diff --git a/unleash/helm/unleash/Chart.lock b/unleash/helm/unleash/Chart.lock
index 4a5f09bb2..f0a335fb7 100644
--- a/unleash/helm/unleash/Chart.lock
+++ b/unleash/helm/unleash/Chart.lock
@@ -5,5 +5,8 @@ dependencies:
 - name: unleash
 repository: https://docs.getunleash.io/helm-charts
 version: 2.8.0
-digest: sha256:552bc226be5e707e130af94d16402b37a8588fe3be7c7eca90dd275ffa3a2cd3
-generated: "2023-04-15T05:20:25.085317+02:00"
+- name: oidc-config
+ repository: https://pluralsh.github.io/module-library
+ version: 0.1.6
+digest: sha256:e72b181785ed4af17a09f15eb96d8ed5eb97de0017d026e0847f2fc521317e01
+generated: "2023-04-15T13:09:41.222634+02:00"
diff --git a/unleash/helm/unleash/Chart.yaml b/unleash/helm/unleash/Chart.yaml
index cab5a7b3a..1c47b01d9 100644
--- a/unleash/helm/unleash/Chart.yaml
+++ b/unleash/helm/unleash/Chart.yaml
@@ -10,4 +10,8 @@ dependencies:
 repository: https://pluralsh.github.io/module-library
 - name: unleash
 version: 2.8.0
- repository: https://docs.getunleash.io/helm-charts
\ No newline at end of file
+ repository: https://docs.getunleash.io/helm-charts
+- name: oidc-config
+ version: 0.1.6
+ repository: https://pluralsh.github.io/module-library
+ condition: oidc-config.enabled
\ No newline at end of file
diff --git a/unleash/helm/unleash/charts/oidc-config-0.1.6.tgz b/unleash/helm/unleash/charts/oidc-config-0.1.6.tgz
new file mode 100644
index 000000000..6369d78af
Binary files /dev/null and b/unleash/helm/unleash/charts/oidc-config-0.1.6.tgz differ
diff --git a/unleash/helm/unleash/templates/ingress.yaml b/unleash/helm/unleash/templates/ingress.yaml
new file mode 100644
index 000000000..8a13fb344
--- /dev/null
+++ b/unleash/helm/unleash/templates/ingress.yaml
@@ -0,0 +1,61 @@
+{{- if .Values.ingress.enabled -}}
+{{- $fullName := index .Values "oidc-config" "service" "name" -}}
+{{- $svcPort := index .Values "oidc-config" "service" "webPort" -}}
+{{- if and .Values.ingress.className (not (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion)) }}
+ {{- if not (hasKey .Values.ingress.annotations "kubernetes.io/ingress.class") }}
+ {{- $_ := set .Values.ingress.annotations "kubernetes.io/ingress.class" .Values.ingress.className}}
+ {{- end }}
+{{- end }}
+{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}}
+apiVersion: networking.k8s.io/v1
+{{- else if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}}
+apiVersion: networking.k8s.io/v1beta1
+{{- else -}}
+apiVersion: extensions/v1beta1
+{{- end }}
+kind: Ingress
+metadata:
+ name: {{ $fullName }}
+ labels:
+ {{- include "unleash-plural.labels" . | nindent 4 }}
+ {{- with .Values.ingress.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+ {{- if and .Values.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }}
+ ingressClassName: {{ .Values.ingress.className }}
+ {{- end }}
+ {{- if .Values.ingress.tls }}
+ tls:
+ {{- range .Values.ingress.tls }}
+ - hosts:
+ {{- range .hosts }}
+ - {{ . | quote }}
+ {{- end }}
+ secretName: {{ .secretName }}
+ {{- end }}
+ {{- end }}
+ rules:
+ {{- range .Values.ingress.hosts }}
+ - host: {{ .host | quote }}
+ http:
+ paths:
+ {{- range .paths }}
+ - path: {{ .path }}
+ {{- if and .pathType (semverCompare ">=1.18-0" $.Capabilities.KubeVersion.GitVersion) }}
+ pathType: {{ .pathType }}
+ {{- end }}
+ backend:
+ {{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }}
+ service:
+ name: {{ $fullName }}
+ port:
+ number: {{ $svcPort }}
+ {{- else }}
+ serviceName: {{ $fullName }}
+ servicePort: {{ $svcPort }}
+ {{- end }}
+ {{- end }}
+ {{- end }}
+{{- end }}
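Review bot: The Ingress is gated only on `.Values.ingress.enabled` while its backend name and port are read from `index .Values "oidc-config" "service"`, so `ingress.enabled: true` with `oidc-config.enabled: false` (the defaults in values.yaml, and the subchart `condition` in Chart.yaml) renders an Ingress whose backend Service is never created. Since this Ingress exists to route through the oauth2-proxy rather than straight to Unleash, gate it on both, `{{- if and .Values.ingress.enabled (index .Values "oidc-config" "enabled") -}}` on the first line, and state the coupling in values.yaml with a comment such as `# Ingress in front of the oidc-config (oauth2-proxy) Service; requires oidc-config.enabled`. The `kubernetes.io/ingress.class` fallback calls `set` on `.Values.ingress.annotations`, which values.yaml leaves undefined; on a pre-1.18 cluster with `className` set that is presumably a write into a nil map, so default `annotations: {}` in values.yaml.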
diff --git a/unleash/helm/unleash/values.yaml b/unleash/helm/unleash/values.yaml index b5c0e4a2e..3978eb6fb 100644 --- a/unleash/helm/unleash/values.yaml +++ b/unleash/helm/unleash/values.yaml @@ -26,3 +26,17 @@ unleash: key: password ssl: '{\"rejectUnauthorized\": false}' +oidc-config: + enabled: false + service: + name: unleash-oauth2-proxy + selector: + app.kubernetes.io/instance: unleash + app.kubernetes.io/name: unleash + secret: + upstream: http://localhost:4242 + env: + OAUTH2_PROXY_UPSTREAM_TIMEOUT: '120s' + +ingress: + enabled: false \ No newline at end of file diff --git a/unleash/helm/unleash/values.yaml.tpl b/unleash/helm/unleash/values.yaml.tpl index 546f9b309..0a2dcf593 100644 --- a/unleash/helm/unleash/values.yaml.tpl +++ b/unleash/helm/unleash/values.yaml.tpl @@ -1,4 +1,8 @@ unleash: + {{- if .OIDC }} + ingress: + enabled: false + {{ else }} ingress: enabled: true className: "nginx" @@ -14,10 +18,11 @@ unleash: - secretName: unleash-tls hosts: - {{ .Values.hostname }} + {{ end }} env: - name: UNLEASH_URL value: {{ .Values.hostname }} - {{ if .SMTP }} + {{ if .SMTP }} - name: EMAIL_SERVER_HOST value: {{ .SMTP.Server }} - name: EMAIL_SERVER_USER 
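Review bot: `secret:` under `oidc-config` is a bare key, which YAML parses as `null` rather than an empty mapping; write `secret: {}` (or omit the key) so the subchart and value overrides merge into a map. `upstream: http://localhost:4242` is the only place the proxy-to-app path is stated and deserves a comment, e.g. `# oauth2-proxy upstream: the Unleash container in the same pod, over loopback`. The top-level `ingress.enabled: false` is this chart's own Ingress (templates/ingress.yaml) in front of the proxy, distinct from the subchart's `unleash.ingress`; a one-line comment saying so would keep the two from being confused.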
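Review bot: The new conditional mixes trim markers: `{{- if .OIDC }}` strips the preceding newline while `{{ else }}` and the `{{ end }}` added in the next hunk do not, leaving whitespace-only lines inside the rendered `unleash:` mapping; use one form on all three, e.g. `{{- if .OIDC }}` / `{{- else }}` / `{{- end }}`. The reason the subchart Ingress is switched off under OIDC — the chart's own Ingress further down this file fronts the oauth2-proxy instead — is not stated; a template comment above the `if`, such as `{{- /* Under OIDC the oauth2-proxy ingress defined below replaces the subchart ingress */ -}}`, would help the next maintainer.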
@@ -28,4 +33,43 @@ unleash:
 value: {{ .SMTP.Port }}
 - name: EMAIL_FROM
 value: {{ .SMTP.Sender }}
- {{ end }}
\ No newline at end of file
+ {{ end }}
+{{ if .OIDC }}
+ - name: AUTH_TYPE
+ value: none
+ podLabels:
+ security.plural.sh/inject-oauth-sidecar: "true"
+ podAnnotations:
+ security.plural.sh/oauth-env-secret: "unleash-proxy-config"
+ {{ if .Values.users }}
+ security.plural.sh/htpasswd-secret: httpaswd-users
+ {{ end }}
+{{ $prevSecret := dedupe . "unleash.oidc-config.cookieSecret" (randAlphaNum 32) }}
+oidc-config:
+ enabled: true
+ secret:
+ name: unleash-proxy-config
+ issuer: {{ .OIDC.Configuration.Issuer }}
+ clientID: {{ .OIDC.ClientId }}
+ clientSecret: {{ .OIDC.ClientSecret }}
+ cookieSecret: {{ dedupe . "unleash.oidc-config.secret.cookieSecret" $prevSecret }}
+ {{ if .Values.users }}
+ users:
+ {{ toYaml .Values.users | nindent 4 }}
+ {{ end }}
+ingress:
+ enabled: true
+ className: "nginx"
+ annotations:
+ kubernetes.io/tls-acme: "true"
+ cert-manager.io/cluster-issuer: letsencrypt-prod
+ hosts:
+ - host: {{ .Values.hostname }}
+ paths:
+ - path: '/'
+ pathType: ImplementationSpecific
+ tls:
+ - secretName: unleash-tls
+ hosts:
+ - {{ .Values.hostname }}
+{{ end }}
\ No newline at end of file
diff --git a/unleash/plural/notes.tpl b/unleash/plural/notes.tpl
index 100e842a3..ebb0f52e9 100644
--- a/unleash/plural/notes.tpl
+++ b/unleash/plural/notes.tpl
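Review bot: `AUTH_TYPE` set to `none` turns off Unleash's own authentication, so under OIDC the only access control is the injected oauth2-proxy sidecar (values.yaml points it at `http://localhost:4242`); if the Unleash container still listens on the pod IP, anything in the cluster that can reach port 4242 directly gets an unauthenticated UI, so confirm the app is bound to loopback or add a NetworkPolicy admitting only the proxy's port, and record that next to the env entry: `# Built-in auth is off: the oauth2-proxy sidecar is the sole gate, so the app port must only be reachable via the proxy`. The templated values `issuer`, `clientID`, `clientSecret` and `cookieSecret` are emitted unquoted, so a value that is empty, all digits, or starts with a YAML indicator changes type or breaks the parse; emit them as `clientSecret: {{ .OIDC.ClientSecret | quote }}` and likewise for the other three. `security.plural.sh/htpasswd-secret: httpaswd-users` looks like a misspelling of `htpasswd-users`; it is only correct if the Secret materialised for `.Values.users` carries exactly that name, so check it against whatever creates that Secret.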
@@ -1,3 +1,8 @@
 Your unleash installation is available at https://{{ .Values.hostname }}
-The default login is admin/unleash4all.
-We strongly recommend you change it at https://{{ .Values.hostname }}/profile/change-password
\ No newline at end of file
+{{ if .OIDC }}
+Your directus has been configured with OAuth against your plural account!
+{{ else }}
+You are using standard username/password authentication, so user management will be manual.
+The default login is admin/unleash4all. We recommend to change it at https://{{ .Values.hostname }}/profile/change-password
+We strongly recommend that you consider installing with OIDC enabled.
+{{ end }}
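Review bot: The OIDC branch reads `Your directus has been configured with OAuth against your plural account!`, a copy-paste from another application's notes that will be shown to Unleash users; change it to `Your unleash installation has been configured with OAuth against your plural account!`. In the else branch, `We recommend to change it` should read `We recommend changing it`.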