From 9f537ab4692c6098c6fb1384e36afcd8cf5823ec Mon Sep 17 00:00:00 2001
From: Felix Delattre
Date: Tue, 16 Dec 2025 10:47:17 +0100
Subject: [PATCH 1/2] Added basic README.md and tests.
---
helm/README.md | 82 ++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 82 insertions(+)
create mode 100644 helm/README.md
diff --git a/helm/README.md b/helm/README.md
new file mode 100644
index 00000000..3db3e67c
--- /dev/null
+++ b/helm/README.md
@@ -0,0 +1,82 @@
+# STAC Auth Proxy Helm Chart
+
+A Helm chart for deploying [STAC Auth Proxy](https://developmentseed.org/stac-auth-proxy) on Kubernetes.
+
+## Overview
+
+This chart deploys a reverse proxy that adds authentication and authorization capabilities to your STAC API using OpenID Connect (OIDC).
+
+## Prerequisites
+
+- Kubernetes 1.19+
+- Helm 3.0+
+- An OIDC provider (e.g., Keycloak, Auth0, Google, etc.)
+- A STAC API backend
+
+## Installation
+
+```bash
+helm install stac-auth-proxy ./stac-auth-proxy \
+ --set env.UPSTREAM_URL=https://your-stac-api.example.com \
+ --set env.OIDC_DISCOVERY_URL=https://your-oidc-provider.example.com/.well-known/openid-configuration \
+ --set ingress.host=stac-proxy.example.com
+```
+
+## Configuration
+
+### Required Values
+
+| Parameter | Description |
+|-----------|-------------|
+| `env.UPSTREAM_URL` | URL of the upstream STAC API |
+| `env.OIDC_DISCOVERY_URL` | OpenID Connect discovery URL |
+| `ingress.host` | Hostname for the ingress |
+
+### Common Configurations
+
+See [`values.yaml`](./values.yaml) for all available configuration options, including:
+
+- **Authentication**: Configure OIDC settings and endpoint protection
+- **Resources**: Set CPU/memory limits and requests
+- **Ingress**: Configure TLS, annotations, and hostname
+- **Security**: Pod and container security contexts
+
+### Example: Custom Values File
+
+```yaml
+# custom-values.yaml
+image:
+ tag: "v1.0.0"
+
+ingress:
+ host: "my-stac-api.example.com"
+
+env:
+ UPSTREAM_URL: "https://stac-api.internal:8080"
+ OIDC_DISCOVERY_URL: "https://my-auth.example.com/.well-known/openid-configuration"
+ DEFAULT_PUBLIC: false
+```
+
+Install with custom values:
+
+```bash
+helm install stac-auth-proxy ./stac-auth-proxy -f custom-values.yaml
+```
+
+## Upgrading
+
+```bash
+helm upgrade stac-auth-proxy ./stac-auth-proxy -f custom-values.yaml
+```
+
+## Uninstalling
+
+```bash
+helm uninstall stac-auth-proxy
+```
+
+## Documentation
+
+For more information
about STAC Auth Proxy features and configuration:
+- [Project Documentation](https://developmentseed.org/stac-auth-proxy)
+- [GitHub Repository](https://github.com/developmentseed/stac-auth-proxy)
From 5c59e2d519febcdd9eb06e037ea3cb2e8c5632ed Mon Sep 17 00:00:00 2001
From: Felix Delattre
Date: Tue, 16 Dec 2025 10:57:17 +0100
Subject: [PATCH 2/2] Added helm unit tests.
---
.github/workflows/cicd.yaml | 16 +++++++++++
helm/README.md | 14 +++++++++
helm/tests/deployment_test.yaml | 51 +++++++++++++++++++++++++++++++++
helm/tests/service_test.yaml | 36 +++++++++++++++++++++++
4 files changed, 117 insertions(+)
create mode 100644 helm/tests/deployment_test.yaml
create mode 100644 helm/tests/service_test.yaml
diff --git a/.github/workflows/cicd.yaml b/.github/workflows/cicd.yaml
index 9758a836..22cd8f01 100644
--- a/.github/workflows/cicd.yaml
+++ b/.github/workflows/cicd.yaml
@@ -50,3 +50,19 @@ jobs: path: | htmlcov/ coverage.xml + + helm-test: + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@v4 + - name: Helm install + uses: azure/setup-helm@v4 + with: + version: latest + - run: helm lint helm + - name: Helm unit tests + uses: d3adb5/helm-unittest-action@v2 + with: + helm-version: latest + charts: helm/
diff --git a/helm/README.md b/helm/README.md
index 3db3e67c..6df7960a 100644
--- a/helm/README.md
+++ b/helm/README.md
@@ -75,6 +75,20 @@ helm upgrade stac-auth-proxy ./stac-auth-proxy -f custom-values.yaml helm uninstall stac-auth-proxy ``` +## Testing + +Run unit tests to validate chart templates: + +```bash +helm unittest helm/ +``` + +Requires the [helm-unittest](https://github.com/helm-unittest/helm-unittest) plugin: + +```bash +helm plugin install https://github.com/helm-unittest/helm-unittest +``` + ## Documentation For more information about STAC Auth Proxy features and configuration:
diff --git a/helm/tests/deployment_test.yaml b/helm/tests/deployment_test.yaml
new file mode 100644
index 00000000..0cc72add
--- /dev/null
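Review bot: The new `helm-test` job in cicd.yaml resolves its tooling at run time. `version: latest` and `helm-version: latest` follow every Helm release, and `d3adb5/helm-unittest-action@v2` is a mutable tag on a third-party repository, so the code that runs in CI can change without any commit here. Pin Helm to an explicit release (`version: <pinned-helm-version>`, and the same for `helm-version`) and reference the action by full commit SHA, e.g. `uses: d3adb5/helm-unittest-action@<full-commit-sha> # v2`. The job also declares no `permissions:`, and the top of the workflow is outside this hunk; if nothing is set there, add `permissions:` with `contents: read` to the job so these actions get a read-only token.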
+++ b/helm/tests/deployment_test.yaml
@@ -0,0 +1,51 @@
+suite: test deployment
+templates:
+ - deployment.yaml
+tests:
+ - it: should create deployment with correct name
+ set:
+ env.UPSTREAM_URL: "https://example.com"
+ env.OIDC_DISCOVERY_URL: "https://example.com/.well-known/openid-configuration"
+ asserts:
+ - isKind:
+ of: Deployment
+ - matchRegex:
+ path: metadata.name
+ pattern: ^RELEASE-NAME-stac-auth-proxy$
+
+ - it: should set replica count
+ set:
+ replicaCount: 3
+ env.UPSTREAM_URL: "https://example.com"
+ env.OIDC_DISCOVERY_URL: "https://example.com/.well-known/openid-configuration"
+ asserts:
+ - equal:
+ path: spec.replicas
+ value: 3
+
+ - it: should set required environment variables
+ set:
+ env.UPSTREAM_URL: "https://stac-api.example.com"
+ env.OIDC_DISCOVERY_URL: "https://auth.example.com/.well-known/openid-configuration"
+ asserts:
+ - contains:
+ path: spec.template.spec.containers[0].env
+ content:
+ name: UPSTREAM_URL
+ value: "https://stac-api.example.com"
+ - contains:
+ path: spec.template.spec.containers[0].env
+ content:
+ name: OIDC_DISCOVERY_URL
+ value: "https://auth.example.com/.well-known/openid-configuration"
+
+ - it: should use correct image
+ set:
+ image.repository: "custom/repo"
+ image.tag: "v1.2.3"
+ env.UPSTREAM_URL: "https://example.com"
+ env.OIDC_DISCOVERY_URL: "https://example.com/.well-known/openid-configuration"
+ asserts:
+ - equal:
+ path: spec.template.spec.containers[0].image
+ value: "custom/repo:v1.2.3"
diff --git a/helm/tests/service_test.yaml b/helm/tests/service_test.yaml
new file mode 100644
index 00000000..386a56a3
--- /dev/null
+++ b/helm/tests/service_test.yaml
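Review bot: None of the four cases in deployment_test.yaml asserts the pod or container `securityContext`, although the chart README from patch 1/2 lists pod and container security contexts as a chart feature. A template change that drops that hardening would still pass this suite. Add a case that checks the rendered `spec.template.spec.securityContext` and `spec.template.spec.containers[0].securityContext` against the chart defaults; values.yaml is not part of this patch, so the expected values have to come from there. Every case also sets `env.UPSTREAM_URL` and `env.OIDC_DISCOVERY_URL`, which suggests the template rejects a render without them. If that is so, a `failedTemplate` case with both values omitted would pin the guard.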
@@ -0,0 +1,36 @@
+suite: test service
+templates:
+ - service.yaml
+tests:
+ - it: should create service with correct name
+ set:
+ env.UPSTREAM_URL: "https://example.com"
+ env.OIDC_DISCOVERY_URL: "https://example.com/.well-known/openid-configuration"
+ asserts:
+ - isKind:
+ of: Service
+ - matchRegex:
+ path: metadata.name
+ pattern: ^RELEASE-NAME-stac-auth-proxy$
+
+ - it: should use ClusterIP by default
+ set:
+ env.UPSTREAM_URL: "https://example.com"
+ env.OIDC_DISCOVERY_URL: "https://example.com/.well-known/openid-configuration"
+ asserts:
+ - equal:
+ path: spec.type
+ value: ClusterIP
+
+ - it: should expose correct port
+ set:
+ service.port: 8000
+ env.UPSTREAM_URL: "https://example.com"
+ env.OIDC_DISCOVERY_URL: "https://example.com/.well-known/openid-configuration"
+ asserts:
+ - equal:
+ path: spec.ports[0].port
+ value: 8000
+ - equal:
+ path: spec.ports[0].targetPort
+ value: http
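Review bot: The "should expose correct port" case in service_test.yaml sets `service.port: 8000` and asserts 8000. If 8000 is also the chart default (values.yaml is not in this patch), the assert passes even when the template ignores the override. Use a value that cannot be the default, e.g. `service.port: 9090` with `value: 9090`. The "should use ClusterIP by default" case is worth a one-line comment such as `# guards against the Service defaulting to NodePort/LoadBalancer`, so that it is kept as a check on unintended external exposure of the proxy.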