From d7759a01f2763a82b3c3e4e3bed895d854b594b2 Mon Sep 17 00:00:00 2001 
From: rlaisqls Date: Thu, 24 Aug 2023 17:37:25 +0900 Subject: [PATCH] =?UTF-8?q?=F0=9F=94=80=20::=20dex?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .github/workflows/publish.yaml | 16 +- .../redis-ha/templates/redis-auth-secret.yaml | 15 - .../templates/sentinel-auth-secret.yaml | 15 - .../charts/grafana/templates/ingress.yaml | 63 ---- helm/dex/Chart.yaml | 28 ++ helm/dex/LICENSE | 202 +++++++++++ helm/dex/README.md | 190 ++++++++++ helm/dex/README.md.gotmpl | 103 ++++++ helm/dex/ci/config-secret-values.yaml | 10 + helm/dex/ci/label-annotations-values.yaml | 19 + helm/dex/ci/no-config-secret.yaml | 10 + helm/dex/ci/test-values.yaml | 7 + helm/dex/templates/NOTES.txt | 22 ++ helm/dex/templates/_helpers.tpl | 76 ++++ helm/dex/templates/deployment.yaml | 145 ++++++++ helm/dex/templates/hpa.yaml | 50 +++ helm/dex/templates/ingress.yaml | 61 ++++ helm/dex/templates/networkpolicy.yaml | 35 ++ helm/dex/templates/poddisruptionbudget.yaml | 22 ++ helm/dex/templates/rbac.yaml | 55 +++ helm/dex/templates/secret.yaml | 11 + helm/dex/templates/service.yaml | 59 +++ helm/dex/templates/serviceaccount.yaml | 12 + helm/dex/templates/servicemonitor.yaml | 54 +++ .../dex/templates/tests/no-config-secret.yaml | 13 + helm/dex/values.yaml | 336 ++++++++++++++++++ 26 files changed, 1526 insertions(+), 103 deletions(-) delete mode 100644 helm/argocd/charts/redis-ha/templates/redis-auth-secret.yaml delete mode 100644 helm/argocd/charts/redis-ha/templates/sentinel-auth-secret.yaml delete mode 100755 helm/cost-analyzer/charts/grafana/templates/ingress.yaml create mode 100644 helm/dex/Chart.yaml create mode 100644 helm/dex/LICENSE create mode 100644 helm/dex/README.md create mode 100644 helm/dex/README.md.gotmpl create mode 100644 helm/dex/ci/config-secret-values.yaml create mode 100644 helm/dex/ci/label-annotations-values.yaml create mode 100644 helm/dex/ci/no-config-secret.yaml create mode 100644 helm/dex/ci/test-values.yaml create mode 
100644 helm/dex/templates/NOTES.txt create mode 100644 helm/dex/templates/_helpers.tpl create mode 100644 helm/dex/templates/deployment.yaml create mode 100644 helm/dex/templates/hpa.yaml create mode 100644 helm/dex/templates/ingress.yaml create mode 100644 helm/dex/templates/networkpolicy.yaml create mode 100644 helm/dex/templates/poddisruptionbudget.yaml create mode 100644 helm/dex/templates/rbac.yaml create mode 100644 helm/dex/templates/secret.yaml create mode 100644 helm/dex/templates/service.yaml create mode 100644 helm/dex/templates/serviceaccount.yaml create mode 100644 helm/dex/templates/servicemonitor.yaml create mode 100644 helm/dex/templates/tests/no-config-secret.yaml create mode 100644 helm/dex/values.yaml diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml index d4014671..9df5f768 100644 --- a/.github/workflows/publish.yaml +++ b/.github/workflows/publish.yaml @@ -30,18 +30,14 @@ jobs: - name: Helm package id: helm_package run: | - find helm -mindepth 1 -maxdepth 1 -type d | - while IFS= read -r package_directory; do - package_name=$(basename "$package_directory") - cd helm/$package_name - helm dependency update . - helm dependency build . - cd ../../ - done - - helm package $(find helm -type d -mindepth 1 -maxdepth 1 -exec basename {} \; | tr '\n' ' ') + package_dir=$(find helm -type d -mindepth 1 -maxdepth 1 -exec basename {} \; | tr '\n' ' ') + echo $package_dir + cd helm + helm package $package_dir + cd ../ package_list=$(find . -type f -mindepth 1 -maxdepth 1 -name "*.tgz" -exec basename {} \; | tr '\n' ' ') + echo $package_list echo "package_list=$package_list" >> $GITHUB_OUTPUT - name: Checkout gh-pages branch diff --git a/helm/argocd/charts/redis-ha/templates/redis-auth-secret.yaml b/helm/argocd/charts/redis-ha/templates/redis-auth-secret.yaml deleted file mode 100644 index a1fd6311..00000000 --- a/helm/argocd/charts/redis-ha/templates/redis-auth-secret.yaml +++ /dev/null 
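Review bot: `helm package $package_dir` now runs with no preceding `helm dependency build`, so every chart is packaged from whatever `charts/` directory happens to be committed and nothing reconciles that against `Chart.lock`; the files deleted under `helm/argocd/charts/redis-ha/` in this same commit show the vendored subcharts are hand-edited in-tree, so a stale or tampered subchart would ship without any check. Consider inserting `helm lint $package_dir` before the package line so at least templating failures surface at publish time. The unquoted `$package_dir`/`$package_list` expansions and the `find -type d -mindepth 1 -maxdepth 1` ordering (GNU find warns when `-mindepth` follows `-type`) are both avoided by iterating `for d in helm/*/; do helm package "$d"; done` instead of joining with `tr`.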
@@ -1,15 +0,0 @@ -{{- if and .Values.auth (not .Values.existingSecret) -}} -apiVersion: v1 -kind: Secret -metadata: - name: {{ template "redis-ha.fullname" . }} - namespace: {{ .Release.Namespace | quote }} - labels: -{{ include "labels.standard" . | indent 4 }} - {{- range $key, $value := .Values.extraLabels }} - {{ $key }}: {{ $value | quote }} - {{- end }} -type: Opaque -data: - {{ .Values.authKey }}: {{ .Values.redisPassword | b64enc | quote }} -{{- end -}} diff --git a/helm/argocd/charts/redis-ha/templates/sentinel-auth-secret.yaml b/helm/argocd/charts/redis-ha/templates/sentinel-auth-secret.yaml deleted file mode 100644 index d351be65..00000000 --- a/helm/argocd/charts/redis-ha/templates/sentinel-auth-secret.yaml +++ /dev/null @@ -1,15 +0,0 @@ -{{- if and .Values.sentinel.auth (not .Values.sentinel.existingSecret) -}} -apiVersion: v1 -kind: Secret -metadata: - name: {{ template "redis-ha.fullname" . }}-sentinel - namespace: {{ .Release.Namespace | quote }} - labels: -{{ include "labels.standard" . | indent 4 }} - {{- range $key, $value := .Values.extraLabels }} - {{ $key }}: {{ $value | quote }} - {{- end }} -type: Opaque -data: - {{ .Values.sentinel.authKey }}: {{ .Values.sentinel.password | b64enc | quote }} -{{- end -}} \ No newline at end of file diff --git a/helm/cost-analyzer/charts/grafana/templates/ingress.yaml b/helm/cost-analyzer/charts/grafana/templates/ingress.yaml deleted file mode 100755 index 1c65e211..00000000 --- a/helm/cost-analyzer/charts/grafana/templates/ingress.yaml +++ /dev/null 
@@ -1,63 +0,0 @@ -{{ if .Values.global.grafana.enabled }} -{{- if .Values.ingress.enabled -}} -{{- $fullName := include "grafana.fullname" . -}} -{{- $servicePort := .Values.service.port -}} -{{- $ingressPath := .Values.ingress.path -}} -{{- $apiV1 := false -}} -{{- if .Capabilities.APIVersions.Has "networking.k8s.io/v1" }} -{{- $apiV1 = true -}} -apiVersion: networking.k8s.io/v1 -{{ else if .Capabilities.APIVersions.Has "networking.k8s.io/v1beta1" }} -apiVersion: networking.k8s.io/v1beta1 -{{ else }} -apiVersion: extensions/v1beta1 -{{ end -}} -kind: Ingress -metadata: - name: {{ $fullName }} - namespace: {{ .Release.Namespace }} - labels: - app: {{ template "grafana.name" . }} - chart: {{ template "grafana.chart" . }} - release: {{ .Release.Name }} - heritage: {{ .Release.Service }} -{{- if .Values.ingress.labels }} -{{ toYaml .Values.ingress.labels | indent 4 }} -{{- end }} -{{- with .Values.ingress.annotations }} - annotations: -{{ toYaml . | indent 4 }} -{{- end }} -spec: -{{- if .Values.ingress.tls }} - tls: - {{- range .Values.ingress.tls }} - - hosts: - {{- range .hosts }} - - {{ . | quote }} - {{- end }} - secretName: {{ .secretName }} - {{- end }} -{{- end }} - rules: - {{- range .Values.ingress.hosts }} - - host: {{ . }} - http: - paths: - {{- if $apiV1 }} - - path: {{ $ingressPath }} - pathType: {{ $.Values.ingress.pathType }} - backend: - service: - name: {{ $fullName }} - port: - number: {{ $servicePort }} - {{- else }} - - path: {{ $ingressPath }} - backend: - serviceName: {{ $fullName }} - servicePort: {{ $servicePort }} - {{- end }} - {{- end }} -{{- end }} -{{ end }} diff --git a/helm/dex/Chart.yaml b/helm/dex/Chart.yaml new file mode 100644 index 00000000..309fb9cd --- /dev/null +++ b/helm/dex/Chart.yaml 
@@ -0,0 +1,28 @@ +apiVersion: v2 +type: application +name: dex +version: 0.15.3 +appVersion: "2.37.0" +kubeVersion: ">=1.14.0-0" +description: OpenID Connect (OIDC) identity and OAuth 2.0 provider with pluggable connectors. +icon: https://dexidp.io/favicon.png +keywords: + - oidc + - oauth + - identity-provider + - saml +home: https://dexidp.io/ +sources: + - https://github.com/dexidp/dex + - https://github.com/dexidp/helm-charts/tree/master/charts/dex +maintainers: + - name: sagikazarmark + email: mark.sagikazar@gmail.com + url: https://sagikazarmark.hu +annotations: + artifacthub.io/changes: | + - kind: added + description: "Add default values for path and honorLabels to ServiceMonitor" + artifacthub.io/images: | + - name: dex + image: ghcr.io/dexidp/dex:v2.37.0 diff --git a/helm/dex/LICENSE b/helm/dex/LICENSE new file mode 100644 index 00000000..d6456956 --- /dev/null +++ b/helm/dex/LICENSE 
@@ -0,0 +1,202 @@ + + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. 
For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. 
Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of 
the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. 
Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. 
+ + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright [yyyy] [name of copyright owner] + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/helm/dex/README.md b/helm/dex/README.md new file mode 100644 index 00000000..cbab192a --- /dev/null +++ b/helm/dex/README.md 
@@ -0,0 +1,190 @@ +# dex + +![version: 0.15.3](https://img.shields.io/badge/version-0.15.3-informational?style=flat-square) ![type: application](https://img.shields.io/badge/type-application-informational?style=flat-square) ![app version: 2.37.0](https://img.shields.io/badge/app%20version-2.37.0-informational?style=flat-square) ![kube version: >=1.14.0-0](https://img.shields.io/badge/kube%20version->=1.14.0--0-informational?style=flat-square) [![artifact hub](https://img.shields.io/badge/artifact%20hub-dex-informational?style=flat-square)](https://artifacthub.io/packages/helm/dex/dex) + +OpenID Connect (OIDC) identity and OAuth 2.0 provider with pluggable connectors. + +**Homepage:** + +## TL;DR; + +```bash +helm repo add dex https://charts.dexidp.io +helm install --generate-name --wait dex/dex +``` + +## Getting started + +### Minimal configuration + +Dex requires a minimal configuration in order to work. +You can pass configuration to Dex using Helm values: + +```yaml +config: + # Set it to a valid URL + issuer: http://my-issuer-url.com + + # See https://dexidp.io/docs/storage/ for more options + storage: + type: memory + + # Enable at least one connector + # See https://dexidp.io/docs/connectors/ for more options + enablePasswordDB: true +``` + +The above configuration won't make Dex automatically available on the configured URL. +One (and probably the easiest) way to achieve that is configuring ingress: + +```yaml +ingress: + enabled: true + + hosts: + - host: my-issuer-url.com + paths: + - path: / +``` + +### Minimal TLS configuration + +HTTPS is basically mandatory these days, especially for authentication and authorization services. +There are several solutions for protecting services with TlS in Kubernetes, +but by far the most popular and portable is undoubtedly [Cert Manager](https://cert-manager.io). 
+ +Cert Manager can be [installed](https://cert-manager.io/docs/installation/kubernetes) with a few steps: + +```shell +helm repo add jetstack https://charts.jetstack.io +helm repo update +kubectl create namespace cert-manager +helm install \ + cert-manager jetstack/cert-manager \ + --namespace cert-manager \ + --set installCRDs=true +``` + +The next step is setting up an [issuer](https://cert-manager.io/docs/concepts/issuer/) (eg. [Let's Encrypt](https://letsencrypt.org/)): + +```shell +cat <=1.23-0" .Capabilities.KubeVersion.GitVersion -}} +apiVersion: autoscaling/v2 +{{- else -}} +apiVersion: autoscaling/v2beta1 +{{- end }} +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "dex.fullname" . }} + labels: + {{- include "dex.labels" . | nindent 4 }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ include "dex.fullname" . }} + minReplicas: {{ .Values.autoscaling.minReplicas }} + maxReplicas: {{ .Values.autoscaling.maxReplicas }} + metrics: + {{- if .Values.autoscaling.targetCPUUtilizationPercentage }} + {{- if semverCompare ">=1.23-0" .Capabilities.KubeVersion.GitVersion }} + - type: Resource + resource: + name: cpu + target: + type: Utilization + averageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }} + {{- else }} + - type: Resource + resource: + name: cpu + targetAverageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }} + {{- end }} + {{- end }} + {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }} + {{- if semverCompare ">=1.23-0" .Capabilities.KubeVersion.GitVersion }} + - type: Resource + resource: + name: memory + target: + type: Utilization + averageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }} + {{- else }} + - type: Resource + resource: + name: memory + targetAverageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }} + {{- end }} + {{- end }} +{{- end }} 
diff --git a/helm/dex/templates/ingress.yaml b/helm/dex/templates/ingress.yaml new file mode 100644 index 00000000..0b881d04 --- /dev/null +++ b/helm/dex/templates/ingress.yaml 
@@ -0,0 +1,61 @@ +{{- if .Values.ingress.enabled -}} +{{- $fullName := include "dex.fullname" . -}} +{{- $svcPort := .Values.service.ports.http.port -}} +{{- if and .Values.ingress.className (not (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion)) }} + {{- if not (hasKey .Values.ingress.annotations "kubernetes.io/ingress.class") }} + {{- $_ := set .Values.ingress.annotations "kubernetes.io/ingress.class" .Values.ingress.className}} + {{- end }} +{{- end }} +{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}} +apiVersion: networking.k8s.io/v1 +{{- else if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}} +apiVersion: networking.k8s.io/v1beta1 +{{- else -}} +apiVersion: extensions/v1beta1 +{{- end }} +kind: Ingress +metadata: + name: {{ $fullName }} + labels: + {{- include "dex.labels" . | nindent 4 }} + {{- with .Values.ingress.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + {{- if and .Values.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }} + ingressClassName: {{ .Values.ingress.className }} + {{- end }} + {{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ tpl . $ | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} + {{- end }} + rules: + {{- range .Values.ingress.hosts }} + - host: {{ tpl .host $ | quote }} + http: + paths: + {{- range .paths }} + - path: {{ .path }} + {{- if and .pathType (semverCompare ">=1.18-0" $.Capabilities.KubeVersion.GitVersion) }} + pathType: {{ .pathType }} + {{- end }} + backend: + {{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }} + service: + name: {{ $fullName }} + port: + number: {{ $svcPort }} + {{- else }} + serviceName: {{ $fullName }} + servicePort: {{ $svcPort }} + {{- end }} + {{- end }} + {{- end }} +{{- end }} 
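Review bot: Nothing in this template requires `ingress.tls`, so with `ingress.enabled: true` and no `tls` entries the OIDC issuer is published over plaintext HTTP and whatever credentials and tokens are exchanged with it cross the edge in the clear; the README added in this commit calls HTTPS "basically mandatory" for Dex, but the chart does not enforce it. A guard such as `{{- if not .Values.ingress.tls }}{{ fail "ingress.tls is required: Dex must not be served over plaintext HTTP" }}{{- end }}` would catch this at install time; if plaintext has to stay possible for local testing, gate the `fail` behind an explicit opt-out value and emit a warning in NOTES.txt instead. Separately, `path: {{ .path }}` and `secretName: {{ .secretName }}` are rendered unquoted while the hosts go through `quote`; quote them too so an odd or empty value cannot be mis-parsed.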
diff --git a/helm/dex/templates/networkpolicy.yaml b/helm/dex/templates/networkpolicy.yaml new file mode 100644 index 00000000..acd51b9d --- /dev/null +++ b/helm/dex/templates/networkpolicy.yaml @@ -0,0 +1,35 @@ +{{- if .Values.networkPolicy.enabled }} +{{- if semverCompare "<1.7-0" .Capabilities.KubeVersion.GitVersion -}} +apiVersion: extensions/v1beta1 +{{- else -}} +apiVersion: networking.k8s.io/v1 +{{- end }} +kind: NetworkPolicy +metadata: + name: {{ include "dex.fullname" . }} + labels: + {{- include "dex.labels" . | nindent 4 }} +spec: + policyTypes: + {{- if .Values.networkPolicy.egressRules }} + - Egress + {{- end }} + - Ingress + podSelector: + matchLabels: + {{- include "dex.selectorLabels" . | nindent 6 }} + ingress: + - ports: + - port: http + {{- if .Values.https.enabled }} + - port: https + {{- end }} + {{- if .Values.grpc.enabled }} + - port: grpc + {{- end }} + - port: telemetry + {{- with .Values.networkPolicy.egressRules }} + egress: + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end }} diff --git a/helm/dex/templates/poddisruptionbudget.yaml b/helm/dex/templates/poddisruptionbudget.yaml new file mode 100644 index 00000000..6ec1032a --- /dev/null +++ b/helm/dex/templates/poddisruptionbudget.yaml @@ -0,0 +1,22 @@ +{{- if .Values.podDisruptionBudget.enabled }} +{{- if semverCompare ">=1.21-0" .Capabilities.KubeVersion.GitVersion -}} +apiVersion: policy/v1 +{{- else -}} +apiVersion: policy/v1beta1 +{{- end }} +kind: PodDisruptionBudget +metadata: + name: {{ template "dex.fullname" . }} + labels: +{{ include "dex.labels" . | indent 4 }} +spec: + {{- with .Values.podDisruptionBudget.minAvailable }} + minAvailable: {{ . }} + {{- end }} + {{- with .Values.podDisruptionBudget.maxUnavailable }} + maxUnavailable: {{ . }} + {{- end }} + selector: + matchLabels: + {{- include "dex.selectorLabels" . | nindent 6 }} +{{- end }} diff --git a/helm/dex/templates/rbac.yaml b/helm/dex/templates/rbac.yaml new file mode 100644 index 00000000..333f2f10 --- /dev/null 
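Review bot: The single `ingress` rule lists `ports` but no `from`, so enabling the policy still admits every peer in the cluster (any namespace, plus anything that reaches the node via NodePort/LoadBalancer) to all of `http`, `https`, `grpc` and `telemetry`; its only effect is blocking ports Dex does not listen on anyway. The `grpc` port fronts Dex's gRPC API (management traffic rather than end-user logins, going by the linked docs) and `telemetry` exposes metrics, neither of which should be reachable from arbitrary workloads, so add a `from:` selector sourced from values (a `podSelector`/`namespaceSelector` pair) and split `grpc` and `telemetry` into their own rules so API clients and the monitoring namespace can be allow-listed independently. The `<1.7-0` branch that selects `extensions/v1beta1` is dead code given `kubeVersion: ">=1.14.0-0"` in Chart.yaml and can be dropped.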
+++ b/helm/dex/templates/rbac.yaml @@ -0,0 +1,55 @@ +{{- if .Values.rbac.create }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ include "dex.fullname" . }} + labels: + {{- include "dex.labels" . | nindent 4 }} +rules: + - apiGroups: ["dex.coreos.com"] + resources: ["*"] + verbs: ["*"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ include "dex.fullname" . }} + labels: + {{- include "dex.labels" . | nindent 4 }} +roleRef: + kind: Role + apiGroup: rbac.authorization.k8s.io + name: {{ include "dex.fullname" . }} +subjects: +- kind: ServiceAccount + namespace: {{ .Release.Namespace }} + name: {{ include "dex.serviceAccountName" . }} +{{- if .Values.rbac.createClusterScoped }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "dex.fullname" . }} + labels: + {{- include "dex.labels" . | nindent 4 }} +rules: + - apiGroups: ["apiextensions.k8s.io"] + resources: ["customresourcedefinitions"] + verbs: ["list", "create"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "dex.fullname" . }}-cluster + labels: + {{- include "dex.labels" . | nindent 4 }} +roleRef: + kind: ClusterRole + apiGroup: rbac.authorization.k8s.io + name: {{ include "dex.fullname" . }} +subjects: +- kind: ServiceAccount + namespace: {{ .Release.Namespace }} + name: {{ include "dex.serviceAccountName" . }} +{{- end }} +{{- end }} diff --git a/helm/dex/templates/secret.yaml b/helm/dex/templates/secret.yaml new file mode 100644 index 00000000..27d39546 --- /dev/null +++ b/helm/dex/templates/secret.yaml @@ -0,0 +1,11 @@ +{{- if .Values.configSecret.create -}} +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "dex.configSecretName" . }} + labels: + {{- include "dex.labels" . | nindent 4 }} +type: Opaque +data: + config.yaml: {{ .Values.config | toYaml | b64enc | quote }} +{{- end }} 
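Review bot: The ClusterRole grants `create` and `list` on `customresourcedefinitions` to the Dex service account permanently, which lets a compromised Dex pod register arbitrary CRDs cluster-wide; CRD creation is a one-time bootstrap need, so it is safer to apply the CRDs out of band and keep `rbac.createClusterScoped` at `false`, or at least document in values.yaml that this flag hands out a cluster-wide write permission. The namespaced Role's `resources: ["*"]`/`verbs: ["*"]` on `dex.coreos.com` is presumably what the Kubernetes storage backend needs, but both bindings are dead weight when `config.storage.type` is anything else, so consider tying `rbac.create` to that (or saying so in the value's comment) so deployments on other backends do not carry API permissions they never use. Note also that the ClusterRole is named `{{ include "dex.fullname" . }}` with no namespace qualifier while the ClusterRoleBinding gets a `-cluster` suffix; two releases with the same fullname in different namespaces would collide on that ClusterRole, so suffixing it with `.Release.Namespace` is safer.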
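Review bot: `config.yaml` here serialises the entire `.Values.config` tree, so any connector client secrets, static-client secrets or password hashes supplied through values land not only in this Secret but in every copy of the values Helm keeps (`helm get values`, the release-history records) and in whatever values file is committed alongside the chart. A comment above `data:` along the lines of `# NOTE: the full config, including any credentials under .Values.config, is stored here and in Helm's release record; for production prefer configSecret.create=false with an externally managed secret` would stop operators from treating this template as a secrets-management boundary.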
diff --git a/helm/dex/templates/service.yaml b/helm/dex/templates/service.yaml new file mode 100644 index 00000000..8114e8d5 --- /dev/null +++ b/helm/dex/templates/service.yaml 
@@ -0,0 +1,59 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ include "dex.fullname" . }} + labels: + {{- include "dex.labels" . | nindent 4 }} + {{- with .Values.service.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + type: {{ .Values.service.type }} + {{- with .Values.service.clusterIP }} + clusterIP: {{ . }} + {{- end }} + ports: + - name: http + port: {{ .Values.service.ports.http.port }} + {{- if and (or (eq .Values.service.type "NodePort") (eq .Values.service.type "LoadBalancer")) .Values.service.ports.http.nodePort }} + nodePort: {{ .Values.service.ports.http.nodePort }} + {{- end }} + targetPort: http + protocol: TCP + {{- if semverCompare ">=1.20-0" .Capabilities.KubeVersion.GitVersion }} + appProtocol: http + {{- end }} + {{- if .Values.https.enabled }} + - name: https + port: {{ .Values.service.ports.https.port }} + {{- if and (or (eq .Values.service.type "NodePort") (eq .Values.service.type "LoadBalancer")) .Values.service.ports.https.nodePort }} + nodePort: {{ .Values.service.ports.https.nodePort }} + {{- end }} + targetPort: https + protocol: TCP + {{- if semverCompare ">=1.20-0" .Capabilities.KubeVersion.GitVersion }} + appProtocol: https + {{- end }} + {{- end }} + {{- if .Values.grpc.enabled }} + - name: grpc + port: {{ .Values.service.ports.grpc.port }} + {{- if and (or (eq .Values.service.type "NodePort") (eq .Values.service.type "LoadBalancer")) .Values.service.ports.grpc.nodePort }} + nodePort: {{ .Values.service.ports.grpc.nodePort }} + {{- end }} + targetPort: grpc + protocol: TCP + {{- if semverCompare ">=1.20-0" .Capabilities.KubeVersion.GitVersion }} + appProtocol: http + {{- end }} + {{- end }} + - name: telemetry + port: 5558 + targetPort: telemetry + protocol: TCP + {{- if semverCompare ">=1.20-0" .Capabilities.KubeVersion.GitVersion }} + appProtocol: http + {{- end }} + selector: + {{- include "dex.selectorLabels" . | nindent 4 }} 
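Review bot: The `telemetry` port (5558) is published unconditionally, so with `service.type: LoadBalancer` or `NodePort` the metrics endpoint becomes reachable from outside the cluster alongside `http`, and `grpc` joins it whenever `grpc.enabled` is true; every other port in this Service is gated, this one has no switch. Either omit `telemetry` when the type is not `ClusterIP`, or move it to a dedicated ClusterIP Service that the ServiceMonitor targets, so the externally exposed Service carries only the OIDC endpoints. On the `grpc` entry, `appProtocol: http` looks wrong for any proxy that honours the field (gRPC is HTTP/2 cleartext); `grpc` or omitting the field is the safer choice, but confirm against the load balancers and meshes you target.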
diff --git a/helm/dex/templates/serviceaccount.yaml b/helm/dex/templates/serviceaccount.yaml new file mode 100644 index 00000000..30c3ddd9 --- /dev/null +++ b/helm/dex/templates/serviceaccount.yaml @@ -0,0 +1,12 @@ +{{- if .Values.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "dex.serviceAccountName" . }} + labels: + {{- include "dex.labels" . | nindent 4 }} + {{- with .Values.serviceAccount.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end }} diff --git a/helm/dex/templates/servicemonitor.yaml b/helm/dex/templates/servicemonitor.yaml new file mode 100644 index 00000000..ce96e5be --- /dev/null +++ b/helm/dex/templates/servicemonitor.yaml 
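Review bot: The ServiceAccount sets no `automountServiceAccountToken`, so every Dex pod receives an API token even when its storage backend never talks to the API server; the rbac.yaml in this commit shows the only API access Dex is granted concerns `dex.coreos.com` resources, which a deployment on a non-Kubernetes storage backend never touches. Add `automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }}` with a default of `true` in values.yaml to stay compatible, and document that it can be set to `false` when `config.storage.type` is not `kubernetes`. The Deployment template is not in this chunk, so if it already sets the field at pod level this can be dropped.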
@@ -0,0 +1,54 @@ +{{- if .Values.serviceMonitor.enabled }} +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + {{- with .Values.serviceMonitor.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} + name: {{ include "dex.fullname" . }} + {{- with .Values.serviceMonitor.namespace }} + namespace: {{ . }} + {{- end }} + labels: + {{- include "dex.labels" . | nindent 4 }} + {{- with .Values.serviceMonitor.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + endpoints: + - port: telemetry + {{- with .Values.serviceMonitor.interval }} + interval: {{ . }} + {{- end }} + {{- with .Values.serviceMonitor.scheme }} + scheme: {{ . }} + {{- end }} + {{- with .Values.serviceMonitor.bearerTokenFile }} + bearerTokenFile: {{ . }} + {{- end }} + {{- with .Values.serviceMonitor.tlsConfig }} + tlsConfig: + {{- toYaml .| nindent 6 }} + {{- end }} + {{- with .Values.serviceMonitor.scrapeTimeout }} + scrapeTimeout: {{ . }} + {{- end }} + path: {{ .Values.serviceMonitor.path }} + honorLabels: {{ .Values.serviceMonitor.honorLabels }} + {{- with .Values.serviceMonitor.metricRelabelings }} + metricRelabelings: + {{- tpl (toYaml . | nindent 6) $ }} + {{- end }} + {{- with .Values.serviceMonitor.relabelings }} + relabelings: + {{- toYaml . | nindent 6 }} + {{- end }} + jobLabel: {{ include "dex.fullname" . }} + selector: + matchLabels: + {{- include "dex.selectorLabels" . | nindent 6 }} + namespaceSelector: + matchNames: + - {{ .Release.Namespace }} +{{- end }} diff --git a/helm/dex/templates/tests/no-config-secret.yaml b/helm/dex/templates/tests/no-config-secret.yaml new file mode 100644 index 00000000..4b7804f5 --- /dev/null +++ b/helm/dex/templates/tests/no-config-secret.yaml 
@@ -0,0 +1,13 @@
+{{- if not .Values.configSecret.create -}}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ include "dex.configSecretName" . }}-test-no-create
+ labels:
+ {{- include "dex.labels" . | nindent 4 }}
+ annotations:
+ "helm.sh/hook": test
+type: Opaque
+data:
+ config.yaml: {{ .Values.config | toYaml | b64enc | quote }}
+{{- end }}
diff --git a/helm/dex/values.yaml b/helm/dex/values.yaml
new file mode 100644
index 00000000..7452791e
--- /dev/null
+++ b/helm/dex/values.yaml
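Review bot: The test-hook Secret embeds the whole `config` value in `config.yaml`, which is where connector client secrets and static passwords would live, yet it carries only `"helm.sh/hook": test` and no `helm.sh/hook-delete-policy`, so after `helm test` it lingers in the namespace as a second, unmanaged copy of the configuration in exactly the case (`configSecret.create: false`) where the operator chose not to let the chart manage that secret. Add `"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded,hook-failed` next to the hook annotation so it is cleaned up, and since this file looks intended only to keep rendering and lint working when the config secret is external, consider whether a constant placeholder value would serve the same purpose without duplicating real credentials.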
@@ -0,0 +1,336 @@
+# Default values for dex.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+# -- Number of replicas (pods) to launch.
+replicaCount: 1
+
+# -- Labels to apply to all resources and selectors.
+commonLabels: {}
+# team_name: dev
+
+image:
+ # -- Name of the image repository to pull the container image from.
+ repository: ghcr.io/dexidp/dex
+
+ # -- [Image pull policy](https://kubernetes.io/docs/concepts/containers/images/#updating-images) for updating already existing images on a node.
+ pullPolicy: IfNotPresent
+
+ # -- Image tag override for the default value (chart appVersion).
+ tag: ""
+
+# -- Reference to one or more secrets to be used when [pulling images](https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/#create-a-pod-that-uses-your-secret) (from private registries).
+imagePullSecrets: []
+
+# -- A name in place of the chart name for `app:` labels.
+nameOverride: ""
+
+# -- A name to substitute for the full names of resources.
+fullnameOverride: ""
+
+# -- A list of hosts and IPs that will be injected into the pod's hosts file if specified.
+# See the [API reference](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#hostname-and-name-resolution)
+hostAliases: []
+
+https:
+ # -- Enable the HTTPS endpoint.
+ enabled: false
+
+grpc:
+ # -- Enable the gRPC endpoint.
+ # Read more in the [documentation](https://dexidp.io/docs/api/).
+ enabled: false
+
+configSecret:
+ # -- Enable creating a secret from the values passed to `config`.
+ # If set to false, name must point to an existing secret.
+ create: true
+
+ # -- The name of the secret to mount as configuration in the pod.
+ # If not set and create is true, a name is generated using the fullname template.
+ # Must point to secret that contains at least a `config.yaml` key.
+ name: ""
+
+# -- Application configuration.
+# See the [official documentation](https://dexidp.io/docs/).
+config: {}
+
+# -- Additional storage [volumes](https://kubernetes.io/docs/concepts/storage/volumes/).
+# See the [API reference](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#volumes-1) for details.
+volumes: []
+
+# -- Additional [volume mounts](https://kubernetes.io/docs/tasks/configure-pod-container/configure-volume-storage/).
+# See the [API reference](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#volumes-1) for details.
+volumeMounts: []
+
+# -- Additional environment variables mounted from [secrets](https://kubernetes.io/docs/concepts/configuration/secret/#using-secrets-as-environment-variables) or [config maps](https://kubernetes.io/docs/tasks/configure-pod-container/configure-pod-configmap/#configure-all-key-value-pairs-in-a-configmap-as-container-environment-variables).
+# See the [API reference](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#environment-variables) for details.
+envFrom: []
+
+# -- Additional environment variables passed directly to containers.
+# See the [API reference](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#environment-variables) for details.
+env: {}
+
+# -- Similar to env but with support for all possible configurations.
+# See the [API reference](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#environment-variables) for details.
+envVars: []
+# - name: SOME_ENV_VAR
+# value: value
+# - name: SOME_ENV_VAR2
+# valueFrom:
+# secretKeyRef:
+# name: secret-name
+# key: secret-key
+# - name: SOME_ENV_VAR3
+# valueFrom:
+# configMapKeyRef:
+# name: config-map-name
+# key: config-map-key
+
+serviceAccount:
+ # -- Enable service account creation.
+ create: true
+
+ # -- Annotations to be added to the service account.
+ annotations: {}
+
+ # -- The name of the service account to use.
+ # If not set and create is true, a name is generated using the fullname template.
+ name: ""
+
+rbac:
+ # -- Specifies whether RBAC resources should be created.
+ # If disabled, the operator is responsible for creating the necessary resources based on the templates.
+ create: true
+
+ # -- Specifies which RBAC resources should be created.
+ # If disabled, the operator is responsible for creating the necessary resources (ClusterRole and RoleBinding or CRD's)
+ createClusterScoped: true
+
+# -- Annotations to be added to deployment.
+deploymentAnnotations: {}
+
+# -- Labels to be added to deployment.
+deploymentLabels: {}
+
+# -- Annotations to be added to pods.
+podAnnotations: {}
+
+# -- Labels to be added to pods.
+podLabels: {}
+
+podDisruptionBudget:
+ # -- Enable a [pod distruption budget](https://kubernetes.io/docs/tasks/run-application/configure-pdb/) to help dealing with [disruptions](https://kubernetes.io/docs/concepts/workloads/pods/disruptions/).
+ # It is **highly recommended** for webhooks as disruptions can prevent launching new pods.
+ enabled: false
+
+ # -- (int/percentage) Number or percentage of pods that must remain available.
+ minAvailable:
+
+ # -- (int/percentage) Number or percentage of pods that can be unavailable.
+ maxUnavailable:
+
+# -- Specify a priority class name to set [pod priority](https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/#pod-priority).
+priorityClassName: ""
+
+# -- Pod [security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod).
+# See the [API reference](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context) for details.
+podSecurityContext: {}
+ # fsGroup: 2000
+
+# -- Define the [count of deployment revisions](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#clean-up-policy) to be kept.
+# May be set to 0 in case of GitOps deployment approach.
+revisionHistoryLimit: 10
+
+# -- Container [security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container).
+# See the [API reference](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1) for details.
+securityContext: {}
+ # capabilities:
+ # drop:
+ # - ALL
+ # readOnlyRootFilesystem: true
+ # runAsNonRoot: true
+ # runAsUser: 1000
+
+service:
+ # -- Annotations to be added to the service.
+ annotations: {}
+
+ # -- Kubernetes [service type](https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types).
+ type: ClusterIP
+
+ # -- Internal cluster service IP (when applicable)
+ clusterIP: ""
+
+ ports:
+ http:
+ # -- HTTP service port
+ port: 5556
+
+ # -- (int) HTTP node port (when applicable)
+ nodePort:
+
+ https:
+ # -- HTTPS service port
+ port: 5554
+
+ # -- (int) HTTPS node port (when applicable)
+ nodePort:
+
+ grpc:
+ # -- gRPC service port
+ port: 5557
+
+ # -- (int) gRPC node port (when applicable)
+ nodePort:
+
+ingress:
+ # -- Enable [ingress](https://kubernetes.io/docs/concepts/services-networking/ingress/).
+ enabled: false
+
+ # -- Ingress [class name](https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class).
+ className: ""
+
+ # -- Annotations to be added to the ingress.
+ annotations: {}
+ # kubernetes.io/ingress.class: nginx
+ # kubernetes.io/tls-acme: "true"
+
+ # -- Ingress host configuration.
+ # @default -- See [values.yaml](values.yaml).
+ hosts:
+ - host: chart-example.local
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+
+ # -- Ingress TLS configuration.
+ # @default -- See [values.yaml](values.yaml).
+ tls: []
+ # - secretName: chart-example-tls
+ # hosts:
+ # - chart-example.local
+
+serviceMonitor:
+ # -- Enable Prometheus ServiceMonitor.
+ # See the [documentation](https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/design.md#servicemonitor) and the [API reference](https://github.com/prometheus-operator/prometheus-operator/blob/main/Documentation/api.md#servicemonitor) for details.
+ enabled: false
+
+ # -- Namespace where the ServiceMonitor resource should be deployed.
+ # @default -- Release namespace.
+ namespace: ""
+
+ # -- (duration) Prometheus scrape interval.
+ interval:
+
+ # -- (duration) Prometheus scrape timeout.
+ scrapeTimeout:
+
+ # -- Labels to be added to the ServiceMonitor.
+ ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#prometheusspec
+ labels: {}
+
+ # -- Annotations to be added to the ServiceMonitor.
+ ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#prometheusspec
+ annotations: {}
+
+ # -- HTTP scheme to use for scraping.
+ # Can be used with `tlsConfig` for example if using istio mTLS.
+ scheme: ""
+
+ # -- HTTP path to scrape for metrics.
+ path: /metrics
+
+ # -- TLS configuration to use when scraping the endpoint.
+ # For example if using istio mTLS.
+ ## Of type: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#tlsconfig
+ tlsConfig: {}
+
+ # -- Prometheus scrape bearerTokenFile
+ bearerTokenFile:
+
+ # -- HonorLabels chooses the metric's labels on collisions with target labels.
+ honorLabels: false
+
+ # -- Prometheus scrape metric relabel configs
+ # to apply to samples before ingestion.
+ ## [Metric Relabeling](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#metric_relabel_configs)
+ metricRelabelings: []
+ # - action: keep
+ # regex: 'kube_(daemonset|deployment|pod|namespace|node|statefulset).+'
+ # sourceLabels: [__name__]
+
+ # -- Relabel configs to apply
+ # to samples before ingestion.
+ ## [Relabeling](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config)
+ relabelings: []
+ # - sourceLabels: [__meta_kubernetes_pod_node_name]
+ # separator: ;
+ # regex: ^(.*)$
+ # targetLabel: nodename
+ # replacement: $1
+ # action: replace
+
+# -- Container resource [requests and limits](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/).
+# See the [API reference](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#resources) for details.
+# @default -- No requests or limits.
+resources: {}
+ # We usually recommend not to specify default resources and to leave this as a conscious
+ # choice for the user. This also increases chances charts run on environments with little
+ # resources, such as Minikube. If you do want to specify resources, uncomment the following
+ # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+ # limits:
+ # cpu: 100m
+ # memory: 128Mi
+ # requests:
+ # cpu: 100m
+ # memory: 128Mi
+
+# -- Autoscaling configuration (see [values.yaml](values.yaml) for details).
+# @default -- Disabled by default.
+autoscaling:
+ enabled: false
+ minReplicas: 1
+ maxReplicas: 100
+ targetCPUUtilizationPercentage: 80
+ # targetMemoryUtilizationPercentage: 80
+
+# -- [Node selector](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector) configuration.
+nodeSelector: {}
+
+# -- [Tolerations](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) for node taints.
+# See the [API reference](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling) for details.
+tolerations: []
+
+# -- [Affinity](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity) configuration.
+# See the [API reference](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling) for details.
+affinity: {}
+
+# -- [TopologySpreadConstraints](https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/) configuration.
+# See the [API reference](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling) for details.
+topologySpreadConstraints: []
+
+# -- Deployment [strategy](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy) configuration.
+strategy: {}
+ # rollingUpdate:
+ # maxUnavailable: 1
+ # type: RollingUpdate
+
+networkPolicy:
+ # -- Create [Network Policies](https://kubernetes.io/docs/concepts/services-networking/network-policies/)
+ enabled: false
+ # -- A list of network policy egress rules
+ egressRules: []
+ # Allow DNS egress traffic
+ # - ports:
+ # - port: 53
+ # protocol: UDP
+ # - port: 53
+ # protocol: TCP
+ # Example to allow LDAP connector to reach LDAPs port on 1.2.3.4 server
+ # - to:
+ # - ipBlock
+ # cidr: 1.2.3.4/32
+ # ports:
+ # - port: 636
+ # protocol: TCP
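Review bot: The shipped defaults leave `podSecurityContext: {}` and `securityContext: {}` empty, so the dex container runs with a writable root filesystem, the runtime's default capability set and privilege escalation allowed, while the hardening exists only as the commented-out example under `securityContext`; for an identity provider that handles connector credentials, hardening should be the default rather than opt-in. Set the values directly (below), leaving `runAsUser` unset so the image's own non-root user is honored, with `runAsNonRoot: true` making the kubelet refuse to start the pod if the image ever switches to root. If a file-backed storage backend is configured, `readOnlyRootFilesystem` will need a writable emptyDir added through `volumes`/`volumeMounts`, which is worth noting in the comment. Separately, `rbac.createClusterScoped: true` grants cluster-wide RBAC by default even though it is presumably only needed for the Kubernetes CRD storage backend; the comment should say so rather than "which RBAC resources should be created".
```yaml
podSecurityContext:
  runAsNonRoot: true
  seccompProfile:
    type: RuntimeDefault

# … unchanged: revisionHistoryLimit …

securityContext:
  allowPrivilegeEscalation: false
  readOnlyRootFilesystem: true
  capabilities:
    drop:
      - ALL
```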