[AUTHENTICATION] Restructured keycloak and Oauth2-proxy

Changed keycloak-init to "authentication"
and moved as root chart
Moved oauth2-proxy to onap-authentication and updated
to version 7.5.4
Use TCL proposal for REALM creation.
Update keycloak-config-cli version to 5.12.0.
Ingress AuthorizationPolicy creation for all defined accessRoles
in the configured realms

Issue-ID: OOM-3292
Issue-ID: OOM-3268

Change-Id: I0901cd416ca5da871931d7cf084cd35c55f804f1
Signed-off-by: Andreas Geissler <andreas-geissler@telekom.de>

75 files changed, 2214 insertions, 883 deletions

diff --git a/docs/sections/resources/yaml/keycloak-server-values.yaml b/docs/sections/resources/yaml/keycloak-server-values.yaml
index 0160ce86e8..516a26a76b 100644
--- a/docs/sections/resources/yaml/keycloak-server-values.yaml
+++ b/docs/sections/resources/yaml/keycloak-server-values.yaml
@@ -46,3 +46,7 @@ secrets:
     stringData:
       user: admin
       password: secret
+
+http:
+  # For backwards compatibility reasons we set this to the value used by previous Keycloak versions.
+  relativePath: "/" # "/auth"
diff --git a/kubernetes/platform/components/keycloak-init/.helmignore b/kubernetes/authentication/.helmignore
index cf02291a2a..cf02291a2a 100644
--- a/kubernetes/platform/components/keycloak-init/.helmignore
+++ b/kubernetes/authentication/.helmignore
diff --git a/kubernetes/platform/components/keycloak-init/Chart.yaml b/kubernetes/authentication/Chart.yaml
index 44ac9f5213..a3ac43c4e7 100644
--- a/kubernetes/platform/components/keycloak-init/Chart.yaml
+++ b/kubernetes/authentication/Chart.yaml
@@ -1,6 +1,6 @@
 #============LICENSE_START========================================================
 # ================================================================================
-# Copyright © 2022 Deutsche Telekom
+# Copyright © 2024 Deutsche Telekom
 # ================================================================================
 # Original licence (https://github.com/codecentric/helm-charts/blob/master/LICENSE)
 # Licensed under the Apache License, Version 2.0 (the "License");
@@ -16,9 +16,9 @@
 # limitations under the License.
 # ============LICENSE_END=========================================================
 apiVersion: v2
-version: 13.0.1
-description: ONAP Realm creation and configuration
-name: keycloak-init
+version: 14.0.0
+description: ONAP Realm creation, Oauth2Proxy installation and configuration
+name: authentication
 sources:
 - https://github.com/adorsys/keycloak-config-cli
 
@@ -31,5 +31,8 @@ dependencies:
     version: ~13.x-0
     repository: '@local'
   - name: onap-keycloak-config-cli
-    version: 5.10.0
+    version: 5.12.0
     repository: 'file://components/keycloak-config-cli'
+  - name: onap-oauth2-proxy
+    version: 7.5.4
+    repository: 'file://components/oauth2-proxy'
diff --git a/kubernetes/platform/components/oauth2-proxy/Makefile b/kubernetes/authentication/Makefile
index 5970a97115..f47666e135 100644
--- a/kubernetes/platform/components/oauth2-proxy/Makefile
+++ b/kubernetes/authentication/Makefile
@@ -18,7 +18,7 @@ OUTPUT_DIR := $(ROOT_DIR)/../../dist
 PACKAGE_DIR := $(OUTPUT_DIR)/packages
 SECRET_DIR := $(OUTPUT_DIR)/secrets
 
-EXCLUDES :=
+EXCLUDES := dist resources templates charts
 HELM_BIN := helm
 ifneq ($(SKIP_LINT),TRUE)
 	HELM_LINT_CMD := $(HELM_BIN) lint
diff --git a/kubernetes/authentication/README.md b/kubernetes/authentication/README.md
new file mode 100644
index 0000000000..75d8f05ebd
--- /dev/null
+++ b/kubernetes/authentication/README.md
@@ -0,0 +1,54 @@
+TBD: Description about settings...
+
+
+```
+realmSettings:
+  - name: <Realm ID>                - unique ID for a realm (e.g. "ONAP")
+    displayName: <Display Name>     - (optional) Keycloak Display Name (e.g. "ONAP Realm")
+    themes:                         - (optional) Keycloak Theme settings
+      login: <login theme>          - (optional) Keycloak Theme for Login UI (e.g. "base")
+      admin: <admin theme>          - (optional) Keycloak Theme for Admin UI (e.g. "base")
+      account: <account theme>      - (optional) Keycloak Theme for Account UI (e.g. "base")
+      email: <email theme>          - (optional) Keycloak Theme for Email UI (e.g. "base")
+    groups:                         - (optional) Group definitions
+      - name: <group name>          - Group name
+        path: /path>                - Group URL path
+        realmRoles: [ <role>,... ]  - (optional) List of Realm roles
+    initialUsers:                   - (optional) List of initial users
+      - username: <user name>       - Name of the User
+        password: <password>        - Initial Password
+        email: <email>              - Email Address
+        firstName: <first name>     - (optional) First Name
+        lastName: <last name>       - (optional) Last Name
+        groups:                     - (optional) group membership
+          - <group name>
+```
+
+```
+    clients:
+      oauth2_proxy:
+        clientId: "oauth2-proxy-onap"
+        name: "Oauth2 Proxy"
+        secret: 5YSOkJz99WHv8enDZPknzJuGqVSerELp
+        protocol: openid-connect
+      portal_app:
+        clientId: "portal-app"
+        redirectUris:
+          - "https://portal-$PARAM_BASE_URL/*"
+          - "http://localhost/*"
+        protocol: openid-connect
+```
+
+```
+    accessControl:
+      assignableRoles:
+        - name: onap-operator-read
+          description: "Allows to perform GET operations for all ONAP components"
+          associatedAccessRoles: [ "dmaap-bc-api-read", "dmaap-dr-node-api-read", "dmaap-dr-prov-api-read", "dmaap-mr-api-read", "msb-consul-api-read", "msb-discovery-api-read", "msb-eag-ui-read", "msb-iag-ui-read", "nbi-api-read", "aai-api-read", "aai-babel-api-read", "aai-sparkybe-api-read", "cds-blueprintsprocessor-api-read", "cds-ui-read", "cps-core-api-read", "cps-ncmp-dmi-plugin-api-read", "cps-temporal-api-read", "reaper-dc1-read", "sdc-be-api-read", "sdc-fe-ui-read", "sdc-wfd-be-api-read", "sdc-wfd-fe-ui-read", "so-admin-cockpit-ui-read", "so-api-read", "usecase-ui-read", "uui-server-read" ]
+
+      accessRoles:
+        "oauth2_proxy":
+        - name: dmaap-bc-api-read
+          methodsAllowed: ["GET"]
+          servicePrefix: dmaap-bc-api
+```
\ No newline at end of file
diff --git a/kubernetes/platform/components/keycloak-init/components/Makefile b/kubernetes/authentication/components/Makefile
index 4ecfbc53cc..4ecfbc53cc 100644
--- a/kubernetes/platform/components/keycloak-init/components/Makefile
+++ b/kubernetes/authentication/components/Makefile
diff --git a/kubernetes/platform/components/keycloak-init/components/keycloak-config-cli/.helmignore b/kubernetes/authentication/components/keycloak-config-cli/.helmignore
index 0e8a0eb36f..0e8a0eb36f 100644
--- a/kubernetes/platform/components/keycloak-init/components/keycloak-config-cli/.helmignore
+++ b/kubernetes/authentication/components/keycloak-config-cli/.helmignore
diff --git a/kubernetes/platform/components/keycloak-init/components/keycloak-config-cli/Chart.yaml b/kubernetes/authentication/components/keycloak-config-cli/Chart.yaml
index abcf889834..80e5d27c9f 100644
--- a/kubernetes/platform/components/keycloak-init/components/keycloak-config-cli/Chart.yaml
+++ b/kubernetes/authentication/components/keycloak-config-cli/Chart.yaml
@@ -20,8 +20,8 @@ apiVersion: v2
 name: onap-keycloak-config-cli
 description: Import JSON-formatted configuration files into Keycloak - Configuration as Code for Keycloak.
 home: https://github.com/adorsys/keycloak-config-cli
-version: 5.10.0
-appVersion: 5.10.0
+version: 5.12.0
+appVersion: 5.12.0
 maintainers:
   - name: jkroepke
     email: joe@adorsys.de
diff --git a/kubernetes/platform/components/keycloak-init/components/keycloak-config-cli/templates/_helpers.tpl b/kubernetes/authentication/components/keycloak-config-cli/templates/_helpers.tpl
index cc1ad7ad8d..cc1ad7ad8d 100644
--- a/kubernetes/platform/components/keycloak-init/components/keycloak-config-cli/templates/_helpers.tpl
+++ b/kubernetes/authentication/components/keycloak-config-cli/templates/_helpers.tpl
diff --git a/kubernetes/platform/components/keycloak-init/components/keycloak-config-cli/templates/job.yaml b/kubernetes/authentication/components/keycloak-config-cli/templates/job.yaml
index 322db2b7a1..322db2b7a1 100644
--- a/kubernetes/platform/components/keycloak-init/components/keycloak-config-cli/templates/job.yaml
+++ b/kubernetes/authentication/components/keycloak-config-cli/templates/job.yaml
diff --git a/kubernetes/platform/components/keycloak-init/components/keycloak-config-cli/templates/realms.yaml b/kubernetes/authentication/components/keycloak-config-cli/templates/realms.yaml
index fa9363e9d0..fa9363e9d0 100644
--- a/kubernetes/platform/components/keycloak-init/components/keycloak-config-cli/templates/realms.yaml
+++ b/kubernetes/authentication/components/keycloak-config-cli/templates/realms.yaml
diff --git a/kubernetes/platform/components/keycloak-init/components/keycloak-config-cli/templates/secrets.yaml b/kubernetes/authentication/components/keycloak-config-cli/templates/secrets.yaml
index 94505289e6..94505289e6 100644
--- a/kubernetes/platform/components/keycloak-init/components/keycloak-config-cli/templates/secrets.yaml
+++ b/kubernetes/authentication/components/keycloak-config-cli/templates/secrets.yaml
diff --git a/kubernetes/platform/components/keycloak-init/components/keycloak-config-cli/values.yaml b/kubernetes/authentication/components/keycloak-config-cli/values.yaml
index 5f8d4a3fd5..46c67dd220 100644
--- a/kubernetes/platform/components/keycloak-init/components/keycloak-config-cli/values.yaml
+++ b/kubernetes/authentication/components/keycloak-config-cli/values.yaml
@@ -47,10 +47,10 @@ labels: {}
 resources: {}
   # limits:
   #   cpu: "100m"
-  #   memory: "1Gi"
+  #   memory: "1024Mi"
   # requests:
   #   cpu: "100m"
-#   memory: "1Gi"
+#   memory: "1024Mi"
 
 env:
   KEYCLOAK_URL: http://keycloak:8080
diff --git a/kubernetes/platform/components/oauth2-proxy/.helmignore b/kubernetes/authentication/components/oauth2-proxy/.helmignore
index 825c007791..825c007791 100644
--- a/kubernetes/platform/components/oauth2-proxy/.helmignore
+++ b/kubernetes/authentication/components/oauth2-proxy/.helmignore
diff --git a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/Chart.yaml b/kubernetes/authentication/components/oauth2-proxy/Chart.yaml
index b31b35f46d..3bcf687241 100644
--- a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/Chart.yaml
+++ b/kubernetes/authentication/components/oauth2-proxy/Chart.yaml
@@ -1,7 +1,7 @@
 name: onap-oauth2-proxy
-version: 6.10.1
+version: 7.5.4
 apiVersion: v2
-appVersion: 7.4.0
+appVersion: 7.6.0
 home: https://oauth2-proxy.github.io/oauth2-proxy/
 description: A reverse proxy that provides authentication with Google, Github or other providers
 keywords:
@@ -14,7 +14,7 @@ keywords:
   - redis
 dependencies:
   - name: redis
-    version: ~16.13.2
+    version: 19.1.0
     repository: https://charts.bitnami.com/bitnami
     alias: redis
     condition: redis.enabled
@@ -39,3 +39,10 @@ maintainers:
   - name: pierluigilenoci
     email: pierluigi.lenoci@gmail.com
 kubeVersion: ">=1.9.0-0"
+annotations:
+  artifacthub.io/changes: |
+    - kind: changed
+      description: Wait for redis script fixes for cluster and sentinel
+      links:
+        - name: Github PR
+          url: https://github.com/oauth2-proxy/manifests/issues/205
diff --git a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/README.md b/kubernetes/authentication/components/oauth2-proxy/README.md
index 9e18388501..55a5e44429 100644
--- a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/README.md
+++ b/kubernetes/authentication/components/oauth2-proxy/README.md
@@ -98,7 +98,7 @@ Parameter | Description | Default
 `config.clientID` | oauth client ID | `""`
 `config.clientSecret` | oauth client secret | `""`
 `config.cookieSecret` | server specific cookie for the secret; create a new one with `openssl rand -base64 32 \| head -c 32 \| base64` | `""`
-`config.existingSecret` | existing Kubernetes secret to use for OAuth2 credentials. See [secret template](https://github.com/oauth2-proxy/manifests/blob/master/helm/oauth2-proxy/templates/secret.yaml) for the required values | `nil`
+`config.existingSecret` | existing Kubernetes secret to use for OAuth2 credentials. See [oauth2-proxy.secrets helper](https://github.com/oauth2-proxy/manifests/blob/main/helm/oauth2-proxy/templates/_helpers.tpl#L157C13-L157C33) for the required values | `nil`
 `config.configFile` | custom [oauth2_proxy.cfg](https://github.com/oauth2-proxy/oauth2-proxy/blob/master/contrib/oauth2-proxy.cfg.example) contents for settings not overridable via environment nor command line | `""`
 `config.existingConfig` | existing Kubernetes configmap to use for the configuration file. See [config template](https://github.com/oauth2-proxy/manifests/blob/master/helm/oauth2-proxy/templates/configmap.yaml) for the required values | `nil`
 `config.cookieName` | The name of the cookie that oauth2-proxy will create. | `""`
@@ -107,7 +107,9 @@ Parameter | Description | Default
 `alphaConfig.serverConfigData` | Arbitrary configuration data to append to the server section | `{}`
 `alphaConfig.metricsConfigData` | Arbitrary configuration data to append to the metrics section | `{}`
 `alphaConfig.configData` | Arbitrary configuration data to append | `{}`
-`alphaConfig.existingConfig` | existing Kubernetes configmap to use for the alpha configuration file. See [config template](https://github.com/oauth2-proxy/manifests/blob/master/helm/oauth2-proxy/templates/configmap-alpha.yaml) for the required values | `nil`
+`alphaConfig.configFile` | Arbitrary configuration to append, treated as a Go template and rendered with the root context | `""`
+`alphaConfig.existingConfig` | existing Kubernetes configmap to use for the alpha configuration file. See [config template](https://github.com/oauth2-proxy/manifests/blob/master/helm/oauth2-proxy/templates/secret-alpha.yaml) for the required values | `nil`
+`alphaConfig.existingSecret` | existing Kubernetes secret to use for the alpha configuration file. See [config template](https://github.com/oauth2-proxy/manifests/blob/master/helm/oauth2-proxy/templates/secret-alpha.yaml) for the required values | `nil`
 `customLabels` | Custom labels to add into metadata | `{}` |
 `config.google.adminEmail` | user impersonated by the google service account | `""`
 `config.google.useApplicationDefaultCredentials` | use the application-default credentials (i.e. Workload Identity on GKE) instead of providing a service account json | `false`
@@ -121,9 +123,7 @@ Parameter | Description | Default
 `extraEnv` | key:value list of extra environment variables to give the binary | `[]`
 `extraVolumes` | list of extra volumes | `[]`
 `extraVolumeMounts` | list of extra volumeMounts | `[]`
-`hostAlias.enabled`  | provide extra ip:hostname alias for network name resolution.
-`hostAlias.ip`  | `ip` address `hostAliases.hostname` should resolve to.
-`hostAlias.hostname`  | `hostname` associated to `hostAliases.ip`.
+`hostAliases`  | hostAliases is a list of aliases to be added to /etc/hosts for network name resolution.
 `htpasswdFile.enabled` | enable htpasswd-file option | `false`
 `htpasswdFile.entries` | list of [encrypted user:passwords](https://oauth2-proxy.github.io/oauth2-proxy/docs/configuration/overview#command-line-options) | `{}`
 `htpasswdFile.existingSecret` | existing Kubernetes secret to use for OAuth2 htpasswd file | `""`
@@ -137,12 +137,21 @@ Parameter | Description | Default
 `ingress.path` | Ingress accepted path | `/`
 `ingress.pathType` | Ingress [path type](https://kubernetes.io/docs/concepts/services-networking/ingress/#path-types) | `ImplementationSpecific`
 `ingress.extraPaths` | Ingress extra paths to prepend to every host configuration. Useful when configuring [custom actions with AWS ALB Ingress Controller](https://kubernetes-sigs.github.io/aws-alb-ingress-controller/guide/ingress/annotation/#actions). | `[]`
+`ingress.labels` | Ingress extra labels | `{}`
 `ingress.annotations` | Ingress annotations | `nil`
 `ingress.hosts` | Ingress accepted hostnames | `nil`
 `ingress.tls` | Ingress TLS configuration | `nil`
+`initContainers.waitForRedis.enabled` | if `redis.enabled` is true, use an init container to wait for the redis master pod to be ready. If `serviceAccount.enabled` is true, create additionally a role/binding to get, list and watch the redis master pod | `true`
+`initContainers.waitForRedis.image.pullPolicy` | kubectl image pull policy | `IfNotPresent`
+`initContainers.waitForRedis.image.repository` | kubectl image repository | `docker.io/bitnami/kubectl`
+`initContainers.waitForRedis.kubectlVersion` | kubectl version to use for the init container | `printf "%s.%s" .Capabilities.KubeVersion.Major (.Capabilities.KubeVersion.Minor | replace "+" "")`
+`initContainers.waitForRedis.securityContext.enabled` | enable Kubernetes security context on container | `true`
+`initContainers.waitForRedis.timeout` | number of seconds | 180
+`initContainers.waitForRedis.resources` | pod resource requests & limits | `{}`
 `livenessProbe.enabled`  | enable Kubernetes livenessProbe. Disable to use oauth2-proxy with Istio mTLS. See [Istio FAQ](https://istio.io/help/faq/security/#k8s-health-checks) | `true`
 `livenessProbe.initialDelaySeconds` | number of seconds | 0
 `livenessProbe.timeoutSeconds` | number of seconds | 1
+`namespaceOverride` | Override the deployment namespace | `""`
 `nodeSelector` | node labels for pod assignment | `{}`
 `deploymentAnnotations` | annotations to add to the deployment | `{}`
 `podAnnotations` | annotations to add to each pod | `{}`
@@ -169,9 +178,9 @@ Parameter | Description | Default
 `serviceAccount.enabled` | create a service account | `true`
 `serviceAccount.name` | the service account name | ``
 `serviceAccount.annotations` | (optional) annotations for the service account | `{}`
+`strategy` | configure deployment strategy | `{}`
 `tolerations` | list of node taints to tolerate | `[]`
-`securityContext.enabled` | enable Kubernetes security context on container | `false`
-`securityContext.runAsNonRoot` | make sure that the container runs as a non-root user | `true`
+`securityContext.enabled` | enable Kubernetes security context on container | `true`
 `proxyVarsAsSecrets` | choose between environment values or secrets for setting up OAUTH2_PROXY variables. When set to false, remember to add the variables OAUTH2_PROXY_CLIENT_ID, OAUTH2_PROXY_CLIENT_SECRET, OAUTH2_PROXY_COOKIE_SECRET in extraEnv | `true`
 `sessionStorage.type` | Session storage type which can be one of the following: cookie or redis | `cookie`
 `sessionStorage.redis.existingSecret` | Name of the Kubernetes secret containing the redis & redis sentinel password values (see also `sessionStorage.redis.passwordKey`) | `""`
@@ -192,12 +201,18 @@ Parameter | Description | Default
 `metrics.port` | Serve Prometheus metrics on this port | `44180`
 `metrics.nodePort` | External port for the metrics when service.type is `NodePort` | `nil`
 `metrics.service.appProtocol` | application protocol of the metrics port in the service | `http`
-`metrics.servicemonitor.enabled` | Enable Prometheus Operator ServiceMonitor | `false`
-`metrics.servicemonitor.namespace` | Define the namespace where to deploy the ServiceMonitor resource | `""`
-`metrics.servicemonitor.prometheusInstance` | Prometheus Instance definition | `default`
-`metrics.servicemonitor.interval` | Prometheus scrape interval | `60s`
-`metrics.servicemonitor.scrapeTimeout` | Prometheus scrape timeout | `30s`
-`metrics.servicemonitor.labels` | Add custom labels to the ServiceMonitor resource| `{}`
+`metrics.serviceMonitor.enabled` | Enable Prometheus Operator ServiceMonitor | `false`
+`metrics.serviceMonitor.namespace` | Define the namespace where to deploy the ServiceMonitor resource | `""`
+`metrics.serviceMonitor.prometheusInstance` | Prometheus Instance definition | `default`
+`metrics.serviceMonitor.interval` | Prometheus scrape interval | `60s`
+`metrics.serviceMonitor.scrapeTimeout` | Prometheus scrape timeout | `30s`
+`metrics.serviceMonitor.labels` | Add custom labels to the ServiceMonitor resource| `{}`
+`metrics.serviceMonitor.scheme` | HTTP scheme to use for scraping. Can be used with `tlsConfig` for example if using istio mTLS.| `""`
+`metrics.serviceMonitor.tlsConfig` | TLS configuration to use when scraping the endpoint. For example if using istio mTLS.| `{}`
+`metrics.serviceMonitor.bearerTokenFile` | Path to bearer token file.| `""`
+`metrics.serviceMonitor.annotations` | Used to pass annotations that are used by the Prometheus installed in your cluster| `{}`
+`metrics.serviceMonitor.metricRelabelings` | Metric relabel configs to apply to samples before ingestion.| `[]`
+`metrics.serviceMonitor.relabelings` | Relabel configs to apply to samples before ingestion.| `[]`
 `extraObjects` | Extra K8s manifests to deploy | `[]`
 
 Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example,
diff --git a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/ci/default-values.yaml b/kubernetes/authentication/components/oauth2-proxy/ci/default-values.yaml
index fc2ba605ad..fc2ba605ad 100644
--- a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/ci/default-values.yaml
+++ b/kubernetes/authentication/components/oauth2-proxy/ci/default-values.yaml
diff --git a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/ci/extra-args-as-dict-values.yaml b/kubernetes/authentication/components/oauth2-proxy/ci/extra-args-as-dict-values.yaml
index 92dc451807..92dc451807 100644
--- a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/ci/extra-args-as-dict-values.yaml
+++ b/kubernetes/authentication/components/oauth2-proxy/ci/extra-args-as-dict-values.yaml
diff --git a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/ci/extra-args-as-list-values.yaml b/kubernetes/authentication/components/oauth2-proxy/ci/extra-args-as-list-values.yaml
index 5f47a5f479..5f47a5f479 100644
--- a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/ci/extra-args-as-list-values.yaml
+++ b/kubernetes/authentication/components/oauth2-proxy/ci/extra-args-as-list-values.yaml
diff --git a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/ci/extra-env-tpl-values.yaml b/kubernetes/authentication/components/oauth2-proxy/ci/extra-env-tpl-values.yaml
index 357dba9153..357dba9153 100644
--- a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/ci/extra-env-tpl-values.yaml
+++ b/kubernetes/authentication/components/oauth2-proxy/ci/extra-env-tpl-values.yaml
diff --git a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/ci/ingress-extra-paths-values.yaml b/kubernetes/authentication/components/oauth2-proxy/ci/ingress-extra-paths-values.yaml
index e74a393db0..e74a393db0 100644
--- a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/ci/ingress-extra-paths-values.yaml
+++ b/kubernetes/authentication/components/oauth2-proxy/ci/ingress-extra-paths-values.yaml
diff --git a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/ci/pdb-values.yaml b/kubernetes/authentication/components/oauth2-proxy/ci/pdb-values.yaml
index 25b16272a7..25b16272a7 100644
--- a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/ci/pdb-values.yaml
+++ b/kubernetes/authentication/components/oauth2-proxy/ci/pdb-values.yaml
diff --git a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/ci/pod-security-context-values.yaml b/kubernetes/authentication/components/oauth2-proxy/ci/pod-security-context-values.yaml
index b7c8cea546..b7c8cea546 100644
--- a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/ci/pod-security-context-values.yaml
+++ b/kubernetes/authentication/components/oauth2-proxy/ci/pod-security-context-values.yaml
diff --git a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/ci/redis-standalone-values.yaml b/kubernetes/authentication/components/oauth2-proxy/ci/redis-standalone-values.yaml
index e3418c39fa..e58c32cf0c 100644
--- a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/ci/redis-standalone-values.yaml
+++ b/kubernetes/authentication/components/oauth2-proxy/ci/redis-standalone-values.yaml
@@ -10,3 +10,6 @@ redis:
   global:
     redis:
       password: "foo"
+initContainers:
+  waitForRedis:
+    enabled: true
diff --git a/kubernetes/authentication/components/oauth2-proxy/ci/servicemonitor-values.yaml b/kubernetes/authentication/components/oauth2-proxy/ci/servicemonitor-values.yaml
new file mode 100644
index 0000000000..0c232bf5c1
--- /dev/null
+++ b/kubernetes/authentication/components/oauth2-proxy/ci/servicemonitor-values.yaml
@@ -0,0 +1,18 @@
+metrics:
+  enabled: true
+  serviceMonitor:
+    enabled: true
+    annotations:
+      key: value
+    metricRelabelings:
+    - action: keep
+      regex: 'kube_(daemonset|deployment|pod|namespace|node|statefulset).+'
+      sourceLabels: [__name__]
+
+    relabelings:
+    - sourceLabels: [__meta_kubernetes_pod_node_name]
+      separator: ;
+      regex: ^(.*)$
+      targetLabel: nodename
+      replacement: $1
+      action: replace
diff --git a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/ci/tpl-values.yaml b/kubernetes/authentication/components/oauth2-proxy/ci/tpl-values.yaml
index 65977d921b..65977d921b 100644
--- a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/ci/tpl-values.yaml
+++ b/kubernetes/authentication/components/oauth2-proxy/ci/tpl-values.yaml
diff --git a/kubernetes/authentication/components/oauth2-proxy/scripts/check-redis.sh b/kubernetes/authentication/components/oauth2-proxy/scripts/check-redis.sh
new file mode 100644
index 0000000000..24e628f426
--- /dev/null
+++ b/kubernetes/authentication/components/oauth2-proxy/scripts/check-redis.sh
@@ -0,0 +1,52 @@
+#!/bin/sh
+
+RETRY_INTERVAL=5  # Interval between retries in seconds
+elapsed=0  # Elapsed time
+
+check_redis() {
+    host=$1
+    port=$2
+    while [ $elapsed -lt $TOTAL_RETRY_TIME ]; do
+        echo "Checking Redis at $host:$port... Elapsed time: ${elapsed}s"
+        if nc -z -w1 $TIMEOUT $host $port > /dev/null 2>&1; then
+            echo "Redis is up at $host:$port!"
+            return 0
+        else
+            echo "Redis is down at $host:$port. Retrying in $RETRY_INTERVAL seconds."
+            sleep $RETRY_INTERVAL
+            elapsed=$((elapsed + RETRY_INTERVAL))
+        fi
+    done
+    echo "Failed to connect to Redis at $host:$port after $TOTAL_RETRY_TIME seconds."
+    return 1
+}
+
+# For parsing and checking connections
+parse_and_check() {
+    url=$1
+    clean_url=${url#redis://}
+    host=$(echo $clean_url | cut -d':' -f1)
+    port=$(echo $clean_url | cut -d':' -f2)
+    check_redis $host $port
+}
+
+# Main
+if [ -n "$OAUTH2_PROXY_REDIS_CLUSTER_CONNECTION_URLS" ]; then
+    echo "Checking Redis in cluster mode..."
+    echo "$OAUTH2_PROXY_REDIS_CLUSTER_CONNECTION_URLS" | tr ',' '\n' | while read -r addr; do
+        parse_and_check $addr || exit 1
+    done
+elif [ -n "$OAUTH2_PROXY_REDIS_SENTINEL_CONNECTION_URLS" ]; then
+    echo "Checking Redis in sentinel mode..."
+    echo "$OAUTH2_PROXY_REDIS_SENTINEL_CONNECTION_URLS" | tr ',' '\n' | while read -r addr; do
+        parse_and_check $addr || exit 1
+    done
+elif [ -n "$OAUTH2_PROXY_REDIS_CONNECTION_URL" ]; then
+    echo "Checking standalone Redis..."
+    parse_and_check "$OAUTH2_PROXY_REDIS_CONNECTION_URL" || exit 1
+else
+    echo "Redis configuration not specified."
+    exit 1
+fi
+
+echo "Redis check completed."
diff --git a/kubernetes/authentication/components/oauth2-proxy/templates/NOTES.txt b/kubernetes/authentication/components/oauth2-proxy/templates/NOTES.txt
new file mode 100644
index 0000000000..36ded35867
--- /dev/null
+++ b/kubernetes/authentication/components/oauth2-proxy/templates/NOTES.txt
@@ -0,0 +1,3 @@
+To verify that oauth2-proxy has started, run:
+
+  kubectl --namespace={{ template "oauth2-proxy.namespace" $ }} get pods -l "app={{ template "oauth2-proxy.name" . }}"
diff --git a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/_capabilities.tpl b/kubernetes/authentication/components/oauth2-proxy/templates/_capabilities.tpl
index f959f10e49..f959f10e49 100644
--- a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/_capabilities.tpl
+++ b/kubernetes/authentication/components/oauth2-proxy/templates/_capabilities.tpl
diff --git a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/_helpers.tpl b/kubernetes/authentication/components/oauth2-proxy/templates/_helpers.tpl
index 87c64493b7..6a9bbb320d 100644
--- a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/_helpers.tpl
+++ b/kubernetes/authentication/components/oauth2-proxy/templates/_helpers.tpl
@@ -79,6 +79,17 @@ Create the name of the service account to use
 {{- end -}}
 
 {{/*
+Allow the release namespace to be overridden for multi-namespace deployments in combined charts
+*/}}
+{{- define "oauth2-proxy.namespace" -}}
+  {{- if .Values.namespaceOverride -}}
+    {{- .Values.namespaceOverride -}}
+  {{- else -}}
+    {{- .Release.Namespace -}}
+  {{- end -}}
+{{- end -}}
+
+{{/*
 Redis subcharts fullname
 */}}
 {{- define "oauth2-proxy.redis.fullname" -}}
@@ -106,5 +117,45 @@ Compute the redis url if not set explicitly.
 Returns the version
 */}}
 {{- define "oauth2-proxy.version" -}}
-{{ trimPrefix "v" (lower (.Values.image.tag | default (printf "v%s" .Chart.AppVersion))) }}
+{{ .Values.image.tag | default (printf "v%s" .Chart.AppVersion) }}
+{{- end -}}
+
+{{/*
+Returns the kubectl version
+Workaround for EKS https://github.com/aws/eks-distro/issues/1128
+*/}}
+{{- define "kubectl.version" -}}
+{{- if .Values.initContainers.waitForRedis.kubectlVersion -}}
+{{ .Values.initContainers.waitForRedis.kubectlVersion }}
+{{- else -}}
+{{- printf "%s.%s" .Capabilities.KubeVersion.Major (.Capabilities.KubeVersion.Minor | replace "+" "") -}}
+{{- end -}}
+{{- end -}}
+
+{{- define "oauth2-proxy.alpha-config" -}}
+---
+server:
+  BindAddress: '0.0.0.0:4180'
+{{- if .Values.alphaConfig.serverConfigData }}
+{{- toYaml .Values.alphaConfig.serverConfigData | nindent 2 }}
+{{- end }}
+{{- if .Values.metrics.enabled }}
+metricsServer:
+  BindAddress: '0.0.0.0:44180'
+{{- if .Values.alphaConfig.metricsConfigData }}
+{{- toYaml .Values.alphaConfig.metricsConfigData | nindent 2 }}
+{{- end }}
+{{- end }}
+{{- if .Values.alphaConfig.configData }}
+{{- toYaml .Values.alphaConfig.configData | nindent 0 }}
+{{- end }}
+{{- if .Values.alphaConfig.configFile }}
+{{- tpl .Values.alphaConfig.configFile $ | nindent 0 }}
+{{- end }}
+{{- end -}}
+
+{{- define "oauth2-proxy.secrets" -}}
+cookie-secret: {{ tpl .Values.config.cookieSecret $ | b64enc | quote }}
+client-secret: {{ tpl .Values.config.clientSecret $ | b64enc | quote }}
+client-id: {{ tpl .Values.config.clientID $ | b64enc | quote }}
 {{- end -}}
diff --git a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/_ingress.tpl b/kubernetes/authentication/components/oauth2-proxy/templates/_ingress.tpl
index f4a3cad0e4..f4a3cad0e4 100644
--- a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/_ingress.tpl
+++ b/kubernetes/authentication/components/oauth2-proxy/templates/_ingress.tpl
diff --git a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/configmap-authenticated-emails-file.yaml b/kubernetes/authentication/components/oauth2-proxy/templates/configmap-authenticated-emails-file.yaml
index cf4e77eaaa..d9f9cffef7 100644
--- a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/configmap-authenticated-emails-file.yaml
+++ b/kubernetes/authentication/components/oauth2-proxy/templates/configmap-authenticated-emails-file.yaml
@@ -11,6 +11,7 @@ metadata:
 {{ toYaml .Values.authenticatedEmailsFile.annotations | indent 4 }}
 {{- end }}
   name: {{ template "oauth2-proxy.fullname" . }}-accesslist
+  namespace: {{ template "oauth2-proxy.namespace" $ }}
 data:
   {{ default "restricted_user_access" .Values.authenticatedEmailsFile.restrictedUserAccessKey }}: {{ .Values.authenticatedEmailsFile.restricted_access | quote }}
 {{- end }}
diff --git a/kubernetes/authentication/components/oauth2-proxy/templates/configmap-wait-for-redis.yaml b/kubernetes/authentication/components/oauth2-proxy/templates/configmap-wait-for-redis.yaml
new file mode 100644
index 0000000000..721048d786
--- /dev/null
+++ b/kubernetes/authentication/components/oauth2-proxy/templates/configmap-wait-for-redis.yaml
@@ -0,0 +1,13 @@
+{{- if and .Values.redis.enabled .Values.initContainers.waitForRedis.enabled }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  labels:
+    app: {{ template "oauth2-proxy.name" . }}
+{{- include "oauth2-proxy.labels" . | indent 4 }}
+  name: {{ template "oauth2-proxy.fullname" . }}-wait-for-redis
+  namespace: {{ template "oauth2-proxy.namespace" $ }}
+data:
+  check-redis.sh: |
+{{ .Files.Get "scripts/check-redis.sh" | indent 4 }}
+{{- end }}
diff --git a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/configmap.yaml b/kubernetes/authentication/components/oauth2-proxy/templates/configmap.yaml
index 8a19ccb943..94d7806d2e 100644
--- a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/configmap.yaml
+++ b/kubernetes/authentication/components/oauth2-proxy/templates/configmap.yaml
@@ -11,6 +11,7 @@ metadata:
     app: {{ template "oauth2-proxy.name" . }}
 {{- include "oauth2-proxy.labels" . | indent 4 }}
   name: {{ template "oauth2-proxy.fullname" . }}
+  namespace: {{ template "oauth2-proxy.namespace" $ }}
 data:
   oauth2_proxy.cfg: {{ tpl .Values.config.configFile $ | quote }}
 {{- end }}
diff --git a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/deployment.yaml b/kubernetes/authentication/components/oauth2-proxy/templates/deployment.yaml
index 4523591231..1a626d1ab8 100644
--- a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/deployment.yaml
+++ b/kubernetes/authentication/components/oauth2-proxy/templates/deployment.yaml
@@ -9,10 +9,13 @@ metadata:
 {{ toYaml .Values.deploymentAnnotations | indent 8 }}
   {{- end }}
   name: {{ template "oauth2-proxy.fullname" . }}
+  namespace: {{ template "oauth2-proxy.namespace" $ }}
 spec:
   replicas: {{ .Values.replicaCount }}
-  {{- if .Values.revisionHistoryLimit }}
   revisionHistoryLimit: {{ .Values.revisionHistoryLimit }}
+  {{- with .Values.strategy }}
+  strategy:
+    {{ toYaml . | nindent 4 }}
   {{- end }}
   selector:
     matchLabels:
@@ -20,16 +23,18 @@ spec:
   template:
     metadata:
       annotations:
-        checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
+        checksum/config: {{ tpl .Values.config.configFile $ | sha256sum }}
         {{- if .Values.alphaConfig.enabled }}
-        checksum/alpha-config: {{ include (print $.Template.BasePath "/configmap-alpha.yaml") . | sha256sum }}
+        checksum/alpha-config: {{ include "oauth2-proxy.alpha-config" . | sha256sum }}
         {{- end }}
+        {{- if .Values.authenticatedEmailsFile.enabled }}
         checksum/config-emails: {{ include (print $.Template.BasePath "/configmap-authenticated-emails-file.yaml") . | sha256sum }}
-        checksum/secret: {{ include (print $.Template.BasePath "/secret.yaml") . | sha256sum }}
+        {{- end }}
+        checksum/secret: {{ include "oauth2-proxy.secrets" . | sha256sum }}
         checksum/google-secret: {{ include (print $.Template.BasePath "/google-secret.yaml") . | sha256sum }}
         checksum/redis-secret: {{ include (print $.Template.BasePath "/redis-secret.yaml") . | sha256sum }}
 {{- if .Values.htpasswdFile.enabled }}
-        checksum/htpasswd: {{ include (print $.Template.BasePath "/secret-htpasswd-file.yaml") . | sha256sum }}
+        checksum/htpasswd: {{ toYaml .Values.htpasswdFile.entries | sha256sum }}
 {{- end }}
     {{- if .Values.podAnnotations }}
 {{ toYaml .Values.podAnnotations | indent 8 }}
@@ -49,17 +54,53 @@ spec:
         {{- toYaml . | nindent 8 }}
       {{- end }}
       serviceAccountName: {{ template "oauth2-proxy.serviceAccountName" . }}
-      automountServiceAccountToken : {{ .Values.serviceAccount.automountServiceAccountToken }}
-      {{- if .Values.hostAlias.enabled }}
+      automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }}
+      {{- if .Values.hostAliases }}
       hostAliases:
-        - ip: {{ .Values.hostAlias.ip }}
-          hostnames:
-          - {{ .Values.hostAlias.hostname }}
+        {{ toYaml .Values.hostAliases | nindent 8}}
+      {{- end }}
+      {{- if and .Values.redis.enabled .Values.initContainers.waitForRedis.enabled }}
+      initContainers:
+      - name: wait-for-redis
+        #image: "{{ .Values.initContainers.waitForRedis.image.repository }}:{{ .Values.initContainers.waitForRedis.image.tag }}"
+        image: "{{ include "repositoryGenerator.dockerHubRepository" . }}/{{ .Values.initContainers.waitForRedis.image.repository }}:{{ .Values.initContainers.waitForRedis.image.tag }}"
+        imagePullPolicy: {{ .Values.initContainers.waitForRedis.image.pullPolicy }}
+        command: ["/bin/sh", "-c", "/scripts/check-redis.sh"]
+        env:
+        - name: TOTAL_RETRY_TIME
+          value: "{{ .Values.initContainers.waitForRedis.timeout }}"
+        {{- if eq (default "" .Values.sessionStorage.redis.clientType) "standalone" }}
+        - name: OAUTH2_PROXY_REDIS_CONNECTION_URL
+          value: {{ include "oauth2-proxy.redis.StandaloneUrl" . }}
+        {{- else if eq (default "" .Values.sessionStorage.redis.clientType) "cluster" }}
+        - name: OAUTH2_PROXY_REDIS_USE_CLUSTER
+          value: "true"
+        - name: OAUTH2_PROXY_REDIS_CLUSTER_CONNECTION_URLS
+          value: {{ .Values.sessionStorage.redis.cluster.connectionUrls }}
+        {{- else if eq (default "" .Values.sessionStorage.redis.clientType) "sentinel" }}
+        - name: OAUTH2_PROXY_REDIS_USE_SENTINEL
+          value: "true"
+        - name: OAUTH2_PROXY_REDIS_SENTINEL_CONNECTION_URLS
+          value: {{ .Values.sessionStorage.redis.sentinel.connectionUrls }}
+        {{- end }}
+      {{- if .Values.initContainers.waitForRedis.securityContext.enabled }}
+      {{- $securityContext := unset .Values.initContainers.waitForRedis.securityContext "enabled" }}
+        securityContext:
+          {{- toYaml $securityContext | nindent 10 }}
+      {{- end }}
+        resources:
+          {{- toYaml .Values.initContainers.waitForRedis.resources | nindent 10 }}
+        volumeMounts:
+        - name: redis-script
+          mountPath: /scripts
+      {{- end }}
+      {{- if .Values.terminationGracePeriodSeconds }}
+      terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }}
       {{- end }}
       containers:
       - name: {{ .Chart.Name }}
-        image: "{{ include "repositoryGenerator.quayRepository" . }}/{{ .Values.image.repository }}:v{{ include "oauth2-proxy.version" . }}"
-        #image: "{{ .Values.image.repository }}:v{{ include "oauth2-proxy.version" . }}"
+        image: "{{ include "repositoryGenerator.quayRepository" . }}/{{ .Values.image.repository }}:{{ include "oauth2-proxy.version" . }}"
+        #image: "{{ .Values.image.repository }}:{{ include "oauth2-proxy.version" . }}"
         imagePullPolicy: {{ .Values.image.pullPolicy }}
         args:
         {{- if .Values.alphaConfig.enabled }}
@@ -76,7 +117,7 @@ spec:
         {{- end }}
         {{- if kindIs "map" .Values.extraArgs }}
           {{- range $key, $value := .Values.extraArgs }}
-          {{- if $value }}
+          {{- if not (kindIs "invalid" $value) }}
           - --{{ $key }}={{ tpl ($value | toString) $ }}
           {{- else }}
           - --{{ $key }}
@@ -119,6 +160,10 @@ spec:
         {{- if .Values.htpasswdFile.enabled }}
           - --htpasswd-file=/etc/oauth2_proxy/htpasswd/users.txt
         {{- end }}
+{{- if .Values.lifecycle }}
+        lifecycle:
+{{ toYaml .Values.lifecycle | indent 10 }}
+{{- end }}
         env:
         {{- if .Values.proxyVarsAsSecrets }}
         - name: OAUTH2_PROXY_CLIENT_ID
@@ -184,6 +229,10 @@ spec:
         {{- if .Values.extraEnv }}
 {{ tpl (toYaml .Values.extraEnv) . | indent 8 }}
         {{- end }}
+        {{- if .Values.envFrom }}
+        envFrom:
+{{ tpl (toYaml .Values.envFrom) . | indent 8 }}
+        {{- end }}
         ports:
         {{- if .Values.containerPort }}
           - containerPort: {{ .Values.containerPort }}
@@ -292,7 +341,12 @@ spec:
           secretName: {{ template "oauth2-proxy.fullname" . }}-accesslist
 {{- end }}
 {{- end }}
-
+{{- if and .Values.redis.enabled .Values.initContainers.waitForRedis.enabled }}
+      - name: redis-script
+        configMap:
+          name: {{ template "oauth2-proxy.fullname" . }}-wait-for-redis
+          defaultMode: 0775
+{{- end }}
 {{- if or .Values.config.existingConfig .Values.config.configFile }}
       - configMap:
           defaultMode: 420
@@ -300,10 +354,17 @@ spec:
         name: configmain
 {{- end }}
 {{- if .Values.alphaConfig.enabled }}
+{{- if .Values.alphaConfig.existingConfig }}
       - configMap:
           defaultMode: 420
-          name: {{ if .Values.alphaConfig.existingConfig }}{{ .Values.alphaConfig.existingConfig }}{{ else }}{{ template "oauth2-proxy.fullname" . }}-alpha{{ end }}
+          name: {{ .Values.alphaConfig.existingConfig }}
         name: configalpha
+{{- else }}
+      - secret:
+          defaultMode: 420
+          secretName: {{ if .Values.alphaConfig.existingSecret }}{{ .Values.alphaConfig.existingSecret }}{{ else }}{{ template "oauth2-proxy.fullname" . }}-alpha{{ end }}
+        name: configalpha
+{{- end }}
 {{- end }}
 {{- if ne (len .Values.extraVolumes) 0 }}
 {{ toYaml .Values.extraVolumes | indent 6 }}
diff --git a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/deprecation.yaml b/kubernetes/authentication/components/oauth2-proxy/templates/deprecation.yaml
index 126d3e7a18..126d3e7a18 100644
--- a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/deprecation.yaml
+++ b/kubernetes/authentication/components/oauth2-proxy/templates/deprecation.yaml
diff --git a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/extra-manifests.yaml b/kubernetes/authentication/components/oauth2-proxy/templates/extra-manifests.yaml
index a9bb3b6ba8..a9bb3b6ba8 100644
--- a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/extra-manifests.yaml
+++ b/kubernetes/authentication/components/oauth2-proxy/templates/extra-manifests.yaml
diff --git a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/google-secret.yaml b/kubernetes/authentication/components/oauth2-proxy/templates/google-secret.yaml
index 5703273d93..30a9ae1bb6 100644
--- a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/google-secret.yaml
+++ b/kubernetes/authentication/components/oauth2-proxy/templates/google-secret.yaml
@@ -6,6 +6,7 @@ metadata:
     app: {{ template "oauth2-proxy.name" . }}
 {{- include "oauth2-proxy.labels" . | indent 4 }}
   name: {{ template "oauth2-proxy.fullname" . }}-google
+  namespace: {{ template "oauth2-proxy.namespace" $ }}
 type: Opaque
 data:
   service-account.json: {{ .Values.config.google.serviceAccountJson | b64enc | quote }}
diff --git a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/ingress.yaml b/kubernetes/authentication/components/oauth2-proxy/templates/ingress.yaml
index 73fd758d16..5323820487 100644
--- a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/ingress.yaml
+++ b/kubernetes/authentication/components/oauth2-proxy/templates/ingress.yaml
@@ -9,8 +9,12 @@ kind: Ingress
 metadata:
   labels:
     app: {{ template "oauth2-proxy.name" . }}
-{{- include "oauth2-proxy.labels" . | indent 4 }}
+    {{- include "oauth2-proxy.labels" . | indent 4 }}
+{{- if .Values.ingress.labels }}
+{{ toYaml .Values.ingress.labels | indent 4 }}
+{{- end }}
   name: {{ template "oauth2-proxy.fullname" . }}
+  namespace: {{ template "oauth2-proxy.namespace" $ }}
 {{- with .Values.ingress.annotations }}
   annotations:
 {{ toYaml . | indent 4 }}
diff --git a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/poddisruptionbudget.yaml b/kubernetes/authentication/components/oauth2-proxy/templates/poddisruptionbudget.yaml
index 7cdbbbeabb..1fc8ecc005 100644
--- a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/poddisruptionbudget.yaml
+++ b/kubernetes/authentication/components/oauth2-proxy/templates/poddisruptionbudget.yaml
@@ -6,6 +6,7 @@ metadata:
     app: {{ template "oauth2-proxy.name" . }}
 {{- include "oauth2-proxy.labels" . | indent 4 }}
   name: {{ template "oauth2-proxy.fullname" . }}
+  namespace: {{ template "oauth2-proxy.namespace" $ }}
 spec:
   selector:
     matchLabels:
diff --git a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/redis-secret.yaml b/kubernetes/authentication/components/oauth2-proxy/templates/redis-secret.yaml
index 7a1555d8b3..202e9243e3 100644
--- a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/redis-secret.yaml
+++ b/kubernetes/authentication/components/oauth2-proxy/templates/redis-secret.yaml
@@ -10,6 +10,7 @@ metadata:
     app: {{ $name }}
     {{- $labels | indent 4 }}
   name: {{ $fullName }}-redis-access
+  namespace: {{ template "oauth2-proxy.namespace" $ }}
 type: Opaque
 data:
   {{- if and .redis.password (not .redis.existingSecret) }}
diff --git a/kubernetes/authentication/components/oauth2-proxy/templates/secret-alpha.yaml b/kubernetes/authentication/components/oauth2-proxy/templates/secret-alpha.yaml
new file mode 100644
index 0000000000..15bb89338e
--- /dev/null
+++ b/kubernetes/authentication/components/oauth2-proxy/templates/secret-alpha.yaml
@@ -0,0 +1,20 @@
+{{-
+  if and
+    .Values.alphaConfig.enabled
+    (not .Values.alphaConfig.existingConfig)
+    (not .Values.alphaConfig.existingSecret)
+}}
+apiVersion: v1
+kind: Secret
+metadata:
+{{- if .Values.alphaConfig.annotations }}
+  annotations: {{- toYaml .Values.alphaConfig.annotations | nindent 4 }}
+{{- end }}
+  labels:
+    app: {{ template "oauth2-proxy.name" . }}
+    {{- include "oauth2-proxy.labels" . | indent 4 }}
+  name: {{ template "oauth2-proxy.fullname" . }}-alpha
+  namespace: {{ template "oauth2-proxy.namespace" $ }}
+data:
+  oauth2_proxy.yml: {{ include "oauth2-proxy.alpha-config" . | b64enc | quote }}
+{{- end }}
diff --git a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/secret-authenticated-emails-file.yaml b/kubernetes/authentication/components/oauth2-proxy/templates/secret-authenticated-emails-file.yaml
index ce79db1dce..95f85a8006 100644
--- a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/secret-authenticated-emails-file.yaml
+++ b/kubernetes/authentication/components/oauth2-proxy/templates/secret-authenticated-emails-file.yaml
@@ -12,6 +12,7 @@ metadata:
 {{ toYaml .Values.authenticatedEmailsFile.annotations | indent 4 }}
 {{- end }}
   name: {{ template "oauth2-proxy.fullname" . }}-accesslist
+  namespace: {{ template "oauth2-proxy.namespace" $ }}
 data:
   {{ default "restricted_user_access" .Values.authenticatedEmailsFile.restrictedUserAccessKey }}: {{ .Values.authenticatedEmailsFile.restricted_access | b64enc }}
 {{- end }}
diff --git a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/secret-htpasswd-file.yaml b/kubernetes/authentication/components/oauth2-proxy/templates/secret-htpasswd-file.yaml
index 44fe67e96a..c5ea330ff7 100644
--- a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/secret-htpasswd-file.yaml
+++ b/kubernetes/authentication/components/oauth2-proxy/templates/secret-htpasswd-file.yaml
@@ -6,10 +6,11 @@ metadata:
     app: {{ template "oauth2-proxy.name" . }}
 {{- include "oauth2-proxy.labels" . | indent 4 }}
   name: {{ template "oauth2-proxy.fullname" . }}-htpasswd-file
+  namespace: {{ template "oauth2-proxy.namespace" $ }}
 type: Opaque
 stringData:
   users.txt: |-
     {{- range $entries := .Values.htpasswdFile.entries }}
     {{ $entries }}
     {{- end -}}
-{{- end }}
\ No newline at end of file
+{{- end }}
diff --git a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/secret.yaml b/kubernetes/authentication/components/oauth2-proxy/templates/secret.yaml
index c9b3791f89..f3364e95a9 100644
--- a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/secret.yaml
+++ b/kubernetes/authentication/components/oauth2-proxy/templates/secret.yaml
@@ -10,9 +10,8 @@ metadata:
     app: {{ template "oauth2-proxy.name" . }}
 {{- include "oauth2-proxy.labels" . | indent 4 }}
   name: {{ template "oauth2-proxy.fullname" . }}
+  namespace: {{ template "oauth2-proxy.namespace" $ }}
 type: Opaque
 data:
-  cookie-secret: {{ tpl .Values.config.cookieSecret $ | b64enc | quote }}
-  client-secret: {{ tpl .Values.config.clientSecret $ | b64enc | quote }}
-  client-id: {{ tpl .Values.config.clientID $ | b64enc | quote }}
+{{- include "oauth2-proxy.secrets" . | nindent 2 }}
 {{- end -}}
diff --git a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/service.yaml b/kubernetes/authentication/components/oauth2-proxy/templates/service.yaml
index d9563ac283..d16120ee91 100644
--- a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/service.yaml
+++ b/kubernetes/authentication/components/oauth2-proxy/templates/service.yaml
@@ -5,6 +5,7 @@ metadata:
     app: {{ template "oauth2-proxy.name" . }}
 {{- include "oauth2-proxy.labels" . | indent 4 }}
   name: {{ template "oauth2-proxy.fullname" . }}
+  namespace: {{ template "oauth2-proxy.namespace" $ }}
 {{- if .Values.service.annotations }}
   annotations:
 {{ toYaml .Values.service.annotations | indent 4 }}
diff --git a/kubernetes/authentication/components/oauth2-proxy/templates/serviceaccount.yaml b/kubernetes/authentication/components/oauth2-proxy/templates/serviceaccount.yaml
new file mode 100644
index 0000000000..2a89c4b9e3
--- /dev/null
+++ b/kubernetes/authentication/components/oauth2-proxy/templates/serviceaccount.yaml
@@ -0,0 +1,60 @@
+{{- if or .Values.serviceAccount.enabled -}}
+{{- $fullName := include "oauth2-proxy.fullname" .  -}}
+{{- $saName := include "oauth2-proxy.serviceAccountName" . -}}
+{{- $name := include "oauth2-proxy.name" . -}}
+{{- $namespace := include "oauth2-proxy.namespace" $ -}}
+{{- $labels := include "oauth2-proxy.labels" . -}}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  {{- with .Values.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  labels:
+    app: {{ $name }}
+{{- $labels | indent 4 }}
+  name: {{ $saName }}
+  namespace: {{ $namespace }}
+automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }}
+{{- if and .Values.redis.enabled .Values.initContainers.waitForRedis.enabled }}
+---
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ $fullName }}-watch-redis
+  namespace: {{ $namespace }}
+  labels:
+    app: {{ $name }}
+    {{- $labels | nindent 4 }}
+rules:
+- apiGroups:
+    - ""
+  resources:
+    - pods
+  resourceNames:
+    - "{{ include "oauth2-proxy.redis.fullname" . }}-master-0"
+  verbs:
+    - get
+    - list
+    - watch
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ $saName }}-watch-redis
+  namespace: {{ $namespace }}
+  labels:
+    app: {{ $name }}
+    {{- $labels | nindent 4 }}
+subjects:
+- kind: ServiceAccount
+  name: {{ $saName }}
+  apiGroup: ""
+roleRef:
+  kind: Role
+  name: {{ $fullName }}-watch-redis
+  apiGroup: ""
+{{- end -}}
+{{- end -}}
diff --git a/kubernetes/authentication/components/oauth2-proxy/templates/servicemonitor.yaml b/kubernetes/authentication/components/oauth2-proxy/templates/servicemonitor.yaml
new file mode 100644
index 0000000000..3802666be0
--- /dev/null
+++ b/kubernetes/authentication/components/oauth2-proxy/templates/servicemonitor.yaml
@@ -0,0 +1,57 @@
+{{- if and .Values.metrics.enabled .Values.metrics.serviceMonitor.enabled }}
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  {{- with .Values.metrics.serviceMonitor.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  name: {{ template "oauth2-proxy.fullname" . }}
+{{- if .Values.metrics.serviceMonitor.namespace }}
+  namespace: {{ .Values.metrics.serviceMonitor.namespace }}
+{{- else }}
+  namespace: {{ template "oauth2-proxy.namespace" $ }}
+{{- end }}
+  labels:
+    prometheus: {{ .Values.metrics.serviceMonitor.prometheusInstance }}
+    app: {{ template "oauth2-proxy.name" . }}
+{{- include "oauth2-proxy.labels" . | indent 4 }}
+{{- if .Values.metrics.serviceMonitor.labels }}
+{{ toYaml .Values.metrics.serviceMonitor.labels | indent 4}}
+{{- end }}
+spec:
+  jobLabel: {{ template "oauth2-proxy.fullname" . }}
+  selector:
+    matchLabels:
+      {{- include "oauth2-proxy.selectorLabels" . | indent 6 }}
+  namespaceSelector:
+    matchNames:
+      - {{ template "oauth2-proxy.namespace" $ }}
+  endpoints:
+  - port: metrics
+    path: "/metrics"
+    {{- with .Values.metrics.serviceMonitor.interval }}
+    interval: {{ . }}
+    {{- end }}
+    {{- with .Values.metrics.serviceMonitor.scrapeTimeout }}
+    scrapeTimeout: {{ . }}
+    {{- end }}
+    {{- with .Values.metrics.serviceMonitor.scheme }}
+    scheme: {{ . }}
+    {{- end }}
+    {{- with .Values.metrics.serviceMonitor.bearerTokenFile }}
+    bearerTokenFile: {{ . }}
+    {{- end }}
+    {{- with .Values.metrics.serviceMonitor.tlsConfig }}
+    tlsConfig:
+      {{- toYaml .| nindent 6 }}
+    {{- end }}
+    {{- with .Values.metrics.serviceMonitor.metricRelabelings }}
+    metricRelabelings:
+      {{- toYaml . | nindent 4 }}
+    {{- end }}
+    {{- with .Values.metrics.serviceMonitor.relabelings }}
+    relabelings:
+      {{- toYaml . | nindent 4 }}
+    {{- end }}
+{{- end }}
diff --git a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/values.yaml b/kubernetes/authentication/components/oauth2-proxy/values.yaml
index 8f81e15d03..f49cb638fa 100644
--- a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/values.yaml
+++ b/kubernetes/authentication/components/oauth2-proxy/values.yaml
@@ -1,5 +1,17 @@
 global:
   quayRepository: quay.io
+  dockerHubRepository: docker.io
+  # Additions for Redis ****************************
+  # If dockerHubRepository is changes the following entry needs
+  # to be changed as well
+  imageRegistry: docker.io
+  imagePullSecrets:
+    - '{{ include "common.names.namespace" . }}-docker-registry-key'
+  # *************************************************
+
+## Override the deployment namespace
+##
+namespaceOverride: ""
 
 # Force the target Kubernetes version (it uses Helm `.Capabilities` if not set).
 # This is especially useful for `helm template` as capabilities are always empty
@@ -57,8 +69,13 @@ alphaConfig:
   metricsConfigData: {}
   # Arbitrary configuration data to append
   configData: {}
-  # Use an existing config map (see configmap-alpha.yaml for required fields)
+  # Arbitrary configuration to append
+  # This is treated as a Go template and rendered with the root context
+  configFile: ""
+  # Use an existing config map (see secret-alpha.yaml for required fields)
   existingConfig: ~
+  # Use an existing secret
+  existingSecret: ~
 
 image:
   #repository: "quay.io/oauth2-proxy/oauth2-proxy"
@@ -81,6 +98,19 @@ image:
 extraArgs: {}
 extraEnv: []
 
+envFrom: []
+# Load environment variables from a ConfigMap(s) and/or Secret(s)
+# that already exists (created and managed by you).
+# ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-pod-configmap/#configure-all-key-value-pairs-in-a-configmap-as-container-environment-variables
+#
+# PS: Changes in these ConfigMaps or Secrets will not be automatically
+#     detected and you must manually restart the relevant Pods after changes.
+#
+#  - configMapRef:
+#      name: special-config
+#  - secretRef:
+#      name: special-config-secret
+
 # -- Custom labels to add into metadata
 customLabels: {}
 
@@ -153,6 +183,7 @@ ingress:
   #       name: ssl-redirect
   #       port:
   #         name: use-annotation
+  labels: {}
   # annotations:
   #   kubernetes.io/ingress.class: nginx
   #   kubernetes.io/tls-acme: "true"
@@ -164,11 +195,11 @@ ingress:
 
 resources: {}
   # limits:
-  #   cpu: "100m"
-  #   memory: "300Mi"
+  #   cpu: 100m
+  #   memory: 300Mi
   # requests:
-  #   cpu: "100m"
-  #   memory: "300Mi"
+  #   cpu: 100m
+  #   memory: 300Mi
 
 extraVolumes: []
   # - name: ca-bundle-cert
@@ -186,11 +217,15 @@ extraContainers: []
 
 priorityClassName: ""
 
-# Host aliases, useful when working "on premise" where (public) DNS resolver does not know about my hosts.
-hostAlias:
-  enabled: false
-  # ip: "10.xxx.xxx.xxx"
-  # hostname: "auth.example.com"
+# hostAliases is a list of aliases to be added to /etc/hosts for network name resolution
+hostAliases: []
+# - ip: "10.xxx.xxx.xxx"
+#   hostnames:
+#     - "auth.example.com"
+# - ip: 127.0.0.1
+#   hostnames:
+#     - chart-example.local
+#     - example.local
 
 # [TopologySpreadConstraints](https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/) configuration.
 # Ref: https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling
@@ -229,16 +264,24 @@ readinessProbe:
 # Configure Kubernetes security context for container
 # Ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
 securityContext:
-  enabled: false
+  enabled: true
+  allowPrivilegeEscalation: false
+  capabilities:
+    drop:
+    - ALL
+  readOnlyRootFilesystem: true
   runAsNonRoot: true
-  # allowPrivilegeEscalation: false
-  # runAsUser: 2000
+  runAsUser: 2000
+  runAsGroup: 2000
+  seccompProfile:
+    type: RuntimeDefault
 
 deploymentAnnotations: {}
 podAnnotations: {}
 podLabels: {}
 replicaCount: 1
 revisionHistoryLimit: 10
+strategy: {}
 
 ## PodDisruptionBudget settings
 ## ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/
@@ -253,12 +296,47 @@ podSecurityContext: {}
 # whether to use http or https
 httpScheme: http
 
+initContainers:
+  # if the redis sub-chart is enabled, wait for it to be ready
+  # before starting the proxy
+  # creates a role binding to get, list, watch, the redis master pod
+  # if service account is enabled
+  waitForRedis:
+    enabled: true
+    image:
+      repository: "alpine"
+      tag: "latest"
+      pullPolicy: "IfNotPresent"
+    # uses the kubernetes version of the cluster
+    # the chart is deployed on, if not set
+    kubectlVersion: ""
+    securityContext:
+      enabled: true
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+          - ALL
+      readOnlyRootFilesystem: true
+      runAsNonRoot: true
+      runAsUser: 65534
+      runAsGroup: 65534
+      seccompProfile:
+        type: RuntimeDefault
+    timeout: 180
+    resources: {}
+      # limits:
+      #   cpu: 100m
+      #   memory: 300Mi
+      # requests:
+      #   cpu: 100m
+      #   memory: 300Mi
+
 # Additionally authenticate against a htpasswd file. Entries must be created with "htpasswd -B" for bcrypt encryption.
 # Alternatively supply an existing secret which contains the required information.
 htpasswdFile:
   enabled: false
   existingSecret: ""
-  entries: {}
+  entries: []
   # One row for each user
   # example:
   # entries:
@@ -302,13 +380,18 @@ redis:
   # Redis specific helm chart settings, please see:
   # https://github.com/bitnami/charts/tree/master/bitnami/redis#parameters
   # redisPort: 6379
-  # cluster:
-  #   enabled: false
-  #   slaveCount: 1
+  # architecture: standalone
 
 # Enables apiVersion deprecation checks
 checkDeprecation: true
 
+# Allows graceful shutdown
+# terminationGracePeriodSeconds: 65
+# lifecycle:
+#   preStop:
+#     exec:
+#       command: [ "sh", "-c", "sleep 60" ]
+
 metrics:
   # Enable Prometheus metrics endpoint
   enabled: true
@@ -319,7 +402,7 @@ metrics:
   # Protocol set on the service for the metrics port
   service:
     appProtocol: http
-  servicemonitor:
+  serviceMonitor:
     # Enable Prometheus Operator ServiceMonitor
     enabled: false
     # Define the namespace where to deploy the ServiceMonitor resource
@@ -333,6 +416,37 @@ metrics:
     # Add custom labels to the ServiceMonitor resource
     labels: {}
 
+    ## scheme: HTTP scheme to use for scraping. Can be used with `tlsConfig` for example if using istio mTLS.
+    scheme: ""
+
+    ## tlsConfig: TLS configuration to use when scraping the endpoint. For example if using istio mTLS.
+    ## Of type: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#tlsconfig
+    tlsConfig: {}
+
+    ## bearerTokenFile: Path to bearer token file.
+    bearerTokenFile: ""
+
+    ## Used to pass annotations that are used by the Prometheus installed in your cluster to select Service Monitors to work with
+    ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#prometheusspec
+    annotations: {}
+
+    ## Metric relabel configs to apply to samples before ingestion.
+    ## [Metric Relabeling](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#metric_relabel_configs)
+    metricRelabelings: []
+    # - action: keep
+    #   regex: 'kube_(daemonset|deployment|pod|namespace|node|statefulset).+'
+    #   sourceLabels: [__name__]
+
+    ## Relabel configs to apply to samples before ingestion.
+    ## [Relabeling](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config)
+    relabelings: []
+    # - sourceLabels: [__meta_kubernetes_pod_node_name]
+    #   separator: ;
+    #   regex: ^(.*)$
+    #   targetLabel: nodename
+    #   replacement: $1
+    #   action: replace
+
 # Extra K8s manifests to deploy
 extraObjects: []
   # - apiVersion: secrets-store.csi.x-k8s.io/v1
diff --git a/kubernetes/authentication/resources/oauth2_proxy.cfg b/kubernetes/authentication/resources/oauth2_proxy.cfg
new file mode 100644
index 0000000000..60aaad4b52
--- /dev/null
+++ b/kubernetes/authentication/resources/oauth2_proxy.cfg
@@ -0,0 +1,38 @@
+provider = "oidc"
+provider_display_name = "ONAPKeycloakID"
+client_id = "{{ index .Values "onap-oauth2-proxy" "config" "clientId" }}"
+client_secret = "{{ index .Values "onap-oauth2-proxy" "config" "clientSecret" }}"
+oidc_issuer_url = 'https://{{ include "ingress.config.host" (dict "dot" . "baseaddr" "keycloak-ui") }}/realms/onap'
+oidc_jwks_url = 'http://{{ include "common.namespace" . }}-authentication-keycloakx-http.{{ include "common.namespace" . }}/realms/onap/protocol/openid-connect/certs'
+profile_url = 'https://{{ include "ingress.config.host" (dict "dot" . "baseaddr" "keycloak-ui") }}/realms/onap/protocol/openid-connect/userinfo'
+validate_url = 'https://{{ include "ingress.config.host" (dict "dot" . "baseaddr" "keycloak-ui") }}/realms/onap/protocol/openid-connect/userinfo'
+redeem_url = 'http://{{ include "common.namespace" . }}-authentication-keycloakx-http.{{ include "common.namespace" . }}/realms/onap/protocol/openid-connect/token'
+scope = "openid email profile groups onap_roles"
+skip_oidc_discovery = true
+cookie_secure = false
+cookie_secret = "{{ index .Values "onap-oauth2-proxy" "config" "cookieSecret" }}"
+email_domains = [ "*" ]
+auth_logging = true
+request_logging = true
+standard_logging = true
+show_debug_on_error = true
+cookie_domains = ".{{ .Values.global.ingress.virtualhost.baseurl }}"
+cookie_samesite = "lax"
+whitelist_domains = ".{{ .Values.global.ingress.virtualhost.baseurl }}"
+login_url = 'https://{{ include "ingress.config.host" (dict "dot" . "baseaddr" "keycloak-ui") }}/realms/onap/protocol/openid-connect/auth'
+pass_access_token = true
+pass_authorization_header = true
+pass_host_header = true
+pass_user_headers = true
+http_address = "0.0.0.0:4180"
+oidc_email_claim = "email"
+oidc_groups_claim = "groups"
+insecure_oidc_skip_issuer_verification = true
+insecure_oidc_allow_unverified_email = true
+silence_ping_logging = true
+upstreams = "static://200"
+set_xauthrequest = true
+set_authorization_header = true
+skip_provider_button = true
+skip_jwt_bearer_tokens = true
+cookie_expire = "30m"
diff --git a/kubernetes/authentication/templates/_utils.tpl b/kubernetes/authentication/templates/_utils.tpl
new file mode 100644
index 0000000000..0cdcd7955a
--- /dev/null
+++ b/kubernetes/authentication/templates/_utils.tpl
@@ -0,0 +1,813 @@
+{{/*
+# Copyright © 2024 Tata Communication Limited (TCL), Deutsche Telekom AG
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+
+{{/*
+Renders a value that contains template.
+Usage:
+{{ include "auth.realm" ( dict "dot" . "realm" .Values.path.to.realm) }}
+*/}}
+{{- define "auth.realm" -}}
+{{- $dot := default . .dot -}}
+{{- $realm := (required "'realm' param, set to the specific service, is required." .realm) -}}
+realm: {{ $realm.name }}
+{{ if $realm.displayName }}displayName: {{ $realm.displayName }}{{ end }}
+id: {{ $realm.name }}
+accessTokenLifespan: 1900
+registrationAllowed: false
+resetPasswordAllowed: true
+enabled: true
+{{ if $realm.themes }}
+{{   if $realm.themes.login }}loginTheme: {{ $realm.themes.login }}{{ end }}
+{{   if $realm.themes.admin }}adminTheme: {{ $realm.themes.admin }}{{ end }}
+{{   if $realm.themes.account }}accountTheme: {{ $realm.themes.account }}{{ end }}
+{{   if $realm.themes.email }}emailTheme: {{ $realm.themes.email }}{{ end }}
+{{- end }}
+{{- if $realm.accessControl }}
+{{ include "auth._roles" $realm }}
+{{- end }}
+{{ include "auth._clients" (dict "dot" $dot "realm" $realm) }}
+{{ include "auth._clientScopes" $realm }}
+{{ include "auth._defaultClientScopes" $realm }}
+{{ include "auth._groups" $realm }}
+{{ include "auth._users" $realm }}
+{{ include "auth._identity" $realm }}
+{{ include "auth._identityMapper" $realm }}
+{{ include "auth._attributes" (dict "dot" $dot "realm" $realm) }}
+{{- end -}}
+
+{{/*
+Renders the roles section in a realm.
+Usage:
+{{ include "auth._roles" ( dict "dot" .Values) }}
+*/}}
+{{- define "auth._roles" -}}
+{{- $realm := default . .dot -}}
+roles:
+  realm:
+    {{- range $index, $role := $realm.accessControl.assignableRoles }}
+    - name: "{{ $role.name }}"
+      description: "{{ $role.description }}"
+      {{- if $role.associatedAccessRoles }}
+      composite: true
+      composites:
+        client:
+          {{- range $key, $accessRole := $realm.accessControl.accessRoles }}
+          {{ $client := index $realm.clients $key -}}
+          {{ $client.clientId }}:
+            {{- range $index2, $associatedRole := $role.associatedAccessRoles }}
+            - {{ $associatedRole }}
+            {{- end }}
+          {{- end }}
+      {{- else }}
+      composite: false
+      {{- end }}
+      clientRole: false
+      containerId: "{{ $realm.name }}"
+      attributes: {}
+    {{- end }}
+    - name: "user"
+      composite: false
+      clientRole: false
+      containerId: "{{ $realm.name }}"
+      attributes: {}
+    - name: "admin"
+      composite: false
+      clientRole: false
+      containerId: "{{ $realm.name }}"
+      attributes: {}
+    - name: "offline_access"
+      description: "${role_offline-access}"
+      composite: false
+      clientRole: false
+      containerId: "{{ $realm.name }}"
+      attributes: {}
+    - name: "uma_authorization"
+      description: "${role_uma_authorization}"
+      composite: false
+      clientRole: false
+      containerId: "{{ $realm.name }}"
+      attributes: {}
+    - name: "default-roles-{{ $realm.name }}"
+      description: "${role_default-roles}"
+      composite: true
+      composites:
+        realm:
+          - "offline_access"
+          - "uma_authorization"
+        client:
+          account:
+            - "view-profile"
+            - "manage-account"
+      clientRole: false
+      containerId: "{{ $realm.name }}"
+      attributes: {}
+  {{- if $realm.accessControl.accessRoles }}
+  client:
+    {{- range $key, $accessRole := $realm.accessControl.accessRoles }}
+    {{ $client := index $realm.clients $key -}}
+    {{ $client.clientId }}:
+    {{- range $index, $role := get $realm.accessControl.accessRoles $key }}
+      - name: "{{ $role.name }}"
+        description: "Allows to perform {{ $role.methodsAllowed }} operations for {{ $role.name }} component"
+        composite: false
+        clientRole: false
+        containerId: "{{ $client.clientId }}"
+        attributes: {}
+    {{- end }}
+    {{- end }}
+  {{- end }}
+{{- end }}
+
+{{/*
+Renders the clients section in a realm.
+Usage:
+{{ include "auth._clients" ( dict "dot" . "realm" $realm ) }}
+*/}}
+{{- define "auth._clients" -}}
+{{- $dot := default . .dot -}}
+{{- $realm := (required "'realm' param, set to the specific service, is required." .realm) -}}
+clients:
+  {{- range $index, $client := $realm.clients }}
+  - clientId: "{{ $client.clientId }}"
+    name: "{{ $client.name }}"
+    description: "{{ default "" $client.description }}"
+    {{- if $client.rootUrl }}
+    rootUrl: {{ tpl $client.rootUrl $dot }}
+    {{- else }}
+    rootUrl: ""
+    {{- end }}
+    {{- if $client.adminUrl }}
+    adminUrl: {{ tpl $client.adminUrl $dot }}
+    {{- else }}
+    adminUrl: ""
+    {{- end }}
+    {{- if $client.baseUrl }}
+    baseUrl: {{ tpl $client.baseUrl $dot }}
+    {{- else }}
+    baseUrl: ""
+    {{- end }}
+    surrogateAuthRequired: false
+    enabled: true
+    alwaysDisplayInConsole: false
+    clientAuthenticatorType: "client-secret"
+    secret: "{{ default "" $client.secret }}"
+    redirectUris:
+      {{- if $client.redirectUris }}
+      {{- range $index2, $url := $client.redirectUris }}
+      - {{ tpl $url $dot }}
+      {{- end }}
+      {{- else }}
+      - "*"
+      {{- end }}
+      {{- if $client.webOrigins }}
+    webOrigins:
+      {{- range $index3, $web := $client.webOrigins }}
+      - {{ $web }}
+      {{- end }}
+      {{- else }}
+    webOrigins: []
+      {{- end }}
+    notBefore: 0
+    bearerOnly: false
+    consentRequired: false
+    standardFlowEnabled: true
+    implicitFlowEnabled: false
+    directAccessGrantsEnabled: true
+    serviceAccountsEnabled: false
+    publicClient: false
+    frontchannelLogout: true
+    protocol: "{{ $client.protocol }}"
+    attributes:
+      id.token.as.detached.signature: "false"
+      saml.assertion.signature: "false"
+      saml.force.post.binding: "false"
+      saml.multivalued.roles: "false"
+      saml.encrypt: "false"
+      saml.server.signature: "false"
+      saml.server.signature.keyinfo.ext: "false"
+      exclude.session.state.from.auth.response: "false"
+      saml.artifact.binding: "false"
+      saml_force_name_id_format: "false"
+      saml.client.signature: "false"
+      saml.authnstatement: "false"
+      saml.onetimeuse.condition: "false"
+      tls-client-certificate-bound-access-tokens: "false"
+      oidc.ciba.grant.enabled: "false"
+      backchannel.logout.session.required: "true"
+      client_credentials.use_refresh_token: "false"
+      acr.loa.map: "{}"
+      require.pushed.authorization.requests: "false"
+      oauth2.device.authorization.grant.enabled: "false"
+      display.on.consent.screen: "false"
+      backchannel.logout.revoke.offline.tokens: "false"
+      token.response.type.bearer.lower-case: "false"
+      use.refresh.tokens: "true"
+      {{- if $client.additionalAttributes }}
+      {{-   range $key,$value := $client.additionalAttributes }}
+      {{ $key }}: {{ tpl $value $dot }}
+      {{-   end }}
+      {{- end }}
+    authenticationFlowBindingOverrides: {}
+    fullScopeAllowed: true
+    nodeReRegistrationTimeout: -1
+    protocolMappers:
+      {{- if $client.protocolMappers }}
+      {{- range $index2, $mapper := $client.protocolMappers }}
+      - name: {{ $mapper.name }}
+        protocol: "openid-connect"
+        protocolMapper: {{ $mapper.protocolMapper }}
+        consentRequired: false
+        config:
+          {{ toYaml $mapper.config | nindent 10 }}
+      {{- end }}
+      {{- end }}
+    defaultClientScopes:
+      - web-origins
+      - acr
+      - profile
+      - email
+      {{- if $client.additionalDefaultScopes }}
+      {{-   range $index2, $scope := $client.additionalDefaultScopes }}
+      - {{ $scope }}
+      {{-   end }}
+      {{- end }}
+    optionalClientScopes:
+      - address
+      - phone
+      - offline_access
+      - groups
+      - microprofile-jwt
+  {{- end }}
+{{- end }}
+
+{{/*
+Renders the defaulDefaultClientScopes section in a realm.
+Usage:
+{{ include "auth._defaultClientScopes" ( dict "dot" .Values) }}
+*/}}
+{{- define "auth._defaultClientScopes" -}}
+{{- $dot := default . .dot -}}
+{{- if $dot.defaultClientScopes }}
+defaultDefaultClientScopes:
+  {{- range $index, $scope := $dot.defaultClientScopes }}
+  - {{ $scope }}
+  {{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Renders the clientScopes section in a realm.
+Usage:
+{{ include "auth._clientScopes" ( dict "dot" .Values) }}
+*/}}
+{{- define "auth._clientScopes" -}}
+{{- $dot := default . .dot -}}
+clientScopes:
+{{- if $dot.additionalClientScopes }}
+{{-   range $index, $scope := $dot.additionalClientScopes }}
+- name: {{ $scope.name }}
+  description: "{{ default "" $scope.description }}"
+  protocol: openid-connect
+  attributes:
+    include.in.token.scope: 'false'
+    display.on.consent.screen: 'true'
+    gui.order: ''
+    consent.screen.text: "${rolesScopeConsentText}"
+  protocolMappers:
+    {{- if $scope.protocolMappers }}
+    {{- range $index2, $mapper := $scope.protocolMappers }}
+    - name: {{ $mapper.name }}
+      protocol: "openid-connect"
+      protocolMapper: {{ $mapper.protocolMapper }}
+      consentRequired: false
+      config:
+        {{ toYaml $mapper.config | nindent 8 }}
+    {{- end }}
+    {{- end }}
+
+{{-   end }}
+{{- end }}
+- name: roles
+  description: OpenID Connect scope for add user roles to the access token
+  protocol: openid-connect
+  attributes:
+    include.in.token.scope: 'false'
+    display.on.consent.screen: 'true'
+    consent.screen.text: "${rolesScopeConsentText}"
+  protocolMappers:
+  - name: audience resolve
+    protocol: openid-connect
+    protocolMapper: oidc-audience-resolve-mapper
+    consentRequired: false
+    config: {}
+  - name: realm roles
+    protocol: openid-connect
+    protocolMapper: oidc-usermodel-realm-role-mapper
+    consentRequired: false
+    config:
+      user.attribute: foo
+      access.token.claim: 'true'
+      claim.name: realm_access.roles
+      jsonType.label: String
+      multivalued: 'true'
+  - name: client roles
+    protocol: openid-connect
+    protocolMapper: oidc-usermodel-client-role-mapper
+    consentRequired: false
+    config:
+      user.attribute: foo
+      access.token.claim: 'true'
+      claim.name: resource_access.${client_id}.roles
+      jsonType.label: String
+      multivalued: 'true'
+- name: groups
+  description: Membership to a group
+  protocol: openid-connect
+  attributes:
+    include.in.token.scope: 'true'
+    display.on.consent.screen: 'true'
+    gui.order: ''
+    consent.screen.text: ''
+  protocolMappers:
+  - name: groups
+    protocol: openid-connect
+    protocolMapper: oidc-group-membership-mapper
+    consentRequired: false
+    config:
+      full.path: 'false'
+      id.token.claim: 'true'
+      access.token.claim: 'true'
+      claim.name: groups
+      userinfo.token.claim: 'true'
+- name: acr
+  description: OpenID Connect scope for add acr (authentication context class reference)
+    to the token
+  protocol: openid-connect
+  attributes:
+    include.in.token.scope: 'false'
+    display.on.consent.screen: 'false'
+  protocolMappers:
+  - name: acr loa level
+    protocol: openid-connect
+    protocolMapper: oidc-acr-mapper
+    consentRequired: false
+    config:
+      id.token.claim: 'true'
+      access.token.claim: 'true'
+- name: profile
+  description: 'OpenID Connect built-in scope: profile'
+  protocol: openid-connect
+  attributes:
+    include.in.token.scope: 'true'
+    display.on.consent.screen: 'true'
+    consent.screen.text: "${profileScopeConsentText}"
+  protocolMappers:
+  - name: profile
+    protocol: openid-connect
+    protocolMapper: oidc-usermodel-attribute-mapper
+    consentRequired: false
+    config:
+      userinfo.token.claim: 'true'
+      user.attribute: profile
+      id.token.claim: 'true'
+      access.token.claim: 'true'
+      claim.name: profile
+      jsonType.label: String
+  - name: given name
+    protocol: openid-connect
+    protocolMapper: oidc-usermodel-property-mapper
+    consentRequired: false
+    config:
+      userinfo.token.claim: 'true'
+      user.attribute: firstName
+      id.token.claim: 'true'
+      access.token.claim: 'true'
+      claim.name: given_name
+      jsonType.label: String
+  - name: website
+    protocol: openid-connect
+    protocolMapper: oidc-usermodel-attribute-mapper
+    consentRequired: false
+    config:
+      userinfo.token.claim: 'true'
+      user.attribute: website
+      id.token.claim: 'true'
+      access.token.claim: 'true'
+      claim.name: website
+      jsonType.label: String
+  - name: zoneinfo
+    protocol: openid-connect
+    protocolMapper: oidc-usermodel-attribute-mapper
+    consentRequired: false
+    config:
+      userinfo.token.claim: 'true'
+      user.attribute: zoneinfo
+      id.token.claim: 'true'
+      access.token.claim: 'true'
+      claim.name: zoneinfo
+      jsonType.label: String
+  - name: locale
+    protocol: openid-connect
+    protocolMapper: oidc-usermodel-attribute-mapper
+    consentRequired: false
+    config:
+      userinfo.token.claim: 'true'
+      user.attribute: locale
+      id.token.claim: 'true'
+      access.token.claim: 'true'
+      claim.name: locale
+      jsonType.label: String
+  - name: gender
+    protocol: openid-connect
+    protocolMapper: oidc-usermodel-attribute-mapper
+    consentRequired: false
+    config:
+      userinfo.token.claim: 'true'
+      user.attribute: gender
+      id.token.claim: 'true'
+      access.token.claim: 'true'
+      claim.name: gender
+      jsonType.label: String
+  - name: family name
+    protocol: openid-connect
+    protocolMapper: oidc-usermodel-property-mapper
+    consentRequired: false
+    config:
+      userinfo.token.claim: 'true'
+      user.attribute: lastName
+      id.token.claim: 'true'
+      access.token.claim: 'true'
+      claim.name: family_name
+      jsonType.label: String
+  - name: username
+    protocol: openid-connect
+    protocolMapper: oidc-usermodel-property-mapper
+    consentRequired: false
+    config:
+      userinfo.token.claim: 'true'
+      user.attribute: username
+      id.token.claim: 'true'
+      access.token.claim: 'true'
+      claim.name: preferred_username
+      jsonType.label: String
+  - name: middle name
+    protocol: openid-connect
+    protocolMapper: oidc-usermodel-attribute-mapper
+    consentRequired: false
+    config:
+      userinfo.token.claim: 'true'
+      user.attribute: middleName
+      id.token.claim: 'true'
+      access.token.claim: 'true'
+      claim.name: middle_name
+      jsonType.label: String
+  - name: birthdate
+    protocol: openid-connect
+    protocolMapper: oidc-usermodel-attribute-mapper
+    consentRequired: false
+    config:
+      userinfo.token.claim: 'true'
+      user.attribute: birthdate
+      id.token.claim: 'true'
+      access.token.claim: 'true'
+      claim.name: birthdate
+      jsonType.label: String
+  - name: updated at
+    protocol: openid-connect
+    protocolMapper: oidc-usermodel-attribute-mapper
+    consentRequired: false
+    config:
+      userinfo.token.claim: 'true'
+      user.attribute: updatedAt
+      id.token.claim: 'true'
+      access.token.claim: 'true'
+      claim.name: updated_at
+      jsonType.label: long
+  - name: full name
+    protocol: openid-connect
+    protocolMapper: oidc-full-name-mapper
+    consentRequired: false
+    config:
+      id.token.claim: 'true'
+      access.token.claim: 'true'
+      userinfo.token.claim: 'true'
+  - name: nickname
+    protocol: openid-connect
+    protocolMapper: oidc-usermodel-attribute-mapper
+    consentRequired: false
+    config:
+      userinfo.token.claim: 'true'
+      user.attribute: nickname
+      id.token.claim: 'true'
+      access.token.claim: 'true'
+      claim.name: nickname
+      jsonType.label: String
+  - name: picture
+    protocol: openid-connect
+    protocolMapper: oidc-usermodel-attribute-mapper
+    consentRequired: false
+    config:
+      userinfo.token.claim: 'true'
+      user.attribute: picture
+      id.token.claim: 'true'
+      access.token.claim: 'true'
+      claim.name: picture
+      jsonType.label: String
+- name: address
+  description: 'OpenID Connect built-in scope: address'
+  protocol: openid-connect
+  attributes:
+    include.in.token.scope: 'true'
+    display.on.consent.screen: 'true'
+    consent.screen.text: "${addressScopeConsentText}"
+  protocolMappers:
+  - name: address
+    protocol: openid-connect
+    protocolMapper: oidc-address-mapper
+    consentRequired: false
+    config:
+      user.attribute.formatted: formatted
+      user.attribute.country: country
+      user.attribute.postal_code: postal_code
+      userinfo.token.claim: 'true'
+      user.attribute.street: street
+      id.token.claim: 'true'
+      user.attribute.region: region
+      access.token.claim: 'true'
+      user.attribute.locality: locality
+- name: web-origins
+  description: OpenID Connect scope for add allowed web origins to the access token
+  protocol: openid-connect
+  attributes:
+    include.in.token.scope: 'false'
+    display.on.consent.screen: 'false'
+    consent.screen.text: ''
+  protocolMappers:
+  - name: allowed web origins
+    protocol: openid-connect
+    protocolMapper: oidc-allowed-origins-mapper
+    consentRequired: false
+    config: {}
+- name: phone
+  description: 'OpenID Connect built-in scope: phone'
+  protocol: openid-connect
+  attributes:
+    include.in.token.scope: 'true'
+    display.on.consent.screen: 'true'
+    consent.screen.text: "${phoneScopeConsentText}"
+  protocolMappers:
+  - name: phone number verified
+    protocol: openid-connect
+    protocolMapper: oidc-usermodel-attribute-mapper
+    consentRequired: false
+    config:
+      userinfo.token.claim: 'true'
+      user.attribute: phoneNumberVerified
+      id.token.claim: 'true'
+      access.token.claim: 'true'
+      claim.name: phone_number_verified
+      jsonType.label: boolean
+  - name: phone number
+    protocol: openid-connect
+    protocolMapper: oidc-usermodel-attribute-mapper
+    consentRequired: false
+    config:
+      userinfo.token.claim: 'true'
+      user.attribute: phoneNumber
+      id.token.claim: 'true'
+      access.token.claim: 'true'
+      claim.name: phone_number
+      jsonType.label: String
+- name: offline_access
+  description: 'OpenID Connect built-in scope: offline_access'
+  protocol: openid-connect
+  attributes:
+    consent.screen.text: "${offlineAccessScopeConsentText}"
+    display.on.consent.screen: 'true'
+- name: role_list
+  description: SAML role list
+  protocol: saml
+  attributes:
+    consent.screen.text: "${samlRoleListScopeConsentText}"
+    display.on.consent.screen: 'true'
+  protocolMappers:
+  - name: role list
+    protocol: saml
+    protocolMapper: saml-role-list-mapper
+    consentRequired: false
+    config:
+      single: 'false'
+      attribute.nameformat: Basic
+      attribute.name: Role
+- name: microprofile-jwt
+  description: Microprofile - JWT built-in scope
+  protocol: openid-connect
+  attributes:
+    include.in.token.scope: 'true'
+    display.on.consent.screen: 'false'
+  protocolMappers:
+  - name: upn
+    protocol: openid-connect
+    protocolMapper: oidc-usermodel-property-mapper
+    consentRequired: false
+    config:
+      userinfo.token.claim: 'true'
+      user.attribute: username
+      id.token.claim: 'true'
+      access.token.claim: 'true'
+      claim.name: upn
+      jsonType.label: String
+  - name: groups
+    protocol: openid-connect
+    protocolMapper: oidc-usermodel-realm-role-mapper
+    consentRequired: false
+    config:
+      multivalued: 'true'
+      user.attribute: foo
+      id.token.claim: 'true'
+      access.token.claim: 'true'
+      claim.name: groups
+      jsonType.label: String
+- name: email
+  description: 'OpenID Connect built-in scope: email'
+  protocol: openid-connect
+  attributes:
+    include.in.token.scope: 'true'
+    display.on.consent.screen: 'true'
+    consent.screen.text: "${emailScopeConsentText}"
+  protocolMappers:
+  - name: email
+    protocol: openid-connect
+    protocolMapper: oidc-usermodel-property-mapper
+    consentRequired: false
+    config:
+      userinfo.token.claim: 'true'
+      user.attribute: email
+      id.token.claim: 'true'
+      access.token.claim: 'true'
+      claim.name: email
+      jsonType.label: String
+  - name: email verified
+    protocol: openid-connect
+    protocolMapper: oidc-usermodel-property-mapper
+    consentRequired: false
+    config:
+      userinfo.token.claim: 'true'
+      user.attribute: emailVerified
+      id.token.claim: 'true'
+      access.token.claim: 'true'
+      claim.name: email_verified
+      jsonType.label: boolean
+{{- end }}
+
+{{/*
+Renders the groups section in a realm.
+Usage:
+{{ include "auth._groups" ( dict "dot" .Values) }}
+*/}}
+{{- define "auth._groups" -}}
+{{- $dot := default . .dot -}}
+{{- if $dot.groups }}
+groups:
+{{-   range $index, $group := $dot.groups }}
+  - name: "{{ $group.name }}"
+    path: "{{ $group.path }}"
+    attributes: {}
+    {{- if $group.roles }}
+    realmRoles:
+      {{- range $index2, $groupRole := $group.roles }}
+      - "{{ $groupRole }}"
+      {{- end }}
+    {{- else }}
+    realmRoles: []
+    {{- end }}
+    clientRoles: {}
+    subGroups: []
+{{-   end }}
+{{- else }}
+groups: []
+{{- end }}
+{{- end }}
+
+{{/*
+Renders the users section in a realm.
+Usage:
+{{ include "auth._users" ( dict "dot" .Values) }}
+*/}}
+{{- define "auth._users" -}}
+{{- $dot := default . .dot -}}
+{{- if $dot.initialUsers }}
+users:
+  {{- range $index, $user := $dot.initialUsers }}
+  - username: "{{ $user.username }}"
+    enabled: true
+    totp: false
+    email: "{{ default "" $user.email }}"
+    emailVerified: true
+    {{- if $user.attributes }}
+    attributes:
+      {{ toYaml $user.attributes | nindent 6 }}
+    {{- else }}
+    attributes: {}
+    {{- end }}
+    {{- if $user.password }}
+    credentials:
+      - type: "password"
+        temporary: false
+        value: "{{ $user.password }}"
+    {{- end }}
+    {{- if $user.credentials }}
+    credentials:
+      {{ toYaml $user.credentials | nindent 6 }}
+    {{- end }}
+    disableableCredentialTypes: []
+    requiredActions: []
+    {{- if $user.realmRoles }}
+    realmRoles:
+      {{- range $index2, $realmRole := $user.realmRoles }}
+      - "{{ $realmRole }}"
+      {{- end }}
+    {{- else }}
+    realmRoles: [ "default-roles-{{ $dot.name }}" ]
+    {{- end }}
+    {{- if $user.clientRoles }}
+    clientRoles:
+      {{ toYaml $user.clientRoles | nindent 6 }}
+    {{- end }}
+    notBefore: 0
+    groups: {{ $user.groups | toJson  }}
+  {{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Renders the identityProviders section in a realm.
+Usage:
+{{ include "auth._identity" ( dict "dot" .Values) }}
+*/}}
+{{- define "auth._identity" -}}
+{{- $dot := default . .dot -}}
+{{- if $dot.identityProviders }}
+identityProviders:
+{{-  range $index, $provider := $dot.identityProviders }}
+  - alias: {{ $provider.name }}
+    displayName: {{ $provider.displayName }}
+    providerId: oidc
+    enabled: true
+    updateProfileFirstLoginMode: "on"
+    trustEmail: true
+    storeToken: true
+    addReadTokenRoleOnCreate: true
+    authenticateByDefault: false
+    linkOnly: false
+    firstBrokerLoginFlowAlias: "first broker login"
+    config:
+      {{ toYaml $provider.config | nindent 6 }}
+{{-   end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Renders the identityProviderMappers section in a realm.
+Usage:
+{{ include "auth._identityMapper" ( dict "dot" .Values) }}
+*/}}
+{{- define "auth._identityMapper" -}}
+{{- $dot := default . .dot -}}
+{{- if $dot.identityProviderMappers }}
+identityProviderMappers:
+{{-  range $index, $mapper := $dot.identityProviderMappers }}
+  - name: {{ $mapper.name }}
+    identityProviderAlias: {{ $mapper.identityProviderAlias }}
+    identityProviderMapper: {{ $mapper.identityProviderMapper }}
+    config:
+      {{ toYaml $mapper.config | nindent 6 }}
+{{-   end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Renders the attributes section in a realm.
+Usage:
+{{ include "auth._attributes" ( dict "dot" . "realm" $realm ) }}
+*/}}
+{{- define "auth._attributes" -}}
+{{- $dot := default . .dot -}}
+{{- $realm := (required "'realm' param, set to the specific service, is required." .realm) -}}
+attributes:
+  frontentUrl: {{ tpl $realm.attributes.frontendUrl $dot }}
+  acr.loa.map: "{\"ABC\":\"5\"}"
+{{- end }}
diff --git a/kubernetes/authentication/templates/authorizationpolicy.yaml b/kubernetes/authentication/templates/authorizationpolicy.yaml
new file mode 100644
index 0000000000..f4857bdbac
--- /dev/null
+++ b/kubernetes/authentication/templates/authorizationpolicy.yaml
@@ -0,0 +1,90 @@
+{{/*
+# Copyright © 2024 Tata Communication Limited (TCL), Deutsche Telekom AG
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+{{- if .Values.ingressAuthentication.enabled }}
+---
+{{- $dot := . }}
+{{- range $index, $realm := .Values.realmSettings }}
+{{-   range $key, $accessRole := $realm.accessControl.accessRoles }}
+{{-     range $index, $role := get $realm.accessControl.accessRoles $key }}
+apiVersion: security.istio.io/v1
+kind: AuthorizationPolicy
+metadata:
+  name: {{ $key }}-{{ $role.name }}-jwt
+  namespace: istio-ingress
+spec:
+  action: ALLOW
+  rules:
+  - to:
+    - operation:
+        hosts:
+        - {{ include "ingress.config.host" (dict "dot" $dot "baseaddr" $role.servicePrefix) }}
+        methods:
+        {{- range $role.methodsAllowed }}
+        - {{ . }}
+        {{- end }}
+    when:
+    - key: request.auth.claims[onap_roles]
+      values:
+      - {{ $role.name }}
+  selector:
+    matchLabels:
+      istio: ingress
+---
+{{-     end }}
+{{-   end }}
+{{- end }}
+apiVersion: security.istio.io/v1
+kind: AuthorizationPolicy
+metadata:
+  name: {{ .Release.Name }}-custom-action
+  namespace: istio-ingress
+spec:
+  action: CUSTOM
+  provider:
+    name: oauth2-proxy
+  rules:
+  - to:
+    - operation:
+        notHosts:
+          {{- if .Values.ingressAuthentication.exceptions }}
+          {{- range $index, $url := .Values.ingressAuthentication.exceptions }}
+          - {{ tpl $url $dot }}
+          {{- end }}
+          {{- end }}
+  selector:
+    matchLabels:
+      istio: ingress
+---
+apiVersion: security.istio.io/v1
+kind: AuthorizationPolicy
+metadata:
+  name: {{ .Release.Name }}-allowed-exceptions
+  namespace: istio-ingress
+spec:
+  action: ALLOW
+  rules:
+  - to:
+    - operation:
+        hosts:
+          {{- if .Values.ingressAuthentication.exceptions }}
+          {{- range $index, $url := .Values.ingressAuthentication.exceptions }}
+          - {{ tpl $url $dot }}
+          {{- end }}
+          {{- end }}
+  selector:
+    matchLabels:
+      istio: ingress
+{{- end }}
\ No newline at end of file
diff --git a/kubernetes/authentication/templates/configmap.yaml b/kubernetes/authentication/templates/configmap.yaml
new file mode 100644
index 0000000000..f373754379
--- /dev/null
+++ b/kubernetes/authentication/templates/configmap.yaml
@@ -0,0 +1,23 @@
+{{/*
+# Copyright © 2024 Tata Communication Limited (TCL), Deutsche Telekom AG
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: oauth2-onap-config
+  namespace: {{ include "common.namespace" . }}
+data:
+{{ tpl (.Files.Glob "resources/oauth2_proxy.cfg").AsConfig . | indent 2 }}
diff --git a/kubernetes/authentication/templates/requestauthentication.yaml b/kubernetes/authentication/templates/requestauthentication.yaml
new file mode 100644
index 0000000000..036680d7cb
--- /dev/null
+++ b/kubernetes/authentication/templates/requestauthentication.yaml
@@ -0,0 +1,36 @@
+{{/*
+# Copyright © 2024 Tata Communication Limited (TCL), Deutsche Telekom AG
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+*/}}
+{{- if .Values.ingressAuthentication.enabled }}
+---
+apiVersion: security.istio.io/v1beta1
+kind: RequestAuthentication
+metadata:
+  name: {{ .Release.Name }}-request-auth
+  namespace: istio-ingress
+spec:
+  selector:
+    matchLabels:
+      istio: ingress
+  jwtRules:
+  {{- $dot := . }}
+  {{- range $index, $realm := .Values.realmSettings }}
+  - issuer: "https://{{ include "ingress.config.host" (dict "dot" $dot "baseaddr" "keycloak-ui") }}/{{ $dot.Values.keycloak.relativePath }}realms/{{ $realm.name }}"
+    jwksUri: {{ $dot.Values.keycloak.intURL }}realms/{{ $realm.name }}/protocol/openid-connect/certs
+  {{- end }}
+  - issuer: "https://{{ include "ingress.config.host" (dict "dot" $dot "baseaddr" "keycloak-ui") }}/{{ .Values.keycloak.relativePath }}realms/master"
+    jwksUri: {{ .Values.keycloak.intURL }}realms/master/protocol/openid-connect/certs
+    forwardOriginalToken: true
+{{- end }}
\ No newline at end of file
diff --git a/kubernetes/platform/components/keycloak-init/templates/secret.yaml b/kubernetes/authentication/templates/secret.yaml
index 0d9b387dfa..1488be6969 100644
--- a/kubernetes/platform/components/keycloak-init/templates/secret.yaml
+++ b/kubernetes/authentication/templates/secret.yaml
@@ -9,9 +9,8 @@ metadata:
     chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
     release: {{ include "common.release" . }}
     heritage: {{ .Release.Service }}
-{{- with .Files.Glob "resources/realms/*json" }}
 data:
-{{- range $path, $bytes := . }}
-  {{ base $path }}: {{ tpl ($.Files.Get $path) $ | b64enc | quote }}
-{{- end }}
-{{- end }}
+{{- $dot := . }}
+{{- range $realm := .Values.realmSettings }}
+  {{ $realm.name }}: {{ include "auth.realm" (dict "dot" $dot "realm" $realm) | fromYaml | toPrettyJson | indent 2 | b64enc | quote }}
+{{- end -}}
diff --git a/kubernetes/authentication/values.yaml b/kubernetes/authentication/values.yaml
new file mode 100644
index 0000000000..94e9f7031c
--- /dev/null
+++ b/kubernetes/authentication/values.yaml
@@ -0,0 +1,585 @@
+# Copyright © 2024, Deutsche Telekom
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#       http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+global:
+  # Global ingress configuration
+  ingress:
+    enabled: false
+    virtualhost:
+      baseurl: "simpledemo.onap.org"
+      # prefix for baseaddr
+      # can be overwritten in component by setting ingress.preaddrOverride
+      preaddr: ""
+      # postfix for baseaddr
+      # can be overwritten in component by setting ingress.postaddrOverride
+      postaddr: ""
+
+keycloak:
+  intURL: "http://keycloak-keycloakx-http.keycloak.svc.cluster.local/"
+  relativePath: "auth/"
+ingressAuthentication:
+  enabled: false
+  exceptions:
+    - '{{ include "ingress.config.host" (dict "dot" . "baseaddr" "keycloak-ui") }}'
+    - '{{ include "ingress.config.host" (dict "dot" . "baseaddr" "portal-ui") }}'
+    - '{{ include "ingress.config.host" (dict "dot" . "baseaddr" "minio-console") }}'
+    - '{{ include "ingress.config.host" (dict "dot" . "baseaddr" "uui-server") }}'
+
+onap-keycloak-config-cli:
+  image:
+    pullSecrets:
+      - name: onap-docker-registry-key
+  #existingSecret: "keycloak-keycloakx-admin-creds"
+  env:
+    # internal KC URL plus relative path
+    KEYCLOAK_URL: "http://keycloak-keycloakx-http.keycloak.svc.cluster.local/auth/"
+    KEYCLOAK_SSLVERIFY: "false"
+    KEYCLOAK_AVAILABILITYCHECK_ENABLED: "true"
+  secrets:
+    KEYCLOAK_PASSWORD: secret
+  existingConfigSecret: "keycloak-config-cli-config-realms"
+
+onap-oauth2-proxy:
+  # Oauth client configuration specifics
+  config:
+    # Create a new secret with the following command
+    # openssl rand -base64 32 | head -c 32 | base64
+    cookieSecret: "CbgXFXDJ16laaCfChtFBpKy1trNEmJZDIjaiaIMLyRA="
+    clientID: &clientID "oauth2-proxy-onap"
+    # To be set in helmfile
+    clientSecret: &clientSecret "5YSOkJz99WHv8enDZPknzJuGqVSerELp"
+    # To be set in helmfile
+    cookieName: "onap-cookie"
+    # settings see https://github.com/oauth2-proxy/oauth2-proxy/blob/master/docs/docs/configuration/overview.md
+    existingConfig: "oauth2-onap-config"
+
+  # Configure the session storage type, between cookie and redis
+  sessionStorage:
+    # Can be one of the supported session storage cookie|redis
+    type: redis
+    redis:
+      # Name of the Kubernetes secret containing the redis & redis sentinel password values (see also `sessionStorage.redis.passwordKey`)
+      existingSecret: "onap-authentication-redis"
+      # Redis password value. Applicable for all Redis configurations. Taken from redis subchart secret if not set. `sessionStorage.redis.existingSecret` takes precedence
+      password: ""
+      # Key of the Kubernetes secret data containing the redis password value
+      passwordKey: "redis-password"
+      # Can be one of standalone|cluster|sentinel
+      clientType: "sentinel"
+      standalone:
+        # URL of redis standalone server for redis session storage (e.g. `redis://HOST[:PORT]`). Automatically generated if not set
+        connectionUrl: ""
+      cluster:
+        # List of Redis cluster connection URLs (e.g. `["redis://127.0.0.1:8000", "redis://127.0.0.1:8000"]`)
+        connectionUrls: []
+      sentinel:
+        # Name of the Kubernetes secret containing the redis sentinel password value (see also `sessionStorage.redis.sentinel.passwordKey`). Default: `sessionStorage.redis.existingSecret`
+        existingSecret: ""
+        # Redis sentinel password. Used only for sentinel connection; any redis node passwords need to use `sessionStorage.redis.password`
+        password: ""
+        # Key of the Kubernetes secret data containing the redis sentinel password value
+        passwordKey: "redis-password"
+        # Redis sentinel master name
+        masterName: "mymaster"
+        # List of Redis sentinel connection URLs (e.g. `["redis://127.0.0.1:8000", "redis://127.0.0.1:8000"]`)
+        connectionUrls: "redis://onap-authentication-redis-node-0.onap-authentication-redis-headless.onap:26379,redis://onap-authentication-redis-node-1.onap-authentication-redis-headless.onap:26379,redis://onap-authentication-redis-node-2.onap-authentication-redis-headless.onap:26379"
+
+  # Enables and configure the automatic deployment of the redis subchart
+  redis:
+    # provision an instance of the redis sub-chart
+    enabled: true
+    sentinel:
+      enabled: true
+
+serviceAccount:
+  nameOverride: keycloak-init
+  roles:
+    - read
+
+realmSettings:
+  - name: onap
+    displayName: "ONAP Realm"
+    attributes:
+      frontendUrl: 'https://{{ include "ingress.config.host" (dict "dot" . "baseaddr" "keycloak-ui") }}/{{ .Values.keycloak.relativePath }}'
+    themes:
+      login: "base"
+      admin: "base"
+      account: "base"
+      email: "base"
+    groups:
+      - name: admins
+        path: /admins
+        roles: [ "platform-all-full" ]
+      - name: contributors
+        path: /contributors
+        roles: [ "platform-all-write" ]
+      - name: readers
+        path: /readers
+        roles: [ "platform-all-read" ]
+    initialUsers:
+      - username: "onap-admin"
+        credentials:
+          - type: password
+            secretData: "{\"value\":\"nD4K4x8HEgk6xlWIAgzZOE+EOjdbovJfEa7N3WXwIMCWCfdXpn7Riys7hZhI1NbKcc9QPI9j8LQB/JSuZVcXKA==\",\"salt\":\"T8X9A9tT2cyLvEjHFo+zuQ==\",\"additionalParameters\":{}}"
+            credentialData : "{\"hashIterations\":27500,\"algorithm\":\"pbkdf2-sha256\",\"additionalParameters\":{}}"
+        attributes:
+          sdc_user:
+            - "cs0008"
+        realmRoles:
+          - default-roles-onap
+          - portal_admin
+        groups: []
+      - username: "onap-designer"
+        credentials: []
+        attributes:
+          sdc_user:
+            - "cs0008"
+        realmRoles:
+          - default-roles-onap
+          - portal_designer
+        groups: []
+      - username: "onap-operator"
+        credentials: []
+        attributes:
+          sdc_user:
+            - "cs0008"
+        realmRoles:
+          - default-roles-onap
+          - portal_operator
+        groups: []
+      - username: "service-account-portal-bff"
+        serviceAccountClientId: "portal-bff"
+        credentials: []
+        clientRoles:
+          realm-management:
+            - manage-realm
+            - manage-users
+        groups: []
+      - username: adminek
+        password: Adminek
+        email: "onap-admin@amartus.com"
+        groups:
+          - admins
+      - username: onapadmin
+        password: ONAPAdmin
+        email: "onap-admin1@amartus.com"
+        groups:
+          - admins
+      - username: contributor
+        password: Contributor
+        email: "onap-contributor@amartus.com"
+        groups:
+          - contributors
+      - username: reader
+        password: Reader
+        email: "onap-reader@amartus.com"
+        groups:
+          - readers
+    clients:
+      oauth2_proxy:
+        clientId: *clientID
+        name: "Oauth2 Proxy"
+        secret: *clientSecret
+        protocol: openid-connect
+        protocolMappers:
+          - name: "Audience for Oauth2Proxy"
+            protocolMapper: "oidc-audience-mapper"
+            config:
+              included.client.audience: "oauth2-proxy-onap"
+              id.token.claim: "false"
+              access.token.claim: "true"
+              included.custom.audience: "oauth2-proxy-onap"
+          - name: "SDC-User"
+            protocolMapper: "oidc-usermodel-attribute-mapper"
+            config:
+              multivalued: "false"
+              userinfo.token.claim: "true"
+              user.attribute: "sdc_user"
+              id.token.claim: "true"
+              access.token.claim: "true"
+              claim.name: "sdc_user"
+              jsonType.label: "String"
+        additionalDefaultScopes:
+          - "onap_roles"
+      portal_app:
+        clientId: "portal-app"
+        redirectUris:
+          - 'https://{{ include "ingress.config.host" (dict "dot" . "baseaddr" "portal-ng-ui") }}/*'
+          - 'http://localhost/*'
+        protocol: openid-connect
+        additionalAttributes:
+          post.logout.redirect.uris: 'https://{{ include "ingress.config.host" (dict "dot" . "baseaddr" "portal-ng-ui") }}/*'
+        protocolMappers:
+          - name: "User-Roles"
+            protocolMapper: "oidc-usermodel-attribute-mapper"
+            config:
+              userinfo.token.claim: "true"
+              id.token.claim: "true"
+              access.token.claim: "true"
+              claim.name: "roles"
+              multivalued: "true"
+          - name: "SDC-User"
+            protocolMapper: "oidc-usermodel-attribute-mapper"
+            config:
+              userinfo.token.claim: "true"
+              user.attribute: "sdc_user"
+              id.token.claim: "true"
+              access.token.claim: "true"
+              claim.name: "sdc_user"
+              jsonType.label: "String"
+      portal_bff:
+        clientId: "portal-bff"
+        protocol: openid-connect
+        secret : pKOuVH1bwRZoNzp5P5t4GV8CqcCJYVtr
+        protocolMappers:
+          - name: "Client Host"
+            protocolMapper: "oidc-usersessionmodel-note-mapper"
+            config:
+              user.session.note : "clientHost"
+              id.token.claim : "true"
+              access.token.claim : "true"
+              claim.name : "clientHost"
+              jsonType.label : "String"
+          - name: "Client IP Address"
+            protocolMapper: "oidc-usersessionmodel-note-mapper"
+            config:
+              user.session.note : "clientAddress"
+              id.token.claim : "true"
+              access.token.claim : "true"
+              claim.name : "clientAddress"
+              jsonType.label : "String"
+    defaultClientScopes:
+      - "onap_roles"
+    additionalClientScopes:
+      - name: onap_roles
+        description: OpenID Connect scope for add user onap roles to the access token
+        protocolMappers:
+        - name: aud
+          protocol: openid-connect
+          protocolMapper: oidc-audience-mapper
+          consentRequired: false
+          config:
+            included.client.audience: oauth2-proxy
+            id.token.claim: 'false'
+            access.token.claim: 'true'
+        - name: client roles
+          protocol: openid-connect
+          protocolMapper: oidc-usermodel-client-role-mapper
+          consentRequired: false
+          config:
+            multivalued: 'true'
+            userinfo.token.claim: 'false'
+            id.token.claim: 'true'
+            access.token.claim: 'true'
+            claim.name: onap_roles
+            jsonType.label: String
+            usermodel.clientRoleMapping.clientId: oauth2-proxy
+    accessControl:
+      assignableRoles:
+        - name: portal_admin
+          description: "User role for administration tasks in the portal."
+        - name: portal_designer
+          description: "User role for designer tasks in the portal."
+        - name: portal_operator
+          description: "User role for operator tasks in the portal."
+        - name: onap-operator-read
+          description: "Allows to perform GET operations for all ONAP components"
+          associatedAccessRoles: [ "dmaap-bc-api-read", "dmaap-dr-node-api-read", "dmaap-dr-prov-api-read", "dmaap-mr-api-read", "msb-consul-api-read", "msb-discovery-api-read", "msb-eag-ui-read", "msb-iag-ui-read", "nbi-api-read", "aai-api-read", "aai-babel-api-read", "aai-sparkybe-api-read", "cds-blueprintsprocessor-api-read", "cds-ui-read", "cps-core-api-read", "cps-ncmp-dmi-plugin-api-read", "cps-temporal-api-read", "reaper-dc1-read", "sdc-be-api-read", "sdc-fe-ui-read", "sdc-wfd-be-api-read", "sdc-wfd-fe-ui-read", "so-admin-cockpit-ui-read", "so-api-read", "usecase-ui-read", "uui-server-read" ]
+        - name: onap-operator-write
+          description: "Allows to perform GET, POST, PUT, PATCH operations for all ONAP components"
+          associatedAccessRoles: [ "dmaap-bc-api-write", "dmaap-dr-node-api-write", "dmaap-dr-prov-api-write", "dmaap-mr-api-write", "msb-consul-api-write", "msb-discovery-api-write", "msb-eag-ui-write", "msb-iag-ui-write", "nbi-api-write", "aai-api-write", "aai-babel-api-write", "aai-sparkybe-api-write", "cds-blueprintsprocessor-api-write", "cds-ui-write", "cps-core-api-write", "cps-ncmp-dmi-plugin-api-write", "cps-temporal-api-write", "reaper-dc1-write", "sdc-be-api-write", "sdc-fe-ui-write", "sdc-wfd-be-api-write", "sdc-wfd-fe-ui-write", "so-admin-cockpit-ui-write", "so-api-write", "usecase-ui-write",  "uui-server-write" ]
+        - name: onap-operator-full
+          description: "Allows to perform GET, POST, PUT, PATCH, DELETE operations for all ONAP components"
+          associatedAccessRoles: [ "dmaap-bc-api-full", "dmaap-dr-node-api-full", "dmaap-dr-prov-api-full", "dmaap-mr-api-full", "msb-consul-api-full", "msb-discovery-api-full", "msb-eag-ui-full", "msb-iag-ui-full", "nbi-api-full", "aai-api-full", "aai-babel-api-full", "aai-sparkybe-api-full", "cds-blueprintsprocessor-api-full", "cds-ui-full", "cps-core-api-full", "cps-ncmp-dmi-plugin-api-full", "cps-temporal-api-full", "reaper-dc1-full", "sdc-be-api-full", "sdc-fe-ui-full", "sdc-wfd-be-api-full", "sdc-wfd-fe-ui-full", "so-admin-cockpit-ui-full", "so-api-full", "usecase-ui-full", "uui-server-full" ]
+        - name: platform-operator-read
+          description: "Allows to perform GET operations for all ONAP components"
+          associatedAccessRoles: [ "grafana-read", "kibana-read" ]
+        - name: platform-operator-write
+          description: "Allows to perform GET, POST, PUT, PATCH operations for all ONAP components"
+          associatedAccessRoles: [ "grafana-write", "kibana-write" ]
+        - name: platform-operator-full
+          description: "Allows to perform GET, POST, PUT, PATCH, DELETE operations for all ONAP components"
+          associatedAccessRoles: [ "grafana-full", "kibana-full" ]
+        - name: platform-all-read
+          description: "Allows to perform GET operations for all PLATFORM components"
+          associatedAccessRoles: [ "dmaap-bc-api-read", "dmaap-dr-node-api-read", "dmaap-dr-prov-api-read", "dmaap-mr-api-read", "msb-consul-api-read", "msb-discovery-api-read", "msb-eag-ui-read", "msb-iag-ui-read", "nbi-api-read", "aai-api-read", "aai-babel-api-read", "aai-sparkybe-api-read", "cds-blueprintsprocessor-api-read", "cds-ui-read", "cps-core-api-read", "cps-ncmp-dmi-plugin-api-read", "cps-temporal-api-read", "grafana-read", "kibana-read", "reaper-dc1-read", "sdc-be-api-read", "sdc-fe-ui-read", "sdc-wfd-be-api-read", "sdc-wfd-fe-ui-read", "so-admin-cockpit-ui-read", "so-api-read", "usecase-ui-read", "uui-server-read" ]
+        - name: platform-all-write
+          description: "Allows to perform GET, POST, PUT, PATCH operations for all PLATFORM components"
+          associatedAccessRoles: [ "dmaap-bc-api-write", "dmaap-dr-node-api-write", "dmaap-dr-prov-api-write", "dmaap-mr-api-write", "msb-consul-api-write", "msb-discovery-api-write", "msb-eag-ui-write", "msb-iag-ui-write", "nbi-api-write", "aai-api-write", "aai-babel-api-write", "aai-sparkybe-api-write", "cds-blueprintsprocessor-api-write", "cds-ui-write", "cps-core-api-write", "cps-ncmp-dmi-plugin-api-write", "cps-temporal-api-write", "grafana-write", "kibana-write", "reaper-dc1-write", "sdc-be-api-write", "sdc-fe-ui-write", "sdc-wfd-be-api-write", "sdc-wfd-fe-ui-write", "so-admin-cockpit-ui-write", "so-api-write", "usecase-ui-write",  "uui-server-write" ]
+        - name: platform-all-full
+          description: "Allows to perform GET, POST, PUT, PATCH, DELETE operations for all PLATFORM components"
+          associatedAccessRoles: [ "dmaap-bc-api-full", "dmaap-dr-node-api-full", "dmaap-dr-prov-api-full", "dmaap-mr-api-full", "msb-consul-api-full", "msb-discovery-api-full", "msb-eag-ui-full", "msb-iag-ui-full", "nbi-api-full", "aai-api-full", "aai-babel-api-full", "aai-sparkybe-api-full", "cds-blueprintsprocessor-api-full", "cds-ui-full", "cps-core-api-full", "cps-ncmp-dmi-plugin-api-full", "cps-temporal-api-full", "grafana-full", "kibana-full", "reaper-dc1-full", "sdc-be-api-full", "sdc-fe-ui-full", "sdc-wfd-be-api-full", "sdc-wfd-fe-ui-full", "so-admin-cockpit-ui-full", "so-api-full", "usecase-ui-full", "uui-server-full" ]
+      accessRoles:
+        "oauth2_proxy":
+        - name: dmaap-bc-api-read
+          methodsAllowed: ["GET"]
+          servicePrefix: dmaap-bc-api
+        - name: dmaap-bc-api-write
+          methodsAllowed: ["GET", "POST", "PUT", "PATCH"]
+          servicePrefix: dmaap-bc-api
+        - name: dmaap-bc-api-full
+          methodsAllowed: ["GET", "POST", "PUT", "PATCH", "DELETE"]
+          servicePrefix: dmaap-bc-api
+        - name: dmaap-dr-node-api-read
+          methodsAllowed: ["GET"]
+          servicePrefix: dmaap-dr-node-api
+        - name: dmaap-dr-node-api-write
+          methodsAllowed: ["GET", "POST", "PUT", "PATCH"]
+          servicePrefix: dmaap-dr-node-api
+        - name: dmaap-dr-node-api-full
+          methodsAllowed: ["GET", "POST", "PUT", "PATCH", "DELETE"]
+          servicePrefix: dmaap-dr-node-api
+        - name: dmaap-dr-prov-api-read
+          methodsAllowed: ["GET"]
+          servicePrefix: dmaap-dr-prov-api
+        - name: dmaap-dr-prov-api-write
+          methodsAllowed: ["GET", "POST", "PUT", "PATCH"]
+          servicePrefix: dmaap-dr-prov-api
+        - name: dmaap-dr-prov-api-full
+          methodsAllowed: ["GET", "POST", "PUT", "PATCH", "DELETE"]
+          servicePrefix: dmaap-dr-prov-api
+        - name: dmaap-mr-api-read
+          methodsAllowed: ["GET"]
+          servicePrefix: dmaap-mr-api
+        - name: dmaap-mr-api-write
+          methodsAllowed: ["GET", "POST", "PUT", "PATCH"]
+          servicePrefix: dmaap-mr-api
+        - name: dmaap-mr-api-full
+          methodsAllowed: ["GET", "POST", "PUT", "PATCH", "DELETE"]
+          servicePrefix: dmaap-mr-api
+        - name: msb-consul-api-read
+          methodsAllowed: ["GET"]
+          servicePrefix: msb-consul-api
+        - name: msb-consul-api-write
+          methodsAllowed: ["GET", "POST", "PUT", "PATCH"]
+          servicePrefix: msb-consul-api
+        - name: msb-consul-api-full
+          methodsAllowed: ["GET", "POST", "PUT", "PATCH", "DELETE"]
+          servicePrefix: msb-consul-api
+        - name: msb-discovery-api-read
+          methodsAllowed: ["GET"]
+          servicePrefix: msb-discovery-api
+        - name: msb-discovery-api-write
+          methodsAllowed: ["GET", "POST", "PUT", "PATCH"]
+          servicePrefix: msb-discovery-api
+        - name: msb-discovery-api-full
+          methodsAllowed: ["GET", "POST", "PUT", "PATCH", "DELETE"]
+          servicePrefix: msb-discovery-api
+        - name: msb-eag-ui-read
+          methodsAllowed: ["GET"]
+          servicePrefix: msb-eag-ui
+        - name: msb-eag-ui-write
+          methodsAllowed: ["GET", "POST", "PUT", "PATCH"]
+          servicePrefix: msb-eag-ui
+        - name: msb-eag-ui-full
+          methodsAllowed: ["GET", "POST", "PUT", "PATCH", "DELETE"]
+          servicePrefix: msb-eag-ui
+        - name: msb-iag-ui-read
+          methodsAllowed: ["GET"]
+          servicePrefix: msb-iag-ui
+        - name: msb-iag-ui-write
+          methodsAllowed: ["GET", "POST", "PUT", "PATCH"]
+          servicePrefix: msb-iag-ui
+        - name: msb-iag-ui-full
+          methodsAllowed: ["GET", "POST", "PUT", "PATCH", "DELETE"]
+          servicePrefix: msb-iag-ui
+        - name: nbi-api-read
+          methodsAllowed: ["GET"]
+          servicePrefix: nbi-api
+        - name: nbi-api-write
+          methodsAllowed: ["GET", "POST", "PUT", "PATCH"]
+          servicePrefix: nbi-api
+        - name: nbi-api-full
+          methodsAllowed: ["GET", "POST", "PUT", "PATCH", "DELETE"]
+          servicePrefix: nbi-api
+        - name: aai-api-read
+          methodsAllowed: ["GET"]
+          servicePrefix: aai-api
+        - name: aai-api-write
+          methodsAllowed: ["GET", "POST", "PUT", "PATCH"]
+          servicePrefix: aai-api
+        - name: aai-api-full
+          methodsAllowed: ["GET", "POST", "PUT", "PATCH", "DELETE"]
+          servicePrefix: aai-api
+        - name: aai-babel-api-read
+          methodsAllowed: ["GET"]
+          servicePrefix: aai-babel-api
+        - name: aai-babel-api-write
+          methodsAllowed: ["GET", "POST", "PUT", "PATCH"]
+          servicePrefix: aai-babel-api
+        - name: aai-babel-api-full
+          methodsAllowed: ["GET", "POST", "PUT", "PATCH", "DELETE"]
+          servicePrefix: aai-babel-api
+        - name: aai-sparkybe-api-read
+          methodsAllowed: ["GET"]
+          servicePrefix: aai-sparkybe-api
+        - name: aai-sparkybe-api-write
+          methodsAllowed: ["GET", "POST", "PUT", "PATCH"]
+          servicePrefix: aai-sparkybe-api
+        - name: aai-sparkybe-api-full
+          methodsAllowed: ["GET", "POST", "PUT", "PATCH", "DELETE"]
+          servicePrefix: aai-sparkybe-api
+        - name: cds-blueprintsprocessor-api-read
+          methodsAllowed: ["GET"]
+          servicePrefix: cds-blueprintsprocessor-api
+        - name: cds-blueprintsprocessor-api-write
+          methodsAllowed: ["GET", "POST", "PUT", "PATCH"]
+          servicePrefix: cds-blueprintsprocessor-api
+        - name: cds-blueprintsprocessor-api-full
+          methodsAllowed: ["GET", "POST", "PUT", "PATCH", "DELETE"]
+          servicePrefix: cds-blueprintsprocessor-api
+        - name: cds-ui-read
+          methodsAllowed: ["GET"]
+          servicePrefix: cds-ui
+        - name: cds-ui-write
+          methodsAllowed: ["GET", "POST", "PUT", "PATCH"]
+          servicePrefix: cds-ui
+        - name: cds-ui-full
+          methodsAllowed: ["GET", "POST", "PUT", "PATCH", "DELETE"]
+          servicePrefix: cds-ui
+        - name: cps-core-api-read
+          methodsAllowed: ["GET"]
+          servicePrefix: cps-core-api
+        - name: cps-core-api-write
+          methodsAllowed: ["GET", "POST", "PUT", "PATCH"]
+          servicePrefix: cps-core-api
+        - name: cps-core-api-full
+          methodsAllowed: ["GET", "POST", "PUT", "PATCH", "DELETE"]
+          servicePrefix: cps-core-api
+        - name: cps-ncmp-dmi-plugin-api-read
+          methodsAllowed: ["GET"]
+          servicePrefix: cps-ncmp-dmi-plugin-api
+        - name: cps-ncmp-dmi-plugin-api-write
+          methodsAllowed: ["GET", "POST", "PUT", "PATCH"]
+          servicePrefix: cps-ncmp-dmi-plugin-api
+        - name: cps-ncmp-dmi-plugin-api-full
+          methodsAllowed: ["GET", "POST", "PUT", "PATCH", "DELETE"]
+          servicePrefix: cps-ncmp-dmi-plugin-api
+        - name: cps-temporal-api-read
+          methodsAllowed: ["GET"]
+          servicePrefix: cps-temporal-api
+        - name: cps-temporal-api-write
+          methodsAllowed: ["GET", "POST", "PUT", "PATCH"]
+          servicePrefix: cps-temporal-api
+        - name: cps-temporal-api-full
+          methodsAllowed: ["GET", "POST", "PUT", "PATCH", "DELETE"]
+          servicePrefix: cps-temporal-api
+        - name: grafana-read
+          methodsAllowed: ["GET"]
+          servicePrefix: grafana
+        - name: grafana-write
+          methodsAllowed: ["GET", "POST", "PUT", "PATCH"]
+          servicePrefix: grafana
+        - name: grafana-full
+          methodsAllowed: ["GET", "POST", "PUT", "PATCH", "DELETE"]
+          servicePrefix: grafana
+        - name: kibana-read
+          methodsAllowed: ["GET"]
+          servicePrefix: kibana
+        - name: kibana-write
+          methodsAllowed: ["GET", "POST", "PUT", "PATCH"]
+          servicePrefix: kibana
+        - name: kibana-full
+          methodsAllowed: ["GET", "POST", "PUT", "PATCH", "DELETE"]
+          servicePrefix: kibana
+        - name: minio-read
+          methodsAllowed: ["GET"]
+          servicePrefix: minio-console
+        - name: minio-write
+          methodsAllowed: ["GET", "POST", "PUT", "PATCH"]
+          servicePrefix: minio-console
+        - name: minio-full
+          methodsAllowed: ["GET", "POST", "PUT", "PATCH", "DELETE"]
+          servicePrefix: minio-console
+        - name: reaper-dc1-read
+          methodsAllowed: ["GET"]
+          servicePrefix: reaper-dc1
+        - name: reaper-dc1-write
+          methodsAllowed: ["GET", "POST", "PUT", "PATCH"]
+          servicePrefix: reaper-dc1
+        - name: reaper-dc1-full
+          methodsAllowed: ["GET", "POST", "PUT", "PATCH", "DELETE"]
+          servicePrefix: reaper-dc1
+        - name: sdc-be-api-read
+          methodsAllowed: ["GET"]
+          servicePrefix: sdc-be-api
+        - name: sdc-be-api-write
+          methodsAllowed: ["GET", "POST", "PUT", "PATCH"]
+          servicePrefix: sdc-be-api
+        - name: sdc-be-api-full
+          methodsAllowed: ["GET", "POST", "PUT", "PATCH", "DELETE"]
+          servicePrefix: sdc-be-api
+        - name: sdc-fe-ui-read
+          methodsAllowed: ["GET"]
+          servicePrefix: sdc-fe-ui
+        - name: sdc-fe-ui-write
+          methodsAllowed: ["GET", "POST", "PUT", "PATCH"]
+          servicePrefix: sdc-fe-ui
+        - name: sdc-fe-ui-full
+          methodsAllowed: ["GET", "POST", "PUT", "PATCH", "DELETE"]
+          servicePrefix: sdc-fe-ui
+        - name: sdc-wfd-be-api-read
+          methodsAllowed: ["GET"]
+          servicePrefix: sdc-wfd-be-api
+        - name: sdc-wfd-be-api-write
+          methodsAllowed: ["GET", "POST", "PUT", "PATCH"]
+          servicePrefix: sdc-wfd-be-api
+        - name: sdc-wfd-be-api-full
+          methodsAllowed: ["GET", "POST", "PUT", "PATCH", "DELETE"]
+          servicePrefix: sdc-wfd-be-api
+        - name: sdc-wfd-fe-ui-read
+          methodsAllowed: ["GET"]
+          servicePrefix: sdc-wfd-fe-ui
+        - name: sdc-wfd-fe-ui-write
+          methodsAllowed: ["GET", "POST", "PUT", "PATCH"]
+          servicePrefix: sdc-wfd-fe-ui
+        - name: sdc-wfd-fe-ui-full
+          methodsAllowed: ["GET", "POST", "PUT", "PATCH", "DELETE"]
+          servicePrefix: sdc-wfd-fe-ui
+        - name: so-admin-cockpit-ui-read
+          methodsAllowed: ["GET"]
+          servicePrefix: so-admin-cockpit-ui
+        - name: so-admin-cockpit-ui-write
+          methodsAllowed: ["GET", "POST", "PUT", "PATCH"]
+          servicePrefix: so-admin-cockpit-ui
+        - name: so-admin-cockpit-ui-full
+          methodsAllowed: ["GET", "POST", "PUT", "PATCH", "DELETE"]
+          servicePrefix: so-admin-cockpit-ui
+        - name: so-api-read
+          methodsAllowed: ["GET"]
+          servicePrefix: so-api
+        - name: so-api-write
+          methodsAllowed: ["GET", "POST", "PUT", "PATCH"]
+          servicePrefix: so-api
+        - name: so-api-full
+          methodsAllowed: ["GET", "POST", "PUT", "PATCH", "DELETE"]
+          servicePrefix: so-api
+        - name: usecase-ui-read
+          methodsAllowed: ["GET"]
+          servicePrefix: usecase-ui
+        - name: usecase-ui-write
+          methodsAllowed: ["GET", "POST", "PUT", "PATCH"]
+          servicePrefix: usecase-ui
+        - name: usecase-ui-full
+          methodsAllowed: ["GET", "POST", "PUT", "PATCH", "DELETE"]
+          servicePrefix: usecase-ui
+        - name: uui-server-read
+          methodsAllowed: ["GET"]
+          servicePrefix: uui-server
+        - name: uui-server-write
+          methodsAllowed: ["GET", "POST", "PUT", "PATCH"]
+          servicePrefix: uui-server
+        - name: uui-server-full
+          methodsAllowed: ["GET", "POST", "PUT", "PATCH", "DELETE"]
+          servicePrefix: uui-server
diff --git a/kubernetes/onap/Chart.yaml b/kubernetes/onap/Chart.yaml
index 45d8da170b..bb3d95c69f 100644
--- a/kubernetes/onap/Chart.yaml
+++ b/kubernetes/onap/Chart.yaml
@@ -25,6 +25,10 @@ icon: https://wiki.onap.org/download/thumbnails/1015829/onap_704x271%20copy.png?
 kubeVersion: ">=1.19.11-0"
 
 dependencies:
+  - name: authentication
+    version: ~14.x-0
+    repository: '@local'
+    condition: authentication:enabled
   - name: aai
     version: ~13.x-0
     repository: '@local'
diff --git a/kubernetes/onap/resources/overrides/onap-all-ingress-gatewayapi.yaml b/kubernetes/onap/resources/overrides/onap-all-ingress-gatewayapi.yaml
index ba7b50e53c..1b47045e84 100644
--- a/kubernetes/onap/resources/overrides/onap-all-ingress-gatewayapi.yaml
+++ b/kubernetes/onap/resources/overrides/onap-all-ingress-gatewayapi.yaml
@@ -62,6 +62,8 @@ mariadb-galera:
   enabled: true
 postgres:
   enabled: true
+authentication:
+  enabled: true
 aai:
   enabled: true
 cds:
diff --git a/kubernetes/onap/resources/overrides/onap-all-ingress-istio.yaml b/kubernetes/onap/resources/overrides/onap-all-ingress-istio.yaml
index cc830424e2..8f69a08b2a 100644
--- a/kubernetes/onap/resources/overrides/onap-all-ingress-istio.yaml
+++ b/kubernetes/onap/resources/overrides/onap-all-ingress-istio.yaml
@@ -63,6 +63,8 @@ mariadb-galera:
   enabled: true
 postgres:
   enabled: true
+authentication:
+  enabled: true
 aai:
   enabled: true
 cds:
diff --git a/kubernetes/onap/resources/overrides/onap-all.yaml b/kubernetes/onap/resources/overrides/onap-all.yaml
index 027f8b3225..afb7e6b720 100644
--- a/kubernetes/onap/resources/overrides/onap-all.yaml
+++ b/kubernetes/onap/resources/overrides/onap-all.yaml
@@ -25,6 +25,8 @@ mariadb-galera:
   enabled: true
 postgres:
   enabled: true
+authentication:
+  enabled: true
 aai:
   enabled: true
 cds:
diff --git a/kubernetes/onap/values.yaml b/kubernetes/onap/values.yaml
index 5f48a5e2ed..c37b0fcdbc 100755
--- a/kubernetes/onap/values.yaml
+++ b/kubernetes/onap/values.yaml
@@ -297,6 +297,8 @@ global:
 # to customize the ONAP deployment.
 #################################################################
 
+authentication:
+  enabled: false
 aai:
   enabled: false
 cassandra:
diff --git a/kubernetes/platform/Chart.yaml b/kubernetes/platform/Chart.yaml
index aec56cf9a1..c3f776803e 100644
--- a/kubernetes/platform/Chart.yaml
+++ b/kubernetes/platform/Chart.yaml
@@ -3,6 +3,7 @@
 # Modifications Copyright © 2020 Nokia
 # Modifications Copyright © 2021 Orange
 # Modifications Copyright © 2021 Nordix Foundation
+# Modifications Copyright © 2024 Deutsche Telekom AG
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -34,11 +35,3 @@ dependencies:
     version: ~13.x-0
     repository: '@local'
     condition: chartmuseum.enabled
-  - name: keycloak-init
-    version: ~13.x-0
-    repository: '@local'
-    condition: keycloak-init.enabled
-  - name: oauth2-proxy
-    version: ~13.x-0
-    repository: '@local'
-    condition: oauth2-proxy.enabled
diff --git a/kubernetes/platform/components/keycloak-init/Makefile b/kubernetes/platform/components/keycloak-init/Makefile
deleted file mode 100644
index 5970a97115..0000000000
--- a/kubernetes/platform/components/keycloak-init/Makefile
+++ /dev/null
@@ -1,60 +0,0 @@
-# Copyright © 2020 Samsung Electronics
-# Modifications Copyright © 2020 Nokia
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#       http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-ROOT_DIR := $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST))))
-OUTPUT_DIR := $(ROOT_DIR)/../../dist
-PACKAGE_DIR := $(OUTPUT_DIR)/packages
-SECRET_DIR := $(OUTPUT_DIR)/secrets
-
-EXCLUDES :=
-HELM_BIN := helm
-ifneq ($(SKIP_LINT),TRUE)
-	HELM_LINT_CMD := $(HELM_BIN) lint
-else
-	HELM_LINT_CMD := echo "Skipping linting of"
-endif
-
-HELM_CHARTS := $(filter-out $(EXCLUDES), $(sort $(patsubst %/.,%,$(wildcard */.))))
-HELM_VER := $(shell $(HELM_BIN) version --template "{{.Version}}")
-
-.PHONY: $(EXCLUDES) $(HELM_CHARTS)
-
-all: $(HELM_CHARTS)
-
-$(HELM_CHARTS):
-	@echo "\n[$@]"
-	@make package-$@
-
-make-%:
-	@if [ -f $*/Makefile ]; then make -C $*; fi
-
-dep-%: make-%
-	@if [ -f $*/Chart.yaml ]; then $(HELM_BIN) dep up $*; fi
-
-lint-%: dep-%
-	@if [ -f $*/Chart.yaml ]; then $(HELM_LINT_CMD) $*; fi
-
-package-%: lint-%
-	@mkdir -p $(PACKAGE_DIR)
-	@if [ -f $*/Chart.yaml ]; then PACKAGE_NAME=$$($(HELM_BIN) package -d $(PACKAGE_DIR) $* | cut -d":" -f2) && $(HELM_BIN) cm-push -f $$PACKAGE_NAME local; fi
-	@sleep 3
-	#@$(HELM_BIN) repo index $(PACKAGE_DIR)
-
-clean:
-	@rm -f */Chart.lock
-	@rm -f *tgz */charts/*tgz
-	@rm -rf $(PACKAGE_DIR)
-%:
-	@:
diff --git a/kubernetes/platform/components/keycloak-init/resources/realms/onap-realm.json b/kubernetes/platform/components/keycloak-init/resources/realms/onap-realm.json
deleted file mode 100644
index d845c60cfb..0000000000
--- a/kubernetes/platform/components/keycloak-init/resources/realms/onap-realm.json
+++ /dev/null
@@ -1,426 +0,0 @@
-{
-  "id": "ONAP",
-  "realm": "ONAP",
-  "enabled": true,
-  "roles": {
-    "realm": [
-      {
-        "name": "onap_admin",
-        "description": "User role for administration tasks in the portal.",
-        "composite": false,
-        "clientRole": false,
-        "containerId": "onap",
-        "attributes": {}
-      },
-      {
-        "name": "user",
-        "composite": false,
-        "clientRole": false,
-        "containerId": "onap",
-        "attributes": {}
-      },
-      {
-        "name": "admin",
-        "composite": false,
-        "clientRole": false,
-        "containerId": "onap",
-        "attributes": {}
-      },
-      {
-        "name": "onap_designer",
-        "description": "User role for designer tasks in the portal.",
-        "composite": false,
-        "clientRole": false,
-        "containerId": "onap",
-        "attributes": {}
-      },
-      {
-        "name": "offline_access",
-        "description": "${role_offline-access}",
-        "composite": false,
-        "clientRole": false,
-        "containerId": "onap",
-        "attributes": {}
-      },
-      {
-        "name": "onap_operator",
-        "description": "User role for operator tasks in the portal.",
-        "composite": false,
-        "clientRole": false,
-        "containerId": "onap",
-        "attributes": {}
-      },
-      {
-        "name": "uma_authorization",
-        "description": "${role_uma_authorization}",
-        "composite": false,
-        "clientRole": false,
-        "containerId": "onap",
-        "attributes": {}
-      },
-      {
-        "name": "default-roles-onap",
-        "description": "${role_default-roles}",
-        "composite": true,
-        "composites": {
-          "realm": [
-            "offline_access",
-            "uma_authorization"
-          ],
-          "client": {
-            "account": [
-              "view-profile",
-              "manage-account"
-            ]
-          }
-        },
-        "clientRole": false,
-        "containerId": "onap",
-        "attributes": {}
-      }
-    ]
-  },
-  "groups": [
-    {
-      "name": "admins",
-      "path": "/admins",
-      "attributes": {},
-      "realmRoles": [],
-      "clientRoles": {},
-      "subGroups": []
-    }
-  ],
-  "clients": [
-    {
-      "clientId": "oauth2-proxy",
-      "name": "Oauth2 Proxy",
-      "description": "",
-      "rootUrl": "",
-      "adminUrl": "",
-      "baseUrl": "",
-      "surrogateAuthRequired": false,
-      "enabled": true,
-      "alwaysDisplayInConsole": false,
-      "clientAuthenticatorType": "client-secret",
-      "secret": "5YSOkJz99WHv8enDZPknzJuGqVSerELp",
-      "redirectUris": [
-        "*"
-      ],
-      "webOrigins": [],
-      "notBefore": 0,
-      "bearerOnly": false,
-      "consentRequired": false,
-      "standardFlowEnabled": true,
-      "implicitFlowEnabled": false,
-      "directAccessGrantsEnabled": true,
-      "serviceAccountsEnabled": false,
-      "publicClient": false,
-      "frontchannelLogout": true,
-      "protocol": "openid-connect",
-      "attributes": {
-        "tls-client-certificate-bound-access-tokens": "false",
-        "oidc.ciba.grant.enabled": "false",
-        "backchannel.logout.session.required": "true",
-        "client_credentials.use_refresh_token": "false",
-        "acr.loa.map": "{}",
-        "require.pushed.authorization.requests": "false",
-        "oauth2.device.authorization.grant.enabled": "false",
-        "display.on.consent.screen": "false",
-        "backchannel.logout.revoke.offline.tokens": "false",
-        "token.response.type.bearer.lower-case": "false",
-        "use.refresh.tokens": "true"
-      },
-      "authenticationFlowBindingOverrides": {},
-      "fullScopeAllowed": true,
-      "nodeReRegistrationTimeout": -1,
-      "protocolMappers": [
-        {
-          "name": "SDC-User",
-          "protocol": "openid-connect",
-          "protocolMapper": "oidc-usermodel-attribute-mapper",
-          "consentRequired": false,
-          "config": {
-            "multivalued": "false",
-            "userinfo.token.claim": "true",
-            "user.attribute": "sdc_user",
-            "id.token.claim": "true",
-            "access.token.claim": "true",
-            "claim.name": "sdc_user",
-            "jsonType.label": "String"
-          }
-        }
-      ],
-      "defaultClientScopes": [
-        "web-origins",
-        "acr",
-        "profile",
-        "roles",
-        "email"
-      ],
-      "optionalClientScopes": [
-        "address",
-        "phone",
-        "offline_access",
-        "groups",
-        "microprofile-jwt"
-      ]
-    },
-    {
-      "clientId": "portal-app",
-      "surrogateAuthRequired": false,
-      "enabled": true,
-      "alwaysDisplayInConsole": false,
-      "clientAuthenticatorType": "client-secret",
-      "redirectUris": [
-        "{{ .Values.portalUrl }}/*",
-        "http://localhost/*"
-      ],
-      "webOrigins": [
-        "*"
-      ],
-      "notBefore": 0,
-      "bearerOnly": false,
-      "consentRequired": false,
-      "standardFlowEnabled": true,
-      "implicitFlowEnabled": false,
-      "directAccessGrantsEnabled": true,
-      "serviceAccountsEnabled": false,
-      "publicClient": true,
-      "frontchannelLogout": false,
-      "protocol": "openid-connect",
-      "attributes": {
-        "oidc.ciba.grant.enabled": "false",
-        "backchannel.logout.session.required": "true",
-        "post.logout.redirect.uris": "{{ .Values.portalUrl }}/*",
-        "oauth2.device.authorization.grant.enabled": "false",
-        "display.on.consent.screen": "false",
-        "backchannel.logout.revoke.offline.tokens": "false"
-      },
-      "authenticationFlowBindingOverrides": {},
-      "fullScopeAllowed": true,
-      "nodeReRegistrationTimeout": -1,
-      "protocolMappers": [
-        {
-          "name": "User-Roles",
-          "protocol": "openid-connect",
-          "protocolMapper": "oidc-usermodel-realm-role-mapper",
-          "consentRequired": false,
-          "config": {
-            "id.token.claim": "true",
-            "access.token.claim": "true",
-            "claim.name": "roles",
-            "multivalued": "true",
-            "userinfo.token.claim": "true"
-          }
-        },
-        {
-          "name": "SDC-User",
-          "protocol": "openid-connect",
-          "protocolMapper": "oidc-usermodel-attribute-mapper",
-          "consentRequired": false,
-          "config": {
-            "userinfo.token.claim": "true",
-            "user.attribute": "sdc_user",
-            "id.token.claim": "true",
-            "access.token.claim": "true",
-            "claim.name": "sdc_user",
-            "jsonType.label": "String"
-          }
-        }
-      ],
-      "defaultClientScopes": [
-        "web-origins",
-        "acr",
-        "profile",
-        "roles",
-        "email"
-      ],
-      "optionalClientScopes": [
-        "address",
-        "phone",
-        "offline_access",
-        "microprofile-jwt"
-      ]
-    },
-    {
-      "clientId" : "portal-bff",
-      "surrogateAuthRequired" : false,
-      "enabled" : true,
-      "alwaysDisplayInConsole" : false,
-      "clientAuthenticatorType" : "client-secret",
-      "secret" : "pKOuVH1bwRZoNzp5P5t4GV8CqcCJYVtr",
-      "redirectUris" : [ ],
-      "webOrigins" : [ ],
-      "notBefore" : 0,
-      "bearerOnly" : false,
-      "consentRequired" : false,
-      "standardFlowEnabled" : false,
-      "implicitFlowEnabled" : false,
-      "directAccessGrantsEnabled" : false,
-      "serviceAccountsEnabled" : true,
-      "publicClient" : false,
-      "frontchannelLogout" : false,
-      "protocol" : "openid-connect",
-      "attributes" : {
-        "saml.force.post.binding" : "false",
-        "saml.multivalued.roles" : "false",
-        "frontchannel.logout.session.required" : "false",
-        "oauth2.device.authorization.grant.enabled" : "false",
-        "backchannel.logout.revoke.offline.tokens" : "false",
-        "saml.server.signature.keyinfo.ext" : "false",
-        "use.refresh.tokens" : "true",
-        "oidc.ciba.grant.enabled" : "false",
-        "backchannel.logout.session.required" : "true",
-        "client_credentials.use_refresh_token" : "false",
-        "require.pushed.authorization.requests" : "false",
-        "saml.client.signature" : "false",
-        "saml.allow.ecp.flow" : "false",
-        "id.token.as.detached.signature" : "false",
-        "saml.assertion.signature" : "false",
-        "client.secret.creation.time" : "1665048112",
-        "saml.encrypt" : "false",
-        "saml.server.signature" : "false",
-        "exclude.session.state.from.auth.response" : "false",
-        "saml.artifact.binding" : "false",
-        "saml_force_name_id_format" : "false",
-        "acr.loa.map" : "{}",
-        "tls.client.certificate.bound.access.tokens" : "false",
-        "saml.authnstatement" : "false",
-        "display.on.consent.screen" : "false",
-        "token.response.type.bearer.lower-case" : "false",
-        "saml.onetimeuse.condition" : "false"
-      },
-      "authenticationFlowBindingOverrides" : { },
-      "fullScopeAllowed" : true,
-      "nodeReRegistrationTimeout" : -1,
-      "protocolMappers" : [ {
-        "name" : "Client Host",
-        "protocol" : "openid-connect",
-        "protocolMapper" : "oidc-usersessionmodel-note-mapper",
-        "consentRequired" : false,
-        "config" : {
-          "user.session.note" : "clientHost",
-          "id.token.claim" : "true",
-          "access.token.claim" : "true",
-          "claim.name" : "clientHost",
-          "jsonType.label" : "String"
-        }
-      }, {
-        "name" : "Client IP Address",
-        "protocol" : "openid-connect",
-        "protocolMapper" : "oidc-usersessionmodel-note-mapper",
-        "consentRequired" : false,
-        "config" : {
-          "user.session.note" : "clientAddress",
-          "id.token.claim" : "true",
-          "access.token.claim" : "true",
-          "claim.name" : "clientAddress",
-          "jsonType.label" : "String"
-        }
-      } ],
-      "defaultClientScopes" : [ "web-origins", "acr", "profile", "roles", "email" ],
-      "optionalClientScopes" : [ "address", "phone", "offline_access", "microprofile-jwt" ]
-    }
-  ],
-  "users": [
-    {
-      "createdTimestamp" : 1664965113698,
-      "username" : "onap-admin",
-      "enabled" : true,
-      "totp" : false,
-      "emailVerified" : false,
-      "attributes" : {
-        "sdc_user" : [ "cs0008" ]
-      },
-      "credentials" : [ {
-        "type" : "password",
-        "createdDate" : 1664965134586,
-        "secretData" : "{\"value\":\"nD4K4x8HEgk6xlWIAgzZOE+EOjdbovJfEa7N3WXwIMCWCfdXpn7Riys7hZhI1NbKcc9QPI9j8LQB/JSuZVcXKA==\",\"salt\":\"T8X9A9tT2cyLvEjHFo+zuQ==\",\"additionalParameters\":{}}",
-        "credentialData" : "{\"hashIterations\":27500,\"algorithm\":\"pbkdf2-sha256\",\"additionalParameters\":{}}"
-      } ],
-      "disableableCredentialTypes" : [ ],
-      "requiredActions" : [ ],
-      "realmRoles" : [ "default-roles-onap", "onap_admin" ],
-      "notBefore" : 0,
-      "groups" : [ ]
-    }, {
-      "createdTimestamp" : 1665048354760,
-      "username" : "onap-designer",
-      "enabled" : true,
-      "totp" : false,
-      "emailVerified" : false,
-      "attributes" : {
-        "sec_user" : [ "cs0008" ]
-      },
-      "credentials" : [ ],
-      "disableableCredentialTypes" : [ ],
-      "requiredActions" : [ ],
-      "realmRoles" : [ "default-roles-onap", "onap_designer" ],
-      "notBefore" : 0,
-      "groups" : [ ]
-    }, {
-      "createdTimestamp" : 1665048547054,
-      "username" : "onap-operator",
-      "enabled" : true,
-      "totp" : false,
-      "emailVerified" : false,
-      "attributes" : {
-        "sdc_user" : [ "cs0008" ]
-      },
-      "credentials" : [ ],
-      "disableableCredentialTypes" : [ ],
-      "requiredActions" : [ ],
-      "realmRoles" : [ "default-roles-onap", "onap_operator" ],
-      "notBefore" : 0,
-      "groups" : [ ]
-    }, {
-      "createdTimestamp" : 1665048112458,
-      "username" : "service-account-portal-bff",
-      "enabled" : true,
-      "totp" : false,
-      "emailVerified" : false,
-      "serviceAccountClientId" : "portal-bff",
-      "credentials" : [ ],
-      "disableableCredentialTypes" : [ ],
-      "requiredActions" : [ ],
-      "realmRoles" : [ "default-roles-onap" ],
-      "clientRoles" : {
-        "realm-management" : [ "manage-realm", "manage-users" ]
-      },
-      "notBefore" : 0,
-      "groups" : [ ]
-    }
-  ],
-  "clientScopes": [
-    {
-      "name": "groups",
-      "description": "Membership to a group",
-      "protocol": "openid-connect",
-      "attributes": {
-        "include.in.token.scope": "true",
-        "display.on.consent.screen": "true",
-        "gui.order": "",
-        "consent.screen.text": ""
-      },
-      "protocolMappers": [
-        {
-          "name": "groups",
-          "protocol": "openid-connect",
-          "protocolMapper": "oidc-group-membership-mapper",
-          "consentRequired": false,
-          "config": {
-            "full.path": "false",
-            "id.token.claim": "true",
-            "access.token.claim": "true",
-            "claim.name": "groups",
-            "userinfo.token.claim": "true"
-          }
-        }
-      ]
-    }
-  ],
-  "attributes": {
-    "frontendUrl": "{{ .Values.KEYCLOAK_URL }}",
-    "acr.loa.map": "{\"ABC\":\"5\"}"
-  }
-}
diff --git a/kubernetes/platform/components/keycloak-init/values.yaml b/kubernetes/platform/components/keycloak-init/values.yaml
deleted file mode 100644
index a33ef2c932..0000000000
--- a/kubernetes/platform/components/keycloak-init/values.yaml
+++ /dev/null
@@ -1,41 +0,0 @@
-# Copyright © 2022, Deutsche Telekom
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#       http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-global:
-  # Global ingress configuration
-  ingress:
-    enabled: false
-    virtualhost:
-      baseurl: "simpledemo.onap.org"
-
-KEYCLOAK_URL: &kc-url "https://keycloak-ui.simpledemo.onap.org/auth/"
-PORTAL_URL: "https://portal-ui.simpledemo.onap.org"
-
-onap-keycloak-config-cli:
-  image:
-    pullSecrets:
-      - name: onap-docker-registry-key
-  #existingSecret: "keycloak-keycloakx-admin-creds"
-  env:
-    KEYCLOAK_URL: http://keycloak-keycloakx-http.keycloak.svc.cluster.local/auth/
-    KEYCLOAK_SSLVERIFY: "false"
-    KEYCLOAK_AVAILABILITYCHECK_ENABLED: "true"
-  secrets:
-    KEYCLOAK_PASSWORD: secret
-  existingConfigSecret: "keycloak-config-cli-config-realms"
-
-serviceAccount:
-  nameOverride: keycloak-init
-  roles:
-    - read
diff --git a/kubernetes/platform/components/oauth2-proxy/Chart.yaml b/kubernetes/platform/components/oauth2-proxy/Chart.yaml
deleted file mode 100644
index 13da57793c..0000000000
--- a/kubernetes/platform/components/oauth2-proxy/Chart.yaml
+++ /dev/null
@@ -1,34 +0,0 @@
-#============LICENSE_START========================================================
-# ================================================================================
-# Copyright © 2022 Deutsche Telekom
-# ================================================================================
-# Original licence (https://github.com/codecentric/helm-charts/blob/master/LICENSE)
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-# ============LICENSE_END=========================================================
-apiVersion: v2
-version: 13.0.0
-description: ONAP Oauth2-proxy
-name: oauth2-proxy
-sources:
-- https://github.com/oauth2-proxy/manifests
-
-dependencies:
-  - name: common
-    version: ~13.x-0
-    repository: '@local'
-  - name: serviceAccount
-    version: ~13.x-0
-    repository: '@local'
-  - name: onap-oauth2-proxy
-    version: 6.10.1
-    repository: 'file://components/oauth2-proxy'
\ No newline at end of file
diff --git a/kubernetes/platform/components/oauth2-proxy/components/Makefile b/kubernetes/platform/components/oauth2-proxy/components/Makefile
deleted file mode 100755
index 9544d70f33..0000000000
--- a/kubernetes/platform/components/oauth2-proxy/components/Makefile
+++ /dev/null
@@ -1,58 +0,0 @@
-# Copyright © 2020 Samsung Electronics
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#       http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-ROOT_DIR := $(shell dirname $(realpath $(lastword $(MAKEFILE_LIST))))
-OUTPUT_DIR := $(ROOT_DIR)/../../dist
-PACKAGE_DIR := $(OUTPUT_DIR)/packages
-SECRET_DIR := $(OUTPUT_DIR)/secrets
-
-EXCLUDES :=
-HELM_BIN := helm
-ifneq ($(SKIP_LINT),TRUE)
-	HELM_LINT_CMD := $(HELM_BIN) lint
-else
-	HELM_LINT_CMD := echo "Skipping linting of"
-endif
-
-HELM_CHARTS := $(filter-out $(EXCLUDES), $(sort $(patsubst %/.,%,$(wildcard */.))))
-
-.PHONY: $(EXCLUDES) $(HELM_CHARTS)
-
-all: $(HELM_CHARTS)
-
-$(HELM_CHARTS):
-	@echo "\n[$@]"
-	@make package-$@
-
-make-%:
-	@if [ -f $*/Makefile ]; then make -C $*; fi
-
-dep-%: make-%
-	@if [ -f $*/Chart.yaml ]; then $(HELM_BIN) dep up $*; fi
-
-lint-%: dep-%
-	@if [ -f $*/Chart.yaml ]; then $(HELM_LINT_CMD) $*; fi
-
-package-%: lint-%
-	@mkdir -p $(PACKAGE_DIR)
-	@if [ -f $*/Chart.yaml ]; then PACKAGE_NAME=$$($(HELM_BIN) package -d $(PACKAGE_DIR) $* | cut -d":" -f2) && $(HELM_BIN) cm-push -f $$PACKAGE_NAME local; fi
-	@sleep 3
-	#@$(HELM_BIN) repo index $(PACKAGE_DIR)
-
-clean:
-	@rm -f */Chart.lock
-	@rm -f *tgz */charts/*tgz
-	@rm -rf $(PACKAGE_DIR)
-%:
-	@:
diff --git a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/.helmignore b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/.helmignore
deleted file mode 100644
index 825c007791..0000000000
--- a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/.helmignore
+++ /dev/null
@@ -1,23 +0,0 @@
-# Patterns to ignore when building packages.
-# This supports shell glob matching, relative path matching, and
-# negation (prefixed with !). Only one pattern per line.
-.DS_Store
-# Common VCS dirs
-.git/
-.gitignore
-.bzr/
-.bzrignore
-.hg/
-.hgignore
-.svn/
-# Common backup files
-*.swp
-*.bak
-*.tmp
-*~
-# Various IDEs
-.project
-.idea/
-*.tmproj
-
-OWNERS
diff --git a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/ci/servicemonitor-values.yaml b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/ci/servicemonitor-values.yaml
deleted file mode 100644
index 9d31c28541..0000000000
--- a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/ci/servicemonitor-values.yaml
+++ /dev/null
@@ -1,4 +0,0 @@
-metrics:
-  enabled: true
-  serviceMonitor:
-    enabled: true
diff --git a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/NOTES.txt b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/NOTES.txt
deleted file mode 100644
index aa749e0b9d..0000000000
--- a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/NOTES.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-To verify that oauth2-proxy has started, run:
-
-  kubectl --namespace={{ .Release.Namespace }} get pods -l "app={{ template "oauth2-proxy.name" . }}"
diff --git a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/configmap-alpha.yaml b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/configmap-alpha.yaml
deleted file mode 100644
index 7ba0273ab2..0000000000
--- a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/configmap-alpha.yaml
+++ /dev/null
@@ -1,32 +0,0 @@
-{{- if .Values.alphaConfig.enabled }}
-{{- if not .Values.alphaConfig.existingConfig }}
-apiVersion: v1
-kind: ConfigMap
-metadata:
-{{- if .Values.alphaConfig.annotations }}
-  annotations: {{- toYaml .Values.alphaConfig.annotations | nindent 4 }}
-{{- end }}
-  labels:
-    app: {{ template "oauth2-proxy.name" . }}
-    {{- include "oauth2-proxy.labels" . | indent 4 }}
-  name: {{ template "oauth2-proxy.fullname" . }}-alpha
-data:
-  oauth2_proxy.yml: |
-    ---
-    server:
-      BindAddress: '0.0.0.0:4180'
-    {{- if .Values.alphaConfig.serverConfigData }}
-    {{- toYaml .Values.alphaConfig.serverConfigData | nindent 6 }}
-    {{- end }}
-    {{- if .Values.metrics.enabled }}
-    metricsServer:
-      BindAddress: '0.0.0.0:44180'
-    {{- if .Values.alphaConfig.metricsConfigData }}
-    {{- toYaml .Values.alphaConfig.metricsConfigData | nindent 6 }}
-    {{- end }}
-    {{- end }}
-    {{- if .Values.alphaConfig.configData }}
-    {{- toYaml .Values.alphaConfig.configData | nindent 4 }}
-    {{- end }}
-{{- end }}
-{{- end }}
diff --git a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/serviceaccount.yaml b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/serviceaccount.yaml
deleted file mode 100644
index 6d0a9d7c59..0000000000
--- a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/serviceaccount.yaml
+++ /dev/null
@@ -1,14 +0,0 @@
-{{- if or .Values.serviceAccount.enabled -}}
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  {{- with .Values.serviceAccount.annotations }}
-  annotations:
-    {{- toYaml . | nindent 4 }}
-  {{- end }}
-  labels:
-    app: {{ template "oauth2-proxy.name" . }}
-{{- include "oauth2-proxy.labels" . | indent 4 }}
-  name: {{ template "oauth2-proxy.serviceAccountName" . }}
-automountServiceAccountToken : {{ .Values.serviceAccount.automountServiceAccountToken }}
-{{- end -}}
diff --git a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/servicemonitor.yaml b/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/servicemonitor.yaml
deleted file mode 100644
index 9c29d1bfd1..0000000000
--- a/kubernetes/platform/components/oauth2-proxy/components/oauth2-proxy/templates/servicemonitor.yaml
+++ /dev/null
@@ -1,31 +0,0 @@
-{{- if and .Values.metrics.enabled .Values.metrics.servicemonitor.enabled }}
-apiVersion: monitoring.coreos.com/v1
-kind: ServiceMonitor
-metadata:
-  name: {{ template "oauth2-proxy.fullname" . }}
-{{- if .Values.metrics.servicemonitor.namespace }}
-  namespace: {{ .Values.metrics.servicemonitor.namespace }}
-{{- else }}
-  namespace: {{ .Release.Namespace | quote }}
-{{- end }}
-  labels:
-    prometheus: {{ .Values.metrics.servicemonitor.prometheusInstance }}
-    app: {{ template "oauth2-proxy.name" . }}
-{{- include "oauth2-proxy.labels" . | indent 4 }}
-{{- if .Values.metrics.servicemonitor.labels }}
-{{ toYaml .Values.metrics.servicemonitor.labels | indent 4}}
-{{- end }}
-spec:
-  jobLabel: {{ template "oauth2-proxy.fullname" . }}
-  selector:
-    matchLabels:
-      {{- include "oauth2-proxy.selectorLabels" . | indent 6 }}
-  namespaceSelector:
-    matchNames:
-      - {{ .Release.Namespace }}
-  endpoints:
-  - port: metrics
-    path: "/metrics"
-    interval: {{ .Values.metrics.servicemonitor.interval }}
-    scrapeTimeout: {{ .Values.metrics.servicemonitor.scrapeTimeout }}
-{{- end }}
diff --git a/kubernetes/platform/components/oauth2-proxy/values.yaml b/kubernetes/platform/components/oauth2-proxy/values.yaml
deleted file mode 100644
index 81a9986d3d..0000000000
--- a/kubernetes/platform/components/oauth2-proxy/values.yaml
+++ /dev/null
@@ -1,74 +0,0 @@
-onap-oauth2-proxy:
-  # Oauth client configuration specifics
-  config:
-    cookieSecret: "CbgXFXDJ16laaCfChtFBpKy1trNEmJZDIjaiaIMLyRA="
-    configFile: |-
-      email_domains = [ "*" ]        # Restrict to these E-Mail Domains, a wildcard "*" allows any email
-
-  alphaConfig:
-    enabled: true
-    configData:
-      providers:
-      - clientID: "oauth2-proxy"
-        clientSecret: "5YSOkJz99WHv8enDZPknzJuGqVSerELp"
-        id: oidc-istio
-        provider: oidc   # We use the generic 'oidc' provider
-        loginURL: https://keycloak-ui.simpledemo.onap.org/auth/realms/ONAP/protocol/openid-connect/auth
-        #redeemURL: https://keycloak-ui.simpledemo.onap.org/auth/realms/ONAP/protocol/openid-connect/token
-        redeemURL: http://keycloak-http.keycloak/auth/realms/ONAP/protocol/openid-connect/token
-        profileURL: https://keycloak-ui.simpledemo.onap.org/auth/realms/ONAP/protocol/openid-connect/userinfo
-        validateURL: https://keycloak-ui.simpledemo.onap.org/auth/realms/ONAP/protocol/openid-connect/userinfo
-        scope: "openid email profile groups"
-        #allowedGroups:
-        # - admins # List all groups managed at our your IdP which should be allowed access
-        # - infrateam
-        # - anothergroup
-        oidcConfig:
-          emailClaim: email  # Name of the clain in JWT containing the E-Mail
-          groupsClaim: groups # Name of the claim in JWT containing the Groups
-          userIDClaim: email  # Name of the claim in JWT containing the User ID
-          audienceClaims: ["aud"]
-          insecureAllowUnverifiedEmail: true
-          insecureSkipIssuerVerification: true
-          skipDiscovery: true # You can try using the well-knwon endpoint directly for auto discovery, here we won't use it
-          issuerURL: https://keycloak-ui.simpledemo.onap.org/auth/realms/ONAP
-          jwksURL: http://keycloak-http.keycloak/auth/realms/ONAP/protocol/openid-connect/certs
-      upstreamConfig:
-        upstreams:
-          - id: static_200
-            path: /
-            static: true
-            staticCode: 200
-      # Headers that should be added to responses from the proxy
-      injectResponseHeaders: # Send this headers in responses from oauth2-proxy
-        - name: X-Auth-Request-Preferred-Username
-          values:
-            - claim: preferred_username
-        - name: X-Auth-Request-Email
-          values:
-            - claim: email
-
-  extraArgs:
-    cookie-secure: "false"
-    cookie-domain: ".simpledemo.onap.org"    # Replace with your base domain
-    cookie-samesite: lax
-    cookie-expire: 12h               # How long our Cookie is valid
-    auth-logging: true               # Enable / Disable auth logs
-    request-logging: true            # Enable / Disable request logs
-    standard-logging: true           # Enable / Disable the standart logs
-    show-debug-on-error: true        # Disable in production setups
-    skip-provider-button: true       # We only have one provider configured (Keycloak)
-    silence-ping-logging: true       # Keeps our logs clean
-    whitelist-domain: ".simpledemo.onap.org" # Replace with your base domain
-
-  # Enables and configure the automatic deployment of the redis subchart
-  redis:
-    # provision an instance of the redis sub-chart
-    enabled: false
-
-
-serviceAccount:
-  nameOverride: oauth2-proxy
-  roles:
-    - read
-
diff --git a/kubernetes/platform/values.yaml b/kubernetes/platform/values.yaml
index 5cc7612473..95c98f6eb4 100644
--- a/kubernetes/platform/values.yaml
+++ b/kubernetes/platform/values.yaml
@@ -34,15 +34,11 @@ global:
 
 # Control deployment of Platform services at ONAP installation time
 chartmuseum:
-  enabled: true
+  enabled: false
 cmpv2-cert-provider:
   enabled: true
 oom-cert-service:
   enabled: true
-keycloak-init:
-  enabled: false
-oauth2-proxy:
-  enabled: false
 
 flavor: small
 # default number of instances