From a2af07d1dc0516731a365adc25f40f9cf4ea6653 Mon Sep 17 00:00:00 2001 From: klinch0 <68821526+klinch0@users.noreply.github.com> Date: Fri, 14 Mar 2025 12:58:16 +0300 Subject: [PATCH 01/16] bugfix/fix-longterm (#697) ## Summary by CodeRabbit - **New Features** - Updated the remote write configuration to support multiple endpoints, allowing data ingestion from both short-term and long-term services for improved flexibility. Signed-off-by: kklinch0 --- packages/system/monitoring-agents/templates/vmagent.yaml | 5 ++++- packages/system/monitoring-agents/values.yaml | 4 +++- 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/packages/system/monitoring-agents/templates/vmagent.yaml b/packages/system/monitoring-agents/templates/vmagent.yaml index 65b93983..bf53965b 100644 --- a/packages/system/monitoring-agents/templates/vmagent.yaml +++ b/packages/system/monitoring-agents/templates/vmagent.yaml @@ -10,7 +10,10 @@ spec: promscrape.streamParse: "true" promscrape.maxScrapeSize: 32MB remoteWrite: - - url: {{ .Values.vmagent.remoteWrite.url | quote }} + {{- range .Values.vmagent.remoteWrite.urls }} + - url: {{ . | quote }} + {{- end }} + scrapeInterval: 30s selectAllByDefault: true additionalScrapeConfigs: diff --git a/packages/system/monitoring-agents/values.yaml b/packages/system/monitoring-agents/values.yaml index 4f1694e3..a6798a78 100644 --- a/packages/system/monitoring-agents/values.yaml +++ b/packages/system/monitoring-agents/values.yaml @@ -306,7 +306,9 @@ vmagent: cluster: cozystack tenant: tenant-root remoteWrite: - url: http://vminsert-shortterm.tenant-root.svc:8480/insert/0/prometheus + urls: + - http://vminsert-shortterm.tenant-root.svc:8480/insert/0/prometheus + - http://vminsert-longterm.tenant-root.svc:8480/insert/0/prometheus fluent-bit: readinessProbe: From e0a63c32b0d9d22a5cc595d3ac48efb93fb6a9b8 Mon Sep 17 00:00:00 2001 From: kklinch0 Date: Mon, 17 Mar 2025 10:41:16 +0300 Subject: [PATCH 02/16] bugfix/fix-monitoring-resources 
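Review bot: The new `range` over `.Values.vmagent.remoteWrite.urls` in vmagent.yaml renders a bare `remoteWrite:` with no entries when the list is empty, or when an existing override still sets only the old `url` key. The agent would then have no remote-write target and the render would not complain; how the operator treats the empty value is not visible in this hunk. Fail the render instead, e.g. `{{- if not .Values.vmagent.remoteWrite.urls }}{{ fail "vmagent.remoteWrite.urls must list at least one endpoint" }}{{- end }}` ahead of the `range`, or accept the legacy `url` key for one release. The empty `+` line added after `{{- end }}` can be dropped as well.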
Signed-off-by: kklinch0 --- packages/extra/monitoring/Chart.yaml | 2 +- .../monitoring/templates/vm/vmcluster.yaml | 31 ++---------- packages/extra/monitoring/templates/vpa.yaml | 39 ++++++++++++--- packages/extra/monitoring/values.yaml | 49 +++++++------------ packages/extra/versions_map | 3 +- 5 files changed, 57 insertions(+), 67 deletions(-) diff --git a/packages/extra/monitoring/Chart.yaml b/packages/extra/monitoring/Chart.yaml index 8d40963c..47e29462 100644 --- a/packages/extra/monitoring/Chart.yaml +++ b/packages/extra/monitoring/Chart.yaml @@ -3,4 +3,4 @@ name: monitoring description: Monitoring and observability stack icon: /logos/monitoring.svg type: application -version: 1.9.0 +version: 1.9.1 diff --git a/packages/extra/monitoring/templates/vm/vmcluster.yaml b/packages/extra/monitoring/templates/vm/vmcluster.yaml index 93b21fc3..344afff1 100644 --- a/packages/extra/monitoring/templates/vm/vmcluster.yaml +++ b/packages/extra/monitoring/templates/vm/vmcluster.yaml 
@@ -13,27 +13,10 @@ spec: # it's usually more than default 30 maxLabelsPerTimeseries: "60" replicaCount: 2 - resources: - limits: - {{- with . | dig "vminsert" "resources" "limits" "cpu" nil }} - cpu: {{ . | quote }} - {{- end }} - memory: {{ . | dig "vminsert" "resources" "limits" "memory" "1000Mi" }} - requests: - cpu: {{ . | dig "vminsert" "resources" "requests" "cpu" "500m" }} - memory: {{ . | dig "vminsert" "resources" "requests" "memory" "500Mi" }} + resources: {} vmselect: replicaCount: 2 - resources: - limits: - # if we don't set the cpu limit, victoriametrics-operator will set 500m here, which is ridiculous small - # see internal/config/config.go in victoriametrics-operator - # 2 vcpu is the bare minimum for **single** Grafana user - cpu: {{ . | dig "vmselect" "resources" "limits" "cpu" "2000m" }} - memory: {{ . | dig "vmselect" "resources" "limits" "memory" "1000Mi" }} - requests: - cpu: {{ . | dig "vmselect" "resources" "requests" "cpu" "500m" }} - memory: {{ . | dig "vmselect" "resources" "requests" "memory" "500Mi" }} + resources: {} extraArgs: search.maxUniqueTimeseries: "600000" vmalert.proxyURL: http://vmalert-{{ .name }}.{{ $.Release.Namespace }}.svc:8080 @@ -50,15 +33,7 @@ spec: storage: 2Gi vmstorage: replicaCount: 2 - resources: - limits: - {{- with . | dig "vmstorage" "resources" "limits" "cpu" nil }} - cpu: {{ . | quote }} - {{- end }} - memory: {{ . | dig "vmstorage" "resources" "limits" "memory" "2048Mi" }} - requests: - cpu: {{ . | dig "vmstorage" "resources" "requests" "cpu" "100m" }} - memory: {{ . | dig "vmstorage" "resources" "requests" "memory" "500Mi" }} + resources: {} storage: volumeClaimTemplate: spec: diff --git a/packages/extra/monitoring/templates/vpa.yaml b/packages/extra/monitoring/templates/vpa.yaml index 640f7a5b..3235a334 100644 --- a/packages/extra/monitoring/templates/vpa.yaml +++ b/packages/extra/monitoring/templates/vpa.yaml 
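Review bot: Replacing the `vmselect` resources with `resources: {}` drops the CPU limit that the removed comment said was needed to stop victoriametrics-operator from applying its own 500m default, and nothing in these hunks puts an equivalent guard back. If the VerticalPodAutoscaler objects in vpa.yaml are meant to take over, the pods presumably still start with the operator's defaults until a recommendation is applied, and they keep them on clusters where the VPA components are not running. Values that existing releases set, such as `vminsert.resources.limits.memory`, are also ignored silently after this change. Consider keeping a static floor (for example the old `dig "vmselect" "resources" "limits" "cpu" "2000m"` default) or adding a comment next to `resources: {}` that states the reliance on VPA. The same applies to the `vminsert` and `vmstorage` hunks on this line.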
@@ -1,62 +1,89 @@ +{{- range .Values.metricsStorages }} +--- apiVersion: autoscaling.k8s.io/v1 kind: VerticalPodAutoscaler metadata: - name: vpa-vminsert + name: vpa-vminsert-{{ .name }} spec: targetRef: apiVersion: apps/v1 kind: Deployment - name: vminsert-shortterm + name: vminsert-{{ .name }} updatePolicy: updateMode: Auto resourcePolicy: containerPolicies: - containerName: vminsert minAllowed: + {{- if and .vminsert .vminsert.minAllowed }} + {{- toYaml .vminsert.minAllowed | nindent 10 }} + {{- else }} cpu: 250m memory: 256Mi + {{- end }} maxAllowed: + {{- if and .vminsert .vminsert.maxAllowed }} + {{- toYaml .vminsert.maxAllowed | nindent 10 }} + {{- else }} cpu: 2000m memory: 4Gi + {{- end }} --- apiVersion: autoscaling.k8s.io/v1 kind: VerticalPodAutoscaler metadata: - name: vpa-vmselect + name: vpa-vmselect-{{ .name }} spec: targetRef: apiVersion: apps/v1 kind: StatefulSet - name: vmselect-shortterm + name: vmselect-{{ .name }} updatePolicy: updateMode: Auto resourcePolicy: containerPolicies: - containerName: vmselect minAllowed: + {{- if and .vmselect .vmselect.minAllowed }} + {{- toYaml .vmselect.minAllowed | nindent 10 }} + {{- else }} cpu: 250m memory: 256Mi + {{- end }} maxAllowed: + {{- if and .vmselect .vmselect.maxAllowed }} + {{- toYaml .vmselect.maxAllowed | nindent 10 }} + {{- else }} cpu: 4000m memory: 8Gi + {{- end }} --- apiVersion: autoscaling.k8s.io/v1 kind: VerticalPodAutoscaler metadata: - name: vpa-vmstorage + name: vpa-vmstorage-{{ .name }} spec: targetRef: apiVersion: apps/v1 kind: StatefulSet - name: vmstorage-shortterm + name: vmstorage-{{ .name }} updatePolicy: updateMode: Auto resourcePolicy: containerPolicies: - containerName: vmstorage minAllowed: + {{- if and .vmstorage .vmstorage.minAllowed }} + {{- toYaml .vmstorage.minAllowed | nindent 10 }} + {{- else }} cpu: 100m memory: 512Mi + {{- end }} maxAllowed: + {{- if and .vmstorage .vmstorage.maxAllowed }} + {{- toYaml .vmstorage.maxAllowed | nindent 10 }} + {{- else }} cpu: 4000m 
memory: 8Gi + {{- end }} +{{- end }} diff --git a/packages/extra/monitoring/values.yaml b/packages/extra/monitoring/values.yaml index 7dbc474d..5af50d67 100644 --- a/packages/extra/monitoring/values.yaml +++ b/packages/extra/monitoring/values.yaml @@ -13,26 +13,26 @@ host: "" ## storage: 10Gi ## storageClassName: "" ## vminsert: -## resources: -## limits: -## memory: 1024Mi -## requests: -## cpu: 200m -## memory: 512Mi +## minAllowed: +## cpu: 200m +## memory: 512Mi +## maxAllowed: +## cpu: 1500m +## memory: 3Gi ## vmselect: -## resources: -## limits: -## memory: 2048Mi -## requests: -## cpu: 300m -## memory: 1Gi +## minAllowed: +## cpu: 300m +## memory: 1Gi +## maxAllowed: +## cpu: 3500m +## memory: 6Gi ## vmstorage: -## resources: -## limits: -## memory: 4096Mi -## requests: -## cpu: 500m -## memory: 2Gi +## minAllowed: +## cpu: 500m +## memory: 2Gi +## maxAllowed: +## cpu: 4000m +## memory: 8Gi ## metricsStorages: - name: shortterm @@ -40,24 +40,11 @@ metricsStorages: deduplicationInterval: "15s" storage: 10Gi storageClassName: "" - vminsert: - resources: {} - vmselect: - resources: {} - vmstorage: - resources: {} - name: longterm retentionPeriod: "14d" deduplicationInterval: "5m" storage: 10Gi storageClassName: "" - vminsert: - resources: {} - vmselect: - resources: {} - vmstorage: - resources: {} - ## @param logsStorages [array] Configuration of logs storage instances ## diff --git a/packages/extra/versions_map b/packages/extra/versions_map index 13cc268a..92f6a42c 100644 --- a/packages/extra/versions_map +++ b/packages/extra/versions_map @@ -31,7 +31,8 @@ monitoring 1.6.1 3bb97596 monitoring 1.7.0 749110aa monitoring 1.8.0 80b4c151 monitoring 1.8.1 06daf341 -monitoring 1.9.0 HEAD +monitoring 1.9.0 8267072d +monitoring 1.9.1 HEAD seaweedfs 0.1.0 5ca8823 seaweedfs 0.2.0 9e33dc0 seaweedfs 0.2.1 249bf35 From 85ec09b8de0d77814be8b96a99834b3973a6c480 Mon Sep 17 00:00:00 2001 
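Review bot: The guards of the form `{{- if and .vminsert .vminsert.minAllowed }}` in vpa.yaml depend on `and` short-circuiting. Template engines built before Go 1.18 evaluate both arguments, so an entry in `metricsStorages` without a `vminsert` key may fail on the second one, and this same commit removes those keys from the default values. The `dig` form the chart already used in vmcluster.yaml avoids the dependency: `{{- with . | dig "vminsert" "minAllowed" nil }}` followed by `{{- toYaml . | nindent 10 }}` and the existing `{{- else }}` defaults. A user-supplied `minAllowed` or `maxAllowed` also replaces the default map wholesale, so supplying only `cpu` leaves memory without a bound. The same pattern repeats in the vmselect and vmstorage documents of this hunk.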
From: kklinch0 Date: Mon, 17 Mar 2025 19:43:04 +0300 Subject: [PATCH 03/16] bugfix/add-limits-for-extra-packages Signed-off-by: kklinch0 --- packages/core/installer/values.yaml | 2 +- packages/extra/etcd/Chart.yaml | 2 +- .../extra/etcd/templates/etcd-cluster.yaml | 3 + packages/extra/etcd/values.yaml | 9 +++ .../templates/alerta/alerta-db.yaml | 7 ++ .../monitoring/templates/alerta/alerta.yaml | 1 + .../monitoring/templates/grafana/db.yaml | 8 ++- .../monitoring/templates/grafana/grafana.yaml | 1 + packages/extra/monitoring/values.yaml | 15 ++++- packages/extra/seaweedfs/Chart.yaml | 2 +- .../extra/seaweedfs/templates/seaweedfs.yaml | 36 ++++++++-- packages/extra/seaweedfs/templates/vpa.yaml | 66 +++++++++++++++++++ packages/extra/versions_map | 6 +- packages/system/ingress-nginx/values.yaml | 22 ++++++- .../seaweedfs/templates/cosi-deployment.yaml | 4 ++ .../system/seaweedfs/templates/database.yaml | 8 ++- packages/system/seaweedfs/values.yaml | 1 - 17 files changed, 176 insertions(+), 17 deletions(-) create mode 100644 packages/extra/seaweedfs/templates/vpa.yaml diff --git a/packages/core/installer/values.yaml b/packages/core/installer/values.yaml index c3b3f641..65d539ad 100644 --- a/packages/core/installer/values.yaml +++ b/packages/core/installer/values.yaml @@ -1,2 +1,2 @@ cozystack: - image: ghcr.io/cozystack/cozystack/installer:v0.28.0@sha256:71ae2037ca44d49bbcf8be56c127ee92f2486089a8ea1cdd6508af49705956ac + image: kklinch0/installer:0.27.39@sha256:9f62b963a79fcd5774af28e248c74082a0fe5f7c443e18648101da01d36cf715 diff --git a/packages/extra/etcd/Chart.yaml b/packages/extra/etcd/Chart.yaml index 75f070fc..30da9487 100644 --- a/packages/extra/etcd/Chart.yaml +++ b/packages/extra/etcd/Chart.yaml @@ -3,4 +3,4 @@ name: etcd description: Storage for Kubernetes clusters icon: /logos/etcd.svg type: application -version: 2.6.1 +version: 2.7.0 
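Review bot: The installer image in packages/core/installer/values.yaml now comes from `kklinch0/installer`, a personal namespace with no registry host, instead of the project's `ghcr.io/cozystack/cozystack/installer`, and the tag moves back from `v0.28.0` to `0.27.39`. The digest pin keeps the reference immutable, but it says nothing about who built the image or from which source, and this is the image that installs the platform. It looks like a development build that slipped into a commit about resource limits. Restore the `ghcr.io/cozystack/cozystack/installer` reference before merge, or have the release pipeline publish the image and update the digest from there. The diffstat of [PATCH 04/16] lists packages/core/installer/values.yaml again, so the same check applies to that change.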
diff --git a/packages/extra/etcd/templates/etcd-cluster.yaml b/packages/extra/etcd/templates/etcd-cluster.yaml index a31520fa..a44ff0ca 100644 --- a/packages/extra/etcd/templates/etcd-cluster.yaml +++ b/packages/extra/etcd/templates/etcd-cluster.yaml @@ -46,6 +46,9 @@ spec: - name: metrics containerPort: 2381 protocol: TCP + {{- with .Values.resources }} + resources: {{- toYaml . | nindent 10 }} + {{- end }} topologySpreadConstraints: - maxSkew: 1 topologyKey: "kubernetes.io/hostname" diff --git a/packages/extra/etcd/values.yaml b/packages/extra/etcd/values.yaml index 459acc11..7a6a89e5 100644 --- a/packages/extra/etcd/values.yaml +++ b/packages/extra/etcd/values.yaml @@ -7,3 +7,12 @@ size: 4Gi storageClass: "" replicas: 3 + +## @param resources Resources +resources: + limits: + cpu: 1000m + memory: 1Gi + requests: + cpu: 100m + memory: 512Mi diff --git a/packages/extra/monitoring/templates/alerta/alerta-db.yaml b/packages/extra/monitoring/templates/alerta/alerta-db.yaml index 5f6b3293..dbbffb5b 100644 --- a/packages/extra/monitoring/templates/alerta/alerta-db.yaml +++ b/packages/extra/monitoring/templates/alerta/alerta-db.yaml @@ -17,6 +17,13 @@ spec: {{- with .Values.alerta.storageClassName }} storageClass: {{ . }} {{- end }} + resources: + limits: + cpu: 1024m + memory: 2048Mi + requests: + cpu: 100m + memory: 512Mi monitoring: enablePodMonitor: true diff --git a/packages/extra/monitoring/templates/alerta/alerta.yaml b/packages/extra/monitoring/templates/alerta/alerta.yaml index 9513afdc..35d580c1 100644 --- a/packages/extra/monitoring/templates/alerta/alerta.yaml +++ b/packages/extra/monitoring/templates/alerta/alerta.yaml @@ -77,6 +77,7 @@ spec: - name: alerta image: "alerta/alerta-web:9.0.4" imagePullPolicy: IfNotPresent + resources: {{- toYaml .Values.alerta.resources | nindent 12 }} env: - name: ADMIN_USERS valueFrom: 
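Review bot: The `resources` block added to alerta-db.yaml is hard-coded (limits `1024m` / `2048Mi`), while this same commit makes the alerta and grafana containers configurable through `.Values.alerta.resources` and `.Values.grafana.resources`. Operators cannot size the databases without editing the template. Consider reading the block from values with the current numbers as defaults, for instance a new `alerta.db.resources` entry in values.yaml rendered with `toYaml` (key name and indent to be adapted to the chart). The same hard-coded block appears in grafana/db.yaml and in packages/system/seaweedfs/templates/database.yaml.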
diff --git a/packages/extra/monitoring/templates/grafana/db.yaml b/packages/extra/monitoring/templates/grafana/db.yaml index f8a7a9fb..6f8a9281 100644 --- a/packages/extra/monitoring/templates/grafana/db.yaml +++ b/packages/extra/monitoring/templates/grafana/db.yaml @@ -15,7 +15,13 @@ spec: {{- end }} monitoring: enablePodMonitor: true - + resources: + limits: + cpu: 1024m + memory: 2048Mi + requests: + cpu: 100m + memory: 512Mi inheritedMetadata: labels: policy.cozystack.io/allow-to-apiserver: "true" diff --git a/packages/extra/monitoring/templates/grafana/grafana.yaml b/packages/extra/monitoring/templates/grafana/grafana.yaml index a0174255..2397fd10 100644 --- a/packages/extra/monitoring/templates/grafana/grafana.yaml +++ b/packages/extra/monitoring/templates/grafana/grafana.yaml @@ -38,6 +38,7 @@ spec: spec: containers: - name: grafana + resources: {{- toYaml .Values.grafana.resources | nindent 16 }} image: "{{ $.Files.Get "images/grafana.tag" | trim }}" securityContext: allowPrivilegeEscalation: false diff --git a/packages/extra/monitoring/values.yaml b/packages/extra/monitoring/values.yaml index 5af50d67..1d9a174b 100644 --- a/packages/extra/monitoring/values.yaml +++ b/packages/extra/monitoring/values.yaml @@ -61,7 +61,13 @@ logsStorages: alerta: storage: 10Gi storageClassName: "" - + resources: + limits: + cpu: 1024m + memory: 1Gi + requests: + cpu: 100m + memory: 256Mi alerts: ## @param alerta.alerts.telegram.token telegram token for your bot ## @param alerta.alerts.telegram.chatID specify multiple ID's separated by comma. Get yours in https://t.me/chatid_echo_bot @@ -82,3 +88,10 @@ alerta: grafana: db: size: 10Gi + resources: + limits: + cpu: 1024m + memory: 1Gi + requests: + cpu: 100m + memory: 256Mi diff --git a/packages/extra/seaweedfs/Chart.yaml b/packages/extra/seaweedfs/Chart.yaml index 185ebc9c..39114925 100644 --- a/packages/extra/seaweedfs/Chart.yaml +++ b/packages/extra/seaweedfs/Chart.yaml 
@@ -16,7 +16,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.3.0 +version: 0.4.0 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to diff --git a/packages/extra/seaweedfs/templates/seaweedfs.yaml b/packages/extra/seaweedfs/templates/seaweedfs.yaml index 5ab911b5..b9846aa1 100644 --- a/packages/extra/seaweedfs/templates/seaweedfs.yaml +++ b/packages/extra/seaweedfs/templates/seaweedfs.yaml @@ -20,16 +20,27 @@ spec: values: global: serviceAccountName: "{{ .Release.Namespace }}-seaweedfs" - seaweedfs: - + master: + resources: + requests: + cpu: "100m" + memory: "128Mi" + limits: + cpu: "500m" + memory: "512Mi" volume: replicas: {{ .Values.replicas }} - + resources: + requests: + cpu: "100m" + memory: "128Mi" + limits: + cpu: "500m" + memory: "512Mi" # TODO: workaround for non-working online resize podAnnotations: volume-size: "{{ .Values.size }}" - dataDirs: - name: data1 type: "persistentVolumeClaim" @@ -38,11 +49,16 @@ spec: storageClass: {{ . }} {{- end }} maxVolumes: 0 - filer: s3: domainName: {{ .Values.host | default (printf "s3.%s" $host) }} - + resources: + requests: + cpu: "100m" + memory: "128Mi" + limits: + cpu: "500m" + memory: "512Mi" s3: ingress: className: {{ $ingress }} @@ -56,10 +72,16 @@ spec: - hosts: - {{ .Values.host | default (printf "s3.%s" $host) }} secretName: {{ .Release.Name }}-s3-ingress-tls - cosi: driverName: "{{ .Release.Namespace }}.seaweedfs.objectstorage.k8s.io" bucketClassName: "{{ .Release.Namespace }}" + resources: + requests: + cpu: "100m" + memory: "128Mi" + limits: + cpu: "500m" + memory: "512Mi" --- apiVersion: cozystack.io/v1alpha1 kind: WorkloadMonitor 
diff --git a/packages/extra/seaweedfs/templates/vpa.yaml b/packages/extra/seaweedfs/templates/vpa.yaml new file mode 100644 index 00000000..c3c2d3f8 --- /dev/null +++ b/packages/extra/seaweedfs/templates/vpa.yaml @@ -0,0 +1,66 @@ +apiVersion: autoscaling.k8s.io/v1 +kind: VerticalPodAutoscaler +metadata: + name: {{ .Release.Name }}-filer +spec: + targetRef: + apiVersion: apps/v1 + kind: StatefulSet + name: {{ .Release.Name }}-filer + updatePolicy: + updateMode: Auto + resourcePolicy: + containerPolicies: + - containerName: seaweedfs + minAllowed: + cpu: 250m + memory: 256Mi + maxAllowed: + cpu: 1024m + memory: 2048Mi + +--- + +apiVersion: autoscaling.k8s.io/v1 +kind: VerticalPodAutoscaler +metadata: + name: {{ .Release.Name }}-master +spec: + targetRef: + apiVersion: apps/v1 + kind: StatefulSet + name: {{ .Release.Name }}-master + updatePolicy: + updateMode: Auto + resourcePolicy: + containerPolicies: + - containerName: seaweedfs + minAllowed: + cpu: 250m + memory: 256Mi + maxAllowed: + cpu: 1024m + memory: 2048Mi + +--- + +apiVersion: autoscaling.k8s.io/v1 +kind: VerticalPodAutoscaler +metadata: + name: {{ .Release.Name }}-volume +spec: + targetRef: + apiVersion: apps/v1 + kind: StatefulSet + name: {{ .Release.Name }}-volume + updatePolicy: + updateMode: Auto + resourcePolicy: + containerPolicies: + - containerName: seaweedfs + minAllowed: + cpu: 250m + memory: 256Mi + maxAllowed: + cpu: 1024m + memory: 2048Mi diff --git a/packages/extra/versions_map b/packages/extra/versions_map index 92f6a42c..f190ebcb 100644 --- a/packages/extra/versions_map +++ b/packages/extra/versions_map @@ -8,7 +8,8 @@ etcd 2.3.0 b908400d etcd 2.4.0 cb7b8158 etcd 2.5.0 861e6c46 etcd 2.6.0 a7425b0 -etcd 2.6.1 HEAD +etcd 2.6.1 063439ac +etcd 2.7.0 HEAD info 1.0.0 HEAD ingress 1.0.0 f642698 ingress 1.1.0 838bee5d @@ -36,4 +37,5 @@ monitoring 1.9.1 HEAD seaweedfs 0.1.0 5ca8823 seaweedfs 0.2.0 9e33dc0 seaweedfs 0.2.1 249bf35 -seaweedfs 0.3.0 HEAD +seaweedfs 0.3.0 0e728870 +seaweedfs 0.4.0 HEAD 
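Review bot: All three VerticalPodAutoscaler objects in the new vpa.yaml set `minAllowed` to `cpu: 250m` / `memory: 256Mi`, which is above the `requests` of `100m` / `128Mi` that this same commit adds for master, volume and filer in seaweedfs.yaml. Their `maxAllowed` (`1024m` / `2048Mi`) is likewise above the static limits of `500m` / `512Mi`. With `updateMode: Auto` the autoscaler would presumably replace the static requests as soon as it acts, so the two sets of numbers disagree about the intended sizing. Align them, or add a comment in seaweedfs.yaml saying the static values are only a starting point. `containerName: seaweedfs` and the `{{ .Release.Name }}-filer` style target names cannot be checked against the subchart from this hunk, so confirm they match the rendered StatefulSets.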
diff --git a/packages/system/ingress-nginx/values.yaml b/packages/system/ingress-nginx/values.yaml index 8ed5b271..607838b5 100644 --- a/packages/system/ingress-nginx/values.yaml +++ b/packages/system/ingress-nginx/values.yaml @@ -20,6 +20,13 @@ ingress-nginx: args: - --server.telemetry-address=0.0.0.0:9090 - --server.exporter-address=0.0.0.0:9091 + resources: + limits: + cpu: 100m + memory: 90Mi + requests: + cpu: 100m + memory: 90Mi service: #type: NodePort # ClusterIP externalTrafficPolicy: "Local" @@ -40,8 +47,21 @@ ingress-nginx: upstream-keepalive-timeout: "60" upstream-keepalive-connections: "320" ssl-session-tickets: "true" - + resources: + limits: + cpu: 1024m + memory: 2048Mi + requests: + cpu: 100m + memory: 90Mi defaultBackend: ## enabled: true + resources: + limits: + cpu: 10m + memory: 20Mi + requests: + cpu: 10m + memory: 20Mi diff --git a/packages/system/seaweedfs/charts/seaweedfs/templates/cosi-deployment.yaml b/packages/system/seaweedfs/charts/seaweedfs/templates/cosi-deployment.yaml index 15e5fa6d..5c5c7e30 100644 --- a/packages/system/seaweedfs/charts/seaweedfs/templates/cosi-deployment.yaml +++ b/packages/system/seaweedfs/charts/seaweedfs/templates/cosi-deployment.yaml @@ -140,6 +140,10 @@ spec: mountPath: /usr/local/share/ca-certificates/client/ {{- end }} {{ tpl .Values.cosi.extraVolumeMounts . | nindent 12 | trim }} + {{- with .Values.cosi.resources }} + resources: + {{- toYaml . | nindent 12 }} + {{- end }} - name: seaweedfs-cosi-sidecar image: "{{ .Values.cosi.sidecar.image }}" imagePullPolicy: {{ default "IfNotPresent" .Values.global.imagePullPolicy }} diff --git a/packages/system/seaweedfs/templates/database.yaml b/packages/system/seaweedfs/templates/database.yaml index e952ff97..892a3ac3 100644 --- a/packages/system/seaweedfs/templates/database.yaml +++ b/packages/system/seaweedfs/templates/database.yaml 
@@ -10,7 +10,13 @@ spec: monitoring: enablePodMonitor: true - + resources: + limits: + cpu: 1024m + memory: 2048Mi + requests: + cpu: 100m + memory: 512Mi inheritedMetadata: labels: policy.cozystack.io/allow-to-apiserver: "true" diff --git a/packages/system/seaweedfs/values.yaml b/packages/system/seaweedfs/values.yaml index 056e9bb7..f7e3c5d9 100644 --- a/packages/system/seaweedfs/values.yaml +++ b/packages/system/seaweedfs/values.yaml @@ -6,7 +6,6 @@ global: WEED_CLUSTER_SW_FILER: "seaweedfs-filer-client:8888" seaweedfs: - master: replicas: 3 volumeSizeLimitMB: 100 From 077045b094fe91e9b38abb8fa44f6fa791ea5cae Mon Sep 17 00:00:00 2001 From: kklinch0 Date: Wed, 19 Mar 2025 00:57:13 +0300 Subject: [PATCH 04/16] fix apps resources 
Signed-off-by: kklinch0 --- packages/apps/http-cache/Chart.yaml | 2 +- packages/apps/http-cache/README.md | 18 +++--- .../apps/http-cache/templates/_resources.tpl | 50 +++++++++++++++ .../templates/haproxy/deployment.yaml | 5 ++ .../templates/nginx/deployment.yaml | 12 ++++ packages/apps/http-cache/values.schema.json | 20 ++++++ packages/apps/http-cache/values.yaml | 24 +++++++ packages/apps/kafka/Chart.yaml | 2 +- packages/apps/kafka/README.md | 30 ++++----- packages/apps/kafka/templates/kafka.yaml | 13 ++-- packages/apps/kafka/values.schema.json | 30 ++++++--- packages/apps/kafka/values.yaml | 38 ++++++++---- packages/apps/kubernetes/Chart.yaml | 2 +- .../cluster-autoscaler/deployment.yaml | 7 +++ .../apps/kubernetes/templates/csi/deploy.yaml | 28 +++++++-- .../kubernetes/templates/kccm/manager.yaml | 6 +- packages/apps/tcp-balancer/Chart.yaml | 2 +- packages/apps/tcp-balancer/README.md | 18 +++--- .../tcp-balancer/templates/_resources.tpl | 50 +++++++++++++++ .../tcp-balancer/templates/deployment.yaml | 5 ++ packages/apps/tcp-balancer/values.schema.json | 62 ------------------- packages/apps/tcp-balancer/values.yaml | 13 ++++ packages/apps/versions_map | 15 +++-- packages/apps/vpn/Chart.yaml | 2 +- packages/apps/vpn/README.md | 12 ++-- packages/apps/vpn/templates/_resources.tpl | 50 +++++++++++++++ packages/apps/vpn/templates/deployment.yaml | 5 ++ packages/apps/vpn/values.schema.json | 10 +++ packages/apps/vpn/values.yaml | 13 ++++ packages/core/installer/values.yaml | 2 +- 30 files changed, 405 insertions(+), 141 deletions(-) create mode 100644 packages/apps/http-cache/templates/_resources.tpl create mode 100644 packages/apps/tcp-balancer/templates/_resources.tpl create mode 100644 packages/apps/vpn/templates/_resources.tpl diff --git a/packages/apps/http-cache/Chart.yaml b/packages/apps/http-cache/Chart.yaml index fdb62f9e..2224053c 100644 --- a/packages/apps/http-cache/Chart.yaml +++ b/packages/apps/http-cache/Chart.yaml 
@@ -16,7 +16,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.3.1 +version: 0.4.0 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to diff --git a/packages/apps/http-cache/README.md b/packages/apps/http-cache/README.md index 904fdf61..cb482fc0 100644 --- a/packages/apps/http-cache/README.md +++ b/packages/apps/http-cache/README.md 
@@ -60,13 +60,17 @@ VTS module shows wrong upstream resonse time ### Common parameters -| Name | Description | Value | -| ------------------ | ----------------------------------------------- | ------- | -| `external` | Enable external access from outside the cluster | `false` | -| `size` | Persistent Volume size | `10Gi` | -| `storageClass` | StorageClass used to store the data | `""` | -| `haproxy.replicas` | Number of HAProxy replicas | `2` | -| `nginx.replicas` | Number of Nginx replicas | `2` | +| Name | Description | Value | +| ------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------- | +| `external` | Enable external access from outside the cluster | `false` | +| `size` | Persistent Volume size | `10Gi` | +| `storageClass` | StorageClass used to store the data | `""` | +| `haproxy.replicas` | Number of HAProxy replicas | `2` | +| `nginx.replicas` | Number of Nginx replicas | `2` | +| `haproxy.resources` | Resources | `{}` | +| `haproxy.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production). | `nano` | +| `nginx.resources` | Resources | `{}` | +| `nginx.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production). | `nano` | ### Configuration parameters diff --git a/packages/apps/http-cache/templates/_resources.tpl b/packages/apps/http-cache/templates/_resources.tpl new file mode 100644 index 00000000..7ada56d4 --- /dev/null +++ b/packages/apps/http-cache/templates/_resources.tpl 
@@ -0,0 +1,50 @@ +{{/* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{/* vim: set filetype=mustache: */}} + +{{/* +Return a resource request/limit object based on a given preset. +These presets are for basic testing and not meant to be used in production +{{ include "resources.preset" (dict "type" "nano") -}} +*/}} +{{- define "resources.preset" -}} +{{/* The limits are the requests increased by 50% (except ephemeral-storage and xlarge/2xlarge sizes)*/}} +{{- $presets := dict + "nano" (dict + "requests" (dict "cpu" "100m" "memory" "128Mi" "ephemeral-storage" "50Mi") + "limits" (dict "cpu" "150m" "memory" "192Mi" "ephemeral-storage" "2Gi") + ) + "micro" (dict + "requests" (dict "cpu" "250m" "memory" "256Mi" "ephemeral-storage" "50Mi") + "limits" (dict "cpu" "375m" "memory" "384Mi" "ephemeral-storage" "2Gi") + ) + "small" (dict + "requests" (dict "cpu" "500m" "memory" "512Mi" "ephemeral-storage" "50Mi") + "limits" (dict "cpu" "750m" "memory" "768Mi" "ephemeral-storage" "2Gi") + ) + "medium" (dict + "requests" (dict "cpu" "500m" "memory" "1024Mi" "ephemeral-storage" "50Mi") + "limits" (dict "cpu" "750m" "memory" "1536Mi" "ephemeral-storage" "2Gi") + ) + "large" (dict + "requests" (dict "cpu" "1.0" "memory" "2048Mi" "ephemeral-storage" "50Mi") + "limits" (dict "cpu" "1.5" "memory" "3072Mi" "ephemeral-storage" "2Gi") + ) + "xlarge" (dict + "requests" (dict "cpu" "1.0" "memory" "3072Mi" "ephemeral-storage" "50Mi") + "limits" (dict "cpu" "3.0" "memory" "6144Mi" "ephemeral-storage" "2Gi") + ) + "2xlarge" (dict + "requests" (dict "cpu" "1.0" "memory" "3072Mi" "ephemeral-storage" "50Mi") + "limits" (dict "cpu" "6.0" "memory" "12288Mi" "ephemeral-storage" "2Gi") + ) + }} +{{- if hasKey $presets .type -}} +{{- index $presets .type | toYaml -}} +{{- else -}} +{{- printf "ERROR: Preset key '%s' invalid. Allowed values are %s" .type (join "," (keys $presets)) | fail -}} +{{- end -}} +{{- end -}} 
diff --git a/packages/apps/http-cache/templates/haproxy/deployment.yaml b/packages/apps/http-cache/templates/haproxy/deployment.yaml index 10ef9b55..b60814dc 100644 --- a/packages/apps/http-cache/templates/haproxy/deployment.yaml +++ b/packages/apps/http-cache/templates/haproxy/deployment.yaml @@ -33,6 +33,11 @@ spec: containers: - image: haproxy:latest name: haproxy + {{- if .Values.haproxy.resources }} + resources: {{- toYaml .Values.haproxy.resources | nindent 10 }} + {{- else if ne .Values.haproxy.resourcesPreset "none" }} + resources: {{- include "resources.preset" (dict "type" .Values.haproxy.resourcesPreset "Release" .Release) | nindent 10 }} + {{- end }} ports: - containerPort: 8080 name: http diff --git a/packages/apps/http-cache/templates/nginx/deployment.yaml b/packages/apps/http-cache/templates/nginx/deployment.yaml index e83e81e1..ae640fd5 100644 --- a/packages/apps/http-cache/templates/nginx/deployment.yaml +++ b/packages/apps/http-cache/templates/nginx/deployment.yaml @@ -52,6 +52,11 @@ spec: shareProcessNamespace: true containers: - name: nginx + {{- if $.Values.nginx.resources }} + resources: {{- toYaml $.Values.nginx.resources | nindent 10 }} + {{- else if ne $.Values.nginx.resourcesPreset "none" }} + resources: {{- include "resources.preset" (dict "type" $.Values.nginx.resourcesPreset "Release" $.Release) | nindent 10 }} + {{- end }} image: "{{ $.Files.Get "images/nginx-cache.tag" | trim }}" readinessProbe: httpGet: @@ -83,6 +88,13 @@ spec: - name: reloader image: "{{ $.Files.Get "images/nginx-cache.tag" | trim }}" command: ["/usr/bin/nginx-reloader.sh"] + resources: + limits: + cpu: 50m + memory: 50Mi + requests: + cpu: 50m + memory: 50Mi #command: ["sleep", "infinity"] volumeMounts: - mountPath: /etc/nginx/nginx.conf diff --git a/packages/apps/http-cache/values.schema.json b/packages/apps/http-cache/values.schema.json index cb1dfc86..ab3fbb7b 100644 --- a/packages/apps/http-cache/values.schema.json 
+++ b/packages/apps/http-cache/values.schema.json @@ -24,6 +24,16 @@ "type": "number", "description": "Number of HAProxy replicas", "default": 2 + }, + "resources": { + "type": "object", + "description": "Resources", + "default": {} + }, + "resourcesPreset": { + "type": "string", + "description": "Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production).", + "default": "nano" } } }, @@ -34,6 +44,16 @@ "type": "number", "description": "Number of Nginx replicas", "default": 2 + }, + "resources": { + "type": "object", + "description": "Resources", + "default": {} + }, + "resourcesPreset": { + "type": "string", + "description": "Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production).", + "default": "nano" } } }, diff --git a/packages/apps/http-cache/values.yaml b/packages/apps/http-cache/values.yaml index 526cb62c..e514ebcc 100644 --- a/packages/apps/http-cache/values.yaml +++ b/packages/apps/http-cache/values.yaml 
@@ -12,8 +12,32 @@ size: 10Gi storageClass: "" haproxy: replicas: 2 + ## @param haproxy.resources Resources + resources: {} + # resources: + # limits: + # cpu: 4000m + # memory: 4Gi + # requests: + # cpu: 100m + # memory: 512Mi + + ## @param haproxy.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production). + resourcesPreset: "nano" nginx: replicas: 2 + ## @param nginx.resources Resources + resources: {} + # resources: + # limits: + # cpu: 4000m + # memory: 4Gi + # requests: + # cpu: 100m + # memory: 512Mi + + ## @param nginx.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production). + resourcesPreset: "nano" ## @section Configuration parameters diff --git a/packages/apps/kafka/Chart.yaml b/packages/apps/kafka/Chart.yaml index 3d1d6e36..d4e910d4 100644 --- a/packages/apps/kafka/Chart.yaml +++ b/packages/apps/kafka/Chart.yaml @@ -16,7 +16,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.4.0 +version: 0.5.0 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to diff --git a/packages/apps/kafka/README.md b/packages/apps/kafka/README.md index 7cd045cc..d6a23fc8 100644 --- a/packages/apps/kafka/README.md +++ b/packages/apps/kafka/README.md 
@@ -4,20 +4,22 @@ ### Common parameters -| Name | Description | Value | -| ------------------------ | ----------------------------------------------- | ------- | -| `external` | Enable external access from outside the cluster | `false` | -| `kafka.size` | Persistent Volume size for Kafka | `10Gi` | -| `kafka.replicas` | Number of Kafka replicas | `3` | -| `kafka.storageClass` | StorageClass used to store the Kafka data | `""` | -| `zookeeper.size` | Persistent Volume size for ZooKeeper | `5Gi` | -| `zookeeper.replicas` | Number of ZooKeeper replicas | `3` | -| `zookeeper.storageClass` | StorageClass used to store the ZooKeeper data | `""` | +| Name | Description | Value | +| --------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------- | +| `external` | Enable external access from outside the cluster | `false` | +| `kafka.size` | Persistent Volume size for Kafka | `10Gi` | +| `kafka.replicas` | Number of Kafka replicas | `3` | +| `kafka.storageClass` | StorageClass used to store the Kafka data | `""` | +| `zookeeper.size` | Persistent Volume size for ZooKeeper | `5Gi` | +| `zookeeper.replicas` | Number of ZooKeeper replicas | `3` | +| `zookeeper.storageClass` | StorageClass used to store the ZooKeeper data | `""` | +| `kafka.resources` | Resources | `{}` | +| `kafka.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production). | `nano` | +| `zookeeper.resources` | Resources | `{}` | +| `zookeeper.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). 
This is ignored if resources is set (resources is recommended for production). | `nano` | ### Configuration parameters -| Name | Description | Value | -| ----------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------ | -| `topics` | Topics configuration | `[]` | -| `resources` | Resources | `{}` | -| `resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production). | `nano` | +| Name | Description | Value | +| -------- | -------------------- | ----- | +| `topics` | Topics configuration | `[]` | diff --git a/packages/apps/kafka/templates/kafka.yaml b/packages/apps/kafka/templates/kafka.yaml index 742f365d..c981580c 100644 --- a/packages/apps/kafka/templates/kafka.yaml +++ b/packages/apps/kafka/templates/kafka.yaml @@ -8,10 +8,10 @@ metadata: spec: kafka: replicas: {{ .Values.kafka.replicas }} - {{- if .Values.resources }} - resources: {{- toYaml .Values.resources | nindent 6 }} - {{- else if ne .Values.resourcesPreset "none" }} - resources: {{- include "resources.preset" (dict "type" .Values.resourcesPreset "Release" .Release) | nindent 6 }} + {{- if .Values.kafka.resources }} + resources: {{- toYaml .Values.kafka.resources | nindent 6 }} + {{- else if ne .Values.kafka.resourcesPreset "none" }} + resources: {{- include "resources.preset" (dict "type" .Values.kafka.resourcesPreset "Release" .Release) | nindent 6 }} {{- end }} listeners: - name: plain 
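Review bot: Releases that already set the top-level `resources` or `resourcesPreset` lose that setting on upgrade, because the `kafka:` block in the `@@ -8,10 +8,10 @@` hunk now reads only `.Values.kafka.resources` and `.Values.kafka.resourcesPreset`, and this commit removes the old keys from values.yaml and the schema. Such a release falls through to the new default preset `nano` with no error, which for a broker is an availability risk rather than a cosmetic change. A fallback keeps old values working for one release: `{{- $kafkaRes := .Values.kafka.resources | default .Values.resources }}` followed by `{{- if $kafkaRes }}`. The README should also state that the keys moved. The `spec` mapping starts and continues outside the hunk.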
@@ -70,6 +70,11 @@ spec: key: kafka-metrics-config.yml zookeeper: replicas: {{ .Values.zookeeper.replicas }} + {{- if .Values.zookeeper.resources }} + resources: {{- toYaml .Values.zookeeper.resources | nindent 6 }} + {{- else if ne .Values.zookeeper.resourcesPreset "none" }} + resources: {{- include "resources.preset" (dict "type" .Values.zookeeper.resourcesPreset "Release" .Release) | nindent 6 }} + {{- end }} storage: type: persistent-claim {{- with .Values.zookeeper.size }} diff --git a/packages/apps/kafka/values.schema.json b/packages/apps/kafka/values.schema.json index eb7e2488..8a1b33f8 100644 --- a/packages/apps/kafka/values.schema.json +++ b/packages/apps/kafka/values.schema.json @@ -24,6 +24,16 @@ "type": "string", "description": "StorageClass used to store the Kafka data", "default": "" + }, + "resources": { + "type": "object", + "description": "Resources", + "default": {} + }, + "resourcesPreset": { + "type": "string", + "description": "Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production).", + "default": "nano" } } }, @@ -44,6 +54,16 @@ "type": "string", "description": "StorageClass used to store the ZooKeeper data", "default": "" + }, + "resources": { + "type": "object", + "description": "Resources", + "default": {} + }, + "resourcesPreset": { + "type": "string", + "description": "Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production).", + "default": "nano" } } }, 
@@ -52,16 +72,6 @@ "description": "Topics configuration", "default": [], "items": {} - }, - "resources": { - "type": "object", - "description": "Resources", - "default": {} - }, - "resourcesPreset": { - "type": "string", - "description": "Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production).", - "default": "nano" } } } \ No newline at end of file diff --git a/packages/apps/kafka/values.yaml b/packages/apps/kafka/values.yaml index 7b05c6de..185f8841 100644 --- a/packages/apps/kafka/values.yaml +++ b/packages/apps/kafka/values.yaml @@ -14,10 +14,35 @@ kafka: size: 10Gi replicas: 3 storageClass: "" + ## @param kafka.resources Resources + resources: {} + # resources: + # limits: + # cpu: 4000m + # memory: 4Gi + # requests: + # cpu: 100m + # memory: 512Mi + + ## @param kafka.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production). + resourcesPreset: "nano" + zookeeper: size: 5Gi replicas: 3 storageClass: "" + ## @param zookeeper.resources Resources + resources: {} + # resources: + # limits: + # cpu: 4000m + # memory: 4Gi + # requests: + # cpu: 100m + # memory: 512Mi + + ## @param zookeeper.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production). + resourcesPreset: "nano" ## @section Configuration parameters 
@@ -39,16 +64,3 @@ zookeeper: ## replicas: 3 ## topics: [] - -## @param resources Resources -resources: {} - # resources: - # limits: - # cpu: 4000m - # memory: 4Gi - # requests: - # cpu: 100m - # memory: 512Mi - -## @param resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production). -resourcesPreset: "nano" diff --git a/packages/apps/kubernetes/Chart.yaml b/packages/apps/kubernetes/Chart.yaml index 58d8c8ff..16617d5d 100644 --- a/packages/apps/kubernetes/Chart.yaml +++ b/packages/apps/kubernetes/Chart.yaml @@ -16,7 +16,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.15.2 +version: 0.16.0 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to diff --git a/packages/apps/kubernetes/templates/cluster-autoscaler/deployment.yaml b/packages/apps/kubernetes/templates/cluster-autoscaler/deployment.yaml index 6b31f53a..73d14cf5 100644 --- a/packages/apps/kubernetes/templates/cluster-autoscaler/deployment.yaml +++ b/packages/apps/kubernetes/templates/cluster-autoscaler/deployment.yaml @@ -26,6 +26,13 @@ spec: containers: - image: "{{ $.Files.Get "images/cluster-autoscaler.tag" | trim }}" name: cluster-autoscaler + resources: + limits: + cpu: 512m + memory: 512Mi + requests: + cpu: 124m + memory: 124Mi command: - /cluster-autoscaler args: diff --git a/packages/apps/kubernetes/templates/csi/deploy.yaml b/packages/apps/kubernetes/templates/csi/deploy.yaml index d0d83e37..a93dfd2a 100644 --- a/packages/apps/kubernetes/templates/csi/deploy.yaml 
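Review bot: The requests and limits added to the `cluster-autoscaler` container are fixed in the template (`cpu: 124m`, `memory: 124Mi`, limits `512m`/`512Mi`), so an operator cannot raise them without editing the chart. The same literals are repeated in the csi/deploy.yaml and kccm/manager.yaml hunks of this commit. A memory limit that is too low for a large tenant cluster would presumably show up as OOM restarts of the controller, so these numbers should come from values the way the other charts in this patch use `resources` and `resourcesPreset`. If they stay fixed, add a comment above the block such as `# fixed sizing for tenant control-plane helpers; raise limits.memory if this container is OOM-killed`, and confirm that `124` is intended rather than `128`. The container spec continues outside the hunk.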
+++ b/packages/apps/kubernetes/templates/csi/deploy.yaml @@ -63,11 +63,21 @@ spec: mountPath: /etc/kubernetes/kubeconfig readOnly: true resources: + limits: + cpu: 512m + memory: 512Mi requests: - memory: 50Mi - cpu: 10m + cpu: 124m + memory: 124Mi - name: csi-provisioner image: quay.io/openshift/origin-csi-external-provisioner:latest + resources: + limits: + cpu: 512m + memory: 512Mi + requests: + cpu: 124m + memory: 124Mi args: - "--csi-address=$(ADDRESS)" - "--default-fstype=ext4" @@ -102,9 +112,12 @@ spec: mountPath: /etc/kubernetes/kubeconfig readOnly: true resources: + limits: + cpu: 512m + memory: 512Mi requests: - memory: 50Mi - cpu: 10m + cpu: 124m + memory: 124Mi - name: csi-liveness-probe image: quay.io/openshift/origin-csi-livenessprobe:latest args: @@ -115,9 +128,12 @@ spec: - name: socket-dir mountPath: /csi resources: + limits: + cpu: 512m + memory: 512Mi requests: - memory: 50Mi - cpu: 10m + cpu: 124m + memory: 124Mi volumes: - name: socket-dir emptyDir: {} diff --git a/packages/apps/kubernetes/templates/kccm/manager.yaml b/packages/apps/kubernetes/templates/kccm/manager.yaml index 12e48245..dd5ad50f 100644 --- a/packages/apps/kubernetes/templates/kccm/manager.yaml +++ b/packages/apps/kubernetes/templates/kccm/manager.yaml @@ -36,8 +36,12 @@ spec: #securityContext: # privileged: true resources: + limits: + cpu: 512m + memory: 512Mi requests: - cpu: 100m + cpu: 124m + memory: 124Mi volumeMounts: - mountPath: /etc/kubernetes/kubeconfig name: kubeconfig diff --git a/packages/apps/tcp-balancer/Chart.yaml b/packages/apps/tcp-balancer/Chart.yaml index c4e9744f..9d701dcd 100644 --- a/packages/apps/tcp-balancer/Chart.yaml +++ b/packages/apps/tcp-balancer/Chart.yaml 
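Review bot: The containers that receive resource limits in the `@@ -63,11 +63,21 @@` hunk are still pulled by mutable tag, `image: quay.io/openshift/origin-csi-external-provisioner:latest`, and the `@@ -102,9 +112,12 @@` hunk shows the same for `origin-csi-livenessprobe:latest`. The visible context mounts `/etc/kubernetes/kubeconfig` into this pod, so whatever the tag resolves to at pull time runs next to cluster credentials. Pin each image to a version and digest, as the installer image elsewhere in this series already is: `image: quay.io/openshift/origin-csi-external-provisioner:<version>@sha256:<digest>`. The same applies to `haproxy:latest` in the tcp-balancer deployment hunk. The pod spec starts outside these hunks.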
@@ -16,7 +16,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.2.0 +version: 0.3.0 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to diff --git a/packages/apps/tcp-balancer/README.md b/packages/apps/tcp-balancer/README.md index 1e5d7dd9..bbdf88c3 100644 --- a/packages/apps/tcp-balancer/README.md +++ b/packages/apps/tcp-balancer/README.md 
@@ -19,11 +19,13 @@ Managed TCP Load Balancer Service efficiently utilizes HAProxy for load balancin ### Configuration parameters -| Name | Description | Value | -| -------------------------------- | ------------------------------------------------------------- | ------- | -| `httpAndHttps.mode` | Mode for balancer. Allowed values: `tcp` and `tcp-with-proxy` | `tcp` | -| `httpAndHttps.targetPorts.http` | HTTP port number. | `80` | -| `httpAndHttps.targetPorts.https` | HTTPS port number. | `443` | -| `httpAndHttps.endpoints` | Endpoint addresses list | `[]` | -| `whitelistHTTP` | Secure HTTP by enabling client networks whitelisting | `false` | -| `whitelist` | List of client networks | `[]` | +| Name | Description | Value | +| -------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------- | +| `httpAndHttps.mode` | Mode for balancer. Allowed values: `tcp` and `tcp-with-proxy` | `tcp` | +| `httpAndHttps.targetPorts.http` | HTTP port number. | `80` | +| `httpAndHttps.targetPorts.https` | HTTPS port number. | `443` | +| `httpAndHttps.endpoints` | Endpoint addresses list | `[]` | +| `whitelistHTTP` | Secure HTTP by enabling client networks whitelisting | `false` | +| `whitelist` | List of client networks | `[]` | +| `resources` | Resources | `{}` | +| `resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production). | `nano` | diff --git a/packages/apps/tcp-balancer/templates/_resources.tpl b/packages/apps/tcp-balancer/templates/_resources.tpl new file mode 100644 index 00000000..7ada56d4 --- /dev/null +++ b/packages/apps/tcp-balancer/templates/_resources.tpl 
@@ -0,0 +1,50 @@ +{{/* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{/* vim: set filetype=mustache: */}} + +{{/* +Return a resource request/limit object based on a given preset. +These presets are for basic testing and not meant to be used in production +{{ include "resources.preset" (dict "type" "nano") -}} +*/}} +{{- define "resources.preset" -}} +{{/* The limits are the requests increased by 50% (except ephemeral-storage and xlarge/2xlarge sizes)*/}} +{{- $presets := dict + "nano" (dict + "requests" (dict "cpu" "100m" "memory" "128Mi" "ephemeral-storage" "50Mi") + "limits" (dict "cpu" "150m" "memory" "192Mi" "ephemeral-storage" "2Gi") + ) + "micro" (dict + "requests" (dict "cpu" "250m" "memory" "256Mi" "ephemeral-storage" "50Mi") + "limits" (dict "cpu" "375m" "memory" "384Mi" "ephemeral-storage" "2Gi") + ) + "small" (dict + "requests" (dict "cpu" "500m" "memory" "512Mi" "ephemeral-storage" "50Mi") + "limits" (dict "cpu" "750m" "memory" "768Mi" "ephemeral-storage" "2Gi") + ) + "medium" (dict + "requests" (dict "cpu" "500m" "memory" "1024Mi" "ephemeral-storage" "50Mi") + "limits" (dict "cpu" "750m" "memory" "1536Mi" "ephemeral-storage" "2Gi") + ) + "large" (dict + "requests" (dict "cpu" "1.0" "memory" "2048Mi" "ephemeral-storage" "50Mi") + "limits" (dict "cpu" "1.5" "memory" "3072Mi" "ephemeral-storage" "2Gi") + ) + "xlarge" (dict + "requests" (dict "cpu" "1.0" "memory" "3072Mi" "ephemeral-storage" "50Mi") + "limits" (dict "cpu" "3.0" "memory" "6144Mi" "ephemeral-storage" "2Gi") + ) + "2xlarge" (dict + "requests" (dict "cpu" "1.0" "memory" "3072Mi" "ephemeral-storage" "50Mi") + "limits" (dict "cpu" "6.0" "memory" "12288Mi" "ephemeral-storage" "2Gi") + ) + }} +{{- if hasKey $presets .type -}} +{{- index $presets .type | toYaml -}} +{{- else -}} +{{- printf "ERROR: Preset key '%s' invalid. Allowed values are %s" .type (join "," (keys $presets)) | fail -}} +{{- end -}} +{{- end -}} 
diff --git a/packages/apps/tcp-balancer/templates/deployment.yaml b/packages/apps/tcp-balancer/templates/deployment.yaml index 0f70bbae..fff64a4c 100644 --- a/packages/apps/tcp-balancer/templates/deployment.yaml +++ b/packages/apps/tcp-balancer/templates/deployment.yaml @@ -33,6 +33,11 @@ spec: containers: - image: haproxy:latest name: haproxy + {{- if .Values.resources }} + resources: {{- toYaml .Values.resources | nindent 10 }} + {{- else if ne .Values.resourcesPreset "none" }} + resources: {{- include "resources.preset" (dict "type" .Values.resourcesPreset "Release" .Release) | nindent 10 }} + {{- end }} ports: {{- with .Values.httpAndHttps }} - containerPort: 8080 diff --git a/packages/apps/tcp-balancer/values.schema.json b/packages/apps/tcp-balancer/values.schema.json index 43cf639d..e69de29b 100644 --- a/packages/apps/tcp-balancer/values.schema.json +++ b/packages/apps/tcp-balancer/values.schema.json 
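Review bot: Every existing tcp-balancer release gets CPU and memory limits on upgrade, because the `haproxy` container had no `resources` block before this hunk and the new default is `resourcesPreset: "nano"`. In the `_resources.tpl` added by this commit, `nano` means limits of `150m` CPU and `192Mi` memory, and that file's own comment says the presets are "for basic testing and not meant to be used in production". A load balancer throttled at 150m CPU is an availability concern under connection bursts, so the default should be larger or the change should be called out as an upgrade note. The same default is applied to the `outline-vpn` container in the vpn deployment hunk. The container list continues outside the hunk.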
@@ -1,62 +0,0 @@ -{ - "title": "Chart Values", - "type": "object", - "properties": { - "external": { - "type": "boolean", - "description": "Enable external access from outside the cluster", - "default": false - }, - "replicas": { - "type": "number", - "description": "Number of HAProxy replicas", - "default": 2 - }, - "httpAndHttps": { - "type": "object", - "properties": { - "mode": { - "type": "string", - "description": "Mode for balancer. Allowed values: `tcp` and `tcp-with-proxy`", - "default": "tcp", - "enum": [ - "tcp", - "tcp-with-proxy" - ] - }, - "targetPorts": { - "type": "object", - "properties": { - "http": { - "type": "number", - "description": "HTTP port number.", - "default": 80 - }, - "https": { - "type": "number", - "description": "HTTPS port number.", - "default": 443 - } - } - }, - "endpoints": { - "type": "array", - "description": "Endpoint addresses list", - "default": [], - "items": {} - } - } - }, - "whitelistHTTP": { - "type": "boolean", - "description": "Secure HTTP by enabling client networks whitelisting", - "default": false - }, - "whitelist": { - "type": "array", - "description": "List of client networks", - "default": [], - "items": {} - } - } -} diff --git a/packages/apps/tcp-balancer/values.yaml b/packages/apps/tcp-balancer/values.yaml index 439283f0..fb14c01a 100644 --- a/packages/apps/tcp-balancer/values.yaml +++ b/packages/apps/tcp-balancer/values.yaml @@ -43,3 +43,16 @@ httpAndHttps: ## whitelistHTTP: false whitelist: [] + +## @param resources Resources +resources: {} +# resources: +# limits: +# cpu: 4000m +# memory: 4Gi +# requests: +# cpu: 100m +# memory: 512Mi + +## @param resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production). +resourcesPreset: "nano" diff --git a/packages/apps/versions_map b/packages/apps/versions_map index cfd912ab..5f0d7e0e 100644 
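Review bot: The `resources` and `resourcesPreset` keys added in the values.yaml hunk (`@@ -43,3 +43,16 @@`) have no schema entry, because the same commit empties `values.schema.json` (`@@ -1,62 +0,0 @@`, new blob `e69de29b`). That also drops the `enum` check on `httpAndHttps.mode` and the type checks on `whitelistHTTP` and `whitelist`, so malformed access-control values are no longer rejected at install time. The diffstat of PATCH 05/16 lists this file with 72 insertions, so it appears to be restored in the next commit, but this commit on its own ships without validation. Regenerate the schema here with the two new properties added, matching the `"resourcesPreset": { "type": "string", ... "default": "nano" }` entries that the vpn and kafka schemas receive.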
--- a/packages/apps/versions_map +++ b/packages/apps/versions_map @@ -20,7 +20,8 @@ ferretdb 0.5.0 HEAD http-cache 0.1.0 a956713 http-cache 0.2.0 5ca8823 http-cache 0.3.0 fab5940 -http-cache 0.3.1 HEAD +http-cache 0.3.1 fab5940b +http-cache 0.4.0 HEAD kafka 0.1.0 760f86d2 kafka 0.2.0 a2cc83d kafka 0.2.1 3ac17018 @@ -30,7 +31,8 @@ kafka 0.3.0 c07c4bbd kafka 0.3.1 b7375f73 kafka 0.3.2 b75aaf17 kafka 0.3.3 425ce77f -kafka 0.4.0 HEAD +kafka 0.4.0 0e10f952 +kafka 0.5.0 HEAD kubernetes 0.1.0 f642698 kubernetes 0.2.0 7cd7de73 kubernetes 0.3.0 7caccec1 @@ -52,7 +54,8 @@ kubernetes 0.14.0 bfbde07c kubernetes 0.14.1 fde4bcfa kubernetes 0.15.0 cb7b8158 kubernetes 0.15.1 43e593c7 -kubernetes 0.15.2 HEAD +kubernetes 0.15.2 43e593c7 +kubernetes 0.16.0 HEAD mysql 0.1.0 f642698 mysql 0.2.0 8b975ff0 mysql 0.3.0 5ca8823 @@ -100,7 +103,8 @@ redis 0.4.0 abc8f082 redis 0.5.0 0e728870 redis 0.6.0 HEAD tcp-balancer 0.1.0 f642698 -tcp-balancer 0.2.0 HEAD +tcp-balancer 0.2.0 a9567139 +tcp-balancer 0.3.0 HEAD tenant 0.1.3 3d1b86c tenant 0.1.4 d200480 tenant 0.1.5 e3ab858 @@ -147,4 +151,5 @@ vm-instance 0.5.1 HEAD vpn 0.1.0 f642698 vpn 0.2.0 7151424 vpn 0.3.0 a2bcf100 -vpn 0.3.1 HEAD +vpn 0.3.1 f7220f19 +vpn 0.4.0 HEAD diff --git a/packages/apps/vpn/Chart.yaml b/packages/apps/vpn/Chart.yaml index 8fe285f6..c82e77dd 100644 --- a/packages/apps/vpn/Chart.yaml +++ b/packages/apps/vpn/Chart.yaml @@ -16,7 +16,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.3.1 +version: 0.4.0 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to diff --git a/packages/apps/vpn/README.md b/packages/apps/vpn/README.md index b89b7ca9..3920302d 100644 
--- a/packages/apps/vpn/README.md +++ b/packages/apps/vpn/README.md @@ -22,8 +22,10 @@ The VPN Service is powered by the Outline Server, an advanced and user-friendly ### Configuration parameters -| Name | Description | Value | -| ------------- | ------------------------------------------- | ----- | -| `host` | Host used to substitute into generated URLs | `""` | -| `users` | Users configuration | `{}` | -| `externalIPs` | List of externalIPs for service. | `[]` | +| Name | Description | Value | +| ----------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------ | +| `host` | Host used to substitute into generated URLs | `""` | +| `users` | Users configuration | `{}` | +| `externalIPs` | List of externalIPs for service. | `[]` | +| `resources` | Resources | `{}` | +| `resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production). | `nano` | diff --git a/packages/apps/vpn/templates/_resources.tpl b/packages/apps/vpn/templates/_resources.tpl new file mode 100644 index 00000000..7ada56d4 --- /dev/null +++ b/packages/apps/vpn/templates/_resources.tpl 
@@ -0,0 +1,50 @@ +{{/* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{/* vim: set filetype=mustache: */}} + +{{/* +Return a resource request/limit object based on a given preset. +These presets are for basic testing and not meant to be used in production +{{ include "resources.preset" (dict "type" "nano") -}} +*/}} +{{- define "resources.preset" -}} +{{/* The limits are the requests increased by 50% (except ephemeral-storage and xlarge/2xlarge sizes)*/}} +{{- $presets := dict + "nano" (dict + "requests" (dict "cpu" "100m" "memory" "128Mi" "ephemeral-storage" "50Mi") + "limits" (dict "cpu" "150m" "memory" "192Mi" "ephemeral-storage" "2Gi") + ) + "micro" (dict + "requests" (dict "cpu" "250m" "memory" "256Mi" "ephemeral-storage" "50Mi") + "limits" (dict "cpu" "375m" "memory" "384Mi" "ephemeral-storage" "2Gi") + ) + "small" (dict + "requests" (dict "cpu" "500m" "memory" "512Mi" "ephemeral-storage" "50Mi") + "limits" (dict "cpu" "750m" "memory" "768Mi" "ephemeral-storage" "2Gi") + ) + "medium" (dict + "requests" (dict "cpu" "500m" "memory" "1024Mi" "ephemeral-storage" "50Mi") + "limits" (dict "cpu" "750m" "memory" "1536Mi" "ephemeral-storage" "2Gi") + ) + "large" (dict + "requests" (dict "cpu" "1.0" "memory" "2048Mi" "ephemeral-storage" "50Mi") + "limits" (dict "cpu" "1.5" "memory" "3072Mi" "ephemeral-storage" "2Gi") + ) + "xlarge" (dict + "requests" (dict "cpu" "1.0" "memory" "3072Mi" "ephemeral-storage" "50Mi") + "limits" (dict "cpu" "3.0" "memory" "6144Mi" "ephemeral-storage" "2Gi") + ) + "2xlarge" (dict + "requests" (dict "cpu" "1.0" "memory" "3072Mi" "ephemeral-storage" "50Mi") + "limits" (dict "cpu" "6.0" "memory" "12288Mi" "ephemeral-storage" "2Gi") + ) + }} +{{- if hasKey $presets .type -}} +{{- index $presets .type | toYaml -}} +{{- else -}} +{{- printf "ERROR: Preset key '%s' invalid. Allowed values are %s" .type (join "," (keys $presets)) | fail -}} +{{- end -}} +{{- end -}} 
diff --git a/packages/apps/vpn/templates/deployment.yaml b/packages/apps/vpn/templates/deployment.yaml index 72050a25..8de539ab 100644 --- a/packages/apps/vpn/templates/deployment.yaml +++ b/packages/apps/vpn/templates/deployment.yaml @@ -42,6 +42,11 @@ spec: containers: - name: outline-vpn image: quay.io/outline/shadowbox:stable + {{- if .Values.resources }} + resources: {{- toYaml .Values.resources | nindent 10 }} + {{- else if ne .Values.resourcesPreset "none" }} + resources: {{- include "resources.preset" (dict "type" .Values.resourcesPreset "Release" .Release) | nindent 10 }} + {{- end }} ports: - containerPort: 40000 protocol: TCP diff --git a/packages/apps/vpn/values.schema.json b/packages/apps/vpn/values.schema.json index 30f6807c..84f9c71d 100644 --- a/packages/apps/vpn/values.schema.json +++ b/packages/apps/vpn/values.schema.json @@ -24,6 +24,16 @@ "items": { "type": "string" } + }, + "resources": { + "type": "object", + "description": "Resources", + "default": {} + }, + "resourcesPreset": { + "type": "string", + "description": "Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production).", + "default": "nano" } } } \ No newline at end of file diff --git a/packages/apps/vpn/values.yaml b/packages/apps/vpn/values.yaml index 817c1041..f781e50a 100644 --- a/packages/apps/vpn/values.yaml +++ b/packages/apps/vpn/values.yaml @@ -29,3 +29,16 @@ users: {} ## - "11.22.33.46" ## externalIPs: [] + +## @param resources Resources +resources: {} +# resources: +# limits: +# cpu: 4000m +# memory: 4Gi +# requests: +# cpu: 100m +# memory: 512Mi + +## @param resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production). +resourcesPreset: "nano" 
diff --git a/packages/core/installer/values.yaml b/packages/core/installer/values.yaml index 65d539ad..f058ed3f 100644 --- a/packages/core/installer/values.yaml +++ b/packages/core/installer/values.yaml @@ -1,2 +1,2 @@ cozystack: - image: kklinch0/installer:0.27.39@sha256:9f62b963a79fcd5774af28e248c74082a0fe5f7c443e18648101da01d36cf715 + image: kklinch0/installer:0.27.49@sha256:baf71ad11ade3ef10b9c77325a6385438054541f44248332afa3f95f8f66f7e5 From d12dd0e117ab5ccb993b19b0d6edb32f2d6be76d Mon Sep 17 00:00:00 2001 From: kklinch0 Date: Wed, 19 Mar 2025 16:13:19 +0300 Subject: [PATCH 05/16] fix vm and k8s resources Signed-off-by: kklinch0 --- packages/apps/kubernetes/Chart.yaml | 2 +- .../apps/kubernetes/templates/_resources.tpl | 50 +++++++++++++ .../apps/kubernetes/templates/cluster.yaml | 27 ++++++- .../helmreleases/cert-manager-crds.yaml | 3 +- .../templates/helmreleases/cert-manager.yaml | 3 +- .../templates/helmreleases/cilium.yaml | 3 +- .../templates/helmreleases/csi.yaml | 3 +- .../templates/helmreleases/fluxcd.yaml | 3 +- .../templates/helmreleases/ingress-nginx.yaml | 3 +- .../helmreleases/monitoring-agents.yaml | 3 +- .../victoria-metrics-operator.yaml | 3 +- packages/apps/kubernetes/values.yaml | 60 ++++++++++++++++ packages/apps/tcp-balancer/values.schema.json | 72 +++++++++++++++++++ packages/apps/tenant/Chart.yaml | 2 +- packages/apps/tenant/templates/namespace.yaml | 1 + packages/apps/versions_map | 6 +- packages/core/installer/values.yaml | 2 +- .../kubevirt/templates/kubevirt-cr.yaml | 1 + 18 files changed, 233 insertions(+), 14 deletions(-) create mode 100644 packages/apps/kubernetes/templates/_resources.tpl diff --git a/packages/apps/kubernetes/Chart.yaml b/packages/apps/kubernetes/Chart.yaml index 16617d5d..bde52de2 100644 --- a/packages/apps/kubernetes/Chart.yaml +++ b/packages/apps/kubernetes/Chart.yaml 
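Review bot: The installer image on the new side is pulled from `kklinch0/installer`, a repository namespace that matches the commit author rather than a project registry. The `@sha256:` digest fixes the content, but it does not establish who built and published it, and the installer presumably runs with broad rights in the cluster. Confirm this is the intended release location before merging. If it is a development build, restore the project's reference in the form `image: <project-registry>/installer:<version>@sha256:<digest>`.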
@@ -16,7 +16,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.16.0 +version: 0.17.0 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to diff --git a/packages/apps/kubernetes/templates/_resources.tpl b/packages/apps/kubernetes/templates/_resources.tpl new file mode 100644 index 00000000..7ada56d4 --- /dev/null +++ b/packages/apps/kubernetes/templates/_resources.tpl 
@@ -0,0 +1,50 @@ +{{/* +Copyright Broadcom, Inc. All Rights Reserved. +SPDX-License-Identifier: APACHE-2.0 +*/}} + +{{/* vim: set filetype=mustache: */}} + +{{/* +Return a resource request/limit object based on a given preset. +These presets are for basic testing and not meant to be used in production +{{ include "resources.preset" (dict "type" "nano") -}} +*/}} +{{- define "resources.preset" -}} +{{/* The limits are the requests increased by 50% (except ephemeral-storage and xlarge/2xlarge sizes)*/}} +{{- $presets := dict + "nano" (dict + "requests" (dict "cpu" "100m" "memory" "128Mi" "ephemeral-storage" "50Mi") + "limits" (dict "cpu" "150m" "memory" "192Mi" "ephemeral-storage" "2Gi") + ) + "micro" (dict + "requests" (dict "cpu" "250m" "memory" "256Mi" "ephemeral-storage" "50Mi") + "limits" (dict "cpu" "375m" "memory" "384Mi" "ephemeral-storage" "2Gi") + ) + "small" (dict + "requests" (dict "cpu" "500m" "memory" "512Mi" "ephemeral-storage" "50Mi") + "limits" (dict "cpu" "750m" "memory" "768Mi" "ephemeral-storage" "2Gi") + ) + "medium" (dict + "requests" (dict "cpu" "500m" "memory" "1024Mi" "ephemeral-storage" "50Mi") + "limits" (dict "cpu" "750m" "memory" "1536Mi" "ephemeral-storage" "2Gi") + ) + "large" (dict + "requests" (dict "cpu" "1.0" "memory" "2048Mi" "ephemeral-storage" "50Mi") + "limits" (dict "cpu" "1.5" "memory" "3072Mi" "ephemeral-storage" "2Gi") + ) + "xlarge" (dict + "requests" (dict "cpu" "1.0" "memory" "3072Mi" "ephemeral-storage" "50Mi") + "limits" (dict "cpu" "3.0" "memory" "6144Mi" "ephemeral-storage" "2Gi") + ) + "2xlarge" (dict + "requests" (dict "cpu" "1.0" "memory" "3072Mi" "ephemeral-storage" "50Mi") + "limits" (dict "cpu" "6.0" "memory" "12288Mi" "ephemeral-storage" "2Gi") + ) + }} +{{- if hasKey $presets .type -}} +{{- index $presets .type | toYaml -}} +{{- else -}} +{{- printf "ERROR: Preset key '%s' invalid. Allowed values are %s" .type (join "," (keys $presets)) | fail -}} +{{- end -}} +{{- end -}} 
diff --git a/packages/apps/kubernetes/templates/cluster.yaml b/packages/apps/kubernetes/templates/cluster.yaml index 37cc560f..a208bc6e 100644 --- a/packages/apps/kubernetes/templates/cluster.yaml +++ b/packages/apps/kubernetes/templates/cluster.yaml 
@@ -102,12 +102,37 @@ metadata: annotations: kamaji.clastix.io/kubeconfig-secret-key: "super-admin.svc" spec: + apiServer: + {{- if .Values.kamajiControlPlane.apiServer.resources }} + resources: {{- toYaml .Values.kamajiControlPlane.apiServer.resources | nindent 6 }} + {{- else if ne .Values.kamajiControlPlane.apiServer.resourcesPreset "none" }} + resources: {{- include "resources.preset" (dict "type" .Values.kamajiControlPlane.apiServer.resourcesPreset "Release" .Release) | nindent 6 }} + {{- end }} + controllerManager: + {{- if .Values.kamajiControlPlane.controllerManager.resources }} + resources: {{- toYaml .Values.kamajiControlPlane.controllerManager.resources | nindent 6 }} + {{- else if ne .Values.kamajiControlPlane.controllerManager.resourcesPreset "none" }} + resources: {{- include "resources.preset" (dict "type" .Values.kamajiControlPlane.controllerManager.resourcesPreset "Release" .Release) | nindent 6 }} + {{- end }} + scheduler: + {{- if .Values.kamajiControlPlane.scheduler.resources }} + resources: {{- toYaml .Values.kamajiControlPlane.scheduler.resources | nindent 6 }} + {{- else if ne .Values.kamajiControlPlane.scheduler.resourcesPreset "none" }} + resources: {{- include "resources.preset" (dict "type" .Values.kamajiControlPlane.scheduler.resourcesPreset "Release" .Release) | nindent 6 }} + {{- end }} dataStoreName: "{{ $etcd }}" addons: coreDNS: dnsServiceIPs: - 10.95.0.10 - konnectivity: {} + konnectivity: + server: + port: 8132 + {{- if .Values.kamajiControlPlane.addons.konnectivity.server.resources }} + resources: {{- toYaml .Values.kamajiControlPlane.addons.konnectivity.server.resources | nindent 10 }} + {{- else if ne .Values.kamajiControlPlane.addons.konnectivity.server.resourcesPreset "none" }} + resources: {{- include "resources.preset" (dict "type" .Values.kamajiControlPlane.addons.konnectivity.server.resourcesPreset "Release" .Release) | nindent 10 }} + {{- end }} kubelet: cgroupfs: systemd preferredAddressTypes: 
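Review bot: The `apiServer:`, `controllerManager:` and `scheduler:` keys are emitted outside the `if`/`else if`, so with `resources: {}` and `resourcesPreset: "none"` each key renders with a null value and the tenant control-plane containers get no requests or limits at all. Whether the KamajiControlPlane API accepts a null component block is not visible here, so it should be confirmed or avoided with an explicit fallback, `{{- else }}` followed by `resources: {}`, before each `{{- end }}`. The dict passed to `resources.preset` also carries `"Release" .Release`, which the helper shown earlier in this patch never reads (it uses only `.type`), so it can be dropped from the four call sites. The enclosing `spec:` block starts before and continues past this hunk.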
diff --git a/packages/apps/kubernetes/templates/helmreleases/cert-manager-crds.yaml b/packages/apps/kubernetes/templates/helmreleases/cert-manager-crds.yaml index 2b07948f..8ee5dc82 100644 --- a/packages/apps/kubernetes/templates/helmreleases/cert-manager-crds.yaml +++ b/packages/apps/kubernetes/templates/helmreleases/cert-manager-crds.yaml @@ -18,7 +18,8 @@ spec: namespace: cozy-system kubeConfig: secretRef: - name: {{ .Release.Name }}-kubeconfig + name: {{ .Release.Name }}-admin-kubeconfig + key: super-admin.svc targetNamespace: cozy-cert-manager-crds storageNamespace: cozy-cert-manager-crds install: diff --git a/packages/apps/kubernetes/templates/helmreleases/cert-manager.yaml b/packages/apps/kubernetes/templates/helmreleases/cert-manager.yaml index de9d76f9..8a7213a9 100644 --- a/packages/apps/kubernetes/templates/helmreleases/cert-manager.yaml +++ b/packages/apps/kubernetes/templates/helmreleases/cert-manager.yaml @@ -19,7 +19,8 @@ spec: namespace: cozy-system kubeConfig: secretRef: - name: {{ .Release.Name }}-kubeconfig + name: {{ .Release.Name }}-admin-kubeconfig + key: super-admin.svc targetNamespace: cozy-cert-manager storageNamespace: cozy-cert-manager install: diff --git a/packages/apps/kubernetes/templates/helmreleases/cilium.yaml b/packages/apps/kubernetes/templates/helmreleases/cilium.yaml index 50546df3..cf6bbe12 100644 --- a/packages/apps/kubernetes/templates/helmreleases/cilium.yaml +++ b/packages/apps/kubernetes/templates/helmreleases/cilium.yaml @@ -18,7 +18,8 @@ spec: namespace: cozy-system kubeConfig: secretRef: - name: {{ .Release.Name }}-kubeconfig + name: {{ .Release.Name }}-admin-kubeconfig + key: super-admin.svc targetNamespace: cozy-cilium storageNamespace: cozy-cilium install: diff --git a/packages/apps/kubernetes/templates/helmreleases/csi.yaml b/packages/apps/kubernetes/templates/helmreleases/csi.yaml index 4f0bf29a..2fe33509 100644 --- a/packages/apps/kubernetes/templates/helmreleases/csi.yaml 
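Review bot: Every addon HelmRelease now authenticates to the tenant cluster with the `super-admin.svc` key of `{{ .Release.Name }}-admin-kubeconfig`, which by its name looks like an unrestricted admin credential rather than one scoped to what Flux needs; the same two-line change repeats in the cert-manager, cilium, csi, fluxcd, ingress-nginx, monitoring-agents and victoria-metrics-operator hunks that follow. If the previous `-kubeconfig` secret stopped working, the reason belongs in a comment next to the reference, for example `# uses the super-admin kubeconfig because <reason>; replace with a scoped identity when available`. Defining the secret name and key once in a named template and including it from all eight files would let the credential be swapped in one place. The `spec:` block these lines sit in starts and ends outside each hunk.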
+++ b/packages/apps/kubernetes/templates/helmreleases/csi.yaml @@ -18,7 +18,8 @@ spec: namespace: cozy-system kubeConfig: secretRef: - name: {{ .Release.Name }}-kubeconfig + name: {{ .Release.Name }}-admin-kubeconfig + key: super-admin.svc targetNamespace: cozy-csi storageNamespace: cozy-csi install: diff --git a/packages/apps/kubernetes/templates/helmreleases/fluxcd.yaml b/packages/apps/kubernetes/templates/helmreleases/fluxcd.yaml index fde18212..c11629b9 100644 --- a/packages/apps/kubernetes/templates/helmreleases/fluxcd.yaml +++ b/packages/apps/kubernetes/templates/helmreleases/fluxcd.yaml @@ -19,7 +19,8 @@ spec: namespace: cozy-system kubeConfig: secretRef: - name: {{ .Release.Name }}-kubeconfig + name: {{ .Release.Name }}-admin-kubeconfig + key: super-admin.svc targetNamespace: cozy-fluxcd storageNamespace: cozy-fluxcd install: diff --git a/packages/apps/kubernetes/templates/helmreleases/ingress-nginx.yaml b/packages/apps/kubernetes/templates/helmreleases/ingress-nginx.yaml index 0bb7f022..8daaf01f 100644 --- a/packages/apps/kubernetes/templates/helmreleases/ingress-nginx.yaml +++ b/packages/apps/kubernetes/templates/helmreleases/ingress-nginx.yaml @@ -19,7 +19,8 @@ spec: namespace: cozy-system kubeConfig: secretRef: - name: {{ .Release.Name }}-kubeconfig + name: {{ .Release.Name }}-admin-kubeconfig + key: super-admin.svc targetNamespace: cozy-ingress-nginx storageNamespace: cozy-ingress-nginx install: diff --git a/packages/apps/kubernetes/templates/helmreleases/monitoring-agents.yaml b/packages/apps/kubernetes/templates/helmreleases/monitoring-agents.yaml index dc8792d7..ab129e64 100644 --- a/packages/apps/kubernetes/templates/helmreleases/monitoring-agents.yaml +++ b/packages/apps/kubernetes/templates/helmreleases/monitoring-agents.yaml 
@@ -21,7 +21,8 @@ spec: namespace: cozy-system kubeConfig: secretRef: - name: {{ .Release.Name }}-kubeconfig + name: {{ .Release.Name }}-admin-kubeconfig + key: super-admin.svc targetNamespace: cozy-monitoring-agents storageNamespace: cozy-monitoring-agents install: diff --git a/packages/apps/kubernetes/templates/helmreleases/victoria-metrics-operator.yaml b/packages/apps/kubernetes/templates/helmreleases/victoria-metrics-operator.yaml index 1079654a..de19c968 100644 --- a/packages/apps/kubernetes/templates/helmreleases/victoria-metrics-operator.yaml +++ b/packages/apps/kubernetes/templates/helmreleases/victoria-metrics-operator.yaml @@ -19,7 +19,8 @@ spec: namespace: cozy-system kubeConfig: secretRef: - name: {{ .Release.Name }}-kubeconfig + name: {{ .Release.Name }}-admin-kubeconfig + key: super-admin.svc targetNamespace: cozy-victoria-metrics-operator storageNamespace: cozy-victoria-metrics-operator install: diff --git a/packages/apps/kubernetes/values.yaml b/packages/apps/kubernetes/values.yaml index cf66210a..e195b9b9 100644 --- a/packages/apps/kubernetes/values.yaml +++ b/packages/apps/kubernetes/values.yaml 
@@ -69,3 +69,63 @@ addons: ## enabled: false valuesOverride: {} + +## @section Kamaji control plane +## +kamajiControlPlane: + apiServer: + ## @param kamajiControlPlane.apiServer.resources Resources + resources: {} + # resources: + # limits: + # cpu: 4000m + # memory: 4Gi + # requests: + # cpu: 100m + # memory: 512Mi + + ## @param kamajiControlPlane.apiServer.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production). + resourcesPreset: "micro" + + controllerManager: + ## @param kamajiControlPlane.controllerManager.resources Resources + resources: {} + # resources: + # limits: + # cpu: 4000m + # memory: 4Gi + # requests: + # cpu: 100m + # memory: 512Mi + + ## @param kamajiControlPlane.controllerManager.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production). + resourcesPreset: "micro" + scheduler: + ## @param kamajiControlPlane.scheduler.resources Resources + resources: {} + # resources: + # limits: + # cpu: 4000m + # memory: 4Gi + # requests: + # cpu: 100m + # memory: 512Mi + + ## @param kamajiControlPlane.scheduler.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production). 
+ resourcesPreset: "micro" + addons: + konnectivity: + server: + ## @param kamajiControlPlane.addons.konnectivity.server.resources Resources + resources: {} + # resources: + # limits: + # cpu: 4000m + # memory: 4Gi + # requests: + # cpu: 100m + # memory: 512Mi + + ## @param kamajiControlPlane.addons.konnectivity.server.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production). + resourcesPreset: "micro" + \ No newline at end of file diff --git a/packages/apps/tcp-balancer/values.schema.json b/packages/apps/tcp-balancer/values.schema.json index e69de29b..73a0b045 100644 --- a/packages/apps/tcp-balancer/values.schema.json +++ b/packages/apps/tcp-balancer/values.schema.json 
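Review bot: `resourcesPreset: "micro"` is the default for `apiServer`, `controllerManager`, `scheduler` and the konnectivity server, while the `@param` text itself recommends `resources` for production and the preset helper in this patch describes the presets as for basic testing only. Assuming that helper is the one this chart resolves, `micro` caps memory at 384Mi, which may be too little for a tenant kube-apiserver and would surface as control-plane restarts; the sizing should be checked against a real tenant before it becomes the default, or `apiServer` given a larger preset. The hunk also ends with a whitespace-only added line and no newline at end of file, both of which are worth dropping.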
@@ -0,0 +1,72 @@ +{ + "title": "Chart Values", + "type": "object", + "properties": { + "external": { + "type": "boolean", + "description": "Enable external access from outside the cluster", + "default": false + }, + "replicas": { + "type": "number", + "description": "Number of HAProxy replicas", + "default": 2 + }, + "httpAndHttps": { + "type": "object", + "properties": { + "mode": { + "type": "string", + "description": "Mode for balancer. Allowed values: `tcp` and `tcp-with-proxy`", + "default": "tcp", + "enum": [ + "tcp", + "tcp-with-proxy" + ] + }, + "targetPorts": { + "type": "object", + "properties": { + "http": { + "type": "number", + "description": "HTTP port number.", + "default": 80 + }, + "https": { + "type": "number", + "description": "HTTPS port number.", + "default": 443 + } + } + }, + "endpoints": { + "type": "array", + "description": "Endpoint addresses list", + "default": [], + "items": {} + } + } + }, + "whitelistHTTP": { + "type": "boolean", + "description": "Secure HTTP by enabling client networks whitelisting", + "default": false + }, + "whitelist": { + "type": "array", + "description": "List of client networks", + "default": [], + "items": {} + }, + "resources": { + "type": "object", + "description": "Resources", + "default": {} + }, + "resourcesPreset": { + "type": "string", + "description": "Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if resources is set (resources is recommended for production).", + "default": "nano" + } + } +} diff --git a/packages/apps/tenant/Chart.yaml b/packages/apps/tenant/Chart.yaml index 7e1a5573..bba14724 100644 --- a/packages/apps/tenant/Chart.yaml +++ b/packages/apps/tenant/Chart.yaml @@ -4,4 +4,4 @@ description: Separated tenant namespace icon: /logos/tenant.svg type: application -version: 1.9.0 +version: 1.9.1 
diff --git a/packages/apps/tenant/templates/namespace.yaml b/packages/apps/tenant/templates/namespace.yaml index 3d2ec3b1..d97ebf42 100644 --- a/packages/apps/tenant/templates/namespace.yaml +++ b/packages/apps/tenant/templates/namespace.yaml @@ -41,6 +41,7 @@ metadata: {{- end }} {{- end }} {{- include "cozystack.namespace-anotations" (list $ $existingNS) | nindent 4 }} + alpha.kubevirt.io/auto-memory-limits-ratio: "1.0" ownerReferences: - apiVersion: v1 blockOwnerDeletion: true diff --git a/packages/apps/versions_map b/packages/apps/versions_map index 5f0d7e0e..f96e27b3 100644 --- a/packages/apps/versions_map +++ b/packages/apps/versions_map @@ -55,7 +55,8 @@ kubernetes 0.14.1 fde4bcfa kubernetes 0.15.0 cb7b8158 kubernetes 0.15.1 43e593c7 kubernetes 0.15.2 43e593c7 -kubernetes 0.16.0 HEAD +kubernetes 0.16.0 3d03b227 +kubernetes 0.17.0 HEAD mysql 0.1.0 f642698 mysql 0.2.0 8b975ff0 mysql 0.3.0 5ca8823 @@ -126,7 +127,8 @@ tenant 1.6.7 06afcf27 tenant 1.6.8 4cc48e6f tenant 1.7.0 6c73e3f3 tenant 1.8.0 e2369ba -tenant 1.9.0 HEAD +tenant 1.9.0 43e593c7 +tenant 1.9.1 HEAD virtual-machine 0.1.4 f2015d6 virtual-machine 0.1.5 7cd7de7 virtual-machine 0.2.0 5ca8823 diff --git a/packages/core/installer/values.yaml b/packages/core/installer/values.yaml index f058ed3f..10d61a69 100644 --- a/packages/core/installer/values.yaml +++ b/packages/core/installer/values.yaml @@ -1,2 +1,2 @@ cozystack: - image: kklinch0/installer:0.27.49@sha256:baf71ad11ade3ef10b9c77325a6385438054541f44248332afa3f95f8f66f7e5 + image: kklinch0/installer:0.27.58@sha256:51aaa5504b4e3507f93ea798ed4f75a1bdebec067f54ffd2b9c544732380708e diff --git a/packages/system/kubevirt/templates/kubevirt-cr.yaml b/packages/system/kubevirt/templates/kubevirt-cr.yaml index 5b0b3a0b..a292c15a 100644 --- a/packages/system/kubevirt/templates/kubevirt-cr.yaml +++ b/packages/system/kubevirt/templates/kubevirt-cr.yaml 
@@ -14,6 +14,7 @@ spec: - HotplugVolumes - ExpandDisks - LiveMigration + - AutoResourceLimitsGate evictionStrategy: LiveMigrate customizeComponents: {} imagePullPolicy: IfNotPresent From 1e03ba4a02e2e45a6c853a3d9b7bc31726999d6d Mon Sep 17 00:00:00 2001 From: kklinch0 Date: Wed, 19 Mar 2025 16:18:42 +0300 Subject: [PATCH 06/16] revert image Signed-off-by: kklinch0 --- packages/core/installer/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packages/core/installer/values.yaml b/packages/core/installer/values.yaml index 10d61a69..c3b3f641 100644 --- a/packages/core/installer/values.yaml +++ b/packages/core/installer/values.yaml @@ -1,2 +1,2 @@ cozystack: - image: kklinch0/installer:0.27.58@sha256:51aaa5504b4e3507f93ea798ed4f75a1bdebec067f54ffd2b9c544732380708e + image: ghcr.io/cozystack/cozystack/installer:v0.28.0@sha256:71ae2037ca44d49bbcf8be56c127ee92f2486089a8ea1cdd6508af49705956ac From aa3a36831c0c513a47246f9d757595c87b0db1ee Mon Sep 17 00:00:00 2001 From: kklinch0 Date: Thu, 20 Mar 2025 14:47:03 +0300 Subject: [PATCH 07/16] fix mi Signed-off-by: kklinch0 --- .../templates/cluster-autoscaler/deployment.yaml | 2 +- packages/apps/kubernetes/templates/csi/deploy.yaml | 8 ++++---- packages/apps/kubernetes/templates/kccm/manager.yaml | 2 +- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/packages/apps/kubernetes/templates/cluster-autoscaler/deployment.yaml b/packages/apps/kubernetes/templates/cluster-autoscaler/deployment.yaml index 73d14cf5..508069b6 100644 --- a/packages/apps/kubernetes/templates/cluster-autoscaler/deployment.yaml +++ b/packages/apps/kubernetes/templates/cluster-autoscaler/deployment.yaml @@ -32,7 +32,7 @@ spec: memory: 512Mi requests: cpu: 124m - memory: 124Mi + memory: 128Mi command: - /cluster-autoscaler args: diff --git a/packages/apps/kubernetes/templates/csi/deploy.yaml b/packages/apps/kubernetes/templates/csi/deploy.yaml index a93dfd2a..5312715e 100644 
--- a/packages/apps/kubernetes/templates/csi/deploy.yaml +++ b/packages/apps/kubernetes/templates/csi/deploy.yaml @@ -68,7 +68,7 @@ spec: memory: 512Mi requests: cpu: 124m - memory: 124Mi + memory: 128Mi - name: csi-provisioner image: quay.io/openshift/origin-csi-external-provisioner:latest resources: @@ -77,7 +77,7 @@ spec: memory: 512Mi requests: cpu: 124m - memory: 124Mi + memory: 128Mi args: - "--csi-address=$(ADDRESS)" - "--default-fstype=ext4" @@ -117,7 +117,7 @@ spec: memory: 512Mi requests: cpu: 124m - memory: 124Mi + memory: 128Mi - name: csi-liveness-probe image: quay.io/openshift/origin-csi-livenessprobe:latest args: @@ -133,7 +133,7 @@ spec: memory: 512Mi requests: cpu: 124m - memory: 124Mi + memory: 128Mi volumes: - name: socket-dir emptyDir: {} diff --git a/packages/apps/kubernetes/templates/kccm/manager.yaml b/packages/apps/kubernetes/templates/kccm/manager.yaml index dd5ad50f..b9717e71 100644 --- a/packages/apps/kubernetes/templates/kccm/manager.yaml +++ b/packages/apps/kubernetes/templates/kccm/manager.yaml @@ -41,7 +41,7 @@ spec: memory: 512Mi requests: cpu: 124m - memory: 124Mi + memory: 128Mi volumeMounts: - mountPath: /etc/kubernetes/kubeconfig name: kubeconfig From 5729666e7202491da7fb15fa262a7f97027d15a3 Mon Sep 17 00:00:00 2001 From: kklinch0 Date: Thu, 20 Mar 2025 14:52:00 +0300 Subject: [PATCH 08/16] fix cpu Signed-off-by: kklinch0 --- packages/extra/monitoring/templates/alerta/alerta-db.yaml | 2 +- packages/extra/monitoring/templates/grafana/db.yaml | 2 +- packages/extra/monitoring/values.yaml | 4 ++-- packages/extra/seaweedfs/templates/vpa.yaml | 6 +++--- packages/system/capi-providers/templates/providers.yaml | 2 +- packages/system/ingress-nginx/values.yaml | 2 +- packages/system/seaweedfs/templates/database.yaml | 2 +- 7 files changed, 10 insertions(+), 10 deletions(-) diff --git a/packages/extra/monitoring/templates/alerta/alerta-db.yaml b/packages/extra/monitoring/templates/alerta/alerta-db.yaml index dbbffb5b..ea10e6a1 100644 
--- a/packages/extra/monitoring/templates/alerta/alerta-db.yaml +++ b/packages/extra/monitoring/templates/alerta/alerta-db.yaml @@ -19,7 +19,7 @@ spec: {{- end }} resources: limits: - cpu: 1024m + cpu: "1" memory: 2048Mi requests: cpu: 100m diff --git a/packages/extra/monitoring/templates/grafana/db.yaml b/packages/extra/monitoring/templates/grafana/db.yaml index 6f8a9281..e4ea3f95 100644 --- a/packages/extra/monitoring/templates/grafana/db.yaml +++ b/packages/extra/monitoring/templates/grafana/db.yaml @@ -17,7 +17,7 @@ spec: enablePodMonitor: true resources: limits: - cpu: 1024m + cpu: "1" memory: 2048Mi requests: cpu: 100m diff --git a/packages/extra/monitoring/values.yaml b/packages/extra/monitoring/values.yaml index 1d9a174b..c359df3a 100644 --- a/packages/extra/monitoring/values.yaml +++ b/packages/extra/monitoring/values.yaml @@ -63,7 +63,7 @@ alerta: storageClassName: "" resources: limits: - cpu: 1024m + cpu: "1" memory: 1Gi requests: cpu: 100m @@ -90,7 +90,7 @@ grafana: size: 10Gi resources: limits: - cpu: 1024m + cpu: "1" memory: 1Gi requests: cpu: 100m diff --git a/packages/extra/seaweedfs/templates/vpa.yaml b/packages/extra/seaweedfs/templates/vpa.yaml index c3c2d3f8..fff252a6 100644 --- a/packages/extra/seaweedfs/templates/vpa.yaml +++ b/packages/extra/seaweedfs/templates/vpa.yaml @@ -16,7 +16,7 @@ spec: cpu: 250m memory: 256Mi maxAllowed: - cpu: 1024m + cpu: "1" memory: 2048Mi --- @@ -39,7 +39,7 @@ spec: cpu: 250m memory: 256Mi maxAllowed: - cpu: 1024m + cpu: "1" memory: 2048Mi --- @@ -62,5 +62,5 @@ spec: cpu: 250m memory: 256Mi maxAllowed: - cpu: 1024m + cpu: "1" memory: 2048Mi diff --git a/packages/system/capi-providers/templates/providers.yaml b/packages/system/capi-providers/templates/providers.yaml index 6878d424..f6cd7870 100644 --- a/packages/system/capi-providers/templates/providers.yaml +++ b/packages/system/capi-providers/templates/providers.yaml 
@@ -19,7 +19,7 @@ spec: - name: manager resources: limits: - cpu: 1024m + cpu: "1" memory: 1024Mi --- apiVersion: operator.cluster.x-k8s.io/v1alpha2 diff --git a/packages/system/ingress-nginx/values.yaml b/packages/system/ingress-nginx/values.yaml index 607838b5..3515968a 100644 --- a/packages/system/ingress-nginx/values.yaml +++ b/packages/system/ingress-nginx/values.yaml @@ -49,7 +49,7 @@ ingress-nginx: ssl-session-tickets: "true" resources: limits: - cpu: 1024m + cpu: "1" memory: 2048Mi requests: cpu: 100m diff --git a/packages/system/seaweedfs/templates/database.yaml b/packages/system/seaweedfs/templates/database.yaml index 892a3ac3..dc11b101 100644 --- a/packages/system/seaweedfs/templates/database.yaml +++ b/packages/system/seaweedfs/templates/database.yaml @@ -12,7 +12,7 @@ spec: enablePodMonitor: true resources: limits: - cpu: 1024m + cpu: "1" memory: 2048Mi requests: cpu: 100m From f6d4541db36b1a417544a4a62d1c37fc66bb583a Mon Sep 17 00:00:00 2001 From: kklinch0 Date: Thu, 20 Mar 2025 14:57:22 +0300 Subject: [PATCH 09/16] fix cpu Signed-off-by: kklinch0 --- .../templates/cluster-autoscaler/deployment.yaml | 2 +- packages/apps/kubernetes/templates/csi/deploy.yaml | 8 ++++---- packages/apps/kubernetes/templates/kccm/manager.yaml | 2 +- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/packages/apps/kubernetes/templates/cluster-autoscaler/deployment.yaml b/packages/apps/kubernetes/templates/cluster-autoscaler/deployment.yaml index 508069b6..a00e0155 100644 --- a/packages/apps/kubernetes/templates/cluster-autoscaler/deployment.yaml +++ b/packages/apps/kubernetes/templates/cluster-autoscaler/deployment.yaml @@ -31,7 +31,7 @@ spec: cpu: 512m memory: 512Mi requests: - cpu: 124m + cpu: 125m memory: 128Mi command: - /cluster-autoscaler diff --git a/packages/apps/kubernetes/templates/csi/deploy.yaml b/packages/apps/kubernetes/templates/csi/deploy.yaml index 5312715e..27a37454 100644 --- a/packages/apps/kubernetes/templates/csi/deploy.yaml 
+++ b/packages/apps/kubernetes/templates/csi/deploy.yaml @@ -67,7 +67,7 @@ spec: cpu: 512m memory: 512Mi requests: - cpu: 124m + cpu: 125m memory: 128Mi - name: csi-provisioner image: quay.io/openshift/origin-csi-external-provisioner:latest @@ -76,7 +76,7 @@ spec: cpu: 512m memory: 512Mi requests: - cpu: 124m + cpu: 125m memory: 128Mi args: - "--csi-address=$(ADDRESS)" @@ -116,7 +116,7 @@ spec: cpu: 512m memory: 512Mi requests: - cpu: 124m + cpu: 125m memory: 128Mi - name: csi-liveness-probe image: quay.io/openshift/origin-csi-livenessprobe:latest @@ -132,7 +132,7 @@ spec: cpu: 512m memory: 512Mi requests: - cpu: 124m + cpu: 125m memory: 128Mi volumes: - name: socket-dir diff --git a/packages/apps/kubernetes/templates/kccm/manager.yaml b/packages/apps/kubernetes/templates/kccm/manager.yaml index b9717e71..81426d4e 100644 --- a/packages/apps/kubernetes/templates/kccm/manager.yaml +++ b/packages/apps/kubernetes/templates/kccm/manager.yaml @@ -40,7 +40,7 @@ spec: cpu: 512m memory: 512Mi requests: - cpu: 124m + cpu: 125m memory: 128Mi volumeMounts: - mountPath: /etc/kubernetes/kubeconfig From b1baaa7d981abd9d286e628e800c20832335af4c Mon Sep 17 00:00:00 2001 From: Kingdon Barrett Date: Sun, 23 Mar 2025 16:22:03 -0400 Subject: [PATCH 10/16] Update Flux Operator to 0.18.0 (#703) Released early this week https://github.com/controlplaneio-fluxcd/flux-operator/releases/tag/v0.18.0 ## Summary by CodeRabbit - **New Features** - Upgraded the charts to version 0.18.0. - Added options for custom pod scheduling using node selectors. - Introduced a reporting configuration with a customizable interval through an environment variable. - **Documentation** - Updated release information and configuration details to reflect the new options and version update. 
Signed-off-by: Kingdon B --- .../charts/flux-operator/Chart.yaml | 4 ++-- .../charts/flux-operator/README.md | 4 +++- .../flux-operator/templates/deployment.yaml | 7 +++++++ .../charts/flux-operator/values.schema.json | 17 +++++++++++++++++ .../charts/flux-operator/values.yaml | 7 +++++++ .../fluxcd/charts/flux-instance/Chart.yaml | 4 ++-- .../fluxcd/charts/flux-instance/README.md | 2 +- 7 files changed, 39 insertions(+), 6 deletions(-) diff --git a/packages/system/fluxcd-operator/charts/flux-operator/Chart.yaml b/packages/system/fluxcd-operator/charts/flux-operator/Chart.yaml index a88cbb77..93402076 100644 --- a/packages/system/fluxcd-operator/charts/flux-operator/Chart.yaml +++ b/packages/system/fluxcd-operator/charts/flux-operator/Chart.yaml @@ -8,7 +8,7 @@ annotations: - name: Upstream Project url: https://github.com/controlplaneio-fluxcd/flux-operator apiVersion: v2 -appVersion: v0.17.0 +appVersion: v0.18.0 description: 'A Helm chart for deploying the Flux Operator. ' home: https://github.com/controlplaneio-fluxcd icon: https://raw.githubusercontent.com/cncf/artwork/main/projects/flux/icon/color/flux-icon-color.png @@ -25,4 +25,4 @@ sources: - https://github.com/controlplaneio-fluxcd/flux-operator - https://github.com/controlplaneio-fluxcd/charts type: application -version: 0.17.0 +version: 0.18.0 diff --git a/packages/system/fluxcd-operator/charts/flux-operator/README.md b/packages/system/fluxcd-operator/charts/flux-operator/README.md index 838dfe1e..7a1090ac 100644 --- a/packages/system/fluxcd-operator/charts/flux-operator/README.md +++ b/packages/system/fluxcd-operator/charts/flux-operator/README.md 
@@ -1,6 +1,6 @@ # flux-operator -![Version: 0.17.0](https://img.shields.io/badge/Version-0.17.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.17.0](https://img.shields.io/badge/AppVersion-v0.17.0-informational?style=flat-square) +![Version: 0.18.0](https://img.shields.io/badge/Version-0.18.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.18.0](https://img.shields.io/badge/AppVersion-v0.18.0-informational?style=flat-square) The [Flux Operator](https://github.com/controlplaneio-fluxcd/flux-operator) provides a declarative API for the installation and upgrade of CNCF [Flux](https://fluxcd.io) and the 
@@ -46,11 +46,13 @@ see the Flux Operator [documentation](https://fluxcd.control-plane.io/operator/) | marketplace | object | `{"account":"","license":"","type":""}` | Marketplace settings. | | multitenancy | object | `{"defaultServiceAccount":"flux-operator","enabled":false}` | Enable [multitenancy lockdown](https://fluxcd.control-plane.io/operator/resourceset/#role-based-access-control) for the ResourceSet APIs. | | nameOverride | string | `""` | | +| nodeSelector | object | `{}` | Pod Node Selector settings. | | podSecurityContext | object | `{}` | Pod security context settings. | | priorityClassName | string | `""` | Pod priority class name. Recommended value is system-cluster-critical. | | rbac.create | bool | `true` | Grant the cluster-admin role to the flux-operator service account (required for the Flux Instance deployment). | | rbac.createAggregation | bool | `true` | Grant the Kubernetes view, edit and admin roles access to ResourceSet APIs. | | readinessProbe | object | `{"httpGet":{"path":"/readyz","port":8081},"initialDelaySeconds":5,"periodSeconds":10}` | Container readiness probe settings. | +| reporting | object | `{"interval":"5m"}` | Flux [reporting](https://fluxcd.control-plane.io/operator/fluxreport/) settings. | | resources | object | `{"limits":{"cpu":"1000m","memory":"1Gi"},"requests":{"cpu":"100m","memory":"64Mi"}}` | Container resources requests and limits settings. | | securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsNonRoot":true,"seccompProfile":{"type":"RuntimeDefault"}}` | Container security context settings. The default is compliant with the pod security restricted profile. | | serviceAccount | object | `{"automount":true,"create":true,"name":""}` | Pod service account settings. The name of the service account defaults to the release name. | 
diff --git a/packages/system/fluxcd-operator/charts/flux-operator/templates/deployment.yaml b/packages/system/fluxcd-operator/charts/flux-operator/templates/deployment.yaml index 1fe17f4f..8767d972 100644 --- a/packages/system/fluxcd-operator/charts/flux-operator/templates/deployment.yaml +++ b/packages/system/fluxcd-operator/charts/flux-operator/templates/deployment.yaml @@ -61,6 +61,8 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace + - name: REPORTING_INTERVAL + value: {{ .Values.reporting.interval }} {{- with .Values.marketplace.type }} - name: MARKETPLACE_TYPE value: {{ . }} @@ -108,3 +110,8 @@ spec: tolerations: {{- toYaml . | nindent 8 }} {{- end }} + {{- with .Values.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + diff --git a/packages/system/fluxcd-operator/charts/flux-operator/values.schema.json b/packages/system/fluxcd-operator/charts/flux-operator/values.schema.json index 326bedfe..b033d9f6 100644 --- a/packages/system/fluxcd-operator/charts/flux-operator/values.schema.json +++ b/packages/system/fluxcd-operator/charts/flux-operator/values.schema.json @@ -194,6 +194,12 @@ "nameOverride": { "type": "string" }, + "nodeSelector": { + "properties": {}, + "type": [ + "object" + ] + }, "podSecurityContext": { "default": { "fsGroup": 1337 @@ -246,6 +252,17 @@ }, "type": "object" }, + "reporting": { + "properties": { + "interval": { + "type": "string" + } + }, + "required": [ + "interval" + ], + "type": "object" + }, "resources": { "properties": { "limits": { diff --git a/packages/system/fluxcd-operator/charts/flux-operator/values.yaml b/packages/system/fluxcd-operator/charts/flux-operator/values.yaml index b91a25fd..f1accd65 100644 --- a/packages/system/fluxcd-operator/charts/flux-operator/values.yaml +++ b/packages/system/fluxcd-operator/charts/flux-operator/values.yaml 
@@ -8,6 +8,10 @@ multitenancy: enabled: false defaultServiceAccount: "flux-operator" # @schema required: true +# -- Flux [reporting](https://fluxcd.control-plane.io/operator/fluxreport/) settings. +reporting: + interval: 5m # @schema required: true + # -- Install and upgrade the custom resource definitions. installCRDs: true # @schema default: true @@ -96,6 +100,9 @@ affinity: # @schema default: {"nodeAffinity":{"requiredDuringSchedulingIgnoredDu # -- Pod tolerations settings. tolerations: [ ] # @schema item: object ; uniqueItems: true +# -- Pod Node Selector settings. +nodeSelector: { } # @schema type: object + # -- If `true`, the container ports (`8080` and `8081`) are exposed on the host network. hostNetwork: false # @schema default: false diff --git a/packages/system/fluxcd/charts/flux-instance/Chart.yaml b/packages/system/fluxcd/charts/flux-instance/Chart.yaml index 46970bd7..a065c181 100644 --- a/packages/system/fluxcd/charts/flux-instance/Chart.yaml +++ b/packages/system/fluxcd/charts/flux-instance/Chart.yaml @@ -8,7 +8,7 @@ annotations: - name: Upstream Project url: https://github.com/controlplaneio-fluxcd/flux-operator apiVersion: v2 -appVersion: v0.17.0 +appVersion: v0.18.0 description: 'A Helm chart for deploying a Flux instance managed by Flux Operator. ' home: https://github.com/controlplaneio-fluxcd icon: https://raw.githubusercontent.com/cncf/artwork/main/projects/flux/icon/color/flux-icon-color.png @@ -25,4 +25,4 @@ sources: - https://github.com/controlplaneio-fluxcd/flux-operator - https://github.com/controlplaneio-fluxcd/charts type: application -version: 0.17.0 +version: 0.18.0 diff --git a/packages/system/fluxcd/charts/flux-instance/README.md b/packages/system/fluxcd/charts/flux-instance/README.md index d2f2f291..d56bb5f2 100644 --- a/packages/system/fluxcd/charts/flux-instance/README.md +++ b/packages/system/fluxcd/charts/flux-instance/README.md 
@@ -1,6 +1,6 @@ # flux-instance -![Version: 0.17.0](https://img.shields.io/badge/Version-0.17.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.17.0](https://img.shields.io/badge/AppVersion-v0.17.0-informational?style=flat-square) +![Version: 0.18.0](https://img.shields.io/badge/Version-0.18.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.18.0](https://img.shields.io/badge/AppVersion-v0.18.0-informational?style=flat-square) This chart is a thin wrapper around the `FluxInstance` custom resource, which is used by the [Flux Operator](https://github.com/controlplaneio-fluxcd/flux-operator) From 2d997a4f8dddb173f36888edfd62bb589b4c4f4c Mon Sep 17 00:00:00 2001 From: xy2 Date: Sun, 23 Mar 2025 23:22:26 +0300 Subject: [PATCH 11/16] Remove workaround for ZFS tools. (#704) The mounting of /run parts was fixed in a consistent way upstream. fixes #699 ## Summary by CodeRabbit - **Chores** - Streamlined satellite configurations by removing an unnecessary volume setting from a container. - Eliminated an unneeded container entry along with its related configuration, reducing overall complexity. Signed-off-by: Denis Seleznev --- .../system/linstor/templates/satellites-plunger.yaml | 2 -- packages/system/linstor/templates/satellites-talos.yaml | 9 --------- 2 files changed, 11 deletions(-) diff --git a/packages/system/linstor/templates/satellites-plunger.yaml b/packages/system/linstor/templates/satellites-plunger.yaml index d70191e0..b3abd152 100644 --- a/packages/system/linstor/templates/satellites-plunger.yaml +++ b/packages/system/linstor/templates/satellites-plunger.yaml @@ -25,8 +25,6 @@ spec: # make some room for live debugging readOnlyRootFilesystem: false volumeMounts: - - mountPath: /run - name: host-run - mountPath: /dev name: dev - mountPath: /var/lib/drbd 
diff --git a/packages/system/linstor/templates/satellites-talos.yaml b/packages/system/linstor/templates/satellites-talos.yaml index 6c65cc95..c5be9204 100644 --- a/packages/system/linstor/templates/satellites-talos.yaml +++ b/packages/system/linstor/templates/satellites-talos.yaml @@ -22,11 +22,6 @@ spec: $patch: delete - name: drbd-module-loader $patch: delete - containers: - - name: linstor-satellite - volumeMounts: - - mountPath: /run - name: host-run volumes: - name: run-systemd-system $patch: delete @@ -46,7 +41,3 @@ spec: hostPath: path: /var/etc/lvm/archive type: DirectoryOrCreate - - name: host-run - hostPath: - path: /run - type: DirectoryOrCreate From 92e2173fa5e4e87ef38fec2fce92f80356be0df4 Mon Sep 17 00:00:00 2001 From: Nick Volynkin Date: Mon, 24 Mar 2025 19:46:41 +0200 Subject: [PATCH 12/16] Fix typo in VirtualPodAutoscaler Makefile Makefile was copied from VictoriaMetrics Operator, some lines were not changed. Follow-up to #676 Resolves #705 Signed-off-by: Nick Volynkin --- packages/system/vertical-pod-autoscaler/Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/packages/system/vertical-pod-autoscaler/Makefile b/packages/system/vertical-pod-autoscaler/Makefile index 465eef91..389f9c6e 100644 --- a/packages/system/vertical-pod-autoscaler/Makefile +++ b/packages/system/vertical-pod-autoscaler/Makefile @@ -1,11 +1,11 @@ -export NAME=victoria-metrics-operator +export NAME=vertical-pod-autoscaler export NAMESPACE=cozy-$(NAME) include ../../../scripts/package.mk update: rm -rf charts - # VictoriaMetrics operator + # VirtualPodAutoscaler operator helm repo add cowboysysop https://cowboysysop.github.io/charts/ helm repo update cowboysysop helm pull cowboysysop/vertical-pod-autoscaler --untar --untardir charts From 209a3ef181ddace4aa2a7c193c3e868cc5d04c75 Mon Sep 17 00:00:00 2001 From: Andrei Kvapil Date: Tue, 25 Mar 2025 12:58:19 +0100 Subject: [PATCH 13/16] Fix dependency for piraeus-operator 
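Review bot: The replacement comment in the `update` target, `# VirtualPodAutoscaler operator`, still names the wrong component: `NAME` is now `vertical-pod-autoscaler` and the chart pulled a few lines below is `cowboysysop/vertical-pod-autoscaler`, so the word should be Vertical, not Virtual. I would write `# Vertical Pod Autoscaler` and drop "operator", which looks like a leftover from the VictoriaMetrics Makefile this file was copied from. The `update` target may continue past the end of the hunk.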
Signed-off-by: Andrei Kvapil --- packages/core/platform/bundles/paas-full.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packages/core/platform/bundles/paas-full.yaml b/packages/core/platform/bundles/paas-full.yaml index cd9cb806..7bf3c977 100644 --- a/packages/core/platform/bundles/paas-full.yaml +++ b/packages/core/platform/bundles/paas-full.yaml @@ -205,7 +205,7 @@ releases: releaseName: piraeus-operator chart: cozy-piraeus-operator namespace: cozy-linstor - dependsOn: [cilium,kubeovn,cert-manager] + dependsOn: [cilium,kubeovn,cert-manager,victoria-metrics-operator] - name: linstor releaseName: linstor From 0045ddc7572e27bb70d9d7006b07a747a9fa1b2b Mon Sep 17 00:00:00 2001 From: Timofei Larkin Date: Tue, 25 Mar 2025 09:41:10 +0300 Subject: [PATCH 14/16] Update ingress-nginx to mitigate CVE-2025-1974 Closes #709 
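Review bot: The new `victoria-metrics-operator` entry in `dependsOn` for the `piraeus-operator` release comes with no stated reason, either in the commit message or next to the line, so a later cleanup could drop it again without anyone knowing what breaks. Presumably the piraeus chart creates monitoring resources whose CRDs that operator installs; if so, record it above the line, for example `# needs the monitoring CRDs installed by victoria-metrics-operator`. Other bundles that install piraeus-operator are not visible in this patch and may need the same entry. The release list continues outside the hunk.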
Signed-off-by: Timofei Larkin --- .../charts/ingress-nginx/Chart.yaml | 8 +-- .../ingress-nginx/charts/ingress-nginx/OWNERS | 6 -- .../charts/ingress-nginx/README.md | 42 ++++++++++---- .../charts/ingress-nginx/README.md.gotmpl | 18 ++++++ ...mission-webhooks-cert-manager-values.yaml} | 8 ++- ...ler-admission-tls-cert-manager-values.yaml | 6 -- ...ontroller-configmap-addheaders-values.yaml | 11 ++++ ...troller-configmap-proxyheaders-values.yaml | 11 ++++ ....yaml => controller-configmap-values.yaml} | 9 ++- .../controller-custom-ingressclass-flags.yaml | 7 --- ...roller-daemonset-extra-modules-values.yaml | 30 ++++++++++ ... controller-daemonset-metrics-values.yaml} | 9 ++- ...oller-daemonset-opentelemetry-values.yaml} | 4 ++ ...ller-daemonset-podannotations-values.yaml} | 13 ++--- ....yaml => controller-daemonset-values.yaml} | 4 +- ...oller-deployment-extra-modules-values.yaml | 30 ++++++++++ ...controller-deployment-metrics-values.yaml} | 8 ++- ...ller-deployment-opentelemetry-values.yaml} | 10 ++-- ...ler-deployment-podannotations-values.yaml} | 12 ++-- .../ci/controller-deployment-values.yaml | 10 ++++ ...values.yaml => controller-hpa-values.yaml} | 12 ++-- .../ci/controller-ingressclass-values.yaml | 15 +++++ ...> controller-service-internal-values.yaml} | 5 +- ...es.yaml => controller-service-values.yaml} | 10 ++-- .../ci/daemonset-customconfig-values.yaml | 14 ----- .../ci/daemonset-customnodeport-values.yaml | 22 -------- .../ci/daemonset-extra-modules.yaml | 13 ----- .../ci/daemonset-headers-values.yaml | 14 ----- .../ci/daemonset-nodeport-values.yaml | 10 ---- ...set-tcp-udp-configMapNamespace-values.yaml | 20 ------- ...emonset-tcp-udp-portNamePrefix-values.yaml | 18 ------ .../ci/daemonset-tcp-udp-values.yaml | 16 ------ .../ci/daemonset-tcp-values.yaml | 14 ----- .../ci/deamonset-metrics-values.yaml | 12 ---- .../ci/deployment-autoscaling-values.yaml | 11 ---- ...modules-default-container-sec-context.yaml | 15 ----- 
...odules-specific-container-sec-context.yaml | 15 ----- .../ci/deployment-extra-modules.yaml | 13 ----- .../ci/deployment-headers-values.yaml | 13 ----- .../ci/deployment-internal-lb-values.yaml | 19 ------- .../ci/deployment-nodeport-values.yaml | 9 --- ...ent-tcp-udp-configMapNamespace-values.yaml | 19 ------- ...loyment-tcp-udp-portNamePrefix-values.yaml | 17 ------ .../ci/deployment-tcp-udp-values.yaml | 15 ----- .../ci/deployment-tcp-values.yaml | 11 ---- .../deployment-webhook-extraEnvs-values.yaml | 12 ---- .../deployment-webhook-resources-values.yaml | 23 -------- .../ingress-nginx/templates/_helpers.tpl | 11 +--- .../validating-webhook.yaml | 1 + .../templates/controller-daemonset.yaml | 1 - .../templates/controller-deployment.yaml | 1 - ...es.yaml => controller-prometheusrule.yaml} | 0 .../templates/controller-service-webhook.yaml | 2 +- .../templates/controller-servicemonitor.yaml | 55 +++++++++---------- .../templates/default-backend-deployment.yaml | 2 +- .../default-backend-poddisruptionbudget.yaml | 6 +- .../default-backend-serviceaccount.yaml | 4 +- .../job-patch/serviceaccount_test.yaml | 2 +- .../validating-webhook_test.yaml | 32 +++++++++++ .../tests/controller-configmap_test.yaml | 16 +++--- .../tests/controller-daemonset_test.yaml | 32 +++++++++++ .../tests/controller-deployment_test.yaml | 29 ++++++++++ .../controller-poddisruptionbudget_test.yaml | 16 ++++++ .../tests/controller-prometheusrule_test.yaml | 17 ++++++ .../controller-service-webhook_test.yaml | 32 +++++++++++ .../tests/controller-serviceaccount_test.yaml | 47 ++++++++++++++++ .../tests/controller-servicemonitor_test.yaml | 29 ++++++++++ .../default-backend-deployment_test.yaml | 32 +++++++++++ ...ault-backend-poddisruptionbudget_test.yaml | 48 ++++++++++++++++ .../default-backend-serviceaccount_test.yaml | 51 +++++++++++++++++ .../charts/ingress-nginx/values.yaml | 28 +++++++--- packages/system/ingress-nginx/values.yaml | 8 +-- 72 files changed, 654 insertions(+), 491 
deletions(-) rename packages/system/ingress-nginx/charts/ingress-nginx/ci/{deamonset-default-values.yaml => admission-webhooks-cert-manager-values.yaml} (79%) delete mode 100644 packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-admission-tls-cert-manager-values.yaml create mode 100644 packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-configmap-addheaders-values.yaml create mode 100644 packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-configmap-proxyheaders-values.yaml rename packages/system/ingress-nginx/charts/ingress-nginx/ci/{deployment-customconfig-values.yaml => controller-configmap-values.yaml} (70%) delete mode 100644 packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-custom-ingressclass-flags.yaml create mode 100644 packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-daemonset-extra-modules-values.yaml rename packages/system/ingress-nginx/charts/ingress-nginx/ci/{deamonset-webhook-values.yaml => controller-daemonset-metrics-values.yaml} (89%) rename packages/system/ingress-nginx/charts/ingress-nginx/ci/{deployment-opentelemetry-customregistry-values.yaml => controller-daemonset-opentelemetry-values.yaml} (88%) rename packages/system/ingress-nginx/charts/ingress-nginx/ci/{daemonset-podannotations-values.yaml => controller-daemonset-podannotations-values.yaml} (81%) rename packages/system/ingress-nginx/charts/ingress-nginx/ci/{deployment-default-values.yaml => controller-daemonset-values.yaml} (78%) create mode 100644 packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-deployment-extra-modules-values.yaml rename packages/system/ingress-nginx/charts/ingress-nginx/ci/{deployment-webhook-values.yaml => controller-deployment-metrics-values.yaml} (82%) rename packages/system/ingress-nginx/charts/ingress-nginx/ci/{deployment-metrics-values.yaml => controller-deployment-opentelemetry-values.yaml} (74%) rename 
packages/system/ingress-nginx/charts/ingress-nginx/ci/{deployment-podannotations-values.yaml => controller-deployment-podannotations-values.yaml} (80%) create mode 100644 packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-deployment-values.yaml rename packages/system/ingress-nginx/charts/ingress-nginx/ci/{deployment-autoscaling-behavior-values.yaml => controller-hpa-values.yaml} (71%) create mode 100644 packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-ingressclass-values.yaml rename packages/system/ingress-nginx/charts/ingress-nginx/ci/{daemonset-internal-lb-values.yaml => controller-service-internal-values.yaml} (81%) rename packages/system/ingress-nginx/charts/ingress-nginx/ci/{deployment-customnodeport-values.yaml => controller-service-values.yaml} (69%) delete mode 100644 packages/system/ingress-nginx/charts/ingress-nginx/ci/daemonset-customconfig-values.yaml delete mode 100644 packages/system/ingress-nginx/charts/ingress-nginx/ci/daemonset-customnodeport-values.yaml delete mode 100644 packages/system/ingress-nginx/charts/ingress-nginx/ci/daemonset-extra-modules.yaml delete mode 100644 packages/system/ingress-nginx/charts/ingress-nginx/ci/daemonset-headers-values.yaml delete mode 100644 packages/system/ingress-nginx/charts/ingress-nginx/ci/daemonset-nodeport-values.yaml delete mode 100644 packages/system/ingress-nginx/charts/ingress-nginx/ci/daemonset-tcp-udp-configMapNamespace-values.yaml delete mode 100644 packages/system/ingress-nginx/charts/ingress-nginx/ci/daemonset-tcp-udp-portNamePrefix-values.yaml delete mode 100644 packages/system/ingress-nginx/charts/ingress-nginx/ci/daemonset-tcp-udp-values.yaml delete mode 100644 packages/system/ingress-nginx/charts/ingress-nginx/ci/daemonset-tcp-values.yaml delete mode 100644 packages/system/ingress-nginx/charts/ingress-nginx/ci/deamonset-metrics-values.yaml delete mode 100644 packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-autoscaling-values.yaml delete mode 100644 
packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-extra-modules-default-container-sec-context.yaml delete mode 100644 packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-extra-modules-specific-container-sec-context.yaml delete mode 100644 packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-extra-modules.yaml delete mode 100644 packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-headers-values.yaml delete mode 100644 packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-internal-lb-values.yaml delete mode 100644 packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-nodeport-values.yaml delete mode 100644 packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-tcp-udp-configMapNamespace-values.yaml delete mode 100644 packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-tcp-udp-portNamePrefix-values.yaml delete mode 100644 packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-tcp-udp-values.yaml delete mode 100644 packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-tcp-values.yaml delete mode 100644 packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-webhook-extraEnvs-values.yaml delete mode 100644 packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-webhook-resources-values.yaml rename packages/system/ingress-nginx/charts/ingress-nginx/templates/{controller-prometheusrules.yaml => controller-prometheusrule.yaml} (100%) create mode 100644 packages/system/ingress-nginx/charts/ingress-nginx/tests/admission-webhooks/validating-webhook_test.yaml create mode 100644 packages/system/ingress-nginx/charts/ingress-nginx/tests/controller-prometheusrule_test.yaml create mode 100644 packages/system/ingress-nginx/charts/ingress-nginx/tests/controller-service-webhook_test.yaml create mode 100644 packages/system/ingress-nginx/charts/ingress-nginx/tests/controller-serviceaccount_test.yaml create mode 100644 
packages/system/ingress-nginx/charts/ingress-nginx/tests/controller-servicemonitor_test.yaml create mode 100644 packages/system/ingress-nginx/charts/ingress-nginx/tests/default-backend-poddisruptionbudget_test.yaml create mode 100644 packages/system/ingress-nginx/charts/ingress-nginx/tests/default-backend-serviceaccount_test.yaml diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/Chart.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/Chart.yaml index 62c880fc..39142ef4 100644 --- a/packages/system/ingress-nginx/charts/ingress-nginx/Chart.yaml +++ b/packages/system/ingress-nginx/charts/ingress-nginx/Chart.yaml @@ -1,9 +1,9 @@ annotations: artifacthub.io/changes: | - - Update Ingress-Nginx version controller-v1.11.1 + - Update Ingress-Nginx version controller-v1.11.5 artifacthub.io/prerelease: "false" apiVersion: v2 -appVersion: 1.11.1 +appVersion: 1.11.5 description: Ingress controller for Kubernetes using NGINX as a reverse proxy and load balancer home: https://github.com/kubernetes/ingress-nginx @@ -15,11 +15,9 @@ kubeVersion: '>=1.21.0-0' maintainers: - name: cpanato - name: Gacko -- name: puerco -- name: rikatz - name: strongjz - name: tao12345666333 name: ingress-nginx sources: - https://github.com/kubernetes/ingress-nginx -version: 4.11.1 +version: 4.11.5 diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/OWNERS b/packages/system/ingress-nginx/charts/ingress-nginx/OWNERS index d588ede6..428474f6 100644 --- a/packages/system/ingress-nginx/charts/ingress-nginx/OWNERS +++ b/packages/system/ingress-nginx/charts/ingress-nginx/OWNERS @@ -1,10 +1,4 @@ # See the OWNERS docs: https://www.kubernetes.dev/docs/guide/owners -approvers: -- ingress-nginx-helm-maintainers - -reviewers: -- ingress-nginx-helm-reviewers - labels: - area/helm diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/README.md b/packages/system/ingress-nginx/charts/ingress-nginx/README.md index 0acf3da9..d36a564c 100644 
--- a/packages/system/ingress-nginx/charts/ingress-nginx/README.md +++ b/packages/system/ingress-nginx/charts/ingress-nginx/README.md @@ -2,7 +2,7 @@ [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Ingress controller for Kubernetes using NGINX as a reverse proxy and load balancer -![Version: 4.11.1](https://img.shields.io/badge/Version-4.11.1-informational?style=flat-square) ![AppVersion: 1.11.1](https://img.shields.io/badge/AppVersion-1.11.1-informational?style=flat-square) +![Version: 4.11.5](https://img.shields.io/badge/Version-4.11.5-informational?style=flat-square) ![AppVersion: 1.11.5](https://img.shields.io/badge/AppVersion-1.11.5-informational?style=flat-square) To use, add `ingressClassName: nginx` spec field or the `kubernetes.io/ingress.class: nginx` annotation to your Ingress resources. @@ -229,6 +229,24 @@ Detail of how and why are in [this issue](https://github.com/helm/charts/pull/13 As of version `1.26.0` of this chart, by simply not providing any clusterIP value, `invalid: spec.clusterIP: Invalid value: "": field is immutable` will no longer occur since `clusterIP: ""` will not be rendered. +### Pod Security Admission + +You can use Pod Security Admission by applying labels to the `ingress-nginx` namespace as instructed by the [documentation](https://kubernetes.io/docs/tasks/configure-pod-container/enforce-standards-namespace-labels). + +Example: + +```yaml +apiVersion: v1 +kind: Namespace +metadata: + name: ingress-nginx + labels: + kubernetes.io/metadata.name: ingress-nginx + name: ingress-nginx + pod-security.kubernetes.io/enforce: restricted + pod-security.kubernetes.io/enforce-version: v1.31 +``` + ## Values | Key | Type | Default | Description | 
@@ -253,11 +271,11 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu | controller.admissionWebhooks.namespaceSelector | object | `{}` | | | controller.admissionWebhooks.objectSelector | object | `{}` | | | controller.admissionWebhooks.patch.enabled | bool | `true` | | -| controller.admissionWebhooks.patch.image.digest | string | `"sha256:36d05b4077fb8e3d13663702fa337f124675ba8667cbd949c03a8e8ea6fa4366"` | | +| controller.admissionWebhooks.patch.image.digest | string | `"sha256:e8825994b7a2c7497375a9b945f386506ca6a3eda80b89b74ef2db743f66a5ea"` | | | controller.admissionWebhooks.patch.image.image | string | `"ingress-nginx/kube-webhook-certgen"` | | | controller.admissionWebhooks.patch.image.pullPolicy | string | `"IfNotPresent"` | | | controller.admissionWebhooks.patch.image.registry | string | `"registry.k8s.io"` | | -| controller.admissionWebhooks.patch.image.tag | string | `"v1.4.1"` | | +| controller.admissionWebhooks.patch.image.tag | string | `"v1.5.2"` | | | controller.admissionWebhooks.patch.labels | object | `{}` | Labels to be added to patch job resources | | controller.admissionWebhooks.patch.networkPolicy.enabled | bool | `false` | Enable 'networkPolicy' or not | | controller.admissionWebhooks.patch.nodeSelector."kubernetes.io/os" | string | `"linux"` | | 
@@ -325,8 +343,8 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu | controller.hostname | object | `{}` | Optionally customize the pod hostname. | | controller.image.allowPrivilegeEscalation | bool | `false` | | | controller.image.chroot | bool | `false` | | -| controller.image.digest | string | `"sha256:e6439a12b52076965928e83b7b56aae6731231677b01e81818bce7fa5c60161a"` | | -| controller.image.digestChroot | string | `"sha256:7cabe4bd7558bfdf5b707976d7be56fd15ffece735d7c90fc238b6eda290fd8d"` | | +| controller.image.digest | string | `"sha256:a1cbad75b0a7098bf9325132794dddf9eef917e8a7fe246749a4cea7ff6f01eb"` | | +| controller.image.digestChroot | string | `"sha256:ec9df3eb6b06563a079ee46045da94cbf750f7dbb16fdbcb9e3265b551ed72ad"` | | | controller.image.image | string | `"ingress-nginx/controller"` | | | controller.image.pullPolicy | string | `"IfNotPresent"` | | | controller.image.readOnlyRootFilesystem | bool | `false` | | 
@@ -334,7 +352,7 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu | controller.image.runAsNonRoot | bool | `true` | | | controller.image.runAsUser | int | `101` | | | controller.image.seccompProfile.type | string | `"RuntimeDefault"` | | -| controller.image.tag | string | `"v1.11.1"` | | +| controller.image.tag | string | `"v1.11.5"` | | | controller.ingressClass | string | `"nginx"` | For backwards compatibility with ingress.class annotation, use ingressClass. Algorithm is as follows, first ingressClassName is considered, if not present, controller looks for ingress.class annotation | | controller.ingressClassByName | bool | `false` | Process IngressClass per name (additionally as per spec.controller). | | controller.ingressClassResource | object | `{"aliases":[],"annotations":{},"controllerValue":"k8s.io/ingress-nginx","default":false,"enabled":true,"name":"nginx","parameters":{}}` | This section refers to the creation of the IngressClass resource. IngressClasses are immutable and cannot be changed after creation. We do not support namespaced IngressClasses, yet, so a ClusterRole and a ClusterRoleBinding is required. | 
@@ -366,7 +384,7 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu | controller.livenessProbe.periodSeconds | int | `10` | | | controller.livenessProbe.successThreshold | int | `1` | | | controller.livenessProbe.timeoutSeconds | int | `1` | | -| controller.maxmindLicenseKey | string | `""` | Maxmind license key to download GeoLite2 Databases. # https://blog.maxmind.com/2019/12/18/significant-changes-to-accessing-and-using-geolite2-databases | +| controller.maxmindLicenseKey | string | `""` | Maxmind license key to download GeoLite2 Databases. # https://blog.maxmind.com/2019/12/significant-changes-to-accessing-and-using-geolite2-databases/ | | controller.metrics.enabled | bool | `false` | | | controller.metrics.port | int | `10254` | | | controller.metrics.portName | string | `"metrics"` | | @@ -380,7 +398,7 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu | controller.metrics.service.servicePort | int | `10254` | | | controller.metrics.service.type | string | `"ClusterIP"` | | | controller.metrics.serviceMonitor.additionalLabels | object | `{}` | | -| controller.metrics.serviceMonitor.annotations | object | `{}` | | +| controller.metrics.serviceMonitor.annotations | object | `{}` | Annotations to be added to the ServiceMonitor. | | controller.metrics.serviceMonitor.enabled | bool | `false` | | | controller.metrics.serviceMonitor.metricRelabelings | list | `[]` | | | controller.metrics.serviceMonitor.namespace | string | `""` | | 
@@ -400,11 +418,11 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu | controller.opentelemetry.containerSecurityContext.runAsUser | int | `65532` | The image's default user, inherited from its base image `cgr.dev/chainguard/static`. | | controller.opentelemetry.containerSecurityContext.seccompProfile.type | string | `"RuntimeDefault"` | | | controller.opentelemetry.enabled | bool | `false` | | -| controller.opentelemetry.image.digest | string | `"sha256:13bee3f5223883d3ca62fee7309ad02d22ec00ff0d7033e3e9aca7a9f60fd472"` | | +| controller.opentelemetry.image.digest | string | `"sha256:f7604ac0547ed64d79b98d92133234e66c2c8aade3c1f4809fed5eec1fb7f922"` | | | controller.opentelemetry.image.distroless | bool | `true` | | -| controller.opentelemetry.image.image | string | `"ingress-nginx/opentelemetry"` | | +| controller.opentelemetry.image.image | string | `"ingress-nginx/opentelemetry-1.25.3"` | | | controller.opentelemetry.image.registry | string | `"registry.k8s.io"` | | -| controller.opentelemetry.image.tag | string | `"v20230721-3e2062ee5"` | | +| controller.opentelemetry.image.tag | string | `"v20240813-b933310d"` | | | controller.opentelemetry.name | string | `"opentelemetry"` | | | controller.opentelemetry.resources | object | `{}` | | | controller.podAnnotations | object | `{}` | Annotations to be added to controller pods # | 
@@ -515,7 +533,7 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu | defaultBackend.livenessProbe.periodSeconds | int | `10` | | | defaultBackend.livenessProbe.successThreshold | int | `1` | | | defaultBackend.livenessProbe.timeoutSeconds | int | `5` | | -| defaultBackend.minAvailable | int | `1` | | +| defaultBackend.minAvailable | int | `1` | Minimum available pods set in PodDisruptionBudget. | | defaultBackend.minReadySeconds | int | `0` | `minReadySeconds` to avoid killing pods before we are ready # | | defaultBackend.name | string | `"defaultbackend"` | | | defaultBackend.networkPolicy.enabled | bool | `false` | Enable 'networkPolicy' or not | diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/README.md.gotmpl b/packages/system/ingress-nginx/charts/ingress-nginx/README.md.gotmpl index 17b029bb..3cb9d565 100644 --- a/packages/system/ingress-nginx/charts/ingress-nginx/README.md.gotmpl +++ b/packages/system/ingress-nginx/charts/ingress-nginx/README.md.gotmpl @@ -226,4 +226,22 @@ Detail of how and why are in [this issue](https://github.com/helm/charts/pull/13 As of version `1.26.0` of this chart, by simply not providing any clusterIP value, `invalid: spec.clusterIP: Invalid value: "": field is immutable` will no longer occur since `clusterIP: ""` will not be rendered. +### Pod Security Admission + +You can use Pod Security Admission by applying labels to the `ingress-nginx` namespace as instructed by the [documentation](https://kubernetes.io/docs/tasks/configure-pod-container/enforce-standards-namespace-labels). + +Example: + +```yaml +apiVersion: v1 +kind: Namespace +metadata: + name: ingress-nginx + labels: + kubernetes.io/metadata.name: ingress-nginx + name: ingress-nginx + pod-security.kubernetes.io/enforce: restricted + pod-security.kubernetes.io/enforce-version: v1.31 +``` + {{ template "chart.valuesSection" . }} 
diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/ci/deamonset-default-values.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/ci/admission-webhooks-cert-manager-values.yaml similarity index 79% rename from packages/system/ingress-nginx/charts/ingress-nginx/ci/deamonset-default-values.yaml rename to packages/system/ingress-nginx/charts/ingress-nginx/ci/admission-webhooks-cert-manager-values.yaml index 82fa23e8..7eafd0c5 100644 --- a/packages/system/ingress-nginx/charts/ingress-nginx/ci/deamonset-default-values.yaml +++ b/packages/system/ingress-nginx/charts/ingress-nginx/ci/admission-webhooks-cert-manager-values.yaml @@ -1,10 +1,12 @@ controller: - kind: DaemonSet image: repository: ingress-controller/controller tag: 1.0.0-dev digest: null - admissionWebhooks: - enabled: false + service: type: ClusterIP + + admissionWebhooks: + certManager: + enabled: true diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-admission-tls-cert-manager-values.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-admission-tls-cert-manager-values.yaml deleted file mode 100644 index a13241cd..00000000 --- a/packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-admission-tls-cert-manager-values.yaml +++ /dev/null @@ -1,6 +0,0 @@ -controller: - admissionWebhooks: - certManager: - enabled: true - service: - type: ClusterIP diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-configmap-addheaders-values.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-configmap-addheaders-values.yaml new file mode 100644 index 00000000..460a610b --- /dev/null +++ b/packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-configmap-addheaders-values.yaml @@ -0,0 +1,11 @@ +controller: + image: + repository: ingress-controller/controller + tag: 1.0.0-dev + digest: null + + service: + type: ClusterIP + + addHeaders: + X-Frame-Options: deny 
diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-configmap-proxyheaders-values.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-configmap-proxyheaders-values.yaml new file mode 100644 index 00000000..e23a13c0 --- /dev/null +++ b/packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-configmap-proxyheaders-values.yaml @@ -0,0 +1,11 @@ +controller: + image: + repository: ingress-controller/controller + tag: 1.0.0-dev + digest: null + + service: + type: ClusterIP + + proxySetHeaders: + X-Forwarded-Proto: https diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-customconfig-values.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-configmap-values.yaml similarity index 70% rename from packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-customconfig-values.yaml rename to packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-configmap-values.yaml index 17494184..a7029895 100644 --- a/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-customconfig-values.yaml +++ b/packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-configmap-values.yaml @@ -3,10 +3,9 @@ controller: repository: ingress-controller/controller tag: 1.0.0-dev digest: null - config: - use-proxy-protocol: "true" - allowSnippetAnnotations: false - admissionWebhooks: - enabled: false + service: type: ClusterIP + + config: + use-proxy-protocol: "true" diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-custom-ingressclass-flags.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-custom-ingressclass-flags.yaml deleted file mode 100644 index b28a2326..00000000 --- a/packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-custom-ingressclass-flags.yaml +++ /dev/null 
@@ -1,7 +0,0 @@ -controller: - watchIngressWithoutClass: true - ingressClassResource: - name: custom-nginx - enabled: true - default: true - controllerValue: "k8s.io/custom-nginx" diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-daemonset-extra-modules-values.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-daemonset-extra-modules-values.yaml new file mode 100644 index 00000000..edf12e77 --- /dev/null +++ b/packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-daemonset-extra-modules-values.yaml @@ -0,0 +1,30 @@ +controller: + image: + repository: ingress-controller/controller + tag: 1.0.0-dev + digest: null + + service: + type: ClusterIP + + kind: DaemonSet + + extraModules: + - name: opentelemetry + image: + registry: registry.k8s.io + image: ingress-nginx/opentelemetry-1.25.3 + tag: v20240813-b933310d + digest: sha256:f7604ac0547ed64d79b98d92133234e66c2c8aade3c1f4809fed5eec1fb7f922 + distroless: true + containerSecurityContext: + runAsNonRoot: true + runAsUser: 65532 + runAsGroup: 65532 + allowPrivilegeEscalation: false + seccompProfile: + type: RuntimeDefault + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/ci/deamonset-webhook-values.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-daemonset-metrics-values.yaml similarity index 89% rename from packages/system/ingress-nginx/charts/ingress-nginx/ci/deamonset-webhook-values.yaml rename to packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-daemonset-metrics-values.yaml index 54d364df..7a98580c 100644 --- a/packages/system/ingress-nginx/charts/ingress-nginx/ci/deamonset-webhook-values.yaml +++ b/packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-daemonset-metrics-values.yaml 
@@ -1,10 +1,13 @@ controller: - kind: DaemonSet image: repository: ingress-controller/controller tag: 1.0.0-dev digest: null - admissionWebhooks: - enabled: true + service: type: ClusterIP + + kind: DaemonSet + + metrics: + enabled: true diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-opentelemetry-customregistry-values.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-daemonset-opentelemetry-values.yaml similarity index 88% rename from packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-opentelemetry-customregistry-values.yaml rename to packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-daemonset-opentelemetry-values.yaml index fb3ef444..179ab2a8 100644 --- a/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-opentelemetry-customregistry-values.yaml +++ b/packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-daemonset-opentelemetry-values.yaml @@ -3,7 +3,11 @@ controller: repository: ingress-controller/controller tag: 1.0.0-dev digest: null + service: type: ClusterIP + + kind: DaemonSet + opentelemetry: enabled: true diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/ci/daemonset-podannotations-values.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-daemonset-podannotations-values.yaml similarity index 81% rename from packages/system/ingress-nginx/charts/ingress-nginx/ci/daemonset-podannotations-values.yaml rename to packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-daemonset-podannotations-values.yaml index 0b55306a..405992ef 100644 --- a/packages/system/ingress-nginx/charts/ingress-nginx/ci/daemonset-podannotations-values.yaml +++ b/packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-daemonset-podannotations-values.yaml 
@@ -1,17 +1,16 @@ controller: - kind: DaemonSet image: repository: ingress-controller/controller tag: 1.0.0-dev digest: null - admissionWebhooks: - enabled: false - metrics: - enabled: true + service: type: ClusterIP + + kind: DaemonSet + podAnnotations: - prometheus.io/path: /metrics + prometheus.io/scrape: "true" prometheus.io/port: "10254" prometheus.io/scheme: http - prometheus.io/scrape: "true" + prometheus.io/path: /metrics diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-default-values.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-daemonset-values.yaml similarity index 78% rename from packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-default-values.yaml rename to packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-daemonset-values.yaml index 9f46b4e7..d34025c8 100644 --- a/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-default-values.yaml +++ b/packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-daemonset-values.yaml @@ -1,8 +1,10 @@ -# Left blank to test default values controller: image: repository: ingress-controller/controller tag: 1.0.0-dev digest: null + service: type: ClusterIP + + kind: DaemonSet diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-deployment-extra-modules-values.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-deployment-extra-modules-values.yaml new file mode 100644 index 00000000..d4083cc3 --- /dev/null +++ b/packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-deployment-extra-modules-values.yaml 
@@ -0,0 +1,30 @@ +controller: + image: + repository: ingress-controller/controller + tag: 1.0.0-dev + digest: null + + service: + type: ClusterIP + + kind: Deployment + + extraModules: + - name: opentelemetry + image: + registry: registry.k8s.io + image: ingress-nginx/opentelemetry-1.25.3 + tag: v20240813-b933310d + digest: sha256:f7604ac0547ed64d79b98d92133234e66c2c8aade3c1f4809fed5eec1fb7f922 + distroless: true + containerSecurityContext: + runAsNonRoot: true + runAsUser: 65532 + runAsGroup: 65532 + allowPrivilegeEscalation: false + seccompProfile: + type: RuntimeDefault + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-webhook-values.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-deployment-metrics-values.yaml similarity index 82% rename from packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-webhook-values.yaml rename to packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-deployment-metrics-values.yaml index 76669a53..9c95d347 100644 --- a/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-webhook-values.yaml +++ b/packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-deployment-metrics-values.yaml @@ -3,7 +3,11 @@ controller: repository: ingress-controller/controller tag: 1.0.0-dev digest: null - admissionWebhooks: - enabled: true + service: type: ClusterIP + + kind: Deployment + + metrics: + enabled: true diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-metrics-values.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-deployment-opentelemetry-values.yaml similarity index 74% rename from packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-metrics-values.yaml rename to packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-deployment-opentelemetry-values.yaml index 9209ad5a..9443ddef 100644 
--- a/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-metrics-values.yaml +++ b/packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-deployment-opentelemetry-values.yaml @@ -3,9 +3,11 @@ controller: repository: ingress-controller/controller tag: 1.0.0-dev digest: null - admissionWebhooks: - enabled: false - metrics: - enabled: true + service: type: ClusterIP + + kind: Deployment + + opentelemetry: + enabled: true diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-podannotations-values.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-deployment-podannotations-values.yaml similarity index 80% rename from packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-podannotations-values.yaml rename to packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-deployment-podannotations-values.yaml index b48d93c4..cf1f2611 100644 --- a/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-podannotations-values.yaml +++ b/packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-deployment-podannotations-values.yaml @@ -3,14 +3,14 @@ controller: repository: ingress-controller/controller tag: 1.0.0-dev digest: null - admissionWebhooks: - enabled: false - metrics: - enabled: true + service: type: ClusterIP + + kind: Deployment + podAnnotations: - prometheus.io/path: /metrics + prometheus.io/scrape: "true" prometheus.io/port: "10254" prometheus.io/scheme: http - prometheus.io/scrape: "true" + prometheus.io/path: /metrics diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-deployment-values.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-deployment-values.yaml new file mode 100644 index 00000000..1b092dc0 --- /dev/null +++ b/packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-deployment-values.yaml 
@@ -0,0 +1,10 @@ +controller: + image: + repository: ingress-controller/controller + tag: 1.0.0-dev + digest: null + + service: + type: ClusterIP + + kind: Deployment diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-autoscaling-behavior-values.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-hpa-values.yaml similarity index 71% rename from packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-autoscaling-behavior-values.yaml rename to packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-hpa-values.yaml index dca3f35f..54a0d2f7 100644 --- a/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-autoscaling-behavior-values.yaml +++ b/packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-hpa-values.yaml @@ -1,4 +1,12 @@ controller: + image: + repository: ingress-controller/controller + tag: 1.0.0-dev + digest: null + + service: + type: ClusterIP + autoscaling: enabled: true behavior: @@ -8,7 +16,3 @@ controller: - type: Pods value: 1 periodSeconds: 180 - admissionWebhooks: - enabled: false - service: - type: ClusterIP diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-ingressclass-values.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-ingressclass-values.yaml new file mode 100644 index 00000000..c06429f9 --- /dev/null +++ b/packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-ingressclass-values.yaml @@ -0,0 +1,15 @@ +controller: + image: + repository: ingress-controller/controller + tag: 1.0.0-dev + digest: null + + service: + type: ClusterIP + + ingressClassResource: + name: custom-nginx + default: true + controllerValue: k8s.io/custom-nginx + + watchIngressWithoutClass: true 
diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/ci/daemonset-internal-lb-values.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-service-internal-values.yaml similarity index 81% rename from packages/system/ingress-nginx/charts/ingress-nginx/ci/daemonset-internal-lb-values.yaml rename to packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-service-internal-values.yaml index 0a200a74..11108fbc 100644 --- a/packages/system/ingress-nginx/charts/ingress-nginx/ci/daemonset-internal-lb-values.yaml +++ b/packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-service-internal-values.yaml @@ -1,13 +1,12 @@ controller: - kind: DaemonSet image: repository: ingress-controller/controller tag: 1.0.0-dev digest: null - admissionWebhooks: - enabled: false + service: type: ClusterIP + internal: enabled: true annotations: diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-customnodeport-values.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-service-values.yaml similarity index 69% rename from packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-customnodeport-values.yaml rename to packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-service-values.yaml index a564eaf9..9039368c 100644 --- a/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-customnodeport-values.yaml +++ b/packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-service-values.yaml @@ -3,18 +3,20 @@ controller: repository: ingress-controller/controller tag: 1.0.0-dev digest: null - admissionWebhooks: - enabled: false + service: type: NodePort + nodePorts: tcp: 9000: 30090 udp: 9001: 30091 +portNamePrefix: port + tcp: - 9000: "default/test:8080" + 9000: default/test:8080 udp: - 9001: "default/test:8080" + 9001: default/test:8080 
diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/ci/daemonset-customconfig-values.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/ci/daemonset-customconfig-values.yaml deleted file mode 100644 index 4393a5bc..00000000 --- a/packages/system/ingress-nginx/charts/ingress-nginx/ci/daemonset-customconfig-values.yaml +++ /dev/null @@ -1,14 +0,0 @@ -controller: - image: - repository: ingress-controller/controller - tag: 1.0.0-dev - digest: null - kind: DaemonSet - allowSnippetAnnotations: false - admissionWebhooks: - enabled: false - service: - type: ClusterIP - - config: - use-proxy-protocol: "true" diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/ci/daemonset-customnodeport-values.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/ci/daemonset-customnodeport-values.yaml deleted file mode 100644 index 1d94be21..00000000 --- a/packages/system/ingress-nginx/charts/ingress-nginx/ci/daemonset-customnodeport-values.yaml +++ /dev/null @@ -1,22 +0,0 @@ -controller: - kind: DaemonSet - image: - repository: ingress-controller/controller - tag: 1.0.0-dev - digest: null - admissionWebhooks: - enabled: false - - service: - type: NodePort - nodePorts: - tcp: - 9000: 30090 - udp: - 9001: 30091 - -tcp: - 9000: "default/test:8080" - -udp: - 9001: "default/test:8080" diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/ci/daemonset-extra-modules.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/ci/daemonset-extra-modules.yaml deleted file mode 100644 index 52a32fcb..00000000 --- a/packages/system/ingress-nginx/charts/ingress-nginx/ci/daemonset-extra-modules.yaml +++ /dev/null @@ -1,13 +0,0 @@ -controller: - kind: DaemonSet - image: - repository: ingress-controller/controller - tag: 1.0.0-dev - service: - type: ClusterIP - extraModules: - - name: opentelemetry - image: - registry: registry.k8s.io - image: busybox - tag: latest 
diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/ci/daemonset-headers-values.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/ci/daemonset-headers-values.yaml
deleted file mode 100644
index ab7d47bd..00000000
--- a/packages/system/ingress-nginx/charts/ingress-nginx/ci/daemonset-headers-values.yaml
+++ /dev/null
@@ -1,14 +0,0 @@
-controller:
- kind: DaemonSet
- image:
- repository: ingress-controller/controller
- tag: 1.0.0-dev
- digest: null
- admissionWebhooks:
- enabled: false
- addHeaders:
- X-Frame-Options: deny
- proxySetHeaders:
- X-Forwarded-Proto: https
- service:
- type: ClusterIP
diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/ci/daemonset-nodeport-values.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/ci/daemonset-nodeport-values.yaml
deleted file mode 100644
index 3b7aa2fc..00000000
--- a/packages/system/ingress-nginx/charts/ingress-nginx/ci/daemonset-nodeport-values.yaml
+++ /dev/null
@@ -1,10 +0,0 @@
-controller:
- kind: DaemonSet
- image:
- repository: ingress-controller/controller
- tag: 1.0.0-dev
- digest: null
- admissionWebhooks:
- enabled: false
- service:
- type: NodePort
diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/ci/daemonset-tcp-udp-configMapNamespace-values.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/ci/daemonset-tcp-udp-configMapNamespace-values.yaml
deleted file mode 100644
index acd86a77..00000000
--- a/packages/system/ingress-nginx/charts/ingress-nginx/ci/daemonset-tcp-udp-configMapNamespace-values.yaml
+++ /dev/null
@@ -1,20 +0,0 @@
-controller:
- kind: DaemonSet
- image:
- repository: ingress-controller/controller
- tag: 1.0.0-dev
- digest: null
- admissionWebhooks:
- enabled: false
- service:
- type: ClusterIP
- tcp:
- configMapNamespace: default
- udp:
- configMapNamespace: default
-
-tcp:
- 9000: "default/test:8080"
-
-udp:
- 9001: "default/test:8080"
diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/ci/daemonset-tcp-udp-portNamePrefix-values.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/ci/daemonset-tcp-udp-portNamePrefix-values.yaml
deleted file mode 100644
index 90b0f57a..00000000
--- a/packages/system/ingress-nginx/charts/ingress-nginx/ci/daemonset-tcp-udp-portNamePrefix-values.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-controller:
- kind: DaemonSet
- image:
- repository: ingress-controller/controller
- tag: 1.0.0-dev
- digest: null
- admissionWebhooks:
- enabled: false
- service:
- type: ClusterIP
-
-tcp:
- 9000: "default/test:8080"
-
-udp:
- 9001: "default/test:8080"
-
-portNamePrefix: "port"
diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/ci/daemonset-tcp-udp-values.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/ci/daemonset-tcp-udp-values.yaml
deleted file mode 100644
index 25ee64d8..00000000
--- a/packages/system/ingress-nginx/charts/ingress-nginx/ci/daemonset-tcp-udp-values.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
-controller:
- kind: DaemonSet
- image:
- repository: ingress-controller/controller
- tag: 1.0.0-dev
- digest: null
- admissionWebhooks:
- enabled: false
- service:
- type: ClusterIP
-
-tcp:
- 9000: "default/test:8080"
-
-udp:
- 9001: "default/test:8080"
diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/ci/daemonset-tcp-values.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/ci/daemonset-tcp-values.yaml
deleted file mode 100644
index 380c8b4b..00000000
--- a/packages/system/ingress-nginx/charts/ingress-nginx/ci/daemonset-tcp-values.yaml
+++ /dev/null
@@ -1,14 +0,0 @@
-controller:
- kind: DaemonSet
- image:
- repository: ingress-controller/controller
- tag: 1.0.0-dev
- digest: null
- admissionWebhooks:
- enabled: false
- service:
- type: ClusterIP
-
-tcp:
- 9000: "default/test:8080"
- 9001: "default/test:8080"
diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/ci/deamonset-metrics-values.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/ci/deamonset-metrics-values.yaml deleted file mode 100644 index cb3cb54b..00000000 --- a/packages/system/ingress-nginx/charts/ingress-nginx/ci/deamonset-metrics-values.yaml +++ /dev/null @@ -1,12 +0,0 @@ -controller: - kind: DaemonSet - image: - repository: ingress-controller/controller - tag: 1.0.0-dev - digest: null - admissionWebhooks: - enabled: false - metrics: - enabled: true - service: - type: ClusterIP diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-autoscaling-values.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-autoscaling-values.yaml deleted file mode 100644 index b8b3ac68..00000000 --- a/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-autoscaling-values.yaml +++ /dev/null @@ -1,11 +0,0 @@ -controller: - image: - repository: ingress-controller/controller - tag: 1.0.0-dev - digest: null - autoscaling: - enabled: true - admissionWebhooks: - enabled: false - service: - type: ClusterIP diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-extra-modules-default-container-sec-context.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-extra-modules-default-container-sec-context.yaml deleted file mode 100644 index 91b1b98a..00000000 --- a/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-extra-modules-default-container-sec-context.yaml +++ /dev/null @@ -1,15 +0,0 @@ -controller: - image: - repository: ingress-controller/controller - tag: 1.0.0-dev - digest: null - service: - type: ClusterIP - containerSecurityContext: - allowPrivilegeEscalation: false - extraModules: - - name: opentelemetry - image: - registry: registry.k8s.io - image: busybox - tag: latest 
diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-extra-modules-specific-container-sec-context.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-extra-modules-specific-container-sec-context.yaml deleted file mode 100644 index b6013c7d..00000000 --- a/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-extra-modules-specific-container-sec-context.yaml +++ /dev/null @@ -1,15 +0,0 @@ -controller: - image: - repository: ingress-controller/controller - tag: 1.0.0-dev - digest: null - service: - type: ClusterIP - extraModules: - - name: opentelemetry - image: - registry: registry.k8s.io - image: busybox - tag: latest - containerSecurityContext: - allowPrivilegeEscalation: false diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-extra-modules.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-extra-modules.yaml deleted file mode 100644 index 2fbe1cc0..00000000 --- a/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-extra-modules.yaml +++ /dev/null @@ -1,13 +0,0 @@ -controller: - image: - repository: ingress-controller/controller - tag: 1.0.0-dev - digest: null - service: - type: ClusterIP - extraModules: - - name: opentelemetry - image: - registry: registry.k8s.io - image: busybox - tag: latest diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-headers-values.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-headers-values.yaml deleted file mode 100644 index 17a11ac3..00000000 --- a/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-headers-values.yaml +++ /dev/null @@ -1,13 +0,0 @@ -controller: - image: - repository: ingress-controller/controller - tag: 1.0.0-dev - digest: null - admissionWebhooks: - enabled: false - addHeaders: - X-Frame-Options: deny - proxySetHeaders: - X-Forwarded-Proto: https - service: - type: ClusterIP 
diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-internal-lb-values.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-internal-lb-values.yaml
deleted file mode 100644
index 663ccb9d..00000000
--- a/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-internal-lb-values.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
-controller:
- image:
- repository: ingress-controller/controller
- tag: 1.0.0-dev
- digest: null
- admissionWebhooks:
- enabled: false
- service:
- type: ClusterIP
- internal:
- enabled: true
- annotations:
- service.beta.kubernetes.io/aws-load-balancer-internal: "true"
- ports:
- http: 443
- https: 80
- targetPorts:
- http: 443
- https: 80
diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-nodeport-values.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-nodeport-values.yaml
deleted file mode 100644
index cd9b3235..00000000
--- a/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-nodeport-values.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
-controller:
- image:
- repository: ingress-controller/controller
- tag: 1.0.0-dev
- digest: null
- admissionWebhooks:
- enabled: false
- service:
- type: NodePort
diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-tcp-udp-configMapNamespace-values.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-tcp-udp-configMapNamespace-values.yaml
deleted file mode 100644
index c51a4e91..00000000
--- a/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-tcp-udp-configMapNamespace-values.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
-controller:
- image:
- repository: ingress-controller/controller
- tag: 1.0.0-dev
- digest: null
- admissionWebhooks:
- enabled: false
- service:
- type: ClusterIP
- tcp:
- configMapNamespace: default
- udp:
- configMapNamespace: default
-
-tcp:
- 9000: "default/test:8080"
-
-udp:
- 9001: "default/test:8080"
diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-tcp-udp-portNamePrefix-values.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-tcp-udp-portNamePrefix-values.yaml
deleted file mode 100644
index 56323c5e..00000000
--- a/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-tcp-udp-portNamePrefix-values.yaml
+++ /dev/null
@@ -1,17 +0,0 @@
-controller:
- image:
- repository: ingress-controller/controller
- tag: 1.0.0-dev
- digest: null
- admissionWebhooks:
- enabled: false
- service:
- type: ClusterIP
-
-tcp:
- 9000: "default/test:8080"
-
-udp:
- 9001: "default/test:8080"
-
-portNamePrefix: "port"
diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-tcp-udp-values.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-tcp-udp-values.yaml
deleted file mode 100644
index 5b45b69d..00000000
--- a/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-tcp-udp-values.yaml
+++ /dev/null
@@ -1,15 +0,0 @@
-controller:
- image:
- repository: ingress-controller/controller
- tag: 1.0.0-dev
- digest: null
- admissionWebhooks:
- enabled: false
- service:
- type: ClusterIP
-
-tcp:
- 9000: "default/test:8080"
-
-udp:
- 9001: "default/test:8080"
diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-tcp-values.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-tcp-values.yaml
deleted file mode 100644
index ac0b6e60..00000000
--- a/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-tcp-values.yaml
+++ /dev/null
@@ -1,11 +0,0 @@
-controller:
- image:
- repository: ingress-controller/controller
- tag: 1.0.0-dev
- digest: null
- service:
- type: ClusterIP
-
-tcp:
- 9000: "default/test:8080"
- 9001: "default/test:8080"
diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-webhook-extraEnvs-values.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-webhook-extraEnvs-values.yaml deleted file mode 100644 index 95487b07..00000000 --- a/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-webhook-extraEnvs-values.yaml +++ /dev/null @@ -1,12 +0,0 @@ -controller: - service: - type: ClusterIP - admissionWebhooks: - enabled: true - extraEnvs: - - name: FOO - value: foo - - name: TEST - value: test - patch: - enabled: true diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-webhook-resources-values.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-webhook-resources-values.yaml deleted file mode 100644 index 49ebbb02..00000000 --- a/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-webhook-resources-values.yaml +++ /dev/null @@ -1,23 +0,0 @@ -controller: - service: - type: ClusterIP - admissionWebhooks: - enabled: true - createSecretJob: - resources: - limits: - cpu: 10m - memory: 20Mi - requests: - cpu: 10m - memory: 20Mi - patchWebhookJob: - resources: - limits: - cpu: 10m - memory: 20Mi - requests: - cpu: 10m - memory: 20Mi - patch: - enabled: true diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/templates/_helpers.tpl b/packages/system/ingress-nginx/charts/ingress-nginx/templates/_helpers.tpl index 0c6a3e20..24cfd14a 100644 --- a/packages/system/ingress-nginx/charts/ingress-nginx/templates/_helpers.tpl +++ b/packages/system/ingress-nginx/charts/ingress-nginx/templates/_helpers.tpl 
@@ -203,7 +203,7 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this {{- end -}} {{/* -Create the name of the backend service account to use - only used when podsecuritypolicy is also enabled +Create the name of the default backend service account to use */}} {{- define "ingress-nginx.defaultBackend.serviceAccountName" -}} {{- if .Values.defaultBackend.serviceAccount.create -}} @@ -244,15 +244,6 @@ Return the appropriate apiGroup for PodSecurityPolicy. {{- end -}} {{- end -}} -{{/* -Check the ingress controller version tag is at most three versions behind the last release -*/}} -{{- define "isControllerTagValid" -}} -{{- if not (semverCompare ">=0.27.0-0" .Values.controller.image.tag) -}} -{{- fail "Controller container image tag should be 0.27.0 or higher" -}} -{{- end -}} -{{- end -}} - {{/* Extra modules. */}} diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/templates/admission-webhooks/validating-webhook.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/templates/admission-webhooks/validating-webhook.yaml index 4cd36a62..0949cea7 100644 --- a/packages/system/ingress-nginx/charts/ingress-nginx/templates/admission-webhooks/validating-webhook.yaml +++ b/packages/system/ingress-nginx/charts/ingress-nginx/templates/admission-webhooks/validating-webhook.yaml @@ -40,6 +40,7 @@ webhooks: service: name: {{ include "ingress-nginx.controller.fullname" . }}-admission namespace: {{ include "ingress-nginx.namespace" . }} + port: {{ .Values.controller.admissionWebhooks.service.servicePort }} path: /networking/v1/ingresses {{- if .Values.controller.admissionWebhooks.timeoutSeconds }} timeoutSeconds: {{ .Values.controller.admissionWebhooks.timeoutSeconds }} diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/templates/controller-daemonset.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/templates/controller-daemonset.yaml index 80ad656b..6ab68fbd 100644 
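Review bot: The added `port: {{ .Values.controller.admissionWebhooks.service.servicePort }}` under `clientConfig.service` in validating-webhook.yaml has no fallback, and the same expression replaces the hard-coded `port: 443` of the `https-webhook` entry in the controller-service-webhook.yaml hunk. The chart's values.yaml is not part of these hunks, so whether a default for `servicePort` ships with this update is assumed rather than confirmed; if the key is missing or a values override sets it to null, both fields render empty and the admission Service no longer has a valid port, which leaves Ingress validation unreachable. Keeping the previous value as the fallback preserves existing behaviour in both templates: `port: {{ .Values.controller.admissionWebhooks.service.servicePort | default 443 }}`. The webhook definition continues outside the hunk, so its `failurePolicy` should be checked to know whether an unreachable webhook blocks Ingress changes or lets them through unvalidated.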
--- a/packages/system/ingress-nginx/charts/ingress-nginx/templates/controller-daemonset.yaml +++ b/packages/system/ingress-nginx/charts/ingress-nginx/templates/controller-daemonset.yaml @@ -1,5 +1,4 @@ {{- if eq .Values.controller.kind "DaemonSet" -}} -{{- include "isControllerTagValid" . -}} apiVersion: apps/v1 kind: DaemonSet metadata: diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/templates/controller-deployment.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/templates/controller-deployment.yaml index e2915a76..bddde891 100644 --- a/packages/system/ingress-nginx/charts/ingress-nginx/templates/controller-deployment.yaml +++ b/packages/system/ingress-nginx/charts/ingress-nginx/templates/controller-deployment.yaml @@ -1,5 +1,4 @@ {{- if eq .Values.controller.kind "Deployment" -}} -{{- include "isControllerTagValid" . -}} apiVersion: apps/v1 kind: Deployment metadata: diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/templates/controller-prometheusrules.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/templates/controller-prometheusrule.yaml similarity index 100% rename from packages/system/ingress-nginx/charts/ingress-nginx/templates/controller-prometheusrules.yaml rename to packages/system/ingress-nginx/charts/ingress-nginx/templates/controller-prometheusrule.yaml diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/templates/controller-service-webhook.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/templates/controller-service-webhook.yaml index 6dcf1a10..67aac0d9 100644 --- a/packages/system/ingress-nginx/charts/ingress-nginx/templates/controller-service-webhook.yaml +++ b/packages/system/ingress-nginx/charts/ingress-nginx/templates/controller-service-webhook.yaml 
@@ -29,7 +29,7 @@ spec: {{- end }} ports: - name: https-webhook - port: 443 + port: {{ .Values.controller.admissionWebhooks.service.servicePort }} targetPort: webhook {{- if semverCompare ">=1.20.0-0" .Capabilities.KubeVersion.Version }} appProtocol: https diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/templates/controller-servicemonitor.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/templates/controller-servicemonitor.yaml index 62301da4..93ab4d24 100644 --- a/packages/system/ingress-nginx/charts/ingress-nginx/templates/controller-servicemonitor.yaml +++ b/packages/system/ingress-nginx/charts/ingress-nginx/templates/controller-servicemonitor.yaml 
@@ -3,51 +3,48 @@ apiVersion: monitoring.coreos.com/v1 kind: ServiceMonitor metadata: name: {{ include "ingress-nginx.controller.fullname" . }} -{{- if .Values.controller.metrics.serviceMonitor.namespace }} + {{- if .Values.controller.metrics.serviceMonitor.namespace }} namespace: {{ .Values.controller.metrics.serviceMonitor.namespace }} -{{- else }} + {{- else }} namespace: {{ include "ingress-nginx.namespace" . }} -{{- end }} + {{- end }} labels: {{- include "ingress-nginx.labels" . | nindent 4 }} app.kubernetes.io/component: controller - {{- if .Values.controller.metrics.serviceMonitor.additionalLabels }} + {{- if .Values.controller.metrics.serviceMonitor.additionalLabels }} {{- toYaml .Values.controller.metrics.serviceMonitor.additionalLabels | nindent 4 }} - {{- end }} + {{- end }} {{- if .Values.controller.metrics.serviceMonitor.annotations }} annotations: {{ toYaml .Values.controller.metrics.serviceMonitor.annotations | nindent 4 }} {{- end }} spec: - endpoints: - - port: {{ .Values.controller.metrics.portName }} - interval: {{ .Values.controller.metrics.serviceMonitor.scrapeInterval }} - {{- if .Values.controller.metrics.serviceMonitor.honorLabels }} - honorLabels: true - {{- end }} - {{- if .Values.controller.metrics.serviceMonitor.relabelings }} - relabelings: {{ toYaml .Values.controller.metrics.serviceMonitor.relabelings | nindent 8 }} - {{- end }} - {{- if .Values.controller.metrics.serviceMonitor.metricRelabelings }} - metricRelabelings: {{ toYaml .Values.controller.metrics.serviceMonitor.metricRelabelings | nindent 8 }} - {{- end }} -{{- if .Values.controller.metrics.serviceMonitor.jobLabel }} - jobLabel: {{ .Values.controller.metrics.serviceMonitor.jobLabel | quote }} -{{- end }} -{{- if .Values.controller.metrics.serviceMonitor.namespaceSelector }} + {{- if .Values.controller.metrics.serviceMonitor.namespaceSelector }} namespaceSelector: {{ toYaml .Values.controller.metrics.serviceMonitor.namespaceSelector | nindent 4 }} -{{- else }} + {{- else }} 
namespaceSelector: matchNames: - - {{ include "ingress-nginx.namespace" . }} -{{- end }} -{{- if .Values.controller.metrics.serviceMonitor.targetLabels }} - targetLabels: - {{- range .Values.controller.metrics.serviceMonitor.targetLabels }} - - {{ . }} + - {{ include "ingress-nginx.namespace" . }} {{- end }} -{{- end }} selector: matchLabels: {{- include "ingress-nginx.selectorLabels" . | nindent 6 }} app.kubernetes.io/component: controller + endpoints: + - port: {{ .Values.controller.metrics.portName }} + interval: {{ .Values.controller.metrics.serviceMonitor.scrapeInterval }} + {{- if .Values.controller.metrics.serviceMonitor.honorLabels }} + honorLabels: true + {{- end }} + {{- if .Values.controller.metrics.serviceMonitor.relabelings }} + relabelings: {{ toYaml .Values.controller.metrics.serviceMonitor.relabelings | nindent 4 }} + {{- end }} + {{- if .Values.controller.metrics.serviceMonitor.metricRelabelings }} + metricRelabelings: {{ toYaml .Values.controller.metrics.serviceMonitor.metricRelabelings | nindent 4 }} + {{- end }} + {{- if .Values.controller.metrics.serviceMonitor.jobLabel }} + jobLabel: {{ .Values.controller.metrics.serviceMonitor.jobLabel | quote }} + {{- end }} + {{- if .Values.controller.metrics.serviceMonitor.targetLabels }} + targetLabels: {{ toYaml .Values.controller.metrics.serviceMonitor.targetLabels | nindent 2 }} + {{- end }} {{- end }} diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/templates/default-backend-deployment.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/templates/default-backend-deployment.yaml index c6ccdd5c..6755e237 100644 --- a/packages/system/ingress-nginx/charts/ingress-nginx/templates/default-backend-deployment.yaml +++ b/packages/system/ingress-nginx/charts/ingress-nginx/templates/default-backend-deployment.yaml 
@@ -102,7 +102,7 @@ spec: {{- if .Values.defaultBackend.nodeSelector }} nodeSelector: {{ toYaml .Values.defaultBackend.nodeSelector | nindent 8 }} {{- end }} - serviceAccountName: {{ template "ingress-nginx.defaultBackend.serviceAccountName" . }} + serviceAccountName: {{ include "ingress-nginx.defaultBackend.serviceAccountName" . }} {{- if .Values.defaultBackend.tolerations }} tolerations: {{ toYaml .Values.defaultBackend.tolerations | nindent 8 }} {{- end }} diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/templates/default-backend-poddisruptionbudget.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/templates/default-backend-poddisruptionbudget.yaml index f869e453..c8363fd4 100644 --- a/packages/system/ingress-nginx/charts/ingress-nginx/templates/default-backend-poddisruptionbudget.yaml +++ b/packages/system/ingress-nginx/charts/ingress-nginx/templates/default-backend-poddisruptionbudget.yaml @@ -1,5 +1,9 @@ {{- if .Values.defaultBackend.enabled -}} -{{- if or (gt (.Values.defaultBackend.replicaCount | int) 1) (gt (.Values.defaultBackend.autoscaling.minReplicas | int) 1) }} +{{- $replicas := .Values.defaultBackend.replicaCount }} +{{- if .Values.defaultBackend.autoscaling.enabled }} +{{- $replicas = .Values.defaultBackend.autoscaling.minReplicas }} +{{- end }} +{{- if gt ($replicas | int) 1 }} apiVersion: {{ ternary "policy/v1" "policy/v1beta1" (semverCompare ">=1.21.0-0" .Capabilities.KubeVersion.Version) }} kind: PodDisruptionBudget metadata: diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/templates/default-backend-serviceaccount.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/templates/default-backend-serviceaccount.yaml index 2afaf0c0..6fd2d623 100644 --- a/packages/system/ingress-nginx/charts/ingress-nginx/templates/default-backend-serviceaccount.yaml +++ b/packages/system/ingress-nginx/charts/ingress-nginx/templates/default-backend-serviceaccount.yaml 
@@ -1,4 +1,4 @@ -{{- if and .Values.defaultBackend.enabled .Values.defaultBackend.serviceAccount.create -}} +{{- if and .Values.defaultBackend.enabled .Values.defaultBackend.serviceAccount.create -}} apiVersion: v1 kind: ServiceAccount metadata: @@ -8,7 +8,7 @@ metadata: {{- with .Values.defaultBackend.labels }} {{- toYaml . | nindent 4 }} {{- end }} - name: {{ template "ingress-nginx.defaultBackend.serviceAccountName" . }} + name: {{ include "ingress-nginx.defaultBackend.serviceAccountName" . }} namespace: {{ include "ingress-nginx.namespace" . }} automountServiceAccountToken: {{ .Values.defaultBackend.serviceAccount.automountServiceAccountToken }} {{- end }} diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/tests/admission-webhooks/job-patch/serviceaccount_test.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/tests/admission-webhooks/job-patch/serviceaccount_test.yaml index 7c30d1e6..f72bc438 100644 --- a/packages/system/ingress-nginx/charts/ingress-nginx/tests/admission-webhooks/job-patch/serviceaccount_test.yaml +++ b/packages/system/ingress-nginx/charts/ingress-nginx/tests/admission-webhooks/job-patch/serviceaccount_test.yaml @@ -20,7 +20,7 @@ tests: of: ServiceAccount - equal: path: metadata.name - value: ingress-nginx-admission + value: RELEASE-NAME-ingress-nginx-admission - it: should create a ServiceAccount with specified name if `controller.admissionWebhooks.patch.serviceAccount.name` is set set: diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/tests/admission-webhooks/validating-webhook_test.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/tests/admission-webhooks/validating-webhook_test.yaml new file mode 100644 index 00000000..47b6b687 --- /dev/null +++ b/packages/system/ingress-nginx/charts/ingress-nginx/tests/admission-webhooks/validating-webhook_test.yaml 
@@ -0,0 +1,32 @@ +suite: Admission Webhooks > ValidatingWebhookConfiguration +templates: + - admission-webhooks/validating-webhook.yaml + +tests: + - it: should not create a ValidatingWebhookConfiguration if `controller.admissionWebhooks.enabled` is false + set: + controller.admissionWebhooks.enabled: false + asserts: + - hasDocuments: + count: 0 + + - it: should create a ValidatingWebhookConfiguration if `controller.admissionWebhooks.enabled` is true + set: + controller.admissionWebhooks.enabled: true + asserts: + - hasDocuments: + count: 1 + - isKind: + of: ValidatingWebhookConfiguration + - equal: + path: metadata.name + value: RELEASE-NAME-ingress-nginx-admission + + - it: should create a ValidatingWebhookConfiguration with a custom port if `controller.admissionWebhooks.service.servicePort` is set + set: + controller.admissionWebhooks.enabled: true + controller.admissionWebhooks.service.servicePort: 9443 + asserts: + - equal: + path: webhooks[0].clientConfig.service.port + value: 9443 diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/tests/controller-configmap_test.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/tests/controller-configmap_test.yaml index 9cfea980..168b657d 100644 --- a/packages/system/ingress-nginx/charts/ingress-nginx/tests/controller-configmap_test.yaml +++ b/packages/system/ingress-nginx/charts/ingress-nginx/tests/controller-configmap_test.yaml 
@@ -16,16 +16,16 @@ tests: - it: should create a ConfigMap with templated values if `controller.config` contains templates set: controller.config: - global-rate-limit-memcached-host: "memcached.{{ .Release.Namespace }}.svc.kubernetes.local" - global-rate-limit-memcached-port: 11211 - use-gzip: true + template: "test.{{ .Release.Namespace }}.svc.kubernetes.local" + integer: 12345 + boolean: true asserts: - equal: - path: data.global-rate-limit-memcached-host - value: memcached.NAMESPACE.svc.kubernetes.local + path: data.template + value: test.NAMESPACE.svc.kubernetes.local - equal: - path: data.global-rate-limit-memcached-port - value: "11211" + path: data.integer + value: "12345" - equal: - path: data.use-gzip + path: data.boolean value: "true" diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/tests/controller-daemonset_test.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/tests/controller-daemonset_test.yaml index 6ee794af..81d067bb 100644 --- a/packages/system/ingress-nginx/charts/ingress-nginx/tests/controller-daemonset_test.yaml +++ b/packages/system/ingress-nginx/charts/ingress-nginx/tests/controller-daemonset_test.yaml 
@@ -138,3 +138,35 @@ tests: values: - controller topologyKey: kubernetes.io/hostname + + - it: should create a DaemonSet with a custom registry if `controller.image.registry` is set + set: + controller.kind: DaemonSet + controller.image.registry: custom.registry.io + controller.image.tag: v1.0.0-dev + controller.image.digest: sha256:faa2d18687f734994b6bd9e309e7a73852a81c30e1b8f63165fcd4f0a087e3cd + asserts: + - equal: + path: spec.template.spec.containers[0].image + value: custom.registry.io/ingress-nginx/controller:v1.0.0-dev@sha256:faa2d18687f734994b6bd9e309e7a73852a81c30e1b8f63165fcd4f0a087e3cd + + - it: should create a DaemonSet with a custom image if `controller.image.image` is set + set: + controller.kind: DaemonSet + controller.image.image: custom-repo/custom-image + controller.image.tag: v1.0.0-dev + controller.image.digest: sha256:faa2d18687f734994b6bd9e309e7a73852a81c30e1b8f63165fcd4f0a087e3cd + asserts: + - equal: + path: spec.template.spec.containers[0].image + value: registry.k8s.io/custom-repo/custom-image:v1.0.0-dev@sha256:faa2d18687f734994b6bd9e309e7a73852a81c30e1b8f63165fcd4f0a087e3cd + + - it: should create a DaemonSet with a custom tag if `controller.image.tag` is set + set: + controller.kind: DaemonSet + controller.image.tag: custom-tag + controller.image.digest: sha256:faa2d18687f734994b6bd9e309e7a73852a81c30e1b8f63165fcd4f0a087e3cd + asserts: + - equal: + path: spec.template.spec.containers[0].image + value: registry.k8s.io/ingress-nginx/controller:custom-tag@sha256:faa2d18687f734994b6bd9e309e7a73852a81c30e1b8f63165fcd4f0a087e3cd diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/tests/controller-deployment_test.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/tests/controller-deployment_test.yaml index 82b97a0f..382aecd7 100644 --- a/packages/system/ingress-nginx/charts/ingress-nginx/tests/controller-deployment_test.yaml +++ b/packages/system/ingress-nginx/charts/ingress-nginx/tests/controller-deployment_test.yaml 
@@ -160,3 +160,32 @@ tests: values: - controller topologyKey: kubernetes.io/hostname + + - it: should create a Deployment with a custom registry if `controller.image.registry` is set + set: + controller.image.registry: custom.registry.io + controller.image.tag: v1.0.0-dev + controller.image.digest: sha256:faa2d18687f734994b6bd9e309e7a73852a81c30e1b8f63165fcd4f0a087e3cd + asserts: + - equal: + path: spec.template.spec.containers[0].image + value: custom.registry.io/ingress-nginx/controller:v1.0.0-dev@sha256:faa2d18687f734994b6bd9e309e7a73852a81c30e1b8f63165fcd4f0a087e3cd + + - it: should create a Deployment with a custom image if `controller.image.image` is set + set: + controller.image.image: custom-repo/custom-image + controller.image.tag: v1.0.0-dev + controller.image.digest: sha256:faa2d18687f734994b6bd9e309e7a73852a81c30e1b8f63165fcd4f0a087e3cd + asserts: + - equal: + path: spec.template.spec.containers[0].image + value: registry.k8s.io/custom-repo/custom-image:v1.0.0-dev@sha256:faa2d18687f734994b6bd9e309e7a73852a81c30e1b8f63165fcd4f0a087e3cd + + - it: should create a Deployment with a custom tag if `controller.image.tag` is set + set: + controller.image.tag: custom-tag + controller.image.digest: sha256:faa2d18687f734994b6bd9e309e7a73852a81c30e1b8f63165fcd4f0a087e3cd + asserts: + - equal: + path: spec.template.spec.containers[0].image + value: registry.k8s.io/ingress-nginx/controller:custom-tag@sha256:faa2d18687f734994b6bd9e309e7a73852a81c30e1b8f63165fcd4f0a087e3cd diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/tests/controller-poddisruptionbudget_test.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/tests/controller-poddisruptionbudget_test.yaml index 48b4fafc..f215f352 100644 --- a/packages/system/ingress-nginx/charts/ingress-nginx/tests/controller-poddisruptionbudget_test.yaml +++ b/packages/system/ingress-nginx/charts/ingress-nginx/tests/controller-poddisruptionbudget_test.yaml 
@@ -71,3 +71,19 @@ tests: asserts: - hasDocuments: count: 0 + + - it: should create a PodDisruptionBudget without `minAvailable` and with `maxUnavailable` if `controller.minAvailable` and `controller.maxUnavailable` are set + set: + controller.replicaCount: 2 + controller.minAvailable: 1 + controller.maxUnavailable: 1 + asserts: + - hasDocuments: + count: 1 + - isKind: + of: PodDisruptionBudget + - notExists: + path: spec.minAvailable + - equal: + path: spec.maxUnavailable + value: 1 diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/tests/controller-prometheusrule_test.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/tests/controller-prometheusrule_test.yaml new file mode 100644 index 00000000..d60a9831 --- /dev/null +++ b/packages/system/ingress-nginx/charts/ingress-nginx/tests/controller-prometheusrule_test.yaml @@ -0,0 +1,17 @@ +suite: Controller > PrometheusRule +templates: + - controller-prometheusrule.yaml + +tests: + - it: should create a PrometheusRule if `controller.metrics.prometheusRule.enabled` is true + set: + controller.metrics.enabled: true + controller.metrics.prometheusRule.enabled: true + asserts: + - hasDocuments: + count: 1 + - isKind: + of: PrometheusRule + - equal: + path: metadata.name + value: RELEASE-NAME-ingress-nginx-controller diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/tests/controller-service-webhook_test.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/tests/controller-service-webhook_test.yaml new file mode 100644 index 00000000..1c759edb --- /dev/null +++ b/packages/system/ingress-nginx/charts/ingress-nginx/tests/controller-service-webhook_test.yaml 
@@ -0,0 +1,32 @@ +suite: Controller > Service > Webhook +templates: + - controller-service-webhook.yaml + +tests: + - it: should not create a webhook Service if `controller.admissionWebhooks.enabled` is false + set: + controller.admissionWebhooks.enabled: false + asserts: + - hasDocuments: + count: 0 + + - it: should create a webhook Service if `controller.admissionWebhooks.enabled` is true + set: + controller.admissionWebhooks.enabled: true + asserts: + - hasDocuments: + count: 1 + - isKind: + of: Service + - equal: + path: metadata.name + value: RELEASE-NAME-ingress-nginx-controller-admission + + - it: should create a webhook Service with a custom port if `controller.admissionWebhooks.service.servicePort` is set + set: + controller.admissionWebhooks.enabled: true + controller.admissionWebhooks.service.servicePort: 9443 + asserts: + - equal: + path: spec.ports[0].port + value: 9443 diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/tests/controller-serviceaccount_test.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/tests/controller-serviceaccount_test.yaml new file mode 100644 index 00000000..928e5377 --- /dev/null +++ b/packages/system/ingress-nginx/charts/ingress-nginx/tests/controller-serviceaccount_test.yaml 
@@ -0,0 +1,47 @@ +suite: Controller > ServiceAccount +templates: + - controller-serviceaccount.yaml + +tests: + - it: should not create a ServiceAccount if `serviceAccount.create` is false + set: + serviceAccount.create: false + asserts: + - hasDocuments: + count: 0 + + - it: should create a ServiceAccount if `serviceAccount.create` is true + set: + serviceAccount.create: true + asserts: + - hasDocuments: + count: 1 + - isKind: + of: ServiceAccount + - equal: + path: metadata.name + value: RELEASE-NAME-ingress-nginx + + - it: should create a ServiceAccount with specified name if `serviceAccount.name` is set + set: + serviceAccount.name: ingress-nginx-admission-test-sa + asserts: + - hasDocuments: + count: 1 + - isKind: + of: ServiceAccount + - equal: + path: metadata.name + value: ingress-nginx-admission-test-sa + + - it: should create a ServiceAccount with token auto-mounting disabled if `serviceAccount.automountServiceAccountToken` is false + set: + serviceAccount.automountServiceAccountToken: false + asserts: + - hasDocuments: + count: 1 + - isKind: + of: ServiceAccount + - equal: + path: automountServiceAccountToken + value: false diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/tests/controller-servicemonitor_test.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/tests/controller-servicemonitor_test.yaml new file mode 100644 index 00000000..310097c1 --- /dev/null +++ b/packages/system/ingress-nginx/charts/ingress-nginx/tests/controller-servicemonitor_test.yaml 
@@ -0,0 +1,29 @@ +suite: Controller > ServiceMonitor +templates: + - controller-servicemonitor.yaml + +tests: + - it: should create a ServiceMonitor if `controller.metrics.serviceMonitor.enabled` is true + set: + controller.metrics.enabled: true + controller.metrics.serviceMonitor.enabled: true + asserts: + - hasDocuments: + count: 1 + - isKind: + of: ServiceMonitor + - equal: + path: metadata.name + value: RELEASE-NAME-ingress-nginx-controller + + - it: should create a ServiceMonitor with annotations if `controller.metrics.serviceMonitor.annotations` is set + set: + controller.metrics.enabled: true + controller.metrics.serviceMonitor.enabled: true + controller.metrics.serviceMonitor.annotations: + my-little-annotation: test-value + asserts: + - equal: + path: metadata.annotations + value: + my-little-annotation: test-value diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/tests/default-backend-deployment_test.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/tests/default-backend-deployment_test.yaml index e237fe7e..4ba4b03d 100644 --- a/packages/system/ingress-nginx/charts/ingress-nginx/tests/default-backend-deployment_test.yaml +++ b/packages/system/ingress-nginx/charts/ingress-nginx/tests/default-backend-deployment_test.yaml 
@@ -135,3 +135,35 @@ tests: values: - default-backend topologyKey: kubernetes.io/hostname + + - it: should create a Deployment with a custom registry if `defaultBackend.image.registry` is set + set: + defaultBackend.enabled: true + defaultBackend.image.registry: custom.registry.io + defaultBackend.image.tag: v1.0.0-dev + defaultBackend.image.digest: sha256:faa2d18687f734994b6bd9e309e7a73852a81c30e1b8f63165fcd4f0a087e3cd + asserts: + - equal: + path: spec.template.spec.containers[0].image + value: custom.registry.io/defaultbackend-amd64:v1.0.0-dev@sha256:faa2d18687f734994b6bd9e309e7a73852a81c30e1b8f63165fcd4f0a087e3cd + + - it: should create a Deployment with a custom image if `defaultBackend.image.image` is set + set: + defaultBackend.enabled: true + defaultBackend.image.image: custom-repo/custom-image + defaultBackend.image.tag: v1.0.0-dev + defaultBackend.image.digest: sha256:faa2d18687f734994b6bd9e309e7a73852a81c30e1b8f63165fcd4f0a087e3cd + asserts: + - equal: + path: spec.template.spec.containers[0].image + value: registry.k8s.io/custom-repo/custom-image:v1.0.0-dev@sha256:faa2d18687f734994b6bd9e309e7a73852a81c30e1b8f63165fcd4f0a087e3cd + + - it: should create a Deployment with a custom tag if `defaultBackend.image.tag` is set + set: + defaultBackend.enabled: true + defaultBackend.image.tag: custom-tag + defaultBackend.image.digest: sha256:faa2d18687f734994b6bd9e309e7a73852a81c30e1b8f63165fcd4f0a087e3cd + asserts: + - equal: + path: spec.template.spec.containers[0].image + value: registry.k8s.io/defaultbackend-amd64:custom-tag@sha256:faa2d18687f734994b6bd9e309e7a73852a81c30e1b8f63165fcd4f0a087e3cd diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/tests/default-backend-poddisruptionbudget_test.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/tests/default-backend-poddisruptionbudget_test.yaml new file mode 100644 index 00000000..09580186 --- /dev/null 
+++ b/packages/system/ingress-nginx/charts/ingress-nginx/tests/default-backend-poddisruptionbudget_test.yaml @@ -0,0 +1,48 @@ +suite: Default Backend > PodDisruptionBudget +templates: + - default-backend-poddisruptionbudget.yaml + +tests: + - it: should create a PodDisruptionBudget if `defaultBackend.replicaCount` is greater than 1 + set: + defaultBackend.enabled: true + defaultBackend.replicaCount: 2 + asserts: + - hasDocuments: + count: 1 + - isKind: + of: PodDisruptionBudget + - equal: + path: metadata.name + value: RELEASE-NAME-ingress-nginx-defaultbackend + + - it: should not create a PodDisruptionBudget if `defaultBackend.replicaCount` is less than or equal 1 + set: + defaultBackend.enabled: true + defaultBackend.replicaCount: 1 + asserts: + - hasDocuments: + count: 0 + + - it: should create a PodDisruptionBudget if `defaultBackend.autoscaling.enabled` is true and `defaultBackend.autoscaling.minReplicas` is greater than 1 + set: + defaultBackend.enabled: true + defaultBackend.autoscaling.enabled: true + defaultBackend.autoscaling.minReplicas: 2 + asserts: + - hasDocuments: + count: 1 + - isKind: + of: PodDisruptionBudget + - equal: + path: metadata.name + value: RELEASE-NAME-ingress-nginx-defaultbackend + + - it: should not create a PodDisruptionBudget if `defaultBackend.autoscaling.enabled` is true and `defaultBackend.autoscaling.minReplicas` is less than or equal 1 + set: + defaultBackend.enabled: true + defaultBackend.autoscaling.enabled: true + defaultBackend.autoscaling.minReplicas: 1 + asserts: + - hasDocuments: + count: 0 diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/tests/default-backend-serviceaccount_test.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/tests/default-backend-serviceaccount_test.yaml new file mode 100644 index 00000000..05a815d0 --- /dev/null +++ b/packages/system/ingress-nginx/charts/ingress-nginx/tests/default-backend-serviceaccount_test.yaml 
@@ -0,0 +1,51 @@ +suite: Default Backend > ServiceAccount +templates: + - default-backend-serviceaccount.yaml + +tests: + - it: should not create a ServiceAccount if `defaultBackend.serviceAccount.create` is false + set: + defaultBackend.enabled: true + defaultBackend.serviceAccount.create: false + asserts: + - hasDocuments: + count: 0 + + - it: should create a ServiceAccount if `defaultBackend.serviceAccount.create` is true + set: + defaultBackend.enabled: true + defaultBackend.serviceAccount.create: true + asserts: + - hasDocuments: + count: 1 + - isKind: + of: ServiceAccount + - equal: + path: metadata.name + value: RELEASE-NAME-ingress-nginx-backend + + - it: should create a ServiceAccount with specified name if `defaultBackend.serviceAccount.name` is set + set: + defaultBackend.enabled: true + defaultBackend.serviceAccount.name: ingress-nginx-admission-test-sa + asserts: + - hasDocuments: + count: 1 + - isKind: + of: ServiceAccount + - equal: + path: metadata.name + value: ingress-nginx-admission-test-sa + + - it: should create a ServiceAccount with token auto-mounting disabled if `defaultBackend.serviceAccount.automountServiceAccountToken` is false + set: + defaultBackend.enabled: true + defaultBackend.serviceAccount.automountServiceAccountToken: false + asserts: + - hasDocuments: + count: 1 + - isKind: + of: ServiceAccount + - equal: + path: automountServiceAccountToken + value: false diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/values.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/values.yaml index 92735d2a..1c9f1c58 100644 --- a/packages/system/ingress-nginx/charts/ingress-nginx/values.yaml +++ b/packages/system/ingress-nginx/charts/ingress-nginx/values.yaml 
@@ -26,9 +26,9 @@ controller: ## for backwards compatibility consider setting the full image url via the repository value below ## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail ## repository: - tag: "v1.11.1" - digest: sha256:e6439a12b52076965928e83b7b56aae6731231677b01e81818bce7fa5c60161a - digestChroot: sha256:7cabe4bd7558bfdf5b707976d7be56fd15ffece735d7c90fc238b6eda290fd8d + tag: "v1.11.5" + digest: sha256:a1cbad75b0a7098bf9325132794dddf9eef917e8a7fe246749a4cea7ff6f01eb + digestChroot: sha256:ec9df3eb6b06563a079ee46045da94cbf750f7dbb16fdbcb9e3265b551ed72ad pullPolicy: IfNotPresent runAsNonRoot: true # www-data -> uid 101 @@ -194,7 +194,7 @@ controller: # -- Annotations to be added to the udp config configmap annotations: {} # -- Maxmind license key to download GeoLite2 Databases. - ## https://blog.maxmind.com/2019/12/18/significant-changes-to-accessing-and-using-geolite2-databases + ## https://blog.maxmind.com/2019/12/significant-changes-to-accessing-and-using-geolite2-databases/ maxmindLicenseKey: "" # -- Additional command line arguments to pass to Ingress-Nginx Controller # E.g. to specify the default SSL certificate you can use @@ -299,6 +299,8 @@ controller: # app.kubernetes.io/name: '{{ include "ingress-nginx.name" . }}' # app.kubernetes.io/instance: '{{ .Release.Name }}' # app.kubernetes.io/component: controller + # matchLabelKeys: + # - pod-template-hash # topologyKey: topology.kubernetes.io/zone # maxSkew: 1 # whenUnsatisfiable: ScheduleAnyway @@ -307,6 +309,8 @@ controller: # app.kubernetes.io/name: '{{ include "ingress-nginx.name" . }}' # app.kubernetes.io/instance: '{{ .Release.Name }}' # app.kubernetes.io/component: controller + # matchLabelKeys: + # - pod-template-hash # topologyKey: kubernetes.io/hostname # maxSkew: 1 # whenUnsatisfiable: ScheduleAnyway 
@@ -706,12 +710,12 @@ controller: name: opentelemetry image: registry: registry.k8s.io - image: ingress-nginx/opentelemetry + image: ingress-nginx/opentelemetry-1.25.3 ## for backwards compatibility consider setting the full image url via the repository value below ## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail ## repository: - tag: "v20230721-3e2062ee5" - digest: sha256:13bee3f5223883d3ca62fee7309ad02d22ec00ff0d7033e3e9aca7a9f60fd472 + tag: v20240813-b933310d + digest: sha256:f7604ac0547ed64d79b98d92133234e66c2c8aade3c1f4809fed5eec1fb7f922 distroless: true containerSecurityContext: runAsNonRoot: true @@ -804,8 +808,8 @@ controller: ## for backwards compatibility consider setting the full image url via the repository value below ## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail ## repository: - tag: v1.4.1 - digest: sha256:36d05b4077fb8e3d13663702fa337f124675ba8667cbd949c03a8e8ea6fa4366 + tag: v1.5.2 + digest: sha256:e8825994b7a2c7497375a9b945f386506ca6a3eda80b89b74ef2db743f66a5ea pullPolicy: IfNotPresent # -- Provide a priority class name to the webhook patching job ## @@ -873,6 +877,7 @@ controller: serviceMonitor: enabled: false additionalLabels: {} + # -- Annotations to be added to the ServiceMonitor. annotations: {} ## The label to use to retrieve the job name from. ## jobLabel: "app.kubernetes.io/name" @@ -1062,6 +1067,8 @@ defaultBackend: # app.kubernetes.io/name: '{{ include "ingress-nginx.name" . }}' # app.kubernetes.io/instance: '{{ .Release.Name }}' # app.kubernetes.io/component: default-backend + # matchLabelKeys: + # - pod-template-hash # topologyKey: topology.kubernetes.io/zone # maxSkew: 1 # whenUnsatisfiable: ScheduleAnyway 
@@ -1070,6 +1077,8 @@ defaultBackend: # app.kubernetes.io/name: '{{ include "ingress-nginx.name" . }}' # app.kubernetes.io/instance: '{{ .Release.Name }}' # app.kubernetes.io/component: default-backend + # matchLabelKeys: + # - pod-template-hash # topologyKey: kubernetes.io/hostname # maxSkew: 1 # whenUnsatisfiable: ScheduleAnyway @@ -1090,6 +1099,7 @@ defaultBackend: ## podAnnotations: {} replicaCount: 1 + # -- Minimum available pods set in PodDisruptionBudget. minAvailable: 1 resources: {} # limits: diff --git a/packages/system/ingress-nginx/values.yaml b/packages/system/ingress-nginx/values.yaml index 3515968a..b20d647b 100644 --- a/packages/system/ingress-nginx/values.yaml +++ b/packages/system/ingress-nginx/values.yaml @@ -4,9 +4,9 @@ ingress-nginx: enable-ssl-passthrough: "" image: registry: ghcr.io - image: kvaps/ingress-nginx-with-protobuf-exporter/controller - tag: v1.11.2 - digest: sha256:e80856ece4e30e9646d65c8d92c25a3446a0bba1c2468cd026f17df9e60d2c0f + image: cozystack/ingress-nginx-with-protobuf-exporter/controller + tag: v1.11.5 + digest: sha256:b78ae118129a9417d4126744cab2fc2f777b3a9ac460d74caa4b57a479b98ead allowSnippetAnnotations: true replicaCount: 2 admissionWebhooks: @@ -16,7 +16,7 @@ ingress-nginx: enabled: true extraContainers: - name: protobuf-exporter - image: ghcr.io/kvaps/ingress-nginx-with-protobuf-exporter/protobuf-exporter:v1.11.2@sha256:25ed6a5f508bbc59134ad786f1e765d1c2187742075a4e828d68ef3f07a78e52 + image: ghcr.io/cozystack/ingress-nginx-with-protobuf-exporter/protobuf-exporter:v1.11.5@sha256:1e60d53324c2028d6f20136cdd5553ebf2d1288aefc5900b96cd379680fc25dc args: - --server.telemetry-address=0.0.0.0:9090 - --server.exporter-address=0.0.0.0:9091 From cc9abbc50567b40bf027154fd0e9178c49473341 Mon Sep 17 00:00:00 2001 
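Review bot: `allowSnippetAnnotations: true` stays enabled on the context line directly below the new controller digest in `packages/system/ingress-nginx/values.yaml`, so moving to a patched controller still leaves raw NGINX snippet annotations available to anyone who may create or edit an Ingress. Whether tenants can manage their own Ingress objects is not visible from this hunk. If they can, I would set `allowSnippetAnnotations: false`. Otherwise, add a comment above the key saying which workloads need snippets and that Ingress write access is limited to trusted principals. The `ingress-nginx:` mapping and the `admissionWebhooks:` key continue outside the hunk.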
From: Timofei Larkin Date: Fri, 28 Mar 2025 16:49:31 +0300 Subject: [PATCH 15/16] Use backported ingress controller Due to upstream compat issues we backport the security patches to v1.11.2 of the ingress controller and do not rebuild the existing protobuf exporter. Signed-off-by: Timofei Larkin --- packages/system/ingress-nginx/values.yaml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/packages/system/ingress-nginx/values.yaml b/packages/system/ingress-nginx/values.yaml index b20d647b..5571ff37 100644 --- a/packages/system/ingress-nginx/values.yaml +++ b/packages/system/ingress-nginx/values.yaml @@ -5,8 +5,8 @@ ingress-nginx: image: registry: ghcr.io image: cozystack/ingress-nginx-with-protobuf-exporter/controller - tag: v1.11.5 - digest: sha256:b78ae118129a9417d4126744cab2fc2f777b3a9ac460d74caa4b57a479b98ead + tag: v1.11.2 + digest: sha256:beba8869ee370599e1f26557a9669ebdc9481c07b34059f348eb3e17b647e7e0 allowSnippetAnnotations: true replicaCount: 2 admissionWebhooks: @@ -16,7 +16,7 @@ ingress-nginx: enabled: true extraContainers: - name: protobuf-exporter - image: ghcr.io/cozystack/ingress-nginx-with-protobuf-exporter/protobuf-exporter:v1.11.5@sha256:1e60d53324c2028d6f20136cdd5553ebf2d1288aefc5900b96cd379680fc25dc + image: ghcr.io/kvaps/ingress-nginx-with-protobuf-exporter/protobuf-exporter:v1.11.2@sha256:6d9235a9ee6f2be1921db4687afbdcd85d145b087dd916b5a96455bdb5cff560 args: - --server.telemetry-address=0.0.0.0:9090 - --server.exporter-address=0.0.0.0:9091 @@ -65,3 +65,4 @@ ingress-nginx: requests: cpu: 10m memory: 20Mi + From 5c900a7467d9601a58c981ef452eaa74acf838fe Mon Sep 17 00:00:00 2001 From: Timofei Larkin Date: Fri, 28 Mar 2025 17:00:07 +0300 Subject: [PATCH 16/16] Revert ingress nginx chart to v4.11.2 
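Review bot: The controller pin goes back to `tag: v1.11.2`, but per the commit message this is an image carrying backported security patches, so the tag no longer identifies which code is running. Anything keyed on the version string (an image scanner, an operator reading this file) will see plain v1.11.2, and only the digest tells the builds apart. I would record that next to the pin, e.g. `# v1.11.2 plus backported security patches, built by this project; not the upstream v1.11.2 image`, or publish the build under a distinct tag suffix. The blank line added at the end of the file by the last hunk can be dropped.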
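Review bot: The `protobuf-exporter:v1.11.2` pin in the `extraContainers` hunk uses the digest beginning `sha256:6d9235a9`, which is not the one the preceding patch removed for the same tag under `ghcr.io/kvaps/` (beginning `sha256:25ed6a5f`), although the commit message says the exporter is not rebuilt. Please confirm which image this digest resolves to and that the change is intended, since a digest that moves under an unchanged tag is what pinning is meant to surface. The controller now comes from `cozystack/` and the sidecar from `kvaps/`, so one pod runs images from two publishers. A short comment above the `image:` line saying why would help anyone auditing image provenance later.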
Signed-off-by: Timofei Larkin --- .../charts/ingress-nginx/Chart.yaml | 8 ++- .../ingress-nginx/charts/ingress-nginx/OWNERS | 6 ++ .../charts/ingress-nginx/README.md | 36 +++--------- .../charts/ingress-nginx/README.md.gotmpl | 18 ------ ...ler-admission-tls-cert-manager-values.yaml | 6 ++ .../controller-custom-ingressclass-flags.yaml | 7 +++ ...roller-daemonset-extra-modules-values.yaml | 30 ---------- ...oller-deployment-extra-modules-values.yaml | 30 ---------- ...oller-deployment-opentelemetry-values.yaml | 13 ----- .../ci/controller-ingressclass-values.yaml | 15 ----- .../ci/daemonset-customconfig-values.yaml | 14 +++++ .../ci/daemonset-customnodeport-values.yaml | 22 ++++++++ .../ci/daemonset-extra-modules.yaml | 13 +++++ .../ci/daemonset-headers-values.yaml | 14 +++++ ...yaml => daemonset-internal-lb-values.yaml} | 5 +- .../ci/daemonset-nodeport-values.yaml | 10 ++++ ...l => daemonset-podannotations-values.yaml} | 13 +++-- ...set-tcp-udp-configMapNamespace-values.yaml | 20 +++++++ ...emonset-tcp-udp-portNamePrefix-values.yaml | 18 ++++++ .../ci/daemonset-tcp-udp-values.yaml | 16 ++++++ .../ci/daemonset-tcp-values.yaml | 14 +++++ ...ues.yaml => deamonset-default-values.yaml} | 8 +-- .../ci/deamonset-metrics-values.yaml | 12 ++++ ...ues.yaml => deamonset-webhook-values.yaml} | 9 +-- ...ployment-autoscaling-behavior-values.yaml} | 12 ++-- .../ci/deployment-autoscaling-values.yaml | 11 ++++ ...ml => deployment-customconfig-values.yaml} | 9 +-- ... 
=> deployment-customnodeport-values.yaml} | 10 ++-- ...es.yaml => deployment-default-values.yaml} | 4 +- ...modules-default-container-sec-context.yaml | 15 +++++ ...odules-specific-container-sec-context.yaml | 15 +++++ .../ci/deployment-extra-modules.yaml | 13 +++++ ...es.yaml => deployment-headers-values.yaml} | 10 ++-- .../ci/deployment-internal-lb-values.yaml | 19 +++++++ .../ci/deployment-metrics-values.yaml | 11 ++++ ...s.yaml => deployment-nodeport-values.yaml} | 7 +-- ...-opentelemetry-customregistry-values.yaml} | 4 -- ... => deployment-podannotations-values.yaml} | 12 ++-- ...ent-tcp-udp-configMapNamespace-values.yaml | 19 +++++++ ...loyment-tcp-udp-portNamePrefix-values.yaml | 17 ++++++ .../ci/deployment-tcp-udp-values.yaml | 15 +++++ ...values.yaml => deployment-tcp-values.yaml} | 6 +- .../deployment-webhook-extraEnvs-values.yaml | 12 ++++ .../deployment-webhook-resources-values.yaml | 23 ++++++++ ...es.yaml => deployment-webhook-values.yaml} | 8 +-- .../ingress-nginx/templates/_helpers.tpl | 2 +- .../validating-webhook.yaml | 1 - ...e.yaml => controller-prometheusrules.yaml} | 0 .../templates/controller-service-webhook.yaml | 2 +- .../templates/controller-servicemonitor.yaml | 55 ++++++++++--------- .../templates/default-backend-deployment.yaml | 2 +- .../default-backend-poddisruptionbudget.yaml | 6 +- .../default-backend-serviceaccount.yaml | 4 +- .../job-patch/serviceaccount_test.yaml | 2 +- .../validating-webhook_test.yaml | 32 ----------- .../tests/controller-configmap_test.yaml | 16 +++--- .../tests/controller-daemonset_test.yaml | 26 +-------- .../tests/controller-deployment_test.yaml | 24 +------- .../controller-poddisruptionbudget_test.yaml | 16 ------ .../tests/controller-prometheusrule_test.yaml | 17 ------ .../controller-service-webhook_test.yaml | 32 ----------- .../tests/controller-serviceaccount_test.yaml | 47 ---------------- .../tests/controller-servicemonitor_test.yaml | 29 ---------- .../default-backend-deployment_test.yaml | 32 
----------- ...ault-backend-poddisruptionbudget_test.yaml | 48 ---------------- .../default-backend-serviceaccount_test.yaml | 51 ----------------- .../charts/ingress-nginx/values.yaml | 22 ++------ 67 files changed, 460 insertions(+), 615 deletions(-) create mode 100644 packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-admission-tls-cert-manager-values.yaml create mode 100644 packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-custom-ingressclass-flags.yaml delete mode 100644 packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-daemonset-extra-modules-values.yaml delete mode 100644 packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-deployment-extra-modules-values.yaml delete mode 100644 packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-deployment-opentelemetry-values.yaml delete mode 100644 packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-ingressclass-values.yaml create mode 100644 packages/system/ingress-nginx/charts/ingress-nginx/ci/daemonset-customconfig-values.yaml create mode 100644 packages/system/ingress-nginx/charts/ingress-nginx/ci/daemonset-customnodeport-values.yaml create mode 100644 packages/system/ingress-nginx/charts/ingress-nginx/ci/daemonset-extra-modules.yaml create mode 100644 packages/system/ingress-nginx/charts/ingress-nginx/ci/daemonset-headers-values.yaml rename packages/system/ingress-nginx/charts/ingress-nginx/ci/{controller-service-internal-values.yaml => daemonset-internal-lb-values.yaml} (81%) create mode 100644 packages/system/ingress-nginx/charts/ingress-nginx/ci/daemonset-nodeport-values.yaml rename packages/system/ingress-nginx/charts/ingress-nginx/ci/{controller-daemonset-podannotations-values.yaml => daemonset-podannotations-values.yaml} (81%) create mode 100644 packages/system/ingress-nginx/charts/ingress-nginx/ci/daemonset-tcp-udp-configMapNamespace-values.yaml create mode 100644 
packages/system/ingress-nginx/charts/ingress-nginx/ci/daemonset-tcp-udp-portNamePrefix-values.yaml create mode 100644 packages/system/ingress-nginx/charts/ingress-nginx/ci/daemonset-tcp-udp-values.yaml create mode 100644 packages/system/ingress-nginx/charts/ingress-nginx/ci/daemonset-tcp-values.yaml rename packages/system/ingress-nginx/charts/ingress-nginx/ci/{admission-webhooks-cert-manager-values.yaml => deamonset-default-values.yaml} (79%) create mode 100644 packages/system/ingress-nginx/charts/ingress-nginx/ci/deamonset-metrics-values.yaml rename packages/system/ingress-nginx/charts/ingress-nginx/ci/{controller-daemonset-metrics-values.yaml => deamonset-webhook-values.yaml} (89%) rename packages/system/ingress-nginx/charts/ingress-nginx/ci/{controller-hpa-values.yaml => deployment-autoscaling-behavior-values.yaml} (71%) create mode 100644 packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-autoscaling-values.yaml rename packages/system/ingress-nginx/charts/ingress-nginx/ci/{controller-configmap-values.yaml => deployment-customconfig-values.yaml} (70%) rename packages/system/ingress-nginx/charts/ingress-nginx/ci/{controller-service-values.yaml => deployment-customnodeport-values.yaml} (69%) rename packages/system/ingress-nginx/charts/ingress-nginx/ci/{controller-daemonset-values.yaml => deployment-default-values.yaml} (78%) create mode 100644 packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-extra-modules-default-container-sec-context.yaml create mode 100644 packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-extra-modules-specific-container-sec-context.yaml create mode 100644 packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-extra-modules.yaml rename packages/system/ingress-nginx/charts/ingress-nginx/ci/{controller-configmap-proxyheaders-values.yaml => deployment-headers-values.yaml} (69%) create mode 100644 packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-internal-lb-values.yaml create 
mode 100644 packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-metrics-values.yaml rename packages/system/ingress-nginx/charts/ingress-nginx/ci/{controller-deployment-values.yaml => deployment-nodeport-values.yaml} (65%) rename packages/system/ingress-nginx/charts/ingress-nginx/ci/{controller-daemonset-opentelemetry-values.yaml => deployment-opentelemetry-customregistry-values.yaml} (88%) rename packages/system/ingress-nginx/charts/ingress-nginx/ci/{controller-deployment-podannotations-values.yaml => deployment-podannotations-values.yaml} (80%) create mode 100644 packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-tcp-udp-configMapNamespace-values.yaml create mode 100644 packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-tcp-udp-portNamePrefix-values.yaml create mode 100644 packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-tcp-udp-values.yaml rename packages/system/ingress-nginx/charts/ingress-nginx/ci/{controller-configmap-addheaders-values.yaml => deployment-tcp-values.yaml} (68%) create mode 100644 packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-webhook-extraEnvs-values.yaml create mode 100644 packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-webhook-resources-values.yaml rename packages/system/ingress-nginx/charts/ingress-nginx/ci/{controller-deployment-metrics-values.yaml => deployment-webhook-values.yaml} (82%) rename packages/system/ingress-nginx/charts/ingress-nginx/templates/{controller-prometheusrule.yaml => controller-prometheusrules.yaml} (100%) delete mode 100644 packages/system/ingress-nginx/charts/ingress-nginx/tests/admission-webhooks/validating-webhook_test.yaml delete mode 100644 packages/system/ingress-nginx/charts/ingress-nginx/tests/controller-prometheusrule_test.yaml delete mode 100644 packages/system/ingress-nginx/charts/ingress-nginx/tests/controller-service-webhook_test.yaml delete mode 100644 
packages/system/ingress-nginx/charts/ingress-nginx/tests/controller-serviceaccount_test.yaml delete mode 100644 packages/system/ingress-nginx/charts/ingress-nginx/tests/controller-servicemonitor_test.yaml delete mode 100644 packages/system/ingress-nginx/charts/ingress-nginx/tests/default-backend-poddisruptionbudget_test.yaml delete mode 100644 packages/system/ingress-nginx/charts/ingress-nginx/tests/default-backend-serviceaccount_test.yaml diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/Chart.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/Chart.yaml index 39142ef4..fd7b8103 100644 --- a/packages/system/ingress-nginx/charts/ingress-nginx/Chart.yaml +++ b/packages/system/ingress-nginx/charts/ingress-nginx/Chart.yaml @@ -1,9 +1,9 @@ annotations: artifacthub.io/changes: | - - Update Ingress-Nginx version controller-v1.11.5 + - Update Ingress-Nginx version controller-v1.11.2 artifacthub.io/prerelease: "false" apiVersion: v2 -appVersion: 1.11.5 +appVersion: 1.11.2 description: Ingress controller for Kubernetes using NGINX as a reverse proxy and load balancer home: https://github.com/kubernetes/ingress-nginx @@ -15,9 +15,11 @@ kubeVersion: '>=1.21.0-0' maintainers: - name: cpanato - name: Gacko +- name: puerco +- name: rikatz - name: strongjz - name: tao12345666333 name: ingress-nginx sources: - https://github.com/kubernetes/ingress-nginx -version: 4.11.5 +version: 4.11.2 diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/OWNERS b/packages/system/ingress-nginx/charts/ingress-nginx/OWNERS index 428474f6..d588ede6 100644 --- a/packages/system/ingress-nginx/charts/ingress-nginx/OWNERS +++ b/packages/system/ingress-nginx/charts/ingress-nginx/OWNERS @@ -1,4 +1,10 @@ # See the OWNERS docs: https://www.kubernetes.dev/docs/guide/owners +approvers: +- ingress-nginx-helm-maintainers + +reviewers: +- ingress-nginx-helm-reviewers + labels: - area/helm 
diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/README.md b/packages/system/ingress-nginx/charts/ingress-nginx/README.md index d36a564c..26eab285 100644 --- a/packages/system/ingress-nginx/charts/ingress-nginx/README.md +++ b/packages/system/ingress-nginx/charts/ingress-nginx/README.md @@ -2,7 +2,7 @@ [ingress-nginx](https://github.com/kubernetes/ingress-nginx) Ingress controller for Kubernetes using NGINX as a reverse proxy and load balancer -![Version: 4.11.5](https://img.shields.io/badge/Version-4.11.5-informational?style=flat-square) ![AppVersion: 1.11.5](https://img.shields.io/badge/AppVersion-1.11.5-informational?style=flat-square) +![Version: 4.11.2](https://img.shields.io/badge/Version-4.11.2-informational?style=flat-square) ![AppVersion: 1.11.2](https://img.shields.io/badge/AppVersion-1.11.2-informational?style=flat-square) To use, add `ingressClassName: nginx` spec field or the `kubernetes.io/ingress.class: nginx` annotation to your Ingress resources. @@ -229,24 +229,6 @@ Detail of how and why are in [this issue](https://github.com/helm/charts/pull/13 As of version `1.26.0` of this chart, by simply not providing any clusterIP value, `invalid: spec.clusterIP: Invalid value: "": field is immutable` will no longer occur since `clusterIP: ""` will not be rendered. -### Pod Security Admission - -You can use Pod Security Admission by applying labels to the `ingress-nginx` namespace as instructed by the [documentation](https://kubernetes.io/docs/tasks/configure-pod-container/enforce-standards-namespace-labels). - -Example: - -```yaml -apiVersion: v1 -kind: Namespace -metadata: - name: ingress-nginx - labels: - kubernetes.io/metadata.name: ingress-nginx - name: ingress-nginx - pod-security.kubernetes.io/enforce: restricted - pod-security.kubernetes.io/enforce-version: v1.31 -``` - ## Values | Key | Type | Default | Description | 
@@ -271,11 +253,11 @@ metadata: | controller.admissionWebhooks.namespaceSelector | object | `{}` | | | controller.admissionWebhooks.objectSelector | object | `{}` | | | controller.admissionWebhooks.patch.enabled | bool | `true` | | -| controller.admissionWebhooks.patch.image.digest | string | `"sha256:e8825994b7a2c7497375a9b945f386506ca6a3eda80b89b74ef2db743f66a5ea"` | | +| controller.admissionWebhooks.patch.image.digest | string | `"sha256:a320a50cc91bd15fd2d6fa6de58bd98c1bd64b9a6f926ce23a600d87043455a3"` | | | controller.admissionWebhooks.patch.image.image | string | `"ingress-nginx/kube-webhook-certgen"` | | | controller.admissionWebhooks.patch.image.pullPolicy | string | `"IfNotPresent"` | | | controller.admissionWebhooks.patch.image.registry | string | `"registry.k8s.io"` | | -| controller.admissionWebhooks.patch.image.tag | string | `"v1.5.2"` | | +| controller.admissionWebhooks.patch.image.tag | string | `"v1.4.3"` | | | controller.admissionWebhooks.patch.labels | object | `{}` | Labels to be added to patch job resources | | controller.admissionWebhooks.patch.networkPolicy.enabled | bool | `false` | Enable 'networkPolicy' or not | | controller.admissionWebhooks.patch.nodeSelector."kubernetes.io/os" | string | `"linux"` | | 
@@ -343,8 +325,8 @@ metadata: | controller.hostname | object | `{}` | Optionally customize the pod hostname. | | controller.image.allowPrivilegeEscalation | bool | `false` | | | controller.image.chroot | bool | `false` | | -| controller.image.digest | string | `"sha256:a1cbad75b0a7098bf9325132794dddf9eef917e8a7fe246749a4cea7ff6f01eb"` | | -| controller.image.digestChroot | string | `"sha256:ec9df3eb6b06563a079ee46045da94cbf750f7dbb16fdbcb9e3265b551ed72ad"` | | +| controller.image.digest | string | `"sha256:d5f8217feeac4887cb1ed21f27c2674e58be06bd8f5184cacea2a69abaf78dce"` | | +| controller.image.digestChroot | string | `"sha256:21b55a2f0213a18b91612a8c0850167e00a8e34391fd595139a708f9c047e7a8"` | | | controller.image.image | string | `"ingress-nginx/controller"` | | | controller.image.pullPolicy | string | `"IfNotPresent"` | | | controller.image.readOnlyRootFilesystem | bool | `false` | | 
@@ -352,7 +334,7 @@ metadata: | controller.image.runAsNonRoot | bool | `true` | | | controller.image.runAsUser | int | `101` | | | controller.image.seccompProfile.type | string | `"RuntimeDefault"` | | -| controller.image.tag | string | `"v1.11.5"` | | +| controller.image.tag | string | `"v1.11.2"` | | | controller.ingressClass | string | `"nginx"` | For backwards compatibility with ingress.class annotation, use ingressClass. Algorithm is as follows, first ingressClassName is considered, if not present, controller looks for ingress.class annotation | | controller.ingressClassByName | bool | `false` | Process IngressClass per name (additionally as per spec.controller). | | controller.ingressClassResource | object | `{"aliases":[],"annotations":{},"controllerValue":"k8s.io/ingress-nginx","default":false,"enabled":true,"name":"nginx","parameters":{}}` | This section refers to the creation of the IngressClass resource. IngressClasses are immutable and cannot be changed after creation. We do not support namespaced IngressClasses, yet, so a ClusterRole and a ClusterRoleBinding is required. | @@ -384,7 +366,7 @@ metadata: | controller.livenessProbe.periodSeconds | int | `10` | | | controller.livenessProbe.successThreshold | int | `1` | | | controller.livenessProbe.timeoutSeconds | int | `1` | | -| controller.maxmindLicenseKey | string | `""` | Maxmind license key to download GeoLite2 Databases. # https://blog.maxmind.com/2019/12/significant-changes-to-accessing-and-using-geolite2-databases/ | +| controller.maxmindLicenseKey | string | `""` | Maxmind license key to download GeoLite2 Databases. # https://blog.maxmind.com/2019/12/18/significant-changes-to-accessing-and-using-geolite2-databases | | controller.metrics.enabled | bool | `false` | | | controller.metrics.port | int | `10254` | | | controller.metrics.portName | string | `"metrics"` | | 
@@ -398,7 +380,7 @@ metadata: | controller.metrics.service.servicePort | int | `10254` | | | controller.metrics.service.type | string | `"ClusterIP"` | | | controller.metrics.serviceMonitor.additionalLabels | object | `{}` | | -| controller.metrics.serviceMonitor.annotations | object | `{}` | Annotations to be added to the ServiceMonitor. | +| controller.metrics.serviceMonitor.annotations | object | `{}` | | | controller.metrics.serviceMonitor.enabled | bool | `false` | | | controller.metrics.serviceMonitor.metricRelabelings | list | `[]` | | | controller.metrics.serviceMonitor.namespace | string | `""` | | @@ -533,7 +515,7 @@ metadata: | defaultBackend.livenessProbe.periodSeconds | int | `10` | | | defaultBackend.livenessProbe.successThreshold | int | `1` | | | defaultBackend.livenessProbe.timeoutSeconds | int | `5` | | -| defaultBackend.minAvailable | int | `1` | Minimum available pods set in PodDisruptionBudget. | +| defaultBackend.minAvailable | int | `1` | | | defaultBackend.minReadySeconds | int | `0` | `minReadySeconds` to avoid killing pods before we are ready # | | defaultBackend.name | string | `"defaultbackend"` | | | defaultBackend.networkPolicy.enabled | bool | `false` | Enable 'networkPolicy' or not | diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/README.md.gotmpl b/packages/system/ingress-nginx/charts/ingress-nginx/README.md.gotmpl index 3cb9d565..17b029bb 100644 --- a/packages/system/ingress-nginx/charts/ingress-nginx/README.md.gotmpl +++ b/packages/system/ingress-nginx/charts/ingress-nginx/README.md.gotmpl 
@@ -226,22 +226,4 @@ Detail of how and why are in [this issue](https://github.com/helm/charts/pull/13 As of version `1.26.0` of this chart, by simply not providing any clusterIP value, `invalid: spec.clusterIP: Invalid value: "": field is immutable` will no longer occur since `clusterIP: ""` will not be rendered. -### Pod Security Admission - -You can use Pod Security Admission by applying labels to the `ingress-nginx` namespace as instructed by the [documentation](https://kubernetes.io/docs/tasks/configure-pod-container/enforce-standards-namespace-labels). - -Example: - -```yaml -apiVersion: v1 -kind: Namespace -metadata: - name: ingress-nginx - labels: - kubernetes.io/metadata.name: ingress-nginx - name: ingress-nginx - pod-security.kubernetes.io/enforce: restricted - pod-security.kubernetes.io/enforce-version: v1.31 -``` - {{ template "chart.valuesSection" . }} diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-admission-tls-cert-manager-values.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-admission-tls-cert-manager-values.yaml new file mode 100644 index 00000000..a13241cd --- /dev/null +++ b/packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-admission-tls-cert-manager-values.yaml @@ -0,0 +1,6 @@ +controller: + admissionWebhooks: + certManager: + enabled: true + service: + type: ClusterIP diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-custom-ingressclass-flags.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-custom-ingressclass-flags.yaml new file mode 100644 index 00000000..b28a2326 --- /dev/null +++ b/packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-custom-ingressclass-flags.yaml @@ -0,0 +1,7 @@ +controller: + watchIngressWithoutClass: true + ingressClassResource: + name: custom-nginx + enabled: true + default: true + controllerValue: "k8s.io/custom-nginx" 
diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-daemonset-extra-modules-values.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-daemonset-extra-modules-values.yaml deleted file mode 100644 index edf12e77..00000000 --- a/packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-daemonset-extra-modules-values.yaml +++ /dev/null @@ -1,30 +0,0 @@ -controller: - image: - repository: ingress-controller/controller - tag: 1.0.0-dev - digest: null - - service: - type: ClusterIP - - kind: DaemonSet - - extraModules: - - name: opentelemetry - image: - registry: registry.k8s.io - image: ingress-nginx/opentelemetry-1.25.3 - tag: v20240813-b933310d - digest: sha256:f7604ac0547ed64d79b98d92133234e66c2c8aade3c1f4809fed5eec1fb7f922 - distroless: true - containerSecurityContext: - runAsNonRoot: true - runAsUser: 65532 - runAsGroup: 65532 - allowPrivilegeEscalation: false - seccompProfile: - type: RuntimeDefault - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-deployment-extra-modules-values.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-deployment-extra-modules-values.yaml deleted file mode 100644 index d4083cc3..00000000 --- a/packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-deployment-extra-modules-values.yaml +++ /dev/null 
@@ -1,30 +0,0 @@ -controller: - image: - repository: ingress-controller/controller - tag: 1.0.0-dev - digest: null - - service: - type: ClusterIP - - kind: Deployment - - extraModules: - - name: opentelemetry - image: - registry: registry.k8s.io - image: ingress-nginx/opentelemetry-1.25.3 - tag: v20240813-b933310d - digest: sha256:f7604ac0547ed64d79b98d92133234e66c2c8aade3c1f4809fed5eec1fb7f922 - distroless: true - containerSecurityContext: - runAsNonRoot: true - runAsUser: 65532 - runAsGroup: 65532 - allowPrivilegeEscalation: false - seccompProfile: - type: RuntimeDefault - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-deployment-opentelemetry-values.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-deployment-opentelemetry-values.yaml deleted file mode 100644 index 9443ddef..00000000 --- a/packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-deployment-opentelemetry-values.yaml +++ /dev/null @@ -1,13 +0,0 @@ -controller: - image: - repository: ingress-controller/controller - tag: 1.0.0-dev - digest: null - - service: - type: ClusterIP - - kind: Deployment - - opentelemetry: - enabled: true diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-ingressclass-values.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-ingressclass-values.yaml deleted file mode 100644 index c06429f9..00000000 --- a/packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-ingressclass-values.yaml +++ /dev/null @@ -1,15 +0,0 @@ -controller: - image: - repository: ingress-controller/controller - tag: 1.0.0-dev - digest: null - - service: - type: ClusterIP - - ingressClassResource: - name: custom-nginx - default: true - controllerValue: k8s.io/custom-nginx - - watchIngressWithoutClass: true 
diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/ci/daemonset-customconfig-values.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/ci/daemonset-customconfig-values.yaml new file mode 100644 index 00000000..4393a5bc --- /dev/null +++ b/packages/system/ingress-nginx/charts/ingress-nginx/ci/daemonset-customconfig-values.yaml @@ -0,0 +1,14 @@ +controller: + image: + repository: ingress-controller/controller + tag: 1.0.0-dev + digest: null + kind: DaemonSet + allowSnippetAnnotations: false + admissionWebhooks: + enabled: false + service: + type: ClusterIP + + config: + use-proxy-protocol: "true" diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/ci/daemonset-customnodeport-values.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/ci/daemonset-customnodeport-values.yaml new file mode 100644 index 00000000..1d94be21 --- /dev/null +++ b/packages/system/ingress-nginx/charts/ingress-nginx/ci/daemonset-customnodeport-values.yaml @@ -0,0 +1,22 @@ +controller: + kind: DaemonSet + image: + repository: ingress-controller/controller + tag: 1.0.0-dev + digest: null + admissionWebhooks: + enabled: false + + service: + type: NodePort + nodePorts: + tcp: + 9000: 30090 + udp: + 9001: 30091 + +tcp: + 9000: "default/test:8080" + +udp: + 9001: "default/test:8080" diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/ci/daemonset-extra-modules.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/ci/daemonset-extra-modules.yaml new file mode 100644 index 00000000..52a32fcb --- /dev/null +++ b/packages/system/ingress-nginx/charts/ingress-nginx/ci/daemonset-extra-modules.yaml @@ -0,0 +1,13 @@ +controller: + kind: DaemonSet + image: + repository: ingress-controller/controller + tag: 1.0.0-dev + service: + type: ClusterIP + extraModules: + - name: opentelemetry + image: + registry: registry.k8s.io + image: busybox + tag: latest 
diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/ci/daemonset-headers-values.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/ci/daemonset-headers-values.yaml new file mode 100644 index 00000000..ab7d47bd --- /dev/null +++ b/packages/system/ingress-nginx/charts/ingress-nginx/ci/daemonset-headers-values.yaml @@ -0,0 +1,14 @@ +controller: + kind: DaemonSet + image: + repository: ingress-controller/controller + tag: 1.0.0-dev + digest: null + admissionWebhooks: + enabled: false + addHeaders: + X-Frame-Options: deny + proxySetHeaders: + X-Forwarded-Proto: https + service: + type: ClusterIP diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-service-internal-values.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/ci/daemonset-internal-lb-values.yaml similarity index 81% rename from packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-service-internal-values.yaml rename to packages/system/ingress-nginx/charts/ingress-nginx/ci/daemonset-internal-lb-values.yaml index 11108fbc..0a200a74 100644 --- a/packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-service-internal-values.yaml +++ b/packages/system/ingress-nginx/charts/ingress-nginx/ci/daemonset-internal-lb-values.yaml @@ -1,12 +1,13 @@ controller: + kind: DaemonSet image: repository: ingress-controller/controller tag: 1.0.0-dev digest: null - + admissionWebhooks: + enabled: false service: type: ClusterIP - internal: enabled: true annotations: diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/ci/daemonset-nodeport-values.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/ci/daemonset-nodeport-values.yaml new file mode 100644 index 00000000..3b7aa2fc --- /dev/null +++ b/packages/system/ingress-nginx/charts/ingress-nginx/ci/daemonset-nodeport-values.yaml 
@@ -0,0 +1,10 @@ +controller: + kind: DaemonSet + image: + repository: ingress-controller/controller + tag: 1.0.0-dev + digest: null + admissionWebhooks: + enabled: false + service: + type: NodePort diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-daemonset-podannotations-values.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/ci/daemonset-podannotations-values.yaml similarity index 81% rename from packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-daemonset-podannotations-values.yaml rename to packages/system/ingress-nginx/charts/ingress-nginx/ci/daemonset-podannotations-values.yaml index 405992ef..0b55306a 100644 --- a/packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-daemonset-podannotations-values.yaml +++ b/packages/system/ingress-nginx/charts/ingress-nginx/ci/daemonset-podannotations-values.yaml @@ -1,16 +1,17 @@ controller: + kind: DaemonSet image: repository: ingress-controller/controller tag: 1.0.0-dev digest: null - + admissionWebhooks: + enabled: false + metrics: + enabled: true service: type: ClusterIP - - kind: DaemonSet - podAnnotations: - prometheus.io/scrape: "true" + prometheus.io/path: /metrics prometheus.io/port: "10254" prometheus.io/scheme: http - prometheus.io/path: /metrics + prometheus.io/scrape: "true" diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/ci/daemonset-tcp-udp-configMapNamespace-values.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/ci/daemonset-tcp-udp-configMapNamespace-values.yaml new file mode 100644 index 00000000..acd86a77 --- /dev/null +++ b/packages/system/ingress-nginx/charts/ingress-nginx/ci/daemonset-tcp-udp-configMapNamespace-values.yaml 
@@ -0,0 +1,20 @@
+controller:
+ kind: DaemonSet
+ image:
+ repository: ingress-controller/controller
+ tag: 1.0.0-dev
+ digest: null
+ admissionWebhooks:
+ enabled: false
+ service:
+ type: ClusterIP
+ tcp:
+ configMapNamespace: default
+ udp:
+ configMapNamespace: default
+
+tcp:
+ 9000: "default/test:8080"
+
+udp:
+ 9001: "default/test:8080"
diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/ci/daemonset-tcp-udp-portNamePrefix-values.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/ci/daemonset-tcp-udp-portNamePrefix-values.yaml
new file mode 100644
index 00000000..90b0f57a
--- /dev/null
+++ b/packages/system/ingress-nginx/charts/ingress-nginx/ci/daemonset-tcp-udp-portNamePrefix-values.yaml
@@ -0,0 +1,18 @@
+controller:
+ kind: DaemonSet
+ image:
+ repository: ingress-controller/controller
+ tag: 1.0.0-dev
+ digest: null
+ admissionWebhooks:
+ enabled: false
+ service:
+ type: ClusterIP
+
+tcp:
+ 9000: "default/test:8080"
+
+udp:
+ 9001: "default/test:8080"
+
+portNamePrefix: "port"
diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/ci/daemonset-tcp-udp-values.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/ci/daemonset-tcp-udp-values.yaml
new file mode 100644
index 00000000..25ee64d8
--- /dev/null
+++ b/packages/system/ingress-nginx/charts/ingress-nginx/ci/daemonset-tcp-udp-values.yaml
@@ -0,0 +1,16 @@
+controller:
+ kind: DaemonSet
+ image:
+ repository: ingress-controller/controller
+ tag: 1.0.0-dev
+ digest: null
+ admissionWebhooks:
+ enabled: false
+ service:
+ type: ClusterIP
+
+tcp:
+ 9000: "default/test:8080"
+
+udp:
+ 9001: "default/test:8080"
diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/ci/daemonset-tcp-values.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/ci/daemonset-tcp-values.yaml
new file mode 100644
index 00000000..380c8b4b
--- /dev/null
+++ b/packages/system/ingress-nginx/charts/ingress-nginx/ci/daemonset-tcp-values.yaml
@@ -0,0 +1,14 @@ +controller: + kind: DaemonSet + image: + repository: ingress-controller/controller + tag: 1.0.0-dev + digest: null + admissionWebhooks: + enabled: false + service: + type: ClusterIP + +tcp: + 9000: "default/test:8080" + 9001: "default/test:8080" diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/ci/admission-webhooks-cert-manager-values.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/ci/deamonset-default-values.yaml similarity index 79% rename from packages/system/ingress-nginx/charts/ingress-nginx/ci/admission-webhooks-cert-manager-values.yaml rename to packages/system/ingress-nginx/charts/ingress-nginx/ci/deamonset-default-values.yaml index 7eafd0c5..82fa23e8 100644 --- a/packages/system/ingress-nginx/charts/ingress-nginx/ci/admission-webhooks-cert-manager-values.yaml +++ b/packages/system/ingress-nginx/charts/ingress-nginx/ci/deamonset-default-values.yaml @@ -1,12 +1,10 @@ controller: + kind: DaemonSet image: repository: ingress-controller/controller tag: 1.0.0-dev digest: null - + admissionWebhooks: + enabled: false service: type: ClusterIP - - admissionWebhooks: - certManager: - enabled: true diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/ci/deamonset-metrics-values.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/ci/deamonset-metrics-values.yaml new file mode 100644 index 00000000..cb3cb54b --- /dev/null +++ b/packages/system/ingress-nginx/charts/ingress-nginx/ci/deamonset-metrics-values.yaml @@ -0,0 +1,12 @@ +controller: + kind: DaemonSet + image: + repository: ingress-controller/controller + tag: 1.0.0-dev + digest: null + admissionWebhooks: + enabled: false + metrics: + enabled: true + service: + type: ClusterIP 
diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-daemonset-metrics-values.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/ci/deamonset-webhook-values.yaml similarity index 89% rename from packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-daemonset-metrics-values.yaml rename to packages/system/ingress-nginx/charts/ingress-nginx/ci/deamonset-webhook-values.yaml index 7a98580c..54d364df 100644 --- a/packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-daemonset-metrics-values.yaml +++ b/packages/system/ingress-nginx/charts/ingress-nginx/ci/deamonset-webhook-values.yaml @@ -1,13 +1,10 @@ controller: + kind: DaemonSet image: repository: ingress-controller/controller tag: 1.0.0-dev digest: null - + admissionWebhooks: + enabled: true service: type: ClusterIP - - kind: DaemonSet - - metrics: - enabled: true diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-hpa-values.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-autoscaling-behavior-values.yaml similarity index 71% rename from packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-hpa-values.yaml rename to packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-autoscaling-behavior-values.yaml index 54a0d2f7..dca3f35f 100644 --- a/packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-hpa-values.yaml +++ b/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-autoscaling-behavior-values.yaml @@ -1,12 +1,4 @@ controller: - image: - repository: ingress-controller/controller - tag: 1.0.0-dev - digest: null - - service: - type: ClusterIP - autoscaling: enabled: true behavior: @@ -16,3 +8,7 @@ controller: - type: Pods value: 1 periodSeconds: 180 + admissionWebhooks: + enabled: false + service: + type: ClusterIP 
diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-autoscaling-values.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-autoscaling-values.yaml new file mode 100644 index 00000000..b8b3ac68 --- /dev/null +++ b/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-autoscaling-values.yaml @@ -0,0 +1,11 @@ +controller: + image: + repository: ingress-controller/controller + tag: 1.0.0-dev + digest: null + autoscaling: + enabled: true + admissionWebhooks: + enabled: false + service: + type: ClusterIP diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-configmap-values.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-customconfig-values.yaml similarity index 70% rename from packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-configmap-values.yaml rename to packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-customconfig-values.yaml index a7029895..17494184 100644 --- a/packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-configmap-values.yaml +++ b/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-customconfig-values.yaml @@ -3,9 +3,10 @@ controller: repository: ingress-controller/controller tag: 1.0.0-dev digest: null - - service: - type: ClusterIP - config: use-proxy-protocol: "true" + allowSnippetAnnotations: false + admissionWebhooks: + enabled: false + service: + type: ClusterIP diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-service-values.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-customnodeport-values.yaml similarity index 69% rename from packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-service-values.yaml rename to packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-customnodeport-values.yaml index 9039368c..a564eaf9 100644 --- a/packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-service-values.yaml 
+++ b/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-customnodeport-values.yaml @@ -3,20 +3,18 @@ controller: repository: ingress-controller/controller tag: 1.0.0-dev digest: null - + admissionWebhooks: + enabled: false service: type: NodePort - nodePorts: tcp: 9000: 30090 udp: 9001: 30091 -portNamePrefix: port - tcp: - 9000: default/test:8080 + 9000: "default/test:8080" udp: - 9001: default/test:8080 + 9001: "default/test:8080" diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-daemonset-values.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-default-values.yaml similarity index 78% rename from packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-daemonset-values.yaml rename to packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-default-values.yaml index d34025c8..9f46b4e7 100644 --- a/packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-daemonset-values.yaml +++ b/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-default-values.yaml @@ -1,10 +1,8 @@ +# Left blank to test default values controller: image: repository: ingress-controller/controller tag: 1.0.0-dev digest: null - service: type: ClusterIP - - kind: DaemonSet diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-extra-modules-default-container-sec-context.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-extra-modules-default-container-sec-context.yaml new file mode 100644 index 00000000..91b1b98a --- /dev/null +++ b/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-extra-modules-default-container-sec-context.yaml @@ -0,0 +1,15 @@ +controller: + image: + repository: ingress-controller/controller + tag: 1.0.0-dev + digest: null + service: + type: ClusterIP + containerSecurityContext: + allowPrivilegeEscalation: false + extraModules: + - name: opentelemetry + image: + registry: registry.k8s.io + image: busybox + tag: latest 
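Review bot: The `opentelemetry` entry under `extraModules` in `deployment-extra-modules-default-container-sec-context.yaml` pulls `busybox` with `tag: latest`, a mutable reference, so a run with this CI values file depends on whatever the registry serves at pull time and is not reproducible. The same entry is added in `deployment-extra-modules-specific-container-sec-context.yaml` and `deployment-extra-modules.yaml`. I would pin a fixed tag and, if the chart's extraModules image helper accepts a digest (not visible in this diff), add one as well: `tag: <pinned-tag>` with `digest: sha256:<digest-placeholder>`.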
diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-extra-modules-specific-container-sec-context.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-extra-modules-specific-container-sec-context.yaml
new file mode 100644
index 00000000..b6013c7d
--- /dev/null
+++ b/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-extra-modules-specific-container-sec-context.yaml
@@ -0,0 +1,15 @@
+controller:
+ image:
+ repository: ingress-controller/controller
+ tag: 1.0.0-dev
+ digest: null
+ service:
+ type: ClusterIP
+ extraModules:
+ - name: opentelemetry
+ image:
+ registry: registry.k8s.io
+ image: busybox
+ tag: latest
+ containerSecurityContext:
+ allowPrivilegeEscalation: false
diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-extra-modules.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-extra-modules.yaml
new file mode 100644
index 00000000..2fbe1cc0
--- /dev/null
+++ b/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-extra-modules.yaml
@@ -0,0 +1,13 @@
+controller:
+ image:
+ repository: ingress-controller/controller
+ tag: 1.0.0-dev
+ digest: null
+ service:
+ type: ClusterIP
+ extraModules:
+ - name: opentelemetry
+ image:
+ registry: registry.k8s.io
+ image: busybox
+ tag: latest
diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-configmap-proxyheaders-values.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-headers-values.yaml
similarity index 69%
rename from packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-configmap-proxyheaders-values.yaml
rename to packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-headers-values.yaml
index e23a13c0..17a11ac3 100644
--- a/packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-configmap-proxyheaders-values.yaml
+++ b/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-headers-values.yaml
@@ -3,9 +3,11 @@ controller: repository: ingress-controller/controller tag: 1.0.0-dev digest: null - - service: - type: ClusterIP - + admissionWebhooks: + enabled: false + addHeaders: + X-Frame-Options: deny proxySetHeaders: X-Forwarded-Proto: https + service: + type: ClusterIP diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-internal-lb-values.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-internal-lb-values.yaml new file mode 100644 index 00000000..663ccb9d --- /dev/null +++ b/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-internal-lb-values.yaml @@ -0,0 +1,19 @@ +controller: + image: + repository: ingress-controller/controller + tag: 1.0.0-dev + digest: null + admissionWebhooks: + enabled: false + service: + type: ClusterIP + internal: + enabled: true + annotations: + service.beta.kubernetes.io/aws-load-balancer-internal: "true" + ports: + http: 443 + https: 80 + targetPorts: + http: 443 + https: 80 diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-metrics-values.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-metrics-values.yaml new file mode 100644 index 00000000..9209ad5a --- /dev/null +++ b/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-metrics-values.yaml @@ -0,0 +1,11 @@ +controller: + image: + repository: ingress-controller/controller + tag: 1.0.0-dev + digest: null + admissionWebhooks: + enabled: false + metrics: + enabled: true + service: + type: ClusterIP diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-deployment-values.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-nodeport-values.yaml similarity index 65% rename from packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-deployment-values.yaml rename to packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-nodeport-values.yaml index 1b092dc0..cd9b3235 100644 
--- a/packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-deployment-values.yaml +++ b/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-nodeport-values.yaml @@ -3,8 +3,7 @@ controller: repository: ingress-controller/controller tag: 1.0.0-dev digest: null - + admissionWebhooks: + enabled: false service: - type: ClusterIP - - kind: Deployment + type: NodePort diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-daemonset-opentelemetry-values.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-opentelemetry-customregistry-values.yaml similarity index 88% rename from packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-daemonset-opentelemetry-values.yaml rename to packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-opentelemetry-customregistry-values.yaml index 179ab2a8..fb3ef444 100644 --- a/packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-daemonset-opentelemetry-values.yaml +++ b/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-opentelemetry-customregistry-values.yaml @@ -3,11 +3,7 @@ controller: repository: ingress-controller/controller tag: 1.0.0-dev digest: null - service: type: ClusterIP - - kind: DaemonSet - opentelemetry: enabled: true diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-deployment-podannotations-values.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-podannotations-values.yaml similarity index 80% rename from packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-deployment-podannotations-values.yaml rename to packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-podannotations-values.yaml index cf1f2611..b48d93c4 100644 --- a/packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-deployment-podannotations-values.yaml +++ b/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-podannotations-values.yaml 
@@ -3,14 +3,14 @@ controller: repository: ingress-controller/controller tag: 1.0.0-dev digest: null - + admissionWebhooks: + enabled: false + metrics: + enabled: true service: type: ClusterIP - - kind: Deployment - podAnnotations: - prometheus.io/scrape: "true" + prometheus.io/path: /metrics prometheus.io/port: "10254" prometheus.io/scheme: http - prometheus.io/path: /metrics + prometheus.io/scrape: "true" diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-tcp-udp-configMapNamespace-values.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-tcp-udp-configMapNamespace-values.yaml new file mode 100644 index 00000000..c51a4e91 --- /dev/null +++ b/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-tcp-udp-configMapNamespace-values.yaml @@ -0,0 +1,19 @@ +controller: + image: + repository: ingress-controller/controller + tag: 1.0.0-dev + digest: null + admissionWebhooks: + enabled: false + service: + type: ClusterIP + tcp: + configMapNamespace: default + udp: + configMapNamespace: default + +tcp: + 9000: "default/test:8080" + +udp: + 9001: "default/test:8080" diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-tcp-udp-portNamePrefix-values.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-tcp-udp-portNamePrefix-values.yaml new file mode 100644 index 00000000..56323c5e --- /dev/null +++ b/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-tcp-udp-portNamePrefix-values.yaml @@ -0,0 +1,17 @@ +controller: + image: + repository: ingress-controller/controller + tag: 1.0.0-dev + digest: null + admissionWebhooks: + enabled: false + service: + type: ClusterIP + +tcp: + 9000: "default/test:8080" + +udp: + 9001: "default/test:8080" + +portNamePrefix: "port" 
diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-tcp-udp-values.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-tcp-udp-values.yaml new file mode 100644 index 00000000..5b45b69d --- /dev/null +++ b/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-tcp-udp-values.yaml @@ -0,0 +1,15 @@ +controller: + image: + repository: ingress-controller/controller + tag: 1.0.0-dev + digest: null + admissionWebhooks: + enabled: false + service: + type: ClusterIP + +tcp: + 9000: "default/test:8080" + +udp: + 9001: "default/test:8080" diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-configmap-addheaders-values.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-tcp-values.yaml similarity index 68% rename from packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-configmap-addheaders-values.yaml rename to packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-tcp-values.yaml index 460a610b..ac0b6e60 100644 --- a/packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-configmap-addheaders-values.yaml +++ b/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-tcp-values.yaml @@ -3,9 +3,9 @@ controller: repository: ingress-controller/controller tag: 1.0.0-dev digest: null - service: type: ClusterIP - addHeaders: - X-Frame-Options: deny +tcp: + 9000: "default/test:8080" + 9001: "default/test:8080" diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-webhook-extraEnvs-values.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-webhook-extraEnvs-values.yaml new file mode 100644 index 00000000..95487b07 --- /dev/null +++ b/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-webhook-extraEnvs-values.yaml 
@@ -0,0 +1,12 @@ +controller: + service: + type: ClusterIP + admissionWebhooks: + enabled: true + extraEnvs: + - name: FOO + value: foo + - name: TEST + value: test + patch: + enabled: true diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-webhook-resources-values.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-webhook-resources-values.yaml new file mode 100644 index 00000000..49ebbb02 --- /dev/null +++ b/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-webhook-resources-values.yaml @@ -0,0 +1,23 @@ +controller: + service: + type: ClusterIP + admissionWebhooks: + enabled: true + createSecretJob: + resources: + limits: + cpu: 10m + memory: 20Mi + requests: + cpu: 10m + memory: 20Mi + patchWebhookJob: + resources: + limits: + cpu: 10m + memory: 20Mi + requests: + cpu: 10m + memory: 20Mi + patch: + enabled: true diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-deployment-metrics-values.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-webhook-values.yaml similarity index 82% rename from packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-deployment-metrics-values.yaml rename to packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-webhook-values.yaml index 9c95d347..76669a53 100644 --- a/packages/system/ingress-nginx/charts/ingress-nginx/ci/controller-deployment-metrics-values.yaml +++ b/packages/system/ingress-nginx/charts/ingress-nginx/ci/deployment-webhook-values.yaml @@ -3,11 +3,7 @@ controller: repository: ingress-controller/controller tag: 1.0.0-dev digest: null - + admissionWebhooks: + enabled: true service: type: ClusterIP - - kind: Deployment - - metrics: - enabled: true diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/templates/_helpers.tpl b/packages/system/ingress-nginx/charts/ingress-nginx/templates/_helpers.tpl index 24cfd14a..99246888 100644 
--- a/packages/system/ingress-nginx/charts/ingress-nginx/templates/_helpers.tpl +++ b/packages/system/ingress-nginx/charts/ingress-nginx/templates/_helpers.tpl @@ -203,7 +203,7 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this {{- end -}} {{/* -Create the name of the default backend service account to use +Create the name of the backend service account to use - only used when podsecuritypolicy is also enabled */}} {{- define "ingress-nginx.defaultBackend.serviceAccountName" -}} {{- if .Values.defaultBackend.serviceAccount.create -}} diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/templates/admission-webhooks/validating-webhook.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/templates/admission-webhooks/validating-webhook.yaml index 0949cea7..4cd36a62 100644 --- a/packages/system/ingress-nginx/charts/ingress-nginx/templates/admission-webhooks/validating-webhook.yaml +++ b/packages/system/ingress-nginx/charts/ingress-nginx/templates/admission-webhooks/validating-webhook.yaml @@ -40,7 +40,6 @@ webhooks: service: name: {{ include "ingress-nginx.controller.fullname" . }}-admission namespace: {{ include "ingress-nginx.namespace" . }} - port: {{ .Values.controller.admissionWebhooks.service.servicePort }} path: /networking/v1/ingresses {{- if .Values.controller.admissionWebhooks.timeoutSeconds }} timeoutSeconds: {{ .Values.controller.admissionWebhooks.timeoutSeconds }} diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/templates/controller-prometheusrule.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/templates/controller-prometheusrules.yaml similarity index 100% rename from packages/system/ingress-nginx/charts/ingress-nginx/templates/controller-prometheusrule.yaml rename to packages/system/ingress-nginx/charts/ingress-nginx/templates/controller-prometheusrules.yaml 
diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/templates/controller-service-webhook.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/templates/controller-service-webhook.yaml index 67aac0d9..6dcf1a10 100644 --- a/packages/system/ingress-nginx/charts/ingress-nginx/templates/controller-service-webhook.yaml +++ b/packages/system/ingress-nginx/charts/ingress-nginx/templates/controller-service-webhook.yaml @@ -29,7 +29,7 @@ spec: {{- end }} ports: - name: https-webhook - port: {{ .Values.controller.admissionWebhooks.service.servicePort }} + port: 443 targetPort: webhook {{- if semverCompare ">=1.20.0-0" .Capabilities.KubeVersion.Version }} appProtocol: https diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/templates/controller-servicemonitor.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/templates/controller-servicemonitor.yaml index 93ab4d24..62301da4 100644 --- a/packages/system/ingress-nginx/charts/ingress-nginx/templates/controller-servicemonitor.yaml +++ b/packages/system/ingress-nginx/charts/ingress-nginx/templates/controller-servicemonitor.yaml 
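Review bot: Hard-coding `port: 443` on the `https-webhook` service port, together with the removal of `port:` from the webhook's client `service` block in validating-webhook.yaml, leaves `controller.admissionWebhooks.service.servicePort` without any effect in these two templates. The two sides still agree, because the API server uses 443 for a webhook service when no port is given, but an override of `servicePort` would now be ignored without an error, and the unit test that covered the custom port is deleted in this patch. If the key is still defined in values.yaml (not visible here), either remove it there or keep the templated form `port: {{ .Values.controller.admissionWebhooks.service.servicePort }}` in both templates. The Service spec continues outside the hunk.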
@@ -3,48 +3,51 @@ apiVersion: monitoring.coreos.com/v1 kind: ServiceMonitor metadata: name: {{ include "ingress-nginx.controller.fullname" . }} - {{- if .Values.controller.metrics.serviceMonitor.namespace }} +{{- if .Values.controller.metrics.serviceMonitor.namespace }} namespace: {{ .Values.controller.metrics.serviceMonitor.namespace }} - {{- else }} +{{- else }} namespace: {{ include "ingress-nginx.namespace" . }} - {{- end }} +{{- end }} labels: {{- include "ingress-nginx.labels" . | nindent 4 }} app.kubernetes.io/component: controller - {{- if .Values.controller.metrics.serviceMonitor.additionalLabels }} + {{- if .Values.controller.metrics.serviceMonitor.additionalLabels }} {{- toYaml .Values.controller.metrics.serviceMonitor.additionalLabels | nindent 4 }} - {{- end }} + {{- end }} {{- if .Values.controller.metrics.serviceMonitor.annotations }} annotations: {{ toYaml .Values.controller.metrics.serviceMonitor.annotations | nindent 4 }} {{- end }} spec: - {{- if .Values.controller.metrics.serviceMonitor.namespaceSelector }} + endpoints: + - port: {{ .Values.controller.metrics.portName }} + interval: {{ .Values.controller.metrics.serviceMonitor.scrapeInterval }} + {{- if .Values.controller.metrics.serviceMonitor.honorLabels }} + honorLabels: true + {{- end }} + {{- if .Values.controller.metrics.serviceMonitor.relabelings }} + relabelings: {{ toYaml .Values.controller.metrics.serviceMonitor.relabelings | nindent 8 }} + {{- end }} + {{- if .Values.controller.metrics.serviceMonitor.metricRelabelings }} + metricRelabelings: {{ toYaml .Values.controller.metrics.serviceMonitor.metricRelabelings | nindent 8 }} + {{- end }} +{{- if .Values.controller.metrics.serviceMonitor.jobLabel }} + jobLabel: {{ .Values.controller.metrics.serviceMonitor.jobLabel | quote }} +{{- end }} +{{- if .Values.controller.metrics.serviceMonitor.namespaceSelector }} namespaceSelector: {{ toYaml .Values.controller.metrics.serviceMonitor.namespaceSelector | nindent 4 }} - {{- else }} +{{- else }} 
namespaceSelector: matchNames: - - {{ include "ingress-nginx.namespace" . }} + - {{ include "ingress-nginx.namespace" . }} +{{- end }} +{{- if .Values.controller.metrics.serviceMonitor.targetLabels }} + targetLabels: + {{- range .Values.controller.metrics.serviceMonitor.targetLabels }} + - {{ . }} {{- end }} +{{- end }} selector: matchLabels: {{- include "ingress-nginx.selectorLabels" . | nindent 6 }} app.kubernetes.io/component: controller - endpoints: - - port: {{ .Values.controller.metrics.portName }} - interval: {{ .Values.controller.metrics.serviceMonitor.scrapeInterval }} - {{- if .Values.controller.metrics.serviceMonitor.honorLabels }} - honorLabels: true - {{- end }} - {{- if .Values.controller.metrics.serviceMonitor.relabelings }} - relabelings: {{ toYaml .Values.controller.metrics.serviceMonitor.relabelings | nindent 4 }} - {{- end }} - {{- if .Values.controller.metrics.serviceMonitor.metricRelabelings }} - metricRelabelings: {{ toYaml .Values.controller.metrics.serviceMonitor.metricRelabelings | nindent 4 }} - {{- end }} - {{- if .Values.controller.metrics.serviceMonitor.jobLabel }} - jobLabel: {{ .Values.controller.metrics.serviceMonitor.jobLabel | quote }} - {{- end }} - {{- if .Values.controller.metrics.serviceMonitor.targetLabels }} - targetLabels: {{ toYaml .Values.controller.metrics.serviceMonitor.targetLabels | nindent 2 }} - {{- end }} {{- end }} diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/templates/default-backend-deployment.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/templates/default-backend-deployment.yaml index 6755e237..c6ccdd5c 100644 --- a/packages/system/ingress-nginx/charts/ingress-nginx/templates/default-backend-deployment.yaml +++ b/packages/system/ingress-nginx/charts/ingress-nginx/templates/default-backend-deployment.yaml 
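Review bot: The new `targetLabels` loop writes each entry as `- {{ . }}` with no quoting, so an entry that YAML reads as a boolean, number or null would render as a non-string and the ServiceMonitor could fail validation. `jobLabel` in the same hunk is already piped through `quote`, so the list items should follow suit: `- {{ . | quote }}`. The `if` / `else` / `end` actions for `namespace`, `jobLabel` and `namespaceSelector` also move to column 0 while those under `labels` and `endpoints` stay indented; one convention across the file would make the nesting easier to review.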
@@ -102,7 +102,7 @@ spec: {{- if .Values.defaultBackend.nodeSelector }} nodeSelector: {{ toYaml .Values.defaultBackend.nodeSelector | nindent 8 }} {{- end }} - serviceAccountName: {{ include "ingress-nginx.defaultBackend.serviceAccountName" . }} + serviceAccountName: {{ template "ingress-nginx.defaultBackend.serviceAccountName" . }} {{- if .Values.defaultBackend.tolerations }} tolerations: {{ toYaml .Values.defaultBackend.tolerations | nindent 8 }} {{- end }} diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/templates/default-backend-poddisruptionbudget.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/templates/default-backend-poddisruptionbudget.yaml index c8363fd4..f869e453 100644 --- a/packages/system/ingress-nginx/charts/ingress-nginx/templates/default-backend-poddisruptionbudget.yaml +++ b/packages/system/ingress-nginx/charts/ingress-nginx/templates/default-backend-poddisruptionbudget.yaml @@ -1,9 +1,5 @@ {{- if .Values.defaultBackend.enabled -}} -{{- $replicas := .Values.defaultBackend.replicaCount }} -{{- if .Values.defaultBackend.autoscaling.enabled }} -{{- $replicas = .Values.defaultBackend.autoscaling.minReplicas }} -{{- end }} -{{- if gt ($replicas | int) 1 }} +{{- if or (gt (.Values.defaultBackend.replicaCount | int) 1) (gt (.Values.defaultBackend.autoscaling.minReplicas | int) 1) }} apiVersion: {{ ternary "policy/v1" "policy/v1beta1" (semverCompare ">=1.21.0-0" .Capabilities.KubeVersion.Version) }} kind: PodDisruptionBudget metadata: diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/templates/default-backend-serviceaccount.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/templates/default-backend-serviceaccount.yaml index 6fd2d623..2afaf0c0 100644 --- a/packages/system/ingress-nginx/charts/ingress-nginx/templates/default-backend-serviceaccount.yaml +++ b/packages/system/ingress-nginx/charts/ingress-nginx/templates/default-backend-serviceaccount.yaml 
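Review bot: The new PodDisruptionBudget guard `or (gt (.Values.defaultBackend.replicaCount | int) 1) (gt (.Values.defaultBackend.autoscaling.minReplicas | int) 1)` no longer consults `.Values.defaultBackend.autoscaling.enabled`, so a budget is rendered whenever `autoscaling.minReplicas` is above 1, even with autoscaling off and `replicaCount` at 1. Depending on the budget's spec, which lies outside this hunk, that can leave a single-pod default backend that cannot be evicted during a node drain. Gating each operand on the autoscaling switch avoids it: `{{- if or (and .Values.defaultBackend.autoscaling.enabled (gt (.Values.defaultBackend.autoscaling.minReplicas | int) 1)) (and (not .Values.defaultBackend.autoscaling.enabled) (gt (.Values.defaultBackend.replicaCount | int) 1)) }}`.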
@@ -1,4 +1,4 @@ -{{- if and .Values.defaultBackend.enabled .Values.defaultBackend.serviceAccount.create -}} +{{- if and .Values.defaultBackend.enabled .Values.defaultBackend.serviceAccount.create -}} apiVersion: v1 kind: ServiceAccount metadata: @@ -8,7 +8,7 @@ metadata: {{- with .Values.defaultBackend.labels }} {{- toYaml . | nindent 4 }} {{- end }} - name: {{ include "ingress-nginx.defaultBackend.serviceAccountName" . }} + name: {{ template "ingress-nginx.defaultBackend.serviceAccountName" . }} namespace: {{ include "ingress-nginx.namespace" . }} automountServiceAccountToken: {{ .Values.defaultBackend.serviceAccount.automountServiceAccountToken }} {{- end }} diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/tests/admission-webhooks/job-patch/serviceaccount_test.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/tests/admission-webhooks/job-patch/serviceaccount_test.yaml index f72bc438..7c30d1e6 100644 --- a/packages/system/ingress-nginx/charts/ingress-nginx/tests/admission-webhooks/job-patch/serviceaccount_test.yaml +++ b/packages/system/ingress-nginx/charts/ingress-nginx/tests/admission-webhooks/job-patch/serviceaccount_test.yaml @@ -20,7 +20,7 @@ tests: of: ServiceAccount - equal: path: metadata.name - value: RELEASE-NAME-ingress-nginx-admission + value: ingress-nginx-admission - it: should create a ServiceAccount with specified name if `controller.admissionWebhooks.patch.serviceAccount.name` is set set: diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/tests/admission-webhooks/validating-webhook_test.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/tests/admission-webhooks/validating-webhook_test.yaml deleted file mode 100644 index 47b6b687..00000000 --- a/packages/system/ingress-nginx/charts/ingress-nginx/tests/admission-webhooks/validating-webhook_test.yaml +++ /dev/null 
@@ -1,32 +0,0 @@ -suite: Admission Webhooks > ValidatingWebhookConfiguration -templates: - - admission-webhooks/validating-webhook.yaml - -tests: - - it: should not create a ValidatingWebhookConfiguration if `controller.admissionWebhooks.enabled` is false - set: - controller.admissionWebhooks.enabled: false - asserts: - - hasDocuments: - count: 0 - - - it: should create a ValidatingWebhookConfiguration if `controller.admissionWebhooks.enabled` is true - set: - controller.admissionWebhooks.enabled: true - asserts: - - hasDocuments: - count: 1 - - isKind: - of: ValidatingWebhookConfiguration - - equal: - path: metadata.name - value: RELEASE-NAME-ingress-nginx-admission - - - it: should create a ValidatingWebhookConfiguration with a custom port if `controller.admissionWebhooks.service.servicePort` is set - set: - controller.admissionWebhooks.enabled: true - controller.admissionWebhooks.service.servicePort: 9443 - asserts: - - equal: - path: webhooks[0].clientConfig.service.port - value: 9443 diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/tests/controller-configmap_test.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/tests/controller-configmap_test.yaml index 168b657d..9cfea980 100644 --- a/packages/system/ingress-nginx/charts/ingress-nginx/tests/controller-configmap_test.yaml +++ b/packages/system/ingress-nginx/charts/ingress-nginx/tests/controller-configmap_test.yaml 
@@ -16,16 +16,16 @@ tests: - it: should create a ConfigMap with templated values if `controller.config` contains templates set: controller.config: - template: "test.{{ .Release.Namespace }}.svc.kubernetes.local" - integer: 12345 - boolean: true + global-rate-limit-memcached-host: "memcached.{{ .Release.Namespace }}.svc.kubernetes.local" + global-rate-limit-memcached-port: 11211 + use-gzip: true asserts: - equal: - path: data.template - value: test.NAMESPACE.svc.kubernetes.local + path: data.global-rate-limit-memcached-host + value: memcached.NAMESPACE.svc.kubernetes.local - equal: - path: data.integer - value: "12345" + path: data.global-rate-limit-memcached-port + value: "11211" - equal: - path: data.boolean + path: data.use-gzip value: "true" diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/tests/controller-daemonset_test.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/tests/controller-daemonset_test.yaml index 81d067bb..bc810a1c 100644 --- a/packages/system/ingress-nginx/charts/ingress-nginx/tests/controller-daemonset_test.yaml +++ b/packages/system/ingress-nginx/charts/ingress-nginx/tests/controller-daemonset_test.yaml 
@@ -139,34 +139,12 @@ tests: - controller topologyKey: kubernetes.io/hostname - - it: should create a DaemonSet with a custom registry if `controller.image.registry` is set - set: - controller.kind: DaemonSet - controller.image.registry: custom.registry.io - controller.image.tag: v1.0.0-dev - controller.image.digest: sha256:faa2d18687f734994b6bd9e309e7a73852a81c30e1b8f63165fcd4f0a087e3cd - asserts: - - equal: - path: spec.template.spec.containers[0].image - value: custom.registry.io/ingress-nginx/controller:v1.0.0-dev@sha256:faa2d18687f734994b6bd9e309e7a73852a81c30e1b8f63165fcd4f0a087e3cd - - - it: should create a DaemonSet with a custom image if `controller.image.image` is set - set: - controller.kind: DaemonSet - controller.image.image: custom-repo/custom-image - controller.image.tag: v1.0.0-dev - controller.image.digest: sha256:faa2d18687f734994b6bd9e309e7a73852a81c30e1b8f63165fcd4f0a087e3cd - asserts: - - equal: - path: spec.template.spec.containers[0].image - value: registry.k8s.io/custom-repo/custom-image:v1.0.0-dev@sha256:faa2d18687f734994b6bd9e309e7a73852a81c30e1b8f63165fcd4f0a087e3cd - - it: should create a DaemonSet with a custom tag if `controller.image.tag` is set set: controller.kind: DaemonSet - controller.image.tag: custom-tag + controller.image.tag: my-little-custom-tag controller.image.digest: sha256:faa2d18687f734994b6bd9e309e7a73852a81c30e1b8f63165fcd4f0a087e3cd asserts: - equal: path: spec.template.spec.containers[0].image - value: registry.k8s.io/ingress-nginx/controller:custom-tag@sha256:faa2d18687f734994b6bd9e309e7a73852a81c30e1b8f63165fcd4f0a087e3cd + value: registry.k8s.io/ingress-nginx/controller:my-little-custom-tag@sha256:faa2d18687f734994b6bd9e309e7a73852a81c30e1b8f63165fcd4f0a087e3cd diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/tests/controller-deployment_test.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/tests/controller-deployment_test.yaml index 382aecd7..da400487 100644 
--- a/packages/system/ingress-nginx/charts/ingress-nginx/tests/controller-deployment_test.yaml +++ b/packages/system/ingress-nginx/charts/ingress-nginx/tests/controller-deployment_test.yaml @@ -161,31 +161,11 @@ tests: - controller topologyKey: kubernetes.io/hostname - - it: should create a Deployment with a custom registry if `controller.image.registry` is set - set: - controller.image.registry: custom.registry.io - controller.image.tag: v1.0.0-dev - controller.image.digest: sha256:faa2d18687f734994b6bd9e309e7a73852a81c30e1b8f63165fcd4f0a087e3cd - asserts: - - equal: - path: spec.template.spec.containers[0].image - value: custom.registry.io/ingress-nginx/controller:v1.0.0-dev@sha256:faa2d18687f734994b6bd9e309e7a73852a81c30e1b8f63165fcd4f0a087e3cd - - - it: should create a Deployment with a custom image if `controller.image.image` is set - set: - controller.image.image: custom-repo/custom-image - controller.image.tag: v1.0.0-dev - controller.image.digest: sha256:faa2d18687f734994b6bd9e309e7a73852a81c30e1b8f63165fcd4f0a087e3cd - asserts: - - equal: - path: spec.template.spec.containers[0].image - value: registry.k8s.io/custom-repo/custom-image:v1.0.0-dev@sha256:faa2d18687f734994b6bd9e309e7a73852a81c30e1b8f63165fcd4f0a087e3cd - - it: should create a Deployment with a custom tag if `controller.image.tag` is set set: - controller.image.tag: custom-tag + controller.image.tag: my-little-custom-tag controller.image.digest: sha256:faa2d18687f734994b6bd9e309e7a73852a81c30e1b8f63165fcd4f0a087e3cd asserts: - equal: path: spec.template.spec.containers[0].image - value: registry.k8s.io/ingress-nginx/controller:custom-tag@sha256:faa2d18687f734994b6bd9e309e7a73852a81c30e1b8f63165fcd4f0a087e3cd + value: registry.k8s.io/ingress-nginx/controller:my-little-custom-tag@sha256:faa2d18687f734994b6bd9e309e7a73852a81c30e1b8f63165fcd4f0a087e3cd 
diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/tests/controller-poddisruptionbudget_test.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/tests/controller-poddisruptionbudget_test.yaml index f215f352..48b4fafc 100644 --- a/packages/system/ingress-nginx/charts/ingress-nginx/tests/controller-poddisruptionbudget_test.yaml +++ b/packages/system/ingress-nginx/charts/ingress-nginx/tests/controller-poddisruptionbudget_test.yaml @@ -71,19 +71,3 @@ tests: asserts: - hasDocuments: count: 0 - - - it: should create a PodDisruptionBudget without `minAvailable` and with `maxUnavailable` if `controller.minAvailable` and `controller.maxUnavailable` are set - set: - controller.replicaCount: 2 - controller.minAvailable: 1 - controller.maxUnavailable: 1 - asserts: - - hasDocuments: - count: 1 - - isKind: - of: PodDisruptionBudget - - notExists: - path: spec.minAvailable - - equal: - path: spec.maxUnavailable - value: 1 diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/tests/controller-prometheusrule_test.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/tests/controller-prometheusrule_test.yaml deleted file mode 100644 index d60a9831..00000000 --- a/packages/system/ingress-nginx/charts/ingress-nginx/tests/controller-prometheusrule_test.yaml +++ /dev/null @@ -1,17 +0,0 @@ -suite: Controller > PrometheusRule -templates: - - controller-prometheusrule.yaml - -tests: - - it: should create a PrometheusRule if `controller.metrics.prometheusRule.enabled` is true - set: - controller.metrics.enabled: true - controller.metrics.prometheusRule.enabled: true - asserts: - - hasDocuments: - count: 1 - - isKind: - of: PrometheusRule - - equal: - path: metadata.name - value: RELEASE-NAME-ingress-nginx-controller 
diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/tests/controller-service-webhook_test.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/tests/controller-service-webhook_test.yaml deleted file mode 100644 index 1c759edb..00000000 --- a/packages/system/ingress-nginx/charts/ingress-nginx/tests/controller-service-webhook_test.yaml +++ /dev/null @@ -1,32 +0,0 @@ -suite: Controller > Service > Webhook -templates: - - controller-service-webhook.yaml - -tests: - - it: should not create a webhook Service if `controller.admissionWebhooks.enabled` is false - set: - controller.admissionWebhooks.enabled: false - asserts: - - hasDocuments: - count: 0 - - - it: should create a webhook Service if `controller.admissionWebhooks.enabled` is true - set: - controller.admissionWebhooks.enabled: true - asserts: - - hasDocuments: - count: 1 - - isKind: - of: Service - - equal: - path: metadata.name - value: RELEASE-NAME-ingress-nginx-controller-admission - - - it: should create a webhook Service with a custom port if `controller.admissionWebhooks.service.servicePort` is set - set: - controller.admissionWebhooks.enabled: true - controller.admissionWebhooks.service.servicePort: 9443 - asserts: - - equal: - path: spec.ports[0].port - value: 9443 diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/tests/controller-serviceaccount_test.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/tests/controller-serviceaccount_test.yaml deleted file mode 100644 index 928e5377..00000000 --- a/packages/system/ingress-nginx/charts/ingress-nginx/tests/controller-serviceaccount_test.yaml +++ /dev/null 
@@ -1,47 +0,0 @@ -suite: Controller > ServiceAccount -templates: - - controller-serviceaccount.yaml - -tests: - - it: should not create a ServiceAccount if `serviceAccount.create` is false - set: - serviceAccount.create: false - asserts: - - hasDocuments: - count: 0 - - - it: should create a ServiceAccount if `serviceAccount.create` is true - set: - serviceAccount.create: true - asserts: - - hasDocuments: - count: 1 - - isKind: - of: ServiceAccount - - equal: - path: metadata.name - value: RELEASE-NAME-ingress-nginx - - - it: should create a ServiceAccount with specified name if `serviceAccount.name` is set - set: - serviceAccount.name: ingress-nginx-admission-test-sa - asserts: - - hasDocuments: - count: 1 - - isKind: - of: ServiceAccount - - equal: - path: metadata.name - value: ingress-nginx-admission-test-sa - - - it: should create a ServiceAccount with token auto-mounting disabled if `serviceAccount.automountServiceAccountToken` is false - set: - serviceAccount.automountServiceAccountToken: false - asserts: - - hasDocuments: - count: 1 - - isKind: - of: ServiceAccount - - equal: - path: automountServiceAccountToken - value: false diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/tests/controller-servicemonitor_test.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/tests/controller-servicemonitor_test.yaml deleted file mode 100644 index 310097c1..00000000 --- a/packages/system/ingress-nginx/charts/ingress-nginx/tests/controller-servicemonitor_test.yaml +++ /dev/null 
@@ -1,29 +0,0 @@ -suite: Controller > ServiceMonitor -templates: - - controller-servicemonitor.yaml - -tests: - - it: should create a ServiceMonitor if `controller.metrics.serviceMonitor.enabled` is true - set: - controller.metrics.enabled: true - controller.metrics.serviceMonitor.enabled: true - asserts: - - hasDocuments: - count: 1 - - isKind: - of: ServiceMonitor - - equal: - path: metadata.name - value: RELEASE-NAME-ingress-nginx-controller - - - it: should create a ServiceMonitor with annotations if `controller.metrics.serviceMonitor.annotations` is set - set: - controller.metrics.enabled: true - controller.metrics.serviceMonitor.enabled: true - controller.metrics.serviceMonitor.annotations: - my-little-annotation: test-value - asserts: - - equal: - path: metadata.annotations - value: - my-little-annotation: test-value diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/tests/default-backend-deployment_test.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/tests/default-backend-deployment_test.yaml index 4ba4b03d..e237fe7e 100644 --- a/packages/system/ingress-nginx/charts/ingress-nginx/tests/default-backend-deployment_test.yaml +++ b/packages/system/ingress-nginx/charts/ingress-nginx/tests/default-backend-deployment_test.yaml 
@@ -135,35 +135,3 @@ tests: values: - default-backend topologyKey: kubernetes.io/hostname - - - it: should create a Deployment with a custom registry if `defaultBackend.image.registry` is set - set: - defaultBackend.enabled: true - defaultBackend.image.registry: custom.registry.io - defaultBackend.image.tag: v1.0.0-dev - defaultBackend.image.digest: sha256:faa2d18687f734994b6bd9e309e7a73852a81c30e1b8f63165fcd4f0a087e3cd - asserts: - - equal: - path: spec.template.spec.containers[0].image - value: custom.registry.io/defaultbackend-amd64:v1.0.0-dev@sha256:faa2d18687f734994b6bd9e309e7a73852a81c30e1b8f63165fcd4f0a087e3cd - - - it: should create a Deployment with a custom image if `defaultBackend.image.image` is set - set: - defaultBackend.enabled: true - defaultBackend.image.image: custom-repo/custom-image - defaultBackend.image.tag: v1.0.0-dev - defaultBackend.image.digest: sha256:faa2d18687f734994b6bd9e309e7a73852a81c30e1b8f63165fcd4f0a087e3cd - asserts: - - equal: - path: spec.template.spec.containers[0].image - value: registry.k8s.io/custom-repo/custom-image:v1.0.0-dev@sha256:faa2d18687f734994b6bd9e309e7a73852a81c30e1b8f63165fcd4f0a087e3cd - - - it: should create a Deployment with a custom tag if `defaultBackend.image.tag` is set - set: - defaultBackend.enabled: true - defaultBackend.image.tag: custom-tag - defaultBackend.image.digest: sha256:faa2d18687f734994b6bd9e309e7a73852a81c30e1b8f63165fcd4f0a087e3cd - asserts: - - equal: - path: spec.template.spec.containers[0].image - value: registry.k8s.io/defaultbackend-amd64:custom-tag@sha256:faa2d18687f734994b6bd9e309e7a73852a81c30e1b8f63165fcd4f0a087e3cd diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/tests/default-backend-poddisruptionbudget_test.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/tests/default-backend-poddisruptionbudget_test.yaml deleted file mode 100644 index 09580186..00000000 
--- a/packages/system/ingress-nginx/charts/ingress-nginx/tests/default-backend-poddisruptionbudget_test.yaml +++ /dev/null @@ -1,48 +0,0 @@ -suite: Default Backend > PodDisruptionBudget -templates: - - default-backend-poddisruptionbudget.yaml - -tests: - - it: should create a PodDisruptionBudget if `defaultBackend.replicaCount` is greater than 1 - set: - defaultBackend.enabled: true - defaultBackend.replicaCount: 2 - asserts: - - hasDocuments: - count: 1 - - isKind: - of: PodDisruptionBudget - - equal: - path: metadata.name - value: RELEASE-NAME-ingress-nginx-defaultbackend - - - it: should not create a PodDisruptionBudget if `defaultBackend.replicaCount` is less than or equal 1 - set: - defaultBackend.enabled: true - defaultBackend.replicaCount: 1 - asserts: - - hasDocuments: - count: 0 - - - it: should create a PodDisruptionBudget if `defaultBackend.autoscaling.enabled` is true and `defaultBackend.autoscaling.minReplicas` is greater than 1 - set: - defaultBackend.enabled: true - defaultBackend.autoscaling.enabled: true - defaultBackend.autoscaling.minReplicas: 2 - asserts: - - hasDocuments: - count: 1 - - isKind: - of: PodDisruptionBudget - - equal: - path: metadata.name - value: RELEASE-NAME-ingress-nginx-defaultbackend - - - it: should not create a PodDisruptionBudget if `defaultBackend.autoscaling.enabled` is true and `defaultBackend.autoscaling.minReplicas` is less than or equal 1 - set: - defaultBackend.enabled: true - defaultBackend.autoscaling.enabled: true - defaultBackend.autoscaling.minReplicas: 1 - asserts: - - hasDocuments: - count: 0 diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/tests/default-backend-serviceaccount_test.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/tests/default-backend-serviceaccount_test.yaml deleted file mode 100644 index 05a815d0..00000000 --- a/packages/system/ingress-nginx/charts/ingress-nginx/tests/default-backend-serviceaccount_test.yaml +++ /dev/null 
@@ -1,51 +0,0 @@ -suite: Default Backend > ServiceAccount -templates: - - default-backend-serviceaccount.yaml - -tests: - - it: should not create a ServiceAccount if `defaultBackend.serviceAccount.create` is false - set: - defaultBackend.enabled: true - defaultBackend.serviceAccount.create: false - asserts: - - hasDocuments: - count: 0 - - - it: should create a ServiceAccount if `defaultBackend.serviceAccount.create` is true - set: - defaultBackend.enabled: true - defaultBackend.serviceAccount.create: true - asserts: - - hasDocuments: - count: 1 - - isKind: - of: ServiceAccount - - equal: - path: metadata.name - value: RELEASE-NAME-ingress-nginx-backend - - - it: should create a ServiceAccount with specified name if `defaultBackend.serviceAccount.name` is set - set: - defaultBackend.enabled: true - defaultBackend.serviceAccount.name: ingress-nginx-admission-test-sa - asserts: - - hasDocuments: - count: 1 - - isKind: - of: ServiceAccount - - equal: - path: metadata.name - value: ingress-nginx-admission-test-sa - - - it: should create a ServiceAccount with token auto-mounting disabled if `defaultBackend.serviceAccount.automountServiceAccountToken` is false - set: - defaultBackend.enabled: true - defaultBackend.serviceAccount.automountServiceAccountToken: false - asserts: - - hasDocuments: - count: 1 - - isKind: - of: ServiceAccount - - equal: - path: automountServiceAccountToken - value: false diff --git a/packages/system/ingress-nginx/charts/ingress-nginx/values.yaml b/packages/system/ingress-nginx/charts/ingress-nginx/values.yaml index 1c9f1c58..fbd0b31c 100644 --- a/packages/system/ingress-nginx/charts/ingress-nginx/values.yaml +++ b/packages/system/ingress-nginx/charts/ingress-nginx/values.yaml 
@@ -26,9 +26,9 @@ controller: ## for backwards compatibility consider setting the full image url via the repository value below ## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail ## repository: - tag: "v1.11.5" - digest: sha256:a1cbad75b0a7098bf9325132794dddf9eef917e8a7fe246749a4cea7ff6f01eb - digestChroot: sha256:ec9df3eb6b06563a079ee46045da94cbf750f7dbb16fdbcb9e3265b551ed72ad + tag: "v1.11.2" + digest: sha256:d5f8217feeac4887cb1ed21f27c2674e58be06bd8f5184cacea2a69abaf78dce + digestChroot: sha256:21b55a2f0213a18b91612a8c0850167e00a8e34391fd595139a708f9c047e7a8 pullPolicy: IfNotPresent runAsNonRoot: true # www-data -> uid 101 @@ -194,7 +194,7 @@ controller: # -- Annotations to be added to the udp config configmap annotations: {} # -- Maxmind license key to download GeoLite2 Databases. - ## https://blog.maxmind.com/2019/12/significant-changes-to-accessing-and-using-geolite2-databases/ + ## https://blog.maxmind.com/2019/12/18/significant-changes-to-accessing-and-using-geolite2-databases maxmindLicenseKey: "" # -- Additional command line arguments to pass to Ingress-Nginx Controller # E.g. to specify the default SSL certificate you can use @@ -299,8 +299,6 @@ controller: # app.kubernetes.io/name: '{{ include "ingress-nginx.name" . }}' # app.kubernetes.io/instance: '{{ .Release.Name }}' # app.kubernetes.io/component: controller - # matchLabelKeys: - # - pod-template-hash # topologyKey: topology.kubernetes.io/zone # maxSkew: 1 # whenUnsatisfiable: ScheduleAnyway @@ -309,8 +307,6 @@ controller: # app.kubernetes.io/name: '{{ include "ingress-nginx.name" . }}' # app.kubernetes.io/instance: '{{ .Release.Name }}' # app.kubernetes.io/component: controller - # matchLabelKeys: - # - pod-template-hash # topologyKey: kubernetes.io/hostname # maxSkew: 1 # whenUnsatisfiable: ScheduleAnyway 
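Review bot: The `@@ -26,9 +26,9 @@` hunk of values.yaml moves the controller image backwards, from `tag: "v1.11.5"` to `tag: "v1.11.2"`, and the later `@@ -808,8 +804,8 @@` hunk does the same for the image that, judging by the comment after it, belongs to the webhook patching job (`v1.5.2` to `v1.4.3`). Rolling an ingress controller back drops every fix shipped in the intervening patch releases, which may include security fixes, so the downgrade should be checked against the upstream release notes before it is merged. If the rollback is a side effect of re-vendoring the chart rather than the purpose of the commit, keep the newer pins: `tag: "v1.11.5"` with `digest: sha256:a1cbad75b0a7098bf9325132794dddf9eef917e8a7fe246749a4cea7ff6f01eb` and its matching `digestChroot`. The new side keeps digest pinning, so whichever version is chosen, tag and digests must be changed together and verified against the registry.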
@@ -808,8 +804,8 @@ controller: ## for backwards compatibility consider setting the full image url via the repository value below ## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail ## repository: - tag: v1.5.2 - digest: sha256:e8825994b7a2c7497375a9b945f386506ca6a3eda80b89b74ef2db743f66a5ea + tag: v1.4.3 + digest: sha256:a320a50cc91bd15fd2d6fa6de58bd98c1bd64b9a6f926ce23a600d87043455a3 pullPolicy: IfNotPresent # -- Provide a priority class name to the webhook patching job ## @@ -877,7 +873,6 @@ controller: serviceMonitor: enabled: false additionalLabels: {} - # -- Annotations to be added to the ServiceMonitor. annotations: {} ## The label to use to retrieve the job name from. ## jobLabel: "app.kubernetes.io/name" @@ -1067,8 +1062,6 @@ defaultBackend: # app.kubernetes.io/name: '{{ include "ingress-nginx.name" . }}' # app.kubernetes.io/instance: '{{ .Release.Name }}' # app.kubernetes.io/component: default-backend - # matchLabelKeys: - # - pod-template-hash # topologyKey: topology.kubernetes.io/zone # maxSkew: 1 # whenUnsatisfiable: ScheduleAnyway @@ -1077,8 +1070,6 @@ defaultBackend: # app.kubernetes.io/name: '{{ include "ingress-nginx.name" . }}' # app.kubernetes.io/instance: '{{ .Release.Name }}' # app.kubernetes.io/component: default-backend - # matchLabelKeys: - # - pod-template-hash # topologyKey: kubernetes.io/hostname # maxSkew: 1 # whenUnsatisfiable: ScheduleAnyway @@ -1099,7 +1090,6 @@ defaultBackend: ## podAnnotations: {} replicaCount: 1 - # -- Minimum available pods set in PodDisruptionBudget. minAvailable: 1 resources: {} # limits: