diff --git a/deploy/asapo_helm_chart/asapo/.helmignore b/deploy/asapo_helm_chart/asapo/.helmignore
new file mode 100644
index 0000000000000000000000000000000000000000..0e8a0eb36f4ca2c939201c0d54b5d82a1ea34778
--- /dev/null
+++ b/deploy/asapo_helm_chart/asapo/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/deploy/asapo_helm_chart/asapo/Chart.yaml b/deploy/asapo_helm_chart/asapo/Chart.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..b73e5145fdc355c61dabf6e9264b0a5e946dbaa9
--- /dev/null
+++ b/deploy/asapo_helm_chart/asapo/Chart.yaml
@@ -0,0 +1,21 @@
+apiVersion: v2
+name: asapo
+description: A Helm chart for Kubernetes
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+version: 0.1.0
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application.
+appVersion: 1.16.0
diff --git a/deploy/asapo_helm_chart/asapo/configs/authorizer.json b/deploy/asapo_helm_chart/asapo/configs/authorizer.json
new file mode 100644
index 0000000000000000000000000000000000000000..3a6784d5b25e540dfe811deb8df95bbe5a6d983c
--- /dev/null
+++ b/deploy/asapo_helm_chart/asapo/configs/authorizer.json
@@ -0,0 +1,12 @@
+{
+  "Port": 5007,
+  "LogLevel":"debug",
+  "AlwaysAllowedBeamtimes":[{"beamtimeId":"asapo_test","beamline":"test","core-path":"{{ .Values.common.offlineDir }}/test_facility/gpfs/test/2019/data/asapo_test"},
+  {"beamtimeId":"asapo_test1","beamline":"test1","core-path":"{{ .Values.common.offlineDir }}/test_facility/gpfs/test1/2019/data/asapo_test1"},
+  {"beamtimeId":"asapo_test2","beamline":"test2","core-path":"{{ .Values.common.offlineDir }}/test_facility/gpfs/test2/2019/data/asapo_test2"}],
+  "RootBeamtimesFolder":"{{ .Values.common.offlineDir }}",
+  "CurrentBeamlinesFolder":"{{ .Values.common.onlineDir }}",
+  "SecretFile":"/etc/authorizer/auth_secret.key",
+  "TokenDurationMin":600
+}
+
diff --git a/deploy/asapo_helm_chart/asapo/templates/NOTES.txt b/deploy/asapo_helm_chart/asapo/templates/NOTES.txt
new file mode 100644
index 0000000000000000000000000000000000000000..8b137891791fe96927ad78e64b0aad7bded08bdc
--- /dev/null
+++ b/deploy/asapo_helm_chart/asapo/templates/NOTES.txt
@@ -0,0 +1 @@
+
diff --git a/deploy/asapo_helm_chart/asapo/templates/_helpers.tpl b/deploy/asapo_helm_chart/asapo/templates/_helpers.tpl
new file mode 100644
index 0000000000000000000000000000000000000000..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391
diff --git a/deploy/asapo_helm_chart/asapo/templates/auth-secret.yaml b/deploy/asapo_helm_chart/asapo/templates/auth-secret.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..b90f8bf216f66deb745bc042d044c9e1302bae49
--- /dev/null
+++ b/deploy/asapo_helm_chart/asapo/templates/auth-secret.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: auth-secret
+type: Opaque
+data:
+  auth_secret.key: {{ .Values.common.authSecret | b64enc | quote }}
diff --git a/deploy/asapo_helm_chart/asapo/templates/authorizer-config.yaml b/deploy/asapo_helm_chart/asapo/templates/authorizer-config.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..a20024084eccb1a73c4d17d597872e98a7c413f6
--- /dev/null
+++ b/deploy/asapo_helm_chart/asapo/templates/authorizer-config.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: authorizer-config
+data:
+  authorizer.json:  {{ tpl (.Files.Get "configs/authorizer.json") . | quote }}
diff --git a/deploy/asapo_services_kubernetes/deployments/authorizer.yaml b/deploy/asapo_helm_chart/asapo/templates/authorizer-deployment.yaml
similarity index 56%
rename from deploy/asapo_services_kubernetes/deployments/authorizer.yaml
rename to deploy/asapo_helm_chart/asapo/templates/authorizer-deployment.yaml
index d9e66c0cf554c3889a10e38a0d9738f005198e00..5d10a256e51adb58a5e78e030d77be6839094ead 100644
--- a/deploy/asapo_services_kubernetes/deployments/authorizer.yaml
+++ b/deploy/asapo_helm_chart/asapo/templates/authorizer-deployment.yaml
@@ -1,34 +1,3 @@
-apiVersion: v1
-kind: Service
-metadata:
-  name: authorizer
-spec:
-  type: NodePort
-  ports:
-    - protocol: TCP
-      port: 5007
-  selector:
-    app: authorizer
-
----
-apiVersion: networking.k8s.io/v1beta1
-kind: Ingress
-metadata:
-  name: ingress-authorizer
-  annotations:
-    kubernetes.io/ingress.class: "nginx"
-    nginx.ingress.kubernetes.io/rewrite-target: /$2
-    nginx.ingress.kubernetes.io/whitelist-source-range: 131.169.0.0/16
-spec:
-  rules:
-    - host: "*.desy.de"
-      http:
-        paths:
-          - path: /authorizer(/|$)(.*)
-            backend:
-              serviceName: authorizer
-              servicePort: 5007
----
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -36,7 +5,7 @@ metadata:
   labels:
     app: authorizer
 spec:
-  replicas: 1
+  replicas: {{ .Values.authorizer.replicaCount }}
   selector:
     matchLabels:
       app: authorizer
@@ -44,6 +13,9 @@ spec:
     metadata:
       labels:
         app: authorizer
+      annotations:
+        checksum/config: {{ include (print $.Template.BasePath "/authorizer-config.yaml") . | sha256sum }}
+        checksum/secret: {{ include (print $.Template.BasePath "/auth-secret.yaml") . | sha256sum }}
     spec:
       volumes:
         - name: all-in-one
diff --git a/deploy/asapo_helm_chart/asapo/templates/authorizer-ingress.yaml b/deploy/asapo_helm_chart/asapo/templates/authorizer-ingress.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..05ab95cee6cda1198473465f69f26624c90fe325
--- /dev/null
+++ b/deploy/asapo_helm_chart/asapo/templates/authorizer-ingress.yaml
@@ -0,0 +1,17 @@
+apiVersion: networking.k8s.io/v1beta1
+kind: Ingress
+metadata:
+  name: ingress-authorizer
+  annotations:
+    kubernetes.io/ingress.class: "nginx"
+    nginx.ingress.kubernetes.io/rewrite-target: /$2
+    nginx.ingress.kubernetes.io/whitelist-source-range: 131.169.0.0/16
+spec:
+  rules:
+    - host: "*.desy.de"
+      http:
+        paths:
+          - path: /authorizer(/|$)(.*)
+            backend:
+              serviceName: authorizer
+              servicePort: 5007
diff --git a/deploy/asapo_helm_chart/asapo/templates/authorizer-service.yaml b/deploy/asapo_helm_chart/asapo/templates/authorizer-service.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..a67faa7a1491206aa7be8c6732ba97a4ac85d3d1
--- /dev/null
+++ b/deploy/asapo_helm_chart/asapo/templates/authorizer-service.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: authorizer
+spec:
+  type: ClusterIP
+  ports:
+    - protocol: TCP
+      port: 5007
+  selector:
+    app: authorizer
diff --git a/deploy/asapo_helm_chart/asapo/values.yaml b/deploy/asapo_helm_chart/asapo/values.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..93881838d848daf35cc7046354ac28a3b98cb64f
--- /dev/null
+++ b/deploy/asapo_helm_chart/asapo/values.yaml
@@ -0,0 +1,7 @@
+authorizer:
+  replicaCount: 1
+
+common:
+  authSecret: "blabla"
+  offlineDir: "/test_offline1"
+  onlineDir: "/test_online"
diff --git a/deploy/asapo_services_kubernetes/deployments/auth_secret.key b/deploy/asapo_services_kubernetes/deployments/auth_secret.key
deleted file mode 100644
index 5055920bec9ad5cd4c48cd6de6bf153ce9693b9c..0000000000000000000000000000000000000000
--- a/deploy/asapo_services_kubernetes/deployments/auth_secret.key
+++ /dev/null
@@ -1 +0,0 @@
-sadhfi334yxan123
\ No newline at end of file
diff --git a/deploy/asapo_services_kubernetes/deployments/authorizer.json b/deploy/asapo_services_kubernetes/deployments/authorizer.json
deleted file mode 100644
index cd622cf1de8d44e8a1dfd23f3ebdda34ae4e397e..0000000000000000000000000000000000000000
--- a/deploy/asapo_services_kubernetes/deployments/authorizer.json
+++ /dev/null
@@ -1,11 +0,0 @@
-{
-  "Port": 5007,
-  "LogLevel":"debug",
-  "AlwaysAllowedBeamtimes":[{"beamtimeId":"asapo_test","beamline":"test","core-path":"/offline_dir/test_facility/gpfs/test/2019/data/asapo_test"},
-  {"beamtimeId":"asapo_test1","beamline":"test1","core-path":"/offline_dir/test_facility/gpfs/test1/2019/data/asapo_test1"},
-  {"beamtimeId":"asapo_test2","beamline":"test2","core-path":"/offline_dir/test_facility/gpfs/test2/2019/data/asapo_test2"}],
-  "RootBeamtimesFolder":"/offline_dir",
-  "CurrentBeamlinesFolder":"/online_dir",
-  "SecretFile":"/etc/authorizer/auth_secret.key",
-  "TokenDurationMin":600
-}
diff --git a/deploy/asapo_services_kubernetes/deployments/kustomization.yaml b/deploy/asapo_services_kubernetes/deployments/kustomization.yaml
deleted file mode 100644
index a1d03be1d455b332e1751436ce24533cb45ddb35..0000000000000000000000000000000000000000
--- a/deploy/asapo_services_kubernetes/deployments/kustomization.yaml
+++ /dev/null
@@ -1,12 +0,0 @@
-configMapGenerator:
-  - name: authorizer-config
-    files:
-      - authorizer.json
-
-secretGenerator:
-  - name: auth-secret
-    files:
-      - auth_secret.key
-
-resources:
-  - authorizer.yaml