Merge pull request #470 from stefanprodan/release-6.11.2

Release 6.11.2
2026-04-07 03:26:54 +00:00 · 2026-03-31 22:52:14 +03:00 · 2026-03-31 22:47:19 +03:00 · 2026-03-31 22:36:36 +03:00 · 2026-03-31 19:32:43 +00:00 · 2026-03-31 22:30:33 +03:00
332 changed files with 36756 additions and 2020 deletions
--- a/.cosign/README.md
+++ b/.cosign/README.md
@@ -0,0 +1,61 @@
+# Podinfo signed releases
+
+Podinfo release assets (container image, Helm chart, Flux artifact, Timoni module)
+are published to GitHub Container Registry and are signed with
+[Cosign v2](https://github.com/sigstore/cosign) keyless & GitHub Actions OIDC.
+
+## Verify podinfo with cosign
+
+Install the [cosign](https://github.com/sigstore/cosign) CLI:
+
+```sh
+brew install sigstore/tap/cosign
+```
+
+### Container image
+
+Verify the podinfo container image hosted on GHCR:
+
+```sh
+cosign verify ghcr.io/stefanprodan/podinfo:6.5.0 \
+--certificate-identity-regexp="^https://github.com/stefanprodan/podinfo.*$" \
+--certificate-oidc-issuer=https://token.actions.githubusercontent.com
+```
+
+Verify the podinfo container image hosted on Docker Hub:
+
+```sh
+cosign verify docker.io/stefanprodan/podinfo:6.5.0 \
+--certificate-identity-regexp="^https://github.com/stefanprodan/podinfo.*$" \
+--certificate-oidc-issuer=https://token.actions.githubusercontent.com
+```
+
+### Helm chart
+
+Verify the podinfo [Helm](https://helm.sh) chart hosted on GHCR:
+
+```sh
+cosign verify ghcr.io/stefanprodan/charts/podinfo:6.5.0 \
+--certificate-identity-regexp="^https://github.com/stefanprodan/podinfo.*$" \
+--certificate-oidc-issuer=https://token.actions.githubusercontent.com
+```
+
+### Flux artifact
+
+Verify the podinfo [Flux](https://fluxcd.io) artifact hosted on GHCR:
+
+```sh
+cosign verify ghcr.io/stefanprodan/manifests/podinfo:6.5.0 \
+--certificate-identity-regexp="^https://github.com/stefanprodan/podinfo.*$" \
+--certificate-oidc-issuer=https://token.actions.githubusercontent.com
+```
+
+### Timoni module
+
+Verify the podinfo [Timoni](https://timoni.sh) module hosted on GHCR:
+
+```sh
+cosign verify ghcr.io/stefanprodan/modules/podinfo:6.5.0 \
+--certificate-identity-regexp="^https://github.com/stefanprodan/podinfo.*$" \
+--certificate-oidc-issuer=https://token.actions.githubusercontent.com
+```
--- a/.cosign/cosign.pub
+++ b/.cosign/cosign.pub
@@ -0,0 +1,4 @@
+-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEST+BqQ1XZhhVYx0YWQjdUJYIG5Lt
+iz2+UxRIqmKBqNmce2T+l45qyqOs99qfD7gLNGmkVZ4vtJ9bM7FxChFczg==
+-----END PUBLIC KEY-----
--- a/.gitattributes
+++ b/.gitattributes
@@ -0,0 +1 @@
+timoni/podinfo/cue.mod/** linguist-vendored
--- a/.github/FUNDING.yml
+++ b/.github/FUNDING.yml
@@ -0,0 +1 @@
+github: stefanprodan
--- a/.github/actions/helm/Dockerfile
+++ b/.github/actions/helm/Dockerfile
@@ -1,6 +0,0 @@
-FROM stefanprodan/alpine-base:latest
-
-COPY entrypoint.sh /entrypoint.sh
-RUN chmod +x /entrypoint.sh
-
-ENTRYPOINT ["/entrypoint.sh"]
--- a/.github/actions/helm/action.yml
+++ b/.github/actions/helm/action.yml
@@ -1,15 +0,0 @@
-name: 'helm'
-description: 'A GitHub Action to run helm commands'
-author: 'Stefan Prodan'
-branding:
-  icon: 'command'
-  color: 'blue'
-inputs:
-  helm-version:
-    description: Helm version to use
-    required: true
-runs:
-  using: 'docker'
-  image: 'Dockerfile'
-  args:
-    - ${{ inputs.helm-version }}
--- a/.github/actions/helm/entrypoint.sh
+++ b/.github/actions/helm/entrypoint.sh
@@ -1,24 +0,0 @@
-#!/usr/bin/env bash
-
-set -o errexit
-set -o pipefail
-
-HELM_VERSION=$1
-BIN_DIR="$GITHUB_WORKSPACE/bin"
-
-main() {
-  mkdir -p ${BIN_DIR}
-  tmpDir=$(mktemp -d)
-
-  pushd $tmpDir >& /dev/null
-
-  curl -sSL https://get.helm.sh/helm-v${HELM_VERSION}-linux-amd64.tar.gz | tar xz
-  cp linux-amd64/helm ${BIN_DIR}/helm
-
-  popd >& /dev/null
-  rm -rf $tmpDir
-}
-
-main
-echo "::add-path::$BIN_DIR"
-echo "::add-path::$RUNNER_WORKSPACE/$(basename $GITHUB_REPOSITORY)/bin"
--- a/.github/actions/kubeconform/action.yml
+++ b/.github/actions/kubeconform/action.yml
@@ -0,0 +1,38 @@
+name: Setup kubeconform
+description: A GitHub Action for running kubeconform commands
+author: Stefan Prodan
+branding:
+  color: blue
+  icon: command
+inputs:
+  version:
+    description: "kubeconform version e.g. 0.5.0 (defaults to latest stable release)"
+    required: false
+  arch:
+    description: "arch can be amd64 or arm64"
+    required: true
+    default: "amd64"
+runs:
+  using: composite
+  steps:
+    - name: "Download binary to the GH runner cache"
+      shell: bash
+      run: |  
+        ARCH=${{ inputs.arch }}
+        VERSION=${{ inputs.version }}
+
+        if [ -z $VERSION ]; then
+          VERSION=$(curl https://api.github.com/repos/yannh/kubeconform/releases/latest -sL | grep tag_name | sed -E 's/.*"([^"]+)".*/\1/' | cut -c 2-)
+        fi
+        
+        BIN_URL="https://github.com/yannh/kubeconform/releases/download/v${VERSION}/kubeconform-linux-${ARCH}.tar.gz"
+        BIN_DIR=$RUNNER_TOOL_CACHE/kubeconform/$VERSION/$ARCH
+        
+        if [[ ! -x "$BIN_DIR/kind" ]]; then
+          mkdir -p $BIN_DIR
+          cd $BIN_DIR
+          curl -sL $BIN_URL | tar xz
+          chmod +x kubeconform
+        fi
+        
+        echo "$BIN_DIR" >> "$GITHUB_PATH"
--- a/.github/actions/release-notes/Dockerfile
+++ b/.github/actions/release-notes/Dockerfile
@@ -1,6 +0,0 @@
-FROM stefanprodan/alpine-base:latest
-
-COPY entrypoint.sh /entrypoint.sh
-RUN chmod +x /entrypoint.sh
-
-ENTRYPOINT ["/entrypoint.sh"]
--- a/.github/actions/release-notes/action.yml
+++ b/.github/actions/release-notes/action.yml
@@ -1,9 +0,0 @@
-name: 'github-release-notes'
-description: 'A GitHub Action to run github-release-notes commands'
-author: 'Stefan Prodan'
-branding:
-  icon: 'command'
-  color: 'blue'
-runs:
-  using: 'docker'
-  image: 'Dockerfile'
--- a/.github/actions/release-notes/entrypoint.sh
+++ b/.github/actions/release-notes/entrypoint.sh
@@ -1,24 +0,0 @@
-#!/usr/bin/env bash
-
-set -o errexit
-set -o pipefail
-
-VERSION=0.2.0
-BIN_DIR="$GITHUB_WORKSPACE/bin"
-
-main() {
-  mkdir -p ${BIN_DIR}
-  tmpDir=$(mktemp -d)
-
-  pushd $tmpDir >& /dev/null
-
-  curl -sSL https://github.com/buchanae/github-release-notes/releases/download/${VERSION}/github-release-notes-linux-amd64-${VERSION}.tar.gz | tar xz
-  cp github-release-notes ${BIN_DIR}/github-release-notes
-
-  popd >& /dev/null
-  rm -rf $tmpDir
-}
-
-main
-echo "::add-path::$BIN_DIR"
-echo "::add-path::$RUNNER_WORKSPACE/$(basename $GITHUB_REPOSITORY)/bin"
--- a/.github/actions/runner-cleanup/action.yml
+++ b/.github/actions/runner-cleanup/action.yml
@@ -0,0 +1,24 @@
+name: Runner Cleanup
+description: A GitHub Action for removing bloat from Ubuntu GitHub Actions runner.
+author: Stefan Prodan
+branding:
+  color: blue
+  icon: command
+runs:
+  using: composite
+  steps:
+    - name: "Disk Usage Before Cleanup"
+      shell: bash
+      run: |
+        df -h
+    - name: "Remove .NET, Android and Haskell"
+      shell: bash
+      run: |
+        sudo rm -rf /usr/share/dotnet || true
+        sudo rm -rf /usr/local/lib/android || true
+        sudo rm -rf /opt/ghc || true
+        sudo rm -rf /usr/local/.ghcup || true
+    - name: "Disk Usage After Cleanup"
+      shell: bash
+      run: |
+        df -h
--- a/.github/dependabot.yaml
+++ b/.github/dependabot.yaml
@@ -0,0 +1,11 @@
+version: 2
+
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    groups:
+      actions:
+        patterns:
+          - "*"
+    schedule:
+      interval: "weekly"
--- a/.github/policy/kubernetes.rego
+++ b/.github/policy/kubernetes.rego
@@ -1,51 +0,0 @@
-package kubernetes
-
-name = input.metadata.name
-
-kind = input.kind
-
-is_service {
-	input.kind = "Service"
-}
-
-is_deployment {
-	input.kind = "Deployment"
-}
-
-is_pod {
-	input.kind = "Pod"
-}
-
-split_image(image) = [image, "latest"] {
-	not contains(image, ":")
-}
-
-split_image(image) = [image_name, tag] {
-	[image_name, tag] = split(image, ":")
-}
-
-pod_containers(pod) = all_containers {
-	keys = {"containers", "initContainers"}
-	all_containers = [c | keys[k]; c = pod.spec[k][_]]
-}
-
-containers[container] {
-	pods[pod]
-	all_containers = pod_containers(pod)
-	container = all_containers[_]
-}
-
-containers[container] {
-	all_containers = pod_containers(input)
-	container = all_containers[_]
-}
-
-pods[pod] {
-	is_deployment
-	pod = input.spec.template
-}
-
-pods[pod] {
-	is_pod
-	pod = input
-}
--- a/.github/policy/rules.rego
+++ b/.github/policy/rules.rego
@@ -1,43 +0,0 @@
-package main
-
-import data.kubernetes
-
-name = input.metadata.name
-
-# Deny containers with latest image tag
-deny[msg] {
-	kubernetes.containers[container]
-	[image_name, "latest"] = kubernetes.split_image(container.image)
-	msg = sprintf("%s in the %s %s has an image %s, using the latest tag", [container.name, kubernetes.kind, kubernetes.name, image_name])
-}
-
-# Deny services without app label selector
-service_labels {
-  input.spec.selector["app"]
-}
-deny[msg] {
-  kubernetes.is_service
-  not service_labels
-  msg = sprintf("Service %s should set app label selector", [name])
-}
-
-# Deny deployments without app label selector
-match_labels {
-  input.spec.selector.matchLabels["app"]
-}
-deny[msg] {
-  kubernetes.is_deployment
-  not match_labels
-  msg = sprintf("Service %s should set app label selector", [name])
-}
-
-# Warn if deployments have no prometheus pod annotations
-annotations {
-  input.spec.template.metadata.annotations["prometheus.io/scrape"]
-  input.spec.template.metadata.annotations["prometheus.io/port"]
-}
-warn[msg] {
-  kubernetes.is_deployment
-  not annotations
-  msg = sprintf("Deployment %s should set prometheus.io/scrape and prometheus.io/port pod annotations", [name])
-}
--- a/.github/workflows/cve-scan.yml
+++ b/.github/workflows/cve-scan.yml
@@ -1,23 +1,25 @@
 name: cve-scan

 on:
+  workflow_dispatch:
  push:
    branches:
-      - 'master'
+      - "master"
+  pull_request:
+    branches:
+      - "master"
+
+permissions:
+  contents: read

 jobs:
-  trivy:
+  govulncheck:
    runs-on: ubuntu-latest
    steps:
-      - name: Checkout
-        uses: actions/checkout@v2
-      - name: Build image
-        id: build
-        run: |
-          IMAGE=test/podinfo:${GITHUB_SHA}
-          docker build -t ${IMAGE} .
-          echo "::set-output name=image::$IMAGE"
-      - name: Scan image
-        uses: docker://docker.io/aquasec/trivy:latest
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: ./.github/actions/runner-cleanup
+      - name: Vulnerability scan
+        id: govulncheck
+        uses: golang/govulncheck-action@b625fbe08f3bccbe446d94fbf87fcc875a4f50ee # v1.0.4
        with:
-          args: --cache-dir /var/lib/trivy --no-progress --exit-code 1 --severity MEDIUM,HIGH,CRITICAL ${{ steps.build.outputs.image }}
+          repo-checkout: false
--- a/.github/workflows/e2e.yml
+++ b/.github/workflows/e2e.yml
@@ -6,45 +6,75 @@ on:
    branches:
      - 'master'

+permissions:
+  contents: read
+
 jobs:
  kind-helm:
-    strategy:
-      matrix:
-        helm-version:
-          - 2.16.6
-          - 3.2.1
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
-        uses: actions/checkout@v2
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - name: Disk Cleanup
+        uses: ./.github/actions/runner-cleanup
      - name: Setup Kubernetes
-        uses: engineerd/setup-kind@v0.4.0
+        uses: helm/kind-action@ef37e7f390d99f746eb8b610417061a60e82a6cc # v1.14.0
+        with:
+          cluster_name: kind
      - name: Build container image
        run: |
-          GIT_COMMIT=$(git rev-list -1 HEAD) && \
-          docker build -t test/podinfo:latest --build-arg "REVISION=${GIT_COMMIT}" .
+          ./test/build.sh
          kind load docker-image test/podinfo:latest
      - name: Setup Helm
-        uses: ./.github/actions/helm
+        uses: azure/setup-helm@dda3372f752e03dde6b3237bc9431cdc2f7a02a2 # v5.0.0
        with:
-          helm-version: ${{ matrix.helm-version }}
-      - name: Install Tiller
-        if: ${{ startsWith(matrix.helm-version, '2') }}
-        run: |
-          kubectl --namespace kube-system create sa tiller
-          kubectl create clusterrolebinding tiller-cluster-rule --clusterrole=cluster-admin --serviceaccount=kube-system:tiller
-          helm init --service-account tiller --upgrade --wait
+          version: v4.1.0
      - name: Deploy
-        run: |
-          helm upgrade -i podinfo ./charts/podinfo \
-          --set image.repository=test/podinfo \
-          --set image.tag=latest \
-          --namespace=default
+        run: ./test/deploy.sh
      - name: Run integration tests
-        run: |
-          kubectl rollout status deployment/podinfo --timeout=1m
-          helm test podinfo
+        run: ./test/test.sh
      - name: Debug failure
        if: failure()
        run: |
          kubectl logs -l app=podinfo || true
+  kind-timoni:
+    runs-on: ubuntu-latest
+    services:
+      registry:
+        image: registry:2
+        ports:
+          - 5000:5000
+    env:
+      PODINFO_IMAGE_URL: "test/podinfo"
+      PODINFO_MODULE_URL: "oci://localhost:5000/podinfo"
+      PODINFO_VERSION: "0.0.0-devel"
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: ./.github/actions/runner-cleanup
+      - name: Setup Timoni
+        uses: stefanprodan/timoni/actions/setup@c68e33a34f17c7ca93c7fc6717d61a14819276dc # v0.26.0
+      - name: Setup Kubernetes
+        uses: helm/kind-action@ef37e7f390d99f746eb8b610417061a60e82a6cc # v1.14.0
+        with:
+          cluster_name: kind
+      - name: Build container
+        run: |
+          docker build -t ${PODINFO_IMAGE_URL}:${PODINFO_VERSION} --build-arg "REVISION=${GITHUB_SHA}"  -f Dockerfile.xx .
+          kind load docker-image ${PODINFO_IMAGE_URL}:${PODINFO_VERSION}
+      - name: Vet module
+        run: |
+          timoni mod vet ./timoni/podinfo --debug
+      - name: Build module
+        run: |
+          timoni mod push ./timoni/podinfo ${PODINFO_MODULE_URL} -v ${PODINFO_VERSION}
+      - name: Apply bundle
+        run: |
+          timoni bundle apply -f ./timoni/bundles/test.podinfo.cue --runtime-from-env
+      - name: Verify status
+        run: |
+          timoni -n podinfo status backend
+          timoni -n podinfo status frontend
+      - name: Debug failure
+        if: failure()
+        run: |
+          kubectl -n podinfo get all || true
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -2,45 +2,170 @@ name: release

 on:
  push:
-    tags: '*'
+    tags:
+      - '*'
+
+permissions:
+  contents: read

 jobs:
  release:
    runs-on: ubuntu-latest
+    permissions:
+      contents: write # needed to write releases
+      id-token: write # needed for keyless signing
+      packages: write # needed for ghcr access
+      attestations: write # needed for provenance
    steps:
-      - uses: actions/checkout@v2
-      - uses: crazy-max/ghaction-docker-buildx@v1
-      - name: Publish multi-arch image
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: ./.github/actions/runner-cleanup
+      - uses: sigstore/cosign-installer@cad07c2e89fa2edd6e2d7bab4c1aa38e53f76003 # v4.1.1
+      - uses: fluxcd/flux2/action@871be9b40d53627786d3a3835a3ddba1e3234bd2 # v2.8.3
+      - uses: stefanprodan/timoni/actions/setup@c68e33a34f17c7ca93c7fc6717d61a14819276dc # v0.26.0
+      - name: Setup Notation CLI
+        uses: notaryproject/notation-action/setup@b6fee73110795d6793253c673bd723f12bcf9bbb # v1.2.2
+        with:
+          version: "1.1.0"
+      - name: Setup Notation signing keys
        run: |
-          echo "${{ secrets.DOCKER_PASSWORD }}" | docker login --username "${{ secrets.DOCKER_USERNAME }}" --password-stdin
-          docker buildx build --platform "linux/amd64,linux/arm/v6,linux/arm/v7,linux/arm64" \
-            --output "type=image,push=true" \
-            --build-arg "REVISION=${GITHUB_SHA}" \
-            --build-arg "VERSION=${GITHUB_REF#refs/tags/}" \
-            --build-arg "BUILD_DATE=$(date -u +'%Y-%m-%dT%H:%M:%SZ')" \
-            --tag "docker.io/stefanprodan/podinfo:${GITHUB_REF#refs/tags/}" \
-            --tag "docker.io/stefanprodan/podinfo:latest" \
-            --file Dockerfile .
-      - name: Publish base image
-        uses: docker/build-push-action@v1
+          mkdir -p ~/.config/notation/localkeys/
+          cp ./.notation/signingkeys.json ~/.config/notation/
+          cp ./.notation/notation.crt ~/.config/notation/localkeys/
+          echo "$NOTATION_KEY" > ~/.config/notation/localkeys/notation.key
+        env:
+          NOTATION_KEY: ${{ secrets.NOTATION_SIGNING_KEY }}
+      - name: Setup Go
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+        with:
+          go-version: 1.26.x
+      - name: Setup Helm
+        uses: azure/setup-helm@dda3372f752e03dde6b3237bc9431cdc2f7a02a2 # v5.0.0
+        with:
+          version: v4.1.1
+      - name: Setup QEMU
+        uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
+        with:
+          platforms: all
+      - name: Setup Docker Buildx
+        id: buildx
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Login to Docker Hub
+        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
        with:
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_PASSWORD }}
-          repository: stefanprodan/podinfo-base
-          tags: latest
+      - name: Prepare
+        id: prep
+        run: |
+          VERSION=sha-${GITHUB_SHA::8}
+          if [[ $GITHUB_REF == refs/tags/* ]]; then
+            VERSION=${GITHUB_REF/refs\/tags\//}
+          fi
+          echo "BUILD_DATE=$(date -u +'%Y-%m-%dT%H:%M:%SZ')" >> $GITHUB_OUTPUT
+          echo "VERSION=${VERSION}" >> $GITHUB_OUTPUT
+          echo "REVISION=${GITHUB_SHA}" >> $GITHUB_OUTPUT
+      - name: Generate images meta
+        id: meta
+        uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0
+        with:
+          images: |
+            docker.io/stefanprodan/podinfo
+            ghcr.io/stefanprodan/podinfo
+          tags: |
+            type=raw,value=${{ steps.prep.outputs.VERSION }}
+            type=raw,value=latest
+      - name: Publish multi-arch image
+        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
+        with:
+          sbom: true
+          provenance: true
+          push: true
+          builder: ${{ steps.buildx.outputs.name }}
+          context: .
+          file: ./Dockerfile.xx
+          build-args: |
+            REVISION=${{ steps.prep.outputs.REVISION }}
+          platforms: linux/amd64,linux/arm/v7,linux/arm64
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+      - name: Publish Timoni module to GHCR
+        run: |
+          timoni mod push ./timoni/podinfo oci://ghcr.io/stefanprodan/modules/podinfo \
+          --sign cosign \
+          --version ${{ steps.prep.outputs.VERSION }} \
+          -a 'org.opencontainers.image.source=https://github.com/stefanprodan/podinfo' \
+          -a 'org.opencontainers.image.licenses=Apache-2.0' \
+          -a 'org.opencontainers.image.description=A timoni.sh module for deploying Podinfo.' \
+          -a 'org.opencontainers.image.documentation=https://github.com/stefanprodan/podinfo/blob/main/timoni/podinfo/README.md'
+      - name: Publish Helm chart to GHCR
+        run: |
+          helm package charts/podinfo
+          helm push podinfo-${{ steps.prep.outputs.VERSION }}.tgz oci://ghcr.io/stefanprodan/charts
+          rm podinfo-${{ steps.prep.outputs.VERSION }}.tgz
+      - name: Publish Flux OCI artifact to GHCR
+        run: |
+          flux push artifact oci://ghcr.io/stefanprodan/manifests/podinfo:${{ steps.prep.outputs.VERSION }} \
+            --path="./kustomize" \
+            --source="${{ github.event.repository.html_url }}" \
+            --revision="${GITHUB_REF_NAME}/${GITHUB_SHA}"
+          flux tag artifact oci://ghcr.io/stefanprodan/manifests/podinfo:${{ steps.prep.outputs.VERSION }} --tag latest
+      - name: Sign artifacts with Cosign
+        env:
+          COSIGN_EXPERIMENTAL: 1
+        run: |
+          cosign sign docker.io/stefanprodan/podinfo:${{ steps.prep.outputs.VERSION }} --yes
+          cosign sign ghcr.io/stefanprodan/podinfo:${{ steps.prep.outputs.VERSION }} --yes
+          cosign sign ghcr.io/stefanprodan/charts/podinfo:${{ steps.prep.outputs.VERSION }} --yes
+          cosign sign ghcr.io/stefanprodan/manifests/podinfo:${{ steps.prep.outputs.VERSION }} --yes
+      - name: Publish base image
+        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
+        with:
+          push: true
+          builder: ${{ steps.buildx.outputs.name }}
+          context: .
+          platforms: linux/amd64
+          file: ./Dockerfile.base
+          tags: docker.io/stefanprodan/podinfo-base:latest
      - name: Publish helm chart
-        uses: stefanprodan/helm-gh-pages@master
+        uses: stefanprodan/helm-gh-pages@0ad2bb377311d61ac04ad9eb6f252fb68e207260 # v1.7.0
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
-      - uses: ./.github/actions/release-notes
-      - name: Generate release notes
+      - name: Publish config artifact
        run: |
-          echo 'CHANGELOG' > /tmp/release.txt
-          github-release-notes -org stefanprodan -repo podinfo -since-latest-release >> /tmp/release.txt
+          flux push artifact oci://ghcr.io/stefanprodan/podinfo-deploy:${{ steps.prep.outputs.VERSION }} \
+            --path="./kustomize" \
+            --source="${{ github.event.repository.html_url }}" \
+            --revision="${GITHUB_REF_NAME}/${GITHUB_SHA}"
+          flux tag artifact oci://ghcr.io/stefanprodan/podinfo-deploy:${{ steps.prep.outputs.VERSION }} --tag latest
+      - name: Sign config artifact with cso
+        run: |
+          echo "$COSIGN_KEY" > /tmp/cosign.key
+          cosign sign -key /tmp/cosign.key ghcr.io/stefanprodan/podinfo-deploy:${{ steps.prep.outputs.VERSION }} --yes
+          cosign sign -key /tmp/cosign.key ghcr.io/stefanprodan/podinfo-deploy:latest --yes
+        env:
+          COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}}
+          COSIGN_KEY: ${{secrets.COSIGN_KEY}}
+      - name: Sign artifacts with Notation
+        run: |
+          notation sign --signature-format cose ghcr.io/stefanprodan/podinfo:${{ steps.prep.outputs.VERSION }}
+          notation sign --signature-format cose ghcr.io/stefanprodan/charts/podinfo:${{ steps.prep.outputs.VERSION }}
+          notation sign --signature-format cose ghcr.io/stefanprodan/manifests/podinfo:${{ steps.prep.outputs.VERSION }}
+          notation sign --signature-format cose ghcr.io/stefanprodan/podinfo-deploy:${{ steps.prep.outputs.VERSION }}
+          notation sign --signature-format cose ghcr.io/stefanprodan/podinfo-deploy:latest
      - name: Publish release
-        uses: goreleaser/goreleaser-action@v1
+        uses: goreleaser/goreleaser-action@ec59f474b9834571250b370d4735c50f8e2d1e29 # v7.0.0
        with:
          version: latest
-          args: release --release-notes=/tmp/release.txt
+          args: release --skip=validate
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - name: Attest release
+        uses: actions/attest@59d89421af93a897026c735860bf21b6eb4f7b26 # v4.1.0
+        with:
+          subject-checksums: ./dist/podinfo_${{ steps.prep.outputs.VERSION }}_checksums.txt
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -6,38 +6,68 @@ on:
    branches:
      - 'master'

+permissions:
+  contents: read
+
+env:
+  KUBERNETES_VERSION: 1.35.0
+  HELM_VERSION: 4.1.1
+
 jobs:
  test:
    runs-on: ubuntu-latest
    steps:
-      - name: Checkout
-        uses: actions/checkout@v2
-      - name: Restore Go cache
-        uses: actions/cache@v1
-        with:
-          path: ~/go/pkg/mod
-          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
-          restore-keys: ${{ runner.os }}-go-
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: ./.github/actions/runner-cleanup
      - name: Setup Go
-        uses: actions/setup-go@v2
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        with:
-          go-version: 1.14.x
+          go-version: 1.26.x
+          cache-dependency-path: |
+            **/go.sum
+            **/go.mod
+      - name: Setup kubectl
+        uses: azure/setup-kubectl@15650b3ad78fff148532a140b8a4c821796b2d7b # v5.0.0
+        with:
+          version: v${{ env.KUBERNETES_VERSION }}
+      - name: Setup kubeconform
+        uses: ./.github/actions/kubeconform
+      - name: Setup Helm
+        uses: azure/setup-helm@dda3372f752e03dde6b3237bc9431cdc2f7a02a2 # v5.0.0
+        with:
+          version: v${{ env.HELM_VERSION }}
+      - name: Setup CUE
+        uses: cue-lang/setup-cue@a93fa358375740cd8b0078f76355512b9208acb1 # v1.0.1
+      - name: Setup Timoni
+        uses: stefanprodan/timoni/actions/setup@c68e33a34f17c7ca93c7fc6717d61a14819276dc # v0.26.0
      - name: Run unit tests
        run: make test
+      - name: Validate Helm chart
+        run: |
+          helm lint ./charts/podinfo/
+          helm template ./charts/podinfo/ | kubeconform -strict -summary -kubernetes-version ${{ env.KUBERNETES_VERSION }}
+      - name: Validate Kustomize overlay
+        run: |
+          kubectl kustomize ./kustomize/ | kubeconform -strict -summary -kubernetes-version ${{ env.KUBERNETES_VERSION }}
+      - name: Verify CUE formatting
+        working-directory: ./timoni/podinfo
+        run: |
+          cue fmt ./...
+          status=$(git status . --porcelain)
+          [[ -z "$status" ]] || {
+            echo "CUE files are not correctly formatted"
+            echo "$status"
+            git diff
+            exit 1
+          }
+      - name: Validate Timoni module
+        working-directory: ./timoni/podinfo
+        run: |
+          timoni mod lint . 
+          timoni build podinfo . -f test_values.cue | kubeconform -strict -summary -skip=ServiceMonitor -kubernetes-version ${{ env.KUBERNETES_VERSION }}
      - name: Check if working tree is dirty
        run: |
          if [[ $(git diff --stat) != '' ]]; then
            echo 'run make test and commit changes'
            exit 1
          fi
-      - name: Validate Helm chart
-        uses: stefanprodan/kube-tools@v1
-        with:
-          command: |
-            helmv3 template ./charts/podinfo | kubeval --strict
-      - name: Validate kustomization
-        uses: stefanprodan/kube-tools@v1
-        with:
-          command: |
-            kustomize build ./kustomize | kubeval --strict
-            kustomize build ./kustomize | conftest test -p .github/policy -
--- a/.gitignore
+++ b/.gitignore
@@ -19,4 +19,10 @@ release/
 build/
 gcloud/
 dist/
-bin/
+bin/
+cue/cue.mod/gen/
+cue/go.mod
+cue/go.sum
+
+.notation/podinfo.csr
+.notation/podinfo.key
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@@ -1,3 +1,18 @@
+version: 2
+
+# xref: https://goreleaser.com/customization/project/
+project_name: podinfo
+
+# xref: https://goreleaser.com/customization/hooks/
+before:
+  hooks:
+    - go mod download
+
+# xref: https://goreleaser.com/customization/env/
+env:
+  - CGO_ENABLED=0
+
+# xref: https://goreleaser.com/customization/build/
 builds:
  - main: ./cmd/podcli
    binary: podcli
@@ -8,9 +23,13 @@ builds:
      - linux
    goarch:
      - amd64
-    env:
-      - CGO_ENABLED=0
+
+# xref: https://goreleaser.com/customization/archive/
 archives:
  - name_template: "{{ .Binary }}_{{ .Version }}_{{ .Os }}_{{ .Arch }}"
    files:
-      - none*
+      - LICENSE
+
+# xref: https://goreleaser.com/customization/changelog/
+changelog:
+  use: github-native
--- a/.notation/README.md
+++ b/.notation/README.md
@@ -0,0 +1,15 @@
+# Podinfo signed releases
+
+Podinfo release assets such as the Helm chart and the Flux artifact
+are published to GitHub Container Registry and are signed with
+[Notation](https://github.com/notaryproject/notation).
+
+## Generate signing keys
+
+Generate a new signing key pair:
+
+```sh
+openssl genrsa -out podinfo.key 2048
+openssl req -new -key podinfo.key -out podinfo.csr -config codesign.cnf
+openssl x509 -req -days 1826 -in podinfo.csr -signkey podinfo.key -out notation.crt -extensions v3_req -extfile codesign.cnf
+```
--- a/.notation/codesign.cnf
+++ b/.notation/codesign.cnf
@@ -0,0 +1,18 @@
+[ req ]
+default_bits           = 2048
+default_keyfile        = privatekey.pem
+distinguished_name     = req_distinguished_name
+req_extensions         = v3_req
+prompt                 = no
+
+[ req_distinguished_name ]
+C                      = RO
+ST                     = BU
+L                      = Bucharest
+O                      = Notary
+CN                     = stefanprodan.com
+
+[ v3_req ]
+keyUsage               = critical,digitalSignature
+extendedKeyUsage       = critical,codeSigning
+#subjectKeyIdentifier  = hash
--- a/.notation/notation.crt
+++ b/.notation/notation.crt
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDbDCCAlSgAwIBAgIUP7zhmTw5XTWLcgBGkBEsErMOkz4wDQYJKoZIhvcNAQEL
+BQAwWjELMAkGA1UEBhMCUk8xCzAJBgNVBAgMAkJVMRIwEAYDVQQHDAlCdWNoYXJl
+c3QxDzANBgNVBAoMBk5vdGFyeTEZMBcGA1UEAwwQc3RlZmFucHJvZGFuLmNvbTAe
+Fw0yNDAyMjUxMDAyMzZaFw0yOTAyMjQxMDAyMzZaMFoxCzAJBgNVBAYTAlJPMQsw
+CQYDVQQIDAJCVTESMBAGA1UEBwwJQnVjaGFyZXN0MQ8wDQYDVQQKDAZOb3Rhcnkx
+GTAXBgNVBAMMEHN0ZWZhbnByb2Rhbi5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IB
+DwAwggEKAoIBAQDtH4oPi3SyX/DGv6NdjIvmApvD9eeSgsmHdwpAly8T9D2me+fx
+Z+wRNJmq4aq/A1anX+Sg28iwHzV+1WKpsHnjYzDAJSEYP2S8A5H1nGRKUoibdijw
+C3QBh5C75rjF/tmZVSX/Vgbf3HJJEsF4WUxWabLxoV2QLo7UlEsQd9+bSeKNMncx
+1+E6FdbRCrYo90iobvZJ8K/S2zCWq/JTeHfTnmSEDhx6nMJcaSjvMPn3zyauWcQw
+dDpkcaGiJ64fEJRT2OFxXv9u+vDmIMKzo/Wjbd+IzFj6YY4VisK88aU7tmDelnk5
+gQB9eu62PFoaVsYJp4VOhblFKvGJpQwbWB9BAgMBAAGjKjAoMA4GA1UdDwEB/wQE
+AwIHgDAWBgNVHSUBAf8EDDAKBggrBgEFBQcDAzANBgkqhkiG9w0BAQsFAAOCAQEA
+6x+C6hAIbLwMvkNx4K5p7Qe/pLQR0VwQFAw10yr/5KSN+YKFpon6pQ0TebL7qll+
+uBGZvtQhN6v+DlnVqB7lvJKd+89isgirkkews5KwuXg7Gv5UPIugH0dXISZU8DMJ
+7J4oKREv5HzdFmfsUfNlQcfyVTjKL6UINXfKGdqNNxXxR9b4a1TY2JcmEhzBTHaq
+ZqX6HK784a0dB7aHgeFrFwPCCP4M684Hs7CFbk3jo2Ef4ljnB5AyWpe8pwCLMdRt
+UjSjL5xJWVQvRU+STQsPr6SvpokPCG4rLQyjgeYYk4CCj5piSxbSUZFavq8v1y7Y
+m91USVqfeUX7ZzjDxPHE2A==
+-----END CERTIFICATE-----
--- a/.notation/signingkeys.json
+++ b/.notation/signingkeys.json
@@ -0,0 +1,10 @@
+{
+    "default": "stefanprodan.com",
+    "keys": [
+        {
+            "name": "stefanprodan.com",
+            "keyPath": "/home/runner/.config/notation/localkeys/notation.key",
+            "certPath": "/home/runner/.config/notation/localkeys/notation.crt"
+        }
+    ]
+}
--- a/.notation/trustpolicy.json
+++ b/.notation/trustpolicy.json
@@ -0,0 +1,19 @@
+{
+    "version": "1.0",
+    "trustPolicies": [
+        {
+            "name": "stefanprodan.com",
+            "registryScopes": [
+                "ghcr.io/stefanprodan/podinfo-deploy",
+                "ghcr.io/stefanprodan/charts/podinfo"
+            ],
+            "signatureVerification": {
+                "level" : "strict"
+            },
+            "trustStores": [ "ca:stefanprodan.com" ],
+            "trustedIdentities": [
+                "x509.subject: C=RO, ST=BU, L=Bucharest, O=Notary, CN=stefanprodan.com"
+            ]
+        }
+    ]
+}
--- a/17
+++ b/17
@@ -1,4 +1,4 @@
-FROM golang:1.14-alpine as builder
+FROM golang:1.26-alpine AS builder

 ARG REVISION

@@ -18,25 +18,16 @@ RUN CGO_ENABLED=0 go build -ldflags "-s -w \
    -X github.com/stefanprodan/podinfo/pkg/version.REVISION=${REVISION}" \
    -a -o bin/podcli cmd/podcli/*

-FROM alpine:3.12
+FROM alpine:3.23

 ARG BUILD_DATE
 ARG VERSION
 ARG REVISION

-LABEL maintainer="stefanprodan" \
-  org.opencontainers.image.created=$BUILD_DATE \
-  org.opencontainers.image.url="https://github.com/stefanprodan/podinfo" \
-  org.opencontainers.image.source="https://github.com/stefanprodan/podinfo" \
-  org.opencontainers.image.version=$VERSION \
-  org.opencontainers.image.revision=$REVISION \
-  org.opencontainers.image.vendor="stefanprodan" \
-  org.opencontainers.image.title="podinfo" \
-  org.opencontainers.image.description="Go microservice template for Kubernetes" \
-  org.opencontainers.image.licenses="MIT"
+LABEL maintainer="stefanprodan"

 RUN addgroup -S app \
-    && adduser -S -g app app \
+    && adduser -S -G app app \
    && apk --no-cache add \
    ca-certificates curl netcat-openbsd

--- a/Dockerfile.base
+++ b/Dockerfile.base
@@ -1,4 +1,4 @@
-FROM golang:1.14
+FROM golang:1.26

 WORKDIR /workspace

--- a/Dockerfile.xx
+++ b/Dockerfile.xx
@@ -0,0 +1,53 @@
+ARG GO_VERSION=1.26
+ARG XX_VERSION=1.9.0
+
+FROM --platform=$BUILDPLATFORM tonistiigi/xx:${XX_VERSION} AS xx
+
+FROM --platform=$BUILDPLATFORM golang:${GO_VERSION}-alpine as builder
+
+# Copy the build utilities.
+COPY --from=xx / /
+
+ARG TARGETPLATFORM
+ARG REVISION
+
+RUN mkdir -p /podinfo/
+
+WORKDIR /podinfo
+
+COPY . .
+
+RUN go mod download
+
+ENV CGO_ENABLED=0
+RUN xx-go build -ldflags "-s -w \
+    -X github.com/stefanprodan/podinfo/pkg/version.REVISION=${REVISION}" \
+    -a -o bin/podinfo cmd/podinfo/*
+
+RUN xx-go build -ldflags "-s -w \
+    -X github.com/stefanprodan/podinfo/pkg/version.REVISION=${REVISION}" \
+    -a -o bin/podcli cmd/podcli/*
+
+FROM alpine:3.23
+
+ARG BUILD_DATE
+ARG VERSION
+ARG REVISION
+
+LABEL maintainer="stefanprodan"
+
+RUN addgroup -S app \
+    && adduser -S -G app app \
+    && apk --no-cache add \
+    ca-certificates curl netcat-openbsd
+
+WORKDIR /home/app
+
+COPY --from=builder /podinfo/bin/podinfo .
+COPY --from=builder /podinfo/bin/podcli /usr/local/bin/podcli
+COPY ./ui ./ui
+RUN chown -R app:app ./
+
+USER app
+
+CMD ["./podinfo"]
--- a/214
+++ b/214
@@ -1,21 +1,201 @@
-MIT License
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/

-Copyright (c) 2018 Stefan Prodan
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION

-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
+   1. Definitions.

-The above copyright notice and this permission notice shall be included in all
-copies or substantial portions of the Software.
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.

-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-SOFTWARE.
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright 2018 Stefan Prodan. All rights reserved.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
--- a/60
+++ b/60
@@ -15,16 +15,22 @@ run:
 	--level=debug --grpc-port=9999 --backend-url=https://httpbin.org/status/401 --backend-url=https://httpbin.org/status/500 \
 	--ui-logo=https://raw.githubusercontent.com/stefanprodan/podinfo/gh-pages/cuddle_clap.gif $(EXTRA_RUN_ARGS)

-test:
-	go test -v -race ./...
+.PHONY: test
+test: tidy fmt vet
+	go test ./... -coverprofile cover.out

 build:
 	GIT_COMMIT=$$(git rev-list -1 HEAD) && CGO_ENABLED=0 go build  -ldflags "-s -w -X github.com/stefanprodan/podinfo/pkg/version.REVISION=$(GIT_COMMIT)" -a -o ./bin/podinfo ./cmd/podinfo/*
 	GIT_COMMIT=$$(git rev-list -1 HEAD) && CGO_ENABLED=0 go build  -ldflags "-s -w -X github.com/stefanprodan/podinfo/pkg/version.REVISION=$(GIT_COMMIT)" -a -o ./bin/podcli ./cmd/podcli/*

+tidy:
+	rm -f go.sum; go mod tidy -compat=1.26
+
+vet:
+	go vet ./...
+
 fmt:
-	gofmt -l -s -w ./
-	goimports -l -w ./
+	go fmt ./...

 build-charts:
 	helm lint charts/*
@@ -33,6 +39,13 @@ build-charts:
 build-container:
 	docker build -t $(DOCKER_IMAGE_NAME):$(VERSION) .

+build-xx:
+	docker buildx build \
+	--platform=linux/amd64 \
+	-t $(DOCKER_IMAGE_NAME):$(VERSION) \
+	--load \
+	-f Dockerfile.xx .
+
 build-base:
 	docker build -f Dockerfile.base -t $(DOCKER_REPOSITORY)/podinfo-base:latest .

@@ -58,21 +71,34 @@ push-container:
 version-set:
 	@next="$(TAG)" && \
 	current="$(VERSION)" && \
-	sed -i '' "s/$$current/$$next/g" pkg/version/version.go && \
-	sed -i '' "s/tag: $$current/tag: $$next/g" charts/podinfo/values.yaml && \
-	sed -i '' "s/appVersion: $$current/appVersion: $$next/g" charts/podinfo/Chart.yaml && \
-	sed -i '' "s/version: $$current/version: $$next/g" charts/podinfo/Chart.yaml && \
-	sed -i '' "s/podinfo:$$current/podinfo:$$next/g" kustomize/deployment.yaml && \
-	sed -i '' "s/podinfo:$$current/podinfo:$$next/g" deploy/webapp/frontend/deployment.yaml && \
-	sed -i '' "s/podinfo:$$current/podinfo:$$next/g" deploy/webapp/backend/deployment.yaml && \
-	sed -i '' "s/podinfo:$$current/podinfo:$$next/g" deploy/bases/frontend/deployment.yaml && \
-	sed -i '' "s/podinfo:$$current/podinfo:$$next/g" deploy/bases/backend/deployment.yaml && \
-	echo "Version $$next set in code, deployment, chart and kustomize"
+	/usr/bin/sed -i '' "s/$$current/$$next/g" pkg/version/version.go && \
+	/usr/bin/sed -i '' "s/tag: $$current/tag: $$next/g" charts/podinfo/values.yaml && \
+	/usr/bin/sed -i '' "s/tag: $$current/tag: $$next/g" charts/podinfo/values-prod.yaml && \
+	/usr/bin/sed -i '' "s/appVersion: $$current/appVersion: $$next/g" charts/podinfo/Chart.yaml && \
+	/usr/bin/sed -i '' "s/version: $$current/version: $$next/g" charts/podinfo/Chart.yaml && \
+	/usr/bin/sed -i '' "s/podinfo:$$current/podinfo:$$next/g" kustomize/deployment.yaml && \
+	/usr/bin/sed -i '' "s/podinfo:$$current/podinfo:$$next/g" deploy/webapp/frontend/deployment.yaml && \
+	/usr/bin/sed -i '' "s/podinfo:$$current/podinfo:$$next/g" deploy/webapp/backend/deployment.yaml && \
+	/usr/bin/sed -i '' "s/podinfo:$$current/podinfo:$$next/g" deploy/bases/frontend/deployment.yaml && \
+	/usr/bin/sed -i '' "s/podinfo:$$current/podinfo:$$next/g" deploy/bases/backend/deployment.yaml && \
+	/usr/bin/sed -i '' "s/podinfo:$$current/podinfo:$$next/g" deploy/bases/database/statefulset-primary.yaml && \
+	/usr/bin/sed -i '' "s/podinfo:$$current/podinfo:$$next/g" deploy/bases/database/deployment-replica.yaml && \
+	/usr/bin/sed -i '' "s/podinfo:$$current/podinfo:$$next/g" deploy/bases/database/cronjob-rollup-daily.yaml && \
+	/usr/bin/sed -i '' "s/podinfo:$$current/podinfo:$$next/g" deploy/bases/database/cronjob-rollup-weekly.yaml && \
+	/usr/bin/sed -i '' "s/podinfo:$$current/podinfo:$$next/g" deploy/bases/database/cronjob-backup-daily.yaml && \
+	/usr/bin/sed -i '' "s/$$current/$$next/g" timoni/podinfo/values.cue && \
+	echo "Version $$next set in code, deployment, module, chart and kustomize"

 release:
-	git tag $(VERSION)
+	git tag -s -m $(VERSION) $(VERSION)
 	git push origin $(VERSION)

 swagger:
-	go get github.com/swaggo/swag/cmd/swag
-	cd pkg/api && $$(go env GOPATH)/bin/swag init -g server.go
+	go install github.com/swaggo/swag/cmd/swag@latest
+	go get github.com/swaggo/swag/gen@latest
+	go get github.com/swaggo/swag/cmd/swag@latest
+	cd pkg/api/http && $$(go env GOPATH)/bin/swag init -g server.go
+
+.PHONY: timoni-build
+timoni-build:
+	@timoni build podinfo ./timoni/podinfo -f ./timoni/podinfo/debug_values.cue
--- a/README.md
+++ b/README.md
@@ -7,24 +7,25 @@
 [![Docker Pulls](https://img.shields.io/docker/pulls/stefanprodan/podinfo)](https://hub.docker.com/r/stefanprodan/podinfo)

 Podinfo is a tiny web application made with Go that showcases best practices of running microservices in Kubernetes.
+Podinfo is used by CNCF projects like [Flux](https://github.com/fluxcd/flux2) and [Flagger](https://github.com/fluxcd/flagger)
+for end-to-end testing and workshops.

 Specifications:

 * Health checks (readiness and liveness)
 * Graceful shutdown on interrupt signals
 * File watcher for secrets and configmaps
-* Instrumented with Prometheus
-* Tracing with Istio and Jaeger
-* Linkerd service profile
+* Instrumented with Prometheus and Open Telemetry
 * Structured logging with zap 
 * 12-factor app with viper
 * Fault injection (random errors and latency)
 * Swagger docs
-* Helm and Kustomize installers
+* Timoni, Helm and Kustomize installers
 * End-to-End testing with Kubernetes Kind and Helm
-* Kustomize testing with GitHub Actions and Open Policy Agent
-* Multi-arch container image with Docker buildx and Github Actions
-* CVE scanning with trivy
+* Multi-arch container image with Docker buildx and GitHub Actions
+* Container image signing with Sigstore cosign
+* SBOMs and SLSA Provenance embedded in the container image
+* CVE scanning with govulncheck

 Web API:

@@ -56,6 +57,16 @@ Web API:
 gRPC API:

 * `/grpc.health.v1.Health/Check` health checking
+* `/grpc.EchoService/Echo` echos the received content
+* `/grpc.VersionService/Version` returns podinfo version and Git commit hash
+* `/grpc.DelayService/Delay` returns a successful response after the given seconds in the body of gRPC request
+* `/grpc.EnvService/Env` returns environment variables as a JSON array
+* `/grpc.HeaderService/Header` returns the headers present in the gRPC request. Any custom header can also be given as a part of request and that can be returned using this API
+* `/grpc.InfoService/Info` returns the runtime information
+* `/grpc.PanicService/Panic` crashes the process with gRPC status code as '1 CANCELLED'
+* `/grpc.StatusService/Status` returns the gRPC Status code given in the request body
+* `/grpc.TokenService/TokenGenerate` issues a JWT token valid for one minute
+* `/grpc.TokenService/TokenValidate` validates the JWT token

 Web UI:

@@ -65,17 +76,26 @@ To access the Swagger UI open `<podinfo-host>/swagger/index.html` in a browser.

 ### Guides

-* [GitOps Progressive Deliver with Flagger, Helm v3 and Linkerd](https://helm.workshop.flagger.dev/intro/)
-* [GitOps Progressive Deliver on EKS with Flagger and AppMesh](https://eks.handson.flagger.dev/prerequisites/)
-* [Automated canary deployments with Flagger and Istio](https://medium.com/google-cloud/automated-canary-deployments-with-flagger-and-istio-ac747827f9d1)
-* [Kubernetes autoscaling with Istio metrics](https://medium.com/google-cloud/kubernetes-autoscaling-with-istio-metrics-76442253a45a)
-* [Autoscaling EKS on Fargate with custom metrics](https://aws.amazon.com/blogs/containers/autoscaling-eks-on-fargate-with-custom-metrics/)
-* [Managing Helm releases the GitOps way](https://medium.com/google-cloud/managing-helm-releases-the-gitops-way-207a6ac6ff0e)
-* [Securing EKS Ingress With Contour And Let’s Encrypt The GitOps Way](https://aws.amazon.com/blogs/containers/securing-eks-ingress-contour-lets-encrypt-gitops/)
+* [Getting started with Timoni](https://timoni.sh/quickstart/)
+* [Getting started with Flux](https://fluxcd.io/flux/get-started/)
+* [Progressive Deliver with Flagger and Linkerd](https://docs.flagger.app/tutorials/linkerd-progressive-delivery)
+* [Automated canary deployments with Kubernetes Gateway API](https://docs.flagger.app/tutorials/gatewayapi-progressive-delivery)

 ### Install

-Helm:
+To install Podinfo on Kubernetes the minimum required version is **Kubernetes v1.23**.
+
+#### Timoni
+
+Install with [Timoni](https://timoni.sh):
+
+```bash
+timoni -n default apply podinfo oci://ghcr.io/stefanprodan/modules/podinfo
+```
+
+#### Helm
+
+Install from github.io:

 ```bash
 helm repo add podinfo https://stefanprodan.github.io/podinfo
@@ -86,23 +106,107 @@ helm upgrade --install --wait frontend \
 --set backend=http://backend-podinfo:9898/echo \
 podinfo/podinfo

-# Test pods have hook-delete-policy: hook-succeeded
-helm test frontend
+helm test frontend --namespace test

 helm upgrade --install --wait backend \
 --namespace test \
--set hpa.enabled=true \
+--set redis.enabled=true \
 podinfo/podinfo
 ```

-Kustomize:
+Install from ghcr.io:
+
+```bash
+helm upgrade --install --wait podinfo --namespace default \
+oci://ghcr.io/stefanprodan/charts/podinfo
+```
+
+#### Kustomize

 ```bash
 kubectl apply -k github.com/stefanprodan/podinfo//kustomize
 ```

-Docker:
+#### Docker

 ```bash
 docker run -dp 9898:9898 stefanprodan/podinfo
-```
+```
+
+### Continuous Delivery
+
+In order to install podinfo on a Kubernetes cluster and keep it up to date with the latest
+release in an automated manner, you can use [Flux](https://fluxcd.io).
+
+Install the Flux CLI on MacOS and Linux using Homebrew:
+
+```sh
+brew install fluxcd/tap/flux
+```
+
+Install the Flux controllers needed for Helm operations:
+
+```sh
+flux install \
+--namespace=flux-system \
+--network-policy=false \
+--components=source-controller,helm-controller
+```
+
+Add podinfo's Helm repository to your cluster and
+configure Flux to check for new chart releases every ten minutes:
+
+```sh
+flux create source helm podinfo \
+--namespace=default \
+--url=https://stefanprodan.github.io/podinfo \
+--interval=10m
+```
+
+Create a `podinfo-values.yaml` file locally:
+
+```sh
+cat > podinfo-values.yaml <<EOL
+replicaCount: 2
+resources:
+  limits:
+    memory: 256Mi
+  requests:
+    cpu: 100m
+    memory: 64Mi
+EOL
+```
+
+Create a Helm release for deploying podinfo in the default namespace:
+
+```sh
+flux create helmrelease podinfo \
+--namespace=default \
+--source=HelmRepository/podinfo \
+--release-name=podinfo \
+--chart=podinfo \
+--chart-version=">5.0.0" \
+--values=podinfo-values.yaml
+```
+
+Based on the above definition, Flux will upgrade the release automatically
+when a new version of podinfo is released. If the upgrade fails, Flux
+can [rollback](https://toolkit.fluxcd.io/components/helm/helmreleases/#configuring-failure-remediation)
+to the previous working version.
+
+You can check what version is currently deployed with:
+
+```sh
+flux get helmreleases -n default
+```
+
+To delete podinfo's Helm repository and release from your cluster run:
+
+```sh
+flux -n default delete source helm podinfo
+flux -n default delete helmrelease podinfo
+```
+
+If you wish to manage the lifecycle of your applications in a **GitOps** manner, check out
+this [workflow example](https://github.com/fluxcd/flux2-kustomize-helm-example)
+for multi-env deployments with Flux, Kustomize and Helm.
--- a/charts/podinfo/Chart.yaml
+++ b/charts/podinfo/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v1
-version: 4.0.5
-appVersion: 4.0.5
+version: 6.11.2
+appVersion: 6.11.2
 name: podinfo
 engine: gotpl
 description: Podinfo Helm chart for Kubernetes
@@ -10,3 +10,4 @@ maintainers:
  name: stefanprodan
 sources:
 - https://github.com/stefanprodan/podinfo
+kubeVersion: ">=1.23.0-0"
--- a/charts/podinfo/LICENSE
+++ b/charts/podinfo/LICENSE
@@ -0,0 +1,201 @@
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright 2018 Stefan Prodan. All rights reserved.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
--- a/charts/podinfo/README.md
+++ b/charts/podinfo/README.md
@@ -1,16 +1,38 @@
 # Podinfo

-Podinfo is a tiny web application made with Go 
+Podinfo is a tiny web application made with Go
 that showcases best practices of running microservices in Kubernetes.

+Podinfo is used by CNCF projects like [Flux](https://github.com/fluxcd/flux2)
+and [Flagger](https://github.com/fluxcd/flagger)
+for end-to-end testing and workshops.
+
 ## Installing the Chart

-To install the chart with the release name `my-release`:
+The Podinfo charts are published to
+[GitHub Container Registry](https://github.com/stefanprodan/podinfo/pkgs/container/charts%2Fpodinfo)
+and signed with [Cosign](https://github.com/sigstore/cosign) & GitHub Actions OIDC.
+
+To install the chart with the release name `podinfo` from GHCR:

 ```console
-$ helm repo add podinfo https://stefanprodan.github.io/podinfo
+$ helm upgrade -i podinfo oci://ghcr.io/stefanprodan/charts/podinfo
+```

-$ helm upgrade -i my-release podinfo/podinfo 
+To verify a chart version with Cosign:
+
+```console
+$ cosign verify ghcr.io/stefanprodan/charts/podinfo:<VERSION> \
+  --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+  --certificate-identity-regexp=^https://github\\.com/stefanprodan/podinfo/.*$
+```
+
+Alternatively, you can install the chart from GitHub pages:
+
+```console
+$ helm repo add stefanprodan https://stefanprodan.github.io/podinfo
+
+$ helm upgrade -i podinfo stefanprodan/podinfo
 ```

 The command deploys podinfo on the Kubernetes cluster in the default namespace.
@@ -18,10 +40,10 @@ The [configuration](#configuration) section lists the parameters that can be con

 ## Uninstalling the Chart

-To uninstall/delete the `my-release` deployment:
+To uninstall the `podinfo` release:

 ```console
-$ helm delete my-release
+$ helm uninstall podinfo
 ```

 The command removes all the Kubernetes components associated with the chart and deletes the release.
@@ -30,77 +52,101 @@ The command removes all the Kubernetes components associated with the chart and

 The following tables lists the configurable parameters of the podinfo chart and their default values.

-Parameter | Default | Description
--- | --- | ---
-`replicaCount` | `1` | Desired number of pods
-`logLevel` | `info` | Log level: `debug`, `info`, `warn`, `error`, `flat` or `panic`
-`backend` | `None` | Echo backend URL
-`backends` | `[]` | Array of echo backend URLs
-`cache` | `None` | Redis address in the format `<host>:<port>`
-`redis.enabled` | `false` | Create Redis deployment for caching purposes
-`ui.color` | `#34577c` |  UI color
-`ui.message` | `None` |  UI greetings message
-`ui.logo` | `None` |  UI logo
-`faults.delay` | `false` | Random HTTP response delays between 0 and 5 seconds
-`faults.error` | `false` | 1/3 chances of a random HTTP response error
-`faults.unhealthy` | `false` | When set, the healthy state is never reached
-`faults.unready` | `false` | When set, the ready state is never reached
-`faults.testFail` | `false` | When set, a helm test is included which always fails
-`faults.testTimeout` | `false` | When set, a helm test is included which always times out
-`h2c.enabled` | `false` | Allow upgrading to h2c
-`image.repository` | `stefanprodan/podinfo` | Image repository
-`image.tag` | `<VERSION>` | Image tag
-`image.pullPolicy` | `IfNotPresent` | Image pull policy
-`service.enabled` | `true` | Create a Kubernetes Service, should be disabled when using [Flagger](https://flagger.app)
-`service.type` | `ClusterIP` | Type of the Kubernetes Service
-`service.metricsPort` | `9797` | Prometheus metrics endpoint port
-`service.httpPort` | `9898` | Container HTTP port
-`service.externalPort` | `9898` | ClusterIP HTTP port
-`service.grpcPort` | `9999` | ClusterIP gPRC port
-`service.grpcService` | `podinfo` | gPRC service name
-`service.nodePort` | `31198` | NodePort for the HTTP endpoint
-`hpa.enabled` | `false` | Enables the Kubernetes HPA
-`hpa.maxReplicas` | `10` | Maximum amount of pods
-`hpa.cpu` | `None` | Target CPU usage per pod
-`hpa.memory` | `None` | Target memory usage per pod
-`hpa.requests` | `None` | Target HTTP requests per second per pod
-`serviceAccount.enabled` | `false` | Whether a service account should be created
-`serviceAccount.name` | `None` | The name of the service account to use, if not set and create is true, a name is generated using the fullname template
-`linkerd.profile.enabled` | `false` | Create Linkerd service profile
-`serviceMonitor.enabled` | `false` | Whether a Prometheus Operator service monitor should be created
-`serviceMonitor.interval` | `15s` | Prometheus scraping interval
-`ingress.enabled` | `false` | Enables Ingress
-`ingress.annotations` | `{}` | Ingress annotations
-`ingress.path` | `/*` | Ingress path
-`ingress.hosts` | `[]` | Ingress accepted hosts
-`ingress.tls` | `[]` | Ingress TLS configuration
-`resources.requests.cpu` | `1m` | Pod CPU request
-`resources.requests.memory` | `16Mi` | Pod memory request
-`resources.limits.cpu` | `None` | Pod CPU limit
-`resources.limits.memory` | `None` | Pod memory limit
-`nodeSelector` | `{}` | Node labels for pod assignment
-`tolerations` | `[]` | List of node taints to tolerate
-`affinity` | `None` | Node/pod affinities
-`podAnnotations` | `{}` | Pod annotations
+| Parameter                                        | Default                        | Description                                                                                       |
+|--------------------------------------------------|--------------------------------|---------------------------------------------------------------------------------------------------|
+| `replicaCount`                                   | `1`                            | Desired number of pods                                                                            |
+| `logLevel`                                       | `info`                         | Log level: `debug`, `info`, `warn`, `error`                                                       |
+| `backend`                                        | `None`                         | Echo backend URL                                                                                  |
+| `backends`                                       | `[]`                           | Array of echo backend URLs                                                                        |
+| `cache`                                          | `None`                         | Redis address in the format `tcp://<host>:<port>`                                                 |
+| `redis.enabled`                                  | `false`                        | Create Redis deployment for caching purposes                                                      |
+| `redis.repository`                               | `docker.io/redis`              | Redis image repository                                                                            |
+| `redis.tag`                                      | `<VERSION>`                    | Redis image tag                                                                                   |
+| `redis.imagePullSecrets`                         | `[]`                           | Redis image pull secrets                                                                          |
+| `ui.color`                                       | `#34577c`                      | UI color                                                                                          |
+| `ui.message`                                     | `None`                         | UI greetings message                                                                              |
+| `ui.logo`                                        | `None`                         | UI logo                                                                                           |
+| `faults.delay`                                   | `false`                        | Random HTTP response delays between 0 and 5 seconds                                               |
+| `faults.error`                                   | `false`                        | 1/3 chances of a random HTTP response error                                                       |
+| `faults.unhealthy`                               | `false`                        | When set, the healthy state is never reached                                                      |
+| `faults.unready`                                 | `false`                        | When set, the ready state is never reached                                                        |
+| `faults.testFail`                                | `false`                        | When set, a helm test is included which always fails                                              |
+| `faults.testTimeout`                             | `false`                        | When set, a helm test is included which always times out                                          |
+| `image.repository`                               | `ghcr.io/stefanprodan/podinfo` | Image repository                                                                                  |
+| `image.tag`                                      | `<VERSION>`                    | Image tag                                                                                         |
+| `image.pullPolicy`                               | `IfNotPresent`                 | Image pull policy                                                                                 |
+| `image.pullSecrets`                              | `[]`                           | Image pull secrets                                                                                |
+| `service.enabled`                                | `true`                         | Create a Kubernetes Service, should be disabled when using [Flagger](https://flagger.app)         |
+| `service.type`                                   | `ClusterIP`                    | Type of the Kubernetes Service                                                                    |
+| `service.metricsPort`                            | `9797`                         | Prometheus metrics endpoint port                                                                  |
+| `service.httpPort`                               | `9898`                         | Container HTTP port                                                                               |
+| `service.externalPort`                           | `9898`                         | ClusterIP HTTP port                                                                               |
+| `service.grpcPort`                               | `9999`                         | ClusterIP gPRC port                                                                               |
+| `service.grpcService`                            | `podinfo`                      | gPRC service name                                                                                 |
+| `service.nodePort`                               | `31198`                        | NodePort for the HTTP endpoint                                                                    |
+| `service.trafficDistribution`                    | `""`                           | Traffic distribution strategy                                                                     |
+| `service.additionalLabels`                       | `{}`                           | Additional labels to add to the service                                                           |
+| `service.externalTrafficPolicy`                  | `None`                         | External traffic policy for LoadBalance service                                                   |
+| `h2c.enabled`                                    | `false`                        | Allow upgrading to h2c (non-TLS version of HTTP/2)                                                |
+| `extraArgs`                                      | `[]`                           | Additional command line arguments to pass to podinfo container                                    |
+| `extraEnvs`                                      | `[]`                           | Extra environment variables for the podinfo container                                             |
+| `config.path`                                    | `""`                           | config file path                                                                                  |
+| `config.name`                                    | `""`                           | config file name                                                                                  |
+| `hpa.enabled`                                    | `false`                        | Enables the Kubernetes HPA                                                                        |
+| `hpa.maxReplicas`                                | `10`                           | Maximum amount of pods                                                                            |
+| `hpa.cpu`                                        | `None`                         | Target CPU usage per pod                                                                          |
+| `hpa.memory`                                     | `None`                         | Target memory usage per pod                                                                       |
+| `hpa.requests`                                   | `None`                         | Target HTTP requests per second per pod                                                           |
+| `serviceAccount.enabled`                         | `false`                        | Whether a service account should be created                                                       |
+| `serviceAccount.name`                            | `None`                         | The name of the service account to use, if not set a name is generated using the fullname template|
+| `serviceAccount.imagePullSecrets`                | `[]`                           | List of image pull secrets if pulling from private registries                                     |
+| `securityContext`                                | `{}`                           | The security context to be set on the podinfo container                                           |
+| `podSecurityContext`                             | `{}`                           | The security context to be set on the pod                                                         |
+| `podAnnotations`                                 | `{}`                           | Pod annotations                                                                                   |
+| `serviceMonitor.enabled`                         | `false`                        | Whether a Prometheus Operator service monitor should be created                                   |
+| `serviceMonitor.interval`                        | `15s`                          | Prometheus scraping interval                                                                      |
+| `serviceMonitor.additionalLabels`                | `{}`                           | Add additional labels to the service monitor                                                      |
+| `ingress.enabled`                                | `false`                        | Enables Ingress                                                                                   |
+| `ingress.className`                              | `""`                           | Use ingressClassName                                                                              |
+| `ingress.additionalLabels`                       | `{}`                           | Add additional labels to the ingress                                                              |
+| `ingress.annotations`                            | `{}`                           | Ingress annotations                                                                               |
+| `ingress.hosts`                                  | `[]`                           | Ingress accepted hosts                                                                            |
+| `ingress.tls`                                    | `[]`                           | Ingress TLS configuration                                                                         |
+| `httpRoute.enabled`                              | `false`                        | Enables Gateway API HTTPRoute                                                                     |
+| `httpRoute.additionalLabels`                     | `{}`                           | Add additional labels to the HTTPRoute                                                            |
+| `httpRoute.annotations`                          | `{}`                           | HTTPRoute annotations                                                                             |
+| `httpRoute.parentRefs`                           | `[]`                           | Gateways that this route is attached to                                                           |
+| `httpRoute.hostnames`                            | `["podinfo.local"]`            | Hostnames matching HTTP header                                                                    |
+| `httpRoute.rules`                                | `[]`                           | List of rules and filters applied                                                                 |
+| `hooks.<hookType>.job.enabled`                   | `false`                        | Create a Helm hook job for testing (hookType: see values.yaml for available hooks)                |
+| `hooks.<hookType>.job.hookDeletePolicy`          | `hook-succeeded,hook-failed`   | Helm hook delete policy                                                                           |
+| `hooks.<hookType>.job.ttlSecondsAfterFinished`   | `None`                         | Job TTL after finished                                                                            |
+| `hooks.<hookType>.job.sleepSeconds`              | `None`                         | Sleep duration before job exits                                                                   |
+| `hooks.<hookType>.job.exitCode`                  | `0`                            | Job exit code                                                                                     |
+| `resources.requests.cpu`                         | `1m`                           | Pod CPU request                                                                                   |
+| `resources.requests.memory`                      | `16Mi`                         | Pod memory request                                                                                |
+| `resources.limits.cpu`                           | `None`                         | Pod CPU limit                                                                                     |
+| `resources.limits.memory`                        | `None`                         | Pod memory limit                                                                                  |
+| `nodeSelector`                                   | `{}`                           | Node labels for pod assignment                                                                    |
+| `tolerations`                                    | `[]`                           | List of node taints to tolerate                                                                   |
+| `affinity`                                       | `None`                         | Node/pod affinities                                                                               |

-Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example,
+Specify each parameter using the `--set key=value[,key=value]` argument:

 ```console
-$ helm install my-release podinfo/podinfo \
+$ helm upgrade -i podinfo oci://ghcr.io/stefanprodan/charts/podinfo \
  --set=serviceMonitor.enabled=true,serviceMonitor.interval=5s
 ```

 To add custom annotations you need to escape the annotation key string:

 ```console
-$ helm upgrade -i my-release podinfo/podinfo \
--set podAnnotations."appmesh\.k8s\.aws\/preview"=enabled
+$ helm upgrade -i podinfo oci://ghcr.io/stefanprodan/charts/podinfo \
+--set podAnnotations."toolkit\.fluxcd\.io\/tenant"=dev-team
 ```

-Alternatively, a YAML file that specifies the values for the above parameters can be provided while installing the chart. For example,
+Alternatively, a YAML file that specifies the values for the above parameters can be provided while installing the chart:

 ```console
-$ helm install my-release podinfo/podinfo -f values.yaml
+$ helm upgrade -i my-release oci://ghcr.io/stefanprodan/charts/podinfo -f values.yaml
 ```
-
-> **Tip**: You can use the default [values.yaml](values.yaml)
--- a/charts/podinfo/templates/NOTES.txt
+++ b/charts/podinfo/templates/NOTES.txt
@@ -1,18 +1,20 @@
 1. Get the application URL by running these commands:
 {{- if .Values.ingress.enabled }}
-{{- range .Values.ingress.hosts }}
-  http{{ if $.Values.ingress.tls }}s{{ end }}://{{ . }}{{ $.Values.ingress.path }}
+{{- range $host := .Values.ingress.hosts }}
+  {{- range .paths }}
+  http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host.host }}{{ .path }}
+  {{- end }}
 {{- end }}
 {{- else if contains "NodePort" .Values.service.type }}
-  export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ template "podinfo.fullname" . }})
-  export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
+  export NODE_PORT=$(kubectl get --namespace {{ include "podinfo.namespace" . }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ template "podinfo.fullname" . }})
+  export NODE_IP=$(kubectl get nodes --namespace {{ include "podinfo.namespace" . }} -o jsonpath="{.items[0].status.addresses[0].address}")
  echo http://$NODE_IP:$NODE_PORT
 {{- else if contains "LoadBalancer" .Values.service.type }}
     NOTE: It may take a few minutes for the LoadBalancer IP to be available.
           You can watch the status of by running 'kubectl get svc -w {{ template "podinfo.fullname" . }}'
-  export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ template "podinfo.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
+  export SERVICE_IP=$(kubectl get svc --namespace {{ include "podinfo.namespace" . }} {{ template "podinfo.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
  echo http://$SERVICE_IP:{{ .Values.service.externalPort }}
 {{- else if contains "ClusterIP" .Values.service.type }}
  echo "Visit http://127.0.0.1:8080 to use your application"
-  kubectl -n {{ .Release.Namespace }} port-forward deploy/{{ template "podinfo.fullname" . }} 8080:{{ .Values.service.externalPort }}
+  kubectl -n {{ include "podinfo.namespace" . }} port-forward deploy/{{ template "podinfo.fullname" . }} 8080:{{ .Values.service.externalPort }}
 {{- end }}
--- a/charts/podinfo/templates/_helpers.tpl
+++ b/charts/podinfo/templates/_helpers.tpl
@@ -1,10 +1,9 @@
-{{/* vim: set filetype=mustache: */}}
 {{/*
 Expand the name of the chart.
 */}}
 {{- define "podinfo.name" -}}
-{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}

 {{/*
 Create a default fully qualified app name.
@@ -12,32 +11,66 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this
 If release name contains chart name it will be used as a full name.
 */}}
 {{- define "podinfo.fullname" -}}
-{{- if .Values.fullnameOverride -}}
-{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
-{{- else -}}
-{{- $name := default .Chart.Name .Values.nameOverride -}}
-{{- if contains $name .Release.Name -}}
-{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
-{{- else -}}
-{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
-{{- end -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Allow the release namespace to be overridden for multi-namespace deployments in combined charts.
+*/}}
+{{- define "podinfo.namespace" -}}
+{{- default .Release.Namespace .Values.namespaceOverride | trunc 63 | trimSuffix "-" -}}
 {{- end -}}

 {{/*
 Create chart name and version as used by the chart label.
 */}}
 {{- define "podinfo.chart" -}}
-{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
-{{- end -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "podinfo.labels" -}}
+helm.sh/chart: {{ include "podinfo.chart" . }}
+{{ include "podinfo.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "podinfo.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "podinfo.fullname" . }}
+{{- end }}

 {{/*
 Create the name of the service account to use
 */}}
 {{- define "podinfo.serviceAccountName" -}}
-{{- if .Values.serviceAccount.enabled -}}
-    {{ default (include "podinfo.fullname" .) .Values.serviceAccount.name }}
-{{- else -}}
-    {{ default "default" .Values.serviceAccount.name }}
-{{- end -}}
-{{- end -}}
+{{- if .Values.serviceAccount.enabled }}
+{{- default (include "podinfo.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create the name of the tls secret for secure port
+*/}}
+{{- define "podinfo.tlsSecretName" -}}
+{{- $fullname := include "podinfo.fullname" . -}}
+{{- default (printf "%s-tls" $fullname) .Values.tls.secretName }}
+{{- end }}
--- a/charts/podinfo/templates/certificate.yaml
+++ b/charts/podinfo/templates/certificate.yaml
@@ -0,0 +1,17 @@
+{{- if .Values.certificate.create -}}
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: {{ template "podinfo.fullname" . }}
+  namespace: {{ include "podinfo.namespace" . }}
+  labels:
+    {{- include "podinfo.labels" . | nindent 4 }}
+spec:
+  dnsNames:
+  {{- range .Values.certificate.dnsNames }}
+    - {{ . | quote }}
+  {{- end }}
+  secretName: {{ template "podinfo.tlsSecretName" . }}
+  issuerRef:
+  {{- .Values.certificate.issuerRef | toYaml | trimSuffix "\n" | nindent 4 }}
+{{- end }}
--- a/charts/podinfo/templates/deployment.yaml
+++ b/charts/podinfo/templates/deployment.yaml
@@ -2,11 +2,9 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: {{ template "podinfo.fullname" . }}
+  namespace: {{ include "podinfo.namespace" . }}
  labels:
-    app: {{ template "podinfo.fullname" . }}
-    chart: {{ template "podinfo.chart" . }}
-    release: {{ .Release.Name }}
-    heritage: {{ .Release.Service }}
+    {{- include "podinfo.labels" . | nindent 4 }}
 spec:
  {{- if not .Values.hpa.enabled }}
  replicas: {{ .Values.replicaCount }}
@@ -17,11 +15,11 @@ spec:
      maxUnavailable: 1
  selector:
    matchLabels:
-      app: {{ template "podinfo.fullname" . }}
+      {{- include "podinfo.selectorLabels" . | nindent 6 }}
  template:
    metadata:
      labels:
-        app: {{ template "podinfo.fullname" . }}
+        {{- include "podinfo.selectorLabels" . | nindent 8 }}
      annotations:
        prometheus.io/scrape: "true"
        prometheus.io/port: "{{ .Values.service.httpPort }}"
@@ -33,13 +31,37 @@ spec:
      {{- if .Values.serviceAccount.enabled }}
      serviceAccountName: {{ template "podinfo.serviceAccountName" . }}
      {{- end }}
+      {{- if .Values.image.pullSecrets }}
+      imagePullSecrets: {{ toYaml .Values.image.pullSecrets | nindent 8 }}
+      {{- end }}
      containers:
        - name: {{ .Chart.Name }}
          image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          {{- if .Values.securityContext }}
+          securityContext:
+            {{- toYaml .Values.securityContext | nindent 12 }}
+          {{- else if (or .Values.service.hostPort .Values.tls.hostPort) }}
+          securityContext:
+            allowPrivilegeEscalation: true
+            capabilities:
+              drop:
+                - ALL
+              add:
+                - NET_BIND_SERVICE
+          {{- end }}
          command:
            - ./podinfo
            - --port={{ .Values.service.httpPort | default 9898 }}
+            {{- if .Values.host }}
+            - --host={{ .Values.host }}
+            {{- end }}
+            {{- if .Values.tls.enabled }}
+            - --secure-port={{ .Values.tls.port }}
+            {{- end }}
+            {{- if .Values.tls.certPath }}
+            - --cert-path={{ .Values.tls.certPath }}
+            {{- end }}
            {{- if .Values.service.metricsPort }}
            - --port-metrics={{ .Values.service.metricsPort }}
            {{- end }}
@@ -55,7 +77,7 @@ spec:
            {{- if .Values.cache }}
            - --cache-server={{ .Values.cache }}
            {{- else if .Values.redis.enabled }}
-            - --cache-server={{ template "podinfo.fullname" . }}:6379
+            - --cache-server=tcp://{{ template "podinfo.fullname" . }}-redis:6379
            {{- end }}
            - --level={{ .Values.logLevel }}
            - --random-delay={{ .Values.faults.delay }}
@@ -69,6 +91,15 @@ spec:
            {{- if .Values.h2c.enabled }}
            - --h2c
            {{- end }}
+            {{- with .Values.config.path }}
+            - --config-path={{ . }}
+            {{- end }}
+            {{- with .Values.config.name }}
+            - --config={{ . }}
+            {{- end }}
+            {{- with .Values.extraArgs }}
+              {{- toYaml . | nindent 12 }}
+            {{- end }}
          env:
          {{- if .Values.ui.message }}
          - name: PODINFO_UI_MESSAGE
@@ -80,16 +111,30 @@ spec:
          {{- end }}
          {{- if .Values.ui.color }}
          - name: PODINFO_UI_COLOR
-            value: {{ .Values.ui.color }}
+            value: {{ quote .Values.ui.color }}
          {{- end }}
          {{- if .Values.backend }}
          - name: PODINFO_BACKEND_URL
            value: {{ .Values.backend }}
          {{- end }}
+          {{- if .Values.extraEnvs }}
+{{ toYaml .Values.extraEnvs | indent 10 }}
+          {{- end }}
          ports:
            - name: http
              containerPort: {{ .Values.service.httpPort | default 9898 }}
              protocol: TCP
+              {{- if .Values.service.hostPort }}
+              hostPort: {{ .Values.service.hostPort }}
+              {{- end }}
+            {{- if .Values.tls.enabled }}
+            - name: https
+              containerPort: {{ .Values.tls.port | default 9899 }}
+              protocol: TCP
+              {{- if .Values.tls.hostPort }}
+              hostPort: {{ .Values.tls.hostPort }}
+              {{- end }}
+            {{- end }}
            {{- if .Values.service.metricsPort }}
            - name: http-metrics
              containerPort: {{ .Values.service.metricsPort }}
@@ -100,6 +145,22 @@ spec:
              containerPort: {{ .Values.service.grpcPort }}
              protocol: TCP
            {{- end }}
+          {{- if .Values.probes.startup.enable }}
+          startupProbe:
+            exec:
+              command:
+              - podcli
+              - check
+              - http
+              - localhost:{{ .Values.service.httpPort | default 9898 }}/healthz
+            {{- with .Values.probes.startup }}
+            initialDelaySeconds: {{ .initialDelaySeconds | default 1 }}
+            timeoutSeconds: {{ .timeoutSeconds | default 5 }}
+            failureThreshold: {{ .failureThreshold | default 3 }}
+            successThreshold: {{ .successThreshold | default 1 }}
+            periodSeconds: {{ .periodSeconds | default 10 }}
+            {{- end }}
+            {{- end }}
          livenessProbe:
            exec:
              command:
@@ -107,8 +168,13 @@ spec:
              - check
              - http
              - localhost:{{ .Values.service.httpPort | default 9898 }}/healthz
-            initialDelaySeconds: 1
-            timeoutSeconds: 5
+            {{- with .Values.probes.liveness }}
+            initialDelaySeconds: {{ .initialDelaySeconds | default 1 }}
+            timeoutSeconds: {{ .timeoutSeconds | default 5 }}
+            failureThreshold: {{ .failureThreshold | default 3 }}
+            successThreshold: {{ .successThreshold | default 1 }}
+            periodSeconds: {{ .periodSeconds | default 10 }}
+            {{- end }}
          readinessProbe:
            exec:
              command:
@@ -116,13 +182,27 @@ spec:
              - check
              - http
              - localhost:{{ .Values.service.httpPort | default 9898 }}/readyz
-            initialDelaySeconds: 1
-            timeoutSeconds: 5
+            {{- with .Values.probes.readiness }}
+            initialDelaySeconds: {{ .initialDelaySeconds | default 1 }}
+            timeoutSeconds: {{ .timeoutSeconds | default 5 }}
+            failureThreshold: {{ .failureThreshold | default 3 }}
+            successThreshold: {{ .successThreshold | default 1 }}
+            periodSeconds: {{ .periodSeconds | default 10 }}
+            {{- end }}
          volumeMounts:
          - name: data
            mountPath: /data
+          {{- if .Values.tls.enabled }}
+          - name: tls
+            mountPath: {{ .Values.tls.certPath | default "/data/cert" }}
+            readOnly: true
+          {{- end }}
          resources:
 {{ toYaml .Values.resources | indent 12 }}
+    {{- with .Values.podSecurityContext }}
+      securityContext:
+{{ toYaml . | indent 8 }}
+    {{- end }}
    {{- with .Values.nodeSelector }}
      nodeSelector:
 {{ toYaml . | indent 8 }}
@@ -138,3 +218,12 @@ spec:
      volumes:
      - name: data
        emptyDir: {}
+      {{- if .Values.tls.enabled }}
+      - name: tls
+        secret:
+          secretName: {{ template "podinfo.tlsSecretName" . }}
+      {{- end }}
+    {{- with .Values.topologySpreadConstraints }}
+      topologySpreadConstraints:
+{{- toYaml . | nindent 8 }}
+    {{- end }}
--- a/charts/podinfo/templates/grpcroute.yaml
+++ b/charts/podinfo/templates/grpcroute.yaml
@@ -0,0 +1,42 @@
+{{- if .Values.grpcRoute.enabled -}}
+{{- $fullName := include "podinfo.fullname" . -}}
+{{- $grpcPort := .Values.service.grpcPort -}}
+apiVersion: gateway.networking.k8s.io/v1
+kind: GRPCRoute
+metadata:
+  name: {{ $fullName }}
+  namespace: {{ include "podinfo.namespace" . }}
+  labels:
+    {{- include "podinfo.labels" . | nindent 4 }}
+    {{- with .Values.grpcRoute.additionalLabels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+  {{- with .Values.grpcRoute.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  parentRefs:
+    {{- with .Values.grpcRoute.parentRefs }}
+      {{- toYaml . | nindent 4 }}
+    {{- end }}
+  {{- with .Values.grpcRoute.hostnames }}
+  hostnames:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  rules:
+    {{- range .Values.grpcRoute.rules }}
+    - backendRefs:
+        - name: {{ $fullName }}
+          port: {{ $grpcPort }}
+          weight: 1
+    {{- with .matches }}
+      matches:
+      {{- toYaml . | nindent 8 }}
+    {{- end }}
+    {{- with .filters }}
+      filters:
+      {{- toYaml . | nindent 8 }}
+    {{- end }}
+    {{- end }}
+{{- end }}
--- a/charts/podinfo/templates/hooks/job.yaml
+++ b/charts/podinfo/templates/hooks/job.yaml
@@ -0,0 +1,37 @@
+{{- $hooks := dict "preInstall" "pre-install" "postInstall" "post-install" "preDelete" "pre-delete" "postDelete" "post-delete" "preUpgrade" "pre-upgrade" "postUpgrade" "post-upgrade" "preRollback" "pre-rollback" "postRollback" "post-rollback" }}
+{{- range $hookName, $hookType := $hooks }}
+{{- $hookConfig := index $.Values.hooks $hookName }}
+{{- if and $hookConfig $hookConfig.job $hookConfig.job.enabled }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ template "podinfo.fullname" $ }}-{{ $hookType }}
+  namespace: {{ include "podinfo.namespace" $ }}
+  labels:
+    {{- include "podinfo.labels" $ | nindent 4 }}
+  annotations:
+    "helm.sh/hook": {{ $hookType }}
+    "helm.sh/hook-delete-policy": {{ $hookConfig.job.hookDeletePolicy }}
+spec:
+  {{- if kindIs "float64" $hookConfig.job.ttlSecondsAfterFinished }}
+  ttlSecondsAfterFinished: {{ $hookConfig.job.ttlSecondsAfterFinished | int }}
+  {{- end }}
+  template:
+    spec:
+      containers:
+        - name: job
+          image: "{{ $.Values.image.repository }}:{{ $.Values.image.tag }}"
+          imagePullPolicy: {{ $.Values.image.pullPolicy }}
+          command:
+            - sh
+            - -c
+            - |
+              {{- if kindIs "float64" $hookConfig.job.sleepSeconds }}
+              sleep {{ $hookConfig.job.sleepSeconds | int }}
+              {{- end }}
+              exit {{ $hookConfig.job.exitCode | default 0 }}
+      restartPolicy: Never
+  backoffLimit: 1
+{{- end }}
+{{- end }}
--- a/charts/podinfo/templates/hpa.yaml
+++ b/charts/podinfo/templates/hpa.yaml
@@ -1,8 +1,11 @@
 {{- if .Values.hpa.enabled -}}
-apiVersion: autoscaling/v2beta1
+apiVersion: autoscaling/v2
 kind: HorizontalPodAutoscaler
 metadata:
  name: {{ template "podinfo.fullname" . }}
+  namespace: {{ include "podinfo.namespace" . }}
+  labels:
+    {{- include "podinfo.labels" . | nindent 4 }}  
 spec:
  scaleTargetRef:
    apiVersion: apps/v1
@@ -15,18 +18,25 @@ spec:
  - type: Resource
    resource:
      name: cpu
-      targetAverageUtilization: {{ .Values.hpa.cpu }}
+      target:
+        type: Utilization
+        averageUtilization: {{ .Values.hpa.cpu }}
  {{- end }}
  {{- if .Values.hpa.memory }}
  - type: Resource
    resource:
      name: memory
-      targetAverageValue: {{ .Values.hpa.memory }}
+      target:
+        type: AverageValue
+        averageValue: {{ .Values.hpa.memory }}
  {{- end }}
  {{- if .Values.hpa.requests }}
-  - type: Pod
-      pods:
-        metricName: http_requests
-        targetAverageValue: {{ .Values.hpa.requests }}
+  - type: Pods
+    pods:
+      metric:
+        name: http_requests
+      target:
+        type: AverageValue
+        averageValue: {{ .Values.hpa.requests }}
  {{- end }}
 {{- end }}
--- a/charts/podinfo/templates/httproute.yaml
+++ b/charts/podinfo/templates/httproute.yaml
@@ -0,0 +1,42 @@
+{{- if .Values.httpRoute.enabled -}}
+{{- $fullName := include "podinfo.fullname" . -}}
+{{- $svcPort := .Values.service.externalPort -}}
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: {{ $fullName }}
+  namespace: {{ include "podinfo.namespace" . }}
+  labels:
+    {{- include "podinfo.labels" . | nindent 4 }}
+    {{- with .Values.httpRoute.additionalLabels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+  {{- with .Values.httpRoute.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  parentRefs:
+    {{- with .Values.httpRoute.parentRefs }}
+      {{- toYaml . | nindent 4 }}
+    {{- end }}
+  {{- with .Values.httpRoute.hostnames }}
+  hostnames:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  rules:
+    {{- range .Values.httpRoute.rules }}
+    {{- with .matches }}
+    - matches:
+      {{- toYaml . | nindent 8 }}
+    {{- end }}
+    {{- with .filters }}
+      filters:
+      {{- toYaml . | nindent 8 }}
+    {{- end }}
+      backendRefs:
+        - name: {{ $fullName }}
+          port: {{ $svcPort }}
+          weight: 1
+    {{- end }}
+{{- end }}
--- a/charts/podinfo/templates/ingress.yaml
+++ b/charts/podinfo/templates/ingress.yaml
@@ -1,46 +1,45 @@
 {{- if .Values.ingress.enabled -}}
 {{- $fullName := include "podinfo.fullname" . -}}
-{{- $ingressPath := .Values.ingress.path -}}
-apiVersion: networking.k8s.io/v1beta1
+{{- $svcPort := .Values.service.externalPort -}}
+apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
  name: {{ $fullName }}
+  namespace: {{ include "podinfo.namespace" . }}
  labels:
-    app: {{ template "podinfo.name" . }}
-    chart: {{ template "podinfo.chart" . }}
-    release: {{ .Release.Name }}
-    heritage: {{ .Release.Service }}
-{{- with .Values.ingress.annotations }}
+    {{- include "podinfo.labels" . | nindent 4 }}
+    {{- with .Values.ingress.additionalLabels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+  {{- with .Values.ingress.annotations }}
  annotations:
-{{ toYaml . | indent 4 }}
-{{- end }}
-spec:
-{{- if .Values.ingress.tls }}
-  tls:
-  {{- range .Values.ingress.tls }}
-    - hosts:
-      {{- range .hosts }}
-        - {{ . }}
-      {{- end }}
-      secretName: {{ .secretName }}
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  ingressClassName: {{ .Values.ingress.className }}
+  {{- if .Values.ingress.tls }}
+  tls:
+    {{- range .Values.ingress.tls }}
+    - hosts:
+        {{- range .hosts }}
+        - {{ . | quote }}
+        {{- end }}
+      secretName: {{ .secretName }}
+    {{- end }}
  {{- end }}
-{{- end }}
  rules:
-  {{- range .Values.ingress.hosts }}
-    - host: {{ . }}
+    {{- range .Values.ingress.hosts }}
+    - host: {{ .host | quote }}
      http:
        paths:
-          - path: {{ $ingressPath }}
+          {{- range .paths }}
+          - path: {{ .path }}
+            pathType: {{ .pathType }}
            backend:
-              serviceName: {{ $fullName }}
-              servicePort: http
-  {{- end }}
-  {{- if not .Values.ingress.hosts }}
-    - http:
-        paths:
-          - path: {{ $ingressPath }}
-            backend:
-              serviceName: {{ $fullName }}
-              servicePort: http
-  {{- end }}
+              service:
+                name: {{ $fullName }}
+                port:
+                  number: {{ $svcPort }}
+          {{- end }}
+    {{- end }}
 {{- end }}
--- a/charts/podinfo/templates/linkerd.yaml
+++ b/charts/podinfo/templates/linkerd.yaml
@@ -1,96 +0,0 @@
-{{- if .Values.linkerd.profile.enabled -}}
-apiVersion: linkerd.io/v1alpha2
-kind: ServiceProfile
-metadata:
-  name: {{ template "podinfo.fullname" . }}.{{ .Release.Namespace }}.svc.cluster.local
-spec:
-  routes:
-    - condition:
-        method: GET
-        pathRegex: /
-      name: GET /
-    - condition:
-        method: POST
-        pathRegex: /api/echo
-      name: POST /api/echo
-    - condition:
-        method: GET
-        pathRegex: /api/info
-      name: GET /api/info
-    - condition:
-        method: GET
-        pathRegex: /chunked/[^/]*
-      name: GET /chunked/{seconds}
-    - condition:
-        method: GET
-        pathRegex: /delay/[^/]*
-      name: GET /delay/{seconds}
-    - condition:
-        method: GET
-        pathRegex: /env
-      name: GET /env
-    - condition:
-        method: GET
-        pathRegex: /headers
-      name: GET /headers
-    - condition:
-        method: GET
-        pathRegex: /healthz
-      name: GET /healthz
-    - condition:
-        method: GET
-        pathRegex: /metrics
-      name: GET /metrics
-    - condition:
-        method: GET
-        pathRegex: /panic
-      name: GET /panic
-    - condition:
-        method: GET
-        pathRegex: /readyz
-      name: GET /readyz
-    - condition:
-        method: POST
-        pathRegex: /readyz/disable
-      name: POST /readyz/disable
-    - condition:
-        method: POST
-        pathRegex: /readyz/enable
-      name: POST /readyz/enable
-    - condition:
-        method: GET
-        pathRegex: /status/[^/]*
-      name: GET /status/{code}
-    - condition:
-        method: POST
-        pathRegex: /cache
-      name: POST /cache
-    - condition:
-        method: GET
-        pathRegex: /cache/[^/]*
-      name: GET /cache/{hash}
-    - condition:
-        method: POST
-        pathRegex: /store
-      name: POST /store
-    - condition:
-        method: GET
-        pathRegex: /store/[^/]*
-      name: GET /store/{hash}
-    - condition:
-        method: POST
-        pathRegex: /token
-      name: POST /token
-    - condition:
-        method: POST
-        pathRegex: /token/validate
-      name: POST /token/validate
-    - condition:
-        method: GET
-        pathRegex: /version
-      name: GET /version
-    - condition:
-        method: POST
-        pathRegex: /ws/echo
-      name: POST /ws/echo
-{{- end }}
--- a/charts/podinfo/templates/pdb.yaml
+++ b/charts/podinfo/templates/pdb.yaml
@@ -0,0 +1,14 @@
+{{- if and .Values.podDisruptionBudget (gt (int .Values.replicaCount) 1) }}
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+  name: {{ include "podinfo.fullname" . }}
+  namespace: {{ include "podinfo.namespace" . }}
+  labels:
+    {{- include "podinfo.labels" . | nindent 4 }}
+spec:
+  selector:
+    matchLabels:
+      {{- include "podinfo.selectorLabels" . | nindent 6 }}
+  {{- toYaml .Values.podDisruptionBudget | nindent 2 }}
+{{- end }}
--- a/charts/podinfo/templates/redis/deployment.yaml
+++ b/charts/podinfo/templates/redis/deployment.yaml
@@ -21,6 +21,9 @@ spec:
      {{- if .Values.serviceAccount.enabled }}
      serviceAccountName: {{ template "podinfo.serviceAccountName" . }}
      {{- end }}
+      {{- if .Values.redis.imagePullSecrets }}
+      imagePullSecrets: {{ toYaml .Values.redis.imagePullSecrets | nindent 8 }}
+      {{- end }}
      containers:
        - name: redis
          image: "{{ .Values.redis.repository }}:{{ .Values.redis.tag }}"
--- a/charts/podinfo/templates/redis/service.yaml
+++ b/charts/podinfo/templates/redis/service.yaml
@@ -14,4 +14,5 @@ spec:
      port: 6379
      protocol: TCP
      targetPort: redis
+      appProtocol: redis
 {{- end }}
--- a/charts/podinfo/templates/service.yaml
+++ b/charts/podinfo/templates/service.yaml
@@ -3,11 +3,16 @@ apiVersion: v1
 kind: Service
 metadata:
  name: {{ template "podinfo.fullname" . }}
+  namespace: {{ include "podinfo.namespace" . }}
  labels:
-    app: {{ template "podinfo.name" . }}
-    chart: {{ template "podinfo.chart" . }}
-    release: {{ .Release.Name }}
-    heritage: {{ .Release.Service }}
+    {{- include "podinfo.labels" . | nindent 4 }}
+    {{- with .Values.service.additionalLabels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+{{- with .Values.service.annotations }}
+  annotations:
+{{ toYaml . | indent 4 }}
+{{- end }}
 spec:
  type: {{ .Values.service.type }}
  ports:
@@ -18,6 +23,12 @@ spec:
      {{- if (and (eq .Values.service.type "NodePort") (not (empty .Values.service.nodePort))) }}
      nodePort: {{ .Values.service.nodePort }}
      {{- end }}
+    {{- if .Values.tls.enabled }}
+    - port: {{ .Values.tls.port | default 9899 }}
+      targetPort: https
+      protocol: TCP
+      name: https
+    {{- end }}
    {{- if .Values.service.grpcPort }}
    - port: {{ .Values.service.grpcPort }}
      targetPort: grpc
@@ -25,5 +36,11 @@ spec:
      name: grpc
    {{- end }}
  selector:
-    app: {{ template "podinfo.fullname" . }}
-{{- end }}
+    {{- include "podinfo.selectorLabels" . | nindent 4 }}
+  {{- if .Values.service.trafficDistribution }}
+  trafficDistribution: {{ .Values.service.trafficDistribution }}
+  {{- end }}
+  {{- if ( and (.Values.service.externalTrafficPolicy) (eq .Values.service.type "LoadBalancer") ) }}
+  externalTrafficPolicy: {{ .Values.service.externalTrafficPolicy }}
+  {{- end }}
+{{- end }}
--- a/charts/podinfo/templates/serviceaccount.yaml
+++ b/charts/podinfo/templates/serviceaccount.yaml
@@ -4,8 +4,9 @@ kind: ServiceAccount
 metadata:
  name: {{ template "podinfo.serviceAccountName" . }}
  labels:
-    app: {{ template "podinfo.name" . }}
-    chart: {{ template "podinfo.chart" . }}
-    release: {{ .Release.Name }}
-    heritage: {{ .Release.Service }}
+    {{- include "podinfo.labels" . | nindent 4 }}
+{{- with .Values.serviceAccount.imagePullSecrets }}
+imagePullSecrets:
+  {{- toYaml . | nindent 2 }}
 {{- end -}}
+{{- end -}}
--- a/charts/podinfo/templates/servicemonitor.yaml
+++ b/charts/podinfo/templates/servicemonitor.yaml
@@ -3,17 +3,21 @@ apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
 metadata:
  name: {{ template "podinfo.fullname" . }}
+  namespace: {{ include "podinfo.namespace" . }}
  labels:
-    app: {{ template "podinfo.name" . }}
-    chart: {{ template "podinfo.chart" . }}
-    release: {{ .Release.Name }}
-    heritage: {{ .Release.Service }}
+    {{- include "podinfo.labels" . | nindent 4 }}
+    {{- with .Values.serviceMonitor.additionalLabels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
 spec:
  endpoints:
    - path: /metrics
      port: http
      interval: {{ .Values.serviceMonitor.interval }}
+  namespaceSelector:
+    matchNames:
+      - {{ include "podinfo.namespace" . }}
  selector:
    matchLabels:
-      app: {{ template "podinfo.fullname" . }}
+      {{- include "podinfo.selectorLabels" . | nindent 6 }}
 {{- end }}
--- a/charts/podinfo/templates/tests/cache.yaml
+++ b/charts/podinfo/templates/tests/cache.yaml
@@ -3,11 +3,9 @@ apiVersion: v1
 kind: Pod
 metadata:
  name: {{ template "podinfo.fullname" . }}-cache-test-{{ randAlphaNum 5 | lower }}
+  namespace: {{ include "podinfo.namespace" . }}
  labels:
-    heritage: {{ .Release.Service }}
-    release: {{ .Release.Name }}
-    chart: {{ .Chart.Name }}-{{ .Chart.Version }}
-    app: {{ template "podinfo.name" . }}
+    {{- include "podinfo.labels" . | nindent 4 }}
  annotations:
    "helm.sh/hook": test
    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
@@ -27,6 +25,6 @@ spec:
          curl -s -XDELETE ${PODINFO_SVC}/cache/test
      env:
      - name: PODINFO_SVC
-        value: "{{ template "podinfo.fullname" . }}.{{ .Release.Namespace }}:{{ .Values.service.externalPort }}"
+        value: "{{ template "podinfo.fullname" . }}.{{ include "podinfo.namespace" . }}:{{ .Values.service.externalPort }}"
  restartPolicy: Never
 {{- end }}
--- a/charts/podinfo/templates/tests/fail.yaml
+++ b/charts/podinfo/templates/tests/fail.yaml
@@ -3,11 +3,9 @@ apiVersion: v1
 kind: Pod
 metadata:
  name: {{ template "podinfo.fullname" . }}-fault-test-{{ randAlphaNum 5 | lower }}
+  namespace: {{ include "podinfo.namespace" . }}
  labels:
-    heritage: {{ .Release.Service }}
-    release: {{ .Release.Name }}
-    chart: {{ .Chart.Name }}-{{ .Chart.Version }}
-    app: {{ template "podinfo.name" . }}
+    {{- include "podinfo.labels" . | nindent 4 }}
  annotations:
    "helm.sh/hook": test-success
    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
--- a/charts/podinfo/templates/tests/grpc.yaml
+++ b/charts/podinfo/templates/tests/grpc.yaml
@@ -2,11 +2,9 @@ apiVersion: v1
 kind: Pod
 metadata:
  name: {{ template "podinfo.fullname" . }}-grpc-test-{{ randAlphaNum 5 | lower }}
+  namespace: {{ include "podinfo.namespace" . }}
  labels:
-    heritage: {{ .Release.Service }}
-    release: {{ .Release.Name }}
-    chart: {{ .Chart.Name }}-{{ .Chart.Version }}
-    app: {{ template "podinfo.name" . }}
+    {{- include "podinfo.labels" . | nindent 4 }}
  annotations:
    "helm.sh/hook": test-success
    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
@@ -18,5 +16,5 @@ spec:
    - name: grpc-health-probe
      image: stefanprodan/grpc_health_probe:v0.3.0
      command: ['grpc_health_probe']
-      args:  ['-addr={{ template "podinfo.fullname" . }}.{{ .Release.Namespace }}:{{ .Values.service.grpcPort }}']
+      args:  ['-addr={{ template "podinfo.fullname" . }}.{{ include "podinfo.namespace" . }}:{{ .Values.service.grpcPort }}']
  restartPolicy: Never
--- a/charts/podinfo/templates/tests/jwt.yaml
+++ b/charts/podinfo/templates/tests/jwt.yaml
@@ -2,11 +2,9 @@ apiVersion: v1
 kind: Pod
 metadata:
  name: {{ template "podinfo.fullname" . }}-jwt-test-{{ randAlphaNum 5 | lower }}
+  namespace: {{ include "podinfo.namespace" . }}
  labels:
-    heritage: {{ .Release.Service }}
-    release: {{ .Release.Name }}
-    chart: {{ .Chart.Name }}-{{ .Chart.Version }}
-    app: {{ template "podinfo.name" . }}
+    {{- include "podinfo.labels" . | nindent 4 }}
  annotations:
    "helm.sh/hook": test-success
    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
@@ -25,5 +23,5 @@ spec:
          curl -sH "Authorization: Bearer ${TOKEN}" ${PODINFO_SVC}/token/validate | grep test
      env:
      - name: PODINFO_SVC
-        value: "{{ template "podinfo.fullname" . }}.{{ .Release.Namespace }}:{{ .Values.service.externalPort }}"
+        value: "{{ template "podinfo.fullname" . }}.{{ include "podinfo.namespace" . }}:{{ .Values.service.externalPort }}"
  restartPolicy: Never
--- a/charts/podinfo/templates/tests/service.yaml
+++ b/charts/podinfo/templates/tests/service.yaml
@@ -2,11 +2,9 @@ apiVersion: v1
 kind: Pod
 metadata:
  name: {{ template "podinfo.fullname" . }}-service-test-{{ randAlphaNum 5 | lower }}
+  namespace: {{ include "podinfo.namespace" . }}
  labels:
-    heritage: {{ .Release.Service }}
-    release: {{ .Release.Name }}
-    chart: {{ .Chart.Name }}-{{ .Chart.Version }}
-    app: {{ template "podinfo.name" . }}
+    {{- include "podinfo.labels" . | nindent 4 }}
  annotations:
    "helm.sh/hook": test-success
    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
@@ -24,5 +22,5 @@ spec:
          curl -s ${PODINFO_SVC}/api/info | grep version
      env:
        - name: PODINFO_SVC
-          value: "{{ template "podinfo.fullname" . }}.{{ .Release.Namespace }}:{{ .Values.service.externalPort }}"
+          value: "{{ template "podinfo.fullname" . }}.{{ include "podinfo.namespace" . }}:{{ .Values.service.externalPort }}"
  restartPolicy: Never
--- a/charts/podinfo/templates/tests/timeout.yaml
+++ b/charts/podinfo/templates/tests/timeout.yaml
@@ -3,11 +3,9 @@ apiVersion: v1
 kind: Pod
 metadata:
  name: {{ template "podinfo.fullname" . }}-fault-test-{{ randAlphaNum 5 | lower }}
+  namespace: {{ include "podinfo.namespace" . }}
  labels:
-    heritage: {{ .Release.Service }}
-    release: {{ .Release.Name }}
-    chart: {{ .Chart.Name }}-{{ .Chart.Version }}
-    app: {{ template "podinfo.name" . }}
+    {{- include "podinfo.labels" . | nindent 4 }}
  annotations:
    "helm.sh/hook": test-success
    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
--- a/charts/podinfo/templates/tests/tls.yaml
+++ b/charts/podinfo/templates/tests/tls.yaml
@@ -0,0 +1,28 @@
+{{- if .Values.tls.enabled -}}
+apiVersion: v1
+kind: Pod
+metadata:
+  name: {{ template "podinfo.fullname" . }}-tls-test-{{ randAlphaNum 5 | lower }}
+  namespace: {{ include "podinfo.namespace" . }}
+  labels:
+    {{- include "podinfo.labels" . | nindent 4 }}
+  annotations:
+    "helm.sh/hook": test-success
+    "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded
+    sidecar.istio.io/inject: "false"
+    linkerd.io/inject: disabled
+    appmesh.k8s.aws/sidecarInjectorWebhook: disabled
+spec:
+  containers:
+    - name: curl
+      image: curlimages/curl:7.69.0
+      command:
+        - sh
+        - -c
+        - |
+          curl -sk ${PODINFO_SVC}/api/info | grep version
+      env:
+        - name: PODINFO_SVC
+          value: "https://{{ template "podinfo.fullname" . }}.{{ include "podinfo.namespace" . }}:{{ .Values.tls.port }}"
+  restartPolicy: Never
+{{- end }}
--- a/charts/podinfo/values-prod.yaml
+++ b/charts/podinfo/values-prod.yaml
@@ -0,0 +1,210 @@
+# Production values for podinfo.
+# Includes Redis deployment and memory limits.
+
+replicaCount: 1
+logLevel: info
+backend: #http://backend-podinfo:9898/echo
+backends: []
+
+image:
+  repository: ghcr.io/stefanprodan/podinfo
+  tag: 6.11.2
+  pullPolicy: IfNotPresent
+
+ui:
+  color: "#34577c"
+  message: ""
+  logo: ""
+
+# failure conditions
+faults:
+  delay: false
+  error: false
+  unhealthy: false
+  unready: false
+  testFail: false
+  testTimeout: false
+
+# Kubernetes Service settings
+service:
+  enabled: true
+  annotations: {}
+  additionalLabels: { }
+  type: ClusterIP
+  metricsPort: 9797
+  httpPort: 9898
+  externalPort: 9898
+  grpcPort: 9999
+  grpcService: podinfo
+  nodePort: 31198
+  trafficDistribution: ""
+  externalTrafficPolicy: ""
+
+# enable h2c protocol (non-TLS version of HTTP/2)
+h2c:
+  enabled: false
+
+# config file settings
+config:
+  # config file path
+  path: ""
+  # config file name
+  name: ""
+
+# Additional command line arguments to pass to podinfo container
+extraArgs: []
+
+# enable tls on the podinfo service
+tls:
+  enabled: false
+  # the name of the secret used to mount the certificate key pair
+  secretName:
+  # the path where the certificate key pair will be mounted
+  certPath: /data/cert
+  # the port used to host the tls endpoint on the service
+  port: 9899
+  # the port used to bind the tls port to the host
+  # NOTE: requires privileged container with NET_BIND_SERVICE capability -- this is useful for testing
+  # in local clusters such as kind without port forwarding
+  hostPort:
+
+# create a certificate manager certificate (cert-manager required)
+certificate:
+  create: false
+  # the issuer used to issue the certificate
+  issuerRef:
+    kind: ClusterIssuer
+    name: self-signed
+  # the hostname / subject alternative names for the certificate
+  dnsNames:
+    - podinfo
+
+# metrics-server add-on required
+hpa:
+  enabled: true
+  maxReplicas: 5
+  # average total CPU usage per pod (1-100)
+  cpu: 99
+  # average memory usage per pod (100Mi-1Gi)
+  memory:
+  # average http requests per second per pod (k8s-prometheus-adapter)
+  requests:
+
+# Redis address in the format tcp://<host>:<port>
+cache: ""
+# Redis deployment
+redis:
+  enabled: true
+  repository: redis
+  tag: 8.6.1
+
+serviceAccount:
+  # Specifies whether a service account should be created
+  enabled: false
+  # The name of the service account to use.
+  # If not set and create is true, a name is generated using the fullname template
+  name:
+  # List of image pull secrets if pulling from private registries
+  imagePullSecrets: []
+
+# set container security context
+securityContext: {}
+
+# set pod security context
+podSecurityContext: {}
+
+# -- Expose the service via Kubernetes Ingress
+# Requires an Ingress controller
+# Docs https://kubernetes.io/docs/concepts/services-networking/ingress/
+ingress:
+  enabled: false
+  className: ""
+  additionalLabels: {}
+  annotations: {}
+    # kubernetes.io/ingress.class: nginx
+  # kubernetes.io/tls-acme: "true"
+  hosts:
+    - host: podinfo.local
+      paths:
+        - path: /
+          pathType: ImplementationSpecific
+  tls: []
+  #  - secretName: chart-example-tls
+  #    hosts:
+  #      - chart-example.local
+
+# -- Expose the service via Gateway HTTPRoute
+# Requires a Gateway controller
+# Docs https://gateway-api.sigs.k8s.io/guides/
+httpRoute:
+  # HTTPRoute enabled.
+  enabled: false
+  # Add additional labels to the HTTPRoute.
+  additionalLabels: {}
+  # HTTPRoute annotations.
+  annotations: {}
+  # Which Gateways this Route is attached to.
+  parentRefs:
+    - name: gateway
+      sectionName: http
+      # namespace: default
+  # Hostnames matching HTTP header.
+  hostnames:
+    - podinfo.local
+  # List of rules and filters applied.
+  rules:
+    - matches:
+        - path:
+            type: PathPrefix
+            value: /
+
+# create Prometheus Operator monitor
+serviceMonitor:
+  enabled: false
+  interval: 15s
+  additionalLabels: {}
+
+resources:
+  limits:
+    memory: 256Mi
+  requests:
+    cpu: 100m
+    memory: 64Mi
+
+# Extra environment variables for the podinfo container
+extraEnvs: []
+# Example on how to configure extraEnvs
+#  - name: OTEL_EXPORTER_OTLP_TRACES_ENDPOINT
+#    value: "http://otel:4317"
+#  - name: MULTIPLE_VALUES
+#    value: TEST
+
+nodeSelector: {}
+
+tolerations: []
+
+affinity: {}
+
+podAnnotations: {}
+
+# https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
+probes:
+  readiness:
+    initialDelaySeconds: 1
+    timeoutSeconds: 5
+    failureThreshold: 3
+    successThreshold: 1
+    periodSeconds: 10
+  liveness:
+    initialDelaySeconds: 1
+    timeoutSeconds: 5
+    failureThreshold: 3
+    successThreshold: 1
+    periodSeconds: 10
+  startup:
+    enable: false
+    initialDelaySeconds: 10
+    timeoutSeconds: 5
+    failureThreshold: 20
+    successThreshold: 1
+    periodSeconds: 10
--- a/charts/podinfo/values.yaml
+++ b/charts/podinfo/values.yaml
@@ -2,14 +2,22 @@

 replicaCount: 1
 logLevel: info
+host: #0.0.0.0
 backend: #http://backend-podinfo:9898/echo
 backends: []

+image:
+  repository: ghcr.io/stefanprodan/podinfo
+  tag: 6.11.2
+  pullPolicy: IfNotPresent
+  pullSecrets: []
+
 ui:
  color: "#34577c"
  message: ""
  logo: ""

+# failure conditions
 faults:
  delay: false
  error: false
@@ -18,16 +26,11 @@ faults:
  testFail: false
  testTimeout: false

-h2c:
-  enabled: false
-
-image:
-  repository: stefanprodan/podinfo
-  tag: 4.0.5
-  pullPolicy: IfNotPresent
-
+# Kubernetes Service settings
 service:
  enabled: true
+  annotations: {}
+  additionalLabels: { }
  type: ClusterIP
  metricsPort: 9797
  httpPort: 9898
@@ -35,6 +38,119 @@ service:
  grpcPort: 9999
  grpcService: podinfo
  nodePort: 31198
+  # the port used to bind the http port to the host
+  # NOTE: requires privileged container with NET_BIND_SERVICE capability -- this is useful for testing
+  # in local clusters such as kind without port forwarding
+  hostPort:
+  # Stable from Kubernetes v1.33+ with a value of PreferClose. Additional values are PreferSameZone and PreferSameNode from v1.34+. Empty string means it's disabled.
+  trafficDistribution: ""
+  externalTrafficPolicy: ""
+
+# enable h2c protocol (non-TLS version of HTTP/2)
+h2c:
+  enabled: false
+
+# config file settings
+config:
+  # config file path
+  path: ""
+  # config file name
+  name: ""
+
+# Additional command line arguments to pass to podinfo container
+extraArgs: []
+
+# Extra environment variables for the podinfo container
+extraEnvs: []
+# Example on how to configure extraEnvs
+#  - name: OTEL_EXPORTER_OTLP_TRACES_ENDPOINT
+#    value: "http://otel:4317"
+#  - name: MULTIPLE_VALUES
+#    value: TEST
+
+# enable tls on the podinfo service
+tls:
+  enabled: false
+  # the name of the secret used to mount the certificate key pair
+  secretName:
+  # the path where the certificate key pair will be mounted
+  certPath: /data/cert
+  # the port used to host the tls endpoint on the service
+  port: 9899
+  # the port used to bind the tls port to the host
+  # NOTE: requires privileged container with NET_BIND_SERVICE capability -- this is useful for testing
+  # in local clusters such as kind without port forwarding
+  hostPort:
+
+# create a certificate manager certificate (cert-manager required)
+certificate:
+  create: false
+  # the issuer used to issue the certificate
+  issuerRef:
+    kind: ClusterIssuer
+    name: self-signed
+  # the hostname / subject alternative names for the certificate
+  dnsNames:
+    - podinfo
+
+# Helm hooks (for testing purposes)
+hooks:
+  preInstall:
+    job:
+      enabled: false
+      hookDeletePolicy: hook-succeeded,hook-failed
+      ttlSecondsAfterFinished:
+      sleepSeconds:
+      exitCode: 0
+  postInstall:
+    job:
+      enabled: false
+      hookDeletePolicy: hook-succeeded,hook-failed
+      ttlSecondsAfterFinished:
+      sleepSeconds:
+      exitCode: 0
+  preDelete:
+    job:
+      enabled: false
+      hookDeletePolicy: hook-succeeded,hook-failed
+      ttlSecondsAfterFinished:
+      sleepSeconds:
+      exitCode: 0
+  postDelete:
+    job:
+      enabled: false
+      hookDeletePolicy: hook-succeeded,hook-failed
+      ttlSecondsAfterFinished:
+      sleepSeconds:
+      exitCode: 0
+  preUpgrade:
+    job:
+      enabled: false
+      hookDeletePolicy: hook-succeeded,hook-failed
+      ttlSecondsAfterFinished:
+      sleepSeconds:
+      exitCode: 0
+  postUpgrade:
+    job:
+      enabled: false
+      hookDeletePolicy: hook-succeeded,hook-failed
+      ttlSecondsAfterFinished:
+      sleepSeconds:
+      exitCode: 0
+  preRollback:
+    job:
+      enabled: false
+      hookDeletePolicy: hook-succeeded,hook-failed
+      ttlSecondsAfterFinished:
+      sleepSeconds:
+      exitCode: 0
+  postRollback:
+    job:
+      enabled: false
+      hookDeletePolicy: hook-succeeded,hook-failed
+      ttlSecondsAfterFinished:
+      sleepSeconds:
+      exitCode: 0

 # metrics-server add-on required
 hpa:
@@ -47,13 +163,14 @@ hpa:
  # average http requests per second per pod (k8s-prometheus-adapter)
  requests:

-# Redis address in the format <host>:<port>
+# Redis address in the format tcp://<host>:<port>
 cache: ""
 # Redis deployment
 redis:
  enabled: false
-  repository: redis
-  tag: 6.0.1
+  repository: docker.io/redis
+  tag: 8.6.1
+  imagePullSecrets: []

 serviceAccount:
  # Specifies whether a service account should be created
@@ -61,28 +178,88 @@ serviceAccount:
  # The name of the service account to use.
  # If not set and create is true, a name is generated using the fullname template
  name:
+  # List of image pull secrets if pulling from private registries
+  imagePullSecrets: []

-linkerd:
-  profile:
-    enabled: false
+# set container security context
+securityContext: {}

-serviceMonitor:
-  enabled: false
-  interval: 15s
+# set pod security context
+podSecurityContext: {}

+# -- Expose the service via Kubernetes Ingress
+# Requires an Ingress controller
+# Docs https://kubernetes.io/docs/concepts/services-networking/ingress/
 ingress:
  enabled: false
+  className: ""
+  additionalLabels: {}
  annotations: {}
    # kubernetes.io/ingress.class: nginx
    # kubernetes.io/tls-acme: "true"
-  path: /*
-  hosts: []
-#    - podinfo.local
+  hosts:
+    - host: podinfo.local
+      paths:
+        - path: /
+          pathType: ImplementationSpecific
  tls: []
  #  - secretName: chart-example-tls
  #    hosts:
  #      - chart-example.local

+# -- Expose the service via Gateway HTTPRoute
+# Requires a Gateway controller
+# Docs https://gateway-api.sigs.k8s.io/guides/
+httpRoute:
+  # HTTPRoute enabled.
+  enabled: false
+  # Add additional labels to the HTTPRoute.
+  additionalLabels: {}
+  # HTTPRoute annotations.
+  annotations: {}
+  # Which Gateways this Route is attached to.
+  parentRefs:
+    - name: gateway
+      sectionName: http
+      # namespace: default
+  # Hostnames matching HTTP header.
+  hostnames:
+    - podinfo.local
+  # List of rules and filters applied.
+  rules:
+    - matches:
+        - path:
+            type: PathPrefix
+            value: /
+
+# -- Expose the gRPC service via Gateway GRPCRoute
+# Requires a Gateway controller with GRPCRoute support
+# Docs https://gateway-api.sigs.k8s.io/guides/grpc-routing/
+grpcRoute:
+  # GRPCRoute enabled.
+  enabled: false
+  # Add additional labels to the GRPCRoute.
+  additionalLabels: {}
+  # GRPCRoute annotations.
+  annotations: {}
+  # Which Gateways this Route is attached to.
+  parentRefs:
+    - name: gateway
+      sectionName: http
+      # namespace: default
+  # Hostnames matching HTTP header.
+  hostnames:
+    - podinfo.local
+  # List of rules applied.
+  rules:
+    - {}
+
+# create Prometheus Operator monitor
+serviceMonitor:
+  enabled: false
+  interval: 15s
+  additionalLabels: {}
+
 resources:
  limits:
  requests:
@@ -96,3 +273,32 @@ tolerations: []
 affinity: {}

 podAnnotations: {}
+
+# https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
+topologySpreadConstraints: []
+
+# Disruption budget will be configured only when the replicaCount is greater than 1
+podDisruptionBudget: {}
+#  maxUnavailable: 1
+
+# https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
+probes:
+  readiness:
+    initialDelaySeconds: 1
+    timeoutSeconds: 5
+    failureThreshold: 3
+    successThreshold: 1
+    periodSeconds: 10
+  liveness:
+    initialDelaySeconds: 1
+    timeoutSeconds: 5
+    failureThreshold: 3
+    successThreshold: 1
+    periodSeconds: 10
+  startup:
+    enable: false
+    initialDelaySeconds: 10
+    timeoutSeconds: 5
+    failureThreshold: 20
+    successThreshold: 1
+    periodSeconds: 10
--- a/cloudbuild.yaml
+++ b/cloudbuild.yaml
@@ -1,4 +0,0 @@
-steps:
- name: 'gcr.io/cloud-builders/docker'
-  args: ['build','-f' , 'Dockerfile', '-t', 'gcr.io/$PROJECT_ID/podinfo:$BRANCH_NAME-$SHORT_SHA', '.']
-images: ['gcr.io/$PROJECT_ID/podinfo:$BRANCH_NAME-$SHORT_SHA']
--- a/cmd/podcli/check.go
+++ b/cmd/podcli/check.go
@@ -12,10 +12,13 @@ import (
 	"strings"
 	"time"

+	"github.com/gorilla/websocket"
 	"github.com/spf13/cobra"
 	"go.uber.org/zap"
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/credentials"
+	"google.golang.org/grpc/credentials/insecure"
 	"google.golang.org/grpc/health/grpc_health_v1"
 	"google.golang.org/grpc/status"
 )
@@ -27,6 +30,7 @@ var (
 	body            string
 	timeout         time.Duration
 	grpcServiceName string
+	grpcTLS         bool
 )

 var checkCmd = &cobra.Command{
@@ -63,6 +67,13 @@ var checkgRPCCmd = &cobra.Command{
 	RunE:    runCheckgPRC,
 }

+var checkWsCmd = &cobra.Command{
+	Use:     `ws [address]`,
+	Short:   "WebSocket round-trip health check",
+	Example: `  check ws ws://localhost:9898/ws/echo --retry=1 --delay=2s --timeout=5s`,
+	RunE:    runCheckWs,
+}
+
 func init() {
 	checkUrlCmd.Flags().StringVar(&method, "method", "GET", "HTTP method")
 	checkUrlCmd.Flags().StringVar(&body, "body", "", "HTTP POST/PUT content")
@@ -80,10 +91,16 @@ func init() {
 	checkgRPCCmd.Flags().DurationVar(&retryDelay, "delay", 1*time.Second, "wait duration between retries")
 	checkgRPCCmd.Flags().DurationVar(&timeout, "timeout", 5*time.Second, "timeout")
 	checkgRPCCmd.Flags().StringVar(&grpcServiceName, "service", "", "gRPC service name")
+	checkgRPCCmd.Flags().BoolVar(&grpcTLS, "tls", false, "use TLS for gRPC connection")
 	checkCmd.AddCommand(checkgRPCCmd)

 	checkCmd.AddCommand(checkCertCmd)

+	checkWsCmd.Flags().IntVar(&retryCount, "retry", 0, "times to retry the WebSocket check")
+	checkWsCmd.Flags().DurationVar(&retryDelay, "delay", 1*time.Second, "wait duration between retries")
+	checkWsCmd.Flags().DurationVar(&timeout, "timeout", 5*time.Second, "timeout")
+	checkCmd.AddCommand(checkWsCmd)
+
 	rootCmd.AddCommand(checkCmd)
 }

@@ -262,6 +279,72 @@ func fmtContentLength(b int64) string {
 	return fmt.Sprintf("%.1f %cB", float64(b)/float64(div), "kMGTPE"[exp])
 }

+func runCheckWs(cmd *cobra.Command, args []string) error {
+	if retryCount < 0 {
+		return fmt.Errorf("--retry is required")
+	}
+	if len(args) < 1 {
+		return fmt.Errorf("address is required! example: check ws wss://localhost:9898/ws/echo")
+	}
+
+	address := args[0]
+	if !strings.HasPrefix(address, "ws://") && !strings.HasPrefix(address, "wss://") {
+		return fmt.Errorf("address must start with ws:// or wss://")
+	}
+
+	for n := 0; n <= retryCount; n++ {
+		if n != 0 {
+			time.Sleep(retryDelay)
+		}
+
+		dialer := websocket.Dialer{
+			HandshakeTimeout: timeout,
+		}
+
+		conn, _, err := dialer.Dial(address, nil)
+		if err != nil {
+			logger.Info("check failed",
+				zap.String("address", address),
+				zap.Error(err))
+			continue
+		}
+
+		msg := "podinfo-check"
+		start := time.Now()
+
+		conn.SetWriteDeadline(start.Add(timeout))
+		if err := conn.WriteMessage(websocket.TextMessage, []byte(msg)); err != nil {
+			conn.Close()
+			logger.Info("check failed",
+				zap.String("address", address),
+				zap.Error(err))
+			continue
+		}
+
+		conn.SetReadDeadline(time.Now().Add(timeout))
+		_, resp, err := conn.ReadMessage()
+		if err != nil {
+			conn.Close()
+			logger.Info("check failed",
+				zap.String("address", address),
+				zap.Error(err))
+			continue
+		}
+
+		rtt := time.Since(start)
+		conn.Close()
+
+		logger.Info("check succeed",
+			zap.String("address", address),
+			zap.Duration("round-trip", rtt),
+			zap.Int("response size", len(resp)))
+		os.Exit(0)
+	}
+
+	os.Exit(1)
+	return nil
+}
+
 func runCheckgPRC(cmd *cobra.Command, args []string) error {
 	if retryCount < 0 {
 		return fmt.Errorf("--retry is required")
@@ -271,12 +354,19 @@ func runCheckgPRC(cmd *cobra.Command, args []string) error {
 	}
 	address := args[0]

+	var creds grpc.DialOption
+	if grpcTLS {
+		creds = grpc.WithTransportCredentials(credentials.NewTLS(&tls.Config{}))
+	} else {
+		creds = grpc.WithTransportCredentials(insecure.NewCredentials())
+	}
+
 	for n := 0; n <= retryCount; n++ {
-		if n != 1 {
+		if n != 0 {
 			time.Sleep(retryDelay)
 		}

-		conn, err := grpc.Dial(address, grpc.WithInsecure())
+		conn, err := grpc.NewClient(address, creds)
 		if err != nil {
 			logger.Info("check failed",
 				zap.String("address", address),
@@ -291,13 +381,14 @@ func runCheckgPRC(cmd *cobra.Command, args []string) error {

 		if err != nil {
 			if stat, ok := status.FromError(err); ok && stat.Code() == codes.Unimplemented {
-				logger.Info("gPRC health protocol not implemented")
+				logger.Info("gRPC health protocol not implemented")
 				os.Exit(1)
 			} else {
 				logger.Info("check failed",
 					zap.String("address", address),
 					zap.Error(err))
 			}
+			conn.Close()
 			continue
 		}

@@ -305,7 +396,6 @@ func runCheckgPRC(cmd *cobra.Command, args []string) error {
 		logger.Info("check succeed",
 			zap.String("status", resp.GetStatus().String()))
 		os.Exit(0)
-
 	}

 	os.Exit(1)
--- a/cmd/podcli/code.go
+++ b/cmd/podcli/code.go
@@ -1,365 +0,0 @@
-package main
-
-import (
-	"fmt"
-	"io"
-	"io/ioutil"
-	"log"
-	"os"
-	"os/exec"
-	"path"
-	"path/filepath"
-	"regexp"
-	"strings"
-
-	"github.com/hashicorp/go-getter"
-	"github.com/spf13/cobra"
-)
-
-var (
-	codeProjectName string
-	codeGitUser     string
-	codeVersion     string
-	codeProjectPath string
-)
-
-var codeCmd = &cobra.Command{
-	Use:   `code`,
-	Short: "Code commands",
-}
-
-var codeInitCmd = &cobra.Command{
-	Use:     `init [name]`,
-	Short:   "initialize podinfo code repo",
-	Example: `  code init demo-app --version=v1.2.0 --git-user=stefanprodan`,
-	RunE:    runCodeInit,
-}
-
-func init() {
-	codeInitCmd.Flags().StringVar(&codeGitUser, "git-user", "", "GitHub user or org")
-	codeInitCmd.Flags().StringVar(&codeVersion, "version", "master", "podinfo repo tag or branch name")
-	codeInitCmd.Flags().StringVar(&codeProjectPath, "path", ".", "destination repo")
-
-	codeCmd.AddCommand(codeInitCmd)
-
-	rootCmd.AddCommand(codeCmd)
-}
-
-func runCodeInit(cmd *cobra.Command, args []string) error {
-
-	if len(codeGitUser) < 0 {
-		return fmt.Errorf("--git-user is required")
-	}
-	if len(args) < 1 {
-		return fmt.Errorf("project name is required")
-	}
-
-	codeProjectName = args[0]
-
-	pwd, err := os.Getwd()
-	if err != nil {
-		log.Fatalf("Error getting pwd: %s", err)
-		os.Exit(1)
-	}
-
-	tmpPath := "/tmp/k8s-podinfo"
-	versionName := fmt.Sprintf("k8s-podinfo-%s", codeVersion)
-
-	downloadURL := fmt.Sprintf("https://github.com/stefanprodan/podinfo/archive/%s.zip", codeVersion)
-	client := &getter.Client{
-		Src:  downloadURL,
-		Dst:  tmpPath,
-		Pwd:  pwd,
-		Mode: getter.ClientModeAny,
-	}
-
-	fmt.Printf("Downloading %s\n", downloadURL)
-
-	if err := client.Get(); err != nil {
-		log.Fatalf("Error downloading: %s", err)
-		os.Exit(1)
-	}
-
-	pkgFrom := "github.com/stefanprodan/podinfo"
-	pkgTo := fmt.Sprintf("github.com/%s/%s", codeGitUser, codeProjectName)
-
-	if err := replaceImports(tmpPath, pkgFrom, pkgTo); err != nil {
-		log.Fatalf("Error parsing imports: %s", err)
-		os.Exit(1)
-	}
-
-	dirs := []string{"pkg", "cmd", "ui", "vendor", ".github"}
-	for _, dir := range dirs {
-
-		err = os.MkdirAll(path.Join(codeProjectPath, dir), os.ModePerm)
-		if err != nil {
-			log.Fatalf("Error: %s", err)
-			os.Exit(1)
-		}
-		if err := copyDir(path.Join(tmpPath, versionName, dir), path.Join(codeProjectPath, dir)); err != nil {
-			log.Fatalf("Error: %s", err)
-			os.Exit(1)
-		}
-	}
-
-	files := []string{"Gopkg.toml", "Gopkg.lock"}
-	for _, file := range files {
-		if err := copyFile(path.Join(tmpPath, versionName, file), path.Join(codeProjectPath, file)); err != nil {
-			log.Fatalf("Error: %s", err)
-			os.Exit(1)
-		}
-
-		fileContent, err := ioutil.ReadFile(path.Join(codeProjectPath, file))
-		if err != nil {
-			log.Fatalf("Error: %s", err)
-			os.Exit(1)
-		}
-
-		newContent := strings.Replace(string(fileContent), pkgFrom, pkgTo, -1)
-		err = ioutil.WriteFile(path.Join(codeProjectPath, file), []byte(newContent), os.ModePerm)
-		if err != nil {
-			log.Fatalf("Error: %s", err)
-			os.Exit(1)
-		}
-	}
-
-	projFrom := "stefanprodan/podinfo"
-	projTo := fmt.Sprintf("%s/%s", codeGitUser, codeProjectName)
-
-	makeFiles := []string{"Makefile.gh", "Dockerfile.gh"}
-	for _, file := range makeFiles {
-		fileContent, err := ioutil.ReadFile(path.Join(tmpPath, versionName, file))
-		if err != nil {
-			log.Fatalf("Error: %s", err)
-			os.Exit(1)
-		}
-
-		destFile := strings.Replace(file, ".gh", "", -1)
-		newContent := strings.Replace(string(fileContent), projFrom, projTo, -1)
-		err = ioutil.WriteFile(path.Join(codeProjectPath, destFile), []byte(newContent), os.ModePerm)
-		if err != nil {
-			log.Fatalf("Error: %s", err)
-			os.Exit(1)
-		}
-	}
-
-	workflows := []string{".github/main.workflow"}
-	for _, file := range workflows {
-		fileContent, err := ioutil.ReadFile(path.Join(codeProjectPath, file))
-		if err != nil {
-			log.Fatalf("Error: %s", err)
-			os.Exit(1)
-		}
-
-		newContent := strings.Replace(string(fileContent), "Dockerfile.gh", "Dockerfile", -1)
-		err = ioutil.WriteFile(path.Join(codeProjectPath, file), []byte(newContent), os.ModePerm)
-		if err != nil {
-			log.Fatalf("Error: %s", err)
-			os.Exit(1)
-		}
-	}
-
-	dockerFiles := []string{"Dockerfile.ci"}
-	for _, file := range dockerFiles {
-		fileContent, err := ioutil.ReadFile(path.Join(tmpPath, versionName, file))
-		if err != nil {
-			log.Fatalf("Error: %s", err)
-			os.Exit(1)
-		}
-
-		newContent := strings.Replace(string(fileContent), projFrom, projTo, -1)
-		err = ioutil.WriteFile(path.Join(codeProjectPath, file), []byte(newContent), os.ModePerm)
-		if err != nil {
-			log.Fatalf("Error: %s", err)
-			os.Exit(1)
-		}
-	}
-
-	travisFiles := []string{"travis.lite.yml"}
-	for _, file := range travisFiles {
-		fileContent, err := ioutil.ReadFile(path.Join(tmpPath, versionName, file))
-		if err != nil {
-			log.Fatalf("Error: %s", err)
-			os.Exit(1)
-		}
-
-		destFile := strings.Replace(file, "travis.lite.yml", ".travis.yml", -1)
-		newContent := strings.Replace(string(fileContent), projFrom, projTo, -1)
-		err = ioutil.WriteFile(path.Join(codeProjectPath, destFile), []byte(newContent), os.ModePerm)
-		if err != nil {
-			log.Fatalf("Error: %s", err)
-			os.Exit(1)
-		}
-	}
-
-	err = gitPush()
-	if err != nil {
-		log.Fatalf("git push error: %s", err)
-		os.Exit(1)
-	}
-
-	fmt.Println("Initialization finished")
-	return nil
-}
-
-func gitPush() error {
-	cmdPush := fmt.Sprintf("git add . && git commit -m \"sync %s\" && git push", codeVersion)
-	cmd := exec.Command("sh", "-c", cmdPush)
-	output, err := cmd.Output()
-	if err != nil {
-		return err
-	}
-	fmt.Println(string(output))
-	return nil
-}
-
-func replaceImports(projectPath string, pkgFrom string, pkgTo string) error {
-	regexImport, err := regexp.Compile(`(?s)(import(.*?)\)|import.*$)`)
-	if err != nil {
-		return err
-	}
-
-	regexImportedPackage, err := regexp.Compile(`"(.*?)"`)
-	if err != nil {
-		return err
-	}
-
-	found := []string{}
-
-	err = filepath.Walk(projectPath, func(path string, info os.FileInfo, err error) error {
-		if filepath.Ext(path) == ".go" {
-			bts, err := ioutil.ReadFile(path)
-			if err != nil {
-				return err
-			}
-
-			content := string(bts)
-			matches := regexImport.FindAllString(content, -1)
-			isExists := false
-
-		isReplaceable:
-			for _, each := range matches {
-				for _, eachLine := range strings.Split(each, "\n") {
-					matchesInline := regexImportedPackage.FindAllString(eachLine, -1)
-					if err != nil {
-						return err
-					}
-
-					for _, eachSubline := range matchesInline {
-						if strings.Contains(eachSubline, pkgFrom) {
-							isExists = true
-							break isReplaceable
-						}
-					}
-				}
-			}
-
-			if isExists {
-				content = strings.Replace(content, `"`+pkgFrom+`"`, `"`+pkgTo+`"`, -1)
-				content = strings.Replace(content, `"`+pkgFrom+`/`, `"`+pkgTo+`/`, -1)
-				found = append(found, path)
-			}
-
-			err = ioutil.WriteFile(path, []byte(content), info.Mode())
-			if err != nil {
-				return err
-			}
-		}
-
-		return nil
-	})
-
-	if err != nil {
-		fmt.Println("ERROR", err.Error())
-	}
-
-	if len(found) == 0 {
-		fmt.Println("Nothing replaced")
-	} else {
-		fmt.Printf("Go imports total %d file replaced\n", len(found))
-	}
-
-	return nil
-}
-
-func copyDir(src string, dst string) error {
-	si, err := os.Stat(src)
-	if err != nil {
-		return err
-	}
-	if !si.IsDir() {
-		return fmt.Errorf("source is not a directory")
-	}
-
-	err = os.MkdirAll(dst, si.Mode())
-	if err != nil {
-		return err
-	}
-
-	entries, err := ioutil.ReadDir(src)
-	if err != nil {
-		return err
-	}
-
-	for _, entry := range entries {
-		srcPath := filepath.Join(src, entry.Name())
-		dstPath := filepath.Join(dst, entry.Name())
-
-		if entry.IsDir() {
-			err = copyDir(srcPath, dstPath)
-			if err != nil {
-				return err
-			}
-		} else {
-			// Skip symlinks.
-			if entry.Mode()&os.ModeSymlink != 0 {
-				continue
-			}
-
-			err = copyFile(srcPath, dstPath)
-			if err != nil {
-				return err
-			}
-		}
-	}
-	return nil
-}
-
-func copyFile(src, dst string) (err error) {
-	in, err := os.Open(src)
-	if err != nil {
-		return
-	}
-	defer in.Close()
-
-	out, err := os.Create(dst)
-	if err != nil {
-		return
-	}
-	defer func() {
-		if e := out.Close(); e != nil {
-			err = e
-		}
-	}()
-
-	_, err = io.Copy(out, in)
-	if err != nil {
-		return
-	}
-
-	err = out.Sync()
-	if err != nil {
-		return
-	}
-
-	si, err := os.Stat(src)
-	if err != nil {
-		return
-	}
-	err = os.Chmod(dst, si.Mode())
-	if err != nil {
-		return
-	}
-
-	return
-}
--- a/cmd/podinfo/main.go
+++ b/cmd/podinfo/main.go
@@ -1,8 +1,8 @@
 package main

 import (
+	"context"
 	"fmt"
-	"io/ioutil"
 	"os"
 	"path/filepath"
 	"strconv"
@@ -11,42 +11,55 @@ import (

 	"github.com/spf13/pflag"
 	"github.com/spf13/viper"
+	"go.opentelemetry.io/contrib/bridges/otelzap"
+	"go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploggrpc"
+	sdklog "go.opentelemetry.io/otel/sdk/log"
+	"go.opentelemetry.io/otel/sdk/resource"
+	semconv "go.opentelemetry.io/otel/semconv/v1.7.0"
 	"go.uber.org/zap"
 	"go.uber.org/zap/zapcore"

-	"github.com/stefanprodan/podinfo/pkg/api"
-	"github.com/stefanprodan/podinfo/pkg/grpc"
+	"github.com/stefanprodan/podinfo/pkg/api/grpc"
+	"github.com/stefanprodan/podinfo/pkg/api/http"
 	"github.com/stefanprodan/podinfo/pkg/signals"
 	"github.com/stefanprodan/podinfo/pkg/version"
+	go_grpc "google.golang.org/grpc"
 )

 func main() {
 	// flags definition
 	fs := pflag.NewFlagSet("default", pflag.ContinueOnError)
-	fs.Int("port", 9898, "HTTP port")
+	fs.String("host", "", "Host to bind service to")
+	fs.Int("port", 9898, "HTTP port to bind service to")
+	fs.Int("secure-port", 0, "HTTPS port")
 	fs.Int("port-metrics", 0, "metrics port")
 	fs.Int("grpc-port", 0, "gRPC port")
 	fs.String("grpc-service-name", "podinfo", "gPRC service name")
-	fs.String("level", "info", "log level debug, info, warn, error, flat or panic")
+	fs.String("level", "info", "log level debug, info, warn, error, fatal or panic")
 	fs.StringSlice("backend-url", []string{}, "backend service URL")
 	fs.Duration("http-client-timeout", 2*time.Minute, "client timeout duration")
 	fs.Duration("http-server-timeout", 30*time.Second, "server read and write timeout duration")
-	fs.Duration("http-server-shutdown-timeout", 5*time.Second, "server graceful shutdown timeout duration")
+	fs.Duration("server-shutdown-timeout", 5*time.Second, "server graceful shutdown timeout duration")
 	fs.String("data-path", "/data", "data local path")
 	fs.String("config-path", "", "config dir path")
+	fs.String("cert-path", "/data/cert", "certificate path for HTTPS port")
 	fs.String("config", "config.yaml", "config file name")
 	fs.String("ui-path", "./ui", "UI local path")
 	fs.String("ui-logo", "", "UI logo")
 	fs.String("ui-color", "#34577c", "UI color")
 	fs.String("ui-message", fmt.Sprintf("greetings from podinfo v%v", version.VERSION), "UI message")
 	fs.Bool("h2c", false, "allow upgrading to H2C")
-	fs.Bool("random-delay", false, "between 0 and 5 seconds random delay")
+	fs.Bool("random-delay", false, "between 0 and 5 seconds random delay by default")
+	fs.String("random-delay-unit", "s", "either s(seconds) or ms(milliseconds")
+	fs.Int("random-delay-min", 0, "min for random delay: 0 by default")
+	fs.Int("random-delay-max", 5, "max for random delay: 5 by default")
 	fs.Bool("random-error", false, "1/3 chances of a random response error")
 	fs.Bool("unhealthy", false, "when set, healthy state is never reached")
 	fs.Bool("unready", false, "when set, ready state is never reached")
 	fs.Int("stress-cpu", 0, "number of CPU cores with 100 load")
 	fs.Int("stress-memory", 0, "MB of data to load into memory")
-	fs.String("cache-server", "", "Redis address in the format <host>:<port>")
+	fs.String("cache-server", "", "Redis address in the format 'tcp://<host>:<port>'")
+	fs.String("otel-service-name", "", "service name for OpenTelemetry, when not set tracing and log export are disabled")

 	versionFlag := fs.BoolP("version", "v", false, "get version number")

@@ -78,16 +91,26 @@ func main() {
 	viper.AutomaticEnv()

 	// load config from file
-	if _, err := os.Stat(filepath.Join(viper.GetString("config-path"), viper.GetString("config"))); err == nil {
+	if _, fileErr := os.Stat(filepath.Join(viper.GetString("config-path"), viper.GetString("config"))); fileErr == nil {
 		viper.SetConfigName(strings.Split(viper.GetString("config"), ".")[0])
 		viper.AddConfigPath(viper.GetString("config-path"))
-		if err := viper.ReadInConfig(); err != nil {
-			fmt.Printf("Error reading config file, %v\n", err)
+		if readErr := viper.ReadInConfig(); readErr != nil {
+			fmt.Printf("Error reading config file, %v\n", readErr)
+		}
+	}
+
+	// initialize OTel log provider if service name is set
+	var loggerProvider *sdklog.LoggerProvider
+	if otelServiceName := viper.GetString("otel-service-name"); otelServiceName != "" {
+		var err error
+		loggerProvider, err = initLoggerProvider(context.Background(), otelServiceName)
+		if err != nil {
+			fmt.Fprintf(os.Stderr, "Error initializing OTel log provider: %s\n", err.Error())
 		}
 	}

 	// configure logging
-	logger, _ := initZap(viper.GetString("level"))
+	logger, _ := initZap(viper.GetString("level"), loggerProvider)
 	defer logger.Sync()
 	stdLog := zap.RedirectStdLog(logger)
 	defer stdLog()
@@ -101,6 +124,26 @@ func main() {
 		viper.Set("port", strconv.Itoa(port))
 	}

+	// validate secure port
+	if _, err := strconv.Atoi(viper.GetString("secure-port")); err != nil {
+		securePort, _ := fs.GetInt("secure-port")
+		viper.Set("secure-port", strconv.Itoa(securePort))
+	}
+
+	// validate random delay options
+	if viper.GetInt("random-delay-max") < viper.GetInt("random-delay-min") {
+		logger.Panic("`--random-delay-max` should be greater than `--random-delay-min`")
+	}
+
+	switch delayUnit := viper.GetString("random-delay-unit"); delayUnit {
+	case
+		"s",
+		"ms":
+		break
+	default:
+		logger.Panic("`random-delay-unit` accepted values are: s|ms")
+	}
+
 	// load gRPC server config
 	var grpcCfg grpc.Config
 	if err := viper.Unmarshal(&grpcCfg); err != nil {
@@ -108,13 +151,16 @@ func main() {
 	}

 	// start gRPC server
+	var grpcServer *go_grpc.Server
 	if grpcCfg.Port > 0 {
 		grpcSrv, _ := grpc.NewServer(&grpcCfg, logger)
-		go grpcSrv.ListenAndServe()
+		//grpcinfoSrv, _ := grpc.NewInfoServer(&grpcCfg)
+
+		grpcServer = grpcSrv.ListenAndServe()
 	}

 	// load HTTP server config
-	var srvCfg api.Config
+	var srvCfg http.Config
 	if err := viper.Unmarshal(&srvCfg); err != nil {
 		logger.Panic("config unmarshal failed", zap.Error(err))
 	}
@@ -127,12 +173,35 @@ func main() {
 	)

 	// start HTTP server
-	srv, _ := api.NewServer(&srvCfg, logger)
+	srv, _ := http.NewServer(&srvCfg, logger)
+	httpServer, httpsServer, healthy, ready := srv.ListenAndServe()
+
+	// graceful shutdown
 	stopCh := signals.SetupSignalHandler()
-	srv.ListenAndServe(stopCh)
+	sd, _ := signals.NewShutdown(srvCfg.ServerShutdownTimeout, logger)
+	sd.SetLoggerProvider(loggerProvider)
+	sd.Graceful(stopCh, httpServer, httpsServer, grpcServer, healthy, ready)
 }

-func initZap(logLevel string) (*zap.Logger, error) {
+func initLoggerProvider(ctx context.Context, serviceName string) (*sdklog.LoggerProvider, error) {
+	exporter, err := otlploggrpc.New(ctx)
+	if err != nil {
+		return nil, fmt.Errorf("creating OTLP log exporter: %w", err)
+	}
+
+	provider := sdklog.NewLoggerProvider(
+		sdklog.WithProcessor(sdklog.NewBatchProcessor(exporter)),
+		sdklog.WithResource(resource.NewWithAttributes(
+			semconv.SchemaURL,
+			semconv.ServiceNameKey.String(serviceName),
+			semconv.ServiceVersionKey.String(version.VERSION),
+		)),
+	)
+
+	return provider, nil
+}
+
+func initZap(logLevel string, loggerProvider *sdklog.LoggerProvider) (*zap.Logger, error) {
 	level := zap.NewAtomicLevelAt(zapcore.InfoLevel)
 	switch logLevel {
 	case "debug":
@@ -176,7 +245,21 @@ func initZap(logLevel string) (*zap.Logger, error) {
 		ErrorOutputPaths: []string{"stderr"},
 	}

-	return zapConfig.Build()
+	logger, err := zapConfig.Build()
+	if err != nil {
+		return nil, err
+	}
+
+	if loggerProvider != nil {
+		otelCore := otelzap.NewCore("github.com/stefanprodan/podinfo",
+			otelzap.WithLoggerProvider(loggerProvider),
+		)
+		logger = logger.WithOptions(zap.WrapCore(func(core zapcore.Core) zapcore.Core {
+			return zapcore.NewTee(core, otelCore)
+		}))
+	}
+
+	return logger, nil
 }

 var stressMemoryPayload []byte
@@ -211,12 +294,12 @@ func beginStressTest(cpus int, mem int, logger *zap.Logger) {
 			logger.Error("memory stress failed", zap.Error(err))
 		}

-		stressMemoryPayload, err = ioutil.ReadFile(path)
+		stressMemoryPayload, err = os.ReadFile(path)
 		f.Close()
 		os.Remove(path)
 		if err != nil {
 			logger.Error("memory stress failed", zap.Error(err))
 		}
-		logger.Info("starting CPU stress", zap.Int("memory", len(stressMemoryPayload)))
+		logger.Info("starting MEMORY stress", zap.Int("memory", len(stressMemoryPayload)))
 	}
 }
--- a/deploy/README.md
+++ b/deploy/README.md
@@ -1,6 +1,7 @@
-# Deploy demo webapp 
+# Deploy demo webapp

 Demo webapp manifests:
+
 - [common](webapp/common)
 - [frontend](webapp/frontend)
 - [backend](webapp/backend)
@@ -30,3 +31,15 @@ Deploy the demo in the `production` namespace:
 ```bash
 kustomize build ./overlays/production | kubectl apply -f-
 ```
+
+## Testing Locally Using Kind
+
+> NOTE: You can install [kind from here](https://kind.sigs.k8s.io/docs/user/quick-start/#installation)
+
+The following will create a new cluster called "podinfo" and configure host ports on 80 and 443. You can access the
+endpoints on localhost. The example also deploys cert-manager within the cluster along with a self-signed cluster issuer
+used to generate the certificate to validate the secure port.
+
+```sh
+./kind.sh
+```
--- a/deploy/bases/backend/deployment.yaml
+++ b/deploy/bases/backend/deployment.yaml
@@ -12,18 +12,18 @@ spec:
    type: RollingUpdate
  selector:
    matchLabels:
-      app: backend
+      app.kubernetes.io/name: backend
  template:
    metadata:
      annotations:
        prometheus.io/scrape: "true"
        prometheus.io/port: "9797"
      labels:
-        app: backend
+        app.kubernetes.io/name: backend
    spec:
      containers:
      - name: backend
-        image: stefanprodan/podinfo:4.0.5
+        image: ghcr.io/stefanprodan/podinfo:6.11.2
        imagePullPolicy: IfNotPresent
        ports:
        - name: http
@@ -42,7 +42,7 @@ spec:
        - --grpc-port=9999
        - --grpc-service-name=backend
        - --level=info
-        - --cache-server=cache:6379
+        - --cache-server=tcp://cache:6379
        env:
        - name: PODINFO_UI_COLOR
          value: "#34577c"
--- a/deploy/bases/backend/hpa.yaml
+++ b/deploy/bases/backend/hpa.yaml
@@ -1,4 +1,4 @@
-apiVersion: autoscaling/v2beta2
+apiVersion: autoscaling/v2
 kind: HorizontalPodAutoscaler
 metadata:
  name: backend
--- a/deploy/bases/backend/service.yaml
+++ b/deploy/bases/backend/service.yaml
@@ -5,7 +5,7 @@ metadata:
 spec:
  type: ClusterIP
  selector:
-    app: backend
+    app.kubernetes.io/name: backend
  ports:
    - name: http
      port: 9898
--- a/deploy/bases/cache/deployment.yaml
+++ b/deploy/bases/cache/deployment.yaml
@@ -5,15 +5,15 @@ metadata:
 spec:
  selector:
    matchLabels:
-      app: cache
+      app.kubernetes.io/name: cache
  template:
    metadata:
      labels:
-        app: cache
+        app.kubernetes.io/name: cache
    spec:
      containers:
        - name: redis
-          image: redis:6.0.1
+          image: docker.io/redis:8.6.1
          imagePullPolicy: IfNotPresent
          command:
            - redis-server
--- a/deploy/bases/cache/service.yaml
+++ b/deploy/bases/cache/service.yaml
@@ -5,7 +5,7 @@ metadata:
 spec:
  type: ClusterIP
  selector:
-    app: cache
+    app.kubernetes.io/name: cache
  ports:
    - name: redis
      port: 6379
--- a/deploy/bases/database/README.md
+++ b/deploy/bases/database/README.md
@@ -0,0 +1,76 @@
+# Database Setup
+
+This directory contains the Kubernetes manifests to simulate a database setup
+with a primary database, read replicas, and scheduled maintenance tasks using CronJobs.
+
+## Components
+
+### Core Resources
+
+| Resource | File | Description |
+|----------|------|-------------|
+| ServiceAccount | `serviceaccount.yaml` | Shared service account for all database workloads |
+| PVC | `pvc-primary.yaml` | 1Gi persistent storage for primary database |
+| StatefulSet | `statefulset-primary.yaml` | Primary database with persistent storage at `/data` |
+| Deployment | `deployment-replica.yaml` | Read replica deployment |
+| Service (Headless) | `service-primary.yaml` | Headless service for StatefulSet |
+| Service | `service-replica.yaml` | ClusterIP service for replicas |
+| HPA | `hpa-replica.yaml` | Autoscaler for replicas (2-3 pods, 99% CPU) |
+
+### CronJobs
+
+| CronJob | Schedule | Duration | TTL Cleanup | Description |
+|---------|----------|----------|-------------|-------------|
+| `rollup-daily` | Every 10 min | ~1 min | 1 hour | Daily rollup simulation (6 iterations) |
+| `rollup-weekly` | Every 30 min | ~2 min | 1 day | Weekly rollup simulation (12 iterations) |
+| `backup-daily` | Daily at midnight | ~1 min | 1 day | Backup simulation (configured to fail) |
+
+### Scripts
+
+Located in `scripts/` directory:
+
+- `rollup.sh` - Rollup simulation script with configurable steps via `ROLLUP_STEPS` env var
+- `backup.sh` - Backup simulation script with configurable exit code via `BACKUP_EXIT` env var
+
+## Labels
+
+All resources use Kubernetes recommended labels:
+
+- `app.kubernetes.io/name` - Component name
+- `app.kubernetes.io/part-of: database` - Part of database application
+
+## Configuration
+
+### Primary Database
+- **Port**: 3306 (MySQL standard)
+- **Storage**: 1Gi PersistentVolumeClaim mounted at `/data`
+- **Service**: Headless (`clusterIP: None`) for StatefulSet
+
+### Replica Database
+- **Port**: 3306
+- **Scaling**: HPA with 2-3 replicas at 99% CPU utilization
+- **Service**: ClusterIP
+
+### CronJob Scripts
+
+The scripts check database-replica health before running:
+
+```sh
+podcli check http database-replica:3306/readyz
+```
+
+## Usage
+
+Deploy with Kustomize:
+
+```bash
+kubectl apply -k deploy/bases/database
+```
+
+Or include in an overlay:
+
+```yaml
+# kustomization.yaml
+resources:
+  - ../../bases/database
+```
--- a/deploy/bases/database/cronjob-backup-daily.yaml
+++ b/deploy/bases/database/cronjob-backup-daily.yaml
@@ -0,0 +1,48 @@
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: backup-daily
+spec:
+  # Runs every day at midnight for 1 minute
+  schedule: "0 0 * * *"
+  concurrencyPolicy: Forbid
+  successfulJobsHistoryLimit: 1
+  failedJobsHistoryLimit: 1
+  jobTemplate:
+    spec:
+      # Cleanup after 1 day
+      ttlSecondsAfterFinished: 86400
+      backoffLimit: 1
+      template:
+        metadata:
+          labels:
+            app.kubernetes.io/name: backup-daily
+            app.kubernetes.io/part-of: database
+        spec:
+          serviceAccountName: database
+          restartPolicy: Never
+          containers:
+          - name: backup
+            image: ghcr.io/stefanprodan/podinfo:6.11.2
+            imagePullPolicy: IfNotPresent
+            command:
+            - /bin/sh
+            - /scripts/backup.sh
+            env:
+            - name: BACKUP_EXIT
+              value: "1"
+            resources:
+              limits:
+                cpu: 100m
+                memory: 32Mi
+              requests:
+                cpu: 10m
+                memory: 16Mi
+            volumeMounts:
+            - name: scripts
+              mountPath: /scripts
+          volumes:
+          - name: scripts
+            configMap:
+              name: backup-script
+              defaultMode: 0755
--- a/deploy/bases/database/cronjob-rollup-daily.yaml
+++ b/deploy/bases/database/cronjob-rollup-daily.yaml
@@ -0,0 +1,48 @@
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: rollup-daily
+spec:
+  # Runs every 10 minutes for 1 minute
+  schedule: "*/10 * * * *"
+  concurrencyPolicy: Forbid
+  successfulJobsHistoryLimit: 1
+  failedJobsHistoryLimit: 1
+  jobTemplate:
+    spec:
+      # Cleanup after 1 hour
+      ttlSecondsAfterFinished: 3600
+      backoffLimit: 3
+      template:
+        metadata:
+          labels:
+            app.kubernetes.io/name: rollup-daily
+            app.kubernetes.io/part-of: database
+        spec:
+          serviceAccountName: database
+          restartPolicy: OnFailure
+          containers:
+          - name: healthcheck
+            image: ghcr.io/stefanprodan/podinfo:6.11.2
+            imagePullPolicy: IfNotPresent
+            command:
+            - /bin/sh
+            - /scripts/rollup.sh
+            env:
+            - name: ROLLUP_STEPS
+              value: "6"
+            resources:
+              limits:
+                cpu: 100m
+                memory: 32Mi
+              requests:
+                cpu: 10m
+                memory: 16Mi
+            volumeMounts:
+            - name: scripts
+              mountPath: /scripts
+          volumes:
+          - name: scripts
+            configMap:
+              name: rollup-script
+              defaultMode: 0755
--- a/deploy/bases/database/cronjob-rollup-weekly.yaml
+++ b/deploy/bases/database/cronjob-rollup-weekly.yaml
@@ -0,0 +1,48 @@
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: rollup-weekly
+spec:
+  # Runs every 30 minutes for 2 minutes
+  schedule: "*/30 * * * *"
+  concurrencyPolicy: Forbid
+  successfulJobsHistoryLimit: 1
+  failedJobsHistoryLimit: 1
+  jobTemplate:
+    spec:
+      # Cleanup after 1 day
+      ttlSecondsAfterFinished: 86400
+      backoffLimit: 3
+      template:
+        metadata:
+          labels:
+            app.kubernetes.io/name: rollup-weekly
+            app.kubernetes.io/part-of: database
+        spec:
+          serviceAccountName: database
+          restartPolicy: OnFailure
+          containers:
+          - name: healthcheck
+            image: ghcr.io/stefanprodan/podinfo:6.11.2
+            imagePullPolicy: IfNotPresent
+            command:
+            - /bin/sh
+            - /scripts/rollup.sh
+            env:
+            - name: ROLLUP_STEPS
+              value: "12"
+            resources:
+              limits:
+                cpu: 100m
+                memory: 32Mi
+              requests:
+                cpu: 10m
+                memory: 16Mi
+            volumeMounts:
+            - name: scripts
+              mountPath: /scripts
+          volumes:
+          - name: scripts
+            configMap:
+              name: rollup-script
+              defaultMode: 0755
--- a/deploy/bases/database/deployment-replica.yaml
+++ b/deploy/bases/database/deployment-replica.yaml
@@ -0,0 +1,66 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: database-replica
+spec:
+  minReadySeconds: 3
+  revisionHistoryLimit: 5
+  progressDeadlineSeconds: 60
+  strategy:
+    rollingUpdate:
+      maxUnavailable: 0
+    type: RollingUpdate
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: database-replica
+  template:
+    metadata:
+      annotations:
+        prometheus.io/scrape: "true"
+        prometheus.io/port: "9797"
+      labels:
+        app.kubernetes.io/name: database-replica
+        app.kubernetes.io/part-of: database
+    spec:
+      serviceAccountName: database
+      containers:
+      - name: database
+        image: ghcr.io/stefanprodan/podinfo:6.11.2
+        imagePullPolicy: IfNotPresent
+        ports:
+        - name: db
+          containerPort: 3306
+          protocol: TCP
+        - name: http-metrics
+          containerPort: 9797
+          protocol: TCP
+        command:
+        - ./podinfo
+        - --port=3306
+        - --port-metrics=9797
+        - --level=info
+        livenessProbe:
+          exec:
+            command:
+            - podcli
+            - check
+            - http
+            - localhost:3306/healthz
+          initialDelaySeconds: 5
+          timeoutSeconds: 5
+        readinessProbe:
+          exec:
+            command:
+            - podcli
+            - check
+            - http
+            - localhost:3306/readyz
+          initialDelaySeconds: 5
+          timeoutSeconds: 5
+        resources:
+          limits:
+            cpu: 2000m
+            memory: 512Mi
+          requests:
+            cpu: 100m
+            memory: 32Mi
--- a/deploy/bases/database/hpa-replica.yaml
+++ b/deploy/bases/database/hpa-replica.yaml
@@ -0,0 +1,18 @@
+apiVersion: autoscaling/v2
+kind: HorizontalPodAutoscaler
+metadata:
+  name: database-replica
+spec:
+  scaleTargetRef:
+    apiVersion: apps/v1
+    kind: Deployment
+    name: database-replica
+  minReplicas: 2
+  maxReplicas: 3
+  metrics:
+  - type: Resource
+    resource:
+      name: cpu
+      target:
+        type: Utilization
+        averageUtilization: 99
--- a/deploy/bases/database/kustomization.yaml
+++ b/deploy/bases/database/kustomization.yaml
@@ -0,0 +1,24 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - serviceaccount.yaml
+  - pvc-primary.yaml
+  - statefulset-primary.yaml
+  - deployment-replica.yaml
+  - service-primary.yaml
+  - service-replica.yaml
+  - hpa-replica.yaml
+  - cronjob-rollup-daily.yaml
+  - cronjob-rollup-weekly.yaml
+  - cronjob-backup-daily.yaml
+configMapGenerator:
+  - name: rollup-script
+    files:
+      - scripts/rollup.sh
+    options:
+      disableNameSuffixHash: true
+  - name: backup-script
+    files:
+      - scripts/backup.sh
+    options:
+      disableNameSuffixHash: true
--- a/deploy/bases/database/pvc-primary.yaml
+++ b/deploy/bases/database/pvc-primary.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: database-primary
+spec:
+  accessModes:
+  - ReadWriteOnce
+  resources:
+    requests:
+      storage: 1Gi
--- a/deploy/bases/database/scripts/backup.sh
+++ b/deploy/bases/database/scripts/backup.sh
@@ -0,0 +1,12 @@
+#!/bin/sh
+set -e
+
+# This is a simulation of a backup process.
+
+EXIT_CODE=${BACKUP_EXIT:-0}
+
+echo "Starting backup (estimated run time: 60s)"
+podcli check http database-replica:3306/readyz
+sleep 60
+echo "Backup finished"
+exit $EXIT_CODE
--- a/deploy/bases/database/scripts/rollup.sh
+++ b/deploy/bases/database/scripts/rollup.sh
@@ -0,0 +1,15 @@
+#!/bin/sh
+set -e
+
+# This is a simulation of a rollup process.
+
+STEPS=${ROLLUP_STEPS:-6}
+echo "Starting rollup with $STEPS steps (estimated run time: $((STEPS * 10))s)"
+podcli check http database-replica:3306/readyz
+i=1
+while [ $i -le $STEPS ]; do
+  echo "Running rollup iteration $i of $STEPS"
+  sleep 10
+  i=$((i + 1))
+done
+echo "Rollup finished"
--- a/deploy/bases/database/service-primary.yaml
+++ b/deploy/bases/database/service-primary.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: database-primary
+spec:
+  type: ClusterIP
+  clusterIP: None
+  selector:
+    app.kubernetes.io/name: database-primary
+  ports:
+    - name: db
+      port: 3306
+      protocol: TCP
+      targetPort: db
--- a/deploy/bases/database/service-replica.yaml
+++ b/deploy/bases/database/service-replica.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: database-replica
+spec:
+  type: ClusterIP
+  selector:
+    app.kubernetes.io/name: database-replica
+  ports:
+    - name: db
+      port: 3306
+      protocol: TCP
+      targetPort: db
--- a/deploy/bases/database/serviceaccount.yaml
+++ b/deploy/bases/database/serviceaccount.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: database
--- a/deploy/bases/database/statefulset-primary.yaml
+++ b/deploy/bases/database/statefulset-primary.yaml
@@ -0,0 +1,70 @@
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: database-primary
+spec:
+  serviceName: database-primary
+  replicas: 1
+  minReadySeconds: 3
+  revisionHistoryLimit: 5
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: database-primary
+  template:
+    metadata:
+      annotations:
+        prometheus.io/scrape: "true"
+        prometheus.io/port: "9797"
+      labels:
+        app.kubernetes.io/name: database-primary
+        app.kubernetes.io/part-of: database
+    spec:
+      serviceAccountName: database
+      containers:
+      - name: database
+        image: ghcr.io/stefanprodan/podinfo:6.11.2
+        imagePullPolicy: IfNotPresent
+        ports:
+        - name: db
+          containerPort: 3306
+          protocol: TCP
+        - name: http-metrics
+          containerPort: 9797
+          protocol: TCP
+        command:
+        - ./podinfo
+        - --port=3306
+        - --port-metrics=9797
+        - --level=info
+        livenessProbe:
+          exec:
+            command:
+            - podcli
+            - check
+            - http
+            - localhost:3306/healthz
+          initialDelaySeconds: 5
+          timeoutSeconds: 5
+        readinessProbe:
+          exec:
+            command:
+            - podcli
+            - check
+            - http
+            - localhost:3306/readyz
+          initialDelaySeconds: 5
+          timeoutSeconds: 5
+        resources:
+          limits:
+            cpu: 2000m
+            memory: 512Mi
+          requests:
+            cpu: 100m
+            memory: 32Mi
+        volumeMounts:
+        - name: data
+          mountPath: /data
+      volumes:
+      - name: data
+        persistentVolumeClaim:
+          claimName: database-primary
--- a/deploy/bases/frontend/deployment.yaml
+++ b/deploy/bases/frontend/deployment.yaml
@@ -12,18 +12,18 @@ spec:
    type: RollingUpdate
  selector:
    matchLabels:
-      app: frontend
+      app.kubernetes.io/name: frontend
  template:
    metadata:
      annotations:
        prometheus.io/scrape: "true"
        prometheus.io/port: "9797"
      labels:
-        app: frontend
+        app.kubernetes.io/name: frontend
    spec:
      containers:
      - name: frontend
-        image: stefanprodan/podinfo:4.0.5
+        image: ghcr.io/stefanprodan/podinfo:6.11.2
        imagePullPolicy: IfNotPresent
        ports:
        - name: http
@@ -41,7 +41,7 @@ spec:
        - --port-metrics=9797
        - --level=info
        - --backend-url=http://backend:9898/echo
-        - --cache-server=cache:6379
+        - --cache-server=tcp://cache:6379
        env:
        - name: PODINFO_UI_COLOR
          value: "#34577c"
--- a/deploy/bases/frontend/hpa.yaml
+++ b/deploy/bases/frontend/hpa.yaml
@@ -1,4 +1,4 @@
-apiVersion: autoscaling/v2beta2
+apiVersion: autoscaling/v2
 kind: HorizontalPodAutoscaler
 metadata:
  name: frontend
--- a/deploy/bases/frontend/service.yaml
+++ b/deploy/bases/frontend/service.yaml
@@ -5,7 +5,7 @@ metadata:
 spec:
  type: ClusterIP
  selector:
-    app: frontend
+    app.kubernetes.io/name: frontend
  ports:
    - name: http
      port: 80
--- a/deploy/kind.sh
+++ b/deploy/kind.sh
@@ -0,0 +1,48 @@
+#! /usr/bin/env sh
+
+mkdir -p bin
+cat > ./bin/kind.yaml <<EOF
+apiVersion: kind.x-k8s.io/v1alpha4
+kind: Cluster
+nodes:
+- role: control-plane
+  extraPortMappings:
+  - containerPort: 80
+    hostPort: 80
+    protocol: TCP
+  - containerPort: 443
+    hostPort: 443
+    protocol: TCP
+EOF
+
+# create the kind cluster
+kind create cluster --config=kind.yaml
+
+# add certificate manager
+kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.0.4/cert-manager.yaml
+
+# wait for cert manager
+kubectl rollout status --namespace cert-manager deployment/cert-manager --timeout=2m
+kubectl rollout status --namespace cert-manager deployment/cert-manager-webhook --timeout=2m
+kubectl rollout status --namespace cert-manager deployment/cert-manager-cainjector --timeout=2m
+
+# # apply the secure webapp
+kubectl apply -f ./secure/common
+kubectl apply -f ./secure/backend
+kubectl apply -f ./secure/frontend
+
+# # wait for the podinfo frontend to come up
+kubectl rollout status --namespace secure deployment/frontend --timeout=1m
+
+# curl the endpoints (responds with info due to header regexp on route handler)
+echo
+echo "http enpdoint:"
+echo "curl http://localhost"
+echo
+curl http://localhost
+
+echo
+echo "https (secure) enpdoint:"
+echo "curl --insecure https://localhost"
+echo
+curl --insecure https://localhost
--- a/deploy/overlays/dev/kustomization.yaml
+++ b/deploy/overlays/dev/kustomization.yaml
@@ -5,6 +5,7 @@ resources:
  - ../../bases/backend
  - ../../bases/frontend
  - ../../bases/cache
+  - ../../bases/database
  - namespace.yaml
 transformers:
  - labels.yaml
--- a/deploy/overlays/dev/labels.yaml
+++ b/deploy/overlays/dev/labels.yaml
@@ -3,8 +3,8 @@ kind: LabelTransformer
 metadata:
  name: labels
 labels:
-  env: dev
-  instance: webapp
+  app.kubernetes.io/environment: dev
+  app.kubernetes.io/instance: webapp
 fieldSpecs:
  - path: metadata/labels
    create: true
--- a/deploy/overlays/production/kustomization.yaml
+++ b/deploy/overlays/production/kustomization.yaml
@@ -5,6 +5,7 @@ resources:
  - ../../bases/backend
  - ../../bases/frontend
  - ../../bases/cache
+  - ../../bases/database
  - namespace.yaml
 transformers:
  - labels.yaml
--- a/deploy/overlays/production/labels.yaml
+++ b/deploy/overlays/production/labels.yaml
@@ -3,8 +3,8 @@ kind: LabelTransformer
 metadata:
  name: labels
 labels:
-  env: production
-  instance: webapp
+  app.kubernetes.io/environment: production
+  app.kubernetes.io/instance: webapp
 fieldSpecs:
  - path: metadata/labels
    create: true
--- a/deploy/overlays/staging/kustomization.yaml
+++ b/deploy/overlays/staging/kustomization.yaml
@@ -5,6 +5,7 @@ resources:
  - ../../bases/backend
  - ../../bases/frontend
  - ../../bases/cache
+  - ../../bases/database
  - namespace.yaml
 transformers:
  - labels.yaml
--- a/deploy/overlays/staging/labels.yaml
+++ b/deploy/overlays/staging/labels.yaml
@@ -3,8 +3,8 @@ kind: LabelTransformer
 metadata:
  name: labels
 labels:
-  env: staging
-  instance: webapp
+  app.kubernetes.io/environment: staging
+  app.kubernetes.io/instance: webapp
 fieldSpecs:
  - path: metadata/labels
    create: true
--- a/deploy/secure/backend/deployment.yaml
+++ b/deploy/secure/backend/deployment.yaml
@@ -0,0 +1,74 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: backend
+  namespace: secure
+spec:
+  minReadySeconds: 3
+  revisionHistoryLimit: 5
+  progressDeadlineSeconds: 60
+  strategy:
+    rollingUpdate:
+      maxUnavailable: 0
+    type: RollingUpdate
+  selector:
+    matchLabels:
+      app: backend
+  template:
+    metadata:
+      annotations:
+        prometheus.io/scrape: "true"
+        prometheus.io/port: "9797"
+      labels:
+        app: backend
+    spec:
+      serviceAccountName: secure
+      containers:
+      - name: backend
+        image: ghcr.io/stefanprodan/podinfo:5.0.3
+        imagePullPolicy: IfNotPresent
+        ports:
+        - name: http
+          containerPort: 9898
+          protocol: TCP
+        - name: http-metrics
+          containerPort: 9797
+          protocol: TCP
+        - name: grpc
+          containerPort: 9999
+          protocol: TCP
+        command:
+        - ./podinfo
+        - --port=9898
+        - --port-metrics=9797
+        - --grpc-port=9999
+        - --grpc-service-name=backend
+        - --level=info
+        env:
+        - name: PODINFO_UI_COLOR
+          value: "#34577c"
+        livenessProbe:
+          exec:
+            command:
+            - podcli
+            - check
+            - http
+            - localhost:9898/healthz
+          initialDelaySeconds: 5
+          timeoutSeconds: 5
+        readinessProbe:
+          exec:
+            command:
+            - podcli
+            - check
+            - http
+            - localhost:9898/readyz
+          initialDelaySeconds: 5
+          timeoutSeconds: 5
+        resources:
+          limits:
+            cpu: 2000m
+            memory: 512Mi
+          requests:
+            cpu: 100m
+            memory: 32Mi
--- a/deploy/secure/backend/hpa.yaml
+++ b/deploy/secure/backend/hpa.yaml
@@ -0,0 +1,19 @@
+apiVersion: autoscaling/v2
+kind: HorizontalPodAutoscaler
+metadata:
+  name: backend
+  namespace: secure
+spec:
+  scaleTargetRef:
+    apiVersion: apps/v1
+    kind: Deployment
+    name: backend
+  minReplicas: 1
+  maxReplicas: 2
+  metrics:
+  - type: Resource
+    resource:
+      name: cpu
+      target:
+        type: Utilization
+        averageUtilization: 99
--- a/deploy/secure/backend/service.yaml
+++ b/deploy/secure/backend/service.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: backend
+  namespace: secure
+spec:
+  type: ClusterIP
+  selector:
+    app: backend
+  ports:
+    - name: http
+      port: 9898
+      protocol: TCP
+      targetPort: http
+    - port: 9999
+      targetPort: grpc
+      protocol: TCP
+      name: grpc
--- a/deploy/secure/common/cluster-issuer.yaml
+++ b/deploy/secure/common/cluster-issuer.yaml
@@ -0,0 +1,6 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: self-signed
+spec:
+  selfSigned: {}
--- a/deploy/secure/common/namespace.yaml
+++ b/deploy/secure/common/namespace.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: secure
--- a/deploy/secure/common/reconciler-rbac.yaml
+++ b/deploy/secure/common/reconciler-rbac.yaml
@@ -0,0 +1,29 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: reconciler
+  namespace: secure
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: reconciler
+  namespace: secure
+rules:
+  - apiGroups: ['*']
+    resources: ['*']
+    verbs: ['*']
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: reconciler
+  namespace: secure
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: reconciler
+subjects:
+  - kind: ServiceAccount
+    name: reconciler
+    namespace: secure
--- a/Show More
+++ b/Show More
				`@@ -0,0 +1 @@`
				`timoni/podinfo/cue.mod/** linguist-vendored`