developmentseed · pantierra · Jan 15, 2026 · Jan 15, 2026
diff --git a/docs/user-guide/deployment.md b/docs/user-guide/deployment.md
@@ -61,4 +61,47 @@ docker pull ghcr.io/developmentseed/stac-auth-proxy:v0.7.1
 
 ## Kubernetes
 
-See [Kubernetes deployment](kubernetes.md) for detailed instructions on deploying to Kubernetes using Helm.
+The STAC Auth Proxy can be deployed to Kubernetes via the [Helm Chart available on the GitHub Container Registry (GHCR)](https://github.com/developmentseed/stac-auth-proxy/pkgs/container/stac-auth-proxy%2Fcharts%2Fstac-auth-proxy).
+
+### Prerequisites
+
+- Kubernetes 1.19+
+- Helm 3.2.0+
+
+### Installation
+
+```bash
+# Add the Helm repository
+helm registry login ghcr.io
+
+# Install with minimal configuration
+helm install stac-auth-proxy oci://ghcr.io/developmentseed/stac-auth-proxy/charts/stac-auth-proxy \
+  --set env.UPSTREAM_URL=https://your-stac-api.com/stac \
+  --set env.OIDC_DISCOVERY_URL=https://your-auth-server/.well-known/openid-configuration \
+  --set ingress.host=stac-proxy.your-domain.com
+```
+
+### Configuration
+
+| Parameter                | Description                                   | Required | Default |
+| ------------------------ | --------------------------------------------- | -------- | ------- |
+| `env.UPSTREAM_URL`       | URL of the STAC API to proxy                  | Yes      | -       |
+| `env.OIDC_DISCOVERY_URL` | OpenID Connect discovery document URL         | Yes      | -       |
+| `env`                    | Environment variables passed to the container | No       | `{}`    |
+| `ingress.enabled`        | Enable ingress                                | No       | `true`  |
+| `ingress.className`      | Ingress class name                            | No       | `nginx` |
+| `ingress.host`           | Hostname for the ingress                      | No       | `""`    |
+| `ingress.tls.enabled`    | Enable TLS for ingress                        | No       | `true`  |
+| `replicaCount`           | Number of replicas                            | No       | `1`     |
+
+For a complete list of values, see the [values.yaml](https://github.com/developmentseed/stac-auth-proxy/blob/main/helm/values.yaml) file.
+
+### Management
+
+```bash
+# Upgrade
+helm upgrade stac-auth-proxy oci://ghcr.io/developmentseed/stac-auth-proxy/charts/stac-auth-proxy
+
+# Uninstall
+helm uninstall stac-auth-proxy
+```
diff --git a/docs/user-guide/kubernetes.md b/docs/user-guide/kubernetes.md
diff --git a/helm/data/custom_filters.py b/helm/data/custom_filters.py
diff --git a/helm/templates/_helpers.tpl b/helm/templates/_helpers.tpl
@@ -69,76 +69,3 @@ Render env var value based on type
   {{- . | toJson | quote -}}
 {{- end -}}
 {{- end -}}
-
-{{/*
-Generate authorization environment variables
-*/}}
-{{- define "stac-auth-proxy.authorizationEnv" -}}
-{{- $routeMode := .Values.authorization.route.mode | default "default" -}}
-{{- $recordMode := .Values.authorization.record.mode | default "disabled" -}}
-
-{{- /* Route-level authorization */ -}}
-{{- if eq $routeMode "default" -}}
-{{- if not (hasKey .Values.env "DEFAULT_PUBLIC") }}
-- name: DEFAULT_PUBLIC
-  value: "true"
-{{- end }}
-{{- else if eq $routeMode "custom" -}}
-{{- if not (hasKey .Values.env "DEFAULT_PUBLIC") }}
-- name: DEFAULT_PUBLIC
-  value: "false"
-{{- end }}
-{{- if and .Values.authorization.route.publicEndpoints (gt (len .Values.authorization.route.publicEndpoints) 0) (not (hasKey .Values.env "PUBLIC_ENDPOINTS")) }}
-- name: PUBLIC_ENDPOINTS
-  value: {{ .Values.authorization.route.publicEndpoints | toJson | quote }}
-{{- end }}
-{{- if and .Values.authorization.route.privateEndpoints (gt (len .Values.authorization.route.privateEndpoints) 0) (not (hasKey .Values.env "PRIVATE_ENDPOINTS")) }}
-- name: PRIVATE_ENDPOINTS
-  value: {{ .Values.authorization.route.privateEndpoints | toJson | quote }}
-{{- end }}
-{{- end }}
-
-{{- /* Record-level authorization */ -}}
-{{- if eq $recordMode "custom" -}}
-{{- if not (hasKey .Values.env "COLLECTIONS_FILTER_CLS") }}
-- name: COLLECTIONS_FILTER_CLS
-  value: "stac_auth_proxy.custom_filters:CollectionsFilter"
-{{- end }}
-{{- if not (hasKey .Values.env "ITEMS_FILTER_CLS") }}
-- name: ITEMS_FILTER_CLS
-  value: "stac_auth_proxy.custom_filters:ItemsFilter"
-{{- end }}
-{{- else if eq $recordMode "opa" -}}
-{{- if not (hasKey .Values.env "ITEMS_FILTER_CLS") }}
-- name: ITEMS_FILTER_CLS
-  value: "stac_auth_proxy.filters:opa.Opa"
-{{- end }}
-{{- if and (not (hasKey .Values.env "ITEMS_FILTER_ARGS")) .Values.authorization.record.opa }}
-- name: ITEMS_FILTER_ARGS
-  value: {{ list .Values.authorization.record.opa.url .Values.authorization.record.opa.policy | toJson | quote }}
-{{- end }}
-{{- end }}
-{{- end -}}
-
-{{/*
-Generate authorization volumes
-*/}}
-{{- define "stac-auth-proxy.authorizationVolumes" -}}
-{{- if and (eq (.Values.authorization.record.mode | default "disabled") "custom") .Values.authorization.record.custom.filtersFile }}
-- name: custom-filters
-  configMap:
-    name: {{ include "stac-auth-proxy.fullname" . }}-filters
-{{- end }}
-{{- end -}}
-
-{{/*
-Generate authorization volume mounts
-*/}}
-{{- define "stac-auth-proxy.authorizationVolumeMounts" -}}
-{{- if and (eq (.Values.authorization.record.mode | default "disabled") "custom") .Values.authorization.record.custom.filtersFile }}
-- name: custom-filters
-  mountPath: /app/src/stac_auth_proxy/custom_filters.py
-  subPath: custom_filters.py
-  readOnly: true
-{{- end }}
-{{- end -}}
diff --git a/helm/templates/configmap.yaml b/helm/templates/configmap.yaml
diff --git a/helm/templates/deployment.yaml b/helm/templates/deployment.yaml
@@ -34,21 +34,19 @@ spec:
           resources:
             {{- toYaml .Values.resources | nindent 12 }}
           env:
-            {{- include "stac-auth-proxy.authorizationEnv" . | nindent 12 }}
             {{- range $key, $value := .Values.env }}
             - name: {{ $key }}
               value: {{ include "stac-auth-proxy.envValue" $value }}
             {{- end }}
+          {{- with .Values.extraVolumeMounts }}
           volumeMounts:
-            {{- include "stac-auth-proxy.authorizationVolumeMounts" . | nindent 12 }}
-            {{- with .Values.extraVolumeMounts }}
             {{- toYaml . | nindent 12 }}
-            {{- end }}
+          {{- end }}
+
+      {{- with .Values.extraVolumes }}
       volumes:
-        {{- include "stac-auth-proxy.authorizationVolumes" . | nindent 8 }}
-        {{- with .Values.extraVolumes }}
         {{- toYaml . | nindent 8 }}
-        {{- end }}
+      {{- end }}
       {{- with .Values.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}