actually add the things properly, fix bad previous commit

Author: batpad

helm/Chart.yaml

@@ -1 +1,6 @@
- 
+apiVersion: v2
+name: stac-auth-proxy
+description: A Helm chart for stac-auth-proxy
+type: application
+version: 0.1.0
+appVersion: "1.0.0" 

helm/templates/_helpers.tpl

@@ -1 +1,49 @@
- 
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "stac-auth-proxy.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+*/}}
+{{- define "stac-auth-proxy.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "stac-auth-proxy.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "stac-auth-proxy.labels" -}}
+helm.sh/chart: {{ include "stac-auth-proxy.chart" . }}
+{{ include "stac-auth-proxy.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "stac-auth-proxy.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "stac-auth-proxy.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }} 

helm/templates/deployment.yaml

@@ -1 +1,42 @@
- 
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "stac-auth-proxy.fullname" . }}
+  labels:
+    {{- include "stac-auth-proxy.labels" . | nindent 4 }}
+spec:
+  replicas: {{ .Values.replicaCount }}
+  selector:
+    matchLabels:
+      {{- include "stac-auth-proxy.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      labels:
+        {{- include "stac-auth-proxy.selectorLabels" . | nindent 8 }}
+    spec:
+      securityContext:
+        {{- toYaml .Values.securityContext | nindent 8 }}
+      containers:
+        - name: {{ .Chart.Name }}
+          securityContext:
+            {{- toYaml .Values.containerSecurityContext | nindent 12 }}
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          ports:
+            - name: http
+              containerPort: 8000
+              protocol: TCP
+          resources:
+            {{- toYaml .Values.resources | nindent 12 }}
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }} 

helm/templates/ingress.yaml

@@ -1 +1,40 @@
- 
+{{- if .Values.ingress.enabled -}}
+{{- $fullName := include "stac-auth-proxy.fullname" . -}}
+{{- $svcPort := .Values.service.port -}}
+{{- if and .Values.ingress.className (not (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion)) }}
+  {{- if not (hasKey .Values.ingress.annotations "kubernetes.io/ingress.class") }}
+  {{- $_ := set .Values.ingress.annotations "kubernetes.io/ingress.class" .Values.ingress.className}}
+  {{- end }}
+{{- end }}
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: {{ $fullName }}
+  labels:
+    {{- include "stac-auth-proxy.labels" . | nindent 4 }}
+  {{- with .Values.ingress.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  ingressClassName: {{ .Values.ingress.className }}
+  {{- if and .Values.ingress.tls.enabled .Values.ingress.host }}
+  tls:
+    - hosts:
+        - {{ .Values.ingress.host }}
+      secretName: {{ .Values.ingress.tls.secretName | default (printf "%s-tls" .Values.ingress.host) }}
+  {{- end }}
+  rules:
+    {{- if .Values.ingress.host }}
+    - host: {{ .Values.ingress.host }}
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: {{ $fullName }}
+                port:
+                  number: {{ $svcPort }}
+    {{- end }}
+{{- end }} 

helm/values.schema.yaml

@@ -1,18 +1,152 @@
-image:
-  type: object
-  properties:
-    repository:
-      type: string
-      description: "Docker image repository"
-      default: "ghcr.io/developmentseed/stac-auth-proxy"
-    pullPolicy:
-      type: string
-      enum: ["IfNotPresent", "Always", "Never"]
-      description: "Kubernetes image pull policy"
-    tag:
+"$schema": "https://json-schema.org/draft-07/schema#"
+type: object
+properties:
+  replicaCount:
+    type: integer
+    minimum: 1
+    description: "Number of replicas for the deployment"
+
+  image:
+    type: object
+    properties:
+      repository:
+        type: string
+        description: "Docker image repository"
+        default: "ghcr.io/developmentseed/stac-auth-proxy"
+      pullPolicy:
+        type: string
+        enum: ["IfNotPresent", "Always", "Never"]
+        description: "Kubernetes image pull policy"
+      tag:
+        type: string
+        description: "Docker image tag"
+        default: "latest"
+
+  service:
+    type: object
+    required: ["type", "port"]
+    properties:
+      type:
+        type: string
+        enum: ["ClusterIP", "NodePort", "LoadBalancer"]
+        description: "Kubernetes service type"
+      port:
+        type: integer
+        minimum: 1
+        maximum: 65535
+        description: "Service port number"
+
+  ingress:
+    type: object
+    properties:
+      enabled:
+        type: boolean
+        description: "Enable ingress resource"
+      className:
+        type: string
+        description: "Ingress class name (e.g., nginx)"
+      annotations:
+        type: object
+        additionalProperties:
+          type: string
+        description: "Annotations for the ingress resource"
+      host:
+        type: string
+        description: "Hostname for the ingress"
+      tls:
+        type: object
+        properties:
+          enabled:
+            type: boolean
+            description: "Enable TLS configuration"
+          secretName:
+            type: string
+            description: "Name of the TLS secret (optional, will be auto-generated if empty)"
+        required: ["enabled"]
+
+  resources:
+    type: object
+    properties:
+      limits:
+        type: object
+        properties:
+          cpu:
+            type: string
+            pattern: "^[0-9]+m?$|^[0-9]+\\.[0-9]+$"
+            description: "CPU limit (e.g., 500m, 1.5)"
+          memory:
+            type: string
+            pattern: "^[0-9]+(Ki|Mi|Gi|Ti|Pi|Ei|[kMGTPE]i?)?$"
+            description: "Memory limit (e.g., 512Mi, 1Gi)"
+      requests:
+        type: object
+        properties:
+          cpu:
+            type: string
+            pattern: "^[0-9]+m?$|^[0-9]+\\.[0-9]+$"
+            description: "CPU request (e.g., 200m, 0.5)"
+          memory:
+            type: string
+            pattern: "^[0-9]+(Ki|Mi|Gi|Ti|Pi|Ei|[kMGTPE]i?)?$"
+            description: "Memory request (e.g., 256Mi, 1Gi)"
+
+  securityContext:
+    type: object
+    properties:
+      runAsNonRoot:
+        type: boolean
+        description: "Requires the container to run without root privileges"
+      runAsUser:
+        type: integer
+        description: "The UID to run the entrypoint of the container process"
+      runAsGroup:
+        type: integer
+        description: "The GID to run the entrypoint of the container process"
+    description: "Pod-level security context"
+
+  containerSecurityContext:
+    type: object
+    properties:
+      allowPrivilegeEscalation:
+        type: boolean
+        description: "Controls whether a process can gain more privileges than its parent process"
+      capabilities:
+        type: object
+        properties:
+          drop:
+            type: array
+            items:
+              type: string
+            description: "List of capabilities to drop"
+    description: "Container-level security context"
+
+  nodeSelector:
+    type: object
+    additionalProperties:
       type: string
-      description: "Docker image tag"
-      default: "latest"
+    description: "Node labels for pod assignment"
+
+  tolerations:
+    type: array
+    items:
+      type: object
+      properties:
+        key:
+          type: string
+        operator:
+          type: string
+          enum: ["Exists", "Equal"]
+        value:
+          type: string
+        effect:
+          type: string
+          enum: ["NoSchedule", "PreferNoSchedule", "NoExecute"]
+    description: "Pod tolerations"
+
+  affinity:
+    type: object
+    additionalProperties: true
+    description: "Pod affinity rules"
 
 required:
   - service 

helm/values.yaml

@@ -1,4 +1,47 @@
+# Default values for stac-auth-proxy
+
+replicaCount: 1
+
 image:
   repository: ghcr.io/developmentseed/stac-auth-proxy
   pullPolicy: IfNotPresent
-  tag: "latest" 
+  tag: "latest"
+
+service:
+  type: ClusterIP
+  port: 8000
+
+ingress:
+  enabled: true
+  className: "nginx"
+  annotations:
+    cert-manager.io/cluster-issuer: "letsencrypt-prod"
+  host: "stac-proxy.example.com"  # This should be overridden in production
+  tls:
+    enabled: true
+    secretName: ""  # If empty, will be auto-generated as "{host}-tls"
+
+resources:
+  limits:
+    cpu: 500m
+    memory: 512Mi
+  requests:
+    cpu: 200m
+    memory: 256Mi
+
+# Pod-level security context
+securityContext:
+  runAsNonRoot: true
+  runAsUser: 1000
+  runAsGroup: 1000
+
+# Container-level security context
+containerSecurityContext:
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+      - ALL
+
+nodeSelector: {}
+tolerations: []
+affinity: {}