From a4816882eedad26479f24d0646b94f1c50a93e9d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thomas=20J=C3=A4ckle?= Date: Tue, 2 May 2023 20:29:54 +0200 Subject: [PATCH] Provide Helm chart in Ditto repository MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * initially migrated from IoT Packages project * however enhanced with a lot more configuration options in order to be the basis for a productive Helm chart * also added quite advanced ingress configuration 
Signed-off-by: Thomas Jäckle --- .github/workflows/license-check.yml | 2 +- deployment/helm/.gitignore | 2 + deployment/helm/.helmignore | 19 + deployment/helm/Chart.yaml | 36 + deployment/helm/README.md | 30 +- deployment/helm/local-values.yaml | 154 ++ .../helm/logback-config/connectivity.xml | 41 + deployment/helm/logback-config/gateway.xml | 37 + deployment/helm/logback-config/policies.xml | 37 + deployment/helm/logback-config/things.xml | 37 + .../helm/logback-config/thingssearch.xml | 37 + deployment/helm/nginx-config/ditto-down.svg | 78 + deployment/helm/nginx-config/ditto-up.svg | 67 + deployment/helm/nginx-config/index.html | 174 ++ deployment/helm/nginx-config/nginx-cors.conf | 39 + deployment/helm/swaggerui-config/index.html | 74 + deployment/helm/templates/NOTES.txt | 33 + deployment/helm/templates/_helpers.tpl | 72 + .../templates/connectivity-deployment.yaml | 323 ++++ .../templates/connectivity-networkpolicy.yaml | 42 + .../helm/templates/connectivity-pdb.yaml | 26 + .../templates/connectivity-podmonitor.yaml | 38 + .../helm/templates/dittoui-deployment.yaml | 66 + .../helm/templates/dittoui-networkpolicy.yaml | 36 + deployment/helm/templates/dittoui-pdb.yaml | 26 + .../helm/templates/dittoui-service.yaml | 33 + .../helm/templates/gateway-deployment.yaml | 293 +++ .../helm/templates/gateway-networkpolicy.yaml | 51 + deployment/helm/templates/gateway-pdb.yaml | 26 + .../helm/templates/gateway-podmonitor.yaml | 38 + deployment/helm/templates/gateway-secret.yaml | 32 + .../helm/templates/gateway-service.yaml | 33 + deployment/helm/templates/logback-config.yaml | 31 + deployment/helm/templates/mongodb-secret.yaml | 27 + deployment/helm/templates/nginx-auth.yaml | 36 + deployment/helm/templates/nginx-config.yaml | 30 + .../helm/templates/nginx-configmap.yaml | 229 +++ .../helm/templates/nginx-deployment.yaml | 149 ++ .../helm/templates/nginx-ingress-api.yaml | 62 + .../helm/templates/nginx-ingress-root.yaml | 62 + .../helm/templates/nginx-ingress-ui.yaml 
| 62 + .../helm/templates/nginx-ingress-ws.yaml | 62 + .../helm/templates/nginx-networkpolicy.yaml | 32 + deployment/helm/templates/nginx-route.yaml | 35 + deployment/helm/templates/nginx-service.yaml | 37 + .../helm/templates/policies-deployment.yaml | 292 +++ .../templates/policies-networkpolicy.yaml | 42 + deployment/helm/templates/policies-pdb.yaml | 26 + .../helm/templates/policies-podmonitor.yaml | 38 + deployment/helm/templates/role.yaml | 24 + deployment/helm/templates/rolebinding.yaml | 27 + deployment/helm/templates/serviceaccount.yaml | 20 + .../helm/templates/swaggerui-config.yaml | 30 + .../helm/templates/swaggerui-deployment.yaml | 114 ++ .../templates/swaggerui-networkpolicy.yaml | 36 + deployment/helm/templates/swaggerui-pdb.yaml | 26 + .../helm/templates/swaggerui-service.yaml | 33 + .../helm/templates/things-deployment.yaml | 296 ++++ .../helm/templates/things-networkpolicy.yaml | 42 + deployment/helm/templates/things-pdb.yaml | 26 + .../helm/templates/things-podmonitor.yaml | 38 + .../templates/thingssearch-deployment.yaml | 294 +++ .../templates/thingssearch-networkpolicy.yaml | 42 + .../helm/templates/thingssearch-pdb.yaml | 26 + .../templates/thingssearch-podmonitor.yaml | 38 + deployment/helm/values.yaml | 1575 +++++++++++++++++ 66 files changed, 5969 insertions(+), 2 deletions(-) create mode 100644 deployment/helm/.gitignore create mode 100644 deployment/helm/.helmignore create mode 100644 deployment/helm/Chart.yaml create mode 100644 deployment/helm/local-values.yaml create mode 100644 deployment/helm/logback-config/connectivity.xml create mode 100755 deployment/helm/logback-config/gateway.xml create mode 100755 deployment/helm/logback-config/policies.xml create mode 100755 deployment/helm/logback-config/things.xml create mode 100755 deployment/helm/logback-config/thingssearch.xml create mode 100644 deployment/helm/nginx-config/ditto-down.svg create mode 100644 deployment/helm/nginx-config/ditto-up.svg create mode 100644 
deployment/helm/nginx-config/index.html create mode 100644 deployment/helm/nginx-config/nginx-cors.conf create mode 100644 deployment/helm/swaggerui-config/index.html create mode 100644 deployment/helm/templates/NOTES.txt create mode 100644 deployment/helm/templates/_helpers.tpl create mode 100644 deployment/helm/templates/connectivity-deployment.yaml create mode 100644 deployment/helm/templates/connectivity-networkpolicy.yaml create mode 100644 deployment/helm/templates/connectivity-pdb.yaml create mode 100644 deployment/helm/templates/connectivity-podmonitor.yaml create mode 100644 deployment/helm/templates/dittoui-deployment.yaml create mode 100644 deployment/helm/templates/dittoui-networkpolicy.yaml create mode 100644 deployment/helm/templates/dittoui-pdb.yaml create mode 100644 deployment/helm/templates/dittoui-service.yaml create mode 100644 deployment/helm/templates/gateway-deployment.yaml create mode 100644 deployment/helm/templates/gateway-networkpolicy.yaml create mode 100644 deployment/helm/templates/gateway-pdb.yaml create mode 100644 deployment/helm/templates/gateway-podmonitor.yaml create mode 100644 deployment/helm/templates/gateway-secret.yaml create mode 100644 deployment/helm/templates/gateway-service.yaml create mode 100644 deployment/helm/templates/logback-config.yaml create mode 100644 deployment/helm/templates/mongodb-secret.yaml create mode 100644 deployment/helm/templates/nginx-auth.yaml create mode 100644 deployment/helm/templates/nginx-config.yaml create mode 100644 deployment/helm/templates/nginx-configmap.yaml create mode 100644 deployment/helm/templates/nginx-deployment.yaml create mode 100644 deployment/helm/templates/nginx-ingress-api.yaml create mode 100644 deployment/helm/templates/nginx-ingress-root.yaml create mode 100644 deployment/helm/templates/nginx-ingress-ui.yaml create mode 100644 deployment/helm/templates/nginx-ingress-ws.yaml create mode 100644 deployment/helm/templates/nginx-networkpolicy.yaml create mode 100644 
deployment/helm/templates/nginx-route.yaml create mode 100644 deployment/helm/templates/nginx-service.yaml create mode 100644 deployment/helm/templates/policies-deployment.yaml create mode 100644 deployment/helm/templates/policies-networkpolicy.yaml create mode 100644 deployment/helm/templates/policies-pdb.yaml create mode 100644 deployment/helm/templates/policies-podmonitor.yaml create mode 100644 deployment/helm/templates/role.yaml create mode 100644 deployment/helm/templates/rolebinding.yaml create mode 100644 deployment/helm/templates/serviceaccount.yaml create mode 100644 deployment/helm/templates/swaggerui-config.yaml create mode 100644 deployment/helm/templates/swaggerui-deployment.yaml create mode 100644 deployment/helm/templates/swaggerui-networkpolicy.yaml create mode 100644 deployment/helm/templates/swaggerui-pdb.yaml create mode 100644 deployment/helm/templates/swaggerui-service.yaml create mode 100644 deployment/helm/templates/things-deployment.yaml create mode 100644 deployment/helm/templates/things-networkpolicy.yaml create mode 100644 deployment/helm/templates/things-pdb.yaml create mode 100644 deployment/helm/templates/things-podmonitor.yaml create mode 100644 deployment/helm/templates/thingssearch-deployment.yaml create mode 100644 deployment/helm/templates/thingssearch-networkpolicy.yaml create mode 100644 deployment/helm/templates/thingssearch-pdb.yaml create mode 100644 deployment/helm/templates/thingssearch-podmonitor.yaml create mode 100644 deployment/helm/values.yaml diff --git a/.github/workflows/license-check.yml b/.github/workflows/license-check.yml index a6e7224e006..1254d09eb1d 100644 --- a/.github/workflows/license-check.yml +++ b/.github/workflows/license-check.yml 
@@ -29,7 +29,7 @@ jobs:
 - name: Ensure license year for added files is the file's creation year
 shell: bash
 run: |
- included_file_endings=".*\.(java|xml|yml)"
+ included_file_endings=".*\.(java|xml|yml|yaml)"
 current_year=$(date +'%Y')
 missing_counter=0
 for file in ${{ steps.the-files.outputs.added }}; do
diff --git a/deployment/helm/.gitignore b/deployment/helm/.gitignore
new file mode 100644
index 00000000000..f791801bcae
--- /dev/null
+++ b/deployment/helm/.gitignore
@@ -0,0 +1,2 @@
+charts/
+Chart.lock
diff --git a/deployment/helm/.helmignore b/deployment/helm/.helmignore
new file mode 100644
index 00000000000..d8882204716
--- /dev/null
+++ b/deployment/helm/.helmignore
@@ -0,0 +1,19 @@
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/deployment/helm/Chart.yaml b/deployment/helm/Chart.yaml
new file mode 100644
index 00000000000..0e196dd8f00
--- /dev/null
+++ b/deployment/helm/Chart.yaml
@@ -0,0 +1,36 @@
+# Copyright (c) 2023 Contributors to the Eclipse Foundation
+#
+# See the NOTICE file(s) distributed with this work for additional
+# information regarding copyright ownership.
+#
+# This program and the accompanying materials are made available under the
+# terms of the Eclipse Public License 2.0 which is available at
+# http://www.eclipse.org/legal/epl-2.0
+#
+# SPDX-License-Identifier: EPL-2.0
+---
+apiVersion: v2
+name: ditto
+description: |
+ Eclipse Ditto™ is a technology in the IoT implementing a software pattern called “digital twins”.
+ A digital twin is a virtual, cloud based, representation of his real world counterpart
+ (real world “Things”, e.g. devices like sensors, smart heating, connected cars, smart grids, EV charging stations etc).
+type: application
+version: 3.3.0
+appVersion: 3.2.1
+keywords:
+ - iot-chart
+ - digital-twin
+ - IoT
+home: https://www.eclipse.org/ditto
+sources:
+ - https://github.com/eclipse-ditto/ditto
+icon: https://www.eclipse.org/ditto/images/ditto.svg
+maintainers:
+ - name: thjaeckle
+ email: thomas.jaeckle@beyonnex.io
+dependencies:
+ - name: mongodb
+ repository: https://charts.bitnami.com/bitnami
+ version: ^12.x
+ condition: mongodb.enabled
diff --git a/deployment/helm/README.md b/deployment/helm/README.md
index 7a15958ac0f..07943d65a9a 100644
--- a/deployment/helm/README.md
+++ b/deployment/helm/README.md
@@ -1,6 +1,6 @@
 # Eclipse Ditto :: Helm
-The Ditto Helm chart is managed at the [Eclipse IoT Packages](https://github.com/eclipse/packages/tree/master/charts/ditto) project.
+The Ditto Helm chart sources are managed here.
 ## Install Ditto via Helm Chart
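Review bot: The mongodb dependency is declared with the floating range `version: ^12.x` while the sibling `.gitignore` hunk excludes `Chart.lock`, so the Bitnami subchart revision that `helm dependency update` resolves is neither pinned nor committed, and two builds of the same chart version can pull different MongoDB chart (and therefore image) versions. For a chart described in the commit message as the basis for a productive deployment I would pin the exact subchart version you tested against, or stop ignoring `Chart.lock` so the resolved version and digest are tracked in git. `appVersion: 3.2.1` next to `version: 3.3.0` also reads as a mismatch; if the chart version is meant to move independently of the Ditto release, a comment such as `# chart version is bumped independently of the Ditto release in appVersion` would save the next maintainer a question.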
@@ -19,3 +19,31 @@ To uninstall/delete the eclipse-ditto deployment: ```shell script helm delete eclipse-ditto ``` + +# Working locally with the chart + +In order to test / develop the chart locally, this section should be of help. + +## Testing templating +For that, no running k8s cluster is necessary - the output will be the rendered k8s deployment descriptors: + +```shell +helm template my-ditto . -f values.yaml -f local-values.yaml --debug +``` + +## Installation +To install the Ditto chart with the name `"my-ditto"`, perform: + +```shell +helm install -f values.yaml -f local-values.yaml my-ditto . --wait +kubectl port-forward svc/my-ditto-nginx 8080:8080 +``` + +Now, you can access Ditto on [http://localhost:8080](http://localhost:8080) - have fun. + +## Uninstallation +To uninstall the chart again, perform: + +```shell +helm uninstall my-ditto +``` diff --git a/deployment/helm/local-values.yaml b/deployment/helm/local-values.yaml new file mode 100644 index 00000000000..c58ad3f1c86 --- /dev/null +++ b/deployment/helm/local-values.yaml 
@@ -0,0 +1,154 @@
+# Copyright (c) 2023 Contributors to the Eclipse Foundation
+#
+# See the NOTICE file(s) distributed with this work for additional
+# information regarding copyright ownership.
+#
+# This program and the accompanying materials are made available under the
+# terms of the Eclipse Public License 2.0 which is available at
+# http://www.eclipse.org/legal/epl-2.0
+#
+# SPDX-License-Identifier: EPL-2.0
+---
+# Default values for ditto.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+global:
+ jwtOnly: false
+ basicAuthUsers:
+ ditto:
+ user: ditto
+ password: ditto
+ logging:
+ customConfigFile:
+ enabled: true
+
+## ----------------------------------------------------------------------------
+## policies configuration
+## ref: https://www.eclipse.org/ditto/architecture-services-policies.html
+policies:
+ resources:
+ cpu: 0.2
+ memoryMi: 512
+ jvm:
+ activeProcessorCount: 2
+ heapRamPercentage: 50
+ config:
+ persistence:
+ events:
+ historicalHeadersToPersist:
+ - "ditto-originator"
+ - "ditto-origin"
+ - "correlation-id"
+
+## ----------------------------------------------------------------------------
+## things configuration
+## ref: https://www.eclipse.org/ditto/architecture-services-things.html
+things:
+ resources:
+ cpu: 0.2
+ memoryMi: 512
+ jvm:
+ activeProcessorCount: 2
+ heapRamPercentage: 50
+ config:
+ persistence:
+ events:
+ historicalHeadersToPersist:
+ - "ditto-originator"
+ - "ditto-origin"
+ - "correlation-id"
+
+## ----------------------------------------------------------------------------
+## things-search configuration
+## ref: https://www.eclipse.org/ditto/architecture-services-things-search.html
+thingsSearch:
+ resources:
+ cpu: 0.2
+ memoryMi: 512
+ jvm:
+ activeProcessorCount: 2
+ heapRamPercentage: 50
+
+## ----------------------------------------------------------------------------
+## connectivity configuration
+## ref: https://www.eclipse.org/ditto/architecture-services-connectivity.html
+connectivity:
+ resources:
+ cpu: 0.2
+ memoryMi: 768
+ jvm:
+ activeProcessorCount: 2
+ heapRamPercentage: 55
+
+## ----------------------------------------------------------------------------
+## gateway configuration
+## ref: https://www.eclipse.org/ditto/architecture-services-gateway.html
+gateway:
+ resources:
+ cpu: 0.2
+ memoryMi: 512
+ jvm:
+ activeProcessorCount: 2
+ heapRamPercentage: 50
+ config:
+ authentication:
+ enablePreAuthentication: true
+ oauth:
+ openidConnectIssuers:
+ example:
+ issuer: "example.com"
+ authSubjects:
+ - "{{ jwt:sub }}"
+ - "{{ jwt:groups }}"
+ devops:
+ ## this controls whether /devops resource is secured or not
+ secured: true
+ authMethod: "basic"
+ oauth:
+ # configure the amount of clock skew in seconds to tolerate when verifying the local time against the exp and nbf claims
+ allowedClockSkew: 20s
+ openidConnectIssuers:
+ example-ops:
+ issuer: "example.com"
+ authSubjects:
+ - "{{ jwt:sub }}"
+ - "{{ jwt:groups }}"
+ oauthSubjects:
+ - "example-ops:devops-admin"
+ ## this controls whether /status resource is secured or not
+ statusSecured: true
+ statusAuthMethod: "basic"
+ # array of strings for subjects authorized to use "/status" API
+ statusOauthSubjects:
+ - "example-ops:devops-admin"
+
+## ----------------------------------------------------------------------------
+## nginx configuration
+nginx:
+ resources:
+ cpu: 0.1
+ memoryMi: 64
+ initContainers:
+ waitForGateway:
+ enabled: false
+
+## ----------------------------------------------------------------------------
+## mongodb dependency chart configuration
+mongodb:
+ enabled: false
+ resources:
+ limits:
+ cpu: 100m
+ memory: 256Mi
+ requests:
+ cpu: 100m
+ memory: 256Mi
+ readinessProbe:
+ enabled: false
+ livenessProbe:
+ enabled: false
+ auth:
+ enabled: false
+ persistence:
+ enabled: false
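Review bot: This values file commits a static `ditto`/`ditto` basic-auth user, `mongodb.auth.enabled: false` and placeholder OIDC issuers (`issuer: "example.com"` for both the API and the devops subjects), yet nothing in the file says it is for local development only, while the README hunk in this same commit tells users to install with `-f values.yaml -f local-values.yaml`. I would add, directly under the license block, `# Local development overrides ONLY: static basic-auth credentials, MongoDB without authentication and placeholder OIDC issuers. Never use this file for a productive installation.` The `enablePreAuthentication: true` switch presumably makes the gateway trust an authenticated-subject header injected by the nginx in front of it, which is only safe if the gateway pods are unreachable except through nginx; the chart ships a `gateway-networkpolicy.yaml` that is not in this view, so a one-line comment here naming that dependency (`# safe only because the gateway NetworkPolicy restricts ingress to the nginx pods`) would make the assumption visible to whoever copies this file.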
diff --git a/deployment/helm/logback-config/connectivity.xml b/deployment/helm/logback-config/connectivity.xml new file mode 100644 index 00000000000..0d22766ad5c --- /dev/null +++ b/deployment/helm/logback-config/connectivity.xml @@ -0,0 +1,41 @@ + + + + + + sourceActorSystem + akkaUid + akkaTimestamp + x-correlation-id=correlation-id + connection-id=ditto-connection-id + connection-type=ditto-connection-type + + + + + + + + + + + + + + + + + + + diff --git a/deployment/helm/logback-config/gateway.xml b/deployment/helm/logback-config/gateway.xml new file mode 100755 index 00000000000..348e3a63875 --- /dev/null +++ b/deployment/helm/logback-config/gateway.xml @@ -0,0 +1,37 @@ + + + + + + sourceActorSystem + akkaUid + akkaTimestamp + x-correlation-id=correlation-id + + + + + + + + + + + + + + + + + diff --git a/deployment/helm/logback-config/policies.xml b/deployment/helm/logback-config/policies.xml new file mode 100755 index 00000000000..348e3a63875 --- /dev/null +++ b/deployment/helm/logback-config/policies.xml @@ -0,0 +1,37 @@ + + + + + + sourceActorSystem + akkaUid + akkaTimestamp + x-correlation-id=correlation-id + + + + + + + + + + + + + + + + + diff --git a/deployment/helm/logback-config/things.xml b/deployment/helm/logback-config/things.xml new file mode 100755 index 00000000000..348e3a63875 --- /dev/null +++ b/deployment/helm/logback-config/things.xml @@ -0,0 +1,37 @@ + + + + + + sourceActorSystem + akkaUid + akkaTimestamp + x-correlation-id=correlation-id + + + + + + + + + + + + + + + + + diff --git a/deployment/helm/logback-config/thingssearch.xml b/deployment/helm/logback-config/thingssearch.xml new file mode 100755 index 00000000000..348e3a63875 --- /dev/null +++ b/deployment/helm/logback-config/thingssearch.xml @@ -0,0 +1,37 @@ + + + + + + sourceActorSystem + akkaUid + akkaTimestamp + x-correlation-id=correlation-id + + + + + + + + + + + + + + + + + 
diff --git a/deployment/helm/nginx-config/ditto-down.svg b/deployment/helm/nginx-config/ditto-down.svg new file mode 100644 index 00000000000..679cf25b967 --- /dev/null +++ b/deployment/helm/nginx-config/ditto-down.svg @@ -0,0 +1,78 @@ + + + + + + + + + + image/svg+xml + + + + + + + + + + + + + + diff --git a/deployment/helm/nginx-config/ditto-up.svg b/deployment/helm/nginx-config/ditto-up.svg new file mode 100644 index 00000000000..33b074ba859 --- /dev/null +++ b/deployment/helm/nginx-config/ditto-up.svg @@ -0,0 +1,67 @@ + + + + + + + + + + image/svg+xml + + + + + + + + + + diff --git a/deployment/helm/nginx-config/index.html b/deployment/helm/nginx-config/index.html new file mode 100644 index 00000000000..abed686cd52 --- /dev/null +++ b/deployment/helm/nginx-config/index.html @@ -0,0 +1,174 @@ + + + + Eclipse Ditto + + + + + + + + + + + + + + diff --git a/deployment/helm/nginx-config/nginx-cors.conf b/deployment/helm/nginx-config/nginx-cors.conf new file mode 100644 index 00000000000..f9ed9330776 --- /dev/null +++ b/deployment/helm/nginx-config/nginx-cors.conf 
@@ -0,0 +1,39 @@
+#
+# CORS header support
+#
+# As of Nginx 1.7.5, add_header supports an "always" parameter which
+# allows CORS to work if the backend returns 4xx or 5xx status code.
+#
+# For more information on CORS, please see: http://enable-cors.org/
+# From this Gist: https://gist.github.com/Stanback/7145487
+# And this: https://gist.github.com/pauloricardomg/7084524
+#
+
+set $cors '1';
+
+# OPTIONS indicates a CORS pre-flight request
+if ($request_method = 'OPTIONS') {
+ set $cors "${cors}o";
+}
+
+if ($cors = '1') {
+ add_header 'Access-Control-Allow-Origin' '$http_origin' always;
+ add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, PATCH, DELETE, OPTIONS' always;
+ add_header 'Access-Control-Allow-Credentials' 'true' always;
+ add_header 'Access-Control-Allow-Headers' '$http_access_control_request_headers' always;
+ add_header 'Access-Control-Expose-Headers' '*' always;
+}
+
+# OPTIONS (pre-flight) request from allowed CORS domain. return response directly
+if ($cors = '1o') {
+ # Tell client that this pre-flight info is valid for 20 days
+ add_header 'Access-Control-Max-Age' 1728000;
+ add_header 'Access-Control-Allow-Origin' '$http_origin' always;
+ add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, PATCH, DELETE, OPTIONS' always;
+ add_header 'Access-Control-Allow-Credentials' 'true' always;
+ add_header 'Access-Control-Allow-Headers' '$http_access_control_request_headers' always;
+ add_header 'Access-Control-Expose-Headers' '*' always;
+ add_header 'Content-Type' 'text/plain charset=UTF-8';
+ add_header 'Content-Length' 0;
+ return 200;
+}
diff --git a/deployment/helm/swaggerui-config/index.html b/deployment/helm/swaggerui-config/index.html
new file mode 100644
index 00000000000..460d0fe7bc6
--- /dev/null
+++ b/deployment/helm/swaggerui-config/index.html
@@ -0,0 +1,74 @@
+ + + + + + Eclipse Ditto - HTTP API + + + + + + + + + 
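Review bot: `set $cors '1';` enables CORS unconditionally, and both header blocks then reflect `$http_origin` into `Access-Control-Allow-Origin` together with `Access-Control-Allow-Credentials: true`, so any web origin can issue credentialed cross-site requests to the Ditto API from a browser that holds basic-auth credentials or a session for it; reflecting `$http_access_control_request_headers` likewise makes the allowed-headers list attacker-chosen. The two gists this file cites gate the reflection on an origin allowlist, and the comment `# OPTIONS (pre-flight) request from allowed CORS domain.` still assumes one, but the check was dropped; restore it by replacing `set $cors '1';` with `set $cors '';` followed by `if ($http_origin ~* '^https?://(localhost(:[0-9]+)?|ui\.example\.com)$') { set $cors '1'; }`, and have the chart template the regex from a value so operators list their real UI origins instead of the example. Minor: in credentialed responses browsers do not treat `Access-Control-Expose-Headers: *` as a wildcard, so name the headers that actually need exposing.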
+ + + + + + + + diff --git a/deployment/helm/templates/NOTES.txt b/deployment/helm/templates/NOTES.txt new file mode 100644 index 00000000000..1b2fcbce4be --- /dev/null +++ b/deployment/helm/templates/NOTES.txt 
@@ -0,0 +1,33 @@
+Eclipse Ditto successfully installed!
+
+{{- if ( not .Values.openshift.routes.enabled ) }}
+Access Ditto in your browser (http://localhost:8080) by running:
+
+ kubectl --namespace {{ .Release.Namespace }} port-forward svc/{{ include "ditto.fullname" . }}-nginx 8080:8080
+
+The /status resource can be accessed by:
+
+ export STATUS_PWD=$(kubectl --namespace {{ .Release.Namespace }} get secret {{ include "ditto.fullname" . }}-gateway-secret -o jsonpath="{.data.status-password}" | base64 --decode)
+ curl -i -X GET "http://devops:${STATUS_PWD}@localhost:8080/status"
+
+The /devops resource can be accessed by:
+
+ export DEVOPS_PWD=$(kubectl --namespace {{ .Release.Namespace }} get secret {{ include "ditto.fullname" . }}-gateway-secret -o jsonpath="{.data.devops-password}" | base64 --decode)
+ curl -i -X GET "http://devops:${DEVOPS_PWD}@localhost:8080/devops"
+{{- else -}}
+Access Ditto in your browser, get the URL with:
+
+ echo https://$(kubectl --namespace {{ .Release.Namespace }} get route {{ include "ditto.fullname" . }} -o jsonpath="{.status.ingress[0].host}")
+
+The /status resource can be accessed by:
+
+ export STATUS_PWD=$(kubectl --namespace {{ .Release.Namespace }} get secret {{ include "ditto.fullname" . }}-gateway-secret -o jsonpath="{.data.status-password}" | base64 --decode)
+ export URL=https://devops:${STATUS_PWD}@$(kubectl --namespace {{ .Release.Namespace }} get route {{ include "ditto.fullname" . }} -o jsonpath="{.status.ingress[0].host}")
+ curl -i -X GET "$URL/status"
+
+The /devops resource can be accessed by:
+
+ export DEVOPS_PWD=$(kubectl --namespace {{ .Release.Namespace }} get secret {{ include "ditto.fullname" . }}-gateway-secret -o jsonpath="{.data.devops-password}" | base64 --decode)
+ export URL=https://devops:${DEVOPS_PWD}@$(kubectl --namespace {{ .Release.Namespace }} get route {{ include "ditto.fullname" . }} -o jsonpath="{.status.ingress[0].host}")
+ curl -i -X GET "$URL/devops"
+{{- end }}
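Review bot: The curl examples embed the devops password in the URL (`http://devops:${STATUS_PWD}@localhost:8080/status` and the `export URL=https://devops:${DEVOPS_PWD}@...` lines in the route branch), which breaks as soon as the generated secret contains a URL-reserved character such as `@`, `/`, `?` or `#`, and it also leaves the credential inside a `URL` variable that users will paste elsewhere. Prefer passing it as basic-auth, e.g. `curl -i -u "devops:${STATUS_PWD}" http://localhost:8080/status` and, in the route branch, build `URL` without the credential and use `curl -i -u "devops:${DEVOPS_PWD}" "$URL/devops"`; either form still exposes the password in the process list, so a note pointing at `-n`/`.netrc` for anything beyond a quick check would be fair. The password comes from `<release>-gateway-secret`, which is generated in `gateway-secret.yaml` outside this view, so its randomness cannot be judged from this hunk.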
diff --git a/deployment/helm/templates/_helpers.tpl b/deployment/helm/templates/_helpers.tpl new file mode 100644 index 00000000000..8ba1d57081f --- /dev/null +++ b/deployment/helm/templates/_helpers.tpl 
@@ -0,0 +1,72 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "ditto.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "ditto.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "ditto.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Common labels +*/}} +{{- define "ditto.labels" -}} +helm.sh/chart: {{ include "ditto.chart" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Create the name of the service account to use +*/}} +{{- define "ditto.serviceAccountName" -}} +{{- if .Values.serviceAccount.create -}} + {{ default (include "ditto.fullname" .) .Values.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.serviceAccount.name }} +{{- end -}} +{{- end -}} + +{{/* +Create a fully qualified MongoDB server name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). 
+*/}} +{{- define "ditto.mongodb.fullname" -}} +{{- if .Values.mongodb.fullnameOverride -}} +{{- .Values.mongodb.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default "mongodb" .Values.mongodb.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} diff --git a/deployment/helm/templates/connectivity-deployment.yaml b/deployment/helm/templates/connectivity-deployment.yaml new file mode 100644 index 00000000000..3d71e531b69 --- /dev/null +++ b/deployment/helm/templates/connectivity-deployment.yaml 
@@ -0,0 +1,323 @@ +# Copyright (c) 2023 Contributors to the Eclipse Foundation +# +# See the NOTICE file(s) distributed with this work for additional +# information regarding copyright ownership. +# +# This program and the accompanying materials are made available under the +# terms of the Eclipse Public License 2.0 which is available at +# http://www.eclipse.org/legal/epl-2.0 +# +# SPDX-License-Identifier: EPL-2.0 +{{- if .Values.connectivity.enabled -}} +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "ditto.fullname" . }}-connectivity + labels: + app.kubernetes.io/name: {{ include "ditto.name" . }}-connectivity +{{ include "ditto.labels" . | indent 4 }} +spec: + replicas: {{ .Values.connectivity.replicaCount }} + strategy: + {{- with .Values.connectivity.updateStrategy }} + {{- toYaml . | nindent 4 }} + {{- end }} + minReadySeconds: {{ .Values.connectivity.minReadySeconds }} + selector: + matchLabels: + app.kubernetes.io/name: {{ include "ditto.name" . }}-connectivity + app.kubernetes.io/instance: {{ .Release.Name }} + template: + metadata: + labels: + app.kubernetes.io/name: {{ include "ditto.name" . }}-connectivity + app.kubernetes.io/instance: {{ .Release.Name }} + actorSystemName: {{ .Values.akka.actorSystemName }} + {{- with .Values.connectivity.additionalLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} + annotations: + {{- if .Values.global.prometheus.enabled }} + prometheus.io/scrape: "true" + prometheus.io/path: "{{ .Values.global.prometheus.path }}" + prometheus.io/port: "{{ .Values.global.prometheus.port }}" + {{- end }} + checksum/mongodb-config: {{ include (print $.Template.BasePath "/mongodb-secret.yaml") . | sha256sum }} + {{- with .Values.connectivity.additionalAnnotations }} + {{- toYaml . | nindent 8 }} + {{- end }} + spec: + {{- if .Values.rbac.enabled }} + serviceAccountName: {{ template "ditto.serviceAccountName" . }} + {{- end }} + {{- with .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . 
| nindent 8 }} + {{- end }} + securityContext: + fsGroup: 1000 + initContainers: + {{- if .Values.global.logging.logFiles.enabled }} + - name: change-volume-owner + image: busybox + securityContext: + runAsUser: 0 + command: [ "sh", "-c", "chown -R 1000:1000 /var/log/ditto && echo 'changed ownership of /var/log/ditto to 1000:1000'" ] + volumeMounts: + - name: ditto-log-files-directory + mountPath: /var/log/ditto + {{- end }} + containers: + - name: {{ .Chart.Name }}-connectivity + image: {{ printf "%s:%s" .Values.connectivity.image.repository ( default .Chart.AppVersion ( default .Values.dittoTag .Values.connectivity.image.tag ) ) }} + imagePullPolicy: {{ .Values.connectivity.image.pullPolicy }} + env: + {{- if not .Values.global.logging.customConfigFile.enabled }} + - name: DITTO_LOGGING_DISABLE_SYSOUT_LOG + value: "{{ if .Values.global.logging.sysout.enabled }}false{{ else }}true{{ end }}" + - name: DITTO_LOGGING_FILE_APPENDER + value: "{{ if .Values.global.logging.logFiles.enabled }}true{{ else }}false{{ end }}" + {{- end }} + - name: DITTO_TRACING_ENABLED + value: "{{ .Values.global.tracing.enabled }}" + - name: OTEL_EXPORTER_OTLP_ENDPOINT + value: "{{ .Values.global.tracing.otelExporterOtlpEndpoint }}" + - name: DITTO_TRACING_SAMPLER + value: "{{ .Values.global.tracing.sampler }}" + - name: DITTO_TRACING_RANDOM_SAMPLER_PROBABILITY + value: "{{ .Values.global.tracing.randomSampler.probability }}" + - name: DITTO_TRACING_ADAPTIVE_SAMPLER_THROUGHPUT + value: "{{ .Values.global.tracing.adaptiveSampler.throughput }}" + {{- if .Values.global.logging.logstash.enabled }} + - name: DITTO_LOGGING_LOGSTASH_SERVER + value: "{{ .Values.global.logging.logstash.endpoint }}" + {{- end }} + - name: POD_LABEL_SELECTOR + value: "app.kubernetes.io/name=%s" + - name: POD_NAMESPACE + value: {{ .Release.Namespace }} + - name: INSTANCE_INDEX + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: HOSTNAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: 
status.podIP + - name: DISCOVERY_METHOD + value: "kubernetes-api" + - name: TZ + value: "{{ .Values.global.timezone }}" + - name: JAVA_TOOL_OPTIONS + value: > + {{ .Values.global.jvmOptions }} + -XX:ActiveProcessorCount={{ .Values.connectivity.jvm.activeProcessorCount }} + -XX:MaxRAMPercentage={{ .Values.connectivity.jvm.heapRamPercentage }} + -XX:InitialRAMPercentage={{ .Values.connectivity.jvm.heapRamPercentage }} + -XX:MaxGCPauseMillis={{ .Values.connectivity.jvm.maxGcPauseMillis }} + {{ .Values.connectivity.additionalJvmOptions }} + {{- .Values.global.akkaOptions }} + {{- if .Values.global.logging.customConfigFile.enabled }} + -Dlogback.configurationFile=/opt/ditto/{{ .Values.global.logging.customConfigFile.fileName }} + {{- end }} + {{- range $index, $header := .Values.connectivity.config.persistence.events.historicalHeadersToPersist }} + "{{ printf "%s%d=%s" "-Dditto.connectivity.connection.event.historical-headers-to-persist." $index $header }}" + {{- end }} + {{ join " " .Values.connectivity.systemProps }} + - name: MONGO_DB_SSL_ENABLED + value: "{{ if .Values.dbconfig.connectivity.ssl }}true{{ else }}false{{ end }}" + - name: MONGO_DB_URI + valueFrom: + secretKeyRef: + name: {{ if .Values.dbconfig.uriSecret }}{{ .Values.dbconfig.uriSecret }}{{ else }}{{ include "ditto.fullname" . 
}}-mongodb-secret{{ end }} + key: connectivity-uri + - name: MONGO_DB_CONNECTION_MIN_POOL_SIZE + value: "{{ .Values.connectivity.config.mongodb.minPoolSize }}" + - name: MONGO_DB_CONNECTION_POOL_SIZE + value: "{{ .Values.connectivity.config.mongodb.maxPoolSize }}" + - name: MONGO_DB_CONNECTION_POOL_IDLE_TIME + value: "{{ .Values.connectivity.config.mongodb.maxPoolIdleTime }}" + - name: CLUSTER_BS_REQUIRED_CONTACTS + value: "{{ .Values.global.cluster.requiredContactPoints }}" + - name: DITTO_DDATA_NUMBER_OF_SHARDS + value: "{{ .Values.global.cluster.ddata.numberOfShards }}" + - name: DITTO_DDATA_MAX_DELTA_ELEMENTS + value: "{{ .Values.global.cluster.ddata.maxDeltaElements }}" + - name: CLUSTER_NUMBER_OF_SHARDS + value: "{{ .Values.global.cluster.numberOfShards }}" + - name: CLUSTER_DOWNING_STABLE_AFTER + value: "{{ .Values.global.cluster.downingStableAfter }}" + - name: CLUSTER_DOWNING_DOWN_ALL_WHEN_UNSTABLE + value: "{{ .Values.global.cluster.downAllWhenUnstable }}" + {{- if .Values.global.prometheus.enabled }} + - name: PROMETHEUS_PORT + value: "{{ .Values.global.prometheus.port }}" + {{- end }} + - name: AKKA_PERSISTENCE_MONGO_JOURNAL_WRITE_CONCERN + value: "{{ .Values.connectivity.config.mongodb.journalWriteConcern }}" + - name: AKKA_PERSISTENCE_MONGO_SNAPS_WRITE_CONCERN + value: "{{ .Values.connectivity.config.mongodb.snapsWriteConcern }}" + - name: BREAKER_MAXTRIES + value: "{{ .Values.connectivity.config.mongodb.journalCircuitBreaker.maxTries }}" + - name: BREAKER_TIMEOUT + value: "{{ .Values.connectivity.config.mongodb.journalCircuitBreaker.timeout }}" + - name: BREAKER_RESET + value: "{{ .Values.connectivity.config.mongodb.journalCircuitBreaker.reset }}" + - name: SNAPSHOT_BREAKER_MAXTRIES + value: "{{ .Values.connectivity.config.mongodb.snapsCircuitBreaker.maxTries }}" + - name: SNAPSHOT_BREAKER_TIMEOUT + value: "{{ .Values.connectivity.config.mongodb.snapsCircuitBreaker.timeout }}" + - name: SNAPSHOT_BREAKER_RESET + value: "{{ 
.Values.connectivity.config.mongodb.snapsCircuitBreaker.reset }}"
+ - name: CONNECTION_ACTIVITY_CHECK_INTERVAL
+ value: "{{ .Values.connectivity.config.persistence.activityCheckInterval }}"
+ - name: HEALTH_CHECK_METRICS_REPORTER_RESOLUTION
+ value: "{{ .Values.connectivity.config.cleanup.metricsReporter.resolution }}"
+ - name: HEALTH_CHECK_METRICS_REPORTER_HISTORY
+ value: "{{ .Values.connectivity.config.cleanup.metricsReporter.history }}"
+ - name: CLEANUP_ENABLED
+ value: "{{ .Values.connectivity.config.cleanup.enabled }}"
+ - name: CLEANUP_QUIET_PERIOD
+ value: "{{ .Values.connectivity.config.cleanup.quietPeriod }}"
+ - name: CLEANUP_HISTORY_RETENTION_DURATION
+ value: "{{ .Values.connectivity.config.cleanup.history.retentionDuration }}"
+ - name: CLEANUP_INTERVAL
+ value: "{{ .Values.connectivity.config.cleanup.interval }}"
+ - name: CLEANUP_TIMER_THRESHOLD
+ value: "{{ .Values.connectivity.config.cleanup.timerThreshold }}"
+ - name: CLEANUP_CREDITS_PER_BATCH
+ value: "{{ .Values.connectivity.config.cleanup.creditsPerBatch }}"
+ - name: CONNECTION_SNAPSHOT_INTERVAL
+ value: "{{ .Values.connectivity.config.persistence.snapshots.interval }}"
+ - name: CONNECTION_SNAPSHOT_THRESHOLD
+ value: "{{ .Values.connectivity.config.persistence.snapshots.threshold }}"
+ - name: DITTO_POLICIES_ENFORCER_CACHE_ENABLED
+ value: "{{ .Values.connectivity.config.policiesEnforcer.cache.enabled }}"
+ - name: DITTO_POLICIES_ENFORCER_CACHE_MAX_SIZE
+ value: "{{ .Values.connectivity.config.policiesEnforcer.cache.maxSize }}"
+ - name: DITTO_POLICIES_ENFORCER_CACHE_EXPIRE_AFTER_WRITE
+ value: "{{ .Values.connectivity.config.policiesEnforcer.cache.expireAfterWrite }}"
+ - name: DITTO_POLICIES_ENFORCER_CACHE_EXPIRE_AFTER_ACCESS
+ value: "{{ .Values.connectivity.config.policiesEnforcer.cache.expireAfterAccess }}"
+ - name: RECONNECT_RATE_FREQUENCY
+ value: "{{ .Values.connectivity.config.connections.reconnect.rate.frequency }}"
+ - name: RECONNECT_RATE_ENTITIES
+ value: "{{ 
.Values.connectivity.config.connections.reconnect.rate.entities }}"
+ - name: CONNECTIVITY_CONNECTION_ALLOWED_HOSTNAMES
+ value: "{{ .Values.connectivity.config.connections.allowedHostnames }}"
+ - name: CONNECTIVITY_CONNECTION_BLOCKED_HOSTNAMES
+ value: "{{ .Values.connectivity.config.connections.blockedHostnames }}"
+ - name: CONNECTIVITY_CONNECTION_BLOCKED_SUBNETS
+ value: "{{ .Values.connectivity.config.connections.blockedSubnets }}"
+ - name: CONNECTIVITY_CONNECTION_BLOCKED_HOST_REGEX
+ value: "{{ .Values.connectivity.config.connections.blockedHostRegex }}"
+ - name: CONNECTION_SOURCE_NUMBER
+ value: "{{ .Values.connectivity.config.connections.limits.maxSources }}"
+ - name: CONNECTION_TARGET_NUMBER
+ value: "{{ .Values.connectivity.config.connections.limits.maxTargets }}"
+ - name: CONNECTIVITY_SIGNAL_ENRICHMENT_BUFFER_SIZE
+ value: "{{ .Values.connectivity.config.connections.enrichment.bufferSize }}"
+ - name: KAFKA_CONSUMER_THROTTLING_ENABLED
+ value: "{{ .Values.connectivity.config.connections.kafka.consumer.throttling.enabled }}"
+ - name: KAFKA_CONSUMER_THROTTLING_INTERVAL
+ value: "{{ .Values.connectivity.config.connections.kafka.consumer.throttling.interval }}"
+ - name: KAFKA_CONSUMER_THROTTLING_LIMIT
+ value: "{{ .Values.connectivity.config.connections.kafka.consumer.throttling.limit }}"
+ - name: KAFKA_CONSUMER_THROTTLING_MAX_IN_FLIGHT_FACTOR
+ value: "{{ .Values.connectivity.config.connections.kafka.consumer.throttling.maxInflightFactor }}"
+ - name: KAFKA_PRODUCER_QUEUE_SIZE
+ value: "{{ .Values.connectivity.config.connections.kafka.producer.queueSize }}"
+ - name: KAFKA_PRODUCER_PARALLELISM
+ value: "{{ .Values.connectivity.config.connections.kafka.producer.parallelism }}"
+ {{- if .Values.connectivity.extraEnv }}
+ {{- toYaml .Values.connectivity.extraEnv | nindent 12 }}
+ {{- end }}
+ ports:
+ - name: remoting
+ containerPort: {{ .Values.akka.remoting.port }}
+ protocol: TCP
+ - name: management
+ containerPort: {{ .Values.akka.mgmthttp.port }} 
+ protocol: TCP
+ {{- if .Values.global.prometheus.enabled }}
+ - name: prometheus
+ protocol: TCP
+ containerPort: {{ .Values.global.prometheus.port }}
+ {{- end }}
+ readinessProbe:
+ httpGet:
+ port: management
+ path: /ready
+ initialDelaySeconds: {{ .Values.connectivity.readinessProbe.initialDelaySeconds }}
+ periodSeconds: {{ .Values.connectivity.readinessProbe.periodSeconds }}
+ timeoutSeconds: {{ .Values.connectivity.readinessProbe.timeoutSeconds }}
+ successThreshold: {{ .Values.connectivity.readinessProbe.successThreshold }}
+ failureThreshold: {{ .Values.connectivity.readinessProbe.failureThreshold }}
+ livenessProbe:
+ httpGet:
+ port: management
+ path: /alive
+ initialDelaySeconds: {{ .Values.connectivity.livenessProbe.initialDelaySeconds }}
+ periodSeconds: {{ .Values.connectivity.livenessProbe.periodSeconds }}
+ timeoutSeconds: {{ .Values.connectivity.livenessProbe.timeoutSeconds }}
+ successThreshold: {{ .Values.connectivity.livenessProbe.successThreshold }}
+ failureThreshold: {{ .Values.connectivity.livenessProbe.failureThreshold }}
+ volumeMounts:
+ {{- if .Values.global.logging.customConfigFile.enabled }}
+ - name: ditto-custom-log-config
+ mountPath: /opt/ditto/{{ .Values.global.logging.customConfigFile.fileName }}
+ subPath: {{ .Values.global.logging.customConfigFile.fileName }}
+ {{- end }}
+ {{- if .Values.global.logging.logFiles.enabled }}
+ - name: ditto-log-files-directory
+ mountPath: /var/log/ditto
+ {{- end }}
+ resources:
+ requests:
+ cpu: {{ mulf .Values.connectivity.resources.cpu 1000 }}m
+ memory: {{ .Values.connectivity.resources.memoryMi }}Mi
+ limits:
+ # ## no cpu limit to avoid CFS scheduler limits
+ # ref: https://doc.akka.io/docs/akka/snapshot/additional/deploy.html#in-kubernetes
+ # cpu: ""
+ memory: {{ .Values.connectivity.resources.memoryMi }}Mi
+ {{- if .Values.openshift.enabled }}
+ {{- with .Values.openshift.securityContext }}
+ securityContext:
+ {{- toYaml . 
| nindent 8 }}
+ {{- end }}
+ {{- else }}
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 1000
+ runAsGroup: 1000
+ allowPrivilegeEscalation: false
+ {{- end }}
+ {{- with .Values.connectivity.nodeSelector }}
+ nodeSelector:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.connectivity.affinity }}
+ affinity:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.connectivity.tolerations }}
+ tolerations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ volumes:
+ {{- if .Values.global.logging.customConfigFile.enabled }}
+ - name: ditto-custom-log-config
+ configMap:
+ name: {{ .Release.Name }}-logback-config-connectivity-xml
+ {{- end }}
+ {{- if .Values.global.logging.logFiles.enabled }}
+ - name: ditto-log-files-directory
+ hostPath:
+ path: /var/log/ditto
+ type: DirectoryOrCreate
+ {{- end }}
+{{- end }}
diff --git a/deployment/helm/templates/connectivity-networkpolicy.yaml b/deployment/helm/templates/connectivity-networkpolicy.yaml
new file mode 100644
index 00000000000..81c57ee2bd5
--- /dev/null
+++ b/deployment/helm/templates/connectivity-networkpolicy.yaml
@@ -0,0 +1,42 @@
+# Copyright (c) 2023 Contributors to the Eclipse Foundation
+#
+# See the NOTICE file(s) distributed with this work for additional
+# information regarding copyright ownership.
+#
+# This program and the accompanying materials are made available under the
+# terms of the Eclipse Public License 2.0 which is available at
+# http://www.eclipse.org/legal/epl-2.0
+#
+# SPDX-License-Identifier: EPL-2.0
+{{- if .Values.connectivity.networkPolicy.enabled }}
+---
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+ name: {{ include "ditto.fullname" . }}-connectivity
+ labels:
+ app.kubernetes.io/name: {{ include "ditto.name" . }}-connectivity
+{{ include "ditto.labels" . | indent 4 }}
+spec:
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/name: {{ include "ditto.name" . }}-connectivity
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ policyTypes:
+ - Ingress
+ - Egress
+ ingress:
+ # Allow inner cluster communication
+ - from:
+ - podSelector:
+ matchLabels:
+ actorSystemName: {{ .Values.akka.actorSystemName }}
+ ports:
+ - protocol: TCP
+ port: {{ .Values.akka.remoting.port }}
+ - protocol: TCP
+ port: {{ .Values.akka.mgmthttp.port }}
+ # Open all egress
+ egress:
+ - {}
+{{- end }}
diff --git a/deployment/helm/templates/connectivity-pdb.yaml b/deployment/helm/templates/connectivity-pdb.yaml
new file mode 100644
index 00000000000..c33ebbdee52
--- /dev/null
+++ b/deployment/helm/templates/connectivity-pdb.yaml
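Review bot: With this policy enabled nothing can reach the `prometheus` containerPort that the connectivity deployment opens when `global.prometheus.enabled` is set (earlier in this patch): the only ingress rule admits pods carrying the `actorSystemName` label, and only on the remoting and management ports, so the PodMonitor added in this patch — or any scraper living in a monitoring namespace — is silently dropped. A conditional rule for that port is needed, preferably scoped with a namespaceSelector/podSelector for the monitoring stack rather than left open. Separately, the trust boundary here is a plain pod label: any workload in the namespace that sets `actorSystemName` to the chart's value reaches Akka remoting and the management HTTP endpoint, so consider adding `app.kubernetes.io/instance: {{ .Release.Name }}` to that selector and relying on remoting TLS for the rest. The gateway NetworkPolicy later in the patch has the same shape and the same gaps.
```yaml
  ingress:
    # … unchanged: inner cluster communication rule …
    {{- if .Values.global.prometheus.enabled }}
    # Allow metrics scraping; narrow `from` to the monitoring namespace/pods where known
    - ports:
        - protocol: TCP
          port: {{ .Values.global.prometheus.port }}
    {{- end }}
```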
@@ -0,0 +1,26 @@
+# Copyright (c) 2023 Contributors to the Eclipse Foundation
+#
+# See the NOTICE file(s) distributed with this work for additional
+# information regarding copyright ownership.
+#
+# This program and the accompanying materials are made available under the
+# terms of the Eclipse Public License 2.0 which is available at
+# http://www.eclipse.org/legal/epl-2.0
+#
+# SPDX-License-Identifier: EPL-2.0
+{{- if and .Values.connectivity.podDisruptionBudget.enabled (gt .Values.connectivity.replicaCount 1.0) -}}
+---
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+ name: {{ include "ditto.fullname" . }}-connectivity
+ labels:
+ app.kubernetes.io/name: {{ include "ditto.name" . }}-connectivity
+{{ include "ditto.labels" . | indent 4 }}
+spec:
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: {{ include "ditto.name" . }}-connectivity
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ minAvailable: {{ .Values.connectivity.podDisruptionBudget.minAvailable }}
+{{- end }}
diff --git a/deployment/helm/templates/connectivity-podmonitor.yaml b/deployment/helm/templates/connectivity-podmonitor.yaml
new file mode 100644
index 00000000000..d133f138215
--- /dev/null
+++ b/deployment/helm/templates/connectivity-podmonitor.yaml
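Review bot: `gt .Values.connectivity.replicaCount 1.0` only works while the replica count arrives as a float from values.yaml; a value supplied with `--set connectivity.replicaCount=3` is an int64 and, as far as I recall, Go's template `gt` refuses to compare an int with a float, so the whole release fails to render with "incompatible types for comparison". Casting first makes the guard independent of how the value was supplied: `{{- if and .Values.connectivity.podDisruptionBudget.enabled (gt (int .Values.connectivity.replicaCount) 1) -}}`. The dittoui and gateway PDB templates in this patch use the same comparison and need the same change.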
@@ -0,0 +1,38 @@
+# Copyright (c) 2023 Contributors to the Eclipse Foundation
+#
+# See the NOTICE file(s) distributed with this work for additional
+# information regarding copyright ownership.
+#
+# This program and the accompanying materials are made available under the
+# terms of the Eclipse Public License 2.0 which is available at
+# http://www.eclipse.org/legal/epl-2.0
+#
+# SPDX-License-Identifier: EPL-2.0
+{{- if and .Values.connectivity.podMonitor.enabled .Values.global.prometheus.port -}}
+{{- if .Capabilities.APIVersions.Has "monitoring.coreos.com/v1" -}}
+---
+kind: PodMonitor
+apiVersion: monitoring.coreos.com/v1
+metadata:
+ name: {{ include "ditto.fullname" . }}-connectivity
+ labels:
+ app.kubernetes.io/name: {{ include "ditto.name" . }}-connectivity
+{{ include "ditto.labels" . | indent 4 }}
+spec:
+ podMetricsEndpoints:
+ - targetPort: {{ .Values.global.prometheus.port }}
+ path: "/"
+ {{- if .Values.connectivity.podMonitor.interval }}
+ interval: {{ .Values.connectivity.podMonitor.interval }}
+ {{- end }}
+ {{- if .Values.connectivity.podMonitor.scrapeTimeout }}
+ scrapeTimeout: {{ .Values.connectivity.podMonitor.scrapeTimeout }}
+ {{- end }}
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: {{ include "ditto.name" . }}-connectivity
+ namespaceSelector:
+ matchNames:
+ - {{ $.Release.Namespace | quote }}
+{{- end }}
+{{- end }}
diff --git a/deployment/helm/templates/dittoui-deployment.yaml b/deployment/helm/templates/dittoui-deployment.yaml
new file mode 100644
index 00000000000..6cace32316a
--- /dev/null
+++ b/deployment/helm/templates/dittoui-deployment.yaml
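Review bot: The PodMonitor is gated on `.Values.global.prometheus.port` rather than on `.Values.global.prometheus.enabled`, while the connectivity deployment earlier in this patch only exposes the `prometheus` containerPort and sets `PROMETHEUS_PORT` when `enabled` is true, so with a port configured but metrics disabled a monitor is rendered that targets a port nothing listens on. `path: "/"` is also hard-coded here although the gateway deployment's `prometheus.io/path` annotation reads `.Values.global.prometheus.path`, and the selector matches only `app.kubernetes.io/name`, so two releases in one namespace would scrape each other's pods. I would change the guard to `{{- if and .Values.connectivity.podMonitor.enabled .Values.global.prometheus.enabled -}}`, use `path: "{{ .Values.global.prometheus.path }}"`, and add `app.kubernetes.io/instance: {{ .Release.Name }}` under `matchLabels`. The gateway PodMonitor later in the patch has the same three issues.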
@@ -0,0 +1,66 @@
+# Copyright (c) 2023 Contributors to the Eclipse Foundation
+#
+# See the NOTICE file(s) distributed with this work for additional
+# information regarding copyright ownership.
+#
+# This program and the accompanying materials are made available under the
+# terms of the Eclipse Public License 2.0 which is available at
+# http://www.eclipse.org/legal/epl-2.0
+#
+# SPDX-License-Identifier: EPL-2.0
+{{- if .Values.dittoui.enabled -}}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ include "ditto.fullname" . }}-dittoui
+ labels:
+ app.kubernetes.io/name: {{ include "ditto.name" . }}-dittoui
+{{ include "ditto.labels" . | indent 4 }}
+spec:
+ replicas: {{ .Values.dittoui.replicaCount }}
+ strategy:
+ {{- with .Values.dittoui.updateStrategy }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: {{ include "ditto.name" . }}-dittoui
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/name: {{ include "ditto.name" . }}-dittoui
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ {{- with .Values.dittoui.additionalLabels }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ annotations:
+ {{- with .Values.dittoui.additionalAnnotations }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ spec:
+ {{- with .Values.global.imagePullSecrets }}
+ imagePullSecrets:
+ {{- toYaml . 
| nindent 8 }}
+ {{- end }}
+ containers:
+ - name: {{ .Chart.Name }}-dittoui
+ image: {{ printf "%s:%s" .Values.dittoui.image.repository ( default .Chart.AppVersion ( default .Values.dittoTag .Values.dittoui.image.tag ) ) }}
+ imagePullPolicy: {{ .Values.dittoui.image.pullPolicy }}
+ env:
+ {{- if .Values.dittoui.extraEnv }}
+ {{- toYaml .Values.dittoui.extraEnv | nindent 12 }}
+ {{- end }}
+ ports:
+ - name: http
+ containerPort: 8080
+ protocol: TCP
+ resources:
+ requests:
+ cpu: {{ mulf .Values.dittoui.resources.cpu 1000 }}m
+ memory: {{ .Values.dittoui.resources.memoryMi }}Mi
+ limits:
+ # cpu: ""
+ memory: {{ .Values.dittoui.resources.memoryMi }}Mi
+{{- end }}
diff --git a/deployment/helm/templates/dittoui-networkpolicy.yaml b/deployment/helm/templates/dittoui-networkpolicy.yaml
new file mode 100644
index 00000000000..98010824eeb
--- /dev/null
+++ b/deployment/helm/templates/dittoui-networkpolicy.yaml
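Review bot: The dittoui container gets no `securityContext` and no readiness/liveness probe, unlike the connectivity and gateway deployments in this patch, which set `runAsNonRoot`, a fixed UID/GID and `allowPrivilegeEscalation: false`; this is the component exposed through the UI ingress, so it should not be the one left with the loosest settings. Assuming the UI image can run unprivileged (not visible from here), I would add an equivalent container-level context and a probe on the `http` port; if the image needs root to bind or write, that deserves a comment next to the container so the gap is deliberate rather than an omission.
```yaml
        - name: {{ .Chart.Name }}-dittoui
          # … unchanged: image, imagePullPolicy, env, ports, resources …
          securityContext:
            runAsNonRoot: true
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
          readinessProbe:
            httpGet:
              port: http
              path: /   # TODO confirm the UI answers 2xx on this path
```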
@@ -0,0 +1,36 @@
+# Copyright (c) 2023 Contributors to the Eclipse Foundation
+#
+# See the NOTICE file(s) distributed with this work for additional
+# information regarding copyright ownership.
+#
+# This program and the accompanying materials are made available under the
+# terms of the Eclipse Public License 2.0 which is available at
+# http://www.eclipse.org/legal/epl-2.0
+#
+# SPDX-License-Identifier: EPL-2.0
+{{- if .Values.dittoui.networkPolicy.enabled -}}
+---
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+ name: {{ include "ditto.fullname" . }}-dittoui
+ labels:
+ app.kubernetes.io/name: {{ include "ditto.name" . }}-dittoui
+{{ include "ditto.labels" . | indent 4 }}
+spec:
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/name: {{ include "ditto.name" . }}-dittoui
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ policyTypes:
+ - Ingress
+ ingress:
+ - from:
+ - podSelector:
+ matchLabels:
+ app.kubernetes.io/name: {{ include "ditto.name" . }}-nginx
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ ports:
+ - protocol: TCP
+ port: 8080
+{{- end }}
diff --git a/deployment/helm/templates/dittoui-pdb.yaml b/deployment/helm/templates/dittoui-pdb.yaml
new file mode 100644
index 00000000000..e3a5a6e52bf
--- /dev/null
+++ b/deployment/helm/templates/dittoui-pdb.yaml
@@ -0,0 +1,26 @@
+# Copyright (c) 2023 Contributors to the Eclipse Foundation
+#
+# See the NOTICE file(s) distributed with this work for additional
+# information regarding copyright ownership.
+#
+# This program and the accompanying materials are made available under the
+# terms of the Eclipse Public License 2.0 which is available at
+# http://www.eclipse.org/legal/epl-2.0
+#
+# SPDX-License-Identifier: EPL-2.0
+{{- if and .Values.dittoui.podDisruptionBudget.enabled (gt .Values.dittoui.replicaCount 1.0) -}}
+---
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+ name: {{ include "ditto.fullname" . }}-dittoui
+ labels:
+ app.kubernetes.io/name: {{ include "ditto.name" . }}-dittoui
+{{ include "ditto.labels" . | indent 4 }}
+spec:
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: {{ include "ditto.name" . }}-dittoui
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ minAvailable: {{ .Values.dittoui.podDisruptionBudget.minAvailable }}
+{{- end }}
diff --git a/deployment/helm/templates/dittoui-service.yaml b/deployment/helm/templates/dittoui-service.yaml
new file mode 100644
index 00000000000..f640c4a8c15
--- /dev/null
+++ b/deployment/helm/templates/dittoui-service.yaml
@@ -0,0 +1,33 @@
+# Copyright (c) 2023 Contributors to the Eclipse Foundation
+#
+# See the NOTICE file(s) distributed with this work for additional
+# information regarding copyright ownership.
+#
+# This program and the accompanying materials are made available under the
+# terms of the Eclipse Public License 2.0 which is available at
+# http://www.eclipse.org/legal/epl-2.0
+#
+# SPDX-License-Identifier: EPL-2.0
+{{- if .Values.dittoui.enabled -}}
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ include "ditto.fullname" . }}-dittoui
+ labels:
+ app.kubernetes.io/name: {{ include "ditto.name" . }}-dittoui
+{{ include "ditto.labels" . | indent 4 }}
+ {{- with .Values.dittoui.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+ ports:
+ - port: {{ .Values.dittoui.service.port }}
+ targetPort: http
+ protocol: TCP
+ name: http
+ selector:
+ app.kubernetes.io/name: {{ include "ditto.name" . }}-dittoui
+ app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
diff --git a/deployment/helm/templates/gateway-deployment.yaml b/deployment/helm/templates/gateway-deployment.yaml
new file mode 100644
index 00000000000..51f6536124d
--- /dev/null
+++ b/deployment/helm/templates/gateway-deployment.yaml
@@ -0,0 +1,293 @@
+# Copyright (c) 2023 Contributors to the Eclipse Foundation
+#
+# See the NOTICE file(s) distributed with this work for additional
+# information regarding copyright ownership.
+#
+# This program and the accompanying materials are made available under the
+# terms of the Eclipse Public License 2.0 which is available at
+# http://www.eclipse.org/legal/epl-2.0
+#
+# SPDX-License-Identifier: EPL-2.0
+{{- if .Values.gateway.enabled -}}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ include "ditto.fullname" . }}-gateway
+ labels:
+ app.kubernetes.io/name: {{ include "ditto.name" . }}-gateway
+{{ include "ditto.labels" . | indent 4 }}
+spec:
+ replicas: {{ .Values.gateway.replicaCount }}
+ strategy:
+ {{- with .Values.gateway.updateStrategy }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ minReadySeconds: {{ .Values.gateway.minReadySeconds }}
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: {{ include "ditto.name" . }}-gateway
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/name: {{ include "ditto.name" . }}-gateway
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ actorSystemName: {{ .Values.akka.actorSystemName }}
+ {{- with .Values.gateway.additionalLabels }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ annotations:
+ {{- if .Values.global.prometheus.enabled }}
+ prometheus.io/scrape: "true"
+ prometheus.io/path: "{{ .Values.global.prometheus.path }}"
+ prometheus.io/port: "{{ .Values.global.prometheus.port }}"
+ {{- end }}
+ checksum/password-config: {{ include (print $.Template.BasePath "/gateway-secret.yaml") . | sha256sum }}
+ checksum/mongodb-config: {{ include (print $.Template.BasePath "/mongodb-secret.yaml") . | sha256sum }}
+ {{- with .Values.gateway.additionalAnnotations }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ spec:
+ {{- if .Values.rbac.enabled }}
+ serviceAccountName: {{ template "ditto.serviceAccountName" . 
}}
+ {{- end }}
+ {{- with .Values.global.imagePullSecrets }}
+ imagePullSecrets:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ securityContext:
+ fsGroup: 1000
+ initContainers:
+ {{- if .Values.global.logging.logFiles.enabled }}
+ - name: change-volume-owner
+ image: busybox
+ securityContext:
+ runAsUser: 0
+ command: [ "sh", "-c", "chown -R 1000:1000 /var/log/ditto && echo 'changed ownership of /var/log/ditto to 1000:1000'" ]
+ volumeMounts:
+ - name: ditto-log-files-directory
+ mountPath: /var/log/ditto
+ {{- end }}
+ containers:
+ - name: {{ .Chart.Name }}-gateway
+ image: {{ printf "%s:%s" .Values.gateway.image.repository ( default .Chart.AppVersion ( default .Values.dittoTag .Values.gateway.image.tag ) ) }}
+ imagePullPolicy: {{ .Values.gateway.image.pullPolicy }}
+ env:
+ {{- if not .Values.global.logging.customConfigFile.enabled }}
+ - name: DITTO_LOGGING_DISABLE_SYSOUT_LOG
+ value: "{{ if .Values.global.logging.sysout.enabled }}false{{ else }}true{{ end }}"
+ - name: DITTO_LOGGING_FILE_APPENDER
+ value: "{{ if .Values.global.logging.logFiles.enabled }}true{{ else }}false{{ end }}"
+ {{- end }}
+ - name: DITTO_TRACING_ENABLED
+ value: "{{ .Values.global.tracing.enabled }}"
+ - name: OTEL_EXPORTER_OTLP_ENDPOINT
+ value: "{{ .Values.global.tracing.otelExporterOtlpEndpoint }}"
+ - name: DITTO_TRACING_SAMPLER
+ value: "{{ .Values.global.tracing.sampler }}"
+ - name: DITTO_TRACING_RANDOM_SAMPLER_PROBABILITY
+ value: "{{ .Values.global.tracing.randomSampler.probability }}"
+ - name: DITTO_TRACING_ADAPTIVE_SAMPLER_THROUGHPUT
+ value: "{{ .Values.global.tracing.adaptiveSampler.throughput }}"
+ {{- if .Values.global.logging.logstash.enabled }}
+ - name: DITTO_LOGGING_LOGSTASH_SERVER
+ value: "{{ .Values.global.logging.logstash.endpoint }}"
+ {{- end }}
+ - name: POD_LABEL_SELECTOR
+ value: "app.kubernetes.io/name=%s"
+ - name: POD_NAMESPACE
+ value: {{ .Release.Namespace }}
+ - name: INSTANCE_INDEX
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: 
metadata.name
+ - name: HOSTNAME
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: status.podIP
+ - name: DISCOVERY_METHOD
+ value: "kubernetes-api"
+ - name: TZ
+ value: "{{ .Values.global.timezone }}"
+ - name: JAVA_TOOL_OPTIONS
+ value: >
+ {{ .Values.global.jvmOptions }}
+ -XX:ActiveProcessorCount={{ .Values.gateway.jvm.activeProcessorCount }}
+ -XX:MaxRAMPercentage={{ .Values.gateway.jvm.heapRamPercentage }}
+ -XX:InitialRAMPercentage={{ .Values.gateway.jvm.heapRamPercentage }}
+ -XX:MaxGCPauseMillis={{ .Values.gateway.jvm.maxGcPauseMillis }}
+ {{ .Values.gateway.additionalJvmOptions }}
+ {{- .Values.global.akkaOptions }}
+ {{- if .Values.global.logging.customConfigFile.enabled }}
+ -Dlogback.configurationFile=/opt/ditto/{{ .Values.global.logging.customConfigFile.fileName }}
+ {{- end }}
+ {{- range $key, $value := .Values.gateway.config.authentication.oauth.openidConnectIssuers }}
+ "{{ printf "%s%s%s=%s" "-Dditto.gateway.authentication.oauth.openid-connect-issuers." $key ".issuer" $value.issuer }}"
+ {{- range $index, $subject := $value.authSubjects }}
+ "{{ printf "%s%s%s%d=%s" "-Dditto.gateway.authentication.oauth.openid-connect-issuers." $key ".auth-subjects." $index $subject }}"
+ {{- end }}
+ {{- end }}
+ {{- range $key, $value := .Values.gateway.config.authentication.devops.oauth.openidConnectIssuers }}
+ "{{ printf "%s%s%s=%s" "-Dditto.gateway.authentication.devops.oauth.openid-connect-issuers." $key ".issuer" $value.issuer }}"
+ {{- range $index, $subject := $value.authSubjects }}
+ "{{ printf "%s%s%s%d=%s" "-Dditto.gateway.authentication.devops.oauth.openid-connect-issuers." $key ".auth-subjects." 
$index $subject }}"
+ {{- end }}
+ {{- end }}
+ {{ join " " .Values.gateway.systemProps }}
+ - name: CLUSTER_BS_REQUIRED_CONTACTS
+ value: "{{ .Values.global.cluster.requiredContactPoints }}"
+ - name: DITTO_DDATA_NUMBER_OF_SHARDS
+ value: "{{ .Values.global.cluster.ddata.numberOfShards }}"
+ - name: DITTO_DDATA_MAX_DELTA_ELEMENTS
+ value: "{{ .Values.global.cluster.ddata.maxDeltaElements }}"
+ - name: CLUSTER_NUMBER_OF_SHARDS
+ value: "{{ .Values.global.cluster.numberOfShards }}"
+ - name: CLUSTER_DOWNING_STABLE_AFTER
+ value: "{{ .Values.global.cluster.downingStableAfter }}"
+ - name: CLUSTER_DOWNING_DOWN_ALL_WHEN_UNSTABLE
+ value: "{{ .Values.global.cluster.downAllWhenUnstable }}"
+ {{- if .Values.global.prometheus.enabled }}
+ - name: PROMETHEUS_PORT
+ value: "{{ .Values.global.prometheus.port }}"
+ {{- end }}
+ - name: ENABLE_PRE_AUTHENTICATION
+ value: "{{ .Values.gateway.config.authentication.enablePreAuthentication }}"
+ - name: DEVOPS_SECURED
+ value: "{{ .Values.gateway.config.authentication.devops.secured }}"
+ - name: DEVOPS_AUTHENTICATION_METHOD
+ value: "{{ .Values.gateway.config.authentication.devops.authMethod }}"
+ - name: DEVOPS_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.gateway.config.authentication.devops.existingSecret | default ( printf "%s-gateway-secret" ( include "ditto.fullname" . )) }}
+ key: devops-password
+ {{- range $index, $oauthSubject := .Values.gateway.config.authentication.devops.oauthSubjects }}
+ - name: DEVOPS_OAUTH2_SUBJECTS.{{ $index }}
+ value: "{{ $oauthSubject }}"
+ {{- end }}
+ - name: DEVOPS_STATUS_SECURED
+ value: "{{ .Values.gateway.config.authentication.devops.statusSecured }}"
+ - name: STATUS_AUTHENTICATION_METHOD
+ value: "{{ .Values.gateway.config.authentication.devops.statusAuthMethod }}"
+ - name: STATUS_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: {{ .Values.gateway.config.authentication.devops.existingSecret | default ( printf "%s-gateway-secret" ( include "ditto.fullname" . 
)) }}
+ key: status-password
+ {{- range $index, $oauthSubject := .Values.gateway.config.authentication.devops.statusOauthSubjects }}
+ - name: STATUS_OAUTH2_SUBJECTS.{{ $index }}
+ value: "{{ $oauthSubject }}"
+ {{- end }}
+ - name: WS_SUBSCRIBER_BACKPRESSURE
+ value: "{{ .Values.gateway.config.websocket.subscriber.backpressureQueueSize }}"
+ - name: WS_PUBLISHER_BACKPRESSURE
+ value: "{{ .Values.gateway.config.websocket.publisher.backpressureBufferSize }}"
+ - name: GATEWAY_WEBSOCKET_THROTTLING_ENABLED
+ value: "{{ .Values.gateway.config.websocket.throttling.enabled }}"
+ - name: GATEWAY_WEBSOCKET_THROTTLING_INTERVAL
+ value: "{{ .Values.gateway.config.websocket.throttling.interval }}"
+ - name: GATEWAY_WEBSOCKET_THROTTLING_LIMIT
+ value: "{{ .Values.gateway.config.websocket.throttling.limit }}"
+ - name: GATEWAY_SSE_THROTTLING_ENABLED
+ value: "{{ .Values.gateway.config.sse.throttling.enabled }}"
+ - name: GATEWAY_SSE_THROTTLING_INTERVAL
+ value: "{{ .Values.gateway.config.sse.throttling.interval }}"
+ - name: GATEWAY_SSE_THROTTLING_LIMIT
+ value: "{{ .Values.gateway.config.sse.throttling.limit }}"
+ - name: OAUTH_ALLOWED_CLOCK_SKEW
+ value: "{{ .Values.gateway.config.authentication.oauth.allowedClockSkew }}"
+ {{- if .Values.gateway.extraEnv }}
+ {{- toYaml .Values.gateway.extraEnv | nindent 12 }}
+ {{- end }}
+ ports:
+ - name: http
+ containerPort: {{ .Values.gateway.service.port }}
+ protocol: TCP
+ - name: remoting
+ containerPort: {{ .Values.akka.remoting.port }}
+ protocol: TCP
+ - name: management
+ containerPort: {{ .Values.akka.mgmthttp.port }}
+ protocol: TCP
+ {{- if .Values.global.prometheus.enabled }}
+ - name: prometheus
+ protocol: TCP
+ containerPort: {{ .Values.global.prometheus.port }}
+ {{- end }}
+ readinessProbe:
+ httpGet:
+ port: management
+ path: /ready
+ initialDelaySeconds: {{ .Values.gateway.readinessProbe.initialDelaySeconds }}
+ periodSeconds: {{ .Values.gateway.readinessProbe.periodSeconds }}
+ timeoutSeconds: {{ 
.Values.gateway.readinessProbe.timeoutSeconds }}
+ successThreshold: {{ .Values.gateway.readinessProbe.successThreshold }}
+ failureThreshold: {{ .Values.gateway.readinessProbe.failureThreshold }}
+ livenessProbe:
+ httpGet:
+ port: management
+ path: /alive
+ initialDelaySeconds: {{ .Values.gateway.livenessProbe.initialDelaySeconds }}
+ periodSeconds: {{ .Values.gateway.livenessProbe.periodSeconds }}
+ timeoutSeconds: {{ .Values.gateway.livenessProbe.timeoutSeconds }}
+ successThreshold: {{ .Values.gateway.livenessProbe.successThreshold }}
+ failureThreshold: {{ .Values.gateway.livenessProbe.failureThreshold }}
+ volumeMounts:
+ {{- if .Values.global.logging.customConfigFile.enabled }}
+ - name: ditto-custom-log-config
+ mountPath: /opt/ditto/{{ .Values.global.logging.customConfigFile.fileName }}
+ subPath: {{ .Values.global.logging.customConfigFile.fileName }}
+ {{- end }}
+ {{- if .Values.global.logging.logFiles.enabled }}
+ - name: ditto-log-files-directory
+ mountPath: /var/log/ditto
+ {{- end }}
+ resources:
+ requests:
+ cpu: {{ mulf .Values.gateway.resources.cpu 1000 }}m
+ memory: {{ .Values.gateway.resources.memoryMi }}Mi
+ limits:
+ # ## no cpu limit to avoid CFS scheduler limits
+ # ref: https://doc.akka.io/docs/akka/snapshot/additional/deploy.html#in-kubernetes
+ # cpu: ""
+ memory: {{ .Values.gateway.resources.memoryMi }}Mi
+ {{- if .Values.openshift.enabled }}
+ {{- with .Values.openshift.securityContext }}
+ securityContext:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- else }}
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 1000
+ runAsGroup: 1000
+ allowPrivilegeEscalation: false
+ {{- end }}
+ {{- with .Values.gateway.nodeSelector }}
+ nodeSelector:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.gateway.affinity }}
+ affinity:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.gateway.tolerations }}
+ tolerations:
+ {{- toYaml . 
| nindent 8 }}
+ {{- end }}
+ volumes:
+ {{- if .Values.global.logging.customConfigFile.enabled }}
+ - name: ditto-custom-log-config
+ configMap:
+ name: {{ .Release.Name }}-logback-config-gateway-xml
+ {{- end }}
+ {{- if .Values.global.logging.logFiles.enabled }}
+ - name: ditto-log-files-directory
+ hostPath:
+ path: /var/log/ditto
+ type: DirectoryOrCreate
+ {{- end }}
+{{- end }}
diff --git a/deployment/helm/templates/gateway-networkpolicy.yaml b/deployment/helm/templates/gateway-networkpolicy.yaml
new file mode 100644
index 00000000000..7072f92548e
--- /dev/null
+++ b/deployment/helm/templates/gateway-networkpolicy.yaml
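Review bot: The pod spec appears to carry `securityContext` twice: `fsGroup: 1000` right after `imagePullSecrets`, and the `runAsNonRoot`/`runAsUser`/`allowPrivilegeEscalation` block after `resources`, which is indented with the same `nindent 8` as the pod-level `nodeSelector`/`affinity`/`tolerations` that follow it (indentation itself is lost in this diff, so please verify against the file). If both are pod-level, the YAML parser keeps only one key, so either the volume-ownership fix or the non-root enforcement is silently dropped; `allowPrivilegeEscalation` is moreover a container field, not a PodSecurityContext one; and a surviving pod-level `runAsNonRoot: true` would refuse to start the `change-volume-owner` init container that explicitly sets `runAsUser: 0`. Moving the second block under the gateway container with `nindent 12` resolves all three. Separately, that init container runs an unpinned `busybox` as root doing `chown -R` on a node `hostPath` (`/var/log/ditto`, `DirectoryOrCreate`) that every chart pod on the node shares; pin the image by digest and prefer an emptyDir or PVC unless node-local log files are a hard requirement.
```yaml
          resources:
            # … unchanged: requests / limits …
          {{- if .Values.openshift.enabled }}
          {{- with .Values.openshift.securityContext }}
          securityContext:
            {{- toYaml . | nindent 12 }}
          {{- end }}
          {{- else }}
          securityContext:
            runAsNonRoot: true
            runAsUser: 1000
            runAsGroup: 1000
            allowPrivilegeEscalation: false
          {{- end }}
      # … unchanged: nodeSelector / affinity / tolerations / volumes at pod level; keep the single pod-level securityContext with fsGroup …
```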
@@ -0,0 +1,51 @@
+# Copyright (c) 2023 Contributors to the Eclipse Foundation
+#
+# See the NOTICE file(s) distributed with this work for additional
+# information regarding copyright ownership.
+#
+# This program and the accompanying materials are made available under the
+# terms of the Eclipse Public License 2.0 which is available at
+# http://www.eclipse.org/legal/epl-2.0
+#
+# SPDX-License-Identifier: EPL-2.0
+{{- if .Values.gateway.networkPolicy.enabled -}}
+---
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+ name: {{ include "ditto.fullname" . }}-gateway
+ labels:
+ app.kubernetes.io/name: {{ include "ditto.name" . }}-gateway
+{{ include "ditto.labels" . | indent 4 }}
+spec:
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/name: {{ include "ditto.name" . }}-gateway
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ policyTypes:
+ - Ingress
+ - Egress
+ ingress:
+ # Allow access from Nginx
+ - from:
+ - podSelector:
+ matchLabels:
+ app.kubernetes.io/name: {{ include "ditto.name" . }}-nginx
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ ports:
+ - protocol: TCP
+ port: http
+ # Allow inner cluster communication
+ - from:
+ - podSelector:
+ matchLabels:
+ actorSystemName: {{ .Values.akka.actorSystemName }}
+ ports:
+ - protocol: TCP
+ port: {{ .Values.akka.remoting.port }}
+ - protocol: TCP
+ port: {{ .Values.akka.mgmthttp.port }}
+ # Open all egress
+ egress:
+ - {}
+{{- end }}
diff --git a/deployment/helm/templates/gateway-pdb.yaml b/deployment/helm/templates/gateway-pdb.yaml
new file mode 100644
index 00000000000..1be894d9e5f
--- /dev/null
+++ b/deployment/helm/templates/gateway-pdb.yaml
@@ -0,0 +1,26 @@
+# Copyright (c) 2023 Contributors to the Eclipse Foundation
+#
+# See the NOTICE file(s) distributed with this work for additional
+# information regarding copyright ownership.
+#
+# This program and the accompanying materials are made available under the
+# terms of the Eclipse Public License 2.0 which is available at
+# http://www.eclipse.org/legal/epl-2.0
+#
+# SPDX-License-Identifier: EPL-2.0
+{{- if and .Values.gateway.podDisruptionBudget.enabled (gt .Values.gateway.replicaCount 1.0) -}}
+---
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+ name: {{ include "ditto.fullname" . }}-gateway
+ labels:
+ app.kubernetes.io/name: {{ include "ditto.name" . }}-gateway
+{{ include "ditto.labels" . | indent 4 }}
+spec:
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: {{ include "ditto.name" . }}-gateway
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ minAvailable: {{ .Values.gateway.podDisruptionBudget.minAvailable }}
+{{- end }}
diff --git a/deployment/helm/templates/gateway-podmonitor.yaml b/deployment/helm/templates/gateway-podmonitor.yaml
new file mode 100644
index 00000000000..b57a9b65de4
--- /dev/null
+++ b/deployment/helm/templates/gateway-podmonitor.yaml
@@ -0,0 +1,38 @@ +# Copyright (c) 2023 Contributors to the Eclipse Foundation +# +# See the NOTICE file(s) distributed with this work for additional +# information regarding copyright ownership. +# +# This program and the accompanying materials are made available under the +# terms of the Eclipse Public License 2.0 which is available at +# http://www.eclipse.org/legal/epl-2.0 +# +# SPDX-License-Identifier: EPL-2.0 +{{- if and .Values.gateway.podMonitor.enabled .Values.global.prometheus.port -}} +{{- if .Capabilities.APIVersions.Has "monitoring.coreos.com/v1" -}} +--- +kind: PodMonitor +apiVersion: monitoring.coreos.com/v1 +metadata: + name: {{ include "ditto.fullname" . }}-gateway + labels: + app.kubernetes.io/name: {{ include "ditto.name" . }}-gateway +{{ include "ditto.labels" . | indent 4 }} +spec: + podMetricsEndpoints: + - targetPort: {{ .Values.global.prometheus.port }} + path: "/" + {{- if .Values.gateway.podMonitor.interval }} + interval: {{ .Values.gateway.podMonitor.interval }} + {{- end }} + {{- if .Values.gateway.podMonitor.scrapeTimeout }} + scrapeTimeout: {{ .Values.gateway.podMonitor.scrapeTimeout }} + {{- end }} + selector: + matchLabels: + app.kubernetes.io/name: {{ include "ditto.name" . }}-gateway + namespaceSelector: + matchNames: + - {{ $.Release.Namespace | quote }} +{{- end }} +{{- end }} diff --git a/deployment/helm/templates/gateway-secret.yaml b/deployment/helm/templates/gateway-secret.yaml new file mode 100644 index 00000000000..fab1708b8c1 --- /dev/null +++ b/deployment/helm/templates/gateway-secret.yaml 
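Review bot: The endpoint scrapes `path: "/"` while the pod annotations in policies-deployment.yaml further down advertise `.Values.global.prometheus.path`, so PodMonitor-based and annotation-based discovery disagree on the metrics path. Use the same value here: `path: {{ .Values.global.prometheus.path | quote }}`. The `selector` also matches only `app.kubernetes.io/name`, unlike the Service and NetworkPolicy in this commit which add `app.kubernetes.io/instance: {{ .Release.Name }}`; with two releases in one namespace each PodMonitor would scrape the other release's gateway pods as well.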
@@ -0,0 +1,32 @@ +# Copyright (c) 2023 Contributors to the Eclipse Foundation +# +# See the NOTICE file(s) distributed with this work for additional +# information regarding copyright ownership. +# +# This program and the accompanying materials are made available under the +# terms of the Eclipse Public License 2.0 which is available at +# http://www.eclipse.org/legal/epl-2.0 +# +# SPDX-License-Identifier: EPL-2.0 +{{- if not .Values.gateway.existingSecret }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "ditto.fullname" . }}-gateway-secret + labels: + app.kubernetes.io/name: {{ include "ditto.name" . }}-gateway-secret +{{ include "ditto.labels" . | indent 4 }} +type: Opaque +data: + {{- if .Values.gateway.devopsPassword }} + devops-password: {{ .Values.gateway.devopsPassword | b64enc | quote }} + {{- else }} + devops-password: {{ randAlphaNum 12 | b64enc | quote }} + {{- end }} + {{- if .Values.gateway.statusPassword }} + status-password: {{ .Values.gateway.statusPassword | b64enc | quote }} + {{- else }} + status-password: {{ randAlphaNum 12 | b64enc | quote }} + {{- end }} +{{- end }} diff --git a/deployment/helm/templates/gateway-service.yaml b/deployment/helm/templates/gateway-service.yaml new file mode 100644 index 00000000000..c4549ee7c00 --- /dev/null +++ b/deployment/helm/templates/gateway-service.yaml 
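Review bot: `randAlphaNum 12` runs on every render, so each `helm upgrade` without an explicit `gateway.devopsPassword`/`gateway.statusPassword` silently rotates both credentials, and any deployment carrying a checksum annotation over this Secret would be rolled too. Reuse the existing Secret via `lookup` before generating a fresh value; `lookup` returns an empty dict under `helm template`/`--dry-run`, so the random fallback still applies there. Plaintext values given through `gateway.devopsPassword` also persist in the release's stored values, which is a reason to point users at the `gateway.existingSecret` path this template already honours.
```yaml
{{- if not .Values.gateway.existingSecret }}
{{- $secretName := printf "%s-gateway-secret" (include "ditto.fullname" .) }}
{{- $existingSecret := lookup "v1" "Secret" .Release.Namespace $secretName }}
{{- $existingDevops := "" }}
{{- $existingStatus := "" }}
{{- if $existingSecret }}
{{- $existingDevops = index $existingSecret.data "devops-password" | default "" }}
{{- $existingStatus = index $existingSecret.data "status-password" | default "" }}
{{- end }}
# … unchanged: apiVersion, kind, metadata, type …
data:
  {{- if .Values.gateway.devopsPassword }}
  devops-password: {{ .Values.gateway.devopsPassword | b64enc | quote }}
  {{- else if $existingDevops }}
  devops-password: {{ $existingDevops | quote }}
  {{- else }}
  devops-password: {{ randAlphaNum 12 | b64enc | quote }}
  {{- end }}
  # … same three-way choice for status-password using $existingStatus …
```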
@@ -0,0 +1,33 @@ +# Copyright (c) 2023 Contributors to the Eclipse Foundation +# +# See the NOTICE file(s) distributed with this work for additional +# information regarding copyright ownership. +# +# This program and the accompanying materials are made available under the +# terms of the Eclipse Public License 2.0 which is available at +# http://www.eclipse.org/legal/epl-2.0 +# +# SPDX-License-Identifier: EPL-2.0 +{{- if .Values.gateway.enabled -}} +--- +apiVersion: v1 +kind: Service +metadata: + name: {{ include "ditto.fullname" . }}-gateway + labels: + app.kubernetes.io/name: {{ include "ditto.name" . }}-gateway +{{ include "ditto.labels" . | indent 4 }} + {{- with .Values.gateway.service.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + ports: + - port: {{ .Values.gateway.service.port }} + targetPort: http + protocol: TCP + name: http + selector: + app.kubernetes.io/name: {{ include "ditto.name" . }}-gateway + app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} diff --git a/deployment/helm/templates/logback-config.yaml b/deployment/helm/templates/logback-config.yaml new file mode 100644 index 00000000000..029cf98467a --- /dev/null +++ b/deployment/helm/templates/logback-config.yaml 
@@ -0,0 +1,31 @@ +# Copyright (c) 2023 Contributors to the Eclipse Foundation +# +# See the NOTICE file(s) distributed with this work for additional +# information regarding copyright ownership. +# +# This program and the accompanying materials are made available under the +# terms of the Eclipse Public License 2.0 which is available at +# http://www.eclipse.org/legal/epl-2.0 +# +# SPDX-License-Identifier: EPL-2.0 +{{- if .Values.global.logging.customConfigFile.enabled -}} +{{- $releaseName := .Release.Name -}} +{{- $name := include "ditto.name" . -}} +{{- $labels := include "ditto.labels" . -}} +{{- $logbackFileName := .Values.global.logging.customConfigFile.fileName -}} +{{ $root := . }} +{{ range $path, $bytes := .Files.Glob "logback-config/**" }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ $releaseName }}-{{ $path | replace "/" "-" | replace "." "-" }} + labels: + app.kubernetes.io/name: {{ $name }}-logback-config +{{ $labels | indent 4 }} +data: + {{ $logbackFileName }}: |- +{{ $root.Files.Get $path | indent 4 }} +--- +{{- end -}} +{{- end -}} diff --git a/deployment/helm/templates/mongodb-secret.yaml b/deployment/helm/templates/mongodb-secret.yaml new file mode 100644 index 00000000000..06584e605e5 --- /dev/null +++ b/deployment/helm/templates/mongodb-secret.yaml 
@@ -0,0 +1,27 @@ +# Copyright (c) 2023 Contributors to the Eclipse Foundation +# +# See the NOTICE file(s) distributed with this work for additional +# information regarding copyright ownership. +# +# This program and the accompanying materials are made available under the +# terms of the Eclipse Public License 2.0 which is available at +# http://www.eclipse.org/legal/epl-2.0 +# +# SPDX-License-Identifier: EPL-2.0 +{{- if not .Values.dbconfig.uriSecret -}} +{{- $mongoName := include "ditto.mongodb.fullname" . -}} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "ditto.fullname" . }}-mongodb-secret + labels: + app.kubernetes.io/name: {{ include "ditto.name" . }}-mongodb-secret +{{ include "ditto.labels" . | indent 4 }} +type: Opaque +data: + connectivity-uri: {{ .Values.dbconfig.connectivity.uri | replace "#{PLACEHOLDER_MONGODB_HOSTNAME}#" $mongoName | b64enc | quote}} + things-uri: {{ .Values.dbconfig.things.uri | replace "#{PLACEHOLDER_MONGODB_HOSTNAME}#" $mongoName | b64enc | quote}} + thingsSearch-uri: {{ .Values.dbconfig.thingsSearch.uri | replace "#{PLACEHOLDER_MONGODB_HOSTNAME}#" $mongoName | b64enc | quote}} + policies-uri: {{ .Values.dbconfig.policies.uri | replace "#{PLACEHOLDER_MONGODB_HOSTNAME}#" $mongoName | b64enc | quote}} +{{- end }} diff --git a/deployment/helm/templates/nginx-auth.yaml b/deployment/helm/templates/nginx-auth.yaml new file mode 100644 index 00000000000..582cf89e8c5 --- /dev/null +++ b/deployment/helm/templates/nginx-auth.yaml 
@@ -0,0 +1,36 @@ +# Copyright (c) 2023 Contributors to the Eclipse Foundation +# +# See the NOTICE file(s) distributed with this work for additional +# information regarding copyright ownership. +# +# This program and the accompanying materials are made available under the +# terms of the Eclipse Public License 2.0 which is available at +# http://www.eclipse.org/legal/epl-2.0 +# +# SPDX-License-Identifier: EPL-2.0 +{{- if .Values.nginx.enabled -}} +{{- $releaseName := .Release.Name -}} +{{- $name := include "ditto.name" . -}} +{{- $labels := include "ditto.labels" . -}} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ $releaseName }}-nginx-config-nginx-htpasswd + labels: + app.kubernetes.io/name: {{ $name }}-nginx-config +{{ $labels | indent 4 }} +type: Opaque +stringData: + nginx.htpasswd: |- +{{- if .Values.global.hashedBasicAuthUsers }} +{{ range .Values.global.hashedBasicAuthUsers }} +{{- . | indent 4 }} +{{ end }} +{{- else }} +{{ range $key, $value := .Values.global.basicAuthUsers }} +{{- (htpasswd $value.user $value.password) | indent 4 }} +{{ end }} +{{ end }} +--- +{{- end }} diff --git a/deployment/helm/templates/nginx-config.yaml b/deployment/helm/templates/nginx-config.yaml new file mode 100644 index 00000000000..0d6e51a47f4 --- /dev/null +++ b/deployment/helm/templates/nginx-config.yaml 
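Review bot: `htpasswd $value.user $value.password` bcrypt-hashes with a fresh random salt on every render, so the Secret content changes on each `helm upgrade`, and the `checksum/nginx-auth` annotation in nginx-deployment.yaml further down restarts the Nginx pods on every upgrade even when no user changed. Prefer the `global.hashedBasicAuthUsers` path this template already supports for stable deployments and say so in values.yaml; plaintext `global.basicAuthUsers` passwords also persist in the release's stored values. The trailing `---` after the final `{{ end }}` emits an empty document, harmless but worth dropping.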
@@ -0,0 +1,30 @@ +# Copyright (c) 2023 Contributors to the Eclipse Foundation +# +# See the NOTICE file(s) distributed with this work for additional +# information regarding copyright ownership. +# +# This program and the accompanying materials are made available under the +# terms of the Eclipse Public License 2.0 which is available at +# http://www.eclipse.org/legal/epl-2.0 +# +# SPDX-License-Identifier: EPL-2.0 +{{- if .Values.nginx.enabled -}} +{{- $releaseName := .Release.Name -}} +{{- $name := include "ditto.name" . -}} +{{- $labels := include "ditto.labels" . -}} +{{ $root := . }} +{{ range $path, $bytes := .Files.Glob "nginx-config/**" }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ $releaseName }}-{{ $path | replace "/" "-" | replace "." "-" }} + labels: + app.kubernetes.io/name: {{ $name }}-nginx-config +{{ $labels | indent 4 }} +data: + {{ $path | replace "nginx-config/" ""}}: |- +{{ $root.Files.Get $path | indent 4 }} +--- +{{- end -}} +{{- end -}} diff --git a/deployment/helm/templates/nginx-configmap.yaml b/deployment/helm/templates/nginx-configmap.yaml new file mode 100644 index 00000000000..77408545484 --- /dev/null +++ b/deployment/helm/templates/nginx-configmap.yaml 
@@ -0,0 +1,229 @@ +# Copyright (c) 2023 Contributors to the Eclipse Foundation +# +# See the NOTICE file(s) distributed with this work for additional +# information regarding copyright ownership. +# +# This program and the accompanying materials are made available under the +# terms of the Eclipse Public License 2.0 which is available at +# http://www.eclipse.org/legal/epl-2.0 +# +# SPDX-License-Identifier: EPL-2.0 +{{- if .Values.nginx.enabled -}} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ .Release.Name }}-nginx-conf + labels: + app.kubernetes.io/name: {{ include "ditto.name" . }}-nginx-conf +{{ include "ditto.labels" . | indent 4 }} +data: + nginx.conf: |- + worker_processes 1; + pid /run/nginx/nginx.pid; + + events {worker_connections 1024;} + + http { + charset utf-8; + default_type application/json; + include mime.types; + + # timeouts are configured slightly higher than ditto-eclipse-ditto-gateway read-timeout of 60 seconds + proxy_connect_timeout 70; # seconds, default: 60 + proxy_send_timeout 70; # seconds, default: 60 + proxy_read_timeout 70; # seconds, default: 60 + # will try another upstream if an error or timeout occurred during the connection + # or if the upstream returns 502 response + proxy_next_upstream error timeout http_502; + # will retry up to 3 times to find another upstream to connect to + proxy_next_upstream_tries 3; + # will try for max. 20s to find another upstream to connect to + proxy_next_upstream_timeout 20; + + send_timeout 70; # seconds, default: 60 + + client_header_buffer_size 8k; # allow longer URIs + headers (default: 1k) + large_client_header_buffers 4 16k; + + merge_slashes off; # allow multiple slashes for CRS Authentication + + map $http_authorization $authentication { + default "Authentication required"; + "~Bearer" "off"; + # the above means: if we get a request containing an "Authorization: Bearer ..." 
header, set "off" to $authentication + } + + map $http_authorization $nginx_auth_user { + default "nginx:${remote_user}"; + "~Bearer" ""; + } + + upstream {{ include "ditto.fullname" . }}-gateway { + server {{ include "ditto.fullname" . }}-gateway:8080; + } + + {{ if .Values.dittoui.enabled -}} + upstream {{ include "ditto.fullname" . }}-dittoui { + server {{ include "ditto.fullname" . }}-dittoui:8080; + } + {{- end }} + + {{ if .Values.swaggerui.enabled -}} + upstream {{ include "ditto.fullname" . }}-swaggerui { + server {{ include "ditto.fullname" . }}-swaggerui:8080; + } + {{- end }} + + log_format jsonlog escape=json '{' + '"@timestamp":"$time_iso8601",' + '"remote_addr":"$remote_addr",' + '"remote_user":"$remote_user",' + '"request":"$request",' + '"status": "$status",' + '"body_bytes_sent":"$body_bytes_sent",' + '"request_time":"$request_time",' + '"upstream_response_time":"$upstream_response_time",' + '"http_referrer":"$http_referer",' + '"http_user_agent":"$http_user_agent",' + '"correlation-id":"$http_correlation_id"' + '}'; + access_log /var/log/nginx/access.log jsonlog; + + server { + listen 8080; + server_name localhost; + + location / { + index index.html; + } + + # api + location /api { + include nginx-cors.conf; + + {{ if .Values.global.jwtOnly -}} + proxy_pass_request_headers on; + proxy_set_header Authorization $http_authorization; + {{ else }} + auth_basic $authentication; + auth_basic_user_file nginx.htpasswd; + proxy_set_header X-Forwarded-User $remote_user; + proxy_set_header x-ditto-pre-authenticated $nginx_auth_user; + {{- end }} + + proxy_pass http://{{ include "ditto.fullname" . 
}}-gateway; + proxy_http_version 1.1; + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + + proxy_set_header Connection ''; + chunked_transfer_encoding off; + proxy_buffering off; + proxy_cache off; + } + + # ws + location /ws { + + {{ if .Values.global.jwtOnly -}} + proxy_pass_request_headers on; + proxy_set_header Authorization $http_authorization; + {{ else }} + auth_basic $authentication; + auth_basic_user_file nginx.htpasswd; + proxy_set_header X-Forwarded-User $remote_user; + proxy_set_header x-ditto-pre-authenticated $nginx_auth_user; + {{- end }} + + proxy_pass http://{{ include "ditto.fullname" . }}-gateway; + proxy_http_version 1.1; + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + proxy_read_timeout 1d; + proxy_send_timeout 1d; + } + + # health + location /health { + include nginx-cors.conf; + + # exclude health checks from being logged in access log: + access_log off; + + proxy_pass http://{{ include "ditto.fullname" . }}-gateway/health; + proxy_http_version 1.1; + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-User $remote_user; + } + + # status + location /status { + include nginx-cors.conf; + + # exclude status access from being logged in access log: + access_log off; + + proxy_pass http://{{ include "ditto.fullname" . 
}}-gateway/overall/status; + proxy_http_version 1.1; + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-User $remote_user; + } + + # stats + location /stats { + include nginx-cors.conf; + + # exclude stats access from being logged in access log: + access_log off; + + proxy_pass http://{{ include "ditto.fullname" . }}-gateway/stats; + proxy_http_version 1.1; + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-User $remote_user; + } + + # devops + location /devops { + include nginx-cors.conf; + + proxy_pass http://{{ include "ditto.fullname" . }}-gateway/devops; + proxy_http_version 1.1; + proxy_set_header Host $http_host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-User $remote_user; + } + + {{ if .Values.dittoui.enabled -}} + location /ui/ { + proxy_pass http://{{ include "ditto.fullname" . }}-dittoui/; + proxy_http_version 1.1; + proxy_set_header Host $http_host; + } + {{- end }} + + {{ if .Values.swaggerui.enabled -}} + # swagger + # access API doc on: /apidoc/ + location /apidoc/ { + proxy_pass http://{{ include "ditto.fullname" . }}-swaggerui/; + proxy_http_version 1.1; + proxy_set_header Host $http_host; + } + {{- end }} + } + } + +{{- end }} diff --git a/deployment/helm/templates/nginx-deployment.yaml b/deployment/helm/templates/nginx-deployment.yaml new file mode 100644 index 00000000000..3fa88faec5a --- /dev/null +++ b/deployment/helm/templates/nginx-deployment.yaml 
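Review bot: In the `jwtOnly` branch of `location /api` and `location /ws` Nginx no longer sets `x-ditto-pre-authenticated` (nor `X-Forwarded-User`), and the `/health`, `/status`, `/stats` and `/devops` locations never set it, so a value supplied by the client is forwarded to the gateway unchanged; unless the gateway deployment (not in this view) disables pre-authentication in that mode, this header is the trust boundary and should be pinned in every location, e.g. `proxy_set_header x-ditto-pre-authenticated "";` in the jwtOnly branch and in the four unauthenticated locations. Independently, the upstream is hard-wired to `-gateway:8080` while gateway-service.yaml in this commit exposes `.Values.gateway.service.port`; use that value in the `server` line (the `waitForGateway` init container in nginx-deployment.yaml has the same fixed `:8080`). The `~Bearer` map pattern is unanchored, so any Authorization header merely containing the word disables basic auth; `~^Bearer ` expresses the intent.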
@@ -0,0 +1,149 @@ +# Copyright (c) 2023 Contributors to the Eclipse Foundation +# +# See the NOTICE file(s) distributed with this work for additional +# information regarding copyright ownership. +# +# This program and the accompanying materials are made available under the +# terms of the Eclipse Public License 2.0 which is available at +# http://www.eclipse.org/legal/epl-2.0 +# +# SPDX-License-Identifier: EPL-2.0 +{{- if .Values.nginx.enabled -}} +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "ditto.fullname" . }}-nginx + labels: + app.kubernetes.io/name: {{ include "ditto.name" . }}-nginx +{{ include "ditto.labels" . | indent 4 }} +spec: + replicas: {{ .Values.nginx.replicaCount }} + strategy: + {{- with .Values.nginx.updateStrategy }} + {{- toYaml . | nindent 4 }} + {{- end }} + selector: + matchLabels: + app.kubernetes.io/name: {{ include "ditto.name" . }}-nginx + app.kubernetes.io/instance: {{ .Release.Name }} + template: + metadata: + labels: + app.kubernetes.io/name: {{ include "ditto.name" . }}-nginx + app.kubernetes.io/instance: {{ .Release.Name }} + {{- with .Values.nginx.additionalLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} + annotations: + checksum/nginx-conf: {{ include (print $.Template.BasePath "/nginx-configmap.yaml") . | sha256sum }} + checksum/nginx-config: {{ include (print $.Template.BasePath "/nginx-config.yaml") . | sha256sum }} + checksum/nginx-auth: {{ include (print $.Template.BasePath "/nginx-auth.yaml") . | sha256sum }} + {{- with .Values.nginx.additionalAnnotations }} + {{- toYaml . | nindent 8 }} + {{- end }} + spec: + {{- with .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . 
| nindent 8 }} + {{- end }} + {{- if .Values.nginx.initContainers.waitForGateway.enabled }} + initContainers: + - name: {{ .Values.nginx.initContainers.waitForGateway.name }} + image: {{ .Values.nginx.initContainers.waitForGateway.image }} + args: + - /bin/sh + - -c + - > + set -x; + while [[ "$(curl -sL -w "%{http_code}\n" http://{{ include "ditto.fullname" . }}-gateway:8080/health -o /dev/null)" != "200" ]]; do + echo '.' + sleep 1; + done + {{- end }} + containers: + - name: {{ .Chart.Name }}-nginx + image: "{{ .Values.nginx.image.repository }}:{{ .Values.nginx.image.tag }}" + imagePullPolicy: {{ .Values.nginx.image.pullPolicy }} + env: + {{- if .Values.nginx.extraEnv }} + {{- toYaml .Values.nginx.extraEnv | nindent 12 }} + {{- end }} + ports: + - name: http + containerPort: 8080 + protocol: TCP + {{- if .Values.nginx.readinessProbe }} + readinessProbe: + {{- toYaml .Values.nginx.readinessProbe | nindent 12 }} + {{- end }} + {{- if .Values.nginx.livenessProbe }} + livenessProbe: + {{- toYaml .Values.nginx.livenessProbe | nindent 12 }} + {{- end }} + resources: + requests: + cpu: {{ mulf .Values.nginx.resources.cpu 1000 }}m + memory: {{ .Values.nginx.resources.memoryMi }}Mi + limits: + # cpu: "" + memory: {{ .Values.nginx.resources.memoryMi }}Mi + volumeMounts: + - name: nginx-conf + mountPath: /etc/nginx/nginx.conf + subPath: nginx.conf + - name: nginx-htpasswd + mountPath: /etc/nginx/nginx.htpasswd + subPath: nginx.htpasswd + - name: nginx-cors + mountPath: /etc/nginx/nginx-cors.conf + subPath: nginx-cors.conf + - name: nginx-index + mountPath: /etc/nginx/html/index.html + subPath: index.html + - name: nginx-ditto-down + mountPath: /etc/nginx/html/ditto-down.svg + subPath: ditto-down.svg + - name: nginx-ditto-up + mountPath: /etc/nginx/html/ditto-up.svg + subPath: ditto-up.svg + - name: nginx-cache + mountPath: /var/cache/nginx + - name: nginx-run + mountPath: /run/nginx + volumes: + - name: nginx-conf + configMap: + name: {{ .Release.Name }}-nginx-conf + - 
name: nginx-htpasswd + secret: + secretName: {{ .Release.Name }}-nginx-config-nginx-htpasswd + - name: nginx-cors + configMap: + name: {{ .Release.Name }}-nginx-config-nginx-cors-conf + - name: nginx-index + configMap: + name: {{ .Release.Name }}-nginx-config-index-html + - name: nginx-ditto-down + configMap: + name: {{ .Release.Name }}-nginx-config-ditto-down-svg + - name: nginx-ditto-up + configMap: + name: {{ .Release.Name }}-nginx-config-ditto-up-svg + - name: nginx-cache + emptyDir: {} + - name: nginx-run + emptyDir: {} + {{- with .Values.nginx.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.nginx.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.nginx.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} +{{- end }} diff --git a/deployment/helm/templates/nginx-ingress-api.yaml b/deployment/helm/templates/nginx-ingress-api.yaml new file mode 100644 index 00000000000..d1900b7ab8f --- /dev/null +++ b/deployment/helm/templates/nginx-ingress-api.yaml 
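Review bot: The nginx container declares no `securityContext`, although the emptyDir mounts at `/var/cache/nginx` and `/run/nginx` together with `listen 8080` in the ConfigMap already do the work needed for a read-only root filesystem and an unprivileged listener. Add the hardening block below to the container (and `runAsNonRoot`/`seccompProfile` at pod level), after confirming that the image configured in `nginx.image` ships a numeric non-root user. The `cpu` limit is left as a commented-out placeholder with no explanation; either document the deliberate burst choice or expose it via values next to `resources.cpu`.
```yaml
      containers:
        - name: {{ .Chart.Name }}-nginx
          # … unchanged: image, imagePullPolicy, env, ports, probes, resources …
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            capabilities:
              drop:
                - ALL
          # … unchanged: volumeMounts …
```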
@@ -0,0 +1,62 @@ +# Copyright (c) 2023 Contributors to the Eclipse Foundation +# +# See the NOTICE file(s) distributed with this work for additional +# information regarding copyright ownership. +# +# This program and the accompanying materials are made available under the +# terms of the Eclipse Public License 2.0 which is available at +# http://www.eclipse.org/legal/epl-2.0 +# +# SPDX-License-Identifier: EPL-2.0 +{{- if .Values.ingress.enabled -}} +{{- $fullName := include "ditto.fullname" . -}} +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-api + labels: + app.kubernetes.io/name: {{ include "ditto.name" . }}-nginx +{{ include "ditto.labels" . | indent 4 }} + annotations: + {{- with .Values.ingress.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.ingress.api.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + ingressClassName: {{ .Values.ingress.className }} + defaultBackend: + service: + name: {{ $fullName }}-{{ .Values.ingress.defaultBackendSuffix }} + port: + name: http +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + - host: {{ .Values.ingress.host | quote }} + http: + paths: + {{- range .Values.ingress.api.paths }} + - path: {{ .path }} + {{- if .pathType }} + pathType: {{ .pathType }} + {{- else }} + pathType: Prefix + {{- end }} + backend: + service: + name: {{ $fullName }}-{{ .backendSuffix }} + port: + name: http + {{- end }} +{{- end }} \ No newline at end of file diff --git a/deployment/helm/templates/nginx-ingress-root.yaml b/deployment/helm/templates/nginx-ingress-root.yaml new file mode 100644 index 00000000000..655af5a6160 --- /dev/null +++ b/deployment/helm/templates/nginx-ingress-root.yaml 
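Review bot: `path: {{ .path }}` is emitted unquoted, so a configured path containing ` #` or `: ` is silently truncated or turned into a mapping at render time; write `path: {{ .path | quote }}` (and quote `pathType` and `secretName` the same way). This file is repeated almost verbatim in nginx-ingress-root.yaml, nginx-ingress-ui.yaml and nginx-ingress-ws.yaml below, differing only in the name suffix and the `.Values.ingress.<x>` key — one named template in _helpers.tpl parameterised by that key would keep the four from drifting. Each of the four also declares the same `defaultBackend`; whether a controller tolerates duplicate default backends on one class is controller-specific, so consider keeping it on the root ingress only.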
@@ -0,0 +1,62 @@ +# Copyright (c) 2023 Contributors to the Eclipse Foundation +# +# See the NOTICE file(s) distributed with this work for additional +# information regarding copyright ownership. +# +# This program and the accompanying materials are made available under the +# terms of the Eclipse Public License 2.0 which is available at +# http://www.eclipse.org/legal/epl-2.0 +# +# SPDX-License-Identifier: EPL-2.0 +{{- if .Values.ingress.enabled -}} +{{- $fullName := include "ditto.fullname" . -}} +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-root + labels: + app.kubernetes.io/name: {{ include "ditto.name" . }}-nginx +{{ include "ditto.labels" . | indent 4 }} + annotations: + {{- with .Values.ingress.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.ingress.root.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + ingressClassName: {{ .Values.ingress.className }} + defaultBackend: + service: + name: {{ $fullName }}-{{ .Values.ingress.defaultBackendSuffix }} + port: + name: http +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + - host: {{ .Values.ingress.host | quote }} + http: + paths: + {{- range .Values.ingress.root.paths }} + - path: {{ .path }} + {{- if .pathType }} + pathType: {{ .pathType }} + {{- else }} + pathType: Prefix + {{- end }} + backend: + service: + name: {{ $fullName }}-{{ .backendSuffix }} + port: + name: http + {{- end }} +{{- end }} diff --git a/deployment/helm/templates/nginx-ingress-ui.yaml b/deployment/helm/templates/nginx-ingress-ui.yaml new file mode 100644 index 00000000000..b16d6b324a2 --- /dev/null +++ b/deployment/helm/templates/nginx-ingress-ui.yaml 
@@ -0,0 +1,62 @@ +# Copyright (c) 2023 Contributors to the Eclipse Foundation +# +# See the NOTICE file(s) distributed with this work for additional +# information regarding copyright ownership. +# +# This program and the accompanying materials are made available under the +# terms of the Eclipse Public License 2.0 which is available at +# http://www.eclipse.org/legal/epl-2.0 +# +# SPDX-License-Identifier: EPL-2.0 +{{- if .Values.ingress.enabled -}} +{{- $fullName := include "ditto.fullname" . -}} +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-ui + labels: + app.kubernetes.io/name: {{ include "ditto.name" . }}-nginx +{{ include "ditto.labels" . | indent 4 }} + annotations: + {{- with .Values.ingress.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.ingress.ui.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + ingressClassName: {{ .Values.ingress.className }} + defaultBackend: + service: + name: {{ $fullName }}-{{ .Values.ingress.defaultBackendSuffix }} + port: + name: http +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + - host: {{ .Values.ingress.host | quote }} + http: + paths: + {{- range .Values.ingress.ui.paths }} + - path: {{ .path }} + {{- if .pathType }} + pathType: {{ .pathType }} + {{- else }} + pathType: Prefix + {{- end }} + backend: + service: + name: {{ $fullName }}-{{ .backendSuffix }} + port: + name: http + {{- end }} +{{- end }} \ No newline at end of file diff --git a/deployment/helm/templates/nginx-ingress-ws.yaml b/deployment/helm/templates/nginx-ingress-ws.yaml new file mode 100644 index 00000000000..d0a425919ef --- /dev/null +++ b/deployment/helm/templates/nginx-ingress-ws.yaml 
@@ -0,0 +1,62 @@ +# Copyright (c) 2023 Contributors to the Eclipse Foundation +# +# See the NOTICE file(s) distributed with this work for additional +# information regarding copyright ownership. +# +# This program and the accompanying materials are made available under the +# terms of the Eclipse Public License 2.0 which is available at +# http://www.eclipse.org/legal/epl-2.0 +# +# SPDX-License-Identifier: EPL-2.0 +{{- if .Values.ingress.enabled -}} +{{- $fullName := include "ditto.fullname" . -}} +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ $fullName }}-ws + labels: + app.kubernetes.io/name: {{ include "ditto.name" . }}-nginx +{{ include "ditto.labels" . | indent 4 }} + annotations: + {{- with .Values.ingress.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.ingress.ws.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + ingressClassName: {{ .Values.ingress.className }} + defaultBackend: + service: + name: {{ $fullName }}-{{ .Values.ingress.defaultBackendSuffix }} + port: + name: http +{{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} +{{- end }} + rules: + - host: {{ .Values.ingress.host | quote }} + http: + paths: + {{- range .Values.ingress.ws.paths }} + - path: {{ .path }} + {{- if .pathType }} + pathType: {{ .pathType }} + {{- else }} + pathType: Prefix + {{- end }} + backend: + service: + name: {{ $fullName }}-{{ .backendSuffix }} + port: + name: http + {{- end }} +{{- end }} \ No newline at end of file diff --git a/deployment/helm/templates/nginx-networkpolicy.yaml b/deployment/helm/templates/nginx-networkpolicy.yaml new file mode 100644 index 00000000000..e194772310f --- /dev/null +++ b/deployment/helm/templates/nginx-networkpolicy.yaml 
@@ -0,0 +1,32 @@ +# Copyright (c) 2023 Contributors to the Eclipse Foundation +# +# See the NOTICE file(s) distributed with this work for additional +# information regarding copyright ownership. +# +# This program and the accompanying materials are made available under the +# terms of the Eclipse Public License 2.0 which is available at +# http://www.eclipse.org/legal/epl-2.0 +# +# SPDX-License-Identifier: EPL-2.0 +{{- if .Values.nginx.networkPolicy.enabled -}} +--- +kind: NetworkPolicy +apiVersion: networking.k8s.io/v1 +metadata: + name: {{ include "ditto.fullname" . }}-nginx + labels: + app.kubernetes.io/name: {{ include "ditto.name" . }}-nginx +{{ include "ditto.labels" . | indent 4 }} +spec: + podSelector: + matchLabels: + app.kubernetes.io/name: {{ include "ditto.name" . }}-nginx + app.kubernetes.io/instance: {{ .Release.Name }} + policyTypes: + - Ingress + ingress: + # Allow access from OpenShift Router + - ports: + - protocol: TCP + port: 8080 +{{- end }} diff --git a/deployment/helm/templates/nginx-route.yaml b/deployment/helm/templates/nginx-route.yaml new file mode 100644 index 00000000000..dff36831c6b --- /dev/null +++ b/deployment/helm/templates/nginx-route.yaml 
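Review bot: The single ingress rule has `ports` but no `from`, so despite the comment "Allow access from OpenShift Router" it admits TCP/8080 from every pod in every namespace (and, depending on the CNI, from outside the cluster), which removes most of the value of enabling the policy. Restrict the peer to the ingress-controller namespace and make that selector a chart value, since the chart also supports a plain Ingress class whose controller may live in a different namespace. The policy also lists only `Ingress` in `policyTypes`, unlike the gateway policy in this commit which declares `Egress` as well; declaring both makes the intent explicit.
```yaml
  ingress:
    # Allow access only from the ingress controller / OpenShift router namespace
    - from:
        - namespaceSelector:
            matchLabels:
              # proposed new value; for the OpenShift router this would be
              # network.openshift.io/policy-group: ingress
              {{- toYaml .Values.nginx.networkPolicy.ingressNamespaceLabels | nindent 14 }}
      ports:
        - protocol: TCP
          port: 8080
```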
@@ -0,0 +1,35 @@ +# Copyright (c) 2023 Contributors to the Eclipse Foundation +# +# See the NOTICE file(s) distributed with this work for additional +# information regarding copyright ownership. +# +# This program and the accompanying materials are made available under the +# terms of the Eclipse Public License 2.0 which is available at +# http://www.eclipse.org/legal/epl-2.0 +# +# SPDX-License-Identifier: EPL-2.0 +{{- if .Values.openshift.routes.enabled -}} +--- +kind: Route +apiVersion: route.openshift.io/v1 +metadata: + name: {{ include "ditto.fullname" . }} + labels: + app.kubernetes.io/name: {{ include "ditto.name" . }}-nginx +{{ include "ditto.labels" . | indent 4 }} + {{- with .Values.openshift.routes.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + host: {{ .Values.openshift.routes.host | default "" }} + to: + kind: Service + name: {{ include "ditto.fullname" . }}-nginx + weight: 100 + port: + targetPort: {{ .Values.openshift.routes.targetPort }} + tls: + termination: {{ .Values.openshift.routes.tlsTermination | default "edge" }} + insecureEdgeTerminationPolicy: {{ .Values.openshift.routes.tlsInsecurePolicy | default "Redirect" }} +{{- end }} diff --git a/deployment/helm/templates/nginx-service.yaml b/deployment/helm/templates/nginx-service.yaml new file mode 100644 index 00000000000..7e711056315 --- /dev/null +++ b/deployment/helm/templates/nginx-service.yaml 
@@ -0,0 +1,37 @@ +# Copyright (c) 2023 Contributors to the Eclipse Foundation +# +# See the NOTICE file(s) distributed with this work for additional +# information regarding copyright ownership. +# +# This program and the accompanying materials are made available under the +# terms of the Eclipse Public License 2.0 which is available at +# http://www.eclipse.org/legal/epl-2.0 +# +# SPDX-License-Identifier: EPL-2.0 +{{- if .Values.nginx.enabled -}} +--- +apiVersion: v1 +kind: Service +metadata: + name: {{ include "ditto.fullname" . }}-nginx + labels: + app.kubernetes.io/name: {{ include "ditto.name" . }}-nginx +{{ include "ditto.labels" . | indent 4 }} + {{- with .Values.nginx.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + type: {{ .Values.nginx.service.type }} + ports: + - port: {{ .Values.nginx.service.port }} + {{- if (and (eq .Values.nginx.service.type "NodePort") (not (empty .Values.nginx.service.nodePort))) }} + nodePort: {{ .Values.nginx.service.nodePort }} + {{- end }} + targetPort: http + protocol: TCP + name: http + selector: + app.kubernetes.io/name: {{ include "ditto.name" . }}-nginx + app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} diff --git a/deployment/helm/templates/policies-deployment.yaml b/deployment/helm/templates/policies-deployment.yaml new file mode 100644 index 00000000000..17f41c50a0b --- /dev/null +++ b/deployment/helm/templates/policies-deployment.yaml 
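Review bot: Service annotations are read from `.Values.nginx.annotations` here, whereas gateway-service.yaml in this commit reads `.Values.gateway.service.annotations`; the asymmetric key is easy to miss when configuring load-balancer annotations, so read `.Values.nginx.service.annotations` instead (the `nginx.service` map already holds `type`, `port` and `nodePort`). If `nginx.service.type` is `LoadBalancer`, the basic-auth endpoint is reachable directly rather than through the Ingress/Route, which is worth stating next to that value in values.yaml.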
@@ -0,0 +1,292 @@ +# Copyright (c) 2023 Contributors to the Eclipse Foundation +# +# See the NOTICE file(s) distributed with this work for additional +# information regarding copyright ownership. +# +# This program and the accompanying materials are made available under the +# terms of the Eclipse Public License 2.0 which is available at +# http://www.eclipse.org/legal/epl-2.0 +# +# SPDX-License-Identifier: EPL-2.0 +{{- if .Values.policies.enabled -}} +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "ditto.fullname" . }}-policies + labels: + app.kubernetes.io/name: {{ include "ditto.name" . }}-policies +{{ include "ditto.labels" . | indent 4 }} +spec: + replicas: {{ .Values.policies.replicaCount }} + strategy: + {{- with .Values.policies.updateStrategy }} + {{- toYaml . | nindent 4 }} + {{- end }} + minReadySeconds: {{ .Values.policies.minReadySeconds }} + selector: + matchLabels: + app.kubernetes.io/name: {{ include "ditto.name" . }}-policies + app.kubernetes.io/instance: {{ .Release.Name }} + template: + metadata: + labels: + app.kubernetes.io/name: {{ include "ditto.name" . }}-policies + app.kubernetes.io/instance: {{ .Release.Name }} + actorSystemName: {{ .Values.akka.actorSystemName }} + {{- with .Values.policies.additionalLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} + annotations: + {{- if .Values.global.prometheus.enabled }} + prometheus.io/scrape: "true" + prometheus.io/path: "{{ .Values.global.prometheus.path }}" + prometheus.io/port: "{{ .Values.global.prometheus.port }}" + {{- end }} + checksum/mongodb-config: {{ include (print $.Template.BasePath "/mongodb-secret.yaml") . | sha256sum }} + {{- with .Values.policies.additionalAnnotations }} + {{- toYaml . | nindent 8 }} + {{- end }} + spec: + {{- if .Values.rbac.enabled }} + serviceAccountName: {{ template "ditto.serviceAccountName" . }} + {{- end }} + {{- with .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . 
| nindent 8 }} + {{- end }} + securityContext: + fsGroup: 1000 + initContainers: + {{- if .Values.global.logging.logFiles.enabled }} + - name: change-volume-owner + image: busybox + securityContext: + runAsUser: 0 + command: [ "sh", "-c", "chown -R 1000:1000 /var/log/ditto && echo 'changed ownership of /var/log/ditto to 1000:1000'" ] + volumeMounts: + - name: ditto-log-files-directory + mountPath: /var/log/ditto + {{- end }} + containers: + - name: {{ .Chart.Name }}-policies + image: {{ printf "%s:%s" .Values.policies.image.repository ( default .Chart.AppVersion ( default .Values.dittoTag .Values.policies.image.tag ) ) }} + imagePullPolicy: {{ .Values.policies.image.pullPolicy }} + env: + {{- if not .Values.global.logging.customConfigFile.enabled }} + - name: DITTO_LOGGING_DISABLE_SYSOUT_LOG + value: "{{ if .Values.global.logging.sysout.enabled }}false{{ else }}true{{ end }}" + - name: DITTO_LOGGING_FILE_APPENDER + value: "{{ if .Values.global.logging.logFiles.enabled }}true{{ else }}false{{ end }}" + {{- end }} + - name: DITTO_TRACING_ENABLED + value: "{{ .Values.global.tracing.enabled }}" + - name: OTEL_EXPORTER_OTLP_ENDPOINT + value: "{{ .Values.global.tracing.otelExporterOtlpEndpoint }}" + - name: DITTO_TRACING_SAMPLER + value: "{{ .Values.global.tracing.sampler }}" + - name: DITTO_TRACING_RANDOM_SAMPLER_PROBABILITY + value: "{{ .Values.global.tracing.randomSampler.probability }}" + - name: DITTO_TRACING_ADAPTIVE_SAMPLER_THROUGHPUT + value: "{{ .Values.global.tracing.adaptiveSampler.throughput }}" + {{- if .Values.global.logging.logstash.enabled }} + - name: DITTO_LOGGING_LOGSTASH_SERVER + value: "{{ .Values.global.logging.logstash.endpoint }}" + {{- end }} + - name: POD_LABEL_SELECTOR + value: "app.kubernetes.io/name=%s" + - name: POD_NAMESPACE + value: {{.Release.Namespace}} + - name: INSTANCE_INDEX + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: HOSTNAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.podIP + - 
name: DISCOVERY_METHOD + value: "kubernetes-api" + - name: TZ + value: "{{ .Values.global.timezone }}" + - name: JAVA_TOOL_OPTIONS + value: > + {{ .Values.global.jvmOptions }} + -XX:ActiveProcessorCount={{ .Values.policies.jvm.activeProcessorCount }} + -XX:MaxRAMPercentage={{ .Values.policies.jvm.heapRamPercentage }} + -XX:InitialRAMPercentage={{ .Values.policies.jvm.heapRamPercentage }} + -XX:MaxGCPauseMillis={{ .Values.policies.jvm.maxGcPauseMillis }} + {{ .Values.policies.additionalJvmOptions }} + {{- .Values.global.akkaOptions }} + {{- if .Values.global.logging.customConfigFile.enabled }} + -Dlogback.configurationFile=/opt/ditto/{{ .Values.global.logging.customConfigFile.fileName }} + {{- end }} + {{- range $index, $header := .Values.policies.config.persistence.events.historicalHeadersToPersist }} + "{{ printf "%s%d=%s" "-Dditto.policies.policy.event.historical-headers-to-persist." $index $header }}" + {{- end }} + {{ join " " .Values.policies.systemProps }} + - name: MONGO_DB_SSL_ENABLED + value: "{{ if .Values.dbconfig.policies.ssl }}true{{ else }}false{{ end }}" + - name: MONGO_DB_URI + valueFrom: + secretKeyRef: + name: {{ if .Values.dbconfig.uriSecret }}{{ .Values.dbconfig.uriSecret }}{{ else }}{{ include "ditto.fullname" . 
}}-mongodb-secret{{ end }} + key: policies-uri + - name: MONGO_DB_CONNECTION_MIN_POOL_SIZE + value: "{{ .Values.policies.config.mongodb.minPoolSize }}" + - name: MONGO_DB_CONNECTION_POOL_SIZE + value: "{{ .Values.policies.config.mongodb.maxPoolSize }}" + - name: MONGO_DB_CONNECTION_POOL_IDLE_TIME + value: "{{ .Values.policies.config.mongodb.maxPoolIdleTime }}" + {{- if .Values.global.prometheus.enabled }} + - name: PROMETHEUS_PORT + value: "{{ .Values.global.prometheus.port }}" + {{- end }} + - name: CLUSTER_BS_REQUIRED_CONTACTS + value: "{{ .Values.global.cluster.requiredContactPoints }}" + - name: DITTO_DDATA_NUMBER_OF_SHARDS + value: "{{ .Values.global.cluster.ddata.numberOfShards }}" + - name: DITTO_DDATA_MAX_DELTA_ELEMENTS + value: "{{ .Values.global.cluster.ddata.maxDeltaElements }}" + - name: CLUSTER_NUMBER_OF_SHARDS + value: "{{ .Values.global.cluster.numberOfShards }}" + - name: CLUSTER_DOWNING_STABLE_AFTER + value: "{{ .Values.global.cluster.downingStableAfter }}" + - name: CLUSTER_DOWNING_DOWN_ALL_WHEN_UNSTABLE + value: "{{ .Values.global.cluster.downAllWhenUnstable }}" + - name: AKKA_PERSISTENCE_MONGO_JOURNAL_WRITE_CONCERN + value: "{{ .Values.policies.config.mongodb.journalWriteConcern }}" + - name: AKKA_PERSISTENCE_MONGO_SNAPS_WRITE_CONCERN + value: "{{ .Values.policies.config.mongodb.snapsWriteConcern }}" + - name: BREAKER_MAXTRIES + value: "{{ .Values.policies.config.mongodb.journalCircuitBreaker.maxTries }}" + - name: BREAKER_TIMEOUT + value: "{{ .Values.policies.config.mongodb.journalCircuitBreaker.timeout }}" + - name: BREAKER_RESET + value: "{{ .Values.policies.config.mongodb.journalCircuitBreaker.reset }}" + - name: SNAPSHOT_BREAKER_MAXTRIES + value: "{{ .Values.policies.config.mongodb.snapsCircuitBreaker.maxTries }}" + - name: SNAPSHOT_BREAKER_TIMEOUT + value: "{{ .Values.policies.config.mongodb.snapsCircuitBreaker.timeout }}" + - name: SNAPSHOT_BREAKER_RESET + value: "{{ .Values.policies.config.mongodb.snapsCircuitBreaker.reset }}" + - name: 
POLICY_ACTIVITY_CHECK_INTERVAL + value: "{{ .Values.policies.config.persistence.activityCheckInterval }}" + - name: HEALTH_CHECK_METRICS_REPORTER_RESOLUTION + value: "{{ .Values.policies.config.cleanup.metricsReporter.resolution }}" + - name: HEALTH_CHECK_METRICS_REPORTER_HISTORY + value: "{{ .Values.policies.config.cleanup.metricsReporter.history }}" + - name: CLEANUP_ENABLED + value: "{{ .Values.policies.config.cleanup.enabled }}" + - name: CLEANUP_QUIET_PERIOD + value: "{{ .Values.policies.config.cleanup.quietPeriod }}" + - name: CLEANUP_HISTORY_RETENTION_DURATION + value: "{{ .Values.policies.config.cleanup.history.retentionDuration }}" + - name: CLEANUP_INTERVAL + value: "{{ .Values.policies.config.cleanup.interval }}" + - name: CLEANUP_TIMER_THRESHOLD + value: "{{ .Values.policies.config.cleanup.timerThreshold }}" + - name: CLEANUP_CREDITS_PER_BATCH + value: "{{ .Values.policies.config.cleanup.creditsPerBatch }}" + - name: POLICIES_PERSISTENCE_PING_RATE_FREQUENCY + value: "{{ .Values.policies.config.persistence.pingRate.frequency }}" + - name: POLICIES_PERSISTENCE_PING_RATE_ENTITIES + value: "{{ .Values.policies.config.persistence.pingRate.entities }}" + - name: POLICY_SNAPSHOT_INTERVAL + value: "{{ .Values.policies.config.persistence.snapshots.interval }}" + - name: POLICY_SNAPSHOT_THRESHOLD + value: "{{ .Values.policies.config.persistence.snapshots.threshold }}" + {{- if .Values.policies.extraEnv }} + {{- toYaml .Values.policies.extraEnv | nindent 12 }} + {{- end }} + ports: + - name: http + containerPort: 8080 + protocol: TCP + - name: remoting + containerPort: {{ .Values.akka.remoting.port }} + protocol: TCP + - name: management + containerPort: {{ .Values.akka.mgmthttp.port }} + protocol: TCP + {{- if .Values.global.prometheus.enabled }} + - name: prometheus + protocol: TCP + containerPort: {{ .Values.global.prometheus.port }} + {{- end }} + readinessProbe: + httpGet: + port: management + path: /ready + initialDelaySeconds: {{ 
.Values.policies.readinessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.policies.readinessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.policies.readinessProbe.timeoutSeconds }} + successThreshold: {{ .Values.policies.readinessProbe.successThreshold }} + failureThreshold: {{ .Values.policies.readinessProbe.failureThreshold }} + livenessProbe: + httpGet: + port: management + path: /alive + initialDelaySeconds: {{ .Values.policies.livenessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.policies.livenessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.policies.livenessProbe.timeoutSeconds }} + successThreshold: {{ .Values.policies.livenessProbe.successThreshold }} + failureThreshold: {{ .Values.policies.livenessProbe.failureThreshold }} + volumeMounts: + {{- if .Values.global.logging.customConfigFile.enabled }} + - name: ditto-custom-log-config + mountPath: /opt/ditto/{{ .Values.global.logging.customConfigFile.fileName }} + subPath: {{ .Values.global.logging.customConfigFile.fileName }} + {{- end }} + {{- if .Values.global.logging.logFiles.enabled }} + - name: ditto-log-files-directory + mountPath: /var/log/ditto + {{- end }} + resources: + requests: + cpu: {{ mulf .Values.policies.resources.cpu 1000 }}m + memory: {{ .Values.policies.resources.memoryMi }}Mi + limits: + # ## no cpu limit to avoid CFS scheduler limits + # ref: https://doc.akka.io/docs/akka/snapshot/additional/deploy.html#in-kubernetes + # cpu: "" + memory: {{ .Values.policies.resources.memoryMi }}Mi + {{- if .Values.openshift.enabled }} + {{- with .Values.openshift.securityContext }} + securityContext: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- else }} + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 + allowPrivilegeEscalation: false + {{- end }} + {{- with .Values.policies.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.policies.affinity }} + affinity: + {{- toYaml . 
| nindent 8 }} + {{- end }} + {{- with .Values.policies.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} + volumes: + {{- if .Values.global.logging.customConfigFile.enabled }} + - name: ditto-custom-log-config + configMap: + name: {{ .Release.Name }}-logback-config-policies-xml + {{- end }} + {{- if .Values.global.logging.logFiles.enabled }} + - name: ditto-log-files-directory + hostPath: + path: /var/log/ditto + type: DirectoryOrCreate + {{- end }} +{{- end }} diff --git a/deployment/helm/templates/policies-networkpolicy.yaml b/deployment/helm/templates/policies-networkpolicy.yaml new file mode 100644 index 00000000000..e73f8c31459 --- /dev/null +++ b/deployment/helm/templates/policies-networkpolicy.yaml @@ -0,0 +1,42 @@ +# Copyright (c) 2023 Contributors to the Eclipse Foundation +# +# See the NOTICE file(s) distributed with this work for additional +# information regarding copyright ownership. +# +# This program and the accompanying materials are made available under the +# terms of the Eclipse Public License 2.0 which is available at +# http://www.eclipse.org/legal/epl-2.0 +# +# SPDX-License-Identifier: EPL-2.0 +{{- if .Values.policies.networkPolicy.enabled -}} +--- +kind: NetworkPolicy +apiVersion: networking.k8s.io/v1 +metadata: + name: {{ include "ditto.fullname" . }}-policies + labels: + app.kubernetes.io/name: {{ include "ditto.name" . }}-policies +{{ include "ditto.labels" . | indent 4 }} +spec: + podSelector: + matchLabels: + app.kubernetes.io/name: {{ include "ditto.name" . }}-policies + app.kubernetes.io/instance: {{ .Release.Name }} + policyTypes: + - Ingress + - Egress + ingress: + # Allow inner cluster communication + - from: + - podSelector: + matchLabels: + actorSystemName: {{ .Values.akka.actorSystemName }} + ports: + - protocol: TCP + port: {{ .Values.akka.remoting.port }} + - protocol: TCP + port: {{ .Values.akka.mgmthttp.port }} + # Open all egress + egress: + - {} +{{- end }} 
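Review bot: The `change-volume-owner` init container runs as root (`runAsUser: 0`) from the floating `busybox` tag and `chown -R`s a node `hostPath` (`/var/log/ditto`, `DirectoryOrCreate`), so whenever `global.logging.logFiles.enabled` is on an unpinned, unverified upstream image gets root on the node filesystem at every pod start; pin it by tag and digest (`image: busybox:<tag>@sha256:<digest>`, ideally via a values key) and consider an `emptyDir`/PVC instead of a shared hostPath, since any container on that node running as uid 1000 can read and write those logs. The non-OpenShift container `securityContext` sets `runAsNonRoot` and `allowPrivilegeEscalation: false` but keeps every default Linux capability and no seccomp profile, neither of which a JVM service needs — see the fence (`readOnlyRootFilesystem` is also worth trying, but I cannot tell from this hunk whether Ditto writes outside its mounted volumes). Whitespace is collapsed in this view, so please confirm that this `securityContext` block really sits at container level: `allowPrivilegeEscalation` is container-only, yet the OpenShift branch renders it with `nindent 8`, the same depth used for pod-level keys like `nodeSelector`, and a pod-level placement would shadow the earlier `securityContext: fsGroup: 1000` as a duplicate key. Also quote the namespace env value (`value: {{ .Release.Namespace | quote }}`): an all-digit namespace is a valid DNS label and would render as an integer, which the API server rejects for `env[].value`.
```yaml
# … unchanged: env, ports, probes, volumeMounts, resources …
          {{- else }}
          securityContext:
            runAsNonRoot: true
            runAsUser: 1000
            runAsGroup: 1000
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
            seccompProfile:
              type: RuntimeDefault
          {{- end }}
```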
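Review bot: The `ingress` rules admit only the Akka remoting and management ports from pods labelled `actorSystemName`, so once `policies.networkPolicy.enabled` is on, a Prometheus running outside this namespace (which the PodMonitor in this commit implies) can no longer reach the `prometheus` container port and scrapes silently fail. Add a rule for `global.prometheus.port` guarded by `{{- if .Values.global.prometheus.enabled }}`, ideally scoped with a `namespaceSelector`/`podSelector` for the monitoring stack rather than an open `from`. Note also that `egress: - {}` leaves all outbound traffic open and that the label-based `from` selector trusts any pod in the namespace that sets `actorSystemName` on itself; both are acceptable for an initial chart but deserve a comment stating that MongoDB/OTLP/Logstash egress is the intended scope.
```yaml
  ingress:
    # … unchanged: inner-cluster rule for remoting/management ports …
    {{- if .Values.global.prometheus.enabled }}
    # Allow metrics scraping; narrow `from` to the monitoring namespace/pods once known
    - from:
        - namespaceSelector: {}
      ports:
        - protocol: TCP
          port: {{ .Values.global.prometheus.port }}
    {{- end }}
```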
diff --git a/deployment/helm/templates/policies-pdb.yaml b/deployment/helm/templates/policies-pdb.yaml new file mode 100644 index 00000000000..e15dd6bd5aa --- /dev/null +++ b/deployment/helm/templates/policies-pdb.yaml @@ -0,0 +1,26 @@ +# Copyright (c) 2023 Contributors to the Eclipse Foundation +# +# See the NOTICE file(s) distributed with this work for additional +# information regarding copyright ownership. +# +# This program and the accompanying materials are made available under the +# terms of the Eclipse Public License 2.0 which is available at +# http://www.eclipse.org/legal/epl-2.0 +# +# SPDX-License-Identifier: EPL-2.0 +{{- if and .Values.policies.podDisruptionBudget.enabled (gt .Values.policies.replicaCount 1.0) -}} +--- +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{ include "ditto.fullname" . }}-policies + labels: + app.kubernetes.io/name: {{ include "ditto.name" . }}-policies +{{ include "ditto.labels" . | indent 4 }} +spec: + selector: + matchLabels: + app.kubernetes.io/name: {{ include "ditto.name" . }}-policies + app.kubernetes.io/instance: {{ .Release.Name }} + minAvailable: {{ .Values.policies.podDisruptionBudget.minAvailable }} +{{- end }} diff --git a/deployment/helm/templates/policies-podmonitor.yaml b/deployment/helm/templates/policies-podmonitor.yaml new file mode 100644 index 00000000000..0069a617310 --- /dev/null +++ b/deployment/helm/templates/policies-podmonitor.yaml 
@@ -0,0 +1,38 @@ +# Copyright (c) 2023 Contributors to the Eclipse Foundation +# +# See the NOTICE file(s) distributed with this work for additional +# information regarding copyright ownership. +# +# This program and the accompanying materials are made available under the +# terms of the Eclipse Public License 2.0 which is available at +# http://www.eclipse.org/legal/epl-2.0 +# +# SPDX-License-Identifier: EPL-2.0 +{{- if and .Values.policies.podMonitor.enabled .Values.global.prometheus.port -}} +{{- if .Capabilities.APIVersions.Has "monitoring.coreos.com/v1" -}} +--- +kind: PodMonitor +apiVersion: monitoring.coreos.com/v1 +metadata: + name: {{ include "ditto.fullname" . }}-policies + labels: + app.kubernetes.io/name: {{ include "ditto.name" . }}-policies +{{ include "ditto.labels" . | indent 4 }} +spec: + podMetricsEndpoints: + - targetPort: {{ .Values.global.prometheus.port }} + path: "/" + {{- if .Values.policies.podMonitor.interval }} + interval: {{ .Values.policies.podMonitor.interval }} + {{- end }} + {{- if .Values.policies.podMonitor.scrapeTimeout }} + scrapeTimeout: {{ .Values.policies.podMonitor.scrapeTimeout }} + {{- end }} + selector: + matchLabels: + app.kubernetes.io/name: {{ include "ditto.name" . }}-policies + namespaceSelector: + matchNames: + - {{ $.Release.Namespace | quote }} +{{- end }} +{{- end }} diff --git a/deployment/helm/templates/role.yaml b/deployment/helm/templates/role.yaml new file mode 100644 index 00000000000..623ea685b72 --- /dev/null +++ b/deployment/helm/templates/role.yaml 
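Review bot: The PodMonitor is gated on `global.prometheus.port` being non-empty rather than on `global.prometheus.enabled`, but the `prometheus` container port in the policies deployment is only declared when `enabled` is true, so a release with a default port and `enabled: false` gets a PodMonitor pointed at a port no container exposes. Its hard-coded `path: "/"` also diverges from the `prometheus.io/path` pod annotation, which uses `global.prometheus.path`. Gate on `{{- if and .Values.policies.podMonitor.enabled .Values.global.prometheus.enabled -}}` and use `path: {{ .Values.global.prometheus.path | quote }}` so the two scrape configurations agree.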
@@ -0,0 +1,24 @@ +# Copyright (c) 2023 Contributors to the Eclipse Foundation +# +# See the NOTICE file(s) distributed with this work for additional +# information regarding copyright ownership. +# +# This program and the accompanying materials are made available under the +# terms of the Eclipse Public License 2.0 which is available at +# http://www.eclipse.org/legal/epl-2.0 +# +# SPDX-License-Identifier: EPL-2.0 +{{- if .Values.rbac.enabled -}} +--- +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ include "ditto.fullname" . }} + labels: + app.kubernetes.io/name: {{ include "ditto.name" . }} +{{ include "ditto.labels" . | indent 4 }} +rules: +- apiGroups: [""] + resources: ["pods"] + verbs: ["get", "watch", "list"] +{{- end -}} diff --git a/deployment/helm/templates/rolebinding.yaml b/deployment/helm/templates/rolebinding.yaml new file mode 100644 index 00000000000..3fdece1eb9f --- /dev/null +++ b/deployment/helm/templates/rolebinding.yaml @@ -0,0 +1,27 @@ +# Copyright (c) 2023 Contributors to the Eclipse Foundation +# +# See the NOTICE file(s) distributed with this work for additional +# information regarding copyright ownership. +# +# This program and the accompanying materials are made available under the +# terms of the Eclipse Public License 2.0 which is available at +# http://www.eclipse.org/legal/epl-2.0 +# +# SPDX-License-Identifier: EPL-2.0 +{{- if .Values.rbac.enabled -}} +--- +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ include "ditto.fullname" . }} + labels: + app.kubernetes.io/name: {{ include "ditto.name" . }} +{{ include "ditto.labels" . | indent 4 }} +roleRef: + kind: Role + name: {{ include "ditto.fullname" . }} + apiGroup: rbac.authorization.k8s.io +subjects: +- kind: ServiceAccount + name: {{ template "ditto.serviceAccountName" . }} +{{- end -}} 
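Review bot: The RoleBinding's ServiceAccount subject has no `namespace`, and RBAC validation in the API server requires one for subjects of kind `ServiceAccount`, so this object should be rejected on `helm install` whenever `rbac.enabled` is true; add `namespace: {{ .Release.Namespace }}` under the subject. Separately, the binding references `ditto.serviceAccountName` while the ServiceAccount object is gated on `serviceAccount.create`, so with `rbac.enabled: true` and `serviceAccount.create: false` the operator must pre-create the account — worth a sentence in the chart README or a `fail` guard in the template. The Role itself (`pods` get/list/watch) is appropriately minimal for Akka Kubernetes-API discovery.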
diff --git a/deployment/helm/templates/serviceaccount.yaml b/deployment/helm/templates/serviceaccount.yaml new file mode 100644 index 00000000000..04f60c2146a --- /dev/null +++ b/deployment/helm/templates/serviceaccount.yaml @@ -0,0 +1,20 @@ +# Copyright (c) 2023 Contributors to the Eclipse Foundation +# +# See the NOTICE file(s) distributed with this work for additional +# information regarding copyright ownership. +# +# This program and the accompanying materials are made available under the +# terms of the Eclipse Public License 2.0 which is available at +# http://www.eclipse.org/legal/epl-2.0 +# +# SPDX-License-Identifier: EPL-2.0 +{{- if .Values.serviceAccount.create -}} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "ditto.serviceAccountName" . }} + labels: + app.kubernetes.io/name: {{ include "ditto.name" . }} +{{ include "ditto.labels" . | indent 4 }} +{{- end -}} diff --git a/deployment/helm/templates/swaggerui-config.yaml b/deployment/helm/templates/swaggerui-config.yaml new file mode 100644 index 00000000000..3f035ae4a7a --- /dev/null +++ b/deployment/helm/templates/swaggerui-config.yaml 
@@ -0,0 +1,30 @@ +# Copyright (c) 2023 Contributors to the Eclipse Foundation +# +# See the NOTICE file(s) distributed with this work for additional +# information regarding copyright ownership. +# +# This program and the accompanying materials are made available under the +# terms of the Eclipse Public License 2.0 which is available at +# http://www.eclipse.org/legal/epl-2.0 +# +# SPDX-License-Identifier: EPL-2.0 +{{- if .Values.swaggerui.enabled -}} +{{- $releaseName := .Release.Name -}} +{{- $name := include "ditto.name" . -}} +{{- $labels := include "ditto.labels" . -}} +{{ $root := . }} +{{ range $path, $bytes := .Files.Glob "swaggerui-config/**" }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ $releaseName }}-{{ $path | replace "/" "-" | replace "." "-" }} + labels: + app.kubernetes.io/name: {{ $name }}-swaggerui-config +{{ $labels | indent 4 }} +data: + {{ $path | replace "swaggerui-config/" ""}}: |- +{{ $root.Files.Get $path | indent 4 }} +--- +{{- end -}} +{{- end -}} diff --git a/deployment/helm/templates/swaggerui-deployment.yaml b/deployment/helm/templates/swaggerui-deployment.yaml new file mode 100644 index 00000000000..e6854da2dfa --- /dev/null +++ b/deployment/helm/templates/swaggerui-deployment.yaml 
@@ -0,0 +1,114 @@ +# Copyright (c) 2023 Contributors to the Eclipse Foundation +# +# See the NOTICE file(s) distributed with this work for additional +# information regarding copyright ownership. +# +# This program and the accompanying materials are made available under the +# terms of the Eclipse Public License 2.0 which is available at +# http://www.eclipse.org/legal/epl-2.0 +# +# SPDX-License-Identifier: EPL-2.0 +{{- if .Values.swaggerui.enabled -}} +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "ditto.fullname" . }}-swaggerui + labels: + app.kubernetes.io/name: {{ include "ditto.name" . }}-swaggerui +{{ include "ditto.labels" . | indent 4 }} +spec: + replicas: {{ .Values.swaggerui.replicaCount }} + strategy: + {{- with .Values.swaggerui.updateStrategy }} + {{- toYaml . | nindent 4 }} + {{- end }} + selector: + matchLabels: + app.kubernetes.io/name: {{ include "ditto.name" . }}-swaggerui + app.kubernetes.io/instance: {{ .Release.Name }} + template: + metadata: + labels: + app.kubernetes.io/name: {{ include "ditto.name" . }}-swaggerui + app.kubernetes.io/instance: {{ .Release.Name }} + {{- with .Values.swaggerui.additionalLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} + annotations: + {{- with .Values.swaggerui.additionalAnnotations }} + {{- toYaml . | nindent 8 }} + {{- end }} + spec: + {{- with .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . 
| nindent 8 }} + {{- end }} + initContainers: + - name: {{ .Chart.Name }}-swaggerui-init + image: "docker.io/boky/alpine-bootstrap:latest" + imagePullPolicy: {{ .Values.swaggerui.image.pullPolicy }} + command: + - sh + - -ec + - | + mkdir -p /usr/share/nginx/html/openapi + curl -sL https://raw.githubusercontent.com/eclipse/ditto/{{ .Chart.AppVersion }}/documentation/src/main/resources/openapi/ditto-api-2.yml -o /usr/share/nginx/html/openapi/ditto-api-2.yml + sed --in-place "\=- url: 'https://ditto.eclipseprojects.io/api/2'=d" /usr/share/nginx/html/openapi/ditto-api-2.yml + sed --in-place "/description: online Ditto Sandbox/d" /usr/share/nginx/html/openapi/ditto-api-2.yml + echo "removing Google auth from ditto-api-2.yml" + sed --in-place "/- Google:/,+1d" /usr/share/nginx/html/openapi/ditto-api-2.yml + sed --in-place "/ Google:/,+9d" /usr/share/nginx/html/openapi/ditto-api-2.yml + {{- if not .Values.gateway.config.authentication.enablePreAuthentication }} + echo "removing NginxBasic auth from ditto-api-2.yml" + sed --in-place "/- NginxBasic: \[]/d" /usr/share/nginx/html/openapi/ditto-api-2.yml + sed --in-place "/ NginxBasic:/,+3d" /usr/share/nginx/html/openapi/ditto-api-2.yml + {{- end }} + {{- if eq .Values.gateway.config.authentication.devops.authMethod "oauth2" }} + echo "removing DevOpsBasic auth from ditto-api-2.yml" + sed --in-place "/- DevOpsBasic: \[]/d" /usr/share/nginx/html/openapi/ditto-api-2.yml + sed --in-place "/ DevOpsBasic:/,+3d" /usr/share/nginx/html/openapi/ditto-api-2.yml + {{- else }} + echo "removing DevOpsBearer auth from ditto-api-2.yml" + sed --in-place "/- DevOpsBearer: \[]/d" /usr/share/nginx/html/openapi/ditto-api-2.yml + sed --in-place "/ DevOpsBearer:/,+4d" /usr/share/nginx/html/openapi/ditto-api-2.yml + {{- end }} + sed --in-place "s=- url: /api/2=- url: {{ .Values.global.proxyPart }}/api/2=g" /usr/share/nginx/html/openapi/ditto-api-2.yml + cp -rv /usr/share/nginx/html/openapi/. 
/init-config/ + volumeMounts: + - name: swagger-ui-init-config + mountPath: /init-config + containers: + - name: {{ .Chart.Name }}-swaggerui + image: "{{ .Values.swaggerui.image.repository }}:{{ .Values.swaggerui.image.tag }}" + imagePullPolicy: {{ .Values.swaggerui.image.pullPolicy }} + env: + - name: QUERY_CONFIG_ENABLED + value: "true" + {{- if .Values.swaggerui.extraEnv }} + {{- toYaml .Values.swaggerui.extraEnv | nindent 12 }} + {{- end }} + ports: + - name: http + containerPort: 8080 + protocol: TCP + resources: + requests: + cpu: {{ mulf .Values.swaggerui.resources.cpu 1000 }}m + memory: {{ .Values.swaggerui.resources.memoryMi }}Mi + limits: + # cpu: "" + memory: {{ .Values.swaggerui.resources.memoryMi }}Mi + volumeMounts: + - name: swagger-ui-init-config + mountPath: /usr/share/nginx/html/openapi + - name: swaggerui-index + mountPath: /usr/share/nginx/html/index.html + subPath: index.html + volumes: + - name: swagger-ui-init-config + emptyDir: {} + - name: swaggerui-index + configMap: + name: {{ .Release.Name }}-swaggerui-config-index-html +{{- end }} diff --git a/deployment/helm/templates/swaggerui-networkpolicy.yaml b/deployment/helm/templates/swaggerui-networkpolicy.yaml new file mode 100644 index 00000000000..102c206100a --- /dev/null +++ b/deployment/helm/templates/swaggerui-networkpolicy.yaml 
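Review bot: The `swaggerui-init` container pulls `docker.io/boky/alpine-bootstrap:latest` — a third-party image on a floating tag — and on every pod start downloads the OpenAPI file from raw.githubusercontent.com with `curl -sL`, with no `--fail`, pin or checksum; a 404 or a captive-proxy page is written to `ditto-api-2.yml`, the following `sed`s and the shell's `-e` never notice, and the pod cannot start at all without internet egress. At minimum use `curl -sSfL …` so HTTP errors abort, pin the init image by digest and make it configurable through values, and consider shipping the spec with the chart (`.Files.Get`, as is already done for `index.html`) so nothing is fetched at runtime. Neither the init nor the swagger-ui container sets a `securityContext`, unlike the Ditto service deployments in this commit, and the pod falls back to the namespace's `default` ServiceAccount with its token automounted although it never calls the API; adding `automountServiceAccountToken: false` at the pod level, plus a `runAsNonRoot`/`allowPrivilegeEscalation: false` context if the images support it (I cannot tell from this hunk), would align it with the rest of the chart.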
@@ -0,0 +1,36 @@ +# Copyright (c) 2023 Contributors to the Eclipse Foundation +# +# See the NOTICE file(s) distributed with this work for additional +# information regarding copyright ownership. +# +# This program and the accompanying materials are made available under the +# terms of the Eclipse Public License 2.0 which is available at +# http://www.eclipse.org/legal/epl-2.0 +# +# SPDX-License-Identifier: EPL-2.0 +{{- if .Values.swaggerui.networkPolicy.enabled -}} +--- +kind: NetworkPolicy +apiVersion: networking.k8s.io/v1 +metadata: + name: {{ include "ditto.fullname" . }}-swaggerui + labels: + app.kubernetes.io/name: {{ include "ditto.name" . }}-swaggerui +{{ include "ditto.labels" . | indent 4 }} +spec: + podSelector: + matchLabels: + app.kubernetes.io/name: {{ include "ditto.name" . }}-swaggerui + app.kubernetes.io/instance: {{ .Release.Name }} + policyTypes: + - Ingress + ingress: + - from: + - podSelector: + matchLabels: + app.kubernetes.io/name: {{ include "ditto.name" . }}-nginx + app.kubernetes.io/instance: {{ .Release.Name }} + ports: + - protocol: TCP + port: 8080 +{{- end }} diff --git a/deployment/helm/templates/swaggerui-pdb.yaml b/deployment/helm/templates/swaggerui-pdb.yaml new file mode 100644 index 00000000000..43abca8abc2 --- /dev/null +++ b/deployment/helm/templates/swaggerui-pdb.yaml 
@@ -0,0 +1,26 @@ +# Copyright (c) 2023 Contributors to the Eclipse Foundation +# +# See the NOTICE file(s) distributed with this work for additional +# information regarding copyright ownership. +# +# This program and the accompanying materials are made available under the +# terms of the Eclipse Public License 2.0 which is available at +# http://www.eclipse.org/legal/epl-2.0 +# +# SPDX-License-Identifier: EPL-2.0 +{{- if and .Values.swaggerui.podDisruptionBudget.enabled (gt .Values.swaggerui.replicaCount 1.0) -}} +--- +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{ include "ditto.fullname" . }}-swaggerui + labels: + app.kubernetes.io/name: {{ include "ditto.name" . }}-swaggerui +{{ include "ditto.labels" . | indent 4 }} +spec: + selector: + matchLabels: + app.kubernetes.io/name: {{ include "ditto.name" . }}-swaggerui + app.kubernetes.io/instance: {{ .Release.Name }} + minAvailable: {{ .Values.swaggerui.podDisruptionBudget.minAvailable }} +{{- end }} diff --git a/deployment/helm/templates/swaggerui-service.yaml b/deployment/helm/templates/swaggerui-service.yaml new file mode 100644 index 00000000000..bb330b57059 --- /dev/null +++ b/deployment/helm/templates/swaggerui-service.yaml 
@@ -0,0 +1,33 @@ +# Copyright (c) 2023 Contributors to the Eclipse Foundation +# +# See the NOTICE file(s) distributed with this work for additional +# information regarding copyright ownership. +# +# This program and the accompanying materials are made available under the +# terms of the Eclipse Public License 2.0 which is available at +# http://www.eclipse.org/legal/epl-2.0 +# +# SPDX-License-Identifier: EPL-2.0 +{{- if .Values.swaggerui.enabled -}} +--- +apiVersion: v1 +kind: Service +metadata: + name: {{ include "ditto.fullname" . }}-swaggerui + labels: + app.kubernetes.io/name: {{ include "ditto.name" . }}-swaggerui +{{ include "ditto.labels" . | indent 4 }} + {{- with .Values.swaggerui.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + ports: + - port: {{ .Values.swaggerui.service.port }} + targetPort: http + protocol: TCP + name: http + selector: + app.kubernetes.io/name: {{ include "ditto.name" . }}-swaggerui + app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} diff --git a/deployment/helm/templates/things-deployment.yaml b/deployment/helm/templates/things-deployment.yaml new file mode 100644 index 00000000000..8fc066316d3 --- /dev/null +++ b/deployment/helm/templates/things-deployment.yaml 
@@ -0,0 +1,296 @@ +# Copyright (c) 2023 Contributors to the Eclipse Foundation +# +# See the NOTICE file(s) distributed with this work for additional +# information regarding copyright ownership. +# +# This program and the accompanying materials are made available under the +# terms of the Eclipse Public License 2.0 which is available at +# http://www.eclipse.org/legal/epl-2.0 +# +# SPDX-License-Identifier: EPL-2.0 +{{- if .Values.things.enabled -}} +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "ditto.fullname" . }}-things + labels: + app.kubernetes.io/name: {{ include "ditto.name" . }}-things +{{ include "ditto.labels" . | indent 4 }} +spec: + replicas: {{ .Values.things.replicaCount }} + strategy: + {{- with .Values.things.updateStrategy }} + {{- toYaml . | nindent 4 }} + {{- end }} + minReadySeconds: {{ .Values.things.minReadySeconds }} + selector: + matchLabels: + app.kubernetes.io/name: {{ include "ditto.name" . }}-things + app.kubernetes.io/instance: {{ .Release.Name }} + template: + metadata: + labels: + app.kubernetes.io/name: {{ include "ditto.name" . }}-things + app.kubernetes.io/instance: {{ .Release.Name }} + actorSystemName: {{ .Values.akka.actorSystemName }} + {{- with .Values.things.additionalLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} + annotations: + {{- if .Values.global.prometheus.enabled }} + prometheus.io/scrape: "true" + prometheus.io/path: "{{ .Values.global.prometheus.path }}" + prometheus.io/port: "{{ .Values.global.prometheus.port }}" + {{- end }} + checksum/mongodb-config: {{ include (print $.Template.BasePath "/mongodb-secret.yaml") . | sha256sum }} + {{- with .Values.things.additionalAnnotations }} + {{- toYaml . | nindent 8 }} + {{- end }} + spec: + {{- if .Values.rbac.enabled }} + serviceAccountName: {{ template "ditto.serviceAccountName" . }} + {{- end }} + {{- with .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . 
| nindent 8 }} + {{- end }} + securityContext: + fsGroup: 1000 + initContainers: + {{- if .Values.global.logging.logFiles.enabled }} + - name: change-volume-owner + image: busybox + securityContext: + runAsUser: 0 + command: [ "sh", "-c", "chown -R 1000:1000 /var/log/ditto && echo 'changed ownership of /var/log/ditto to 1000:1000'" ] + volumeMounts: + - name: ditto-log-files-directory + mountPath: /var/log/ditto + {{- end }} + containers: + - name: {{ .Chart.Name }}-things + image: {{ printf "%s:%s" .Values.things.image.repository ( default .Chart.AppVersion ( default .Values.dittoTag .Values.things.image.tag ) ) }} + imagePullPolicy: {{ .Values.things.image.pullPolicy }} + env: + {{- if not .Values.global.logging.customConfigFile.enabled }} + - name: DITTO_LOGGING_DISABLE_SYSOUT_LOG + value: "{{ if .Values.global.logging.sysout.enabled }}false{{ else }}true{{ end }}" + - name: DITTO_LOGGING_FILE_APPENDER + value: "{{ if .Values.global.logging.logFiles.enabled }}true{{ else }}false{{ end }}" + {{- end }} + - name: DITTO_TRACING_ENABLED + value: "{{ .Values.global.tracing.enabled }}" + - name: OTEL_EXPORTER_OTLP_ENDPOINT + value: "{{ .Values.global.tracing.otelExporterOtlpEndpoint }}" + - name: DITTO_TRACING_SAMPLER + value: "{{ .Values.global.tracing.sampler }}" + - name: DITTO_TRACING_RANDOM_SAMPLER_PROBABILITY + value: "{{ .Values.global.tracing.randomSampler.probability }}" + - name: DITTO_TRACING_ADAPTIVE_SAMPLER_THROUGHPUT + value: "{{ .Values.global.tracing.adaptiveSampler.throughput }}" + {{- if .Values.global.logging.logstash.enabled }} + - name: DITTO_LOGGING_LOGSTASH_SERVER + value: "{{ .Values.global.logging.logstash.endpoint }}" + {{- end }} + - name: POD_LABEL_SELECTOR + value: "app.kubernetes.io/name=%s" + - name: POD_NAMESPACE + value: {{.Release.Namespace}} + - name: INSTANCE_INDEX + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: HOSTNAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.podIP + - name: 
DISCOVERY_METHOD + value: "kubernetes-api" + - name: TZ + value: "{{ .Values.global.timezone }}" + - name: JAVA_TOOL_OPTIONS + value: > + {{ .Values.global.jvmOptions }} + -XX:ActiveProcessorCount={{ .Values.things.jvm.activeProcessorCount }} + -XX:MaxRAMPercentage={{ .Values.things.jvm.heapRamPercentage }} + -XX:InitialRAMPercentage={{ .Values.things.jvm.heapRamPercentage }} + -XX:MaxGCPauseMillis={{ .Values.things.jvm.maxGcPauseMillis }} + {{ .Values.things.additionalJvmOptions }} + {{- .Values.global.akkaOptions }} + {{- if .Values.global.logging.customConfigFile.enabled }} + -Dlogback.configurationFile=/opt/ditto/{{ .Values.global.logging.customConfigFile.fileName }} + {{- end }} + {{- range $index, $header := .Values.things.config.persistence.events.historicalHeadersToPersist }} + "{{ printf "%s%d=%s" "-Dditto.things.thing.event.historical-headers-to-persist." $index $header }}" + {{- end }} + '-Dditto.things.wot.to-thing-description.json-template={{ .Values.things.config.wot.tdJsonTemplate | replace "\n" "" | replace "\\\"" "\"" }}' + {{ join " " .Values.things.systemProps }} + - name: MONGO_DB_SSL_ENABLED + value: "{{ if .Values.dbconfig.things.ssl }}true{{ else }}false{{ end }}" + - name: MONGO_DB_URI + valueFrom: + secretKeyRef: + name: {{ if .Values.dbconfig.uriSecret }}{{ .Values.dbconfig.uriSecret }}{{ else }}{{ include "ditto.fullname" . 
}}-mongodb-secret{{ end }} + key: things-uri + - name: MONGO_DB_CONNECTION_MIN_POOL_SIZE + value: "{{ .Values.things.config.mongodb.minPoolSize }}" + - name: MONGO_DB_CONNECTION_POOL_SIZE + value: "{{ .Values.things.config.mongodb.maxPoolSize }}" + - name: MONGO_DB_CONNECTION_POOL_IDLE_TIME + value: "{{ .Values.things.config.mongodb.maxPoolIdleTime }}" + {{- if .Values.global.prometheus.enabled }} + - name: PROMETHEUS_PORT + value: "{{ .Values.global.prometheus.port }}" + {{- end }} + - name: CLUSTER_BS_REQUIRED_CONTACTS + value: "{{ .Values.global.cluster.requiredContactPoints }}" + - name: DITTO_DDATA_NUMBER_OF_SHARDS + value: "{{ .Values.global.cluster.ddata.numberOfShards }}" + - name: DITTO_DDATA_MAX_DELTA_ELEMENTS + value: "{{ .Values.global.cluster.ddata.maxDeltaElements }}" + - name: CLUSTER_NUMBER_OF_SHARDS + value: "{{ .Values.global.cluster.numberOfShards }}" + - name: CLUSTER_DOWNING_STABLE_AFTER + value: "{{ .Values.global.cluster.downingStableAfter }}" + - name: CLUSTER_DOWNING_DOWN_ALL_WHEN_UNSTABLE + value: "{{ .Values.global.cluster.downAllWhenUnstable }}" + - name: AKKA_PERSISTENCE_MONGO_JOURNAL_WRITE_CONCERN + value: "{{ .Values.things.config.mongodb.journalWriteConcern }}" + - name: AKKA_PERSISTENCE_MONGO_SNAPS_WRITE_CONCERN + value: "{{ .Values.things.config.mongodb.snapsWriteConcern }}" + - name: BREAKER_MAXTRIES + value: "{{ .Values.things.config.mongodb.journalCircuitBreaker.maxTries }}" + - name: BREAKER_TIMEOUT + value: "{{ .Values.things.config.mongodb.journalCircuitBreaker.timeout }}" + - name: BREAKER_RESET + value: "{{ .Values.things.config.mongodb.journalCircuitBreaker.reset }}" + - name: SNAPSHOT_BREAKER_MAXTRIES + value: "{{ .Values.things.config.mongodb.snapsCircuitBreaker.maxTries }}" + - name: SNAPSHOT_BREAKER_TIMEOUT + value: "{{ .Values.things.config.mongodb.snapsCircuitBreaker.timeout }}" + - name: SNAPSHOT_BREAKER_RESET + value: "{{ .Values.things.config.mongodb.snapsCircuitBreaker.reset }}" + - name: 
THING_ACTIVITY_CHECK_INTERVAL + value: "{{ .Values.things.config.persistence.activityCheckInterval }}" + - name: HEALTH_CHECK_METRICS_REPORTER_RESOLUTION + value: "{{ .Values.things.config.cleanup.metricsReporter.resolution }}" + - name: HEALTH_CHECK_METRICS_REPORTER_HISTORY + value: "{{ .Values.things.config.cleanup.metricsReporter.history }}" + - name: CLEANUP_ENABLED + value: "{{ .Values.things.config.cleanup.enabled }}" + - name: CLEANUP_QUIET_PERIOD + value: "{{ .Values.things.config.cleanup.quietPeriod }}" + - name: CLEANUP_HISTORY_RETENTION_DURATION + value: "{{ .Values.things.config.cleanup.history.retentionDuration }}" + - name: CLEANUP_INTERVAL + value: "{{ .Values.things.config.cleanup.interval }}" + - name: CLEANUP_TIMER_THRESHOLD + value: "{{ .Values.things.config.cleanup.timerThreshold }}" + - name: CLEANUP_CREDITS_PER_BATCH + value: "{{ .Values.things.config.cleanup.creditsPerBatch }}" + - name: THING_SNAPSHOT_INTERVAL + value: "{{ .Values.things.config.persistence.snapshots.interval }}" + - name: THING_SNAPSHOT_THRESHOLD + value: "{{ .Values.things.config.persistence.snapshots.threshold }}" + - name: DITTO_POLICIES_ENFORCER_CACHE_ENABLED + value: "{{ .Values.things.config.policiesEnforcer.cache.enabled }}" + - name: DITTO_POLICIES_ENFORCER_CACHE_MAX_SIZE + value: "{{ .Values.things.config.policiesEnforcer.cache.maxSize }}" + - name: DITTO_POLICIES_ENFORCER_CACHE_EXPIRE_AFTER_WRITE + value: "{{ .Values.things.config.policiesEnforcer.cache.expireAfterWrite }}" + - name: DITTO_POLICIES_ENFORCER_CACHE_EXPIRE_AFTER_ACCESS + value: "{{ .Values.things.config.policiesEnforcer.cache.expireAfterAccess }}" + - name: THINGS_WOT_TO_THING_DESCRIPTION_BASE_PREFIX + value: "{{ .Values.things.config.wot.tdBasePrefix }}" + {{- if .Values.things.extraEnv }} + {{- toYaml .Values.things.extraEnv | nindent 12 }} + {{- end }} + ports: + - name: remoting + containerPort: {{ .Values.akka.remoting.port }} + protocol: TCP + - name: management + containerPort: {{ 
.Values.akka.mgmthttp.port }} + protocol: TCP + {{- if .Values.global.prometheus.enabled }} + - name: prometheus + protocol: TCP + containerPort: {{ .Values.global.prometheus.port }} + {{- end }} + readinessProbe: + httpGet: + port: management + path: /ready + initialDelaySeconds: {{ .Values.things.readinessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.things.readinessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.things.readinessProbe.timeoutSeconds }} + successThreshold: {{ .Values.things.readinessProbe.successThreshold }} + failureThreshold: {{ .Values.things.readinessProbe.failureThreshold }} + livenessProbe: + httpGet: + port: management + path: /alive + initialDelaySeconds: {{ .Values.things.livenessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.things.livenessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.things.livenessProbe.timeoutSeconds }} + successThreshold: {{ .Values.things.livenessProbe.successThreshold }} + failureThreshold: {{ .Values.things.livenessProbe.failureThreshold }} + volumeMounts: + {{- if .Values.global.logging.customConfigFile.enabled }} + - name: ditto-custom-log-config + mountPath: /opt/ditto/{{ .Values.global.logging.customConfigFile.fileName }} + subPath: {{ .Values.global.logging.customConfigFile.fileName }} + {{- end }} + {{- if .Values.global.logging.logFiles.enabled }} + - name: ditto-log-files-directory + mountPath: /var/log/ditto + {{- end }} + resources: + requests: + cpu: {{ mulf .Values.things.resources.cpu 1000 }}m + memory: {{ .Values.things.resources.memoryMi }}Mi + limits: + # ## no cpu limit to avoid CFS scheduler limits + # ref: https://doc.akka.io/docs/akka/snapshot/additional/deploy.html#in-kubernetes + # cpu: "" + memory: {{ .Values.things.resources.memoryMi }}Mi + {{- if .Values.openshift.enabled }} + {{- with .Values.openshift.securityContext }} + securityContext: + {{- toYaml . 
| nindent 8 }} + {{- end }} + {{- else }} + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 + allowPrivilegeEscalation: false + {{- end }} + {{- with .Values.things.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.things.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.things.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} + volumes: + {{- if .Values.global.logging.customConfigFile.enabled }} + - name: ditto-custom-log-config + configMap: + name: {{ .Release.Name }}-logback-config-things-xml + {{- end }} + {{- if .Values.global.logging.logFiles.enabled }} + - name: ditto-log-files-directory + hostPath: + path: /var/log/ditto + type: DirectoryOrCreate + {{- end }} +{{- end }} diff --git a/deployment/helm/templates/things-networkpolicy.yaml b/deployment/helm/templates/things-networkpolicy.yaml new file mode 100644 index 00000000000..86b8d0c6c3a --- /dev/null +++ b/deployment/helm/templates/things-networkpolicy.yaml 
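Review bot: The `change-volume-owner` init container runs as root (`runAsUser: 0`) from an unpinned `image: busybox` with no tag, digest or pull policy, and it chowns a node-level `hostPath` directory (`/var/log/ditto`, `type: DirectoryOrCreate`); a floating tag is a supply-chain weak spot for a root container, and both hostPath volumes and root init containers are refused by the Pod Security Standards baseline/restricted profiles, so namespaces enforcing them will reject this pod whenever `global.logging.logFiles.enabled` is set. The image should come from a values key pinned by tag or digest, and the values comment for the log-file feature should state that it needs a hostPath-permitting namespace. The non-OpenShift `securityContext` branch stops at `allowPrivilegeEscalation: false`; the restricted profile additionally expects dropped capabilities and a seccomp profile, which is a small addition shown below. The thingssearch deployment hunk has the identical init container and security context.
```yaml
        securityContext:
          # … unchanged: runAsNonRoot / runAsUser / runAsGroup / allowPrivilegeEscalation …
          capabilities:
            drop: ["ALL"]
          seccompProfile:
            type: RuntimeDefault
```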
@@ -0,0 +1,42 @@
+# Copyright (c) 2023 Contributors to the Eclipse Foundation
+#
+# See the NOTICE file(s) distributed with this work for additional
+# information regarding copyright ownership.
+#
+# This program and the accompanying materials are made available under the
+# terms of the Eclipse Public License 2.0 which is available at
+# http://www.eclipse.org/legal/epl-2.0
+#
+# SPDX-License-Identifier: EPL-2.0
+{{- if .Values.things.networkPolicy.enabled -}}
+---
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+ name: {{ include "ditto.fullname" . }}-things
+ labels:
+ app.kubernetes.io/name: {{ include "ditto.name" . }}-things
+{{ include "ditto.labels" . | indent 4 }}
+spec:
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/name: {{ include "ditto.name" . }}-things
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ policyTypes:
+ - Ingress
+ - Egress
+ ingress:
+ # Allow inner cluster communication
+ - from:
+ - podSelector:
+ matchLabels:
+ actorSystemName: {{ .Values.akka.actorSystemName }}
+ ports:
+ - protocol: TCP
+ port: {{ .Values.akka.remoting.port }}
+ - protocol: TCP
+ port: {{ .Values.akka.mgmthttp.port }}
+ # Open all egress
+ egress:
+ - {}
+{{- end }}
diff --git a/deployment/helm/templates/things-pdb.yaml b/deployment/helm/templates/things-pdb.yaml
new file mode 100644
index 00000000000..8f73693f60d
--- /dev/null
+++ b/deployment/helm/templates/things-pdb.yaml
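Review bot: The ingress rule admits only the remoting and management ports from pods carrying the `actorSystemName` label, so with `global.prometheus.enabled` the scrape port that the things deployment exposes (and that the things PodMonitor targets) is blocked by this policy, and scrapes fail as soon as the policy is enabled. A prometheus-gated rule like the one below should be appended to `ingress:`; its empty `namespaceSelector` is deliberately broad and the operator should narrow it to the monitoring namespace. Note also that carrying the `actorSystemName` label is the only condition on the cluster-port rule, so any pod in the namespace that sets that label reaches remoting and management — inherent to the selector, but worth a comment next to "Allow inner cluster communication". The thingssearch networkpolicy hunk has the same gap.
```yaml
  # … unchanged: inner cluster communication rule …
  {{- if .Values.global.prometheus.enabled }}
  - from:
    - namespaceSelector: {}  # TODO(operator): restrict to the monitoring namespace
    ports:
    - protocol: TCP
      port: {{ .Values.global.prometheus.port }}
  {{- end }}
```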
@@ -0,0 +1,26 @@
+# Copyright (c) 2023 Contributors to the Eclipse Foundation
+#
+# See the NOTICE file(s) distributed with this work for additional
+# information regarding copyright ownership.
+#
+# This program and the accompanying materials are made available under the
+# terms of the Eclipse Public License 2.0 which is available at
+# http://www.eclipse.org/legal/epl-2.0
+#
+# SPDX-License-Identifier: EPL-2.0
+{{- if and .Values.things.podDisruptionBudget.enabled (gt .Values.things.replicaCount 1.0) -}}
+---
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+ name: {{ include "ditto.fullname" . }}-things
+ labels:
+ app.kubernetes.io/name: {{ include "ditto.name" . }}-things
+{{ include "ditto.labels" . | indent 4 }}
+spec:
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: {{ include "ditto.name" . }}-things
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ minAvailable: {{ .Values.things.podDisruptionBudget.minAvailable }}
+{{- end }}
diff --git a/deployment/helm/templates/things-podmonitor.yaml b/deployment/helm/templates/things-podmonitor.yaml
new file mode 100644
index 00000000000..e9816d72801
--- /dev/null
+++ b/deployment/helm/templates/things-podmonitor.yaml
@@ -0,0 +1,38 @@
+# Copyright (c) 2023 Contributors to the Eclipse Foundation
+#
+# See the NOTICE file(s) distributed with this work for additional
+# information regarding copyright ownership.
+#
+# This program and the accompanying materials are made available under the
+# terms of the Eclipse Public License 2.0 which is available at
+# http://www.eclipse.org/legal/epl-2.0
+#
+# SPDX-License-Identifier: EPL-2.0
+{{- if and .Values.things.podMonitor.enabled .Values.global.prometheus.port -}}
+{{- if .Capabilities.APIVersions.Has "monitoring.coreos.com/v1" -}}
+---
+kind: PodMonitor
+apiVersion: monitoring.coreos.com/v1
+metadata:
+ name: {{ include "ditto.fullname" . }}-things
+ labels:
+ app.kubernetes.io/name: {{ include "ditto.name" . }}-things
+{{ include "ditto.labels" . | indent 4 }}
+spec:
+ podMetricsEndpoints:
+ - targetPort: {{ .Values.global.prometheus.port }}
+ path: "/"
+ {{- if .Values.things.podMonitor.interval }}
+ interval: {{ .Values.things.podMonitor.interval }}
+ {{- end }}
+ {{- if .Values.things.podMonitor.scrapeTimeout }}
+ scrapeTimeout: {{ .Values.things.podMonitor.scrapeTimeout }}
+ {{- end }}
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: {{ include "ditto.name" . }}-things
+ namespaceSelector:
+ matchNames:
+ - {{ $.Release.Namespace | quote }}
+{{- end }}
+{{- end }}
diff --git a/deployment/helm/templates/thingssearch-deployment.yaml b/deployment/helm/templates/thingssearch-deployment.yaml
new file mode 100644
index 00000000000..64f5e8907bd
--- /dev/null
+++ b/deployment/helm/templates/thingssearch-deployment.yaml
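Review bot: `path: "/"` is hard-coded in `podMetricsEndpoints` while the things deployment's scrape annotation uses `prometheus.io/path: "{{ .Values.global.prometheus.path }}"`, so a non-default `global.prometheus.path` leaves this PodMonitor scraping the wrong path; use `path: "{{ .Values.global.prometheus.path }}"` here as well. The `selector.matchLabels` also omits the `app.kubernetes.io/instance: {{ .Release.Name }}` label that every other selector in this chart includes, so two releases in one namespace would scrape each other's pods. The guard tests `.Values.global.prometheus.port` but not `.Values.global.prometheus.enabled`, although the deployment only exposes the container port when enabled, so a PodMonitor can be created for a port that nothing listens on. The thingssearch podmonitor hunk shares all three points.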
@@ -0,0 +1,294 @@ +# Copyright (c) 2023 Contributors to the Eclipse Foundation +# +# See the NOTICE file(s) distributed with this work for additional +# information regarding copyright ownership. +# +# This program and the accompanying materials are made available under the +# terms of the Eclipse Public License 2.0 which is available at +# http://www.eclipse.org/legal/epl-2.0 +# +# SPDX-License-Identifier: EPL-2.0 +{{- if .Values.thingsSearch.enabled -}} +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "ditto.fullname" . }}-thingssearch + labels: + app.kubernetes.io/name: {{ include "ditto.name" . }}-thingssearch +{{ include "ditto.labels" . | indent 4 }} +spec: + replicas: {{ .Values.thingsSearch.replicaCount }} + strategy: + {{- with .Values.thingsSearch.updateStrategy }} + {{- toYaml . | nindent 4 }} + {{- end }} + minReadySeconds: {{ .Values.thingsSearch.minReadySeconds }} + selector: + matchLabels: + app.kubernetes.io/name: {{ include "ditto.name" . }}-thingssearch + app.kubernetes.io/instance: {{ .Release.Name }} + template: + metadata: + labels: + app.kubernetes.io/name: {{ include "ditto.name" . }}-thingssearch + app.kubernetes.io/instance: {{ .Release.Name }} + actorSystemName: {{ .Values.akka.actorSystemName }} + {{- with .Values.thingsSearch.additionalLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} + annotations: + {{- if .Values.global.prometheus.enabled }} + prometheus.io/scrape: "true" + prometheus.io/path: "{{ .Values.global.prometheus.path }}" + prometheus.io/port: "{{ .Values.global.prometheus.port }}" + {{- end }} + checksum/mongodb-config: {{ include (print $.Template.BasePath "/mongodb-secret.yaml") . | sha256sum }} + {{- with .Values.thingsSearch.additionalAnnotations }} + {{- toYaml . | nindent 8 }} + {{- end }} + spec: + {{- if .Values.rbac.enabled }} + serviceAccountName: {{ template "ditto.serviceAccountName" . }} + {{- end }} + {{- with .Values.global.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . 
| nindent 8 }} + {{- end }} + securityContext: + fsGroup: 1000 + initContainers: + {{- if .Values.global.logging.logFiles.enabled }} + - name: change-volume-owner + image: busybox + securityContext: + runAsUser: 0 + command: [ "sh", "-c", "chown -R 1000:1000 /var/log/ditto && echo 'changed ownership of /var/log/ditto to 1000:1000'" ] + volumeMounts: + - name: ditto-log-files-directory + mountPath: /var/log/ditto + {{- end }} + containers: + - name: {{ .Chart.Name }}-thingssearch + image: {{ printf "%s:%s" .Values.thingsSearch.image.repository ( default .Chart.AppVersion ( default .Values.dittoTag .Values.thingsSearch.image.tag ) ) }} + imagePullPolicy: {{ .Values.thingsSearch.image.pullPolicy }} + env: + {{- if not .Values.global.logging.customConfigFile.enabled }} + - name: DITTO_LOGGING_DISABLE_SYSOUT_LOG + value: "{{ if .Values.global.logging.sysout.enabled }}false{{ else }}true{{ end }}" + - name: DITTO_LOGGING_FILE_APPENDER + value: "{{ if .Values.global.logging.logFiles.enabled }}true{{ else }}false{{ end }}" + {{- end }} + - name: DITTO_TRACING_ENABLED + value: "{{ .Values.global.tracing.enabled }}" + - name: OTEL_EXPORTER_OTLP_ENDPOINT + value: "{{ .Values.global.tracing.otelExporterOtlpEndpoint }}" + - name: DITTO_TRACING_SAMPLER + value: "{{ .Values.global.tracing.sampler }}" + - name: DITTO_TRACING_RANDOM_SAMPLER_PROBABILITY + value: "{{ .Values.global.tracing.randomSampler.probability }}" + - name: DITTO_TRACING_ADAPTIVE_SAMPLER_THROUGHPUT + value: "{{ .Values.global.tracing.adaptiveSampler.throughput }}" + {{- if .Values.global.logging.logstash.enabled }} + - name: DITTO_LOGGING_LOGSTASH_SERVER + value: "{{ .Values.global.logging.logstash.endpoint }}" + {{- end }} + - name: POD_LABEL_SELECTOR + value: "app.kubernetes.io/name=%s" + - name: POD_NAMESPACE + value: {{.Release.Namespace}} + - name: INSTANCE_INDEX + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: HOSTNAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: 
status.podIP + - name: DISCOVERY_METHOD + value: "kubernetes-api" + - name: TZ + value: "{{ .Values.global.timezone }}" + - name: JAVA_TOOL_OPTIONS + value: > + {{ .Values.global.jvmOptions }} + -XX:ActiveProcessorCount={{ .Values.thingsSearch.jvm.activeProcessorCount }} + -XX:MaxRAMPercentage={{ .Values.thingsSearch.jvm.heapRamPercentage }} + -XX:InitialRAMPercentage={{ .Values.thingsSearch.jvm.heapRamPercentage }} + -XX:MaxGCPauseMillis={{ .Values.thingsSearch.jvm.maxGcPauseMillis }} + {{ .Values.thingsSearch.additionalJvmOptions }} + {{- .Values.global.akkaOptions }} + {{- if .Values.global.logging.customConfigFile.enabled }} + -Dlogback.configurationFile=/opt/ditto/{{ .Values.global.logging.customConfigFile.fileName }} + {{- end }} + {{ join " " .Values.thingsSearch.systemProps }} + - name: MONGO_DB_SSL_ENABLED + value: "{{ if .Values.dbconfig.thingsSearch.ssl }}true{{ else }}false{{ end }}" + - name: MONGO_DB_URI + valueFrom: + secretKeyRef: + name: {{ if .Values.dbconfig.uriSecret }}{{ .Values.dbconfig.uriSecret }}{{ else }}{{ include "ditto.fullname" . 
}}-mongodb-secret{{ end }} + key: thingsSearch-uri + - name: MONGO_DB_CONNECTION_MIN_POOL_SIZE + value: "{{ .Values.thingsSearch.config.mongodb.minPoolSize }}" + - name: MONGO_DB_CONNECTION_POOL_SIZE + value: "{{ .Values.thingsSearch.config.mongodb.maxPoolSize }}" + - name: MONGO_DB_CONNECTION_POOL_IDLE_TIME + value: "{{ .Values.thingsSearch.config.mongodb.maxPoolIdleTime }}" + {{- if .Values.global.prometheus.enabled }} + - name: PROMETHEUS_PORT + value: "{{ .Values.global.prometheus.port }}" + {{- end }} + - name: CLUSTER_BS_REQUIRED_CONTACTS + value: "{{ .Values.global.cluster.requiredContactPoints }}" + - name: DITTO_DDATA_NUMBER_OF_SHARDS + value: "{{ .Values.global.cluster.ddata.numberOfShards }}" + - name: DITTO_DDATA_MAX_DELTA_ELEMENTS + value: "{{ .Values.global.cluster.ddata.maxDeltaElements }}" + - name: CLUSTER_NUMBER_OF_SHARDS + value: "{{ .Values.global.cluster.numberOfShards }}" + - name: CLUSTER_DOWNING_STABLE_AFTER + value: "{{ .Values.global.cluster.downingStableAfter }}" + - name: CLUSTER_DOWNING_DOWN_ALL_WHEN_UNSTABLE + value: "{{ .Values.global.cluster.downAllWhenUnstable }}" + - name: MONGO_DB_READ_PREFERENCE + value: "{{ .Values.thingsSearch.config.mongodb.searchReadPreference }}" + - name: QUERY_PERSISTENCE_MONGO_DB_READ_CONCERN + value: "{{ .Values.thingsSearch.config.mongodb.queryReadConcern }}" + - name: MONGO_DB_WRITE_CONCERN + value: "{{ .Values.thingsSearch.config.mongodb.searchWriteConcern }}" + - name: UPDATER_PERSISTENCE_MONGO_DB_READ_CONCERN + value: "{{ .Values.thingsSearch.config.mongodb.updaterPersistenceReadConcern }}" + - name: UPDATER_PERSISTENCE_MONGO_DB_READ_PREFERENCE + value: "{{ .Values.thingsSearch.config.mongodb.updaterPersistenceReadPreference }}" + - name: THINGS_SEARCH_UPDATER_STREAM_PERSISTENCE_WITH_ACKS_WRITE_CONCERN + value: "{{ .Values.thingsSearch.config.mongodb.searchWithAcksWriteConcern }}" + - name: THINGS_SEARCH_UPDATER_STREAM_POLICY_CACHE_SIZE + value: "{{ 
.Values.thingsSearch.config.updater.stream.policiesEnforcer.cache.maxSize }}" + - name: THINGS_SEARCH_UPDATER_STREAM_POLICY_CACHE_EXPIRY + value: "{{ .Values.thingsSearch.config.updater.stream.policiesEnforcer.cache.expireAfterWrite }}" + - name: THINGS_SEARCH_UPDATER_STREAM_POLICY_CACHE_EXPIRY_AFTER_ACCESS + value: "{{ .Values.thingsSearch.config.updater.stream.policiesEnforcer.cache.expireAfterAccess }}" + - name: THINGS_SEARCH_UPDATER_STREAM_THING_CACHE_SIZE + value: "{{ .Values.thingsSearch.config.updater.stream.thingCache.maxSize }}" + - name: THINGS_SEARCH_UPDATER_STREAM_THING_CACHE_EXPIRY + value: "{{ .Values.thingsSearch.config.updater.stream.thingCache.expireAfterWrite }}" + - name: THINGS_SEARCH_UPDATER_STREAM_THING_CACHE_EXPIRY_AFTER_ACCESS + value: "{{ .Values.thingsSearch.config.updater.stream.thingCache.expireAfterAccess }}" + - name: THINGS_SEARCH_UPDATER_STREAM_RETRIEVAL_PARALLELISM + value: "{{ .Values.thingsSearch.config.updater.stream.retrievalParallelism }}" + - name: THINGS_SEARCH_UPDATER_STREAM_PERSISTENCE_PARALLELISM + value: "{{ .Values.thingsSearch.config.updater.stream.persistence.parallelism }}" + - name: ACTIVITY_CHECK_INTERVAL + value: "{{ .Values.thingsSearch.config.updater.activityCheckInterval }}" + - name: BACKGROUND_SYNC_ENABLED + value: "{{ .Values.thingsSearch.config.updater.backgroundSync.enabled }}" + - name: BACKGROUND_SYNC_QUIET_PERIOD + value: "{{ .Values.thingsSearch.config.updater.backgroundSync.quietPeriod }}" + - name: BACKGROUND_SYNC_IDLE_TIMEOUT + value: "{{ .Values.thingsSearch.config.updater.backgroundSync.idleTimeout }}" + - name: BACKGROUND_SYNC_TOLERANCE_WINDOW + value: "{{ .Values.thingsSearch.config.updater.backgroundSync.toleranceWindow }}" + - name: BACKGROUND_SYNC_KEEP_EVENTS + value: "{{ .Values.thingsSearch.config.updater.backgroundSync.keepEvents }}" + - name: BACKGROUND_SYNC_THROTTLE_THROUGHPUT + value: "{{ .Values.thingsSearch.config.updater.backgroundSync.throttle.throughput }}" + - name: 
BACKGROUND_SYCN_THROTTLE_PERIOD + value: "{{ .Values.thingsSearch.config.updater.backgroundSync.throttle.period }}" + - name: DITTO_POLICIES_ENFORCER_CACHE_MAX_SIZE + value: "{{ .Values.thingsSearch.config.updater.stream.policiesEnforcer.cache.maxSize }}" + - name: DITTO_POLICIES_ENFORCER_CACHE_EXPIRE_AFTER_WRITE + value: "{{ .Values.thingsSearch.config.updater.stream.policiesEnforcer.cache.expireAfterWrite }}" + - name: DITTO_POLICIES_ENFORCER_CACHE_EXPIRE_AFTER_ACCESS + value: "{{ .Values.thingsSearch.config.updater.stream.policiesEnforcer.cache.expireAfterAccess }}" + {{- if .Values.thingsSearch.extraEnv }} + {{- toYaml .Values.thingsSearch.extraEnv | nindent 12 }} + {{- end }} + ports: + - name: remoting + containerPort: {{ .Values.akka.remoting.port }} + protocol: TCP + - name: management + containerPort: {{ .Values.akka.mgmthttp.port }} + protocol: TCP + {{- if .Values.global.prometheus.enabled }} + - name: prometheus + protocol: TCP + containerPort: {{ .Values.global.prometheus.port }} + {{- end }} + readinessProbe: + httpGet: + port: management + path: /ready + initialDelaySeconds: {{ .Values.thingsSearch.readinessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.thingsSearch.readinessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.thingsSearch.readinessProbe.timeoutSeconds }} + successThreshold: {{ .Values.thingsSearch.readinessProbe.successThreshold }} + failureThreshold: {{ .Values.thingsSearch.readinessProbe.failureThreshold }} + livenessProbe: + httpGet: + port: management + path: /alive + initialDelaySeconds: {{ .Values.thingsSearch.livenessProbe.initialDelaySeconds }} + periodSeconds: {{ .Values.thingsSearch.livenessProbe.periodSeconds }} + timeoutSeconds: {{ .Values.thingsSearch.livenessProbe.timeoutSeconds }} + successThreshold: {{ .Values.thingsSearch.livenessProbe.successThreshold }} + failureThreshold: {{ .Values.thingsSearch.livenessProbe.failureThreshold }} + volumeMounts: + {{- if .Values.global.logging.customConfigFile.enabled }} 
+ - name: ditto-custom-log-config + mountPath: /opt/ditto/{{ .Values.global.logging.customConfigFile.fileName }} + subPath: {{ .Values.global.logging.customConfigFile.fileName }} + {{- end }} + {{- if .Values.global.logging.logFiles.enabled }} + - name: ditto-log-files-directory + mountPath: /var/log/ditto + {{- end }} + resources: + requests: + cpu: {{ mulf .Values.thingsSearch.resources.cpu 1000 }}m + memory: {{ .Values.thingsSearch.resources.memoryMi }}Mi + limits: + # ## no cpu limit to avoid CFS scheduler limits + # ref: https://doc.akka.io/docs/akka/snapshot/additional/deploy.html#in-kubernetes + # cpu: "" + memory: {{ .Values.thingsSearch.resources.memoryMi }}Mi + {{- if .Values.openshift.enabled }} + {{- with .Values.openshift.securityContext }} + securityContext: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- else }} + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 + allowPrivilegeEscalation: false + {{- end }} + {{- with .Values.thingsSearch.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.thingsSearch.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.thingsSearch.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} + volumes: + {{- if .Values.global.logging.customConfigFile.enabled }} + - name: ditto-custom-log-config + configMap: + name: {{ .Release.Name }}-logback-config-thingssearch-xml + {{- end }} + {{- if .Values.global.logging.logFiles.enabled }} + - name: ditto-log-files-directory + hostPath: + path: /var/log/ditto + type: DirectoryOrCreate + {{- end }} +{{- end }} diff --git a/deployment/helm/templates/thingssearch-networkpolicy.yaml b/deployment/helm/templates/thingssearch-networkpolicy.yaml new file mode 100644 index 00000000000..607616e42b2 --- /dev/null +++ b/deployment/helm/templates/thingssearch-networkpolicy.yaml 
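Review bot: The env var `BACKGROUND_SYCN_THROTTLE_PERIOD` looks misspelled next to its sibling `BACKGROUND_SYNC_THROTTLE_THROUGHPUT`; unless the search service's configuration really reads the misspelled name, `thingsSearch.config.updater.backgroundSync.throttle.period` is silently never applied — please check against the service config and rename to `BACKGROUND_SYNC_THROTTLE_PERIOD` if it confirms the typo. The three `DITTO_POLICIES_ENFORCER_CACHE_*` entries re-export the same values already passed as `THINGS_SEARCH_UPDATER_STREAM_POLICY_CACHE_*`; a one-line comment such as `# same cache settings exported under both names the service reads` would spare the next maintainer a search. The root init container, unpinned `busybox` image and hardened-securityContext points raised on the things deployment apply unchanged to this hunk.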
@@ -0,0 +1,42 @@
+# Copyright (c) 2023 Contributors to the Eclipse Foundation
+#
+# See the NOTICE file(s) distributed with this work for additional
+# information regarding copyright ownership.
+#
+# This program and the accompanying materials are made available under the
+# terms of the Eclipse Public License 2.0 which is available at
+# http://www.eclipse.org/legal/epl-2.0
+#
+# SPDX-License-Identifier: EPL-2.0
+{{- if .Values.thingsSearch.networkPolicy.enabled -}}
+---
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+ name: {{ include "ditto.fullname" . }}-thingssearch
+ labels:
+ app.kubernetes.io/name: {{ include "ditto.name" . }}-thingssearch
+{{ include "ditto.labels" . | indent 4 }}
+spec:
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/name: {{ include "ditto.name" . }}-thingssearch
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ policyTypes:
+ - Ingress
+ - Egress
+ ingress:
+ # Allow inner cluster communication
+ - from:
+ - podSelector:
+ matchLabels:
+ actorSystemName: {{ .Values.akka.actorSystemName }}
+ ports:
+ - protocol: TCP
+ port: {{ .Values.akka.remoting.port }}
+ - protocol: TCP
+ port: {{ .Values.akka.mgmthttp.port }}
+ # Open all egress
+ egress:
+ - {}
+{{- end }}
diff --git a/deployment/helm/templates/thingssearch-pdb.yaml b/deployment/helm/templates/thingssearch-pdb.yaml
new file mode 100644
index 00000000000..c7651415a06
--- /dev/null
+++ b/deployment/helm/templates/thingssearch-pdb.yaml
@@ -0,0 +1,26 @@
+# Copyright (c) 2023 Contributors to the Eclipse Foundation
+#
+# See the NOTICE file(s) distributed with this work for additional
+# information regarding copyright ownership.
+#
+# This program and the accompanying materials are made available under the
+# terms of the Eclipse Public License 2.0 which is available at
+# http://www.eclipse.org/legal/epl-2.0
+#
+# SPDX-License-Identifier: EPL-2.0
+{{- if and .Values.things.podDisruptionBudget.enabled (gt .Values.things.replicaCount 1.0) -}}
+---
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+ name: {{ include "ditto.fullname" . }}-thingssearch
+ labels:
+ app.kubernetes.io/name: {{ include "ditto.name" . }}-thingssearch
+{{ include "ditto.labels" . | indent 4 }}
+spec:
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: {{ include "ditto.name" . }}-thingssearch
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ minAvailable: {{ .Values.things.podDisruptionBudget.minAvailable }}
+{{- end }}
diff --git a/deployment/helm/templates/thingssearch-podmonitor.yaml b/deployment/helm/templates/thingssearch-podmonitor.yaml
new file mode 100644
index 00000000000..7f83efb6a58
--- /dev/null
+++ b/deployment/helm/templates/thingssearch-podmonitor.yaml
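Review bot: This template reads `.Values.things.podDisruptionBudget.enabled`, `.Values.things.replicaCount` and `.Values.things.podDisruptionBudget.minAvailable` although it renders the thingssearch PodDisruptionBudget, so the search service's budget is driven by the things service's values and cannot be configured independently — the guard and `minAvailable` look copy-pasted from things-pdb. The two lines to change are `{{- if and .Values.thingsSearch.podDisruptionBudget.enabled (gt .Values.thingsSearch.replicaCount 1.0) -}}` and `minAvailable: {{ .Values.thingsSearch.podDisruptionBudget.minAvailable }}`, provided values.yaml defines a `thingsSearch.podDisruptionBudget` block (the values hunk is cut off before that section in this view, so please confirm). With a mismatched `replicaCount` this currently creates a PDB whose `minAvailable` may exceed the search replica count, which would block node drains.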
@@ -0,0 +1,38 @@
+# Copyright (c) 2023 Contributors to the Eclipse Foundation
+#
+# See the NOTICE file(s) distributed with this work for additional
+# information regarding copyright ownership.
+#
+# This program and the accompanying materials are made available under the
+# terms of the Eclipse Public License 2.0 which is available at
+# http://www.eclipse.org/legal/epl-2.0
+#
+# SPDX-License-Identifier: EPL-2.0
+{{- if and .Values.thingsSearch.podMonitor.enabled .Values.global.prometheus.port -}}
+{{- if .Capabilities.APIVersions.Has "monitoring.coreos.com/v1" -}}
+---
+kind: PodMonitor
+apiVersion: monitoring.coreos.com/v1
+metadata:
+ name: {{ include "ditto.fullname" . }}-thingssearch
+ labels:
+ app.kubernetes.io/name: {{ include "ditto.name" . }}-thingssearch
+{{ include "ditto.labels" . | indent 4 }}
+spec:
+ podMetricsEndpoints:
+ - targetPort: {{ .Values.global.prometheus.port }}
+ path: "/"
+ {{- if .Values.thingsSearch.podMonitor.interval }}
+ interval: {{ .Values.thingsSearch.podMonitor.interval }}
+ {{- end }}
+ {{- if .Values.thingsSearch.podMonitor.scrapeTimeout }}
+ scrapeTimeout: {{ .Values.thingsSearch.podMonitor.scrapeTimeout }}
+ {{- end }}
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: {{ include "ditto.name" . }}-thingssearch
+ namespaceSelector:
+ matchNames:
+ - {{ $.Release.Namespace | quote }}
+{{- end }}
+{{- end }}
diff --git a/deployment/helm/values.yaml b/deployment/helm/values.yaml
new file mode 100644
index 00000000000..69728dcab3e
--- /dev/null
+++ b/deployment/helm/values.yaml
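Review bot: The PodMonitor's `selector.matchLabels` carries only `app.kubernetes.io/name`, whereas the thingssearch NetworkPolicy and PodDisruptionBudget in the neighbouring templates additionally match `app.kubernetes.io/instance: {{ .Release.Name }}`. If `ditto.name` is derived from the chart name as in the standard Helm scaffold (its helper is outside this chunk), the label is release-independent and two releases installed into one namespace would each scrape the other's thingssearch pods; adding `app.kubernetes.io/instance: {{ .Release.Name }}` under `matchLabels` keeps the three selectors consistent. Separately, `path: "/"` is hard-coded although values.yaml declares `global.prometheus.path`, so `path: {{ .Values.global.prometheus.path | quote }}` would honour that setting instead of silently ignoring it.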
@@ -0,0 +1,1575 @@ +# Copyright (c) 2023 Contributors to the Eclipse Foundation +# +# See the NOTICE file(s) distributed with this work for additional +# information regarding copyright ownership. +# +# This program and the accompanying materials are made available under the +# terms of the Eclipse Public License 2.0 which is available at +# http://www.eclipse.org/legal/epl-2.0 +# +# SPDX-License-Identifier: EPL-2.0 +--- +# Default values for ditto. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + +serviceAccount: + # create controls whether a service account should be created + create: true + # name is the name of the service account to use + # If not set and create is true, a name is generated using the fullname template + name: + +rbac: + # enabled controls whether RBAC resources will be created + enabled: true + +nameOverride: "" +fullnameOverride: "" + +## ---------------------------------------------------------------------------- +## global configuration shared by all components +global: + # cluster holds the configuration for the Ditto/Akka cluster + cluster: + # requiredContactPoints defines the total amount of replicas in the Ditto cluster + # only if this amount is "seen" during cluster formation, the cluster can form itself + requiredContactPoints: 5 + # ddata holds the "Distributed Data" configuration: + ddata: + # numberOfShards defines whether ddata structures should be shared (if >1) + # this is needed in case a lot of event subscribers (thousands) are connected simultaneously + numberOfShards: 1 + # maxDeltaElements defines how many elements should be synced with a single cluster message + # if numberOfShards is > 1, it makes sense to keep maxDeltaElements lower + # so that the message size for remoting is not exceeding the configured max message size + maxDeltaElements: 1 + # numberOfShards configures the sharding applied for things/policies/connections based on their ID + # as a rule of thumb: should be 
factor ten of the amount of cluster replicas for an entity + numberOfShards: 50 + # downingStableAfter is a configuration of the Akka SBR (split brain resolver) + # how to find the right value: https://doc.akka.io/docs/akka/current/split-brain-resolver.html + downingStableAfter: 15s + # downAllWhenUnstable is a configuration of the Akka SBR (split brain resolver) + downAllWhenUnstable: "on" + # basicAuthUsers configures (as a map) several user/password combinations which the nginx of the Ditto chart will authenticate + basicAuthUsers: {} + # ditto: + # user: ditto + # password: ditto + # hashedBasicAuthUsers configures a list of hashed .htpasswd username/password entries + hashedBasicAuthUsers: [] + # jwtOnly controls whether only OpenID-Connect authentication is supported + # if false, both OpenID-Connect and basicAuth via nginx (see above "basicAuthUsers" and "hashedBasicAuthUsers") is used + # ref: https://www.eclipse.org/ditto/installation-operating.html#openid-connect + jwtOnly: true + # jvmOptions defines the JVM options applied to all Ditto services running in the JVM, it is put in JAVA_TOOL_OPTIONS + jvmOptions: > + -XX:+ExitOnOutOfMemoryError + -XX:+UseContainerSupport + -XX:+UseStringDeduplication + -Xss512k + -XX:MaxMetaspaceSize=256m + -XX:+UseG1GC + -Djava.net.preferIPv4Stack=true + akkaOptions: > + -Dakka.management.cluster.bootstrap.contact-point-discovery.port-name=management + -Dakka.cluster.failure-detector.threshold=15.0 + -Dakka.cluster.failure-detector.expected-response-after=3s + -Dakka.cluster.failure-detector.acceptable-heartbeat-pause=7s + -Dakka.persistence.journal-plugin-fallback.recovery-event-timeout=30s + -Dakka.persistence.max-concurrent-recoveries=100 + -Dakka.cluster.sharding.updating-state-timeout=20s + -Dakka.cluster.shutdown-after-unsuccessful-join-seed-nodes=120s + # timezone defines the timezone to configure the JVM with + timezone: Europe/Berlin + # imagePullSecrets will be added to every deployment + imagePullSecrets: [] + # 
proxyPart configures a reverse proxy part to be added in front of the Ditto API endpoints: + proxyPart: "" + # prometheus holds the Prometheus specific configuration + prometheus: + # enabled controls whether scrape config annotation will be added to pod templates + enabled: true + # path where prometheus metric will be provided + path: "/" + # port where prometheus metrics will be provided + port: 9095 + # logging the logging configuration for Ditto + logging: + # sysout holds the logging to SYSOUT config + sysout: + # enabled defines whether to log to SYSOUT + enabled: true + # logstash configures if logs should be pushed to a logstash endpoint + logstash: + # enabled defines whether to log to logstash + enabled: false + # endpoint configures the logstash endpoint to send logs to + endpoint: "" + # logFiles defines logging to log files config + logFiles: + # enabled whether to write logs to log files + # log files can be found on the host under /var/log/ditto + enabled: false + # customConfigFile configures that a custom "Logback" config file should be used instead of the one bundled + # with Ditto on the classpath + customConfigFile: + # enabled if enabled, a custom logback.xml file added to the Ditto containers will be used for logging configuration + enabled: true + # fileName passed as Java system property "-Dlogback.configurationFile" + fileName: logback.xml + # tracing configuration for Ditto + tracing: + # enabled whether tracing (via OpenTelemetry) is enabled + enabled: false + # otelExporterOtlpEndpoint the OTLP endpoint to report traces to + otelExporterOtlpEndpoint: "http://localhost:4317" + # sampler the tracing sampler to use + # can be one of: + # - always: report all traces. + # - never: don't report any trace. + # - random: randomly decide using the probability defined in the random-sampler.probability setting. + # - adaptive: keeps dynamic samplers for each operation while trying to achieve a set throughput goal. 
+ sampler: never + # randomSampler configures the 'random' sampler + randomSampler: + # probability configures the probability of a span being sampled, must be a value between 0 and 1 + probability: 0.01 + # adaptiveSampler configures the 'adaptive' sampler + adaptiveSampler: + # throughput the throughput goal trying to achieve with the adaptive sampler + throughput: 600 + +## ---------------------------------------------------------------------------- +## dbconfig for mongodb connections +## will be handled as k8s secret as connection uri might contain auth credentials +dbconfig: + # policies the MongoDB configuration for Ditto "policies" service + policies: + uri: mongodb://#{PLACEHOLDER_MONGODB_HOSTNAME}#:27017/ditto + ssl: false + # things the MongoDB configuration for Ditto "things" service + things: + uri: mongodb://#{PLACEHOLDER_MONGODB_HOSTNAME}#:27017/ditto + ssl: false + # connectivity the MongoDB configuration for Ditto "connectivity" service + connectivity: + uri: mongodb://#{PLACEHOLDER_MONGODB_HOSTNAME}#:27017/ditto + ssl: false + # thingsSearch the MongoDB configuration for Ditto "things-search" service + thingsSearch: + uri: mongodb://#{PLACEHOLDER_MONGODB_HOSTNAME}#:27017/ditto + ssl: false + ## If following property is set, an existing secret will be used to retrieve the mongodb connectionUris from. 
+ # uriSecret: my-uri-secret + +## ---------------------------------------------------------------------------- +## ingress configures the Ingress +ingress: + # enabled whether Ingress should be enabled as alternative to the contained nginx + enabled: false + # className is the 'ingressClassName' to configure in the Ingress spec + className: nginx + # host the hostname of the Ingress shared for all: api, ws and ui + host: localhost + # defaultBackendSuffix the suffix to add to the internal fullname to use as Ingress "defaultBackend" + defaultBackendSuffix: nginx + # annotations common annotations for all 3 Ingresses of Ditto + annotations: + nginx.ingress.kubernetes.io/service-upstream: "true" + nginx.ingress.kubernetes.io/server-snippet: | + charset utf-8; + default_type application/json; + chunked_transfer_encoding off; + + send_timeout 70; # seconds, default: 60 + client_header_buffer_size 8k; # allow longer URIs + headers (default: 1k) + large_client_header_buffers 4 16k; + + proxy_http_version 1.1; + proxy_set_header X-Forwarded-Host $http_host; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header Host $host; + # api the /api, /devops, /status, /overall and /health Ingress configuration + api: + # paths configures ingress paths + paths: + - path: /api + backendSuffix: gateway + - path: /devops + backendSuffix: gateway + - path: /status + backendSuffix: gateway + - path: /stats + backendSuffix: gateway + - path: /overall + backendSuffix: gateway + - path: /health + backendSuffix: gateway + # annotations defines k8s annotations to add to the Ingress + annotations: + nginx.ingress.kubernetes.io/proxy-connect-timeout: "10" # seconds, default: 60 + nginx.ingress.kubernetes.io/proxy-send-timeout: "70" # seconds, default: 60 + nginx.ingress.kubernetes.io/proxy-read-timeout: "70" # seconds, default: 60 + nginx.ingress.kubernetes.io/proxy-next-upstream: "error timeout http_502" + 
nginx.ingress.kubernetes.io/proxy-next-upstream-tries: "4" + nginx.ingress.kubernetes.io/proxy-next-upstream-timeout: "50" + nginx.ingress.kubernetes.io/proxy-buffer-size: "16k" + nginx.ingress.kubernetes.io/configuration-snippet: | + set $cors '1'; + + if ($request_method = 'OPTIONS') { + set $cors "${cors}o"; + } + + if ($cors = '1') { + add_header 'Access-Control-Allow-Origin' '$http_origin' always; + add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, PATCH, DELETE, OPTIONS' always; + add_header 'Access-Control-Allow-Credentials' 'true' always; + add_header 'Access-Control-Allow-Headers' '$http_access_control_request_headers' always; + add_header 'Access-Control-Expose-Headers' '*' always; + } + + if ($cors = '1o') { + # Tell client that this pre-flight info is valid for 20 days + add_header 'Access-Control-Max-Age' 1728000; + add_header 'Access-Control-Allow-Origin' '$http_origin' always; + add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, PATCH, DELETE, OPTIONS' always; + add_header 'Access-Control-Allow-Credentials' 'true' always; + add_header 'Access-Control-Allow-Headers' '$http_access_control_request_headers' always; + add_header 'Access-Control-Expose-Headers' '*' always; + add_header 'Content-Type' 'text/plain charset=UTF-8'; + add_header 'Content-Length' 0; + return 200; + } + + if ($request_method = 'OPTIONS') { + add_header 'Content-Type' 'text/plain charset=UTF-8'; + return 405 "Origin $http_origin is not in CORS allow-list, contact your admin to get it added"; + } + + # security relevant headers: + add_header "Content-Security-Policy" "default-src 'none'; frame-ancestors 'none'" always; + add_header "Strict-Transport-Security" "max-age=63072000; includeSubdomains;" always; + add_header "Cache-Control" "no-cache" always; + add_header "X-Content-Type-Options" "nosniff" always; + add_header "X-Frame-Options" "SAMEORIGIN" always; + add_header "X-XSS-Protection" "1; mode=block" always; + # ws the /ws (WebSocket) Ingress configuration + 
ws: + # paths configures ingress paths + paths: + - path: /ws + backendSuffix: gateway + # annotations defines k8s annotations to add to the Ingress + annotations: + nginx.ingress.kubernetes.io/proxy-send-timeout: "86400" # seconds, default: 60 + nginx.ingress.kubernetes.io/proxy-read-timeout: "86400" # seconds, default: 60 + nginx.ingress.kubernetes.io/proxy-next-upstream: "error timeout http_502" + nginx.ingress.kubernetes.io/proxy-next-upstream-tries: "4" + nginx.ingress.kubernetes.io/proxy-next-upstream-timeout: "50" + nginx.ingress.kubernetes.io/proxy-buffering: "off" + nginx.ingress.kubernetes.io/configuration-snippet: | + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + # the / Ingress configuration for serving the landing page and static resources + root: + # paths configures ingress paths + paths: + - path: / + pathType: Exact + backendSuffix: nginx + - path: /index.html + pathType: Exact + backendSuffix: nginx + - path: /ditto-up.svg + pathType: Exact + backendSuffix: nginx + - path: /ditto-down.svg + pathType: Exact + backendSuffix: nginx + # annotations defines k8s annotations to add to the Ingress + annotations: + nginx.ingress.kubernetes.io/proxy-connect-timeout: "10" + nginx.ingress.kubernetes.io/configuration-snippet: | + # security relevant headers: + add_header "Content-Security-Policy" "default-src 'self'; script-src-elem 'self' 'sha256-Kq9eqc/CtX2tgHPLJUEf8vDO9eNiGaRBrwAYYXTroVc=' https://cdnjs.cloudflare.com https://cdn.jsdelivr.net; style-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net https://cdnjs.cloudflare.com; worker-src 'self' blob:; object-src 'none';" always; + add_header "Strict-Transport-Security" "max-age=63072000; includeSubdomains;" always; + add_header "Cache-Control" "no-cache" always; + add_header "X-Content-Type-Options" "nosniff" always; + add_header "X-Frame-Options" "SAMEORIGIN" always; + add_header "X-XSS-Protection" "1; mode=block" always; + # ui the /ui and /apidoc Ingress 
configuration + ui: + # paths configures ingress paths + paths: + - path: / + pathType: Exact + backendSuffix: nginx + - path: /apidoc(/|$)(.*) + backendSuffix: swaggerui + - path: /ui(/|$)(.*) + backendSuffix: dittoui + # annotations defines k8s annotations to add to the Ingress + annotations: + nginx.ingress.kubernetes.io/use-regex: "true" + nginx.ingress.kubernetes.io/rewrite-target: /$2 + nginx.ingress.kubernetes.io/proxy-connect-timeout: "10" + nginx.ingress.kubernetes.io/configuration-snippet: | + # security relevant headers: + add_header "Content-Security-Policy" "default-src 'self'; script-src-elem 'self' 'sha256-Ve/Ec/6YDEeTc+9y+QCJ+e9OhyGWAj3bYxCzNGfOn6U=' 'sha256-Kq9eqc/CtX2tgHPLJUEf8vDO9eNiGaRBrwAYYXTroVc=' https://cdnjs.cloudflare.com https://cdn.jsdelivr.net; style-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net https://cdnjs.cloudflare.com; img-src 'self' data: https://raw.githubusercontent.com; font-src 'self' https://cdnjs.cloudflare.com; worker-src 'self' blob:; connect-src 'self' localhost http://localhost:8080; object-src 'none';" always; + add_header "Strict-Transport-Security" "max-age=63072000; includeSubdomains;" always; + add_header "Cache-Control" "no-cache" always; + add_header "X-Content-Type-Options" "nosniff" always; + add_header "X-Frame-Options" "SAMEORIGIN" always; + add_header "X-XSS-Protection" "1; mode=block" always; + # tls configures the TLS for ingress + tls: [] + # - secretName: ditto-tls + # hosts: + # - localhost + + +## ---------------------------------------------------------------------------- +## openshift configures the OpenShift deployment +openshift: + # enabled whether to deploy to OpenShift + enabled: false + # routes the OpenShift Routes + routes: + # enabled whether OpenShift routes are enabled + enabled: false + # annotations define k8s annotations to apply for the routes + annotations: {} + # host: "" + # targetPort configures the target port + targetPort: http + # tlsTermination: "edge" + # 
tlsInsecurePolicy: "Redirect" + # securityContext the security context for OpenShift + securityContext: {} + +## ---------------------------------------------------------------------------- +## akka holds the Akka actor configuration +## ref: https://doc.akka.io/docs/akka/current/typed/index.html +akka: + # actorSystemName defines the actor/cluster name of the Ditto cluster + actorSystemName: ditto-cluster + # remoting holds configuration for the Akka cluster remoting + remoting: + # port defines the Port to use for remoting + port: 2551 + # mgmthttp holds configuration for the Akka cluster management + mgmthttp: + # port defines the Port to use for akka http management + port: 8558 + +# Set "dittoTag" in order to specify another Ditto version to use for all Ditto services: +# you may also use "1" (for latest Ditto 1.x.x) or "1.5" (for latest Ditto 1.5.x) +# dittoTag: 3.2.0 + + +## ---------------------------------------------------------------------------- +## policies configuration +## ref: https://www.eclipse.org/ditto/architecture-services-policies.html +policies: + # enabled controls whether policies related resources should be created + enabled: true + # replicaCount configuration for policies + replicaCount: 1 + # updateStrategy configuration for policies + # ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy + updateStrategy: + type: RollingUpdate + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 + # minReadySeconds configures the minimum number of seconds for which a newly created Pod should be ready without any + # of its containers crashing, for it to be considered available + # ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#min-ready-seconds + minReadySeconds: 10 + # additionalLabels configuration for policies + additionalLabels: {} + # additionalAnnotations configuration for policies + additionalAnnotations: {} + image: + # repository for the policies docker image + repository: 
docker.io/eclipse/ditto-policies + # tag for the policies docker image - overwrite to specify something else than Chart.AppVersion + # tag: 3.2.0 + # pullPolicy for the policies docker image + pullPolicy: IfNotPresent + # additionalJvmOptions JVM options to put into JAVA_TOOL_OPTIONS + additionalJvmOptions: "" + # systemProps used to define arbitrary system properties for policies service + # ref: https://www.eclipse.org/ditto/installation-operating.html#configuration + systemProps: + # extraEnv to add arbitrary environment variable to policies container + extraEnv: + # - name: LOG_LEVEL_APPLICATION + # value: "DEBUG" + # resources configures the resources available/to use for the policies service + resources: + # cpu defines the "required" CPU of a node so that the service is placed there + cpu: 0.5 + # memoryMi defines the memory in mebibyte (MiB) used as "required" and "limit" in k8s + memoryMi: 1024 + # jvm contains JVM specific scaling/tuning configuration of e.g. processors and garbage collector settings + jvm: + # activeProcessorCount defines how many processors the JVM should be configured to use + # this is e.g. 
relevant for the GC which calculates the amount of asynchronous threads for GC based on the processor count + activeProcessorCount: 2 + # heapRamPercentage defines how much memory of the configured "resources.memoryMi" can be used by the JVM heap space + # be aware that the JVM also requires memory for "off heap" (and also stack) space + the container needs memory as well + heapRamPercentage: 60 + # maxGcPauseMillis configures the used G1 GC "target for the maximum GC pause time" + # default (by JVM if not set): 200 + maxGcPauseMillis: 150 + # readinessProbe configuration for policies + # ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes + readinessProbe: + initialDelaySeconds: 30 + periodSeconds: 10 + timeoutSeconds: 3 + successThreshold: 1 + failureThreshold: 3 + # livenessProbe configuration for policies + # ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes + livenessProbe: + initialDelaySeconds: 160 + periodSeconds: 10 + timeoutSeconds: 5 + successThreshold: 1 + failureThreshold: 4 + # networkPolicy configuration for policies + # ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/ + networkPolicy: + # enabled controls whether policies related NetworkPolicy should be created + enabled: true + # podDisruptionBudget configuration for policies + # ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/ + podDisruptionBudget: + # enabled controls whether policies related PodDisruptionBudget should be created + enabled: true + # minAvailable number of replicas during voluntary disruptions + minAvailable: 1 + # nodeSelector configuration for policies + # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector + nodeSelector: {} + # tolerations configuration for policies + # ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + 
tolerations: [] + # affinity configuration for policies + # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity + affinity: {} + # podMonitor configuration for policies + podMonitor: + # enabled configures whether Pod Monitor is enabled, then a resource to scrape policies metrics will be created + enabled: false + # interval: 30s + # scrapeTimeout: 15s + # config holds policies specific configuration + config: + # mongodb holds mongodb specific configuration of policies + mongodb: + # minPoolSize configures the minimum number of connections in the connection pool + minPoolSize: 10 + # maxPoolSize configures the minimum number of connections in the connection pool + maxPoolSize: 200 + # maxPoolIdleTime configures the maximum amount of time a pooled connection is allowed to idle before closing the connection + maxPoolIdleTime: 10m + # journalWriteConcern the MongoDB write concern to apply for writing operations on the event journal + # one of: Unacknowledged | Acknowledged | Journaled | ReplicaAcknowledged + journalWriteConcern: "Journaled" + # snapsWriteConcern the MongoDB write concern to apply for writing operations on the snapshots persistence + # one of: Unacknowledged | Acknowledged | Journaled | ReplicaAcknowledged + snapsWriteConcern: "Journaled" + # journalCircuitBreaker configures the circuit breaker for MongoDB operations on the event journal + journalCircuitBreaker: + # maxTries opens the circuit breaker if an exception during persisting an event occurs this often + # a successful write resets the counter + maxTries: 10 + # timeout configures the MongoDB write timeouts also causing the circuit breaker to open + timeout: 10s + # reset after this time in "Open" state, the circuit breaker is "Half-opened" again + reset: 5s + # snapsCircuitBreaker configures the circuit breaker for MongoDB operations on the snapshots persistence + snapsCircuitBreaker: + # maxTries opens the circuit breaker if an exception during 
persisting a snapshot occurs this often + # a successful write resets the counter + maxTries: 10 + # timeout configures the MongoDB write timeouts also causing the circuit breaker to open + timeout: 20s + # reset after this time in "Open" state, the circuit breaker is "Half-opened" again + reset: 8s + # cleanup contains the configuration for the background cleanup of stale snapshots and events + cleanup: + # enabled configures whether background cleanup is enabled or not + # if enabled, stale "snapshot" and "journal" entries will be cleaned up from the MongoDB by a background process: + enabled: false + # quietPeriod defines how long to stay in a state where the background cleanup is not yet started + quietPeriod: 5m + # history contains configuration regarding the event history + history: + # retentionDuration configures the duration of how long to "keep" events and snapshots before being allowed to remove them in scope of cleanup + retentionDuration: 30d + # metricsReporter config of MongoMetricsReporter which is used by policies in order to report current persistence + # roundtrip times in order to determine credits to cleanup stale data (journal entries, snapshots) + metricsReporter: + # resolution configures how far apart each measurement should be done + resolution: 1s + # history configures how many historical items to keep + history: 5 + # interval configures how often a "credit decision" is made + interval: 1s + # timerThreshold configures the maximum database latency to give out credit for cleanup actions + timerThreshold: 100ms + # creditsPerBatch configures how many "cleanup credits" should be generated per "interval" as long as the + creditsPerBatch: 5 + # persistence holds configuration regarding (akka) persistence of policies (event journal and snapshots) + persistence: + # activityCheckInterval configures to keep policies for that amount of time in memory when no other use did happen: + activityCheckInterval: 2d + # pingRate used to throttle pinging 
of PolicyPersistenceActors, so that not all PolicyPersistenceActors are recovered at the same time: + pingRate: + # frequency the frequency of sent "pings" to PolicyPersistenceActors + frequency: 1s + # entities the amount of entities to wake up per "frequency" interval + entities: 50 + # events contains event journal specific configuration + events: + # historicalHeadersToPersist define the DittoHeaders to persist when persisting events to the journal + # those can e.g. be retrieved as additional "audit log" information when accessing a historical Policy revision + historicalHeadersToPersist: + # - "ditto-originator" + # - "ditto-origin" + # - "correlation-id" + # snapshots contains snapshots persistence specific configuration + snapshots: + # interval configures the interval when to do snapshot for a Policy which had changes to it + interval: 15m + # threshold configures the threshold after how many changes to a Policy to do a snapshot + threshold: 5 + +## ---------------------------------------------------------------------------- +## things configuration +## ref: https://www.eclipse.org/ditto/architecture-services-things.html +things: + # enabled controls whether things related resources should be created + enabled: true + # replicaCount configuration for things + replicaCount: 1 + # updateStrategy configuration for things + # ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy + updateStrategy: + type: RollingUpdate + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 + # minReadySeconds configures the minimum number of seconds for which a newly created Pod should be ready without any + # of its containers crashing, for it to be considered available + # ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#min-ready-seconds + minReadySeconds: 10 + # additionalLabels configuration for things + additionalLabels: {} + # additionalAnnotations configuration for things + additionalAnnotations: {} + image: + # 
repository for the things docker image + repository: docker.io/eclipse/ditto-things + # tag for the things docker image - overwrite to specify something else than Chart.AppVersion + # tag: 3.2.0 + # pullPolicy for the things docker image + pullPolicy: IfNotPresent + # additionalJvmOptions JVM options to put into JAVA_TOOL_OPTIONS + additionalJvmOptions: "" + # systemProps used to define arbitrary system properties for things service + # ref: https://www.eclipse.org/ditto/installation-operating.html#configuration + systemProps: + # extraEnv to add arbitrary environment variable to things container + extraEnv: + # - name: LOG_LEVEL_APPLICATION + # value: "DEBUG" + # resources configures the resources available/to use for the things service + resources: + # cpu defines the "required" CPU of a node so that the service is placed there + cpu: 0.5 + # memoryMi defines the memory in mebibyte (MiB) used as "required" and "limit" in k8s + memoryMi: 1024 + # jvm contains JVM specific scaling/tuning configuration of e.g. processors and garbage collector settings + jvm: + # activeProcessorCount defines how many processors the JVM should be configured to use + # this is e.g. 
relevant for the GC which calculates the amount of asynchronous threads for GC based on the processor count + activeProcessorCount: 2 + # heapRamPercentage defines how much memory of the configured "resources.memoryMi" can be used by the JVM heap space + # be aware that the JVM also requires memory for "off heap" (and also stack) space + the container needs memory as well + heapRamPercentage: 60 + # maxGcPauseMillis configures the used G1 GC "target for the maximum GC pause time" + # default (by JVM if not set): 200 + maxGcPauseMillis: 150 + # readinessProbe configuration for things + # ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes + readinessProbe: + initialDelaySeconds: 30 + periodSeconds: 10 + timeoutSeconds: 3 + successThreshold: 1 + failureThreshold: 3 + # livenessProbe configuration for things + # ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes + livenessProbe: + initialDelaySeconds: 160 + periodSeconds: 10 + timeoutSeconds: 5 + successThreshold: 1 + failureThreshold: 4 + # networkPolicy configuration for things + # ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/ + networkPolicy: + # enabled controls whether things related NetworkPolicy should be created + enabled: true + # podDisruptionBudget configuration for things + # ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/ + podDisruptionBudget: + # enabled controls whether things related PodDisruptionBudget should be created + enabled: true + # minAvailable number of replicas during voluntary disruptions + minAvailable: 1 + # nodeSelector configuration for things + # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector + nodeSelector: {} + # tolerations configuration for things + # ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + tolerations: [] + # 
affinity configuration for things + # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity + affinity: {} + # podMonitor configuration for things + podMonitor: + # enabled configures whether Pod Monitor is enabled, then a resource to scrape things metrics will be created + enabled: false + # interval: 30s + # scrapeTimeout: 15s + # config holds things specific configuration + config: + # mongodb holds mongodb specific configuration of things + mongodb: + # minPoolSize configures the minimum number of connections in the connection pool + minPoolSize: 10 + # maxPoolSize configures the minimum number of connections in the connection pool + maxPoolSize: 200 + # maxPoolIdleTime configures the maximum amount of time a pooled connection is allowed to idle before closing the connection + maxPoolIdleTime: 10m + # journalWriteConcern the MongoDB write concern to apply for writing operations on the event journal + # one of: Unacknowledged | Acknowledged | Journaled | ReplicaAcknowledged + journalWriteConcern: "Acknowledged" + # snapsWriteConcern the MongoDB write concern to apply for writing operations on the snapshots persistence + # one of: Unacknowledged | Acknowledged | Journaled | ReplicaAcknowledged + snapsWriteConcern: "Acknowledged" + # journalCircuitBreaker configures the circuit breaker for MongoDB operations on the event journal + journalCircuitBreaker: + # maxTries opens the circuit breaker if an exception during persisting an event occurs this often + # a successful write resets the counter + maxTries: 10 + # timeout configures the MongoDB write timeouts also causing the circuit breaker to open + timeout: 10s + # reset after this time in "Open" state, the circuit breaker is "Half-opened" again + reset: 5s + # snapsCircuitBreaker configures the circuit breaker for MongoDB operations on the snapshots persistence + snapsCircuitBreaker: + # maxTries opens the circuit breaker if an exception during persisting a snapshot 
occurs this often + # a successful write resets the counter + maxTries: 10 + # timeout configures the MongoDB write timeouts also causing the circuit breaker to open + timeout: 20s + # reset after this time in "Open" state, the circuit breaker is "Half-opened" again + reset: 8s + # cleanup contains the configuration for the background cleanup of stale snapshots and events + cleanup: + # enabled configures whether background cleanup is enabled or not + # if enabled, stale "snapshot" and "journal" entries will be cleaned up from the MongoDB by a background process: + enabled: true + # quietPeriod defines how long to stay in a state where the background cleanup is not yet started + quietPeriod: 5m + # history contains configuration regarding the event history + history: + # retentionDuration configures the duration of how long to "keep" events and snapshots before being allowed to remove them in scope of cleanup + retentionDuration: 30d + # metricsReporter config of MongoMetricsReporter which is used by policies in order to report current persistence + # roundtrip times in order to determine credits to cleanup stale data (journal entries, snapshots) + metricsReporter: + # resolution configures how far apart each measurement should be done + resolution: 1s + # history configures how many historical items to keep + history: 5 + # interval configures how often a "credit decision" is made + interval: 1s + # timerThreshold configures the maximum database latency to give out credit for cleanup actions + timerThreshold: 100ms + # creditsPerBatch configures how many "cleanup credits" should be generated per "interval" as long as the + creditsPerBatch: 5 + # persistence holds configuration regarding (akka) persistence of things (event journal and snapshots) + persistence: + # activityCheckInterval configures to keep things for that amount of time in memory when no other use did happen + activityCheckInterval: 2d + # events contains event journal specific configuration + 
events: + # historicalHeadersToPersist define the DittoHeaders to persist when persisting events to the journal + # those can e.g. be retrieved as additional "audit log" information when accessing a historical Thing revision + historicalHeadersToPersist: + # - "ditto-originator" + # - "ditto-origin" + # - "correlation-id" + # snapshots contains snapshots persistence specific configuration + snapshots: + # the interval when to do snapshot for a Thing which had changes to it + interval: 15m + # the threshold after how many changes to a Thing to do a snapshot + threshold: 50 + # policiesEnforcer contains configuration for Ditto "Policy Enforcers", e.g. regarding caching + policiesEnforcer: + # cache holds the configuration of policy enforcer caching + cache: + # enabled whether caching of policy enforcers should be enabled + enabled: true + # maxSize the maximum size of policy enforcers to keep in the cache + maxSize: 50000 + # expireAfterWrite the maximum duration of inconsistency after losing a cache invalidation + expireAfterWrite: 8h + # expireAfterAccess prolonged on each cache access by that duration + expireAfterAccess: 4h + # wot contains Web of Things (WoT) specific configuration + wot: + # tdBasePrefix is the base to use where the Ditto endpoint is located in order to be injected into TDs: + tdBasePrefix: "http://localhost:8080" + # tdJsonTemplate contains a json template added to generated TDs, e.g. 
containing security information: + tdJsonTemplate: >- + { + "securityDefinitions": { + "basic_sc": { + "scheme": "basic", + "in": "header" + } + }, + "security": "basic_sc", + "support": "https://www.eclipse.org/ditto/" + } + +## ---------------------------------------------------------------------------- +## things-search configuration +## ref: https://www.eclipse.org/ditto/architecture-services-things-search.html +thingsSearch: + # enabled controls whether things-search related resources should be created + enabled: true + # replicaCount configuration for things-search + replicaCount: 1 + # updateStrategy configuration for things-search + # ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy + updateStrategy: + type: RollingUpdate + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 + # minReadySeconds configures the minimum number of seconds for which a newly created Pod should be ready without any + # of its containers crashing, for it to be considered available + # ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#min-ready-seconds + minReadySeconds: 10 + # additionalLabels configuration for things-search + additionalLabels: {} + # additionalAnnotations configuration for things-search + additionalAnnotations: {} + image: + # repository for the things-search docker image + repository: docker.io/eclipse/ditto-things-search + # tag for the things-search docker image - overwrite to specify something else than Chart.AppVersion + # tag: 3.2.0 + # pullPolicy for the things-search docker image + pullPolicy: IfNotPresent + # additional JVM options to put into JAVA_TOOL_OPTIONS + additionalJvmOptions: "" + # systemProps used to define arbitrary system properties for things-search service + # ref: https://www.eclipse.org/ditto/installation-operating.html#configuration + systemProps: + # extraEnv to add arbitrary environment variable to things-search container + extraEnv: + # - name: LOG_LEVEL_APPLICATION + # value: 
"DEBUG" + # resources configures the resources available/to use for the things search service + resources: + # cpu defines the "required" CPU of a node so that the service is placed there + cpu: 0.5 + # memoryMi defines the memory in mebibyte (MiB) used as "required" and "limit" in k8s + memoryMi: 1024 + # jvm contains JVM specific scaling/tuning configuration of e.g. processors and garbage collector settings + jvm: + # activeProcessorCount defines how many processors the JVM should be configured to use + # this is e.g. relevant for the GC which calculates the amount of asynchronous threads for GC based on the processor count + activeProcessorCount: 2 + # heapRamPercentage defines how much memory of the configured "resources.memoryMi" can be used by the JVM heap space + # be aware that the JVM also requires memory for "off heap" (and also stack) space + the container needs memory as well + heapRamPercentage: 60 + # maxGcPauseMillis configures the used G1 GC "target for the maximum GC pause time" + # default (by JVM if not set): 200 + maxGcPauseMillis: 150 + # readinessProbe configuration for things-search + # ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes + readinessProbe: + initialDelaySeconds: 30 + periodSeconds: 10 + timeoutSeconds: 3 + successThreshold: 1 + failureThreshold: 3 + # livenessProbe configuration for things-search + # ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes + livenessProbe: + initialDelaySeconds: 160 + periodSeconds: 10 + timeoutSeconds: 5 + successThreshold: 1 + failureThreshold: 4 + # networkPolicy configuration for things-search + # ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/ + networkPolicy: + # enabled controls whether things-search related NetworkPolicy should be created + enabled: true + # podDisruptionBudget configuration for things-search + # ref: 
https://kubernetes.io/docs/tasks/run-application/configure-pdb/ + podDisruptionBudget: + # enabled controls whether things-search related PodDisruptionBudget should be created + enabled: true + # minAvailable number of replicas during voluntary disruptions + minAvailable: 1 + # nodeSelector configuration for things-search + # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector + nodeSelector: {} + # tolerations configuration for things-search + # ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + tolerations: [] + # affinity configuration for things-search + # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity + affinity: {} + # podMonitor configuration for things-search + podMonitor: + # enabled configures whether Pod Monitor is enabled, then a resource to scrape things search metrics will be created + enabled: false + # interval: 30s + # scrapeTimeout: 15s + # config holds things-search specific configuration + config: + # mongodb holds mongodb specific configuration of things-search + mongodb: + # minPoolSize configures the minimum number of connections in the connection pool + minPoolSize: 10 + # maxPoolSize configures the minimum number of connections in the connection pool + maxPoolSize: 100 + # maxPoolIdleTime configures the maximum amount of time a pooled connection is allowed to idle before closing the connection + maxPoolIdleTime: 10m + # searchReadPreference configures the overall MongoDB read preference + # one of: primary | primaryPreferred | secondary | secondaryPreferred | nearest + searchReadPreference: "primary" + # searchWriteConcern configures the overall MongoDB write concern + # one of: unacknowledged | acknowledged | majority | journaled | w1 | w2 | w3 + searchWriteConcern: "acknowledged" + # searchWithAcksWriteConcern configures the MongoDB write concern for commands sent with "search-persisted" ACK + # ref: 
https://www.eclipse.org/ditto/basic-acknowledgements.html#built-in-acknowledgement-labels + # one of: unacknowledged | acknowledged | majority | journaled | w1 | w2 | w3 + searchWithAcksWriteConcern: "majority" + # queryReadConcern configures the MongoDB read concern for doing queries / performing searches + # only if this is "linearizable" in combination with the searchWithAcksWriteConcern: "majority" a strong consistency + # for commands using the "search-persisted" requested ACK is guaranteed + # one of: default | local | majority | linearizable | snapshot | available + queryReadConcern: "linearizable" + # updaterPersistenceReadConcern configures the MongoDB read concern for the "ThingUpdater" + # one of: default | local | majority | linearizable | snapshot | available + updaterPersistenceReadConcern: "local" + # updaterPersistenceReadPreference configures the MongoDB read preference for the "ThingUpdater" + updaterPersistenceReadPreference: "primaryPreferred" + # updater contains configuration for the "Things Updater" of things-search service + updater: + # activityCheckInterval configures to keep thing updaters for that amount of time in memory when no update did happen: + activityCheckInterval: 2h + # stream contains streaming configuration settings of the things-search service + stream: + # retrievalParallelism configures the upper bound of parallel SudoRetrieveThing commands + # (by extension, parallel loads of policy enforcer cache) + retrievalParallelism: 64 + persistence: + # parallelism configures how much bulk writes to request in parallel - must be a power of 2 + parallelism: 16 + # policiesEnforcer contains configuration for Ditto "Policy Enforcers", e.g. 
regarding caching + policiesEnforcer: + # cache holds the configuration of policy enforcer caching + cache: + # maxSize the maximum size of policy enforcers to keep in the cache + maxSize: 30000 + # expireAfterWrite the maximum duration of inconsistency after losing a cache invalidation + expireAfterWrite: 12h + # expireAfterAccess prolonged on each cache access by that duration + expireAfterAccess: 6h + # thingCache configures the cache configuration for caching of things in things-search + thingCache: + # maxSize defines how many things to cache + maxSize: 30000 + # expireAfterWrite defines how long at most to keep things in the cache after loading them into the cache + expireAfterWrite: 12h + # expireAfterWrite defines how long at most to keep things in the cache after last accessing them from the cache + expireAfterAccess: 6h + # backgroundSync contains the configuration for the "background sync" responsible for continuously streaming + # over snapshot entries of things to ensure the eventual consistency of the search index + backgroundSync: + # enabled whether background sync is turned on + enabled: true + # quietPeriod the duration between service start-up and the beginning of background sync + quietPeriod: 5m + # idleTimeout how soon to close the remote stream if no element passed through it + idleTimeout: 5m + # toleranceWindow how long to wait before reacting to out-of-date search index entries + toleranceWindow: 20m + # keepEvents how many events to keep in the actor state + keepEvents: 2 + # throttle contains the background sync throttling configuration + throttle: + # throughput how many things to update per throttle period + throughput: 100 + # period the throttle period + period: 30s + + +## ---------------------------------------------------------------------------- +## connectivity configuration +## ref: https://www.eclipse.org/ditto/architecture-services-connectivity.html +connectivity: + # enabled controls whether connectivity related resources 
should be created + enabled: true + # replicaCount configuration for connectivity + replicaCount: 1 + # updateStrategy configuration for connectivity + # ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy + updateStrategy: + type: RollingUpdate + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 + # minReadySeconds configures the minimum number of seconds for which a newly created Pod should be ready without any + # of its containers crashing, for it to be considered available + # ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#min-ready-seconds + minReadySeconds: 10 + # additionalLabels configuration for connectivity + additionalLabels: {} + # additionalAnnotations configuration for connectivity + additionalAnnotations: {} + image: + # repository for the connectivity docker image + repository: docker.io/eclipse/ditto-connectivity + # tag for the connectivity docker image - overwrite to specify something else than Chart.AppVersion + # tag: 3.2.0 + # pullPolicy for the connectivity docker image + pullPolicy: IfNotPresent + # additional JVM options to put into JAVA_TOOL_OPTIONS + additionalJvmOptions: "" + # systemProps used to define arbitrary system properties for connectivity service + # ref: https://www.eclipse.org/ditto/installation-operating.html#configuration + systemProps: + # extraEnv to add arbitrary environment variable to connectivity container + extraEnv: + # - name: LOG_LEVEL_APPLICATION + # value: "DEBUG" + # resources configures the resources available/to use for the connectivity service + resources: + # cpu defines the "required" CPU of a node so that the service is placed there + cpu: 0.5 + # memoryMi defines the memory in mebibyte (MiB) used as "required" and "limit" in k8s + memoryMi: 1024 + # jvm contains JVM specific scaling/tuning configuration of e.g. 
processors and garbage collector settings + jvm: + # activeProcessorCount defines how many processors the JVM should be configured to use + # this is e.g. relevant for the GC which calculates the amount of asynchronous threads for GC based on the processor count + activeProcessorCount: 2 + # heapRamPercentage defines how much memory of the configured "resources.memoryMi" can be used by the JVM heap space + # be aware that the JVM also requires memory for "off heap" (and also stack) space + the container needs memory as well + heapRamPercentage: 60 + # maxGcPauseMillis configures the used G1 GC "target for the maximum GC pause time" + # default (by JVM if not set): 200 + maxGcPauseMillis: 150 + # readinessProbe configuration for connectivity + # ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes + readinessProbe: + initialDelaySeconds: 30 + periodSeconds: 10 + timeoutSeconds: 3 + successThreshold: 1 + failureThreshold: 3 + # livenessProbe configuration for connectivity + # ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes + livenessProbe: + initialDelaySeconds: 160 + periodSeconds: 10 + timeoutSeconds: 5 + successThreshold: 1 + failureThreshold: 4 + # networkPolicy configuration for connectivity + # ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/ + networkPolicy: + # enabled controls whether connectivity related NetworkPolicy should be created + enabled: true + # podDisruptionBudget configuration for connectivity + # ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/ + podDisruptionBudget: + # enabled controls whether connectivity related PodDisruptionBudget should be created + enabled: true + # minAvailable number of replicas during voluntary disruptions + minAvailable: 1 + # nodeSelector configuration for connectivity + # ref: 
https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector + nodeSelector: {} + # tolerations configuration for connectivity + # ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + tolerations: [] + # affinity configuration for connectivity + # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity + affinity: {} + # podMonitor configuration for connectivity + podMonitor: + # enabled configures whether Pod Monitor is enabled, then a resource to scrape connectivity metrics will be created + enabled: false + # interval: 30s + # scrapeTimeout: 15s + # config holds connectivity specific configuration + config: + # mongodb holds mongodb specific configuration of connectivity + mongodb: + # minPoolSize configures the minimum number of connections in the connection pool + minPoolSize: 10 + # maxPoolSize configures the minimum number of connections in the connection pool + maxPoolSize: 50 + # maxPoolIdleTime configures the maximum amount of time a pooled connection is allowed to idle before closing the connection + maxPoolIdleTime: 10m + # journalWriteConcern the MongoDB write concern to apply for writing operations on the event journal + # one of: Unacknowledged | Acknowledged | Journaled | ReplicaAcknowledged + journalWriteConcern: "Journaled" + # snapsWriteConcern the MongoDB write concern to apply for writing operations on the snapshots persistence + # one of: Unacknowledged | Acknowledged | Journaled | ReplicaAcknowledged + snapsWriteConcern: "Journaled" + # journalCircuitBreaker configures the circuit breaker for MongoDB operations on the event journal + journalCircuitBreaker: + # maxTries opens the circuit breaker if an exception during persisting an event occurs this often + # a successful write resets the counter + maxTries: 10 + # timeout configures the MongoDB write timeouts also causing the circuit breaker to open + timeout: 10s + # reset after this time in "Open" state, 
the circuit breaker is "Half-opened" again + reset: 5s + # snapsCircuitBreaker configures the circuit breaker for MongoDB operations on the snapshots persistence + snapsCircuitBreaker: + # maxTries opens the circuit breaker if an exception during persisting a snapshot occurs this often + # a successful write resets the counter + maxTries: 10 + # timeout configures the MongoDB write timeouts also causing the circuit breaker to open + timeout: 20s + # reset after this time in "Open" state, the circuit breaker is "Half-opened" again + reset: 8s + # policiesEnforcer contains configuration for Ditto "Policy Enforcers", e.g. regarding caching + policiesEnforcer: + # cache holds the configuration of policy enforcer caching + cache: + # enabled whether caching of policy enforcers should be enabled + enabled: true + # maxSize the maximum size of policy enforcers to keep in the cache + maxSize: 1000 + # expireAfterWrite the maximum duration of inconsistency after losing a cache invalidation + expireAfterWrite: 8h + # expireAfterAccess prolonged on each cache access by that duration + expireAfterAccess: 4h + # cleanup contains the configuration for the background cleanup of stale snapshots and events + cleanup: + # enabled configures whether background cleanup is enabled or not + # if enabled, stale "snapshot" and "journal" entries will be cleaned up from the MongoDB by a background process: + enabled: false + # quietPeriod defines how long to stay in a state where the background cleanup is not yet started + quietPeriod: 5m + # history contains configuration regarding the event history + history: + # retentionDuration configures the duration of how long to "keep" events and snapshots before being allowed to remove them in scope of cleanup + retentionDuration: 30d + # metricsReporter config of MongoMetricsReporter which is used by policies in order to report current persistence + # roundtrip times in order to determine credits to cleanup stale data (journal entries, snapshots) 
+ metricsReporter: + # resolution configures how far apart each measurement should be done + resolution: 1s + # history configures how many historical items to keep + history: 5 + # interval configures how often a "credit decision" is made + interval: 10s + # timerThreshold configures the maximum database latency to give out credit for cleanup actions + timerThreshold: 100ms + # creditsPerBatch configures how many "cleanup credits" should be generated per "interval" as long as the + creditsPerBatch: 5 + # persistence holds configuration regarding (akka) persistence of connections (event journal and snapshots) + persistence: + # keep closed, inactive connections for that amount of time in memory when no other use did happen: + activityCheckInterval: 45m + # events contains event journal specific configuration + events: + # historicalHeadersToPersist define the DittoHeaders to persist when persisting events to the journal + # those can e.g. be retrieved as additional "audit log" information when accessing a historical Connection revision + historicalHeadersToPersist: + # - "ditto-originator" + # - "ditto-origin" + # - "correlation-id" + # snapshots contains snapshots persistence specific configuration + snapshots: + # interval the interval when to do snapshot for a Connection which had changes to it + interval: 15m + # threshold the threshold after how many changes to a Connection to do a snapshot + threshold: 5 + # connections holds configuration regarding connections + connections: + # reconnect configures pinging of connections, so that not all connections are recovered at the same time + reconnect: + # rate configures the rate in which frequency to ping/wake up how many entities (connections) + rate: + # frequency the frequency of how often to wake up connections after restart + frequency: 1s + # entities the amount of entities to wake up per "frequency" interval + entities: 10 + # allowedHostnames contains a comma separated list of explicitly allowed hostnames + 
allowedHostnames: "" + # blockedHostnames contains a comma separated list of blocked hostnames + blockedHostnames: "localhost" + # blockedSubnets holds a comma separated string of blocked subnets + # specify subnets to block in CIDR format e.g. "11.1.0.0/16" + blockedSubnets: "" + # blockedHostRegex contains the regex for blocked hostnames + blockedHostRegex: ^.*\\.svc.cluster.local$ + limits: + # maxSources contains the max number of sources per connection + maxSources: 5 + # maxTargets contains the max number of targets per connection + maxTargets: 5 + enrichment: + # the buffer size used for the queue in the message mapping processor actor + bufferSize: 200 + # kafka contains the configuration specific to Ditto connections to Apache Kafka + kafka: + # consumer contains configuration for consuming messages from Kafka + consumer: + # throttling contains configuration for applying throttling when consuming from a single Kafka connection + throttling: + # enabled defines whether throttling should be applied when consuming messages from a Kafka source + enabled: true + # interval the interval at which the consumer is throttled - must be > 0s + interval: 1s + # limit defines the maximum number of messages the consumer is allowed to receive within the configured + # throttling "interval" e.g. 100 msgs/s - must be > 0 + limit: 500 + # maxInflightFactor configures how many unacknowledged messages are allowed at any time as factor of + # ${limit} - must be >= 1.0 + # This limit couples latency with throughput (long latency before ack -> lower throughput) + maxInflightFactor: 2.0 + # producer contains configuration for publishing messages to Kafka + producer: + # If a message can't be published it is put in a queue. Further messages are dropped when the queue is full. 
+ queueSize: 1000 + # Messages to publish in parallel per Kafka-Publisher (one per connectivity client) + parallelism: 10 + +## ---------------------------------------------------------------------------- +## gateway configuration +## ref: https://www.eclipse.org/ditto/architecture-services-gateway.html +gateway: + # enabled controls whether gateway related resources should be created + enabled: true + # replicaCount configuration for gateway + replicaCount: 1 + # updateStrategy configuration for gateway + # ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy + updateStrategy: + type: RollingUpdate + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 + # minReadySeconds configures the minimum number of seconds for which a newly created Pod should be ready without any + # of its containers crashing, for it to be considered available + # ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#min-ready-seconds + minReadySeconds: 10 + # additionalLabels configuration for gateway + additionalLabels: {} + # additionalAnnotations configuration for gateway + additionalAnnotations: {} + # additional JVM options to put into JAVA_TOOL_OPTIONS + additionalJvmOptions: "" + image: + # repository for the gateway docker image + repository: docker.io/eclipse/ditto-gateway + # tag for the gateway docker image - overwrite to specify something else than Chart.AppVersion + # tag: 3.2.0 + # pullPolicy for the gateway docker image + pullPolicy: IfNotPresent + # systemProps used to define arbitrary system properties configuration for gateway + # ref: https://www.eclipse.org/ditto/installation-operating.html#configuration + systemProps: + - "-Dditto.protocol.blocklist.0=raw-request-uri" + - "-Dditto.protocol.blocklist.1=cache-control" + - "-Dditto.protocol.blocklist.2=connection" + - "-Dditto.protocol.blocklist.3=timeout-access" + - "-Dditto.protocol.blocklist.4=accept-encoding" + - "-Dditto.protocol.blocklist.5=x-forwarded-scheme" + - 
"-Dditto.protocol.blocklist.6=x-forwarded-port" + - "-Dditto.protocol.blocklist.7=x-forwarded-for" + - "-Dditto.protocol.blocklist.8=forwarded=for" + - "-Dditto.protocol.blocklist.9=sec-fetch-mode" + - "-Dditto.protocol.blocklist.10=sec-fetch-site" + - "-Dditto.protocol.blocklist.11=authorization" + - "-Dditto.protocol.blocklist.12=accept-language" + - "-Dditto.protocol.blocklist.13=host" + - "-Dditto.protocol.blocklist.14=via" + - "-Dditto.protocol.blocklist.15=sec-ch-ua" + - "-Dditto.protocol.blocklist.16=sec-ch-ua-mobile" + - "-Dditto.protocol.blocklist.17=sec-ch-ua-platform" + - "-Dditto.protocol.blocklist.18=sec-fetch-dest" + - "-Dditto.protocol.blocklist.19=user-agent" + # extraEnv to add arbitrary environment variables to gateway container + extraEnv: + # - name: LOG_LEVEL_APPLICATION + # value: "DEBUG" + # resources configures the resources available/to use for the gateway service + resources: + # cpu defines the "required" CPU of a node so that the service is placed there + cpu: 0.5 + # memoryMi defines the memory in mebibyte (MiB) used as "required" and "limit" in k8s + memoryMi: 1024 + # jvm contains JVM specific scaling/tuning configuration of e.g. processors and garbage collector settings + jvm: + # activeProcessorCount defines how many processors the JVM should be configured to use + # this is e.g. 
relevant for the GC which calculates the amount of asynchronous threads for GC based on the processor count + activeProcessorCount: 2 + # heapRamPercentage defines how much memory of the configured "resources.memoryMi" can be used by the JVM heap space + # be aware that the JVM also requires memory for "off heap" (and also stack) space + the container needs memory as well + heapRamPercentage: 60 + # maxGcPauseMillis configures the used G1 GC "target for the maximum GC pause time" + # default (by JVM if not set): 200 + maxGcPauseMillis: 150 + # readinessProbe configuration for gateway + # ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes + readinessProbe: + initialDelaySeconds: 30 + periodSeconds: 10 + timeoutSeconds: 3 + successThreshold: 1 + failureThreshold: 3 + # livenessProbe configuration for gateway + # ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes + livenessProbe: + initialDelaySeconds: 160 + periodSeconds: 10 + timeoutSeconds: 5 + successThreshold: 1 + failureThreshold: 4 + # service configuration of the k8s service of the gateway + service: + # port number configuration for gateway + port: 8080 + # annotations to add arbitrary annotations to nginx service + annotations: {} + # networkPolicy configuration for gateway + # ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/ + networkPolicy: + # enabled controls whether gateway related NetworkPolicy should be created + enabled: true + # podDisruptionBudget configuration for gateway + # ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/ + podDisruptionBudget: + # enabled controls whether gateway related PodDisruptionBudget should be created + enabled: true + # minAvailable number of replicas during voluntary disruptions + minAvailable: 1 + # nodeSelector configuration for gateway + # ref: 
https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector + nodeSelector: {} + # tolerations configuration for gateway + # ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + tolerations: [] + # affinity configuration for gateway + # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity + affinity: {} + # podMonitor configuration for gateway + podMonitor: + # enabled configures whether Pod Monitor is enabled, then a resource to scrape gateway metrics will be created + enabled: false + # interval: 30s + # scrapeTimeout: 15s + # config holds gateway specific configuration + config: + # authentication contains the settings regarding authentication against the gateway + authentication: + # enablePreAuthentication whether Ditto "pre-authentication" should be enabled + # ref: https://www.eclipse.org/ditto/installation-operating.html#pre-authentication + enablePreAuthentication: false + # oauth contains the OAuth2.0 / OpenID Connect related configuration + oauth: + # allowedClockSkew configures the amount of clock skew in seconds to tolerate when verifying the local time against the exp and nbf claims + allowedClockSkew: 20s + # openidConnectIssuers holds a map of issuer-prefixes as key (e.g. "example") + # and OAuth "issuer" and "authSubjects" list containing which claims to extract from a JWT issued by the issuer + openidConnectIssuers: + # example: + # issuer: "example.com" + # authSubjects: + # - "{{ jwt:sub }}" + # - "{{ jwt:groups }}" + # devops contains the configuration of the gateway's "/devops" API, e.g. 
access to it + devops: + # secured this controls whether "/devops" and "/api/2/connections" resources are secured or not + secured: true + # authMethod declares the authentication method to apply for authenticating the "/devops" and "/api/2/connections" resources + # one of: "basic" | "oauth2" + authMethod: "basic" + # oauth contains the OAuth2.0 / OpenID Connect related configuration applied when "authMethod" above is "oauth2" + oauth: + # allowedClockSkew configures the amount of clock skew in seconds to tolerate when verifying the local time against the exp and nbf claims + allowedClockSkew: 20s + # openidConnectIssuers holds a map of issuer-prefixes as key (e.g. "example") + # and OAuth "issuer" and "authSubjects" list containing which claims to extract from a JWT issued by the issuer + openidConnectIssuers: + # example-ops: + # issuer: "example.com" + # authSubjects: + # - "{{ jwt:sub }}" + # - "{{ jwt:groups }}" + # oauthSubjects contains list of subjects authorized to use "/devops" and "/api/2/connections" resources + oauthSubjects: + # - "example-ops:devops-admin" + # statusSecured controls whether the "/status" and "/status/health" resources are secured or not + statusSecured: true + # statusAuthMethod declares the authentication method to apply for authenticating the "/status" and "/status/health" resources + # one of: "basic" | "oauth2" + statusAuthMethod: "basic" + # statusOauthSubjects contains list of subjects authorized to use "/status" API + statusOauthSubjects: + # - "example-ops:devops-admin" + # existingSecret contains the name of existing secret containing status and devops passwords + # if not set then default secret is created - useful for managing secrets with external secrets manager + existingSecret: + # devopsPassword the password to use for accessing "/devops" and "/api/2/connections" resources + # when "authMethod": "basic" (with username: devops) + # if not set a random password will be generated and used + devopsPassword: + # 
statusPassword will be used for accessing "/status" and "/status/health" resources
+ # when "statusAuthMethod": "basic" (with username: devops)
+ # if not set a random password will be set
+ statusPassword:
+ # websocket contains the gateway websocket configuration
+ websocket:
+ # subscriber contains the configuration for receiving data via the websocket
+ subscriber:
+ # backpressureQueueSize is the max queue size of how many inflight commands a single websocket client can have
+ backpressureQueueSize: 100
+ # publisher contains the configuration for sending/publishing data via the websocket
+ publisher:
+ # backpressureBufferSize is the max buffer size of how many outstanding CommandResponses and Events a single
+ # websocket client can have - additional CommandResponses and Events are dropped if this size is reached
+ backpressureBufferSize: 200
+ # throttling contains the throttling configuration of a single websocket session
+ throttling:
+ # enabled whether throttling message consumption via a single websocket session is enabled
+ enabled: true
+ # interval is the interval at which a single websocket session is rate-limited - must be > 0s
+ interval: 1s
+ # limit is the maximum number of messages the websocket session is allowed to receive within the configured
+ # throttling interval e.g. 100 msgs/s
+ limit: 100
+ # websocket contains the gateway SSE (server sent events) configuration
+ sse:
+ # throttling contains the throttling configuration of a single SSE session (only applies for search via SSE)
+ throttling:
+ # enabled whether throttling message publishing via a single websocket session is enabled
+ enabled: true
+ # interval is the interval at which a single SSE session is rate-limited - must be > 0s
+ interval: 1s
+ # limit is the maximum number of messages the SSE session is allowed to receive within the configured
+ # throttling interval e.g.
100 msgs/s
+ limit: 100
+
+## ----------------------------------------------------------------------------
+## nginx configuration
+nginx:
+ # enabled controls whether nginx related resources should be created
+ enabled: true
+ # replicaCount for nginx
+ replicaCount: 1
+ # updateStrategy for nginx
+ # ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy
+ updateStrategy:
+ type: RollingUpdate
+ rollingUpdate:
+ maxSurge: 1
+ maxUnavailable: 0
+ # additionalLabels on nginx pods
+ additionalLabels: {}
+ # additionalAnnotations on nginx pods
+ additionalAnnotations: {}
+ image:
+ # repository for the nginx docker image
+ repository: docker.io/nginx
+ # tag for the nginx docker image
+ tag: 1.23
+ # pullPolicy for the nginx docker image
+ pullPolicy: IfNotPresent
+ # extraEnv to add arbitrary environment variables to nginx container
+ extraEnv: []
+ # resources configures the resources available/to use for nginx
+ resources:
+ # cpu defines the "required" CPU of a node so that the service is placed there
+ cpu: 0.2
+ # memoryMi defines the memory in mebibyte (MiB) used as "required" and "limit" in k8s
+ memoryMi: 64
+ # readinessProbe configuration for nginx
+ # ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes
+ readinessProbe: {}
+ # livenessProbe configuration for nginx
+ # ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes
+ livenessProbe: {}
+ # service configuration of the k8s service of the nginx
+ service:
+ # type of the nginx service
+ type: ClusterIP
+ # port of the nginx service
+ port: 8080
+ # in case of NodePort the may additionally be set
+ # type: NodePort
+ # nodePort: 30080
+ # annotations to add arbitrary annotations to nginx service
+ annotations: {}
+ # networkPolicy ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/
+ networkPolicy:
+ #
enabled controls whether policies related NetworkPolicy should be created
+ enabled: true
+ # nodeSelector configuration for nginx
+ # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
+ nodeSelector: {}
+ # tolerations configuration for nginx
+ # ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
+ tolerations: []
+ # affinity configuration for nginx
+ # ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
+ affinity: {}
+ # init containers for nginx
+ initContainers:
+ waitForGateway:
+ enabled: true
+ name: wait-for-gateway
+ image: curlimages/curl:latest
+
+## ----------------------------------------------------------------------------
+## Ditto UI configuration
+dittoui:
+ enabled: true
+ # replicaCount for Ditto UI service
+ replicaCount: 1
+ # updateStrategy for Ditto UI service
+ # ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy
+ updateStrategy:
+ type: RollingUpdate
+ rollingUpdate:
+ maxSurge: 1
+ maxUnavailable: 0
+ # additionalLabels on Ditto UI pods
+ additionalLabels: { }
+ # additionalAnnotations on Ditto UI pods
+ additionalAnnotations: { }
+ image:
+ # repository for the Ditto UI docker image
+ repository: docker.io/eclipse/ditto-ui
+ # tag for the Ditto UI image - overwrite to specify something else than Chart.AppVersion
+ # tag: 3.2.0
+ # pullPolicy for the Ditto UI docker image
+ pullPolicy: IfNotPresent
+ # extraEnv to add arbitrary environment variable to Ditto UI container
+ extraEnv: []
+ # resources configures the resources available/to use for the Ditto UI container
+ resources:
+ # cpu defines the "required" CPU of a node so that the service is placed there
+ cpu: 0.1
+ # memoryMi defines the memory in mebibyte (MiB) used as "required" and "limit" in k8s
+ memoryMi: 64
+ # networkPolicy ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/
+ networkPolicy:
+ # enabled
controls whether Ditto UI related NetworkPolicy should be created
+ enabled: true
+ # podDisruptionBudget ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/
+ podDisruptionBudget:
+ # enabled controls whether Ditto UI related PodDisruptionBudget should be created
+ enabled: true
+ # minAvailable number of replicas during voluntary disruptions
+ minAvailable: 1
+ # service configuration of the k8s service of the Ditto UI
+ service:
+ # port of the Ditto UI service
+ port: 8080
+ # annotations to add arbitrary annotations to Ditto UI service
+ annotations: { }
+
+## ----------------------------------------------------------------------------
+## swaggerui configuration
+swaggerui:
+ # enabled controls whether swagger ui related resources should be created
+ enabled: true
+ # replicaCount for swagger ui service
+ replicaCount: 1
+ # updateStrategy for swagger ui service
+ # ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy
+ updateStrategy:
+ type: RollingUpdate
+ rollingUpdate:
+ maxSurge: 1
+ maxUnavailable: 0
+ # additionalLabels on swagger ui pods
+ additionalLabels: {}
+ # additionalAnnotations on swagger ui pods
+ additionalAnnotations: {}
+ image:
+ # repository for the swagger ui docker image
+ repository: docker.io/swaggerapi/swagger-ui
+ # tag for the swagger ui docker image
+ tag: v4.15.5
+ # pullPolicy for the swagger ui docker image
+ pullPolicy: IfNotPresent
+ # extraEnv to add arbitrary environment variable to swagger ui container
+ extraEnv: []
+ # resources configures the resources available/to use for the swagger ui container
+ resources:
+ # cpu defines the "required" CPU of a node so that the service is placed there
+ cpu: 0.1
+ # memoryMi defines the memory in mebibyte (MiB) used as "required" and "limit" in k8s
+ memoryMi: 64
+ # networkPolicy ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/
+ networkPolicy:
+ # enabled controls whether swagger ui related
NetworkPolicy should be created
+ enabled: true
+ # podDisruptionBudget ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/
+ podDisruptionBudget:
+ # enabled controls whether swagger ui related PodDisruptionBudget should be created
+ enabled: true
+ # minAvailable number of replicas during voluntary disruptions
+ minAvailable: 1
+ # service configuration of the k8s service of the swagger ui
+ service:
+ # port of the swagger ui service
+ port: 8080
+ # annotations to add arbitrary annotations to swagger ui service
+ annotations: {}
+
+## ----------------------------------------------------------------------------
+## mongodb dependency chart configuration
+mongodb:
+ # enabled controls whether mongodb should be started as part of the Helm chart or not
+ enabled: true
+ # fullnameOverride: ditto-mongodb
+ auth:
+ enabled: false
+ securityContext:
+ enabled: false
+ persistence:
+ enabled: false