This recipe can wrap a workload with JWT protections.

+OAUTH2_PROXY_PROVIDER=keycloak-oidc
+#OAUTH2_PROXY_COOKIE_SAMESITE=none
+#OAUTH2_PROXY_COOKIE_SECURE='true'
+#OAUTH2_PROXY_COOKIE_HTTPONLY='false'
+OAUTH2_PROXY_EMAIL_DOMAINS='*'
+##OAUTH2_PROXY_COOKIE_DOMAIN=.alyvr.local
+##OAUTH2_PROXY_COOKIE_SECRET=CHANGEME
+OAUTH2_PROXY_COOKIE_EXPIRE=1h
+OAUTH2_PROXY_COOKIE_REFRESH=4m
+##OAUTH2_PROXY_CLIENT_ID=CHANGEME
+##OAUTH2_PROXY_CLIENT_SECRET=CHANGEME
+##OAUTH2_PROXY_LOGIN_URL=''
+##OAUTH2_PROXY_REDEEM_URL=''
+##OAUTH2_PROXY_VALIDATE_URL=''
+OAUTH2_PROXY_SCOPE=openid profile
+OAUTH2_PROXY_REVERSE_PROXY=true
+#OAUTH2_PROXY_PROVIDER_CA_FILE=/srv/alyvr-ca/tls.crt
+##OAUTH2_PROXY_WHITELIST_DOMAIN=
+OAUTH2_PROXY_SET_AUTHORIZATION_HEADER=true
+OAUTH2_PROXY_SET_XAUTHREQUEST=true
+OAUTH2_PROXY_PASS_USER_HEADERS=true
+#OAUTH2_PROXY_PASS_AUTHORIZATION_HEADER=true
+
+OAUTH2_PROXY_WEBSOCKETS=true
+#OAUTH2_PROXY_SKIP_AUTH_REGEX=
+OAUTH2_PROXY_SKIP_JWT_BEARER_TOKENS=true
+OAUTH2_PROXY_SKIP_PROVIDER_BUTTON=true
+OAUTH2_PROXY_SSL_INSECURE_SKIP_VERIFY=true
+
+# new
+OAUTH2_AUTH_LOGGING=true
+OAUTH2_SHOW_DEBUG_ON_ERROR=true
+
+
+#            - --upstream=http://nginx-hello-status:80/
+
+OAUTH2_PROXY_UPSTREAMS
+OAUTH2_PROXY_HTTP_ADDRESS
+OAUTH2_PROXY_COOKIE_DOMAINS
+OAUTH2_PROXY_COOKIE_SECRET
+OAUTH2_PROXY_CLIENT_ID
+OAUTH2_PROXY_ALLOWED_ROLES
+OAUTH2_PROXY_OIDC_ISSUER_URL
+OAUTH2_PROXY_WHITELIST_DOMAINS

+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - oauth2-proxy.yaml
+secretGenerator:
+  - name: oauth2-proxy
+    options:
+      disableNameSuffixHash: true
+    envs:
+      - secret.env
+configMapGenerator:
+  - name: oauth2-proxy
+    options:
+      disableNameSuffixHash: true
+    envs:
+      - configmap.env

+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: oauth2-proxy
+spec:
+  selector:
+    app: oauth2-proxy
+  ports:
+    - name: http-oauth2
+      protocol: TCP
+      port: 80
+      targetPort: 9876
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: oauth2-proxy
+  labels:
+    app: oauth2-proxy
+spec:
+  replicas: 1
+  progressDeadlineSeconds: 600
+  selector:
+    matchLabels:
+      app: oauth2-proxy
+  template:
+    metadata:
+      labels:
+        app: oauth2-proxy
+    spec:
+      containers:
+        - name: oauth2-proxy
+          image: "quay.io/oauth2-proxy/oauth2-proxy:v7.2.1"
+          imagePullPolicy: "IfNotPresent"
+          envFrom:
+            - configMapRef:
+                name: oauth2-proxy
+            - secretRef:
+                name: oauth2-proxy
+          ports:
+            - containerPort: 9876
+              protocol: TCP
+
+          readinessProbe:
+            httpGet:
+              path: /ping
+              port: 9876
+              scheme: HTTP
+            failureThreshold: 3
+            periodSeconds: 10
+            successThreshold: 1
+            timeoutSeconds: 1
+          livenessProbe:
+            httpGet:
+              path: /ping
+              port: 9876
+              scheme: HTTP
+            failureThreshold: 3
+            periodSeconds: 10
+            successThreshold: 1
+            timeoutSeconds: 1
+
+---

+OAUTH2_PROXY_CLIENT_SECRET

+oauth2_proxy:
+  enabled: true
+  name: ""
+  config:
+    OAUTH2_PROXY_UPSTREAMS: ""
+    OAUTH2_PROXY_HTTP_ADDRESS: ""
+    OAUTH2_PROXY_COOKIE_DOMAINS: ""
+    OAUTH2_PROXY_COOKIE_SECRET: ""
+    OAUTH2_PROXY_CLIENT_ID: ""
+    OAUTH2_PROXY_ALLOWED_ROLES: ""
+    OAUTH2_PROXY_OIDC_ISSUER_URL: ""
+    OAUTH2_PROXY_WHITELIST_DOMAINS: ""
+    OAUTH2_PROXY_CLIENT_SECRET: ""
+  secret:
+    OAUTH2_PROXY_CLIENT_SECRET: ""

+bases:
+  - ../common/environments.yaml
+
+---
+releases:
+  - name: oauth2-proxy-{{ $.Values.oauth2_proxy.name }}
+    namespace: oauth2-proxy
+    chart: charts/oauth2-proxy
+    condition: oauth2_proxy.enabled
+    values:
+      - nameSuffix: -{{ $.Values.oauth2_proxy.name }}
+      - {{ .Values.oauth2_proxy.config | toYaml | nindent 8 }}
+    jsonPatches:
+      - target:
+          version: v1
+          group: apps
+          kind: Deployment
+          namespace: oauth2-proxy
+          name: oauth2-proxy-{{ $.Values.oauth2_proxy.name }}
+        patch:
+          - op: replace
+            path: /metadata/labels/app
+            value: oauth2-proxy-{{ $.Values.oauth2_proxy.name }}
+          - op: replace
+            path: /spec/selector/matchLabels/app
+            value: oauth2-proxy-{{ $.Values.oauth2_proxy.name }}
+          - op: replace
+            path: /spec/template/metadata/labels/app
+            value: oauth2-proxy-{{ $.Values.oauth2_proxy.name }}
+      - target:
+          version: v1
+          kind: Service
+          namespace: oauth2-proxy
+          name: oauth2-proxy-{{ $.Values.oauth2_proxy.name }}
+        patch:
+          - op: replace
+            path: /spec/selector/app
+            value: oauth2-proxy-{{ $.Values.oauth2_proxy.name }}
+    strategicMergePatches:
+      - apiVersion: v1
+        kind: ConfigMap
+        metadata:
+          namespace: oauth2-proxy
+          name: oauth2-proxy-{{ $.Values.oauth2_proxy.name }}
+        data:
+          {{ $.Values.oauth2_proxy.config | toYaml | nindent 12 }}
+      - apiVersion: v1
+        kind: Secret
+        metadata:
+          namespace: oauth2-proxy
+          name: oauth2-proxy-{{ $.Values.oauth2_proxy.name }}
+        data:
+          {{ $.Values.oauth2_proxy.secret | toYaml | nindent 12 }}
+