diff --git a/infra/app/Chart.yaml b/infra/app/Chart.yaml
index 2c2941e8b..70cbb5edd 100644
--- a/infra/app/Chart.yaml
+++ b/infra/app/Chart.yaml
@@ -15,7 +15,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.1.0
+version: 1.0.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
diff --git a/infra/app/templates/ingress.yaml b/infra/app/templates/ingress.yaml
index 3ee6b0520..3acd45dea 100644
--- a/infra/app/templates/ingress.yaml
+++ b/infra/app/templates/ingress.yaml
@@ -1,3 +1,36 @@
+# staff.berkeleytime.com ingress with oauth2 proxy
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: {{ .Release.Name }}-staff-ingress
+ labels:
+ {{- include "bt-app.labels" . | nindent 4 }}
+ annotations:
+ kubernetes.io/ingress.class: "nginx"
+ cert-manager.io/issuer: {{ .Values.issuerName }}
+ nginx.ingress.kubernetes.io/auth-url: "https://staff.{{ .Values.host }}/oauth2/auth"
+ nginx.ingress.kubernetes.io/auth-signin: "https://staff.{{ .Values.host }}/oauth2/start?rd=$escaped_request_uri"
+ nginx.ingress.kubernetes.io/auth-response-headers: "Authorization"
+spec:
+ ingressClassName: nginx
+ tls:
+ - hosts:
+ - staff.{{ .Values.host }}
+ secretName: bt-tls
+ rules:
+ - host: staff.{{ .Values.host }}
+ http:
+ paths:
+ - path: {{ .Values.frontend.path }}
+ pathType: Prefix
+ backend:
+ service:
+ name: {{ include "bt-app.frontendName" . }}-svc
+ port:
+ number: {{ .Values.port }}
+
+---
+# berkeleytime.com ingress
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
diff --git a/infra/base/Chart.yaml b/infra/base/Chart.yaml
index 96188278b..ed95479dc 100644
--- a/infra/base/Chart.yaml
+++ b/infra/base/Chart.yaml
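Review bot: The `auth-url` annotation on the new staff ingress points at the public hostname `https://staff.{{ .Values.host }}/oauth2/auth`, so every auth subrequest leaves nginx, re-enters through the ingress and needs a rule routing `/oauth2/` on that host to the oauth2-proxy service; the only rule in this hunk sends `{{ .Values.frontend.path }}` to the frontend, so unless the oauth2-proxy chart's own ingress claims `/oauth2` on this host, the subrequest lands on the frontend (or re-triggers the same annotation) and the protected page never loads. The usual form is the in-cluster service URL, `nginx.ingress.kubernetes.io/auth-url: "http://<oauth2-proxy-service>.bt.svc.cluster.local/oauth2/auth"` (service name placeholder, take it from the installed release), keeping `auth-signin` on the public host. `auth-response-headers: "Authorization"` only carries a value when oauth2-proxy runs with `--set-authorization-header`, which the values in this commit do not configure, and `kubernetes.io/ingress.class` is the deprecated form of the `ingressClassName: nginx` already set in `spec`. If the existing ingress below also issues into `secretName: bt-tls` through the `cert-manager.io/issuer` annotation, two ingress-shim Certificates would contend for the same Secret; that ingress's `spec` lies outside the hunk, so verify before merging.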
@@ -22,3 +22,7 @@ version: 0.1.0
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
 appVersion: "2.0.0-alpha"
+dependencies:
+ - name: "oauth2-proxy"
+ version: "7.11.0"
+ repository: "https://oauth2-proxy.github.io/manifests"
diff --git a/infra/base/templates/github-oauth-sealed-secret.yaml b/infra/base/templates/github-oauth-sealed-secret.yaml
new file mode 100644
index 000000000..e11edd727
--- /dev/null
+++ b/infra/base/templates/github-oauth-sealed-secret.yaml
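Review bot: `oauth2-proxy` is declared here as a subchart of `bt-base`, while the `infra/init.sh` hunk later in this commit also installs `oauth2-proxy/oauth2-proxy` as a separate release `bt-oauth2-proxy` in the same namespace; if `helm package --dependency-update` pulls this dependency and `bt-base` is installed, the proxy runs twice, each with its own cookie secret and config. Keep one: either rely on the subchart (the `oauth2-proxy:` block added to `values.yaml` already targets it) and drop the standalone install, or gate the dependency with a `condition:` field and keep the standalone release. Pinning `version: "7.11.0"` is good; the `Chart.lock` that the dependency update produces is not in the diff, so commit it unless the repository deliberately ignores it.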
@@ -0,0 +1,10 @@
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+ creationTimestamp: null
+ name: '{{ index .Values "oauth2-proxy" "config" "existingSecret" }}'
+spec:
+ encryptedData:
+ client-id: 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
+ client-secret: AgBMW2CPrJWMUO2aH8CzqkQqaMrXnFsokjYAhHf3ieMvnSLoGjt1vxpekHjGIxHN/VKRLJP5vfk4u7zPFJUPBgPa4+aMdqCqrWo3Zmxi1wRMz5F3N0HwCCi+FT7K1nUev0X3dQNTCNoZbdB+ggJFwaC0CmfqXFNFob62mYcvR4l5EFwH9Ol0oqF5u6jAuB5hZ0KozA1seeEmIxuvNZeq5PC/AEYDtQNLam01uF/GWFi4yza7xULt3WfzPFRdGaUS2G6S1/yYOSs7V0qxxjMCzkUQorm4RgppbMLIE1sBkA6ZfSQ+vTFD4AFm3DnQ36KM1qQxqtD62NKDrjHMtmOMO3/LHkkm/KmcoY2HpVEvV60pm6nXRaGWR0Z/XLJFrdXg4ovhxNw3irsaXRkmCjBEy82GBfJ5irwGcx3Q4uZu8pKYTNUp+Ks7MTa4Y+p6IS6xYahff4czbwcJpJaGD8KoBOh88QVP69lsSnfLHbrhVs6J3dmh8rdPoCr7C7pOUNS3yPc50WAy4K3uV3r2CyAnOhB0riEwmzGEEu3/eicYzUshMzofWhJc5DiybAoQDrynUm5rhbk3IakK6bIjGFN5fBYXw4Zs8ldH5RB5Wj9ePtLtOCnT8KOvUZzXc533iMoQidHex8Q29nZCckrRXkUc1kgOFSE57RyCnbG08z+vQZleBH0RdsCPACcWGEAPUxcKnTW4QD0EOAL/PNAIVLdSwQjAy3ThrfINFALzkug87ZxNyhXY3l1gNLu9
+ cookie-secret: AgAsLPL8n2m06jbupXxX8Jj0uPusQwG7W366hqj8G4k7vO3JfbHQXPxju9PZzWIN+5TSlUAK3HVuS1LE6dPjsawS2wQXDzjGWiADNlud4BrQajc8X4DfMBciAASv0W8ExGSgUI0VtdCGzs5IFtikDhsRvu6T5z1aC+6n97Uik5gA+1cNOoCEyJjvy/Gc4VhAgTp9Yz0GyfruU90P5YDNLjZOXZGG1AkmhzOTQhX4q1qRxn3vl84EQJrUzgR93MvzaQ6qZg4rbIc3DRNsTlxwcmf1LnbHFiet1zxojKnzBxULMuPLftMx61wlr+Xq18CKDZPq9uAQ2Rm0yKpWGKFd9jCrErIvZ1p2xlTT86P7InJu798rGkcRxsrXlNOMuNXI3pnQJKQeV2jXmUlo0JjlmBWPuCn7iUKI12mqh7vwSkuQ+k3HLccJLaSQt9VJQ46WLtTFFowxii0kGxdl20U+dsm/EA8P1axtkwSdpTE0xqHDRSkxHjDWiL7oxPf2aFbJjTGfa3nj9B8Pi0y2MmRM5AiU6KTuv4RlwHBjdWQ4p+a2Qzk3ttNVgFcRiMsGdLJrdoP2vlT6Tr/JUnl12BAzweYQPBM0/Q8Tn34sPpThUD/st6hFuA8YcrEDNdQzpWwT9O3KmRzaDHTfJqpX5/ZCBvRgZ2S2PbmldXqK2lxzNtCBcBVC85V8og2AJTx0I0qfZ2NH/JAE3ykkgQsW3O0giWz7BzkUo8Ev8FmMVoGuw8kMu2gTM9NnZNTOHnQHZf7sAPzPQcEGv+LHjVLZjfs1UV6z
\ No newline at end of file
diff --git a/infra/base/values.yaml b/infra/base/values.yaml
index 625369b55..0adb4d7ef 100644
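Review bot: The SealedSecret's `metadata.name` is templated from `.Values.oauth2-proxy.config.existingSecret`, but the ciphertext is bound to the name and namespace it was sealed for (strict scope is kubeseal's default), so a later edit to `existingSecret` in `values.yaml` renders a SealedSecret the controller cannot unseal, with nothing in this file explaining why. Record the sealing parameters next to the name, e.g. `# Sealed for name bt-github-oauth-secret in namespace bt (strict scope) with the cluster's kubeseal cert; re-seal with kubeseal if the name, namespace or controller key changes.` The manifest also has no `spec.template` (labels, type), which is acceptable for an opaque secret but worth stating in the same comment so nobody expects the unsealed Secret to carry chart labels. The file ends without a trailing newline.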
--- a/infra/base/values.yaml
+++ b/infra/base/values.yaml
@@ -4,3 +4,20 @@ acme:
 server: https://acme-v02.api.letsencrypt.org/directory
 cfApiTokenSecretName: cloudflare-api-token-stanfurdtime-secret
 ipAddressRange: 169.229.226.51-169.229.226.51
+
+oauth2-proxy:
+ config:
+ existingSecret: bt-github-oauth-secret
+ clientID: client-id
+ clientSecret: client-secret
+ cookieSecret: cookie-secret
+ provider: "github"
+ githubOrg: "asuc-octo"
+ githubTeam: "Berkeleytime"
+ emailDomains: ["*"]
+ upstreamTimeout: "30s"
+ cookie:
+ name: "_oauth2_proxy"
+ secure: true
+ httpOnly: true
+ expire: "4h"
\ No newline at end of file
diff --git a/infra/init.sh b/infra/init.sh
index 67dd9aee4..3b589effb 100755
--- a/infra/init.sh
+++ b/infra/init.sh
@@ -8,6 +8,7 @@ helm repo add bitnami-labs https://bitnami-labs.github.io/sealed-secrets/
 helm repo add cert-manager https://charts.jetstack.io
 helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
 helm repo add metallb https://metallb.github.io/metallb
+helm repo add oauth2-proxy https://oauth2-proxy.github.io/manifests
 
 # ===================
 # BASE INFRASTRUCTURE
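Review bot: The `config:` keys `provider`, `githubOrg`, `githubTeam`, `emailDomains`, `upstreamTimeout` and the `cookie:` block are not, as far as I recall, values the oauth2-proxy chart reads at 7.11.0: its `config` block takes the secret settings plus `configFile`, and other proxy flags go through `extraArgs`; a chart that silently ignores them starts the proxy with its default provider and without the org/team restriction that is the entire access control for the staff ingress. Render with `helm template` and confirm `--provider`, `--github-org` and `--github-team` actually reach the container before relying on this, and if they do not, move the restrictions into `configFile` or `extraArgs`. Separately, with `existingSecret` set, `clientID: client-id`, `clientSecret: client-secret` and `cookieSecret: cookie-secret` are not key names the chart looks up (it reads fixed keys from the secret) but literal credential values; they are unused today and would become the live client id and secret if `existingSecret` were ever removed, so drop them. `emailDomains: ["*"]` is fine only as long as the org/team gate is in force, which makes the first point the one to settle. The file ends without a trailing newline.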
@@ -16,13 +17,17 @@ helm repo add metallb https://metallb.github.io/metallb
 helm install bt-sealed-secrets bitnami-labs/sealed-secrets --version 2.17.0 --namespace=bt --create-namespace
 helm install bt-metallb metallb/metallb --version 0.14.9 --namespace=bt
 helm install bt-cert-manager cert-manager/cert-manager --set crds.enabled=true --version 1.16.2 --namespace=bt
-helm install bt-ingress-nginx ingress-nginx/ingress-nginx --version 4.12.0 --namespace=bt
 
 helm package ./infra/base --version 1.0.0 --dependency-update
 helm push ./bt-base-1.0.0.tgz oci://registry-1.docker.io/octoberkeleytime
 helm install bt-base oci://registry-1.docker.io/octoberkeleytime/bt-base --namespace=bt \
 --version=1.0.0
 
+# Install OAuth2 Proxy with values from base chart
+helm install bt-oauth2-proxy oauth2-proxy/oauth2-proxy \
+ --namespace=bt \
+ --values ./infra/base/values.yaml
+
 # ==========
 # BUILD CHARTS AND PUSH TO REGISTRY
 # ==========
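Review bot: `--values ./infra/base/values.yaml` hands the base chart's values file to the standalone `oauth2-proxy/oauth2-proxy` install, but in that file the proxy settings sit under a top-level `oauth2-proxy:` key (the subchart form), which the chart itself does not read, so this release comes up with default configuration; it is also the only `helm install` in the script without a `--version` pin, while `infra/base/Chart.yaml` in the same commit pins `7.11.0`. Since that commit already adds the chart as a dependency of `bt-base`, the simplest fix is to delete this block and let the subchart carry the values; if a standalone release is wanted instead, pin it and point it at a values file whose keys are at top level, e.g. `helm install bt-oauth2-proxy oauth2-proxy/oauth2-proxy --version 7.11.0 --namespace=bt --values <oauth2-proxy-values-file>`. The `helm install bt-ingress-nginx` line is removed and nothing visible installs ingress-nginx in its place, while the new staff ingress still requests `ingressClassName: nginx`; if that install moved to a chart dependency outside this diff, disregard this last point.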