Chg: update image tag in helm values to v3.2.0-RC1

Merge pull request #282 from Telecominfraproject/WIFI-14014-upgrade-kafka-wo-zookeeper
Wifi 14014 upgrade kafka wo zookeeper
2026-03-20 03:40:49 +00:00 · 2024-09-11 17:51:03 +00:00 · 2024-08-06 09:43:35 -04:00 · 2024-08-06 09:37:20 -04:00 · 2024-08-02 14:07:01 -04:00 · 2024-08-02 12:57:46 -04:00
73 changed files with 3195 additions and 806 deletions
--- a/.github/git-release-tool/git-release-tool.sh
+++ b/.github/git-release-tool/git-release-tool.sh
@@ -51,7 +51,7 @@ usage() {
  echo "    docker_compose_name: OWPROVUI # name of environment variable in docker-compose .env file containing image tag for the service"
  log_notice
  log_notice "List of required environment variables:"
-  log_notice "- RELEASE_VERSION - release version that should be applied to repositories. Should comply release nameing policy (valid example - 'v2.0.0')"
+  log_notice "- RELEASE_VERSION - release version that should be applied to repositories. Should comply release nameing policy (valid example - 'v2.0.0' or 'v2.0.1')"
  log_notice "- TAG_TYPE - type of tag that should be created for release (supported values - RC / FINAL)"
  log_notice "- GIT_PUSH_CONFIRMED - confirmation that any changes should be pushed to git (dry-run if unset, set to 'true' to enable)"
  log_notice
@@ -86,20 +86,21 @@ set_log_verbosity_number() {
 modify_deploy_repo_values() {
  NEW_RELEASE_TAG=$1
  log_debug "NEW_RELEASE_TAG - $NEW_RELEASE_TAG"
-  REPOSITORIES_AMOUNT=$(cat ../repositories.yaml | yq ".repositories[].name" -r | wc -l)
+  REPOSITORIES_AMOUNT=$(cat ../release.repositories.yaml | yq ".repositories[].name" -r | wc -l)
  for REPO_INDEX in $(seq 0 $(expr $REPOSITORIES_AMOUNT - 1)); do
-    REPO_URL=$(cat ../repositories.yaml | yq ".repositories[$REPO_INDEX].url" -r)
+    REPO_URL=$(cat ../release.repositories.yaml | yq ".repositories[$REPO_INDEX].url" -r)
    REPO_NAME_SUFFIXED=$(echo $REPO_URL | awk -F '/' '{print $NF}')
    REPO_NAME_WITHOUT_SUFFIX=${REPO_NAME_SUFFIXED%.git}
-    REPO_DOCKER_COMPOSE_NAME=$(cat ../repositories.yaml | yq ".repositories[$REPO_INDEX].docker_compose_name" -r)
+    REPO_DOCKER_COMPOSE_NAME=$(cat ../release.repositories.yaml | yq ".repositories[$REPO_INDEX].docker_compose_name" -r)
    SERVICE_TAG="${REPO_TAGS_ARRAY[$REPO_INDEX]}"
    log_debug "REPO_NAME_WITHOUT_SUFFIX - $REPO_NAME_WITHOUT_SUFFIX"
    sed "s/$REPO_DOCKER_COMPOSE_NAME=.*/$REPO_DOCKER_COMPOSE_NAME=$SERVICE_TAG/" -i docker-compose/.env
    sed "s/$REPO_DOCKER_COMPOSE_NAME=.*/$REPO_DOCKER_COMPOSE_NAME=$SERVICE_TAG/" -i docker-compose/.env.letsencrypt
    sed "s/$REPO_DOCKER_COMPOSE_NAME=.*/$REPO_DOCKER_COMPOSE_NAME=$SERVICE_TAG/" -i docker-compose/.env.selfsigned
    sed "/${REPO_NAME_WITHOUT_SUFFIX#*/}@/s/ref=.*/ref=$SERVICE_TAG\"/g" -i chart/Chart.yaml
+    sed "/repository: tip-tip-wlan-cloud-ucentral.jfrog.io\/clustersysteminfo/!b;n;s/tag: .*/tag: $NEW_RELEASE_TAG/" -i chart/values.yaml
  done
-  LATEST_RELEASE_TAG=$(git tag | grep $CURRENT_RELEASE_VERSION | tail -1)
+  LATEST_RELEASE_TAG=$(git tag | grep $RELEASE_VERSION | tail -1)
  if [[ "$(git diff | wc -l)" -eq "0" ]] && [[ "$(git diff $LATEST_RELEASE_TAG)" -eq "0" ]]; then
    log_info "No changes in microservices and since the latest tag are found, new release is not required"
  else
@@ -135,21 +136,20 @@ push_changes() {
 }

 create_tag() {
-  CURRENT_RELEASE_VERSION=$(git rev-parse --abbrev-ref HEAD | awk -F 'release/' '{print $2}')
  TAG_TYPE_LOWERED=$(echo $TAG_TYPE | tr '[:upper:]' '[:lower:]')
  if [[ "$TAG_TYPE_LOWERED" == "final" ]]; then
    log_debug "Creating final tag"
-    modify_values $CURRENT_RELEASE_VERSION
-    git tag $CURRENT_RELEASE_VERSION
+    modify_values $RELEASE_VERSION
+    git tag $RELEASE_VERSION
    push_changes
-    REPO_TAGS_ARRAY+=($CURRENT_RELEASE_VERSION)
+    REPO_TAGS_ARRAY+=($RELEASE_VERSION)
  else
    log_debug "Checking if there are tags in the current release branch"
-    LATEST_RELEASE_TAG=$(git tag | grep $CURRENT_RELEASE_VERSION | tail -1)
+    LATEST_RELEASE_TAG=$(git tag | grep $RELEASE_VERSION | tail -1)
    log_debug "Latest release tag found - '$LATEST_RELEASE_TAG'"
    if [[ -z "$LATEST_RELEASE_TAG" ]]; then
      log_info "There are no tags in the release branch, creating the first one"
-      NEW_RELEASE_TAG=$CURRENT_RELEASE_VERSION-RC1
+      NEW_RELEASE_TAG=$RELEASE_VERSION-RC1
      log_debug "New tag - $NEW_RELEASE_TAG"
      modify_values $NEW_RELEASE_TAG
      git tag $NEW_RELEASE_TAG
@@ -160,7 +160,7 @@ create_tag() {
        NEW_RC=$(echo $LATEST_RELEASE_TAG | awk -F 'RC' '{print $2}')
        NEW_RC=$(expr $NEW_RC + 1)
        log_debug "New RC to create - $NEW_RC"
-        NEW_RELEASE_TAG=$CURRENT_RELEASE_VERSION-RC$NEW_RC
+        NEW_RELEASE_TAG=$RELEASE_VERSION-RC$NEW_RC
        modify_deploy_repo_values $NEW_RELEASE_TAG
        if [[ "v$(cat chart/Chart.yaml | yq '.version' -r)" == "$NEW_RELEASE_TAG" ]]; then
          git add .
@@ -186,7 +186,7 @@ create_tag() {
          NEW_RC=$(echo $LATEST_RELEASE_TAG | awk -F 'RC' '{print $2}')
          NEW_RC=$(expr $NEW_RC + 1)
          log_debug "New RC to create - $NEW_RC"
-          NEW_RELEASE_TAG=$CURRENT_RELEASE_VERSION-RC$NEW_RC
+          NEW_RELEASE_TAG=$RELEASE_VERSION-RC$NEW_RC
          modify_values $NEW_RELEASE_TAG
          git tag $NEW_RELEASE_TAG
          push_changes
@@ -199,22 +199,51 @@ create_tag() {
 }

 check_final_tag() {
-  CURRENT_RELEASE_VERSION=$(git rev-parse --abbrev-ref HEAD | awk -F 'release/' '{print $2}')
-  log_debug "Amount of final tags found - $(git tag | grep -x $CURRENT_RELEASE_VERSION | wc -l)"
-  if [[ "$(git tag | grep -x $CURRENT_RELEASE_VERSION | wc -l)" -gt "0" ]]; then
-    log_error "Final tag $CURRENT_RELEASE_VERSION already exists in release branch"
+  log_debug "Amount of final tags found - $(git tag | grep -x $RELEASE_VERSION | wc -l)"
+  if [[ "$(git tag | grep -x $RELEASE_VERSION | wc -l)" -gt "0" ]]; then
+    log_error "Final tag $RELEASE_VERSION already exists in release branch"
    exit 1
  fi
 }

 check_git_tags() {
-  CURRENT_RELEASE_VERSION=$(git rev-parse --abbrev-ref HEAD | awk -F 'release/' '{print $2}')
-  RELEASE_TAGS_AMOUNT=$(git tag | grep $CURRENT_RELEASE_VERSION | wc -l)
-  log_debug "Amount of tags linked with the release - $RELEASE_TAGS_AMOUNT"
-  if [[ "$RELEASE_TAGS_AMOUNT" -gt "0" ]]; then
-    check_final_tag
+  if [[ "${#REPO_TAGS_ARRAY[@]}" -eq "0" ]] && [[ "$(basename $PWD)" == "deploy" ]]; then
+    log_info "This deploy clone run is required to get repositories tied to the release, we will make changes later."
+  else
+    RELEASE_TAGS_AMOUNT=$(git tag | grep $RELEASE_VERSION | wc -l)
+    log_info "Checking if there are any tags for current version ($RELEASE_VERSION)"
+    log_debug "Amount of tags linked with the release - $RELEASE_TAGS_AMOUNT"
+    if [[ "$RELEASE_TAGS_AMOUNT" -gt "0" ]]; then
+      log_info "Tags for release $RELEASE_VERSION are found, checking if final tag exist"
+      check_final_tag
+      create_tag
+    else
+      log_info "No tags found for current version, checking if there are any tags for release branch ($RELEASE_BRANCH_VERSION_BASE)"
+      RELEASE_BRANCH_TAGS_AMOUNT=$(git tag | grep $RELEASE_BRANCH_VERSION_BASE | wc -l)
+      log_debug "Amount of tags linked with the release branch - $RELEASE_BRANCH_TAGS_AMOUNT"
+      if [[ "$RELEASE_BRANCH_TAGS_AMOUNT" -gt "0" ]]; then
+        log_info "Tags for $RELEASE_BRANCH_VERSION_BASE are found, finding the latest one"
+        RELEASE_BRANCH_TAG_FINAL=$(git tag | grep $RELEASE_BRANCH_VERSION_BASE | grep -v 'RC' | tail -1)
+        if [[ ! -z "$RELEASE_BRANCH_TAG_FINAL" ]]; then
+          RELEASE_BRANCH_TAG=$RELEASE_BRANCH_TAG_FINAL
+        else
+          RELEASE_BRANCH_TAG=$(git tag | grep $RELEASE_BRANCH_VERSION_BASE | tail -1)
+        fi
+        log_info "Latest release tag in $RELEASE_BRANCH_VERSION_BASE - $RELEASE_BRANCH_TAG. Checking if there are changes since then"
+        DIFF_LINES_AMOUNT=$(git diff $RELEASE_BRANCH_TAG | wc -l)
+        if [[ "$DIFF_LINES_AMOUNT" -eq "0" ]]; then
+          log_info "No changes found since the latest release tag ($RELEASE_BRANCH_TAG), using it for new version"
+          REPO_TAGS_ARRAY+=($RELEASE_BRANCH_TAG)
+        else
+          log_info "Changes are found in the branch, creating a new tag"
+          create_tag
+        fi
+      else
+        log_info "Tags for $RELEASE_BRANCH_VERSION_BASE not found, creating new one"
+        create_tag
+      fi
+    fi
  fi
-  create_tag
 }

 check_release_branch() {
@@ -224,8 +253,8 @@ check_release_branch() {
 }

 create_release_branch() {
-  git checkout -b release/$RELEASE_VERSION -q
-  check_release_branch release/$RELEASE_VERSION
+  git checkout -b release/$RELEASE_BRANCH_VERSION -q
+  check_release_branch release/$RELEASE_BRANCH_VERSION
 }

 check_if_release_branch_required() {
@@ -233,13 +262,22 @@ check_if_release_branch_required() {
  log_debug "Latest release branch available - $LATEST_RELEASE_BRANCH"
  if [[ -z "$LATEST_RELEASE_BRANCH" ]]; then
    log_info "Could not find a single release branch, creating it"
-    create_release_branch $RELEASE_VERSION
+    create_release_branch $RELEASE_BRANCH_VERSION
  else
    LAST_RELEASE_DIFF_LINES_AMOUNT=$(git diff $LATEST_RELEASE_BRANCH ':(exclude)helm/values.yaml' | wc -l)
    if [[ "$LAST_RELEASE_DIFF_LINES_AMOUNT" -eq "0" ]]; then
      log_info "There are no changes in project since the latest release branch $LATEST_RELEASE_BRANCH so we will use tag from it"
-      LATEST_RELEASE=$(echo $LATEST_RELEASE_BRANCH | awk -F 'origin/' '{print $2}')
-      LATEST_RELEASE_TAG=$(git tag | grep -x $LATEST_RELEASE | tail -1)
+      LATEST_RELEASE=$(echo $LATEST_RELEASE_BRANCH | awk -F 'origin/release/' '{print $2}')
+      LATEST_RELEASE_BASE=$(echo $LATEST_RELEASE | cut -f 1,2 -d '.')
+      LATEST_RELEASE_TAG_FINAL=$(git tag | grep $LATEST_RELEASE_BASE | grep -v 'RC' | tail -1)
+      if [[ ! -z "$LATEST_RELEASE_TAG_FINAL" ]]; then
+        LATEST_RELEASE_TAG=$LATEST_RELEASE_TAG_FINAL
+      else
+        LATEST_RELEASE=$(git tag | grep $LATEST_RELEASE_BASE | tail -1)
+      fi
+      log_debug "Latest release - $LATEST_RELEASE"
+      log_debug "Latest release base - $LATEST_RELEASE_BASE"
+      log_debug "Latest release tag - $LATEST_RELEASE_TAG"
      if [[ -z "$LATEST_RELEASE_TAG" ]]; then
        log_info "Could not find any tags for $LATEST_RELEASE release, creating it"
        check_release_branch $LATEST_RELEASE
@@ -248,11 +286,20 @@ check_if_release_branch_required() {
        REPO_TAGS_ARRAY+=($LATEST_RELEASE_TAG)
      fi 
    else
-      create_release_branch $RELEASE_VERSION
+      log_info "New release branch for $RELEASE_BRANCH_VERSION is required, creating it"
+      create_release_branch $RELEASE_BRANCH_VERSION
    fi
  fi
 }

+get_release_branch_version() {
+  RELEASE_BRANCH_VERSION_BASE=$(echo $RELEASE_VERSION | cut -f 1,2 -d '.')
+  RELEASE_BRANCH_VERSION="$RELEASE_BRANCH_VERSION_BASE.0"
+  if [[ "$RELEASE_BRANCH_VERSION" != "$RELEASE_VERSION" ]]; then
+    log_info "Minor release version ($RELEASE_VERSION) deployment is detected, work will be checked in branch for $RELEASE_BRANCH_VERSION"
+  fi
+}
+
 create_repo_version() {
  CWD=$PWD
  REPO_NAME=$1
@@ -260,8 +307,10 @@ create_repo_version() {
  rm -rf $REPO_NAME
  git clone -q $REPO_URL $REPO_NAME
  cd $REPO_NAME
+  get_release_branch_version
+  log_debug "Release branch version - $RELEASE_BRANCH_VERSION"
  DEFAULT_BRANCH=$(git rev-parse --abbrev-ref HEAD)
-  RELEASE_BRANCH=$(git branch -r | grep $RELEASE_VERSION | awk -F 'origin/' '{print $2}' | xargs)
+  RELEASE_BRANCH=$(git branch -r | grep $RELEASE_BRANCH_VERSION | awk -F 'origin/' '{print $2}' | xargs)
  log_debug "Release branch to check - '$RELEASE_BRANCH'"
  if [[ ! -z "$RELEASE_BRANCH" ]]; then
    log_info "Release branch $RELEASE_BRANCH exists in the repository, checking if it has tags"
@@ -273,7 +322,6 @@ create_repo_version() {
  log_info "Release commit info:"
  git show
  cd $CWD
-  rm -rf $REPO_NAME
 }

 # Log level setup
@@ -304,28 +352,34 @@ fi
 # Check variables
 log_debug "Release version: ${RELEASE_VERSION}"
 [ -z ${RELEASE_VERSION+x} ] && echo "RELEASE_VERSION is unset" && usage && exit 3
-echo "${RELEASE_VERSION}" | grep -xP "v(\d)+\.(\d)+\.\d+" >/dev/null || (log_error "RELEASE_VERSION is not in the right notation (correct example - v2.2.0)" && usage && exit 3)
+echo "${RELEASE_VERSION}" | grep -xP "v(\d)+\.(\d)+\.\d+" >/dev/null || (log_error "RELEASE_VERSION is not in the right notation (correct example - v2.2.0 or v2.2.2)" && usage && exit 3)
 log_debug "Tag type: ${TAG_TYPE}"
 [ -z ${TAG_TYPE+x} ] && echo "TAG_TYPE is unset" && usage && exit 3
 echo "${TAG_TYPE}" | tr '[:upper:]' '[:lower:]' | grep -xP "(rc|final)" >/dev/null || (log_error "TAG_TYPE is not in the supported values ('rc' or 'final', case insensitive)" && usage && exit 3)

 # Main body
-REPOSITORIES_AMOUNT=$(cat repositories.yaml | yq ".repositories[].name" -r | wc -l)
 DEPLOY_REPO_URL=$(cat repositories.yaml | yq ".deploy_repo_url" -r)
 log_debug "DEPLOY_REPO_URL - $DEPLOY_REPO_URL"

+log_info "First we need to get repository list for tied deployment version"
+create_repo_version "deploy" $DEPLOY_REPO_URL
+cp deploy/.github/git-release-tool/repositories.yaml release.repositories.yaml
+rm -rf deploy
+
 log_info "Checking repositories"
+REPOSITORIES_AMOUNT=$(cat release.repositories.yaml | yq ".repositories[].name" -r | wc -l)
 log_info "Found $REPOSITORIES_AMOUNT repos to process"
 for REPO_INDEX in $(seq 0 $(expr $REPOSITORIES_AMOUNT - 1)); do
  echo
-  REPO_NAME=$(cat repositories.yaml | yq ".repositories[$REPO_INDEX].name" -r)
-  REPO_URL=$(cat repositories.yaml | yq ".repositories[$REPO_INDEX].url" -r)
-  REPO_DOCKER_COMPOSE_NAME=$(cat repositories.yaml | yq ".repositories[$REPO_INDEX].docker_compose_name" -r)
+  REPO_NAME=$(cat release.repositories.yaml | yq ".repositories[$REPO_INDEX].name" -r)
+  REPO_URL=$(cat release.repositories.yaml | yq ".repositories[$REPO_INDEX].url" -r)
+  REPO_DOCKER_COMPOSE_NAME=$(cat release.repositories.yaml | yq ".repositories[$REPO_INDEX].docker_compose_name" -r)
  log_debug "REPO_NAME - $REPO_NAME"
  log_debug "REPO_URL - $REPO_URL"
  log_debug "REPO_DOCKER_COMPOSE_NAME - $REPO_DOCKER_COMPOSE_NAME"
  log_info "Processing repository '$REPO_NAME'"
  create_repo_version $REPO_NAME $REPO_URL
+  rm -rf $REPO_NAME
 done
 log_debug "Tags per project: ${REPO_TAGS_ARRAY[*]}"

@@ -336,10 +390,11 @@ create_repo_version "deploy" $DEPLOY_REPO_URL
 echo
 log_info "Services versions:"
 for REPO_INDEX in $(seq 0 $(expr $REPOSITORIES_AMOUNT - 1)); do
-  REPO_NAME=$(cat repositories.yaml | yq ".repositories[$REPO_INDEX].name" -r)
+  REPO_NAME=$(cat release.repositories.yaml | yq ".repositories[$REPO_INDEX].name" -r)
  log_info "- $REPO_NAME - ${REPO_TAGS_ARRAY[$REPO_INDEX]}"
 done
 log_info "Deployment repo version - ${REPO_TAGS_ARRAY[-1]}"
+rm release.repositories.yaml
 if [[ "$GIT_PUSH_CONFIRMED" != "true" ]]; then
  log_info "To apply changes described above, set GIT_PUSH_CONFIRMED to 'true' and rerun this script"
 fi
--- a/.github/git-release-tool/repositories.yaml
+++ b/.github/git-release-tool/repositories.yaml
@@ -24,3 +24,6 @@ repositories:
  - name: owsub
    url: https://github.com/Telecominfraproject/wlan-cloud-userportal.git
    docker_compose_name: OWSUB_TAG
+  - name: owrrm
+    url: https://github.com/Telecominfraproject/wlan-cloud-rrm.git
+    docker_compose_name: OWRRM_TAG
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -9,6 +9,7 @@ on:
    branches:
      - main
      - 'release/*'
+  workflow_dispatch: {}

 defaults:
  run:
@@ -28,19 +29,19 @@ jobs:
      id: get_branch_names
      if: startsWith(github.ref, 'refs/pull/')
      run: |
-        echo ::set-output name=pr_branch::$(echo ${GITHUB_HEAD_REF})
+        echo "pr_branch=$(echo ${GITHUB_HEAD_REF})" >> $GITHUB_OUTPUT

    - name: Get created deployment tag and set as output
      id: get_deployment_upgrade_tag
      if: startsWith(github.ref, 'refs/tags/v')
      run: |
-        echo ::set-output name=tag::$(echo ${GITHUB_REF#refs/tags/})
+        echo "tag=$(echo ${GITHUB_REF#refs/tags/})" >> $GITHUB_OUTPUT

    - name: Get previous deployment tag
      id: get_deployment_tag
      if: startsWith(github.ref, 'refs/tags/v')
      run: |
-        echo ::set-output name=tag::$(git tag | grep -v RC | tail -2 | head -1)
+        echo "tag=$(git tag | grep -v RC | tail -2 | head -1)" >> $GITHUB_OUTPUT

  trigger-docker-compose-testing:
    if: startsWith(github.ref, 'refs/pull/')
@@ -48,7 +49,7 @@ jobs:
    needs: envs
    steps:
    - name: Checkout actions repo
-      uses: actions/checkout@v2
+      uses: actions/checkout@v4
      with:
        repository: Telecominfraproject/.github
        path: github
@@ -71,7 +72,7 @@ jobs:
    needs: envs
    steps:
    - name: Checkout actions repo
-      uses: actions/checkout@v2
+      uses: actions/checkout@v4
      with:
        repository: Telecominfraproject/.github
        path: github
@@ -94,7 +95,7 @@ jobs:
    needs: envs
    steps:
    - name: Checkout actions repo
-      uses: actions/checkout@v2
+      uses: actions/checkout@v4
      with:
        repository: Telecominfraproject/.github
        path: github
--- a/.github/workflows/clustersysteminfo_image_ci.yml
+++ b/.github/workflows/clustersysteminfo_image_ci.yml
@@ -22,7 +22,7 @@ jobs:
      DOCKER_REGISTRY_URL: tip-tip-wlan-cloud-ucentral.jfrog.io
      DOCKER_REGISTRY_USERNAME: ucentral
    steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@v4

    - name: Build Docker image
      working-directory: chart/docker
@@ -55,7 +55,7 @@ jobs:

    - name: Log into Docker registry
      if: startsWith(github.ref, 'refs/tags/') || startsWith(github.ref, 'refs/pull/') || github.ref == 'refs/heads/main'
-      uses: docker/login-action@v1
+      uses: docker/login-action@v2
      with:
        registry: ${{ env.DOCKER_REGISTRY_URL }}
        username: ${{ env.DOCKER_REGISTRY_USERNAME }}
--- a/.github/workflows/enforce-jira-issue-key.yml
+++ b/.github/workflows/enforce-jira-issue-key.yml
@@ -9,7 +9,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout actions repo
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
        with:
          repository: Telecominfraproject/.github
          path: github
--- a/.github/workflows/git-release.yml
+++ b/.github/workflows/git-release.yml
@@ -28,7 +28,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
    - name: Checkout repo
-      uses: actions/checkout@v2
+      uses: actions/checkout@v4
      with:
        path: wlan-cloud-ucentral-deploy

@@ -36,7 +36,7 @@ jobs:
      run: |
        pip3 install yq
        helm plugin install https://github.com/databus23/helm-diff
-        helm plugin install https://github.com/aslafy-z/helm-git
+        helm plugin install https://github.com/aslafy-z/helm-git --version 0.16.0
        ls ~/.local/share/helm/plugins/helm-git/helm-git-plugin.sh || true
        sed 's/--skip-refresh //' -i ~/.local/share/helm/plugins/helm-git/helm-git-plugin.sh

@@ -54,6 +54,6 @@ jobs:
        git config --global credential.helper store
        git config --global user.email "tip-automation@telecominfraproject.com"
        git config --global user.name "TIP Automation User"
-        helm repo add bitnami https://charts.bitnami.com/bitnami
-        helm repo update
+        #helm repo add bitnami https://charts.bitnami.com/bitnami
+        #helm repo update
        ./git-release-tool.sh
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -11,13 +11,13 @@ defaults:

 jobs:
  helm-package:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-latest
    env:
      HELM_REPO_URL: https://tip.jfrog.io/artifactory/tip-wlan-cloud-ucentral-helm/
      HELM_REPO_USERNAME: ucentral
    steps:
      - name: Checkout uCentral assembly chart repo
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
        with:
          path: wlan-cloud-ucentral-deploy
          repository: Telecominfraproject/wlan-cloud-ucentral-deploy
@@ -42,9 +42,7 @@ jobs:
      - name: Build package
        working-directory: wlan-cloud-ucentral-deploy/chart
        run: |
-          helm plugin install https://github.com/aslafy-z/helm-git --version 0.10.0
-          helm repo add bitnami https://charts.bitnami.com/bitnami
-          helm repo update
+          helm plugin install https://github.com/aslafy-z/helm-git --version 0.16.0
          helm dependency update
          mkdir dist
          helm package . -d dist
@@ -70,7 +68,7 @@ jobs:
          cat Chart.yaml | yq -r '.dependencies[] | "\(.name) - \(.repository) v\(.version)"' >> release.txt

      - name: Create GitHub release
-        uses: softprops/action-gh-release@v1
+        uses: softprops/action-gh-release@v2
        with:
          body_path: wlan-cloud-ucentral-deploy/chart/release.txt
          files: wlan-cloud-ucentral-deploy/chart/dist/*
@@ -80,7 +78,7 @@ jobs:
    needs: helm-package
    steps:
    - name: Trigger testing of release
-      uses: peter-evans/repository-dispatch@v1
+      uses: peter-evans/repository-dispatch@v3
      with:
        token: ${{ secrets.WLAN_TESTING_PAT }}
        repository: Telecominfraproject/wlan-testing
--- a/.gitignore
+++ b/.gitignore
@@ -1,6 +1,7 @@
 *.swp
 chart/charts/*
+chart/Chart.lock
+chart/environment-values/wlan-cloud-ucentral-deploy/
 /docker-compose/certs/
 /docker-compose/*_data
 /docker-compose/owls/*_data
-chart/environment-values/wlan-cloud-ucentral-deploy/
--- a/cgw/.gitignore
+++ b/cgw/.gitignore
@@ -0,0 +1,3 @@
+values/certs.device.yaml
+websocket-key.pem
+websocket-cert.pem
--- a/cgw/.sops.yaml
+++ b/cgw/.sops.yaml
@@ -0,0 +1,2 @@
+creation_rules:
+- kms: 'arn:aws:kms:us-east-2:289708231103:alias/helm-secrets'
--- a/cgw/README.md
+++ b/cgw/README.md
@@ -0,0 +1,47 @@
+# CGW Charts
+
+## Pre-requisites
+
+The following binaries are needed:
+- [helmfile](https://github.com/helmfile/helmfile/releases/download/v0.165.0/helmfile_0.165.0_linux_amd64.tar.gz)
+- helm
+- kubectl
+
+The following helm plugins are needed:
+```bash
+helm plugin install https://github.com/aslafy-z/helm-git --version 0.16.0
+helm plugin install https://github.com/databus23/helm-diff
+```
+
+## Configuration
+
+_helmfile.yaml_ contains the configuration for all the environments. External values files are used for secrets or where appropriate. Each environment needs to be created in this file before it can be deployed. The _values/certs.device.yaml_ file is generated in github workflows.
+This file should contain the device cert and key for the domain you are deploying.
+```
+certs:
+  websocket-cert.pem: 5c0lvd0RRWUpLb1pJa...
+  websocket-key.pem: V6WEFqWEhNVFk3RGda...
+```
+To generate (with the two websocket pem files available):
+```
+echo "certs:" > values/certs.device.yaml
+kubectl create secret generic certs --dry-run=client -o yaml \
+    --from-file=websocket-key.pem --from-file=websocket-cert.pem \
+    | grep websocket- >> values/certs.device.yaml
+```
+
+## Installation
+
+To install the entire stack: `helm --environment ENVNAME apply`.
+To install just cgw: `helm --environment ENVNAME -l app=cgw apply`.
+To install just cgw with a specific image tag: `helm --environment ENVNAME -l app=cgw apply --state-values-set "cgw.tag=main"`.
+
+## Removal
+
+To remove the entire stack: `helm --environment ENVNAME delete`.
+To remove just cgw: `helm --environment ENVNAME -l app=cgw delete`.
+Delete the namespace manually if it is no longer required.
+
+# Re-installation
+
+Note that the kafka, postgres and redis charts do not want to be reinstalled so will have to be removed and installed. If you wish to upgrade these then you must follow the respective Bitnami instructions on how to upgrade these charts.
--- a/cgw/helmfile.yaml
+++ b/cgw/helmfile.yaml
@@ -0,0 +1,226 @@
+environments:
+  default:
+    values:
+    - global:
+        name: devcgw
+        namespace: openwifi-devcgw
+        domain: cicd.lab.wlan.tip.build
+        certificateARN: arn:aws:acm:us-east-2:289708231103:certificate/299d7444-acc4-46c2-ae83-40d2cd5f49be
+    - kafka:
+        enabled: true
+    - redis:
+        enabled: true
+    - postgres:
+        enabled: true
+        pgUser:
+          password: postgres
+        cgwUser:
+          name: cgw
+          password: 123
+    - cgw:
+        enabled: true
+        tag: main
+  cgw01:
+    values:
+    - global:
+        name: cgw01
+        namespace: openlan-cgw01
+        domain: cicd.lab.wlan.tip.build
+        certificateARN: arn:aws:acm:ap-south-1:289708231103:certificate/2cc8c764-11fd-411d-bf7d-a93f488f3f6c
+    - kafka:
+        enabled: true
+    - redis:
+        enabled: true
+    - postgres:
+        enabled: true
+        pgUser:
+          password: openlancgw
+        cgwUser:
+          name: cgw
+          password: openlancgw
+    - cgw:
+        enabled: true
+        tag: main
+
+---
+
+helmDefaults:
+  force: false
+  timeout: 300
+  createNamespace: true
+
+releases:
+- name: kafka
+  version: 28.3.0
+  namespace: {{ .Environment.Values.global.namespace }}
+  condition: kafka.enabled
+  chart: oci://registry-1.docker.io/bitnamicharts/kafka
+  labels:
+    group: base
+    app: kafka
+  values:
+    - fullnameOverride: kafka
+    - volumePermissions:
+        enabled: true
+    - commonAnnotations:
+        cluster-autoscaler.kubernetes.io/safe-to-evict: "false"
+    - readinessProbe:
+        initialDelaySeconds: 45
+    - livenessProbe:
+        initialDelaySeconds: 60
+    - heapOpts: -Xmx1024m -Xms1024m
+    - kraft:
+        enabled: true
+    - zookeeper:
+        enabled: false
+    - provisioning:
+        enabled: true
+        topics:
+          - name: CnC
+            partitions: 1
+            replicationFactor: 1
+          - name: CnC_Res
+            partitions: 1
+            replicationFactor: 1
+    - controller:
+        persistence:
+          size: 80Gi
+        replicaCount: 1
+        extraConfig: |-
+          maxMessageBytes = 1048588
+          offsets.topic.replication.factor = 1
+          transaction.state.log.replication.factor = 1
+        extraEnvVars:
+          - name: ALLOW_PLAINTEXT_LISTENER
+            value: "yes"
+        resources:
+          requests:
+            cpu: 500m
+            memory: 512Mi
+          limits:
+            cpu: 750m
+            memory: 2Gi
+    - listeners:
+        client:
+          protocol: PLAINTEXT
+          containerPort: 9092
+        controller:
+          protocol: "PLAINTEXT"
+    - broker:
+        replicaCount: 0
+        persistence:
+          size: 80Gi
+        resources:
+          requests:
+            cpu: 500m
+            memory: 512Mi
+          limits:
+            cpu: 750m
+            memory: 2Gi
+
+- name: postgres
+  namespace: {{ .Environment.Values.global.namespace }}
+  chart: oci://registry-1.docker.io/bitnamicharts/postgresql
+  version: 13.4.3
+  condition: postgres.enabled
+  labels:
+    group: base
+    app: postgres
+  values:
+    - fullnameOverride: pgsql
+    # workaround for: postgresql.conf file not detected. Generating it...
+    # cp: cannot create regular file '/bitnami/postgresql/conf/postgresql.conf': Permission denied
+    - volumePermissions:
+        enabled: true
+    - global:
+        postgresql:
+          auth:
+            postgresPassword: {{ .Environment.Values.postgres.pgUser.password }}
+    - auth:
+        postgresPassword: {{ .Environment.Values.postgres.pgUser.password }}
+    - primary:
+        persistence:
+          size: 40Gi
+        extendedConfiguration: |-
+          max_connections = 550
+          shared_buffers = 128MB
+          log_error_verbosity = verbose
+          tcp_keepalives_idle = 300
+          tcp_keepalives_interval = 30
+          tcp_user_timeout = 300
+        initdb:
+          scripts:
+            initusers.sql: |-
+              CREATE USER {{ .Environment.Values.postgres.cgwUser.name }};
+              ALTER USER cgw WITH ENCRYPTED PASSWORD '{{ .Environment.Values.postgres.cgwUser.password }}';
+              CREATE DATABASE cgw OWNER {{ .Environment.Values.postgres.cgwUser.name }};
+              \c cgw
+              CREATE TABLE infrastructure_groups (id INT PRIMARY KEY, reserved_size INT, actual_size INT);
+              ALTER TABLE infrastructure_groups OWNER TO {{ .Environment.Values.postgres.cgwUser.name }};
+              CREATE TABLE infras (mac MACADDR PRIMARY KEY, infra_group_id INT, FOREIGN KEY(infra_group_id) REFERENCES infrastructure_groups(id) ON DELETE CASCADE);
+              ALTER TABLE infras OWNER TO {{ .Environment.Values.postgres.cgwUser.name }};
+
+- name: redis
+  namespace: {{ .Environment.Values.global.namespace }}
+  chart: oci://registry-1.docker.io/bitnamicharts/redis
+  version: 19.5.2
+  condition: redis.enabled
+  labels:
+    group: base
+    app: redis
+  values:
+    - architecture: standalone
+    - auth:
+        enabled: false
+    - master:
+        persistence:
+          size: 20Gi
+        extraEnvVars:
+          - name: ALLOW_EMPTY_PASSWORD
+            value: "yes"
+
+- name: cgw
+  namespace: {{ .Environment.Values.global.namespace }}
+  chart: ../../openlan-cgw/helm
+  #chart: "git+https://github.com/Telecominfraproject/openlan-cgw@helm?ref=main"
+  version: 0.1.0
+  condition: cgw.enabled
+  labels:
+    group: apps
+    app: cgw
+  values:
+    - values/certs.tip.yaml
+    # this one is generated from GH secrets:
+    - values/certs.device.yaml
+    - images:
+        cgw:
+          tag: {{ .Environment.Values.cgw.tag }}
+    - public_env_variables:
+        CGW_DB_HOST: pgsql
+        CGW_DB_PORT: "5432"
+        CGW_DB_USERNAME: "{{ .Environment.Values.postgres.cgwUser.name }}"
+        CGW_KAFKA_HOST: kafka
+        CGW_KAFKA_PORT: "9092"
+        CGW_REDIS_HOST: redis-master
+        CGW_REDIS_PORT: "6379"
+        CGW_ALLOW_CERT_MISMATCH: "yes"
+        # use (#cpus * 2) - 2
+        DEFAULT_WSS_THREAD_NUM: "4"
+        # Useful for debugging:
+        #CGW_LOG_LEVEL: "debug"
+        #RUST_BACKTRACE: "full"
+    - secret_env_variables:
+        CGW_DB_PASSWORD: "{{ .Environment.Values.postgres.cgwUser.password }}"
+    - services:
+        cgw:
+          type: LoadBalancer
+          annotations:
+            external-dns.alpha.kubernetes.io/hostname: cgw-{{ .Environment.Values.global.name }}.{{ .Environment.Values.global.domain }}
+            #service.beta.kubernetes.io/aws-load-balancer-type: nlb-ip
+            service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing
+            service.beta.kubernetes.io/aws-load-balancer-backend-protocol: ssl
+            service.beta.kubernetes.io/aws-load-balancer-ssl-cert: {{ .Environment.Values.global.certificateARN }}
+            service.beta.kubernetes.io/aws-load-balancer-healthcheck-port: "15003"
+            service.beta.kubernetes.io/aws-load-balancer-target-group-attributes: preserve_client_ip.enabled=true
+            service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "16002"
+            alb.ingress.kubernetes.io/healthcheck-path: /health
--- a/cgw/mkcertconfig
+++ b/cgw/mkcertconfig
@@ -0,0 +1,6 @@
+#!/bin/bash
+echo "certs:"
+for f in $* ; do
+    echo "  $f: |"
+    sed -e 's/^/    /' < "$f"
+done
--- a/cgw/secrets/certs.tip.yaml
+++ b/cgw/secrets/certs.tip.yaml
--- a/cgw/secrets/values.postgres.yaml
+++ b/cgw/secrets/values.postgres.yaml
@@ -0,0 +1,21 @@
+postgres:
+    pgUser:
+        password: ENC[AES256_GCM,data:QHV7Y5Jfes4=,iv:QTs0fu7behn1g2CLheoJROFHNYvN6OpS/vcQQC0NrMs=,tag:PeaRcoDsOrEjDN9KgHUEPA==,type:str]
+    cgwUser:
+        name: ENC[AES256_GCM,data:g6J6,iv:H4HxE5orLFXZFDDVD2tAS0PkOqNJ9j6SNu1ief7Snk0=,tag:Tuj9yjBcJzZBBZRtwAY33w==,type:str]
+        password: ENC[AES256_GCM,data:5K0f,iv:+g61dhYOOTbr8TwnwwLHgW17R+6zXpQT2PfgjvofvlI=,tag:1nSVXgkTC41d1AnDDE19Hg==,type:int]
+sops:
+    kms:
+        - arn: arn:aws:kms:us-east-2:289708231103:alias/helm-secrets
+          created_at: "2024-06-12T13:45:13Z"
+          enc: AQICAHiG/4CitJjM31GdYxTw9OLz/Zs5oK+DCq0cU2fAjtAA3AEPrxIAaT+xE4C1IFYmWvmkAAAAfjB8BgkqhkiG9w0BBwagbzBtAgEAMGgGCSqGSIb3DQEHATAeBglghkgBZQMEAS4wEQQMrFaPNxf0atKVKnFsAgEQgDu8uqj035qrcelG0Dq4/Ond4H5bmpUHNRVEj0C8BFxg+a4R3loIk4NBeyuA0yqC0cQeWnA5e+/SjVtGAA==
+          aws_profile: ""
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age: []
+    lastmodified: "2024-06-25T17:29:15Z"
+    mac: ENC[AES256_GCM,data:gbXt2MRhlx9zGcm9ZvXjWuwSPh/QHkNngGx0j0UQ61jZTINRh4ZgERuUj7Vpo1tg/blIFWbl768wB89RAGq3n1C4AcQpX3xvC33QyCT0i4pitQmnec9RnJL0L197mioOikPxl8z56WE1014EV+Vvbk7rf1CQkqrrEIJINoqSdfE=,iv:ThbvKhY0fsaXJz9rORnvxY64vMWyM/IOgSI+kuFFbAQ=,tag:fSF4tdyf3wc5+uIfoYLc5g==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.8.1
--- a/cgw/values/certs.tip.yaml
+++ b/cgw/values/certs.tip.yaml
@@ -0,0 +1,103 @@
+certs:
+    root.pem: |
+        -----BEGIN CERTIFICATE-----
+        MIIDojCCAoqgAwIBAgIUPVYBpqNbcLYygF6Mx+qxSWwQyFowDQYJKoZIhvcNAQEL
+        BQAwaTELMAkGA1UEBhMCVVMxJDAiBgNVBAoTG1RlbGVjb20gSW5mcmEgUHJvamVj
+        dCwgSW5jLjEMMAoGA1UECxMDVElQMSYwJAYDVQQDEx1UZWxlY29tIEluZnJhIFBy
+        b2plY3QgUm9vdCBDQTAeFw0yMTA0MTMyMjQyNDRaFw0zMTA0MTMyMjM4NDZaMGkx
+        CzAJBgNVBAYTAlVTMSQwIgYDVQQKExtUZWxlY29tIEluZnJhIFByb2plY3QsIElu
+        Yy4xDDAKBgNVBAsTA1RJUDEmMCQGA1UEAxMdVGVsZWNvbSBJbmZyYSBQcm9qZWN0
+        IFJvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDIGCibwf5u
+        AAwZ+1H8U0e3u2V+0d2gSctucoK86XwUmfe1V2a/qlCYZd29r80IuN1IIeB0naIm
+        KnK/MzXW87clF6tFd1+HzEvmlY/W4KyIXalVCTEzirFSvBEG2oZpM0yC3AefytAO
+        aOpA00LaM3xTfTqMKIRhJBuLy0I4ANUVG6ixVebbGuc78IodleqiLoWy2Q9QHyEO
+        t/7hZndJhiVogh0PveRhho45EbsACu7ymDY+JhlIleevqwlE3iQoq0YcmYADHno6
+        Eq8vcwLpZFxihupUafkd1T3WJYQAJf9coCjBu2qIhNgrcrGD8R9fGswwNRzMRMpX
+        720+GjcDW3bJAgMBAAGjQjBAMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFAJG
+        lmB5sVP2qfL3xZ8hQOTpkQH6MA4GA1UdDwEB/wQEAwIBhjANBgkqhkiG9w0BAQsF
+        AAOCAQEAVjl9dm4epG9NUYnagT9sg7scVQEPfz3Lt6w1NXJXgD8mAUlK0jXmEyvM
+        dCPD4514n+8+lM7US8fh+nxc7jO//LwK17Wm9FblgjNFR7+anv0Q99T9fP19DLlF
+        PSNHL2emogy1bl1lLTAoj8nxg2wVKPDSHBGviQ5LR9fsWUIJDv9Bs5k0qWugWYSj
+        19S6qnHeskRDB8MqRLhKMG82oDVLerSnhD0P6HjySBHgTTU7/tYS/OZr1jI6MPbG
+        L+/DtiR5fDVMNdBSGU89UNTi0wHY9+RFuNlIuvZC+x/swF0V9R5mN+ywquTPtDLA
+        5IOM7ItsRmen6u3qu+JXros54e4juQ==
+        -----END CERTIFICATE-----
+    cas.pem: |
+        -----BEGIN CERTIFICATE-----
+        MIIEnDCCA4SgAwIBAgIUVpyCUx1MUeUwxg+7I1BvGFTz7HkwDQYJKoZIhvcNAQEL
+        BQAwaTELMAkGA1UEBhMCVVMxJDAiBgNVBAoTG1RlbGVjb20gSW5mcmEgUHJvamVj
+        dCwgSW5jLjEMMAoGA1UECxMDVElQMSYwJAYDVQQDEx1UZWxlY29tIEluZnJhIFBy
+        b2plY3QgUm9vdCBDQTAeFw0yMTA0MTMyMjUxMjZaFw0yNjA0MTMyMjM4NDZaMGwx
+        CzAJBgNVBAYTAlVTMSQwIgYDVQQKExtUZWxlY29tIEluZnJhIFByb2plY3QsIElu
+        Yy4xDDAKBgNVBAsTA1RJUDEpMCcGA1UEAxMgVGVsZWNvbSBJbmZyYSBQcm9qZWN0
+        IElzc3VpbmcgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDtKBrq
+        qd2aKVSk25KfL5xHu8X7/8rJrz3IvyPuVKWhk/N1zabot3suBcGaYNKjnRHxg78R
+        yKwKzajKYWtiQFqztu24g16LQeAnoUxZnF6a0z3JkkRPsz14A2y8TUhdEe1tx+UU
+        4VGsk3n+FMmOQHL+79FO57zQC1LwylgfLSltrI6mF3jowVUQvnwzKhUzT87AJ6EO
+        ndK/q0T/Bgi+aI39zfVOjJjsTJwghvrmYW3iarP1THSKxeib2s02bZKrvvHa5HL4
+        UI8+LvREpVZl4mzt1z6Nl344Y6f+UeJlYa/Ci0jJqaXJmyVnUbAz+c0i5JfwAVn3
+        YQzfC4eLnZCmdF8zAgMBAAGjggE3MIIBMzAPBgNVHRMBAf8EBTADAQH/MB0GA1Ud
+        DgQWBBSzG1S44EerPfM4gOQ85f0AYW3R6DAfBgNVHSMEGDAWgBQCRpZgebFT9qny
+        98WfIUDk6ZEB+jAOBgNVHQ8BAf8EBAMCAYYwgYMGCCsGAQUFBwEBBHcwdTAoBggr
+        BgEFBQcwAYYcaHR0cDovL29jc3Aub25lLmRpZ2ljZXJ0LmNvbTBJBggrBgEFBQcw
+        AoY9aHR0cDovL2NhY2VydHMub25lLmRpZ2ljZXJ0LmNvbS9UZWxlY29tSW5mcmFQ
+        cm9qZWN0Um9vdENBLmNydDBKBgNVHR8EQzBBMD+gPaA7hjlodHRwOi8vY3JsLm9u
+        ZS5kaWdpY2VydC5jb20vVGVsZWNvbUluZnJhUHJvamVjdFJvb3RDQS5jcmwwDQYJ
+        KoZIhvcNAQELBQADggEBAFbz+K94bHIkBMJqps0dApniUmOn0pO6Q6cGh47UP/kX
+        IiPIsnYgG+hqYD/qtsiqJhaWi0hixRWn38UmvZxMRk27aSTGE/TWx0JTC3qDGsSe
+        XkUagumbSfmS0ZyiTwMPeGAjXwyzGorqZWeA95eKfImntMiOf3E7//GK0K7HpCx8
+        IPCnLZsZD2q/mLyBsduImFIRQJbLAhwIxpcd1qYJk+BlGFL+HtBpEbq6JxW2Xy+v
+        DpNWc2WIsUTle0rTc9JNJrLX4ChUJmKqf8obKHap3Xh3//qw/jDB9pOAinA33FLJ
+        EmCnwBvQr9mfNmPBGMYZVU8cPruDQJ57GjmmvdisbJY=
+        -----END CERTIFICATE-----
+        -----BEGIN CERTIFICATE-----
+        MIIDojCCAoqgAwIBAgIUPVYBpqNbcLYygF6Mx+qxSWwQyFowDQYJKoZIhvcNAQEL
+        BQAwaTELMAkGA1UEBhMCVVMxJDAiBgNVBAoTG1RlbGVjb20gSW5mcmEgUHJvamVj
+        dCwgSW5jLjEMMAoGA1UECxMDVElQMSYwJAYDVQQDEx1UZWxlY29tIEluZnJhIFBy
+        b2plY3QgUm9vdCBDQTAeFw0yMTA0MTMyMjQyNDRaFw0zMTA0MTMyMjM4NDZaMGkx
+        CzAJBgNVBAYTAlVTMSQwIgYDVQQKExtUZWxlY29tIEluZnJhIFByb2plY3QsIElu
+        Yy4xDDAKBgNVBAsTA1RJUDEmMCQGA1UEAxMdVGVsZWNvbSBJbmZyYSBQcm9qZWN0
+        IFJvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDIGCibwf5u
+        AAwZ+1H8U0e3u2V+0d2gSctucoK86XwUmfe1V2a/qlCYZd29r80IuN1IIeB0naIm
+        KnK/MzXW87clF6tFd1+HzEvmlY/W4KyIXalVCTEzirFSvBEG2oZpM0yC3AefytAO
+        aOpA00LaM3xTfTqMKIRhJBuLy0I4ANUVG6ixVebbGuc78IodleqiLoWy2Q9QHyEO
+        t/7hZndJhiVogh0PveRhho45EbsACu7ymDY+JhlIleevqwlE3iQoq0YcmYADHno6
+        Eq8vcwLpZFxihupUafkd1T3WJYQAJf9coCjBu2qIhNgrcrGD8R9fGswwNRzMRMpX
+        720+GjcDW3bJAgMBAAGjQjBAMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFAJG
+        lmB5sVP2qfL3xZ8hQOTpkQH6MA4GA1UdDwEB/wQEAwIBhjANBgkqhkiG9w0BAQsF
+        AAOCAQEAVjl9dm4epG9NUYnagT9sg7scVQEPfz3Lt6w1NXJXgD8mAUlK0jXmEyvM
+        dCPD4514n+8+lM7US8fh+nxc7jO//LwK17Wm9FblgjNFR7+anv0Q99T9fP19DLlF
+        PSNHL2emogy1bl1lLTAoj8nxg2wVKPDSHBGviQ5LR9fsWUIJDv9Bs5k0qWugWYSj
+        19S6qnHeskRDB8MqRLhKMG82oDVLerSnhD0P6HjySBHgTTU7/tYS/OZr1jI6MPbG
+        L+/DtiR5fDVMNdBSGU89UNTi0wHY9+RFuNlIuvZC+x/swF0V9R5mN+ywquTPtDLA
+        5IOM7ItsRmen6u3qu+JXros54e4juQ==
+        -----END CERTIFICATE-----
+        -----BEGIN CERTIFICATE-----
+        MIIE5DCCAsygAwIBAgIUJdCMN900+sZN4pJmZ4SVd2KRNBowDQYJKoZIhvcNAQEL
+        BQAwDTELMAkGA1UEAwwCQ0EwHhcNMjQwNjEzMTc1ODMwWhcNMjUwNjEzMTc1ODMw
+        WjANMQswCQYDVQQDDAJDQTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIB
+        ALHSZH2fO1ho8aETiRwJZw1dlzk4ny364TdfY35AfhocvCozxmoKTcT69RqMtUIM
+        dStOoHhRenKnEPKHF4SrgrebsYJeXysLVb3UMEkrV6I9sKeBbUq2neAAibv+Xq0X
+        KpgJM8ZSq3WugI7pJ9kRIrRbErm8FycIW+BhBTn5g/thBnwtBn0FJ4QpnBkl38bZ
+        vYoOp77oVSk42hijD56hJwyg9yVo4MbZRhpROkL8/rPrLXDfeM3yXKx+kvNCY01m
+        8IxGUMh/3UuU8wWXaGRIAcWapZpDrDaM8YdDdVfoIv6pqCU6zLhrDm2gyYABkM2q
+        VKNruHDvrcV6BT1ldW59RkRWWW8UqsIUYuvjHMBSgEijiCCmCcrNTdd1dg+9ycdU
+        p2ZHw4g5QwyGrosUMC34Hl7zz+Aj+gA3gBAyeX2Mg9E0WtDoX6as9fRZebP5fYwj
+        Qh4bjv3Rx+a68G8DrPE7CJAJHTmthgyjINLn8/RcPpo0MYh/r47Sy1+nWBCnibYZ
+        vKkDCsRjVd5mDwRAQE0YCEiissgNgVdV6LjW4pnkIsPlHpI15A7PiDRQEKHdmRYL
+        NaIQKrn6x7Tj+o9Bs3VEoyIR1qNEYuuRGeXgTRWT1QWGX+0oN5OMzkcEKtLzPRJR
+        wW+h5C+gyp2KB7pU3umk5pFMVPlT7hbAaCyzuhNWQL5fAgMBAAGjPDA6MAwGA1Ud
+        EwQFMAMBAf8wCwYDVR0PBAQDAgEGMB0GA1UdDgQWBBTEa33fF8DibprD2kyGKfts
+        +Gk2QTANBgkqhkiG9w0BAQsFAAOCAgEAjad+ygI3Cp5wFHyjc9cjkU5+6qQM8qXM
+        g6B9QAqbsejzBC2euFfkLKGPGTxyPoX5fjNGreMFu6bYVS4MdObMPfaEgUdJeTLA
+        t/FGw22/zJDsKceZDFvIGoW2BvyXbqKUXXzonhE1/OXSKI1Me5cJo8GqA8J97VGh
+        TooDNzNXjvOeMMXzvugoFtXGXey/4tus1S1pSYglW/rB/exhBgZVrW5ElOPqLeK4
+        QEiP90jD303Rhw7aogrMVMcQWQ8ONyBEuQdno8/Ypil4uQXh4kYbbhgbrzT6Ux4Y
+        x9KIGbydYkNlqU4M/B1GPDsOfYauJmDpMvoUxPTolaPbIhrPmONudbUZVnrSEgOo
+        NAREI2hWRTnsqb76ugQayr7UQCzX4gQ99UllDLuvoAsc45s2pY3fJlQHkhl1JkGw
+        YlB1lF22Z35aWxkhXaYJHvhtZpt0oJ9vN//JJveBPOSajNsVnY6MIk4numI30BlZ
+        YSKHKYrYvD1yR/MSCeKVGWqsWRGfFk2bZGFjVgdlusFrjZM8JNbZtTVnKzTdoDiW
+        BnVJcd552gsT2yhaIvBoqoq4ufVa1gDGM4qRz0dxTW7850Qp++iWHMbwXRoJ3dow
+        /vreJoe6yYx8dQDw/Adl8SNV5Uo0ws36VUI/Vkuj3vG2oMP0P5DSRVQIzKxZ8FM1
+        0bJQwZgh3Is=
+        -----END CERTIFICATE-----
--- a/chart/.helmignore
+++ b/chart/.helmignore
@@ -20,3 +20,7 @@
 .idea/
 *.tmproj
 .vscode/
+# Chart dependencies
+docker/
+environment-values/
+feature-values/
--- a/chart/Chart.lock
+++ b/chart/Chart.lock
@@ -1,36 +0,0 @@
-dependencies:
- name: owgw
-  repository: git+https://github.com/Telecominfraproject/wlan-cloud-ucentralgw@helm?ref=master
-  version: 0.1.0
- name: owsec
-  repository: git+https://github.com/Telecominfraproject/wlan-cloud-ucentralsec@helm?ref=main
-  version: 0.1.0
- name: owfms
-  repository: git+https://github.com/Telecominfraproject/wlan-cloud-ucentralfms@helm?ref=main
-  version: 0.1.0
- name: owprov
-  repository: git+https://github.com/Telecominfraproject/wlan-cloud-owprov@helm?ref=main
-  version: 0.1.0
- name: owgwui
-  repository: git+https://github.com/Telecominfraproject/wlan-cloud-ucentralgw-ui@helm?ref=main
-  version: 0.1.0
- name: owprovui
-  repository: git+https://github.com/Telecominfraproject/wlan-cloud-owprov-ui@helm?ref=main
-  version: 0.1.0
- name: rttys
-  repository: git+https://github.com/Telecominfraproject/wlan-cloud-ucentralgw-rtty@chart?ref=main
-  version: 0.1.0
- name: kafka
-  repository: https://charts.bitnami.com/bitnami
-  version: 13.0.2
- name: owls
-  repository: git+https://github.com/Telecominfraproject/wlan-cloud-owls@helm?ref=main
-  version: 0.1.0
- name: owlsui
-  repository: git+https://github.com/Telecominfraproject/wlan-cloud-owls-ui@helm?ref=master
-  version: 0.1.0
- name: haproxy
-  repository: https://charts.bitnami.com/bitnami
-  version: 0.2.21
-digest: sha256:ddb5b39b21822bc3e3c6edef60db3cd5140b8126ec7230d58c42cdb75ec9b333
-generated: "2021-12-30T14:44:40.935566071+03:00"
--- a/chart/Chart.yaml
+++ b/chart/Chart.yaml
@@ -2,35 +2,32 @@ apiVersion: v2
 name: openwifi
 appVersion: "1.0"
 description: A Helm chart for Kubernetes
-version: 0.1.0
+version: 3.2.0-RC1
 dependencies:
 - name: owgw
-  repository: "git+https://github.com/Telecominfraproject/wlan-cloud-ucentralgw@helm?ref=master"
+  repository: "git+https://github.com/Telecominfraproject/wlan-cloud-ucentralgw@helm?ref=v3.2.0-RC1"
  version: 0.1.0
 - name: owsec
-  repository: "git+https://github.com/Telecominfraproject/wlan-cloud-ucentralsec@helm?ref=main"
+  repository: "git+https://github.com/Telecominfraproject/wlan-cloud-ucentralsec@helm?ref=v3.2.0-RC1"
  version: 0.1.0
 - name: owfms
-  repository: "git+https://github.com/Telecominfraproject/wlan-cloud-ucentralfms@helm?ref=main"
+  repository: "git+https://github.com/Telecominfraproject/wlan-cloud-ucentralfms@helm?ref=v3.1.0"
  version: 0.1.0
 - name: owprov
-  repository: "git+https://github.com/Telecominfraproject/wlan-cloud-owprov@helm?ref=main"
+  repository: "git+https://github.com/Telecominfraproject/wlan-cloud-owprov@helm?ref=v3.1.0"
  version: 0.1.0
 - name: owanalytics
-  repository: "git+https://github.com/Telecominfraproject/wlan-cloud-analytics@helm?ref=main"
+  repository: "git+https://github.com/Telecominfraproject/wlan-cloud-analytics@helm?ref=v3.2.0-RC1"
  version: 0.1.0
 - name: owgwui
-  repository: "git+https://github.com/Telecominfraproject/wlan-cloud-ucentralgw-ui@helm?ref=main"
+  repository: "git+https://github.com/Telecominfraproject/wlan-cloud-ucentralgw-ui@helm?ref=v3.1.0"
  version: 0.1.0
 - name: owprovui
-  repository: "git+https://github.com/Telecominfraproject/wlan-cloud-owprov-ui@helm?ref=main"
+  repository: "git+https://github.com/Telecominfraproject/wlan-cloud-owprov-ui@helm?ref=v3.1.0"
  version: 0.1.0
 - name: owsub
-  repository: "git+https://github.com/Telecominfraproject/wlan-cloud-userportal@helm?ref=main"
+  repository: "git+https://github.com/Telecominfraproject/wlan-cloud-userportal@helm?ref=v3.1.0"
  version: 0.1.0
- name: kafka
-  repository: https://charts.bitnami.com/bitnami
-  version: 13.0.2
 - name: owls
  repository: "git+https://github.com/Telecominfraproject/wlan-cloud-owls@helm?ref=main"
  version: 0.1.0
@@ -39,7 +36,15 @@ dependencies:
  repository: "git+https://github.com/Telecominfraproject/wlan-cloud-owls-ui@helm?ref=master"
  version: 0.1.0
  condition: owlsui.enabled
+- name: kafka
+  repository: oci://registry-1.docker.io/bitnamicharts
+  version: 28.2.3
+  condition: kafka.enabled
 - name: haproxy
-  repository: https://charts.bitnami.com/bitnami
-  version: 0.2.21
+  repository: oci://registry-1.docker.io/bitnamicharts
+  version: 0.13.3
  condition: haproxy.enabled
+- name: postgresql
+  repository: oci://registry-1.docker.io/bitnamicharts
+  version: 13.4.3
+  condition: postgresql.enabled
--- a/chart/README.md
+++ b/chart/README.md
@@ -1,18 +1,70 @@
 # openwifi

-This Helm chart helps to deploy OpenWIFI Cloud SDK with all required dependencies to the Kubernetes clusters. Purpose of this chart is to setup correct connections between other microservices and other dependencies with correct Values and other charts as dependencies in [chart definition](Chart.yaml)
+This Helm chart helps to deploy OpenWIFI Cloud SDK with all required dependencies to the Kubernetes clusters. The purpose of this chart is to set up the correct connections between other microservices and other dependencies with correct Values and other charts as dependencies in [chart definition](Chart.yaml)

 ## TL;DR;

-[helm-git](https://github.com/aslafy-z/helm-git) is required for remote the installation as it pull charts from other repositories for the deployment, so intall it if you don't have it already.
+[helm-git](https://github.com/aslafy-z/helm-git) is required for remote the installation as it pull charts from other repositories for the deployment, so install it if you don't have it already.
+
+Using that you can deploy Cloud SDK with 2 setups - without TLS certificates for RESTAPI endpoints and with them.
+
+In both cases Websocket endpoint should be exposed through LoadBalancer. In order to get IP address or DNS FQDN of that endpoint you may refer to `kubectl get svc | grep proxy | awk -F ' ' '{print $4}'`. Used port is 15002, but you would need to disable TLS check on AP side since certificate is issued for `*.wlan.local`.
+
+### Deployment with TLS certificates
+
+This deployment method requires usage of [cert-manager](https://cert-manager.io/docs/) (tested minimal Helm chart version is `v1.6.1`) in your Kubernetes installation in order to issue self-signed PKI for internal communication. In this case you will have to trust the self-signed certificates via your browser. Just like in previous method you still need OWGW Websocket TLS certificate, so you can use the same certificates with another values file using these commands:

 ```bash
 $ helm dependency update
-$ helm install .
+$ kubectl create secret generic openwifi-certs --from-file=../docker-compose/certs/
+$ helm upgrade --install -f environment-values/values.base.secure.yaml openwifi .
 ```

+In order to access the UI and other RESTAPI endpoints you should run the following commands after the deployment:
+
+```
+$ kubectl port-forward deployment/proxy 5912 5913 16001 16002 16003 16004 16005 16006 16009 &
+$ kubectl port-forward deployment/owgwui 8080:80 &
+$ kubectl port-forward deployment/owprovui 8088:80 &
+```
+
+From here Web UI may be accessed using http://localhost:8080 and Provisioning UI may be accessed using http://localhost:8088 .
+
+### Deployment without TLS certificates
+
+**IMPORTANT** Currently this method is not available due to issues in current implementation on microservices side (not being able to use Web UI because of error on Websocket upgrade on OWGW connections), please use TLS method for now.
+
+For this deployment method you will need to disable usage of TLS certificates, yet you will still need a TLS certificate for Websocket endpoint of OWGW. Here are the required steps for the deployment where websocket certificates from [docker-compose certs directory](../docker-compose/certs) and special values file to disable TLS for REST API endpoint will be used:
+
+```bash
+$ helm dependency update
+$ kubectl create secret generic openwifi-certs --from-file=../docker-compose/certs/
+$ helm upgrade --install -f environment-values/values.base.insecure.yaml openwifi .
+```
+
+In order to access the UI and other RESTAPI endpoints you should run the following commands after the deployment:
+
+```
+$ kubectl port-forward deployment/proxy 5912 5913 16001 16002 16003 16004 16005 16006 16009 &
+$ kubectl port-forward deployment/owgwui 8080:80 &
+$ kubectl port-forward deployment/owprovui 8088:80 &
+```
+
+From here Web UI may be accessed using http://localhost:8080 and Provisioning UI may be accessed using http://localhost:8088 .
+
+During the requests through UI errors may happen - that means that you haven't added certificate exception in browser. In order to that open browser dev tools (F12), open Network tab and see what requests are failing, open them and accept the exceptions.
+
+### Default password change
+
 Then change the default password as described in [owsec docs](https://github.com/Telecominfraproject/wlan-cloud-ucentralsec/tree/main#changing-default-password).

+Values files passed in the installation is using default certificates that may be used for initial evaluation (same certificates are used in [docker-compose](../docker-compose/certs) method) using `*.wlan.local` domains. If you want to change those certificates, please set them in Helm values files instead of default certificates (see default values in `values.yaml` file).
+
+If you are using default values without changing [OWSEC config properties](https://github.com/Telecominfraproject/wlan-cloud-ucentralsec/blob/939869948f77575ba0e92c0fb12f2197802ffe71/helm/values.yaml#L212-L213) in your values file, you may access the WebUI using following credentials:
+
+> Username: tip@ucentral.com
+> Password: openwifi
+
 ## Introduction

 This chart bootstraps the OpenWIFI Cloud SDK on a [Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager.
@@ -71,20 +123,25 @@ The following table lists the configurable parameters that overrides microservic
 |-----------|------|-------------|---------|
 | `owgw.configProperties."openwifi\.kafka\.enable"` | string | Configures OpenWIFI Gateway to use Kafka for communication | `'true'` |
 | `owgw.configProperties."openwifi\.kafka\.brokerlist"` | string | Sets up Kafka broker list for OpenWIFI Gateway to the predictable Kubernetes service name (see `kafka.fullnameOverride` option description for details) | `'kafka:9092'` |
+| `owgw.certs` | map | Map with multiline string containing TLS certificates and private keys required for service (see [OWGW repo](https://github.com/Telecominfraproject/wlan-cloud-ucentralgw/) for details) |  |
+| `owgw.certsCAs` | map | Map with multiline string containing TLS CAs required for service (see [OWGW repo](https://github.com/Telecominfraproject/wlan-cloud-ucentralgw/) for details) |  |
 | `owsec.configProperties."openwifi\.kafka\.enable"` | string | Configures OpenWIFI Security to use Kafka for communication | `'true'` |
+| `owsec.certs` | map | Map with multiline string containing TLS certificates and private keys required for REST API |  |
 | `owsec.configProperties."openwifi\.kafka\.brokerlist"` | string | Sets up Kafka broker list for OpenWIFI Security to the predictable Kubernetes service name (see `kafka.fullnameOverride` option description for details) | `'kafka:9092'` |
 | `owfms.configProperties."openwifi\.kafka\.enable"` | string | Configures OpenWIFI Firmware to use Kafka for communication | `'true'` |
 | `owfms.configProperties."openwifi\.kafka\.brokerlist"` | string | Sets up Kafka broker list for OpenWIFI Firmware to the predictable Kubernetes service name (see `kafka.fullnameOverride` option description for details) | `'kafka:9092'` |
+| `owfms.certs` | map | Map with multiline string containing TLS certificates and private keys required for REST API |  |
 | `owprov.configProperties."openwifi\.kafka\.enable"` | string | Configures OpenWIFI Provisioning to use Kafka for communication | `'true'` |
 | `owprov.configProperties."openwifi\.kafka\.brokerlist"` | string | Sets up Kafka broker list for OpenWIFI Provisioning to the predictable Kubernetes service name (see `kafka.fullnameOverride` option description for details) | `'kafka:9092'` |
+| `owprov.certs` | map | Map with multiline string containing TLS certificates and private keys required for REST API |  |
 | `owanalytics.enabled` | boolean | Install OpenWIFI Analytics in the release | `false` |
 | `owanalytics.configProperties."openwifi\.kafka\.enable"` | string | Configures OpenWIFI Analytics to use Kafka for communication | `'true'` |
 | `owanalytics.configProperties."openwifi\.kafka\.brokerlist"` | string | Sets up Kafka broker list for OpenWIFI Analytics to the predictable Kubernetes service name (see `kafka.fullnameOverride` option description for details) | `'kafka:9092'` |
-| `rttys.enabled` | boolean | Enables [rttys](https://github.com/Telecominfraproject/wlan-cloud-ucentralgw-rtty) deployment | `True` |
-| `rttys.internal` | boolean | Whether to use the built-in rttys server | `True` |
-| `rttys.enabled` | boolean | Enable or disable rttys | `True` |
-| `rttys.config.token` | string | Sets default rttys token |  |
-| `kafka.enabled` | boolean | Enables [kafka](https://github.com/bitnami/charts/blob/master/bitnami/kafka/) deployment | `True` |
+| `owanalytics.certs` | map | Map with multiline string containing TLS certificates and private keys required for REST API |  |
+| `owsub.configProperties."openwifi\.kafka\.enable"` | string | Configures OpenWIFI Subscription to use Kafka for communication | `'true'` |
+| `owsub.configProperties."openwifi\.kafka\.brokerlist"` | string | Sets up Kafka broker list for OpenWIFI Subscription to the predictable Kubernetes service name (see `kafka.fullnameOverride` option description for details) | `'kafka:9092'` |
+| `owsub.certs` | map | Map with multiline string containing TLS certificates and private keys required for REST API |  |
+| `kafka.enabled` | boolean | Enables [kafka](https://github.com/bitnami/charts/blob/master/bitnami/kafka/) deployment | `true` |
 | `kafka.fullnameOverride` | string | Overrides Kafka Kubernetes service name so it could be predictable and set in microservices configs | `'kafka'` |
 | `kafka.image.registry` | string | Kafka Docker image registry | `'docker.io'` |
 | `kafka.image.repository` | string | Kafka Docker image repository | `'bitnami/kafka'` |
@@ -106,7 +163,7 @@ The following table lists the configurable parameters that overrides microservic
 | `restapiCerts.services` | array | List of services that require certificates generation |  |
 | `restapiCerts.clusterDomain` | string | Kubernetes cluster domain | `cluster.local` |

-If required, further overrides may be passed. They will be merged with default values from this chart and other subcharts with priority to values you'll pass.
+If required, further overrides may be passed. They will be merged with default values from this chart and other sub-charts with priority to values you'll pass.

 Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example,

@@ -139,7 +196,7 @@ By setting `clusterinfo.enabled` to `true` you may enable job on post-install/po
 1. Change default security credentials from credentials set in OWSEC configuration file (see 'Required password changing on the first startup' block above)
 2. Check if all services started responding correctly after the deployment using systeminfo REST API method

-In order to do that, you need to additionaly set multiple parameters:
+In order to do that, you need to additionally set multiple parameters:

 1. clusterinfo.public_env_variables.OWSEC - OWSEC endpoint to use for CLI tools
 2. clusterinfo.secret_env_variables.OWSEC_DEFAULT_USERNAME - username used for CLI requests (see OWSEC configuration file for details)
@@ -160,17 +217,17 @@ You may see example values to enable this feature in [values.enable-owls.yaml](.

 In order to use single point of entry for all services (may be used for one cloud Load Balancer per installation) HAproxy is installed by default with other services. HAproxy is working in TCP proxy mode, so every TLS certificate is managed by services themself, while it is possible to pass requests from cloud load balancer to services using same ports (configuration of cloud load balancer may vary from cloud provider to provider).

-By default this option is enabled, but you may disable it and make per-service LoadBalancer using values in [values.disable-haproxy.yaml](./feature-values/values.disable-haproxy.yaml).
+By default, this option is enabled, but you may disable it and make per-service LoadBalancer using values in [values.disable-haproxy.yaml](./feature-values/values.disable-haproxy.yaml).

 ### OWGW unsafe sysctls

-By default Linux is using quite adeqate sysctl values for TCP keepalive, but OWGW may keep disconnected APs in stuck state preventing it from connecting back. This may be changed by setting some sysctls to lower values:
+By default, Linux is using quite adequate sysctl values for TCP keepalive, but OWGW may keep disconnected APs in stuck state preventing it from connecting back. This may be changed by setting some sysctls to lower values:

 - net.ipv4.tcp_keepalive_intvl
 - net.ipv4.tcp_keepalive_probes - 2
 - net.ipv4.tcp_keepalive_time - 45

-However this change is [not considered safe by Kubernetes](https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/#enabling-unsafe-sysctls) and it requires to pass additional argument to your Kubelets services in your Kubernetes cluster:
+However, this change is [not considered safe by Kubernetes](https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/#enabling-unsafe-sysctls), and it requires to pass additional argument to your Kubelets services in your Kubernetes cluster:

 ```
 --allowed-unsafe-sysctls net.ipv4.tcp_keepalive_intvl,net.ipv4.tcp_keepalive_probes,net.ipv4.tcp_keepalive_time
@@ -195,14 +252,18 @@ If you want, you may use configuration property `openwifi.security.restapi.disab

 You may see example values to enable this feature in [values.restapi-disable-tls.yaml](./feature-values/values.restapi-disable-tls.yaml).

+### PostgreSQL storage option for services
+
+By default, all microservices use SQLite as default storage driver, but it is possible to use PostgreSQL for that purpose. Both [cluster-per-microservice](environment-values/values.openwifi-qa.external-db.yaml) and [cluster per installation](environment-values/values.openwifi-qa.single-external-db.yaml) deployments method may be used.
+
 ## Environment specific values

-This repository contains values files that may be used in the same manner as feature values above to deploy to specific runtime envionemnts (including different cloud deployments).
+This repository contains values files that may be used in the same manner as feature values above to deploy to specific runtime environments (including different cloud deployments).

 Some environments are using [external-dns](https://github.com/kubernetes-sigs/external-dns) service to dynamically set DNS records, but you may manage your records manually

 ### AWS EKS

-EKS based installation assumes that you are using [AWS Load Balancer controller](https://kubernetes-sigs.github.io/aws-load-balancer-controller) so that all required ALBs and NLBs are created automatically. Also it is assumed that you have Route53 managed DNS zone and you've issued wildcard certificate for one of your zones that may be used by Load Balancers.
+EKS based installation assumes that you are using [AWS Load Balancer controller](https://kubernetes-sigs.github.io/aws-load-balancer-controller) so that all required ALBs and NLBs are created automatically. Also, it is assumed that you have Route53 managed DNS zone, and you've issued wildcard certificate for one of your zones that may be used by Load Balancers.

 You may see example values for this environment in [values.aws.yaml](./environment-values/values.aws.yaml).
--- a/chart/docker/Dockerfile
+++ b/chart/docker/Dockerfile
@@ -40,6 +40,24 @@ RUN git clone https://github.com/Telecominfraproject/wlan-cloud-owprov.git owpro
  && cp owprov/test_scripts/curl/cli owprov_cli \
  && rm -rf owprov

+# OWAnalytics
+ARG OWANALYTICS_VERSION=main
+RUN git clone https://github.com/Telecominfraproject/wlan-cloud-analytics.git owanalytics \
+  && cd owanalytics \
+  && git checkout $OWANALYTICS_VERSION \
+  && cd /cli \
+  && cp owanalytics/test_scripts/curl/cli owanalytics_cli \
+  && rm -rf owanalytics
+
+# OWSub
+ARG OWSUB_VERSION=main
+RUN git clone https://github.com/Telecominfraproject/wlan-cloud-userportal.git owsub \
+  && cd owsub \
+  && git checkout $OWSUB_VERSION \
+  && cd /cli \
+  && cp owsub/test_scripts/curl/cli owsub_cli \
+  && rm -rf owsub
+
 COPY clustersysteminfo clustersysteminfo
 COPY change_credentials change_credentials

--- a/chart/docker/change_credentials
+++ b/chart/docker/change_credentials
@@ -61,7 +61,7 @@ then
        echo "Logged in with new credentials:"
    fi
 else
-    echo "Credentials check failed with unexpected ErrorCode, please review the responce body:"
+    echo "Credentials check failed with unexpected ErrorCode, please review the response body:"
    jq < ${result_file}
    exit 2
 fi
--- a/chart/docker/clustersysteminfo
+++ b/chart/docker/clustersysteminfo
@@ -94,6 +94,24 @@ do
  let "exit_code_sum+=$(grep ErrorCode result.json | wc -l)"
  sleep 1

+  ./owanalytics_cli systeminfo
+  let "exit_code_sum+=$?"
+  if [[ ! -s result.json ]]
+  then
+    let "exit_code_sum+=1"
+  fi
+  let "exit_code_sum+=$(grep ErrorCode result.json | wc -l)"
+  sleep 1
+
+  ./owsub_cli systeminfo
+  let "exit_code_sum+=$?"
+  if [[ ! -s result.json ]]
+  then
+    let "exit_code_sum+=1"
+  fi
+  let "exit_code_sum+=$(grep ErrorCode result.json | wc -l)"
+  sleep 1
+
  let "CHECK_RETRIES-=1"
  echo "Exit code sum: $exit_code_sum"
  echo "Left retries: $CHECK_RETRIES"
--- a/chart/environment-values/.gitignore
+++ b/chart/environment-values/.gitignore
@@ -0,0 +1,3 @@
+_values.custom-*.yaml
+certs/
+env_*
--- a/chart/environment-values/cleanup.sh
+++ b/chart/environment-values/cleanup.sh
@@ -0,0 +1,15 @@
+#!/bin/bash
+[ -z "$NAMESPACE" ] && echo "No NAMESPACE set" && exit 1
+ns="openwifi-$NAMESPACE"
+echo "Cleaning up namespace $ns in 10 seconds..."
+sleep 10
+echo "- delete tip-openwifi helm release in $ns"
+helm -n "$ns" delete tip-openwifi
+if [[ "$1" == "full" ]] ; then
+    echo "- delete $ns namespace in 30 seconds..."
+    sleep 30
+    echo "- delete $ns namespace"
+    kubectl delete ns "$ns"
+fi
+echo "- cleaned up $ns namespace"
+exit 0
--- a/chart/environment-values/deploy.sh
+++ b/chart/environment-values/deploy.sh
@@ -2,78 +2,77 @@
 set -e

 # Usage function
-usage () {
-  echo >&2;
-  echo "This script is indended for OpenWIFI Cloud SDK deployment to TIP QA/Dev environments using assembly Helm chart (https://github.com/Telecominfraproject/wlan-cloud-ucentral-deploy/tree/main/chart) with configuration through environment variables" >&2;
-  echo >&2;
-  echo "Required environment variables:" >&2;
-  echo >&2;
-  echo "- NAMESPACE - namespace suffix that will used added for the Kubernetes environment (i.e. if you pass 'test', kubernetes namespace will be named 'ucentral-test')" >&2;
-  echo "- DEPLOY_METHOD - deployment method for the chart deployment (supported methods - 'git' (will use helm-git from assembly chart) and 'bundle' (will use chart stored in the Artifactory0" >&2;
-  echo "- CHART_VERSION - version of chart to be deployed from assembly chart (for 'git' method git ref may be passed, for 'bundle' method version of chart may be passed)" >&2;
-  echo >&2;
-  echo "- VALUES_FILE_LOCATION - path to file with override values that may be used for deployment" >&2;
-  echo "- OWGW_AUTH_USERNAME - username to be used for requests to OpenWIFI Security" >&2;
-  echo "- OWGW_AUTH_PASSWORD - hashed password for OpenWIFI Security (details on this may be found in https://github.com/Telecominfraproject/wlan-cloud-ucentralsec/#authenticationdefaultpassword)" >&2;
-  echo "- OWFMS_S3_SECRET - secret key that is used for OpenWIFI Firmware access to firmwares S3 bucket" >&2;
-  echo "- OWFMS_S3_KEY - access key that is used for OpenWIFI Firmware access to firmwares S3 bucket" >&2;
-  echo "- OWSEC_NEW_PASSWORD - password that should be set to default user instead of default password from properties" >&2;
-  echo "- CERT_LOCATION - path to certificate in PEM format that will be used for securing all endpoint in all services" >&2;
-  echo "- KEY_LOCATION - path to private key in PEM format that will be used for securing all endpoint in all services" >&2;
-  echo >&2;
-  echo "Following environmnet variables may be passed, but will be ignored if CHART_VERSION is set to release (i.e. v2.4.0):" >&2;
-  echo >&2;
-  echo "- OWGW_VERSION - OpenWIFI Gateway version to deploy (will be used for Docker image tag and git branch for Helm chart if git deployment is required)" >&2;
-  echo "- OWGWUI_VERSION - OpenWIFI Web UI version to deploy (will be used for Docker image tag and git branch for Helm chart if git deployment is required)" >&2;
-  echo "- OWSEC_VERSION - OpenWIFI Security version to deploy (will be used for Docker image tag and git branch for Helm chart if git deployment is required)" >&2;
-  echo "- OWFMS_VERSION - OpenWIFI Firmware version to deploy (will be used for Docker image tag and git branch for Helm chart if git deployment is required)" >&2;
-  echo "- OWPROV_VERSION - OpenWIFI Provisioning version to deploy (will be used for Docker image tag and git branch for Helm chart if git deployment is required)" >&2;
-  echo "- OWPROVUI_VERSION - OpenWIFI Provisioning Web UI version to deploy (will be used for Docker image tag and git branch for Helm chart if git deployment is required)" >&2;
-  echo "- OWANALYTICS_VERSION - OpenWIFI Analytics version to deploy (will be used for Docker image tag and git branch for Helm chart if git deployment is required)" >&2;
-  echo "- OWSUB_VERSION - OpenWIFI Subscription (Userportal) version to deploy (will be used for Docker image tag and git branch for Helm chart if git deployment is required)" >&2;
-  echo >&2;
-  echo "Optional environment variables:" >&2;
-  echo >&2;
-  echo "- EXTRA_VALUES - extra values that should be passed to Helm deployment separated by comma (,)" >&2;
-  echo "- DEVICE_CERT_LOCATION - path to certificate in PEM format that will be used for load simulator" >&2;
-  echo "- DEVICE_KEY_LOCATION - path to private key in PEM format that will be used for load simulator" >&2;
-  echo "- USE_SEPARATE_OWGW_LB - flag that should change split external DNS for OWGW and other services" >&2;
-  echo "- INTERNAL_RESTAPI_ENDPOINT_SCHEMA - what schema to use for internal RESTAPI endpoints (https by default)" >&2;
-  echo "- IPTOCOUNTRY_IPINFO_TOKEN - token that should be set for IPInfo support (owgw/owprov iptocountry.ipinfo.token properties), ommited if not passed" >&2;
-  echo "- MAILER_USERNAME - SMTP username used for OWSEC mailer" >&2;
-  echo "- MAILER_PASSWORD - SMTP password used for OWSEC mailer (only if both MAILER_PASSWORD and MAILER_USERNAME are set, mailer will be enabled)" >&2;
+function usage()
+{
+    cat <<-EOF >&2
+This script is intended for OpenWIFI Cloud SDK deployment to TIP QA/Dev environments using assembly Helm chart (https://github.com/Telecominfraproject/wlan-cloud-ucentral-deploy/tree/main/chart) with configuration through environment variables
+
+Required environment variables:
+- NAMESPACE - namespace suffix that will used added for the Kubernetes environment (i.e. if you pass 'test', kubernetes namespace will be named 'ucentral-test')
+- DEPLOY_METHOD - deployment method for the chart deployment (supported methods - 'git' (will use helm-git from assembly chart), 'bundle' (will use chart stored in the Artifactory) or local
+- CHART_VERSION - version of chart to be deployed from assembly chart (for 'git' method git ref may be passed, for 'bundle' method version of chart may be passed)
+- VALUES_FILE_LOCATION - path to file with override values that may be used for deployment
+- DOMAIN - Domain name. default: cicd.lab.wlan.tip.build
+- OWGW_AUTH_USERNAME - username to be used for requests to OpenWIFI Security
+- OWGW_AUTH_PASSWORD - hashed password for OpenWIFI Security (details on this may be found in https://github.com/Telecominfraproject/wlan-cloud-ucentralsec/#authenticationdefaultpassword)
+- OWFMS_S3_SECRET - secret key that is used for OpenWIFI Firmware access to firmwares S3 bucket
+- OWFMS_S3_KEY - access key that is used for OpenWIFI Firmware access to firmwares S3 bucket
+- OWSEC_NEW_PASSWORD - password that should be set to default user instead of default password from properties
+- CERT_LOCATION - path to certificate in PEM format that will be used for securing all endpoint in all services
+- KEY_LOCATION - path to private key in PEM format that will be used for securing all endpoint in all services
+
+The following environmnet variables may be passed, but will be ignored if CHART_VERSION is set to release (i.e. v2.4.0):
+- OWGW_VERSION - OpenWIFI Gateway version to deploy (will be used for Docker image tag and git branch for Helm chart if git deployment is required)
+- OWGWUI_VERSION - OpenWIFI Web UI version to deploy (will be used for Docker image tag and git branch for Helm chart if git deployment is required)
+- OWSEC_VERSION - OpenWIFI Security version to deploy (will be used for Docker image tag and git branch for Helm chart if git deployment is required)
+- OWFMS_VERSION - OpenWIFI Firmware version to deploy (will be used for Docker image tag and git branch for Helm chart if git deployment is required)
+- OWPROV_VERSION - OpenWIFI Provisioning version to deploy (will be used for Docker image tag and git branch for Helm chart if git deployment is required)
+- OWPROVUI_VERSION - OpenWIFI Provisioning Web UI version to deploy (will be used for Docker image tag and git branch for Helm chart if git deployment is required)
+- OWANALYTICS_VERSION - OpenWIFI Analytics version to deploy (will be used for Docker image tag and git branch for Helm chart if git deployment is required)
+- OWSUB_VERSION - OpenWIFI Subscription (Userportal) version to deploy (will be used for Docker image tag and git branch for Helm chart if git deployment is required)
+
+Optional environment variables:
+- EXTRA_VALUES - extra values that should be passed to Helm deployment separated by comma (,)
+- DEVICE_CERT_LOCATION - path to certificate in PEM format that will be used for load simulator
+- DEVICE_KEY_LOCATION - path to private key in PEM format that will be used for load simulator
+- USE_SEPARATE_OWGW_LB - flag that should change split external DNS for OWGW and other services
+- INTERNAL_RESTAPI_ENDPOINT_SCHEMA - what schema to use for internal RESTAPI endpoints (https by default)
+- IPTOCOUNTRY_IPINFO_TOKEN - token that should be set for IPInfo support (owgw/owprov iptocountry.ipinfo.token properties), ommited if not passed
+- MAILER_USERNAME - SMTP username used for OWSEC mailer
+- MAILER_PASSWORD - SMTP password used for OWSEC mailer (only if both MAILER_PASSWORD and MAILER_USERNAME are set, mailer will be enabled)
+- CERTIFICATE_ARN - Certificate ARN (will default to ap-south-1 certificate ARN)
+EOF
 }

 # Global variables
 VALUES_FILE_LOCATION_SPLITTED=()
 EXTRA_VALUES_SPLITTED=()
+DEF_CERT_ARN="arn:aws:acm:ap-south-1:289708231103:certificate/2cc8c764-11fd-411d-bf7d-a93f488f3f6c"

 # Helper functions
-check_if_chart_version_is_release() {
-  PARSED_CHART_VERSION=$(echo $CHART_VERSION | grep -xP "v\d+\.\d+\.\d+.*")
-  if [[ -z "$PARSED_CHART_VERSION" ]]; then
-    return 1
-  else
-    return 0
-  fi
+function check_if_chart_version_is_release()
+{
+    [[ "$CHART_VERSION" =~ ^v[0-9]+\.[0-9]+\.[0-9]+ ]]
 }

 # Check if required environment variables were passed
 ## Deployment specifics
 [ -z ${DEPLOY_METHOD+x} ] && echo "DEPLOY_METHOD is unset" >&2 && usage && exit 1
 [ -z ${CHART_VERSION+x} ] && echo "CHART_VERSION is unset" >&2 && usage && exit 1
-if check_if_chart_version_is_release; then
-  echo "Chart version ($CHART_VERSION) is release version, ignoring services versions"
-else
-  echo "Chart version ($CHART_VERSION) is not release version, checking if services versions are set"
-  [ -z ${OWGW_VERSION+x} ] && echo "OWGW_VERSION is unset" >&2 && usage && exit 1
-  [ -z ${OWGWUI_VERSION+x} ] && echo "OWGWUI_VERSION is unset" >&2 && usage && exit 1
-  [ -z ${OWSEC_VERSION+x} ] && echo "OWSEC_VERSION is unset" >&2 && usage && exit 1
-  [ -z ${OWFMS_VERSION+x} ] && echo "OWFMS_VERSION is unset" >&2 && usage && exit 1
-  [ -z ${OWPROV_VERSION+x} ] && echo "OWPROV_VERSION is unset" >&2 && usage && exit 1
-  [ -z ${OWPROVUI_VERSION+x} ] && echo "OWPROVUI_VERSION is unset" >&2 && usage && exit 1
-  [ -z ${OWANALYTICS_VERSION+x} ] && echo "OWANALYTICS_VERSION is unset" >&2 && usage && exit 1
-  [ -z ${OWSUB_VERSION+x} ] && echo "OWSUB_VERSION is unset" >&2 && usage && exit 1
+if [[ "$DEPLOY_METHOD" != "local" ]] ; then
+    if check_if_chart_version_is_release ; then
+        echo "Chart version ($CHART_VERSION) is a release version, ignoring services versions"
+    else
+        echo "Chart version ($CHART_VERSION) is not a release version, checking if services versions are set"
+        [ -z ${OWGW_VERSION+x} ] && echo "OWGW_VERSION is unset" >&2 && usage && exit 1
+        [ -z ${OWGWUI_VERSION+x} ] && echo "OWGWUI_VERSION is unset" >&2 && usage && exit 1
+        [ -z ${OWSEC_VERSION+x} ] && echo "OWSEC_VERSION is unset" >&2 && usage && exit 1
+        [ -z ${OWFMS_VERSION+x} ] && echo "OWFMS_VERSION is unset" >&2 && usage && exit 1
+        [ -z ${OWPROV_VERSION+x} ] && echo "OWPROV_VERSION is unset" >&2 && usage && exit 1
+        [ -z ${OWPROVUI_VERSION+x} ] && echo "OWPROVUI_VERSION is unset" >&2 && usage && exit 1
+        [ -z ${OWANALYTICS_VERSION+x} ] && echo "OWANALYTICS_VERSION is unset" >&2 && usage && exit 1
+        [ -z ${OWSUB_VERSION+x} ] && echo "OWSUB_VERSION is unset" >&2 && usage && exit 1
+    fi
 fi
 ## Environment specifics
 [ -z ${NAMESPACE+x} ] && echo "NAMESPACE is unset" >&2 && usage && exit 1
@@ -90,8 +89,11 @@ fi
 [ -z ${DEVICE_CERT_LOCATION+x} ] && echo "DEVICE_CERT_LOCATION is unset, setting it to CERT_LOCATION" && export DEVICE_CERT_LOCATION=$CERT_LOCATION
 [ -z ${DEVICE_KEY_LOCATION+x} ] && echo "DEVICE_KEY_LOCATION is unset, setting it to KEY_LOCATION" && export DEVICE_KEY_LOCATION=$KEY_LOCATION
 [ -z ${INTERNAL_RESTAPI_ENDPOINT_SCHEMA+x} ] && echo "INTERNAL_RESTAPI_ENDPOINT_SCHEMA is unset, setting it to 'https'" && export INTERNAL_RESTAPI_ENDPOINT_SCHEMA=https
+[ -z ${USE_SEPARATE_OWGW_LB+x} ] && echo "USE_SEPARATE_OWGW_LB is unset, setting it to false" && export USE_SEPARATE_OWGW_LB=false
 export MAILER_ENABLED="false"
 [ ! -z ${MAILER_USERNAME+x} ] && [ ! -z ${MAILER_PASSWORD+x} ] && echo "MAILER_USERNAME and MAILER_PASSWORD are set, mailer will be enabled" && export MAILER_ENABLED="true"
+[ -z "${DOMAIN}" ] && echo "DOMAIN is unset, using cicd.lab.wlan.tip.build" && export DOMAIN="cicd.lab.wlan.tip.build"
+[ -z ${CERTIFICATE_ARN+x} ] && export CERTIFICATE_ARN=$DEF_CERT_ARN

 # Transform some environment variables
 export OWGW_VERSION_TAG=$(echo ${OWGW_VERSION} | tr '/' '-')
@@ -103,126 +105,68 @@ export OWPROVUI_VERSION_TAG=$(echo ${OWPROVUI_VERSION} | tr '/' '-')
 export OWANALYTICS_VERSION_TAG=$(echo ${OWANALYTICS_VERSION} | tr '/' '-')
 export OWSUB_VERSION_TAG=$(echo ${OWSUB_VERSION} | tr '/' '-')

-# Debug get bash version
-bash --version >&2
-
 # Check deployment method that's required for this environment
 helm plugin install https://github.com/databus23/helm-diff || true
-if [[ "$DEPLOY_METHOD" == "git" ]]; then
-  helm plugin install https://github.com/aslafy-z/helm-git --version 0.10.0 || true
-  rm -rf wlan-cloud-ucentral-deploy || true
-  git clone https://github.com/Telecominfraproject/wlan-cloud-ucentral-deploy.git
-  cd wlan-cloud-ucentral-deploy
-  git checkout $CHART_VERSION
-  cd chart
-  if ! check_if_chart_version_is_release; then
-    sed -i '/wlan-cloud-ucentralgw@/s/ref=.*/ref='${OWGW_VERSION}'\"/g' Chart.yaml
-    sed -i '/wlan-cloud-ucentralgw-ui@/s/ref=.*/ref='${OWGWUI_VERSION}'\"/g' Chart.yaml
-    sed -i '/wlan-cloud-ucentralsec@/s/ref=.*/ref='${OWSEC_VERSION}'\"/g' Chart.yaml
-    sed -i '/wlan-cloud-ucentralfms@/s/ref=.*/ref='${OWFMS_VERSION}'\"/g' Chart.yaml
-    sed -i '/wlan-cloud-owprov@/s/ref=.*/ref='${OWPROV_VERSION}'\"/g' Chart.yaml
-    sed -i '/wlan-cloud-owprov-ui@/s/ref=.*/ref='${OWPROVUI_VERSION}'\"/g' Chart.yaml
-    sed -i '/wlan-cloud-analytics@/s/ref=.*/ref='${OWANALYTICS_VERSION}'\"/g' Chart.yaml
-    sed -i '/wlan-cloud-userportal@/s/ref=.*/ref='${OWSUB_VERSION}'\"/g' Chart.yaml
-  fi
-  helm repo add bitnami https://charts.bitnami.com/bitnami
-  helm repo update
-  helm dependency update
-  cd ../..
-  export DEPLOY_SOURCE="wlan-cloud-ucentral-deploy/chart"
-else
-  if [[ "$DEPLOY_METHOD" == "bundle" ]]; then
+if [[ "$DEPLOY_METHOD" == "git" ]] ; then
+    helm plugin list | grep "^helm-git" || helm plugin install https://github.com/aslafy-z/helm-git || true
+    rm -rf wlan-cloud-ucentral-deploy || true
+    git clone https://github.com/Telecominfraproject/wlan-cloud-ucentral-deploy.git
+    cd wlan-cloud-ucentral-deploy
+    git checkout $CHART_VERSION
+    cd chart
+    if ! check_if_chart_version_is_release ; then
+        sed -i '/wlan-cloud-ucentralgw@/s/ref=.*/ref='${OWGW_VERSION}'\"/g' Chart.yaml
+        sed -i '/wlan-cloud-ucentralgw-ui@/s/ref=.*/ref='${OWGWUI_VERSION}'\"/g' Chart.yaml
+        sed -i '/wlan-cloud-ucentralsec@/s/ref=.*/ref='${OWSEC_VERSION}'\"/g' Chart.yaml
+        sed -i '/wlan-cloud-ucentralfms@/s/ref=.*/ref='${OWFMS_VERSION}'\"/g' Chart.yaml
+        sed -i '/wlan-cloud-owprov@/s/ref=.*/ref='${OWPROV_VERSION}'\"/g' Chart.yaml
+        sed -i '/wlan-cloud-owprov-ui@/s/ref=.*/ref='${OWPROVUI_VERSION}'\"/g' Chart.yaml
+        sed -i '/wlan-cloud-analytics@/s/ref=.*/ref='${OWANALYTICS_VERSION}'\"/g' Chart.yaml
+        sed -i '/wlan-cloud-userportal@/s/ref=.*/ref='${OWSUB_VERSION}'\"/g' Chart.yaml
+    fi
+    #helm repo add bitnami https://charts.bitnami.com/bitnami && helm repo update
+    [ -z "$SKIP_DEPS" ] && helm dependency update
+    cd ../..
+    export DEPLOY_SOURCE="wlan-cloud-ucentral-deploy/chart"
+elif [[ "$DEPLOY_METHOD" == "bundle" ]] ; then
    helm repo add tip-wlan-cloud-ucentral-helm https://tip.jfrog.io/artifactory/tip-wlan-cloud-ucentral-helm/ || true
    export DEPLOY_SOURCE="tip-wlan-cloud-ucentral-helm/openwifi --version $CHART_VERSION"
-  else
-    echo "Deploy method is not correct: $DEPLOY_METHOD. Valid value - git or bundle" >&2
+elif [[ "$DEPLOY_METHOD" == "local" ]] ; then
+    export DEPLOY_SOURCE=".."
+    pushd ..
+    [ -z "$SKIP_DEPS" ] && helm dependency update
+    popd
+else
+    echo "Deploy method is not correct: $DEPLOY_METHOD. Valid values: git, bundle or local" >&2
    exit 1
-  fi
 fi

 VALUES_FILES_FLAGS=()
 IFS=',' read -ra VALUES_FILE_LOCATION_SPLITTED <<< "$VALUES_FILE_LOCATION"
 for VALUE_FILE in ${VALUES_FILE_LOCATION_SPLITTED[*]}; do
-  VALUES_FILES_FLAGS+=("-f" $VALUE_FILE)
+    VALUES_FILES_FLAGS+=("-f" $VALUE_FILE)
 done
 EXTRA_VALUES_FLAGS=()
 IFS=',' read -ra EXTRA_VALUES_SPLITTED <<< "$EXTRA_VALUES"
 for EXTRA_VALUE in ${EXTRA_VALUES_SPLITTED[*]}; do
-  EXTRA_VALUES_FLAGS+=("--set" $EXTRA_VALUE)
+    EXTRA_VALUES_FLAGS+=("--set" $EXTRA_VALUE)
 done

-if [[ "$USE_SEPARATE_OWGW_LB" == "true" ]]; then
-  export HAPROXY_SERVICE_DNS_RECORDS="sec-${NAMESPACE}.cicd.lab.wlan.tip.build\,fms-${NAMESPACE}.cicd.lab.wlan.tip.build\,prov-${NAMESPACE}.cicd.lab.wlan.tip.build\,analytics-${NAMESPACE}.cicd.lab.wlan.tip.build\,sub-${NAMESPACE}.cicd.lab.wlan.tip.build"
-  export OWGW_SERVICE_DNS_RECORDS="gw-${NAMESPACE}.cicd.lab.wlan.tip.build"
+if [[ "$USE_SEPARATE_OWGW_LB" == "true" ]] ; then
+  export HAPROXY_SERVICE_DNS_RECORDS="sec-${NAMESPACE}.${DOMAIN},fms-${NAMESPACE}.${DOMAIN},prov-${NAMESPACE}.${DOMAIN},analytics-${NAMESPACE}.${DOMAIN},sub-${NAMESPACE}.${DOMAIN}"
+  export OWGW_SERVICE_DNS_RECORDS="gw-${NAMESPACE}.${DOMAIN}"
 else
-  export HAPROXY_SERVICE_DNS_RECORDS="gw-${NAMESPACE}.cicd.lab.wlan.tip.build\,sec-${NAMESPACE}.cicd.lab.wlan.tip.build\,fms-${NAMESPACE}.cicd.lab.wlan.tip.build\,prov-${NAMESPACE}.cicd.lab.wlan.tip.build\,analytics-${NAMESPACE}.cicd.lab.wlan.tip.build\,sub-${NAMESPACE}.cicd.lab.wlan.tip.build"
+  export HAPROXY_SERVICE_DNS_RECORDS="gw-${NAMESPACE}.${DOMAIN},sec-${NAMESPACE}.${DOMAIN},fms-${NAMESPACE}.${DOMAIN},prov-${NAMESPACE}.${DOMAIN},analytics-${NAMESPACE}.${DOMAIN},sub-${NAMESPACE}.${DOMAIN}"
  export OWGW_SERVICE_DNS_RECORDS=""
 fi

-# Run the deployment
+envsubst < values.custom.tpl.yaml > _values.custom-${NAMESPACE}.yaml
+
 helm upgrade --install --create-namespace --wait --timeout 60m \
  --namespace openwifi-${NAMESPACE} \
  ${VALUES_FILES_FLAGS[*]} \
-  --set owgw.services.owgw.annotations."external-dns\.alpha\.kubernetes\.io/hostname"=gw-${NAMESPACE}.cicd.lab.wlan.tip.build \
-  --set owgw.configProperties."openwifi\.fileuploader\.host\.0\.name"=gw-${NAMESPACE}.cicd.lab.wlan.tip.build \
-  --set owgw.configProperties."rtty\.server"=gw-${NAMESPACE}.cicd.lab.wlan.tip.build \
-  --set owgw.configProperties."openwifi\.system\.uri\.public"=https://gw-${NAMESPACE}.cicd.lab.wlan.tip.build:16002 \
-  --set owgw.configProperties."openwifi\.system\.uri\.private"=$INTERNAL_RESTAPI_ENDPOINT_SCHEMA://owgw-owgw:17002 \
-  --set owgw.configProperties."openwifi\.system\.uri\.ui"=https://webui-${NAMESPACE}.cicd.lab.wlan.tip.build \
-  --set owgw.configProperties."iptocountry\.ipinfo\.token"="${IPTOCOUNTRY_IPINFO_TOKEN}" \
-  --set owgw.public_env_variables.OWSEC=sec-${NAMESPACE}.cicd.lab.wlan.tip.build:16001 \
-  --set owsec.configProperties."authentication\.default\.username"=${OWGW_AUTH_USERNAME} \
-  --set owsec.configProperties."authentication\.default\.password"=${OWGW_AUTH_PASSWORD} \
-  --set owsec.services.owsec.annotations."external-dns\.alpha\.kubernetes\.io/hostname"=sec-${NAMESPACE}.cicd.lab.wlan.tip.build \
-  --set owsec.configProperties."openwifi\.system\.uri\.public"=https://sec-${NAMESPACE}.cicd.lab.wlan.tip.build:16001 \
-  --set owsec.configProperties."openwifi\.system\.uri\.private"=$INTERNAL_RESTAPI_ENDPOINT_SCHEMA://owsec-owsec:17001 \
-  --set owsec.configProperties."openwifi\.system\.uri\.ui"=https://webui-${NAMESPACE}.cicd.lab.wlan.tip.build \
-  --set owsec.configProperties."mailer\.sender"=sec-${NAMESPACE}@cicd.lab.wlan.tip.build \
-  --set owsec.configProperties."mailer\.enabled"=$MAILER_ENABLED \
-  --set owsec.configProperties."mailer\.username"=$MAILER_USERNAME \
-  --set owsec.configProperties."mailer\.password"=$MAILER_PASSWORD \
-  --set owfms.configProperties."s3\.secret"=${OWFMS_S3_SECRET} \
-  --set owfms.configProperties."s3\.key"=${OWFMS_S3_KEY} \
-  --set owfms.services.owfms.annotations."external-dns\.alpha\.kubernetes\.io/hostname"=fms-${NAMESPACE}.cicd.lab.wlan.tip.build \
-  --set owfms.configProperties."openwifi\.system\.uri\.public"=https://fms-${NAMESPACE}.cicd.lab.wlan.tip.build:16004 \
-  --set owfms.configProperties."openwifi\.system\.uri\.private"=$INTERNAL_RESTAPI_ENDPOINT_SCHEMA://owfms-owfms:17004 \
-  --set owfms.configProperties."openwifi\.system\.uri\.ui"=https://webui-${NAMESPACE}.cicd.lab.wlan.tip.build \
-  --set owfms.public_env_variables.OWSEC=sec-${NAMESPACE}.cicd.lab.wlan.tip.build:16001 \
-  --set owgwui.ingresses.default.annotations."external-dns\.alpha\.kubernetes\.io/hostname"=webui-${NAMESPACE}.cicd.lab.wlan.tip.build \
-  --set owgwui.ingresses.default.hosts={webui-${NAMESPACE}.cicd.lab.wlan.tip.build} \
-  --set owgwui.public_env_variables.DEFAULT_UCENTRALSEC_URL=https://sec-${NAMESPACE}.cicd.lab.wlan.tip.build:16001 \
-  --set owprov.services.owprov.annotations."external-dns\.alpha\.kubernetes\.io/hostname"=prov-${NAMESPACE}.cicd.lab.wlan.tip.build \
-  --set owprov.configProperties."openwifi\.system\.uri\.public"=https://prov-${NAMESPACE}.cicd.lab.wlan.tip.build:16005 \
-  --set owprov.configProperties."openwifi\.system\.uri\.private"=$INTERNAL_RESTAPI_ENDPOINT_SCHEMA://owprov-owprov:17005 \
-  --set owprov.configProperties."openwifi\.system\.uri\.ui"=https://webui-${NAMESPACE}.cicd.lab.wlan.tip.build \
-  --set owprov.configProperties."iptocountry\.ipinfo\.token"="${IPTOCOUNTRY_IPINFO_TOKEN}" \
-  --set owprov.public_env_variables.OWSEC=sec-${NAMESPACE}.cicd.lab.wlan.tip.build:16001 \
-  --set owprovui.ingresses.default.annotations."external-dns\.alpha\.kubernetes\.io/hostname"=provui-${NAMESPACE}.cicd.lab.wlan.tip.build \
-  --set owprovui.ingresses.default.hosts={provui-${NAMESPACE}.cicd.lab.wlan.tip.build} \
-  --set owprovui.public_env_variables.DEFAULT_UCENTRALSEC_URL=https://sec-${NAMESPACE}.cicd.lab.wlan.tip.build:16001 \
-  --set owprovui.public_env_variables.REACT_APP_UCENTRALSEC_URL=https://sec-${NAMESPACE}.cicd.lab.wlan.tip.build:16001 \
-  --set owanalytics.services.owanalytics.annotations."external-dns\.alpha\.kubernetes\.io/hostname"=analytics-${NAMESPACE}.cicd.lab.wlan.tip.build \
-  --set owanalytics.configProperties."openwifi\.system\.uri\.public"=https://analytics-${NAMESPACE}.cicd.lab.wlan.tip.build:16009 \
-  --set owanalytics.configProperties."openwifi\.system\.uri\.private"=$INTERNAL_RESTAPI_ENDPOINT_SCHEMA://owanalytics-owanalytics:17009 \
-  --set owanalytics.configProperties."openwifi\.system\.uri\.ui"=https://webui-${NAMESPACE}.cicd.lab.wlan.tip.build \
-  --set owanalytics.public_env_variables.OWSEC=sec-${NAMESPACE}.cicd.lab.wlan.tip.build:16001 \
-  --set owsub.services.owsub.annotations."external-dns\.alpha\.kubernetes\.io/hostname"=sub-${NAMESPACE}.cicd.lab.wlan.tip.build \
-  --set owsub.configProperties."openwifi\.system\.uri\.public"=https://sub-${NAMESPACE}.cicd.lab.wlan.tip.build:16006 \
-  --set owsub.configProperties."openwifi\.system\.uri\.private"=$INTERNAL_RESTAPI_ENDPOINT_SCHEMA://owsub-owsub:17006 \
-  --set owsub.configProperties."openwifi\.system\.uri\.ui"=https://webui-${NAMESPACE}.cicd.lab.wlan.tip.build \
-  --set owsub.public_env_variables.OWSEC=sec-${NAMESPACE}.cicd.lab.wlan.tip.build:16001 \
-  --set clustersysteminfo.public_env_variables.OWSEC=sec-${NAMESPACE}.cicd.lab.wlan.tip.build:16001 \
-  --set clustersysteminfo.secret_env_variables.OWSEC_NEW_PASSWORD=${OWSEC_NEW_PASSWORD} \
-  --set owls.services.owls.annotations."external-dns\.alpha\.kubernetes\.io/hostname"=ls-${NAMESPACE}.cicd.lab.wlan.tip.build \
-  --set owls.configProperties."openwifi\.system\.uri\.public"=https://ls-${NAMESPACE}.cicd.lab.wlan.tip.build:16007 \
-  --set owls.configProperties."openwifi\.system\.uri\.private"=$INTERNAL_RESTAPI_ENDPOINT_SCHEMA://owls-owls:17007 \
-  --set owls.configProperties."openwifi\.system\.uri\.ui"=https://webui-${NAMESPACE}.cicd.lab.wlan.tip.build \
-  --set owlsui.ingresses.default.annotations."external-dns\.alpha\.kubernetes\.io/hostname"=lsui-${NAMESPACE}.cicd.lab.wlan.tip.build \
-  --set owlsui.ingresses.default.hosts={lsui-${NAMESPACE}.cicd.lab.wlan.tip.build} \
-  --set owlsui.public_env_variables.DEFAULT_UCENTRALSEC_URL=https://sec-${NAMESPACE}.cicd.lab.wlan.tip.build:16001 \
-  --set haproxy.service.annotations."external-dns\.alpha\.kubernetes\.io/hostname"=$HAPROXY_SERVICE_DNS_RECORDS \
-  --set owgw.services.owgw.annotations."external-dns\.alpha\.kubernetes\.io/hostname"=$OWGW_SERVICE_DNS_RECORDS \
  ${EXTRA_VALUES_FLAGS[*]} \
+  -f _values.custom-${NAMESPACE}.yaml \
  --set-file owgw.certs."restapi-cert\.pem"=$CERT_LOCATION \
  --set-file owgw.certs."restapi-key\.pem"=$KEY_LOCATION \
  --set-file owgw.certs."websocket-cert\.pem"=$CERT_LOCATION \
--- a/chart/environment-values/values.aws.yaml
+++ b/chart/environment-values/values.aws.yaml
@@ -15,11 +15,11 @@ owgwui:
  ingresses:
    default:
      enabled: true
+      className: alb
      annotations:
-        kubernetes.io/ingress.class: alb
        alb.ingress.kubernetes.io/scheme: internet-facing
        alb.ingress.kubernetes.io/group.name: wlan-cicd
-        alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:us-east-2:289708231103:certificate/bfa89c7a-5b64-4a8a-bcfe-ffec655b5285 # TODO change certificate
+        alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:ap-south-1:289708231103:certificate/2cc8c764-11fd-411d-bf7d-a93f488f3f6c
        alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS": 443}]'
        alb.ingress.kubernetes.io/actions.ssl-redirect: '{"Type": "redirect", "RedirectConfig": { "Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_302"}}'
        external-dns.alpha.kubernetes.io/hostname: webui.cicd.lab.wlan.tip.build # TODO change FQDN
@@ -29,7 +29,7 @@ owgwui:
        servicePort: http

  public_env_variables:
-    DEFAULT_UCENTRALSEC_URL: https://sec.cicd.lab.wlan.tip.build:16001 # TODO change to OWSEC RESTAPI url
+    REACT_APP_UCENTRALSEC_URL: https://sec.cicd.lab.wlan.tip.build:16001 # TODO change to OWSEC RESTAPI url

 owsec:
  configProperties: # TODO change FQDNs and credentials
@@ -65,11 +65,11 @@ owprovui:
  ingresses:
    default:
      enabled: true
+      className: alb
      annotations:
-        kubernetes.io/ingress.class: alb
        alb.ingress.kubernetes.io/scheme: internet-facing
        alb.ingress.kubernetes.io/group.name: wlan-cicd
-        alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:us-east-2:289708231103:certificate/bfa89c7a-5b64-4a8a-bcfe-ffec655b5285 # TODO change certificate
+        alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:ap-south-1:289708231103:certificate/2cc8c764-11fd-411d-bf7d-a93f488f3f6c
        alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS": 443}]'
        alb.ingress.kubernetes.io/actions.ssl-redirect: '{"Type": "redirect", "RedirectConfig": { "Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_302"}}'
        external-dns.alpha.kubernetes.io/hostname: provui.cicd.lab.wlan.tip.build # TODO change FQDN
@@ -99,7 +99,6 @@ haproxy:
      service.beta.kubernetes.io/aws-load-balancer-backend-protocol: ssl
      service.beta.kubernetes.io/aws-load-balancer-healthcheck-port: "8080"
      service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing
-      service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:us-east-2:289708231103:certificate/bfa89c7a-5b64-4a8a-bcfe-ffec655b5285 # TODO change certificate
      service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "16004,17004,16002,16003,17002,16005,17005,16001,17001,5912,5913,16009,16007"
      service.beta.kubernetes.io/aws-load-balancer-type: nlb-ip
      external-dns.alpha.kubernetes.io/hostname: "gw.cicd.lab.wlan.tip.build,sec.cicd.lab.wlan.tip.build,fms.cicd.lab.wlan.tip.build,prov.cicd.lab.wlan.tip.build,rtty.cicd.lab.wlan.tip.build,sub.cicd.lab.wlan.tip.build,analytics.cicd.lab.wlan.tip.build" # TODO change FQDNs
--- a/chart/environment-values/values.base.insecure.yaml
+++ b/chart/environment-values/values.base.insecure.yaml
@@ -0,0 +1,95 @@
+owgw:
+  existingCertsSecret: openwifi-certs
+
+  configProperties:
+    openwifi.security.restapi.disable: "true"
+    openwifi.system.uri.public: http://localhost:16002
+    openwifi.system.uri.private: http://owgw-owgw:17002
+    openwifi.system.uri.ui: http://localhost
+
+owsec:
+  existingCertsSecret: openwifi-certs
+
+  configProperties:
+    openwifi.security.restapi.disable: "true"
+    openwifi.system.uri.public: http://localhost:16001
+    openwifi.system.uri.private: http://owsec-owsec:17001
+    openwifi.system.uri.ui: http://localhost
+
+owfms:
+  existingCertsSecret: openwifi-certs
+
+  configProperties:
+    openwifi.security.restapi.disable: "true"
+    openwifi.system.uri.public: http://localhost:16004
+    openwifi.system.uri.private: http://owfms-owfms:17004
+    openwifi.system.uri.ui: http://localhost
+
+owprov:
+  existingCertsSecret: openwifi-certs
+
+  configProperties:
+    openwifi.security.restapi.disable: "true"
+    openwifi.system.uri.public: http://localhost:16005
+    openwifi.system.uri.private: http://owprov-owprov:17005
+    openwifi.system.uri.ui: http://localhost
+
+owanalytics:
+  existingCertsSecret: openwifi-certs
+
+  configProperties:
+    openwifi.security.restapi.disable: "true"
+    openwifi.system.uri.public: http://localhost:16009
+    openwifi.system.uri.private: http://owanalytics-owanalytics:17009
+    openwifi.system.uri.ui: http://localhost
+
+owsub:
+  existingCertsSecret: openwifi-certs
+
+  configProperties:
+    openwifi.security.restapi.disable: "true"
+    openwifi.system.uri.public: http://localhost:16006
+    openwifi.system.uri.private: http://owsub-owsub:17006
+    openwifi.system.uri.ui: http://localhost
+
+owgwui:
+  public_env_variables:
+    REACT_APP_UCENTRALSEC_URL: http://localhost:16001
+
+owprovui:
+  public_env_variables:
+    REACT_APP_UCENTRALSEC_URL: http://localhost:16001
+
+kafka:
+  volumePermissions:
+    enabled: true
+  commonAnnotations:
+    cluster-autoscaler.kubernetes.io/safe-to-evict: "false"
+  readinessProbe:
+    initialDelaySeconds: 45
+  livenessProbe:
+    initialDelaySeconds: 60
+  kraft:
+    enabled: true
+  heapOpts: -Xmx1024m -Xms1024m
+  zookeeper:
+    enabled: false
+  controller:
+    replicaCount: 1
+    extraConfig: |-
+      maxMessageBytes = 1048588
+      offsets.topic.replication.factor = 1
+      transaction.state.log.replication.factor = 1
+    extraEnvVars:
+      - name: ALLOW_PLAINTEXT_LISTENER
+        value: "yes"
+  listeners:
+    client:
+      protocol: PLAINTEXT
+      containerPort: 9092
+    controller:
+      protocol: "PLAINTEXT"
+  broker:
+    persistence:
+      size: 20Gi
+    replicaCount: 0
--- a/chart/environment-values/values.base.secure.yaml
+++ b/chart/environment-values/values.base.secure.yaml
@@ -0,0 +1,351 @@
+owgw:
+  public_env_variables:
+    SELFSIGNED_CERTS: "true"
+
+  existingCertsSecret: openwifi-certs
+
+  configProperties:
+    openwifi.system.uri.public: https://localhost:16002
+    openwifi.system.uri.private: https://owgw-owgw:17002
+    openwifi.system.uri.ui: http://localhost:8443
+    openwifi.internal.restapi.host.0.rootca: $OWGW_ROOT/certs/restapi-certs/ca.crt
+    openwifi.internal.restapi.host.0.cert: $OWGW_ROOT/certs/restapi-certs/tls.crt
+    openwifi.internal.restapi.host.0.key: $OWGW_ROOT/certs/restapi-certs/tls.key
+    openwifi.restapi.host.0.rootca: $OWGW_ROOT/certs/restapi-certs/ca.crt
+    openwifi.restapi.host.0.cert: $OWGW_ROOT/certs/restapi-certs/tls.crt
+    openwifi.restapi.host.0.key: $OWGW_ROOT/certs/restapi-certs/tls.key
+
+  volumes:
+    owgw:
+      - name: config
+        mountPath: /owgw-data/owgw.properties
+        subPath: owgw.properties
+        # Template below will be rendered in template
+        volumeDefinition: |
+          secret:
+            secretName: {{ include "owgw.fullname" . }}-config
+      - name: certs
+        mountPath: /owgw-data/certs
+        volumeDefinition: |
+          secret:
+            secretName: {{ if .Values.existingCertsSecret }}{{ .Values.existingCertsSecret }}{{ else }}{{ include "owgw.fullname" . }}-certs{{ end }}
+      - name: certs-cas
+        mountPath: /owgw-data/certs/cas
+        volumeDefinition: |
+          secret:
+            secretName: {{ include "owgw.fullname" . }}-certs-cas
+      - name: persist
+        mountPath: /owgw-data/persist
+        volumeDefinition: |
+          persistentVolumeClaim:
+            claimName: {{ template "owgw.fullname" . }}-pvc
+
+      - name: restapi-certs
+        mountPath: /owgw-data/certs/restapi-certs
+        volumeDefinition: |
+          secret:
+            secretName: {{ include "owgw.fullname" . }}-owgw-restapi-tls
+      - name: restapi-ca
+        mountPath: /usr/local/share/ca-certificates/restapi-ca-selfsigned.crt
+        subPath: ca.crt
+        volumeDefinition: |
+          secret:
+            secretName: {{ include "owgw.fullname" . }}-owgw-restapi-tls
+
+owsec:
+  public_env_variables:
+    SELFSIGNED_CERTS: "true"
+
+  existingCertsSecret: openwifi-certs
+
+  configProperties:
+    openwifi.system.uri.public: https://localhost:16001
+    openwifi.system.uri.private: https://owsec-owsec:17001
+    openwifi.system.uri.ui: http://localhost:8080
+    openwifi.internal.restapi.host.0.rootca: $OWSEC_ROOT/certs/restapi-certs/ca.crt
+    openwifi.internal.restapi.host.0.cert: $OWSEC_ROOT/certs/restapi-certs/tls.crt
+    openwifi.internal.restapi.host.0.key: $OWSEC_ROOT/certs/restapi-certs/tls.key
+    openwifi.restapi.host.0.rootca: $OWSEC_ROOT/certs/restapi-certs/ca.crt
+    openwifi.restapi.host.0.cert: $OWSEC_ROOT/certs/restapi-certs/tls.crt
+    openwifi.restapi.host.0.key: $OWSEC_ROOT/certs/restapi-certs/tls.key
+
+  volumes:
+    owsec:
+      - name: config
+        mountPath: /owsec-data/owsec.properties
+        subPath: owsec.properties
+        # Template below will be rendered in template
+        volumeDefinition: |
+          secret:
+            secretName: {{ include "owsec.fullname" . }}-config
+      - name: certs
+        mountPath: /owsec-data/certs
+        volumeDefinition: |
+          secret:
+            secretName: {{ if .Values.existingCertsSecret }}{{ .Values.existingCertsSecret }}{{ else }}{{ include "owsec.fullname" . }}-certs{{ end }}
+      - name: persist
+        mountPath: /owsec-data/persist
+        volumeDefinition: |
+          persistentVolumeClaim:
+            claimName: {{ template "owsec.fullname" . }}-pvc
+
+      - name: restapi-certs
+        mountPath: /owsec-data/certs/restapi-certs
+        volumeDefinition: |
+          secret:
+            secretName: {{ include "owsec.fullname" . }}-owsec-restapi-tls
+      - name: restapi-ca
+        mountPath: /usr/local/share/ca-certificates/restapi-ca-selfsigned.crt
+        subPath: ca.crt
+        volumeDefinition: |
+          secret:
+            secretName: {{ include "owsec.fullname" . }}-owsec-restapi-tls
+
+owfms:
+  public_env_variables:
+    SELFSIGNED_CERTS: "true"
+
+  existingCertsSecret: openwifi-certs
+
+  configProperties:
+    openwifi.system.uri.public: https://localhost:16004
+    openwifi.system.uri.private: https://owfms-owfms:17004
+    openwifi.system.uri.ui: http://localhost:8080
+    openwifi.internal.restapi.host.0.rootca: $OWFMS_ROOT/certs/restapi-certs/ca.crt
+    openwifi.internal.restapi.host.0.cert: $OWFMS_ROOT/certs/restapi-certs/tls.crt
+    openwifi.internal.restapi.host.0.key: $OWFMS_ROOT/certs/restapi-certs/tls.key
+    openwifi.restapi.host.0.rootca: $OWFMS_ROOT/certs/restapi-certs/ca.crt
+    openwifi.restapi.host.0.cert: $OWFMS_ROOT/certs/restapi-certs/tls.crt
+    openwifi.restapi.host.0.key: $OWFMS_ROOT/certs/restapi-certs/tls.key
+
+  volumes:
+    owfms:
+      - name: config
+        mountPath: /owfms-data/owfms.properties
+        subPath: owfms.properties
+        # Template below will be rendered in template
+        volumeDefinition: |
+          secret:
+            secretName: {{ include "owfms.fullname" . }}-config
+      - name: certs
+        mountPath: /owfms-data/certs
+        volumeDefinition: |
+          secret:
+            secretName: {{ if .Values.existingCertsSecret }}{{ .Values.existingCertsSecret }}{{ else }}{{ include "owfms.fullname" . }}-certs{{ end }}
+      - name: persist
+        mountPath: /owfms-data/persist
+        volumeDefinition: |
+          persistentVolumeClaim:
+            claimName: {{ template "owfms.fullname" . }}-pvc
+
+      - name: restapi-certs
+        mountPath: /owfms-data/certs/restapi-certs
+        volumeDefinition: |
+          secret:
+            secretName: {{ include "owfms.fullname" . }}-owfms-restapi-tls
+      - name: restapi-ca
+        mountPath: /usr/local/share/ca-certificates/restapi-ca-selfsigned.crt
+        subPath: ca.crt
+        volumeDefinition: |
+          secret:
+            secretName: {{ include "owfms.fullname" . }}-owfms-restapi-tls
+
+owprov:
+  public_env_variables:
+    SELFSIGNED_CERTS: "true"
+
+  existingCertsSecret: openwifi-certs
+
+  configProperties:
+    openwifi.system.uri.public: https://localhost:16005
+    openwifi.system.uri.private: https://owprov-owprov:17005
+    openwifi.system.uri.ui: http://localhost:8080
+    openwifi.internal.restapi.host.0.rootca: $OWPROV_ROOT/certs/restapi-certs/ca.crt
+    openwifi.internal.restapi.host.0.cert: $OWPROV_ROOT/certs/restapi-certs/tls.crt
+    openwifi.internal.restapi.host.0.key: $OWPROV_ROOT/certs/restapi-certs/tls.key
+    openwifi.restapi.host.0.rootca: $OWPROV_ROOT/certs/restapi-certs/ca.crt
+    openwifi.restapi.host.0.cert: $OWPROV_ROOT/certs/restapi-certs/tls.crt
+    openwifi.restapi.host.0.key: $OWPROV_ROOT/certs/restapi-certs/tls.key
+
+  volumes:
+    owprov:
+      - name: config
+        mountPath: /owprov-data/owprov.properties
+        subPath: owprov.properties
+        # Template below will be rendered in template
+        volumeDefinition: |
+          secret:
+            secretName: {{ include "owprov.fullname" . }}-config
+      - name: certs
+        mountPath: /owprov-data/certs
+        volumeDefinition: |
+          secret:
+            secretName: {{ if .Values.existingCertsSecret }}{{ .Values.existingCertsSecret }}{{ else }}{{ include "owprov.fullname" . }}-certs{{ end }}
+      - name: persist
+        mountPath: /owprov-data/persist
+        volumeDefinition: |
+          persistentVolumeClaim:
+            claimName: {{ template "owprov.fullname" . }}-pvc
+
+      - name: restapi-certs
+        mountPath: /owprov-data/certs/restapi-certs
+        volumeDefinition: |
+          secret:
+            secretName: {{ include "owprov.fullname" . }}-owprov-restapi-tls
+      - name: restapi-ca
+        mountPath: /usr/local/share/ca-certificates/restapi-ca-selfsigned.crt
+        subPath: ca.crt
+        volumeDefinition: |
+          secret:
+            secretName: {{ include "owprov.fullname" . }}-owprov-restapi-tls
+
+owanalytics:
+  public_env_variables:
+    SELFSIGNED_CERTS: "true"
+
+  existingCertsSecret: openwifi-certs
+
+  configProperties:
+    openwifi.system.uri.public: https://localhost:16009
+    openwifi.system.uri.private: https://owanalytics-owanalytics:17009
+    openwifi.system.uri.ui: http://localhost:8080
+    openwifi.internal.restapi.host.0.rootca: $OWANALYTICS_ROOT/certs/restapi-certs/ca.crt
+    openwifi.internal.restapi.host.0.cert: $OWANALYTICS_ROOT/certs/restapi-certs/tls.crt
+    openwifi.internal.restapi.host.0.key: $OWANALYTICS_ROOT/certs/restapi-certs/tls.key
+    openwifi.restapi.host.0.rootca: $OWANALYTICS_ROOT/certs/restapi-certs/ca.crt
+    openwifi.restapi.host.0.cert: $OWANALYTICS_ROOT/certs/restapi-certs/tls.crt
+    openwifi.restapi.host.0.key: $OWANALYTICS_ROOT/certs/restapi-certs/tls.key
+
+  volumes:
+    owanalytics:
+      - name: config
+        mountPath: /owanalytics-data/owanalytics.properties
+        subPath: owanalytics.properties
+        # Template below will be rendered in template
+        volumeDefinition: |
+          secret:
+            secretName: {{ include "owanalytics.fullname" . }}-config
+      - name: certs
+        mountPath: /owanalytics-data/certs
+        volumeDefinition: |
+          secret:
+            secretName: {{ if .Values.existingCertsSecret }}{{ .Values.existingCertsSecret }}{{ else }}{{ include "owanalytics.fullname" . }}-certs{{ end }}
+      - name: persist
+        mountPath: /owanalytics-data/persist
+        volumeDefinition: |
+          persistentVolumeClaim:
+            claimName: {{ template "owanalytics.fullname" . }}-pvc
+
+      - name: restapi-certs
+        mountPath: /owanalytics-data/certs/restapi-certs
+        volumeDefinition: |
+          secret:
+            secretName: {{ include "owanalytics.fullname" . }}-owanalytics-restapi-tls
+      - name: restapi-ca
+        mountPath: /usr/local/share/ca-certificates/restapi-ca-selfsigned.crt
+        subPath: ca.crt
+        volumeDefinition: |
+          secret:
+            secretName: {{ include "owanalytics.fullname" . }}-owanalytics-restapi-tls
+
+
+owsub:
+  public_env_variables:
+    SELFSIGNED_CERTS: "true"
+
+  existingCertsSecret: openwifi-certs
+
+  configProperties:
+    openwifi.system.uri.public: https://localhost:16006
+    openwifi.system.uri.private: https://owsub-owsub:17006
+    openwifi.system.uri.ui: http://localhost:8080
+    openwifi.internal.restapi.host.0.rootca: $OWSUB_ROOT/certs/restapi-certs/ca.crt
+    openwifi.internal.restapi.host.0.cert: $OWSUB_ROOT/certs/restapi-certs/tls.crt
+    openwifi.internal.restapi.host.0.key: $OWSUB_ROOT/certs/restapi-certs/tls.key
+    openwifi.restapi.host.0.rootca: $OWSUB_ROOT/certs/restapi-certs/ca.crt
+    openwifi.restapi.host.0.cert: $OWSUB_ROOT/certs/restapi-certs/tls.crt
+    openwifi.restapi.host.0.key: $OWSUB_ROOT/certs/restapi-certs/tls.key
+
+  volumes:
+    owsub:
+      - name: config
+        mountPath: /owsub-data/owsub.properties
+        subPath: owsub.properties
+        # Template below will be rendered in template
+        volumeDefinition: |
+          secret:
+            secretName: {{ include "owsub.fullname" . }}-config
+      - name: certs
+        mountPath: /owsub-data/certs
+        volumeDefinition: |
+          secret:
+            secretName: {{ if .Values.existingCertsSecret }}{{ .Values.existingCertsSecret }}{{ else }}{{ include "owsub.fullname" . }}-certs{{ end }}
+      - name: persist
+        mountPath: /owsub-data/persist
+        volumeDefinition: |
+          persistentVolumeClaim:
+            claimName: {{ template "owsub.fullname" . }}-pvc
+
+      - name: restapi-certs
+        mountPath: /owsub-data/certs/restapi-certs
+        volumeDefinition: |
+          secret:
+            secretName: {{ include "owsub.fullname" . }}-owsub-restapi-tls
+      - name: restapi-ca
+        mountPath: /usr/local/share/ca-certificates/restapi-ca-selfsigned.crt
+        subPath: ca.crt
+        volumeDefinition: |
+          secret:
+            secretName: {{ include "owsub.fullname" . }}-owsub-restapi-tls
+
+owgwui:
+  public_env_variables:
+    REACT_APP_UCENTRALSEC_URL: https://localhost:16001
+
+owprovui:
+  public_env_variables:
+    REACT_APP_UCENTRALSEC_URL: https://localhost:16001
+
+kafka:
+  volumePermissions:
+    enabled: true
+  commonAnnotations:
+    cluster-autoscaler.kubernetes.io/safe-to-evict: "false"
+  #resources:
+  #  requests:
+  #    cpu: 100m
+  #    memory: 512Mi
+  #  limits:
+  #    cpu: 500m
+  #    memory: 1Gi
+  readinessProbe:
+    initialDelaySeconds: 45
+  livenessProbe:
+    initialDelaySeconds: 60
+  kraft:
+    enabled: true
+  heapOpts: -Xmx1024m -Xms1024m
+  zookeeper:
+    enabled: false
+  controller:
+    replicaCount: 1
+    extraConfig: |-
+      maxMessageBytes = 1048588
+      offsets.topic.replication.factor = 1
+      transaction.state.log.replication.factor = 1
+    extraEnvVars:
+      - name: ALLOW_PLAINTEXT_LISTENER
+        value: "yes"
+  listeners:
+    client:
+      protocol: PLAINTEXT
+      containerPort: 9092
+    controller:
+      protocol: "PLAINTEXT"
+  broker:
+    persistence:
+      size: 20Gi
+    replicaCount: 0
+
+restapiCerts:
+  enabled: true
--- a/chart/environment-values/values.custom.tpl.yaml
+++ b/chart/environment-values/values.custom.tpl.yaml
@@ -0,0 +1,132 @@
+owgw:
+  services:
+    owgw:
+      annotations:
+        external-dns.alpha.kubernetes.io/hostname: gw-${NAMESPACE}.${DOMAIN}
+        service.beta.kubernetes.io/aws-load-balancer-ssl-cert: ${CERTIFICATE_ARN}
+  configProperties:
+    openwifi.fileuploader.host.0.name: gw-${NAMESPACE}.${DOMAIN}
+    rtty.server: gw-${NAMESPACE}.${DOMAIN}
+    openwifi.system.uri.public: https://gw-${NAMESPACE}.${DOMAIN}:16002
+    openwifi.system.uri.private: $INTERNAL_RESTAPI_ENDPOINT_SCHEMA://owgw-owgw:17002
+    openwifi.system.uri.ui: https://webui-${NAMESPACE}.${DOMAIN}
+    iptocountry.ipinfo.token: "${IPTOCOUNTRY_IPINFO_TOKEN}"
+  public_env_variables:
+    OWSEC: sec-${NAMESPACE}.${DOMAIN}:16001
+owsec:
+  configProperties:
+    authentication.default.username: "${OWGW_AUTH_USERNAME}"
+    authentication.default.password: "${OWGW_AUTH_PASSWORD}"
+    openwifi.system.uri.public: https://sec-${NAMESPACE}.${DOMAIN}:16001
+    openwifi.system.uri.private: $INTERNAL_RESTAPI_ENDPOINT_SCHEMA://owsec-owsec:17001
+    openwifi.ystem.uri.ui: https://webui-${NAMESPACE}.${DOMAIN}
+    mailer.sender: "sec-${NAMESPACE}@${DOMAIN}"
+    mailer.enabled: $MAILER_ENABLED
+    mailer.username: "$MAILER_USERNAME"
+    mailer.password: "$MAILER_PASSWORD"
+  services:
+    owsec:
+      annotations:
+        external-dns.alpha.kubernetes.io/hostname: sec-${NAMESPACE}.${DOMAIN}
+        service.beta.kubernetes.io/aws-load-balancer-ssl-cert: ${CERTIFICATE_ARN}
+owfms:
+  configProperties:
+    s3.secret: "${OWFMS_S3_SECRET}"
+    s3.key: "${OWFMS_S3_KEY}"
+    openwifi.system.uri.public: https://fms-${NAMESPACE}.${DOMAIN}:16004
+    openwifi.system.uri.private: $INTERNAL_RESTAPI_ENDPOINT_SCHEMA://owfms-owfms:17004
+    openwifi.system.uri.ui: https://webui-${NAMESPACE}.${DOMAIN}
+  services:
+    owfms:
+      annotations:
+        external-dns.alpha.kubernetes.io/hostname: fms-${NAMESPACE}.${DOMAIN}
+        service.beta.kubernetes.io/aws-load-balancer-ssl-cert: ${CERTIFICATE_ARN}
+  public_env_variables:
+    OWSEC: sec-${NAMESPACE}.${DOMAIN}:16001
+owprov:
+  services:
+    owprov:
+      annotations:
+        external-dns.alpha.kubernetes.io/hostname: prov-${NAMESPACE}.${DOMAIN}
+        service.beta.kubernetes.io/aws-load-balancer-ssl-cert: ${CERTIFICATE_ARN}
+  configProperties:
+    openwifi.system.uri.public: https://prov-${NAMESPACE}.${DOMAIN}:16005
+    openwifi.system.uri.private: $INTERNAL_RESTAPI_ENDPOINT_SCHEMA://owprov-owprov:17005
+    openwifi.system.uri.ui: https://provui-${NAMESPACE}.${DOMAIN}
+    iptocountry.ipinfo.token: "${IPTOCOUNTRY_IPINFO_TOKEN}"
+  public_env_variables:
+    OWSEC: sec-${NAMESPACE}.${DOMAIN}:16001
+owgwui:
+  ingresses:
+    default:
+      hosts:
+      - webui-${NAMESPACE}.${DOMAIN}
+      annotations:
+        external-dns.alpha.kubernetes.io/hostname: webui-${NAMESPACE}.${DOMAIN}
+        alb.ingress.kubernetes.io/certificate-arn: ${CERTIFICATE_ARN}
+  public_env_variables:
+    REACT_APP_UCENTRALSEC_URL: https://sec-${NAMESPACE}.${DOMAIN}:16001
+owprovui:
+  ingresses:
+    default:
+      hosts:
+      - provui-${NAMESPACE}.${DOMAIN}
+      annotations:
+        external-dns.alpha.kubernetes.io/hostname: provui-${NAMESPACE}.${DOMAIN}
+        alb.ingress.kubernetes.io/certificate-arn: ${CERTIFICATE_ARN}
+  public_env_variables:
+    REACT_APP_UCENTRALSEC_URL: https://sec-${NAMESPACE}.${DOMAIN}:16001
+owanalytics:
+  services:
+    owanalytics:
+      annotations:
+        external-dns.alpha.kubernetes.io/hostname: analytics-${NAMESPACE}.${DOMAIN}
+        service.beta.kubernetes.io/aws-load-balancer-ssl-cert: ${CERTIFICATE_ARN}
+  configProperties:
+    openwifi.system.uri.public: https://analytics-${NAMESPACE}.${DOMAIN}:16009
+    openwifi.system.uri.private: $INTERNAL_RESTAPI_ENDPOINT_SCHEMA://owanalytics-owanalytics:17009
+    openwifi.system.uri.ui: https://webui-${NAMESPACE}.${DOMAIN}
+  public_env_variables:
+    OWSEC: sec-${NAMESPACE}.${DOMAIN}:16001
+owsub:
+  services:
+    owsub:
+      annotations:
+        external-dns.alpha.kubernetes.io/hostname: sub-${NAMESPACE}.${DOMAIN}
+        service.beta.kubernetes.io/aws-load-balancer-ssl-cert: ${CERTIFICATE_ARN}
+  configProperties:
+    openwifi.system.uri.public: https://sub-${NAMESPACE}.${DOMAIN}:16006
+    openwifi.system.uri.private: $INTERNAL_RESTAPI_ENDPOINT_SCHEMA://owsub-owsub:17006
+    openwifi.system.uri.ui: https://webui-${NAMESPACE}.${DOMAIN}
+  public_env_variables:
+    OWSEC: sec-${NAMESPACE}.${DOMAIN}:16001
+clustersysteminfo:
+  public_env_variables:
+    OWSEC: sec-${NAMESPACE}.${DOMAIN}:16001
+  secret_env_variables:
+    OWSEC_NEW_PASSWORD: "${OWSEC_NEW_PASSWORD}"
+owls:
+  services:
+    owls:
+      annotations:
+        external-dns.alpha.kubernetes.io/hostname: ls-${NAMESPACE}.${DOMAIN}
+        service.beta.kubernetes.io/aws-load-balancer-ssl-cert: ${CERTIFICATE_ARN}
+  configProperties:
+    openwifi.system.uri.public: https://ls-${NAMESPACE}.${DOMAIN}:16007
+    openwifi.system.uri.private: $INTERNAL_RESTAPI_ENDPOINT_SCHEMA://owls-owls:17007
+    openwifi.system.uri.ui: https://webui-${NAMESPACE}.${DOMAIN}
+owlsui:
+  ingresses:
+    default:
+      hosts:
+      - lsui-${NAMESPACE}.${DOMAIN}
+      annotations:
+        external-dns.alpha.kubernetes.io/hostname: lsui-${NAMESPACE}.${DOMAIN}
+        service.beta.kubernetes.io/aws-load-balancer-ssl-cert: ${CERTIFICATE_ARN}
+  public_env_variables:
+    REACT_APP_UCENTRALSEC_URL: https://sec-${NAMESPACE}.${DOMAIN}:16001
+haproxy:
+  service:
+    annotations:
+      external-dns.alpha.kubernetes.io/hostname: "$HAPROXY_SERVICE_DNS_RECORDS"
+      service.beta.kubernetes.io/aws-load-balancer-ssl-cert: ${CERTIFICATE_ARN}
--- a/chart/environment-values/values.openwifi-qa.disable-radiusproxy.yaml
+++ b/chart/environment-values/values.openwifi-qa.disable-radiusproxy.yaml
@@ -0,0 +1,7 @@
+owgw:
+  configProperties:
+    radius.proxy.enable: "false"
+    radius.proxy.accounting.port: 1813
+    radius.proxy.authentication.port: 1812
+    radius.proxy.coa.port: 3799
+    radsec.keepalive: 120
--- a/chart/environment-values/values.openwifi-qa.external-db.yaml
+++ b/chart/environment-values/values.openwifi-qa.external-db.yaml
@@ -8,7 +8,130 @@ owgw:

  postgresql:
    enabled: true
+    nameOverride: owgw-pgsql
    fullnameOverride: owgw-pgsql
    postgresqlDatabase: owgw
    postgresqlUsername: owgw
    postgresqlPassword: owgw
+    resources:
+      requests:
+        cpu: 250m
+        memory: 1024Mi
+      limits:
+        cpu: 250m
+        memory: 1024Mi
+
+owsec:
+  configProperties:
+    storage.type: postgresql
+    storage.type.postgresql.host: owsec-pgsql
+    storage.type.postgresql.database: owsec
+    storage.type.postgresql.username: owsec
+    storage.type.postgresql.password: owsec
+
+  postgresql:
+    enabled: true
+    nameOverride: owsec-pgsql
+    fullnameOverride: owsec-pgsql
+    postgresqlDatabase: owsec
+    postgresqlUsername: owsec
+    postgresqlPassword: owsec
+    resources:
+      requests:
+        cpu: 250m
+        memory: 1024Mi
+      limits:
+        cpu: 250m
+        memory: 1024Mi
+
+owfms:
+  configProperties:
+    storage.type: postgresql
+    storage.type.postgresql.host: owfms-pgsql
+    storage.type.postgresql.database: owfms
+    storage.type.postgresql.username: owfms
+    storage.type.postgresql.password: owfms
+
+  postgresql:
+    enabled: true
+    nameOverride: owfms-pgsql
+    fullnameOverride: owfms-pgsql
+    postgresqlDatabase: owfms
+    postgresqlUsername: owfms
+    postgresqlPassword: owfms
+    resources:
+      requests:
+        cpu: 250m
+        memory: 1024Mi
+      limits:
+        cpu: 250m
+        memory: 1024Mi
+
+owprov:
+  configProperties:
+    storage.type: postgresql
+    storage.type.postgresql.host: owprov-pgsql
+    storage.type.postgresql.database: owprov
+    storage.type.postgresql.username: owprov
+    storage.type.postgresql.password: owprov
+
+  postgresql:
+    enabled: true
+    nameOverride: owprov-pgsql
+    fullnameOverride: owprov-pgsql
+    postgresqlDatabase: owprov
+    postgresqlUsername: owprov
+    postgresqlPassword: owprov
+    resources:
+      requests:
+        cpu: 250m
+        memory: 1024Mi
+      limits:
+        cpu: 250m
+        memory: 1024Mi
+
+owanalytics:
+  configProperties:
+    storage.type: postgresql
+    storage.type.postgresql.host: owanalytics-pgsql
+    storage.type.postgresql.database: owanalytics
+    storage.type.postgresql.username: owanalytics
+    storage.type.postgresql.password: owanalytics
+
+  postgresql:
+    enabled: true
+    nameOverride: owanalytics-pgsql
+    fullnameOverride: owanalytics-pgsql
+    postgresqlDatabase: owanalytics
+    postgresqlUsername: owanalytics
+    postgresqlPassword: owanalytics
+    resources:
+      requests:
+        cpu: 250m
+        memory: 1024Mi
+      limits:
+        cpu: 250m
+        memory: 1024Mi
+
+owsub:
+  configProperties:
+    storage.type: postgresql
+    storage.type.postgresql.host: owsub-pgsql
+    storage.type.postgresql.database: owsub
+    storage.type.postgresql.username: owsub
+    storage.type.postgresql.password: owsub
+
+  postgresql:
+    enabled: true
+    nameOverride: owsub-pgsql
+    fullnameOverride: owsub-pgsql
+    postgresqlDatabase: owsub
+    postgresqlUsername: owsub
+    postgresqlPassword: owsub
+    resources:
+      requests:
+        cpu: 250m
+        memory: 1024Mi
+      limits:
+        cpu: 250m
+        memory: 1024Mi
--- a/chart/environment-values/values.openwifi-qa.owls-enabled.yaml
+++ b/chart/environment-values/values.openwifi-qa.owls-enabled.yaml
@@ -1,38 +1,18 @@
+# This helm values file is to be used when OWLS is run in the same namespace.
 owgw:
-  services:
-    owgw:
-      type: LoadBalancer
-      annotations:
-        service.beta.kubernetes.io/aws-load-balancer-type: "nlb-ip"
-        service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing
-        service.beta.kubernetes.io/aws-load-balancer-healthcheck-port: "16102"
-        service.beta.kubernetes.io/aws-load-balancer-backend-protocol: ssl
-        service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "arn:aws:acm:us-east-2:289708231103:certificate/bfa89c7a-5b64-4a8a-bcfe-ffec655b5285"
-        service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "16002,16003,17002"
-
  configProperties:
    simulatorid: 53494D020202
-    storage.type: postgresql
-    storage.type.postgresql.host: owgw-pgsql
-    storage.type.postgresql.database: owgw
-    storage.type.postgresql.username: owgw
-    storage.type.postgresql.password: owgw
+    storage.type.postgresql.maxsessions: 120
+    # this actually disables websocket logging:
+    logging.websocket: true

  resources:
    requests:
      cpu: 2000m
-      memory: 3000Mi
+      memory: 3Gi
    limits:
      cpu: 2000m
-      memory: 3000Mi
-
-  postgresql:
-    enabled: true
-    fullnameOverride: owgw-pgsql
-
-    postgresqlDatabase: owgw
-    postgresqlUsername: owgw
-    postgresqlPassword: owgw
+      memory: 5Gi

 owls:
  enabled: true
@@ -44,7 +24,6 @@ owls:
        service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing
        service.beta.kubernetes.io/aws-load-balancer-healthcheck-port: "16107"
        service.beta.kubernetes.io/aws-load-balancer-backend-protocol: ssl
-        service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "arn:aws:acm:us-east-2:289708231103:certificate/bfa89c7a-5b64-4a8a-bcfe-ffec655b5285"
        service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "16007,17007"
        external-dns.alpha.kubernetes.io/ttl: "60"

@@ -53,10 +32,10 @@ owls:

  resources:
    requests:
-      cpu: 3000m
+      cpu: 6000m
      memory: 8000Mi
    limits:
-      cpu: 3000m
+      cpu: 6000m
      memory: 8000Mi

  checks:
@@ -113,7 +92,6 @@ owls:
      - name: config
        mountPath: /owls-data/owls.properties
        subPath: owls.properties
-        # Template below will be rendered in template
        volumeDefinition: |
          secret:
            secretName: {{ include "owls.fullname" . }}-config
@@ -127,7 +105,6 @@ owls:
        volumeDefinition: |
          secret:
            secretName: {{ include "owls.fullname" . }}-certs-cas
-      # Change this if you want to use another volume type
      - name: persist
        mountPath: /owls-data/persist
        volumeDefinition: |
@@ -140,19 +117,18 @@ owls:
          secret:
            secretName: {{ include "owls.fullname" . }}-owls-restapi-tls
      - name: restapi-ca
-        mountPath: /usr/local/share/ca-certificates/restapi-ca-selfsigned.pem
+        mountPath: /usr/local/share/ca-certificates/restapi-ca-selfsigned.crt
        subPath: ca.crt
        volumeDefinition: |
          secret:
            secretName: {{ include "owls.fullname" . }}-owls-restapi-tls

+
 owlsui:
  enabled: true
-
  services:
    owlsui:
      type: NodePort
-
  ingresses:
    default:
      enabled: true
@@ -160,7 +136,6 @@ owlsui:
        kubernetes.io/ingress.class: alb
        alb.ingress.kubernetes.io/scheme: internet-facing
        alb.ingress.kubernetes.io/group.name: wlan-cicd
-        alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:us-east-2:289708231103:certificate/bfa89c7a-5b64-4a8a-bcfe-ffec655b5285
        alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS": 443}]'
        alb.ingress.kubernetes.io/actions.ssl-redirect: '{"Type": "redirect", "RedirectConfig": { "Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_302"}}'
        external-dns.alpha.kubernetes.io/ttl: "60"
--- a/chart/environment-values/values.openwifi-qa.owls-external.yaml
+++ b/chart/environment-values/values.openwifi-qa.owls-external.yaml
@@ -0,0 +1,51 @@
+# This helm values file is to be used when OWLS is run externally.
+owgw:
+  configProperties:
+    # done by default for owgw now:
+    #simulatorid: 53494D020202
+    # on a host with more CPUs you may need to bump this up from default of 64
+    storage.type.postgresql.maxsessions: 120
+    # this actually disables websocket logging:
+    logging.websocket: true
+    # consider lowering the # of days to keep archives in the database
+    #archiver.db.0.name = healthchecks
+    #archiver.db.0.keep = 1
+    #archiver.db.1.name = statistics
+    #archiver.db.1.keep = 1
+    #archiver.db.2.name = devicelogs
+    #archiver.db.2.keep = 1
+    #archiver.db.3.name = commandlist
+    #archiver.db.3.keep = 1
+
+  resources:
+    requests:
+      cpu: 2000m
+      memory: 3Gi
+    limits:
+      cpu: 2000m
+      memory: 5Gi
+
+owprov:
+  resources:
+    requests:
+      cpu: 10m
+      memory: 200Mi
+    limits:
+      cpu: 100m
+      memory: 4Gi
+
+# Postgres tuning for larger # of APs
+#postgresql:
+#  primary:
+#    resourcesPreset: large
+#    persistence:
+#      size: 120Gi
+
+#kafka:
+#  controller:
+#    persistence:
+#      size: 80Gi
+#    extraConfig: |-
+#      # consider tuning this as otherwise kafka storage may be exceeded quickly
+#      # the default is 1 week!
+#      logRetentionHours = 24
--- a/chart/environment-values/values.openwifi-qa.separate-lbs.yaml
+++ b/chart/environment-values/values.openwifi-qa.separate-lbs.yaml
@@ -7,8 +7,8 @@ owgw:
        service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing
        service.beta.kubernetes.io/aws-load-balancer-healthcheck-port: "16102"
        service.beta.kubernetes.io/aws-load-balancer-backend-protocol: ssl
-        service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "arn:aws:acm:us-east-2:289708231103:certificate/bfa89c7a-5b64-4a8a-bcfe-ffec655b5285"
-        service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "16002,16003,17002,5912,5913"
+        service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "16002,16003,17002,5913"
+        service.beta.kubernetes.io/aws-load-balancer-target-group-attributes: preserve_client_ip.enabled=true

 owsec:
  services:
@@ -19,8 +19,8 @@ owsec:
        service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing
        service.beta.kubernetes.io/aws-load-balancer-healthcheck-port: "16101"
        service.beta.kubernetes.io/aws-load-balancer-backend-protocol: ssl
-        service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "arn:aws:acm:us-east-2:289708231103:certificate/bfa89c7a-5b64-4a8a-bcfe-ffec655b5285"
        service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "16001,17001"
+        service.beta.kubernetes.io/aws-load-balancer-target-group-attributes: preserve_client_ip.enabled=true

 owfms:
  services:
@@ -31,8 +31,8 @@ owfms:
        service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing
        service.beta.kubernetes.io/aws-load-balancer-healthcheck-port: "16104"
        service.beta.kubernetes.io/aws-load-balancer-backend-protocol: ssl
-        service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "arn:aws:acm:us-east-2:289708231103:certificate/bfa89c7a-5b64-4a8a-bcfe-ffec655b5285"
        service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "16004,17004"
+        service.beta.kubernetes.io/aws-load-balancer-target-group-attributes: preserve_client_ip.enabled=true

 owprov:
  services:
@@ -43,8 +43,8 @@ owprov:
        service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing
        service.beta.kubernetes.io/aws-load-balancer-healthcheck-port: "16105"
        service.beta.kubernetes.io/aws-load-balancer-backend-protocol: ssl
-        service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "arn:aws:acm:us-east-2:289708231103:certificate/bfa89c7a-5b64-4a8a-bcfe-ffec655b5285"
        service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "16005,17005"
+        service.beta.kubernetes.io/aws-load-balancer-target-group-attributes: preserve_client_ip.enabled=true

 owanalytics:
  services:
@@ -55,8 +55,8 @@ owanalytics:
        service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing
        service.beta.kubernetes.io/aws-load-balancer-healthcheck-port: "16109"
        service.beta.kubernetes.io/aws-load-balancer-backend-protocol: ssl
-        service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "arn:aws:acm:us-east-2:289708231103:certificate/bfa89c7a-5b64-4a8a-bcfe-ffec655b5285"
        service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "16009,17009"
+        service.beta.kubernetes.io/aws-load-balancer-target-group-attributes: preserve_client_ip.enabled=true

 owsub:
  services:
@@ -67,8 +67,8 @@ owsub:
        service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing
        service.beta.kubernetes.io/aws-load-balancer-healthcheck-port: "16106"
        service.beta.kubernetes.io/aws-load-balancer-backend-protocol: ssl
-        service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "arn:aws:acm:us-east-2:289708231103:certificate/bfa89c7a-5b64-4a8a-bcfe-ffec655b5285"
        service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "16006,17006"
+        service.beta.kubernetes.io/aws-load-balancer-target-group-attributes: preserve_client_ip.enabled=true

 haproxy:
  enabled: false
--- a/chart/environment-values/values.openwifi-qa.single-external-db.yaml
+++ b/chart/environment-values/values.openwifi-qa.single-external-db.yaml
@@ -0,0 +1,106 @@
+owgw:
+  configProperties:
+    simulatorid: 53494D020202
+    storage.type: postgresql
+    storage.type.postgresql.host: pgsql
+    storage.type.postgresql.database: owgw
+    storage.type.postgresql.username: owgw
+    storage.type.postgresql.password: owgw
+
+owsec:
+  configProperties:
+    storage.type: postgresql
+    storage.type.postgresql.host: pgsql
+    storage.type.postgresql.database: owsec
+    storage.type.postgresql.username: owsec
+    storage.type.postgresql.password: owsec
+
+owfms:
+  configProperties:
+    storage.type: postgresql
+    storage.type.postgresql.host: pgsql
+    storage.type.postgresql.database: owfms
+    storage.type.postgresql.username: owfms
+    storage.type.postgresql.password: owfms
+
+owprov:
+  configProperties:
+    storage.type: postgresql
+    storage.type.postgresql.host: pgsql
+    storage.type.postgresql.database: owprov
+    storage.type.postgresql.username: owprov
+    storage.type.postgresql.password: owprov
+
+owanalytics:
+  configProperties:
+    storage.type: postgresql
+    storage.type.postgresql.host: pgsql
+    storage.type.postgresql.database: owanalytics
+    storage.type.postgresql.username: owanalytics
+    storage.type.postgresql.password: owanalytics
+
+owsub:
+  configProperties:
+    storage.type: postgresql
+    storage.type.postgresql.host: pgsql
+    storage.type.postgresql.database: owsub
+    storage.type.postgresql.username: owsub
+    storage.type.postgresql.password: owsub
+
+postgresql:
+  enabled: true
+  initDbScriptSecret:
+    enabled: true
+    initdbScriptsSecret: tip-openwifi-initdb-scripts
+  volumePermissions:
+    enabled: true
+  global:
+    postgresql:
+      auth:
+        postgresPassword: postgres
+  auth:
+    postgresPassword: postgres
+  primary:
+    # TODO: tweak this next major release - 8Gi default is a bit too low
+    #persistence:
+    #  size: 30Gi
+    # Consider using this resource model for small installations
+    #resourcesPreset: medium
+    extendedConfiguration: |-
+      max_connections = 550
+      shared_buffers = 128MB
+    initdb:
+      scriptsSecret: tip-openwifi-initdb-scripts
+    # Consider using this disk size for small installations
+    #persistence:
+    #  size: 30Gi
+
+postgresql-ha:
+  enabled: false
+  initDbScriptSecret:
+    enabled: false
+    initdbScriptsSecret: tip-openwifi-initdb-scripts
+  pgpool:
+    adminPassword: admin
+    resources:
+      requests:
+        cpu: 250m
+        memory: 1024Mi
+      limits:
+        cpu: 250m
+        memory: 1024Mi
+    initdbScriptsSecret: tip-openwifi-initdb-scripts
+  postgresql:
+    replicaCount: 1
+    password: postgres
+    postgresPassword: postgres
+    repmgrPassword: repmgr
+    maxConnections: 1000
+
+    resources:
+      requests:
+        cpu: 250m
+        memory: 1024Mi
+      limits:
+        cpu: 250m
+        memory: 1024Mi
--- a/chart/environment-values/values.openwifi-qa.test-nodes.yaml
+++ b/chart/environment-values/values.openwifi-qa.test-nodes.yaml
@@ -30,6 +30,22 @@ owsec:
    operator: "Exists"
    effect: "NoSchedule"

+  postgresql:
+    primary:
+      nodeSelector:
+        env: tests
+      tolerations:
+      - key: "tests"
+        operator: "Exists"
+        effect: "NoSchedule"
+    readReplicas:
+      nodeSelector:
+        env: tests
+      tolerations:
+      - key: "tests"
+        operator: "Exists"
+        effect: "NoSchedule"
+
 owgwui:
  nodeSelector:
    env: tests
@@ -46,6 +62,22 @@ owfms:
    operator: "Exists"
    effect: "NoSchedule"

+  postgresql:
+    primary:
+      nodeSelector:
+        env: tests
+      tolerations:
+      - key: "tests"
+        operator: "Exists"
+        effect: "NoSchedule"
+    readReplicas:
+      nodeSelector:
+        env: tests
+      tolerations:
+      - key: "tests"
+        operator: "Exists"
+        effect: "NoSchedule"
+
 owprov:
  nodeSelector:
    env: tests
@@ -54,6 +86,22 @@ owprov:
    operator: "Exists"
    effect: "NoSchedule"

+  postgresql:
+    primary:
+      nodeSelector:
+        env: tests
+      tolerations:
+      - key: "tests"
+        operator: "Exists"
+        effect: "NoSchedule"
+    readReplicas:
+      nodeSelector:
+        env: tests
+      tolerations:
+      - key: "tests"
+        operator: "Exists"
+        effect: "NoSchedule"
+
 owprovui:
  nodeSelector:
    env: tests
@@ -64,7 +112,7 @@ owprovui:

 owls:
  nodeSelector:
-    env: tests
+    env: owls
  tolerations:
  - key: "tests"
    operator: "Exists"
@@ -101,6 +149,44 @@ owanalytics:
  - key: "tests"
    operator: "Exists"
    effect: "NoSchedule"
+  postgresql:
+    primary:
+      nodeSelector:
+        env: tests
+      tolerations:
+      - key: "tests"
+        operator: "Exists"
+        effect: "NoSchedule"
+    readReplicas:
+      nodeSelector:
+        env: tests
+      tolerations:
+      - key: "tests"
+        operator: "Exists"
+        effect: "NoSchedule"
+
+owsub:
+  nodeSelector:
+    env: tests
+  tolerations:
+  - key: "tests"
+    operator: "Exists"
+    effect: "NoSchedule"
+  postgresql:
+    primary:
+      nodeSelector:
+        env: tests
+      tolerations:
+      - key: "tests"
+        operator: "Exists"
+        effect: "NoSchedule"
+    readReplicas:
+      nodeSelector:
+        env: tests
+      tolerations:
+      - key: "tests"
+        operator: "Exists"
+        effect: "NoSchedule"

 kafka:
  nodeSelector:
@@ -116,3 +202,19 @@ kafka:
    - key: "tests"
      operator: "Exists"
      effect: "NoSchedule"
+
+postgresql-ha:
+  pgpool:
+    nodeSelector:
+      env: tests
+    tolerations:
+    - key: "tests"
+      operator: "Exists"
+      effect: "NoSchedule"
+  postgresql:
+    nodeSelector:
+      env: tests
+    tolerations:
+    - key: "tests"
+      operator: "Exists"
+      effect: "NoSchedule"
--- a/chart/environment-values/values.openwifi-qa.yaml
+++ b/chart/environment-values/values.openwifi-qa.yaml
@@ -5,29 +5,32 @@ owgw:
      readiness:
        exec:
          command: ["true"]
+        failureThreshold: 5
+      readiness:
+        failureThreshold: 5

  resources:
    requests:
-      cpu: 1000m
+      cpu: 2000m
      memory: 100Mi
    limits:
      cpu: 2000m
-      memory: 500Mi
+      memory: 2Gi

-  securityContext:
-    sysctls:
-    - name: net.ipv4.tcp_keepalive_intvl
-      value: "5"
-    - name: net.ipv4.tcp_keepalive_probes
-      value: "2"
-    - name: net.ipv4.tcp_keepalive_time
-      value: "45"
+#  securityContext:
+#    sysctls:
+#    - name: net.ipv4.tcp_keepalive_intvl
+#      value: "5"
+#    - name: net.ipv4.tcp_keepalive_probes
+#      value: "2"
+#    - name: net.ipv4.tcp_keepalive_time
+#      value: "45"

  podAnnotations:
    cluster-autoscaler.kubernetes.io/safe-to-evict: "false"

-  podSecurityPolicy:
-    enabled: true
+#  podSecurityPolicy:
+#    enabled: true

  certs:
    restapi-ca.pem: |
@@ -53,6 +56,160 @@ owgw:
      L+/DtiR5fDVMNdBSGU89UNTi0wHY9+RFuNlIuvZC+x/swF0V9R5mN+ywquTPtDLA
      5IOM7ItsRmen6u3qu+JXros54e4juQ==
      -----END CERTIFICATE-----
+    clientcas.pem: |
+      -----BEGIN CERTIFICATE-----
+      MIIEnDCCA4SgAwIBAgIUVpyCUx1MUeUwxg+7I1BvGFTz7HkwDQYJKoZIhvcNAQEL
+      BQAwaTELMAkGA1UEBhMCVVMxJDAiBgNVBAoTG1RlbGVjb20gSW5mcmEgUHJvamVj
+      dCwgSW5jLjEMMAoGA1UECxMDVElQMSYwJAYDVQQDEx1UZWxlY29tIEluZnJhIFBy
+      b2plY3QgUm9vdCBDQTAeFw0yMTA0MTMyMjUxMjZaFw0yNjA0MTMyMjM4NDZaMGwx
+      CzAJBgNVBAYTAlVTMSQwIgYDVQQKExtUZWxlY29tIEluZnJhIFByb2plY3QsIElu
+      Yy4xDDAKBgNVBAsTA1RJUDEpMCcGA1UEAxMgVGVsZWNvbSBJbmZyYSBQcm9qZWN0
+      IElzc3VpbmcgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDtKBrq
+      qd2aKVSk25KfL5xHu8X7/8rJrz3IvyPuVKWhk/N1zabot3suBcGaYNKjnRHxg78R
+      yKwKzajKYWtiQFqztu24g16LQeAnoUxZnF6a0z3JkkRPsz14A2y8TUhdEe1tx+UU
+      4VGsk3n+FMmOQHL+79FO57zQC1LwylgfLSltrI6mF3jowVUQvnwzKhUzT87AJ6EO
+      ndK/q0T/Bgi+aI39zfVOjJjsTJwghvrmYW3iarP1THSKxeib2s02bZKrvvHa5HL4
+      UI8+LvREpVZl4mzt1z6Nl344Y6f+UeJlYa/Ci0jJqaXJmyVnUbAz+c0i5JfwAVn3
+      YQzfC4eLnZCmdF8zAgMBAAGjggE3MIIBMzAPBgNVHRMBAf8EBTADAQH/MB0GA1Ud
+      DgQWBBSzG1S44EerPfM4gOQ85f0AYW3R6DAfBgNVHSMEGDAWgBQCRpZgebFT9qny
+      98WfIUDk6ZEB+jAOBgNVHQ8BAf8EBAMCAYYwgYMGCCsGAQUFBwEBBHcwdTAoBggr
+      BgEFBQcwAYYcaHR0cDovL29jc3Aub25lLmRpZ2ljZXJ0LmNvbTBJBggrBgEFBQcw
+      AoY9aHR0cDovL2NhY2VydHMub25lLmRpZ2ljZXJ0LmNvbS9UZWxlY29tSW5mcmFQ
+      cm9qZWN0Um9vdENBLmNydDBKBgNVHR8EQzBBMD+gPaA7hjlodHRwOi8vY3JsLm9u
+      ZS5kaWdpY2VydC5jb20vVGVsZWNvbUluZnJhUHJvamVjdFJvb3RDQS5jcmwwDQYJ
+      KoZIhvcNAQELBQADggEBAFbz+K94bHIkBMJqps0dApniUmOn0pO6Q6cGh47UP/kX
+      IiPIsnYgG+hqYD/qtsiqJhaWi0hixRWn38UmvZxMRk27aSTGE/TWx0JTC3qDGsSe
+      XkUagumbSfmS0ZyiTwMPeGAjXwyzGorqZWeA95eKfImntMiOf3E7//GK0K7HpCx8
+      IPCnLZsZD2q/mLyBsduImFIRQJbLAhwIxpcd1qYJk+BlGFL+HtBpEbq6JxW2Xy+v
+      DpNWc2WIsUTle0rTc9JNJrLX4ChUJmKqf8obKHap3Xh3//qw/jDB9pOAinA33FLJ
+      EmCnwBvQr9mfNmPBGMYZVU8cPruDQJ57GjmmvdisbJY=
+      -----END CERTIFICATE-----
+      -----BEGIN CERTIFICATE-----
+      MIIDojCCAoqgAwIBAgIUPVYBpqNbcLYygF6Mx+qxSWwQyFowDQYJKoZIhvcNAQEL
+      BQAwaTELMAkGA1UEBhMCVVMxJDAiBgNVBAoTG1RlbGVjb20gSW5mcmEgUHJvamVj
+      dCwgSW5jLjEMMAoGA1UECxMDVElQMSYwJAYDVQQDEx1UZWxlY29tIEluZnJhIFBy
+      b2plY3QgUm9vdCBDQTAeFw0yMTA0MTMyMjQyNDRaFw0zMTA0MTMyMjM4NDZaMGkx
+      CzAJBgNVBAYTAlVTMSQwIgYDVQQKExtUZWxlY29tIEluZnJhIFByb2plY3QsIElu
+      Yy4xDDAKBgNVBAsTA1RJUDEmMCQGA1UEAxMdVGVsZWNvbSBJbmZyYSBQcm9qZWN0
+      IFJvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDIGCibwf5u
+      AAwZ+1H8U0e3u2V+0d2gSctucoK86XwUmfe1V2a/qlCYZd29r80IuN1IIeB0naIm
+      KnK/MzXW87clF6tFd1+HzEvmlY/W4KyIXalVCTEzirFSvBEG2oZpM0yC3AefytAO
+      aOpA00LaM3xTfTqMKIRhJBuLy0I4ANUVG6ixVebbGuc78IodleqiLoWy2Q9QHyEO
+      t/7hZndJhiVogh0PveRhho45EbsACu7ymDY+JhlIleevqwlE3iQoq0YcmYADHno6
+      Eq8vcwLpZFxihupUafkd1T3WJYQAJf9coCjBu2qIhNgrcrGD8R9fGswwNRzMRMpX
+      720+GjcDW3bJAgMBAAGjQjBAMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFAJG
+      lmB5sVP2qfL3xZ8hQOTpkQH6MA4GA1UdDwEB/wQEAwIBhjANBgkqhkiG9w0BAQsF
+      AAOCAQEAVjl9dm4epG9NUYnagT9sg7scVQEPfz3Lt6w1NXJXgD8mAUlK0jXmEyvM
+      dCPD4514n+8+lM7US8fh+nxc7jO//LwK17Wm9FblgjNFR7+anv0Q99T9fP19DLlF
+      PSNHL2emogy1bl1lLTAoj8nxg2wVKPDSHBGviQ5LR9fsWUIJDv9Bs5k0qWugWYSj
+      19S6qnHeskRDB8MqRLhKMG82oDVLerSnhD0P6HjySBHgTTU7/tYS/OZr1jI6MPbG
+      L+/DtiR5fDVMNdBSGU89UNTi0wHY9+RFuNlIuvZC+x/swF0V9R5mN+ywquTPtDLA
+      5IOM7ItsRmen6u3qu+JXros54e4juQ==
+      -----END CERTIFICATE-----
+    issuer.pem: |
+      -----BEGIN CERTIFICATE-----
+      MIIEnDCCA4SgAwIBAgIUVpyCUx1MUeUwxg+7I1BvGFTz7HkwDQYJKoZIhvcNAQEL
+      BQAwaTELMAkGA1UEBhMCVVMxJDAiBgNVBAoTG1RlbGVjb20gSW5mcmEgUHJvamVj
+      dCwgSW5jLjEMMAoGA1UECxMDVElQMSYwJAYDVQQDEx1UZWxlY29tIEluZnJhIFBy
+      b2plY3QgUm9vdCBDQTAeFw0yMTA0MTMyMjUxMjZaFw0yNjA0MTMyMjM4NDZaMGwx
+      CzAJBgNVBAYTAlVTMSQwIgYDVQQKExtUZWxlY29tIEluZnJhIFByb2plY3QsIElu
+      Yy4xDDAKBgNVBAsTA1RJUDEpMCcGA1UEAxMgVGVsZWNvbSBJbmZyYSBQcm9qZWN0
+      IElzc3VpbmcgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDtKBrq
+      qd2aKVSk25KfL5xHu8X7/8rJrz3IvyPuVKWhk/N1zabot3suBcGaYNKjnRHxg78R
+      yKwKzajKYWtiQFqztu24g16LQeAnoUxZnF6a0z3JkkRPsz14A2y8TUhdEe1tx+UU
+      4VGsk3n+FMmOQHL+79FO57zQC1LwylgfLSltrI6mF3jowVUQvnwzKhUzT87AJ6EO
+      ndK/q0T/Bgi+aI39zfVOjJjsTJwghvrmYW3iarP1THSKxeib2s02bZKrvvHa5HL4
+      UI8+LvREpVZl4mzt1z6Nl344Y6f+UeJlYa/Ci0jJqaXJmyVnUbAz+c0i5JfwAVn3
+      YQzfC4eLnZCmdF8zAgMBAAGjggE3MIIBMzAPBgNVHRMBAf8EBTADAQH/MB0GA1Ud
+      DgQWBBSzG1S44EerPfM4gOQ85f0AYW3R6DAfBgNVHSMEGDAWgBQCRpZgebFT9qny
+      98WfIUDk6ZEB+jAOBgNVHQ8BAf8EBAMCAYYwgYMGCCsGAQUFBwEBBHcwdTAoBggr
+      BgEFBQcwAYYcaHR0cDovL29jc3Aub25lLmRpZ2ljZXJ0LmNvbTBJBggrBgEFBQcw
+      AoY9aHR0cDovL2NhY2VydHMub25lLmRpZ2ljZXJ0LmNvbS9UZWxlY29tSW5mcmFQ
+      cm9qZWN0Um9vdENBLmNydDBKBgNVHR8EQzBBMD+gPaA7hjlodHRwOi8vY3JsLm9u
+      ZS5kaWdpY2VydC5jb20vVGVsZWNvbUluZnJhUHJvamVjdFJvb3RDQS5jcmwwDQYJ
+      KoZIhvcNAQELBQADggEBAFbz+K94bHIkBMJqps0dApniUmOn0pO6Q6cGh47UP/kX
+      IiPIsnYgG+hqYD/qtsiqJhaWi0hixRWn38UmvZxMRk27aSTGE/TWx0JTC3qDGsSe
+      XkUagumbSfmS0ZyiTwMPeGAjXwyzGorqZWeA95eKfImntMiOf3E7//GK0K7HpCx8
+      IPCnLZsZD2q/mLyBsduImFIRQJbLAhwIxpcd1qYJk+BlGFL+HtBpEbq6JxW2Xy+v
+      DpNWc2WIsUTle0rTc9JNJrLX4ChUJmKqf8obKHap3Xh3//qw/jDB9pOAinA33FLJ
+      EmCnwBvQr9mfNmPBGMYZVU8cPruDQJ57GjmmvdisbJY=
+      -----END CERTIFICATE-----
+    root.pem: |
+      -----BEGIN CERTIFICATE-----
+      MIIDojCCAoqgAwIBAgIUPVYBpqNbcLYygF6Mx+qxSWwQyFowDQYJKoZIhvcNAQEL
+      BQAwaTELMAkGA1UEBhMCVVMxJDAiBgNVBAoTG1RlbGVjb20gSW5mcmEgUHJvamVj
+      dCwgSW5jLjEMMAoGA1UECxMDVElQMSYwJAYDVQQDEx1UZWxlY29tIEluZnJhIFBy
+      b2plY3QgUm9vdCBDQTAeFw0yMTA0MTMyMjQyNDRaFw0zMTA0MTMyMjM4NDZaMGkx
+      CzAJBgNVBAYTAlVTMSQwIgYDVQQKExtUZWxlY29tIEluZnJhIFByb2plY3QsIElu
+      Yy4xDDAKBgNVBAsTA1RJUDEmMCQGA1UEAxMdVGVsZWNvbSBJbmZyYSBQcm9qZWN0
+      IFJvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDIGCibwf5u
+      AAwZ+1H8U0e3u2V+0d2gSctucoK86XwUmfe1V2a/qlCYZd29r80IuN1IIeB0naIm
+      KnK/MzXW87clF6tFd1+HzEvmlY/W4KyIXalVCTEzirFSvBEG2oZpM0yC3AefytAO
+      aOpA00LaM3xTfTqMKIRhJBuLy0I4ANUVG6ixVebbGuc78IodleqiLoWy2Q9QHyEO
+      t/7hZndJhiVogh0PveRhho45EbsACu7ymDY+JhlIleevqwlE3iQoq0YcmYADHno6
+      Eq8vcwLpZFxihupUafkd1T3WJYQAJf9coCjBu2qIhNgrcrGD8R9fGswwNRzMRMpX
+      720+GjcDW3bJAgMBAAGjQjBAMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFAJG
+      lmB5sVP2qfL3xZ8hQOTpkQH6MA4GA1UdDwEB/wQEAwIBhjANBgkqhkiG9w0BAQsF
+      AAOCAQEAVjl9dm4epG9NUYnagT9sg7scVQEPfz3Lt6w1NXJXgD8mAUlK0jXmEyvM
+      dCPD4514n+8+lM7US8fh+nxc7jO//LwK17Wm9FblgjNFR7+anv0Q99T9fP19DLlF
+      PSNHL2emogy1bl1lLTAoj8nxg2wVKPDSHBGviQ5LR9fsWUIJDv9Bs5k0qWugWYSj
+      19S6qnHeskRDB8MqRLhKMG82oDVLerSnhD0P6HjySBHgTTU7/tYS/OZr1jI6MPbG
+      L+/DtiR5fDVMNdBSGU89UNTi0wHY9+RFuNlIuvZC+x/swF0V9R5mN+ywquTPtDLA
+      5IOM7ItsRmen6u3qu+JXros54e4juQ==
+      -----END CERTIFICATE-----
+
+  certsCAs:
+    issuer.pem: |
+      -----BEGIN CERTIFICATE-----
+      MIIEnDCCA4SgAwIBAgIUVpyCUx1MUeUwxg+7I1BvGFTz7HkwDQYJKoZIhvcNAQEL
+      BQAwaTELMAkGA1UEBhMCVVMxJDAiBgNVBAoTG1RlbGVjb20gSW5mcmEgUHJvamVj
+      dCwgSW5jLjEMMAoGA1UECxMDVElQMSYwJAYDVQQDEx1UZWxlY29tIEluZnJhIFBy
+      b2plY3QgUm9vdCBDQTAeFw0yMTA0MTMyMjUxMjZaFw0yNjA0MTMyMjM4NDZaMGwx
+      CzAJBgNVBAYTAlVTMSQwIgYDVQQKExtUZWxlY29tIEluZnJhIFByb2plY3QsIElu
+      Yy4xDDAKBgNVBAsTA1RJUDEpMCcGA1UEAxMgVGVsZWNvbSBJbmZyYSBQcm9qZWN0
+      IElzc3VpbmcgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDtKBrq
+      qd2aKVSk25KfL5xHu8X7/8rJrz3IvyPuVKWhk/N1zabot3suBcGaYNKjnRHxg78R
+      yKwKzajKYWtiQFqztu24g16LQeAnoUxZnF6a0z3JkkRPsz14A2y8TUhdEe1tx+UU
+      4VGsk3n+FMmOQHL+79FO57zQC1LwylgfLSltrI6mF3jowVUQvnwzKhUzT87AJ6EO
+      ndK/q0T/Bgi+aI39zfVOjJjsTJwghvrmYW3iarP1THSKxeib2s02bZKrvvHa5HL4
+      UI8+LvREpVZl4mzt1z6Nl344Y6f+UeJlYa/Ci0jJqaXJmyVnUbAz+c0i5JfwAVn3
+      YQzfC4eLnZCmdF8zAgMBAAGjggE3MIIBMzAPBgNVHRMBAf8EBTADAQH/MB0GA1Ud
+      DgQWBBSzG1S44EerPfM4gOQ85f0AYW3R6DAfBgNVHSMEGDAWgBQCRpZgebFT9qny
+      98WfIUDk6ZEB+jAOBgNVHQ8BAf8EBAMCAYYwgYMGCCsGAQUFBwEBBHcwdTAoBggr
+      BgEFBQcwAYYcaHR0cDovL29jc3Aub25lLmRpZ2ljZXJ0LmNvbTBJBggrBgEFBQcw
+      AoY9aHR0cDovL2NhY2VydHMub25lLmRpZ2ljZXJ0LmNvbS9UZWxlY29tSW5mcmFQ
+      cm9qZWN0Um9vdENBLmNydDBKBgNVHR8EQzBBMD+gPaA7hjlodHRwOi8vY3JsLm9u
+      ZS5kaWdpY2VydC5jb20vVGVsZWNvbUluZnJhUHJvamVjdFJvb3RDQS5jcmwwDQYJ
+      KoZIhvcNAQELBQADggEBAFbz+K94bHIkBMJqps0dApniUmOn0pO6Q6cGh47UP/kX
+      IiPIsnYgG+hqYD/qtsiqJhaWi0hixRWn38UmvZxMRk27aSTGE/TWx0JTC3qDGsSe
+      XkUagumbSfmS0ZyiTwMPeGAjXwyzGorqZWeA95eKfImntMiOf3E7//GK0K7HpCx8
+      IPCnLZsZD2q/mLyBsduImFIRQJbLAhwIxpcd1qYJk+BlGFL+HtBpEbq6JxW2Xy+v
+      DpNWc2WIsUTle0rTc9JNJrLX4ChUJmKqf8obKHap3Xh3//qw/jDB9pOAinA33FLJ
+      EmCnwBvQr9mfNmPBGMYZVU8cPruDQJ57GjmmvdisbJY=
+      -----END CERTIFICATE-----
+    root.pem: |
+      -----BEGIN CERTIFICATE-----
+      MIIDojCCAoqgAwIBAgIUPVYBpqNbcLYygF6Mx+qxSWwQyFowDQYJKoZIhvcNAQEL
+      BQAwaTELMAkGA1UEBhMCVVMxJDAiBgNVBAoTG1RlbGVjb20gSW5mcmEgUHJvamVj
+      dCwgSW5jLjEMMAoGA1UECxMDVElQMSYwJAYDVQQDEx1UZWxlY29tIEluZnJhIFBy
+      b2plY3QgUm9vdCBDQTAeFw0yMTA0MTMyMjQyNDRaFw0zMTA0MTMyMjM4NDZaMGkx
+      CzAJBgNVBAYTAlVTMSQwIgYDVQQKExtUZWxlY29tIEluZnJhIFByb2plY3QsIElu
+      Yy4xDDAKBgNVBAsTA1RJUDEmMCQGA1UEAxMdVGVsZWNvbSBJbmZyYSBQcm9qZWN0
+      IFJvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDIGCibwf5u
+      AAwZ+1H8U0e3u2V+0d2gSctucoK86XwUmfe1V2a/qlCYZd29r80IuN1IIeB0naIm
+      KnK/MzXW87clF6tFd1+HzEvmlY/W4KyIXalVCTEzirFSvBEG2oZpM0yC3AefytAO
+      aOpA00LaM3xTfTqMKIRhJBuLy0I4ANUVG6ixVebbGuc78IodleqiLoWy2Q9QHyEO
+      t/7hZndJhiVogh0PveRhho45EbsACu7ymDY+JhlIleevqwlE3iQoq0YcmYADHno6
+      Eq8vcwLpZFxihupUafkd1T3WJYQAJf9coCjBu2qIhNgrcrGD8R9fGswwNRzMRMpX
+      720+GjcDW3bJAgMBAAGjQjBAMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFAJG
+      lmB5sVP2qfL3xZ8hQOTpkQH6MA4GA1UdDwEB/wQEAwIBhjANBgkqhkiG9w0BAQsF
+      AAOCAQEAVjl9dm4epG9NUYnagT9sg7scVQEPfz3Lt6w1NXJXgD8mAUlK0jXmEyvM
+      dCPD4514n+8+lM7US8fh+nxc7jO//LwK17Wm9FblgjNFR7+anv0Q99T9fP19DLlF
+      PSNHL2emogy1bl1lLTAoj8nxg2wVKPDSHBGviQ5LR9fsWUIJDv9Bs5k0qWugWYSj
+      19S6qnHeskRDB8MqRLhKMG82oDVLerSnhD0P6HjySBHgTTU7/tYS/OZr1jI6MPbG
+      L+/DtiR5fDVMNdBSGU89UNTi0wHY9+RFuNlIuvZC+x/swF0V9R5mN+ywquTPtDLA
+      5IOM7ItsRmen6u3qu+JXros54e4juQ==
+      -----END CERTIFICATE-----

  public_env_variables:
    SELFSIGNED_CERTS: "true"
@@ -96,7 +253,7 @@ owgw:
          secret:
            secretName: {{ include "owgw.fullname" . }}-owgw-restapi-tls
      - name: restapi-ca
-        mountPath: /usr/local/share/ca-certificates/restapi-ca-selfsigned.pem
+        mountPath: /usr/local/share/ca-certificates/restapi-ca-selfsigned.crt
        subPath: ca.crt
        volumeDefinition: |
          secret:
@@ -157,6 +314,7 @@ owsec:
    openwifi.restapi.host.0.cert: $OWSEC_ROOT/certs/restapi-certs/tls.crt
    openwifi.restapi.host.0.key: $OWSEC_ROOT/certs/restapi-certs/tls.key
    mailer.hostname: email-smtp.us-east-2.amazonaws.com
+    openwifi.certificates.allowmismatch: "false"

  volumes:
    owsec:
@@ -184,7 +342,7 @@ owsec:
          secret:
            secretName: {{ include "owsec.fullname" . }}-owsec-restapi-tls
      - name: restapi-ca
-        mountPath: /usr/local/share/ca-certificates/restapi-ca-selfsigned.pem
+        mountPath: /usr/local/share/ca-certificates/restapi-ca-selfsigned.crt
        subPath: ca.crt
        volumeDefinition: |
          secret:
@@ -199,10 +357,9 @@ owgwui:
    default:
      enabled: true
      annotations:
-        kubernetes.io/ingress.class: alb
        alb.ingress.kubernetes.io/scheme: internet-facing
        alb.ingress.kubernetes.io/group.name: wlan-cicd
-        alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:us-east-2:289708231103:certificate/bfa89c7a-5b64-4a8a-bcfe-ffec655b5285
+        alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:ap-south-1:289708231103:certificate/2cc8c764-11fd-411d-bf7d-a93f488f3f6c
        alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS": 443}]'
        alb.ingress.kubernetes.io/actions.ssl-redirect: '{"Type": "redirect", "RedirectConfig": { "Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_302"}}'
      paths:
@@ -267,6 +424,8 @@ owfms:

  public_env_variables:
    SELFSIGNED_CERTS: "true"
+    # This has no effect as template based config is not enabled (see configProperties)
+    FIRMWAREDB_MAXAGE: "360"

  configProperties:
    openwifi.internal.restapi.host.0.rootca: $OWFMS_ROOT/certs/restapi-certs/ca.crt
@@ -275,6 +434,7 @@ owfms:
    openwifi.restapi.host.0.rootca: $OWFMS_ROOT/certs/restapi-certs/ca.crt
    openwifi.restapi.host.0.cert: $OWFMS_ROOT/certs/restapi-certs/tls.crt
    openwifi.restapi.host.0.key: $OWFMS_ROOT/certs/restapi-certs/tls.key
+    firmwaredb.maxage: 360

  volumes:
    owfms:
@@ -302,7 +462,7 @@ owfms:
          secret:
            secretName: {{ include "owfms.fullname" . }}-owfms-restapi-tls
      - name: restapi-ca
-        mountPath: /usr/local/share/ca-certificates/restapi-ca-selfsigned.pem
+        mountPath: /usr/local/share/ca-certificates/restapi-ca-selfsigned.crt
        subPath: ca.crt
        volumeDefinition: |
          secret:
@@ -388,7 +548,7 @@ owprov:
          secret:
            secretName: {{ include "owprov.fullname" . }}-owprov-restapi-tls
      - name: restapi-ca
-        mountPath: /usr/local/share/ca-certificates/restapi-ca-selfsigned.pem
+        mountPath: /usr/local/share/ca-certificates/restapi-ca-selfsigned.crt
        subPath: ca.crt
        volumeDefinition: |
          secret:
@@ -403,10 +563,9 @@ owprovui:
    default:
      enabled: true
      annotations:
-        kubernetes.io/ingress.class: alb
        alb.ingress.kubernetes.io/scheme: internet-facing
        alb.ingress.kubernetes.io/group.name: wlan-cicd
-        alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:us-east-2:289708231103:certificate/bfa89c7a-5b64-4a8a-bcfe-ffec655b5285
+        alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:ap-south-1:289708231103:certificate/2cc8c764-11fd-411d-bf7d-a93f488f3f6c
        alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS": 443}]'
        alb.ingress.kubernetes.io/actions.ssl-redirect: '{"Type": "redirect", "RedirectConfig": { "Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_302"}}'
      paths:
@@ -497,7 +656,7 @@ owanalytics:
          secret:
            secretName: {{ include "owanalytics.fullname" . }}-owanalytics-restapi-tls
      - name: restapi-ca
-        mountPath: /usr/local/share/ca-certificates/restapi-ca-selfsigned.pem
+        mountPath: /usr/local/share/ca-certificates/restapi-ca-selfsigned.crt
        subPath: ca.crt
        volumeDefinition: |
          secret:
@@ -577,52 +736,80 @@ owsub:
          secret:
            secretName: {{ include "owsub.fullname" . }}-owsub-restapi-tls
      - name: restapi-ca
-        mountPath: /usr/local/share/ca-certificates/restapi-ca-selfsigned.pem
+        mountPath: /usr/local/share/ca-certificates/restapi-ca-selfsigned.crt
        subPath: ca.crt
        volumeDefinition: |
          secret:
            secretName: {{ include "owsub.fullname" . }}-owsub-restapi-tls

-
 kafka:
+  volumePermissions:
+    enabled: true
  commonAnnotations:
    cluster-autoscaler.kubernetes.io/safe-to-evict: "false"
-  heapOpts: -Xmx512m -Xms512m
-  resources:
-    requests:
-      cpu: 100m
-      memory: 512Mi
-    limits:
-      cpu: 500m
-      memory: 1Gi
  readinessProbe:
    initialDelaySeconds: 45
  livenessProbe:
    initialDelaySeconds: 60
+  heapOpts: -Xmx1024m -Xms1024m
+  kraft:
+    enabled: true
  zookeeper:
-    commonAnnotations:
-      cluster-autoscaler.kubernetes.io/safe-to-evict: "false"
-    heapSize: 256
+    enabled: false
+  controller:
+    replicaCount: 1
+    persistence:
+      size: 20Gi
+    extraConfig: |-
+      maxMessageBytes = 1048588
+      offsets.topic.replication.factor = 1
+      transaction.state.log.replication.factor = 1
+    extraEnvVars:
+      - name: ALLOW_PLAINTEXT_LISTENER
+        value: "yes"
    resources:
      requests:
-        cpu: 100m
-        memory: 256Mi
+        cpu: 500m
+        memory: 512Mi
      limits:
-        cpu: 200m
-        memory: 384Mi
+        cpu: 750m
+        memory: 2Gi
+  listeners:
+    client:
+      protocol: PLAINTEXT
+      containerPort: 9092
+    controller:
+      protocol: "PLAINTEXT"
+  broker:
+    persistence:
+      size: 20Gi
+    replicaCount: 0
+    resources:
+      requests:
+        cpu: 500m
+        memory: 512Mi
+      limits:
+        cpu: 750m
+        memory: 2Gi

 clustersysteminfo:
  enabled: true
  delay: 60 # delaying to wait for AWS Route53 DNS propagation

 haproxy:
+  resources:
+    requests:
+      cpu: 50m
+      memory: 50Mi
+    limits:
+      cpu: 50m
+      memory: 50Mi
  service:
    annotations:
      service.beta.kubernetes.io/aws-load-balancer-backend-protocol: ssl
      service.beta.kubernetes.io/aws-load-balancer-healthcheck-port: "8080"
      service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing
-      service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:us-east-2:289708231103:certificate/bfa89c7a-5b64-4a8a-bcfe-ffec655b5285
-      service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "16004,17004,16002,16003,17002,16005,17005,16001,17001,5912,5913,16009,16007"
+      service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "16004,17004,16002,16003,17002,16005,17005,5913,16001,17001,16009,16006,17006"
      service.beta.kubernetes.io/aws-load-balancer-type: nlb-ip

 restapiCerts:
--- a/chart/templates/_initdb_scripts.tpl
+++ b/chart/templates/_initdb_scripts.tpl
@@ -0,0 +1,21 @@
+{{- define "openwifi.user_creation_script" -}}
+{{- $root := . -}}
+{{- $postgresqlBase := index .Values "postgresql-ha" }}
+{{- $postgresqlEmulatedRoot := (dict "Values" $postgresqlBase "Chart" (dict "Name" "postgresql-ha") "Release" $.Release) }}
+#!/bin/bash
+export PGPASSWORD=$PGPOOL_POSTGRES_PASSWORD
+
+until psql -h {{ include "postgresql-ha.postgresql" $postgresqlEmulatedRoot }} postgres postgres -c '\q'; do
+  >&2 echo "Postgres is unavailable - sleeping"
+  sleep 1
+done
+
+{{ range index .Values "postgresql-ha" "initDbScriptSecret" "services" }}
+echo "{{ . }}"
+echo "SELECT 'CREATE USER {{ index $root "Values" . "configProperties" "storage.type.postgresql.username" }}' WHERE NOT EXISTS (SELECT FROM pg_user WHERE usename = '{{ index $root "Values" . "configProperties" "storage.type.postgresql.username" }}')\gexec" | psql -h {{ include "postgresql-ha.postgresql" $postgresqlEmulatedRoot }} postgres postgres
+echo "ALTER USER {{ index $root "Values" . "configProperties" "storage.type.postgresql.username" }} WITH ENCRYPTED PASSWORD '{{ index $root "Values" . "configProperties" "storage.type.postgresql.password" }}'" | psql -h {{ include "postgresql-ha.postgresql" $postgresqlEmulatedRoot }} postgres postgres
+echo "SELECT 'CREATE DATABASE {{ index $root "Values" . "configProperties" "storage.type.postgresql.database" }}' WHERE NOT EXISTS (SELECT FROM pg_database WHERE datname = '{{ index $root "Values" . "configProperties" "storage.type.postgresql.database" }}')\gexec" | psql -h {{ include "postgresql-ha.postgresql" $postgresqlEmulatedRoot }} postgres postgres
+echo "GRANT ALL PRIVILEGES ON DATABASE {{ index $root "Values" . "configProperties" "storage.type.postgresql.database" }} TO {{ index $root "Values" . "configProperties" "storage.type.postgresql.username" }}" | psql -h {{ include "postgresql-ha.postgresql" $postgresqlEmulatedRoot }} postgres postgres
+
+{{ end }}
+{{- end -}}
--- a/chart/templates/_initdb_sql.tpl
+++ b/chart/templates/_initdb_sql.tpl
@@ -0,0 +1,13 @@
+{{- define "openwifi.user_creation_script_sql" -}}
+{{- $root := . -}}
+{{- $postgresqlBase := index .Values "postgresql" }}
+{{- $postgresqlEmulatedRoot := (dict "Values" $postgresqlBase "Chart" (dict "Name" "postgresql") "Release" $.Release) }}
+{{ range index .Values "postgresql" "initDbScriptSecret" "services" }}
+CREATE USER {{ index $root "Values" . "configProperties" "storage.type.postgresql.username" }};
+ALTER USER {{ index $root "Values" . "configProperties" "storage.type.postgresql.username" }} WITH ENCRYPTED PASSWORD '{{ index $root "Values" . "configProperties" "storage.type.postgresql.password" }}';
+CREATE DATABASE {{ index $root "Values" . "configProperties" "storage.type.postgresql.database" }};
+GRANT ALL PRIVILEGES ON DATABASE {{ index $root "Values" . "configProperties" "storage.type.postgresql.database" }} TO {{ index $root "Values" . "configProperties" "storage.type.postgresql.username" }};
+ALTER DATABASE {{ index $root "Values" . "configProperties" "storage.type.postgresql.database" }} OWNER TO {{ index $root "Values" . "configProperties" "storage.type.postgresql.username" }};
+{{ end }}
+{{- end -}}
+
--- a/chart/templates/secret-postgresql-initdb.yaml
+++ b/chart/templates/secret-postgresql-initdb.yaml
@@ -0,0 +1,31 @@
+{{- $root := . -}}
+{{- if index .Values "postgresql-ha" "initDbScriptSecret" "enabled" }}
+---
+apiVersion: v1
+metadata:
+  labels:
+    app.kubernetes.io/name: {{ include "openwifi.name" . }}
+    helm.sh/chart: {{ include "openwifi.chart" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+  name: {{ include "openwifi.fullname" . }}-initdb-scripts
+kind: Secret
+type: Opaque
+data:
+  users_creation.sh: {{ include "openwifi.user_creation_script" . | b64enc | quote }}
+{{- end }}
+{{- if index .Values "postgresql" "initDbScriptSecret" "enabled" }}
+---
+apiVersion: v1
+metadata:
+  labels:
+    app.kubernetes.io/name: {{ include "openwifi.name" . }}
+    helm.sh/chart: {{ include "openwifi.chart" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+  name: {{ include "openwifi.fullname" . }}-initdb-scripts
+kind: Secret
+type: Opaque
+data:
+  initdb.sql: {{ include "openwifi.user_creation_script_sql" . | b64enc | quote }}
+{{- end }}
--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -1,7 +1,6 @@
 # OpenWIFI Gateway (https://github.com/Telecominfraproject/wlan-cloud-ucentralgw/)
 owgw:
  fullnameOverride: owgw
-
  configProperties:
    openwifi.kafka.enable: "true"
    openwifi.kafka.brokerlist: kafka:9092
@@ -9,7 +8,6 @@ owgw:
 # OpenWIFI Security (https://github.com/Telecominfraproject/wlan-cloud-ucentralsec)
 owsec:
  fullnameOverride: owsec
-
  configProperties:
    openwifi.kafka.enable: "true"
    openwifi.kafka.brokerlist: kafka:9092
@@ -17,7 +15,6 @@ owsec:
 # OpenWIFI Firmware (https://github.com/Telecominfraproject/wlan-cloud-ucentralfms)
 owfms:
  fullnameOverride: owfms
-
  configProperties:
    openwifi.kafka.enable: "true"
    openwifi.kafka.brokerlist: kafka:9092
@@ -25,15 +22,13 @@ owfms:
 # OpenWIFI Provisioning (https://github.com/Telecominfraproject/wlan-cloud-owprov/)
 owprov:
  fullnameOverride: owprov
-
  configProperties:
    openwifi.kafka.enable: "true"
    openwifi.kafka.brokerlist: kafka:9092
-      #
+
 # OpenWIFI Analytics (https://github.com/Telecominfraproject/wlan-cloud-analytics)
 owanalytics:
  fullnameOverride: owanalytics
-
  configProperties:
    openwifi.kafka.enable: "true"
    openwifi.kafka.brokerlist: kafka:9092
@@ -49,7 +44,6 @@ owprovui:
 # OpenWIFI Subscription (https://github.com/Telecominfraproject/wlan-cloud-userportal/)
 owsub:
  fullnameOverride: owsub
-
  configProperties:
    openwifi.kafka.enable: "true"
    openwifi.kafka.brokerlist: kafka:9092
@@ -57,28 +51,16 @@ owsub:
 # kafka (https://github.com/bitnami/charts/blob/master/bitnami/kafka/)
 kafka:
  enabled: true
-
  fullnameOverride: kafka

-  image:
-    registry: docker.io
-    repository: bitnami/kafka
-    tag: 2.8.0-debian-10-r43
-
-  minBrokerId: 100
-
-  zookeeper:
-    fullnameOverride: zookeeper
-
 # clustersysteminfo check
 clustersysteminfo:
  enabled: false
  delay: 0 # number of seconds to delay clustersysteminfo execution
-
  images:
    clustersysteminfo:
      repository: tip-tip-wlan-cloud-ucentral.jfrog.io/clustersysteminfo
-      tag: main
+      tag: v3.2.0-RC1
      pullPolicy: Always
 #      regcred:
 #        registry: tip-tip-wlan-cloud-ucentral.jfrog.io
@@ -96,23 +78,17 @@ clustersysteminfo:
    # limits:
    #  cpu: 100m
    #  memory: 128Mi
-
  nodeSelector: {}
-
  tolerations: []
-
  affinity: {}
-
  public_env_variables:
    FLAGS: "-s --connect-timeout 3"
    OWSEC: owsec-owsec:16001
    CHECK_RETRIES: 30
-
  secret_env_variables:
    OWSEC_DEFAULT_USERNAME: tip@ucentral.com
    OWSEC_DEFAULT_PASSWORD: openwifi
    #OWSEC_NEW_PASSWORD: "" # Set this value in order for the check to work. Password must comply https://github.com/Telecominfraproject/wlan-cloud-ucentralsec/#authenticationvalidationexpression
-
  activeDeadlineSeconds: 2400
  backoffLimit: 5
  restartPolicy: OnFailure
@@ -120,9 +96,7 @@ clustersysteminfo:
 # OpenWIFI Load Simulator (https://github.com/Telecominfraproject/wlan-cloud-owls)
 owls:
  enabled: false
-
  fullnameOverride: owls
-
  configProperties:
    openwifi.kafka.enable: "true"
    openwifi.kafka.brokerlist: kafka:9092
@@ -130,17 +104,13 @@ owls:
 # OpenWIFI Load Simulator UI (https://github.com/Telecominfraproject/wlan-cloud-owls-ui)
 owlsui:
  enabled: false
-
  fullnameOverride: owlsui

 # HAproxy (https://github.com/bitnami/charts/tree/master/bitnami/haproxy)
 haproxy:
  enabled: true
-
  fullnameOverride: proxy
-
-  replicaCount: 3
-
+  replicaCount: 1
  service:
    type: LoadBalancer
    ports:
@@ -403,7 +373,7 @@ haproxy:

    # owsub
    frontend front_owsub_rest
-      bind :16009
+      bind :16006
      mode tcp
      default_backend back_owsub_rest
    backend back_owsub_rest
@@ -421,7 +391,6 @@ haproxy:
 # Cert-manager RESTAPI certs
 restapiCerts:
  enabled: false
-
  services:
    - owgw-owgw
    - owsec-owsec
@@ -430,5 +399,32 @@ restapiCerts:
    - owls-owls
    - owanalytics-owanalytics
    - owsub-owsub
-
  clusterDomain: cluster.local
+
+postgresql:
+  enabled: false
+  nameOverride: pgsql
+  fullnameOverride: pgsql
+  initDbScriptSecret:
+    enabled: false
+    services:
+      - owgw
+      - owsec
+      - owfms
+      - owprov
+      - owanalytics
+      - owsub
+
+postgresql-ha:
+  enabled: false
+  nameOverride: pgsql
+  fullnameOverride: pgsql
+  initDbScriptSecret:
+    enabled: false
+    services:
+      - owgw
+      - owsec
+      - owfms
+      - owprov
+      - owanalytics
+      - owsub
--- a/docker-compose/.env
+++ b/docker-compose/.env
@@ -1,16 +1,19 @@
-# Image tags
 COMPOSE_PROJECT_NAME=openwifi
-OWGW_TAG=master
-OWGWUI_TAG=main
-OWSEC_TAG=main
-OWFMS_TAG=main
-OWPROV_TAG=main
-OWPROVUI_TAG=main
-OWANALYTICS_TAG=main
-OWSUB_TAG=main
-KAFKA_TAG=latest
-ZOOKEEPER_TAG=latest
-POSTGRESQL_TAG=latest
+# set either default, selfsigned or letsencrypt
+DEPLOY_TYPE=default
+
+# Image tags
+OWGW_TAG=v3.2.0-RC1
+OWGWUI_TAG=v3.1.0
+OWSEC_TAG=v3.2.0-RC1
+OWFMS_TAG=v3.1.0
+OWPROV_TAG=v3.1.0
+OWPROVUI_TAG=v3.1.0
+OWANALYTICS_TAG=v3.2.0-RC1
+OWSUB_TAG=v3.1.0
+
+KAFKA_TAG=3.7-debian-12
+POSTGRESQL_TAG=15.0

 # Microservice root/config directories
 OWGW_ROOT=/owgw-data
--- a/docker-compose/.env.letsencrypt
+++ b/docker-compose/.env.letsencrypt
@@ -1,17 +1,19 @@
-# Image tags
 COMPOSE_PROJECT_NAME=openwifi
-OWGW_TAG=master
-OWGWUI_TAG=main
-OWSEC_TAG=main
-OWFMS_TAG=main
-OWPROV_TAG=main
-OWPROVUI_TAG=main
-OWANALYTICS_TAG=main
-OWSUB_TAG=main
-KAFKA_TAG=latest
-ZOOKEEPER_TAG=latest
+
+# Image tags
+OWGW_TAG=v3.2.0-RC1
+OWGWUI_TAG=v3.1.0
+OWSEC_TAG=v3.2.0-RC1
+OWFMS_TAG=v3.1.0
+OWPROV_TAG=v3.1.0
+OWPROVUI_TAG=v3.1.0
+OWANALYTICS_TAG=v3.2.0-RC1
+OWSUB_TAG=v3.1.0
+
+KAFKA_TAG=3.7-debian-12
+POSTGRESQL_TAG=15.0
 ACMESH_TAG=latest
-TRAEFIK_TAG=latest
+TRAEFIK_TAG=v3.1.0

 # Microservice root/config directories
 OWGW_ROOT=/owgw-data
@@ -37,12 +39,5 @@ INTERNAL_OWPROVUI_HOSTNAME=owprov-ui.wlan.local
 INTERNAL_OWANALYTICS_HOSTNAME=owanalytics.wlan.local
 INTERNAL_RTTYS_HOSTNAME=rttys.wlan.local
 INTERNAL_OWSUB_HOSTNAME=owsub.wlan.local
-OWGW_HOSTNAME=
-OWGWUI_HOSTNAME=
-OWGWFILEUPLOAD_HOSTNAME=
-OWSEC_HOSTNAME=
-OWFMS_HOSTNAME=
-OWPROV_HOSTNAME=
-OWPROVUI_HOSTNAME=
-OWANALYTICS_HOSTNAME=
-OWSUB_HOSTNAME=
+SDKHOSTNAME=
+#SDKHOSTNAME=openwifi.example.com
--- a/docker-compose/.env.selfsigned
+++ b/docker-compose/.env.selfsigned
@@ -1,15 +1,17 @@
-# Image tags
 COMPOSE_PROJECT_NAME=openwifi
-OWGW_TAG=master
-OWGWUI_TAG=main
-OWSEC_TAG=main
-OWFMS_TAG=main
-OWPROV_TAG=main
-OWPROVUI_TAG=main
-OWANALYTICS_TAG=main
-OWSUB_TAG=main
-KAFKA_TAG=latest
-ZOOKEEPER_TAG=latest
+
+# Image tags
+OWGW_TAG=v3.2.0-RC1
+OWGWUI_TAG=v3.1.0
+OWSEC_TAG=v3.2.0-RC1
+OWFMS_TAG=v3.1.0
+OWPROV_TAG=v3.1.0
+OWPROVUI_TAG=v3.1.0
+OWANALYTICS_TAG=v3.2.0-RC1
+OWSUB_TAG=v3.1.0
+
+KAFKA_TAG=3.7-debian-12
+POSTGRESQL_TAG=15.0
 ACMESH_TAG=latest
 TRAEFIK_TAG=latest

--- a/docker-compose/README.md
+++ b/docker-compose/README.md
@@ -1,91 +1,33 @@
 # OpenWifi SDK Docker Compose
+
 ### Overview
-With the provided Docker Compose files you can instantiate a deployment of the OpenWifi microservices and related components. The repository contains a self-signed certificate and a TIP-signed gateway certificate which are valid for the `*.wlan.local` domain. You also have the possibility to either generate and use Letsencrypt certs or provide your own certificates. Furthermore the deployments are split by whether Traefik is used as a reverse proxy/load balancer in front of the microservices or if they are exposed directly on the host. The advantage of using the deployments with Traefik is that you can use Letsencrypt certs (automatic certificate generation and renewal) and you have the ability to scale specific containers to multiple replicas.
+With the provided Docker Compose files you can instantiate a deployment of the OpenWifi microservices and related components. The repository contains a self-signed certificate and a TIP-signed gateway certificate which are valid for the `*.wlan.local` domain. You also have the possibility to either generate and use Let's Encrypt certs or provide your own certificates. Furthermore the deployments are split by whether Traefik is used as a reverse proxy/load balancer in front of the microservices or if they are exposed directly on the host. The advantage of using the deployments with Traefik is that you can use Let's Encrypt certs (automatic certificate generation and renewal) and you have the ability to scale specific containers to multiple replicas.
 The repository also contains a separate Docker Compose deployment to set up the [OWLS microservice](https://github.com/Telecominfraproject/wlan-cloud-owls) and related components for running a load simulation test against an existing controller.
 - [Non-LB deployment with self-signed certificates](#non-lb-deployment-with-self-signed-certificates)
 - [Non-LB deployment with own certificates](#non-lb-deployment-with-own-certificates)
- [Non-LB deployment with PostgreSQL](#non-lb-deployment-with-postgresql)
 - [LB deployment with self-signed certificates](#lb-deployment-with-self-signed-certificates)
- [LB deployment with Letsencrypt certificates](#lb-deployment-with-letsencrypt-certificates)
+- [LB deployment with Let's Encrypt certificates](#lb-deployment-with-letsencrypt-certificates)
 - [OWLS deployment with self-signed certificates](owls/README.md)
+- [AWS CloudFormation template](cloudformation/openwifi-cloudsdk-docker-compose.yml)
+
 ### Configuration
-If you don't bind mount your own config files they are generated on every startup based on the environment variables in the microservice specific env files. For an overview of the supported configuration properties have a look into the microservice specific env files. For an explanation of the configuration properties please see the README in the respective microservice repository.
-Be aware that the non-LB deployment exposes the generated config files on the host. So if you want to make configuration changes afterwards, please do them directly in the config files located in the microservice data directories.
+Config files for the microservices are generated on every startup based on the environment variables in the microservice specific env files. For an overview of the supported configuration properties have a look into these files. For an explanation of the configuration properties please see the README in the respective microservice repository.
+Be aware that local changes to the config files will be overwritten on every startup if `TEMPLATE_CONFIG` is set to `true` in the microservice env files. If you want to bind mount your own config file or make local changes, please set this variable to `false`.
+
 #### Required password changing on the first startup
 One important action that must be done before using the deployment is changing password for the default user in owsec as described in [owsec docs](https://github.com/Telecominfraproject/wlan-cloud-ucentralsec/tree/main#changing-default-password). Please use these docs to find the actions that must be done **after** the deployment in order to start using your deployment.
+
 ### Ports
-Every OpenWifi service is exposed via a separate port either directly on the host or through Traefik. For an overview of the exposed ports have a look into the deployment specific Docker Compose file. If you use your own certificates or make use of the [Letsencrypt LB deployment](#lb-deployment-with-letsencrypt-certificates), you can also configure different hostnames for the microservices.
-Please note that the OWProv-UI is exposed on port `8080(HTTP)/8443(HTTPS)` by default except for the Letsencrypt LB deployment, where the service listens on the default `80/443` HTTP(S) ports.
+Every OpenWifi service is exposed via a separate port either directly on the host or through Traefik. For an overview of the exposed ports have a look into the deployment specific Docker Compose file. If you use your own certificates, you can also configure different hostnames for the microservices.
+Please note that the OWProv-UI is exposed on port `8080(HTTP)/8443(HTTPS)` by default.
+
 ### owsec templates and wwwassets
 On the startup of owsec directories for wwwassets and mailer templates are created from the base files included in Docker image. After the initial startup you may edit those files as you wish in the [owsec-data/persist](./owsec-data/persist) directory.
-## Non-LB deployment with self-signed certificates
-1. Switch into the project directory with `cd docker-compose/`.
-2. Add an entry for `openwifi.wlan.local` in your hosts file which points to `127.0.0.1` or whatever the IP of the host running the deployment is.
-3. Spin up the deployment with `docker-compose up -d`.
-4. Check if the containers are up and running with `docker-compose ps`.
-5. Add SSL certificate exceptions in your browser by visiting https://openwifi.wlan.local:16001, https://openwifi.wlan.local:16002, https://openwifi.wlan.local:16004, https://openwifi.wlan.local:16005, https://openwifi.wlan.local:16006 and https://openwifi.wlan.local:16009.
-6. Connect to your AP via SSH and add a static hosts entry in `/etc/hosts` for `openwifi.wlan.local`. This should point to the address of the host the Compose deployment runs on.
-7. Login to the UI `https://openwifi.wlan.local` and follow the instructions to change your default password.
-8. To use the curl test scripts included in the microservice repositories set the following environment variables:
-```
-export OWSEC="openwifi.wlan.local:16001"
-export FLAGS="-s --cacert <your-wlan-cloud-ucentral-deploy-location>/docker-compose/certs/restapi-ca.pem"
-```
-⚠️**Note**: When deploying with self-signed certificates you can not use the 'Trace' and 'Connect' features in the UI since the AP will throw a TLS error. Please use the Letsencrypt deployment or provide your own valid certificates if you want to use these features.
-## Non-LB deployment with own certificates
-1. Switch into the project directory with `cd docker-compose/`. Copy your websocket and REST API certificates into the `certs/` directory. Make sure to reference the certificates accordingly in the service config if you use different file names or if you want to use different certificates for the respective microservices.
-2. Adapt the following hostname and URI variables according to your environment:
-### .env
-| Variable                   | Description                                                         |
-| -------------------------- | ------------------------------------------------------------------- |
-| `INTERNAL_OWGW_HOSTNAME`   | Set this to your OWGW hostname, for example `owgw.example.com`.     |
-| `INTERNAL_OWSEC_HOSTNAME`  | Set this to your OWSec hostname, for example `owsec.example.com`.   |
-| `INTERNAL_OWFMS_HOSTNAME`  | Set this to your OWFms hostname, for example `owfms.example.com`.   |
-| `INTERNAL_OWPROV_HOSTNAME` | Set this to your OWProv hostname, for example `owprov.example.com`. |
-| `INTERNAL_OWANALYTICS_HOSTNAME` | Set this to your OWAnalytics hostname, for example `owanalytics.example.com`. |
-| `INTERNAL_OWSUB_HOSTNAME`  | Set this to your OWSub hostname, for example `owsub.example.com`.   |
-### owgw.env
-| Variable                                 | Description                                                                         |
-| ---------------------------------------- | ----------------------------------------------------------------------------------- |
-| `FILEUPLOADER_HOST_NAME`                 | Set this to your OWGW fileupload hostname, for example `owgw.example.com`.          |
-| `FILEUPLOADER_URI`                       | Set this to your OWGW fileupload URL, for example `https://owgw.example.com:16003`. |
-| `SYSTEM_URI_PRIVATE`,`SYSTEM_URI_PUBLIC` | Set this to your OWGW REST API URL, for example `https://owgw.example.com:16002`.   |
-| `RTTY_SERVER`                            | Set this to your OWGW RTTYS hostname, for example `owgw.example.com`.               |
-| `SYSTEM_URI_UI`                          | Set this to your OWGW-UI URL, for example `https://owgw-ui.example.com`.            |
-### owgw-ui.env
-| Variable                  | Description                                                                |
-| ------------------------- | -------------------------------------------------------------------------- |
-| `DEFAULT_UCENTRALSEC_URL` | Set this to your OWSec URL, for example `https://owsec.example.com:16001`. |
-### owsec.env
-| Variable                                 | Description                                                                         |
-| ---------------------------------------- | ----------------------------------------------------------------------------------- |
-| `SYSTEM_URI_PRIVATE`,`SYSTEM_URI_PUBLIC` | Set this to your OWSec URL, for example `https://owsec.example.com:16001`. |
-| `SYSTEM_URI_UI`                          | Set this to your OWGW-UI URL, for example `https://owgw-ui.example.com`.            |
-### owfms.env
-| Variable                                 | Description                                                                         |
-| ---------------------------------------- | ----------------------------------------------------------------------------------- |
-| `SYSTEM_URI_PRIVATE`,`SYSTEM_URI_PUBLIC` | Set this to your OWFms URL, for example `https://owfms.example.com:16004`. |
-| `SYSTEM_URI_UI`                          | Set this to your OWGW-UI URL, for example `https://owgw-ui.example.com`.            |
-### owprov.env
-| Variable                                 | Description                                                                           |
-| ---------------------------------------- | ------------------------------------------------------------------------------------- |
-| `SYSTEM_URI_PRIVATE`,`SYSTEM_URI_PUBLIC` | Set this to your OWProv URL, for example `https://owprov.example.com:16005`. |
-| `SYSTEM_URI_UI`                          | Set this to your OWGW-UI URL, for example `https://owgw-ui.example.com`.              |
-### owprov-ui.env
-| Variable                    | Description                                                                |
-| --------------------------- | -------------------------------------------------------------------------- |
-| `REACT_APP_UCENTRALSEC_URL` | Set this to your OWSec URL, for example `https://owsec.example.com:16001`. |
-### owanalytics.env
-| Variable                                 | Description                                                                            |
-| ---------------------------------------- | -------------------------------------------------------------------------------------- |
-| `SYSTEM_URI_PRIVATE`,`SYSTEM_URI_PUBLIC` | Set this to your OWAnalytics URL, for example `https://owanalytics.example.com:16009`. |
-| `SYSTEM_URI_UI`                          | Set this to your OWProv-UI URL, for example `https://owprov-ui.example.com`.           |
-3. Spin up the deployment with `docker-compose up -d`.
-4. Check if the containers are up and running with `docker-compose ps`.
-5. Login to the UI and and follow the instructions to change your default password.
-## Non-LB deployment with PostgreSQL
-1. Switch into the project directory with `cd docker-compose/`.
-2. Set the following variables in the env files and make sure to uncomment the lines. It is highly recommended that you change the DB passwords to some random string.
+
+## PostgreSQL
+PostgreSQL is used by default for the database for all components.
+The following variables may be set in the env files. It is highly recommended that you change the DB passwords to some random string. The defaults are shown here.
+
 ### owgw.env
 | Variable                           | Value/Description |
 | ---------------------------------- | ----------------- |
@@ -94,6 +36,7 @@ export FLAGS="-s --cacert <your-wlan-cloud-ucentral-deploy-location>/docker-comp
 | `STORAGE_TYPE_POSTGRESQL_USERNAME` | `owgw`            |
 | `STORAGE_TYPE_POSTGRESQL_PASSWORD` | `owgw`            |
 | `STORAGE_TYPE_POSTGRESQL_DATABASE` | `owgw`            |
+
 ### owsec.env
 | Variable                           | Value/Description |
 | ---------------------------------- | ----------------- |
@@ -102,6 +45,7 @@ export FLAGS="-s --cacert <your-wlan-cloud-ucentral-deploy-location>/docker-comp
 | `STORAGE_TYPE_POSTGRESQL_USERNAME` | `owsec`           |
 | `STORAGE_TYPE_POSTGRESQL_PASSWORD` | `owsec`           |
 | `STORAGE_TYPE_POSTGRESQL_DATABASE` | `owsec`           |
+
 ### owfms.env
 | Variable                           | Value/Description |
 | ---------------------------------- | ----------------- |
@@ -110,6 +54,7 @@ export FLAGS="-s --cacert <your-wlan-cloud-ucentral-deploy-location>/docker-comp
 | `STORAGE_TYPE_POSTGRESQL_USERNAME` | `owfms`           |
 | `STORAGE_TYPE_POSTGRESQL_PASSWORD` | `owfms`           |
 | `STORAGE_TYPE_POSTGRESQL_DATABASE` | `owfms`           |
+
 ### owprov.env
 | Variable                           | Value/Description |
 | ---------------------------------- | ----------------- |
@@ -118,6 +63,7 @@ export FLAGS="-s --cacert <your-wlan-cloud-ucentral-deploy-location>/docker-comp
 | `STORAGE_TYPE_POSTGRESQL_USERNAME` | `owprov`          |
 | `STORAGE_TYPE_POSTGRESQL_PASSWORD` | `owprov`          |
 | `STORAGE_TYPE_POSTGRESQL_DATABASE` | `owprov`          |
+
 ### owanalytics.env
 | Variable                           | Value/Description |
 | ---------------------------------- | ----------------- |
@@ -126,6 +72,7 @@ export FLAGS="-s --cacert <your-wlan-cloud-ucentral-deploy-location>/docker-comp
 | `STORAGE_TYPE_POSTGRESQL_USERNAME` | `owanalytics`     |
 | `STORAGE_TYPE_POSTGRESQL_PASSWORD` | `owanalytics`     |
 | `STORAGE_TYPE_POSTGRESQL_DATABASE` | `owanalytics`     |
+
 ### postgresql.env
 | Variable                  | Value         |
 | --------------------------| ------------- |
@@ -149,70 +96,146 @@ export FLAGS="-s --cacert <your-wlan-cloud-ucentral-deploy-location>/docker-comp
 | `OWSUB_DB`                | `owsub`       |
 | `OWSUB_DB_USER`           | `owsub`       |
 | `OWSUB_DB_PASSWORD`       | `owsub`       |
-3. Depending on whether you want to use [self-signed certificates](#non-lb-deployment-with-self-signed-certificates) or [provide your own](#non-lb-deployment-with-own-certificates), follow the instructions of the according deployment model. Spin up the deployment with `docker-compose -f docker-compose.yml -f docker-compose.postgresql.yml up -d`. It is recommended to create an alias for this deployment model with `alias docker-compose-postgresql="docker-compose -f docker-compose.yml -f docker-compose.postgresql.yml"`.
-## LB deployment with self-signed certificates
-Follow the same instructions as for the self-signed deployment without Traefik. The only difference is that you have to spin up the deployment with `docker-compose -f docker-compose.lb.selfsigned.yml --env-file .env.selfsigned up -d`. Make sure to specify the Compose and the according .env file every time you're working with the deployment or create an alias, for example `alias docker-compose-lb-selfsigned="docker-compose -f docker-compose.lb.selfsigned.yml --env-file .env.selfsigned"`. You also have the possibility to scale specific services to a specified number of instances with `docker-compose-lb-selfsigned up -d --scale SERVICE=NUM`, where `SERVICE` is the service name as defined in the Compose file.
-## LB deployment with Letsencrypt certificates
-For the Letsencrypt challenge to work you need a public IP address. The hostnames which you set for the microservices have to resolve to this IP address to pass the HTTP-01 challenge (https://letsencrypt.org/docs/challenge-types/#http-01-challenge).
+
+## Non-LB deployment with self-signed certificates
 1. Switch into the project directory with `cd docker-compose/`.
-2. Adapt the following hostname and URI variables according to your environment.
-### .env.letsencrypt
-| Variable                  | Description                                                                   |
-| ------------------------- | ----------------------------------------------------------------------------- |
-| `OWGW_HOSTNAME`           | Set this to your OWGW hostname, for example `owgw.example.com`.               |
-| `OWGWUI_HOSTNAME`         | Set this to your OWGW-UI hostname, for example `owgw-ui.example.com`.         |
-| `OWGWFILEUPLOAD_HOSTNAME` | Set this to your OWGW fileupload hostname, for example `owgw.example.com`.    |
-| `OWSEC_HOSTNAME`          | Set this to your OWSec hostname, for example `owsec.example.com`.             |
-| `OWFMS_HOSTNAME`          | Set this to your OWFms hostname, for example `owfms.example.com`.             |
-| `OWPROV_HOSTNAME`         | Set this to your OWProv hostname, for example `owprov.example.com`.           |
-| `OWPROVUI_HOSTNAME`       | Set this to your OWProv-UI hostname, for example `owprov-ui.example.com`.     |
-| `OWANALYTICS_HOSTNAME`    | Set this to your OWAnalytics hostname, for example `owanalytics.example.com`. |
-| `OWSUB_HOSTNAME`          | Set this to your OWSub hostname, for example `owsub.example.com`.          |
+2. Add an entry for `openwifi.wlan.local` in your hosts file which points to `127.0.0.1` or whatever the IP of the host running the deployment is.
+3. Spin up the deployment with `docker-compose up -d`.
+4. Check if the containers are up and running with `docker-compose ps`.
+5. Add SSL certificate exceptions in your browser by visiting https://openwifi.wlan.local:16001, https://openwifi.wlan.local:16002, https://openwifi.wlan.local:16004, https://openwifi.wlan.local:16005, https://openwifi.wlan.local:16006 and https://openwifi.wlan.local:16009.
+6. Connect to your AP via SSH and add a static hosts entry in `/etc/hosts` for `openwifi.wlan.local`. This should point to the address of the host the Compose deployment runs on.
+7. Login to the UI `https://openwifi.wlan.local` and follow the instructions to change your default password.
+8. To use the curl test scripts included in the microservice repositories set the following environment variables:
+```
+export OWSEC="openwifi.wlan.local:16001"
+export FLAGS="-s --cacert <your-wlan-cloud-ucentral-deploy-location>/docker-compose/certs/restapi-ca.pem"
+```
+⚠️**Note**: When deploying with self-signed certificates you can not use the 'Trace' and 'Connect' features in the UI since the AP will throw a TLS error. Please use the Let's Encrypt deployment or provide your own valid certificates if you want to use these features.
+
+## Non-LB deployment with own certificates
+1. Switch into the project directory with `cd docker-compose/`. Copy your websocket and REST API certificates into the `certs/` directory. Make sure to reference the certificates accordingly in the service config if you use different file names or if you want to use different certificates for the respective microservices.
+2. Adapt the following hostname and URI variables according to your environment:
+
+### .env
+| Variable                        | Description                                                                        |
+| ------------------------------- | ---------------------------------------------------------------------------------- |
+| `INTERNAL_OWGW_HOSTNAME`        | Set this to your OWGW hostname, for example `owgw.example.com`.                    |
+| `INTERNAL_OWSEC_HOSTNAME`       | Set this to your OWSec hostname, for example `owsec.example.com`.                  |
+| `INTERNAL_OWFMS_HOSTNAME`       | Set this to your OWFms hostname, for example `owfms.example.com`.                  |
+| `INTERNAL_OWPROV_HOSTNAME`      | Set this to your OWProv hostname, for example `owprov.example.com`.                |
+| `INTERNAL_OWANALYTICS_HOSTNAME` | Set this to your OWAnalytics hostname, for example `owanalytics.example.com`.      |
+| `INTERNAL_OWSUB_HOSTNAME`       | Set this to your OWSub hostname, for example `owsub.example.com`.                  |

 ### owgw.env
-| Variable                 | Description                                                                         |
-| -----------------------  | ----------------------------------------------------------------------------------- |
-| `FILEUPLOADER_HOST_NAME` | Set this to your OWGW fileupload hostname, for example `owgw.example.com`.          |
-| `FILEUPLOADER_URI`       | Set this to your OWGW fileupload URL, for example `https://owgw.example.com:16003`. |
-| `SYSTEM_URI_PUBLIC`      | Set this to your OWGW REST API URL, for example `https://owgw.example.com:16002`.   |
-| `RTTY_SERVER`            | Set this to your OWGW RTTYS hostname, for example `owgw.example.com`.               |
-| `SYSTEM_URI_UI`          | Set this to your OWGW-UI URL, for example `https://owgw-ui.example.com`.            |
+| Variable                                 | Description                                                                         |
+| ---------------------------------------- | ----------------------------------------------------------------------------------- |
+| `FILEUPLOADER_HOST_NAME`                 | Set this to your OWGW fileupload hostname, for example `owgw.example.com`.          |
+| `FILEUPLOADER_URI`                       | Set this to your OWGW fileupload URL, for example `https://owgw.example.com:16003`. |
+| `SYSTEM_URI_PRIVATE`,`SYSTEM_URI_PUBLIC` | Set this to your OWGW REST API URL, for example `https://owgw.example.com:16002`.   |
+| `RTTY_SERVER`                            | Set this to your OWGW RTTYS hostname, for example `owgw.example.com`.               |
+| `SYSTEM_URI_UI`                          | Set this to your OWGW-UI URL, for example `https://owgw-ui.example.com`.            |

 ### owgw-ui.env
-| Variable            | Description                                                                |
-| ------------------- | -------------------------------------------------------------------------- |
-| `DEFAULT_OWSEC_URL` | Set this to your OWSec URL, for example `https://owsec.example.com:16001`. |
+| Variable                    | Description                                                                |
+| --------------------------- | -------------------------------------------------------------------------- |
+| `REACT_APP_UCENTRALSEC_URL` | Set this to your OWSec URL, for example `https://owsec.example.com:16001`. |

 ### owsec.env
-| Variable            | Description                                                                |
-| ------------------- | -------------------------------------------------------------------------- |
-| `SYSTEM_URI_PUBLIC` | Set this to your OWSec URL, for example `https://owsec.example.com:16001`. |
-| `SYSTEM_URI_UI`     | Set this to your OWGW-UI URL, for example `https://owgw-ui.example.com`.   |
+| Variable                                 | Description                                                                         |
+| ---------------------------------------- | ----------------------------------------------------------------------------------- |
+| `SYSTEM_URI_PRIVATE`,`SYSTEM_URI_PUBLIC` | Set this to your OWSec URL, for example `https://owsec.example.com:16001`. |
+| `SYSTEM_URI_UI`                          | Set this to your OWGW-UI URL, for example `https://owgw-ui.example.com`.            |

 ### owfms.env
-| Variable            | Description                                                                |
-| ------------------- | -------------------------------------------------------------------------- |
-| `SYSTEM_URI_PUBLIC` | Set this to your OWFms URL, for example `https://owfms.example.com:16004`. |
-| `SYSTEM_URI_UI`     | Set this to your OWGW-UI URL, for example `https://owgw-ui.example.com`.   |
+| Variable                                 | Description                                                                         |
+| ---------------------------------------- | ----------------------------------------------------------------------------------- |
+| `SYSTEM_URI_PRIVATE`,`SYSTEM_URI_PUBLIC` | Set this to your OWFms URL, for example `https://owfms.example.com:16004`. |
+| `SYSTEM_URI_UI`                          | Set this to your OWGW-UI URL, for example `https://owgw-ui.example.com`.            |
+
 ### owprov.env
-| Variable             | Description                                                                  |
-| -------------------- | ---------------------------------------------------------------------------- |
-| `SYSTEM_URI_PUBLIC`  | Set this to your OWProv URL, for example `https://owprov.example.com:16005`. |
-| `SYSTEM_URI_UI`      | Set this to your OWGW-UI URL, for example `https://owgw-ui.example.com`.     |
+| Variable                                 | Description                                                                           |
+| ---------------------------------------- | ------------------------------------------------------------------------------------- |
+| `SYSTEM_URI_PRIVATE`,`SYSTEM_URI_PUBLIC` | Set this to your OWProv URL, for example `https://owprov.example.com:16005`. |
+| `SYSTEM_URI_UI`                          | Set this to your OWGW-UI URL, for example `https://owgw-ui.example.com`.              |
+
 ### owprov-ui.env
 | Variable                    | Description                                                                |
 | --------------------------- | -------------------------------------------------------------------------- |
 | `REACT_APP_UCENTRALSEC_URL` | Set this to your OWSec URL, for example `https://owsec.example.com:16001`. |
+
 ### owanalytics.env
-| Variable             | Description                                                                            |
-| -------------------- | -------------------------------------------------------------------------------------- |
-| `SYSTEM_URI_PUBLIC`  | Set this to your OWAnalytics URL, for example `https://owanalytics.example.com:16009`. |
-| `SYSTEM_URI_UI`      | Set this to your OWProv-UI URL, for example `https://owprov-ui.example.com`.           |
+| Variable                                 | Description                                                                            |
+| ---------------------------------------- | -------------------------------------------------------------------------------------- |
+| `SYSTEM_URI_PRIVATE`,`SYSTEM_URI_PUBLIC` | Set this to your OWAnalytics URL, for example `https://owanalytics.example.com:16009`. |
+| `SYSTEM_URI_UI`                          | Set this to your OWProv-UI URL, for example `https://owprov-ui.example.com`.           |
+
+3. Spin up the deployment with `docker-compose up -d`.
+4. Check if the containers are up and running with `docker-compose ps`.
+5. Login to the UI and and follow the instructions to change your default password.
+
+## LB deployment with self-signed certificates
+Follow the same instructions as for the self-signed deployment without Traefik. The only difference is that you have to spin up the deployment with `docker-compose -f docker-compose.lb.selfsigned.yml --env-file .env.selfsigned up -d`. Make sure to specify the Compose and the according .env file every time you're working with the deployment or create an alias, for example `alias docker-compose-lb-selfsigned="docker-compose -f docker-compose.lb.selfsigned.yml --env-file .env.selfsigned"`. You also have the possibility to scale specific services to a specified number of instances with `docker-compose-lb-selfsigned up -d --scale SERVICE=NUM`, where `SERVICE` is the service name as defined in the Compose file.
+
+## LB deployment with Let's Encrypt certificates
+For the Let's Encrypt challenge to work you need a public IP address. The hostname which you set in the `$SDKHOSTNAME` env variable has to resolve to this IP address to pass the HTTP-01 challenge (https://letsencrypt.org/docs/challenge-types/#http-01-challenge).
+1. Switch into the project directory with `cd docker-compose/`.
+2. Adapt the following hostname and URI variables according to your environment.
+
+### .env.letsencrypt
+| Variable      | Description                                                                                                |
+| ------------- | ---------------------------------------------------------------------------------------------------------- |
+| `SDKHOSTNAME` | Set this to the public hostname you want to use for all microservices, for example `openwifi.example.com`. |
+
+### owgw.env
+| Variable                 | Description                                                                             |
+| -----------------------  | --------------------------------------------------------------------------------------- |
+| `FILEUPLOADER_HOST_NAME` | Set this to your OWGW fileupload hostname, for example `openwifi.example.com`.          |
+| `FILEUPLOADER_URI`       | Set this to your OWGW fileupload URL, for example `https://openwifi.example.com:16003`. |
+| `SYSTEM_URI_PUBLIC`      | Set this to your OWGW REST API URL, for example `https://openwifi.example.com:16002`.   |
+| `RTTY_SERVER`            | Set this to your OWGW RTTYS hostname, for example `openwifi.example.com`.               |
+| `SYSTEM_URI_UI`          | Set this to your OWGW-UI URL, for example `https://openwifi.example.com`.               |
+
+### owgw-ui.env
+| Variable                    | Description                                                                   |
+| --------------------------- | ----------------------------------------------------------------------------- |
+| `REACT_APP_UCENTRALSEC_URL` | Set this to your OWSec URL, for example `https://openwifi.example.com:16001`. |
+
+### owsec.env
+| Variable            | Description                                                                   |
+| ------------------- | ----------------------------------------------------------------------------- |
+| `SYSTEM_URI_PUBLIC` | Set this to your OWSec URL, for example `https://openwifi.example.com:16001`. |
+| `SYSTEM_URI_UI`     | Set this to your OWGW-UI URL, for example `https://openwifi.example.com`.     |
+
+### owfms.env
+| Variable            | Description                                                                   |
+| ------------------- | ----------------------------------------------------------------------------- |
+| `SYSTEM_URI_PUBLIC` | Set this to your OWFms URL, for example `https://openwifi.example.com:16004`. |
+| `SYSTEM_URI_UI`     | Set this to your OWGW-UI URL, for example `https://openwifi.example.com`.     |
+
+### owprov.env
+| Variable             | Description                                                                    |
+| -------------------- | ------------------------------------------------------------------------------ |
+| `SYSTEM_URI_PUBLIC`  | Set this to your OWProv URL, for example `https://openwifi.example.com:16005`. |
+| `SYSTEM_URI_UI`      | Set this to your OWGW-UI URL, for example `https://openwifi.example.com`.      |
+
+### owprov-ui.env
+| Variable                    | Description                                                                   |
+| --------------------------- | ----------------------------------------------------------------------------- |
+| `REACT_APP_UCENTRALSEC_URL` | Set this to your OWSec URL, for example `https://openwifi.example.com:16001`. |
+
+### owanalytics.env
+| Variable             | Description                                                                         |
+| -------------------- | ----------------------------------------------------------------------------------- |
+| `SYSTEM_URI_PUBLIC`  | Set this to your OWAnalytics URL, for example `https://openwifi.example.com:16009`. |
+| `SYSTEM_URI_UI`      | Set this to your OWProv-UI URL, for example `https://openwifi.example.com`.         |
+
 ### owsub.env
-| Variable             | Description                                                                  |
-| -------------------- | ---------------------------------------------------------------------------- |
-| `SYSTEM_URI_PUBLIC`  | Set this to your OWSub URL, for example `https://owsub.example.com:16006`.   |
-| `SYSTEM_URI_UI`      | Set this to your OWGW-UI URL, for example `https://owgw-ui.example.com`.     |
+| Variable             | Description                                                                   |
+| -------------------- | ----------------------------------------------------------------------------- |
+| `SYSTEM_URI_PUBLIC`  | Set this to your OWSub URL, for example `https://openwifi.example.com:16006`. |
+
+| `SYSTEM_URI_UI`      | Set this to your OWGW-UI URL, for example `https://openwifi.example.com`.     |
+
 ### traefik.env
 | Variable                                            | Description                               |
 | --------------------------------------------------- | ----------------------------------------- |
--- a/docker-compose/cloudformation/README.md
+++ b/docker-compose/cloudformation/README.md
@@ -0,0 +1,20 @@
+# OpenWiFi Cloud SDK deployment with CloudFormation
+With the YAML template included in this directory you can create an OpenWiFi Cloud SDK deployment with the help of AWS CloudFormation (https://aws.amazon.com/cloudformation).  
+The template creates a CloudFormation stack based on the Docker Compose Let's Encrypt deployment (https://github.com/Telecominfraproject/wlan-cloud-ucentral-deploy/tree/main/docker-compose#lb-deployment-with-letsencrypt-certificates). The created stack consists of an EC2 instance, and depending on the input parameters, also adds a Route53 hosted zone and a DNS record.  
+⚠️**Note**: Please be aware that you will be billed for the AWS resources if you create a stack from this template.
+1. Login into the AWS Management Console (https://aws.amazon.com/de/console).
+2. Go to the AWS Systems Manager Parameter Store page and create two parameters according to these instructions https://docs.aws.amazon.com/systems-manager/latest/userguide/parameter-create-console.html: one for your Digicert-signed websocket certificate and the other one for the corresponding key. You can leave the default parameter details: you need two standard parameters with type `String` and data type `text`. Just copy and paste your certificate and key into the `Value` field of the respective parameter and remember the parameter names.
+3. Go to the CloudFormation service page and follow the instructions described here https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/cfn-using-console-create-stack-template.html to upload a template file and choose the template included in this repository.
+4. In the next step you have to enter multiple input parameters required for a successful deployment. Here's an explanation of all parameters:
+
+**InstanceType**: Choose an AWS EC2 instance type (https://aws.amazon.com/ec2/instance-types). The smallest instance type you can choose is t2.small.  
+**KeyName**: Specify the name of the SSH key pair you want to use to connect the instance. If you don't have a key pair yet, please create or import one according to these instructions https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html.  
+**SSHLocation**: If you want to restrict the IP range which is allowed to connect to the instance via SSH, please specify a valid CIDR IP range here.  
+**CreateRoute53Record**: To expose your SDK installation to the public you need a valid DNS entry for your SDK hostname. This is also required to pass the Let's Encrypt HTTP-01 challenge (https://letsencrypt.org/de/docs/challenge-types/#http-01-challenge). If you set this to `True`, an Amazon Route53 entry (https://aws.amazon.com/route53) for the hostname defined in the **SDKHostname** parameter is automatically created. This Route53 entry will resolve to the public IP address of the EC2 instance. You can also set this to `False` and create a DNS entry manually afterwards.  
+**ExistingHostedZoneId**: If you decide to create a Route53 record and already have an existing hosted zone which you want to use, please specify the according hosted zone ID. You can get the ID by listing your public hosted zones (https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/ListInfoOnHostedZone.html).  
+**HostedZoneName**: If you didn't create the hosted zone yet which you want to use for your Route53 record, please specify the domain name of the hosted zone you want to create. Be aware that if you set **CreateRoute53Record** to `True`, you only have to specify either `ExistingHostedZoneId` or `HostedZoneName`. If you decide to create the DNS record yourself, you can leave both parameters empty.  
+**SDKVersion**: The SDK version you want to use for your deployment. You can either use release names (e.g. `v2.6.0`) or Git branch names (for example `release/v2.6.0`).  
+**SDKHostname**: Enter a valid public hostname which you want to use for your deployment. This has to resolve to the public IP address of the created EC2 instance. If you set **CreateRoute53Record** to `False`, don't forget to create a DNS entry manually afterwards.  
+**WebsocketCertParameter**: The name of the AWS Systems Manager parameter containing your Digicert-signed websocket certificate.  
+**WebsocketKeyParameter**: The name of the AWS Systems Manager parameter containing the key to your Digicert-signed websocket certificate.  
+**TraefikAcmeEmail**: Enter a valid email address to complete Let's Encrypt ACME registration.  
--- a/docker-compose/cloudformation/openwifi-cloudsdk-docker-compose.yml
+++ b/docker-compose/cloudformation/openwifi-cloudsdk-docker-compose.yml
@@ -0,0 +1,333 @@
+AWSTemplateFormatVersion: 2010-09-09
+Description: |
+  OpenWiFi Cloud SDK Docker Compose Deployment: This template creates an
+  OpenWiFi Cloud SDK deployment using Docker Compose and Letsencrypt for
+  northbound certificates (https://github.com/Telecominfraproject/
+  wlan-cloud-ucentral-deploy/tree/main/docker-compose
+  #lb-deployment-with-letsencrypt-certificates).
+  **WARNING** You will be billed for the AWS resources used if you create a
+  stack from this template.
+Metadata:
+  AWS::CloudFormation::Interface:
+    ParameterGroups:
+      - Label:
+          default: "Amazon EC2 configuration"
+        Parameters:
+          - InstanceType
+          - LatestUbuntuFocalAMI
+          - KeyName
+          - SSHLocation
+      - Label:
+          default: "Amazon Route53 configuration"
+        Parameters:
+          - CreateRoute53Record
+          - ExistingHostedZoneId
+          - HostedZoneName
+      - Label:
+          default: "OpenWiFi cloud SDK configuration"
+        Parameters:
+          - SDKVersion
+          - SDKHostname
+          - WebsocketCertParameter
+          - WebsocketKeyParameter
+          - TraefikAcmeEmail
+Parameters:
+  KeyName:
+    Description: Name of the EC2 KeyPair to enable SSH access to the instance.
+    Type: AWS::EC2::KeyPair::KeyName
+    ConstraintDescription: Must be the name of an existing EC2 KeyPair.
+  SDKHostname:
+    Description: Hostname you want to use for your OpenWiFi Cloud SDK installation.
+    Default: openwifi.wlan.local
+    Type: String
+    AllowedPattern: "^((?!-)[A-Za-z0-9-]{1,63}(?<!-)\\.)+[A-Za-z]{2,6}$"
+  TraefikAcmeEmail:
+    Description: Email address used for ACME registration
+    Type: String
+  CreateRoute53Record:
+    Description: |
+      Set this to "True" if you want to create a DNS record for the SDK
+      hostname.
+      This will resolve to the public IP of the created EC2 instance.
+    AllowedValues:
+      - "True"
+      - "False"
+    Default: "False"
+    Type: String
+  ExistingHostedZoneId:
+    Description: |
+      If you want to create the Route53 record in an existing hosted zone,
+      please specify the according hosted zone ID.
+    Type: String
+#    MinLength: 21
+#    MaxLength: 21
+#    AllowedPattern: "[A-Z0-9]+"
+  HostedZoneName:
+    Description: |
+      If you want to create a new hosted zone for the Route53 record, please
+      specify the name of the domain.
+    Type: String
+#    AllowedPattern: "^((?!-)[A-Za-z0-9-]{1,63}(?<!-)\\.)+[A-Za-z]{2,6}$"
+  SDKVersion:
+    Description: OpenWiFi Cloud SDK version to be deployed.
+    Default: main
+    Type: String
+  WebsocketCertParameter:
+    Description: |
+      The AWS Systems Manager parameter containing your Digicert-signed
+      websocket certificate.
+    Type: AWS::SSM::Parameter::Value<String>
+  WebsocketKeyParameter:
+    Description: |
+      The AWS Systems Manager parameter containing the key to your
+      Digicert-signed websocket certificate.
+    Type: AWS::SSM::Parameter::Value<String>
+  LatestUbuntuFocalAMI:
+    Type: AWS::SSM::Parameter::Value<AWS::EC2::Image::Id>
+    Default: "/aws/service/canonical/ubuntu/server/focal/stable/current/amd64/hvm/ebs-gp2/ami-id"
+  InstanceType:
+    Description: Cloud SDK EC2 instance type
+    Type: String
+    Default: t2.small
+    AllowedValues:
+      - t2.small
+      - t2.medium
+      - t2.large
+      - m1.small
+      - m1.medium
+      - m1.large
+      - m1.xlarge
+      - m2.xlarge
+      - m2.2xlarge
+      - m2.4xlarge
+      - m3.medium
+      - m3.large
+      - m3.xlarge
+      - m3.2xlarge
+      - m4.large
+      - m4.xlarge
+      - m4.2xlarge
+      - m4.4xlarge
+      - m4.10xlarge
+      - c1.medium
+      - c1.xlarge
+      - c3.large
+      - c3.xlarge
+      - c3.2xlarge
+      - c3.4xlarge
+      - c3.8xlarge
+      - c4.large
+      - c4.xlarge
+      - c4.2xlarge
+      - c4.4xlarge
+      - c4.8xlarge
+      - g2.2xlarge
+      - g2.8xlarge
+      - r3.large
+      - r3.xlarge
+      - r3.2xlarge
+      - r3.4xlarge
+      - r3.8xlarge
+      - i2.xlarge
+      - i2.2xlarge
+      - i2.4xlarge
+      - i2.8xlarge
+      - d2.xlarge
+      - d2.2xlarge
+      - d2.4xlarge
+      - d2.8xlarge
+      - hi1.4xlarge
+      - hs1.8xlarge
+      - cr1.8xlarge
+      - cc2.8xlarge
+      - cg1.4xlarge
+    ConstraintDescription: must be a valid EC2 instance type.
+  SSHLocation:
+    Description: |
+      The IP address range that can be used to SSH to the EC2 instances
+    Type: String
+    MinLength: "9"
+    MaxLength: "18"
+    Default: 0.0.0.0/0
+    AllowedPattern: "(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})/(\\d{1,2})"
+    ConstraintDescription: must be a valid IP CIDR range of the form x.x.x.x/x.
+Conditions:
+  HasExistingHostedZoneId: !Not [ !Equals [ !Ref ExistingHostedZoneId, "" ] ]
+  HasHostedZoneName: !Not [ !Equals [ !Ref HostedZoneName, "" ] ]
+  CreateRoute53Record: !Equals [ !Ref CreateRoute53Record, "True" ]
+  CreateRecordInExistingZone: !And [ Condition: HasExistingHostedZoneId, Condition: CreateRoute53Record ]
+  CreateRecordInNewZone: !And [ Condition: HasHostedZoneName, Condition: CreateRoute53Record ]
+Resources:
+  CloudSDKInstance:
+    Type: "AWS::EC2::Instance"
+    Metadata:
+      "AWS::CloudFormation::Init":
+        configSets:
+          InstallDockerAndCreateDeployment:
+            - InstallDocker
+            - CreateCloudSDKDeployment
+        InstallDocker:
+          packages:
+            apt:
+              ca-certificates: []
+              curl: []
+              gnupg: []
+              lsb-release: []
+              php-mysql: []
+          commands:
+            a_add_repo_gpg_key:
+              command: |
+                curl -fsSL https://download.docker.com/linux/ubuntu/gpg \
+                | sudo gpg --dearmor -o \
+                /usr/share/keyrings/docker-archive-keyring.gpg
+            b_add_docker_repo:
+              command: |
+                echo "deb [arch=$(dpkg --print-architecture) \
+                signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] \
+                https://download.docker.com/linux/ubuntu $(lsb_release -cs) \
+                stable" | sudo tee /etc/apt/sources.list.d/docker.list \
+                > /dev/null
+            c_install_docker:
+              command: |
+                sudo apt-get update \
+                && sudo apt-get install -y docker-ce docker-ce-cli \
+                containerd.io docker-compose-plugin docker-compose
+            d_enable_and_start_docker:
+              command: |
+                sudo systemctl enable docker && sudo systemctl start docker
+            e_add_ubuntu_user_to_docker_group:
+              command: "sudo usermod -aG docker ubuntu"
+        CreateCloudSDKDeployment:
+          files:
+            /etc/profile.d/aliases.sh:
+              content: |
+                alias docker-compose-lb-letsencrypt="docker-compose -f \
+                docker-compose.lb.letsencrypt.yml --env-file .env.letsencrypt"
+                alias docker-compose-lb-selfsigned="docker-compose -f \
+                docker-compose.lb.selfsigned.yml --env-file .env.selfsigned"
+              mode: "000644"
+              owner: "root"
+              group: "root"
+          commands:
+            a_clone_deploy_repo:
+              command: |
+                git clone https://github.com/Telecominfraproject/wlan-cloud-ucentral-deploy
+              cwd: "~"
+            b_checkout_deploy_version:
+              command: !Sub "git checkout ${SDKVersion}"
+              cwd: "~/wlan-cloud-ucentral-deploy"
+            c_create_deployment:
+              command: "./deploy.sh"
+              env:
+                DEFAULT_UCENTRALSEC_URL: !Sub "https://${SDKHostname}:16001"
+                SYSTEM_URI_UI: !Sub "https://${SDKHostname}"
+                SDKHOSTNAME: !Sub "${SDKHostname}"
+                WEBSOCKET_CERT: !Ref WebsocketCertParameter
+                WEBSOCKET_KEY: !Ref WebsocketKeyParameter
+                OWGW_FILEUPLOADER_HOST_NAME: !Sub "${SDKHostname}"
+                OWGW_FILEUPLOADER_URI: !Sub "https://${SDKHostname}:16003"
+                OWGW_SYSTEM_URI_PUBLIC: !Sub "https://${SDKHostname}:16002"
+                OWGW_RTTY_SERVER: !Sub "${SDKHostname}"
+                OWSEC_SYSTEM_URI_PUBLIC: !Sub "https://${SDKHostname}:16001"
+                OWFMS_SYSTEM_URI_PUBLIC: !Sub "https://${SDKHostname}:16004"
+                OWPROV_SYSTEM_URI_PUBLIC: !Sub "https://${SDKHostname}:16005"
+                OWANALYTICS_SYSTEM_URI_PUBLIC: !Sub "https://${SDKHostname}:16009"
+                OWSUB_SYSTEM_URI_PUBLIC: !Sub "https://${SDKHostname}:16006"
+                TRAEFIK_ACME_EMAIL: !Sub "${TraefikAcmeEmail}"
+              cwd: "~/wlan-cloud-ucentral-deploy/docker-compose"
+    Properties:
+      ImageId: !Ref LatestUbuntuFocalAMI
+      InstanceType: !Ref InstanceType
+      SecurityGroups:
+        - !Ref CloudSDKSecurityGroup
+      KeyName: !Ref KeyName
+      UserData:
+        Fn::Base64: !Sub |
+          #!/bin/bash -xe
+          apt-get update -y
+          mkdir -p /opt/aws/bin
+          wget https://s3.amazonaws.com/cloudformation-examples/aws-cfn-bootstrap-py3-latest.tar.gz
+          python3 -m easy_install --script-dir /opt/aws/bin aws-cfn-bootstrap-py3-latest.tar.gz
+          /opt/aws/bin/cfn-init -v \
+            --stack ${AWS::StackName} \
+            --resource CloudSDKInstance \
+            --configsets InstallDockerAndCreateDeployment \
+            --region ${AWS::Region}
+          /opt/aws/bin/cfn-signal -e $? \
+            --stack ${AWS::StackName} \
+            --resource CloudSDKInstance \
+            --region ${AWS::Region}
+    CreationPolicy:
+      ResourceSignal:
+        Timeout: PT5M
+  CloudSDKSecurityGroup:
+    Type: "AWS::EC2::SecurityGroup"
+    Properties:
+      GroupDescription: Enable OpenWiFi Cloud SDK and SSH access
+      SecurityGroupIngress:
+        - IpProtocol: icmp
+          FromPort: "-1"
+          ToPort: "-1"
+          CidrIp: 0.0.0.0/0
+        - IpProtocol: tcp
+          FromPort: "80"
+          ToPort: "80"
+          CidrIp: 0.0.0.0/0
+        - IpProtocol: tcp
+          FromPort: "443"
+          ToPort: "443"
+          CidrIp: 0.0.0.0/0
+        - IpProtocol: tcp
+          FromPort: "15002"
+          ToPort: "15002"
+          CidrIp: 0.0.0.0/0
+        - IpProtocol: tcp
+          FromPort: "16001"
+          ToPort: "16006"
+          CidrIp: 0.0.0.0/0
+        - IpProtocol: tcp
+          FromPort: "16009"
+          ToPort: "16009"
+          CidrIp: 0.0.0.0/0
+        - IpProtocol: tcp
+          FromPort: "5912"
+          ToPort: "5913"
+          CidrIp: 0.0.0.0/0
+        - IpProtocol: tcp
+          FromPort: "22"
+          ToPort: "22"
+          CidrIp: !Ref SSHLocation
+  CloudSDKHostedZone:
+    Condition: HasHostedZoneName
+    Type: AWS::Route53::HostedZone
+    Properties:
+      Name: !Ref HostedZoneName
+  CloudSDKRoute53RecordExistingHostedZone:
+    Condition: CreateRecordInExistingZone
+    Type: AWS::Route53::RecordSet
+    Properties:
+      HostedZoneId: !Ref ExistingHostedZoneId
+      Name: !Ref SDKHostname
+      Type: A
+      TTL: 900
+      ResourceRecords:
+      - !GetAtt CloudSDKInstance.PublicIp
+  CloudSDKRoute53RecordNewHostedZone:
+    Condition: CreateRecordInNewZone
+    Type: AWS::Route53::RecordSet
+    Properties:
+      HostedZoneId: !GetAtt CloudSDKHostedZone.Id
+      Name: !Ref SDKHostname
+      Type: A
+      TTL: 900
+      ResourceRecords:
+      - !GetAtt CloudSDKInstance.PublicIp
+Outputs:
+  WebsiteURL:
+    Description: |
+      Visit this URL and login with user 'tip@ucentral.com' and password
+      'openwifi'.
+    Value: !Join
+      - ""
+      - - "https://"
+        - !Ref SDKHostname
--- a/docker-compose/dco
+++ b/docker-compose/dco
@@ -0,0 +1,32 @@
+#!/bin/bash
+# Wrapper around docker-compose that will use the correct command line options
+# depending on what type of setup you have.
+# It captures $1 == clean and performs cleanup of the volumes and data directories,
+# It captures $1 == launch or l and runs: ... up -d,
+# but passes everything else straight to the docker-compose command.
+cmd="docker-compose"
+deploy_type=$(grep "^DEPLOY_TYPE=" .env | awk -F= '{ print $2 }')
+[ -z "$deploy_type" ] && deploy_type="default"
+if [[ "$deploy_type" == "letsencrypt" ]] ; then
+    cmd="$cmd -f docker-compose.lb.letsencrypt.yml --env-file .env.letsencrypt"
+elif [[ "$deploy_type" == "selfsigned" ]] ; then
+    cmd="$cmd -f docker-compose.lb.selfsigned.yml --env-file .env.selfsigned"
+elif [[ "$deploy_type" == "default" ]] ; then
+    # ok
+    true
+else
+    echo "Invalid DEPLOY_TYPE: $deploy_type"
+    echo "Should be one of: default, letsencrypt or selfsigned"
+    exit 1
+fi
+if [[ "$1" == "clean" ]] ; then
+    set -x
+    $cmd down -v
+    rm -rf *_data
+elif [[ "$1" == "launch" || "$1" == "l" ]] ; then
+    set -x
+    $cmd up -d
+else
+    set -x
+    $cmd "$@"
+fi
--- a/docker-compose/deploy.sh
+++ b/docker-compose/deploy.sh
@@ -26,13 +26,9 @@ usage () {
  echo;
 #  echo "- OWSEC_SYSTEM_URI_PRIVATE - private URL to be used for OWSec";
  echo "- OWSEC_SYSTEM_URI_PUBLIC - public URL to be used for OWSec";
-  echo "- OWSEC_AUTHENTICATION_DEFAULT_USERNAME - username to be used for requests to OWSec";
-  echo "- OWSEC_AUTHENTICATION_DEFAULT_PASSWORD - hashed password for OWSec (details on this may be found in https://github.com/Telecominfraproject/wlan-cloud-ucentralsec/#authenticationdefaultpassword)";
  echo;
 #  echo "- OWFMS_SYSTEM_URI_PRIVATE - private URL to be used for OWFms";
  echo "- OWFMS_SYSTEM_URI_PUBLIC - public URL to be used for OWFms";
-  echo "- OWFMS_S3_SECRET - secret key that is used for OWFms access to firmwares S3 bucket";
-  echo "- OWFMS_S3_KEY - access key that is used for OWFms access to firmwares S3 bucket";
  echo;
 #  echo "- OWPROV_SYSTEM_URI_PRIVATE - private URL to be used for OWProv";
  echo "- OWPROV_SYSTEM_URI_PUBLIC - public URL to be used for OWProv";
@@ -42,6 +38,22 @@ usage () {
  echo;
 #  echo "- OWSUB_SYSTEM_URI_PRIVATE - private URL to be used for OWSub";
  echo "- OWSUB_SYSTEM_URI_PUBLIC - public URL to be used for OWSub";
+  echo;
+  echo "Optional environment variables:"
+  echo "- WEBSOCKET_CERT - Your Digicert-signed websocket certificate"
+  echo "- WEBSOCKET_KEY - The key to your Digicert-signed websocket certificate"
+  echo;
+  echo "- OWSEC_AUTHENTICATION_DEFAULT_USERNAME - username to be used for requests to OWSec";
+  echo "- OWSEC_AUTHENTICATION_DEFAULT_PASSWORD - hashed password for OWSec (details on this may be found in https://github.com/Telecominfraproject/wlan-cloud-ucentralsec/#authenticationdefaultpassword)";
+  echo;
+  echo "- OWFMS_S3_SECRET - secret key that is used for OWFms access to firmwares S3 bucket";
+  echo "- OWFMS_S3_KEY - access key that is used for OWFms access to firmwares S3 bucket";
+  echo;
+  echo "- SDKHOSTNAME - Public hostname which is used for cert generation when using the Letsencrypt deployment method"
+  echo;
+  echo "- TRAEFIK_ACME_EMAIL - Email address used for ACME registration"
+  echo;
+  echo "- CERTIFICATES_ALLOWMISMATCH - boolean flag to allow certificates serial mismatch";
 }

 # Check if required environment variables were passed
@@ -62,15 +74,11 @@ usage () {
 [ -z ${OWGW_SYSTEM_URI_PUBLIC+x} ] && echo "OWGW_SYSTEM_URI_PUBLIC is unset" && usage && exit 1
 [ -z ${OWGW_RTTY_SERVER+x} ] && echo "OWGW_RTTY_SERVER is unset" && usage && exit 1
 ## OWSec configuration variables
-[ -z ${OWSEC_AUTHENTICATION_DEFAULT_USERNAME+x} ] && echo "OWSEC_AUTHENTICATION_DEFAULT_USERNAME is unset" && usage && exit 1
-[ -z ${OWSEC_AUTHENTICATION_DEFAULT_PASSWORD+x} ] && echo "OWSEC_AUTHENTICATION_DEFAULT_PASSWORD is unset" && usage && exit 1
 #[ -z ${OWSEC_SYSTEM_URI_PRIVATE+x} ] && echo "OWSEC_SYSTEM_URI_PRIVATE is unset" && usage && exit 1
 [ -z ${OWSEC_SYSTEM_URI_PUBLIC+x} ] && echo "OWSEC_SYSTEM_URI_PUBLIC is unset" && usage && exit 1
 ## OWFms configuration variables
 #[ -z ${OWFMS_SYSTEM_URI_PRIVATE+x} ] && echo "OWFMS_SYSTEM_URI_PRIVATE is unset" && usage && exit 1
 [ -z ${OWFMS_SYSTEM_URI_PUBLIC+x} ] && echo "OWFMS_SYSTEM_URI_PUBLIC is unset" && usage && exit 1
-[ -z ${OWFMS_S3_SECRET+x} ] && echo "OWFMS_S3_SECRET is unset" && usage && exit 1
-[ -z ${OWFMS_S3_KEY+x} ] && echo "OWFMS_S3_KEY is unset" && usage && exit 1
 ## OWProv configuration variables
 #[ -z ${OWPROV_SYSTEM_URI_PRIVATE+x} ] && echo "OWPROV_SYSTEM_URI_PRIVATE is unset" && usage && exit 1
 [ -z ${OWPROV_SYSTEM_URI_PUBLIC+x} ] && echo "OWPROV_SYSTEM_URI_PUBLIC is unset" && usage && exit 1
@@ -109,6 +117,17 @@ fi
 #sed -i "s~\(^INTERNAL_OWANALYTICS_HOSTNAME=\).*~\1$INTERNAL_OWANALYTICS_HOSTNAME~" .env
 #sed -i "s~\(^INTERNAL_OWSUB_HOSTNAME=\).*~\1$INTERNAL_OWSUB_HOSTNAME~" .env

+if [[ ! -z "$SDKHOSTNAME" ]]; then
+  sed -i "s~.*SDKHOSTNAME=.*~SDKHOSTNAME=$SDKHOSTNAME~" .env.letsencrypt
+fi
+
+if [[ ! -z "$WEBSOCKET_CERT" ]]; then
+  echo "$WEBSOCKET_CERT" > certs/websocket-cert.pem
+fi
+if [[ ! -z "$WEBSOCKET_KEY" ]]; then
+  echo "$WEBSOCKET_KEY" > certs/websocket-key.pem && chmod 600 certs/websocket-key.pem
+fi
+
 sed -i "s~.*FILEUPLOADER_HOST_NAME=.*~FILEUPLOADER_HOST_NAME=$OWGW_FILEUPLOADER_HOST_NAME~" owgw.env
 sed -i "s~.*FILEUPLOADER_URI=.*~FILEUPLOADER_URI=$OWGW_FILEUPLOADER_URI~" owgw.env
 sed -i "s~.*SYSTEM_URI_PUBLIC=.*~SYSTEM_URI_PUBLIC=$OWGW_SYSTEM_URI_PUBLIC~" owgw.env
@@ -120,10 +139,14 @@ if [[ ! -z "$SIMULATORID" ]]; then
  sed -i "s~.*SIMULATORID=.*~SIMULATORID=$SIMULATORID~" owgw.env
 fi

-sed -i "s~.*DEFAULT_UCENTRALSEC_URL=.*~DEFAULT_UCENTRALSEC_URL=$DEFAULT_UCENTRALSEC_URL~" owgw-ui.env
+sed -i "s~.*REACT_APP_UCENTRALSEC_URL=.*~REACT_APP_UCENTRALSEC_URL=$DEFAULT_UCENTRALSEC_URL~" owgw-ui.env

-sed -i "s~.*AUTHENTICATION_DEFAULT_USERNAME=.*~AUTHENTICATION_DEFAULT_USERNAME=$OWSEC_AUTHENTICATION_DEFAULT_USERNAME~" owsec.env
-sed -i "s~.*AUTHENTICATION_DEFAULT_PASSWORD=.*~AUTHENTICATION_DEFAULT_PASSWORD=$OWSEC_AUTHENTICATION_DEFAULT_PASSWORD~" owsec.env
+if [[ ! -z "$OWSEC_AUTHENTICATION_DEFAULT_USERNAME" ]]; then
+  sed -i "s~.*AUTHENTICATION_DEFAULT_USERNAME=.*~AUTHENTICATION_DEFAULT_USERNAME=$OWSEC_AUTHENTICATION_DEFAULT_USERNAME~" owsec.env
+fi
+if [[ ! -z "$OWSEC_AUTHENTICATION_DEFAULT_PASSWORD" ]]; then
+  sed -i "s~.*AUTHENTICATION_DEFAULT_PASSWORD=.*~AUTHENTICATION_DEFAULT_PASSWORD=$OWSEC_AUTHENTICATION_DEFAULT_PASSWORD~" owsec.env
+fi
 #sed -i "s~.*SYSTEM_URI_PRIVATE=.*~SYSTEM_URI_PRIVATE=$OWSEC_SYSTEM_URI_PRIVATE~" owsec.env
 sed -i "s~.*SYSTEM_URI_PUBLIC=.*~SYSTEM_URI_PUBLIC=$OWSEC_SYSTEM_URI_PUBLIC~" owsec.env
 sed -i "s~.*SYSTEM_URI_UI=.*~SYSTEM_URI_UI=$SYSTEM_URI_UI~" owsec.env
@@ -131,8 +154,12 @@ sed -i "s~.*SYSTEM_URI_UI=.*~SYSTEM_URI_UI=$SYSTEM_URI_UI~" owsec.env
 #sed -i "s~.*SYSTEM_URI_PRIVATE=.*~SYSTEM_URI_PRIVATE=$OWFMS_SYSTEM_URI_PRIVATE~" owfms.env
 sed -i "s~.*SYSTEM_URI_PUBLIC=.*~SYSTEM_URI_PUBLIC=$OWFMS_SYSTEM_URI_PUBLIC~" owfms.env
 sed -i "s~.*SYSTEM_URI_UI=.*~SYSTEM_URI_UI=$SYSTEM_URI_UI~" owfms.env
-sed -i "s~.*S3_SECRET=.*~S3_SECRET=$OWFMS_S3_SECRET~" owfms.env
-sed -i "s~.*S3_KEY=.*~S3_KEY=$OWFMS_S3_KEY~" owfms.env
+if [[ ! -z "$OWFMS_S3_SECRET" ]]; then
+  sed -i "s~.*S3_SECRET=.*~S3_SECRET=$OWFMS_S3_SECRET~" owfms.env
+fi
+if [[ ! -z "$OWFMS_S3_KEY" ]]; then
+  sed -i "s~.*S3_KEY=.*~S3_KEY=$OWFMS_S3_KEY~" owfms.env
+fi

 #sed -i "s~.*SYSTEM_URI_PRIVATE=.*~SYSTEM_URI_PRIVATE=$OWPROV_SYSTEM_URI_PRIVATE~" owprov.env
 sed -i "s~.*SYSTEM_URI_PUBLIC=.*~SYSTEM_URI_PUBLIC=$OWPROV_SYSTEM_URI_PUBLIC~" owprov.env
@@ -148,5 +175,17 @@ sed -i "s~.*SYSTEM_URI_UI=.*~SYSTEM_URI_UI=$SYSTEM_URI_UI~" owanalytics.env
 sed -i "s~.*SYSTEM_URI_PUBLIC=.*~SYSTEM_URI_PUBLIC=$OWSUB_SYSTEM_URI_PUBLIC~" owsub.env
 sed -i "s~.*SYSTEM_URI_UI=.*~SYSTEM_URI_UI=$SYSTEM_URI_UI~" owsub.env

+if [[ ! -z "$TRAEFIK_ACME_EMAIL" ]]; then
+  sed -i "s~.*TRAEFIK_CERTIFICATESRESOLVERS_OPENWIFI_ACME_EMAIL=.*~TRAEFIK_CERTIFICATESRESOLVERS_OPENWIFI_ACME_EMAIL=$TRAEFIK_ACME_EMAIL~" traefik.env
+fi
+
+if [[ ! -z "$CERTIFICATES_ALLOWMISMATCH" ]]; then
+  sed -i "s~.*CERTIFICATES_ALLOWMISMATCH=.*~CERTIFICATES_ALLOWMISMATCH=$CERTIFICATES_ALLOWMISMATCH~" owgw.env
+fi
+
 # Run the deployment
-docker-compose up -d
+if [[ ! -z "$SDKHOSTNAME" ]]; then
+  docker-compose -f docker-compose.lb.letsencrypt.yml --env-file .env.letsencrypt up -d
+else
+  docker-compose up -d
+fi
--- a/docker-compose/docker-compose.lb.letsencrypt.yml
+++ b/docker-compose/docker-compose.lb.letsencrypt.yml
@@ -1,5 +1,3 @@
-version: '3'
-
 volumes:
  owgw_data:
    driver: local
@@ -13,12 +11,10 @@ volumes:
    driver: local
  owsub_data:
    driver: local
-  zookeeper_data:
-    driver: local
-  zookeeper_datalog:
-    driver: local
  kafka_data:
    driver: local
+  postgresql_data:
+    driver: local
  letsencrypt_certs:
    driver: local

@@ -36,7 +32,11 @@ services:
      - .env.letsencrypt
      - owgw.env
    depends_on:
-      - kafka
+      init-kafka:
+        condition: service_completed_successfully
+      postgresql:
+        condition: service_healthy
+    command: ["./wait-for-postgres.sh", "postgresql", "/openwifi/owgw"]
    restart: unless-stopped
    volumes:
      - owgw_data:${OWGW_ROOT}/persist
@@ -71,7 +71,11 @@ services:
      - .env.letsencrypt
      - owsec.env
    depends_on:
-      - kafka
+      init-kafka:
+        condition: service_completed_successfully
+      postgresql:
+        condition: service_healthy
+    command: ["./wait-for-postgres.sh", "postgresql", "/openwifi/owsec"]
    restart: unless-stopped
    volumes:
      - owsec_data:${OWSEC_ROOT}/persist
@@ -87,7 +91,11 @@ services:
      - .env.letsencrypt
      - owfms.env
    depends_on:
-      - kafka
+      init-kafka:
+        condition: service_completed_successfully
+      postgresql:
+        condition: service_healthy
+    command: ["./wait-for-postgres.sh", "postgresql", "/openwifi/owfms"]
    restart: unless-stopped
    volumes:
      - owfms_data:${OWFMS_ROOT}/persist
@@ -103,7 +111,11 @@ services:
      - .env.letsencrypt
      - owprov.env
    depends_on:
-      - kafka
+      init-kafka:
+        condition: service_completed_successfully
+      postgresql:
+        condition: service_healthy
+    command: ["./wait-for-postgres.sh", "postgresql", "/openwifi/owprov"]
    restart: unless-stopped
    volumes:
      - owprov_data:${OWPROV_ROOT}
@@ -134,7 +146,11 @@ services:
      - .env.letsencrypt
      - owanalytics.env
    depends_on:
-      - kafka
+      init-kafka:
+        condition: service_completed_successfully
+      postgresql:
+        condition: service_healthy
+    command: ["./wait-for-postgres.sh", "postgresql", "/openwifi/owanalytics"]
    restart: unless-stopped
    volumes:
      - owanalytics_data:${OWANALYTICS_ROOT}
@@ -150,21 +166,16 @@ services:
      - .env.letsencrypt
      - owsub.env
    depends_on:
-      - kafka
+      init-kafka:
+        condition: service_completed_successfully
+      postgresql:
+        condition: service_healthy
+    command: ["./wait-for-postgres.sh", "postgresql", "/openwifi/owsub"]
    restart: unless-stopped
    volumes:
      - owsub_data:${OWSUB_ROOT}
      - ./certs:/${OWSUB_ROOT}/certs

-  zookeeper:
-    image: "zookeeper:${ZOOKEEPER_TAG}"
-    networks:
-      openwifi:
-    restart: unless-stopped
-    volumes:
-      - zookeeper_data:/data
-      - zookeeper_datalog:/datalog
-
  kafka:
    image: "docker.io/bitnami/kafka:${KAFKA_TAG}"
    networks:
@@ -172,11 +183,30 @@ services:
    env_file:
      - kafka.env
    restart: unless-stopped
-    depends_on:
-      - zookeeper
    volumes:
      - kafka_data:/bitnami/kafka

+  init-kafka:
+    image: "docker.io/bitnami/kafka:${KAFKA_TAG}"
+    networks:
+      openwifi:
+    depends_on:
+      - kafka
+    env_file:
+      - kafka.env
+    entrypoint:
+      - /bin/sh
+      - -c
+      - |
+        echo "Sleeping to allow kafka to start up..."
+        sleep 10
+        echo "Creating all required Kafka topics..."
+        for topic in $$TOPICS; do
+          /opt/bitnami/kafka/bin/kafka-topics.sh \
+          --create --if-not-exists --topic $$topic --replication-factor 1 \
+          --partitions 1 --bootstrap-server kafka:9092
+        done && echo "Successfully created Kafka topics, exiting." && exit 0
+
  traefik:
    image: "traefik:${TRAEFIK_TAG}"
    networks:
@@ -191,17 +221,27 @@ services:
      - owfms
      - owprov
      - owprov-ui
+      - owanalytics
+      - owsub
    restart: unless-stopped
    volumes:
      - "./traefik/openwifi_letsencrypt.yaml:/etc/traefik/openwifi.yaml"
      - "./certs/restapi-ca.pem:/certs/restapi-ca.pem"
      - "letsencrypt_certs:/letsencrypt"
+    entrypoint:
+      - /bin/sh
+      - -c
+      - |
+        timeout 10m sh -c 'until [[ "$$(getent hosts $SDKHOSTNAME)" ]]; do echo "Waiting until DNS record for $SDKHOSTNAME is resolvable"; sleep 5; done' \
+        && ./entrypoint.sh traefik
    ports:
      - "15002:15002"
      - "16002:16002"
      - "16003:16003"
      - "80:80"
+      - "8080:8080"
      - "443:443"
+      - "8443:8443"
      - "16001:16001"
      - "16004:16004"
      - "16005:16005"
@@ -209,3 +249,30 @@ services:
      - "16006:16006"
      - "5912:5912"
      - "5913:5913"
+      - "1812:1812/udp"
+      - "1813:1813/udp"
+      - "3799:3799/udp"
+
+  postgresql:
+    image: "postgres:${POSTGRESQL_TAG}"
+    networks:
+      openwifi:
+    command:
+      - "postgres"
+      - "-c"
+      - "max_connections=400"
+      - "-c"
+      - "shared_buffers=20MB"
+    env_file:
+      - postgresql.env
+    restart: unless-stopped
+    volumes:
+      - postgresql_data:/var/lib/postgresql/data
+      - ./postgresql/init-db.sh:/docker-entrypoint-initdb.d/init-db.sh
+    healthcheck:
+      # owsub is the last DB created in init-db.sh
+      test: ["CMD-SHELL", "pg_isready -U postgres -d owsub"]
+      interval: 10s
+      retries: 5
+      start_period: 30s
+      timeout: 10s
--- a/docker-compose/docker-compose.lb.selfsigned.yml
+++ b/docker-compose/docker-compose.lb.selfsigned.yml
@@ -1,5 +1,3 @@
-version: '3'
-
 volumes:
  owgw_data:
    driver: local
@@ -13,12 +11,10 @@ volumes:
    driver: local
  owsub_data:
    driver: local
-  zookeeper_data:
-    driver: local
-  zookeeper_datalog:
-    driver: local
  kafka_data:
    driver: local
+  postgresql_data:
+    driver: local

 networks:
  openwifi:
@@ -34,7 +30,11 @@ services:
      - .env.selfsigned
      - owgw.env
    depends_on:
-      - kafka
+      init-kafka:
+        condition: service_completed_successfully
+      postgresql:
+        condition: service_healthy
+    command: ["./wait-for-postgres.sh", "postgresql", "/openwifi/owgw"]
    restart: unless-stopped
    volumes:
      - owgw_data:${OWGW_ROOT}/persist
@@ -46,8 +46,6 @@ services:

  owgw-ui:
    image: "tip-tip-wlan-cloud-ucentral.jfrog.io/owgw-ui:${OWGWUI_TAG}"
-    env_file: 
-      - owgw-ui.env
    networks:
      openwifi:
        aliases:
@@ -71,7 +69,11 @@ services:
      - .env.selfsigned
      - owsec.env
    depends_on:
-      - kafka
+      init-kafka:
+        condition: service_completed_successfully
+      postgresql:
+        condition: service_healthy
+    command: ["./wait-for-postgres.sh", "postgresql", "/openwifi/owsec"]
    restart: unless-stopped
    volumes:
      - owsec_data:${OWSEC_ROOT}/persist
@@ -87,7 +89,11 @@ services:
      - .env.selfsigned
      - owfms.env
    depends_on:
-      - kafka
+      init-kafka:
+        condition: service_completed_successfully
+      postgresql:
+        condition: service_healthy
+    command: ["./wait-for-postgres.sh", "postgresql", "/openwifi/owfms"]
    restart: unless-stopped
    volumes:
      - owfms_data:${OWFMS_ROOT}/persist
@@ -103,7 +109,11 @@ services:
      - .env.selfsigned
      - owprov.env
    depends_on:
-      - kafka
+      init-kafka:
+        condition: service_completed_successfully
+      postgresql:
+        condition: service_healthy
+    command: ["./wait-for-postgres.sh", "postgresql", "/openwifi/owprov"]
    restart: unless-stopped
    volumes:
      - owprov_data:${OWPROV_ROOT}
@@ -134,7 +144,11 @@ services:
      - .env.selfsigned
      - owanalytics.env
    depends_on:
-      - kafka
+      init-kafka:
+        condition: service_completed_successfully
+      postgresql:
+        condition: service_healthy
+    command: ["./wait-for-postgres.sh", "postgresql", "/openwifi/owanalytics"]
    restart: unless-stopped
    volumes:
      - owanalytics_data:${OWANALYTICS_ROOT}
@@ -150,21 +164,16 @@ services:
      - .env.selfsigned
      - owsub.env
    depends_on:
-      - kafka
+      init-kafka:
+        condition: service_completed_successfully
+      postgresql:
+        condition: service_healthy
+    command: ["./wait-for-postgres.sh", "postgresql", "/openwifi/owsub"]
    restart: unless-stopped
    volumes:
      - owsub_data:${OWSUB_ROOT}
      - ./certs:/${OWSUB_ROOT}/certs

-  zookeeper:
-    image: "zookeeper:${ZOOKEEPER_TAG}"
-    networks:
-      openwifi:
-    restart: unless-stopped
-    volumes:
-      - zookeeper_data:/data
-      - zookeeper_datalog:/datalog
-
  kafka:
    image: "docker.io/bitnami/kafka:${KAFKA_TAG}"
    networks:
@@ -172,11 +181,30 @@ services:
    env_file:
      - kafka.env
    restart: unless-stopped
-    depends_on:
-      - zookeeper
    volumes:
      - kafka_data:/bitnami/kafka

+  init-kafka:
+    image: "docker.io/bitnami/kafka:${KAFKA_TAG}"
+    networks:
+      openwifi:
+    depends_on:
+      - kafka
+    env_file:
+      - kafka.env
+    entrypoint:
+      - /bin/sh
+      - -c
+      - |
+        echo "Sleeping to allow kafka to start up..."
+        sleep 10
+        echo "Creating all required Kafka topics..."
+        for topic in $$TOPICS; do
+          /opt/bitnami/kafka/bin/kafka-topics.sh \
+          --create --if-not-exists --topic $$topic --replication-factor 1 \
+          --partitions 1 --bootstrap-server kafka:9092
+        done && echo "Successfully created Kafka topics, exiting." && exit 0
+
  traefik:
    image: "traefik:${TRAEFIK_TAG}"
    networks:
@@ -190,6 +218,8 @@ services:
      - owfms
      - owprov
      - owprov-ui
+      - owanalytics
+      - owsub
    restart: unless-stopped
    volumes:
      - "./traefik/openwifi_selfsigned.yaml:/etc/traefik/openwifi.yaml"
@@ -208,5 +238,33 @@ services:
      - "16004:16004"
      - "16005:16005"
      - "16009:16009"
+      - "16006:16006"
      - "5912:5912"
      - "5913:5913"
+      - "1812:1812/udp"
+      - "1813:1813/udp"
+      - "3799:3799/udp"
+
+  postgresql:
+    image: "postgres:${POSTGRESQL_TAG}"
+    networks:
+      openwifi:
+    command:
+      - "postgres"
+      - "-c"
+      - "max_connections=400"
+      - "-c"
+      - "shared_buffers=20MB"
+    env_file:
+      - postgresql.env
+    restart: unless-stopped
+    volumes:
+      - postgresql_data:/var/lib/postgresql/data
+      - ./postgresql/init-db.sh:/docker-entrypoint-initdb.d/init-db.sh
+    healthcheck:
+      # owsub is the last DB created in init-db.sh
+      test: ["CMD-SHELL", "pg_isready -U postgres -d owsub"]
+      interval: 10s
+      retries: 5
+      start_period: 30s
+      timeout: 10s
--- a/docker-compose/docker-compose.postgresql.yml
+++ b/docker-compose/docker-compose.postgresql.yml
@@ -1,47 +0,0 @@
-version: '3'
-
-volumes:
-  postgresql_data:
-    driver: local
-
-services:
-  owgw:
-    depends_on:
-      - postgresql
-    command: ["./wait-for-postgres.sh", "postgresql", "/openwifi/owgw"]
-
-  owsec:
-    depends_on:
-      - postgresql
-    command: ["./wait-for-postgres.sh", "postgresql", "/openwifi/owsec"]
-
-  owfms:
-    depends_on:
-      - postgresql
-    command: ["./wait-for-postgres.sh", "postgresql", "/openwifi/owfms"]
-
-  owprov:
-    depends_on:
-      - postgresql
-    command: ["./wait-for-postgres.sh", "postgresql", "/openwifi/owprov"]
-
-  owanalytics:
-    depends_on:
-      - postgresql
-    command: ["./wait-for-postgres.sh", "postgresql", "/openwifi/owanalytics"]
-
-  owsub:
-    depends_on:
-      - postgresql
-    command: ["./wait-for-postgres.sh", "postgresql", "/openwifi/owsub"]
-
-  postgresql:
-    image: "postgres:${POSTGRESQL_TAG}"
-    networks:
-      openwifi:
-    env_file:
-      - postgresql.env
-    restart: unless-stopped
-    volumes:
-      - postgresql_data:/var/lib/postgresql/data
-      - ./postgresql/init-db.sh:/docker-entrypoint-initdb.d/init-db.sh
--- a/docker-compose/docker-compose.yml
+++ b/docker-compose/docker-compose.yml
@@ -1,12 +1,8 @@
-version: '3'
-
 volumes:
-  zookeeper_data:
-    driver: local
-  zookeeper_datalog:
-    driver: local
  kafka_data:
    driver: local
+  postgresql_data:
+    driver: local

 networks:
  openwifi:
@@ -21,7 +17,11 @@ services:
    env_file:
      - owgw.env
    depends_on:
-      - kafka
+      init-kafka:
+        condition: service_completed_successfully
+      postgresql:
+        condition: service_healthy
+    command: ["./wait-for-postgres.sh", "postgresql", "/openwifi/owgw"]
    restart: unless-stopped
    volumes:
      - "./owgw_data:${OWGW_ROOT}"
@@ -33,6 +33,9 @@ services:
      - "16003:16003"
      - "5912:5912"
      - "5913:5913"
+      - "1812:1812/udp"
+      - "1813:1813/udp"
+      - "3799:3799/udp"
    sysctls:
      - net.ipv4.tcp_keepalive_intvl=5
      - net.ipv4.tcp_keepalive_probes=2
@@ -49,6 +52,8 @@ services:
      - owgw
      - owfms
      - owprov
+      - owanalytics
+      - owsub
    restart: unless-stopped
    volumes:
      - "./owgw-ui/default.conf:/etc/nginx/conf.d/default.conf"
@@ -67,7 +72,11 @@ services:
    env_file:
      - owsec.env
    depends_on:
-      - kafka
+      init-kafka:
+        condition: service_completed_successfully
+      postgresql:
+        condition: service_healthy
+    command: ["./wait-for-postgres.sh", "postgresql", "/openwifi/owsec"]
    restart: unless-stopped
    volumes:
      - "./owsec_data:${OWSEC_ROOT}"
@@ -85,7 +94,11 @@ services:
    env_file:
      - owfms.env
    depends_on:
-      - kafka
+      init-kafka:
+        condition: service_completed_successfully
+      postgresql:
+        condition: service_healthy
+    command: ["./wait-for-postgres.sh", "postgresql", "/openwifi/owfms"]
    restart: unless-stopped
    volumes:
      - "./owfms_data:${OWFMS_ROOT}"
@@ -103,7 +116,11 @@ services:
    env_file:
      - owprov.env
    depends_on:
-      - kafka
+      init-kafka:
+        condition: service_completed_successfully
+      postgresql:
+        condition: service_healthy
+    command: ["./wait-for-postgres.sh", "postgresql", "/openwifi/owprov"]
    restart: unless-stopped
    volumes:
      - "./owprov_data:${OWPROV_ROOT}"
@@ -123,6 +140,8 @@ services:
      - owgw
      - owfms
      - owprov
+      - owanalytics
+      - owsub
    restart: unless-stopped
    volumes:
      - "./owprov-ui/default.conf:/etc/nginx/conf.d/default.conf"
@@ -141,7 +160,11 @@ services:
    env_file:
      - owanalytics.env
    depends_on:
-      - kafka
+      init-kafka:
+        condition: service_completed_successfully
+      postgresql:
+        condition: service_healthy
+    command: ["./wait-for-postgres.sh", "postgresql", "/openwifi/owanalytics"]
    restart: unless-stopped
    volumes:
      - "./owanalytics_data:${OWANALYTICS_ROOT}"
@@ -159,7 +182,11 @@ services:
    env_file:
      - owsub.env
    depends_on:
-      - kafka
+      init-kafka:
+        condition: service_completed_successfully
+      postgresql:
+        condition: service_healthy
+    command: ["./wait-for-postgres.sh", "postgresql", "/openwifi/owsub"]
    restart: unless-stopped
    volumes:
      - "./owsub_data:${OWSUB_ROOT}"
@@ -168,15 +195,6 @@ services:
      - "16006:16006"
      - "16106:16106"

-  zookeeper:
-    image: "zookeeper:${ZOOKEEPER_TAG}"
-    networks:
-      openwifi:
-    restart: unless-stopped
-    volumes:
-      - zookeeper_data:/data
-      - zookeeper_datalog:/datalog
-
  kafka:
    image: "docker.io/bitnami/kafka:${KAFKA_TAG}"
    networks:
@@ -184,7 +202,50 @@ services:
    env_file:
      - kafka.env
    restart: unless-stopped
-    depends_on:
-      - zookeeper
    volumes:
      - kafka_data:/bitnami/kafka
+
+  init-kafka:
+    image: "docker.io/bitnami/kafka:${KAFKA_TAG}"
+    networks:
+      openwifi:
+    depends_on:
+      - kafka
+    env_file:
+      - kafka.env
+    entrypoint:
+      - /bin/sh
+      - -c
+      - |
+        echo "Sleeping to allow kafka to start up..."
+        sleep 10
+        echo "Creating all required Kafka topics..."
+        for topic in $$TOPICS; do
+          /opt/bitnami/kafka/bin/kafka-topics.sh \
+          --create --if-not-exists --topic $$topic --replication-factor 1 \
+          --partitions 1 --bootstrap-server kafka:9092
+        done && echo "Successfully created Kafka topics, exiting." && exit 0
+
+  postgresql:
+    image: "postgres:${POSTGRESQL_TAG}"
+    networks:
+      openwifi:
+    command:
+      - "postgres"
+      - "-c"
+      - "max_connections=400"
+      - "-c"
+      - "shared_buffers=20MB"
+    env_file:
+      - postgresql.env
+    restart: unless-stopped
+    volumes:
+      - postgresql_data:/var/lib/postgresql/data
+      - ./postgresql/init-db.sh:/docker-entrypoint-initdb.d/init-db.sh
+    healthcheck:
+      # owsub is the last DB created in init-db.sh
+      test: ["CMD-SHELL", "pg_isready -U postgres -d owsub"]
+      interval: 10s
+      retries: 5
+      start_period: 30s
+      timeout: 10s
--- a/docker-compose/kafka.env
+++ b/docker-compose/kafka.env
@@ -1,2 +1,10 @@
-KAFKA_CFG_ZOOKEEPER_CONNECT=zookeeper:2181
 ALLOW_PLAINTEXT_LISTENER=yes
+TOPICS=command connection device_event_queue device_telemetry healthcheck provisioning_change service_events state wifiscan
+KAFKA_CFG_NODE_ID=0
+KAFKA_CFG_PROCESS_ROLES=controller,broker
+KAFKA_CFG_CONTROLLER_QUORUM_VOTERS=0@kafka:9093
+KAFKA_CFG_LISTENERS=PLAINTEXT://:9092,CONTROLLER://:9093
+KAFKA_CFG_ADVERTISED_LISTENERS=PLAINTEXT://:9092
+KAFKA_CFG_LISTENER_SECURITY_PROTOCOL_MAP=CONTROLLER:PLAINTEXT,PLAINTEXT:PLAINTEXT
+KAFKA_CFG_CONTROLLER_LISTENER_NAMES=CONTROLLER
+KAFKA_CFG_INTER_BROKER_LISTENER_NAME=PLAINTEXT
--- a/docker-compose/owanalytics.env
+++ b/docker-compose/owanalytics.env
@@ -23,16 +23,19 @@ SYSTEM_DATA=$OWANALYTICS_ROOT/persist
 SYSTEM_URI_PRIVATE=https://owanalytics.wlan.local:17009
 SYSTEM_URI_PUBLIC=https://openwifi.wlan.local:16009
 SYSTEM_URI_UI=https://openwifi.wlan.local
+
+#SECURITY_RESTAPI_DISABLE=false
 #KAFKA_ENABLE=true
 KAFKA_BROKERLIST=kafka:9092
-#STORAGE_TYPE=sqlite
-#STORAGE_TYPE_POSTGRESQL_HOST=localhost
-#STORAGE_TYPE_POSTGRESQL_USERNAME=owanalytics
-#STORAGE_TYPE_POSTGRESQL_PASSWORD=owanalytics
-#STORAGE_TYPE_POSTGRESQL_DATABASE=owanalytics
-#STORAGE_TYPE_POSTGRESQL_PORT=5432
+STORAGE_TYPE=postgresql
+STORAGE_TYPE_POSTGRESQL_HOST=postgresql
+STORAGE_TYPE_POSTGRESQL_USERNAME=owanalytics
+STORAGE_TYPE_POSTGRESQL_PASSWORD=owanalytics
+STORAGE_TYPE_POSTGRESQL_DATABASE=owanalytics
+STORAGE_TYPE_POSTGRESQL_PORT=5432
 #STORAGE_TYPE_MYSQL_HOST=localhost
 #STORAGE_TYPE_MYSQL_USERNAME=owanalytics
 #STORAGE_TYPE_MYSQL_PASSWORD=owanalytics
 #STORAGE_TYPE_MYSQL_DATABASE=owanalytics
 #STORAGE_TYPE_MYSQL_PORT=3306
+#STORAGE_TYPE=sqlite
--- a/docker-compose/owfms.env
+++ b/docker-compose/owfms.env
@@ -21,6 +21,7 @@ SYSTEM_DATA=$OWFMS_ROOT/persist
 SYSTEM_URI_PRIVATE=https://owfms.wlan.local:17004
 SYSTEM_URI_PUBLIC=https://openwifi.wlan.local:16004
 SYSTEM_URI_UI=https://openwifi.wlan.local
+#SECURITY_RESTAPI_DISABLE=false
 #S3_BUCKETNAME=ucentral-ap-firmware
 #S3_REGION=us-east-1
 S3_SECRET=b0S6EiR5RLIxoe7Xvz9YXPPdxQCoZ6ze37qunTAI
@@ -28,14 +29,15 @@ S3_KEY=AKIAUG47UZG7R6SRLD7F
 #S3_BUCKET_URI=ucentral-ap-firmware.s3.amazonaws.com
 #KAFKA_ENABLE=true
 KAFKA_BROKERLIST=kafka:9092
-#STORAGE_TYPE=sqlite
-#STORAGE_TYPE_POSTGRESQL_HOST=localhost
-#STORAGE_TYPE_POSTGRESQL_USERNAME=owfms
-#STORAGE_TYPE_POSTGRESQL_PASSWORD=owfms
-#STORAGE_TYPE_POSTGRESQL_DATABASE=owfms
-#STORAGE_TYPE_POSTGRESQL_PORT=5432
+STORAGE_TYPE=postgresql
+STORAGE_TYPE_POSTGRESQL_HOST=postgresql
+STORAGE_TYPE_POSTGRESQL_USERNAME=owfms
+STORAGE_TYPE_POSTGRESQL_PASSWORD=owfms
+STORAGE_TYPE_POSTGRESQL_DATABASE=owfms
+STORAGE_TYPE_POSTGRESQL_PORT=5432
 #STORAGE_TYPE_MYSQL_HOST=localhost
 #STORAGE_TYPE_MYSQL_USERNAME=owfms
 #STORAGE_TYPE_MYSQL_PASSWORD=owfms
 #STORAGE_TYPE_MYSQL_DATABASE=owfms
 #STORAGE_TYPE_MYSQL_PORT=3306
+#STORAGE_TYPE=sqlite
--- a/docker-compose/owgw-ui.env
+++ b/docker-compose/owgw-ui.env
@@ -1,2 +1 @@
-DEFAULT_UCENTRALSEC_URL=https://openwifi.wlan.local:16001
-ALLOW_UCENTRALSEC_CHANGE=false
+REACT_APP_UCENTRALSEC_URL=https://openwifi.wlan.local:16001
--- a/docker-compose/owgw.env
+++ b/docker-compose/owgw.env
@@ -37,7 +37,11 @@ SYSTEM_DATA=$OWGW_ROOT/persist
 SYSTEM_URI_PRIVATE=https://owgw.wlan.local:17002
 SYSTEM_URI_PUBLIC=https://openwifi.wlan.local:16002
 SYSTEM_URI_UI=https://openwifi.wlan.local
+#SECURITY_RESTAPI_DISABLE=false
 #SIMULATORID=
+#IPTOCOUNTRY_PROVIDER=ipinfo
+#IPTOCOUNTRY_IPINFO_TOKEN=
+#IPTOCOUNTRY_IPDATA_APIKEY=
 #RTTY_INTERNAL=true
 #RTTY_ENABLED=true
 RTTY_SERVER=openwifi.wlan.local
@@ -46,16 +50,23 @@ RTTY_SERVER=openwifi.wlan.local
 #RTTY_TIMEOUT=60
 #RTTY_VIEWPORT=5913
 #RTTY_ASSETS=$OWGW_ROOT/rtty_ui
+RADIUS_PROXY_ENABLE=true
+#RADIUS_PROXY_ACCOUNTING_PORT=1813
+#RADIUS_PROXY_AUTHENTICATION_PORT=1812
+#RADIUS_PROXY_COA_PORT=3799
 #KAFKA_ENABLE=true
 KAFKA_BROKERLIST=kafka:9092
-#STORAGE_TYPE=sqlite
-#STORAGE_TYPE_POSTGRESQL_HOST=localhost
-#STORAGE_TYPE_POSTGRESQL_USERNAME=owgw
-#STORAGE_TYPE_POSTGRESQL_PASSWORD=owgw
-#STORAGE_TYPE_POSTGRESQL_DATABASE=owgw
-#STORAGE_TYPE_POSTGRESQL_PORT=5432
+STORAGE_TYPE=postgresql
+STORAGE_TYPE_POSTGRESQL_HOST=postgresql
+STORAGE_TYPE_POSTGRESQL_USERNAME=owgw
+STORAGE_TYPE_POSTGRESQL_PASSWORD=owgw
+STORAGE_TYPE_POSTGRESQL_DATABASE=owgw
+STORAGE_TYPE_POSTGRESQL_PORT=5432
 #STORAGE_TYPE_MYSQL_HOST=localhost
 #STORAGE_TYPE_MYSQL_USERNAME=owgw
 #STORAGE_TYPE_MYSQL_PASSWORD=owgw
 #STORAGE_TYPE_MYSQL_DATABASE=owgw
 #STORAGE_TYPE_MYSQL_PORT=3306
+#STORAGE_TYPE=sqlite
+
+#CERTIFICATES_ALLOWMISMATCH=false
--- a/docker-compose/owls/.env
+++ b/docker-compose/owls/.env
@@ -1,10 +1,14 @@
-# Image tags
 COMPOSE_PROJECT_NAME=owls
-OWSEC_TAG=main
-OWLS_TAG=main
-OWLSUI_TAG=master
-KAFKA_TAG=latest
-ZOOKEEPER_TAG=latest
+
+# Image tags
+# Currently main branches don't work - owlsui is not compatible with owls.
+#OWSEC_TAG=main
+#OWLS_TAG=main
+#OWLSUI_TAG=master
+OWSEC_TAG=v2.9.0
+OWLS_TAG=v2.9.0
+OWLSUI_TAG=v2.9.0
+KAFKA_TAG=3.7-debian-12

 # Microservice root/config directories
 OWSEC_ROOT=/owsec-data
--- a/docker-compose/owls/README.md
+++ b/docker-compose/owls/README.md
@@ -1,6 +1,6 @@
 # OpenWifi OWLS Docker Compose
 ## Deployment with self-signed certificates
-To run a load simulation you need to generate a specific Digicert-signed AP certificate which will be used to connect to the gateway. The certificate serial number has to start with the digits `53494d` since otherwise the gateway won't allow a load simulation. The rest of the serial number and the specified redirector URL can be chosen randomly. You only need to generate one AP certificate for your simulations.  
+To run a load simulation you need to generate a specific Digicert-signed AP certificate which will be used to connect to the gateway. The certificate serial number has to start with the digits `53494d` since otherwise the gateway won't allow a load simulation. The rest of the serial number and the specified redirector URL can be chosen randomly. You only need to generate one AP certificate for your simulations.
 Be aware that since the OWLS deployment partly exposes the same ports on the host as the OpenWifi deployment, it is not intended that both run on the same host.
 1. Copy or move your AP load simulation certificate into the `docker-compose/certs` directory. Don't forget to name the files `device-cert.pem` and `device-key.pem` or adapt the path names in the OWLS configuration if you're using different file names.
 2. To be able to run load simulation tests against your OpenWifi SDK deployment, you'll have to [add the serial number of your generated AP certificate to the gateway configuration](https://github.com/Telecominfraproject/wlan-cloud-owls#prepare-your-openwifi-gateway). You can do that by either editing [owgw.env](../owgw.env) or doing the changes directly in your OWGW configuration file if it is exposed on your Docker host.
--- a/docker-compose/owls/deploy_owls.sh
+++ b/docker-compose/owls/deploy_owls.sh
@@ -57,7 +57,7 @@ cd wlan-cloud-ucentral-deploy/docker-compose/owls
 sed -i "s~\(^INTERNAL_OWSEC_HOSTNAME=\).*~\1$INTERNAL_OWSEC_HOSTNAME~" .env
 sed -i "s~\(^INTERNAL_OWLS_HOSTNAME=\).*~\1$INTERNAL_OWLS_HOSTNAME~" .env

-sed -i "s~\(^DEFAULT_UCENTRALSEC_URL=\).*~\1$DEFAULT_UCENTRALSEC_URL~" owls-ui.env
+sed -i "s~\(^REACT_APP_UCENTRALSEC_URL=\).*~\1$DEFAULT_UCENTRALSEC_URL~" owls-ui.env

 sed -i "s~.*AUTHENTICATION_DEFAULT_USERNAME=.*~AUTHENTICATION_DEFAULT_USERNAME=$OWSEC_AUTHENTICATION_DEFAULT_USERNAME~" owsec.env
 sed -i "s~.*AUTHENTICATION_DEFAULT_PASSWORD=.*~AUTHENTICATION_DEFAULT_PASSWORD=$OWSEC_AUTHENTICATION_DEFAULT_PASSWORD~" owsec.env
--- a/docker-compose/owls/docker-compose.yml
+++ b/docker-compose/owls/docker-compose.yml
@@ -1,10 +1,4 @@
-version: '3'
-
 volumes:
-  zookeeper_data:
-    driver: local
-  zookeeper_datalog:
-    driver: local
  kafka_data:
    driver: local

@@ -21,7 +15,8 @@ services:
    env_file:
      - owsec.env
    depends_on:
-      - kafka
+      init-kafka:
+        condition: service_completed_successfully
    restart: unless-stopped
    volumes:
      - "./owsec_data:${OWSEC_ROOT}"
@@ -39,8 +34,10 @@ services:
    env_file:
      - owls.env
    depends_on:
-      - owsec
-      - kafka
+      owsec:
+        condition: service_started
+      init-kafka:
+        condition: service_completed_successfully
    restart: unless-stopped
    volumes:
      - "./owls_data:${OWLS_ROOT}"
@@ -67,15 +64,6 @@ services:
      - "80:80"
      - "443:443"

-  zookeeper:
-    image: "zookeeper:${ZOOKEEPER_TAG}"
-    networks:
-      owls:
-    restart: unless-stopped
-    volumes:
-      - zookeeper_data:/data
-      - zookeeper_datalog:/datalog
-
  kafka:
    image: "docker.io/bitnami/kafka:${KAFKA_TAG}"
    networks:
@@ -83,7 +71,26 @@ services:
    env_file:
      - kafka.env
    restart: unless-stopped
-    depends_on:
-      - zookeeper
    volumes:
      - kafka_data:/bitnami/kafka
+
+  init-kafka:
+    image: "docker.io/bitnami/kafka:${KAFKA_TAG}"
+    networks:
+      owls:
+    depends_on:
+      - kafka
+    env_file:
+      - kafka.env
+    entrypoint:
+      - /bin/sh
+      - -c
+      - |
+        echo "Sleeping to allow kafka to start up..."
+        sleep 10
+        echo "Creating all required Kafka topics..."
+        for topic in $$TOPICS; do
+          /opt/bitnami/kafka/bin/kafka-topics.sh \
+          --create --if-not-exists --topic $$topic --replication-factor 1 \
+          --partitions 1 --bootstrap-server kafka:9092
+        done && echo "Successfully created Kafka topics, exiting." && exit 0
--- a/docker-compose/owls/kafka.env
+++ b/docker-compose/owls/kafka.env
@@ -1,2 +1,10 @@
-KAFKA_CFG_ZOOKEEPER_CONNECT=zookeeper:2181
 ALLOW_PLAINTEXT_LISTENER=yes
+TOPICS=service_events
+KAFKA_CFG_NODE_ID=0
+KAFKA_CFG_PROCESS_ROLES=controller,broker
+KAFKA_CFG_CONTROLLER_QUORUM_VOTERS=0@kafka:9093
+KAFKA_CFG_LISTENERS=PLAINTEXT://:9092,CONTROLLER://:9093
+KAFKA_CFG_ADVERTISED_LISTENERS=PLAINTEXT://:9092
+KAFKA_CFG_LISTENER_SECURITY_PROTOCOL_MAP=CONTROLLER:PLAINTEXT,PLAINTEXT:PLAINTEXT
+KAFKA_CFG_CONTROLLER_LISTENER_NAMES=CONTROLLER
+KAFKA_CFG_INTER_BROKER_LISTENER_NAME=PLAINTEXT
--- a/docker-compose/owls/owls-ui.env
+++ b/docker-compose/owls/owls-ui.env
@@ -1,2 +1 @@
-DEFAULT_UCENTRALSEC_URL=https://openwifi-owls.wlan.local:16001
-ALLOW_UCENTRALSEC_CHANGE=false
+REACT_APP_UCENTRALSEC_URL=https://openwifi.wlan.local:16001
--- a/docker-compose/owprov.env
+++ b/docker-compose/owprov.env
@@ -23,16 +23,18 @@ SYSTEM_DATA=$OWPROV_ROOT/persist
 SYSTEM_URI_PRIVATE=https://owprov.wlan.local:17005
 SYSTEM_URI_PUBLIC=https://openwifi.wlan.local:16005
 SYSTEM_URI_UI=https://openwifi.wlan.local
+#SECURITY_RESTAPI_DISABLE=false
 #KAFKA_ENABLE=true
 KAFKA_BROKERLIST=kafka:9092
-#STORAGE_TYPE=sqlite
-#STORAGE_TYPE_POSTGRESQL_HOST=localhost
-#STORAGE_TYPE_POSTGRESQL_USERNAME=owprov
-#STORAGE_TYPE_POSTGRESQL_PASSWORD=owprov
-#STORAGE_TYPE_POSTGRESQL_DATABASE=owprov
-#STORAGE_TYPE_POSTGRESQL_PORT=5432
+STORAGE_TYPE=postgresql
+STORAGE_TYPE_POSTGRESQL_HOST=postgresql
+STORAGE_TYPE_POSTGRESQL_USERNAME=owprov
+STORAGE_TYPE_POSTGRESQL_PASSWORD=owprov
+STORAGE_TYPE_POSTGRESQL_DATABASE=owprov
+STORAGE_TYPE_POSTGRESQL_PORT=5432
 #STORAGE_TYPE_MYSQL_HOST=localhost
 #STORAGE_TYPE_MYSQL_USERNAME=owprov
 #STORAGE_TYPE_MYSQL_PASSWORD=owprov
 #STORAGE_TYPE_MYSQL_DATABASE=owprov
 #STORAGE_TYPE_MYSQL_PORT=3306
+#STORAGE_TYPE=sqlite
--- a/docker-compose/owsec.env
+++ b/docker-compose/owsec.env
@@ -22,6 +22,7 @@ SYSTEM_DATA=$OWSEC_ROOT/persist
 SYSTEM_URI_PRIVATE=https://owsec.wlan.local:17001
 SYSTEM_URI_PUBLIC=https://openwifi.wlan.local:16001
 SYSTEM_URI_UI=https://openwifi.wlan.local
+#SECURITY_RESTAPI_DISABLE=false
 #SERVICE_KEY=$OWSEC_ROOT/certs/restapi-key.pem
 #SERVICE_KEY_PASSWORD=mypassword
 #MAILER_HOSTNAME=localhost
@@ -34,14 +35,15 @@ SYSTEM_URI_UI=https://openwifi.wlan.local
 KAFKA_BROKERLIST=kafka:9092
 #DOCUMENT_POLICY_ACCESS=$OWSEC_ROOT/wwwassets/access_policy.html
 #DOCUMENT_POLICY_PASSWORD=$OWSEC_ROOT/wwwassets/password_policy.html
-#STORAGE_TYPE=sqlite
-#STORAGE_TYPE_POSTGRESQL_HOST=localhost
-#STORAGE_TYPE_POSTGRESQL_USERNAME=owsec
-#STORAGE_TYPE_POSTGRESQL_PASSWORD=owsec
-#STORAGE_TYPE_POSTGRESQL_DATABASE=owsec
-#STORAGE_TYPE_POSTGRESQL_PORT=5432
+STORAGE_TYPE=postgresql
+STORAGE_TYPE_POSTGRESQL_HOST=postgresql
+STORAGE_TYPE_POSTGRESQL_USERNAME=owsec
+STORAGE_TYPE_POSTGRESQL_PASSWORD=owsec
+STORAGE_TYPE_POSTGRESQL_DATABASE=owsec
+STORAGE_TYPE_POSTGRESQL_PORT=5432
 #STORAGE_TYPE_MYSQL_HOST=localhost
 #STORAGE_TYPE_MYSQL_USERNAME=owsec
 #STORAGE_TYPE_MYSQL_PASSWORD=owsec
 #STORAGE_TYPE_MYSQL_DATABASE=owsec
 #STORAGE_TYPE_MYSQL_PORT=3306
+#STORAGE_TYPE=sqlite
--- a/docker-compose/owsub.env
+++ b/docker-compose/owsub.env
@@ -23,16 +23,18 @@ SYSTEM_DATA=$OWSUB_ROOT/persist
 SYSTEM_URI_PRIVATE=https://owsub.wlan.local:17006
 SYSTEM_URI_PUBLIC=https://openwifi.wlan.local:16006
 SYSTEM_URI_UI=https://openwifi.wlan.local
+#SECURITY_RESTAPI_DISABLE=false
 #KAFKA_ENABLE=true
 KAFKA_BROKERLIST=kafka:9092
-#STORAGE_TYPE=sqlite
-#STORAGE_TYPE_POSTGRESQL_HOST=localhost
-#STORAGE_TYPE_POSTGRESQL_USERNAME=owsub
-#STORAGE_TYPE_POSTGRESQL_PASSWORD=owsub
-#STORAGE_TYPE_POSTGRESQL_DATABASE=owsub
-#STORAGE_TYPE_POSTGRESQL_PORT=5432
+STORAGE_TYPE=postgresql
+STORAGE_TYPE_POSTGRESQL_HOST=postgresql
+STORAGE_TYPE_POSTGRESQL_USERNAME=owsub
+STORAGE_TYPE_POSTGRESQL_PASSWORD=owsub
+STORAGE_TYPE_POSTGRESQL_DATABASE=owsub
+STORAGE_TYPE_POSTGRESQL_PORT=5432
 #STORAGE_TYPE_MYSQL_HOST=localhost
 #STORAGE_TYPE_MYSQL_USERNAME=owsub
 #STORAGE_TYPE_MYSQL_PASSWORD=owsub
 #STORAGE_TYPE_MYSQL_DATABASE=owsub
 #STORAGE_TYPE_MYSQL_PORT=3306
+#STORAGE_TYPE=sqlite
--- a/docker-compose/postgresql.env
+++ b/docker-compose/postgresql.env
@@ -15,6 +15,6 @@ OWPROV_DB_PASSWORD=owprov
 OWANALYTICS_DB=owanalytics
 OWANALYTICS_DB_USER=owanalytics
 OWANALYTICS_DB_PASSWORD=owanalytics
-OWUSB_DB=owsub
-OWUSB_DB_USER=owsub
-OWUSB_DB_PASSWORD=owsub
+OWSUB_DB=owsub
+OWSUB_DB_USER=owsub
+OWSUB_DB_PASSWORD=owsub
--- a/docker-compose/postgresql/init-db.sh
+++ b/docker-compose/postgresql/init-db.sh
@@ -3,21 +3,15 @@ set -e

 psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" <<-EOSQL
    CREATE USER $OWGW_DB_USER WITH ENCRYPTED PASSWORD '$OWGW_DB_PASSWORD';
-    CREATE DATABASE $OWGW_DB;
-    GRANT ALL PRIVILEGES ON DATABASE $OWGW_DB TO $OWGW_DB_USER;
+    CREATE DATABASE $OWGW_DB OWNER $OWGW_DB_USER;
    CREATE USER $OWSEC_DB_USER WITH ENCRYPTED PASSWORD '$OWSEC_DB_PASSWORD';
-    CREATE DATABASE $OWSEC_DB;
-    GRANT ALL PRIVILEGES ON DATABASE $OWSEC_DB TO $OWSEC_DB_USER;
+    CREATE DATABASE $OWSEC_DB OWNER $OWSEC_DB_USER;
    CREATE USER $OWFMS_DB_USER WITH ENCRYPTED PASSWORD '$OWFMS_DB_PASSWORD';
-    CREATE DATABASE $OWFMS_DB;
-    GRANT ALL PRIVILEGES ON DATABASE $OWFMS_DB TO $OWFMS_DB_USER;
+    CREATE DATABASE $OWFMS_DB OWNER $OWFMS_DB_USER;
    CREATE USER $OWPROV_DB_USER WITH ENCRYPTED PASSWORD '$OWPROV_DB_PASSWORD';
-    CREATE DATABASE $OWPROV_DB;
-    GRANT ALL PRIVILEGES ON DATABASE $OWPROV_DB TO $OWPROV_DB_USER;
+    CREATE DATABASE $OWPROV_DB OWNER $OWPROV_DB_USER;
    CREATE USER $OWANALYTICS_DB_USER WITH ENCRYPTED PASSWORD '$OWANALYTICS_DB_PASSWORD';
-    CREATE DATABASE $OWANALYTICS_DB;
-    GRANT ALL PRIVILEGES ON DATABASE $OWANALYTICS_DB TO $OWANALYTICS_DB_USER;
+    CREATE DATABASE $OWANALYTICS_DB OWNER $OWANALYTICS_DB_USER;
    CREATE USER $OWSUB_DB_USER WITH ENCRYPTED PASSWORD '$OWSUB_DB_PASSWORD';
-    CREATE DATABASE $OWSUB_DB;
-    GRANT ALL PRIVILEGES ON DATABASE $OWSUB_DB TO $OWSUB_DB_USER;
+    CREATE DATABASE $OWSUB_DB OWNER $OWSUB_DB_USER;
 EOSQL
--- a/docker-compose/traefik.env
+++ b/docker-compose/traefik.env
@@ -3,6 +3,9 @@ TRAEFIK_ENTRYPOINTS_OWGWRESTAPI_ADDRESS=:16002
 TRAEFIK_ENTRYPOINTS_OWGWFILEUPLOAD_ADDRESS=:16003
 TRAEFIK_ENTRYPOINTS_OWGWRTTYS_ADDRESS=:5912
 TRAEFIK_ENTRYPOINTS_OWGWRTTYSVIEW_ADDRESS=:5913
+TRAEFIK_ENTRYPOINTS_OWGWRADACC_ADDRESS=:1813/udp
+TRAEFIK_ENTRYPOINTS_OWGWRADAUTH_ADDRESS=:1812/udp
+TRAEFIK_ENTRYPOINTS_OWGWRADCOA_ADDRESS=:3799/udp
 TRAEFIK_ENTRYPOINTS_OWGWUIHTTP_ADDRESS=:80
 TRAEFIK_ENTRYPOINTS_OWGWUIHTTP_HTTP_REDIRECTIONS_ENTRYPOINT_TO=owgwuihttps
 TRAEFIK_ENTRYPOINTS_OWPROVUIHTTP_ADDRESS=:8080
--- a/docker-compose/traefik/openwifi_letsencrypt.yaml
+++ b/docker-compose/traefik/openwifi_letsencrypt.yaml
@@ -39,75 +39,75 @@ http:
    owgw-rttys-view:
      loadBalancer:
        servers:
-          - url: "http://owgw.wlan.local:5913/"
+          - url: "https://owgw.wlan.local:5913/"

  routers:
    owgw-ui-http:
      entryPoints: "owgwuihttp"
      service: "owgw-ui"
-      rule: "Host(`{{ env "OWGWUI_HOSTNAME" }}`)"
+      rule: "Host(`{{ env "SDKHOSTNAME" }}`)"
    owgw-ui-https:
      entryPoints: "owgwuihttps"
      service: "owgw-ui"
-      rule: "Host(`{{ env "OWGWUI_HOSTNAME" }}`)"
+      rule: "Host(`{{ env "SDKHOSTNAME" }}`)"
      tls:
        certResolver: "openwifi"
    owgw-fileupload:
      entryPoints: "owgwfileupload"
      service: "owgw-fileupload"
-      rule: "Host(`{{ env "OWGWFILEUPLOAD_HOSTNAME" }}`)"
+      rule: "Host(`{{ env "SDKHOSTNAME" }}`)"
      tls:
        certResolver: "openwifi"
    owgw-restapi:
      entryPoints: "owgwrestapi"
      service: "owgw-restapi"
-      rule: "Host(`{{ env "OWGW_HOSTNAME" }}`)"
+      rule: "Host(`{{ env "SDKHOSTNAME" }}`)"
      tls:
        certResolver: "openwifi"
    owgw-rttys-view:
      entryPoints: "owgwrttysview"
      service: "owgw-rttys-view"
-      rule: "Host(`{{ env "OWGW_HOSTNAME" }}`)"
+      rule: "Host(`{{ env "SDKHOSTNAME" }}`)"
      tls:
        certResolver: "openwifi"
    owsec-restapi:
      entryPoints: "owsecrestapi"
      service: "owsec-restapi"
-      rule: "Host(`{{ env "OWSEC_HOSTNAME" }}`)"
+      rule: "Host(`{{ env "SDKHOSTNAME" }}`)"
      tls:
        certResolver: "openwifi"
    owfms-restapi:
      entryPoints: "owfmsrestapi"
      service: "owfms-restapi"
-      rule: "Host(`{{env "OWFMS_HOSTNAME"}}`)"
+      rule: "Host(`{{env "SDKHOSTNAME"}}`)"
      tls:
        certResolver: "openwifi"
    owprov-restapi:
      entryPoints: "owprovrestapi"
      service: "owprov-restapi"
-      rule: "Host(`{{env "OWPROV_HOSTNAME"}}`)"
+      rule: "Host(`{{env "SDKHOSTNAME"}}`)"
      tls:
        certResolver: "openwifi"
    owprov-ui-http:
-      entryPoints: "owgwuihttp"
+      entryPoints: "owprovuihttp"
      service: "owprov-ui"
-      rule: "Host(`{{ env "OWPROVUI_HOSTNAME" }}`)"
+      rule: "Host(`{{ env "SDKHOSTNAME" }}`)"
    owprov-ui-https:
-      entryPoints: "owgwuihttps"
+      entryPoints: "owprovuihttps"
      service: "owprov-ui"
-      rule: "Host(`{{ env "OWPROVUI_HOSTNAME" }}`)"
+      rule: "Host(`{{ env "SDKHOSTNAME" }}`)"
      tls:
        certResolver: "openwifi"
    owanalytics-restapi:
      entryPoints: "owanalyticsrestapi"
      service: "owanalytics-restapi"
-      rule: "Host(`{{env "OWANALYTICS_HOSTNAME"}}`)"
+      rule: "Host(`{{env "SDKHOSTNAME"}}`)"
      tls:
        certResolver: "openwifi"
    owsub-restapi:
      entryPoints: "owsubrestapi"
      service: "owsub-restapi"
-      rule: "Host(`{{env "OWSUB_HOSTNAME"}}`)"
+      rule: "Host(`{{env "SDKHOSTNAME"}}`)"
      tls:
        certResolver: "openwifi"

@@ -134,6 +134,32 @@ tcp:
    owgw-rttys:
      entryPoints: "owgwrttys"
      service: "owgw-rttys"
-      rule: "HostSNI(`{{ env "OWGW_HOSTNAME" }}`)"
+      rule: "HostSNI(`*`)"
      tls:
-        certResolver: openwifi
+        passthrough: true
+
+udp:
+  services:
+    owgw-radius-acc:
+      loadBalancer:
+        servers:
+          - address: "owgw.wlan.local:1813"
+    owgw-radius-auth:
+      loadBalancer:
+        servers:
+          - address: "owgw.wlan.local:1812"
+    owgw-radius-coa:
+      loadBalancer:
+        servers:
+          - address: "owgw.wlan.local:3799"
+
+  routers:
+    owgw-radius-acc:
+      entryPoints: "owgwradacc"
+      service: "owgw-radius-acc"
+    owgw-radius-auth:
+      entryPoints: "owgwradauth"
+      service: "owgw-radius-auth"
+    owgw-radius-coa:
+      entryPoints: "owgwradcoa"
+      service: "owgw-radius-coa"
--- a/docker-compose/traefik/openwifi_selfsigned.yaml
+++ b/docker-compose/traefik/openwifi_selfsigned.yaml
@@ -137,8 +137,34 @@ tcp:
      tls:
        passthrough: true
    owsub-restapi:
-      entryPoints: "owpsubestapi"
+      entryPoints: "owsubrestapi"
      service: "owsub-restapi"
      rule: "HostSNI(`*`)"
      tls:
        passthrough: true
+
+udp:
+  services:
+    owgw-radius-acc:
+      loadBalancer:
+        servers:
+          - address: "owgw.wlan.local:1813"
+    owgw-radius-auth:
+      loadBalancer:
+        servers:
+          - address: "owgw.wlan.local:1812"
+    owgw-radius-coa:
+      loadBalancer:
+        servers:
+          - address: "owgw.wlan.local:3799"
+
+  routers:
+    owgw-radius-acc:
+      entryPoints: "owgwradacc"
+      service: "owgw-radius-acc"
+    owgw-radius-auth:
+      entryPoints: "owgwradauth"
+      service: "owgw-radius-auth"
+    owgw-radius-coa:
+      entryPoints: "owgwradcoa"
+      service: "owgw-radius-coa"