diff --git a/.github/dependabot.yaml b/.github/dependabot.yaml
index 21e049befd..4fd897b854 100644
--- a/.github/dependabot.yaml
+++ b/.github/dependabot.yaml
@@ -21,3 +21,7 @@ updates:
     directory: "/probe"
     schedule:
       interval: "weekly"
+  - package-ecosystem: "docker"
+    directory: "/dp-terraform/helm"
+    schedule:
+      interval: "weekly"
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index bbf2573d5d..55e8a47c41 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -1,5 +1,4 @@
-# This runs checks to verify if code is properly formatted and that tests (unit and integration against a mocked environment) are passing.
-name: Verify & Test
+name: CI
 
 on:
   push:
@@ -34,32 +33,46 @@ on:
       - 'pkg/api/openapi/docs/**'
       - 'pkg/api/openapi/.openapi-generator-ignore'
 
-# TODO make sure that the secrets are configured for your repository
-env:
-  # set ocm env to integration
-  OCM_ENV: integration
-  # Dummy SSO variables
-  SSO_CLIENT_ID: ${{ secrets.SSO_CLIENT_ID }}
-  SSO_CLIENT_SECRET: ${{ secrets.SSO_CLIENT_SECRET }}
-  OSD_IDP_SSO_CLIENT_ID: ${{ secrets.OSD_IDP_SSO_CLIENT_ID }}
-  OSD_IDP_SSO_CLIENT_SECRET: ${{ secrets.OSD_IDP_SSO_CLIENT_SECRET }}
-  # Dummy AWS credentials
-  AWS_ACCOUNT_ID: aws_accountid
-  AWS_ACCESS_KEY: aws_accesskey
-  AWS_SECRET_ACCESS_KEY: aws_secretaccesskey # pragma: allowlist secret - dummy value
-  ROUTE53_ACCESS_KEY: aws_route53_access_key # pragma: allowlist secret - dummy value
-  ROUTE53_SECRET_ACCESS_KEY: aws_route53_secret_access_key # pragma: allowlist secret - dummy value
-  # Dummy Central TLS env variables
-  CENTRAL_TLS_CERT: central_tls_cert # pragma: allowlist secret - dummy value
-  CENTRAL_TLS_KEY: central_tls_key # pragma: allowlist secret - dummy value
-  # So that OCM secrets are initialised
-  DOCKER_PR_CHECK: true
-  TEST_TIMEOUT: 30m
-
 jobs:
+  # This runs all pre-commit hooks defined within .pre-commit-config.yaml.
+  pre-commit:
+    name: "Run pre-commit hooks"
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - uses: actions/setup-python@v3
+      - uses: actions/setup-go@v3
+        with:
+          go-version: "1.20"
+      - uses: pre-commit/action@v3.0.0
+      - uses: pre-commit/action@v3.0.0
+        name: Verify generated files are up-to-date
+        with:
+          extra_args: --hook-stage=manual --all-files
+
   verify-test:
     name: "Verify & Test"
     runs-on: ubuntu-latest
+    env:
+      # TODO make sure that the secrets are configured for your repository
+      OCM_ENV: integration
+      # Dummy SSO variables
+      SSO_CLIENT_ID: ${{ secrets.SSO_CLIENT_ID }}
+      SSO_CLIENT_SECRET: ${{ secrets.SSO_CLIENT_SECRET }}
+      OSD_IDP_SSO_CLIENT_ID: ${{ secrets.OSD_IDP_SSO_CLIENT_ID }}
+      OSD_IDP_SSO_CLIENT_SECRET: ${{ secrets.OSD_IDP_SSO_CLIENT_SECRET }}
+      # Dummy AWS credentials
+      AWS_ACCOUNT_ID: aws_accountid
+      AWS_ACCESS_KEY: aws_accesskey
+      AWS_SECRET_ACCESS_KEY: aws_secretaccesskey # pragma: allowlist secret - dummy value
+      ROUTE53_ACCESS_KEY: aws_route53_access_key # pragma: allowlist secret - dummy value
+      ROUTE53_SECRET_ACCESS_KEY: aws_route53_secret_access_key # pragma: allowlist secret - dummy value
+      # Dummy Central TLS env variables
+      CENTRAL_TLS_CERT: central_tls_cert # pragma: allowlist secret - dummy value
+      CENTRAL_TLS_KEY: central_tls_key # pragma: allowlist secret - dummy value
+      # So that OCM secrets are initialised
+      DOCKER_PR_CHECK: true
+      TEST_TIMEOUT: 30m
     services:
       postgres:
         image: postgres:11
@@ -106,21 +119,30 @@ jobs:
           export PATH=${PATH}:$GOPATH/bin
           make verify binary test test/integration
         timeout-minutes: 14
-      - name: Build and publish fleet-manager-tools image to quay.io
-        if: github.event_name == 'push'
-        env:
-          QUAY_USER: ${{ secrets.QUAY_RHACS_ENG_FM_RW_USERNAME }}
-          QUAY_TOKEN: ${{ secrets.QUAY_RHACS_ENG_FM_RW_PASSWORD }}
-          QUAY_IMAGE_REPOSITORY: rhacs-eng/fleet-manager-tools
-        run: |
-          chmod +x ./build_push_fleet_manager_tools.sh
-          ./build_push_fleet_manager_tools.sh
-      - name: Build and publish fleet* image to quay.io
+  build-push-images:
+    name: "Build and push fleet* images to quay.io"
+    runs-on: ubuntu-latest
+    needs: [pre-commit, verify-test]
+    # Skip for external contributions.
+    if: |
+      github.event_name == 'push' || !github.event.pull_request.head.repo.fork
+    steps:
+      - name: Login to Quay.io
+        uses: docker/login-action@v3
+        with:
+          registry: quay.io
+          username: ${{ secrets.QUAY_RHACS_ENG_FM_RW_USERNAME }}
+          password: ${{ secrets.QUAY_RHACS_ENG_FM_RW_PASSWORD }}
+      - name: Checkout
+        uses: actions/checkout@v2
+        with:
+          fetch-depth: 0 # Critical for correct image detection in Makefile
+      - name: Build and push fleet-manager-tools image to quay.io
         if: github.event_name == 'push'
         env:
-          QUAY_USER: ${{ secrets.QUAY_RHACS_ENG_FM_RW_USERNAME }}
-          QUAY_TOKEN: ${{ secrets.QUAY_RHACS_ENG_FM_RW_PASSWORD }}
-          QUAY_IMAGE_REPOSITORY: rhacs-eng/fleet-manager
-        run: |
-          chmod +x ./build_push_fleet_manager.sh
-          ./build_push_fleet_manager.sh
+          TAG: ${{ github.ref_name }}
+        run: make image/push/fleet-manager-tools
+      - name: Build and push fleetshard-operator image to quay.io
+        run: make image/push/fleetshard-operator
+      - name: Build and push fleet-manager image to quay.io
+        run: make image/push/fleet-manager
diff --git a/.github/workflows/pre-commit.yaml b/.github/workflows/pre-commit.yaml
deleted file mode 100644
index 603a496bcb..0000000000
--- a/.github/workflows/pre-commit.yaml
+++ /dev/null
@@ -1,24 +0,0 @@
-# This runs all pre-commit hooks defined within .pre-commit-config.yaml.
-name: Pre-commit hooks
-
-on:
-  push:
-    branches:
-      - main
-  pull_request:
-
-jobs:
-  pre-commit:
-    name: "Run pre-commit hooks"
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v2
-      - uses: actions/setup-python@v3
-      - uses: actions/setup-go@v3
-        with:
-          go-version: "1.20"
-      - uses: pre-commit/action@v3.0.0
-      - uses: pre-commit/action@v3.0.0
-        name: Verify generated files are up-to-date
-        with:
-          extra_args: --hook-stage=manual --all-files
diff --git a/.secrets.baseline b/.secrets.baseline
index cfe681dafb..6a5d133568 100644
--- a/.secrets.baseline
+++ b/.secrets.baseline
@@ -322,7 +322,7 @@
         "filename": "dp-terraform/helm/rhacs-terraform/charts/observability/templates/01-operator-06-cr.yaml",
         "hashed_secret": "3e513f12b341ed3327bea645a728401b5d0f9ddb",
         "is_verified": false,
-        "line_number": 15
+        "line_number": 21
       }
     ],
     "dp-terraform/helm/rhacs-terraform/charts/secured-cluster/init-bundle.yaml": [
@@ -564,5 +564,5 @@
       }
     ]
   },
-  "generated_at": "2023-11-06T14:09:00Z"
+  "generated_at": "2023-11-13T13:31:40Z"
 }
diff --git a/Makefile b/Makefile
index 7a8d30a6f0..43c4469495 100644
--- a/Makefile
+++ b/Makefile
@@ -10,18 +10,10 @@ SHELL = bash
 binary:=fleet-manager
 
 # The image tag for building and pushing comes from TAG environment variable by default.
-# If there is no TAG env than CI_TAG is used instead.
-# Otherwise image tag is generated based on git tags.
+# Otherwise image tag is generated based on current commit hash.
+# The version should be a 7-char hash from git. This is what the deployment process in app-interface expects.
 ifeq ($(TAG),)
-ifeq (,$(wildcard CI_TAG))
-ifeq ($(IGNORE_REPOSITORY_DIRTINESS),true)
-TAG=$(shell git describe --tags --abbrev=10 --long)
-else
-TAG=$(shell git describe --tags --abbrev=10 --dirty --long)
-endif
-else
-TAG=$(shell cat CI_TAG)
-endif
+TAG=$(shell git rev-parse --short=7 HEAD)
 endif
 image_tag = $(TAG)
 
@@ -50,9 +42,6 @@ probe_image_repository:=$(PROBE_IMAGE_NAME)
 external_image_registry:= $(IMAGE_REGISTRY)
 internal_image_registry:=image-registry.openshift-image-registry.svc:5000
 
-# Test image name that will be used for PR checks
-test_image:=test/$(IMAGE_NAME)
-
 DOCKER ?= docker
 DOCKER_CONFIG ?= "${HOME}/.docker"
 
@@ -535,17 +524,17 @@ image/build/probe:
 .PHONY: image/build/probe
 
 image/build/fleet-manager-tools: GOOS=linux
-image/build/fleet-manager-tools: IMAGE_REF="$(external_image_registry)/rhacs-eng/fleet-manager-tools:$(image_tag)"
+image/build/fleet-manager-tools: IMAGE_REF="$(external_image_registry)/fleet-manager-tools:$(image_tag)"
 image/build/fleet-manager-tools: fleet-manager fleetshard-sync acsfleetctl
 	DOCKER_CONFIG=${DOCKER_CONFIG} $(DOCKER) build -t $(IMAGE_REF) -f Dockerfile.tools .
 	DOCKER_CONFIG=${DOCKER_CONFIG} $(DOCKER) tag $(IMAGE_REF) fleet-manager-tools:$(image_tag)
 .PHONY: image/build/multi-target/fleet-manager-tools
 
-image/push/fleet-manager-tools: IMAGE_REF="$(external_image_registry)/rhacs-eng/fleet-manager-tools:$(image_tag)"
+image/push/fleet-manager-tools: IMAGE_REF="$(external_image_registry)/fleet-manager-tools:$(image_tag)"
 image/push/fleet-manager-tools: image/build/fleet-manager-tools
 	DOCKER_CONFIG=${DOCKER_CONFIG} $(DOCKER) push $(IMAGE_REF)
 	@echo
-	@echo "Image fleet-manager tools was pushed as $(IMAGE_REF)."
+	@echo "Image fleet-manager-tools was pushed as $(IMAGE_REF)."
 .PHONY: image/push/fleet-manager-tools
 
 # Build and push the image
@@ -574,6 +563,16 @@ image/push/internal: docker/login/internal
 	$(DOCKER) push "$(shell oc get route default-route -n openshift-image-registry -o jsonpath="{.spec.host}")/$(probe_image_repository):$(IMAGE_TAG)"
 .PHONY: image/push/internal
 
+image/build/fleetshard-operator: IMAGE_REF="$(external_image_registry)/fleetshard-operator:$(image_tag)"
+image/build/fleetshard-operator:
+	$(DOCKER) build -t $(IMAGE_REF) ${PROJECT_PATH}/dp-terraform/helm
+.PHONY: image/build/fleetshard-operator
+
+image/push/fleetshard-operator: IMAGE_REF="$(external_image_registry)/fleetshard-operator:$(image_tag)"
+image/push/fleetshard-operator: image/build/fleetshard-operator
+	$(DOCKER) push $(IMAGE_REF)
+.PHONY: image/push/fleetshard-operator
+
 # Run the probe based e2e test in container
 test/e2e/probe/run: image/build/probe
 test/e2e/probe/run: IMAGE_REF="$(external_image_registry)/$(probe_image_repository):$(image_tag)"
diff --git a/build_push_fleet_manager.sh b/build_push_fleet_manager.sh
index 700f17f8a1..8c07e22b8d 100755
--- a/build_push_fleet_manager.sh
+++ b/build_push_fleet_manager.sh
@@ -42,7 +42,6 @@ make \
   DOCKER_CONFIG="${DOCKER_CONFIG}" \
   QUAY_USER="${QUAY_USER}" \
   QUAY_TOKEN="${QUAY_TOKEN}" \
-  TAG="${VERSION}" \
   external_image_registry="quay.io" \
   internal_image_registry="quay.io" \
   image_repository="${IMAGE_REPOSITORY}" \
diff --git a/build_push_fleet_manager_tools.sh b/build_push_fleet_manager_tools.sh
deleted file mode 100755
index bacc66c131..0000000000
--- a/build_push_fleet_manager_tools.sh
+++ /dev/null
@@ -1,49 +0,0 @@
-#!/bin/bash -e
-#
-# Copyright (c) 2018 Red Hat, Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#   http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-
-# =====================================================================================================================
-# This script builds and pushes the ACS Fleet Manager tools container image which is used by CI pipelines.
-# In order to work, it needs the following variables defined in the CI/CD configuration of the project:
-#
-# QUAY_USER - The name of the robot account used to push images to
-# 'quay.io', for example 'openshift-unified-hybrid-cloud+jenkins'.
-#
-# QUAY_TOKEN - The token of the robot account used to push images to
-# 'quay.io'.
-#
-# The machines that run this script need to have access to internet, so that
-# the built images can be pushed to quay.io.
-# =====================================================================================================================
-
-# Set image repository to default value if it is not passed via env
-IMAGE_REPOSITORY="${QUAY_IMAGE_REPOSITORY:-rhacs-eng/fleet-manager-tools}"
-
-source ./scripts/build_setup.sh
-
-# Push the image:
-echo "Quay.io user and token is set, will push images to $IMAGE_REPOSITORY"
-
-make \
-  DOCKER_CONFIG="${DOCKER_CONFIG}" \
-  QUAY_USER="${QUAY_USER}" \
-  QUAY_TOKEN="${QUAY_TOKEN}" \
-  TAG="${BRANCH}" \
-  external_image_registry="quay.io" \
-  internal_image_registry="quay.io" \
-  image_repository="${IMAGE_REPOSITORY}" \
-  docker/login/fleet-manager \
-  image/push/fleet-manager-tools
diff --git a/build_push_probe.sh b/build_push_probe.sh
index 947c0b7818..f0791f3d8d 100755
--- a/build_push_probe.sh
+++ b/build_push_probe.sh
@@ -39,7 +39,6 @@ make \
   DOCKER_CONFIG="${DOCKER_CONFIG}" \
   QUAY_PROBE_USER="${QUAY_USER}" \
   QUAY_PROBE_TOKEN="${QUAY_TOKEN}" \
-  TAG="${VERSION}" \
   external_image_registry="quay.io" \
   internal_image_registry="quay.io" \
   probe_image_repository="${IMAGE_REPOSITORY}" \
diff --git a/cmd/fleet-manager/main_test.go b/cmd/fleet-manager/main_test.go
index a0bc231d7c..98d2ec9b62 100644
--- a/cmd/fleet-manager/main_test.go
+++ b/cmd/fleet-manager/main_test.go
@@ -38,15 +38,15 @@ func TestInjections(t *testing.T) {
 
 	var bootList []environments.BootService
 	env.MustResolve(&bootList)
-	Expect(len(bootList)).To(Equal(6))
+	Expect(len(bootList)).To(Equal(7))
 
 	_, ok := bootList[0].(*server.APIServer)
 	Expect(ok).To(Equal(true))
 	_, ok = bootList[1].(*server.MetricsServer)
 	Expect(ok).To(Equal(true))
-	_, ok = bootList[2].(*server.HealthCheckServer)
+	_, ok = bootList[3].(*server.HealthCheckServer)
 	Expect(ok).To(Equal(true))
-	_, ok = bootList[3].(*workers.LeaderElectionManager)
+	_, ok = bootList[4].(*workers.LeaderElectionManager)
 	Expect(ok).To(Equal(true))
 
 	var workerList []workers.Worker
diff --git a/deploy/helm/probe/deploy.sh b/deploy/helm/probe/deploy.sh
index 6425bc087c..e4877913a8 100755
--- a/deploy/helm/probe/deploy.sh
+++ b/deploy/helm/probe/deploy.sh
@@ -2,11 +2,12 @@
 set -euo pipefail
 
 SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+ROOT_DIR="$SCRIPT_DIR/../../.."
 
 # shellcheck source=scripts/lib/external_config.sh
-source "$SCRIPT_DIR/../../../scripts/lib/external_config.sh"
+source "$ROOT_DIR/scripts/lib/external_config.sh"
 # shellcheck source=scripts/lib/helm.sh
-source "$SCRIPT_DIR/../../../scripts/lib/helm.sh"
+source "$ROOT_DIR/scripts/lib/helm.sh"
 
 if [[ $# -ne 2 ]]; then
     echo "Usage: $0 [environment] [cluster]" >&2
@@ -19,8 +20,7 @@ ENVIRONMENT=$1
 CLUSTER_NAME=$2
 PROBE_IMAGE_ORG="rhacs-eng"
 PROBE_IMAGE_NAME="blackbox-monitoring-probe-service"
-# Get HEAD for both main and production. This is the latest merged commit.
-PROBE_IMAGE_TAG="$(git rev-parse --short=7 HEAD)"
+PROBE_IMAGE_TAG="$(make --quiet --no-print-directory -C "${ROOT_DIR}" tag)"
 PROBE_IMAGE="quay.io/${PROBE_IMAGE_ORG}/${PROBE_IMAGE_NAME}:${PROBE_IMAGE_TAG}"
 
 init_chamber
@@ -57,9 +57,9 @@ if [[ $CLUSTER_ENVIRONMENT != "$ENVIRONMENT" ]]; then
 fi
 
 if [[ "${HELM_DRY_RUN:-}" == "true" ]]; then
-    "${SCRIPT_DIR}/../../../scripts/check_image_exists.sh" "${PROBE_IMAGE_ORG}" "${PROBE_IMAGE_NAME}" "${PROBE_IMAGE_TAG}" 0 || echo >&2 "Ignoring failed image check in dry-run mode."
+    "${ROOT_DIR}/scripts/check_image_exists.sh" "${PROBE_IMAGE_ORG}" "${PROBE_IMAGE_NAME}" "${PROBE_IMAGE_TAG}" 0 || echo >&2 "Ignoring failed image check in dry-run mode."
 else
-    "${SCRIPT_DIR}/../../../scripts/check_image_exists.sh" "${PROBE_IMAGE_ORG}" "${PROBE_IMAGE_NAME}" "${PROBE_IMAGE_TAG}"
+    "${ROOT_DIR}/scripts/check_image_exists.sh" "${PROBE_IMAGE_ORG}" "${PROBE_IMAGE_NAME}" "${PROBE_IMAGE_TAG}"
 fi
 
 load_external_config "cluster-${CLUSTER_NAME}" CLUSTER_
diff --git a/dev/config/dataplane-cluster-configuration-crc.yaml b/dev/config/dataplane-cluster-configuration-crc.yaml
index 5967ecc486..e5cdb418c7 100644
--- a/dev/config/dataplane-cluster-configuration-crc.yaml
+++ b/dev/config/dataplane-cluster-configuration-crc.yaml
@@ -11,7 +11,7 @@ clusters:
    region: standalone
    schedulable: true
    status: ready
-   central_instance_limit: 5
+   central_instance_limit: 9999
    provider_type: standalone
    supported_instance_type: "eval,standard"
    cluster_dns: apps-crc.testing
diff --git a/dev/config/dataplane-cluster-configuration-dockerdesktop.yaml b/dev/config/dataplane-cluster-configuration-dockerdesktop.yaml
index 4d39d94309..5389faf1a7 100644
--- a/dev/config/dataplane-cluster-configuration-dockerdesktop.yaml
+++ b/dev/config/dataplane-cluster-configuration-dockerdesktop.yaml
@@ -14,4 +14,4 @@ clusters:
    provider_type: standalone
    supported_instance_type: "eval,standard"
    cluster_dns: kubernetes.docker.internal
-   central_instance_limit: 5
+   central_instance_limit: 9999
diff --git a/dev/config/dataplane-cluster-configuration-kind.yaml b/dev/config/dataplane-cluster-configuration-kind.yaml
index 15ae940fd8..21b4a322a7 100644
--- a/dev/config/dataplane-cluster-configuration-kind.yaml
+++ b/dev/config/dataplane-cluster-configuration-kind.yaml
@@ -14,4 +14,4 @@ clusters:
    provider_type: standalone
    supported_instance_type: "eval,standard"
    cluster_dns: kubernetes.docker.internal
-   central_instance_limit: 5
+   central_instance_limit: 99999
diff --git a/dev/config/dataplane-cluster-configuration-minikube.yaml b/dev/config/dataplane-cluster-configuration-minikube.yaml
index 92b9781168..34a1267df8 100644
--- a/dev/config/dataplane-cluster-configuration-minikube.yaml
+++ b/dev/config/dataplane-cluster-configuration-minikube.yaml
@@ -24,7 +24,7 @@ clusters:
    region: standalone
    schedulable: true
    status: ready
-   central_instance_limit: 5
+   central_instance_limit: 9999
    provider_type: standalone
    supported_instance_type: "eval,standard"
    cluster_dns: cluster.local
diff --git a/dev/config/dataplane-cluster-configuration-rancherdesktop.yaml b/dev/config/dataplane-cluster-configuration-rancherdesktop.yaml
index 35ba8c03d0..ea6999f240 100644
--- a/dev/config/dataplane-cluster-configuration-rancherdesktop.yaml
+++ b/dev/config/dataplane-cluster-configuration-rancherdesktop.yaml
@@ -24,7 +24,7 @@ clusters:
    region: standalone
    schedulable: true
    status: ready
-   central_instance_limit: 5
+   central_instance_limit: 9999
    provider_type: standalone
    supported_instance_type: "eval,standard"
    cluster_dns: cluster.local
diff --git a/dev/env/defaults/00-defaults.env b/dev/env/defaults/00-defaults.env
index 19d4f21173..9dd477dc06 100644
--- a/dev/env/defaults/00-defaults.env
+++ b/dev/env/defaults/00-defaults.env
@@ -17,7 +17,6 @@ export CENTRAL_VERSION_DEFAULT=$(echo "$STACKROX_VERSION_TAG" | sed -e 's/0-nigh
 export SCANNER_VERSION_DEFAULT="2.30.0" # This one matches the above operator version tag.
 export STACKROX_OPERATOR_NAMESPACE_DEFAULT="rhacs"
 export FLEET_MANAGER_IMAGE_DEFAULT=""
-export IGNORE_REPOSITORY_DIRTINESS_DEFAULT="false"
 export ENABLE_DB_PORT_FORWARDING_DEFAULT="false"
 export ENABLE_FM_PORT_FORWARDING_DEFAULT="false"
 export OPENSHIFT_MARKETPLACE_DEFAULT="false"
diff --git a/dev/env/manifests/fleet-manager/03-fleet-manager-service.yaml b/dev/env/manifests/fleet-manager/03-fleet-manager-service.yaml
index 8975d216f2..32872838e2 100644
--- a/dev/env/manifests/fleet-manager/03-fleet-manager-service.yaml
+++ b/dev/env/manifests/fleet-manager/03-fleet-manager-service.yaml
@@ -16,6 +16,9 @@ spec:
     - name: metrics
       port: 8080
       targetPort: 8080
+    - name: pprof
+      port: 6060
+      targetPort: 6060
   selector:
     application: fleet-manager
 status:
diff --git a/dev/env/manifests/shared/03-configmap-config.yaml b/dev/env/manifests/shared/03-configmap-config.yaml
index a0aa1b4f29..28dbb322cd 100644
--- a/dev/env/manifests/shared/03-configmap-config.yaml
+++ b/dev/env/manifests/shared/03-configmap-config.yaml
@@ -13,7 +13,7 @@ data:
         provider_type: standalone
         supported_instance_type: "eval,standard"
         cluster_dns: "$CLUSTER_DNS"
-        central_instance_limit: 5
+        central_instance_limit: 99999
   fleetshard-authz-org-ids-development.yaml: |-
     # RH ACS Organization (returned for personal tokens obtained by ocm token).
     - "11009103"
diff --git a/dev/env/scripts/lib.sh b/dev/env/scripts/lib.sh
index 505e7b30ea..2c15c7a8f2 100644
--- a/dev/env/scripts/lib.sh
+++ b/dev/env/scripts/lib.sh
@@ -145,7 +145,6 @@ init() {
     export ENABLE_CENTRAL_EXTERNAL_CERTIFICATE=${ENABLE_CENTRAL_EXTERNAL_CERTIFICATE:-$ENABLE_CENTRAL_EXTERNAL_CERTIFICATE_DEFAULT}
     export CENTRAL_DOMAIN_NAME=${CENTRAL_DOMAIN_NAME:-$CENTRAL_DOMAIN_NAME_DEFAULT}
     export FLEET_MANAGER_IMAGE=${FLEET_MANAGER_IMAGE:-$FLEET_MANAGER_IMAGE_DEFAULT}
-    export IGNORE_REPOSITORY_DIRTINESS=${IGNORE_REPOSITORY_DIRTINESS:-$IGNORE_REPOSITORY_DIRTINESS_DEFAULT}
     export RHACS_TARGETED_OPERATOR_UPGRADES=${RHACS_TARGETED_OPERATOR_UPGRADES:-$RHACS_TARGETED_OPERATOR_UPGRADES_DEFAULT}
     export RHACS_GITOPS_ENABLED=${RHACS_GITOPS_ENABLED:-$RHACS_GITOPS_ENABLED_DEFAULT}
 
@@ -229,7 +228,6 @@ SKIP_TESTS: ${SKIP_TESTS}
 ENABLE_CENTRAL_EXTERNAL_CERTIFICATE: ${ENABLE_CENTRAL_EXTERNAL_CERTIFICATE}
 CENTRAL_DOMAIN_NAME: ${CENTRAL_DOMAIN_NAME}
 FLEET_MANAGER_IMAGE: ${FLEET_MANAGER_IMAGE}
-IGNORE_REPOSITORY_DIRTINESS: ${IGNORE_REPOSITORY_DIRTINESS}
 RHACS_TARGETED_OPERATOR_UPGRADES: ${RHACS_TARGETED_OPERATOR_UPGRADES}
 RHACS_GITOPS_ENABLED: ${RHACS_GITOPS_ENABLED}
 FLEET_MANAGER_CONTAINER_COMMAND: ${FLEET_MANAGER_CONTAINER_COMMAND}
diff --git a/dev/env/scripts/up.sh b/dev/env/scripts/up.sh
index 33b7f2089e..567a7deb60 100755
--- a/dev/env/scripts/up.sh
+++ b/dev/env/scripts/up.sh
@@ -21,17 +21,11 @@ else
     export CHAMBER_SECRET_BACKEND=null
 fi
 
-if [[ "$IGNORE_REPOSITORY_DIRTINESS" = "true" ]]; then
-    fleet_manager_image_info="${FLEET_MANAGER_IMAGE} (ignoring repository dirtiness)"
-else
-    fleet_manager_image_info="${FLEET_MANAGER_IMAGE}"
-fi
-
 cat <<EOF
 
 ** Bringing up ACSCS **
 
-Image: ${fleet_manager_image_info}
+Image: ${FLEET_MANAGER_IMAGE}
 Cluster Name: ${CLUSTER_NAME}
 Cluster Type: ${CLUSTER_TYPE}
 Namespace: ${ACSCS_NAMESPACE}
diff --git a/dp-terraform/helm/.dockerignore b/dp-terraform/helm/.dockerignore
new file mode 100644
index 0000000000..fbef79bca2
--- /dev/null
+++ b/dp-terraform/helm/.dockerignore
@@ -0,0 +1,2 @@
+rhacs-terraform/terraform_cluster.sh
+rhacs-terraform/test.sh
diff --git a/dp-terraform/helm/Dockerfile b/dp-terraform/helm/Dockerfile
new file mode 100644
index 0000000000..446e04b9c5
--- /dev/null
+++ b/dp-terraform/helm/Dockerfile
@@ -0,0 +1,6 @@
+FROM quay.io/operator-framework/helm-operator:v1.32.0
+
+ENV HOME=/opt/helm
+COPY watches.yaml ${HOME}/watches.yaml
+COPY rhacs-terraform  ${HOME}/rhacs-terraform
+WORKDIR ${HOME}
diff --git a/dp-terraform/helm/rhacs-terraform/charts/audit-logs/templates/06-statefulset.yaml b/dp-terraform/helm/rhacs-terraform/charts/audit-logs/templates/06-statefulset.yaml
index fef27c7342..f80dd501a8 100644
--- a/dp-terraform/helm/rhacs-terraform/charts/audit-logs/templates/06-statefulset.yaml
+++ b/dp-terraform/helm/rhacs-terraform/charts/audit-logs/templates/06-statefulset.yaml
@@ -46,6 +46,12 @@ spec:
                     values:
                       - {{ include "aggregator.fullname" . }}
               topologyKey: topology.kubernetes.io/zone
+      {{- if .Values.tolerations }}
+      tolerations: {{- toYaml .Values.tolerations | nindent 8 }}
+      {{- end }}
+      {{- if .Values.nodeSelector }}
+      nodeSelector: {{- toYaml .Values.nodeSelector | nindent 8 }}
+      {{- end }}
       terminationGracePeriodSeconds: 60
       securityContext: {}
       containers:
diff --git a/dp-terraform/helm/rhacs-terraform/charts/audit-logs/values.yaml b/dp-terraform/helm/rhacs-terraform/charts/audit-logs/values.yaml
index b4499a6ac1..e5c52266cc 100644
--- a/dp-terraform/helm/rhacs-terraform/charts/audit-logs/values.yaml
+++ b/dp-terraform/helm/rhacs-terraform/charts/audit-logs/values.yaml
@@ -60,3 +60,7 @@ customConfig:
 secrets:
   aws_region: "us-east-1"
   aws_role_arn: ""
+
+nodeSelector: {}
+
+tolerations: []
diff --git a/dp-terraform/helm/rhacs-terraform/charts/cloudwatch/templates/01-operator-04-deployment.yaml b/dp-terraform/helm/rhacs-terraform/charts/cloudwatch/templates/01-operator-04-deployment.yaml
index 9f9813e089..f7d3945807 100644
--- a/dp-terraform/helm/rhacs-terraform/charts/cloudwatch/templates/01-operator-04-deployment.yaml
+++ b/dp-terraform/helm/rhacs-terraform/charts/cloudwatch/templates/01-operator-04-deployment.yaml
@@ -18,6 +18,15 @@ spec:
       labels:
         app: cloudwatch-exporter
     spec:
+      {{- if .Values.affinity }}
+      affinity: {{ toYaml .Values.affinity | nindent 8 }}
+      {{- end }}
+      {{- if .Values.nodeSelector }}
+      nodeSelector: {{ toYaml .Values.nodeSelector | nindent 8 }}
+      {{- end }}
+      {{- if .Values.tolerations }}
+      tolerations: {{ toYaml .Values.tolerations | nindent 8 }}
+      {{- end }}
       containers:
         - name: cloudwatch-exporter
           image: {{ .Values.image | quote }}
diff --git a/dp-terraform/helm/rhacs-terraform/charts/cloudwatch/values.yaml b/dp-terraform/helm/rhacs-terraform/charts/cloudwatch/values.yaml
index 9d81c1f3c0..5aa55a9f7d 100644
--- a/dp-terraform/helm/rhacs-terraform/charts/cloudwatch/values.yaml
+++ b/dp-terraform/helm/rhacs-terraform/charts/cloudwatch/values.yaml
@@ -6,3 +6,9 @@ aws:
 clusterName: ""
 environment: ""
 image: "ghcr.io/nerdswords/yet-another-cloudwatch-exporter:v0.55.0"
+
+nodeSelector: {}
+
+tolerations: []
+
+affinity: {}
diff --git a/dp-terraform/helm/rhacs-terraform/charts/logging/templates/01-logging-03-cluster-logging.yaml b/dp-terraform/helm/rhacs-terraform/charts/logging/templates/01-logging-03-cluster-logging.yaml
index decd389dbd..1956ff5080 100644
--- a/dp-terraform/helm/rhacs-terraform/charts/logging/templates/01-logging-03-cluster-logging.yaml
+++ b/dp-terraform/helm/rhacs-terraform/charts/logging/templates/01-logging-03-cluster-logging.yaml
@@ -11,5 +11,14 @@ spec:
   managementState: "Managed"
   collection:
     logs:
+      {{- if .Values.tolerations }}
+      tolerations: {{ toYaml .Values.tolerations | nindent 8 }}
+      {{- end }}
+      {{- if .Values.nodeSelector }}
+      nodeSelector: {{ toYaml .Values.nodeSelector | nindent 8 }}
+      {{- end }}
+      {{- if .Values.resources }}
+      resources: {{ toYaml .Values.resources | nindent 8 }}
+      {{- end }}
       type: "fluentd"
       fluentd: {}
diff --git a/dp-terraform/helm/rhacs-terraform/charts/logging/values.yaml b/dp-terraform/helm/rhacs-terraform/charts/logging/values.yaml
index d1cb9f2558..814ed9d932 100644
--- a/dp-terraform/helm/rhacs-terraform/charts/logging/values.yaml
+++ b/dp-terraform/helm/rhacs-terraform/charts/logging/values.yaml
@@ -7,3 +7,9 @@ aws:
   region: "us-east-1"
   accessKeyId: ""
   secretAccessKey: ""
+
+nodeSelector: {}
+
+tolerations: []
+
+affinity: {}
diff --git a/dp-terraform/helm/rhacs-terraform/charts/observability/templates/01-operator-06-cr.yaml b/dp-terraform/helm/rhacs-terraform/charts/observability/templates/01-operator-06-cr.yaml
index 27fea658a6..9157abbdf5 100644
--- a/dp-terraform/helm/rhacs-terraform/charts/observability/templates/01-operator-06-cr.yaml
+++ b/dp-terraform/helm/rhacs-terraform/charts/observability/templates/01-operator-06-cr.yaml
@@ -4,6 +4,12 @@ metadata:
   name: observability-stack
   namespace: {{ include "observability.namespace" . }}
 spec:
+  {{- if .Values.affinity }}
+  affinity: {{ .Values.affinity | toYaml | nindent 4 }}
+  {{- end }}
+  {{- if .Values.tolerations }}
+  tolerations: {{ .Values.tolerations | toYaml | nindent 4 }}
+  {{- end }}
   # The cluster ID is added as a label to all metrics when interacting with external services.
   clusterId: {{ .Values.clusterName | quote }}
   configurationSelector:
diff --git a/dp-terraform/helm/rhacs-terraform/charts/observability/values.yaml b/dp-terraform/helm/rhacs-terraform/charts/observability/values.yaml
index 1b38e718ce..75fdd21e5e 100644
--- a/dp-terraform/helm/rhacs-terraform/charts/observability/values.yaml
+++ b/dp-terraform/helm/rhacs-terraform/charts/observability/values.yaml
@@ -84,3 +84,9 @@ alertManager:
       memory: 256Mi
     limits:
       memory: 256Mi
+
+affinity: {}
+
+tolerations: []
+
+# observability operator doesn't expose nodeSelector
diff --git a/dp-terraform/helm/rhacs-terraform/charts/secured-cluster/templates/secured-cluster-cr.yaml b/dp-terraform/helm/rhacs-terraform/charts/secured-cluster/templates/secured-cluster-cr.yaml
index bd7de8366b..729686e5c1 100644
--- a/dp-terraform/helm/rhacs-terraform/charts/secured-cluster/templates/secured-cluster-cr.yaml
+++ b/dp-terraform/helm/rhacs-terraform/charts/secured-cluster/templates/secured-cluster-cr.yaml
@@ -16,23 +16,55 @@ spec:
   clusterName: {{ required "clusterName is required when secured-cluster is enabled" .Values.clusterName }}
   centralEndpoint: {{ required "centralEndpoint is required when secured-cluster is enabled" .Values.centralEndpoint }}
   admissionControl:
-    resources:
-      requests:
-        memory: 100Mi
-        cpu: 100m
+    {{- if .Values.admissionControl.resources }}
+    resources: {{ toYaml .Values.admissionControl.resources | nindent 6 }}
+    {{- end }}
+    {{- if .Values.admissionControl.tolerations }}
+    tolerations: {{ toYaml .Values.admissionControl.tolerations | nindent 6 }}
+    {{- end }}
+    {{- if .Values.admissionControl.nodeSelector }}
+    nodeSelector: {{ toYaml .Values.admissionControl.nodeSelector | nindent 6 }}
+    {{- end }}
   sensor:
-    resources:
-      requests:
-        memory: 100Mi
-        cpu: 100m
+    {{- if .Values.sensor.resources }}
+    resources: {{ toYaml .Values.sensor.resources | nindent 6 }}
+    {{- end }}
+    {{- if .Values.sensor.tolerations }}
+    tolerations: {{ toYaml .Values.sensor.tolerations | nindent 6 }}
+    {{- end }}
+    {{- if .Values.sensor.nodeSelector }}
+    nodeSelector: {{ toYaml .Values.sensor.nodeSelector | nindent 6 }}
+    {{- end }}
   perNode:
     collector:
-      resources:
-        requests:
-          memory: 100Mi
-          cpu: 100m
+      {{- if .Values.collector.resources }}
+      resources: {{ toYaml .Values.collector.resources | nindent 8 }}
+      {{- end }}
     compliance:
-      resources:
-        requests:
-          memory: 100Mi
-          cpu: 100m
+      {{- if .Values.compliance.resources }}
+      resources: {{ toYaml .Values.compliance.resources | nindent 8 }}
+      {{- end }}
+  scanner:
+    {{- if .Values.scanner.scannerComponent }}
+    scannerComponent: {{ .Values.scanner.scannerComponent }}
+    {{- end }}
+    analyzer:
+      {{- if .Values.scanner.analyzer.resources }}
+      resources: {{ toYaml .Values.scanner.analyzer.resources | nindent 8 }}
+      {{- end }}
+      {{- if .Values.scanner.analyzer.tolerations }}
+      tolerations: {{ toYaml .Values.scanner.analyzer.tolerations | nindent 8 }}
+      {{- end }}
+      {{- if .Values.scanner.analyzer.nodeSelector }}
+      nodeSelector: {{ toYaml .Values.scanner.analyzer.nodeSelector | nindent 8 }}
+      {{- end }}
+      db:
+        {{- if .Values.scanner.analyzer.db.resources }}
+        resources: {{ toYaml .Values.scanner.analyzer.db.resources | nindent 10 }}
+        {{- end }}
+        {{- if .Values.scanner.analyzer.db.tolerations }}
+        tolerations: {{ toYaml .Values.scanner.analyzer.db.tolerations | nindent 10 }}
+        {{- end }}
+        {{- if .Values.scanner.analyzer.db.nodeSelector }}
+        nodeSelector: {{ toYaml .Values.scanner.analyzer.db.nodeSelector | nindent 10 }}
+        {{- end }}
diff --git a/dp-terraform/helm/rhacs-terraform/charts/secured-cluster/values.yaml b/dp-terraform/helm/rhacs-terraform/charts/secured-cluster/values.yaml
index d6a1b63c06..96f255213a 100644
--- a/dp-terraform/helm/rhacs-terraform/charts/secured-cluster/values.yaml
+++ b/dp-terraform/helm/rhacs-terraform/charts/secured-cluster/values.yaml
@@ -8,13 +8,50 @@ admissionControl:
   serviceTLS:
     cert: ""
     key: ""
+  resources:
+    requests:
+      memory: 100Mi
+      cpu: 100m
+  tolerations: []
+  nodeSelector: {}
 ca:
   cert: ""
 collector:
   serviceTLS:
     cert: ""
     key: ""
+  resources:
+    requests:
+      memory: 50Mi
+      cpu: 10m
+compliance:
+  resources:
+    requests:
+      memory: 100Mi
+      cpu: 100m
+scanner:
+  scannerComponent: null
+  analyzer:
+    tolerations: []
+    nodeSelector: {}
+    resources:
+      requests:
+        memory: 100Mi
+        cpu: 100m
+    db:
+      tolerations: []
+      nodeSelector: {}
+      resources:
+        requests:
+          memory: 100Mi
+          cpu: 100m
 sensor:
   serviceTLS:
     cert: ""
     key: ""
+  resources:
+    requests:
+      memory: 100Mi
+      cpu: 10m
+  tolerations: []
+  nodeSelector: {}
diff --git a/dp-terraform/helm/rhacs-terraform/templates/fleetshard-sync.yaml b/dp-terraform/helm/rhacs-terraform/templates/fleetshard-sync.yaml
index 7fc2701449..e3a7855571 100644
--- a/dp-terraform/helm/rhacs-terraform/templates/fleetshard-sync.yaml
+++ b/dp-terraform/helm/rhacs-terraform/templates/fleetshard-sync.yaml
@@ -20,6 +20,15 @@ spec:
       labels:
         app: fleetshard-sync
     spec:
+      {{- if .Values.fleetshardSync.affinity }}
+      affinity: {{ toYaml .Values.fleetshardSync.affinity | nindent 8 }}
+      {{- end }}
+      {{- if .Values.fleetshardSync.tolerations }}
+      tolerations: {{ toYaml .Values.fleetshardSync.tolerations | nindent 8 }}
+      {{- end }}
+      {{- if .Values.fleetshardSync.nodeSelector }}
+      nodeSelector: {{ toYaml .Values.fleetshardSync.nodeSelector | nindent 8 }}
+      {{- end }}
       serviceAccountName: fleetshard-sync
       containers:
       - name: fleetshard-sync
diff --git a/dp-terraform/helm/rhacs-terraform/templates/scc.yaml b/dp-terraform/helm/rhacs-terraform/templates/scc.yaml
index 835dab32d3..b0a6b17e13 100644
--- a/dp-terraform/helm/rhacs-terraform/templates/scc.yaml
+++ b/dp-terraform/helm/rhacs-terraform/templates/scc.yaml
@@ -4,8 +4,6 @@ metadata:
   annotations:
     kubernetes.io/description: custom-acscs-ephemeral-volumes allows pods to use the node's ephemeral storage. This is needed until the clusters are upgraded to 4.12 where the anyuid SCC allows using ephemeral volumes by default
   name: custom-acscs-ephemeral-volumes
-volumes:
-  - ephemeral
 runAsUser:
   type: RunAsAny
 seLinuxContext:
@@ -19,3 +17,16 @@ allowHostPID: false
 allowHostPorts: false
 allowPrivilegedContainer: false
 readOnlyRootFilesystem: false
+allowPrivilegeEscalation: true
+requiredDropCapabilities:
+  - MKNOD
+supplementalGroups:
+  type: RunAsAny
+volumes:
+  - configMap
+  - downwardAPI
+  - emptyDir
+  - persistentVolumeClaim
+  - projected
+  - secret
+  - ephemeral
diff --git a/dp-terraform/helm/rhacs-terraform/terraform_cluster.sh b/dp-terraform/helm/rhacs-terraform/terraform_cluster.sh
index edbc871b4c..ab5f1d9a11 100755
--- a/dp-terraform/helm/rhacs-terraform/terraform_cluster.sh
+++ b/dp-terraform/helm/rhacs-terraform/terraform_cluster.sh
@@ -2,11 +2,12 @@
 set -euo pipefail
 
 SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+ROOT_DIR="$SCRIPT_DIR/../../.."
 
 # shellcheck source=scripts/lib/external_config.sh
-source "$SCRIPT_DIR/../../../scripts/lib/external_config.sh"
+source "$ROOT_DIR/scripts/lib/external_config.sh"
 # shellcheck source=scripts/lib/helm.sh
-source "$SCRIPT_DIR/../../../scripts/lib/helm.sh"
+source "$ROOT_DIR/scripts/lib/helm.sh"
 
 if [[ $# -ne 2 ]]; then
     echo "Usage: $0 [environment] [cluster]" >&2
@@ -29,6 +30,9 @@ load_external_config secured-cluster SECURED_CLUSTER_
 
 AWS_ACCOUNT_ID="${AWS_ACCOUNT_ID:-$(aws sts get-caller-identity --query "Account" --output text)}"
 
+PROMETHEUS_MEMORY_LIMIT=${PROMETHEUS_MEMORY_LIMIT:-"20Gi"}
+PROMETHEUS_MEMORY_REQUEST=${PROMETHEUS_MEMORY_REQUEST:-"20Gi"}
+
 case $ENVIRONMENT in
   dev)
     FM_ENDPOINT="https://nonexistent.api.stage.openshift.com"
@@ -97,6 +101,8 @@ case $ENVIRONMENT in
     FLEETSHARD_SYNC_MEMORY_REQUEST="${FLEETSHARD_SYNC_MEMORY_REQUEST:-"1024Mi"}"
     FLEETSHARD_SYNC_CPU_LIMIT="${FLEETSHARD_SYNC_CPU_LIMIT:-"1000m"}"
     FLEETSHARD_SYNC_MEMORY_LIMIT="${FLEETSHARD_SYNC_MEMORY_LIMIT:-"1024Mi"}"
+    PROMETHEUS_MEMORY_LIMIT="30Gi"
+    PROMETHEUS_MEMORY_REQUEST="30Gi"
     SECURED_CLUSTER_ENABLED="true"
     RHACS_GITOPS_ENABLED="true"
     RHACS_TARGETED_OPERATOR_UPGRADES="true"
@@ -116,13 +122,12 @@ fi
 
 FLEETSHARD_SYNC_ORG="app-sre"
 FLEETSHARD_SYNC_IMAGE="acs-fleet-manager"
-# Get HEAD for both main and production. This is the latest merged commit.
-FLEETSHARD_SYNC_TAG="$(git rev-parse --short=7 HEAD)"
+FLEETSHARD_SYNC_TAG="$(make --quiet --no-print-directory -C "${ROOT_DIR}" tag)"
 
 if [[ "${HELM_DRY_RUN:-}" == "true" ]]; then
-    "${SCRIPT_DIR}/../../../scripts/check_image_exists.sh" "${FLEETSHARD_SYNC_ORG}" "${FLEETSHARD_SYNC_IMAGE}" "${FLEETSHARD_SYNC_TAG}" 0 || echo >&2 "Ignoring failed image check in dry-run mode."
+    "${ROOT_DIR}/scripts/check_image_exists.sh" "${FLEETSHARD_SYNC_ORG}" "${FLEETSHARD_SYNC_IMAGE}" "${FLEETSHARD_SYNC_TAG}" 0 || echo >&2 "Ignoring failed image check in dry-run mode."
 else
-    "${SCRIPT_DIR}/../../../scripts/check_image_exists.sh" "${FLEETSHARD_SYNC_ORG}" "${FLEETSHARD_SYNC_IMAGE}" "${FLEETSHARD_SYNC_TAG}"
+    "${ROOT_DIR}/scripts/check_image_exists.sh" "${FLEETSHARD_SYNC_ORG}" "${FLEETSHARD_SYNC_IMAGE}" "${FLEETSHARD_SYNC_TAG}"
 fi
 
 echo "Loading external config: audit-logs/${CLUSTER_NAME}"
@@ -194,6 +199,8 @@ invoke_helm "${SCRIPT_DIR}" rhacs-terraform \
   --set observability.observatorium.metricsSecret="${OBSERVABILITY_OBSERVATORIUM_METRICS_SECRET}" \
   --set observability.pagerduty.key="${OBSERVABILITY_PAGERDUTY_ROUTING_KEY}" \
   --set observability.deadMansSwitch.url="${OBSERVABILITY_DEAD_MANS_SWITCH_URL}" \
+  --set observability.prometheus.resources.limits.memory="${PROMETHEUS_MEMORY_LIMIT}" \
+  --set observability.prometheus.resources.requests.memory="${PROMETHEUS_MEMORY_REQUEST}" \
   --set audit-logs.enabled=true \
   --set audit-logs.annotations.rhacs\\.redhat\\.com/cluster-name="${CLUSTER_NAME}" \
   --set audit-logs.annotations.rhacs\\.redhat\\.com/environment="${ENVIRONMENT}" \
diff --git a/dp-terraform/helm/rhacs-terraform/values.yaml b/dp-terraform/helm/rhacs-terraform/values.yaml
index e46649bb79..8d173e0eb3 100644
--- a/dp-terraform/helm/rhacs-terraform/values.yaml
+++ b/dp-terraform/helm/rhacs-terraform/values.yaml
@@ -24,7 +24,7 @@ fleetshardSync:
     endpoint: "https://sso.redhat.com"
     realm: "redhat-external"
   egressProxy:
-    image: "registry.redhat.io/openshift4/ose-egress-http-proxy:v4.11.0-202310101543.p0.gf1330f6.assembly.stream"
+    image: "registry.redhat.io/openshift4/ose-egress-http-proxy:v4.14"
   auditLogs:
     enabled: true
     skipTLSVerify: true
@@ -53,6 +53,13 @@ fleetshardSync:
     enabled: false
   targetedOperatorUpgrades:
     enabled: false
+  nodeSelector:
+    node-role.kubernetes.io/acscs-infra: ""
+  tolerations:
+    - key: node-role.kubernetes.io/acscs-infra
+      operator: Exists
+      effect: NoSchedule
+
 acsOperator:
   enabled: false
   channel: latest
@@ -72,10 +79,27 @@ cloudwatch:
     secretAccessKey: ""
   clusterName: ""
   environment: ""
+  tolerations:
+    - key: node-role.kubernetes.io/acscs-infra
+      operator: Exists
+      effect: NoSchedule
+  nodeSelector:
+    node-role.kubernetes.io/acscs-infra: ""
 
 # See available parameters in charts/observability/values.yaml
 # - enabled flag is used to completely enable/disable observability sub-chart
 observability:
+  affinity:
+    nodeAffinity:
+      requiredDuringSchedulingIgnoredDuringExecution:
+        nodeSelectorTerms:
+          - matchExpressions:
+              - key: node-role.kubernetes.io/acscs-infra
+                operator: Exists
+  tolerations:
+    - key: node-role.kubernetes.io/acscs-infra
+      operator: Exists
+      effect: NoSchedule
   enabled: true
   clusterName: ""
   github:
@@ -98,6 +122,12 @@ logging:
   aws:
     accessKeyId: ""
     secretAccessKey: ""
+  tolerations:
+    - key: node-role.kubernetes.io/acscs-infra
+      operator: Exists
+      effect: NoSchedule
+  nodeSelector:
+    node-role.kubernetes.io/acscs-infra: ""
 
 # See available parameters in charts/audit-logs/values.yaml
 # - enabled flag is used to completely enable/disable logging sub-chart
@@ -106,6 +136,12 @@ audit-logs:
   image: 'registry.redhat.io/openshift-logging/vector-rhel8:v0.21'
   annotations: {}
   replicas: 3
+  tolerations:
+    - key: node-role.kubernetes.io/acscs-infra
+      operator: Exists
+      effect: NoSchedule
+  nodeSelector:
+    node-role.kubernetes.io/acscs-infra: ""
   persistence:
     enabled: true
     storageClassName: ""
@@ -157,6 +193,12 @@ secured-cluster:
     serviceTLS:
       cert: ""
       key: ""
+    tolerations:
+      - key: node-role.kubernetes.io/acscs-infra
+        operator: Exists
+        effect: NoSchedule
+    nodeSelector:
+      node-role.kubernetes.io/acscs-infra: ""
   ca:
     cert: ""
   collector:
@@ -167,6 +209,28 @@ secured-cluster:
     serviceTLS:
       cert: ""
       key: ""
+    tolerations:
+      - key: node-role.kubernetes.io/acscs-infra
+        operator: Exists
+        effect: NoSchedule
+    nodeSelector:
+      node-role.kubernetes.io/acscs-infra: ""
+  scanner:
+    scannerComponent: Disabled
+    analyzer:
+      tolerations:
+        - key: node-role.kubernetes.io/acscs-infra
+          operator: Exists
+          effect: NoSchedule
+      nodeSelector:
+        node-role.kubernetes.io/acscs-infra: ""
+      db:
+        tolerations:
+          - key: node-role.kubernetes.io/acscs-infra
+            operator: Exists
+            effect: NoSchedule
+        nodeSelector:
+          node-role.kubernetes.io/acscs-infra: ""
 
 external-secrets:
   fullnameOverride: rhacs-external-secrets
@@ -188,6 +252,12 @@ external-secrets:
     image:
       repository: quay.io/app-sre/external-secrets
       tag: v0.9.5
+  tolerations:
+    - key: node-role.kubernetes.io/acscs-infra
+      operator: Exists
+      effect: NoSchedule
+  nodeSelector:
+    node-role.kubernetes.io/acscs-infra: ""
 
 secretStore:
   aws:
diff --git a/dp-terraform/helm/watches.yaml b/dp-terraform/helm/watches.yaml
new file mode 100644
index 0000000000..4cbba3c9d4
--- /dev/null
+++ b/dp-terraform/helm/watches.yaml
@@ -0,0 +1,4 @@
+- group: cloud.stackrox.io
+  version: v1alpha1
+  kind: Fleetshard
+  chart: rhacs-terraform
diff --git a/dp-terraform/ocm/install_addon.sh b/dp-terraform/ocm/install_addon.sh
index fe2a7ed0ac..90c4b62ebf 100755
--- a/dp-terraform/ocm/install_addon.sh
+++ b/dp-terraform/ocm/install_addon.sh
@@ -2,9 +2,10 @@
 set -euo pipefail
 
 SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+ROOT_DIR="$SCRIPT_DIR/../.."
 
 # shellcheck source=scripts/lib/external_config.sh
-source "$SCRIPT_DIR/../../scripts/lib/external_config.sh"
+source "$ROOT_DIR/scripts/lib/external_config.sh"
 
 if [[ $# -ne 2 ]]; then
     echo "Usage: $0 [environment] [cluster]" >&2
@@ -89,13 +90,12 @@ fi
 
 FLEETSHARD_SYNC_ORG="app-sre"
 FLEETSHARD_SYNC_IMAGE="acs-fleet-manager"
-# Get HEAD for both main and production. This is the latest merged commit.
-FLEETSHARD_SYNC_TAG="$(git rev-parse --short=7 HEAD)"
+FLEETSHARD_SYNC_TAG="$(make --quiet --no-print-directory -C "${ROOT_DIR}" tag)"
 
 if [[ "${ADDON_DRY_RUN:-}" == "true" ]]; then
-    "${SCRIPT_DIR}/../../scripts/check_image_exists.sh" "${FLEETSHARD_SYNC_ORG}" "${FLEETSHARD_SYNC_IMAGE}" "${FLEETSHARD_SYNC_TAG}" 0 || echo >&2 "Ignoring failed image check in dry-run mode."
+    "${ROOT_DIR}/scripts/check_image_exists.sh" "${FLEETSHARD_SYNC_ORG}" "${FLEETSHARD_SYNC_IMAGE}" "${FLEETSHARD_SYNC_TAG}" 0 || echo >&2 "Ignoring failed image check in dry-run mode."
 else
-    "${SCRIPT_DIR}/../../scripts/check_image_exists.sh" "${FLEETSHARD_SYNC_ORG}" "${FLEETSHARD_SYNC_IMAGE}" "${FLEETSHARD_SYNC_TAG}"
+    "${ROOT_DIR}/scripts/check_image_exists.sh" "${FLEETSHARD_SYNC_ORG}" "${FLEETSHARD_SYNC_IMAGE}" "${FLEETSHARD_SYNC_TAG}"
 fi
 
 echo "Loading external config: audit-logs/${CLUSTER_NAME}"
diff --git a/fleetshard/pkg/central/charts/data/rhacs-operator/templates/rhacs-operator-deployment.yaml b/fleetshard/pkg/central/charts/data/rhacs-operator/templates/rhacs-operator-deployment.yaml
index 9247dc25bd..cce71ba841 100644
--- a/fleetshard/pkg/central/charts/data/rhacs-operator/templates/rhacs-operator-deployment.yaml
+++ b/fleetshard/pkg/central/charts/data/rhacs-operator/templates/rhacs-operator-deployment.yaml
@@ -27,6 +27,15 @@ spec:
         app: rhacs-operator
         control-plane: controller-manager
     spec:
+      {{- if .affinity }}
+      affinity: {{ .affinity | toYaml | nindent 8 }}
+      {{- end }}
+      {{- if .nodeSelector }}
+      nodeSelector: {{ .nodeSelector | toYaml | nindent 8 }}
+      {{- end }}
+      {{- if .tolerations }}
+      tolerations: {{ .tolerations | toYaml | nindent 8 }}
+      {{- end }}
       containers:
         - args:
             - --secure-listen-address=0.0.0.0:8443
@@ -61,6 +70,12 @@ spec:
             - --health-probe-bind-address=:8081
             - --metrics-bind-address=127.0.0.1:8080
           env:
+            - name: ENABLE_PROFILING
+              value: 'true'
+            - name: HEAP_DUMP_PARENT_DIR
+              value: /dump
+            - name: PROFILING_THRESHOLD_FRACTION
+              value: '0.50'
             - name: ENABLE_WEBHOOKS
               value: "false"
             - name: RELATED_IMAGE_MAIN
@@ -100,6 +115,9 @@ spec:
             {{- end }}
           image: "{{ .image }}"
           imagePullPolicy: IfNotPresent
+          volumeMounts:
+            - name: dump-volume
+              mountPath: /dump
           livenessProbe:
             failureThreshold: 3
             httpGet:
@@ -143,6 +161,9 @@ spec:
         runAsNonRoot: true
       serviceAccount: rhacs-operator-controller-manager
       serviceAccountName: rhacs-operator-controller-manager
+      volumes:
+        - name: dump-volume
+          emptyDir: {}
       terminationGracePeriodSeconds: 10
 ---
 {{- end }}
diff --git a/fleetshard/pkg/central/charts/data/tenant-resources/templates/egress-proxy.yaml b/fleetshard/pkg/central/charts/data/tenant-resources/templates/egress-proxy.yaml
index 102df521c5..029b67ad8e 100644
--- a/fleetshard/pkg/central/charts/data/tenant-resources/templates/egress-proxy.yaml
+++ b/fleetshard/pkg/central/charts/data/tenant-resources/templates/egress-proxy.yaml
@@ -44,6 +44,7 @@ spec:
               weight: 100
       containers:
       - name: egress-proxy
+        imagePullPolicy: Always
         image: {{ .Values.egressProxy.image }}
         command:
         - "squid"
diff --git a/fleetshard/pkg/central/reconciler/reconciler.go b/fleetshard/pkg/central/reconciler/reconciler.go
index da59818eb1..0c5e287e45 100644
--- a/fleetshard/pkg/central/reconciler/reconciler.go
+++ b/fleetshard/pkg/central/reconciler/reconciler.go
@@ -346,14 +346,17 @@ func (r *CentralReconciler) applyTelemetry(remoteCentral *private.ManagedCentral
 	if central.Spec.Central == nil {
 		central.Spec.Central = &v1alpha1.CentralComponentSpec{}
 	}
-	// Telemetry will only be enabled if the storage key is set _and_ the central is not an "internal" central created
-	// from internal clients such as probe service or others.
-	telemetryEnabled := r.telemetry.StorageKey != "" && !remoteCentral.Metadata.Internal
+	// Telemetry is always enabled, but the key is set to DISABLED for probe and other internal instances.
+	// Cloud-service specificity: empty key also disables telemetry to prevent reporting to the self-managed bucket.
+	key := r.telemetry.StorageKey
+	if remoteCentral.Metadata.Internal || key == "" {
+		key = "DISABLED"
+	}
 	telemetry := &v1alpha1.Telemetry{
-		Enabled: pointer.Bool(telemetryEnabled),
+		Enabled: pointer.Bool(true),
 		Storage: &v1alpha1.TelemetryStorage{
 			Endpoint: &r.telemetry.StorageEndpoint,
-			Key:      &r.telemetry.StorageKey,
+			Key:      &key,
 		},
 	}
 	central.Spec.Central.Telemetry = telemetry
diff --git a/fleetshard/pkg/central/reconciler/reconciler_test.go b/fleetshard/pkg/central/reconciler/reconciler_test.go
index 50cedb8134..866ec6fac3 100644
--- a/fleetshard/pkg/central/reconciler/reconciler_test.go
+++ b/fleetshard/pkg/central/reconciler/reconciler_test.go
@@ -1069,11 +1069,15 @@ func TestTelemetryOptionsAreSetInCR(t *testing.T) {
 			require.NoError(t, err)
 
 			require.NotNil(t, central.Spec.Central.Telemetry.Enabled)
-			assert.Equal(t, tc.enabled, *central.Spec.Central.Telemetry.Enabled)
+			assert.True(t, *central.Spec.Central.Telemetry.Enabled)
 			require.NotNil(t, central.Spec.Central.Telemetry.Storage.Endpoint)
 			assert.Equal(t, tc.telemetry.StorageEndpoint, *central.Spec.Central.Telemetry.Storage.Endpoint)
 			require.NotNil(t, central.Spec.Central.Telemetry.Storage.Key)
-			assert.Equal(t, tc.telemetry.StorageKey, *central.Spec.Central.Telemetry.Storage.Key)
+			if tc.telemetry.StorageKey == "" {
+				assert.Equal(t, "DISABLED", *central.Spec.Central.Telemetry.Storage.Key)
+			} else {
+				assert.Equal(t, tc.telemetry.StorageKey, *central.Spec.Central.Telemetry.Storage.Key)
+			}
 		})
 	}
 }
@@ -1959,23 +1963,25 @@ func Test_getCentralConfig_telemetry(t *testing.T) {
 		assert func(t *testing.T, c *v1alpha1.Central)
 	}{
 		{
-			name: "should disable telemetry when no storage key is set",
+			name: "telemetry enabled, but DISABLED when no storage key is set",
 			args: args{
 				isInternal: false,
 				storageKey: "",
 			},
 			assert: func(t *testing.T, c *v1alpha1.Central) {
-				assert.False(t, *c.Spec.Central.Telemetry.Enabled)
+				assert.True(t, *c.Spec.Central.Telemetry.Enabled)
+				assert.Equal(t, "DISABLED", *c.Spec.Central.Telemetry.Storage.Key)
 			},
 		},
 		{
-			name: "should disable telemetry when managed central is internal",
+			name: "should DISABLE telemetry key when managed central is internal",
 			args: args{
 				isInternal: true,
 				storageKey: "foo",
 			},
 			assert: func(t *testing.T, c *v1alpha1.Central) {
-				assert.False(t, *c.Spec.Central.Telemetry.Enabled)
+				assert.True(t, *c.Spec.Central.Telemetry.Enabled)
+				assert.Equal(t, "DISABLED", *c.Spec.Central.Telemetry.Storage.Key)
 			},
 		},
 		{
@@ -1985,18 +1991,18 @@ func Test_getCentralConfig_telemetry(t *testing.T) {
 				storageKey: "foo",
 			},
 			assert: func(t *testing.T, c *v1alpha1.Central) {
-				assert.False(t, *c.Spec.Central.Telemetry.Enabled)
+				assert.True(t, *c.Spec.Central.Telemetry.Enabled)
+				assert.Equal(t, "foo", *c.Spec.Central.Telemetry.Storage.Key)
 			},
 		},
 	}
 
 	for _, tc := range tcs {
 		t.Run(tc.name, func(t *testing.T) {
-			r := &CentralReconciler{}
-			if tc.args.isInternal {
-				r.telemetry = config.Telemetry{
+			r := &CentralReconciler{
+				telemetry: config.Telemetry{
 					StorageKey: tc.args.storageKey,
-				}
+				},
 			}
 			c := &v1alpha1.Central{}
 			mc := &private.ManagedCentral{
@@ -2011,7 +2017,6 @@ func Test_getCentralConfig_telemetry(t *testing.T) {
 }
 
 func TestReconciler_applyRoutes(t *testing.T) {
-
 	type args struct {
 		useRoutes bool
 	}
@@ -2185,10 +2190,10 @@ metadata:
 							},
 						},
 						Telemetry: &v1alpha1.Telemetry{
-							Enabled: pointer.Bool(false),
+							Enabled: pointer.Bool(true),
 							Storage: &v1alpha1.TelemetryStorage{
 								Endpoint: pointer.String(""),
-								Key:      pointer.String(""),
+								Key:      pointer.String("DISABLED"),
 							},
 						},
 					},
diff --git a/go.mod b/go.mod
index 839b0ef1b0..c5c0d08049 100644
--- a/go.mod
+++ b/go.mod
@@ -16,7 +16,7 @@ require (
 	github.com/getsentry/sentry-go v0.20.0
 	github.com/ghodss/yaml v1.0.0
 	github.com/go-gormigrate/gormigrate/v2 v2.1.1
-	github.com/go-logr/logr v1.2.4
+	github.com/go-logr/logr v1.3.0
 	github.com/go-resty/resty/v2 v2.10.0
 	github.com/goava/di v1.11.1
 	github.com/gogo/protobuf v1.3.2
@@ -41,7 +41,7 @@ require (
 	github.com/pmezard/go-difflib v1.0.0
 	github.com/prometheus/client_golang v1.17.0
 	github.com/prometheus/client_model v0.5.0
-	github.com/prometheus/common v0.44.0
+	github.com/prometheus/common v0.45.0
 	github.com/redhat-developer/app-services-sdk-core/app-services-sdk-go/serviceaccountmgmt v0.0.0-20230323122535-49460b57cc45
 	github.com/rs/xid v1.5.0
 	github.com/santhosh-tekuri/jsonschema/v3 v3.1.0
@@ -55,19 +55,19 @@ require (
 	github.com/zgalor/weberr v0.8.2
 	golang.org/x/net v0.17.0
 	golang.org/x/oauth2 v0.13.0
-	golang.org/x/sync v0.4.0
-	golang.org/x/sys v0.13.0
+	golang.org/x/sync v0.5.0
+	golang.org/x/sys v0.14.0
 	gopkg.in/resty.v1 v1.12.0
 	gopkg.in/yaml.v2 v2.4.0
 	gorm.io/driver/postgres v1.5.4
 	gorm.io/gorm v1.25.5
-	helm.sh/helm/v3 v3.13.1
+	helm.sh/helm/v3 v3.13.2
 	k8s.io/api v0.28.3
 	k8s.io/apimachinery v0.28.3
 	k8s.io/client-go v0.28.3
 	k8s.io/utils v0.0.0-20230505201702-9f6742963106
 	sigs.k8s.io/controller-runtime v0.16.3
-	sigs.k8s.io/yaml v1.3.0
+	sigs.k8s.io/yaml v1.4.0
 )
 
 require (
@@ -128,7 +128,7 @@ require (
 	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/mailru/easyjson v0.7.7 // indirect
 	github.com/mattn/go-runewidth v0.0.14 // indirect
-	github.com/matttproud/golang_protobuf_extensions v1.0.4 // indirect
+	github.com/matttproud/golang_protobuf_extensions/v2 v2.0.0 // indirect
 	github.com/microcosm-cc/bluemonday v1.0.23 // indirect
 	github.com/mitchellh/copystructure v1.2.0 // indirect
 	github.com/mitchellh/go-wordwrap v1.0.1 // indirect
diff --git a/go.sum b/go.sum
index 2e59b65a40..a522062e24 100644
--- a/go.sum
+++ b/go.sum
@@ -185,8 +185,8 @@ github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9
 github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk=
 github.com/go-logfmt/logfmt v0.5.0/go.mod h1:wCYkCAKZfumFQihp8CzCvQ3paCTfi41vtzG1KdI/P7A=
 github.com/go-logr/logr v1.2.0/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
-github.com/go-logr/logr v1.2.4 h1:g01GSCwiDw2xSZfjJ2/T9M+S6pFdcNtFYsp+Y43HYDQ=
-github.com/go-logr/logr v1.2.4/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
+github.com/go-logr/logr v1.3.0 h1:2y3SDp0ZXuc6/cjLSZ+Q3ir+QB9T/iG5yYRXqsagWSY=
+github.com/go-logr/logr v1.3.0/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
 github.com/go-logr/zapr v1.2.4 h1:QHVo+6stLbfJmYGkQ7uGHUCu5hnAFAj6mDe6Ea0SeOo=
 github.com/go-openapi/jsonpointer v0.19.6 h1:eCs3fxoIi3Wh6vtgmLTOjdhSpiqphQ+DaPn38N2ZdrE=
 github.com/go-openapi/jsonpointer v0.19.6/go.mod h1:osyAmYz/mB/C3I+WsTTSgw1ONzaLJoLCyoi6/zppojs=
@@ -271,6 +271,7 @@ github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/
 github.com/google/go-cmp v0.5.6/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.7/go.mod h1:n+brtR0CgQNWTVd5ZUFpTBC8YFBDLK/h/bpaJ8/DtOE=
 github.com/google/go-cmp v0.5.8/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
+github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
 github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/go-github v17.0.0+incompatible/go.mod h1:zLgOLi98H3fifZn+44m+umXrS52loVEgC2AApnigrVQ=
@@ -464,8 +465,8 @@ github.com/mattn/go-runewidth v0.0.14 h1:+xnbZSEeDbOIg5/mE6JF0w6n9duR1l3/WmbinWV
 github.com/mattn/go-runewidth v0.0.14/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w=
 github.com/mattn/go-sqlite3 v1.14.6/go.mod h1:NyWgC/yNuGj7Q9rpYnZvas74GogHl5/Z4A/KQRfk6bU=
 github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0=
-github.com/matttproud/golang_protobuf_extensions v1.0.4 h1:mmDVorXM7PCGKw94cs5zkfA9PSy5pEvNWRP0ET0TIVo=
-github.com/matttproud/golang_protobuf_extensions v1.0.4/go.mod h1:BSXmuO+STAnVfrANrmjBb36TMTDstsz7MSK+HVaYKv4=
+github.com/matttproud/golang_protobuf_extensions/v2 v2.0.0 h1:jWpvCLoY8Z/e3VKvlsiIGKtc+UG6U5vzxaoagmhXfyg=
+github.com/matttproud/golang_protobuf_extensions/v2 v2.0.0/go.mod h1:QUyp042oQthUoa9bqDv0ER0wrtXnBruoNd7aNjkbP+k=
 github.com/mendsley/gojwk v0.0.0-20141217222730-4d5ec6e58103 h1:Z/i1e+gTZrmcGeZyWckaLfucYG6KYOXLWo4co8pZYNY=
 github.com/mendsley/gojwk v0.0.0-20141217222730-4d5ec6e58103/go.mod h1:o9YPB5aGP8ob35Vy6+vyq3P3bWe7NQWzf+JLiXCiMaE=
 github.com/microcosm-cc/bluemonday v1.0.18/go.mod h1:Z0r70sCuXHig8YpBzCc5eGHAap2K7e/u082ZUpDRRqM=
@@ -551,8 +552,8 @@ github.com/prometheus/common v0.4.1/go.mod h1:TNfzLD0ON7rHzMJeJkieUDPYmFC7Snx/y8
 github.com/prometheus/common v0.10.0/go.mod h1:Tlit/dnDKsSWFlCLTWaA1cyBgKHSMdTB80sz/V91rCo=
 github.com/prometheus/common v0.26.0/go.mod h1:M7rCNAaPfAosfx8veZJCuw84e35h3Cfd9VFqTh1DIvc=
 github.com/prometheus/common v0.32.1/go.mod h1:vu+V0TpY+O6vW9J44gczi3Ap/oXXR10b+M/gUGO4Hls=
-github.com/prometheus/common v0.44.0 h1:+5BrQJwiBB9xsMygAB3TNvpQKOwlkc25LbISbrdOOfY=
-github.com/prometheus/common v0.44.0/go.mod h1:ofAIvZbQ1e/nugmZGz4/qCb9Ap1VoSTIO7x0VV9VvuY=
+github.com/prometheus/common v0.45.0 h1:2BGz0eBc2hdMDLnO/8n0jeB3oPrt2D08CekT0lneoxM=
+github.com/prometheus/common v0.45.0/go.mod h1:YJmSTw9BoKxJplESWWxlbyttQR4uaEcGyv9MZjVOJsY=
 github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
 github.com/prometheus/procfs v0.0.2/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA=
 github.com/prometheus/procfs v0.1.3/go.mod h1:lV6e/gmhEcM9IjHGsFOCxxuZ+z1YqCvr4OA4YeYWdaU=
@@ -841,8 +842,8 @@ golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.0.0-20220601150217-0de741cfad7f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.4.0 h1:zxkM55ReGkDlKSM+Fu41A+zmbZuaPVbGMzvvdUPznYQ=
-golang.org/x/sync v0.4.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y=
+golang.org/x/sync v0.5.0 h1:60k92dhOjHxJkrqnwsfl8KuaHbn/5dl0lUPUklKo3qE=
+golang.org/x/sync v0.5.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@@ -931,8 +932,9 @@ golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.13.0 h1:Af8nKPmuFypiUBjVoU9V20FiaFXOcuZI21p0ycVYYGE=
 golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.14.0 h1:Vz7Qs629MkJkGyHxUlRHizWJRG2j8fbQKjELVSNhy7Q=
+golang.org/x/sys v0.14.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
@@ -1252,8 +1254,8 @@ gorm.io/driver/postgres v1.5.4 h1:Iyrp9Meh3GmbSuyIAGyjkN+n9K+GHX9b9MqsTL4EJCo=
 gorm.io/driver/postgres v1.5.4/go.mod h1:Bgo89+h0CRcdA33Y6frlaHHVuTdOf87pmyzwW9C/BH0=
 gorm.io/gorm v1.25.5 h1:zR9lOiiYf09VNh5Q1gphfyia1JpiClIWG9hQaxB/mls=
 gorm.io/gorm v1.25.5/go.mod h1:hbnx/Oo0ChWMn1BIhpy1oYozzpM15i4YPuHDmfYtwg8=
-helm.sh/helm/v3 v3.13.1 h1:DG+XLGzBJeZvMLlMbm6bPDLV1dGaVW9eZsDoUd1/LM0=
-helm.sh/helm/v3 v3.13.1/go.mod h1:TdQRMiq46CSWcc68Hb0uVhvAWusaN90YwAV54cz6JzU=
+helm.sh/helm/v3 v3.13.2 h1:IcO9NgmmpetJODLZhR3f3q+6zzyXVKlRizKFwbi7K8w=
+helm.sh/helm/v3 v3.13.2/go.mod h1:GIHDwZggaTGbedevTlrQ6DB++LBN6yuQdeGj0HNaDx0=
 honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
@@ -1287,5 +1289,5 @@ sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMm
 sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0=
 sigs.k8s.io/structured-merge-diff/v4 v4.2.3 h1:PRbqxJClWWYMNV1dhaG4NsibJbArud9kFxnAMREiWFE=
 sigs.k8s.io/structured-merge-diff/v4 v4.2.3/go.mod h1:qjx8mGObPmV2aSZepjQjbmb2ihdVs8cGKBraizNC69E=
-sigs.k8s.io/yaml v1.3.0 h1:a2VclLzOGrwOHDiV8EfBGhvjHvP46CtW5j6POvhYGGo=
-sigs.k8s.io/yaml v1.3.0/go.mod h1:GeOyir5tyXNByN85N/dRIT9es5UQNerPYEKK56eTBm8=
+sigs.k8s.io/yaml v1.4.0 h1:Mk1wCc2gy/F0THH0TAp1QYyJNzRm2KCLy3o5ASXVI5E=
+sigs.k8s.io/yaml v1.4.0/go.mod h1:Ejl7/uTz7PSA4eKMyQCUTnhZYNmLIl+5c2lQPGR2BPY=
diff --git a/internal/dinosaur/pkg/gitops/default_central.yaml b/internal/dinosaur/pkg/gitops/default_central.yaml
index 4264d0db57..027a043ffd 100644
--- a/internal/dinosaur/pkg/gitops/default_central.yaml
+++ b/internal/dinosaur/pkg/gitops/default_central.yaml
@@ -55,3 +55,6 @@ spec:
           memory: 2Gi
     monitoring:
       exposeEndpoint: Enabled
+  monitoring:
+    openshift:
+      enabled:  {{ not .IsInternal }}
diff --git a/internal/dinosaur/pkg/gitops/default_central_test.go b/internal/dinosaur/pkg/gitops/default_central_test.go
index 8b01a55413..96aba3e27a 100644
--- a/internal/dinosaur/pkg/gitops/default_central_test.go
+++ b/internal/dinosaur/pkg/gitops/default_central_test.go
@@ -12,16 +12,12 @@ import (
 	"sigs.k8s.io/yaml"
 )
 
-func TestDefaultCentral(t *testing.T) {
-	p := getDummyCentralParams()
-	central, err := renderDefaultCentral(p)
-	assert.NoError(t, err)
-
+func wantCentralForDummyParams(p *CentralParams) *v1alpha1.Central {
 	exposeEndpointEnabled := v1alpha1.ExposeEndpointEnabled
 	autoScalingEnabled := v1alpha1.ScannerAutoScalingEnabled
 	scannerComponentEnabled := v1alpha1.ScannerComponentEnabled
 
-	wantCentral := v1alpha1.Central{
+	return &v1alpha1.Central{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      p.Name,
 			Namespace: p.Namespace,
@@ -102,16 +98,46 @@ func TestDefaultCentral(t *testing.T) {
 					ExposeEndpoint: &exposeEndpointEnabled,
 				},
 			},
-			Monitoring: nil,
+			Monitoring: &v1alpha1.GlobalMonitoring{
+				OpenShiftMonitoring: &v1alpha1.OpenShiftMonitoring{
+					Enabled: true,
+				},
+			},
 		},
 	}
+}
+
+func assertCentralEquality(t *testing.T, wantCentral *v1alpha1.Central, gotCentral *v1alpha1.Central) {
+	assert.Equal(t, wantCentral, gotCentral)
 
 	// compare yaml
 	wantBytes, err := yaml.Marshal(wantCentral)
 	assert.NoError(t, err)
 
-	gotBytes, err := yaml.Marshal(central)
+	gotBytes, err := yaml.Marshal(gotCentral)
 	assert.NoError(t, err)
 
 	assert.YAMLEq(t, string(wantBytes), string(gotBytes))
 }
+
+func TestDefaultCentral(t *testing.T) {
+	p := getDummyCentralParams()
+	gotCentral, err := renderDefaultCentral(p)
+	assert.NoError(t, err)
+
+	wantCentral := wantCentralForDummyParams(&p)
+
+	assertCentralEquality(t, wantCentral, &gotCentral)
+}
+
+func TestInternalCentral(t *testing.T) {
+	p := getDummyCentralParams()
+	p.IsInternal = true
+	gotCentral, err := renderDefaultCentral(p)
+	assert.NoError(t, err)
+
+	wantCentral := wantCentralForDummyParams(&p)
+	wantCentral.Spec.Monitoring.OpenShiftMonitoring.Enabled = false
+
+	assertCentralEquality(t, wantCentral, &gotCentral)
+}
diff --git a/internal/dinosaur/pkg/services/dinosaur.go b/internal/dinosaur/pkg/services/dinosaur.go
index 9e2a78f40a..d66a23d7e2 100644
--- a/internal/dinosaur/pkg/services/dinosaur.go
+++ b/internal/dinosaur/pkg/services/dinosaur.go
@@ -10,6 +10,7 @@ import (
 	"github.com/stackrox/acs-fleet-manager/pkg/client/iam"
 	dynamicClientAPI "github.com/stackrox/acs-fleet-manager/pkg/client/redhatsso/api"
 	"github.com/stackrox/acs-fleet-manager/pkg/client/redhatsso/dynamicclients"
+	"github.com/stackrox/acs-fleet-manager/pkg/environments"
 
 	dinosaurConstants "github.com/stackrox/acs-fleet-manager/internal/dinosaur/constants"
 	"github.com/stackrox/acs-fleet-manager/internal/dinosaur/pkg/api/dbapi"
@@ -212,7 +213,8 @@ func (k *dinosaurService) DetectInstanceType(dinosaurRequest *dbapi.CentralReque
 
 // reserveQuota - reserves quota for the given dinosaur request. If a RHACS quota has been assigned, it will try to reserve RHACS quota, otherwise it will try with RHACSTrial
 func (k *dinosaurService) reserveQuota(ctx context.Context, dinosaurRequest *dbapi.CentralRequest) (subscriptionID string, err *errors.ServiceError) {
-	if dinosaurRequest.InstanceType == types.EVAL.String() {
+	if dinosaurRequest.InstanceType == types.EVAL.String() &&
+		(environments.GetEnvironmentStrFromEnv() == environments.DevelopmentEnv || environments.GetEnvironmentStrFromEnv() == environments.TestingEnv) == false {
 		if !k.dinosaurConfig.Quota.AllowEvaluatorInstance {
 			return "", errors.NewWithCause(errors.ErrorForbidden, err, "central eval instances are not allowed")
 		}
diff --git a/pkg/providers/core.go b/pkg/providers/core.go
index 7ab367c747..538bfa69ab 100644
--- a/pkg/providers/core.go
+++ b/pkg/providers/core.go
@@ -17,6 +17,7 @@ import (
 	"github.com/stackrox/acs-fleet-manager/pkg/logger"
 	"github.com/stackrox/acs-fleet-manager/pkg/quotamanagement"
 	"github.com/stackrox/acs-fleet-manager/pkg/server"
+	"github.com/stackrox/acs-fleet-manager/pkg/server/profiler"
 	"github.com/stackrox/acs-fleet-manager/pkg/services/account"
 	"github.com/stackrox/acs-fleet-manager/pkg/services/authorization"
 	"github.com/stackrox/acs-fleet-manager/pkg/services/sentry"
@@ -98,6 +99,7 @@ func ServiceProviders() di.Option {
 		// Types registered as a BootService are started when the env is started
 		di.Provide(server.NewAPIServer, di.As(new(environments.BootService))),
 		di.Provide(server.NewMetricsServer, di.As(new(environments.BootService))),
+		di.Provide(profiler.SingletonPprofServer, di.As(new(environments.BootService))),
 		di.Provide(server.NewHealthCheckServer, di.As(new(environments.BootService))),
 		di.Provide(workers.NewLeaderElectionManager, di.As(new(environments.BootService))),
 		di.Provide(services.NewTelemetry, di.As(new(environments.BootService))),
diff --git a/pkg/server/profiler/profiler_server.go b/pkg/server/profiler/profiler_server.go
new file mode 100644
index 0000000000..47868f8cef
--- /dev/null
+++ b/pkg/server/profiler/profiler_server.go
@@ -0,0 +1,84 @@
+// Package profiler provides profiling tools for debugging.
+package profiler
+
+import (
+	"context"
+	"fmt"
+	"net"
+	"net/http"
+	"net/http/pprof"
+	"sync"
+
+	"github.com/pkg/errors"
+
+	"github.com/golang/glog"
+
+	"github.com/gorilla/mux"
+	"github.com/stackrox/acs-fleet-manager/pkg/environments"
+	"github.com/stackrox/acs-fleet-manager/pkg/server"
+)
+
+var _ server.Server = &PprofServer{}
+var _ environments.BootService = &PprofServer{}
+
+// PprofServer ...
+type PprofServer struct {
+	httpServer *http.Server
+}
+
+// Start ...
+func (p *PprofServer) Start() {
+	go p.Run()
+}
+
+var (
+	oncePprofServer     sync.Once
+	pprofServerInstance *PprofServer
+)
+
+// SingletonPprofServer returns the PprofServer
+func SingletonPprofServer() *PprofServer {
+	oncePprofServer.Do(func() {
+		router := mux.NewRouter()
+		router.Handle("/debug/pprof/", http.HandlerFunc(pprof.Index))
+		router.Handle("/debug/pprof/cmdline", http.HandlerFunc(pprof.Cmdline))
+		router.Handle("/debug/pprof/profile", http.HandlerFunc(pprof.Profile))
+		router.Handle("/debug/pprof/symbol", http.HandlerFunc(pprof.Symbol))
+		router.Handle("/debug/pprof/trace", http.HandlerFunc(pprof.Trace))
+		router.Handle("/debug/pprof/{cmd}", http.HandlerFunc(pprof.Index)) // special handling for Gorilla mux
+		httpServer := &http.Server{
+			Addr:    "localhost:6060",
+			Handler: router,
+		}
+
+		pprofServerInstance = &PprofServer{
+			httpServer: httpServer,
+		}
+	})
+	return pprofServerInstance
+}
+
+// Stop ...
+func (p *PprofServer) Stop() {
+	err := p.httpServer.Shutdown(context.Background())
+	if err != nil {
+		glog.Warningf("Unable to stop profiling server: %s", err)
+	}
+}
+
+// Listen ...
+func (p *PprofServer) Listen() (net.Listener, error) {
+	return nil, nil
+}
+
+// Serve ...
+func (p *PprofServer) Serve(listener net.Listener) {
+}
+
+// Run ...
+func (p *PprofServer) Run() {
+	err := p.httpServer.ListenAndServe()
+	if err != nil && !errors.Is(err, http.ErrServerClosed) {
+		glog.Fatalf(fmt.Sprintf("starting pprof server failed %s", err))
+	}
+}
diff --git a/pkg/server/profiler/profiler_server_test.go b/pkg/server/profiler/profiler_server_test.go
new file mode 100644
index 0000000000..70d4204b02
--- /dev/null
+++ b/pkg/server/profiler/profiler_server_test.go
@@ -0,0 +1,30 @@
+package profiler
+
+import (
+	"net"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestPprofProfiler(t *testing.T) {
+	server := SingletonPprofServer()
+	server.Start()
+
+	for {
+		conn, err := net.DialTimeout("tcp", net.JoinHostPort("localhost", "6060"), 5*time.Second)
+		require.NoError(t, err)
+		if conn != nil {
+			require.NoError(t, conn.Close())
+			break
+		}
+		time.Sleep(50 * time.Millisecond)
+	}
+
+	// Test server was stopped
+	server.Stop()
+	conn, err := net.DialTimeout("tcp", net.JoinHostPort("localhost", "6060"), 5*time.Second)
+	require.Error(t, err)
+	require.Nil(t, conn)
+}
diff --git a/scripts/build_setup.sh b/scripts/build_setup.sh
index 12853714ba..36b9267f1e 100755
--- a/scripts/build_setup.sh
+++ b/scripts/build_setup.sh
@@ -1,11 +1,7 @@
 #!/bin/bash -e
 
-# The version should be a 7-char hash from git. This is what the deployment process in app-interface expects.
-VERSION=$(git rev-parse --short=7 HEAD)
-export VERSION
-
 # Set the directory for docker configuration:
-export DOCKER_CONFIG="${PWD}/.docker"
+export DOCKER_CONFIG="${DOCKER_CONFIG:-${PWD}/.docker}"
 
 # Log in to the image registry:
 if [ -z "${QUAY_USER}" ]; then
diff --git a/scripts/create-central.sh b/scripts/create-central.sh
index 39698b5453..d48b7a7e3b 100755
--- a/scripts/create-central.sh
+++ b/scripts/create-central.sh
@@ -1,9 +1,11 @@
 #!/usr/bin/env bash
 set -eo pipefail
+name=${1:-"test-central-1"}
+
+echo "Creating central tenant: $name"
 
-echo "Creating central tenant: test-central-1"
 
 # shellcheck disable=SC1001
 curl -X POST -H "Authorization: Bearer $(ocm token)" -H "Content-Type: application/json" \
   http://127.0.0.1:8000/api/rhacs/v1/centrals\?async\=true \
-  -d '{"name": "test-central-1", "multi_az": true, "cloud_provider": "standalone", "region": "standalone"}'
+  -d '{"name": "'"${name}"'", "multi_az": true, "cloud_provider": "standalone", "region": "standalone"}'
diff --git a/scripts/fmcurl b/scripts/fmcurl
index 58bf9cb7de..cfbf674fd8 100755
--- a/scripts/fmcurl
+++ b/scripts/fmcurl
@@ -14,4 +14,9 @@ shift
 # Normalize
 resource=$(echo "$resource" | sed -e 's/^\///;')
 FM_URL="${FM_URL:-http://localhost:8000}"
-curl -LH "Authorization: Bearer ${OCM_TOKEN}" "$FM_URL/api/${resource}" "$@" | jq .
+
+if [[ "$resource" != "metrics" ]]; then
+  resource="api/$resource"
+fi
+
+curl -LH "Authorization: Bearer ${OCM_TOKEN}" "$FM_URL/${resource}" "$@" | jq .
diff --git a/tools/go.mod b/tools/go.mod
index c4f8e5a6e2..c9af275274 100644
--- a/tools/go.mod
+++ b/tools/go.mod
@@ -5,7 +5,7 @@ go 1.20
 require (
 	github.com/go-bindata/go-bindata/v3 v3.1.4-0.20210427095211-26949cc13d95
 	github.com/matryer/moq v0.3.3
-	github.com/onsi/ginkgo/v2 v2.13.0
+	github.com/onsi/ginkgo/v2 v2.13.1
 	github.com/segmentio/chamber/v2 v2.13.4
 	gotest.tools/gotestsum v1.11.0
 )
@@ -34,12 +34,12 @@ require (
 	github.com/spf13/cobra v1.7.0 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
 	golang.org/x/lint v0.0.0-20191125180803-fdd1cda4f05f // indirect
-	golang.org/x/mod v0.12.0 // indirect
-	golang.org/x/sync v0.3.0 // indirect
-	golang.org/x/sys v0.13.0 // indirect
-	golang.org/x/term v0.11.0 // indirect
-	golang.org/x/text v0.12.0 // indirect
-	golang.org/x/tools v0.12.0 // indirect
+	golang.org/x/mod v0.13.0 // indirect
+	golang.org/x/sync v0.4.0 // indirect
+	golang.org/x/sys v0.14.0 // indirect
+	golang.org/x/term v0.13.0 // indirect
+	golang.org/x/text v0.13.0 // indirect
+	golang.org/x/tools v0.14.0 // indirect
 	gopkg.in/check.v1 v1.0.0-20200902074654-038fdea0a05b // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )
diff --git a/tools/go.sum b/tools/go.sum
index 74b993df1f..5a5036b350 100644
--- a/tools/go.sum
+++ b/tools/go.sum
@@ -21,13 +21,13 @@ github.com/fsnotify/fsnotify v1.5.4 h1:jRbGcIw6P2Meqdwuo0H1p6JVLbL5DHKAKlYndzMwV
 github.com/fsnotify/fsnotify v1.5.4/go.mod h1:OVB6XrOHzAwXMpEM7uPOzcehqUV2UqJxmVXmkdnm1bU=
 github.com/go-bindata/go-bindata/v3 v3.1.4-0.20210427095211-26949cc13d95 h1:uuovnuyoQdZSs6QHG18MJM0c48qER1I2dmqvDYk3F5c=
 github.com/go-bindata/go-bindata/v3 v3.1.4-0.20210427095211-26949cc13d95/go.mod h1:1/zrpXsLD8YDIbhZRqXzm1Ghc7NhEvIN9+Z6R5/xH4I=
-github.com/go-logr/logr v1.2.4 h1:g01GSCwiDw2xSZfjJ2/T9M+S6pFdcNtFYsp+Y43HYDQ=
+github.com/go-logr/logr v1.3.0 h1:2y3SDp0ZXuc6/cjLSZ+Q3ir+QB9T/iG5yYRXqsagWSY=
 github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 h1:tfuBGBXKqDEevZMzYi5KSi8KkcZtzBcTgAUUtapy0OI=
 github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572/go.mod h1:9Pwr4B2jHnOSGXyyzV8ROjYa2ojvAY6HCGYYfMoC3Ls=
 github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg=
 github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38=
 github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
+github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
 github.com/google/pprof v0.0.0-20210407192527-94a9f03dee38 h1:yAJXTCF9TqKcTiHJAE8dj7HMvPfh66eeA2JYW7eFpSE=
 github.com/google/pprof v0.0.0-20210407192527-94a9f03dee38/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
 github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 h1:El6M4kTTCOh6aBiKaUGG7oYTSPP8MxqL4YI3kZKwcP4=
@@ -60,9 +60,9 @@ github.com/mattn/go-isatty v0.0.19 h1:JITubQf0MOLdlGRuRq+jtsDlekdYPia9ZFsB8h/APP
 github.com/mattn/go-isatty v0.0.19/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
 github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e h1:fD57ERR4JtEqsWbfPhv4DMiApHyliiK5xCTNVSPiaAs=
 github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno=
-github.com/onsi/ginkgo/v2 v2.13.0 h1:0jY9lJquiL8fcf3M4LAXN5aMlS/b2BV86HFFPCPMgE4=
-github.com/onsi/ginkgo/v2 v2.13.0/go.mod h1:TE309ZR8s5FsKKpuB1YAQYBzCaAfUgatB/xlT/ETL/o=
-github.com/onsi/gomega v1.27.10 h1:naR28SdDFlqrG6kScpT8VWpu1xWY5nJRCF3XaYyBjhI=
+github.com/onsi/ginkgo/v2 v2.13.1 h1:LNGfMbR2OVGBfXjvRZIZ2YCTQdGKtPLvuI1rMCCj3OU=
+github.com/onsi/ginkgo/v2 v2.13.1/go.mod h1:XStQ8QcGwLyF4HdfcZB8SFOS/MWCgDuXMSBe6zrvLgM=
+github.com/onsi/gomega v1.29.0 h1:KIA/t2t5UBzoirT4H9tsML45GEbo3ouUnBHsCfD2tVg=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
@@ -96,8 +96,9 @@ golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
 golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/mod v0.9.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
-golang.org/x/mod v0.12.0 h1:rmsUpXtvNzj340zd98LZ4KntptpfRHwpFOHG188oHXc=
 golang.org/x/mod v0.12.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
+golang.org/x/mod v0.13.0 h1:I/DsJXRlw/8l/0c24sM9yb0T4z9liZTduXvdAWYiysY=
+golang.org/x/mod v0.13.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
@@ -107,13 +108,14 @@ golang.org/x/net v0.1.0/go.mod h1:Cx3nUiGt4eDBEyega/BKRp+/AlGL8hYe7U9odMt2Cco=
 golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
 golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
 golang.org/x/net v0.12.0/go.mod h1:zEVYFnQC7m/vmpQFELhcD1EWkZlX69l4oqgmer6hfKA=
-golang.org/x/net v0.14.0 h1:BONx9s002vGdD9umnlX1Po8vOZmrgH34qlHcD1MfK14=
+golang.org/x/net v0.17.0 h1:pVaXccu2ozPjCXewfr1S7xza/zcXTity9cCdXQYSjIM=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.3.0 h1:ftCYgMx6zT/asHUrPw8BLLscYtGznsLAnjq5RH9P66E=
 golang.org/x/sync v0.3.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y=
+golang.org/x/sync v0.4.0 h1:zxkM55ReGkDlKSM+Fu41A+zmbZuaPVbGMzvvdUPznYQ=
+golang.org/x/sync v0.4.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -130,16 +132,16 @@ golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.10.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.13.0 h1:Af8nKPmuFypiUBjVoU9V20FiaFXOcuZI21p0ycVYYGE=
-golang.org/x/sys v0.13.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.14.0 h1:Vz7Qs629MkJkGyHxUlRHizWJRG2j8fbQKjELVSNhy7Q=
+golang.org/x/sys v0.14.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.1.0/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
 golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo=
 golang.org/x/term v0.10.0/go.mod h1:lpqdcUyK/oCiQxvxVrppt5ggO2KCZ5QblwqPnfZ6d5o=
-golang.org/x/term v0.11.0 h1:F9tnn/DA/Im8nCwm+fX+1/eBwi4qFjRT++MhtVC4ZX0=
-golang.org/x/term v0.11.0/go.mod h1:zC9APTIj3jG3FdV/Ons+XE1riIZXG4aZ4GTHiPZJPIU=
+golang.org/x/term v0.13.0 h1:bb+I9cTfFazGW51MZqBVmZy7+JEJMouUHTUSKVQLBek=
+golang.org/x/term v0.13.0/go.mod h1:LTmsnFJwVN6bCy1rVCoS+qHT1HhALEFxKncY3WNNh4U=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
@@ -147,8 +149,8 @@ golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
 golang.org/x/text v0.11.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
-golang.org/x/text v0.12.0 h1:k+n5B8goJNdU7hSvEtMUz3d1Q6D/XW4COJSJR6fN0mc=
-golang.org/x/text v0.12.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
+golang.org/x/text v0.13.0 h1:ablQoSUd0tRdKxZewP80B+BaqeKJuVhuRxj/dkrun3k=
+golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20181030221726-6c7e314b6563/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
@@ -157,8 +159,8 @@ golang.org/x/tools v0.1.0/go.mod h1:xkSsbof2nBLbhDlRMhhhyNLN/zl3eTqcnHD5viDpcZ0=
 golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
 golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
 golang.org/x/tools v0.11.0/go.mod h1:anzJrxPjNtfgiYQYirP2CPGzGLxrH2u2QBhn6Bf3qY8=
-golang.org/x/tools v0.12.0 h1:YW6HUoUmYBpwSgyaGaZq1fHjrBjX1rlpZ54T6mu2kss=
-golang.org/x/tools v0.12.0/go.mod h1:Sc0INKfu04TlqNoRA1hgpFZbhYXHPr4V5DzpSBTPqQM=
+golang.org/x/tools v0.14.0 h1:jvNa2pY0M4r62jkRQ6RwEZZyPcymeL9XZMLBbV7U2nc=
+golang.org/x/tools v0.14.0/go.mod h1:uYBEerGOWcJyEORxN+Ek8+TT266gXkNlHdJBwexUsBg=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=