description: K8S example based on https://kind.sigs.k8s.io and https://helm.sh.
+name: helm
+version: 5.1.1
+appVersion: 5.1.1
+# helm search repo -l stable/nginx-ingress | head -n 5
+dependencies:
+  - name: dex
+    version: 2.11.0
+    repository: https://kubernetes-charts.storage.googleapis.com
+  - name: oauth2-proxy
+    version: 3.1.0
+    repository: https://kubernetes-charts.storage.googleapis.com
+  # https://github.com/postmanlabs/httpbin/issues/549 is still in progress, for now creating our own chart
+  - name: httpbin
+    version: 0.6.1
+    repository: file://./httpbin
+  - name: hello-world
+    version: 0.0.1
+    repository: file://./hello-world

contrib/helm/Makefile

@@ -0,0 +1,44 @@
+# create kind cluster with nginx-ingress as the most popular ingress controller for K8S
+.PHONY: deploy
+create-cluster:
+	kind create cluster --name oauth2-proxy --config kind-cluster.yaml
+	make setup-dns
+	make setup-ingress
+
+.PHONY: setup-ingress
+setup-ingress:
+	kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/static/provider/kind/deploy.yaml
+	sleep 5 # because of https://github.com/kubernetes/kubernetes/issues/83242
+	kubectl --namespace ingress-nginx wait --for=condition=available --timeout=30s deployment/ingress-nginx-controller
+	kubectl --namespace ingress-nginx rollout status --timeout 90s deployment/ingress-nginx-controller
+
+# default Pod CIDR is 10.244.0.0/16 https://github.com/kubernetes-sigs/kind/blob/master/pkg/apis/config/v1alpha4/default.go
+# what makes cluster host IP equal to 10.244.0.1
+# thus we add dex.localtest.me and oauth2-proxy.localtest.me stub hosts pointing to this IP
+# NOT NEEDED IN REAL LIFE!
+.PHONY: setup-dns
+setup-dns:
+	kubectl apply -f custom-dns.yaml
+	kubectl -n kube-system rollout restart deployment/coredns
+	kubectl -n kube-system rollout status --timeout 60s deployment/coredns
+
+.PHONY: undeploy
+delete-cluster:
+	kind delete cluster --name oauth2-proxy
+
+.PHONY: helm-init
+helm-init:
+	helm dep update
+
+.PHONY: undeploy
+deploy: helm-init
+	helm upgrade --wait --debug --install --render-subchart-notes oauth2-proxy-example .
+
+.PHONY: undeploy
+undeploy:
+	helm del oauth2-proxy-example
+
+# unpacking is useful to be able to explore underlying helm charts
+.PHONY: helm-unpack
+helm-unpack:
+	cd charts; for f in *.tgz; do tar -zxf "$$f"; done

contrib/helm/README.md

@@ -0,0 +1,23 @@
+# Kubernetes example
+Based on [kind](https://kind.sigs.k8s.io) as a local Kubernetes cluster and the package manager [helm](https://helm.sh).
+
+
+## Quick start
+
+Before you start: 
+
+_Required_
+* install [kind](https://kind.sigs.k8s.io/docs/user/quick-start/#installation)
+* install [helm 3](https://helm.sh/docs/intro/quickstart/#install-helm).
+* install [kubectl](https://kubernetes.io/docs/tasks/tools/install-kubectl/)
+
+Then: 
+
+* `make create-cluster`
+* `make deploy`
+
+Visit http://httpbin.localtest.me or http://hello-world.localtest.me/
+
+## Uninstall
+
+* `make delete-cluster`

contrib/helm/custom-dns.yaml

@@ -0,0 +1,30 @@
+apiVersion: v1
+data:
+  Corefile: |
+    .:53 {
+        errors
+        health {
+           lameduck 5s
+        }
+        ready
+        kubernetes cluster.local in-addr.arpa ip6.arpa {
+           pods insecure
+           fallthrough in-addr.arpa ip6.arpa
+           ttl 30
+        }
+        prometheus :9153
+        forward . /etc/resolv.conf
+        cache 30
+        loop
+        reload
+        loadbalance
+        hosts {
+            10.244.0.1 dex.localtest.me
+            10.244.0.1 oauth2-proxy.localtest.me
+            fallthrough
+        }
+    }
+kind: ConfigMap
+metadata:
+  name: coredns
+  namespace: kube-system

contrib/helm/hello-world/Chart.yaml

@@ -0,0 +1,23 @@
+apiVersion: v2
+name: hello-world
+description: A Helm chart for Kubernetes
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.0.1
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+appVersion: 0.0.1

contrib/helm/hello-world/templates/_helpers.tpl

@@ -0,0 +1,63 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "helloWorld.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "helloWorld.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "helloWorld.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "helloWorld.labels" -}}
+helm.sh/chart: {{ include "helloWorld.chart" . }}
+{{ include "helloWorld.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "helloWorld.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "helloWorld.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "helloWorld.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "helloWorld.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}

contrib/helm/hello-world/templates/deployment.yaml

@@ -0,0 +1,61 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "helloWorld.fullname" . }}
+  labels:
+    {{- include "helloWorld.labels" . | nindent 4 }}
+spec:
+{{- if not .Values.autoscaling.enabled }}
+  replicas: {{ .Values.replicaCount }}
+{{- end }}
+  selector:
+    matchLabels:
+      {{- include "helloWorld.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+    {{- with .Values.podAnnotations }}
+      annotations:
+        {{- toYaml . | nindent 8 }}
+    {{- end }}
+      labels:
+        {{- include "helloWorld.selectorLabels" . | nindent 8 }}
+    spec:
+      {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      serviceAccountName: {{ include "helloWorld.serviceAccountName" . }}
+      securityContext:
+        {{- toYaml .Values.podSecurityContext | nindent 8 }}
+      containers:
+        - name: {{ .Chart.Name }}
+          securityContext:
+            {{- toYaml .Values.securityContext | nindent 12 }}
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          ports:
+            - name: http
+              containerPort: 80
+              protocol: TCP
+          livenessProbe:
+            httpGet:
+              path: /
+              port: http
+          readinessProbe:
+            httpGet:
+              path: /
+              port: http
+          resources:
+            {{- toYaml .Values.resources | nindent 12 }}
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}

contrib/helm/hello-world/templates/ingress.yaml

@@ -0,0 +1,41 @@
+{{- if .Values.ingress.enabled -}}
+{{- $fullName := include "helloWorld.fullname" . -}}
+{{- $svcPort := .Values.service.port -}}
+{{- if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}}
+apiVersion: networking.k8s.io/v1beta1
+{{- else -}}
+apiVersion: extensions/v1beta1
+{{- end }}
+kind: Ingress
+metadata:
+  name: {{ $fullName }}
+  labels:
+    {{- include "helloWorld.labels" . | nindent 4 }}
+  {{- with .Values.ingress.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  {{- if .Values.ingress.tls }}
+  tls:
+    {{- range .Values.ingress.tls }}
+    - hosts:
+        {{- range .hosts }}
+        - {{ . | quote }}
+        {{- end }}
+      secretName: {{ .secretName }}
+    {{- end }}
+  {{- end }}
+  rules:
+    {{- range .Values.ingress.hosts }}
+    - host: {{ .host | quote }}
+      http:
+        paths:
+          {{- range .paths }}
+          - path: {{ . }}
+            backend:
+              serviceName: {{ $fullName }}
+              servicePort: {{ $svcPort }}
+          {{- end }}
+    {{- end }}
+  {{- end }}

contrib/helm/hello-world/templates/service.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "helloWorld.fullname" . }}
+  labels:
+    {{- include "helloWorld.labels" . | nindent 4 }}
+spec:
+  type: {{ .Values.service.type }}
+  ports:
+    - port: {{ .Values.service.port }}
+      targetPort: http
+      protocol: TCP
+      name: http
+  selector:
+    {{- include "helloWorld.selectorLabels" . | nindent 4 }}

contrib/helm/hello-world/templates/serviceaccount.yaml

@@ -0,0 +1,12 @@
+{{- if .Values.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "helloWorld.serviceAccountName" . }}
+  labels:
+    {{- include "helloWorld.labels" . | nindent 4 }}
+  {{- with .Values.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- end }}

contrib/helm/hello-world/values.yaml

@@ -0,0 +1,79 @@
+# Default values for helloWorld.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+replicaCount: 1
+
+image:
+  repository: tutum/hello-world
+  pullPolicy: IfNotPresent
+  # Overrides the image tag whose default is the chart version.
+  tag: latest
+
+imagePullSecrets: []
+nameOverride: ""
+fullnameOverride: ""
+
+serviceAccount:
+  # Specifies whether a service account should be created
+  create: true
+  # Annotations to add to the service account
+  annotations: {}
+  # The name of the service account to use.
+  # If not set and create is true, a name is generated using the fullname template
+  name: ""
+
+podAnnotations: {}
+
+podSecurityContext: {}
+  # fsGroup: 2000
+
+securityContext: {}
+  # capabilities:
+  #   drop:
+  #   - ALL
+  # readOnlyRootFilesystem: true
+  # runAsNonRoot: true
+  # runAsUser: 1000
+
+service:
+  type: ClusterIP
+  port: 80
+
+ingress:
+  enabled: false
+  annotations: {}
+    # kubernetes.io/ingress.class: nginx
+    # kubernetes.io/tls-acme: "true"
+  hosts:
+    - host: chart-example.local
+      paths: []
+  tls: []
+  #  - secretName: chart-example-tls
+  #    hosts:
+  #      - chart-example.local
+
+resources: {}
+  # We usually recommend not to specify default resources and to leave this as a conscious
+  # choice for the user. This also increases chances charts run on environments with little
+  # resources, such as Minikube. If you do want to specify resources, uncomment the following
+  # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+  # limits:
+  #   cpu: 100m
+  #   memory: 128Mi
+  # requests:
+  #   cpu: 100m
+  #   memory: 128Mi
+
+autoscaling:
+  enabled: false
+  minReplicas: 1
+  maxReplicas: 100
+  targetCPUUtilizationPercentage: 80
+  # targetMemoryUtilizationPercentage: 80
+
+nodeSelector: {}
+
+tolerations: []
+
+affinity: {}

contrib/helm/httpbin/Chart.yaml

@@ -0,0 +1,23 @@
+apiVersion: v2
+name: httpbin
+description: A Helm chart for Kubernetes
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.6.1
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+appVersion: 0.6.1

contrib/helm/httpbin/templates/_helpers.tpl

@@ -0,0 +1,63 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "httpbin.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "httpbin.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "httpbin.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "httpbin.labels" -}}
+helm.sh/chart: {{ include "httpbin.chart" . }}
+{{ include "httpbin.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "httpbin.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "httpbin.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "httpbin.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "httpbin.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}

contrib/helm/httpbin/templates/deployment.yaml

@@ -0,0 +1,61 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "httpbin.fullname" . }}
+  labels:
+    {{- include "httpbin.labels" . | nindent 4 }}
+spec:
+{{- if not .Values.autoscaling.enabled }}
+  replicas: {{ .Values.replicaCount }}
+{{- end }}
+  selector:
+    matchLabels:
+      {{- include "httpbin.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+    {{- with .Values.podAnnotations }}
+      annotations:
+        {{- toYaml . | nindent 8 }}
+    {{- end }}
+      labels:
+        {{- include "httpbin.selectorLabels" . | nindent 8 }}
+    spec:
+      {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      serviceAccountName: {{ include "httpbin.serviceAccountName" . }}
+      securityContext:
+        {{- toYaml .Values.podSecurityContext | nindent 8 }}
+      containers:
+        - name: {{ .Chart.Name }}
+          securityContext:
+            {{- toYaml .Values.securityContext | nindent 12 }}
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          ports:
+            - name: http
+              containerPort: 80
+              protocol: TCP
+          livenessProbe:
+            httpGet:
+              path: /
+              port: http
+          readinessProbe:
+            httpGet:
+              path: /
+              port: http
+          resources:
+            {{- toYaml .Values.resources | nindent 12 }}
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}

contrib/helm/httpbin/templates/ingress.yaml

@@ -0,0 +1,41 @@
+{{- if .Values.ingress.enabled -}}
+{{- $fullName := include "httpbin.fullname" . -}}
+{{- $svcPort := .Values.service.port -}}
+{{- if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}}
+apiVersion: networking.k8s.io/v1beta1
+{{- else -}}
+apiVersion: extensions/v1beta1
+{{- end }}
+kind: Ingress
+metadata:
+  name: {{ $fullName }}
+  labels:
+    {{- include "httpbin.labels" . | nindent 4 }}
+  {{- with .Values.ingress.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  {{- if .Values.ingress.tls }}
+  tls:
+    {{- range .Values.ingress.tls }}
+    - hosts:
+        {{- range .hosts }}
+        - {{ . | quote }}
+        {{- end }}
+      secretName: {{ .secretName }}
+    {{- end }}
+  {{- end }}
+  rules:
+    {{- range .Values.ingress.hosts }}
+    - host: {{ .host | quote }}
+      http:
+        paths:
+          {{- range .paths }}
+          - path: {{ . }}
+            backend:
+              serviceName: {{ $fullName }}
+              servicePort: {{ $svcPort }}
+          {{- end }}
+    {{- end }}
+  {{- end }}

contrib/helm/httpbin/templates/service.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "httpbin.fullname" . }}
+  labels:
+    {{- include "httpbin.labels" . | nindent 4 }}
+spec:
+  type: {{ .Values.service.type }}
+  ports:
+    - port: {{ .Values.service.port }}
+      targetPort: http
+      protocol: TCP
+      name: http
+  selector:
+    {{- include "httpbin.selectorLabels" . | nindent 4 }}

contrib/helm/httpbin/templates/serviceaccount.yaml

@@ -0,0 +1,12 @@
+{{- if .Values.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "httpbin.serviceAccountName" . }}
+  labels:
+    {{- include "httpbin.labels" . | nindent 4 }}
+  {{- with .Values.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- end }}

contrib/helm/httpbin/values.yaml

@@ -0,0 +1,79 @@
+# Default values for httpbin.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+replicaCount: 1
+
+image:
+  repository: kennethreitz/httpbin
+  pullPolicy: IfNotPresent
+  # Overrides the image tag whose default is the chart version.
+  tag: latest
+
+imagePullSecrets: []
+nameOverride: ""
+fullnameOverride: ""
+
+serviceAccount:
+  # Specifies whether a service account should be created
+  create: true
+  # Annotations to add to the service account
+  annotations: {}
+  # The name of the service account to use.
+  # If not set and create is true, a name is generated using the fullname template
+  name: ""
+
+podAnnotations: {}
+
+podSecurityContext: {}
+  # fsGroup: 2000
+
+securityContext: {}
+  # capabilities:
+  #   drop:
+  #   - ALL
+  # readOnlyRootFilesystem: true
+  # runAsNonRoot: true
+  # runAsUser: 1000
+
+service:
+  type: ClusterIP
+  port: 80
+
+ingress:
+  enabled: false
+  annotations: {}
+    # kubernetes.io/ingress.class: nginx
+    # kubernetes.io/tls-acme: "true"
+  hosts:
+    - host: chart-example.local
+      paths: []
+  tls: []
+  #  - secretName: chart-example-tls
+  #    hosts:
+  #      - chart-example.local
+
+resources: {}
+  # We usually recommend not to specify default resources and to leave this as a conscious
+  # choice for the user. This also increases chances charts run on environments with little
+  # resources, such as Minikube. If you do want to specify resources, uncomment the following
+  # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+  # limits:
+  #   cpu: 100m
+  #   memory: 128Mi
+  # requests:
+  #   cpu: 100m
+  #   memory: 128Mi
+
+autoscaling:
+  enabled: false
+  minReplicas: 1
+  maxReplicas: 100
+  targetCPUUtilizationPercentage: 80
+  # targetMemoryUtilizationPercentage: 80
+
+nodeSelector: {}
+
+tolerations: []
+
+affinity: {}

contrib/helm/kind-cluster.yaml

@@ -0,0 +1,14 @@
+kind: Cluster
+apiVersion: kind.x-k8s.io/v1alpha4
+nodes:
+  - role: control-plane
+    kubeadmConfigPatches:
+      - |
+        kind: InitConfiguration
+        nodeRegistration:
+          kubeletExtraArgs:
+            node-labels: "ingress-ready=true"
+    extraPortMappings:
+      - containerPort: 80
+        hostPort: 80
+        protocol: TCP

contrib/helm/values.yaml

@@ -0,0 +1,95 @@
+dex:
+  ingress:
+    enabled: true
+    hosts:
+      - dex.localtest.me
+  grpc: false
+  certs:
+    grpc:
+      create: false
+    web:
+      create: false
+
+  config:
+    issuer: http://dex.localtest.me
+    expiry:
+      signingKeys: "4h"
+      idTokens: "1h"
+    staticClients:
+      - id: oauth2-proxy
+        redirectURIs:
+          # These redirect URI points to the `--redirect-url` for OAuth2 proxy.
+          - 'http://oauth2-proxy.localtest.me/oauth2/callback'
+        name: 'OAuth2 Proxy'
+        secret: "b2F1dGgyLXByb3h5LWNsaWVudC1zZWNyZXQK"
+    staticPasswords:
+     - email: "admin@example.com"
+       # bcrypt hash of the string "password"
+       hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W"
+       username: "admin"
+       userID: "08a8684b-db88-4b73-90a9-3cd1661f5466"
+
+oauth2-proxy:
+  nameOverride: oauth2-proxy-sample
+  ingress:
+    enabled: true
+    hosts:
+      - oauth2-proxy.localtest.me
+    annotations:
+      nginx.ingress.kubernetes.io/server-snippet: |
+        large_client_header_buffers 4 32k;
+  # pick up client_id and client_secret from configFile as opposed to helm .Values.config.clientID and .Values.config.clientSecret
+  proxyVarsAsSecrets: false
+  config:
+    configFile: |-
+      cookie_secret="OQINaROshtE9TcZkNAm-5Zs2Pv3xaWytBmc5W7sPX7w="
+      cookie_domain=".localtest.me"
+      whitelist_domains=[".localtest.me"]
+      # only users with this domain will be let in
+      email_domains=["example.com"]
+
+      client_id="oauth2-proxy"
+      client_secret="b2F1dGgyLXByb3h5LWNsaWVudC1zZWNyZXQK"
+      cookie_secure="false"
+
+      redirect_url="http://oauth2-proxy.localtest.me/oauth2/callback"
+
+      # we don't want to proxy anything so pick a non-existent directory
+      upstreams = [ "file:///dev/null" ]
+
+      # return authenticated user to nginx
+      set_xauthrequest = true
+      # using http://dex.localtest.me/.well-known/openid-configuration oauth2-proxy will populate
+      # login_url, redeem_url, and oidc_jwks_url
+      provider="oidc"
+      oidc_issuer_url="http://dex.localtest.me"
+
+httpbin:
+  ingress:
+    enabled: true
+    hosts:
+      - host: httpbin.localtest.me
+        paths:
+          - /
+    annotations:
+      nginx.ingress.kubernetes.io/auth-signin: http://oauth2-proxy.localtest.me/oauth2/start
+      # That's what will be used in REAL LIFE
+      #nginx.ingress.kubernetes.io/auth-url: http://oauth2-proxy.localtest.me/oauth2/auth
+      # but because of https://github.com/kubernetes/ingress-nginx/issues/3665
+      nginx.ingress.kubernetes.io/auth-url: http://oauth2-proxy-example-oauth2-proxy-sample.default.svc.cluster.local/oauth2/auth
+      nginx.ingress.kubernetes.io/auth-response-headers: X-Auth-Request-User,X-Auth-Request-Email
+
+hello-world:
+  ingress:
+    enabled: true
+    hosts:
+      - host: hello-world.localtest.me
+        paths:
+          - /
+    annotations:
+      nginx.ingress.kubernetes.io/auth-signin: http://oauth2-proxy.localtest.me/oauth2/start
+      # That's what will be used in REAL LIFE
+      #nginx.ingress.kubernetes.io/auth-url: http://oauth2-proxy.localtest.me/oauth2/auth
+      # but because of https://github.com/kubernetes/ingress-nginx/issues/3665
+      nginx.ingress.kubernetes.io/auth-url: http://oauth2-proxy-example-oauth2-proxy-sample.default.svc.cluster.local/oauth2/auth
+      nginx.ingress.kubernetes.io/auth-response-headers: X-Auth-Request-User,X-Auth-Request-Email