fix cilium for full-distro bundle

Signed-off-by: Andrei Kvapil <kvapss@gmail.com>
Revert cilium to v1.14
2026-02-05 08:17:59 +00:00 · 2024-04-04 04:50:16 +02:00 · 2024-04-04 04:11:26 +02:00 · 2024-04-04 03:35:42 +02:00 · 2024-04-03 09:01:36 +02:00 · 2024-04-02 08:53:53 +02:00
176 changed files with 57858 additions and 11241 deletions
--- a/README.md
+++ b/README.md
@@ -33,7 +33,7 @@ You can use Cozystack as Kubernetes distribution for Bare Metal
 ## Documentation
-The documentation is located on official [cozystack.io](cozystack.io) website.
+The documentation is located on official [cozystack.io](https://cozystack.io) website.
 Read [Get Started](https://cozystack.io/docs/get-started/) section for a quick start.
@@ -44,6 +44,8 @@ If you encounter any difficulties, start with the [troubleshooting guide](https:
 Versioning adheres to the [Semantic Versioning](http://semver.org/) principles.  
 A full list of the available releases is available in the GitHub repository's [Release](https://github.com/aenix-io/cozystack/releases) section.
 - [Roadmap](https://github.com/orgs/aenix-io/projects/2)
 ## Contributions
 Contributions are highly appreciated and very welcomed!
--- a/manifests/cozystack-installer.yaml
+++ b/manifests/cozystack-installer.yaml
@@ -102,3 +102,6 @@ spec:
      - key: "node.kubernetes.io/not-ready"
        operator: "Exists"
        effect: "NoSchedule"
      - key: "node.cilium.io/agent-not-ready"
        operator: "Exists"
        effect: "NoSchedule"
--- a/packages/apps/http-cache/Makefile
+++ b/packages/apps/http-cache/Makefile
@@ -2,7 +2,7 @@ PUSH := 1
 LOAD := 0
 REGISTRY := ghcr.io/aenix-io/cozystack
 NGINX_CACHE_TAG = v0.1.0
-TAG := v0.1.0
+TAG := v0.2.0
 image: image-nginx
--- a/packages/apps/kubernetes/Makefile
+++ b/packages/apps/kubernetes/Makefile
@@ -1,7 +1,7 @@
 PUSH := 1
 LOAD := 0
 REGISTRY := ghcr.io/aenix-io/cozystack
-TAG := v0.1.0
+TAG := v0.2.0
 UBUNTU_CONTAINER_DISK_TAG = v1.29.1
 image: image-ubuntu-container-disk
--- a/packages/core/installer/Makefile
+++ b/packages/core/installer/Makefile
@@ -3,7 +3,7 @@ NAME=installer
 PUSH := 1
 LOAD := 0
 REGISTRY := ghcr.io/aenix-io/cozystack
-TAG := v0.1.0
+TAG := v0.2.0
 TALOS_VERSION=$(shell awk '/^version:/ {print $$2}' images/talos/profiles/installer.yaml)
 show:
@@ -21,6 +21,7 @@ update:
 image: image-cozystack image-talos image-matchbox
 image-cozystack:
 	make -C ../../.. repos
 	docker buildx build -f images/cozystack/Dockerfile ../../.. \
 		--provenance false \
 		--tag $(REGISTRY)/cozystack:$(TAG) \
--- a/packages/core/installer/templates/cozystack.yaml
+++ b/packages/core/installer/templates/cozystack.yaml
@@ -82,6 +82,9 @@ spec:
      - key: "node.kubernetes.io/not-ready"
        operator: "Exists"
        effect: "NoSchedule"
      - key: "node.cilium.io/agent-not-ready"
        operator: "Exists"
        effect: "NoSchedule"
 ---
 apiVersion: v1
 kind: Service
--- a/packages/core/platform/Makefile
+++ b/packages/core/platform/Makefile
@@ -16,4 +16,4 @@ namespaces-apply:
 	helm template -n $(NAMESPACE) $(NAME) . --dry-run=server $(API_VERSIONS_FLAGS) -s templates/namespaces.yaml | kubectl apply -f-
 diff:
-	helm template -n $(NAMESPACE) $(NAME) . --dry-run=server $(API_VERSIONS_FLAGS) -s templates/namespaces.yaml | kubectl diff -f-
+	helm template -n $(NAMESPACE) $(NAME) . --dry-run=server $(API_VERSIONS_FLAGS) | kubectl diff -f-
--- a/packages/core/platform/bundles/full-distro.yaml
+++ b/packages/core/platform/bundles/full-distro.yaml
@@ -0,0 +1,108 @@
 {{- $cozyConfig := lookup "v1" "ConfigMap" "cozy-system" "cozystack" }}
 releases:
 - name: cilium
  releaseName: cilium
  chart: cozy-cilium
  namespace: cozy-cilium
  privileged: true
  dependsOn: []
  values:
    cilium:
      bpf:
        masquerade: true
      cni:
        chainingMode: ~
        customConf: false
        configMap: ""
      enableIPv4Masquerade: true
      enableIdentityMark: true
      ipv4NativeRoutingCIDR: "{{ index $cozyConfig.data "ipv4-pod-cidr" }}"
      autoDirectNodeRoutes: true
 - name: fluxcd
  releaseName: fluxcd
  chart: cozy-fluxcd
  namespace: cozy-fluxcd
  dependsOn: [cilium]
 - name: cert-manager
  releaseName: cert-manager
  chart: cozy-cert-manager
  namespace: cozy-cert-manager
  dependsOn: [cilium]
 - name: cert-manager-issuers
  releaseName: cert-manager-issuers
  chart: cozy-cert-manager-issuers
  namespace: cozy-cert-manager
  dependsOn: [cilium,cert-manager]
 - name: victoria-metrics-operator
  releaseName: victoria-metrics-operator
  chart: cozy-victoria-metrics-operator
  namespace: cozy-victoria-metrics-operator
  dependsOn: [cilium,cert-manager]
 - name: monitoring
  releaseName: monitoring
  chart: cozy-monitoring
  namespace: cozy-monitoring
  privileged: true
  dependsOn: [cilium,victoria-metrics-operator]
 - name: metallb
  releaseName: metallb
  chart: cozy-metallb
  namespace: cozy-metallb
  privileged: true
  dependsOn: [cilium]
 - name: grafana-operator
  releaseName: grafana-operator
  chart: cozy-grafana-operator
  namespace: cozy-grafana-operator
  dependsOn: [cilium]
 - name: mariadb-operator
  releaseName: mariadb-operator
  chart: cozy-mariadb-operator
  namespace: cozy-mariadb-operator
  dependsOn: [cilium,cert-manager,victoria-metrics-operator]
 - name: postgres-operator
  releaseName: postgres-operator
  chart: cozy-postgres-operator
  namespace: cozy-postgres-operator
  dependsOn: [cilium,cert-manager]
 - name: rabbitmq-operator
  releaseName: rabbitmq-operator
  chart: cozy-rabbitmq-operator
  namespace: cozy-rabbitmq-operator
  dependsOn: [cilium]
 - name: redis-operator
  releaseName: redis-operator
  chart: cozy-redis-operator
  namespace: cozy-redis-operator
  dependsOn: [cilium]
 - name: piraeus-operator
  releaseName: piraeus-operator
  chart: cozy-piraeus-operator
  namespace: cozy-linstor
  dependsOn: [cilium,cert-manager]
 - name: linstor
  releaseName: linstor
  chart: cozy-linstor
  namespace: cozy-linstor
  privileged: true
  dependsOn: [piraeus-operator,cilium,cert-manager]
 - name: telepresence
  releaseName: traffic-manager
  chart: cozy-telepresence
  namespace: cozy-telepresence
  dependsOn: []
--- a/packages/core/platform/bundles/full-paas.yaml
+++ b/packages/core/platform/bundles/full-paas.yaml
@@ -0,0 +1,177 @@
 {{- $cozyConfig := lookup "v1" "ConfigMap" "cozy-system" "cozystack" }}
 releases:
 - name: cilium
  releaseName: cilium
  chart: cozy-cilium
  namespace: cozy-cilium
  privileged: true
  dependsOn: []
 - name: kubeovn
  releaseName: kubeovn
  chart: cozy-kubeovn
  namespace: cozy-kubeovn
  privileged: true
  dependsOn: [cilium]
  values:
    cozystack:
      nodesHash: {{ include "cozystack.master-node-ips" . | sha256sum }}
    kube-ovn:
      ipv4:
        POD_CIDR: "{{ index $cozyConfig.data "ipv4-pod-cidr" }}"
        POD_GATEWAY: "{{ index $cozyConfig.data "ipv4-pod-gateway" }}"
        SVC_CIDR: "{{ index $cozyConfig.data "ipv4-svc-cidr" }}"
        JOIN_CIDR: "{{ index $cozyConfig.data "ipv4-join-cidr" }}"
 - name: fluxcd
  releaseName: fluxcd
  chart: cozy-fluxcd
  namespace: cozy-fluxcd
  dependsOn: [cilium,kubeovn]
 - name: cert-manager
  releaseName: cert-manager
  chart: cozy-cert-manager
  namespace: cozy-cert-manager
  dependsOn: [cilium,kubeovn]
 - name: cert-manager-issuers
  releaseName: cert-manager-issuers
  chart: cozy-cert-manager-issuers
  namespace: cozy-cert-manager
  dependsOn: [cilium,kubeovn,cert-manager]
 - name: victoria-metrics-operator
  releaseName: victoria-metrics-operator
  chart: cozy-victoria-metrics-operator
  namespace: cozy-victoria-metrics-operator
  dependsOn: [cilium,kubeovn,cert-manager]
 - name: monitoring
  releaseName: monitoring
  chart: cozy-monitoring
  namespace: cozy-monitoring
  privileged: true
  dependsOn: [cilium,kubeovn,victoria-metrics-operator]
 - name: kubevirt-operator
  releaseName: kubevirt-operator
  chart: cozy-kubevirt-operator
  namespace: cozy-kubevirt
  dependsOn: [cilium,kubeovn]
 - name: kubevirt
  releaseName: kubevirt
  chart: cozy-kubevirt
  namespace: cozy-kubevirt
  privileged: true
  dependsOn: [cilium,kubeovn,kubevirt-operator]
 - name: kubevirt-cdi-operator
  releaseName: kubevirt-cdi-operator
  chart: cozy-kubevirt-cdi-operator
  namespace: cozy-kubevirt-cdi
  dependsOn: [cilium,kubeovn]
 - name: kubevirt-cdi
  releaseName: kubevirt-cdi
  chart: cozy-kubevirt-cdi
  namespace: cozy-kubevirt-cdi
  dependsOn: [cilium,kubeovn,kubevirt-cdi-operator]
 - name: metallb
  releaseName: metallb
  chart: cozy-metallb
  namespace: cozy-metallb
  privileged: true
  dependsOn: [cilium,kubeovn]
 - name: grafana-operator
  releaseName: grafana-operator
  chart: cozy-grafana-operator
  namespace: cozy-grafana-operator
  dependsOn: [cilium,kubeovn]
 - name: mariadb-operator
  releaseName: mariadb-operator
  chart: cozy-mariadb-operator
  namespace: cozy-mariadb-operator
  dependsOn: [cilium,kubeovn,cert-manager,victoria-metrics-operator]
 - name: postgres-operator
  releaseName: postgres-operator
  chart: cozy-postgres-operator
  namespace: cozy-postgres-operator
  dependsOn: [cilium,kubeovn,cert-manager]
 - name: rabbitmq-operator
  releaseName: rabbitmq-operator
  chart: cozy-rabbitmq-operator
  namespace: cozy-rabbitmq-operator
  dependsOn: [cilium,kubeovn]
 - name: redis-operator
  releaseName: redis-operator
  chart: cozy-redis-operator
  namespace: cozy-redis-operator
  dependsOn: [cilium,kubeovn]
 - name: piraeus-operator
  releaseName: piraeus-operator
  chart: cozy-piraeus-operator
  namespace: cozy-linstor
  dependsOn: [cilium,kubeovn,cert-manager]
 - name: linstor
  releaseName: linstor
  chart: cozy-linstor
  namespace: cozy-linstor
  privileged: true
  dependsOn: [piraeus-operator,cilium,kubeovn,cert-manager]
 - name: telepresence
  releaseName: traffic-manager
  chart: cozy-telepresence
  namespace: cozy-telepresence
  dependsOn: [cilium,kubeovn]
 - name: dashboard
  releaseName: dashboard
  chart: cozy-dashboard
  namespace: cozy-dashboard
  dependsOn: [cilium,kubeovn]
  {{- if .Capabilities.APIVersions.Has "source.toolkit.fluxcd.io/v1beta2" }}
  {{- with (lookup "source.toolkit.fluxcd.io/v1beta2" "HelmRepository" "cozy-public" "").items }}
  values:
    kubeapps:
      redis:
        master:
          podAnnotations:
            {{- range $index, $repo := . }}
            {{- with (($repo.status).artifact).revision }}
            repository.cozystack.io/{{ $repo.metadata.name }}: {{ quote . }}
            {{- end }}
            {{- end }}
  {{- end }}
  {{- end }}
 - name: kamaji
  releaseName: kamaji
  chart: cozy-kamaji
  namespace: cozy-kamaji
  dependsOn: [cilium,kubeovn,cert-manager]
 - name: capi-operator
  releaseName: capi-operator
  chart: cozy-capi-operator
  namespace: cozy-cluster-api
  privileged: true
  dependsOn: [cilium,kubeovn,cert-manager]
 - name: capi-providers
  releaseName: capi-providers
  chart: cozy-capi-providers
  namespace: cozy-cluster-api
  privileged: true
  dependsOn: [cilium,kubeovn,capi-operator]
--- a/packages/core/platform/bundles/hosted-distro.yaml
+++ b/packages/core/platform/bundles/hosted-distro.yaml
@@ -0,0 +1,69 @@
 {{- $cozyConfig := lookup "v1" "ConfigMap" "cozy-system" "cozystack" }}
 releases:
 - name: fluxcd
  releaseName: fluxcd
  chart: cozy-fluxcd
  namespace: cozy-fluxcd
  dependsOn: []
 - name: cert-manager
  releaseName: cert-manager
  chart: cozy-cert-manager
  namespace: cozy-cert-manager
  dependsOn: []
 - name: cert-manager-issuers
  releaseName: cert-manager-issuers
  chart: cozy-cert-manager-issuers
  namespace: cozy-cert-manager
  dependsOn: [cert-manager]
 - name: victoria-metrics-operator
  releaseName: victoria-metrics-operator
  chart: cozy-victoria-metrics-operator
  namespace: cozy-victoria-metrics-operator
  dependsOn: [cert-manager]
 - name: monitoring
  releaseName: monitoring
  chart: cozy-monitoring
  namespace: cozy-monitoring
  privileged: true
  dependsOn: [victoria-metrics-operator]
 - name: grafana-operator
  releaseName: grafana-operator
  chart: cozy-grafana-operator
  namespace: cozy-grafana-operator
  dependsOn: []
 - name: mariadb-operator
  releaseName: mariadb-operator
  chart: cozy-mariadb-operator
  namespace: cozy-mariadb-operator
  dependsOn: [victoria-metrics-operator]
 - name: postgres-operator
  releaseName: postgres-operator
  chart: cozy-postgres-operator
  namespace: cozy-postgres-operator
  dependsOn: [cert-manager]
 - name: rabbitmq-operator
  releaseName: rabbitmq-operator
  chart: cozy-rabbitmq-operator
  namespace: cozy-rabbitmq-operator
  dependsOn: []
 - name: redis-operator
  releaseName: redis-operator
  chart: cozy-redis-operator
  namespace: cozy-redis-operator
  dependsOn: []
 - name: telepresence
  releaseName: traffic-manager
  chart: cozy-telepresence
  namespace: cozy-telepresence
  dependsOn: []
--- a/packages/core/platform/bundles/hosted-paas.yaml
+++ b/packages/core/platform/bundles/hosted-paas.yaml
@@ -0,0 +1,95 @@
 {{- $cozyConfig := lookup "v1" "ConfigMap" "cozy-system" "cozystack" }}
 releases:
 - name: fluxcd
  releaseName: fluxcd
  chart: cozy-fluxcd
  namespace: cozy-fluxcd
  dependsOn: []
 - name: cert-manager
  releaseName: cert-manager
  chart: cozy-cert-manager
  namespace: cozy-cert-manager
  dependsOn: []
 - name: cert-manager-issuers
  releaseName: cert-manager-issuers
  chart: cozy-cert-manager-issuers
  namespace: cozy-cert-manager
  dependsOn: [cert-manager]
 - name: victoria-metrics-operator
  releaseName: victoria-metrics-operator
  chart: cozy-victoria-metrics-operator
  namespace: cozy-victoria-metrics-operator
  dependsOn: [cert-manager]
 - name: monitoring
  releaseName: monitoring
  chart: cozy-monitoring
  namespace: cozy-monitoring
  privileged: true
  dependsOn: [victoria-metrics-operator]
 - name: grafana-operator
  releaseName: grafana-operator
  chart: cozy-grafana-operator
  namespace: cozy-grafana-operator
  dependsOn: []
 - name: mariadb-operator
  releaseName: mariadb-operator
  chart: cozy-mariadb-operator
  namespace: cozy-mariadb-operator
  dependsOn: [cert-manager,victoria-metrics-operator]
 - name: postgres-operator
  releaseName: postgres-operator
  chart: cozy-postgres-operator
  namespace: cozy-postgres-operator
  dependsOn: [cert-manager]
 - name: rabbitmq-operator
  releaseName: rabbitmq-operator
  chart: cozy-rabbitmq-operator
  namespace: cozy-rabbitmq-operator
  dependsOn: []
 - name: redis-operator
  releaseName: redis-operator
  chart: cozy-redis-operator
  namespace: cozy-redis-operator
  dependsOn: []
 - name: piraeus-operator
  releaseName: piraeus-operator
  chart: cozy-piraeus-operator
  namespace: cozy-linstor
  dependsOn: [cert-manager]
 - name: telepresence
  releaseName: traffic-manager
  chart: cozy-telepresence
  namespace: cozy-telepresence
  dependsOn: []
 - name: dashboard
  releaseName: dashboard
  chart: cozy-dashboard
  namespace: cozy-dashboard
  dependsOn: []
  {{- if .Capabilities.APIVersions.Has "source.toolkit.fluxcd.io/v1beta2" }}
  {{- with (lookup "source.toolkit.fluxcd.io/v1beta2" "HelmRepository" "cozy-public" "").items }}
  values:
    kubeapps:
      redis:
        master:
          podAnnotations:
            {{- range $index, $repo := . }}
            {{- with (($repo.status).artifact).revision }}
            repository.cozystack.io/{{ $repo.metadata.name }}: {{ quote . }}
            {{- end }}
            {{- end }}
  {{- end }}
  {{- end }}
--- a/packages/core/platform/templates/_helpers.tpl
+++ b/packages/core/platform/templates/_helpers.tpl
@@ -1,7 +1,7 @@
 {{/*
 Get IP-addresses of master nodes
 */}}
-{{- define "master.nodeIPs" -}}
+{{- define "cozystack.master-node-ips" -}}
 {{- $nodes := lookup "v1" "Node" "" "" -}}
 {{- $ips := list -}}
 {{- range $node := $nodes.items -}}
--- a/packages/core/platform/templates/apps.yaml
+++ b/packages/core/platform/templates/apps.yaml
@@ -1,7 +1,10 @@
 {{- $cozyConfig := lookup "v1" "ConfigMap" "cozy-system" "cozystack" }}
 {{- $bundleName := index $cozyConfig.data "bundle-name" }}
 {{- $bundle := tpl (.Files.Get (printf "bundles/%s.yaml" $bundleName)) . | fromYaml }}
 {{- $host := "example.org" }}
 {{- $tenantRoot := list }}
-{{- if .Capabilities.APIVersions.Has "helm.toolkit.fluxcd.io/v2beta1" }}
+{{- if .Capabilities.APIVersions.Has "helm.toolkit.fluxcd.io/v2beta2" }}
-{{- $tenantRoot = lookup "helm.toolkit.fluxcd.io/v2beta1" "HelmRelease" "tenant-root" "tenant-root" }}
+{{- $tenantRoot = lookup "helm.toolkit.fluxcd.io/v2beta2" "HelmRelease" "tenant-root" "tenant-root" }}
 {{- end }}
 {{- if and $tenantRoot $tenantRoot.spec $tenantRoot.spec.values $tenantRoot.spec.values.host }}
 {{- $host = $tenantRoot.spec.values.host }}
@@ -19,7 +22,7 @@ metadata:
    namespace.cozystack.io/host: "{{ $host }}"
  name: tenant-root
 ---
-apiVersion: helm.toolkit.fluxcd.io/v2beta1
+apiVersion: helm.toolkit.fluxcd.io/v2beta2
 kind: HelmRelease
 metadata:
  name: tenant-root
@@ -45,7 +48,9 @@ spec:
  values:
    host: "{{ $host }}"
  dependsOn:
-  - name: cilium
+  {{- range $x := $bundle.releases }}
-    namespace: cozy-cilium
+  {{- if has $x.name (list "cilium" "kubeovn") }}
-  - name: kubeovn
+  - name: {{ $x.name }}
-    namespace: cozy-kubeovn
+    namespace: {{ $x.namespace }}
  {{- end }}
  {{- end }}
--- a/packages/core/platform/templates/helmreleases.yaml
+++ b/packages/core/platform/templates/helmreleases.yaml
@@ -1,38 +1,27 @@
-apiVersion: helm.toolkit.fluxcd.io/v2beta1
+{{- $cozyConfig := lookup "v1" "ConfigMap" "cozy-system" "cozystack" }}
-kind: HelmRelease
+{{- $bundleName := index $cozyConfig.data "bundle-name" }}
-metadata:
+{{- $bundle := tpl (.Files.Get (printf "bundles/%s.yaml" $bundleName)) . | fromYaml }}
-  name: cilium
+{{- $dependencyNamespaces := dict }}
-  namespace: cozy-cilium
+{{- $disabledComponents := splitList "," ((index $cozyConfig.data "bundle-disable") | default "") }}
-  labels:
+
-    cozystack.io/repository: system
+{{/* collect dependency namespaces from releases */}}
-spec:
+{{- range $x := $bundle.releases }}
-  interval: 1m
+{{- $_ := set $dependencyNamespaces $x.name $x.namespace }}
-  releaseName: cilium
+{{- end }}
-  install:
+
-    remediation:
+{{- range $x := $bundle.releases }}
-      retries: -1
+{{- if not (has $x.name $disabledComponents) }}
  upgrade:
    remediation:
      retries: -1
  chart:
    spec:
      chart: cozy-cilium
      reconcileStrategy: Revision
      sourceRef:
        kind: HelmRepository
        name: cozystack-system
        namespace: cozy-system
 ---
-apiVersion: helm.toolkit.fluxcd.io/v2beta1
+apiVersion: helm.toolkit.fluxcd.io/v2beta2
 kind: HelmRelease
 metadata:
-  name: kubeovn
+  name: {{ $x.name }}
-  namespace: cozy-kubeovn
+  namespace: {{ $x.namespace }}
  labels:
    cozystack.io/repository: system
 spec:
  interval: 1m
-  releaseName: kubeovn
+  releaseName: {{ $x.releaseName | default $x.name }}
  install:
    remediation:
      retries: -1
@@ -41,718 +30,31 @@ spec:
      retries: -1
  chart:
    spec:
-      chart: cozy-kubeovn
+      chart: {{ $x.chart }}
      reconcileStrategy: Revision
      sourceRef:
        kind: HelmRepository
        name: cozystack-system
        namespace: cozy-system
  {{- $values := dict }}
  {{- with $x.values }}
  {{- $values = merge . $values }}
  {{- end }}
  {{- with index $cozyConfig.data (printf "values-%s" $x.name) }}
  {{- $values = merge (fromYaml .) $values }}
  {{- end }}
  {{- with $values }}
  values:
-    cozystack:
+    {{- toYaml . | nindent 4}}
-      configHash: {{ index (lookup "v1" "ConfigMap" "cozy-system" "cozystack") "data" | toJson | sha256sum }}
+  {{- end }}
-      nodesHash: {{ include "master.nodeIPs" . | sha256sum }}
+  {{- with $x.dependsOn }}
  dependsOn:
-  - name: cilium
+  {{- range $dep := . }}
-    namespace: cozy-cilium
+  {{- if not (has $dep $disabledComponents) }}
---
+  - name: {{ $dep }}
-apiVersion: helm.toolkit.fluxcd.io/v2beta1
+    namespace: {{ index $dependencyNamespaces $dep }}
 kind: HelmRelease
 metadata:
  name: cozy-fluxcd
  namespace: cozy-fluxcd
  labels:
    cozystack.io/repository: system
 spec:
  interval: 1m
  releaseName: fluxcd
  install:
    remediation:
      retries: -1
  upgrade:
    remediation:
      retries: -1
  chart:
    spec:
      chart: cozy-fluxcd
      reconcileStrategy: Revision
      sourceRef:
        kind: HelmRepository
        name: cozystack-system
        namespace: cozy-system
  dependsOn:
  - name: cilium
    namespace: cozy-cilium
  - name: kubeovn
    namespace: cozy-kubeovn
 ---
 apiVersion: helm.toolkit.fluxcd.io/v2beta1
 kind: HelmRelease
 metadata:
  name: cert-manager
  namespace: cozy-cert-manager
  labels:
    cozystack.io/repository: system
 spec:
  interval: 1m
  releaseName: cert-manager
  install:
    remediation:
      retries: -1
  upgrade:
    remediation:
      retries: -1
  chart:
    spec:
      chart: cozy-cert-manager
      reconcileStrategy: Revision
      sourceRef:
        kind: HelmRepository
        name: cozystack-system
        namespace: cozy-system
  dependsOn:
  - name: cilium
    namespace: cozy-cilium
  - name: kubeovn
    namespace: cozy-kubeovn
 ---
 apiVersion: helm.toolkit.fluxcd.io/v2beta1
 kind: HelmRelease
 metadata:
  name: cert-manager-issuers
  namespace: cozy-cert-manager
  labels:
    cozystack.io/repository: system
 spec:
  interval: 1m
  releaseName: cert-manager-issuers
  install:
    remediation:
      retries: -1
  upgrade:
    remediation:
      retries: -1
  chart:
    spec:
      chart: cozy-cert-manager-issuers
      reconcileStrategy: Revision
      sourceRef:
        kind: HelmRepository
        name: cozystack-system
        namespace: cozy-system
  dependsOn:
  - name: cilium
    namespace: cozy-cilium
  - name: kubeovn
    namespace: cozy-kubeovn
  - name: cert-manager
    namespace: cozy-cert-manager
 ---
 apiVersion: helm.toolkit.fluxcd.io/v2beta1
 kind: HelmRelease
 metadata:
  name: victoria-metrics-operator
  namespace: cozy-victoria-metrics-operator
  labels:
    cozystack.io/repository: system
 spec:
  interval: 1m
  releaseName: victoria-metrics-operator
  install:
    remediation:
      retries: -1
  upgrade:
    remediation:
      retries: -1
  chart:
    spec:
      chart: cozy-victoria-metrics-operator
      reconcileStrategy: Revision
      sourceRef:
        kind: HelmRepository
        name: cozystack-system
        namespace: cozy-system
  dependsOn:
  - name: cilium
    namespace: cozy-cilium
  - name: kubeovn
    namespace: cozy-kubeovn
  - name: cert-manager
    namespace: cozy-cert-manager
 ---
 apiVersion: helm.toolkit.fluxcd.io/v2beta1
 kind: HelmRelease
 metadata:
  name: monitoring
  namespace: cozy-monitoring
  labels:
    cozystack.io/repository: system
 spec:
  interval: 1m
  releaseName: monitoring
  install:
    remediation:
      retries: -1
  upgrade:
    remediation:
      retries: -1
  chart:
    spec:
      chart: cozy-monitoring
      reconcileStrategy: Revision
      sourceRef:
        kind: HelmRepository
        name: cozystack-system
        namespace: cozy-system
  dependsOn:
  - name: cilium
    namespace: cozy-cilium
  - name: kubeovn
    namespace: cozy-kubeovn
  - name: victoria-metrics-operator
    namespace: cozy-victoria-metrics-operator
 ---
 apiVersion: helm.toolkit.fluxcd.io/v2beta1
 kind: HelmRelease
 metadata:
  name: kubevirt-operator
  namespace: cozy-kubevirt
  labels:
    cozystack.io/repository: system
 spec:
  interval: 1m
  releaseName: kubevirt-operator
  install:
    remediation:
      retries: -1
  upgrade:
    remediation:
      retries: -1
  chart:
    spec:
      chart: cozy-kubevirt-operator
      reconcileStrategy: Revision
      sourceRef:
        kind: HelmRepository
        name: cozystack-system
        namespace: cozy-system
  dependsOn:
  - name: cilium
    namespace: cozy-cilium
  - name: kubeovn
    namespace: cozy-kubeovn
 ---
 apiVersion: helm.toolkit.fluxcd.io/v2beta1
 kind: HelmRelease
 metadata:
  name: kubevirt
  namespace: cozy-kubevirt
  labels:
    cozystack.io/repository: system
 spec:
  interval: 1m
  releaseName: kubevirt
  install:
    remediation:
      retries: -1
  upgrade:
    remediation:
      retries: -1
  chart:
    spec:
      chart: cozy-kubevirt
      reconcileStrategy: Revision
      sourceRef:
        kind: HelmRepository
        name: cozystack-system
        namespace: cozy-system
  dependsOn:
  - name: cilium
    namespace: cozy-cilium
  - name: kubeovn
    namespace: cozy-kubeovn
  - name: kubevirt-operator
    namespace: cozy-kubevirt
 ---
 apiVersion: helm.toolkit.fluxcd.io/v2beta1
 kind: HelmRelease
 metadata:
  name: kubevirt-cdi-operator
  namespace: cozy-kubevirt-cdi
  labels:
    cozystack.io/repository: system
 spec:
  interval: 1m
  releaseName: kubevirt-cdi-operator
  install:
    remediation:
      retries: -1
  upgrade:
    remediation:
      retries: -1
  chart:
    spec:
      chart: cozy-kubevirt-cdi-operator
      reconcileStrategy: Revision
      sourceRef:
        kind: HelmRepository
        name: cozystack-system
        namespace: cozy-system
  dependsOn:
  - name: cilium
    namespace: cozy-cilium
  - name: kubeovn
    namespace: cozy-kubeovn
 ---
 apiVersion: helm.toolkit.fluxcd.io/v2beta1
 kind: HelmRelease
 metadata:
  name: kubevirt-cdi
  namespace: cozy-kubevirt-cdi
  labels:
    cozystack.io/repository: system
 spec:
  interval: 1m
  releaseName: kubevirt-cdi
  install:
    remediation:
      retries: -1
  upgrade:
    remediation:
      retries: -1
  chart:
    spec:
      chart: cozy-kubevirt-cdi
      reconcileStrategy: Revision
      sourceRef:
        kind: HelmRepository
        name: cozystack-system
        namespace: cozy-system
  dependsOn:
  - name: cilium
    namespace: cozy-cilium
  - name: kubeovn
    namespace: cozy-kubeovn
  - name: kubevirt-cdi-operator
    namespace: cozy-kubevirt-cdi
 ---
 apiVersion: helm.toolkit.fluxcd.io/v2beta1
 kind: HelmRelease
 metadata:
  name: metallb
  namespace: cozy-metallb
  labels:
    cozystack.io/repository: system
 spec:
  interval: 1m
  releaseName: metallb
  install:
    remediation:
      retries: -1
  upgrade:
    remediation:
      retries: -1
  chart:
    spec:
      chart: cozy-metallb
      reconcileStrategy: Revision
      sourceRef:
        kind: HelmRepository
        name: cozystack-system
        namespace: cozy-system
  dependsOn:
  - name: cilium
    namespace: cozy-cilium
  - name: kubeovn
    namespace: cozy-kubeovn
 ---
 apiVersion: helm.toolkit.fluxcd.io/v2beta1
 kind: HelmRelease
 metadata:
  name: grafana-operator
  namespace: cozy-grafana-operator
  labels:
    cozystack.io/repository: system
 spec:
  interval: 1m
  releaseName: grafana-operator
  install:
    remediation:
      retries: -1
  upgrade:
    remediation:
      retries: -1
  chart:
    spec:
      chart: cozy-grafana-operator
      reconcileStrategy: Revision
      sourceRef:
        kind: HelmRepository
        name: cozystack-system
        namespace: cozy-system
  dependsOn:
  - name: cilium
    namespace: cozy-cilium
  - name: kubeovn
    namespace: cozy-kubeovn
 ---
 apiVersion: helm.toolkit.fluxcd.io/v2beta1
 kind: HelmRelease
 metadata:
  name: mariadb-operator
  namespace: cozy-mariadb-operator
  labels:
    cozystack.io/repository: system
 spec:
  interval: 1m
  releaseName: mariadb-operator
  install:
    remediation:
      retries: -1
  upgrade:
    remediation:
      retries: -1
  chart:
    spec:
      chart: cozy-mariadb-operator
      reconcileStrategy: Revision
      sourceRef:
        kind: HelmRepository
        name: cozystack-system
        namespace: cozy-system
  dependsOn:
  - name: cilium
    namespace: cozy-cilium
  - name: kubeovn
    namespace: cozy-kubeovn
  - name: cert-manager
    namespace: cozy-cert-manager
  - name: victoria-metrics-operator
    namespace: cozy-victoria-metrics-operator
 ---
 apiVersion: helm.toolkit.fluxcd.io/v2beta1
 kind: HelmRelease
 metadata:
  name: postgres-operator
  namespace: cozy-postgres-operator
  labels:
    cozystack.io/repository: system
 spec:
  interval: 1m
  releaseName: postgres-operator
  install:
    remediation:
      retries: -1
  upgrade:
    remediation:
      retries: -1
  chart:
    spec:
      chart: cozy-postgres-operator
      reconcileStrategy: Revision
      sourceRef:
        kind: HelmRepository
        name: cozystack-system
        namespace: cozy-system
  dependsOn:
  - name: cilium
    namespace: cozy-cilium
  - name: kubeovn
    namespace: cozy-kubeovn
  - name: cert-manager
    namespace: cozy-cert-manager
 ---
 apiVersion: helm.toolkit.fluxcd.io/v2beta1
 kind: HelmRelease
 metadata:
  name: rabbitmq-operator
  namespace: cozy-rabbitmq-operator
  labels:
    cozystack.io/repository: system
 spec:
  interval: 1m
  releaseName: rabbitmq-operator
  install:
    remediation:
      retries: -1
  upgrade:
    remediation:
      retries: -1
  chart:
    spec:
      chart: cozy-rabbitmq-operator
      reconcileStrategy: Revision
      sourceRef:
        kind: HelmRepository
        name: cozystack-system
        namespace: cozy-system
  dependsOn:
  - name: cilium
    namespace: cozy-cilium
  - name: kubeovn
    namespace: cozy-kubeovn
 ---
 apiVersion: helm.toolkit.fluxcd.io/v2beta1
 kind: HelmRelease
 metadata:
  name: redis-operator
  namespace: cozy-redis-operator
  labels:
    cozystack.io/repository: system
 spec:
  interval: 1m
  releaseName: redis-operator
  install:
    remediation:
      retries: -1
  upgrade:
    remediation:
      retries: -1
  chart:
    spec:
      chart: cozy-redis-operator
      reconcileStrategy: Revision
      sourceRef:
        kind: HelmRepository
        name: cozystack-system
        namespace: cozy-system
  dependsOn:
  - name: cilium
    namespace: cozy-cilium
  - name: kubeovn
    namespace: cozy-kubeovn
 ---
 apiVersion: helm.toolkit.fluxcd.io/v2beta1
 kind: HelmRelease
 metadata:
  name: piraeus-operator
  namespace: cozy-linstor
  labels:
    cozystack.io/repository: system
 spec:
  interval: 1m
  releaseName: piraeus-operator
  install:
    remediation:
      retries: -1
  upgrade:
    remediation:
      retries: -1
  chart:
    spec:
      chart: cozy-piraeus-operator
      reconcileStrategy: Revision
      sourceRef:
        kind: HelmRepository
        name: cozystack-system
        namespace: cozy-system
  dependsOn:
  - name: cilium
    namespace: cozy-cilium
  - name: kubeovn
    namespace: cozy-kubeovn
  - name: cert-manager
    namespace: cozy-cert-manager
 ---
 apiVersion: helm.toolkit.fluxcd.io/v2beta1
 kind: HelmRelease
 metadata:
  name: linstor
  namespace: cozy-linstor
  labels:
    cozystack.io/repository: system
 spec:
  interval: 1m
  releaseName: linstor
  install:
    remediation:
      retries: -1
  upgrade:
    remediation:
      retries: -1
  chart:
    spec:
      chart: cozy-linstor
      reconcileStrategy: Revision
      sourceRef:
        kind: HelmRepository
        name: cozystack-system
        namespace: cozy-system
  dependsOn:
  - name: cilium
    namespace: cozy-cilium
  - name: kubeovn
    namespace: cozy-kubeovn
  - name: piraeus-operator
    namespace: cozy-linstor
  - name: cert-manager
    namespace: cozy-cert-manager
 ---
 apiVersion: helm.toolkit.fluxcd.io/v2beta1
 kind: HelmRelease
 metadata:
  name: telepresence
  namespace: cozy-telepresence
  labels:
    cozystack.io/repository: system
 spec:
  interval: 1m
  releaseName: traffic-manager
  install:
    remediation:
      retries: -1
  upgrade:
    remediation:
      retries: -1
  chart:
    spec:
      chart: cozy-telepresence
      reconcileStrategy: Revision
      sourceRef:
        kind: HelmRepository
        name: cozystack-system
        namespace: cozy-system
  dependsOn:
  - name: cilium
    namespace: cozy-cilium
  - name: kubeovn
    namespace: cozy-kubeovn
 ---
 apiVersion: helm.toolkit.fluxcd.io/v2beta1
 kind: HelmRelease
 metadata:
  name: dashboard
  namespace: cozy-dashboard
  labels:
    cozystack.io/repository: system
 spec:
  interval: 1m
  releaseName: dashboard
  install:
    remediation:
      retries: -1
  upgrade:
    remediation:
      retries: -1
  chart:
    spec:
      chart: cozy-dashboard
      reconcileStrategy: Revision
      sourceRef:
        kind: HelmRepository
        name: cozystack-system
        namespace: cozy-system
  dependsOn:
  - name: cilium
    namespace: cozy-cilium
  - name: kubeovn
    namespace: cozy-kubeovn
  {{- if .Capabilities.APIVersions.Has "source.toolkit.fluxcd.io/v1beta2" }}
  {{- with (lookup "source.toolkit.fluxcd.io/v1beta2" "HelmRepository" "cozy-public" "").items }}
  values:
    kubeapps:
      redis:
        master:
          podAnnotations:
            {{- range $index, $repo := . }}
            {{- with (($repo.status).artifact).revision }}
            repository.cozystack.io/{{ $repo.metadata.name }}: {{ quote . }}
            {{- end }}
            {{- end }}
  {{- end }}
  {{- end }}
---
+  {{- end }}
-apiVersion: helm.toolkit.fluxcd.io/v2beta1
+{{- end }}
-kind: HelmRelease
+{{- end }}
 metadata:
  name: kamaji
  namespace: cozy-kamaji
  labels:
    cozystack.io/repository: system
 spec:
  interval: 1m
  releaseName: kamaji
  install:
    remediation:
      retries: -1
  upgrade:
    remediation:
      retries: -1
  chart:
    spec:
      chart: cozy-kamaji
      reconcileStrategy: Revision
      sourceRef:
        kind: HelmRepository
        name: cozystack-system
        namespace: cozy-system
  dependsOn:
  - name: cilium
    namespace: cozy-cilium
  - name: kubeovn
    namespace: cozy-kubeovn
  - name: cert-manager
    namespace: cozy-cert-manager
 ---
 apiVersion: helm.toolkit.fluxcd.io/v2beta1
 kind: HelmRelease
 metadata:
  name: capi-operator
  namespace: cozy-cluster-api
  labels:
    cozystack.io/repository: system
 spec:
  interval: 1m
  releaseName: capi-operator
  install:
    remediation:
      retries: -1
  upgrade:
    remediation:
      retries: -1
  chart:
    spec:
      chart: cozy-capi-operator
      reconcileStrategy: Revision
      sourceRef:
        kind: HelmRepository
        name: cozystack-system
        namespace: cozy-system
  dependsOn:
  - name: cilium
    namespace: cozy-cilium
  - name: kubeovn
    namespace: cozy-kubeovn
  - name: cert-manager
    namespace: cozy-cert-manager
 ---
 apiVersion: helm.toolkit.fluxcd.io/v2beta1
 kind: HelmRelease
 metadata:
  name: capi-providers
  namespace: cozy-cluster-api
  labels:
    cozystack.io/repository: system
 spec:
  interval: 1m
  releaseName: capi-providers
  install:
    remediation:
      retries: -1
  upgrade:
    remediation:
      retries: -1
  chart:
    spec:
      chart: cozy-capi-providers
      reconcileStrategy: Revision
      sourceRef:
        kind: HelmRepository
        name: cozystack-system
        namespace: cozy-system
  dependsOn:
  - name: capi-operator
    namespace: cozy-cluster-api
  - name: cilium
    namespace: cozy-cilium
  - name: kubeovn
    namespace: cozy-kubeovn
--- a/packages/core/platform/templates/namespaces.yaml
+++ b/packages/core/platform/templates/namespaces.yaml
@@ -1,13 +1,29 @@
-{{- range $ns := .Values.namespaces }}
+{{- $cozyConfig := lookup "v1" "ConfigMap" "cozy-system" "cozystack" }}
 {{- $bundleName := index $cozyConfig.data "bundle-name" }}
 {{- $bundle := tpl (.Files.Get (printf "bundles/%s.yaml" $bundleName)) . | fromYaml }}
 {{- $namespaces := dict }}
 {{/* collect namespaces from releases */}}
 {{- range $x := $bundle.releases }}
 {{- if not (hasKey $namespaces $x.namespace) }}
 {{- $_ := set $namespaces $x.namespace false }}
 {{- end }}
 {{/* if at least one release requires a privileged namespace, then it should be privileged */}}
 {{- if or $x.privileged (index $namespaces $x.namespace) }}
 {{- $_ := set $namespaces $x.namespace true }}
 {{- end }}
 {{- end }}
 {{- range $namespace, $privileged := $namespaces }}
 ---
 apiVersion: v1
 kind: Namespace
 metadata:
  annotations:
    "helm.sh/resource-policy": keep
-  {{- if $ns.privileged }}
+  {{- if $privileged }}
  labels:
    pod-security.kubernetes.io/enforce: privileged
  {{- end }}
-  name: {{ $ns.name }}
+  name: {{ $namespace }}
 {{- end }}
--- a/packages/core/platform/values.yaml
+++ b/packages/core/platform/values.yaml
@@ -1,30 +0,0 @@
 namespaces:
 - name: cozy-public
 - name: cozy-system
  privileged: true
 - name: cozy-cert-manager
 - name: cozy-cilium
  privileged: true
 - name: cozy-fluxcd
 - name: cozy-grafana-operator
 - name: cozy-kamaji
 - name: cozy-cluster-api
  privileged: true # for capk only
 - name: cozy-dashboard
 - name: cozy-kubeovn
  privileged: true
 - name: cozy-kubevirt
  privileged: true
 - name: cozy-kubevirt-cdi
 - name: cozy-linstor
  privileged: true
 - name: cozy-mariadb-operator
 - name: cozy-metallb
  privileged: true
 - name: cozy-monitoring
  privileged: true
 - name: cozy-postgres-operator
 - name: cozy-rabbitmq-operator
 - name: cozy-redis-operator
 - name: cozy-telepresence
 - name: cozy-victoria-metrics-operator
--- a/packages/system/cilium/Makefile
+++ b/packages/system/cilium/Makefile
@@ -2,18 +2,18 @@ NAMESPACE=cozy-cilium
 NAME=cilium
 show:
-	helm template --dry-run=server -n $(NAMESPACE) $(NAME) .
+	kubectl get hr -n cozy-cilium cilium -o jsonpath='{.spec.values}' | helm template --dry-run=server -n $(NAMESPACE) $(NAME) . -f -
 apply:
-	helm upgrade -i -n $(NAMESPACE) $(NAME) .
+	kubectl get hr -n cozy-cilium cilium -o jsonpath='{.spec.values}' | helm upgrade -i -n $(NAMESPACE) $(NAME) . -f -
 diff:
-	helm diff upgrade --allow-unreleased --normalize-manifests -n $(NAMESPACE) $(NAME) .
+	kubectl get hr -n cozy-cilium cilium -o jsonpath='{.spec.values}' | helm diff upgrade --allow-unreleased --normalize-manifests -n $(NAMESPACE) $(NAME) . -f -
 update:
 	rm -rf charts
 	helm repo add cilium https://helm.cilium.io/
 	helm repo update cilium
-	helm pull cilium/cilium --untar --untardir charts
+	helm pull cilium/cilium --untar --untardir charts --version 1.14
 	sed -i -e '/Used in iptables/d' -e '/SYS_MODULE/d' charts/cilium/values.yaml
-	patch -p3 < patches/fix-cgroups.patch
+	patch -p3 --no-backup-if-mismatch < patches/fix-cgroups.patch
--- a/packages/system/cilium/charts/cilium/Chart.yaml
+++ b/packages/system/cilium/charts/cilium/Chart.yaml
@@ -122,7 +122,7 @@ annotations:
      description: |
        CiliumPodIPPool defines an IP pool that can be used for pooled IPAM (i.e. the multi-pool IPAM mode).
 apiVersion: v2
-appVersion: 1.14.5
+appVersion: 1.14.9
 description: eBPF-based Networking, Security, and Observability
 home: https://cilium.io/
 icon: https://cdn.jsdelivr.net/gh/cilium/cilium@v1.14/Documentation/images/logo-solo.svg
@@ -138,4 +138,4 @@ kubeVersion: '>= 1.16.0-0'
 name: cilium
 sources:
 - https://github.com/cilium/cilium
-version: 1.14.5
+version: 1.14.9
--- a/packages/system/cilium/charts/cilium/README.md
+++ b/packages/system/cilium/charts/cilium/README.md
@@ -1,6 +1,6 @@
 # cilium
-![Version: 1.14.5](https://img.shields.io/badge/Version-1.14.5-informational?style=flat-square) ![AppVersion: 1.14.5](https://img.shields.io/badge/AppVersion-1.14.5-informational?style=flat-square)
+![Version: 1.14.9](https://img.shields.io/badge/Version-1.14.9-informational?style=flat-square) ![AppVersion: 1.14.9](https://img.shields.io/badge/AppVersion-1.14.9-informational?style=flat-square)
 Cilium is open source software for providing and transparently securing
 network connectivity and loadbalancing between application workloads such as
@@ -76,7 +76,7 @@ contributors across the globe, there is almost always someone available to help.
 | authentication.mutual.spire.install.agent.securityContext | object | `{}` | Security context to be added to spire agent containers. SecurityContext holds pod-level security attributes and common container settings. ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container |
 | authentication.mutual.spire.install.agent.serviceAccount | object | `{"create":true,"name":"spire-agent"}` | SPIRE agent service account |
 | authentication.mutual.spire.install.agent.skipKubeletVerification | bool | `true` | SPIRE Workload Attestor kubelet verification. |
-| authentication.mutual.spire.install.agent.tolerations | list | `[]` | SPIRE agent tolerations configuration ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ |
+| authentication.mutual.spire.install.agent.tolerations | list | `[{"effect":"NoSchedule","key":"node.kubernetes.io/not-ready"},{"effect":"NoSchedule","key":"node-role.kubernetes.io/master"},{"effect":"NoSchedule","key":"node-role.kubernetes.io/control-plane"},{"effect":"NoSchedule","key":"node.cloudprovider.kubernetes.io/uninitialized","value":"true"},{"key":"CriticalAddonsOnly","operator":"Exists"}]` | SPIRE agent tolerations configuration By default it follows the same tolerations as the agent itself to allow the Cilium agent on this node to connect to SPIRE. ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/ |
 | authentication.mutual.spire.install.enabled | bool | `true` | Enable SPIRE installation. This will only take effect only if authentication.mutual.spire.enabled is true |
 | authentication.mutual.spire.install.namespace | string | `"cilium-spire"` | SPIRE namespace to install into |
 | authentication.mutual.spire.install.server.affinity | object | `{}` | SPIRE server affinity configuration |
@@ -155,12 +155,12 @@ contributors across the globe, there is almost always someone available to help.
 | clustermesh.apiserver.extraEnv | list | `[]` | Additional clustermesh-apiserver environment variables. |
 | clustermesh.apiserver.extraVolumeMounts | list | `[]` | Additional clustermesh-apiserver volumeMounts. |
 | clustermesh.apiserver.extraVolumes | list | `[]` | Additional clustermesh-apiserver volumes. |
-| clustermesh.apiserver.image | object | `{"digest":"sha256:7eaa35cf5452c43b1f7d0cde0d707823ae7e49965bcb54c053e31ea4e04c3d96","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/clustermesh-apiserver","tag":"v1.14.5","useDigest":true}` | Clustermesh API server image. |
+| clustermesh.apiserver.image | object | `{"digest":"sha256:5c16f8b8e22ce41e11998e70846fbcecea3a6b683a38253809ead8d871f6d8a3","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/clustermesh-apiserver","tag":"v1.14.9","useDigest":true}` | Clustermesh API server image. |
 | clustermesh.apiserver.kvstoremesh.enabled | bool | `false` | Enable KVStoreMesh. KVStoreMesh caches the information retrieved from the remote clusters in the local etcd instance. |
 | clustermesh.apiserver.kvstoremesh.extraArgs | list | `[]` | Additional KVStoreMesh arguments. |
 | clustermesh.apiserver.kvstoremesh.extraEnv | list | `[]` | Additional KVStoreMesh environment variables. |
 | clustermesh.apiserver.kvstoremesh.extraVolumeMounts | list | `[]` | Additional KVStoreMesh volumeMounts. |
-| clustermesh.apiserver.kvstoremesh.image | object | `{"digest":"sha256:d7137edd0efa2b1407b20088af3980a9993bb616d85bf9b55ea2891d1b99023a","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/kvstoremesh","tag":"v1.14.5","useDigest":true}` | KVStoreMesh image. |
+| clustermesh.apiserver.kvstoremesh.image | object | `{"digest":"sha256:9d9efb25806660f3663b9cd803fb8679f2b115763470002a9770e2c1eb1e5b22","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/kvstoremesh","tag":"v1.14.9","useDigest":true}` | KVStoreMesh image. |
 | clustermesh.apiserver.kvstoremesh.resources | object | `{}` | Resource requests and limits for the KVStoreMesh container |
 | clustermesh.apiserver.kvstoremesh.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]}}` | KVStoreMesh Security context |
 | clustermesh.apiserver.metrics.enabled | bool | `true` | Enables exporting apiserver metrics in OpenMetrics format. |
@@ -300,7 +300,7 @@ contributors across the globe, there is almost always someone available to help.
 | eni.subnetIDsFilter | list | `[]` | Filter via subnet IDs which will dictate which subnets are going to be used to create new ENIs Important note: This requires that each instance has an ENI with a matching subnet attached when Cilium is deployed. If you only want to control subnets for ENIs attached by Cilium, use the CNI configuration file settings (cni.customConf) instead. |
 | eni.subnetTagsFilter | list | `[]` | Filter via tags (k=v) which will dictate which subnets are going to be used to create new ENIs Important note: This requires that each instance has an ENI with a matching subnet attached when Cilium is deployed. If you only want to control subnets for ENIs attached by Cilium, use the CNI configuration file settings (cni.customConf) instead. |
 | eni.updateEC2AdapterLimitViaAPI | bool | `true` | Update ENI Adapter limits from the EC2 API |
-| envoy.affinity | object | `{"podAntiAffinity":{"requiredDuringSchedulingIgnoredDuringExecution":[{"labelSelector":{"matchLabels":{"k8s-app":"cilium-envoy"}},"topologyKey":"kubernetes.io/hostname"}]}}` | Affinity for cilium-envoy. |
+| envoy.affinity | object | `{"nodeAffinity":{"requiredDuringSchedulingIgnoredDuringExecution":{"nodeSelectorTerms":[{"matchExpressions":[{"key":"cilium.io/no-schedule","operator":"NotIn","values":["true"]}]}]}},"podAffinity":{"requiredDuringSchedulingIgnoredDuringExecution":[{"labelSelector":{"matchLabels":{"k8s-app":"cilium"}},"topologyKey":"kubernetes.io/hostname"}]},"podAntiAffinity":{"requiredDuringSchedulingIgnoredDuringExecution":[{"labelSelector":{"matchLabels":{"k8s-app":"cilium-envoy"}},"topologyKey":"kubernetes.io/hostname"}]}}` | Affinity for cilium-envoy. |
 | envoy.connectTimeoutSeconds | int | `2` | Time in seconds after which a TCP connection attempt times out |
 | envoy.dnsPolicy | string | `nil` | DNS policy for Cilium envoy pods. Ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy |
 | envoy.enabled | bool | `false` | Enable Envoy Proxy in standalone DaemonSet. |
@@ -312,7 +312,7 @@ contributors across the globe, there is almost always someone available to help.
 | envoy.extraVolumes | list | `[]` | Additional envoy volumes. |
 | envoy.healthPort | int | `9878` | TCP port for the health API. |
 | envoy.idleTimeoutDurationSeconds | int | `60` | Set Envoy upstream HTTP idle connection timeout seconds. Does not apply to connections with pending requests. Default 60s |
-| envoy.image | object | `{"digest":"sha256:992998398dadfff7117bfa9fdb7c9474fefab7f0237263f7c8114e106c67baca","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium-envoy","tag":"v1.26.6-ad82c7c56e88989992fd25d8d67747de865c823b","useDigest":true}` | Envoy container image. |
+| envoy.image | object | `{"digest":"sha256:39b75548447978230dedcf25da8940e4d3540c741045ef391a8e74dbb9661a86","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium-envoy","tag":"v1.26.7-bbde4095997ea57ead209f56158790d47224a0f5","useDigest":true}` | Envoy container image. |
 | envoy.livenessProbe.failureThreshold | int | `10` | failure threshold of liveness probe |
 | envoy.livenessProbe.periodSeconds | int | `30` | interval between checks of the liveness probe |
 | envoy.log.format | string | `"[%Y-%m-%d %T.%e][%t][%l][%n] [%g:%#] %v"` | The format string to use for laying out the log message metadata of Envoy. |
@@ -324,14 +324,15 @@ contributors across the globe, there is almost always someone available to help.
 | envoy.podLabels | object | `{}` | Labels to be added to envoy pods |
 | envoy.podSecurityContext | object | `{}` | Security Context for cilium-envoy pods. |
 | envoy.priorityClassName | string | `nil` | The priority class to use for cilium-envoy. |
 | envoy.prometheus | object | `{"enabled":true,"port":"9964","serviceMonitor":{"annotations":{},"enabled":false,"interval":"10s","labels":{},"metricRelabelings":null,"relabelings":[{"replacement":"${1}","sourceLabels":["__meta_kubernetes_pod_node_name"],"targetLabel":"node"}]}}` | Configure Cilium Envoy Prometheus options. Note that some of these apply to either cilium-agent or cilium-envoy. |
 | envoy.prometheus.enabled | bool | `true` | Enable prometheus metrics for cilium-envoy |
 | envoy.prometheus.port | string | `"9964"` | Serve prometheus metrics for cilium-envoy on the configured port |
 | envoy.prometheus.serviceMonitor.annotations | object | `{}` | Annotations to add to ServiceMonitor cilium-envoy |
-| envoy.prometheus.serviceMonitor.enabled | bool | `false` | Enable service monitors. This requires the prometheus CRDs to be available (see https://github.com/prometheus-operator/prometheus-operator/blob/main/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml) |
+| envoy.prometheus.serviceMonitor.enabled | bool | `false` | Enable service monitors. This requires the prometheus CRDs to be available (see https://github.com/prometheus-operator/prometheus-operator/blob/main/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml) Note that this setting applies to both cilium-envoy _and_ cilium-agent with Envoy enabled. |
 | envoy.prometheus.serviceMonitor.interval | string | `"10s"` | Interval for scrape metrics. |
 | envoy.prometheus.serviceMonitor.labels | object | `{}` | Labels to add to ServiceMonitor cilium-envoy |
-| envoy.prometheus.serviceMonitor.metricRelabelings | string | `nil` | Metrics relabeling configs for the ServiceMonitor cilium-envoy |
+| envoy.prometheus.serviceMonitor.metricRelabelings | string | `nil` | Metrics relabeling configs for the ServiceMonitor cilium-envoy or for cilium-agent with Envoy configured. |
-| envoy.prometheus.serviceMonitor.relabelings | list | `[{"replacement":"${1}","sourceLabels":["__meta_kubernetes_pod_node_name"],"targetLabel":"node"}]` | Relabeling configs for the ServiceMonitor cilium-envoy |
+| envoy.prometheus.serviceMonitor.relabelings | list | `[{"replacement":"${1}","sourceLabels":["__meta_kubernetes_pod_node_name"],"targetLabel":"node"}]` | Relabeling configs for the ServiceMonitor cilium-envoy or for cilium-agent with Envoy configured. |
 | envoy.readinessProbe.failureThreshold | int | `3` | failure threshold of readiness probe |
 | envoy.readinessProbe.periodSeconds | int | `30` | interval between checks of the readiness probe |
 | envoy.resources | object | `{}` | Envoy resource limits & requests ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ |
@@ -418,7 +419,7 @@ contributors across the globe, there is almost always someone available to help.
 | hubble.relay.extraVolumes | list | `[]` | Additional hubble-relay volumes. |
 | hubble.relay.gops.enabled | bool | `true` | Enable gops for hubble-relay |
 | hubble.relay.gops.port | int | `9893` | Configure gops listen port for hubble-relay |
-| hubble.relay.image | object | `{"digest":"sha256:dbef89f924a927043d02b40c18e417c1ea0e8f58b44523b80fef7e3652db24d4","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-relay","tag":"v1.14.5","useDigest":true}` | Hubble-relay container image. |
+| hubble.relay.image | object | `{"digest":"sha256:f506f3c6e0a979437cde79eb781654fda4f10ddb5642cebc4dc81254cfb7eeaa","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-relay","tag":"v1.14.9","useDigest":true}` | Hubble-relay container image. |
 | hubble.relay.listenHost | string | `""` | Host to listen to. Specify an empty string to bind to all the interfaces. |
 | hubble.relay.listenPort | string | `"4245"` | Port to listen to. |
 | hubble.relay.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector |
@@ -475,7 +476,7 @@ contributors across the globe, there is almost always someone available to help.
 | hubble.ui.backend.extraEnv | list | `[]` | Additional hubble-ui backend environment variables. |
 | hubble.ui.backend.extraVolumeMounts | list | `[]` | Additional hubble-ui backend volumeMounts. |
 | hubble.ui.backend.extraVolumes | list | `[]` | Additional hubble-ui backend volumes. |
-| hubble.ui.backend.image | object | `{"digest":"sha256:1f86f3400827a0451e6332262467f894eeb7caf0eb8779bd951e2caa9d027cbe","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-ui-backend","tag":"v0.12.1","useDigest":true}` | Hubble-ui backend image. |
+| hubble.ui.backend.image | object | `{"digest":"sha256:1e7657d997c5a48253bb8dc91ecee75b63018d16ff5e5797e5af367336bc8803","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-ui-backend","tag":"v0.13.0","useDigest":true}` | Hubble-ui backend image. |
 | hubble.ui.backend.resources | object | `{}` | Resource requests and limits for the 'backend' container of the 'hubble-ui' deployment. |
 | hubble.ui.backend.securityContext | object | `{}` | Hubble-ui backend security context. |
 | hubble.ui.baseUrl | string | `"/"` | Defines base url prefix for all hubble-ui http requests. It needs to be changed in case if ingress for hubble-ui is configured under some sub-path. Trailing `/` is required for custom path, ex. `/service-map/` |
@@ -483,7 +484,7 @@ contributors across the globe, there is almost always someone available to help.
 | hubble.ui.frontend.extraEnv | list | `[]` | Additional hubble-ui frontend environment variables. |
 | hubble.ui.frontend.extraVolumeMounts | list | `[]` | Additional hubble-ui frontend volumeMounts. |
 | hubble.ui.frontend.extraVolumes | list | `[]` | Additional hubble-ui frontend volumes. |
-| hubble.ui.frontend.image | object | `{"digest":"sha256:9e5f81ee747866480ea1ac4630eb6975ff9227f9782b7c93919c081c33f38267","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-ui","tag":"v0.12.1","useDigest":true}` | Hubble-ui frontend image. |
+| hubble.ui.frontend.image | object | `{"digest":"sha256:7d663dc16538dd6e29061abd1047013a645e6e69c115e008bee9ea9fef9a6666","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/hubble-ui","tag":"v0.13.0","useDigest":true}` | Hubble-ui frontend image. |
 | hubble.ui.frontend.resources | object | `{}` | Resource requests and limits for the 'frontend' container of the 'hubble-ui' deployment. |
 | hubble.ui.frontend.securityContext | object | `{}` | Hubble-ui frontend security context. |
 | hubble.ui.frontend.server.ipv6 | object | `{"enabled":true}` | Controls server listener for ipv6 |
@@ -510,7 +511,7 @@ contributors across the globe, there is almost always someone available to help.
 | hubble.ui.updateStrategy | object | `{"rollingUpdate":{"maxUnavailable":1},"type":"RollingUpdate"}` | hubble-ui update strategy. |
 | identityAllocationMode | string | `"crd"` | Method to use for identity allocation (`crd` or `kvstore`). |
 | identityChangeGracePeriod | string | `"5s"` | Time to wait before using new identity on endpoint identity change. |
-| image | object | `{"digest":"sha256:d3b287029755b6a47dee01420e2ea469469f1b174a2089c10af7e5e9289ef05b","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.14.5","useDigest":true}` | Agent container image. |
+| image | object | `{"digest":"sha256:4ef1eb7a3bc39d0fefe14685e6c0d4e01301c40df2a89bc93ffca9a1ab927301","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.14.9","useDigest":true}` | Agent container image. |
 | imagePullSecrets | string | `nil` | Configure image pull secrets for pulling container images |
 | ingressController.default | bool | `false` | Set cilium ingress controller to be the default ingress controller This will let cilium ingress controller route entries without ingress class set |
 | ingressController.defaultSecretName | string | `nil` | Default secret name for ingresses without .spec.tls[].secretName set. |
@@ -618,7 +619,7 @@ contributors across the globe, there is almost always someone available to help.
 | operator.extraVolumes | list | `[]` | Additional cilium-operator volumes. |
 | operator.identityGCInterval | string | `"15m0s"` | Interval for identity garbage collection. |
 | operator.identityHeartbeatTimeout | string | `"30m0s"` | Timeout for identity heartbeats. |
-| operator.image | object | `{"alibabacloudDigest":"sha256:e0152c498ba73c56a82eee2a706c8f400e9a6999c665af31a935bdf08e659bc3","awsDigest":"sha256:785ccf1267d0ed3ba9e4bd8166577cb4f9e4ce996af26b27c9d5c554a0d5b09a","azureDigest":"sha256:9203f5583aa34e716d7a6588ebd144e43ce3b77873f578fc12b2679e33591353","genericDigest":"sha256:303f9076bdc73b3fc32aaedee64a14f6f44c8bb08ee9e3956d443021103ebe7a","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/operator","suffix":"","tag":"v1.14.5","useDigest":true}` | cilium-operator image. |
+| operator.image | object | `{"alibabacloudDigest":"sha256:765314779093b54750f83280f009229f20fe1f28466a633d9bb4143d2ad669c5","awsDigest":"sha256:041ad5b49ae63ba0f1974e1a1d9ebf9f52541cd2813088fa687f9d544125a1ec","azureDigest":"sha256:2d3b9d868eb03fa9256d34192a734a2abab283f527a9c97b7cefcd3401649d17","genericDigest":"sha256:1552d653870dd8ebbd16ee985a5497dd78a2097370978b0cfbd2da2072f30712","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/operator","suffix":"","tag":"v1.14.9","useDigest":true}` | cilium-operator image. |
 | operator.nodeGCInterval | string | `"5m0s"` | Interval for cilium node garbage collection. |
 | operator.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for cilium-operator pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector |
 | operator.podAnnotations | object | `{}` | Annotations to be added to cilium-operator pods |
@@ -665,7 +666,7 @@ contributors across the globe, there is almost always someone available to help.
 | preflight.extraEnv | list | `[]` | Additional preflight environment variables. |
 | preflight.extraVolumeMounts | list | `[]` | Additional preflight volumeMounts. |
 | preflight.extraVolumes | list | `[]` | Additional preflight volumes. |
-| preflight.image | object | `{"digest":"sha256:d3b287029755b6a47dee01420e2ea469469f1b174a2089c10af7e5e9289ef05b","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.14.5","useDigest":true}` | Cilium pre-flight image. |
+| preflight.image | object | `{"digest":"sha256:4ef1eb7a3bc39d0fefe14685e6c0d4e01301c40df2a89bc93ffca9a1ab927301","override":null,"pullPolicy":"IfNotPresent","repository":"quay.io/cilium/cilium","tag":"v1.14.9","useDigest":true}` | Cilium pre-flight image. |
 | preflight.nodeSelector | object | `{"kubernetes.io/os":"linux"}` | Node labels for preflight pod assignment ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector |
 | preflight.podAnnotations | object | `{}` | Annotations to be added to preflight pods |
 | preflight.podDisruptionBudget.enabled | bool | `false` | enable PodDisruptionBudget ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ |
--- a/packages/system/cilium/charts/cilium/files/agent/poststart-eni.bash
+++ b/packages/system/cilium/charts/cilium/files/agent/poststart-eni.bash
@@ -11,9 +11,9 @@ set -o nounset
 # dependencies on anything that is part of the startup script
 # itself, and can be safely run multiple times per node (e.g. in
 # case of a restart).
-if [[ "$(iptables-save | grep -c 'AWS-SNAT-CHAIN|AWS-CONNMARK-CHAIN')" != "0" ]];
+if [[ "$(iptables-save | grep -E -c 'AWS-SNAT-CHAIN|AWS-CONNMARK-CHAIN')" != "0" ]];
 then
    echo 'Deleting iptables rules created by the AWS CNI VPC plugin'
-    iptables-save | grep -v 'AWS-SNAT-CHAIN|AWS-CONNMARK-CHAIN' | iptables-restore
+    iptables-save | grep -E -v 'AWS-SNAT-CHAIN|AWS-CONNMARK-CHAIN' | iptables-restore
 fi
 echo 'Done!'
--- a/packages/system/cilium/charts/cilium/files/nodeinit/startup.bash
+++ b/packages/system/cilium/charts/cilium/files/nodeinit/startup.bash
@@ -100,7 +100,7 @@ then
    # Since that version containerd no longer allows missing configuration for the CNI,
    # not even for pods with hostNetwork set to true. Thus, we add a temporary one.
    # This will be replaced with the real config by the agent pod.
-    echo -e "{\n\t"cniVersion": "0.3.1",\n\t"name": "cilium",\n\t"type": "cilium-cni"\n}" > /etc/cni/net.d/05-cilium.conf
+    echo -e '{\n\t"cniVersion": "0.3.1",\n\t"name": "cilium",\n\t"type": "cilium-cni"\n}' > /etc/cni/net.d/05-cilium.conf
  fi
  # Start containerd. It won't create it's CNI configuration file anymore.
--- a/packages/system/cilium/charts/cilium/templates/cilium-agent/daemonset.yaml
+++ b/packages/system/cilium/charts/cilium/templates/cilium-agent/daemonset.yaml
@@ -447,6 +447,9 @@ spec:
        volumeMounts:
        - name: tmp
          mountPath: /tmp
        {{- with .Values.extraVolumeMounts }}
        {{- toYaml . | nindent 8 }}
        {{- end }}
        terminationMessagePolicy: FallbackToLogsOnError
      {{- if .Values.cgroup.autoMount.enabled }}
      # Required to mount cgroup2 filesystem on the underlying Kubernetes node.
--- a/packages/system/cilium/charts/cilium/templates/cilium-agent/servicemonitor.yaml
+++ b/packages/system/cilium/charts/cilium/templates/cilium-agent/servicemonitor.yaml
@@ -34,6 +34,20 @@ spec:
    metricRelabelings:
    {{- toYaml . | nindent 4 }}
    {{- end }}
  {{- if .Values.envoy.prometheus.serviceMonitor.enabled }}
  - port: envoy-metrics
    interval: {{ .Values.envoy.prometheus.serviceMonitor.interval | quote }}
    honorLabels: true
    path: /metrics
    {{- with .Values.envoy.prometheus.serviceMonitor.relabelings }}
    relabelings:
    {{- toYaml . | nindent 4 }}
    {{- end }}
    {{- with .Values.envoy.prometheus.serviceMonitor.metricRelabelings }}
    metricRelabelings:
    {{- toYaml . | nindent 4 }}
    {{- end }}
  {{- end }}
  targetLabels:
  - k8s-app
 {{- end }}
--- a/packages/system/cilium/charts/cilium/templates/cilium-configmap.yaml
+++ b/packages/system/cilium/charts/cilium/templates/cilium-configmap.yaml
@@ -13,6 +13,7 @@
 {{- $fragmentTracking := "true" -}}
 {{- $defaultKubeProxyReplacement := "false" -}}
 {{- $azureUsePrimaryAddress := "true" -}}
 {{- $defaultDNSProxyEnableTransparentMode := "false" -}}
 {{- /* Default values when 1.8 was initially deployed */ -}}
 {{- if semverCompare ">=1.8" (default "1.8" .Values.upgradeCompatibility) -}}
@@ -48,6 +49,7 @@
      {{- $azureUsePrimaryAddress = "false" -}}
  {{- end }}
  {{- $defaultKubeProxyReplacement = "disabled" -}}
  {{- $defaultDNSProxyEnableTransparentMode = "true" -}}
 {{- end -}}
 {{- /* Default values when 1.14 was initially deployed */ -}}
@@ -430,10 +432,16 @@ data:
  #   - vxlan (default)
  #   - geneve
 {{- if .Values.gke.enabled }}
  {{- if ne (.Values.routingMode | default "native") "native" }}
    {{- fail (printf "RoutingMode must be set to native when gke.enabled=true" )}}
  {{- end }}
  routing-mode: "native"
  enable-endpoint-routes: "true"
  enable-local-node-route: "false"
 {{- else if .Values.aksbyocni.enabled }}
  {{- if ne (.Values.routingMode | default "tunnel") "tunnel" }}
    {{- fail (printf "RoutingMode must be set to tunnel when aksbyocni.enabled=true" )}}
  {{- end }}
  routing-mode: "tunnel"
  tunnel-protocol: "vxlan"
 {{- else if .Values.routingMode }}
@@ -1092,6 +1100,13 @@ data:
 {{- end }}
 {{- if .Values.dnsProxy }}
  {{- if hasKey .Values.dnsProxy "enableTransparentMode" }}
  # explicit setting gets precedence
  dnsproxy-enable-transparent-mode: {{ .Values.dnsProxy.enableTransparentMode | quote }}
  {{- else if eq $cniChainingMode "none" }}
  # default DNS proxy to transparent mode in non-chaining modes
  dnsproxy-enable-transparent-mode: {{ $defaultDNSProxyEnableTransparentMode | quote }}
  {{- end }}
  {{- if .Values.dnsProxy.dnsRejectResponseCode }}
  tofqdns-dns-reject-response-code: {{ .Values.dnsProxy.dnsRejectResponseCode | quote }}
  {{- end }}
--- a/packages/system/cilium/charts/cilium/templates/cilium-envoy/daemonset.yaml
+++ b/packages/system/cilium/charts/cilium/templates/cilium-envoy/daemonset.yaml
@@ -82,7 +82,7 @@ spec:
        {{- if semverCompare ">=1.20-0" .Capabilities.KubeVersion.Version }}
        startupProbe:
          httpGet:
-            host: "localhost"
+            host: {{ .Values.ipv4.enabled | ternary "127.0.0.1" "::1" | quote }}
            path: /healthz
            port: {{ .Values.envoy.healthPort }}
            scheme: HTTP
@@ -92,7 +92,7 @@ spec:
        {{- end }}
        livenessProbe:
          httpGet:
-            host: "localhost"
+            host: {{ .Values.ipv4.enabled | ternary "127.0.0.1" "::1" | quote }}
            path: /healthz
            port: {{ .Values.envoy.healthPort }}
            scheme: HTTP
@@ -110,7 +110,7 @@ spec:
          timeoutSeconds: 5
        readinessProbe:
          httpGet:
-            host: "localhost"
+            host: {{ .Values.ipv4.enabled | ternary "127.0.0.1" "::1" | quote }}
            path: /healthz
            port: {{ .Values.envoy.healthPort }}
            scheme: HTTP
--- a/packages/system/cilium/charts/cilium/templates/cilium-envoy/servicemonitor.yaml
+++ b/packages/system/cilium/charts/cilium/templates/cilium-envoy/servicemonitor.yaml
@@ -7,6 +7,7 @@ metadata:
  namespace: {{ .Values.envoy.prometheus.serviceMonitor.namespace | default .Release.Namespace }}
  labels:
    app.kubernetes.io/part-of: cilium
    app.kubernetes.io/name: cilium-envoy
    {{- with .Values.envoy.prometheus.serviceMonitor.labels }}
    {{- toYaml . | nindent 4 }}
    {{- end }}
@@ -22,7 +23,7 @@ spec:
    matchNames:
    - {{ .Release.Namespace }}
  endpoints:
-  - port: metrics
+  - port: envoy-metrics
    interval: {{ .Values.envoy.prometheus.serviceMonitor.interval | quote }}
    honorLabels: true
    path: /metrics
--- a/packages/system/cilium/charts/cilium/templates/cilium-preflight/daemonset.yaml
+++ b/packages/system/cilium/charts/cilium/templates/cilium-preflight/daemonset.yaml
@@ -66,8 +66,13 @@ spec:
              - /tmp/ready
            initialDelaySeconds: 5
            periodSeconds: 5
          {{- with .Values.preflight.extraEnv }}
          env:
          - name: K8S_NODE_NAME
            valueFrom:
              fieldRef:
                apiVersion: v1
                fieldPath: spec.nodeName
          {{- with .Values.preflight.extraEnv }}
            {{- toYaml . | trim | nindent 12 }}
          {{- end }}
          volumeMounts:
--- a/packages/system/cilium/charts/cilium/templates/spire/agent/daemonset.yaml
+++ b/packages/system/cilium/charts/cilium/templates/spire/agent/daemonset.yaml
@@ -88,10 +88,12 @@ spec:
      nodeSelector:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- with .Values.authentication.mutual.spire.install.agent.tolerations }}
      tolerations:
-        {{- toYaml . | trim | nindent 8 }}
+        {{- with .Values.authentication.mutual.spire.install.agent.tolerations }}
-      {{- end }}
+          {{- toYaml . | trim | nindent 8 }}
        {{- end }}
        - key:  {{ .Values.agentNotReadyTaintKey | default "node.cilium.io/agent-not-ready" }}
          effect: NoSchedule
      volumes:
        - name: spire-config
          configMap:
--- a/packages/system/cilium/charts/cilium/values.yaml
+++ b/packages/system/cilium/charts/cilium/values.yaml
@@ -143,10 +143,10 @@ rollOutCiliumPods: false
 image:
  override: ~
  repository: "quay.io/cilium/cilium"
-  tag: "v1.14.5"
+  tag: "v1.14.9"
  pullPolicy: "IfNotPresent"
  # cilium-digest
-  digest: "sha256:d3b287029755b6a47dee01420e2ea469469f1b174a2089c10af7e5e9289ef05b"
+  digest: "sha256:4ef1eb7a3bc39d0fefe14685e6c0d4e01301c40df2a89bc93ffca9a1ab927301"
  useDigest: true
 # -- Affinity for cilium-agent.
@@ -1109,9 +1109,9 @@ hubble:
    image:
      override: ~
      repository: "quay.io/cilium/hubble-relay"
-      tag: "v1.14.5"
+      tag: "v1.14.9"
       # hubble-relay-digest
-      digest: "sha256:dbef89f924a927043d02b40c18e417c1ea0e8f58b44523b80fef7e3652db24d4"
+      digest: "sha256:f506f3c6e0a979437cde79eb781654fda4f10ddb5642cebc4dc81254cfb7eeaa"
      useDigest: true
      pullPolicy: "IfNotPresent"
@@ -1337,8 +1337,8 @@ hubble:
      image:
        override: ~
        repository: "quay.io/cilium/hubble-ui-backend"
-        tag: "v0.12.1"
+        tag: "v0.13.0"
-        digest: "sha256:1f86f3400827a0451e6332262467f894eeb7caf0eb8779bd951e2caa9d027cbe"
+        digest: "sha256:1e7657d997c5a48253bb8dc91ecee75b63018d16ff5e5797e5af367336bc8803"
        useDigest: true
        pullPolicy: "IfNotPresent"
@@ -1368,8 +1368,8 @@ hubble:
      image:
        override: ~
        repository: "quay.io/cilium/hubble-ui"
-        tag: "v0.12.1"
+        tag: "v0.13.0"
-        digest: "sha256:9e5f81ee747866480ea1ac4630eb6975ff9227f9782b7c93919c081c33f38267"
+        digest: "sha256:7d663dc16538dd6e29061abd1047013a645e6e69c115e008bee9ea9fef9a6666"
        useDigest: true
        pullPolicy: "IfNotPresent"
@@ -1853,9 +1853,9 @@ envoy:
  image:
    override: ~
    repository: "quay.io/cilium/cilium-envoy"
-    tag: "v1.26.6-ad82c7c56e88989992fd25d8d67747de865c823b"
+    tag: "v1.26.7-bbde4095997ea57ead209f56158790d47224a0f5"
    pullPolicy: "IfNotPresent"
-    digest: "sha256:992998398dadfff7117bfa9fdb7c9474fefab7f0237263f7c8114e106c67baca"
+    digest: "sha256:39b75548447978230dedcf25da8940e4d3540c741045ef391a8e74dbb9661a86"
    useDigest: true
  # -- Additional containers added to the cilium Envoy DaemonSet.
@@ -1968,7 +1968,20 @@ envoy:
        labelSelector:
          matchLabels:
            k8s-app: cilium-envoy
-
+    podAffinity:
      requiredDuringSchedulingIgnoredDuringExecution:
      - topologyKey: kubernetes.io/hostname
        labelSelector:
          matchLabels:
            k8s-app: cilium
    nodeAffinity:
      requiredDuringSchedulingIgnoredDuringExecution:
        nodeSelectorTerms:
          - matchExpressions:
            - key: cilium.io/no-schedule
              operator: NotIn
              values:
              - "true"
  # -- Node selector for cilium-envoy.
  nodeSelector:
    kubernetes.io/os: linux
@@ -1989,12 +2002,16 @@ envoy:
  # Ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy
  dnsPolicy: ~
  # -- Configure Cilium Envoy Prometheus options.
  # Note that some of these apply to either cilium-agent or cilium-envoy.
  prometheus:
    # -- Enable prometheus metrics for cilium-envoy
    enabled: true
    serviceMonitor:
      # -- Enable service monitors.
      # This requires the prometheus CRDs to be available (see https://github.com/prometheus-operator/prometheus-operator/blob/main/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml)
      # Note that this setting applies to both cilium-envoy _and_ cilium-agent
      # with Envoy enabled.
      enabled: false
      # -- Labels to add to ServiceMonitor cilium-envoy
      labels: {}
@@ -2006,12 +2023,14 @@ envoy:
      # service monitors configured.
      # namespace: ""
      # -- Relabeling configs for the ServiceMonitor cilium-envoy
      # or for cilium-agent with Envoy configured.
      relabelings:
        - sourceLabels:
            - __meta_kubernetes_pod_node_name
          targetLabel: node
          replacement: ${1}
      # -- Metrics relabeling configs for the ServiceMonitor cilium-envoy
      # or for cilium-agent with Envoy configured.
      metricRelabelings: ~
    # -- Serve prometheus metrics for cilium-envoy on the configured port
    port: "9964"
@@ -2250,15 +2269,15 @@ operator:
  image:
    override: ~
    repository: "quay.io/cilium/operator"
-    tag: "v1.14.5"
+    tag: "v1.14.9"
    # operator-generic-digest
-    genericDigest: "sha256:303f9076bdc73b3fc32aaedee64a14f6f44c8bb08ee9e3956d443021103ebe7a"
+    genericDigest: "sha256:1552d653870dd8ebbd16ee985a5497dd78a2097370978b0cfbd2da2072f30712"
    # operator-azure-digest
-    azureDigest: "sha256:9203f5583aa34e716d7a6588ebd144e43ce3b77873f578fc12b2679e33591353"
+    azureDigest: "sha256:2d3b9d868eb03fa9256d34192a734a2abab283f527a9c97b7cefcd3401649d17"
    # operator-aws-digest
-    awsDigest: "sha256:785ccf1267d0ed3ba9e4bd8166577cb4f9e4ce996af26b27c9d5c554a0d5b09a"
+    awsDigest: "sha256:041ad5b49ae63ba0f1974e1a1d9ebf9f52541cd2813088fa687f9d544125a1ec"
    # operator-alibabacloud-digest
-    alibabacloudDigest: "sha256:e0152c498ba73c56a82eee2a706c8f400e9a6999c665af31a935bdf08e659bc3"
+    alibabacloudDigest: "sha256:765314779093b54750f83280f009229f20fe1f28466a633d9bb4143d2ad669c5"
    useDigest: true
    pullPolicy: "IfNotPresent"
    suffix: ""
@@ -2535,9 +2554,9 @@ preflight:
  image:
    override: ~
    repository: "quay.io/cilium/cilium"
-    tag: "v1.14.5"
+    tag: "v1.14.9"
    # cilium-digest
-    digest: "sha256:d3b287029755b6a47dee01420e2ea469469f1b174a2089c10af7e5e9289ef05b"
+    digest: "sha256:4ef1eb7a3bc39d0fefe14685e6c0d4e01301c40df2a89bc93ffca9a1ab927301"
    useDigest: true
    pullPolicy: "IfNotPresent"
@@ -2685,9 +2704,9 @@ clustermesh:
    image:
      override: ~
      repository: "quay.io/cilium/clustermesh-apiserver"
-      tag: "v1.14.5"
+      tag: "v1.14.9"
      # clustermesh-apiserver-digest
-      digest: "sha256:7eaa35cf5452c43b1f7d0cde0d707823ae7e49965bcb54c053e31ea4e04c3d96"
+      digest: "sha256:5c16f8b8e22ce41e11998e70846fbcecea3a6b683a38253809ead8d871f6d8a3"
      useDigest: true
      pullPolicy: "IfNotPresent"
@@ -2732,9 +2751,9 @@ clustermesh:
      image:
        override: ~
        repository: "quay.io/cilium/kvstoremesh"
-        tag: "v1.14.5"
+        tag: "v1.14.9"
        # kvstoremesh-digest
-        digest: "sha256:d7137edd0efa2b1407b20088af3980a9993bb616d85bf9b55ea2891d1b99023a"
+        digest: "sha256:9d9efb25806660f3663b9cd803fb8679f2b115763470002a9770e2c1eb1e5b22"
        useDigest: true
        pullPolicy: "IfNotPresent"
@@ -3086,6 +3105,8 @@ dnsProxy:
  proxyPort: 0
  # -- The maximum time the DNS proxy holds an allowed DNS response before sending it along. Responses are sent as soon as the datapath is updated with the new IP information.
  proxyResponseMaxDelay: 100ms
  # -- DNS proxy operation mode (true/false, or unset to use version dependent defaults)
  # enableTransparentMode: true
 # -- SCTP Configuration Values
 sctp:
@@ -3136,8 +3157,21 @@ authentication:
          # -- SPIRE Workload Attestor kubelet verification.
          skipKubeletVerification: true
          # -- SPIRE agent tolerations configuration
          # By default it follows the same tolerations as the agent itself
          # to allow the Cilium agent on this node to connect to SPIRE.
          # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/
-          tolerations: []
+          tolerations:
          - key: node.kubernetes.io/not-ready
            effect: NoSchedule
          - key: node-role.kubernetes.io/master
            effect: NoSchedule
          - key: node-role.kubernetes.io/control-plane
            effect: NoSchedule
          - key: node.cloudprovider.kubernetes.io/uninitialized
            effect: NoSchedule
            value: "true"
          - key: CriticalAddonsOnly
            operator: "Exists"
          # -- SPIRE agent affinity configuration
          affinity: {}
          # -- SPIRE agent nodeSelector configuration
--- a/packages/system/cilium/charts/cilium/values.yaml.tmpl
+++ b/packages/system/cilium/charts/cilium/values.yaml.tmpl
@@ -1854,9 +1854,9 @@ envoy:
  image:
    override: ~
    repository: "quay.io/cilium/cilium-envoy"
-    tag: "v1.26.6-ad82c7c56e88989992fd25d8d67747de865c823b"
+    tag: "v1.26.7-bbde4095997ea57ead209f56158790d47224a0f5"
    pullPolicy: "${PULL_POLICY}"
-    digest: "sha256:992998398dadfff7117bfa9fdb7c9474fefab7f0237263f7c8114e106c67baca"
+    digest: "sha256:39b75548447978230dedcf25da8940e4d3540c741045ef391a8e74dbb9661a86"
    useDigest: true
  # -- Additional containers added to the cilium Envoy DaemonSet.
@@ -1969,7 +1969,20 @@ envoy:
        labelSelector:
          matchLabels:
            k8s-app: cilium-envoy
-
+    podAffinity:
      requiredDuringSchedulingIgnoredDuringExecution:
      - topologyKey: kubernetes.io/hostname
        labelSelector:
          matchLabels:
            k8s-app: cilium
    nodeAffinity:
      requiredDuringSchedulingIgnoredDuringExecution:
        nodeSelectorTerms:
          - matchExpressions:
            - key: cilium.io/no-schedule
              operator: NotIn
              values:
              - "true"
  # -- Node selector for cilium-envoy.
  nodeSelector:
    kubernetes.io/os: linux
@@ -1990,12 +2003,16 @@ envoy:
  # Ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy
  dnsPolicy: ~
  # -- Configure Cilium Envoy Prometheus options.
  # Note that some of these apply to either cilium-agent or cilium-envoy.
  prometheus:
    # -- Enable prometheus metrics for cilium-envoy
    enabled: true
    serviceMonitor:
      # -- Enable service monitors.
      # This requires the prometheus CRDs to be available (see https://github.com/prometheus-operator/prometheus-operator/blob/main/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml)
      # Note that this setting applies to both cilium-envoy _and_ cilium-agent
      # with Envoy enabled.
      enabled: false
      # -- Labels to add to ServiceMonitor cilium-envoy
      labels: {}
@@ -2007,12 +2024,14 @@ envoy:
      # service monitors configured.
      # namespace: ""
      # -- Relabeling configs for the ServiceMonitor cilium-envoy
      # or for cilium-agent with Envoy configured.
      relabelings:
        - sourceLabels:
            - __meta_kubernetes_pod_node_name
          targetLabel: node
          replacement: ${1}
      # -- Metrics relabeling configs for the ServiceMonitor cilium-envoy
      # or for cilium-agent with Envoy configured.
      metricRelabelings: ~
    # -- Serve prometheus metrics for cilium-envoy on the configured port
    port: "9964"
@@ -3089,6 +3108,8 @@ dnsProxy:
  proxyPort: 0
  # -- The maximum time the DNS proxy holds an allowed DNS response before sending it along. Responses are sent as soon as the datapath is updated with the new IP information.
  proxyResponseMaxDelay: 100ms
  # -- DNS proxy operation mode (true/false, or unset to use version dependent defaults)
  # enableTransparentMode: true
 # -- SCTP Configuration Values
 sctp:
@@ -3139,8 +3160,21 @@ authentication:
          # -- SPIRE Workload Attestor kubelet verification.
          skipKubeletVerification: true
          # -- SPIRE agent tolerations configuration
          # By default it follows the same tolerations as the agent itself
          # to allow the Cilium agent on this node to connect to SPIRE.
          # ref: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/
-          tolerations: []
+          tolerations:
          - key: node.kubernetes.io/not-ready
            effect: NoSchedule
          - key: node-role.kubernetes.io/master
            effect: NoSchedule
          - key: node-role.kubernetes.io/control-plane
            effect: NoSchedule
          - key: node.cloudprovider.kubernetes.io/uninitialized
            effect: NoSchedule
            value: "true"
          - key: CriticalAddonsOnly
            operator: "Exists"
          # -- SPIRE agent affinity configuration
          affinity: {}
          # -- SPIRE agent nodeSelector configuration
--- a/packages/system/cilium/values.yaml
+++ b/packages/system/cilium/values.yaml
@@ -3,11 +3,10 @@ cilium:
    enabled: false
  externalIPs:
    enabled: true
  tunnel: disabled
  autoDirectNodeRoutes: false
  kubeProxyReplacement: strict
  bpf:
-    masquerade: true
+    masquerade: false
  loadBalancer:
    algorithm: maglev
  cgroup:
@@ -25,3 +24,4 @@ cilium:
    configMap: cni-configuration
  routingMode: native
  enableIPv4Masquerade: false
  enableIdentityMark: false
--- a/packages/system/dashboard/Makefile
+++ b/packages/system/dashboard/Makefile
@@ -3,7 +3,7 @@ NAMESPACE=cozy-dashboard
 PUSH := 1
 LOAD := 0
 REPOSITORY := ghcr.io/aenix-io/cozystack
-TAG := v0.1.0
+TAG := v0.2.0
 show:
 	helm template --dry-run=server -n $(NAMESPACE) $(NAME) .
--- a/packages/system/dashboard/charts/kubeapps/.helmignore
+++ b/packages/system/dashboard/charts/kubeapps/.helmignore
@@ -22,3 +22,5 @@
 .project
 .idea/
 *.tmproj
 # img folder
 img/
--- a/packages/system/dashboard/charts/kubeapps/Chart.lock
+++ b/packages/system/dashboard/charts/kubeapps/Chart.lock
@@ -1,12 +1,12 @@
 dependencies:
 - name: redis
  repository: oci://registry-1.docker.io/bitnamicharts
-  version: 18.4.0
+  version: 18.19.2
 - name: postgresql
  repository: oci://registry-1.docker.io/bitnamicharts
-  version: 13.2.14
+  version: 13.4.6
 - name: common
  repository: oci://registry-1.docker.io/bitnamicharts
-  version: 2.13.3
+  version: 2.19.0
-digest: sha256:7bede05a463745ea72d332aaaf406d84e335d8af09dce403736f4e4e14c3554d
+digest: sha256:b4965a22517e61212e78abb8d1cbe86e800c8664b3139e2047f4bd62b3e55b24
-generated: "2023-11-21T18:18:20.024990735Z"
+generated: "2024-03-13T11:51:34.216594+01:00"
--- a/packages/system/dashboard/charts/kubeapps/Chart.yaml
+++ b/packages/system/dashboard/charts/kubeapps/Chart.yaml
@@ -2,21 +2,21 @@ annotations:
  category: Infrastructure
  images: |
    - name: kubeapps-apis
-      image: docker.io/bitnami/kubeapps-apis:2.9.0-debian-11-r13
+      image: docker.io/bitnami/kubeapps-apis:2.9.0-debian-12-r19
    - name: kubeapps-apprepository-controller
-      image: docker.io/bitnami/kubeapps-apprepository-controller:2.9.0-debian-11-r12
+      image: docker.io/bitnami/kubeapps-apprepository-controller:2.9.0-debian-12-r18
    - name: kubeapps-asset-syncer
-      image: docker.io/bitnami/kubeapps-asset-syncer:2.9.0-debian-11-r13
+      image: docker.io/bitnami/kubeapps-asset-syncer:2.9.0-debian-12-r19
    - name: kubeapps-oci-catalog
      image: docker.io/bitnami/kubeapps-oci-catalog:2.9.0-debian-11-r6
    - name: kubeapps-pinniped-proxy
      image: docker.io/bitnami/kubeapps-pinniped-proxy:2.9.0-debian-11-r10
    - name: kubeapps-dashboard
-      image: docker.io/bitnami/kubeapps-dashboard:2.9.0-debian-11-r16
+      image: docker.io/bitnami/kubeapps-dashboard:2.9.0-debian-12-r18
    - name: kubeapps-oci-catalog
      image: docker.io/bitnami/kubeapps-oci-catalog:2.9.0-debian-12-r17
    - name: kubeapps-pinniped-proxy
      image: docker.io/bitnami/kubeapps-pinniped-proxy:2.9.0-debian-12-r17
    - name: nginx
-      image: docker.io/bitnami/nginx:1.25.3-debian-11-r1
+      image: docker.io/bitnami/nginx:1.25.4-debian-12-r3
    - name: oauth2-proxy
-      image: docker.io/bitnami/oauth2-proxy:7.5.1-debian-11-r11
+      image: docker.io/bitnami/oauth2-proxy:7.6.0-debian-12-r4
  licenses: Apache-2.0
 apiVersion: v2
 appVersion: 2.9.0
@@ -51,4 +51,4 @@ maintainers:
 name: kubeapps
 sources:
 - https://github.com/bitnami/charts/tree/main/bitnami/kubeapps
-version: 14.1.2
+version: 14.7.2
--- a/packages/system/dashboard/charts/kubeapps/README.md
+++ b/packages/system/dashboard/charts/kubeapps/README.md
--- a/packages/system/dashboard/charts/kubeapps/charts/common/.helmignore
+++ b/packages/system/dashboard/charts/kubeapps/charts/common/.helmignore
@@ -20,3 +20,5 @@
 .idea/
 *.tmproj
 .vscode/
 # img folder
 img/
--- a/packages/system/dashboard/charts/kubeapps/charts/common/Chart.yaml
+++ b/packages/system/dashboard/charts/kubeapps/charts/common/Chart.yaml
@@ -2,7 +2,7 @@ annotations:
  category: Infrastructure
  licenses: Apache-2.0
 apiVersion: v2
-appVersion: 2.13.3
+appVersion: 2.19.0
 description: A Library Helm Chart for grouping common logic between bitnami charts.
  This chart is not deployable by itself.
 home: https://bitnami.com
@@ -20,4 +20,4 @@ name: common
 sources:
 - https://github.com/bitnami/charts
 type: library
-version: 2.13.3
+version: 2.19.0
--- a/packages/system/dashboard/charts/kubeapps/charts/common/README.md
+++ b/packages/system/dashboard/charts/kubeapps/charts/common/README.md
@@ -24,14 +24,14 @@ data:
  myvalue: "Hello World"
 ```
 Looking to use our applications in production? Try [VMware Tanzu Application Catalog](https://bitnami.com/enterprise), the enterprise edition of Bitnami Application Catalog.
 ## Introduction
 This chart provides a common template helpers which can be used to develop new charts using [Helm](https://helm.sh) package manager.
 Bitnami charts can be used with [Kubeapps](https://kubeapps.dev/) for deployment and management of Helm Charts in clusters.
 Looking to use our applications in production? Try [VMware Application Catalog](https://bitnami.com/enterprise), the enterprise edition of Bitnami Application Catalog.
 ## Prerequisites
 - Kubernetes 1.23+
@@ -220,7 +220,7 @@ helm install test mychart --set path.to.value00="",path.to.value01=""
 ## License
-Copyright &copy; 2023 VMware, Inc.
+Copyright &copy; 2024 Broadcom. The term "Broadcom" refers to Broadcom Inc. and/or its subsidiaries.
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
--- a/packages/system/dashboard/charts/kubeapps/charts/common/templates/_compatibility.tpl
+++ b/packages/system/dashboard/charts/kubeapps/charts/common/templates/_compatibility.tpl
@@ -0,0 +1,39 @@
 {{/*
 Copyright VMware, Inc.
 SPDX-License-Identifier: APACHE-2.0
 */}}
 {{/* vim: set filetype=mustache: */}}
 {{/* 
 Return true if the detected platform is Openshift
 Usage:
 {{- include "common.compatibility.isOpenshift" . -}}
 */}}
 {{- define "common.compatibility.isOpenshift" -}}
 {{- if .Capabilities.APIVersions.Has "security.openshift.io/v1" -}}
 {{- true -}}
 {{- end -}}
 {{- end -}}
 {{/*
 Render a compatible securityContext depending on the platform. By default it is maintained as it is. In other platforms like Openshift we remove default user/group values that do not work out of the box with the restricted-v1 SCC
 Usage:
 {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) -}}
 */}}
 {{- define "common.compatibility.renderSecurityContext" -}}
 {{- $adaptedContext := .secContext -}}
 {{- if .context.Values.global.compatibility -}}
  {{- if .context.Values.global.compatibility.openshift -}}
    {{- if or (eq .context.Values.global.compatibility.openshift.adaptSecurityContext "force") (and (eq .context.Values.global.compatibility.openshift.adaptSecurityContext "auto") (include "common.compatibility.isOpenshift" .context)) -}}
      {{/* Remove incompatible user/group values that do not work in Openshift out of the box */}}
      {{- $adaptedContext = omit $adaptedContext "fsGroup" "runAsUser" "runAsGroup" -}}
      {{- if not .secContext.seLinuxOptions -}}
      {{/* If it is an empty object, we remove it from the resulting context because it causes validation issues */}}
      {{- $adaptedContext = omit $adaptedContext "seLinuxOptions" -}}
      {{- end -}}
    {{- end -}}
  {{- end -}}
 {{- end -}}
 {{- omit $adaptedContext "enabled" | toYaml -}}
 {{- end -}}
--- a/packages/system/dashboard/charts/kubeapps/charts/common/templates/_resources.tpl
+++ b/packages/system/dashboard/charts/kubeapps/charts/common/templates/_resources.tpl
@@ -0,0 +1,50 @@
 {{/*
 Copyright VMware, Inc.
 SPDX-License-Identifier: APACHE-2.0
 */}}
 {{/* vim: set filetype=mustache: */}}
 {{/*
 Return a resource request/limit object based on a given preset.
 These presets are for basic testing and not meant to be used in production
 {{ include "common.resources.preset" (dict "type" "nano") -}}
 */}}
 {{- define "common.resources.preset" -}}
 {{/* The limits are the requests increased by 50% (except ephemeral-storage)*/}}
 {{- $presets := dict 
  "nano" (dict 
      "requests" (dict "cpu" "100m" "memory" "128Mi" "ephemeral-storage" "50Mi")
      "limits" (dict "cpu" "150m" "memory" "192Mi" "ephemeral-storage" "1024Mi")
   )
  "micro" (dict 
      "requests" (dict "cpu" "250m" "memory" "256Mi" "ephemeral-storage" "50Mi")
      "limits" (dict "cpu" "375m" "memory" "384Mi" "ephemeral-storage" "1024Mi")
   )
  "small" (dict 
      "requests" (dict "cpu" "500m" "memory" "512Mi" "ephemeral-storage" "50Mi")
      "limits" (dict "cpu" "750m" "memory" "768Mi" "ephemeral-storage" "1024Mi")
   )
  "medium" (dict 
      "requests" (dict "cpu" "500m" "memory" "1024Mi" "ephemeral-storage" "50Mi")
      "limits" (dict "cpu" "750m" "memory" "1536Mi" "ephemeral-storage" "1024Mi")
   )
  "large" (dict 
      "requests" (dict "cpu" "1.0" "memory" "2048Mi" "ephemeral-storage" "50Mi")
      "limits" (dict "cpu" "1.5" "memory" "3072Mi" "ephemeral-storage" "1024Mi")
   )
  "xlarge" (dict 
      "requests" (dict "cpu" "2.0" "memory" "4096Mi" "ephemeral-storage" "50Mi")
      "limits" (dict "cpu" "3.0" "memory" "6144Mi" "ephemeral-storage" "1024Mi")
   )
  "2xlarge" (dict 
      "requests" (dict "cpu" "4.0" "memory" "8192Mi" "ephemeral-storage" "50Mi")
      "limits" (dict "cpu" "6.0" "memory" "12288Mi" "ephemeral-storage" "1024Mi")
   )
 }}
 {{- if hasKey $presets .type -}}
 {{- index $presets .type | toYaml -}}
 {{- else -}}
 {{- printf "ERROR: Preset key '%s' invalid. Allowed values are %s" .type (join "," (keys $presets)) | fail -}}
 {{- end -}}
 {{- end -}}
--- a/packages/system/dashboard/charts/kubeapps/charts/common/templates/_secrets.tpl
+++ b/packages/system/dashboard/charts/kubeapps/charts/common/templates/_secrets.tpl
@@ -78,6 +78,8 @@ Params:
  - chartName - String - Optional - Name of the chart used when said chart is deployed as a subchart.
  - context - Context - Required - Parent context.
  - failOnNew - Boolean - Optional - Default to true. If set to false, skip errors adding new keys to existing secrets.
  - skipB64enc - Boolean - Optional - Default to false. If set to true, no the secret will not be base64 encrypted.
  - skipQuote - Boolean - Optional - Default to false. If set to true, no quotes will be added around the secret.
 The order in which this function returns a secret password:
  1. Already existing 'Secret' resource
     (If a 'Secret' resource is found under the name provided to the 'secret' parameter to this function and that 'Secret' resource contains a key with the name passed as the 'key' parameter to this function then the value of this existing secret password will be returned)
@@ -91,7 +93,6 @@ The order in which this function returns a secret password:
 {{- $password := "" }}
 {{- $subchart := "" }}
 {{- $failOnNew := default true .failOnNew }}
 {{- $chartName := default "" .chartName }}
 {{- $passwordLength := default 10 .length }}
 {{- $providedPasswordKey := include "common.utils.getKeyFromList" (dict "keys" .providedValues "context" $.context) }}
@@ -99,12 +100,14 @@ The order in which this function returns a secret password:
 {{- $secretData := (lookup "v1" "Secret" (include "common.names.namespace" .context) .secret).data }}
 {{- if $secretData }}
  {{- if hasKey $secretData .key }}
-    {{- $password = index $secretData .key | quote }}
+    {{- $password = index $secretData .key | b64dec }}
-  {{- else if $failOnNew }}
+  {{- else if not (eq .failOnNew false) }}
    {{- printf "\nPASSWORDS ERROR: The secret \"%s\" does not contain the key \"%s\"\n" .secret .key | fail -}}
  {{- else if $providedPasswordValue }}
    {{- $password = $providedPasswordValue | toString }}
  {{- end -}}
 {{- else if $providedPasswordValue }}
-  {{- $password = $providedPasswordValue | toString | b64enc | quote }}
+  {{- $password = $providedPasswordValue | toString }}
 {{- else }}
  {{- if .context.Values.enabled }}
@@ -120,12 +123,19 @@ The order in which this function returns a secret password:
    {{- $subStr := list (lower (randAlpha 1)) (randNumeric 1) (upper (randAlpha 1)) | join "_" }}
    {{- $password = randAscii $passwordLength }}
    {{- $password = regexReplaceAllLiteral "\\W" $password "@" | substr 5 $passwordLength }}
-    {{- $password = printf "%s%s" $subStr $password | toString | shuffle | b64enc | quote }}
+    {{- $password = printf "%s%s" $subStr $password | toString | shuffle }}
  {{- else }}
-    {{- $password = randAlphaNum $passwordLength | b64enc | quote }}
+    {{- $password = randAlphaNum $passwordLength }}
  {{- end }}
 {{- end -}}
 {{- if not .skipB64enc }}
 {{- $password = $password | b64enc }}
 {{- end -}}
 {{- if .skipQuote -}}
 {{- printf "%s" $password -}}
 {{- else -}}
 {{- printf "%s" $password | quote -}}
 {{- end -}}
 {{- end -}}
 {{/*
--- a/packages/system/dashboard/charts/kubeapps/charts/common/templates/_warnings.tpl
+++ b/packages/system/dashboard/charts/kubeapps/charts/common/templates/_warnings.tpl
@@ -13,7 +13,70 @@ Usage:
 {{- if and (contains "bitnami/" .repository) (not (.tag | toString | regexFind "-r\\d+$|sha256:")) }}
 WARNING: Rolling tag detected ({{ .repository }}:{{ .tag }}), please note that it is strongly recommended to avoid using rolling tags in a production environment.
-+info https://docs.bitnami.com/containers/how-to/understand-rolling-tags-containers/
+info https://docs.bitnami.com/tutorials/understand-rolling-tags-containers
 {{- end }}
-
+{{- end -}}
 {{/*
 Warning about not setting the resource object in all deployments.
 Usage:
 {{ include "common.warnings.resources" (dict "sections" (list "path1" "path2") context $) }}
 Example:
 {{- include "common.warnings.resources" (dict "sections" (list "csiProvider.provider" "server" "volumePermissions" "") "context" $) }}
 The list in the example assumes that the following values exist:
  - csiProvider.provider.resources
  - server.resources
  - volumePermissions.resources
  - resources
 */}}
 {{- define "common.warnings.resources" -}}
 {{- $values := .context.Values -}}
 {{- $printMessage := false -}}
 {{ $affectedSections := list -}}
 {{- range .sections -}}
  {{- if eq . "" -}}
    {{/* Case where the resources section is at the root (one main deployment in the chart) */}}
    {{- if not (index $values "resources") -}}
    {{- $affectedSections = append $affectedSections "resources" -}}
    {{- $printMessage = true -}}
    {{- end -}}
  {{- else -}}
    {{/* Case where the are multiple resources sections (more than one main deployment in the chart) */}}
    {{- $keys := split "." . -}}
    {{/* We iterate through the different levels until arriving to the resource section. Example: a.b.c.resources */}}
    {{- $section := $values -}}
    {{- range $keys -}}
      {{- $section = index $section . -}}
    {{- end -}}
    {{- if not (index $section "resources") -}}
      {{/* If the section has enabled=false or replicaCount=0, do not include it */}}
      {{- if and (hasKey $section "enabled") -}}
        {{- if index $section "enabled" -}}
          {{/* enabled=true */}}
          {{- $affectedSections = append $affectedSections (printf "%s.resources" .) -}}
          {{- $printMessage = true -}}
        {{- end -}}
      {{- else if and (hasKey $section "replicaCount")  -}}
        {{/* We need a casting to int because number 0 is not treated as an int by default */}}
        {{- if (gt (index $section "replicaCount" | int) 0) -}}
          {{/* replicaCount > 0 */}}
          {{- $affectedSections = append $affectedSections (printf "%s.resources" .) -}}
          {{- $printMessage = true -}}
        {{- end -}}
      {{- else -}}
        {{/* Default case, add it to the affected sections */}}
        {{- $affectedSections = append $affectedSections (printf "%s.resources" .) -}}
        {{- $printMessage = true -}}
      {{- end -}}
    {{- end -}}
  {{- end -}}
 {{- end -}}
 {{- if $printMessage }}
 WARNING: There are "resources" sections in the chart not set. Using "resourcesPreset" is not recommended for production. For production installations, please set the following values according to your workload needs:
 {{- range $affectedSections }}
  - {{ . }}
 {{- end }}
 +info https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
 {{- end -}}
 {{- end -}}
--- a/packages/system/dashboard/charts/kubeapps/charts/redis/.helmignore
+++ b/packages/system/dashboard/charts/kubeapps/charts/redis/.helmignore
@@ -19,3 +19,5 @@
 .project
 .idea/
 *.tmproj
 # img folder
 img/
--- a/packages/system/dashboard/charts/kubeapps/charts/redis/Chart.lock
+++ b/packages/system/dashboard/charts/kubeapps/charts/redis/Chart.lock
@@ -1,6 +1,6 @@
 dependencies:
 - name: common
  repository: oci://registry-1.docker.io/bitnamicharts
-  version: 2.13.3
+  version: 2.19.0
-digest: sha256:9a971689db0c66ea95ac2e911c05014c2b96c6077c991131ff84f2982f88fb83
+digest: sha256:ac559eb57710d8904e266424ee364cd686d7e24517871f0c5c67f7c4500c2bcc
-generated: "2023-10-19T12:32:36.790999138Z"
+generated: "2024-03-08T15:56:40.04210215Z"
--- a/packages/system/dashboard/charts/kubeapps/charts/redis/Chart.yaml
+++ b/packages/system/dashboard/charts/kubeapps/charts/redis/Chart.yaml
@@ -1,17 +1,19 @@
 annotations:
  category: Database
  images: |
    - name: kubectl
      image: docker.io/bitnami/kubectl:1.29.2-debian-12-r3
    - name: os-shell
-      image: docker.io/bitnami/os-shell:11-debian-11-r91
+      image: docker.io/bitnami/os-shell:12-debian-12-r16
    - name: redis-exporter
      image: docker.io/bitnami/redis-exporter:1.55.0-debian-11-r2
    - name: redis-sentinel
      image: docker.io/bitnami/redis-sentinel:7.2.3-debian-11-r1
    - name: redis
-      image: docker.io/bitnami/redis:7.2.3-debian-11-r1
+      image: docker.io/bitnami/redis:7.2.4-debian-12-r9
    - name: redis-exporter
      image: docker.io/bitnami/redis-exporter:1.58.0-debian-12-r4
    - name: redis-sentinel
      image: docker.io/bitnami/redis-sentinel:7.2.4-debian-12-r7
  licenses: Apache-2.0
 apiVersion: v2
-appVersion: 7.2.3
+appVersion: 7.2.4
 dependencies:
 - name: common
  repository: oci://registry-1.docker.io/bitnamicharts
@@ -33,4 +35,4 @@ maintainers:
 name: redis
 sources:
 - https://github.com/bitnami/charts/tree/main/bitnami/redis
-version: 18.4.0
+version: 18.19.2
--- a/packages/system/dashboard/charts/kubeapps/charts/redis/README.md
+++ b/packages/system/dashboard/charts/kubeapps/charts/redis/README.md
--- a/packages/system/dashboard/charts/kubeapps/charts/redis/charts/common/.helmignore
+++ b/packages/system/dashboard/charts/kubeapps/charts/redis/charts/common/.helmignore
@@ -20,3 +20,5 @@
 .idea/
 *.tmproj
 .vscode/
 # img folder
 img/
--- a/packages/system/dashboard/charts/kubeapps/charts/redis/charts/common/Chart.yaml
+++ b/packages/system/dashboard/charts/kubeapps/charts/redis/charts/common/Chart.yaml
@@ -2,7 +2,7 @@ annotations:
  category: Infrastructure
  licenses: Apache-2.0
 apiVersion: v2
-appVersion: 2.13.3
+appVersion: 2.19.0
 description: A Library Helm Chart for grouping common logic between bitnami charts.
  This chart is not deployable by itself.
 home: https://bitnami.com
@@ -20,4 +20,4 @@ name: common
 sources:
 - https://github.com/bitnami/charts
 type: library
-version: 2.13.3
+version: 2.19.0
--- a/packages/system/dashboard/charts/kubeapps/charts/redis/charts/common/README.md
+++ b/packages/system/dashboard/charts/kubeapps/charts/redis/charts/common/README.md
@@ -24,14 +24,14 @@ data:
  myvalue: "Hello World"
 ```
 Looking to use our applications in production? Try [VMware Tanzu Application Catalog](https://bitnami.com/enterprise), the enterprise edition of Bitnami Application Catalog.
 ## Introduction
 This chart provides a common template helpers which can be used to develop new charts using [Helm](https://helm.sh) package manager.
 Bitnami charts can be used with [Kubeapps](https://kubeapps.dev/) for deployment and management of Helm Charts in clusters.
 Looking to use our applications in production? Try [VMware Application Catalog](https://bitnami.com/enterprise), the enterprise edition of Bitnami Application Catalog.
 ## Prerequisites
 - Kubernetes 1.23+
@@ -220,7 +220,7 @@ helm install test mychart --set path.to.value00="",path.to.value01=""
 ## License
-Copyright &copy; 2023 VMware, Inc.
+Copyright &copy; 2024 Broadcom. The term "Broadcom" refers to Broadcom Inc. and/or its subsidiaries.
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
--- a/packages/system/dashboard/charts/kubeapps/charts/redis/charts/common/templates/_compatibility.tpl
+++ b/packages/system/dashboard/charts/kubeapps/charts/redis/charts/common/templates/_compatibility.tpl
@@ -0,0 +1,39 @@
 {{/*
 Copyright VMware, Inc.
 SPDX-License-Identifier: APACHE-2.0
 */}}
 {{/* vim: set filetype=mustache: */}}
 {{/* 
 Return true if the detected platform is Openshift
 Usage:
 {{- include "common.compatibility.isOpenshift" . -}}
 */}}
 {{- define "common.compatibility.isOpenshift" -}}
 {{- if .Capabilities.APIVersions.Has "security.openshift.io/v1" -}}
 {{- true -}}
 {{- end -}}
 {{- end -}}
 {{/*
 Render a compatible securityContext depending on the platform. By default it is maintained as it is. In other platforms like Openshift we remove default user/group values that do not work out of the box with the restricted-v1 SCC
 Usage:
 {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.containerSecurityContext "context" $) -}}
 */}}
 {{- define "common.compatibility.renderSecurityContext" -}}
 {{- $adaptedContext := .secContext -}}
 {{- if .context.Values.global.compatibility -}}
  {{- if .context.Values.global.compatibility.openshift -}}
    {{- if or (eq .context.Values.global.compatibility.openshift.adaptSecurityContext "force") (and (eq .context.Values.global.compatibility.openshift.adaptSecurityContext "auto") (include "common.compatibility.isOpenshift" .context)) -}}
      {{/* Remove incompatible user/group values that do not work in Openshift out of the box */}}
      {{- $adaptedContext = omit $adaptedContext "fsGroup" "runAsUser" "runAsGroup" -}}
      {{- if not .secContext.seLinuxOptions -}}
      {{/* If it is an empty object, we remove it from the resulting context because it causes validation issues */}}
      {{- $adaptedContext = omit $adaptedContext "seLinuxOptions" -}}
      {{- end -}}
    {{- end -}}
  {{- end -}}
 {{- end -}}
 {{- omit $adaptedContext "enabled" | toYaml -}}
 {{- end -}}
--- a/packages/system/dashboard/charts/kubeapps/charts/redis/charts/common/templates/_resources.tpl
+++ b/packages/system/dashboard/charts/kubeapps/charts/redis/charts/common/templates/_resources.tpl
@@ -0,0 +1,50 @@
 {{/*
 Copyright VMware, Inc.
 SPDX-License-Identifier: APACHE-2.0
 */}}
 {{/* vim: set filetype=mustache: */}}
 {{/*
 Return a resource request/limit object based on a given preset.
 These presets are for basic testing and not meant to be used in production
 {{ include "common.resources.preset" (dict "type" "nano") -}}
 */}}
 {{- define "common.resources.preset" -}}
 {{/* The limits are the requests increased by 50% (except ephemeral-storage)*/}}
 {{- $presets := dict 
  "nano" (dict 
      "requests" (dict "cpu" "100m" "memory" "128Mi" "ephemeral-storage" "50Mi")
      "limits" (dict "cpu" "150m" "memory" "192Mi" "ephemeral-storage" "1024Mi")
   )
  "micro" (dict 
      "requests" (dict "cpu" "250m" "memory" "256Mi" "ephemeral-storage" "50Mi")
      "limits" (dict "cpu" "375m" "memory" "384Mi" "ephemeral-storage" "1024Mi")
   )
  "small" (dict 
      "requests" (dict "cpu" "500m" "memory" "512Mi" "ephemeral-storage" "50Mi")
      "limits" (dict "cpu" "750m" "memory" "768Mi" "ephemeral-storage" "1024Mi")
   )
  "medium" (dict 
      "requests" (dict "cpu" "500m" "memory" "1024Mi" "ephemeral-storage" "50Mi")
      "limits" (dict "cpu" "750m" "memory" "1536Mi" "ephemeral-storage" "1024Mi")
   )
  "large" (dict 
      "requests" (dict "cpu" "1.0" "memory" "2048Mi" "ephemeral-storage" "50Mi")
      "limits" (dict "cpu" "1.5" "memory" "3072Mi" "ephemeral-storage" "1024Mi")
   )
  "xlarge" (dict 
      "requests" (dict "cpu" "2.0" "memory" "4096Mi" "ephemeral-storage" "50Mi")
      "limits" (dict "cpu" "3.0" "memory" "6144Mi" "ephemeral-storage" "1024Mi")
   )
  "2xlarge" (dict 
      "requests" (dict "cpu" "4.0" "memory" "8192Mi" "ephemeral-storage" "50Mi")
      "limits" (dict "cpu" "6.0" "memory" "12288Mi" "ephemeral-storage" "1024Mi")
   )
 }}
 {{- if hasKey $presets .type -}}
 {{- index $presets .type | toYaml -}}
 {{- else -}}
 {{- printf "ERROR: Preset key '%s' invalid. Allowed values are %s" .type (join "," (keys $presets)) | fail -}}
 {{- end -}}
 {{- end -}}
--- a/packages/system/dashboard/charts/kubeapps/charts/redis/charts/common/templates/_secrets.tpl
+++ b/packages/system/dashboard/charts/kubeapps/charts/redis/charts/common/templates/_secrets.tpl
@@ -78,6 +78,8 @@ Params:
  - chartName - String - Optional - Name of the chart used when said chart is deployed as a subchart.
  - context - Context - Required - Parent context.
  - failOnNew - Boolean - Optional - Default to true. If set to false, skip errors adding new keys to existing secrets.
  - skipB64enc - Boolean - Optional - Default to false. If set to true, no the secret will not be base64 encrypted.
  - skipQuote - Boolean - Optional - Default to false. If set to true, no quotes will be added around the secret.
 The order in which this function returns a secret password:
  1. Already existing 'Secret' resource
     (If a 'Secret' resource is found under the name provided to the 'secret' parameter to this function and that 'Secret' resource contains a key with the name passed as the 'key' parameter to this function then the value of this existing secret password will be returned)
@@ -91,7 +93,6 @@ The order in which this function returns a secret password:
 {{- $password := "" }}
 {{- $subchart := "" }}
 {{- $failOnNew := default true .failOnNew }}
 {{- $chartName := default "" .chartName }}
 {{- $passwordLength := default 10 .length }}
 {{- $providedPasswordKey := include "common.utils.getKeyFromList" (dict "keys" .providedValues "context" $.context) }}
@@ -99,12 +100,14 @@ The order in which this function returns a secret password:
 {{- $secretData := (lookup "v1" "Secret" (include "common.names.namespace" .context) .secret).data }}
 {{- if $secretData }}
  {{- if hasKey $secretData .key }}
-    {{- $password = index $secretData .key | quote }}
+    {{- $password = index $secretData .key | b64dec }}
-  {{- else if $failOnNew }}
+  {{- else if not (eq .failOnNew false) }}
    {{- printf "\nPASSWORDS ERROR: The secret \"%s\" does not contain the key \"%s\"\n" .secret .key | fail -}}
  {{- else if $providedPasswordValue }}
    {{- $password = $providedPasswordValue | toString }}
  {{- end -}}
 {{- else if $providedPasswordValue }}
-  {{- $password = $providedPasswordValue | toString | b64enc | quote }}
+  {{- $password = $providedPasswordValue | toString }}
 {{- else }}
  {{- if .context.Values.enabled }}
@@ -120,12 +123,19 @@ The order in which this function returns a secret password:
    {{- $subStr := list (lower (randAlpha 1)) (randNumeric 1) (upper (randAlpha 1)) | join "_" }}
    {{- $password = randAscii $passwordLength }}
    {{- $password = regexReplaceAllLiteral "\\W" $password "@" | substr 5 $passwordLength }}
-    {{- $password = printf "%s%s" $subStr $password | toString | shuffle | b64enc | quote }}
+    {{- $password = printf "%s%s" $subStr $password | toString | shuffle }}
  {{- else }}
-    {{- $password = randAlphaNum $passwordLength | b64enc | quote }}
+    {{- $password = randAlphaNum $passwordLength }}
  {{- end }}
 {{- end -}}
 {{- if not .skipB64enc }}
 {{- $password = $password | b64enc }}
 {{- end -}}
 {{- if .skipQuote -}}
 {{- printf "%s" $password -}}
 {{- else -}}
 {{- printf "%s" $password | quote -}}
 {{- end -}}
 {{- end -}}
 {{/*
--- a/packages/system/dashboard/charts/kubeapps/charts/redis/charts/common/templates/_warnings.tpl
+++ b/packages/system/dashboard/charts/kubeapps/charts/redis/charts/common/templates/_warnings.tpl
@@ -13,7 +13,70 @@ Usage:
 {{- if and (contains "bitnami/" .repository) (not (.tag | toString | regexFind "-r\\d+$|sha256:")) }}
 WARNING: Rolling tag detected ({{ .repository }}:{{ .tag }}), please note that it is strongly recommended to avoid using rolling tags in a production environment.
-+info https://docs.bitnami.com/containers/how-to/understand-rolling-tags-containers/
+info https://docs.bitnami.com/tutorials/understand-rolling-tags-containers
 {{- end }}
-
+{{- end -}}
 {{/*
 Warning about not setting the resource object in all deployments.
 Usage:
 {{ include "common.warnings.resources" (dict "sections" (list "path1" "path2") context $) }}
 Example:
 {{- include "common.warnings.resources" (dict "sections" (list "csiProvider.provider" "server" "volumePermissions" "") "context" $) }}
 The list in the example assumes that the following values exist:
  - csiProvider.provider.resources
  - server.resources
  - volumePermissions.resources
  - resources
 */}}
 {{- define "common.warnings.resources" -}}
 {{- $values := .context.Values -}}
 {{- $printMessage := false -}}
 {{ $affectedSections := list -}}
 {{- range .sections -}}
  {{- if eq . "" -}}
    {{/* Case where the resources section is at the root (one main deployment in the chart) */}}
    {{- if not (index $values "resources") -}}
    {{- $affectedSections = append $affectedSections "resources" -}}
    {{- $printMessage = true -}}
    {{- end -}}
  {{- else -}}
    {{/* Case where the are multiple resources sections (more than one main deployment in the chart) */}}
    {{- $keys := split "." . -}}
    {{/* We iterate through the different levels until arriving to the resource section. Example: a.b.c.resources */}}
    {{- $section := $values -}}
    {{- range $keys -}}
      {{- $section = index $section . -}}
    {{- end -}}
    {{- if not (index $section "resources") -}}
      {{/* If the section has enabled=false or replicaCount=0, do not include it */}}
      {{- if and (hasKey $section "enabled") -}}
        {{- if index $section "enabled" -}}
          {{/* enabled=true */}}
          {{- $affectedSections = append $affectedSections (printf "%s.resources" .) -}}
          {{- $printMessage = true -}}
        {{- end -}}
      {{- else if and (hasKey $section "replicaCount")  -}}
        {{/* We need a casting to int because number 0 is not treated as an int by default */}}
        {{- if (gt (index $section "replicaCount" | int) 0) -}}
          {{/* replicaCount > 0 */}}
          {{- $affectedSections = append $affectedSections (printf "%s.resources" .) -}}
          {{- $printMessage = true -}}
        {{- end -}}
      {{- else -}}
        {{/* Default case, add it to the affected sections */}}
        {{- $affectedSections = append $affectedSections (printf "%s.resources" .) -}}
        {{- $printMessage = true -}}
      {{- end -}}
    {{- end -}}
  {{- end -}}
 {{- end -}}
 {{- if $printMessage }}
 WARNING: There are "resources" sections in the chart not set. Using "resourcesPreset" is not recommended for production. For production installations, please set the following values according to your workload needs:
 {{- range $affectedSections }}
  - {{ . }}
 {{- end }}
 +info https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
 {{- end -}}
 {{- end -}}
--- a/packages/system/dashboard/charts/kubeapps/charts/redis/img/redis-cluster-topology.png
+++ b/packages/system/dashboard/charts/kubeapps/charts/redis/img/redis-cluster-topology.png
--- a/packages/system/dashboard/charts/kubeapps/charts/redis/img/redis-topology.png
+++ b/packages/system/dashboard/charts/kubeapps/charts/redis/img/redis-topology.png
--- a/packages/system/dashboard/charts/kubeapps/charts/redis/templates/NOTES.txt
+++ b/packages/system/dashboard/charts/kubeapps/charts/redis/templates/NOTES.txt
@@ -12,11 +12,11 @@ The chart has been deployed in diagnostic mode. All probes have been disabled an
 Get the list of pods by executing:
-  kubectl get pods --namespace {{ .Release.Namespace }} -l app.kubernetes.io/instance={{ .Release.Name }}
+  kubectl get pods --namespace {{ include "common.names.namespace" . }} -l app.kubernetes.io/instance={{ .Release.Name }}
 Access the pod you want to debug by executing
-  kubectl exec --namespace {{ .Release.Namespace }} -ti <NAME OF THE POD> -- bash
+  kubectl exec --namespace {{ include "common.names.namespace" . }} -ti <NAME OF THE POD> -- bash
 In order to replicate the container startup scripts execute this command:
@@ -53,12 +53,28 @@ For Redis Sentinel:
 {{- end }}
 {{- end }}
 {{- if and .Values.auth.usePasswordFiles (not .Values.auth.usePasswordFileFromSecret) (or (empty .Values.master.initContainers) (empty .Values.replica.initContainers)) }}
 -------------------------------------------------------------------------------
 WARNING
    By specifying ".Values.auth.usePasswordFiles=true" and ".Values.auth.usePasswordFileFromSecret=false"
    Redis is expecting that the password is mounted as a file in each pod
    (by default in /opt/bitnami/redis/secrets/redis-password)
    Ensure that you specify the respective initContainers in
    both .Values.master.initContainers and .Values.replica.initContainers
    in order to populate the contents of this file.
 -------------------------------------------------------------------------------
 {{- end }}
 {{- if eq .Values.architecture "replication" }}
 {{- if .Values.sentinel.enabled }}
 Redis&reg; can be accessed via port {{ .Values.sentinel.service.ports.redis }} on the following DNS name from within your cluster:
-    {{ template "common.names.fullname" . }}.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }} for read only operations
+    {{ template "common.names.fullname" . }}.{{ include "common.names.namespace" . }}.svc.{{ .Values.clusterDomain }} for read only operations
 For read/write operations, first access the Redis&reg; Sentinel cluster, which is available in port {{ .Values.sentinel.service.ports.sentinel }} using the same domain name above.
@@ -66,15 +82,15 @@ For read/write operations, first access the Redis&reg; Sentinel cluster, which i
 Redis&reg; can be accessed on the following DNS names from within your cluster:
-    {{ printf "%s-master.%s.svc.%s" (include "common.names.fullname" .) .Release.Namespace .Values.clusterDomain }} for read/write operations (port {{ .Values.master.service.ports.redis }})
+    {{ printf "%s-master.%s.svc.%s" (include "common.names.fullname" .) (include "common.names.namespace" . ) .Values.clusterDomain }} for read/write operations (port {{ .Values.master.service.ports.redis }})
-    {{ printf "%s-replicas.%s.svc.%s" (include "common.names.fullname" .) .Release.Namespace .Values.clusterDomain }} for read-only operations (port {{ .Values.replica.service.ports.redis }})
+    {{ printf "%s-replicas.%s.svc.%s" (include "common.names.fullname" .) (include "common.names.namespace" . ) .Values.clusterDomain }} for read-only operations (port {{ .Values.replica.service.ports.redis }})
 {{- end }}
 {{- else }}
 Redis&reg; can be accessed via port {{ .Values.master.service.ports.redis }} on the following DNS name from within your cluster:
-    {{ template "common.names.fullname" . }}-master.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }}
+    {{ template "common.names.fullname" . }}-master.{{ include "common.names.namespace" . }}.svc.{{ .Values.clusterDomain }}
 {{- end }}
@@ -82,7 +98,7 @@ Redis&reg; can be accessed via port {{ .Values.master.service.ports.redis }} on
 To get your password run:
-    export REDIS_PASSWORD=$(kubectl get secret --namespace {{ .Release.Namespace }} {{ template "redis.secretName" . }} -o jsonpath="{.data.redis-password}" | base64 -d)
+    export REDIS_PASSWORD=$(kubectl get secret --namespace {{ include "common.names.namespace" . }} {{ template "redis.secretName" . }} -o jsonpath="{.data.redis-password}" | base64 -d)
 {{- end }}
@@ -90,15 +106,15 @@ To connect to your Redis&reg; server:
 1. Run a Redis&reg; pod that you can use as a client:
-   kubectl run --namespace {{ .Release.Namespace }} redis-client --restart='Never' {{ if .Values.auth.enabled }} --env REDIS_PASSWORD=$REDIS_PASSWORD {{ end }} --image {{ template "redis.image" . }} --command -- sleep infinity
+   kubectl run --namespace {{ include "common.names.namespace" . }} redis-client --restart='Never' {{ if .Values.auth.enabled }} --env REDIS_PASSWORD=$REDIS_PASSWORD {{ end }} --image {{ template "redis.image" . }} --command -- sleep infinity
 {{- if .Values.tls.enabled }}
   Copy your TLS certificates to the pod:
-   kubectl cp --namespace {{ .Release.Namespace }} /path/to/client.cert redis-client:/tmp/client.cert
+   kubectl cp --namespace {{ include "common.names.namespace" . }} /path/to/client.cert redis-client:/tmp/client.cert
-   kubectl cp --namespace {{ .Release.Namespace }} /path/to/client.key redis-client:/tmp/client.key
+   kubectl cp --namespace {{ include "common.names.namespace" . }} /path/to/client.key redis-client:/tmp/client.key
-   kubectl cp --namespace {{ .Release.Namespace }} /path/to/CA.cert redis-client:/tmp/CA.cert
+   kubectl cp --namespace {{ include "common.names.namespace" . }} /path/to/CA.cert redis-client:/tmp/CA.cert
 {{- end }}
@@ -106,7 +122,7 @@ To connect to your Redis&reg; server:
   kubectl exec --tty -i redis-client \
   {{- if and (.Values.networkPolicy.enabled) (not .Values.networkPolicy.allowExternal) }}--labels="{{ template "common.names.fullname" . }}-client=true" \{{- end }}
-   --namespace {{ .Release.Namespace }} -- bash
+   --namespace {{ include "common.names.namespace" . }} -- bash
 2. Connect using the Redis&reg; CLI:
@@ -133,42 +149,42 @@ To connect to your database from outside the cluster execute the following comma
 {{- if and (eq .Values.architecture "replication") .Values.sentinel.enabled }}
 {{- if contains "NodePort" .Values.sentinel.service.type }}
-    export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
+    export NODE_IP=$(kubectl get nodes --namespace {{ include "common.names.namespace" . }} -o jsonpath="{.items[0].status.addresses[0].address}")
-    export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ template "common.names.fullname" . }})
+    export NODE_PORT=$(kubectl get --namespace {{ include "common.names.namespace" . }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ template "common.names.fullname" . }})
    {{ if .Values.auth.enabled }}REDISCLI_AUTH="$REDIS_PASSWORD" {{ end }}redis-cli -h $NODE_IP -p $NODE_PORT {{- if .Values.tls.enabled }} --tls --cert /tmp/client.cert --key /tmp/client.key --cacert /tmp/CA.cert{{ end }}
 {{- else if contains "LoadBalancer" .Values.sentinel.service.type }}
  NOTE: It may take a few minutes for the LoadBalancer IP to be available.
-        Watch the status with: 'kubectl get svc --namespace {{ .Release.Namespace }} -w {{ template "common.names.fullname" . }}'
+        Watch the status with: 'kubectl get svc --namespace {{ include "common.names.namespace" . }} -w {{ template "common.names.fullname" . }}'
-    export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ template "common.names.fullname" . }} --template "{{ "{{ range (index .status.loadBalancer.ingress 0) }}{{ . }}{{ end }}" }}")
+    export SERVICE_IP=$(kubectl get svc --namespace {{ include "common.names.namespace" . }} {{ template "common.names.fullname" . }} --template "{{ "{{ range (index .status.loadBalancer.ingress 0) }}{{ . }}{{ end }}" }}")
    {{ if .Values.auth.enabled }}REDISCLI_AUTH="$REDIS_PASSWORD" {{ end }}redis-cli -h $SERVICE_IP -p {{ .Values.sentinel.service.ports.redis }} {{- if .Values.tls.enabled }} --tls --cert /tmp/client.cert --key /tmp/client.key --cacert /tmp/CA.cert{{ end }}
 {{- else if contains "ClusterIP" .Values.sentinel.service.type }}
-    kubectl port-forward --namespace {{ .Release.Namespace }} svc/{{ template "common.names.fullname" . }} {{ .Values.sentinel.service.ports.redis }}:{{ .Values.sentinel.service.ports.redis }} &
+    kubectl port-forward --namespace {{ include "common.names.namespace" . }} svc/{{ template "common.names.fullname" . }} {{ .Values.sentinel.service.ports.redis }}:{{ .Values.sentinel.service.ports.redis }} &
    {{ if .Values.auth.enabled }}REDISCLI_AUTH="$REDIS_PASSWORD" {{ end }}redis-cli -h 127.0.0.1 -p {{ .Values.sentinel.service.ports.redis }} {{- if .Values.tls.enabled }} --tls --cert /tmp/client.cert --key /tmp/client.key --cacert /tmp/CA.cert{{ end }}
 {{- end }}
 {{- else }}
 {{- if contains "NodePort" .Values.master.service.type }}
-    export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
+    export NODE_IP=$(kubectl get nodes --namespace {{ include "common.names.namespace" . }} -o jsonpath="{.items[0].status.addresses[0].address}")
-    export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ printf "%s-master" (include "common.names.fullname" .) }})
+    export NODE_PORT=$(kubectl get --namespace {{ include "common.names.namespace" . }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ printf "%s-master" (include "common.names.fullname" .) }})
    {{ if .Values.auth.enabled }}REDISCLI_AUTH="$REDIS_PASSWORD" {{ end }}redis-cli -h $NODE_IP -p $NODE_PORT {{- if .Values.tls.enabled }} --tls --cert /tmp/client.cert --key /tmp/client.key --cacert /tmp/CA.cert{{ end }}
 {{- else if contains "LoadBalancer" .Values.master.service.type }}
  NOTE: It may take a few minutes for the LoadBalancer IP to be available.
-        Watch the status with: 'kubectl get svc --namespace {{ .Release.Namespace }} -w {{ template "common.names.fullname" . }}'
+        Watch the status with: 'kubectl get svc --namespace {{ include "common.names.namespace" . }} -w {{ template "common.names.fullname" . }}'
-    export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ printf "%s-master" (include "common.names.fullname" .) }} --template "{{ "{{ range (index .status.loadBalancer.ingress 0) }}{{ . }}{{ end }}" }}")
+    export SERVICE_IP=$(kubectl get svc --namespace {{ include "common.names.namespace" . }} {{ printf "%s-master" (include "common.names.fullname" .) }} --template "{{ "{{ range (index .status.loadBalancer.ingress 0) }}{{ . }}{{ end }}" }}")
    {{ if .Values.auth.enabled }}REDISCLI_AUTH="$REDIS_PASSWORD" {{ end }}redis-cli -h $SERVICE_IP -p {{ .Values.master.service.ports.redis }} {{- if .Values.tls.enabled }} --tls --cert /tmp/client.cert --key /tmp/client.key --cacert /tmp/CA.cert{{ end }}
 {{- else if contains "ClusterIP" .Values.master.service.type }}
-    kubectl port-forward --namespace {{ .Release.Namespace }} svc/{{ printf "%s-master" (include "common.names.fullname" .) }} {{ .Values.master.service.ports.redis }}:{{ .Values.master.service.ports.redis }} &
+    kubectl port-forward --namespace {{ include "common.names.namespace" . }} svc/{{ printf "%s-master" (include "common.names.fullname" .) }} {{ .Values.master.service.ports.redis }}:{{ .Values.master.service.ports.redis }} &
    {{ if .Values.auth.enabled }}REDISCLI_AUTH="$REDIS_PASSWORD" {{ end }}redis-cli -h 127.0.0.1 -p {{ .Values.master.service.ports.redis }} {{- if .Values.tls.enabled }} --tls --cert /tmp/client.cert --key /tmp/client.key --cacert /tmp/CA.cert{{ end }}
 {{- end }}
@@ -189,3 +205,4 @@ No need to upgrade, ports and nodeports have been set from values
 YOU NEED TO PERFORM AN UPGRADE FOR THE SERVICES AND WORKLOAD TO BE CREATED
 {{- end }}
 {{- end }}
 {{- include "common.warnings.resources" (dict "sections" (list "master" "metrics" "replica" "sentinel" "sysctl" "volumePermissions") "context" $) }}
--- a/packages/system/dashboard/charts/kubeapps/charts/redis/templates/_helpers.tpl
+++ b/packages/system/dashboard/charts/kubeapps/charts/redis/templates/_helpers.tpl
@@ -33,6 +33,13 @@ Return the proper image name (for the init container volume-permissions image)
 {{ include "common.images.image" (dict "imageRoot" .Values.volumePermissions.image "global" .Values.global) }}
 {{- end -}}
 {{/*
 Return kubectl image
 */}}
 {{- define "redis.kubectl.image" -}}
 {{ include "common.images.image" (dict "imageRoot" .Values.kubectl.image "global" .Values.global) }}
 {{- end -}}
 {{/*
 Return sysctl image
 */}}
@@ -240,7 +247,7 @@ Return Redis&reg; password
    {{- else if not (empty .Values.auth.password) -}}
        {{- .Values.auth.password -}}
    {{- else -}}
-        {{- include "getValueFromSecret" (dict "Namespace" .Release.Namespace "Name" (include "redis.secretName" .) "Length" 10 "Key" (include "redis.secretPasswordKey" .))  -}}
+        {{- include "getValueFromSecret" (dict "Namespace" (include "common.names.namespace" .) "Name" (include "redis.secretName" .) "Length" 10 "Key" (include "redis.secretPasswordKey" .))  -}}
    {{- end -}}
 {{- end -}}
 {{- end }}
@@ -261,6 +268,7 @@ Compile all warnings into a single message, and call fail.
 {{- $messages := append $messages (include "redis.validateValues.architecture" .) -}}
 {{- $messages := append $messages (include "redis.validateValues.podSecurityPolicy.create" .) -}}
 {{- $messages := append $messages (include "redis.validateValues.tls" .) -}}
 {{- $messages := append $messages (include "redis.validateValues.createMaster" .) -}}
 {{- $messages := without $messages "" -}}
 {{- $message := join "\n" $messages -}}
@@ -312,6 +320,16 @@ redis: tls.enabled
 {{- end -}}
 {{- end -}}
 {{/* Validate values of Redis&reg; - master service enabled */}}
 {{- define "redis.validateValues.createMaster" -}}
 {{- if and .Values.sentinel.service.createMaster (or (not .Values.rbac.create) (not .Values.replica.automountServiceAccountToken) (not .Values.serviceAccount.create)) }}
 redis: sentinel.service.createMaster
    In order to redirect requests only to the master pod via the service, you also need to
    create rbac and serviceAccount. In addition, you need to enable
    replica.automountServiceAccountToken.
 {{- end -}}
 {{- end -}}
 {{/* Define the suffix utilized for external-dns */}}
 {{- define "redis.externalDNS.suffix" -}}
 {{ printf "%s.%s" (include "common.names.fullname" .) .Values.useExternalDNS.suffix }}
--- a/packages/system/dashboard/charts/kubeapps/charts/redis/templates/configmap.yaml
+++ b/packages/system/dashboard/charts/kubeapps/charts/redis/templates/configmap.yaml
@@ -8,7 +8,7 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
  name: {{ printf "%s-configuration" (include "common.names.fullname" .) }}
-  namespace: {{ .Release.Namespace | quote }}
+  namespace: {{ include "common.names.namespace" . | quote }}
  labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
  {{- if .Values.commonAnnotations }}
  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
@@ -48,10 +48,13 @@ data:
  sentinel.conf: |-
    dir "/tmp"
    port {{ .Values.sentinel.containerPorts.sentinel }}
-    sentinel monitor {{ .Values.sentinel.masterSet }} {{ template "common.names.fullname" . }}-node-0.{{ template "common.names.fullname" . }}-headless.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }} {{ .Values.sentinel.service.ports.redis }} {{ .Values.sentinel.quorum }}
+    sentinel monitor {{ .Values.sentinel.masterSet }} {{ template "common.names.fullname" . }}-node-0.{{ template "common.names.fullname" . }}-headless.{{ include "common.names.namespace" . }}.svc.{{ .Values.clusterDomain }} {{ .Values.sentinel.service.ports.redis }} {{ .Values.sentinel.quorum }}
    sentinel down-after-milliseconds {{ .Values.sentinel.masterSet }} {{ .Values.sentinel.downAfterMilliseconds }}
    sentinel failover-timeout {{ .Values.sentinel.masterSet }} {{ .Values.sentinel.failoverTimeout }}
    sentinel parallel-syncs {{ .Values.sentinel.masterSet }} {{ .Values.sentinel.parallelSyncs }}
    {{- if .Values.sentinel.service.createMaster}}
      sentinel client-reconfig-script {{ .Values.sentinel.masterSet }} /opt/bitnami/scripts/start-scripts/push-master-label.sh
    {{- end }}
    # User-supplied sentinel configuration:
    {{- if .Values.sentinel.configuration }}
    {{- include "common.tplvalues.render" ( dict "value" .Values.sentinel.configuration "context" $ ) | nindent 4 }}
--- a/packages/system/dashboard/charts/kubeapps/charts/redis/templates/headless-svc.yaml
+++ b/packages/system/dashboard/charts/kubeapps/charts/redis/templates/headless-svc.yaml
@@ -7,14 +7,16 @@ apiVersion: v1
 kind: Service
 metadata:
  name: {{ printf "%s-headless" (include "common.names.fullname" .) }}
-  namespace: {{ .Release.Namespace | quote }}
+  namespace: {{ include "common.names.namespace" . | quote }}
  labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
  {{- if or .Values.sentinel.service.headless.annotations .Values.commonAnnotations (include "redis.externalDNS.annotations" .) }}
  annotations:
    {{- if or .Values.sentinel.service.headless.annotations .Values.commonAnnotations }}
    {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.sentinel.service.headless.annotations .Values.commonAnnotations ) "context" . ) }}
    {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }}
    {{- end }}
    {{- include "redis.externalDNS.annotations" . | nindent 4 }}
  {{- end }}
 spec:
  type: ClusterIP
  clusterIP: None
--- a/packages/system/dashboard/charts/kubeapps/charts/redis/templates/health-configmap.yaml
+++ b/packages/system/dashboard/charts/kubeapps/charts/redis/templates/health-configmap.yaml
@@ -7,7 +7,7 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
  name: {{ printf "%s-health" (include "common.names.fullname" .) }}
-  namespace: {{ .Release.Namespace | quote }}
+  namespace: {{ include "common.names.namespace" . | quote }}
  labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
  {{- if .Values.commonAnnotations }}
  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
--- a/packages/system/dashboard/charts/kubeapps/charts/redis/templates/master/application.yaml
+++ b/packages/system/dashboard/charts/kubeapps/charts/redis/templates/master/application.yaml
@@ -9,7 +9,7 @@ apiVersion: {{ include "common.capabilities.statefulset.apiVersion" . }}
 kind: {{ .Values.master.kind }}
 metadata:
  name: {{ printf "%s-master" (include "common.names.fullname" .) }}
-  namespace: {{ .Release.Namespace | quote }}
+  namespace: {{ include "common.names.namespace" . | quote }}
  labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
    app.kubernetes.io/component: master
  {{- if .Values.commonAnnotations }}
@@ -62,10 +62,10 @@ spec:
      hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.master.hostAliases "context" $) | nindent 8 }}
      {{- end }}
      {{- if .Values.master.podSecurityContext.enabled }}
-      securityContext: {{- omit .Values.master.podSecurityContext "enabled" | toYaml | nindent 8 }}
+      securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.master.podSecurityContext "context" $) | nindent 8 }}
      {{- end }}
      serviceAccountName: {{ template "redis.masterServiceAccountName" . }}
-      automountServiceAccountToken: {{ .Values.master.serviceAccount.automountServiceAccountToken }}
+      automountServiceAccountToken: {{ .Values.master.automountServiceAccountToken }}
      {{- if .Values.master.priorityClassName }}
      priorityClassName: {{ .Values.master.priorityClassName | quote }}
      {{- end }}
@@ -108,7 +108,7 @@ spec:
          lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.master.lifecycleHooks "context" $) | nindent 12 }}
          {{- end }}
          {{- if .Values.master.containerSecurityContext.enabled }}
-          securityContext: {{- omit .Values.master.containerSecurityContext "enabled" | toYaml | nindent 12 }}
+          securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.master.containerSecurityContext "context" $) | nindent 12 }}
          {{- end }}
          {{- if .Values.diagnosticMode.enabled }}
          command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }}
@@ -226,6 +226,8 @@ spec:
          {{- end }}
          {{- if .Values.master.resources }}
          resources: {{- toYaml .Values.master.resources | nindent 12 }}
          {{- else if ne .Values.master.resourcesPreset "none" }}
          resources: {{- include "common.resources.preset" (dict "type" .Values.master.resourcesPreset) | nindent 12 }}
          {{- end }}
          volumeMounts:
            - name: start-scripts
@@ -245,10 +247,12 @@ spec:
              {{- end }}
            - name: config
              mountPath: /opt/bitnami/redis/mounted-etc
-            - name: redis-tmp-conf
+            - name: empty-dir
              mountPath: /opt/bitnami/redis/etc/
-            - name: tmp
+              subPath: app-conf-dir
            - name: empty-dir
              mountPath: /tmp
              subPath: tmp-dir
            {{- if .Values.tls.enabled }}
            - name: redis-certificates
              mountPath: /opt/bitnami/redis/certs
@@ -262,7 +266,7 @@ spec:
          image: {{ include "redis.metrics.image" . }}
          imagePullPolicy: {{ .Values.metrics.image.pullPolicy | quote }}
          {{- if .Values.metrics.containerSecurityContext.enabled }}
-          securityContext: {{- omit .Values.metrics.containerSecurityContext "enabled" | toYaml | nindent 12 }}
+          securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.metrics.containerSecurityContext "context" $) | nindent 12 }}
          {{- end }}
          {{- if .Values.diagnosticMode.enabled }}
          command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }}
@@ -284,6 +288,8 @@ spec:
          env:
            - name: REDIS_ALIAS
              value: {{ template "common.names.fullname" . }}
            - name: REDIS_EXPORTER_WEB_LISTEN_ADDRESS
              value: {{ printf ":%v" .Values.metrics.containerPorts.http }}
            {{- if .Values.auth.enabled }}
            - name: REDIS_USER
              value: default
@@ -312,7 +318,7 @@ spec:
            {{- end }}
          ports:
            - name: metrics
-              containerPort: 9121
+              containerPort: {{ .Values.metrics.containerPorts.http }}
          {{- if not .Values.diagnosticMode.enabled }}
          {{- if .Values.metrics.customStartupProbe }}
          startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.customStartupProbe "context" $) | nindent 12 }}
@@ -339,8 +345,13 @@ spec:
          {{- end }}
          {{- if .Values.metrics.resources }}
          resources: {{- toYaml .Values.metrics.resources | nindent 12 }}
          {{- else if ne .Values.metrics.resourcesPreset "none" }}
          resources: {{- include "common.resources.preset" (dict "type" .Values.metrics.resourcesPreset) | nindent 12 }}
          {{- end }}
          volumeMounts:
            - name: empty-dir
              mountPath: /tmp
              subPath: app-tmp-dir
            {{- if .Values.auth.usePasswordFiles }}
            - name: redis-password
              mountPath: /secrets/
@@ -383,8 +394,13 @@ spec:
          {{- end }}
          {{- if .Values.volumePermissions.resources }}
          resources: {{- toYaml .Values.volumePermissions.resources | nindent 12 }}
          {{- else if ne .Values.volumePermissions.resourcesPreset "none" }}
          resources: {{- include "common.resources.preset" (dict "type" .Values.volumePermissions.resourcesPreset) | nindent 12 }}
          {{- end }}
          volumeMounts:
            - name: empty-dir
              mountPath: /tmp
              subPath: tmp-dir
            - name: redis-data
              mountPath: {{ .Values.master.persistence.path }}
              {{- if .Values.master.persistence.subPath }}
@@ -405,9 +421,14 @@ spec:
          {{- end }}
          {{- if .Values.sysctl.resources }}
          resources: {{- toYaml .Values.sysctl.resources | nindent 12 }}
          {{- else if ne .Values.sysctl.resourcesPreset "none" }}
          resources: {{- include "common.resources.preset" (dict "type" .Values.sysctl.resourcesPreset) | nindent 12 }}
          {{- end }}
          {{- if .Values.sysctl.mountHostSys }}
          volumeMounts:
            - name: empty-dir
              mountPath: /tmp
              subPath: tmp-dir
            - name: host-sys
              mountPath: /host-sys
          {{- end }}
@@ -424,11 +445,15 @@ spec:
            defaultMode: 0755
        {{- if .Values.auth.usePasswordFiles }}
        - name: redis-password
          {{ if .Values.auth.usePasswordFileFromSecret }}
          secret:
            secretName: {{ template "redis.secretName" . }}
            items:
            - key: {{ template "redis.secretPasswordKey" . }}
              path: redis-password
          {{- else }}
          emptyDir: {}
          {{- end }}
        {{- end }}
        - name: config
          configMap:
@@ -438,19 +463,7 @@ spec:
          hostPath:
            path: /sys
        {{- end }}
-        - name: redis-tmp-conf
+        - name: empty-dir
          {{- if or .Values.master.persistence.medium .Values.master.persistence.sizeLimit }}
          emptyDir:
            {{- if .Values.master.persistence.medium }}
            medium: {{ .Values.master.persistence.medium | quote }}
            {{- end }}
            {{- if .Values.master.persistence.sizeLimit }}
            sizeLimit: {{ .Values.master.persistence.sizeLimit | quote }}
            {{- end }}
          {{- else }}
          emptyDir: {}
          {{- end }}
        - name: tmp
          {{- if or .Values.master.persistence.medium .Values.master.persistence.sizeLimit }}
          emptyDir:
            {{- if .Values.master.persistence.medium }}
--- a/packages/system/dashboard/charts/kubeapps/charts/redis/templates/master/psp.yaml
+++ b/packages/system/dashboard/charts/kubeapps/charts/redis/templates/master/psp.yaml
@@ -8,7 +8,7 @@ apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
 metadata:
  name: {{ printf "%s-master" (include "common.names.fullname" .) }}
-  namespace: {{ .Release.Namespace | quote }}
+  namespace: {{ include "common.names.namespace" . | quote }}
  labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
  {{- if .Values.commonAnnotations }}
  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
--- a/packages/system/dashboard/charts/kubeapps/charts/redis/templates/master/pvc.yaml
+++ b/packages/system/dashboard/charts/kubeapps/charts/redis/templates/master/pvc.yaml
@@ -8,7 +8,7 @@ kind: PersistentVolumeClaim
 apiVersion: v1
 metadata:
  name: {{ printf "redis-data-%s-master" (include "common.names.fullname" .) }}
-  namespace: {{ .Release.Namespace | quote }}
+  namespace: {{ include "common.names.namespace" . | quote }}
  {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.master.persistence.labels .Values.commonLabels ) "context" . ) }}
  labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }}
    app.kubernetes.io/component: master
--- a/packages/system/dashboard/charts/kubeapps/charts/redis/templates/master/service.yaml
+++ b/packages/system/dashboard/charts/kubeapps/charts/redis/templates/master/service.yaml
@@ -8,7 +8,7 @@ apiVersion: v1
 kind: Service
 metadata:
  name: {{ printf "%s-master" (include "common.names.fullname" .) }}
-  namespace: {{ .Release.Namespace | quote }}
+  namespace: {{ include "common.names.namespace" . | quote }}
  labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
    app.kubernetes.io/component: master
  {{- if or .Values.master.service.annotations .Values.commonAnnotations }}
@@ -26,6 +26,9 @@ spec:
  {{- if and (eq .Values.master.service.type "LoadBalancer") (not (empty .Values.master.service.loadBalancerIP)) }}
  loadBalancerIP: {{ .Values.master.service.loadBalancerIP }}
  {{- end }}
  {{- if and (eq .Values.master.service.type "LoadBalancer")  .Values.master.service.loadBalancerClass }}
  loadBalancerClass: {{ .Values.master.service.loadBalancerClass }}
  {{- end }}
  {{- if and (eq .Values.master.service.type "LoadBalancer") (not (empty .Values.master.service.loadBalancerSourceRanges)) }}
  loadBalancerSourceRanges: {{ toYaml .Values.master.service.loadBalancerSourceRanges | nindent 4 }}
  {{- end }}
--- a/packages/system/dashboard/charts/kubeapps/charts/redis/templates/master/serviceaccount.yaml
+++ b/packages/system/dashboard/charts/kubeapps/charts/redis/templates/master/serviceaccount.yaml
@@ -3,13 +3,13 @@ Copyright VMware, Inc.
 SPDX-License-Identifier: APACHE-2.0
 */}}
-{{- if .Values.master.serviceAccount.create }}
+{{- if and .Values.master.serviceAccount.create (or (not (eq .Values.architecture "replication")) (not .Values.sentinel.enabled)) }}
 apiVersion: v1
 kind: ServiceAccount
 automountServiceAccountToken: {{ .Values.master.serviceAccount.automountServiceAccountToken }}
 metadata:
  name: {{ template "redis.masterServiceAccountName" . }}
-  namespace: {{ .Release.Namespace | quote }}
+  namespace: {{ include "common.names.namespace" . | quote }}
  labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
  {{- if or .Values.master.serviceAccount.annotations .Values.commonAnnotations }}
  {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.master.serviceAccount.annotations .Values.commonAnnotations ) "context" . ) }}
--- a/packages/system/dashboard/charts/kubeapps/charts/redis/templates/metrics-svc.yaml
+++ b/packages/system/dashboard/charts/kubeapps/charts/redis/templates/metrics-svc.yaml
@@ -3,12 +3,12 @@ Copyright VMware, Inc.
 SPDX-License-Identifier: APACHE-2.0
 */}}
-{{- if .Values.metrics.enabled }}
+{{- if and .Values.metrics.enabled .Values.metrics.service.enabled }}
 apiVersion: v1
 kind: Service
 metadata:
  name: {{ printf "%s-metrics" (include "common.names.fullname" .) }}
-  namespace: {{ .Release.Namespace | quote }}
+  namespace: {{ include "common.names.namespace" . | quote }}
  labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
    app.kubernetes.io/component: metrics
  {{- if or .Values.metrics.service.annotations .Values.commonAnnotations }}
@@ -26,12 +26,15 @@ spec:
  {{- if and (eq .Values.metrics.service.type "LoadBalancer") .Values.metrics.service.loadBalancerIP }}
  loadBalancerIP: {{ .Values.metrics.service.loadBalancerIP }}
  {{- end }}
  {{- if and (eq .Values.metrics.service.type "LoadBalancer")  .Values.metrics.service.loadBalancerClass }}
  loadBalancerClass: {{ .Values.metrics.service.loadBalancerClass }}
  {{- end }}
  {{- if and (eq .Values.metrics.service.type "LoadBalancer") .Values.metrics.service.loadBalancerSourceRanges }}
  loadBalancerSourceRanges: {{- toYaml .Values.metrics.service.loadBalancerSourceRanges | nindent 4 }}
  {{- end }}
  ports:
    - name: http-metrics
-      port: {{ .Values.metrics.service.port }}
+      port: {{ coalesce .Values.metrics.service.ports.http .Values.metrics.service.port }}
      protocol: TCP
      targetPort: metrics
    {{- if .Values.metrics.service.extraPorts }}
--- a/packages/system/dashboard/charts/kubeapps/charts/redis/templates/networkpolicy.yaml
+++ b/packages/system/dashboard/charts/kubeapps/charts/redis/templates/networkpolicy.yaml
@@ -8,7 +8,7 @@ kind: NetworkPolicy
 apiVersion: {{ template "networkPolicy.apiVersion" . }}
 metadata:
  name: {{ template "common.names.fullname" . }}
-  namespace: {{ .Release.Namespace | quote }}
+  namespace: {{ include "common.names.namespace" . | quote }}
  labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
  {{- if .Values.commonAnnotations }}
  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
@@ -18,8 +18,11 @@ spec:
    matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 6 }}
  policyTypes:
    - Ingress
  {{- if or (eq .Values.architecture "replication") .Values.networkPolicy.extraEgress }}
    - Egress
  {{- if .Values.networkPolicy.allowExternalEgress }}
  egress:
    - {}
  {{- else }}
  egress:
    {{- if eq .Values.architecture "replication" }}
    # Allow dns resolution
@@ -76,7 +79,7 @@ spec:
    {{- if .Values.metrics.enabled }}
    # Allow prometheus scrapes for metrics
    - ports:
-        - port: 9121
+        - port: {{ .Values.metrics.containerPorts.http }}
      {{- if not .Values.networkPolicy.metrics.allowExternal }}
      from:
        {{- if or .Values.networkPolicy.metrics.ingressNSMatchLabels .Values.networkPolicy.metrics.ingressNSPodMatchLabels }}
--- a/packages/system/dashboard/charts/kubeapps/charts/redis/templates/pdb.yaml
+++ b/packages/system/dashboard/charts/kubeapps/charts/redis/templates/pdb.yaml
@@ -8,7 +8,7 @@ apiVersion: {{ include "common.capabilities.policy.apiVersion" . }}
 kind: PodDisruptionBudget
 metadata:
  name: {{ template "common.names.fullname" . }}
-  namespace: {{ .Release.Namespace | quote }}
+  namespace: {{ include "common.names.namespace" . | quote }}
  labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
  {{- if .Values.commonAnnotations }}
  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
--- a/packages/system/dashboard/charts/kubeapps/charts/redis/templates/podmonitor.yaml
+++ b/packages/system/dashboard/charts/kubeapps/charts/redis/templates/podmonitor.yaml
@@ -8,7 +8,7 @@ apiVersion: monitoring.coreos.com/v1
 kind: PodMonitor
 metadata:
  name: {{ template "common.names.fullname" . }}
-  namespace: {{ default .Release.Namespace .Values.metrics.podMonitor.namespace | quote }}
+  namespace: {{ default (include "common.names.namespace" .) .Values.metrics.podMonitor.namespace | quote }}
  labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
    {{- if .Values.metrics.podMonitor.additionalLabels }}
    {{- include "common.tplvalues.render" (dict "value" .Values.metrics.podMonitor.additionalLabels "context" $) | nindent 4 }}
@@ -18,7 +18,7 @@ metadata:
  {{- end }}
 spec:
  podMetricsEndpoints:
-    - port: http-metrics
+    - port: {{ .Values.metrics.podMonitor.port }}
      {{- if .Values.metrics.podMonitor.interval }}
      interval: {{ .Values.metrics.podMonitor.interval }}
      {{- end }}
@@ -34,6 +34,36 @@ spec:
      {{- if .Values.metrics.podMonitor.metricRelabelings }}
      metricRelabelings: {{- toYaml .Values.metrics.podMonitor.metricRelabelings | nindent 6 }}
      {{- end }}
    {{- range .Values.metrics.podMonitor.additionalEndpoints }}
    - port: {{ .port }}
      {{- if .interval }}
      interval: {{ .interval }}
      {{- end }}
      {{- if .path }}
      path: {{ .path }}
      {{- end }}
      {{- if .honorLabels }}
      honorLabels: {{ .honorLabels }}
      {{- end }}
      {{- if .relabellings }}
      relabelings: {{- toYaml .relabellings | nindent 6 }}
      {{- end }}
      {{- if .metricRelabelings }}
      metricRelabelings: {{- toYaml .metricRelabelings | nindent 6 }}
      {{- end }}
      {{- if .scrapeTimeout }}
      scrapeTimeout: {{ .scrapeTimeout }}
      {{- end }}
      {{- if .params }}
      params:
        {{- range $key, $value := .params }}
        {{ $key }}:
          {{- range $value }}
          - {{ . | quote }}
          {{- end }}
        {{- end }}
      {{- end }}
    {{- end }}
  {{- if .Values.metrics.serviceMonitor.podTargetLabels }}
  podTargetLabels: {{- toYaml .Values.metrics.podMonitor.podTargetLabels | nindent 4 }}
  {{- end }}
@@ -45,8 +75,7 @@ spec:
  {{- end }}
  namespaceSelector:
    matchNames:
-      - {{ .Release.Namespace }}
+      - {{ include "common.names.namespace" . | quote }}
  selector:
    matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 6 }}
      app.kubernetes.io/component: metrics
 {{- end }}
--- a/packages/system/dashboard/charts/kubeapps/charts/redis/templates/prometheusrule.yaml
+++ b/packages/system/dashboard/charts/kubeapps/charts/redis/templates/prometheusrule.yaml
@@ -8,7 +8,7 @@ apiVersion: monitoring.coreos.com/v1
 kind: PrometheusRule
 metadata:
  name: {{ template "common.names.fullname" . }}
-  namespace: {{ default .Release.Namespace .Values.metrics.prometheusRule.namespace | quote }}
+  namespace: {{ default (include "common.names.namespace" .) .Values.metrics.prometheusRule.namespace | quote }}
  labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
    {{- if .Values.metrics.prometheusRule.additionalLabels }}
    {{- include "common.tplvalues.render" (dict "value" .Values.metrics.prometheusRule.additionalLabels "context" $) | nindent 4 }}
--- a/packages/system/dashboard/charts/kubeapps/charts/redis/templates/replicas/application.yaml
+++ b/packages/system/dashboard/charts/kubeapps/charts/redis/templates/replicas/application.yaml
@@ -8,7 +8,7 @@ apiVersion: {{ include "common.capabilities.statefulset.apiVersion" . }}
 kind: {{ .Values.replica.kind }}
 metadata:
  name: {{ printf "%s-replicas" (include "common.names.fullname" .) }}
-  namespace: {{ .Release.Namespace | quote }}
+  namespace: {{ include "common.names.namespace" . | quote }}
  labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
    app.kubernetes.io/component: replica
  {{- if .Values.commonAnnotations }}
@@ -60,10 +60,10 @@ spec:
      hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.replica.hostAliases "context" $) | nindent 8 }}
      {{- end }}
      {{- if .Values.replica.podSecurityContext.enabled }}
-      securityContext: {{- omit .Values.replica.podSecurityContext "enabled" | toYaml | nindent 8 }}
+      securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.replica.podSecurityContext "context" $) | nindent 8 }}
      {{- end }}
      serviceAccountName: {{ template "redis.replicaServiceAccountName" . }}
-      automountServiceAccountToken: {{ .Values.replica.serviceAccount.automountServiceAccountToken }}
+      automountServiceAccountToken: {{ .Values.replica.automountServiceAccountToken }}
      {{- if .Values.replica.priorityClassName }}
      priorityClassName: {{ .Values.replica.priorityClassName | quote }}
      {{- end }}
@@ -108,7 +108,7 @@ spec:
          {{- end }}
          {{- end }}
          {{- if .Values.replica.containerSecurityContext.enabled }}
-          securityContext: {{- omit .Values.replica.containerSecurityContext "enabled" | toYaml | nindent 12 }}
+          securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.replica.containerSecurityContext "context" $) | nindent 12 }}
          {{- end }}
          {{- if .Values.diagnosticMode.enabled }}
          command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }}
@@ -136,9 +136,9 @@ spec:
            {{- if .Values.replica.externalMaster.enabled }}
              value: {{ .Values.replica.externalMaster.host | quote }}
            {{- else if and (eq (int64 .Values.master.count) 1) (eq .Values.master.kind "StatefulSet") }}
-              value: {{ template "common.names.fullname" . }}-master-0.{{ template "common.names.fullname" . }}-headless.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }}
+              value: {{ template "common.names.fullname" . }}-master-0.{{ template "common.names.fullname" . }}-headless.{{ include "common.names.namespace" . }}.svc.{{ .Values.clusterDomain }}
            {{- else }}
-              value: {{ template "common.names.fullname" . }}-master.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }}
+              value: {{ template "common.names.fullname" . }}-master.{{ include "common.names.namespace" . }}.svc.{{ .Values.clusterDomain }}
            {{- end }}
            - name: REDIS_MASTER_PORT_NUMBER
            {{- if .Values.replica.externalMaster.enabled }}
@@ -246,6 +246,8 @@ spec:
          {{- end }}
          {{- if .Values.replica.resources }}
          resources: {{- toYaml .Values.replica.resources | nindent 12 }}
          {{- else if ne .Values.replica.resourcesPreset "none" }}
          resources: {{- include "common.resources.preset" (dict "type" .Values.replica.resourcesPreset) | nindent 12 }}
          {{- end }}
          volumeMounts:
            - name: start-scripts
@@ -265,8 +267,12 @@ spec:
              {{- end }}
            - name: config
              mountPath: /opt/bitnami/redis/mounted-etc
-            - name: redis-tmp-conf
+            - name: empty-dir
              mountPath: /opt/bitnami/redis/etc
              subPath: app-conf-dir
            - name: empty-dir
              mountPath: /tmp
              subPath: tmp-dir
            {{- if .Values.tls.enabled }}
            - name: redis-certificates
              mountPath: /opt/bitnami/redis/certs
@@ -280,7 +286,7 @@ spec:
          image: {{ include "redis.metrics.image" . }}
          imagePullPolicy: {{ .Values.metrics.image.pullPolicy | quote }}
          {{- if .Values.metrics.containerSecurityContext.enabled }}
-          securityContext: {{- omit .Values.metrics.containerSecurityContext "enabled" | toYaml | nindent 12 }}
+          securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.metrics.containerSecurityContext "context" $) | nindent 12 }}
          {{- end }}
          {{- if .Values.diagnosticMode.enabled }}
          command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }}
@@ -302,6 +308,8 @@ spec:
          env:
            - name: REDIS_ALIAS
              value: {{ template "common.names.fullname" . }}
            - name: REDIS_EXPORTER_WEB_LISTEN_ADDRESS
              value: {{ printf ":%v" .Values.metrics.containerPorts.http }}
            {{- if .Values.auth.enabled }}
            - name: REDIS_USER
              value: default
@@ -330,7 +338,7 @@ spec:
            {{- end }}
          ports:
            - name: metrics
-              containerPort: 9121
+              containerPort: {{ .Values.metrics.containerPorts.http }}
          {{- if not .Values.diagnosticMode.enabled }}
          {{- if .Values.metrics.customStartupProbe }}
          startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.customStartupProbe "context" $) | nindent 12 }}
@@ -357,8 +365,13 @@ spec:
          {{- end }}
          {{- if .Values.metrics.resources }}
          resources: {{- toYaml .Values.metrics.resources | nindent 12 }}
          {{- else if ne .Values.metrics.resourcesPreset "none" }}
          resources: {{- include "common.resources.preset" (dict "type" .Values.metrics.resourcesPreset) | nindent 12 }}
          {{- end }}
          volumeMounts:
            - name: empty-dir
              mountPath: /tmp
              subPath: tmp-dir
            {{- if .Values.auth.usePasswordFiles }}
            - name: redis-password
              mountPath: /secrets/
@@ -401,8 +414,13 @@ spec:
          {{- end }}
          {{- if .Values.volumePermissions.resources }}
          resources: {{- toYaml .Values.volumePermissions.resources | nindent 12 }}
          {{- else if ne .Values.volumePermissions.resourcesPreset "none" }}
          resources: {{- include "common.resources.preset" (dict "type" .Values.volumePermissions.resourcesPreset) | nindent 12 }}
          {{- end }}
          volumeMounts:
            - name: empty-dir
              mountPath: /tmp
              subPath: tmp-dir
            - name: redis-data
              mountPath: {{ .Values.replica.persistence.path }}
              {{- if .Values.replica.persistence.subPath }}
@@ -423,9 +441,14 @@ spec:
          {{- end }}
          {{- if .Values.sysctl.resources }}
          resources: {{- toYaml .Values.sysctl.resources | nindent 12 }}
          {{- else if ne .Values.sysctl.resourcesPreset "none" }}
          resources: {{- include "common.resources.preset" (dict "type" .Values.sysctl.resourcesPreset) | nindent 12 }}
          {{- end }}
          {{- if .Values.sysctl.mountHostSys }}
          volumeMounts:
            - name: empty-dir
              mountPath: /tmp
              subPath: tmp-dir
            - name: host-sys
              mountPath: /host-sys
          {{- end }}
@@ -442,11 +465,15 @@ spec:
            defaultMode: 0755
        {{- if .Values.auth.usePasswordFiles }}
        - name: redis-password
          {{ if .Values.auth.usePasswordFileFromSecret }}
          secret:
            secretName: {{ template "redis.secretName" . }}
            items:
            - key: {{ template "redis.secretPasswordKey" . }}
              path: redis-password
          {{- else }}
          emptyDir: {}
          {{- end }}
        {{- end }}
        - name: config
          configMap:
@@ -456,7 +483,7 @@ spec:
          hostPath:
            path: /sys
        {{- end }}
-        - name: redis-tmp-conf
+        - name: empty-dir
          {{- if or .Values.replica.persistence.medium .Values.replica.persistence.sizeLimit }}
          emptyDir:
            {{- if .Values.replica.persistence.medium }}
--- a/packages/system/dashboard/charts/kubeapps/charts/redis/templates/replicas/hpa.yaml
+++ b/packages/system/dashboard/charts/kubeapps/charts/redis/templates/replicas/hpa.yaml
@@ -8,7 +8,7 @@ apiVersion: {{ include "common.capabilities.hpa.apiVersion" ( dict "context" $ )
 kind: HorizontalPodAutoscaler
 metadata:
  name: {{ printf "%s-replicas" (include "common.names.fullname" .) }}
-  namespace: {{ .Release.Namespace | quote }}
+  namespace: {{ include "common.names.namespace" . | quote }}
  labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
    app.kubernetes.io/component: replica
  {{- if .Values.commonAnnotations }}
--- a/packages/system/dashboard/charts/kubeapps/charts/redis/templates/replicas/service.yaml
+++ b/packages/system/dashboard/charts/kubeapps/charts/redis/templates/replicas/service.yaml
@@ -8,7 +8,7 @@ apiVersion: v1
 kind: Service
 metadata:
  name: {{ printf "%s-replicas" (include "common.names.fullname" .) }}
-  namespace: {{ .Release.Namespace | quote }}
+  namespace: {{ include "common.names.namespace" . | quote }}
  labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
    app.kubernetes.io/component: replica
  {{- if or .Values.replica.service.annotations .Values.commonAnnotations }}
@@ -26,6 +26,9 @@ spec:
  {{- if and (eq .Values.replica.service.type "LoadBalancer") (not (empty .Values.replica.service.loadBalancerIP)) }}
  loadBalancerIP: {{ .Values.replica.service.loadBalancerIP }}
  {{- end }}
  {{- if and (eq .Values.replica.service.type "LoadBalancer")  .Values.replica.service.loadBalancerClass }}
  loadBalancerClass: {{ .Values.replica.service.loadBalancerClass }}
  {{- end }}
  {{- if and (eq .Values.replica.service.type "LoadBalancer") (not (empty .Values.replica.service.loadBalancerSourceRanges)) }}
  loadBalancerSourceRanges: {{ toYaml .Values.replica.service.loadBalancerSourceRanges | nindent 4 }}
  {{- end }}
--- a/packages/system/dashboard/charts/kubeapps/charts/redis/templates/replicas/serviceaccount.yaml
+++ b/packages/system/dashboard/charts/kubeapps/charts/redis/templates/replicas/serviceaccount.yaml
@@ -3,13 +3,13 @@ Copyright VMware, Inc.
 SPDX-License-Identifier: APACHE-2.0
 */}}
-{{- if .Values.replica.serviceAccount.create }}
+{{- if and .Values.replica.serviceAccount.create (eq .Values.architecture "replication") (not .Values.sentinel.enabled) }}
 apiVersion: v1
 kind: ServiceAccount
 automountServiceAccountToken: {{ .Values.replica.serviceAccount.automountServiceAccountToken }}
 metadata:
  name: {{ template "redis.replicaServiceAccountName" . }}
-  namespace: {{ .Release.Namespace | quote }}
+  namespace: {{ include "common.names.namespace" . | quote }}
  labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
  {{- if or .Values.replica.serviceAccount.annotations .Values.commonAnnotations }}
  {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.replica.serviceAccount.annotations .Values.commonAnnotations ) "context" . ) }}
--- a/packages/system/dashboard/charts/kubeapps/charts/redis/templates/role.yaml
+++ b/packages/system/dashboard/charts/kubeapps/charts/redis/templates/role.yaml
@@ -8,7 +8,7 @@ apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }}
 kind: Role
 metadata:
  name: {{ template "common.names.fullname" . }}
-  namespace: {{ .Release.Namespace | quote }}
+  namespace: {{ include "common.names.namespace" . | quote }}
  labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
  {{- if .Values.commonAnnotations }}
  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
@@ -23,6 +23,11 @@ rules:
      - 'use'
    resourceNames: [{{ printf "%s-master" (include "common.names.fullname" .) }}]
  {{- end }}
  {{- if and .Values.sentinel.enabled .Values.sentinel.service.createMaster}}
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["list", "patch"]
  {{- end -}}
  {{- if .Values.rbac.rules }}
  {{- include "common.tplvalues.render" ( dict "value" .Values.rbac.rules "context" $ ) | nindent 2 }}
  {{- end }}
--- a/packages/system/dashboard/charts/kubeapps/charts/redis/templates/rolebinding.yaml
+++ b/packages/system/dashboard/charts/kubeapps/charts/redis/templates/rolebinding.yaml
@@ -8,7 +8,7 @@ apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }}
 kind: RoleBinding
 metadata:
  name: {{ template "common.names.fullname" . }}
-  namespace: {{ .Release.Namespace | quote }}
+  namespace: {{ include "common.names.namespace" . | quote }}
  labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
  {{- if .Values.commonAnnotations }}
  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
--- a/packages/system/dashboard/charts/kubeapps/charts/redis/templates/scripts-configmap.yaml
+++ b/packages/system/dashboard/charts/kubeapps/charts/redis/templates/scripts-configmap.yaml
@@ -7,7 +7,7 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
  name: {{ printf "%s-scripts" (include "common.names.fullname" .) }}
-  namespace: {{ .Release.Namespace | quote }}
+  namespace: {{ include "common.names.namespace" . | quote }}
  labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
  {{- if .Values.commonAnnotations }}
  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
@@ -48,7 +48,7 @@ data:
        {{- if .Values.useExternalDNS.enabled }}
        full_hostname="${hostname}.{{- include "redis.externalDNS.suffix" . }}"
        {{- else if eq .Values.sentinel.service.type "NodePort" }}
-        full_hostname="${hostname}.{{- .Release.Namespace }}"
+        full_hostname="${hostname}.{{- include "common.names.namespace" . }}"
        {{- else }}
        full_hostname="${hostname}.${HEADLESS_SERVICE}"
        {{- end }}
@@ -71,12 +71,12 @@ data:
    REDISPORT=$(get_port "$HOSTNAME" "REDIS")
-    HEADLESS_SERVICE="{{ template "common.names.fullname" . }}-headless.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }}"
+    HEADLESS_SERVICE="{{ template "common.names.fullname" . }}-headless.{{ include "common.names.namespace" . }}.svc.{{ .Values.clusterDomain }}"
    if [ -n "$REDIS_EXTERNAL_MASTER_HOST" ]; then
        REDIS_SERVICE="$REDIS_EXTERNAL_MASTER_HOST"
    else
-        REDIS_SERVICE="{{ template "common.names.fullname" . }}.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }}"
+        REDIS_SERVICE="{{ template "common.names.fullname" . }}.{{ include "common.names.namespace" . }}.svc.{{ .Values.clusterDomain }}"
    fi
    SENTINEL_SERVICE_PORT=$(get_port "{{ include "common.names.fullname" . }}" "SENTINEL")
@@ -251,8 +251,8 @@ data:
    . /opt/bitnami/scripts/libvalidations.sh
    . /opt/bitnami/scripts/libfile.sh
-    HEADLESS_SERVICE="{{ template "common.names.fullname" . }}-headless.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }}"
+    HEADLESS_SERVICE="{{ template "common.names.fullname" . }}-headless.{{ include "common.names.namespace" . }}.svc.{{ .Values.clusterDomain }}"
-    REDIS_SERVICE="{{ template "common.names.fullname" . }}.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }}"
+    REDIS_SERVICE="{{ template "common.names.fullname" . }}.{{ include "common.names.namespace" . }}.svc.{{ .Values.clusterDomain }}"
    get_port() {
        hostname="$1"
@@ -281,7 +281,7 @@ data:
        {{- if .Values.useExternalDNS.enabled }}
        full_hostname="${hostname}.{{- include "redis.externalDNS.suffix" . }}"
        {{- else if eq .Values.sentinel.service.type "NodePort" }}
-        full_hostname="${hostname}.{{- .Release.Namespace }}"
+        full_hostname="${hostname}.{{- include "common.names.namespace" . }}"
        {{- else }}
        full_hostname="${hostname}.${HEADLESS_SERVICE}"
        {{- end }}
@@ -366,6 +366,13 @@ data:
        REDIS_MASTER_PORT_NUMBER=${REDIS_SENTINEL_INFO[1]}
    fi
    {{- if .Values.sentinel.service.createMaster }}
    if [[ "${REDIS_REPLICATION_MODE}" == "master" ]]; then
        # Add isMaster label to master node for master service
        echo "${REDIS_MASTER_HOST/.*}" > /etc/shared/current
    fi
    {{- end }}
    if [[ -n "$REDIS_EXTERNAL_MASTER_HOST" ]]; then
      REDIS_MASTER_HOST="$REDIS_EXTERNAL_MASTER_HOST"
      REDIS_MASTER_PORT_NUMBER="${REDIS_EXTERNAL_MASTER_PORT}"
@@ -450,7 +457,7 @@ data:
    . /opt/bitnami/scripts/libvalidations.sh
    . /opt/bitnami/scripts/libos.sh
-    HEADLESS_SERVICE="{{ template "common.names.fullname" . }}-headless.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }}"
+    HEADLESS_SERVICE="{{ template "common.names.fullname" . }}-headless.{{ include "common.names.namespace" . }}.svc.{{ .Values.clusterDomain }}"
    get_full_hostname() {
        hostname="$1"
@@ -458,7 +465,7 @@ data:
        {{- if .Values.useExternalDNS.enabled }}
        full_hostname="${hostname}.{{- include "redis.externalDNS.suffix" . }}"
        {{- else if eq .Values.sentinel.service.type "NodePort" }}
-        full_hostname="${hostname}.{{- .Release.Namespace }}"
+        full_hostname="${hostname}.{{- include "common.names.namespace" . }}"
        {{- else }}
        full_hostname="${hostname}.${HEADLESS_SERVICE}"
        {{- end }}
@@ -481,7 +488,7 @@ data:
    run_sentinel_command() {
        if is_boolean_yes "$REDIS_SENTINEL_TLS_ENABLED"; then
-            redis-cli -h "$REDIS_SERVICE" -p "$REDIS_SENTINEL_PORT" --tls --cert "$REDIS_SENTINEL_TLS_CERT_FILE" --key "$REDIS_SENTINEL_TLS_KEY_FILE" --cacert "$REDIS_SENTINEL_TLS_CA_FILE" sentinel "$@"
+            redis-cli -h "$REDIS_SERVICE" -p "$REDIS_SENTINEL_TLS_PORT_NUMBER" --tls --cert "$REDIS_SENTINEL_TLS_CERT_FILE" --key "$REDIS_SENTINEL_TLS_KEY_FILE" --cacert "$REDIS_SENTINEL_TLS_CA_FILE" sentinel "$@"
        else
            redis-cli -h "$REDIS_SERVICE" -p "$REDIS_SENTINEL_PORT" sentinel "$@"
        fi
@@ -492,7 +499,7 @@ data:
      [[ "$REDIS_MASTER_HOST" != "$(get_full_hostname $HOSTNAME)" ]]
    }
-    REDIS_SERVICE="{{ include "common.names.fullname" . }}.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }}"
+    REDIS_SERVICE="{{ include "common.names.fullname" . }}.{{ include "common.names.namespace" . }}.svc.{{ .Values.clusterDomain }}"
    {{ if .Values.auth.sentinel -}}
    # redis-cli automatically consumes credentials from the REDISCLI_AUTH variable
@@ -530,7 +537,7 @@ data:
        [[ "$REDIS_ROLE" == "master" ]]
    }
-    HEADLESS_SERVICE="{{ template "common.names.fullname" . }}-headless.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }}"
+    HEADLESS_SERVICE="{{ template "common.names.fullname" . }}-headless.{{- include "common.names.namespace" . }}.svc.{{ .Values.clusterDomain }}"
    get_full_hostname() {
        hostname="$1"
@@ -538,7 +545,7 @@ data:
        {{- if .Values.useExternalDNS.enabled }}
        full_hostname="${hostname}.{{- include "redis.externalDNS.suffix" . }}"
        {{- else if eq .Values.sentinel.service.type "NodePort" }}
-        full_hostname="${hostname}.{{- .Release.Namespace }}"
+        full_hostname="${hostname}.{{- include "common.names.namespace" . }}"
        {{- else }}
        full_hostname="${hostname}.${HEADLESS_SERVICE}"
        {{- end }}
@@ -561,7 +568,7 @@ data:
    run_sentinel_command() {
        if is_boolean_yes "$REDIS_SENTINEL_TLS_ENABLED"; then
-            {{ .Values.auth.sentinel | ternary "" "env -u REDISCLI_AUTH " -}} redis-cli -h "$REDIS_SERVICE" -p "$REDIS_SENTINEL_PORT" --tls --cert "$REDIS_SENTINEL_TLS_CERT_FILE" --key "$REDIS_SENTINEL_TLS_KEY_FILE" --cacert "$REDIS_SENTINEL_TLS_CA_FILE" sentinel "$@"
+            {{ .Values.auth.sentinel | ternary "" "env -u REDISCLI_AUTH " -}} redis-cli -h "$REDIS_SERVICE" -p "$REDIS_SENTINEL_TLS_PORT_NUMBER" --tls --cert "$REDIS_SENTINEL_TLS_CERT_FILE" --key "$REDIS_SENTINEL_TLS_KEY_FILE" --cacert "$REDIS_SENTINEL_TLS_CA_FILE" sentinel "$@"
        else
            {{ .Values.auth.sentinel | ternary "" "env -u REDISCLI_AUTH " -}} redis-cli -h "$REDIS_SERVICE" -p "$REDIS_SENTINEL_PORT" sentinel "$@"
        fi
@@ -572,7 +579,7 @@ data:
        [[ "$REDIS_MASTER_HOST" != "$(get_full_hostname $HOSTNAME)" ]]
    }
-    REDIS_SERVICE="{{ include "common.names.fullname" . }}.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }}"
+    REDIS_SERVICE="{{ include "common.names.fullname" . }}.{{ include "common.names.namespace" . }}.svc.{{ .Values.clusterDomain }}"
    # redis-cli automatically consumes credentials from the REDISCLI_AUTH variable
    [[ -n "$REDIS_PASSWORD" ]] && export REDISCLI_AUTH="$REDIS_PASSWORD"
@@ -596,6 +603,14 @@ data:
        exit 0
    fi
  {{- if .Values.sentinel.service.createMaster}}
  push-master-label.sh: |
    #!/bin/bash
    # https://download.redis.io/redis-stable/sentinel.conf
    echo "${6/.*}" > /etc/shared/current
    echo "${4/.*}" > /etc/shared/previous
  {{- end }}
 {{- else }}
  start-master.sh: |
    #!/bin/bash
@@ -676,7 +691,7 @@ data:
        {{- if .Values.useExternalDNS.enabled }}
        full_hostname="${hostname}.{{- include "redis.externalDNS.suffix" . }}"
        {{- else if eq .Values.sentinel.service.type "NodePort" }}
-        full_hostname="${hostname}.{{- .Release.Namespace }}"
+        full_hostname="${hostname}.{{- include "common.names.namespace" . }}"
        {{- else }}
        full_hostname="${hostname}.${HEADLESS_SERVICE}"
        {{- end }}
@@ -698,7 +713,7 @@ data:
    }
    REDISPORT=$(get_port "$HOSTNAME" "REDIS")
-    HEADLESS_SERVICE="{{ template "common.names.fullname" . }}-headless.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }}"
+    HEADLESS_SERVICE="{{ template "common.names.fullname" . }}-headless.{{ include "common.names.namespace" . }}.svc.{{ .Values.clusterDomain }}"
    [[ -f $REDIS_PASSWORD_FILE ]] && export REDIS_PASSWORD="$(< "${REDIS_PASSWORD_FILE}")"
    [[ -f $REDIS_MASTER_PASSWORD_FILE ]] && export REDIS_MASTER_PASSWORD="$(< "${REDIS_MASTER_PASSWORD_FILE}")"
@@ -755,3 +770,29 @@ data:
    {{- end }}
  {{- end }}
 {{- end }}
 ---
 {{- if .Values.sentinel.service.createMaster}}
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: {{ printf "%s-kubectl-scripts" (include "common.names.fullname" .) }}
  namespace: {{ include "common.names.namespace" . | quote }}
  labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
  {{- if .Values.commonAnnotations }}
  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
  {{- end }}
 data:
  update-master-label.sh: |
    #!/bin/bash
    while true; do
        while [ ! -f "/etc/shared/current" ]; do
            sleep 1
        done
        echo "new master elected, updating label(s)..."
        kubectl label pod --field-selector metadata.name="$(< "/etc/shared/current")" isMaster="true" --overwrite
        if [ -f /etc/shared/previous ]; then
            kubectl label pod --field-selector metadata.name="$(< "/etc/shared/previous")" isMaster="false" --overwrite
        fi
        rm "/etc/shared/current" "/etc/shared/previous"
    done
 {{- end }}
--- a/packages/system/dashboard/charts/kubeapps/charts/redis/templates/secret-svcbind.yaml
+++ b/packages/system/dashboard/charts/kubeapps/charts/redis/templates/secret-svcbind.yaml
@@ -17,7 +17,7 @@ apiVersion: v1
 kind: Secret
 metadata:
  name: {{ include "common.names.fullname" . }}-svcbind
-  namespace: {{ .Release.Namespace | quote }}
+  namespace: {{ include "common.names.namespace" . | quote }}
  labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
  {{- if .Values.commonAnnotations }}
  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
--- a/packages/system/dashboard/charts/kubeapps/charts/redis/templates/secret.yaml
+++ b/packages/system/dashboard/charts/kubeapps/charts/redis/templates/secret.yaml
@@ -3,12 +3,12 @@ Copyright VMware, Inc.
 SPDX-License-Identifier: APACHE-2.0
 */}}
-{{- if and .Values.auth.enabled (not .Values.auth.existingSecret) -}}
+{{- if and .Values.auth.enabled (not .Values.auth.existingSecret) (or .Values.auth.usePasswordFileFromSecret (not .Values.auth.usePasswordFiles)) -}}
 apiVersion: v1
 kind: Secret
 metadata:
  name: {{ template "common.names.fullname" . }}
-  namespace: {{ .Release.Namespace | quote }}
+  namespace: {{ include "common.names.namespace" . | quote }}
  labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
  {{- if or .Values.secretAnnotations .Values.commonAnnotations }}
  annotations:
--- a/packages/system/dashboard/charts/kubeapps/charts/redis/templates/sentinel/hpa.yaml
+++ b/packages/system/dashboard/charts/kubeapps/charts/redis/templates/sentinel/hpa.yaml
@@ -8,7 +8,7 @@ apiVersion: {{ include "common.capabilities.hpa.apiVersion" ( dict "context" $ )
 kind: HorizontalPodAutoscaler
 metadata:
  name: {{ printf "%s-node" (include "common.names.fullname" .) }}
-  namespace: {{ .Release.Namespace | quote }}
+  namespace: {{ include "common.names.namespace" . | quote }}
  labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
    app.kubernetes.io/component: replica
  {{- if .Values.commonAnnotations }}
--- a/packages/system/dashboard/charts/kubeapps/charts/redis/templates/sentinel/node-services.yaml
+++ b/packages/system/dashboard/charts/kubeapps/charts/redis/templates/sentinel/node-services.yaml
@@ -7,7 +7,7 @@ SPDX-License-Identifier: APACHE-2.0
 {{- range $i := until (int .Values.replica.replicaCount) }}
-{{ $portsmap := (lookup "v1" "ConfigMap" $.Release.Namespace (printf "%s-%s" ( include "common.names.fullname" $ ) "ports-configmap")).data }}
+{{ $portsmap := (lookup "v1" "ConfigMap" (include "common.names.namespace" $) (printf "%s-%s" ( include "common.names.fullname" $ ) "ports-configmap")).data }}
 {{ $sentinelport := 0}}
 {{ $redisport := 0}}
@@ -20,7 +20,7 @@ apiVersion: v1
 kind: Service
 metadata:
  name: {{ template "common.names.fullname" $ }}-node-{{ $i }}
-  namespace: {{ $.Release.Namespace | quote }}
+  namespace: {{ include "common.names.namespace" $ | quote }}
  labels: {{- include "common.labels.standard" ( dict "customLabels" $.Values.commonLabels "context" $ ) | nindent 4 }}
    app.kubernetes.io/component: node
  {{- if or $.Values.commonAnnotations $.Values.sentinel.service.annotations }}
--- a/packages/system/dashboard/charts/kubeapps/charts/redis/templates/sentinel/ports-configmap.yaml
+++ b/packages/system/dashboard/charts/kubeapps/charts/redis/templates/sentinel/ports-configmap.yaml
@@ -71,14 +71,14 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
  name: {{ template "common.names.fullname" . }}-ports-configmap
-  namespace: {{ .Release.Namespace | quote }}
+  namespace: {{ include "common.names.namespace" . | quote }}
  labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
  {{- if .Values.commonAnnotations }}
  annotations:
    {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
  {{- end }}
 data:
-{{ $portsmap := (lookup "v1" "ConfigMap" $.Release.Namespace (printf "%s-%s" ( include "common.names.fullname" . ) "ports-configmap")).data }}
+{{ $portsmap := (lookup "v1" "ConfigMap" (include "common.names.namespace" .) (printf "%s-%s" ( include "common.names.fullname" . ) "ports-configmap")).data }}
 {{- if $portsmap }}
 {{- /* configmap already exists, do not install again */ -}}
  {{- range $name, $value := $portsmap }}
--- a/packages/system/dashboard/charts/kubeapps/charts/redis/templates/sentinel/service.yaml
+++ b/packages/system/dashboard/charts/kubeapps/charts/redis/templates/sentinel/service.yaml
@@ -5,7 +5,7 @@ SPDX-License-Identifier: APACHE-2.0
 {{- if or .Release.IsUpgrade (ne .Values.sentinel.service.type "NodePort") .Values.sentinel.service.nodePorts.redis -}}
 {{- if and (eq .Values.architecture "replication") .Values.sentinel.enabled }}
-{{ $portsmap := (lookup "v1" "ConfigMap" $.Release.Namespace (printf "%s-%s" ( include "common.names.fullname" . ) "ports-configmap")).data }}
+{{ $portsmap := (lookup "v1" "ConfigMap" (include "common.names.namespace" .) (printf "%s-%s" ( include "common.names.fullname" . ) "ports-configmap")).data }}
 {{ $sentinelport := 0}}
 {{ $redisport := 0}}
@@ -19,7 +19,7 @@ apiVersion: v1
 kind: Service
 metadata:
  name: {{ template "common.names.fullname" . }}
-  namespace: {{ .Release.Namespace | quote }}
+  namespace: {{ include "common.names.namespace" . | quote }}
  labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
    app.kubernetes.io/component: node
  {{- if or .Values.sentinel.service.annotations .Values.commonAnnotations }}
@@ -34,6 +34,9 @@ spec:
  {{- if and (eq .Values.sentinel.service.type "LoadBalancer") (not (empty .Values.sentinel.service.loadBalancerIP)) }}
  loadBalancerIP: {{ .Values.sentinel.service.loadBalancerIP }}
  {{- end }}
  {{- if and (eq .Values.sentinel.service.type "LoadBalancer")  .Values.sentinel.service.loadBalancerClass }}
  loadBalancerClass: {{ .Values.sentinel.service.loadBalancerClass }}
  {{- end }}
  {{- if and (eq .Values.sentinel.service.type "LoadBalancer") (not (empty .Values.sentinel.service.loadBalancerSourceRanges)) }}
  loadBalancerSourceRanges: {{ toYaml .Values.sentinel.service.loadBalancerSourceRanges | nindent 4 }}
  {{- end }}
@@ -97,5 +100,62 @@ spec:
  {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.replica.podLabels .Values.commonLabels ) "context" . ) }}
  selector: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 4 }}
    app.kubernetes.io/component: node
 {{- if and .Values.sentinel.enabled .Values.sentinel.service.createMaster}}
 ---
 apiVersion: v1
 kind: Service
 metadata:
  name: "{{ template "common.names.fullname" . }}-master"
  namespace: {{ include "common.names.namespace" . | quote }}
  labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
    app.kubernetes.io/component: node
  {{- if or .Values.sentinel.service.annotations .Values.commonAnnotations }}
  {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.sentinel.service.annotations .Values.commonAnnotations ) "context" . ) }}
  annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }}
  {{- end }}
 spec:
  type: {{ .Values.sentinel.service.type }}
  {{- if or (eq .Values.sentinel.service.type "LoadBalancer") (eq .Values.sentinel.service.type "NodePort") }}
  externalTrafficPolicy: {{ .Values.sentinel.service.externalTrafficPolicy | quote }}
  {{- end }}
  {{- if and (eq .Values.sentinel.service.type "LoadBalancer") (not (empty .Values.sentinel.service.loadBalancerIP)) }}
  loadBalancerIP: {{ .Values.sentinel.service.loadBalancerIP }}
  {{- end }}
  {{- if and (eq .Values.sentinel.service.type "LoadBalancer")  .Values.sentinel.service.loadBalancerClass }}
  loadBalancerClass: {{ .Values.sentinel.service.loadBalancerClass }}
  {{- end }}
  {{- if and (eq .Values.sentinel.service.type "LoadBalancer") (not (empty .Values.sentinel.service.loadBalancerSourceRanges)) }}
  loadBalancerSourceRanges: {{ toYaml .Values.sentinel.service.loadBalancerSourceRanges | nindent 4 }}
  {{- end }}
  {{- if and .Values.sentinel.service.clusterIP (eq .Values.sentinel.service.type "ClusterIP") }}
  clusterIP: {{ .Values.sentinel.service.clusterIP }}
  {{- end }}
  {{- if .Values.sentinel.service.sessionAffinity }}
  sessionAffinity: {{ .Values.sentinel.service.sessionAffinity }}
  {{- end }}
  {{- if .Values.sentinel.service.sessionAffinityConfig }}
  sessionAffinityConfig: {{- include "common.tplvalues.render" (dict "value" .Values.sentinel.service.sessionAffinityConfig "context" $) | nindent 4 }}
  {{- end }}
  ports:
    - name: tcp-redis
      {{- if and (or (eq .Values.sentinel.service.type "NodePort") (eq .Values.sentinel.service.type "LoadBalancer")) .Values.sentinel.service.nodePorts.redis }}
      port: {{ .Values.sentinel.service.nodePorts.redis }}
      {{- else if eq .Values.sentinel.service.type "NodePort" }}
      port: {{ $redisport }}
      {{- else}}
      port: {{ .Values.sentinel.service.ports.redis }}
      {{- end }}
      targetPort: {{ .Values.replica.containerPorts.redis }}
      {{- if and (or (eq .Values.sentinel.service.type "NodePort") (eq .Values.sentinel.service.type "LoadBalancer")) .Values.sentinel.service.nodePorts.redis }}
      nodePort: {{ .Values.sentinel.service.nodePorts.redis }}
      {{- else if eq .Values.sentinel.service.type "ClusterIP" }}
      nodePort: null
      {{- else if eq .Values.sentinel.service.type "NodePort" }}
      nodePort:  {{ $redisport }}
      {{- end }}
  selector: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 4 }}
    isMaster: "true"
 {{- end }}
 {{- end }}
 {{- end }}
--- a/packages/system/dashboard/charts/kubeapps/charts/redis/templates/sentinel/statefulset.yaml
+++ b/packages/system/dashboard/charts/kubeapps/charts/redis/templates/sentinel/statefulset.yaml
@@ -9,7 +9,7 @@ apiVersion: {{ include "common.capabilities.statefulset.apiVersion" . }}
 kind: StatefulSet
 metadata:
  name: {{ printf "%s-node" (include "common.names.fullname" .) }}
-  namespace: {{ .Release.Namespace | quote }}
+  namespace: {{ include "common.names.namespace" . | quote }}
  labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
    app.kubernetes.io/component: node
  {{- if or .Values.commonAnnotations .Values.sentinel.annotations }}
@@ -54,13 +54,13 @@ spec:
        {{- end }}
    spec:
      {{- include "redis.imagePullSecrets" . | nindent 6 }}
      automountServiceAccountToken: {{ .Values.replica.automountServiceAccountToken }}
      {{- if .Values.replica.hostAliases }}
      hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.replica.hostAliases "context" $) | nindent 8 }}
      {{- end }}
      {{- if .Values.replica.podSecurityContext.enabled }}
-      securityContext: {{- omit .Values.replica.podSecurityContext "enabled" | toYaml | nindent 8 }}
+      securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.replica.podSecurityContext "context" $) | nindent 8 }}
      {{- end }}
      automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }}
      serviceAccountName: {{ template "redis.serviceAccountName" . }}
      {{- if .Values.replica.priorityClassName }}
      priorityClassName: {{ .Values.replica.priorityClassName | quote }}
@@ -114,7 +114,7 @@ spec:
          {{- end }}
          {{- end }}
          {{- if .Values.replica.containerSecurityContext.enabled }}
-          securityContext: {{- omit .Values.replica.containerSecurityContext "enabled" | toYaml | nindent 12 }}
+          securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.replica.containerSecurityContext "context" $) | nindent 12 }}
          {{- end }}
          {{- if .Values.diagnosticMode.enabled }}
          command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }}
@@ -270,6 +270,8 @@ spec:
          {{- end }}
          {{- if .Values.replica.resources }}
          resources: {{- toYaml .Values.replica.resources | nindent 12 }}
          {{- else if ne .Values.replica.resourcesPreset "none" }}
          resources: {{- include "common.resources.preset" (dict "type" .Values.replica.resourcesPreset) | nindent 12 }}
          {{- end }}
          volumeMounts:
            - name: start-scripts
@@ -293,10 +295,12 @@ spec:
              {{- end }}
            - name: config
              mountPath: /opt/bitnami/redis/mounted-etc
-            - name: redis-tmp-conf
+            - name: empty-dir
              mountPath: /opt/bitnami/redis/etc
-            - name: tmp
+              subPath: app-conf-dir
            - name: empty-dir
              mountPath: /tmp
              subPath: tmp-dir
            {{- if .Values.tls.enabled }}
            - name: redis-certificates
              mountPath: /opt/bitnami/redis/certs
@@ -322,7 +326,7 @@ spec:
          {{- end }}
          {{- end }}
          {{- if .Values.sentinel.containerSecurityContext.enabled }}
-          securityContext: {{- omit .Values.sentinel.containerSecurityContext "enabled" | toYaml | nindent 12 }}
+          securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.sentinel.containerSecurityContext "context" $) | nindent 12 }}
          {{- end }}
          {{- if .Values.diagnosticMode.enabled }}
          command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }}
@@ -449,12 +453,21 @@ spec:
          {{- end }}
          {{- if .Values.sentinel.resources }}
          resources: {{- toYaml .Values.sentinel.resources | nindent 12 }}
          {{- else if ne .Values.sentinel.resourcesPreset "none" }}
          resources: {{- include "common.resources.preset" (dict "type" .Values.sentinel.resourcesPreset) | nindent 12 }}
          {{- end }}
          volumeMounts:
            - name: empty-dir
              mountPath: /tmp
              subPath: tmp-dir
            - name: start-scripts
              mountPath: /opt/bitnami/scripts/start-scripts
            - name: health
              mountPath: /health
            {{- if .Values.sentinel.service.createMaster}}
            - name: kubectl-shared
              mountPath: /etc/shared
            {{- end }}
            - name: sentinel-data
              mountPath: /opt/bitnami/redis-sentinel/etc
            {{- if .Values.auth.usePasswordFiles }}
@@ -483,7 +496,7 @@ spec:
          image: {{ template "redis.metrics.image" . }}
          imagePullPolicy: {{ .Values.metrics.image.pullPolicy | quote }}
          {{- if .Values.metrics.containerSecurityContext.enabled }}
-          securityContext: {{- omit .Values.metrics.containerSecurityContext "enabled" | toYaml | nindent 12 }}
+          securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.metrics.containerSecurityContext "context" $) | nindent 12 }}
          {{- end }}
          {{- if .Values.diagnosticMode.enabled }}
          command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }}
@@ -503,6 +516,8 @@ spec:
          env:
            - name: REDIS_ALIAS
              value: {{ template "common.names.fullname" . }}
            - name: REDIS_EXPORTER_WEB_LISTEN_ADDRESS
              value: {{ printf ":%v" .Values.metrics.containerPorts.http }}
            {{- if .Values.auth.enabled }}
            - name: REDIS_USER
              value: default
@@ -531,7 +546,7 @@ spec:
            {{- end }}
          ports:
            - name: metrics
-              containerPort: 9121
+              containerPort: {{ .Values.metrics.containerPorts.http }}
          {{- if not .Values.diagnosticMode.enabled }}
          {{- if .Values.metrics.customStartupProbe }}
          startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.customStartupProbe "context" $) | nindent 12 }}
@@ -558,8 +573,13 @@ spec:
          {{- end }}
          {{- if .Values.metrics.resources }}
          resources: {{- toYaml .Values.metrics.resources | nindent 12 }}
          {{- else if ne .Values.metrics.resourcesPreset "none" }}
          resources: {{- include "common.resources.preset" (dict "type" .Values.metrics.resourcesPreset) | nindent 12 }}
          {{- end }}
          volumeMounts:
            - name: empty-dir
              mountPath: /tmp
              subPath: tmp-dir
            {{- if .Values.auth.usePasswordFiles }}
            - name: redis-password
              mountPath: /secrets/
@@ -573,6 +593,22 @@ spec:
            {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.extraVolumeMounts "context" $ ) | nindent 12 }}
            {{- end }}
        {{- end }}
        {{- if .Values.sentinel.service.createMaster }}
        - name: kubectl-shared
          image: {{ template "redis.kubectl.image" . }}
          imagePullPolicy: {{ .Values.kubectl.image.pullPolicy | quote }}
          command: {{- toYaml .Values.kubectl.command | nindent 12 }}
          securityContext:
            runAsUser: 0
          volumeMounts:
            - name: kubectl-shared
              mountPath: /etc/shared
            - name: kubectl-scripts
              mountPath: /opt/bitnami/scripts/kubectl-scripts
          {{- if .Values.kubectl.resources }}
          resources: {{- toYaml .Values.kubectl.resources | nindent 12 }}
          {{- end }}
        {{- end }}
        {{- if .Values.replica.sidecars }}
        {{- include "common.tplvalues.render" (dict "value" .Values.replica.sidecars "context" $) | nindent 8 }}
        {{- end }}
@@ -602,8 +638,13 @@ spec:
          {{- end }}
          {{- if .Values.volumePermissions.resources }}
          resources: {{- toYaml .Values.volumePermissions.resources | nindent 12 }}
          {{- else if ne .Values.volumePermissions.resourcesPreset "none" }}
          resources: {{- include "common.resources.preset" (dict "type" .Values.volumePermissions.resourcesPreset) | nindent 12 }}
          {{- end }}
          volumeMounts:
            - name: empty-dir
              mountPath: /tmp
              subPath: tmp-dir
            - name: redis-data
              mountPath: {{ .Values.replica.persistence.path }}
              {{- if .Values.replica.persistence.subPath }}
@@ -624,9 +665,14 @@ spec:
          {{- end }}
          {{- if .Values.sysctl.resources }}
          resources: {{- toYaml .Values.sysctl.resources | nindent 12 }}
          {{- else if ne .Values.sysctl.resourcesPreset "none" }}
          resources: {{- include "common.resources.preset" (dict "type" .Values.sysctl.resourcesPreset) | nindent 12 }}
          {{- end }}
          {{- if .Values.sysctl.mountHostSys }}
          volumeMounts:
            - name: empty-dir
              mountPath: /tmp
              subPath: tmp-dir
            - name: host-sys
              mountPath: /host-sys
          {{- end }}
@@ -641,13 +687,25 @@ spec:
          configMap:
            name: {{ printf "%s-health" (include "common.names.fullname" .) }}
            defaultMode: 0755
        {{- if .Values.sentinel.service.createMaster}}
        - name: kubectl-shared
          emptyDir: {}
        - name: kubectl-scripts
          configMap:
            name: {{ printf "%s-kubectl-scripts" (include "common.names.fullname" .) }}
            defaultMode: 0755
        {{- end }}
        {{- if .Values.auth.usePasswordFiles }}
        - name: redis-password
          {{ if .Values.auth.usePasswordFileFromSecret }}
          secret:
            secretName: {{ template "redis.secretName" . }}
            items:
            - key: {{ template "redis.secretPasswordKey" . }}
              path: redis-password
          {{- else }}
          emptyDir: {}
          {{- end }}
        {{- end }}
        - name: config
          configMap:
@@ -671,19 +729,7 @@ spec:
          emptyDir: {}
          {{- end }}
        {{- end }}
-        - name: redis-tmp-conf
+        - name: empty-dir
          {{- if or .Values.sentinel.persistence.medium .Values.sentinel.persistence.sizeLimit }}
          emptyDir:
            {{- if .Values.sentinel.persistence.medium }}
            medium: {{ .Values.sentinel.persistence.medium | quote }}
            {{- end }}
            {{- if .Values.sentinel.persistence.sizeLimit }}
            sizeLimit: {{ .Values.sentinel.persistence.sizeLimit | quote }}
            {{- end }}
          {{- else }}
          emptyDir: {}
          {{- end }}
        - name: tmp
          {{- if or .Values.sentinel.persistence.medium .Values.sentinel.persistence.sizeLimit }}
          emptyDir:
            {{- if .Values.sentinel.persistence.medium }}
--- a/packages/system/dashboard/charts/kubeapps/charts/redis/templates/serviceaccount.yaml
+++ b/packages/system/dashboard/charts/kubeapps/charts/redis/templates/serviceaccount.yaml
@@ -3,13 +3,13 @@ Copyright VMware, Inc.
 SPDX-License-Identifier: APACHE-2.0
 */}}
-{{- if and .Values.serviceAccount.create (and (not .Values.master.serviceAccount.create) (not .Values.replica.serviceAccount.create)) }}
+{{- if and .Values.serviceAccount.create .Values.sentinel.enabled }}
 apiVersion: v1
 kind: ServiceAccount
 automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }}
 metadata:
  name: {{ template "redis.serviceAccountName" . }}
-  namespace: {{ .Release.Namespace | quote }}
+  namespace: {{ include "common.names.namespace" . | quote }}
  labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
  {{- if or .Values.commonAnnotations .Values.serviceAccount.annotations }}
  {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.serviceAccount.annotations .Values.commonAnnotations ) "context" . ) }}
--- a/packages/system/dashboard/charts/kubeapps/charts/redis/templates/servicemonitor.yaml
+++ b/packages/system/dashboard/charts/kubeapps/charts/redis/templates/servicemonitor.yaml
@@ -8,7 +8,7 @@ apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
 metadata:
  name: {{ template "common.names.fullname" . }}
-  namespace: {{ default .Release.Namespace .Values.metrics.serviceMonitor.namespace | quote }}
+  namespace: {{ default (include "common.names.namespace" .) .Values.metrics.serviceMonitor.namespace | quote }}
  labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
    {{- if .Values.metrics.serviceMonitor.additionalLabels }}
    {{- include "common.tplvalues.render" (dict "value" .Values.metrics.serviceMonitor.additionalLabels "context" $) | nindent 4 }}
@@ -18,7 +18,7 @@ metadata:
  {{- end }}
 spec:
  endpoints:
-    - port: http-metrics
+    - port: {{ .Values.metrics.serviceMonitor.port }}
      {{- if .Values.metrics.serviceMonitor.interval }}
      interval: {{ .Values.metrics.serviceMonitor.interval }}
      {{- end }}
@@ -34,18 +34,48 @@ spec:
      {{- if .Values.metrics.serviceMonitor.metricRelabelings }}
      metricRelabelings: {{- toYaml .Values.metrics.serviceMonitor.metricRelabelings | nindent 6 }}
      {{- end }}
      {{- range .Values.metrics.serviceMonitor.additionalEndpoints }}
    - port: {{ .port }}
      {{- if .interval }}
      interval: {{ .interval }}
      {{- end }}
      {{- if .scrapeTimeout }}
      scrapeTimeout: {{ .scrapeTimeout }}
      {{- end }}
      {{- if .honorLabels }}
      honorLabels: {{ .honorLabels }}
      {{- end }}
      {{- if .relabellings }}
      relabelings: {{- toYaml .relabellings | nindent 6 }}
      {{- end }}
      {{- if .metricRelabelings }}
      metricRelabelings: {{- toYaml .metricRelabelings | nindent 6 }}
      {{- end }}
      {{- if .path }}
      path: {{ .path }}
      {{- end }}
      {{- if .params }}
      params:
        {{- range $key, $value := .params }}
        {{ $key }}:
          {{- range $value }}
          - {{ . | quote }}
          {{- end }}
        {{- end }}
      {{- end }}
    {{- end }}
  {{- if .Values.metrics.serviceMonitor.podTargetLabels }}
  podTargetLabels: {{- toYaml .Values.metrics.serviceMonitor.podTargetLabels | nindent 4 }}
  {{- end }}
-  {{ with .Values.metrics.serviceMonitor.sampleLimit }}
+  {{- with .Values.metrics.serviceMonitor.sampleLimit }}
  sampleLimit: {{ . }}
  {{- end }}
-  {{ with .Values.metrics.serviceMonitor.targetLimit }}
+  {{- with .Values.metrics.serviceMonitor.targetLimit }}
  targetLimit: {{ . }}
  {{- end }}
  namespaceSelector:
    matchNames:
-      - {{ .Release.Namespace }}
+      - {{ include "common.names.namespace" . | quote }}
  selector:
    matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 6 }}
      app.kubernetes.io/component: metrics
--- a/packages/system/dashboard/charts/kubeapps/charts/redis/templates/tls-secret.yaml
+++ b/packages/system/dashboard/charts/kubeapps/charts/redis/templates/tls-secret.yaml
@@ -6,7 +6,7 @@ SPDX-License-Identifier: APACHE-2.0
 {{- if (include "redis.createTlsSecret" .) }}
 {{- $secretName := printf "%s-crt" (include "common.names.fullname" .) }}
 {{- $ca := genCA "redis-ca" 365 }}
-{{- $releaseNamespace := .Release.Namespace }}
+{{- $releaseNamespace := (include "common.names.namespace" .) }}
 {{- $clusterDomain := .Values.clusterDomain }}
 {{- $fullname := include "common.names.fullname" . }}
 {{- $serviceName := include "common.names.fullname" . }}
@@ -18,7 +18,7 @@ apiVersion: v1
 kind: Secret
 metadata:
  name: {{ $secretName }}
-  namespace: {{ .Release.Namespace | quote }}
+  namespace: {{ include "common.names.namespace" . | quote }}
  labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
  {{- if .Values.commonAnnotations }}
  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
--- a/packages/system/dashboard/charts/kubeapps/charts/redis/values.yaml
+++ b/packages/system/dashboard/charts/kubeapps/charts/redis/values.yaml
@@ -22,7 +22,15 @@ global:
  storageClass: ""
  redis:
    password: ""
-
+  ## Compatibility adaptations for Kubernetes platforms
  ##
  compatibility:
    ## Compatibility adaptations for Openshift
    ##
    openshift:
      ## @param global.compatibility.openshift.adaptSecurityContext Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation)
      ##
      adaptSecurityContext: disabled
 ## @section Common parameters
 ##
@@ -35,6 +43,9 @@ nameOverride: ""
 ## @param fullnameOverride String to fully override common.names.fullname
 ##
 fullnameOverride: ""
 ## @param namespaceOverride String to fully override common.names.namespace
 ##
 namespaceOverride: ""
 ## @param commonLabels Labels to add to all deployed objects
 ##
 commonLabels: {}
@@ -59,7 +70,6 @@ nameResolutionThreshold: 5
 ## @param nameResolutionTimeout Timeout seconds between probes for internal hostnames resolution
 ##
 nameResolutionTimeout: 5
 ## Enable diagnostic mode in the deployment
 ##
 diagnosticMode:
@@ -74,7 +84,6 @@ diagnosticMode:
  ##
  args:
    - infinity
 ## @section Redis&reg; Image parameters
 ##
@@ -91,11 +100,11 @@ diagnosticMode:
 image:
  registry: docker.io
  repository: bitnami/redis
-  tag: 7.2.3-debian-11-r1
+  tag: 7.2.4-debian-12-r9
  digest: ""
  ## Specify a imagePullPolicy
  ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
-  ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images
+  ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images
  ##
  pullPolicy: IfNotPresent
  ## Optionally specify an array of imagePullSecrets.
@@ -109,7 +118,6 @@ image:
  ## Enable debug mode
  ##
  debug: false
 ## @section Redis&reg; common configuration parameters
 ## https://github.com/bitnami/containers/tree/main/bitnami/redis#configuration
 ##
@@ -142,7 +150,9 @@ auth:
  ## @param auth.usePasswordFiles Mount credentials as files instead of using an environment variable
  ##
  usePasswordFiles: false
-
+  ## @param auth.usePasswordFileFromSecret Mount password file from secret
  ##
  usePasswordFileFromSecret: true
 ## @param commonConfiguration [string] Common configuration to be added into the ConfigMap
 ## ref: https://redis.io/topics/config
 ##
@@ -154,10 +164,8 @@ commonConfiguration: |-
 ## @param existingConfigmap The name of an existing ConfigMap with your custom configuration for Redis&reg; nodes
 ##
 existingConfigmap: ""
 ## @section Redis&reg; master configuration parameters
 ##
 master:
  ## @param master.count Number of Redis&reg; master instances to deploy (experimental, requires additional configuration)
  ##
@@ -263,42 +271,60 @@ master:
  ##
  customReadinessProbe: {}
  ## Redis&reg; master resource requests and limits
-  ## ref: https://kubernetes.io/docs/user-guide/compute-resources/
+  ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
-  ## @param master.resources.limits The resources limits for the Redis&reg; master containers
+  ## @param master.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if master.resources is set (master.resources is recommended for production).
-  ## @param master.resources.requests The requested resources for the Redis&reg; master containers
+  ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
  ##
-  resources:
+  resourcesPreset: "none"
-    limits: {}
+  ## @param master.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
-    requests: {}
+  ## Example:
  ## resources:
  ##   requests:
  ##     cpu: 2
  ##     memory: 512Mi
  ##   limits:
  ##     cpu: 3
  ##     memory: 1024Mi
  ##
  resources: {}
  ## Configure Pods Security Context
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
  ## @param master.podSecurityContext.enabled Enabled Redis&reg; master pods' Security Context
  ## @param master.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
  ## @param master.podSecurityContext.sysctls Set kernel settings using the sysctl interface
  ## @param master.podSecurityContext.supplementalGroups Set filesystem extra groups
  ## @param master.podSecurityContext.fsGroup Set Redis&reg; master pod's Security Context fsGroup
  ##
  podSecurityContext:
    enabled: true
    fsGroupChangePolicy: Always
    sysctls: []
    supplementalGroups: []
    fsGroup: 1001
  ## Configure Container Security Context
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
  ## @param master.containerSecurityContext.enabled Enabled Redis&reg; master containers' Security Context
  ## @param master.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
  ## @param master.containerSecurityContext.runAsUser Set Redis&reg; master containers' Security Context runAsUser
  ## @param master.containerSecurityContext.runAsGroup Set Redis&reg; master containers' Security Context runAsGroup
  ## @param master.containerSecurityContext.runAsNonRoot Set Redis&reg; master containers' Security Context runAsNonRoot
  ## @param master.containerSecurityContext.allowPrivilegeEscalation Is it possible to escalate Redis&reg; pod(s) privileges
  ## @param master.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context read-only root filesystem
  ## @param master.containerSecurityContext.seccompProfile.type Set Redis&reg; master containers' Security Context seccompProfile
  ## @param master.containerSecurityContext.capabilities.drop Set Redis&reg; master containers' Security Context capabilities to drop
  ##
  containerSecurityContext:
    enabled: true
    seLinuxOptions: null
    runAsUser: 1001
    runAsGroup: 0
    runAsNonRoot: true
    allowPrivilegeEscalation: false
    readOnlyRootFilesystem: false
    seccompProfile:
      type: RuntimeDefault
    capabilities:
-      drop:
+      drop: ["ALL"]
        - ALL
  ## @param master.kind Use either Deployment, StatefulSet (default) or DaemonSet
  ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/
  ##
@@ -322,6 +348,9 @@ master:
  ## @param master.priorityClassName Redis&reg; master pods' priorityClassName
  ##
  priorityClassName: ""
  ## @param master.automountServiceAccountToken Mount Service Account token in pod
  ##
  automountServiceAccountToken: false
  ## @param master.hostAliases Redis&reg; master pods host aliases
  ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/
  ##
@@ -369,7 +398,7 @@ master:
  ##
  affinity: {}
  ## @param master.nodeSelector Node labels for Redis&reg; master pods assignment
-  ## ref: https://kubernetes.io/docs/user-guide/node-selection/
+  ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/
  ##
  nodeSelector: {}
  ## @param master.tolerations Tolerations for Redis&reg; master pods assignment
@@ -432,7 +461,7 @@ master:
  ##
  initContainers: []
  ## Persistence parameters
-  ## ref: https://kubernetes.io/docs/user-guide/persistent-volumes/
+  ## ref: https://kubernetes.io/docs/concepts/storage/persistent-volumes/
  ##
  persistence:
    ## @param master.persistence.enabled Enable persistence on Redis&reg; master nodes using Persistent Volume Claims
@@ -532,6 +561,10 @@ master:
    ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer
    ##
    loadBalancerIP: ""
    ## @param master.service.loadBalancerClass master service Load Balancer class if service type is `LoadBalancer` (optional, cloud specific)
    ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-loadbalancer
    ##
    loadBalancerClass: ""
    ## @param master.service.loadBalancerSourceRanges Redis&reg; master service Load Balancer sources
    ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service
    ## e.g.
@@ -569,7 +602,7 @@ master:
  serviceAccount:
    ## @param master.serviceAccount.create Specifies whether a ServiceAccount should be created
    ##
-    create: false
+    create: true
    ## @param master.serviceAccount.name The name of the ServiceAccount to use.
    ## If not set and create is true, a name is generated using the common.names.fullname template
    ##
@@ -577,14 +610,12 @@ master:
    ## @param master.serviceAccount.automountServiceAccountToken Whether to auto mount the service account token
    ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#use-the-default-service-account-to-access-the-api-server
    ##
-    automountServiceAccountToken: true
+    automountServiceAccountToken: false
    ## @param master.serviceAccount.annotations Additional custom annotations for the ServiceAccount
    ##
    annotations: {}
 ## @section Redis&reg; replicas configuration parameters
 ##
 replica:
  ## @param replica.kind Use either DaemonSet or StatefulSet (default)
  ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/
@@ -702,50 +733,60 @@ replica:
  ##
  customReadinessProbe: {}
  ## Redis&reg; replicas resource requests and limits
-  ## ref: https://kubernetes.io/docs/user-guide/compute-resources/
+  ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
-  ## @param replica.resources.limits The resources limits for the Redis&reg; replicas containers
+  ## @param replica.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if replica.resources is set (replica.resources is recommended for production).
-  ## @param replica.resources.requests The requested resources for the Redis&reg; replicas containers
+  ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
  ##
-  resources:
+  resourcesPreset: "none"
-    # We usually recommend not to specify default resources and to leave this as a conscious
+  ## @param replica.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
-    # choice for the user. This also increases chances charts run on environments with little
+  ## Example:
-    # resources, such as Minikube. If you do want to specify resources, uncomment the following
+  ## resources:
-    # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+  ##   requests:
-    limits: {}
+  ##     cpu: 2
-    #   cpu: 250m
+  ##     memory: 512Mi
-    #   memory: 256Mi
+  ##   limits:
-    requests: {}
+  ##     cpu: 3
-    #   cpu: 250m
+  ##     memory: 1024Mi
-    #   memory: 256Mi
+  ##
  resources: {}
  ## Configure Pods Security Context
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
  ## @param replica.podSecurityContext.enabled Enabled Redis&reg; replicas pods' Security Context
  ## @param replica.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
  ## @param replica.podSecurityContext.sysctls Set kernel settings using the sysctl interface
  ## @param replica.podSecurityContext.supplementalGroups Set filesystem extra groups
  ## @param replica.podSecurityContext.fsGroup Set Redis&reg; replicas pod's Security Context fsGroup
  ##
  podSecurityContext:
    enabled: true
    fsGroupChangePolicy: Always
    sysctls: []
    supplementalGroups: []
    fsGroup: 1001
  ## Configure Container Security Context
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
  ## @param replica.containerSecurityContext.enabled Enabled Redis&reg; replicas containers' Security Context
  ## @param replica.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
  ## @param replica.containerSecurityContext.runAsUser Set Redis&reg; replicas containers' Security Context runAsUser
  ## @param replica.containerSecurityContext.runAsGroup Set Redis&reg; replicas containers' Security Context runAsGroup
  ## @param replica.containerSecurityContext.runAsNonRoot Set Redis&reg; replicas containers' Security Context runAsNonRoot
  ## @param replica.containerSecurityContext.allowPrivilegeEscalation Set Redis&reg; replicas pod's Security Context allowPrivilegeEscalation
  ## @param replica.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context read-only root filesystem
  ## @param replica.containerSecurityContext.seccompProfile.type Set Redis&reg; replicas containers' Security Context seccompProfile
  ## @param replica.containerSecurityContext.capabilities.drop Set Redis&reg; replicas containers' Security Context capabilities to drop
  ##
  containerSecurityContext:
    enabled: true
    seLinuxOptions: null
    runAsUser: 1001
    runAsGroup: 0
    runAsNonRoot: true
    allowPrivilegeEscalation: false
    readOnlyRootFilesystem: false
    seccompProfile:
      type: RuntimeDefault
    capabilities:
-      drop:
+      drop: ["ALL"]
        - ALL
  ## @param replica.schedulerName Alternate scheduler for Redis&reg; replicas pods
  ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
  ##
@@ -769,6 +810,9 @@ replica:
  ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#pod-management-policies
  ##
  podManagementPolicy: ""
  ## @param replica.automountServiceAccountToken Mount Service Account token in pod
  ##
  automountServiceAccountToken: false
  ## @param replica.hostAliases Redis&reg; replicas pods host aliases
  ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/
  ##
@@ -816,7 +860,7 @@ replica:
  ##
  affinity: {}
  ## @param replica.nodeSelector Node labels for Redis&reg; replicas pods assignment
-  ## ref: https://kubernetes.io/docs/user-guide/node-selection/
+  ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/
  ##
  nodeSelector: {}
  ## @param replica.tolerations Tolerations for Redis&reg; replicas pods assignment
@@ -879,7 +923,7 @@ replica:
  ##
  initContainers: []
  ## Persistence Parameters
-  ## ref: https://kubernetes.io/docs/user-guide/persistent-volumes/
+  ## ref: https://kubernetes.io/docs/concepts/storage/persistent-volumes/
  ##
  persistence:
    ## @param replica.persistence.enabled Enable persistence on Redis&reg; replicas nodes using Persistent Volume Claims
@@ -979,6 +1023,10 @@ replica:
    ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer
    ##
    loadBalancerIP: ""
    ## @param replica.service.loadBalancerClass replicas service Load Balancer class if service type is `LoadBalancer` (optional, cloud specific)
    ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-loadbalancer
    ##
    loadBalancerClass: ""
    ## @param replica.service.loadBalancerSourceRanges Redis&reg; replicas service Load Balancer sources
    ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service
    ## e.g.
@@ -1026,7 +1074,7 @@ replica:
  serviceAccount:
    ## @param replica.serviceAccount.create Specifies whether a ServiceAccount should be created
    ##
-    create: false
+    create: true
    ## @param replica.serviceAccount.name The name of the ServiceAccount to use.
    ## If not set and create is true, a name is generated using the common.names.fullname template
    ##
@@ -1034,7 +1082,7 @@ replica:
    ## @param replica.serviceAccount.automountServiceAccountToken Whether to auto mount the service account token
    ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#use-the-default-service-account-to-access-the-api-server
    ##
-    automountServiceAccountToken: true
+    automountServiceAccountToken: false
    ## @param replica.serviceAccount.annotations Additional custom annotations for the ServiceAccount
    ##
    annotations: {}
@@ -1060,11 +1108,11 @@ sentinel:
  image:
    registry: docker.io
    repository: bitnami/redis-sentinel
-    tag: 7.2.3-debian-11-r1
+    tag: 7.2.4-debian-12-r7
    digest: ""
    ## Specify a imagePullPolicy
    ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
-    ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images
+    ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images
    ##
    pullPolicy: IfNotPresent
    ## Optionally specify an array of imagePullSecrets.
@@ -1202,7 +1250,7 @@ sentinel:
  ##
  customReadinessProbe: {}
  ## Persistence parameters
-  ## ref: https://kubernetes.io/docs/user-guide/persistent-volumes/
+  ## ref: https://kubernetes.io/docs/concepts/storage/persistent-volumes/
  ##
  persistence:
    ## @param sentinel.persistence.enabled Enable persistence on Redis&reg; sentinel nodes using Persistent Volume Claims (Experimental)
@@ -1254,34 +1302,46 @@ sentinel:
    whenScaled: Retain
    whenDeleted: Retain
  ## Redis&reg; Sentinel resource requests and limits
-  ## ref: https://kubernetes.io/docs/user-guide/compute-resources/
+  ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
-  ## @param sentinel.resources.limits The resources limits for the Redis&reg; Sentinel containers
+  ## @param sentinel.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if sentinel.resources is set (sentinel.resources is recommended for production).
-  ## @param sentinel.resources.requests The requested resources for the Redis&reg; Sentinel containers
+  ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
  ##
-  resources:
+  resourcesPreset: "none"
-    limits: {}
+  ## @param sentinel.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
-    requests: {}
+  ## Example:
  ## resources:
  ##   requests:
  ##     cpu: 2
  ##     memory: 512Mi
  ##   limits:
  ##     cpu: 3
  ##     memory: 1024Mi
  ##
  resources: {}
  ## Configure Container Security Context
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
  ## @param sentinel.containerSecurityContext.enabled Enabled Redis&reg; Sentinel containers' Security Context
  ## @param sentinel.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
  ## @param sentinel.containerSecurityContext.runAsUser Set Redis&reg; Sentinel containers' Security Context runAsUser
  ## @param sentinel.containerSecurityContext.runAsGroup Set Redis&reg; Sentinel containers' Security Context runAsGroup
  ## @param sentinel.containerSecurityContext.runAsNonRoot Set Redis&reg; Sentinel containers' Security Context runAsNonRoot
  ## @param sentinel.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context read-only root filesystem
  ## @param sentinel.containerSecurityContext.allowPrivilegeEscalation Set Redis&reg; Sentinel containers' Security Context allowPrivilegeEscalation
  ## @param sentinel.containerSecurityContext.seccompProfile.type Set Redis&reg; Sentinel containers' Security Context seccompProfile
  ## @param sentinel.containerSecurityContext.capabilities.drop Set Redis&reg; Sentinel containers' Security Context capabilities to drop
  ##
  containerSecurityContext:
    enabled: true
    seLinuxOptions: null
    runAsUser: 1001
    runAsGroup: 0
    runAsNonRoot: true
    allowPrivilegeEscalation: false
    readOnlyRootFilesystem: false
    seccompProfile:
      type: RuntimeDefault
    capabilities:
-      drop:
+      drop: ["ALL"]
        - ALL
  ## @param sentinel.lifecycleHooks for the Redis&reg; sentinel container(s) to automate configuration before or after startup
  ##
  lifecycleHooks: {}
@@ -1323,10 +1383,20 @@ sentinel:
    ## @param sentinel.service.clusterIP Redis&reg; Sentinel service Cluster IP
    ##
    clusterIP: ""
    ## @param sentinel.service.createMaster Enable master service pointing to the current master (experimental)
    ## NOTE: rbac.create need to be set to true
    ##
    createMaster: false
    ## @param sentinel.service.loadBalancerIP Redis&reg; Sentinel service Load Balancer IP
    ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer
    ##
    loadBalancerIP: ""
    ## @param sentinel.service.loadBalancerClass sentinel service Load Balancer class if service type is `LoadBalancer` (optional, cloud specific)
    ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-loadbalancer
    ##
    loadBalancerClass: ""
    ## @param sentinel.service.loadBalancerSourceRanges Redis&reg; Sentinel service Load Balancer sources
    ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service
    ## e.g.
@@ -1357,7 +1427,6 @@ sentinel:
  ## @param sentinel.terminationGracePeriodSeconds Integer setting the termination grace period for the redis-node pods
  ##
  terminationGracePeriodSeconds: 30
 ## @section Other Parameters
 ##
@@ -1366,20 +1435,22 @@ sentinel:
 ##
 serviceBindings:
  enabled: false
 ## Network Policy configuration
 ## ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/
 ##
 networkPolicy:
  ## @param networkPolicy.enabled Enable creation of NetworkPolicy resources
  ##
-  enabled: false
+  enabled: true
  ## @param networkPolicy.allowExternal Don't require client label for connections
  ## When set to false, only pods with the correct client label will have network access to the ports
  ## Redis&reg; is listening on. When true, Redis&reg; will accept connections from any source
  ## (with the correct destination port).
  ##
  allowExternal: true
  ## @param networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations.
  ##
  allowExternalEgress: true
  ## @param networkPolicy.extraIngress Add extra ingress rules to the NetworkPolicy
  ## e.g:
  ## extraIngress:
@@ -1419,7 +1490,6 @@ networkPolicy:
  ##
  ingressNSMatchLabels: {}
  ingressNSPodMatchLabels: {}
  metrics:
    ## @param networkPolicy.metrics.allowExternal Don't require client label for connections for metrics endpoint
    ## When set to false, only pods with the correct client label will have network access to the metrics port
@@ -1430,7 +1500,6 @@ networkPolicy:
    ##
    ingressNSMatchLabels: {}
    ingressNSPodMatchLabels: {}
 ## PodSecurityPolicy configuration
 ## ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/
 ##
@@ -1472,7 +1541,7 @@ serviceAccount:
  ## @param serviceAccount.automountServiceAccountToken Whether to auto mount the service account token
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#use-the-default-service-account-to-access-the-api-server
  ##
-  automountServiceAccountToken: true
+  automountServiceAccountToken: false
  ## @param serviceAccount.annotations Additional custom annotations for the ServiceAccount
  ##
  annotations: {}
@@ -1519,10 +1588,8 @@ tls:
  ## @param tls.dhParamsFilename File containing DH params (in order to support DH based ciphers)
  ##
  dhParamsFilename: ""
 ## @section Metrics Parameters
 ##
 metrics:
  ## @param metrics.enabled Start a sidecar prometheus exporter to expose Redis&reg; metrics
  ##
@@ -1539,7 +1606,7 @@ metrics:
  image:
    registry: docker.io
    repository: bitnami/redis-exporter
-    tag: 1.55.0-debian-11-r2
+    tag: 1.58.0-debian-12-r4
    digest: ""
    pullPolicy: IfNotPresent
    ## Optionally specify an array of imagePullSecrets.
@@ -1550,6 +1617,10 @@ metrics:
    ##   - myRegistryKeySecretName
    ##
    pullSecrets: []
  ## @param metrics.containerPorts.http Metrics HTTP container port
  ##
  containerPorts:
    http: 9121
  ## Configure extra options for Redis&reg; containers' liveness, readiness & startup probes
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/
  ## @param metrics.startupProbe.enabled Enable startupProbe on Redis&reg; replicas nodes
@@ -1626,24 +1697,27 @@ metrics:
  ## Configure Container Security Context
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
  ## @param metrics.containerSecurityContext.enabled Enabled Redis&reg; exporter containers' Security Context
  ## @param metrics.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
  ## @param metrics.containerSecurityContext.runAsUser Set Redis&reg; exporter containers' Security Context runAsUser
  ## @param metrics.containerSecurityContext.runAsGroup Set Redis&reg; exporter containers' Security Context runAsGroup
  ## @param metrics.containerSecurityContext.runAsNonRoot Set Redis&reg; exporter containers' Security Context runAsNonRoot
  ## @param metrics.containerSecurityContext.allowPrivilegeEscalation Set Redis&reg; exporter containers' Security Context allowPrivilegeEscalation
  ## @param metrics.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context read-only root filesystem
  ## @param metrics.containerSecurityContext.seccompProfile.type Set Redis&reg; exporter containers' Security Context seccompProfile
  ## @param metrics.containerSecurityContext.capabilities.drop Set Redis&reg; exporter containers' Security Context capabilities to drop
  ##
  containerSecurityContext:
    enabled: true
    seLinuxOptions: null
    runAsUser: 1001
    runAsGroup: 0
    runAsNonRoot: true
    allowPrivilegeEscalation: false
    readOnlyRootFilesystem: false
    seccompProfile:
      type: RuntimeDefault
    capabilities:
-      drop:
+      drop: ["ALL"]
        - ALL
  ## @param metrics.extraVolumes Optionally specify extra list of additional volumes for the Redis&reg; metrics sidecar
  ##
  extraVolumes: []
@@ -1651,13 +1725,22 @@ metrics:
  ##
  extraVolumeMounts: []
  ## Redis&reg; exporter resource requests and limits
-  ## ref: https://kubernetes.io/docs/user-guide/compute-resources/
+  ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
-  ## @param metrics.resources.limits The resources limits for the Redis&reg; exporter container
+  ## @param metrics.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if metrics.resources is set (metrics.resources is recommended for production).
-  ## @param metrics.resources.requests The requested resources for the Redis&reg; exporter container
+  ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
  ##
-  resources:
+  resourcesPreset: "none"
-    limits: {}
+  ## @param metrics.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
-    requests: {}
+  ## Example:
  ## resources:
  ##   requests:
  ##     cpu: 2
  ##     memory: 512Mi
  ##   limits:
  ##     cpu: 3
  ##     memory: 1024Mi
  ##
  resources: {}
  ## @param metrics.podLabels Extra labels for Redis&reg; exporter pods
  ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
  ##
@@ -1671,12 +1754,16 @@ metrics:
  ## Redis&reg; exporter service parameters
  ##
  service:
    ## @param metrics.service.enabled Create Service resource(s) for scraping metrics using PrometheusOperator ServiceMonitor, can be disabled when using a PodMonitor
    ##
    enabled: true
    ## @param metrics.service.type Redis&reg; exporter service type
    ##
    type: ClusterIP
-    ## @param metrics.service.port Redis&reg; exporter service port
+    ## @param metrics.service.ports.http Redis&reg; exporter service port
    ##
-    port: 9121
+    ports:
      http: 9121
    ## @param metrics.service.externalTrafficPolicy Redis&reg; exporter service external traffic policy
    ## ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
    ##
@@ -1688,6 +1775,10 @@ metrics:
    ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer
    ##
    loadBalancerIP: ""
    ## @param metrics.service.loadBalancerClass exporter service Load Balancer class if service type is `LoadBalancer` (optional, cloud specific)
    ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-loadbalancer
    ##
    loadBalancerClass: ""
    ## @param metrics.service.loadBalancerSourceRanges Redis&reg; exporter service Load Balancer sources
    ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service
    ## e.g.
@@ -1706,6 +1797,9 @@ metrics:
  ##      https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint
  ##
  serviceMonitor:
    ## @param metrics.serviceMonitor.port the service port to scrape metrics from
    ##
    port: http-metrics
    ## @param metrics.serviceMonitor.enabled Create ServiceMonitor resource(s) for scraping metrics using PrometheusOperator
    ##
    enabled: false
@@ -1739,11 +1833,27 @@ metrics:
    ## @param metrics.serviceMonitor.targetLimit Limit of how many targets should be scraped
    ##
    targetLimit: false
    ## @param metrics.serviceMonitor.additionalEndpoints  Additional endpoints to scrape (e.g sentinel)
    ##
    additionalEndpoints: []
    # uncomment in order to scrape sentinel metrics, also to in order distinguish between Sentinel and Redis container metrics
    # add metricRelabelings with label like app=redis to main redis pod-monitor port
    # - interval: "30s"
    #   path: "/scrape"
    #   port: "metrics"
    #   params:
    #     target: ["localhost:26379"]
    #   metricRelabelings:
    #     - targetLabel: "app"
    #       replacement: "sentinel"
  ## Prometheus Pod Monitor
  ## ref: https://github.com/coreos/prometheus-operator
  ##      https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#podmonitor
  ##
  podMonitor:
    ## @param metrics.podMonitor.port the pod port to scrape metrics from
    ##
    port: metrics
    ## @param metrics.podMonitor.enabled Create PodMonitor resource(s) for scraping metrics using PrometheusOperator
    ##
    enabled: false
@@ -1762,6 +1872,8 @@ metrics:
    ## @param metrics.podMonitor.metricRelabelings Metrics RelabelConfigs to apply to samples before ingestion.
    ##
    metricRelabelings: []
    # - targetLabel: "app"
    #   replacement: "redis"
    ## @param metrics.podMonitor.honorLabels Specify honorLabels parameter to add the scrape endpoint
    ##
    honorLabels: false
@@ -1777,7 +1889,17 @@ metrics:
    ## @param metrics.podMonitor.targetLimit Limit of how many targets should be scraped
    ##
    targetLimit: false
-
+    ## @param metrics.podMonitor.additionalEndpoints  Additional endpoints to scrape (e.g sentinel)
    ##
    additionalEndpoints: []
    # - interval: "30s"
    #   path: "/scrape"
    #   port: "metrics"
    #   params:
    #     target: ["localhost:26379"]
    #   metricRelabelings:
    #     - targetLabel: "app"
    #       replacement: "sentinel"
  ## Custom PrometheusRule to be defined
  ## ref: https://github.com/coreos/prometheus-operator#customresourcedefinitions
  ##
@@ -1827,7 +1949,6 @@ metrics:
    ##          Redis&reg; instance {{ "{{ $labels.instance }}" }} has evicted {{ "{{ $value }}" }} keys in the last 5 minutes.
    ##
    rules: []
 ## @section Init Container Parameters
 ##
@@ -1851,7 +1972,7 @@ volumePermissions:
  image:
    registry: docker.io
    repository: bitnami/os-shell
-    tag: 11-debian-11-r91
+    tag: 12-debian-12-r16
    digest: ""
    pullPolicy: IfNotPresent
    ## Optionally specify an array of imagePullSecrets.
@@ -1863,23 +1984,77 @@ volumePermissions:
    ##
    pullSecrets: []
  ## Init container's resource requests and limits
-  ## ref: https://kubernetes.io/docs/user-guide/compute-resources/
+  ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
-  ## @param volumePermissions.resources.limits The resources limits for the init container
+  ## @param volumePermissions.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if volumePermissions.resources is set (volumePermissions.resources is recommended for production).
-  ## @param volumePermissions.resources.requests The requested resources for the init container
+  ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
  ##
-  resources:
+  resourcesPreset: "none"
-    limits: {}
+  ## @param volumePermissions.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
-    requests: {}
+  ## Example:
  ## resources:
  ##   requests:
  ##     cpu: 2
  ##     memory: 512Mi
  ##   limits:
  ##     cpu: 3
  ##     memory: 1024Mi
  ##
  resources: {}
  ## Init container Container Security Context
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
  ## @param volumePermissions.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
  ## @param volumePermissions.containerSecurityContext.runAsUser Set init container's Security Context runAsUser
  ## NOTE: when runAsUser is set to special value "auto", init container will try to chown the
  ##   data folder to auto-determined user&group, using commands: `id -u`:`id -G | cut -d" " -f2`
  ##   "auto" is especially useful for OpenShift which has scc with dynamic user ids (and 0 is not allowed)
  ##
  containerSecurityContext:
    seLinuxOptions: null
    runAsUser: 0
 ## Kubectl InitContainer
 ## used by Sentinel to update the isMaster label on the Redis(TM) pods
 ##
 kubectl:
  ## Bitnami Kubectl image version
  ## ref: https://hub.docker.com/r/bitnami/kubectl/tags/
  ## @param kubectl.image.registry [default: REGISTRY_NAME] Kubectl image registry
  ## @param kubectl.image.repository [default: REPOSITORY_NAME/kubectl] Kubectl image repository
  ## @skip kubectl.image.tag Kubectl image tag (immutable tags are recommended), by default, using the current version
  ## @param kubectl.image.digest Kubectl image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag
  ## @param kubectl.image.pullPolicy Kubectl image pull policy
  ## @param kubectl.image.pullSecrets Kubectl pull secrets
  ##
  image:
    registry: docker.io
    repository: bitnami/kubectl
    tag: 1.29.2-debian-12-r3
    digest: ""
    ## Specify a imagePullPolicy
    ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
    ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images
    ##
    pullPolicy: IfNotPresent
    ## Optionally specify an array of imagePullSecrets.
    ## Secrets must be manually created in the namespace.
    ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
    ## e.g:
    ## pullSecrets:
    ##   - myRegistryKeySecretName
    ##
    pullSecrets: []
  ## @param kubectl.command kubectl command to execute
  ##
  command: ["/opt/bitnami/scripts/kubectl-scripts/update-master-label.sh"]
  ## Bitnami Kubectl resource requests and limits
  ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
  ## @param kubectl.resources.limits The resources limits for the kubectl containers
  ## @param kubectl.resources.requests The requested resources for the kubectl containers
  ##
  resources:
    limits: {}
    requests: {}
 ## init-sysctl container parameters
 ## used to perform sysctl operation to modify Kernel settings (needed sometimes to avoid warnings)
 ##
@@ -1899,7 +2074,7 @@ sysctl:
  image:
    registry: docker.io
    repository: bitnami/os-shell
-    tag: 11-debian-11-r91
+    tag: 12-debian-12-r16
    digest: ""
    pullPolicy: IfNotPresent
    ## Optionally specify an array of imagePullSecrets.
@@ -1917,14 +2092,22 @@ sysctl:
  ##
  mountHostSys: false
  ## Init container's resource requests and limits
-  ## ref: https://kubernetes.io/docs/user-guide/compute-resources/
+  ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
-  ## @param sysctl.resources.limits The resources limits for the init container
+  ## @param sysctl.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if sysctl.resources is set (sysctl.resources is recommended for production).
-  ## @param sysctl.resources.requests The requested resources for the init container
+  ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
  ##
-  resources:
+  resourcesPreset: "none"
-    limits: {}
+  ## @param sysctl.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
-    requests: {}
+  ## Example:
-
+  ## resources:
  ##   requests:
  ##     cpu: 2
  ##     memory: 512Mi
  ##   limits:
  ##     cpu: 3
  ##     memory: 1024Mi
  ##
  resources: {}
 ## @section useExternalDNS Parameters
 ##
 ## @param useExternalDNS.enabled Enable various syntax that would enable external-dns to work.  Note this requires a working installation of `external-dns` to be usable.
--- a/packages/system/dashboard/charts/kubeapps/templates/NOTES.txt
+++ b/packages/system/dashboard/charts/kubeapps/templates/NOTES.txt
@@ -85,3 +85,4 @@ To access Kubeapps from outside your K8s cluster, follow the steps below:
 {{- include "kubeapps.checkRollingTags" . }}
 {{- include "kubeapps.validateValues" . }}
 {{- include "common.warnings.resources" (dict "sections" (list "apprepository" "authProxy" "dashboard" "frontend" "kubeappsapis" "ociCatalog" "pinnipedProxy" "postgresql") "context" $) }}
--- a/packages/system/dashboard/charts/kubeapps/templates/apprepository/apprepositories.yaml
+++ b/packages/system/dashboard/charts/kubeapps/templates/apprepository/apprepositories.yaml
@@ -41,11 +41,11 @@ spec:
              value: {{ $.Values.apprepository.initialReposProxy.noProxy }}
      {{- end }}
      {{- if $.Values.apprepository.containerSecurityContext.enabled }}
-          securityContext: {{- omit $.Values.apprepository.containerSecurityContext "enabled" | toYaml | nindent 12 }}
+          securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" $.Values.apprepository.containerSecurityContext "context" $) | nindent 12 }}
      {{- end }}
      {{- end }}
      {{- if $.Values.apprepository.podSecurityContext.enabled }}
-      securityContext: {{- omit $.Values.apprepository.podSecurityContext "enabled" | toYaml | nindent 8 }}
+      securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" $.Values.apprepository.podSecurityContext "context" $) | nindent 8 }}
      {{- end }}
      {{- if .nodeSelector }}
      nodeSelector: {{- toYaml .nodeSelector | nindent 8 }}
--- a/packages/system/dashboard/charts/kubeapps/templates/apprepository/deployment.yaml
+++ b/packages/system/dashboard/charts/kubeapps/templates/apprepository/deployment.yaml
@@ -35,6 +35,7 @@ spec:
    spec:
      {{- include "kubeapps.imagePullSecrets" . | indent 6 }}
      serviceAccountName: {{ template "kubeapps.apprepository.serviceAccountName" . }}
      automountServiceAccountToken: {{ .Values.apprepository.automountServiceAccountToken }}
      {{- if .Values.apprepository.hostAliases }}
      hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.apprepository.hostAliases "context" $) | nindent 8 }}
      {{- end }}
@@ -62,7 +63,7 @@ spec:
      priorityClassName: {{ .Values.apprepository.priorityClassName | quote }}
      {{- end }}
      {{- if .Values.apprepository.podSecurityContext.enabled }}
-      securityContext: {{- omit .Values.apprepository.podSecurityContext "enabled" | toYaml | nindent 8 }}
+      securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.apprepository.podSecurityContext "context" $) | nindent 8 }}
      {{- end }}
      {{- if .Values.apprepository.initContainers }}
      initContainers: {{- include "common.tplvalues.render" (dict "value" .Values.apprepository.initContainers "context" $) | trim | nindent 8 }}
@@ -72,7 +73,7 @@ spec:
          image: {{ include "kubeapps.apprepository.image" . }}
          imagePullPolicy: {{ .Values.apprepository.image.pullPolicy | quote }}
          {{- if .Values.apprepository.containerSecurityContext.enabled }}
-          securityContext: {{- omit .Values.apprepository.containerSecurityContext "enabled" | toYaml | nindent 12 }}
+          securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.apprepository.containerSecurityContext "context" $) | nindent 12 }}
          {{- end }}
          {{- if .Values.apprepository.lifecycleHooks }}
          lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.apprepository.lifecycleHooks "context" $) | nindent 12 }}
@@ -141,16 +142,25 @@ spec:
            - secretRef:
                name: {{ include "common.tplvalues.render" (dict "value" .Values.apprepository.extraEnvVarsSecret "context" $) }}
            {{- end }}
-          {{- if .Values.apprepository.extraVolumeMounts }}
+          volumeMounts:
-          volumeMounts: {{- include "common.tplvalues.render" (dict "value" .Values.apprepository.extraVolumeMounts "context" $) | nindent 12 }}
+            - name: empty-dir
-          {{- end }}
+              mountPath: /tmp
              subPath: tmp-dir
            {{- if .Values.apprepository.extraVolumeMounts }}
            {{- include "common.tplvalues.render" (dict "value" .Values.apprepository.extraVolumeMounts "context" $) | nindent 12 }}
            {{- end }}
          {{- if .Values.apprepository.resources }}
          resources: {{- toYaml .Values.apprepository.resources | nindent 12 }}
          {{- else if ne .Values.apprepository.resourcesPreset "none" }}
          resources: {{- include "common.resources.preset" (dict "type" .Values.apprepository.resourcesPreset) | nindent 12 }}
          {{- end }}
        {{- if .Values.apprepository.sidecars }}
        {{- include "common.tplvalues.render" (dict "value" .Values.apprepository.sidecars "context" $) | trim | nindent 8 }}
        {{- end }}
-      {{- if .Values.apprepository.extraVolumes }}
+      volumes:
-      volumes: {{- include "common.tplvalues.render" (dict "value" .Values.apprepository.extraVolumes "context" $) | nindent 8 }}
+        - name: empty-dir
-      {{- end }}
+          emptyDir: {}
        {{- if .Values.apprepository.extraVolumes }}
        {{- include "common.tplvalues.render" (dict "value" .Values.apprepository.extraVolumes "context" $) | nindent 8 }}
        {{- end }}
 {{- end }}
--- a/packages/system/dashboard/charts/kubeapps/templates/dashboard/deployment.yaml
+++ b/packages/system/dashboard/charts/kubeapps/templates/dashboard/deployment.yaml
@@ -36,6 +36,7 @@ spec:
        app.kubernetes.io/component: dashboard
    spec:
      {{- include "kubeapps.imagePullSecrets" . | indent 6 }}
      automountServiceAccountToken: {{ .Values.dashboard.automountServiceAccountToken }}
      {{- if .Values.dashboard.hostAliases }}
      hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.dashboard.hostAliases "context" $) | nindent 8 }}
      {{- end }}
@@ -63,7 +64,7 @@ spec:
      priorityClassName: {{ .Values.dashboard.priorityClassName | quote }}
      {{- end }}
      {{- if .Values.dashboard.podSecurityContext.enabled }}
-      securityContext: {{- omit .Values.dashboard.podSecurityContext "enabled" | toYaml | nindent 8 }}
+      securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.dashboard.podSecurityContext "context" $) | nindent 8 }}
      {{- end }}
      {{- if .Values.dashboard.initContainers }}
      initContainers: {{- include "common.tplvalues.render" (dict "value" .Values.dashboard.initContainers "context" $) | nindent 8 }}
@@ -73,7 +74,7 @@ spec:
          image: {{ include "kubeapps.dashboard.image" . }}
          imagePullPolicy: {{ .Values.dashboard.image.pullPolicy | quote }}
          {{- if .Values.dashboard.containerSecurityContext.enabled }}
-          securityContext: {{- omit .Values.dashboard.containerSecurityContext "enabled" | toYaml | nindent 12 }}
+          securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.dashboard.containerSecurityContext "context" $) | nindent 12 }}
          {{- end }}
          {{- if .Values.diagnosticMode.enabled }}
          command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }}
@@ -133,10 +134,21 @@ spec:
          {{- end }}
          {{- if .Values.dashboard.resources }}
          resources: {{- toYaml .Values.dashboard.resources | nindent 12 }}
          {{- else if ne .Values.dashboard.resourcesPreset "none" }}
          resources: {{- include "common.resources.preset" (dict "type" .Values.dashboard.resourcesPreset) | nindent 12 }}
          {{- end }}
          volumeMounts:
            - name: vhost
              mountPath: /opt/bitnami/nginx/conf/server_blocks
            - name: empty-dir
              mountPath: /tmp
              subPath: tmp-dir
            - name: empty-dir
              mountPath: /opt/bitnami/nginx/tmp
              subPath: app-tmp-dir
            - name: empty-dir
              mountPath: /opt/bitnami/nginx/logs
              subPath: app-logs-dir
            - name: config
              mountPath: /app/config.json
              subPath: config.json
@@ -153,6 +165,8 @@ spec:
        {{- include "common.tplvalues.render" (dict "value" .Values.dashboard.sidecars "context" $) | nindent 8 }}
        {{- end }}
      volumes:
        - name: empty-dir
          emptyDir: {}
        - name: vhost
          configMap:
            name: {{ template "kubeapps.dashboard-config.fullname" . }}
--- a/packages/system/dashboard/charts/kubeapps/templates/frontend/deployment.yaml
+++ b/packages/system/dashboard/charts/kubeapps/templates/frontend/deployment.yaml
@@ -35,6 +35,7 @@ spec:
        app.kubernetes.io/component: frontend
    spec:
      {{- include "kubeapps.imagePullSecrets" . | indent 6 }}
      automountServiceAccountToken: {{ .Values.frontend.automountServiceAccountToken }}
      {{- if .Values.frontend.hostAliases }}
      hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.frontend.hostAliases "context" $) | nindent 8 }}
      {{- end }}
@@ -62,7 +63,7 @@ spec:
      priorityClassName: {{ .Values.frontend.priorityClassName | quote }}
      {{- end }}
      {{- if .Values.frontend.podSecurityContext.enabled }}
-      securityContext: {{- omit .Values.frontend.podSecurityContext "enabled" | toYaml | nindent 8 }}
+      securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.frontend.podSecurityContext "context" $) | nindent 8 }}
      {{- end }}
      {{- if .Values.frontend.initContainers }}
      initContainers: {{- include "common.tplvalues.render" (dict "value" .Values.frontend.initContainers "context" $) | nindent 8 }}
@@ -72,7 +73,7 @@ spec:
          image: {{ include "kubeapps.frontend.image" . }}
          imagePullPolicy: {{ .Values.frontend.image.pullPolicy | quote }}
          {{- if .Values.frontend.containerSecurityContext.enabled }}
-          securityContext: {{- omit .Values.frontend.containerSecurityContext "enabled" | toYaml | nindent 12 }}
+          securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.frontend.containerSecurityContext "context" $) | nindent 12 }}
          {{- end }}
          {{- if .Values.diagnosticMode.enabled }}
          command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }}
@@ -132,8 +133,19 @@ spec:
          {{- end }}
          {{- if .Values.frontend.resources }}
          resources: {{- toYaml .Values.frontend.resources | nindent 12 }}
          {{- else if ne .Values.frontend.resourcesPreset "none" }}
          resources: {{- include "common.resources.preset" (dict "type" .Values.frontend.resourcesPreset) | nindent 12 }}
          {{- end }}
          volumeMounts:
            - name: empty-dir
              mountPath: /tmp
              subPath: tmp-dir
            - name: empty-dir
              mountPath: /opt/bitnami/nginx/tmp
              subPath: app-tmp-dir
            - name: empty-dir
              mountPath: /opt/bitnami/nginx/logs
              subPath: app-logs-dir
            - name: vhost
              mountPath: /opt/bitnami/nginx/conf/server_blocks
            {{- if .Values.frontend.extraVolumeMounts }}
@@ -144,7 +156,7 @@ spec:
          image: {{ include "kubeapps.authProxy.image" . }}
          imagePullPolicy: {{ .Values.authProxy.image.pullPolicy | quote }}
          {{- if .Values.authProxy.containerSecurityContext.enabled }}
-          securityContext: {{- omit .Values.authProxy.containerSecurityContext "enabled" | toYaml | nindent 12 }}
+          securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.authProxy.containerSecurityContext "context" $) | nindent 12 }}
          {{- end }}
          {{- if .Values.authProxy.lifecycleHooks }}
          lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.authProxy.lifecycleHooks "context" $) | nindent 12 }}
@@ -219,10 +231,16 @@ spec:
              containerPort: {{ .Values.authProxy.containerPorts.proxy }}
          {{- if .Values.authProxy.resources }}
          resources: {{- toYaml .Values.authProxy.resources | nindent 12 }}
          {{- else if ne .Values.authProxy.resourcesPreset "none" }}
          resources: {{- include "common.resources.preset" (dict "type" .Values.authProxy.resourcesPreset) | nindent 12 }}
          {{- end }}
-          {{- if .Values.authProxy.extraVolumeMounts }}
+          volumeMounts:
-          volumeMounts: {{- include "common.tplvalues.render" (dict "value" .Values.authProxy.extraVolumeMounts "context" $) | nindent 12 }}
+            - name: empty-dir
-          {{- end }}
+              mountPath: /tmp
              subPath: tmp-dir
            {{- if .Values.authProxy.extraVolumeMounts }}
            {{- include "common.tplvalues.render" (dict "value" .Values.authProxy.extraVolumeMounts "context" $) | nindent 12 }}
            {{- end }}
        {{- end }}
        {{- if and (gt (len .Values.clusters) 1) (not .Values.authProxy.enabled) }}
          {{ fail "clusters can be configured only when using an auth proxy for cluster oidc authentication." }}
@@ -232,7 +250,7 @@ spec:
          image: {{ include "kubeapps.pinnipedProxy.image" . }}
          imagePullPolicy: {{ .Values.pinnipedProxy.image.pullPolicy | quote }}
          {{- if .Values.pinnipedProxy.containerSecurityContext.enabled }}
-          securityContext: {{- omit .Values.pinnipedProxy.containerSecurityContext "enabled" | toYaml | nindent 12 }}
+          securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.pinnipedProxy.containerSecurityContext "context" $) | nindent 12 }}
          {{- end }}
          {{- if .Values.diagnosticMode.enabled }}
          command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }}
@@ -283,8 +301,13 @@ spec:
              containerPort: {{ .Values.pinnipedProxy.containerPorts.pinnipedProxy }}
          {{- if .Values.pinnipedProxy.resources }}
          resources: {{- toYaml .Values.pinnipedProxy.resources | nindent 12 }}
          {{- else if ne .Values.pinnipedProxy.resourcesPreset "none" }}
          resources: {{- include "common.resources.preset" (dict "type" .Values.pinnipedProxy.resourcesPreset) | nindent 12 }}
          {{- end }}
          volumeMounts:
            - name: empty-dir
              mountPath: /tmp
              subPath: tmp-dir
            {{- if .Values.pinnipedProxy.tls.existingSecret }}
            - name: pinniped-tls-secret
              mountPath: "/etc/pinniped-tls"
@@ -298,6 +321,8 @@ spec:
        {{- include "common.tplvalues.render" (dict "value" .Values.frontend.sidecars "context" $) | nindent 8 }}
        {{- end }}
      volumes:
        - name: empty-dir
          emptyDir: {}
        - name: vhost
          configMap:
            name: {{ template "kubeapps.frontend-config.fullname" . }}
--- a/packages/system/dashboard/charts/kubeapps/templates/kubeappsapis/deployment.yaml
+++ b/packages/system/dashboard/charts/kubeapps/templates/kubeappsapis/deployment.yaml
@@ -34,6 +34,7 @@ spec:
    spec:
      {{- include "kubeapps.imagePullSecrets" . | indent 6 }}
      serviceAccountName: {{ template "kubeapps.kubeappsapis.serviceAccountName" . }}
      automountServiceAccountToken: {{ .Values.kubeappsapis.automountServiceAccountToken }}
      {{- if .Values.kubeappsapis.hostAliases }}
      hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.kubeappsapis.hostAliases "context" $) | nindent 8 }}
      {{- end }}
@@ -61,7 +62,7 @@ spec:
      priorityClassName: {{ .Values.kubeappsapis.priorityClassName | quote }}
      {{- end }}
      {{- if .Values.kubeappsapis.podSecurityContext.enabled }}
-      securityContext: {{- omit .Values.kubeappsapis.podSecurityContext "enabled" | toYaml | nindent 8 }}
+      securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.kubeappsapis.podSecurityContext "context" $) | nindent 8 }}
      {{- end }}
      # Increase termination timeout to let remaining operations to finish before ending the pods
      # This is because new releases/upgrades/deletions are synchronous operations
@@ -74,7 +75,7 @@ spec:
          image: {{ include "kubeapps.kubeappsapis.image" . }}
          imagePullPolicy: {{ .Values.kubeappsapis.image.pullPolicy | quote }}
          {{- if .Values.kubeappsapis.containerSecurityContext.enabled }}
-          securityContext: {{- omit .Values.kubeappsapis.containerSecurityContext "enabled" | toYaml | nindent 12 }}
+          securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.kubeappsapis.containerSecurityContext "context" $) | nindent 12 }}
          {{- end }}
          {{- if .Values.kubeappsapis.lifecycleHooks }}
          lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.kubeappsapis.lifecycleHooks "context" $) | nindent 12 }}
@@ -208,8 +209,13 @@ spec:
          {{- end }}
          {{- if .Values.kubeappsapis.resources }}
          resources: {{- toYaml .Values.kubeappsapis.resources | nindent 12 }}
          {{- else if ne .Values.kubeappsapis.resourcesPreset "none" }}
          resources: {{- include "common.resources.preset" (dict "type" .Values.kubeappsapis.resourcesPreset) | nindent 12 }}
          {{- end }}
          volumeMounts:
            - name: empty-dir
              mountPath: /tmp
              subPath: tmp-dir
          {{- if .Values.clusters }}
            - name: clusters-config
              mountPath: /config
@@ -232,7 +238,7 @@ spec:
          image: {{ include "kubeapps.ociCatalog.image" . }}
          imagePullPolicy: {{ .Values.ociCatalog.image.pullPolicy | quote }}
          {{- if .Values.ociCatalog.containerSecurityContext.enabled }}
-          securityContext: {{- omit .Values.ociCatalog.containerSecurityContext "enabled" | toYaml | nindent 12 }}
+          securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.ociCatalog.containerSecurityContext "context" $) | nindent 12 }}
          {{- end }}
          {{- if .Values.kubeappsapis.lifecycleHooks }}
          lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.kubeappsapis.lifecycleHooks "context" $) | nindent 12 }}
@@ -303,16 +309,23 @@ spec:
          {{- end }}
          {{- if .Values.ociCatalog.resources }}
          resources: {{- toYaml .Values.ociCatalog.resources | nindent 12 }}
          {{- else if ne .Values.ociCatalog.resourcesPreset "none" }}
          resources: {{- include "common.resources.preset" (dict "type" .Values.ociCatalog.resourcesPreset) | nindent 12 }}
          {{- end }}
          volumeMounts:
-          {{- if .Values.ociCatalog.extraVolumeMounts }}
+            - name: empty-dir
-          {{- include "common.tplvalues.render" (dict "value" .Values.ociCatalog.extraVolumeMounts "context" $) | nindent 12 }}
+              mountPath: /tmp
-          {{- end }}
+              subPath: tmp-dir
            {{- if .Values.ociCatalog.extraVolumeMounts }}
            {{- include "common.tplvalues.render" (dict "value" .Values.ociCatalog.extraVolumeMounts "context" $) | nindent 12 }}
            {{- end }}
        {{- end }}
        {{- if .Values.kubeappsapis.sidecars }}
        {{- include "common.tplvalues.render" (dict "value" .Values.kubeappsapis.sidecars "context" $) | trim | nindent 8 }}
        {{- end }}
      volumes:
        - name: empty-dir
          emptyDir: {}
      {{- if .Values.clusters }}
        - name: clusters-config
          configMap:
--- a/packages/system/dashboard/charts/kubeapps/values.yaml
+++ b/packages/system/dashboard/charts/kubeapps/values.yaml
@@ -18,7 +18,15 @@ global:
  ##
  imagePullSecrets: []
  storageClass: ""
-
+  ## Compatibility adaptations for Kubernetes platforms
  ##
  compatibility:
    ## Compatibility adaptations for Openshift
    ##
    openshift:
      ## @param global.compatibility.openshift.adaptSecurityContext Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation)
      ##
      adaptSecurityContext: disabled
 ## @section Common parameters
 ## @param kubeVersion Override Kubernetes version
@@ -42,7 +50,6 @@ extraDeploy: []
 ## @param enableIPv6 Enable IPv6 configuration
 ##
 enableIPv6: false
 ## Enable diagnostic mode in the deployment
 ##
 diagnosticMode:
@@ -57,7 +64,6 @@ diagnosticMode:
  ##
  args:
    - infinity
 ## @section Traffic Exposure Parameters
 ## Configure the ingress resource that allows you to access the Kubeapps installation
@@ -101,7 +107,6 @@ ingress:
  ##   - Rely on Helm to create self-signed certificates by setting `ingress.selfSigned=true`
  ##
  tls: false
  ## @param ingress.selfSigned Create a TLS secret for this ingress record using self-signed certificates generated by Helm
  ##
  selfSigned: false
@@ -169,7 +174,6 @@ ingress:
  ##             name: http
  ##
  extraRules: []
 ## @section Kubeapps packaging options
 ## Note: the helm and flux plugins are mutually exclusive, you can only
 ## enable one or the other since they both operate on Helm release objects.
@@ -189,7 +193,6 @@ packaging:
  ## @param packaging.flux.enabled Enable support for Flux (v2) packaging.
  flux:
    enabled: false
 ## @section Frontend parameters
 ## Frontend parameters
@@ -208,11 +211,11 @@ frontend:
  image:
    registry: docker.io
    repository: bitnami/nginx
-    tag: 1.25.3-debian-11-r1
+    tag: 1.25.4-debian-12-r3
    digest: ""
    ## Specify a imagePullPolicy
    ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
-    ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images
+    ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images
    ##
    pullPolicy: IfNotPresent
    ## Optionally specify an array of imagePullSecrets.
@@ -254,7 +257,11 @@ frontend:
  updateStrategy:
    type: RollingUpdate
  ## Frontend containers' resource requests and limits
-  ## ref: https://kubernetes.io/docs/user-guide/compute-resources/
+  ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
  ## @param frontend.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if frontend.resources is set (frontend.resources is recommended for production).
  ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
  ##
  resourcesPreset: "none"
  ## @param frontend.resources.limits.cpu The CPU limits for the NGINX container
  ## @param frontend.resources.limits.memory The memory limits for the NGINX container
  ## @param frontend.resources.requests.cpu The requested CPU for the NGINX container
@@ -287,15 +294,23 @@ frontend:
  ## Configure Pods Security Context
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
  ## @param frontend.podSecurityContext.enabled Enabled frontend pods' Security Context
  ## @param frontend.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
  ## @param frontend.podSecurityContext.sysctls Set kernel settings using the sysctl interface
  ## @param frontend.podSecurityContext.supplementalGroups Set filesystem extra groups
  ## @param frontend.podSecurityContext.fsGroup Set frontend pod's Security Context fsGroup
  ##
  podSecurityContext:
    enabled: true
    fsGroupChangePolicy: Always
    sysctls: []
    supplementalGroups: []
    fsGroup: 1001
  ## Configure Container Security Context for NGINX
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
  ## @param frontend.containerSecurityContext.enabled Enabled containers' Security Context
  ## @param frontend.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
  ## @param frontend.containerSecurityContext.runAsUser Set containers' Security Context runAsUser
  ## @param frontend.containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup
  ## @param frontend.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot
  ## @param frontend.containerSecurityContext.privileged Set container's Security Context privileged
  ## @param frontend.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem
@@ -305,7 +320,9 @@ frontend:
  ##
  containerSecurityContext:
    enabled: true
    seLinuxOptions: null
    runAsUser: 1001
    runAsGroup: 0
    runAsNonRoot: true
    privileged: false
    readOnlyRootFilesystem: false
@@ -415,7 +432,7 @@ frontend:
  ##
  affinity: {}
  ## @param frontend.nodeSelector Node labels for pod assignment
-  ## ref: https://kubernetes.io/docs/user-guide/node-selection/
+  ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/
  ##
  nodeSelector: {}
  ## @param frontend.tolerations Tolerations for pod assignment
@@ -434,6 +451,9 @@ frontend:
  ## The value is evaluated as a template
  ##
  topologySpreadConstraints: []
  ## @param frontend.automountServiceAccountToken Mount Service Account token in pod
  ##
  automountServiceAccountToken: true
  ## @param frontend.hostAliases Custom host aliases for frontend pods
  ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/
  ##
@@ -517,7 +537,6 @@ frontend:
    ##     timeoutSeconds: 300
    ##
    sessionAffinityConfig: {}
 ## @section Dashboard parameters
 ## Dashboard parameters
@@ -539,11 +558,11 @@ dashboard:
  image:
    registry: docker.io
    repository: bitnami/kubeapps-dashboard
-    tag: 2.9.0-debian-11-r16
+    tag: 2.9.0-debian-12-r18
    digest: ""
    ## Specify a imagePullPolicy
    ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
-    ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images
+    ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images
    ##
    pullPolicy: IfNotPresent
    ## Optionally specify an array of imagePullSecrets.
@@ -634,7 +653,11 @@ dashboard:
  containerPorts:
    http: 8080
  ## Dashboard containers' resource requests and limits
-  ## ref: https://kubernetes.io/docs/user-guide/compute-resources/
+  ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
  ## @param dashboard.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if dashboard.resources is set (dashboard.resources is recommended for production).
  ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
  ##
  resourcesPreset: "none"
  ## @param dashboard.resources.limits.cpu The CPU limits for the Dashboard container
  ## @param dashboard.resources.limits.memory The memory limits for the Dashboard container
  ## @param dashboard.resources.requests.cpu The requested CPU for the Dashboard container
@@ -650,15 +673,23 @@ dashboard:
  ## Configure Pods Security Context
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
  ## @param dashboard.podSecurityContext.enabled Enabled Dashboard pods' Security Context
  ## @param dashboard.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
  ## @param dashboard.podSecurityContext.sysctls Set kernel settings using the sysctl interface
  ## @param dashboard.podSecurityContext.supplementalGroups Set filesystem extra groups
  ## @param dashboard.podSecurityContext.fsGroup Set Dashboard pod's Security Context fsGroup
  ##
  podSecurityContext:
    enabled: true
    fsGroupChangePolicy: Always
    sysctls: []
    supplementalGroups: []
    fsGroup: 1001
  ## Configure Container Security Context for Dashboard
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
  ## @param dashboard.containerSecurityContext.enabled Enabled containers' Security Context
  ## @param dashboard.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
  ## @param dashboard.containerSecurityContext.runAsUser Set containers' Security Context runAsUser
  ## @param dashboard.containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup
  ## @param dashboard.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot
  ## @param dashboard.containerSecurityContext.privileged Set container's Security Context privileged
  ## @param dashboard.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem
@@ -668,7 +699,9 @@ dashboard:
  ##
  containerSecurityContext:
    enabled: true
    seLinuxOptions: null
    runAsUser: 1001
    runAsGroup: 0
    runAsNonRoot: true
    privileged: false
    readOnlyRootFilesystem: false
@@ -780,7 +813,7 @@ dashboard:
  ##
  affinity: {}
  ## @param dashboard.nodeSelector Node labels for pod assignment
-  ## ref: https://kubernetes.io/docs/user-guide/node-selection/
+  ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/
  ##
  nodeSelector: {}
  ## @param dashboard.tolerations Tolerations for pod assignment
@@ -799,6 +832,9 @@ dashboard:
  ## The value is evaluated as a template
  ##
  topologySpreadConstraints: []
  ## @param dashboard.automountServiceAccountToken Mount Service Account token in pod
  ##
  automountServiceAccountToken: true
  ## @param dashboard.hostAliases Custom host aliases for Dashboard pods
  ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/
  ##
@@ -840,7 +876,6 @@ dashboard:
    ## @param dashboard.service.annotations Additional custom annotations for Dashboard service
    ##
    annotations: {}
 ## @section AppRepository Controller parameters
 ## AppRepository Controller parameters
@@ -858,11 +893,11 @@ apprepository:
  image:
    registry: docker.io
    repository: bitnami/kubeapps-apprepository-controller
-    tag: 2.9.0-debian-11-r12
+    tag: 2.9.0-debian-12-r18
    digest: ""
    ## Specify a imagePullPolicy
    ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
-    ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images
+    ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images
    ##
    pullPolicy: IfNotPresent
    ## Optionally specify an array of imagePullSecrets.
@@ -885,11 +920,11 @@ apprepository:
  syncImage:
    registry: docker.io
    repository: bitnami/kubeapps-asset-syncer
-    tag: 2.9.0-debian-11-r13
+    tag: 2.9.0-debian-12-r19
    digest: ""
    ## Specify a imagePullPolicy
    ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
-    ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images
+    ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images
    ##
    pullPolicy: IfNotPresent
    ## Optionally specify an array of imagePullSecrets.
@@ -993,7 +1028,11 @@ apprepository:
  updateStrategy:
    type: RollingUpdate
  ## AppRepository Controller containers' resource requests and limits
-  ## ref: https://kubernetes.io/docs/user-guide/compute-resources/
+  ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
  ## @param apprepository.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if apprepository.resources is set (apprepository.resources is recommended for production).
  ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
  ##
  resourcesPreset: "none"
  ## @param apprepository.resources.limits.cpu The CPU limits for the AppRepository Controller container
  ## @param apprepository.resources.limits.memory The memory limits for the AppRepository Controller container
  ## @param apprepository.resources.requests.cpu The requested CPU for the AppRepository Controller container
@@ -1009,15 +1048,23 @@ apprepository:
  ## Configure Pods Security Context
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
  ## @param apprepository.podSecurityContext.enabled Enabled AppRepository Controller pods' Security Context
  ## @param apprepository.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
  ## @param apprepository.podSecurityContext.sysctls Set kernel settings using the sysctl interface
  ## @param apprepository.podSecurityContext.supplementalGroups Set filesystem extra groups
  ## @param apprepository.podSecurityContext.fsGroup Set AppRepository Controller pod's Security Context fsGroup
  ##
  podSecurityContext:
    enabled: true
    fsGroupChangePolicy: Always
    sysctls: []
    supplementalGroups: []
    fsGroup: 1001
  ## Configure Container Security Context for App Repository jobs
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
  ## @param apprepository.containerSecurityContext.enabled Enabled containers' Security Context
  ## @param apprepository.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
  ## @param apprepository.containerSecurityContext.runAsUser Set containers' Security Context runAsUser
  ## @param apprepository.containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup
  ## @param apprepository.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot
  ## @param apprepository.containerSecurityContext.privileged Set container's Security Context privileged
  ## @param apprepository.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem
@@ -1027,7 +1074,9 @@ apprepository:
  ##
  containerSecurityContext:
    enabled: true
    seLinuxOptions: null
    runAsUser: 1001
    runAsGroup: 0
    runAsNonRoot: true
    privileged: false
    readOnlyRootFilesystem: false
@@ -1103,7 +1152,7 @@ apprepository:
  ##
  affinity: {}
  ## @param apprepository.nodeSelector Node labels for pod assignment
-  ## ref: https://kubernetes.io/docs/user-guide/node-selection/
+  ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/
  ##
  nodeSelector: {}
  ## @param apprepository.tolerations Tolerations for pod assignment
@@ -1122,6 +1171,9 @@ apprepository:
  ## The value is evaluated as a template
  ##
  topologySpreadConstraints: []
  ## @param apprepository.automountServiceAccountToken Mount Service Account token in pod
  ##
  automountServiceAccountToken: true
  ## @param apprepository.hostAliases Custom host aliases for AppRepository Controller pods
  ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/
  ##
@@ -1157,9 +1209,8 @@ apprepository:
  serviceAccount:
    create: true
    name: ""
-    automountServiceAccountToken: true
+    automountServiceAccountToken: false
    annotations: {}
 ## @section Auth Proxy parameters
 ## Auth Proxy configuration for OIDC support
@@ -1181,11 +1232,11 @@ authProxy:
  image:
    registry: docker.io
    repository: bitnami/oauth2-proxy
-    tag: 7.5.1-debian-11-r11
+    tag: 7.6.0-debian-12-r4
    digest: ""
    ## Specify a imagePullPolicy
    ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
-    ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images
+    ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images
    ##
    pullPolicy: IfNotPresent
    ## Optionally specify an array of imagePullSecrets.
@@ -1277,7 +1328,9 @@ authProxy:
  ## Configure Container Security Context for Auth Proxy
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
  ## @param authProxy.containerSecurityContext.enabled Enabled containers' Security Context
  ## @param authProxy.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
  ## @param authProxy.containerSecurityContext.runAsUser Set containers' Security Context runAsUser
  ## @param authProxy.containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup
  ## @param authProxy.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot
  ## @param authProxy.containerSecurityContext.privileged Set container's Security Context privileged
  ## @param authProxy.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem
@@ -1287,7 +1340,9 @@ authProxy:
  ##
  containerSecurityContext:
    enabled: true
    seLinuxOptions: null
    runAsUser: 1001
    runAsGroup: 0
    runAsNonRoot: true
    privileged: false
    readOnlyRootFilesystem: false
@@ -1297,7 +1352,11 @@ authProxy:
    seccompProfile:
      type: "RuntimeDefault"
  ## OAuth2 Proxy containers' resource requests and limits
-  ## ref: https://kubernetes.io/docs/user-guide/compute-resources/
+  ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
  ## @param authProxy.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if authProxy.resources is set (authProxy.resources is recommended for production).
  ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
  ##
  resourcesPreset: "none"
  ## @param authProxy.resources.limits.cpu The CPU limits for the OAuth2 Proxy container
  ## @param authProxy.resources.limits.memory The memory limits for the OAuth2 Proxy container
  ## @param authProxy.resources.requests.cpu The requested CPU for the OAuth2 Proxy container
@@ -1310,7 +1369,6 @@ authProxy:
    requests:
      cpu: 25m
      memory: 32Mi
 ## @section Pinniped Proxy parameters
 ## Pinniped Proxy configuration for converting user OIDC tokens to k8s client authorization certs
@@ -1331,11 +1389,11 @@ pinnipedProxy:
  image:
    registry: docker.io
    repository: bitnami/kubeapps-pinniped-proxy
-    tag: 2.9.0-debian-11-r10
+    tag: 2.9.0-debian-12-r17
    digest: ""
    ## Specify a imagePullPolicy
    ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
-    ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images
+    ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images
    ##
    pullPolicy: IfNotPresent
    ## Optionally specify an array of imagePullSecrets.
@@ -1401,7 +1459,9 @@ pinnipedProxy:
  ## Configure Container Security Context for Pinniped Proxy
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
  ## @param pinnipedProxy.containerSecurityContext.enabled Enabled containers' Security Context
  ## @param pinnipedProxy.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
  ## @param pinnipedProxy.containerSecurityContext.runAsUser Set containers' Security Context runAsUser
  ## @param pinnipedProxy.containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup
  ## @param pinnipedProxy.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot
  ## @param pinnipedProxy.containerSecurityContext.privileged Set container's Security Context privileged
  ## @param pinnipedProxy.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem
@@ -1411,7 +1471,9 @@ pinnipedProxy:
  ##
  containerSecurityContext:
    enabled: true
    seLinuxOptions: null
    runAsUser: 1001
    runAsGroup: 0
    runAsNonRoot: true
    privileged: false
    readOnlyRootFilesystem: false
@@ -1421,7 +1483,13 @@ pinnipedProxy:
    seccompProfile:
      type: "RuntimeDefault"
  ## Pinniped Proxy containers' resource requests and limits
-  ## ref: https://kubernetes.io/docs/user-guide/compute-resources/
+  ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
  ## @param pinnipedProxy.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if pinnipedProxy.resources is set (pinnipedProxy.resources is recommended for production).
  ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
  ##
  resourcesPreset: "none"
  ## Pinniped Proxy containers' resource requests and limits
  ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
  ## @param pinnipedProxy.resources.limits.cpu The CPU limits for the Pinniped Proxy container
  ## @param pinnipedProxy.resources.limits.memory The memory limits for the Pinniped Proxy container
  ## @param pinnipedProxy.resources.requests.cpu The requested CPU for the Pinniped Proxy container
@@ -1479,14 +1547,12 @@ pinnipedProxy:
 clusters:
  - name: default
    domain: cluster.local
 ## RBAC configuration
 ##
 rbac:
  ## @param rbac.create Specifies whether RBAC resources should be created
  ##
  create: true
 ## @section Feature flags
 ##
 ## Opt-in features intended for development and advanced use cases.
@@ -1510,7 +1576,6 @@ featureFlags:
    ## @param featureFlags.schemaEditor.enabled Enable a visual editor for customizing the package schemas
    ##
    enabled: false
 ## @section Database Parameters
 ## PostgreSQL chart configuration
@@ -1543,7 +1608,11 @@ postgresql:
  securityContext:
    enabled: false
  ## PostgreSQL containers' resource requests and limits
-  ## ref: https://kubernetes.io/docs/user-guide/compute-resources/
+  ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
  ## @param postgresql.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if postgresql.resources is set (postgresql.resources is recommended for production).
  ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
  ##
  resourcesPreset: "none"
  ## @param postgresql.resources.limits The resources limits for the PostgreSQL container
  ## @param postgresql.resources.requests.cpu The requested CPU for the PostgreSQL container
  ## @param postgresql.resources.requests.memory The requested memory for the PostgreSQL container
@@ -1553,7 +1622,6 @@ postgresql:
    requests:
      memory: 256Mi
      cpu: 250m
 ## @section kubeappsapis parameters
 kubeappsapis:
  ## @param kubeappsapis.enabledPlugins Manually override which plugins are enabled for the Kubeapps-APIs service
@@ -1636,11 +1704,11 @@ kubeappsapis:
  image:
    registry: docker.io
    repository: bitnami/kubeapps-apis
-    tag: 2.9.0-debian-11-r13
+    tag: 2.9.0-debian-12-r19
    digest: ""
    ## Specify a imagePullPolicy
    ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
-    ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images
+    ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images
    ##
    pullPolicy: IfNotPresent
    ## Optionally specify an array of imagePullSecrets.
@@ -1696,7 +1764,11 @@ kubeappsapis:
  containerPorts:
    http: 50051
  ## KubeappsAPIs containers' resource requests and limits
-  ## ref: https://kubernetes.io/docs/user-guide/compute-resources/
+  ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
  ## @param kubeappsapis.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if kubeappsapis.resources is set (kubeappsapis.resources is recommended for production).
  ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
  ##
  resourcesPreset: "none"
  ## @param kubeappsapis.resources.limits.cpu The CPU limits for the KubeappsAPIs container
  ## @param kubeappsapis.resources.limits.memory The memory limits for the KubeappsAPIs container
  ## @param kubeappsapis.resources.requests.cpu The requested CPU for the KubeappsAPIs container
@@ -1712,15 +1784,23 @@ kubeappsapis:
  ## Configure Pods Security Context
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
  ## @param kubeappsapis.podSecurityContext.enabled Enabled KubeappsAPIs pods' Security Context
  ## @param kubeappsapis.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
  ## @param kubeappsapis.podSecurityContext.sysctls Set kernel settings using the sysctl interface
  ## @param kubeappsapis.podSecurityContext.supplementalGroups Set filesystem extra groups
  ## @param kubeappsapis.podSecurityContext.fsGroup Set KubeappsAPIs pod's Security Context fsGroup
  ##
  podSecurityContext:
    enabled: true
    fsGroupChangePolicy: Always
    sysctls: []
    supplementalGroups: []
    fsGroup: 1001
  ## Configure Container Security Context for Kubeapps APIs
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
  ## @param kubeappsapis.containerSecurityContext.enabled Enabled containers' Security Context
  ## @param kubeappsapis.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
  ## @param kubeappsapis.containerSecurityContext.runAsUser Set containers' Security Context runAsUser
  ## @param kubeappsapis.containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup
  ## @param kubeappsapis.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot
  ## @param kubeappsapis.containerSecurityContext.privileged Set container's Security Context privileged
  ## @param kubeappsapis.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem
@@ -1730,7 +1810,9 @@ kubeappsapis:
  ##
  containerSecurityContext:
    enabled: true
    seLinuxOptions: null
    runAsUser: 1001
    runAsGroup: 0
    runAsNonRoot: true
    privileged: false
    readOnlyRootFilesystem: false
@@ -1848,7 +1930,7 @@ kubeappsapis:
  ##
  affinity: {}
  ## @param kubeappsapis.nodeSelector Node labels for pod assignment
-  ## ref: https://kubernetes.io/docs/user-guide/node-selection/
+  ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/
  ##
  nodeSelector: {}
  ## @param kubeappsapis.tolerations Tolerations for pod assignment
@@ -1867,6 +1949,9 @@ kubeappsapis:
  ## The value is evaluated as a template
  ##
  topologySpreadConstraints: []
  ## @param kubeappsapis.automountServiceAccountToken Mount Service Account token in pod
  ##
  automountServiceAccountToken: true
  ## @param kubeappsapis.hostAliases Custom host aliases for KubeappsAPIs pods
  ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/
  ##
@@ -1912,9 +1997,8 @@ kubeappsapis:
  serviceAccount:
    create: true
    name: ""
-    automountServiceAccountToken: true
+    automountServiceAccountToken: false
    annotations: {}
 ## @section OCI Catalog chart configuration
 ociCatalog:
  ## @param ociCatalog.enabled Enable the OCI catalog gRPC service for cataloging
@@ -1933,11 +2017,11 @@ ociCatalog:
  image:
    registry: docker.io
    repository: bitnami/kubeapps-oci-catalog
-    tag: 2.9.0-debian-11-r6
+    tag: 2.9.0-debian-12-r17
    digest: ""
    ## Specify a imagePullPolicy
    ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent'
-    ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images
+    ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images
    ##
    pullPolicy: IfNotPresent
    ## Optionally specify an array of imagePullSecrets.
@@ -1972,7 +2056,11 @@ ociCatalog:
  containerPorts:
    grpc: 50061
  ## OCI Catalog containers' resource requests and limits
-  ## ref: https://kubernetes.io/docs/user-guide/compute-resources/
+  ## ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
  ## @param ociCatalog.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if ociCatalog.resources is set (ociCatalog.resources is recommended for production).
  ## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
  ##
  resourcesPreset: "none"
  ## @param ociCatalog.resources.limits.cpu The CPU limits for the OCI Catalog container
  ## @param ociCatalog.resources.limits.memory The memory limits for the OCI Catalog container
  ## @param ociCatalog.resources.requests.cpu The requested CPU for the OCI Catalog container
@@ -1988,7 +2076,9 @@ ociCatalog:
  ## Configure Container Security Context (only main container)
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
  ## @param ociCatalog.containerSecurityContext.enabled Enabled containers' Security Context
  ## @param ociCatalog.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
  ## @param ociCatalog.containerSecurityContext.runAsUser Set containers' Security Context runAsUser
  ## @param ociCatalog.containerSecurityContext.runAsGroup Set containers' Security Context runAsGroup
  ## @param ociCatalog.containerSecurityContext.runAsNonRoot Set container's Security Context runAsNonRoot
  ## @param ociCatalog.containerSecurityContext.privileged Set container's Security Context privileged
  ## @param ociCatalog.containerSecurityContext.readOnlyRootFilesystem Set container's Security Context readOnlyRootFilesystem
@@ -1998,7 +2088,9 @@ ociCatalog:
  ##
  containerSecurityContext:
    enabled: true
    seLinuxOptions: null
    runAsUser: 1001
    runAsGroup: 0
    runAsNonRoot: true
    privileged: false
    readOnlyRootFilesystem: false
@@ -2077,7 +2169,6 @@ ociCatalog:
  ## @param ociCatalog.extraVolumeMounts Optionally specify extra list of additional volumeMounts for the OCI Catalog container(s)
  ##
  extraVolumeMounts: []
 ## @section Redis&reg; chart configuration
 ## ref: https://github.com/bitnami/charts/blob/main/bitnami/redis/values.yaml
 ##
--- a/packages/system/dashboard/images/dashboard.json
+++ b/packages/system/dashboard/images/dashboard.json
@@ -1,4 +1,4 @@
 {
-  "containerimage.config.digest": "sha256:51a28848a801e102b3383e6d980ac2459fa29cfd9cbc381d03c561672e94139d",
+  "containerimage.config.digest": "sha256:c4bfb560aaa8f9bae1da00fa4b49b3e1fc993606902e47c155238f2b002fadce",
-  "containerimage.digest": "sha256:4b1b4ffc7c797b8fb4ab9561e6fa0a68c00d5b0d945fe47e42ecc6e43e9af0d3"
+  "containerimage.digest": "sha256:974cbeedb328e71aeb2b45970ebc1bcbbdcbdc0ed034a9d3d37924530f66b938"
 }
--- a/packages/system/dashboard/images/dashboard.tag
+++ b/packages/system/dashboard/images/dashboard.tag
@@ -1 +1 @@
-ghcr.io/aenix-io/cozystack/dashboard:v0.1.0
+ghcr.io/aenix-io/cozystack/dashboard:v0.2.0
--- a/packages/system/dashboard/images/dashboard/Dockerfile
+++ b/packages/system/dashboard/images/dashboard/Dockerfile
@@ -1,7 +1,7 @@
 # Copyright 2018-2023 the Kubeapps contributors.
 # SPDX-License-Identifier: Apache-2.0
-FROM bitnami/node:18.18.0 AS build
+FROM bitnami/node:20.11.0 AS build
 WORKDIR /app
 ARG VERSION=2.9.0
--- a/packages/system/dashboard/images/kubeapps-apis.json
+++ b/packages/system/dashboard/images/kubeapps-apis.json
@@ -1,4 +1,4 @@
 {
-  "containerimage.config.digest": "sha256:e522ba90c58c3dab629739fe240e42037a50bfc19442d018e957ef54f05aaa77",
+  "containerimage.config.digest": "sha256:992221768278b67a64b52d4e8bc847f18c8e4be746ac7197be9bbfd4fd092b24",
-  "containerimage.digest": "sha256:ea80daaedd7e782bb42641fe25b2c91fc24260b81f8e576637f3d251c9c7d087"
+  "containerimage.digest": "sha256:6fb48ec9b50422bdd843584cd4db6ee07618ce535fde23903560d2529e4da31a"
 }
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Andrei Kvapil	a3a049ce6a	fix cilium for full-distro bundle Signed-off-by: Andrei Kvapil <kvapss@gmail.com>	2024-04-04 04:50:16 +02:00
Andrei Kvapil	9b47df4407	Revert cilium to v1.14	2024-04-04 04:11:26 +02:00
Andrei Kvapil	39667d69f1	fix: cilium installation	2024-04-04 03:35:42 +02:00
Andrei Kvapil	0d36f3ee6c	fix: full-distro bundle installation (#58 )	2024-04-03 09:01:36 +02:00
Andrei Kvapil	34b9676971	fix: tolerate node.cilium.io/agent-not-ready (#56 )	2024-04-02 08:53:53 +02:00
Andrei Kvapil	2e3314b2dd	fix: chicken and egg problem (#57 )	2024-04-02 08:53:34 +02:00
Andrei Kvapil	c58db33712	fix: Automatically build helm charts when building cozystack image (#55 )	2024-04-02 08:53:13 +02:00
Andrei Kvapil	33bc23cfca	Introduce bundles (#53 ) * bundles * Allow overriding values by prividng values-<release>: <json\|yaml> in cozystack-config * match bundle-name from cozystack-config * add extra bundles	2024-04-01 17:42:51 +02:00
Andrei Kvapil	c5ead1932f	mariadb-operator v0.27.0 (#51 )	2024-04-01 17:42:33 +02:00
Andrei Kvapil	a7d12c1430	update kubeapps and flux (#50 ) * Update fluxcd 2.2.3 * Update kubeapps 14.7.2	2024-04-01 17:42:22 +02:00
Timur Tukaev	5e1380df76	Update README.md (#49 ) Fix link to cozystack website	2024-03-23 22:00:44 +01:00
Andrei Kvapil	03fab7a831	Update Cilium v1.14.5 (#47 )	2024-03-15 22:01:30 +01:00
Andrei Kvapil	e17dcaa65e	Update CNPG to 1.22.2 (#46 ) Signed-off-by: Andrei Kvapil <kvapss@gmail.com>	2024-03-15 21:15:36 +01:00
Andrei Kvapil	85d4ed251d	Update piraeus-operator and LINSTOR v2.4.1 (#45 )	2024-03-15 21:15:27 +01:00
Andrei Kvapil	f1c01a0fe8	Add link to roadmap (#41 ) Signed-off-by: Andrei Kvapil <kvapss@gmail.com>	2024-03-15 21:15:17 +01:00
Andrei Kvapil	2cff181279	Preapre release v0.2.0 (#38 ) Signed-off-by: Andrei Kvapil <kvapss@gmail.com>	2024-03-15 21:15:06 +01:00
`@@ -1 +1 @@`
	`ghcr.io/aenix-io/cozystack/dashboard:v0.1.0`	`ghcr.io/aenix-io/cozystack/dashboard:v0.2.0`