diff --git a/demo01-kafka-ui3/values.yaml b/demo01-kafka-ui3/values.yaml
new file mode 100644
index 0000000..90e0f87
--- /dev/null
+++ b/demo01-kafka-ui3/values.yaml
@@ -0,0 +1,52 @@
+#version: kafka-ui, 1.5.1
+image:
+  registry: docker.io
+  repository: wbsong111/kafka-ui
+  tag: "v1.3.0"
+  pullPolicy: IfNotPresent
+yamlApplicationConfig:
+  kafka:
+    clusters:
+    - name: kafka-cluster
+      bootstrapServers: SASL_PLAINTEXT://kafka-cluster-kafka-tls-bootstrap.kafka-cluster.svc.cluster.local:9093
+      properties:
+        security.protocol: SASL_PLAINTEXT
+        sasl.mechanism: OAUTHBEARER
+        sasl.jaas.config: |
+          org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule required 
+          oauth.token.endpoint.uri="https://keycloak.gke.paasup.io/realms/paasup/protocol/openid-connect/token" 
+          oauth.client.id="service-demo01-kafka-common" 
+          oauth.client.secret="e1eab0a7-ac78-460f-9477-73a910d8871b"
+          oauth.ssl.truststore.location="/etc/kafka/secrets/truststore.jks"
+          oauth.ssl.truststore.password="kafka";
+        sasl.login.callback.handler.class: "io.strimzi.kafka.oauth.client.JaasClientOauthLoginCallbackHandler"
+  auth:
+    type: disabled
+
+  management:
+    health:
+      ldap:
+        enabled: false
+
+volumes:
+  - name: truststore
+    secret:
+      secretName: truststore
+
+volumeMounts:
+  - name: truststore
+    mountPath: /etc/kafka/secrets
+    readOnly: true    
+
+ingress:
+  enabled: true
+  annotations:
+    cert-manager.io/cluster-issuer: "root-ca-issuer"
+    cert-manager.io/duration: 8760h
+    cert-manager.io/renew-before: 720h
+    kubernetes.io/ingress.class: kong
+    konghq.com/protocols: https
+  host: "demo01-kafka-ui3.gke.paasup.io"
+  tls:
+    enabled: true
+    secretName: "demo01-kafka-ui3-tls-secret"
\ No newline at end of file