feat: Add helm README.md and unit tests

.github/workflows/cicd.yaml

@@ -50,3 +50,19 @@ jobs:
           path: |
             htmlcov/
             coverage.xml
+
+  helm-test:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v4
+      - name: Helm install
+        uses: azure/setup-helm@v4
+        with:
+          version: latest
+      - run: helm lint helm
+      - name: Helm unit tests
+        uses: d3adb5/helm-unittest-action@v2
+        with:
+          helm-version: latest
+          charts: helm/

helm/README.md

@@ -0,0 +1,96 @@
+# STAC Auth Proxy Helm Chart
+
+A Helm chart for deploying [STAC Auth Proxy](https://developmentseed.org/stac-auth-proxy) on Kubernetes.
+
+## Overview
+
+This chart deploys a reverse proxy that adds authentication and authorization capabilities to your STAC API using OpenID Connect (OIDC).
+
+## Prerequisites
+
+- Kubernetes 1.19+
+- Helm 3.0+
+- An OIDC provider (e.g., Keycloak, Auth0, Google, etc.)
+- A STAC API backend
+
+## Installation
+
+```bash
+helm install stac-auth-proxy ./stac-auth-proxy \
+  --set env.UPSTREAM_URL=https://your-stac-api.example.com \
+  --set env.OIDC_DISCOVERY_URL=https://your-oidc-provider.example.com/.well-known/openid-configuration \
+  --set ingress.host=stac-proxy.example.com
+```
+
+## Configuration
+
+### Required Values
+
+| Parameter | Description |
+|-----------|-------------|
+| `env.UPSTREAM_URL` | URL of the upstream STAC API |
+| `env.OIDC_DISCOVERY_URL` | OpenID Connect discovery URL |
+| `ingress.host` | Hostname for the ingress |
+
+### Common Configurations
+
+See [`values.yaml`](./values.yaml) for all available configuration options, including:
+
+- **Authentication**: Configure OIDC settings and endpoint protection
+- **Resources**: Set CPU/memory limits and requests
+- **Ingress**: Configure TLS, annotations, and hostname
+- **Security**: Pod and container security contexts
+
+### Example: Custom Values File
+
+```yaml
+# custom-values.yaml
+image:
+  tag: "v1.0.0"
+
+ingress:
+  host: "my-stac-api.example.com"
+
+env:
+  UPSTREAM_URL: "https://stac-api.internal:8080"
+  OIDC_DISCOVERY_URL: "https://my-auth.example.com/.well-known/openid-configuration"
+  DEFAULT_PUBLIC: false
+```
+
+Install with custom values:
+
+```bash
+helm install stac-auth-proxy ./stac-auth-proxy -f custom-values.yaml
+```
+
+## Upgrading
+
+```bash
+helm upgrade stac-auth-proxy ./stac-auth-proxy -f custom-values.yaml
+```
+
+## Uninstalling
+
+```bash
+helm uninstall stac-auth-proxy
+```
+
+## Testing
+
+Run unit tests to validate chart templates:
+
+```bash
+helm unittest helm/
+```
+
+Requires the [helm-unittest](https://github.com/helm-unittest/helm-unittest) plugin:
+
+```bash
+helm plugin install https://github.com/helm-unittest/helm-unittest
+```
+
+## Documentation
+
+For more information about STAC Auth Proxy features and configuration:
+- [Project Documentation](https://developmentseed.org/stac-auth-proxy)
+- [GitHub Repository](https://github.com/developmentseed/stac-auth-proxy)

helm/tests/deployment_test.yaml

@@ -0,0 +1,51 @@
+suite: test deployment
+templates:
+  - deployment.yaml
+tests:
+  - it: should create deployment with correct name
+    set:
+      env.UPSTREAM_URL: "https://example.com"
+      env.OIDC_DISCOVERY_URL: "https://example.com/.well-known/openid-configuration"
+    asserts:
+      - isKind:
+          of: Deployment
+      - matchRegex:
+          path: metadata.name
+          pattern: ^RELEASE-NAME-stac-auth-proxy$
+
+  - it: should set replica count
+    set:
+      replicaCount: 3
+      env.UPSTREAM_URL: "https://example.com"
+      env.OIDC_DISCOVERY_URL: "https://example.com/.well-known/openid-configuration"
+    asserts:
+      - equal:
+          path: spec.replicas
+          value: 3
+
+  - it: should set required environment variables
+    set:
+      env.UPSTREAM_URL: "https://stac-api.example.com"
+      env.OIDC_DISCOVERY_URL: "https://auth.example.com/.well-known/openid-configuration"
+    asserts:
+      - contains:
+          path: spec.template.spec.containers[0].env
+          content:
+            name: UPSTREAM_URL
+            value: "https://stac-api.example.com"
+      - contains:
+          path: spec.template.spec.containers[0].env
+          content:
+            name: OIDC_DISCOVERY_URL
+            value: "https://auth.example.com/.well-known/openid-configuration"
+
+  - it: should use correct image
+    set:
+      image.repository: "custom/repo"
+      image.tag: "v1.2.3"
+      env.UPSTREAM_URL: "https://example.com"
+      env.OIDC_DISCOVERY_URL: "https://example.com/.well-known/openid-configuration"
+    asserts:
+      - equal:
+          path: spec.template.spec.containers[0].image
+          value: "custom/repo:v1.2.3"

helm/tests/service_test.yaml

@@ -0,0 +1,36 @@
+suite: test service
+templates:
+  - service.yaml
+tests:
+  - it: should create service with correct name
+    set:
+      env.UPSTREAM_URL: "https://example.com"
+      env.OIDC_DISCOVERY_URL: "https://example.com/.well-known/openid-configuration"
+    asserts:
+      - isKind:
+          of: Service
+      - matchRegex:
+          path: metadata.name
+          pattern: ^RELEASE-NAME-stac-auth-proxy$
+
+  - it: should use ClusterIP by default
+    set:
+      env.UPSTREAM_URL: "https://example.com"
+      env.OIDC_DISCOVERY_URL: "https://example.com/.well-known/openid-configuration"
+    asserts:
+      - equal:
+          path: spec.type
+          value: ClusterIP
+
+  - it: should expose correct port
+    set:
+      service.port: 8000
+      env.UPSTREAM_URL: "https://example.com"
+      env.OIDC_DISCOVERY_URL: "https://example.com/.well-known/openid-configuration"
+    asserts:
+      - equal:
+          path: spec.ports[0].port
+          value: 8000
+      - equal:
+          path: spec.ports[0].targetPort
+          value: http