New chart: Chainloop (#27100)

* New chart: Chainloop Signed-off-by: Javier Rodriguez <javier@chainloop.dev> * Update CHANGELOG.md Signed-off-by: Bitnami Containers <bitnami-bot@vmware.com> * Update README.md with readme-generator-for-helm Signed-off-by: Bitnami Containers <bitnami-bot@vmware.com> * Fix README links Signed-off-by: Javier Rodriguez <javier@chainloop.dev> * Modify license headers Signed-off-by: Javier Rodriguez <javier@chainloop.dev> * Update CHANGELOG.md Signed-off-by: Bitnami Containers <bitnami-bot@vmware.com> * Fix README.md linter Signed-off-by: Javier Rodriguez <javier@chainloop.dev> * Update README.md with readme-generator-for-helm Signed-off-by: Bitnami Containers <bitnami-bot@vmware.com> * More changes on linter Signed-off-by: Javier Rodriguez <javier@chainloop.dev> * remove links Signed-off-by: Javier Rodriguez <javier@chainloop.dev> * Update chart dependency Signed-off-by: Javier Rodriguez <javier@chainloop.dev> * Generate README.md Signed-off-by: Javier Rodriguez <javier@chainloop.dev> * Update CHANGELOG.md Signed-off-by: Bitnami Containers <bitnami-bot@vmware.com> * Update CHANGELOG.md Signed-off-by: Bitnami Containers <bitnami-bot@vmware.com> * chore: update chart Signed-off-by: Miguel <miguel@chainloop.dev> * chore: update chart Signed-off-by: Miguel <miguel@chainloop.dev> * chore: update chart Signed-off-by: Miguel <miguel@chainloop.dev> * Update chart with bitnami standards Signed-off-by: Javier Rodriguez <javier@chainloop.dev> * Fix linter Signed-off-by: Javier Rodriguez <javier@chainloop.dev> * Fix README and values.yaml Signed-off-by: Javier Rodriguez <javier@chainloop.dev> * Remove dex subchart and push it one level up Signed-off-by: Javier Rodriguez <javier@chainloop.dev> * Update CHANGELOG.md Signed-off-by: Bitnami Containers <bitnami-bot@vmware.com> * change readme Signed-off-by: Javier Rodriguez <javier@chainloop.dev> * templates and values.yaml feedback Signed-off-by: Javier Rodriguez <javier@chainloop.dev> * Update CHANGELOG.md Signed-off-by: Bitnami Containers <bitnami-bot@vmware.com> * Include chainloop bitnami images Signed-off-by: Javier Rodriguez <javier@chainloop.dev> * Update readme Signed-off-by: Javier Rodriguez <javier@chainloop.dev> * add networkpolicies and reduce number of extra and skip params Signed-off-by: Javier Rodriguez <javier@chainloop.dev> * skip .tag params Signed-off-by: Javier Rodriguez <javier@chainloop.dev> * fix tests Signed-off-by: Javier Rodriguez <javier@chainloop.dev> * fix networkpolicy and add pdb Signed-off-by: Javier Rodriguez <javier@chainloop.dev> * fix readme Signed-off-by: Javier Rodriguez <javier@chainloop.dev> * increase test time Signed-off-by: Javier Rodriguez <javier@chainloop.dev> * add missing parameter to verify step Signed-off-by: Javier Rodriguez <javier@chainloop.dev> * add vpa to cas and controlplane Signed-off-by: Javier Rodriguez <javier@chainloop.dev> * Update CHANGELOG.md Signed-off-by: Bitnami Containers <bitnami-bot@vmware.com> * tackle feedback Signed-off-by: Javier Rodriguez <javier@chainloop.dev> --------- Signed-off-by: Javier Rodriguez <javier@chainloop.dev> Signed-off-by: Bitnami Containers <bitnami-bot@vmware.com> Signed-off-by: Miguel <miguel@chainloop.dev> Co-authored-by: Bitnami Containers <bitnami-bot@vmware.com> Co-authored-by: Miguel <miguel@chainloop.dev>
2026-02-19 19:47:22 +08:00 · 2024-08-09 10:05:30 +02:00
parent da5f1c5478
commit f192ad3943
58 changed files with 6632 additions and 0 deletions
--- a/.vib/chainloop/ginkgo/chainloop_suite_test.go
+++ b/.vib/chainloop/ginkgo/chainloop_suite_test.go
@@ -0,0 +1,31 @@
+package chainloop_test
+
+import (
+	"flag"
+	"testing"
+	"time"
+
+	. "github.com/onsi/ginkgo/v2"
+	. "github.com/onsi/gomega"
+)
+
+var (
+	kubeconfig     string
+	releaseName    string
+	namespace      string
+	timeoutSeconds int
+	timeout        time.Duration
+)
+
+func init() {
+	flag.StringVar(&kubeconfig, "kubeconfig", "", "absolute path to the kubeconfig file")
+	flag.StringVar(&releaseName, "name", "", "name of the primary statefulset")
+	flag.StringVar(&namespace, "namespace", "", "namespace where the application is running")
+	flag.IntVar(&timeoutSeconds, "timeout", 500, "timeout in seconds")
+	timeout = time.Duration(timeoutSeconds) * time.Second
+}
+
+func TestChainloop(t *testing.T) {
+	RegisterFailHandler(Fail)
+	RunSpecs(t, "Chainloop Persistence Test Suite")
+}
--- a/.vib/chainloop/ginkgo/chainloop_test.go
+++ b/.vib/chainloop/ginkgo/chainloop_test.go
@@ -0,0 +1,159 @@
+package chainloop_test
+
+import (
+	"context"
+	"fmt"
+	"time"
+
+	utils "github.com/bitnami/charts/.vib/common-tests/ginkgo-utils"
+	. "github.com/onsi/ginkgo/v2"
+	. "github.com/onsi/gomega"
+	appsv1 "k8s.io/api/apps/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/client-go/kubernetes"
+)
+
+const (
+	PollingInterval = 1 * time.Second
+)
+
+// portDefinition is a struct to define a port in a service
+type portDefinition struct {
+	name   string
+	number string
+}
+
+var _ = Describe("Chainloop", Ordered, func() {
+	var c *kubernetes.Clientset
+	var ctx context.Context
+	var cancel context.CancelFunc
+
+	BeforeEach(func() {
+		ctx, cancel = context.WithCancel(context.Background())
+
+		conf := utils.MustBuildClusterConfig(kubeconfig)
+		c = kubernetes.NewForConfigOrDie(conf)
+	})
+
+	When("Chainloop chart is fully deployed", func() {
+		It("cas deployment is running", func() {
+			getReadyReplicas := func(ss *appsv1.Deployment) int32 { return ss.Status.ReadyReplicas }
+			getOpts := metav1.GetOptions{}
+
+			By("checking all the replicas are available")
+			stsName := fmt.Sprintf("%s-cas", releaseName)
+			dpl, err := c.AppsV1().Deployments(namespace).Get(ctx, stsName, getOpts)
+			Expect(err).NotTo(HaveOccurred())
+			Expect(dpl.Status.Replicas).NotTo(BeZero())
+			origReplicas := *dpl.Spec.Replicas
+
+			Eventually(func() (*appsv1.Deployment, error) {
+				return c.AppsV1().Deployments(namespace).Get(ctx, stsName, getOpts)
+			}, timeout, PollingInterval).Should(WithTransform(getReadyReplicas, Equal(origReplicas)))
+
+			By("checking all the services are available")
+			svcs := []struct {
+				name  string
+				ports []portDefinition
+			}{
+				{
+					name: "cas",
+					ports: []portDefinition{
+						{
+							name:   "http",
+							number: "80",
+						},
+					},
+				},
+				{
+					name: "cas-api",
+					ports: []portDefinition{
+						{
+							name:   "grpc",
+							number: "80",
+						},
+					},
+				},
+			}
+
+			for _, inSvc := range svcs {
+				svcName := fmt.Sprintf("%v-%v", releaseName, inSvc.name)
+				svc, err := c.CoreV1().Services(namespace).Get(ctx, svcName, metav1.GetOptions{})
+				Expect(err).NotTo(HaveOccurred())
+
+				for _, port := range inSvc.ports {
+					outPort, err := utils.SvcGetPortByName(svc, port.name)
+					Expect(err).NotTo(HaveOccurred())
+					Expect(outPort).NotTo(BeNil())
+					Expect(outPort).To(Equal(port.number))
+				}
+			}
+
+			By("checking main container image is running")
+			_, err = utils.DplGetContainerImage(dpl, "cas")
+			Expect(err).NotTo(HaveOccurred())
+		})
+
+		It("controlplane deployment is running", func() {
+			getReadyReplicas := func(ss *appsv1.Deployment) int32 { return ss.Status.ReadyReplicas }
+			getOpts := metav1.GetOptions{}
+
+			By("checking all the replicas are available")
+			stsName := fmt.Sprintf("%s-controlplane", releaseName)
+			dpl, err := c.AppsV1().Deployments(namespace).Get(ctx, stsName, getOpts)
+			Expect(err).NotTo(HaveOccurred())
+			Expect(dpl.Status.Replicas).NotTo(BeZero())
+			origReplicas := *dpl.Spec.Replicas
+
+			Eventually(func() (*appsv1.Deployment, error) {
+				return c.AppsV1().Deployments(namespace).Get(ctx, stsName, getOpts)
+			}, timeout, PollingInterval).Should(WithTransform(getReadyReplicas, Equal(origReplicas)))
+
+			By("checking all the services are available")
+			svcs := []struct {
+				name  string
+				ports []portDefinition
+			}{
+				{
+					name: "controlplane",
+					ports: []portDefinition{
+						{
+							name:   "http",
+							number: "80",
+						},
+					},
+				},
+				{
+					name: "controlplane-api",
+					ports: []portDefinition{
+						{
+							name:   "grpc",
+							number: "80",
+						},
+					},
+				},
+			}
+
+			for _, inSvc := range svcs {
+				svcName := fmt.Sprintf("%v-%v", releaseName, inSvc.name)
+				svc, err := c.CoreV1().Services(namespace).Get(ctx, svcName, metav1.GetOptions{})
+				Expect(err).NotTo(HaveOccurred())
+
+				for _, port := range inSvc.ports {
+					outPort, err := utils.SvcGetPortByName(svc, port.name)
+					Expect(err).NotTo(HaveOccurred())
+					Expect(outPort).NotTo(BeNil())
+					Expect(outPort).To(Equal(port.number))
+				}
+			}
+
+			By("checking main container image is running")
+			_, err = utils.DplGetContainerImage(dpl, "controlplane")
+			Expect(err).NotTo(HaveOccurred())
+		})
+	})
+
+	AfterEach(func() {
+		cancel()
+	})
+})
--- a/.vib/chainloop/ginkgo/go.mod
+++ b/.vib/chainloop/ginkgo/go.mod
@@ -0,0 +1,57 @@
+module test-chainloop-chart
+
+go 1.20
+
+replace github.com/bitnami/charts/.vib/common-tests/ginkgo-utils => ../../common-tests/ginkgo-utils
+
+require (
+	github.com/bitnami/charts/.vib/common-tests/ginkgo-utils v0.0.0-00010101000000-000000000000
+	github.com/onsi/ginkgo/v2 v2.11.0
+	github.com/onsi/gomega v1.27.8
+	k8s.io/api v0.28.0
+	k8s.io/apimachinery v0.28.0
+	k8s.io/client-go v0.28.0
+)
+
+require (
+	github.com/davecgh/go-spew v1.1.1 // indirect
+	github.com/emicklei/go-restful/v3 v3.9.0 // indirect
+	github.com/go-logr/logr v1.2.4 // indirect
+	github.com/go-openapi/jsonpointer v0.19.6 // indirect
+	github.com/go-openapi/jsonreference v0.20.2 // indirect
+	github.com/go-openapi/swag v0.22.3 // indirect
+	github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 // indirect
+	github.com/gogo/protobuf v1.3.2 // indirect
+	github.com/golang/protobuf v1.5.3 // indirect
+	github.com/google/gnostic-models v0.6.8 // indirect
+	github.com/google/go-cmp v0.5.9 // indirect
+	github.com/google/gofuzz v1.2.0 // indirect
+	github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1 // indirect
+	github.com/google/uuid v1.3.0 // indirect
+	github.com/imdario/mergo v0.3.6 // indirect
+	github.com/josharian/intern v1.0.0 // indirect
+	github.com/json-iterator/go v1.1.12 // indirect
+	github.com/mailru/easyjson v0.7.7 // indirect
+	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
+	github.com/modern-go/reflect2 v1.0.2 // indirect
+	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
+	github.com/spf13/pflag v1.0.5 // indirect
+	golang.org/x/net v0.23.0 // indirect
+	golang.org/x/oauth2 v0.8.0 // indirect
+	golang.org/x/sys v0.18.0 // indirect
+	golang.org/x/term v0.18.0 // indirect
+	golang.org/x/text v0.14.0 // indirect
+	golang.org/x/time v0.3.0 // indirect
+	golang.org/x/tools v0.9.3 // indirect
+	google.golang.org/appengine v1.6.7 // indirect
+	google.golang.org/protobuf v1.33.0 // indirect
+	gopkg.in/inf.v0 v0.9.1 // indirect
+	gopkg.in/yaml.v2 v2.4.0 // indirect
+	gopkg.in/yaml.v3 v3.0.1 // indirect
+	k8s.io/klog/v2 v2.100.1 // indirect
+	k8s.io/kube-openapi v0.0.0-20230717233707-2695361300d9 // indirect
+	k8s.io/utils v0.0.0-20230406110748-d93618cff8a2 // indirect
+	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
+	sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect
+	sigs.k8s.io/yaml v1.3.0 // indirect
+)
--- a/.vib/chainloop/ginkgo/go.sum
+++ b/.vib/chainloop/ginkgo/go.sum
@@ -0,0 +1,160 @@
+github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI=
+github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI=
+github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU=
+github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
+github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
+github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/emicklei/go-restful/v3 v3.9.0 h1:XwGDlfxEnQZzuopoqxwSEllNcCOM9DhhFyhFIIGKwxE=
+github.com/emicklei/go-restful/v3 v3.9.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc=
+github.com/go-logr/logr v1.2.0/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
+github.com/go-logr/logr v1.2.4 h1:g01GSCwiDw2xSZfjJ2/T9M+S6pFdcNtFYsp+Y43HYDQ=
+github.com/go-logr/logr v1.2.4/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
+github.com/go-openapi/jsonpointer v0.19.6 h1:eCs3fxoIi3Wh6vtgmLTOjdhSpiqphQ+DaPn38N2ZdrE=
+github.com/go-openapi/jsonpointer v0.19.6/go.mod h1:osyAmYz/mB/C3I+WsTTSgw1ONzaLJoLCyoi6/zppojs=
+github.com/go-openapi/jsonreference v0.20.2 h1:3sVjiK66+uXK/6oQ8xgcRKcFgQ5KXa2KvnJRumpMGbE=
+github.com/go-openapi/jsonreference v0.20.2/go.mod h1:Bl1zwGIM8/wsvqjsOQLJ/SH+En5Ap4rVB5KVcIDZG2k=
+github.com/go-openapi/swag v0.22.3 h1:yMBqmnQ0gyZvEb/+KzuWZOXgllrXT4SADYbvDaXHv/g=
+github.com/go-openapi/swag v0.22.3/go.mod h1:UzaqsxGiab7freDnrUUra0MwWfN/q7tE4j+VcZ0yl14=
+github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 h1:tfuBGBXKqDEevZMzYi5KSi8KkcZtzBcTgAUUtapy0OI=
+github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572/go.mod h1:9Pwr4B2jHnOSGXyyzV8ROjYa2ojvAY6HCGYYfMoC3Ls=
+github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
+github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
+github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
+github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=
+github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg=
+github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
+github.com/google/gnostic-models v0.6.8 h1:yo/ABAfM5IMRsS1VnXjTBvUb61tFIHozhlYvRgGre9I=
+github.com/google/gnostic-models v0.6.8/go.mod h1:5n7qKqH0f5wFt+aWF8CW6pZLLNOfYuF5OpfBSENuI8U=
+github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38=
+github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
+github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
+github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0=
+github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
+github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1 h1:K6RDEckDVWvDI9JAJYCmNdQXq6neHJOYx3V6jnqNEec=
+github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
+github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I=
+github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
+github.com/imdario/mergo v0.3.6 h1:xTNEAn+kxVO7dTZGu0CegyqKZmoWFI0rF8UxjlB2d28=
+github.com/imdario/mergo v0.3.6/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA=
+github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY=
+github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y=
+github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
+github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
+github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
+github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
+github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
+github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
+github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
+github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
+github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
+github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
+github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0=
+github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc=
+github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
+github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg=
+github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
+github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9Gz0M=
+github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
+github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA=
+github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
+github.com/onsi/ginkgo/v2 v2.11.0 h1:WgqUCUt/lT6yXoQ8Wef0fsNn5cAuMK7+KT9UFRz2tcU=
+github.com/onsi/ginkgo/v2 v2.11.0/go.mod h1:ZhrRA5XmEE3x3rhlzamx/JJvujdZoJ2uvgI7kR0iZvM=
+github.com/onsi/gomega v1.27.8 h1:gegWiwZjBsf2DgiSbf5hpokZ98JVDMcWkUiigk6/KXc=
+github.com/onsi/gomega v1.27.8/go.mod h1:2J8vzI/s+2shY9XHRApDkdgPo1TKT7P2u6fXeJKFnNQ=
+github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
+github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/rogpeppe/go-internal v1.10.0 h1:TMyTOH3F/DB16zRVcYyreMH6GnZZrwQVAoYjRBZyWFQ=
+github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
+github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
+github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
+github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
+github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
+github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
+github.com/stretchr/testify v1.8.2 h1:+h33VjcLVPDHtOdpUCuF+7gSuG3yGIftsP1YvFihtJ8=
+github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
+github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
+golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
+golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
+golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
+golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
+golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
+golang.org/x/mod v0.10.0 h1:lFO9qtOdlre5W1jxS3r/4szv2/6iXxScdzjoBMXNhYk=
+golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks=
+golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
+golang.org/x/net v0.23.0 h1:7EYJ93RZ9vYSZAIb2x3lnuvqO5zneoD6IvWjuhfxjTs=
+golang.org/x/net v0.23.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg=
+golang.org/x/oauth2 v0.8.0 h1:6dkIjl3j3LtZ/O3sTgZTMsLKSftL/B8Zgq4huOIIUu8=
+golang.org/x/oauth2 v0.8.0/go.mod h1:yr7u4HXZRm1R1kBWqr/xKNqewf0plRYoB7sla+BCIXE=
+golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.18.0 h1:DBdB3niSjOA/O0blCZBqDefyWNYveAYMNF1Wum0DYQ4=
+golang.org/x/sys v0.18.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/term v0.18.0 h1:FcHjZXDMxI8mM3nwhX9HlKop4C0YQvCVCdwYl2wOtE8=
+golang.org/x/term v0.18.0/go.mod h1:ILwASektA3OnRv7amZ1xhE/KTR+u50pbXfZ03+6Nx58=
+golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
+golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ=
+golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
+golang.org/x/time v0.3.0 h1:rg5rLMjNzMS1RkNLzCG38eapWhnYLFYXDXj2gOlr8j4=
+golang.org/x/time v0.3.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
+golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
+golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
+golang.org/x/tools v0.9.3 h1:Gn1I8+64MsuTb/HpH+LmQtNas23LhUVr3rYZ0eKuaMM=
+golang.org/x/tools v0.9.3/go.mod h1:owI94Op576fPu3cIGQeHs3joujW/2Oc6MtlxbF5dfNc=
+golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+google.golang.org/appengine v1.6.7 h1:FZR1q0exgwxzPzp/aF+VccGrSfxfPpkBqjIIEq3ru6c=
+google.golang.org/appengine v1.6.7/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
+google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
+google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
+google.golang.org/protobuf v1.33.0 h1:uNO2rsAINq/JlFpSdYEKIZ0uKD/R9cpdv0T+yoGwGmI=
+google.golang.org/protobuf v1.33.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
+gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
+gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc=
+gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
+gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
+gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
+gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
+gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+k8s.io/api v0.28.0 h1:3j3VPWmN9tTDI68NETBWlDiA9qOiGJ7sdKeufehBYsM=
+k8s.io/api v0.28.0/go.mod h1:0l8NZJzB0i/etuWnIXcwfIv+xnDOhL3lLW919AWYDuY=
+k8s.io/apimachinery v0.28.0 h1:ScHS2AG16UlYWk63r46oU3D5y54T53cVI5mMJwwqFNA=
+k8s.io/apimachinery v0.28.0/go.mod h1:X0xh/chESs2hP9koe+SdIAcXWcQ+RM5hy0ZynB+yEvw=
+k8s.io/client-go v0.28.0 h1:ebcPRDZsCjpj62+cMk1eGNX1QkMdRmQ6lmz5BLoFWeM=
+k8s.io/client-go v0.28.0/go.mod h1:0Asy9Xt3U98RypWJmU1ZrRAGKhP6NqDPmptlAzK2kMc=
+k8s.io/klog/v2 v2.100.1 h1:7WCHKK6K8fNhTqfBhISHQ97KrnJNFZMcQvKp7gP/tmg=
+k8s.io/klog/v2 v2.100.1/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0=
+k8s.io/kube-openapi v0.0.0-20230717233707-2695361300d9 h1:LyMgNKD2P8Wn1iAwQU5OhxCKlKJy0sHc+PcDwFB24dQ=
+k8s.io/kube-openapi v0.0.0-20230717233707-2695361300d9/go.mod h1:wZK2AVp1uHCp4VamDVgBP2COHZjqD1T68Rf0CM3YjSM=
+k8s.io/utils v0.0.0-20230406110748-d93618cff8a2 h1:qY1Ad8PODbnymg2pRbkyMT/ylpTrCM8P2RJ0yroCyIk=
+k8s.io/utils v0.0.0-20230406110748-d93618cff8a2/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
+sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo=
+sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0=
+sigs.k8s.io/structured-merge-diff/v4 v4.2.3 h1:PRbqxJClWWYMNV1dhaG4NsibJbArud9kFxnAMREiWFE=
+sigs.k8s.io/structured-merge-diff/v4 v4.2.3/go.mod h1:qjx8mGObPmV2aSZepjQjbmb2ihdVs8cGKBraizNC69E=
+sigs.k8s.io/yaml v1.3.0 h1:a2VclLzOGrwOHDiV8EfBGhvjHvP46CtW5j6POvhYGGo=
+sigs.k8s.io/yaml v1.3.0/go.mod h1:GeOyir5tyXNByN85N/dRIT9es5UQNerPYEKK56eTBm8=
--- a/.vib/chainloop/runtime-parameters.yaml
+++ b/.vib/chainloop/runtime-parameters.yaml
@@ -0,0 +1,7 @@
+development: true
+controlplane:
+  auth:
+    oidc:
+      url: http://chainloop-dex:5556/dex
+      clientID: chainloop-dev
+      clientSecret: ZXhhbXBsZS1hcHAtc2VjcmV0
--- a/.vib/chainloop/vib-publish.json
+++ b/.vib/chainloop/vib-publish.json
@@ -0,0 +1,38 @@
+{
+  "phases": {
+    "package": {
+      "context": {
+        "resources": {
+          "url": "{SHA_ARCHIVE}",
+          "path": "/bitnami/chainloop"
+        }
+      },
+      "actions": [
+        {
+          "action_id": "helm-package"
+        },
+        {
+          "action_id": "helm-lint"
+        }
+      ]
+    },
+    "publish": {
+      "actions": [
+        {
+          "action_id": "helm-publish",
+          "params": {
+            "repository": {
+              "kind": "S3",
+              "url": "{VIB_ENV_S3_URL}",
+              "authn": {
+                "access_key_id": "{VIB_ENV_S3_ACCESS_KEY_ID}",
+                "secret_access_key": "{VIB_ENV_S3_SECRET_ACCESS_KEY}",
+                "role": "{VIB_ENV_S3_ROLE_ARN}"
+              }
+            }
+          }
+        }
+      ]
+    }
+  }
+}
--- a/.vib/chainloop/vib-verify.json
+++ b/.vib/chainloop/vib-verify.json
@@ -0,0 +1,49 @@
+{
+  "phases": {
+    "package": {
+      "context": {
+        "resources": {
+          "url": "{SHA_ARCHIVE}",
+          "path": "/bitnami/chainloop"
+        }
+      },
+      "actions": [
+        {
+          "action_id": "helm-package"
+        },
+        {
+          "action_id": "helm-lint"
+        }
+      ]
+    },
+    "verify": {
+      "context": {
+        "resources": {
+          "url": "{SHA_ARCHIVE}",
+          "path": "/bitnami/chainloop"
+        },
+        "target_platform": {
+          "target_platform_id": "{VIB_ENV_TARGET_PLATFORM}",
+          "size": {
+            "name": "S4"
+          }
+        }
+      },
+      "actions": [
+        {
+          "action_id": "ginkgo",
+          "params": {
+            "resources": {
+              "path": "/.vib/chainloop/ginkgo"
+            },
+            "params": {
+              "kubeconfig": "{{kubeconfig}}",
+              "namespace": "{{namespace}}",
+              "name": "chainloop"
+            }
+          }
+        }
+      ]
+    }
+  }
+}
--- a/bitnami/chainloop/.helmignore
+++ b/bitnami/chainloop/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
--- a/bitnami/chainloop/CHANGELOG.md
+++ b/bitnami/chainloop/CHANGELOG.md
@@ -0,0 +1,5 @@
+# Changelog
+
+## 0.1.0 (2024-08-08)
+
+* New chart: Chainloop ([#27100](https://github.com/bitnami/charts/pull/27100))
--- a/bitnami/chainloop/Chart.lock
+++ b/bitnami/chainloop/Chart.lock
@@ -0,0 +1,12 @@
+dependencies:
+- name: common
+  repository: oci://registry-1.docker.io/bitnamicharts
+  version: 2.21.0
+- name: postgresql
+  repository: oci://registry-1.docker.io/bitnamicharts
+  version: 15.5.20
+- name: vault
+  repository: oci://registry-1.docker.io/bitnamicharts
+  version: 1.4.18
+digest: sha256:3c8f91b4005b34cdb16f4e4603cc641d4f8c1b2107be8b8499af72ff6a540015
+generated: "2024-08-08T18:05:43.024689+02:00"
--- a/bitnami/chainloop/Chart.yaml
+++ b/bitnami/chainloop/Chart.yaml
@@ -0,0 +1,66 @@
+# Copyright Broadcom, Inc. All Rights Reserved.
+# SPDX-License-Identifier: APACHE-2.0
+
+annotations:
+  category: DeveloperTools
+  license: Apache-2.0
+  images: |
+    - image: docker.io/bitnami/chainloop-artifact-cas:0.95.3-debian-12-r0
+      name: artifact-cas
+    - image: docker.io/bitnami/chainloop-control-plane:0.95.3-debian-12-r0
+      name: control-plane
+    - image: docker.io/bitnami/chainloop-control-plane-migrations:0.95.3-debian-12-r0
+      name: control-plane-migrations
+    - image: docker.io/bitnami/dex:2.40.0-debian-12-r1
+      name: dex
+apiVersion: v2
+appVersion: 0.95.3
+dependencies:
+  - name: common
+    repository: oci://registry-1.docker.io/bitnamicharts
+    tags:
+      - bitnami-common
+    version: 2.x.x
+  - condition: postgresql.enabled
+    name: postgresql
+    repository: oci://registry-1.docker.io/bitnamicharts
+    version: 15.x.x
+  - condition: development
+    name: vault
+    repository: oci://registry-1.docker.io/bitnamicharts
+    version: 1.4.x
+description: Chainloop is an open source software supply chain control plane, a single source of truth for artifacts plus a declarative attestation crafting process.
+home: https://bitnami.com
+icon: https://bitnami.com/assets/stacks/chainloop/img/chainloop-stack-220x234.png
+keywords:
+  - chainloop
+  - evidence-store
+  - supply-chain-security
+  - devops
+  - devsecops
+  - security
+  - compliance
+  - cyclonedx
+  - spdx
+  - sbom
+  - attestation
+  - oss-compliance
+  - in-toto
+  - slsa
+  - sbom-distribution
+  - open-source-licensing
+  - slsa-provenance
+  - metadata-platform
+  - sbom-discovery
+  - regulated-industry
+maintainers:
+  - name: Broadcom, Inc. All Rights Reserved.
+    url: https://github.com/bitnami/charts
+name: chainloop
+sources:
+  - https://github.com/bitnami/charts/tree/main/bitnami/chainloop
+  - https://github.com/bitnami/containers/tree/main/bitnami/chainloop-control-plane
+  - https://github.com/bitnami/containers/tree/main/bitnami/chainloop-control-plane-migrations
+  - https://github.com/bitnami/containers/tree/main/bitnami/chainloop-artifact-cas
+  - https://github.com/chainloop-dev/chainloop
+version: 0.1.0
--- a/bitnami/chainloop/README.md
+++ b/bitnami/chainloop/README.md
--- a/bitnami/chainloop/templates/NOTES.txt
+++ b/bitnami/chainloop/templates/NOTES.txt
@@ -0,0 +1,66 @@
+CHART NAME: {{ .Chart.Name  }}
+CHART VERSION: {{ .Chart.Version  }}
+APP VERSION: {{ .Chart.AppVersion  }}
+
+** Please be patient while the chart is being deployed **
+
+{{- if .Values.development }}
+
+###########################################################################
+  DEVELOPMENT MODE
+###########################################################################
+
+██████╗ ███████╗██╗    ██╗ █████╗ ██████╗ ███████╗
+██╔══██╗██╔════╝██║    ██║██╔══██╗██╔══██╗██╔════╝
+██████╔╝█████╗  ██║ █╗ ██║███████║██████╔╝█████╗
+██╔══██╗██╔══╝  ██║███╗██║██╔══██║██╔══██╗██╔══╝
+██████╔╝███████╗╚███╔███╔╝██║  ██║██║  ██║███████╗
+╚═════╝ ╚══════╝ ╚══╝╚══╝ ╚═╝  ╚═╝╚═╝  ╚══════╝
+
+Instance running in development mode!
+
+Development mode, by default
+
+- Runs an insecure, unsealed, non-persistent instance of Vault
+- Is configured with development authentication keys
+
+###########################################################################
+Pre-configured static users
+###########################################################################
+
+Development configuration comes with two pre-setup users:
+- username: sarah@chainloop.local
+- password: password
+
+- username: john@chainloop.local
+- password: password
+
+DO NOT USE IT FOR PRODUCTION PURPOSES
+
+{{- end }}
+
+###########################################################################
+  CONFIGURE CLI
+###########################################################################
+
+Configure the CLI to point to this instance, for example
+
+  chainloop --insecure config save \
+    --control-plane {{ include "chainloop.controlplane.grpc_url" . }} \
+    --artifact-cas {{ include "chainloop.cas.grpc_url" . }}
+
+Refer to this link for more information
+https://docs.chainloop.dev/getting-started/installation#configure-cli-optional
+
+###########################################################################
+  USEFUL LINKS
+###########################################################################
+
+- GitHub repository: https://github.com/chainloop-dev/chainloop
+- Documentation: https://docs.chainloop.dev
+
+
+{{- include "common.warnings.rollingTag" .Values.controlplane.image }}
+{{- include "common.warnings.rollingTag" .Values.cas.image }}
+{{- include "common.warnings.rollingTag" .Values.controlplane.migration.image }}
+{{- include "common.warnings.modifiedImages" (dict "images" (list .Values.controlplane.image .Values.cas.image .Values.controlplane.migration.image) "context" $) }}
--- a/bitnami/chainloop/templates/_helpers.tpl
+++ b/bitnami/chainloop/templates/_helpers.tpl
@@ -0,0 +1,466 @@
+{{- /*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- define "chainloop.postgresql.fullname" -}}
+{{- include "common.names.dependency.fullname" (dict "chartName" "postgresql" "chartValues" .Values.postgresql "context" $) -}}
+{{- end -}}
+
+{{- define "chainloop.vault.fullname" -}}
+{{- include "common.names.dependency.fullname" (dict "chartName" "vault" "chartValues" .Values.vault "context" $) -}}
+{{- end -}}
+
+{{/*
+Returns a private key used for CAS <-> Controlplane communication
+If we are running ind development mode we add a default one otherwise we require providing it
+*/}}
+{{- define "chainloop.casjwt.private_key" -}}
+  {{- if .Values.development }}
+    {{- coalesce .Values.casJWTPrivateKey (include "chainloop.casjwt.private_key.devel" .) }}
+  {{- else }}
+  {{- required "Authentication Private Key \"casJWTPrivateKey\" required" .Values.casJWTPrivateKey }}
+  {{- end }}
+{{- end }}
+
+{{/*
+Returns a public key used for CAS <-> Controlplane communication
+If we are running ind development mode we add a default one otherwise we require providing it
+*/}}
+{{- define "chainloop.casjwt.public_key" -}}
+  {{- if .Values.development }}
+    {{- coalesce .Values.casJWTPublicKey (include "chainloop.casjwt.public_key.devel" .) }}
+  {{- else }}
+  {{- required "Authentication Public Key \"casJWTPublicKey\" required" .Values.casJWTPublicKey }}
+  {{- end }}
+{{- end }}
+
+{{/*
+DEVELOPMENT ONLY PRIVATE KEY
+NOTE: It can not be generated by HELM because we also need a public key
+*/}}
+{{- define "chainloop.casjwt.private_key.devel" -}}
+-----BEGIN EC PRIVATE KEY-----
+MIHcAgEBBEIA762MbJK9IBnaqG0sd9uFRM+Z7Y+Aq5UfmbWf0+acKMYpYoy/8kBE
+tI6cpcA2KvmW5qurOjIMh5ISr+P2GmzSZX+gBwYFK4EEACOhgYkDgYYABAFzPMcM
+NUnPoC7b+s+/OyxRC7V/+elthj6Cq85WCj0KZ2qDvmd4QsYnsTIQ7NM7E+9WztdP
+rJBaMdfauMarLlc7/AAHqoa0lv7HNIa0PpupZD4VXmnIe/ZkhHvKOuw0Bdoq2D2B
+3U25sylQQto3nZ4IqnsXmrtYGIFI9om3PoliT9/J7g==
+-----END EC PRIVATE KEY-----
+{{- end -}}
+
+{{/*
+DEVELOPMENT ONLY PUBLIC KEY
+*/}}
+{{- define "chainloop.casjwt.public_key.devel" -}}
+-----BEGIN PUBLIC KEY-----
+MIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQBczzHDDVJz6Au2/rPvzssUQu1f/np
+bYY+gqvOVgo9Cmdqg75neELGJ7EyEOzTOxPvVs7XT6yQWjHX2rjGqy5XO/wAB6qG
+tJb+xzSGtD6bqWQ+FV5pyHv2ZIR7yjrsNAXaKtg9gd1NubMpUELaN52eCKp7F5q7
+WBiBSPaJtz6JYk/fye4=
+-----END PUBLIC KEY-----
+{{- end -}}
+
+{{- define "chainloop.credentials_service_settings" -}}
+{{- with .Values.secretsBackend }}
+secretPrefix: {{ required "secret prefix required" .secretPrefix | quote }}
+{{- if eq .backend "vault" }}
+{{- $tokenEnvVar := "" }}
+{{- range $.Values.vault.server.extraEnvVars }}
+  {{- if eq .name "VAULT_DEV_ROOT_TOKEN_ID" }}
+    {{- $tokenEnvVar = .value }}
+  {{- end }}
+{{- end }}
+vault:
+  {{- if and $.Values.development (or (not .vault) (not .vault.address)) }}
+  address: {{ printf "http://%s-server:8200" (include "chainloop.vault.fullname" $) | quote }}
+  {{- if $tokenEnvVar }}
+  token: {{ $tokenEnvVar | quote }}
+  {{- else }}
+  {{- required "VAULT_DEV_ROOT_TOKEN_ID environment variable is required when development mode is enabled" (index $.Values.vault.server.extraEnvVars "VAULT_DEV_ROOT_TOKEN_ID") }}
+  {{- end }}
+{{- else if (required "vault backend selected but configuration not provided" .vault ) }}
+  address: {{ required "vault address required" .vault.address | quote }}
+  token: {{ required "vault token required" .vault.token | quote }}
+{{- end }}
+
+{{- else if eq .backend "awsSecretManager" }}
+awsSecretManager:
+  region: {{ required "region required" .awsSecretManager.region | quote }}
+  creds:
+    accessKey: {{ required "access key required" .awsSecretManager.accessKey | quote }}
+    secretKey: {{ required "secret key required" .awsSecretManager.secretKey | quote }}
+
+{{- else if eq .backend "gcpSecretManager" }}
+gcpSecretManager:
+  projectId: {{ required "project id required" .gcpSecretManager.projectId | quote }}
+  serviceAccountKey: "/gcp-secrets/serviceAccountKey.json"
+  {{- if eq .gcpSecretManager.serviceAccountKey "" }}
+  {{- fail ".Values.secretsBackend.gcpSecretManager.serviceAccountKey not set" }}
+  {{- end }}
+{{- else if eq .backend "azureKeyVault" }}
+azure_key_vault:
+  tenant_id: {{ required "AD tenantID required" .azureKeyVault.tenantID | quote }}
+  client_id: {{ required "Service principal ID required" .azureKeyVault.clientID | quote }}
+  client_secret: {{ required "Service principal secret required" .azureKeyVault.clientSecret | quote }}
+  vault_uri: {{ required "Azure Vault URL required" .azureKeyVault.vaultURI | quote }}
+{{- end }}
+{{- end }}
+{{- end -}}
+
+{{- define "chainloop.node_port" -}}
+{{- if (and (or (eq .type "NodePort") (eq .type "LoadBalancer")) .nodePorts (not (empty .nodePorts.http))) }}
+{{- .nodePorts.http }}
+{{- else -}}
+null
+{{- end -}}
+{{- end -}}
+
+{{/*
+##############################################################################
+Controlplane helpers
+##############################################################################
+*/}}
+
+{{- define "chainloop.controlplane.image" -}}
+{{ include "common.images.image" (dict "imageRoot" .Values.controlplane.image "global" .Values.global) }}
+{{- end -}}
+
+{{/*
+Chainloop Controlplane release name
+*/}}
+{{- define "chainloop.controlplane.fullname" -}}
+{{- printf "%s-%s" (include "common.names.fullname" .) "controlplane" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Chainloop Controlplane Chart fullname
+*/}}
+{{- define "chainloop.controlplane.name" -}}
+{{- printf "%s-%s" (include "common.names.name" .) "controlplane" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Common labels
+*/}}
+{{- define "chainloop.controlplane.labels" -}}
+{{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" .) }}
+app.kubernetes.io/component: controlplane
+{{- end }}
+
+-{{/*
+-Selector labels
+-*/}}
+{{- define "chainloop.controlplane.selectorLabels" -}}
+{{- $podLabels := include "common.tplvalues.merge" (dict "values" (list .Values.controlplane.podLabels .Values.commonLabels) "context" .) }}
+{{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" . ) }}
+app.kubernetes.io/component: controlplane
+{{- end }}
+
+{{- define "chainloop.controlplane.migration.image" -}}
+{{ include "common.images.image" (dict "imageRoot" .Values.controlplane.migration.image "global" .Values.global) }}
+{{- end -}}
+
+{{/*
+Migration labels
+*/}}
+{{- define "chainloop.controlplane.migration.labels" -}}
+{{- include "common.labels.standard" . }}
+app.kubernetes.io/component: controlplane-migration
+{{- end }}
+
+
+{{/*
+OIDC settings, will fallback to development settings if needed
+*/}}
+{{- define "controlplane.oidc_settings" -}}
+  {{- if .Values.development }}
+    {{- with .Values.controlplane.auth }}
+    domain: "{{ coalesce .oidc.url "http://chainloop-dex:5556/dex" }}"
+    client_id: "{{ coalesce .oidc.clientID "chainloop-dev" }}"
+    client_secret: "{{ coalesce .oidc.clientSecret "ZXhhbXBsZS1hcHAtc2VjcmV0" }}"
+    {{- if .oidc.loginURLOverride }}
+    login_url_override: "{{ .oidc.loginURLOverride }}"
+    {{- end }}
+    {{- end }}
+  {{- else }}
+    {{- with .Values.controlplane.auth }}
+    domain: "{{ required "oidc URL endpoint required" .oidc.url }}"
+    client_id: "{{ required "oidc clientID required" .oidc.clientID }}"
+    client_secret: "{{ required "oidc clientSecret required" .oidc.clientSecret }}"
+    {{- if .oidc.loginURLOverride }}
+    login_url_override: "{{ .oidc.loginURLOverride }}"
+    {{- end }}
+    {{- end }}
+  {{- end }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "controlplane.serviceAccountName" -}}
+{{- if .Values.controlplane.serviceAccount.create }}
+{{- default (include "chainloop.controlplane.fullname" .) .Values.controlplane.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.controlplane.serviceAccount.name }}
+{{- end }}
+{{- end }}
+
+{{/*
+Return the Postgresql connection string
+*/}}
+{{- define "controlplane.database.connection_string" -}}
+{{- printf "postgresql://%s:%s@%s:%s/%s" (include "controlplane.database.user" .) (include "controlplane.database.escapedPassword" .) (include "controlplane.database.host" .) (include "controlplane.database.port" .) (include "controlplane.database.name" .) }}
+{{- end -}}
+
+{{/*
+Return the Postgresql connection string for Atlas migration
+*/}}
+{{- define "controlplane.database.atlas_connection_string" -}}
+{{- $connStr := printf "postgres://%s:%s@%s:%s/%s" (include "controlplane.database.user" .) (include "controlplane.database.escapedPassword" .) (include "controlplane.database.host" .) (include "controlplane.database.port" .) (include "controlplane.database.name" .) }}
+{{- .Values.controlplane.migration.ssl | ternary $connStr (printf "%s?sslmode=disable" $connStr) }}
+{{- end -}}
+
+{{/*
+Return the Postgresql hostname
+*/}}
+{{- define "controlplane.database.host" -}}
+{{- ternary (include "chainloop.postgresql.fullname" .) .Values.controlplane.externalDatabase.host .Values.postgresql.enabled -}}
+{{- end -}}
+
+{{/*
+Return the Postgresql port
+*/}}
+{{- define "controlplane.database.port" -}}
+{{- ternary 5432 .Values.controlplane.externalDatabase.port .Values.postgresql.enabled -}}
+{{- end -}}
+
+{{/*
+Return the Postgresql password
+*/}}
+{{- define "controlplane.database.password" -}}
+{{- if .Values.postgresql.enabled }}
+    {{- if .Values.global.postgresql }}
+        {{- if .Values.global.postgresql.auth }}
+            {{- coalesce .Values.global.postgresql.auth.password .Values.postgresql.auth.password -}}
+        {{- else -}}
+            {{- .Values.postgresql.auth.password -}}
+        {{- end -}}
+    {{- else -}}
+        {{- .Values.postgresql.auth.password -}}
+    {{- end -}}
+{{- else -}}
+    {{- .Values.controlplane.externalDatabase.password -}}
+{{- end -}}
+{{- end -}}
+
+
+{{/*
+Return the URL-scaped Postgresql password 
+*/}}
+{{ define "controlplane.database.escapedPassword" -}}
+  {{- include "controlplane.database.password" . | urlquery | replace "+" "%20" -}}
+{{- end -}}
+
+{{/*
+Return the Postgresql database name
+*/}}
+{{- define "controlplane.database.name" -}}
+{{- if .Values.postgresql.enabled }}
+    {{- if .Values.global.postgresql }}
+        {{- if .Values.global.postgresql.auth }}
+            {{- coalesce .Values.global.postgresql.auth.database .Values.postgresql.auth.database -}}
+        {{- else -}}
+            {{- .Values.postgresql.auth.database -}}
+        {{- end -}}
+    {{- else -}}
+        {{- .Values.postgresql.auth.database -}}
+    {{- end -}}
+{{- else -}}
+    {{- .Values.controlplane.externalDatabase.database -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return the Postgresql user
+*/}}
+{{- define "controlplane.database.user" -}}
+{{- if .Values.postgresql.enabled }}
+    {{- if .Values.global.postgresql }}
+        {{- if .Values.global.postgresql.auth }}
+            {{- coalesce .Values.global.postgresql.auth.username .Values.postgresql.auth.username -}}
+        {{- else -}}
+            {{- .Values.postgresql.auth.username -}}
+        {{- end -}}
+    {{- else -}}
+        {{- .Values.postgresql.auth.username -}}
+    {{- end -}}
+{{- else -}}
+    {{- .Values.controlplane.externalDatabase.user -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Figure out the external URL the controlplane can be reached at
+This endpoint is used for the CLI to know where to go for log in
+NOTE: Load balancer service type is not supported
+*/}}
+{{- define "chainloop.controlplane.external_url" -}}
+{{- $service := .Values.controlplane.service }}
+{{- $ingress := .Values.controlplane.ingress }}
+
+{{- if .Values.controlplane.auth.oidc.externalURL }}
+{{- .Values.controlplane.auth.oidc.externalURL }}
+{{- else if (and $ingress $ingress.enabled $ingress.hostname) }}
+{{- printf "%s://%s" (ternary "https" "http" $ingress.tls ) $ingress.hostname }}
+{{- else if (and (eq $service.type "NodePort") $service.nodePorts (not (empty $service.nodePorts.http))) }}
+{{- printf "http://localhost:%s" $service.nodePorts.http }}
+{{- else -}}
+null
+{{- end -}}
+{{- end -}}
+
+{{/*
+Figure out the gRPC URL the controlplane can be reached at
+*/}}
+{{- define "chainloop.controlplane.grpc_url" -}}
+{{- $service := .Values.controlplane.serviceAPI }}
+{{- $ingress := .Values.controlplane.ingress }}
+
+{{- if (and $ingress $ingress.enabled $ingress.hostname) }}
+{{- printf "api.%s" $ingress.hostname }}
+{{- else if (not (empty $service.ports.https)) }}
+{{- printf "localhost:%d" ($service.ports.https | int) }}
+{{- else  }}
+{{- printf "localhost:%d" ($service.ports.http | int) }}
+{{- end -}}
+{{- end -}}
+
+{{- define "chainloop.sentry" -}}
+observability:
+  sentry:
+    dsn: {{ required "Sentry DSN required" .dsn | quote }}
+    environment: {{ required "Sentry environment required" .environment | quote }}
+{{- end -}}
+
+{{/*
+##############################################################################
+CAS Helpers
+##############################################################################
+*/}}
+
+{{- define "chainloop.cas.image" -}}
+{{ include "common.images.image" (dict "imageRoot" .Values.cas.image "global" .Values.global) }}
+{{- end -}}
+
+{{/*
+Chainloop CAS release name
+*/}}
+{{- define "chainloop.cas.fullname" -}}
+{{- printf "%s-%s" (include "common.names.fullname" .) "cas" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Chainloop CAS Chart fullname
+*/}}
+{{- define "chainloop.cas.name" -}}
+{{- printf "%s-%s" (include "common.names.name" .) "cas" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{/*
+
+Common labels
+*/}}
+{{- define "chainloop.cas.labels" -}}
+{{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" .) }}
+app.kubernetes.io/component: cas
+{{- end }}
+
+-{{/*
+-Selector labels
+-*/}}
+{{- define "chainloop.cas.selectorLabels" -}}
+{{- $podLabels := include "common.tplvalues.merge" (dict "values" (list .Values.cas.podLabels .Values.commonLabels) "context" .) }}
+{{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" . ) }}
+app.kubernetes.io/component: cas
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "chainloop.cas.serviceAccountName" -}}
+{{- if .Values.cas.serviceAccount.create }}
+{{- default (include "chainloop.cas.fullname" .) .Values.cas.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.cas.serviceAccount.name }}
+{{- end }}
+{{- end }}
+
+{{/*
+External URL the CAS can be reached at
+This endpoint is used for the cas to redirect downloads
+NOTE: Load balancer service type is not supported
+*/}}
+{{- define "chainloop.cas.external_url" -}}
+{{- $service := .Values.cas.service }}
+{{- $ingress := .Values.cas.ingress }}
+
+{{- if (and $ingress $ingress.enabled $ingress.hostname) }}
+{{- printf "%s://%s" (ternary "https" "http" $ingress.tls ) $ingress.hostname }}
+{{- else if (and (eq $service.type "NodePort") $service.nodePorts (not (empty $service.nodePorts.http))) }}
+{{- printf "http://localhost:%s" $service.nodePorts.http }}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Figure out the gRPC URL the cas can be reached at
+*/}}
+{{- define "chainloop.cas.grpc_url" -}}
+{{- $service := .Values.cas.serviceAPI }}
+{{- $ingress := .Values.cas.ingress }}
+
+{{- if (and $ingress $ingress.enabled $ingress.hostname) }}
+{{- printf "api.%s" $ingress.hostname }}
+{{- else if (not (empty $service.ports.https)) }}
+{{- printf "localhost:%d" ($service.ports.https | int) }}
+{{- else  }}
+{{- printf "localhost:%d" ($service.ports.http | int) }}
+{{- end -}}
+{{- end -}}
+
+{{/*
+##############################################################################
+Dex helpers
+##############################################################################
+*/}}
+
+{{/*
+Return the proper Dex image name
+*/}}
+{{- define "chainloop.dex.image" -}}
+{{ include "common.images.image" (dict "imageRoot" .Values.dex.image "global" .Values.global) }}
+{{- end -}}
+
+{{/*
+Return the proper service name for Dex
+*/}}
+{{- define "chainloop.dex" -}}
+{{- printf "%s-dex" (include "common.names.fullname" .) | trunc 63 | trimSuffix "-" }}
+{{- end -}}
+
+{{/*
+Create the name of the service account to use for Dex
+*/}}
+{{- define "chainloop.dex.serviceAccountName" -}}
+{{- if .Values.dex.serviceAccount.create -}}
+    {{ default (printf "%s-dex" (include "common.names.fullname" .)) .Values.dex.serviceAccount.name | trunc 63 | trimSuffix "-" }}
+{{- else -}}
+    {{ default "default" .Values.dex.serviceAccount.name }}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Chainloop Dex release name
+*/}}
+{{- define "chainloop.dex.fullname" -}}
+{{- printf "%s-%s" (include "common.names.fullname" .) "dex" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
--- a/bitnami/chainloop/templates/cas/configmap.yaml
+++ b/bitnami/chainloop/templates/cas/configmap.yaml
@@ -0,0 +1,35 @@
+{{- /*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- if (empty .Values.cas.existingConfigMap) }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "chainloop.cas.fullname" . }}
+  namespace: {{ include "common.names.namespace" . | quote }}
+  labels: {{ include "chainloop.cas.labels" . | nindent 4 }}
+  {{- if .Values.commonAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+  {{- end }}
+data:
+  server.yaml: |
+    server:
+      http:
+        addr: "0.0.0.0:{{ .Values.cas.containerPorts.http }}"
+        # Timeouts for http downloads
+        # grpc downloads/uploads don't require this because they don't have timeouts
+        timeout: 300s
+      grpc:
+        {{- if .Values.cas.tls.existingSecret  }}
+        tls_config:
+          certificate: /data/server-certs/tls.crt
+          private_key: /data/server-certs/tls.key
+        {{- end }}
+        addr: "0.0.0.0:{{ .Values.cas.containerPorts.grpc }}"
+        # Some unary RPCs are slow, so we need to increase the timeout
+        timeout: 5s
+      http_metrics:
+        addr: "0.0.0.0:{{ .Values.cas.containerPorts.metrics}}"
+{{- end }}
--- a/bitnami/chainloop/templates/cas/deployment.yaml
+++ b/bitnami/chainloop/templates/cas/deployment.yaml
@@ -0,0 +1,179 @@
+{{- /*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+apiVersion: {{ include "common.capabilities.deployment.apiVersion" . }}
+kind: Deployment
+metadata:
+  name: {{ include "chainloop.cas.fullname" . }}
+  namespace: {{ include "common.names.namespace" . | quote }}
+  labels: {{ include "chainloop.cas.labels" . | nindent 4 }}
+  {{- if or .Values.cas.deploymentAnnotations .Values.commonAnnotations }}
+  {{- $annotations := include "common.tplvalues.merge" (dict "values" (list .Values.cas.deploymentAnnotations .Values.commonAnnotations) "context" .) }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $ ) | nindent 4 }}
+  {{- end }}
+spec:
+  {{- if not .Values.cas.autoscaling.hpa.enabled }}
+  replicas: {{ .Values.cas.replicaCount }}
+  {{- end }}
+  {{- if .Values.cas.updateStrategy }}
+  strategy: {{- toYaml .Values.cas.updateStrategy | nindent 4 }}
+  {{- end }}
+  selector:
+    matchLabels: {{ include "chainloop.cas.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      annotations:
+        checksum/config: {{ include (print $.Template.BasePath "/cas" "/configmap.yaml") . | sha256sum }}
+        checksum/config-secret: {{ include (print $.Template.BasePath "/cas" "/secret-config.yaml") . | sha256sum }}
+        checksum/public-key-secret: {{ include (print $.Template.BasePath "/cas" "/secret-jwt-public-key.yaml") . | sha256sum }}
+      labels: {{ include "chainloop.cas.labels" . | nindent 8 }}
+    spec:
+      {{- include "common.images.renderPullSecrets" (dict "images" (list .Values.cas.image) "context" $) | nindent 6 }}
+      serviceAccountName: {{ include "chainloop.cas.serviceAccountName" . }}
+      automountServiceAccountToken: {{ .Values.cas.automountServiceAccountToken }}
+      {{- if .Values.cas.hostAliases }}
+      hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.cas.hostAliases "context" $) | nindent 8 }}
+      {{- end }}
+      {{- if .Values.cas.affinity }}
+      affinity: {{- include "common.tplvalues.render" ( dict "value" .Values.cas.affinity "context" $) | nindent 8 }}
+      {{- else }}
+      affinity:
+        {{- $podLabels := include "common.tplvalues.merge" (dict "values" (list .Values.cas.podLabels .Values.commonLabels) "context" .) }}
+        podAffinity: {{- include "common.affinities.pods" (dict "type" .Values.cas.podAffinityPreset "component" "cas" "customLabels" $podLabels "context" $) | nindent 10 }}
+        podAntiAffinity: {{- include "common.affinities.pods" (dict "type" .Values.cas.podAntiAffinityPreset "component" "cas" "customLabels" $podLabels "context" $) | nindent 10 }}
+        nodeAffinity: {{- include "common.affinities.nodes" (dict "type" .Values.cas.nodeAffinityPreset.type "key" .Values.cas.nodeAffinityPreset.key "values" .Values.cas.nodeAffinityPreset.values) | nindent 10 }}
+      {{- end }}
+      {{- if .Values.cas.nodeSelector }}
+      nodeSelector: {{- include "common.tplvalues.render" ( dict "value" .Values.cas.nodeSelector "context" $) | nindent 8 }}
+      {{- end }}
+      {{- if .Values.cas.tolerations }}
+      tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.cas.tolerations "context" .) | nindent 8 }}
+      {{- end }}
+      {{- if .Values.cas.priorityClassName }}
+      priorityClassName: {{ .Values.cas.priorityClassName | quote }}
+      {{- end }}
+      {{- if .Values.cas.schedulerName }}
+      schedulerName: {{ .Values.cas.schedulerName | quote }}
+      {{- end }}
+      {{- if .Values.cas.topologySpreadConstraints }}
+      topologySpreadConstraints: {{- include "common.tplvalues.render" (dict "value" .Values.cas.topologySpreadConstraints "context" .) | nindent 8 }}
+      {{- end }}
+      {{- if .Values.cas.podSecurityContext.enabled }}
+      securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.cas.podSecurityContext "context" $) | nindent 8 }}
+      {{- end }}
+      {{- if .Values.cas.terminationGracePeriodSeconds }}
+      terminationGracePeriodSeconds: {{ .Values.cas.terminationGracePeriodSeconds }}
+      {{- end }}
+      initContainers:
+        {{- if .Values.cas.initContainers }}
+          {{- include "common.tplvalues.render" (dict "value" .Values.cas.initContainers "context" $) | nindent 8 }}
+        {{- end }}
+      containers:
+        - name: cas
+          {{- if .Values.cas.containerSecurityContext.enabled }}
+          securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.cas.containerSecurityContext "context" $) | nindent 12 }}
+          {{- end }}
+          image: {{ include "chainloop.cas.image" . }}
+          imagePullPolicy: {{ .Values.cas.image.pullPolicy }}
+          command: [ "./artifact-cas" ]
+          args: [ "--conf", "/data/conf" ]
+          ports:
+            - name: http
+              containerPort: {{ .Values.cas.containerPorts.http }}
+            - name: metrics
+              containerPort: {{ .Values.cas.containerPorts.metrics }}
+            - name: grpc
+              containerPort: {{ .Values.cas.containerPorts.grpc }}
+          startupProbe:
+            httpGet:
+              path: /statusz
+              port: http
+            periodSeconds: 5
+          livenessProbe:
+            httpGet:
+              path: /statusz
+              port: http
+          readinessProbe:
+            httpGet:
+              path: /statusz?readiness=1
+              port: http
+          {{- if .Values.cas.resources }}
+          resources: {{- toYaml .Values.cas.resources | nindent 12 }}
+          {{- else if ne .Values.cas.resourcesPreset "none" }}
+          resources: {{- include "common.resources.preset" (dict "type" .Values.cas.resourcesPreset) | nindent 12 }}
+          {{- end }}
+          {{- if .Values.cas.lifecycleHooks }}
+          lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.cas.lifecycleHooks "context" $) | nindent 12 }}
+          {{- end }}
+          env:
+            {{- if .Values.cas.extraEnvVars }}
+            {{- include "common.tplvalues.render" (dict "value" .Values.cas.extraEnvVars "context" $) | nindent 12 }}
+            {{- end }}
+          envFrom:
+            {{- if .Values.cas.extraEnvVarsCM }}
+            - configMapRef:
+                name: {{ include "common.tplvalues.render" (dict "value" .Values.cas.extraEnvVarsCM "context" $) }}
+            {{- end }}
+            {{- if .Values.cas.extraEnvVarsSecret }}
+            - secretRef:
+                name: {{ include "common.tplvalues.render" (dict "value" .Values.cas.extraEnvVarsSecret "context" $) }}
+            {{- end }}
+          volumeMounts:
+            - name: config
+              mountPath: "/data/conf"
+            - name: jwt-public-key
+              mountPath: "/tmp"
+            {{- if eq "gcpSecretManager" .Values.secretsBackend.backend  }}
+            - name: gcp-secretmanager-serviceaccountkey
+              mountPath: /gcp-secrets
+            {{- end }}
+            {{- if .Values.cas.tls.existingSecret  }}
+            - name: server-certs
+              mountPath: /data/server-certs
+            {{- end }}
+            {{- if (not (empty .Values.cas.customCAs)) }}
+            - name: custom-cas
+              # NOTE: /etc/ssl/certs already contains the system CA certs
+              # Let's use another known path https://go.dev/src/crypto/x509/root_linux.go
+              mountPath: /etc/pki/tls/certs
+              readOnly: true
+            {{- end }}
+            {{- if .Values.cas.extraVolumeMounts }}
+            {{- include "common.tplvalues.render" (dict "value" .Values.cas.extraVolumeMounts "context" $) | nindent 12 }}
+            {{- end }}
+        {{- if .Values.cas.sidecars }}
+        {{- include "common.tplvalues.render" ( dict "value" .Values.cas.sidecars "context" $) | nindent 8 }}
+        {{- end }}
+      volumes:
+        - name: config
+          projected:
+            sources:
+            - configMap:
+               name: {{ include "chainloop.cas.fullname" . }}
+            - secret:
+               name: {{ include "chainloop.cas.fullname" . }}
+        - name: jwt-public-key
+          secret:
+            secretName: {{ include "chainloop.cas.fullname" . }}-jwt-public-key
+        {{- if .Values.cas.tls.existingSecret  }}
+        - name: server-certs
+          secret:
+            secretName: {{ .Values.cas.tls.existingSecret  }}
+        {{- end }}
+        {{- if eq "gcpSecretManager" .Values.secretsBackend.backend  }}
+        - name: gcp-secretmanager-serviceaccountkey
+          secret:
+            secretName: {{ include "chainloop.cas.fullname" . }}-gcp-secretmanager-serviceaccountkey
+        {{- end }}
+        {{- if (not (empty .Values.cas.customCAs)) }}
+        - name: custom-cas
+          projected:
+            sources:
+              - secret:
+                  name: {{ include "chainloop.cas.fullname" . }}-custom-cas
+        {{- end }}
+        {{- if .Values.cas.extraVolumes }}
+        {{- include "common.tplvalues.render" (dict "value" .Values.cas.extraVolumes "context" $) | nindent 8 }}
+        {{- end }}
--- a/bitnami/chainloop/templates/cas/hpa.yaml
+++ b/bitnami/chainloop/templates/cas/hpa.yaml
@@ -0,0 +1,48 @@
+{{- /*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- if .Values.cas.autoscaling.hpa.enabled }}
+apiVersion: {{ include "common.capabilities.hpa.apiVersion" ( dict "context" $ )}}
+kind: HorizontalPodAutoscaler
+metadata:
+  name: {{ include "common.names.fullname" . }}
+  namespace: {{ include "common.names.namespace" . | quote }}
+  labels: {{ include "chainloop.cas.labels" . | nindent 4 }}
+  {{- if .Values.commonAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+  {{- end }}
+spec:
+  scaleTargetRef:
+    apiVersion: {{ include "common.capabilities.deployment.apiVersion" . }}
+    kind: Deployment
+    name: {{ include "common.names.fullname" . }}
+  minReplicas: {{ .Values.cas.autoscaling.hpa.minReplicas }}
+  maxReplicas: {{ .Values.cas.autoscaling.hpa.maxReplicas }}
+  metrics:
+    {{- if .Values.cas.autoscaling.hpa.targetMemory }}
+    - type: Resource
+      resource:
+        name: memory
+        {{- if semverCompare "<1.23-0" (include "common.capabilities.kubeVersion" .) }}
+        targetAverageUtilization: {{ .Values.cas.autoscaling.hpa.targetMemory  }}
+        {{- else }}
+        target:
+          type: Utilization
+          averageUtilization: {{ .Values.cas.autoscaling.hpa.targetMemory }}
+        {{- end }}
+    {{- end }}
+    {{- if .Values.cas.autoscaling.hpa.targetCPU }}
+    - type: Resource
+      resource:
+        name: cpu
+        {{- if semverCompare "<1.23-0" (include "common.capabilities.kubeVersion" .) }}
+        targetAverageUtilization: {{ .Values.cas.autoscaling.hpa.targetCPU }}
+        {{- else }}
+        target:
+          type: Utilization
+          averageUtilization: {{ .Values.cas.autoscaling.hpa.targetCPU }}
+        {{- end }}
+    {{- end }}
+{{- end }}
--- a/bitnami/chainloop/templates/cas/ingress-grpc.yaml
+++ b/bitnami/chainloop/templates/cas/ingress-grpc.yaml
@@ -0,0 +1,65 @@
+{{- /*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- if .Values.cas.ingressAPI.enabled }}
+{{- $fullName := printf "%s-%s" (include "chainloop.cas.fullname" .) "api" -}}
+apiVersion: {{ include "common.capabilities.ingress.apiVersion" . }}
+kind: Ingress
+metadata:
+  name: {{ $fullName }}
+  namespace: {{ include "common.names.namespace" . | quote }}
+  labels: {{- include "chainloop.cas.labels" . | nindent 4 }}
+  {{- if or .Values.cas.ingressAPI.annotations .Values.commonAnnotations }}
+  annotations:
+    {{- if .Values.cas.ingressAPI.annotations }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.cas.ingressAPI.annotations "context" $) | nindent 4 }}
+    {{- end }}
+    {{- if .Values.commonAnnotations }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+    {{- end }}
+  {{- end }}
+spec:
+  {{- if and .Values.cas.ingressAPI.ingressClassName (eq "true" (include "common.ingress.supportsIngressClassname" .)) }}
+  ingressClassName: {{ .Values.cas.ingressAPI.ingressClassName | quote }}
+  {{- end }}
+  rules:
+    {{- if .Values.cas.ingressAPI.hostname }}
+    - host: {{ .Values.cas.ingressAPI.hostname }}
+      http:
+        paths:
+          {{- if .Values.cas.ingressAPI.extraPaths }}
+          {{- toYaml .Values.cas.ingressAPI.extraPaths | nindent 10 }}
+          {{- end }}
+          - path: {{ .Values.cas.ingressAPI.path }}
+            {{- if eq "true" (include "common.ingress.supportsPathType" .) }}
+            pathType: {{ .Values.cas.ingressAPI.pathType }}
+            {{- end }}
+            backend: {{- include "common.ingress.backend" (dict "serviceName" $fullName "servicePort" "grpc" "context" $)  | nindent 14 }}
+    {{- end }}
+    {{- range .Values.cas.ingressAPI.extraHosts }}
+    - host: {{ .name | quote }}
+      http:
+        paths:
+          - path: {{ default "/" .path }}
+            {{- if eq "true" (include "common.ingress.supportsPathType" $) }}
+            pathType: {{ default "ImplementationSpecific" .pathType }}
+            {{- end }}
+            backend: {{- include "common.ingress.backend" (dict "serviceName" $fullName "servicePort" "grpc" "context" $) | nindent 14 }}
+    {{- end }}
+    {{- if .Values.cas.ingressAPI.extraRules }}
+    {{- include "common.tplvalues.render" (dict "value" .Values.cas.ingressAPI.extraRules "context" $) | nindent 4 }}
+    {{- end }}
+  {{- if or (and .Values.cas.ingressAPI.tls (or (include "common.ingress.certManagerRequest" ( dict "annotations" .Values.cas.ingressAPI.annotations )) .Values.cas.ingressAPI.selfSigned)) .Values.cas.ingressAPI.extraTls }}
+  tls:
+    {{- if and .Values.cas.ingressAPI.tls (or (include "common.ingress.certManagerRequest" ( dict "annotations" .Values.cas.ingressAPI.annotations )) .Values.cas.ingressAPI.selfSigned) }}
+    - hosts:
+        - {{ .Values.cas.ingressAPI.hostname | quote }}
+      secretName: {{ printf "%s-tls" .Values.cas.ingressAPI.hostname }}
+    {{- end }}
+    {{- if .Values.cas.ingressAPI.extraTls }}
+    {{- include "common.tplvalues.render" (dict "value" .Values.cas.ingressAPI.extraTls "context" $) | nindent 4 }}
+    {{- end }}
+  {{- end }}
+{{- end }}
--- a/bitnami/chainloop/templates/cas/ingress.yaml
+++ b/bitnami/chainloop/templates/cas/ingress.yaml
@@ -0,0 +1,65 @@
+{{- /*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- if .Values.cas.ingress.enabled }}
+{{- $fullName := include "chainloop.cas.fullname" . -}}
+apiVersion: {{ include "common.capabilities.ingress.apiVersion" . }}
+kind: Ingress
+metadata:
+  name: {{ $fullName }}
+  namespace: {{ include "common.names.namespace" . | quote }}
+  labels: {{- include "chainloop.cas.labels" . | nindent 4 }}
+  {{- if or .Values.cas.ingress.annotations .Values.commonAnnotations }}
+  annotations:
+    {{- if .Values.cas.ingress.annotations }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.cas.ingress.annotations "context" $) | nindent 4 }}
+    {{- end }}
+    {{- if .Values.commonAnnotations }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+    {{- end }}
+  {{- end }}
+spec:
+  {{- if and .Values.cas.ingress.ingressClassName (eq "true" (include "common.ingress.supportsIngressClassname" .)) }}
+  ingressClassName: {{ .Values.cas.ingress.ingressClassName | quote }}
+  {{- end }}
+  rules:
+    {{- if .Values.cas.ingress.hostname }}
+    - host: {{ .Values.cas.ingress.hostname }}
+      http:
+        paths:
+          {{- if .Values.cas.ingress.extraPaths }}
+          {{- toYaml .Values.cas.ingress.extraPaths | nindent 10 }}
+          {{- end }}
+          - path: {{ .Values.cas.ingress.path }}
+            {{- if eq "true" (include "common.ingress.supportsPathType" .) }}
+            pathType: {{ .Values.cas.ingress.pathType }}
+            {{- end }}
+            backend: {{- include "common.ingress.backend" (dict "serviceName" $fullName "servicePort" "http" "context" $)  | nindent 14 }}
+    {{- end }}
+    {{- range .Values.cas.ingress.extraHosts }}
+    - host: {{ .name | quote }}
+      http:
+        paths:
+          - path: {{ default "/" .path }}
+            {{- if eq "true" (include "common.ingress.supportsPathType" $) }}
+            pathType: {{ default "ImplementationSpecific" .pathType }}
+            {{- end }}
+            backend: {{- include "common.ingress.backend" (dict "serviceName" $fullName "servicePort" "http" "context" $) | nindent 14 }}
+    {{- end }}
+    {{- if .Values.cas.ingress.extraRules }}
+    {{- include "common.tplvalues.render" (dict "value" .Values.cas.ingress.extraRules "context" $) | nindent 4 }}
+    {{- end }}
+  {{- if or (and .Values.cas.ingress.tls (or (include "common.ingress.certManagerRequest" ( dict "annotations" .Values.cas.ingress.annotations )) .Values.cas.ingress.selfSigned)) .Values.cas.ingress.extraTls }}
+  tls:
+    {{- if and .Values.cas.ingress.tls (or (include "common.ingress.certManagerRequest" ( dict "annotations" .Values.cas.ingress.annotations )) .Values.cas.ingress.selfSigned) }}
+    - hosts:
+        - {{ .Values.cas.ingress.hostname | quote }}
+      secretName: {{ printf "%s-tls" .Values.cas.ingress.hostname }}
+    {{- end }}
+    {{- if .Values.cas.ingress.extraTls }}
+    {{- include "common.tplvalues.render" (dict "value" .Values.cas.ingress.extraTls "context" $) | nindent 4 }}
+    {{- end }}
+  {{- end }}
+{{- end }}
--- a/bitnami/chainloop/templates/cas/networkpolicy.yaml
+++ b/bitnami/chainloop/templates/cas/networkpolicy.yaml
@@ -0,0 +1,74 @@
+{{- /*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- if .Values.cas.networkPolicy.enabled }}
+kind: NetworkPolicy
+apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }}
+metadata:
+  name: {{ printf "%s-cas" (include "common.names.fullname" .) }}
+  namespace: {{ include "common.names.namespace" . | quote }}
+  labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
+    app.kubernetes.io/component: cas
+  {{- if .Values.commonAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+  {{- end }}
+spec:
+  {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.cas.podLabels .Values.commonLabels ) "context" . ) }}
+  podSelector:
+    matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }}
+      app.kubernetes.io/component: cas
+  policyTypes:
+    - Ingress
+    - Egress
+  {{- if .Values.cas.networkPolicy.allowExternalEgress }}
+  egress:
+    - {}
+  {{- else }}
+  egress:
+    # Allow dns resolution
+    - ports:
+        - port: 53
+          protocol: UDP
+        - port: 53
+          protocol: TCP
+    # Allow outbound connections to other cluster pods
+    - ports:
+        - port: {{ .Values.controlplane.containerPorts.http }}
+        - port: {{ .Values.controlplane.containerPorts.grpc }}
+        - port: {{ .Values.controlplane.containerPorts.metrics }}
+      to:
+        - podSelector:
+            matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }}
+    {{- if .Values.cas.networkPolicy.extraEgress }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.cas.networkPolicy.extraEgress "context" $ ) | nindent 4 }}
+    {{- end }}
+  {{- end }}
+  ingress:
+    - ports:
+        - port: {{ .Values.cas.containerPorts.http }}
+      {{- if not .Values.cas.networkPolicy.allowExternal }}
+      from:
+        - podSelector:
+            matchLabels:
+              {{ printf "%s-cas" (include "common.names.fullname" .) }}: "true"
+        {{- if .Values.cas.networkPolicy.ingressNSMatchLabels }}
+        - namespaceSelector:
+            matchLabels:
+              {{- range $key, $value := .Values.cas.networkPolicy.ingressNSMatchLabels }}
+              {{ $key | quote }}: {{ $value | quote }}
+              {{- end }}
+          {{- if .Values.cas.networkPolicy.ingressNSPodMatchLabels }}
+          podSelector:
+            matchLabels:
+              {{- range $key, $value := .Values.cas.networkPolicy.ingressNSPodMatchLabels }}
+              {{ $key | quote }}: {{ $value | quote }}
+              {{- end }}
+          {{- end }}
+        {{- end }}
+      {{- end }}
+    {{- if .Values.cas.networkPolicy.extraIngress }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.cas.networkPolicy.extraIngress "context" $ ) | nindent 4 }}
+    {{- end }}
+{{- end }}
--- a/bitnami/chainloop/templates/cas/pdb.yaml
+++ b/bitnami/chainloop/templates/cas/pdb.yaml
@@ -0,0 +1,26 @@
+{{- /*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- if .Values.cas.pdb.enabled }}
+apiVersion: {{ include "common.capabilities.policy.apiVersion" . }}
+kind: PodDisruptionBudget
+metadata:
+  name: {{ include "common.names.fullname" . }}
+  namespace: {{ include "common.names.namespace" . | quote }}
+  labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
+  {{- if .Values.commonAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+  {{- end }}
+spec:
+  {{- if .Values.cas.pdb.minAvailable }}
+  minAvailable: {{ .Values.cas.pdb.minAvailable }}
+  {{- end }}
+  {{- if or .Values.cas.pdb.maxUnavailable ( not .Values.cas.pdb.minAvailable ) }}
+  maxUnavailable: {{ .Values.cas.pdb.maxUnavailable | default 1 }}
+  {{- end }}
+  {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.cas.podLabels .Values.commonLabels ) "context" . ) }}
+  selector:
+    matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }}
+{{- end }}
--- a/bitnami/chainloop/templates/cas/secret-config.yaml
+++ b/bitnami/chainloop/templates/cas/secret-config.yaml
@@ -0,0 +1,27 @@
+{{- /*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "chainloop.cas.fullname" . }}
+  namespace: {{ include "common.names.namespace" . | quote }}
+  labels: {{ include "chainloop.cas.labels" . | nindent 4 }}
+  {{- if .Values.commonAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+  {{- end }}
+type: Opaque
+stringData:
+  {{- if and .Values.cas.sentry .Values.cas.sentry.enabled }}
+  config.observability.yaml: |
+    {{- include "chainloop.sentry" .Values.cas.sentry | nindent 4 }}
+  {{- end }}
+  config.secret.yaml: |
+    credentials_service: {{- include "chainloop.credentials_service_settings" . | indent 6 }}
+    auth:
+      public_key_path: "/tmp/cas.public.pem"
+      # Deprecated, use public_key_path instead. Remove option once release of the app 0.15+ is out.
+      robot_account_public_key_path: "/tmp/cas.public.pem"
+    # TODO: add observability
--- a/bitnami/chainloop/templates/cas/secret-customcas.yaml
+++ b/bitnami/chainloop/templates/cas/secret-customcas.yaml
@@ -0,0 +1,18 @@
+{{- /*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- $customCAs := .Values.cas.customCAs }}
+{{- if (not (empty $customCAs)) }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "chainloop.cas.fullname" . }}-custom-cas
+  labels:
+    {{- include "chainloop.cas.labels" . | nindent 4 }}
+data:
+  {{- range $index, $pem := $customCAs }}
+  custom-{{ $index }}.crt: {{ $pem | b64enc | quote }}
+  {{- end -}}
+{{- end -}}
--- a/bitnami/chainloop/templates/cas/secret-gcp-secret-manager.yaml
+++ b/bitnami/chainloop/templates/cas/secret-gcp-secret-manager.yaml
@@ -0,0 +1,16 @@
+{{- /*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- if eq "gcpSecretManager" .Values.secretsBackend.backend  }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "chainloop.cas.fullname" . }}-gcp-secretmanager-serviceaccountkey
+  labels:
+    {{- include "chainloop.cas.labels" . | nindent 4 }}
+type: Opaque
+data:
+  serviceAccountKey.json: {{ .Values.secretsBackend.gcpSecretManager.serviceAccountKey | b64enc | quote  }}
+{{- end }}
--- a/bitnami/chainloop/templates/cas/secret-jwt-public-key.yaml
+++ b/bitnami/chainloop/templates/cas/secret-jwt-public-key.yaml
@@ -0,0 +1,14 @@
+{{- /*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "chainloop.cas.fullname" . }}-jwt-public-key
+  labels:
+    {{- include "chainloop.cas.labels" . | nindent 4 }}
+type: Opaque
+data:
+  cas.public.pem: {{ include "chainloop.casjwt.public_key" . | b64enc | quote  }}
--- a/bitnami/chainloop/templates/cas/service-account.yaml
+++ b/bitnami/chainloop/templates/cas/service-account.yaml
@@ -0,0 +1,18 @@
+{{- /*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- if .Values.cas.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "chainloop.cas.serviceAccountName" . }}
+  namespace: {{ include "common.names.namespace" . | quote }}
+  labels: {{ include "chainloop.cas.labels" . | nindent 4 }}
+  {{- if or .Values.cas.serviceAccount.annotations .Values.commonAnnotations }}
+  {{- $annotations := include "common.tplvalues.merge" (dict "values" (list .Values.cas.serviceAccount.annotations .Values.commonAnnotations) "context" .) }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $ ) | nindent 4 }}
+  {{- end }}
+automountServiceAccountToken: {{ .Values.cas.serviceAccount.automountServiceAccountToken }}
+  {{- end }}
--- a/bitnami/chainloop/templates/cas/service-grpc.yaml
+++ b/bitnami/chainloop/templates/cas/service-grpc.yaml
@@ -0,0 +1,52 @@
+{{- /*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "chainloop.cas.fullname" . }}-api
+  namespace: {{ include "common.names.namespace" . | quote }}
+  labels: {{ include "chainloop.cas.labels" . | nindent 4 }}
+  {{- if or .Values.cas.serviceAPI.annotations .Values.commonAnnotations }}
+  {{- $annotations := include "common.tplvalues.merge" (dict "values" (list .Values.cas.serviceAPI.annotations .Values.commonAnnotations) "context" .) }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $ ) | nindent 4 }}
+  {{- end }}
+spec:
+  type: {{ .Values.cas.serviceAPI.type }}
+  {{- if and .Values.cas.serviceAPI.clusterIP (eq .Values.cas.serviceAPI.type "ClusterIP") }}
+  clusterIP: {{ .Values.cas.serviceAPI.clusterIP }}
+  {{- end }}
+  {{- if .Values.cas.serviceAPI.sessionAffinity }}
+  sessionAffinity: {{ .Values.cas.serviceAPI.sessionAffinity }}
+  {{- end }}
+  {{- if .Values.cas.serviceAPI.sessionAffinityConfig }}
+  sessionAffinityConfig: {{- include "common.tplvalues.render" (dict "value" .Values.cas.serviceAPI.sessionAffinityConfig "context" $) | nindent 4 }}
+  {{- end }}
+  {{- if or (eq .Values.cas.serviceAPI.type "LoadBalancer") (eq .Values.cas.serviceAPI.type "NodePort") }}
+  externalTrafficPolicy: {{ .Values.cas.serviceAPI.externalTrafficPolicy | quote }}
+  {{- end }}
+  {{- if and (eq .Values.cas.serviceAPI.type "LoadBalancer") (not (empty .Values.cas.serviceAPI.loadBalancerSourceRanges)) }}
+  loadBalancerSourceRanges: {{ .Values.cas.serviceAPI.loadBalancerSourceRanges }}
+  {{- end }}
+  {{- if and (eq .Values.cas.serviceAPI.type "LoadBalancer") (not (empty .Values.cas.serviceAPI.loadBalancerIP)) }}
+  loadBalancerIP: {{ .Values.cas.serviceAPI.loadBalancerIP }}
+  {{- end }}
+  ports:
+    - name: grpc
+      {{- $port := coalesce .Values.cas.serviceAPI.port .Values.cas.serviceAPI.ports.http }}
+      port: {{ $port }}
+      {{- if not (eq $port .Values.cas.containerPorts.grpc) }}
+      targetPort: {{ .Values.cas.containerPorts.grpc }}
+      {{- end }}
+      protocol: TCP
+      {{- if and (or (eq .Values.cas.serviceAPI.type "NodePort") (eq .Values.cas.serviceAPI.type "LoadBalancer")) (not (empty .Values.cas.serviceAPI.nodePorts.http)) }}
+      nodePort: {{ .Values.cas.serviceAPI.nodePorts.http }}
+      {{- else if eq .Values.cas.serviceAPI.type "ClusterIP" }}
+      nodePort: null
+      {{- end }}
+    {{- if .Values.cas.serviceAPI.extraPorts }}
+    {{- include "common.tplvalues.render" (dict "value" .Values.cas.serviceAPI.extraPorts "context" $) | nindent 4 }}
+    {{- end }}
+  selector: {{ include "chainloop.cas.selectorLabels" . | nindent 4 }}
--- a/bitnami/chainloop/templates/cas/service-http.yaml
+++ b/bitnami/chainloop/templates/cas/service-http.yaml
@@ -0,0 +1,52 @@
+{{- /*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "chainloop.cas.fullname" . }}
+  namespace: {{ include "common.names.namespace" . | quote }}
+  labels: {{ include "chainloop.cas.labels" . | nindent 4 }}
+  {{- if or .Values.cas.service.annotations .Values.commonAnnotations }}
+  {{- $annotations := include "common.tplvalues.merge" (dict "values" (list .Values.cas.service.annotations .Values.commonAnnotations) "context" .) }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $ ) | nindent 4 }}
+  {{- end }}
+spec:
+  type: {{ .Values.cas.service.type }}
+  {{- if and .Values.cas.service.clusterIP (eq .Values.cas.service.type "ClusterIP") }}
+  clusterIP: {{ .Values.cas.service.clusterIP }}
+  {{- end }}
+  {{- if .Values.cas.service.sessionAffinity }}
+  sessionAffinity: {{ .Values.cas.service.sessionAffinity }}
+  {{- end }}
+  {{- if .Values.cas.service.sessionAffinityConfig }}
+  sessionAffinityConfig: {{- include "common.tplvalues.render" (dict "value" .Values.cas.service.sessionAffinityConfig "context" $) | nindent 4 }}
+  {{- end }}
+  {{- if or (eq .Values.cas.service.type "LoadBalancer") (eq .Values.cas.service.type "NodePort") }}
+  externalTrafficPolicy: {{ .Values.cas.service.externalTrafficPolicy | quote }}
+  {{- end }}
+  {{- if and (eq .Values.cas.service.type "LoadBalancer") (not (empty .Values.cas.service.loadBalancerSourceRanges)) }}
+  loadBalancerSourceRanges: {{ .Values.cas.service.loadBalancerSourceRanges }}
+  {{- end }}
+  {{- if and (eq .Values.cas.service.type "LoadBalancer") (not (empty .Values.cas.service.loadBalancerIP)) }}
+  loadBalancerIP: {{ .Values.cas.service.loadBalancerIP }}
+  {{- end }}
+  ports:
+    - name: http
+      {{- $port := coalesce .Values.cas.service.port .Values.cas.service.ports.http }}
+      port: {{ $port }}
+      {{- if not (eq $port .Values.cas.containerPorts.http) }}
+      targetPort: {{ .Values.cas.containerPorts.http }}
+      {{- end }}
+      protocol: TCP
+      {{- if and (or (eq .Values.cas.service.type "NodePort") (eq .Values.cas.service.type "LoadBalancer")) (not (empty .Values.cas.service.nodePorts.http)) }}
+      nodePort: {{ .Values.cas.service.nodePorts.http }}
+      {{- else if eq .Values.cas.service.type "ClusterIP" }}
+      nodePort: null
+      {{- end }}
+    {{- if .Values.cas.service.extraPorts }}
+    {{- include "common.tplvalues.render" (dict "value" .Values.cas.service.extraPorts "context" $) | nindent 4 }}
+    {{- end }}
+  selector: {{ include "chainloop.cas.selectorLabels" . | nindent 4 }}
--- a/bitnami/chainloop/templates/cas/vpa.yaml
+++ b/bitnami/chainloop/templates/cas/vpa.yaml
@@ -0,0 +1,44 @@
+{{- /*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- if and (.Capabilities.APIVersions.Has "autoscaling.k8s.io/v1/VerticalPodAutoscaler") .Values.cas.autoscaling.vpa.enabled }}
+apiVersion: autoscaling.k8s.io/v1
+kind: VerticalPodAutoscaler
+metadata:
+  name: {{ include "common.names.fullname" . }}
+  namespace: {{ include "common.names.namespace" . | quote }}
+  labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
+    app.kubernetes.io/component: cas
+  {{- if or .Values.cas.autoscaling.vpa.annotations .Values.commonAnnotations }}
+  {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.cas.autoscaling.vpa.annotations .Values.commonAnnotations ) "context" . ) }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }}
+  {{- end }}
+spec:
+  resourcePolicy:
+    containerPolicies:
+      - containerName: cas
+      {{- with .Values.cas.autoscaling.vpa.controlledResources }}
+        controlledResources:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.cas.autoscaling.vpa.maxAllowed }}
+        maxAllowed:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.cas.autoscaling.vpa.minAllowed }}
+        minAllowed:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+  targetRef:
+    apiVersion: {{ include "common.capabilities.deployment.apiVersion" . }}
+    kind: Deployment
+    name: {{ include "common.names.fullname" . }}
+  {{- if .Values.cas.autoscaling.vpa.updatePolicy }}
+  updatePolicy:
+    {{- with .Values.cas.autoscaling.vpa.updatePolicy.updateMode }}
+    updateMode: {{ . }}
+    {{- end }}
+  {{- end }}
+{{- end }}
--- a/bitnami/chainloop/templates/controlplane/configmap.yaml
+++ b/bitnami/chainloop/templates/controlplane/configmap.yaml
@@ -0,0 +1,55 @@
+{{- /*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- if (empty .Values.controlplane.existingConfigMap) }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "chainloop.controlplane.fullname" . }}
+  namespace: {{ include "common.names.namespace" . | quote }}
+  labels: {{- include "chainloop.controlplane.labels" . | nindent 4 }}
+  {{- if .Values.commonAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+  {{- end }}
+data:
+  {{- if .Values.controlplane.auth.allowList }}
+  allow_list.yaml: |
+    auth:
+      allow_list:
+        {{- toYaml .Values.controlplane.auth.allowList | nindent 8 }}
+  {{- end }}
+  config.yaml: |
+    server:
+      http:
+        addr: "0.0.0.0:{{ .Values.controlplane.containerPorts.http }}"
+        timeout: 10s
+        external_url: {{ include "chainloop.controlplane.external_url" . }}
+      http_metrics:
+        addr: "0.0.0.0:{{ .Values.controlplane.containerPorts.metrics }}"
+      grpc:
+        addr: "0.0.0.0:{{ .Values.controlplane.containerPorts.grpc }}"
+        timeout: 10s
+        {{- if .Values.controlplane.tls.existingSecret  }}
+        tls_config:
+          certificate: /data/server-certs/tls.crt
+          private_key: /data/server-certs/tls.key
+        {{- end }}
+    cas_server:
+      grpc:
+        addr: {{ printf "%s-api:%.0f" (include "chainloop.cas.fullname" .) (coalesce .Values.cas.serviceAPI.port .Values.cas.serviceAPI.ports.http) }}
+      insecure: {{ empty .Values.cas.tls.existingSecret }}
+      download_url: {{ include "chainloop.cas.external_url" . }}/download
+    plugins_dir: {{ .Values.controlplane.pluginsDir }}
+    referrer_shared_index:
+      {{- toYaml .Values.controlplane.referrerSharedIndex | nindent 6 }}
+    {{ if .Values.controlplane.onboarding }}
+    onboarding:
+      {{- toYaml .Values.controlplane.onboarding | nindent 6 }}
+    {{- end }}
+    {{ if .Values.controlplane.prometheus_org_metrics }}
+    prometheus_integration:
+      {{- toYaml .Values.controlplane.prometheus_org_metrics | nindent 6 }}
+    {{- end }}
+{{- end }}
--- a/bitnami/chainloop/templates/controlplane/deployment.yaml
+++ b/bitnami/chainloop/templates/controlplane/deployment.yaml
@@ -0,0 +1,222 @@
+{{- /*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+apiVersion: {{ include "common.capabilities.deployment.apiVersion" . }}
+kind: Deployment
+metadata:
+  name: {{ include "chainloop.controlplane.fullname" . }}
+  namespace: {{ include "common.names.namespace" . | quote }}
+  labels: {{- include "chainloop.controlplane.labels" . | nindent 4 }}
+  {{- if or .Values.controlplane.deploymentAnnotations .Values.commonAnnotations }}
+  {{- $annotations := include "common.tplvalues.merge" (dict "values" (list .Values.controlplane.deploymentAnnotations .Values.commonAnnotations) "context" .) }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $ ) | nindent 4 }}
+  {{- end }}
+spec:
+  {{- if not .Values.controlplane.autoscaling.hpa.enabled }}
+  replicas: {{ .Values.controlplane.replicaCount }}
+  {{- end }}
+  {{- if .Values.controlplane.updateStrategy }}
+  strategy: {{- toYaml .Values.controlplane.updateStrategy | nindent 4 }}
+  {{- end }}
+  {{- $podLabels := include "common.tplvalues.merge" (dict "values" (list .Values.controlplane.podLabels .Values.commonLabels) "context" .) }}
+  selector:
+    matchLabels: {{ include "chainloop.controlplane.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      annotations:
+        checksum/config: {{ include (print $.Template.BasePath "/controlplane" "/configmap.yaml") . | sha256sum }}
+        checksum/secret-config: {{ include (print $.Template.BasePath "/controlplane" "/secret-config.yaml") . | sha256sum }}
+        checksum/cas-private-key: {{ include (print $.Template.BasePath "/controlplane" "/secret-jwt-cas-private-key.yaml") . | sha256sum }}
+        kubectl.kubernetes.io/default-container: controlplane
+      labels: {{- include "chainloop.controlplane.labels" . | nindent 8 }}
+    spec:
+      {{- include "common.images.renderPullSecrets" (dict "images" (list .Values.controlplane.image .Values.controlplane.migration.image) "context" $) | nindent 6 }}
+      serviceAccountName: {{ include "controlplane.serviceAccountName" . }}
+      automountServiceAccountToken: {{ .Values.controlplane.automountServiceAccountToken }}
+      {{- if .Values.controlplane.hostAliases }}
+      hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.controlplane.hostAliases "context" $) | nindent 8 }}
+      {{- end }}
+      {{- if .Values.controlplane.affinity }}
+      affinity: {{- include "common.tplvalues.render" ( dict "value" .Values.controlplane.affinity "context" $) | nindent 8 }}
+      {{- else }}
+      affinity:
+        podAffinity: {{- include "common.affinities.pods" (dict "type" .Values.controlplane.podAffinityPreset "component" "controlplane" "customLabels" $podLabels "context" $) | nindent 10 }}
+        podAntiAffinity: {{- include "common.affinities.pods" (dict "type" .Values.controlplane.podAntiAffinityPreset "component" "controlplane" "customLabels" $podLabels "context" $) | nindent 10 }}
+        nodeAffinity: {{- include "common.affinities.nodes" (dict "type" .Values.controlplane.nodeAffinityPreset.type "key" .Values.controlplane.nodeAffinityPreset.key "values" .Values.controlplane.nodeAffinityPreset.values) | nindent 10 }}
+      {{- end }}
+      {{- if .Values.controlplane.nodeSelector }}
+      nodeSelector: {{- include "common.tplvalues.render" ( dict "value" .Values.controlplane.nodeSelector "context" $) | nindent 8 }}
+      {{- end }}
+      {{- if .Values.controlplane.tolerations }}
+      tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.controlplane.tolerations "context" .) | nindent 8 }}
+      {{- end }}
+      {{- if .Values.controlplane.priorityClassName }}
+      priorityClassName: {{ .Values.controlplane.priorityClassName | quote }}
+      {{- end }}
+      {{- if .Values.controlplane.schedulerName }}
+      schedulerName: {{ .Values.controlplane.schedulerName | quote }}
+      {{- end }}
+      {{- if .Values.controlplane.topologySpreadConstraints }}
+      topologySpreadConstraints: {{- include "common.tplvalues.render" (dict "value" .Values.controlplane.topologySpreadConstraints "context" .) | nindent 8 }}
+      {{- end }}
+      {{- if .Values.controlplane.podSecurityContext.enabled }}
+      securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.controlplane.podSecurityContext "context" $) | nindent 8 }}
+      {{- end }}
+      {{- if .Values.controlplane.terminationGracePeriodSeconds }}
+      terminationGracePeriodSeconds: {{ .Values.controlplane.terminationGracePeriodSeconds }}
+      {{- end }}
+      initContainers:
+        {{- if .Values.controlplane.initContainers }}
+          {{- include "common.tplvalues.render" (dict "value" .Values.controlplane.initContainers "context" $) | nindent 8 }}
+        {{- end }}
+        - name: migrate
+          image: {{ include "chainloop.controlplane.migration.image" . }}
+          imagePullPolicy: {{ .Values.controlplane.image.pullPolicy }}
+          command: [ "./atlas" ]
+          args:
+            - migrate
+            - apply
+            - --url
+            - $(CONNECTION_STRING)
+            - --dir
+            - file:///migrations
+          env:
+            - name: CONNECTION_STRING
+              valueFrom:
+                secretKeyRef:
+                  name: {{ include "chainloop.controlplane.fullname" . }}
+                  key: db_migrate_source
+      containers:
+        - name: controlplane
+          {{- if .Values.controlplane.containerSecurityContext.enabled }}
+          securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.controlplane.containerSecurityContext "context" $) | nindent 12 }}
+          {{- end }}
+          image: {{ include "chainloop.controlplane.image" . }}
+          imagePullPolicy: {{ .Values.controlplane.image.pullPolicy }}
+          command: [ "./control-plane" ]
+          args: [ "--conf", "/data/conf" ]
+          ports:
+            - name: http
+              containerPort: {{ .Values.controlplane.containerPorts.http }}
+            - name: metrics
+              containerPort: {{ .Values.controlplane.containerPorts.metrics }}
+            - name: grpc
+              containerPort: {{ .Values.controlplane.containerPorts.grpc }}
+          startupProbe:
+            httpGet:
+              path: /statusz
+              port: http
+            periodSeconds: 5
+          livenessProbe:
+            httpGet:
+              path: /statusz
+              port: http
+            periodSeconds: 5
+          readinessProbe:
+            httpGet:
+              path: /statusz?readiness=1
+              port: http
+            periodSeconds: 5
+          {{- if .Values.controlplane.lifecycleHooks }}
+          lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.controlplane.lifecycleHooks "context" $) | nindent 12 }}
+          {{- end }}
+          env:
+            {{- if .Values.controlplane.extraEnvVars }}
+            {{- include "common.tplvalues.render" (dict "value" .Values.controlplane.extraEnvVars "context" $) | nindent 12 }}
+            {{- end }}
+          envFrom:
+            {{- if .Values.controlplane.extraEnvVarsCM }}
+            - configMapRef:
+                name: {{ include "common.tplvalues.render" (dict "value" .Values.controlplane.extraEnvVarsCM "context" $) }}
+            {{- end }}
+            {{- if .Values.controlplane.extraEnvVarsSecret }}
+            - secretRef:
+                name: {{ include "common.tplvalues.render" (dict "value" .Values.controlplane.extraEnvVarsSecret "context" $) }}
+            {{- end }}
+          {{- if .Values.controlplane.resources }}
+          resources: {{- toYaml .Values.controlplane.resources | nindent 12 }}
+          {{- else if ne .Values.controlplane.resourcesPreset "none" }}
+          resources: {{- include "common.resources.preset" (dict "type" .Values.controlplane.resourcesPreset) | nindent 12 }}
+          {{- end }}
+          volumeMounts:
+            - name: config
+              mountPath: /data/conf
+            - name: tmp
+              mountPath: /tmp
+            - name: jwt-cas-private-key
+              mountPath: /secrets
+            {{- if and .Values.controlplane.keylessSigning.enabled (eq "fileCA" .Values.controlplane.keylessSigning.backend) }}
+            - name: file-ca-cert
+              mountPath: /ca_secrets
+            {{- end }}
+            {{- if and .Values.controlplane.keylessSigning.enabled (eq "ejbcaCA" .Values.controlplane.keylessSigning.backend) }}
+            - name: ejbca-ca-client
+              mountPath: /ca_secrets
+            {{- end }}
+            {{- if .Values.controlplane.tls.existingSecret  }}
+            - name: server-certs
+              mountPath: /data/server-certs
+            {{- end }}
+            {{- if eq "gcpSecretManager" .Values.secretsBackend.backend  }}
+            - name: gcp-secretmanager-serviceaccountkey
+              mountPath: /gcp-secrets
+            {{- end }}
+            {{- if (not (empty .Values.controlplane.customCAs)) }}
+            - name: custom-cas
+              # NOTE: /etc/ssl/certs already contains the system CA certs
+              # Let's use another known path https://go.dev/src/crypto/x509/root_linux.go
+              mountPath: /etc/pki/tls/certs
+              readOnly: true
+            {{- end }}
+            {{- if .Values.controlplane.extraVolumeMounts }}
+            {{- include "common.tplvalues.render" (dict "value" .Values.controlplane.extraVolumeMounts "context" $) | nindent 12 }}
+            {{- end }}
+        {{- if .Values.controlplane.sidecars }}
+        {{- include "common.tplvalues.render" ( dict "value" .Values.controlplane.sidecars "context" $) | nindent 8 }}
+        {{- end }}
+      volumes:
+        - name: config
+          projected:
+            sources:
+            - secret:
+                name: {{ include "chainloop.controlplane.fullname" . }}
+            - configMap:
+               name: {{ include "chainloop.controlplane.fullname" . }}
+        {{- if (not (empty .Values.controlplane.customCAs)) }}
+        - name: custom-cas
+          projected:
+            sources:
+            - secret:
+               name: {{ include "chainloop.controlplane.fullname" . }}-custom-cas
+        {{- end }}
+        # required for the plugins to store the socket files
+        - name: tmp
+          emptyDir: {}
+        - name: jwt-cas-private-key
+          secret:
+            secretName: {{ include "chainloop.controlplane.fullname" . }}-jwt-cas
+        {{- if .Values.controlplane.tls.existingSecret }}
+        - name: server-certs
+          secret:
+            secretName: {{ .Values.controlplane.tls.existingSecret  }}
+        {{- end }}
+        {{- if eq "gcpSecretManager" .Values.secretsBackend.backend  }}
+        - name: gcp-secretmanager-serviceaccountkey
+          secret:
+            secretName: {{ include "chainloop.controlplane.fullname" . }}-gcp-secretmanager-serviceaccountkey
+        {{- end }}
+        {{- if and .Values.controlplane.keylessSigning.enabled (eq "fileCA" .Values.controlplane.keylessSigning.backend) }}
+        - name: file-ca-cert
+          secret:
+            secretName: {{ include "chainloop.controlplane.fullname" . }}-keyless-file-ca
+        {{- end }}
+        {{- if and .Values.controlplane.keylessSigning.enabled (eq "ejbcaCA" .Values.controlplane.keylessSigning.backend) }}
+        - name: ejbca-ca-client
+          secret:
+            secretName: {{ include "chainloop.controlplane.fullname" . }}-keyless-ejbca-ca
+        {{- end }}
+        {{- if .Values.controlplane.extraVolumes }}
+        {{- include "common.tplvalues.render" (dict "value" .Values.controlplane.extraVolumes "context" $) | nindent 8 }}
+        {{- end }}
--- a/bitnami/chainloop/templates/controlplane/hpa.yaml
+++ b/bitnami/chainloop/templates/controlplane/hpa.yaml
@@ -0,0 +1,48 @@
+{{- /*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- if .Values.controlplane.autoscaling.hpa.enabled }}
+apiVersion: {{ include "common.capabilities.hpa.apiVersion" ( dict "context" $ )}}
+kind: HorizontalPodAutoscaler
+metadata:
+  name: {{ include "common.names.fullname" . }}
+  namespace: {{ include "common.names.namespace" . | quote }}
+  labels: {{- include "chainloop.controlplane.labels" . | nindent 4 }}
+  {{- if .Values.commonAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+  {{- end }}
+spec:
+  scaleTargetRef:
+    apiVersion: {{ include "common.capabilities.deployment.apiVersion" . }}
+    kind: Deployment
+    name: {{ include "common.names.fullname" . }}
+  minReplicas: {{ .Values.controlplane.autoscaling.hpa.minReplicas }}
+  maxReplicas: {{ .Values.controlplane.autoscaling.hpa.maxReplicas }}
+  metrics:
+    {{- if .Values.controlplane.autoscaling.hpa.targetMemory }}
+    - type: Resource
+      resource:
+        name: memory
+        {{- if semverCompare "<1.23-0" (include "common.capabilities.kubeVersion" .) }}
+        targetAverageUtilization: {{ .Values.controlplane.autoscaling.hpa.targetMemory  }}
+        {{- else }}
+        target:
+          type: Utilization
+          averageUtilization: {{ .Values.controlplane.autoscaling.hpa.targetMemory }}
+        {{- end }}
+    {{- end }}
+    {{- if .Values.controlplane.autoscaling.hpa.targetCPU }}
+    - type: Resource
+      resource:
+        name: cpu
+        {{- if semverCompare "<1.23-0" (include "common.capabilities.kubeVersion" .) }}
+        targetAverageUtilization: {{ .Values.controlplane.autoscaling.hpa.targetCPU }}
+        {{- else }}
+        target:
+          type: Utilization
+          averageUtilization: {{ .Values.controlplane.autoscaling.hpa.targetCPU }}
+        {{- end }}
+    {{- end }}
+{{- end }}
--- a/bitnami/chainloop/templates/controlplane/ingress-grpc.yaml
+++ b/bitnami/chainloop/templates/controlplane/ingress-grpc.yaml
@@ -0,0 +1,65 @@
+{{- /*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- if .Values.controlplane.ingressAPI.enabled }}
+{{- $fullName := printf "%s-%s" (include "chainloop.controlplane.fullname" .) "api" -}}
+apiVersion: {{ include "common.capabilities.ingress.apiVersion" . }}
+kind: Ingress
+metadata:
+  name: {{ $fullName }}
+  namespace: {{ include "common.names.namespace" . | quote }}
+  labels: {{- include "chainloop.controlplane.labels" . | nindent 4 }}
+  {{- if or .Values.controlplane.ingressAPI.annotations .Values.commonAnnotations }}
+  annotations:
+    {{- if .Values.controlplane.ingressAPI.annotations }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.controlplane.ingressAPI.annotations "context" $) | nindent 4 }}
+    {{- end }}
+    {{- if .Values.commonAnnotations }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+    {{- end }}
+  {{- end }}
+spec:
+  {{- if and .Values.controlplane.ingressAPI.ingressClassName (eq "true" (include "common.ingress.supportsIngressClassname" .)) }}
+  ingressClassName: {{ .Values.controlplane.ingressAPI.ingressClassName | quote }}
+  {{- end }}
+  rules:
+    {{- if .Values.controlplane.ingressAPI.hostname }}
+    - host: {{ .Values.controlplane.ingressAPI.hostname }}
+      http:
+        paths:
+          {{- if .Values.controlplane.ingressAPI.extraPaths }}
+          {{- toYaml .Values.controlplane.ingressAPI.extraPaths | nindent 10 }}
+          {{- end }}
+          - path: {{ .Values.controlplane.ingressAPI.path }}
+            {{- if eq "true" (include "common.ingress.supportsPathType" .) }}
+            pathType: {{ .Values.controlplane.ingressAPI.pathType }}
+            {{- end }}
+            backend: {{- include "common.ingress.backend" (dict "serviceName" $fullName "servicePort" "grpc" "context" $)  | nindent 14 }}
+    {{- end }}
+    {{- range .Values.controlplane.ingressAPI.extraHosts }}
+    - host: {{ .name | quote }}
+      http:
+        paths:
+          - path: {{ default "/" .path }}
+            {{- if eq "true" (include "common.ingress.supportsPathType" $) }}
+            pathType: {{ default "ImplementationSpecific" .pathType }}
+            {{- end }}
+            backend: {{- include "common.ingress.backend" (dict "serviceName" $fullName "servicePort" "grpc" "context" $) | nindent 14 }}
+    {{- end }}
+    {{- if .Values.controlplane.ingressAPI.extraRules }}
+    {{- include "common.tplvalues.render" (dict "value" .Values.controlplane.ingressAPI.extraRules "context" $) | nindent 4 }}
+    {{- end }}
+  {{- if or (and .Values.controlplane.ingressAPI.tls (or (include "common.ingress.certManagerRequest" ( dict "annotations" .Values.controlplane.ingressAPI.annotations )) .Values.controlplane.ingressAPI.selfSigned)) .Values.controlplane.ingressAPI.extraTls }}
+  tls:
+    {{- if and .Values.controlplane.ingressAPI.tls (or (include "common.ingress.certManagerRequest" ( dict "annotations" .Values.controlplane.ingressAPI.annotations )) .Values.controlplane.ingressAPI.selfSigned) }}
+    - hosts:
+        - {{ .Values.controlplane.ingressAPI.hostname | quote }}
+      secretName: {{ printf "%s-tls" .Values.controlplane.ingressAPI.hostname }}
+    {{- end }}
+    {{- if .Values.controlplane.ingressAPI.extraTls }}
+    {{- include "common.tplvalues.render" (dict "value" .Values.controlplane.ingressAPI.extraTls "context" $) | nindent 4 }}
+    {{- end }}
+  {{- end }}
+{{- end }}
--- a/bitnami/chainloop/templates/controlplane/ingress.yaml
+++ b/bitnami/chainloop/templates/controlplane/ingress.yaml
@@ -0,0 +1,65 @@
+{{- /*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- if .Values.controlplane.ingress.enabled }}
+{{- $fullName := include "chainloop.controlplane.fullname" . -}}
+apiVersion: {{ include "common.capabilities.ingress.apiVersion" . }}
+kind: Ingress
+metadata:
+  name: {{ $fullName }}
+  namespace: {{ include "common.names.namespace" . | quote }}
+  labels: {{- include "chainloop.controlplane.labels" . | nindent 4 }}
+  {{- if or .Values.controlplane.ingress.annotations .Values.commonAnnotations }}
+  annotations:
+    {{- if .Values.controlplane.ingress.annotations }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.controlplane.ingress.annotations "context" $) | nindent 4 }}
+    {{- end }}
+    {{- if .Values.commonAnnotations }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+    {{- end }}
+  {{- end }}
+spec:
+  {{- if and .Values.controlplane.ingress.ingressClassName (eq "true" (include "common.ingress.supportsIngressClassname" .)) }}
+  ingressClassName: {{ .Values.controlplane.ingress.ingressClassName | quote }}
+  {{- end }}
+  rules:
+    {{- if .Values.controlplane.ingress.hostname }}
+    - host: {{ .Values.controlplane.ingress.hostname }}
+      http:
+        paths:
+          {{- if .Values.controlplane.ingress.extraPaths }}
+          {{- toYaml .Values.controlplane.ingress.extraPaths | nindent 10 }}
+          {{- end }}
+          - path: {{ .Values.controlplane.ingress.path }}
+            {{- if eq "true" (include "common.ingress.supportsPathType" .) }}
+            pathType: {{ .Values.controlplane.ingress.pathType }}
+            {{- end }}
+            backend: {{- include "common.ingress.backend" (dict "serviceName" $fullName "servicePort" "http" "context" $)  | nindent 14 }}
+    {{- end }}
+    {{- range .Values.controlplane.ingress.extraHosts }}
+    - host: {{ .name | quote }}
+      http:
+        paths:
+          - path: {{ default "/" .path }}
+            {{- if eq "true" (include "common.ingress.supportsPathType" $) }}
+            pathType: {{ default "ImplementationSpecific" .pathType }}
+            {{- end }}
+            backend: {{- include "common.ingress.backend" (dict "serviceName" $fullName "servicePort" "http" "context" $) | nindent 14 }}
+    {{- end }}
+    {{- if .Values.controlplane.ingress.extraRules }}
+    {{- include "common.tplvalues.render" (dict "value" .Values.controlplane.ingress.extraRules "context" $) | nindent 4 }}
+    {{- end }}
+  {{- if or (and .Values.controlplane.ingress.tls (or (include "common.ingress.certManagerRequest" ( dict "annotations" .Values.controlplane.ingress.annotations )) .Values.controlplane.ingress.selfSigned)) .Values.controlplane.ingress.extraTls }}
+  tls:
+    {{- if and .Values.controlplane.ingress.tls (or (include "common.ingress.certManagerRequest" ( dict "annotations" .Values.controlplane.ingress.annotations )) .Values.controlplane.ingress.selfSigned) }}
+    - hosts:
+        - {{ .Values.controlplane.ingress.hostname | quote }}
+      secretName: {{ printf "%s-tls" .Values.controlplane.ingress.hostname }}
+    {{- end }}
+    {{- if .Values.controlplane.ingress.extraTls }}
+    {{- include "common.tplvalues.render" (dict "value" .Values.controlplane.ingress.extraTls "context" $) | nindent 4 }}
+    {{- end }}
+  {{- end }}
+{{- end }}
--- a/bitnami/chainloop/templates/controlplane/networkpolicy.yaml
+++ b/bitnami/chainloop/templates/controlplane/networkpolicy.yaml
@@ -0,0 +1,74 @@
+{{- /*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- if .Values.controlplane.networkPolicy.enabled }}
+kind: NetworkPolicy
+apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }}
+metadata:
+  name: {{ printf "%s-controlplane" (include "common.names.fullname" .) }}
+  namespace: {{ include "common.names.namespace" . | quote }}
+  labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
+    app.kubernetes.io/component: controlplane
+  {{- if .Values.commonAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+  {{- end }}
+spec:
+  {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.controlplane.podLabels .Values.commonLabels ) "context" . ) }}
+  podSelector:
+    matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }}
+      app.kubernetes.io/component: controlplane
+  policyTypes:
+    - Ingress
+    - Egress
+  {{- if .Values.controlplane.networkPolicy.allowExternalEgress }}
+  egress:
+    - {}
+  {{- else }}
+  egress:
+    # Allow dns resolution
+    - ports:
+        - port: 53
+          protocol: UDP
+        - port: 53
+          protocol: TCP
+    # Allow outbound connections to other cluster pods
+    - ports:
+        - port: {{ .Values.controlplane.containerPorts.http }}
+      to:
+        - podSelector:
+            matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }}
+    {{- if .Values.controlplane.networkPolicy.extraEgress }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.controlplane.networkPolicy.extraEgress "context" $ ) | nindent 4 }}
+    {{- end }}
+  {{- end }}
+  ingress:
+    - ports:
+        - port: {{ .Values.controlplane.containerPorts.http }}
+        - port: {{ .Values.controlplane.containerPorts.grpc }}
+        - port: {{ .Values.controlplane.containerPorts.metrics }}
+      {{- if not .Values.controlplane.networkPolicy.allowExternal }}
+      from:
+        - podSelector:
+            matchLabels:
+              {{ printf "%s-controlplane" (include "common.names.fullname" .) }}: "true"
+        {{- if .Values.controlplane.networkPolicy.ingressNSMatchLabels }}
+        - namespaceSelector:
+            matchLabels:
+              {{- range $key, $value := .Values.controlplane.networkPolicy.ingressNSMatchLabels }}
+              {{ $key | quote }}: {{ $value | quote }}
+              {{- end }}
+          {{- if .Values.controlplane.networkPolicy.ingressNSPodMatchLabels }}
+          podSelector:
+            matchLabels:
+              {{- range $key, $value := .Values.controlplane.networkPolicy.ingressNSPodMatchLabels }}
+              {{ $key | quote }}: {{ $value | quote }}
+              {{- end }}
+          {{- end }}
+        {{- end }}
+      {{- end }}
+    {{- if .Values.controlplane.networkPolicy.extraIngress }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.controlplane.networkPolicy.extraIngress "context" $ ) | nindent 4 }}
+    {{- end }}
+{{- end }}
--- a/bitnami/chainloop/templates/controlplane/pdb.yaml
+++ b/bitnami/chainloop/templates/controlplane/pdb.yaml
@@ -0,0 +1,26 @@
+{{- /*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- if .Values.controlplane.pdb.enabled }}
+apiVersion: {{ include "common.capabilities.policy.apiVersion" . }}
+kind: PodDisruptionBudget
+metadata:
+  name: {{ include "common.names.fullname" . }}
+  namespace: {{ include "common.names.namespace" . | quote }}
+  labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
+  {{- if .Values.commonAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+  {{- end }}
+spec:
+  {{- if .Values.controlplane.pdb.minAvailable }}
+  minAvailable: {{ .Values.controlplane.pdb.minAvailable }}
+  {{- end }}
+  {{- if or .Values.controlplane.pdb.maxUnavailable ( not .Values.controlplane.pdb.minAvailable ) }}
+  maxUnavailable: {{ .Values.controlplane.pdb.maxUnavailable | default 1 }}
+  {{- end }}
+  {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.controlplane.podLabels .Values.commonLabels ) "context" . ) }}
+  selector:
+    matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }}
+{{- end }}
--- a/bitnami/chainloop/templates/controlplane/secret-config.yaml
+++ b/bitnami/chainloop/templates/controlplane/secret-config.yaml
@@ -0,0 +1,69 @@
+{{- /*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "chainloop.controlplane.fullname" . }}
+  namespace: {{ include "common.names.namespace" . | quote }}
+  labels: {{- include "chainloop.controlplane.labels" . | nindent 4 }}
+  {{- if .Values.commonAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+  {{- end }}
+type: Opaque
+{{- $hmacpass := include "common.secrets.passwords.manage" (dict "secret" (include "chainloop.controlplane.fullname" .) "key" "generated_jws_hmac_secret" "providedValues" (list "controlplane.auth.passphrase") "context" $) }}
+data:
+  # We store it also as a different key so it can be reused during upgrades by the common.secrets.passwords.manage helper
+  generated_jws_hmac_secret: {{ $hmacpass }}
+  db_migrate_source: {{include "controlplane.database.atlas_connection_string" . | b64enc | quote }}
+stringData:
+  {{- if and .Values.controlplane.sentry .Values.controlplane.sentry.enabled }}
+    {{- fail "configuring sentry at the top level is no longer supported. Add the configuration to the controlplane section in the values.yaml file" }}
+  {{- end -}}
+  {{- if and .Values.controlplane.sentry .Values.controlplane.sentry.enabled }}
+  config.observability.yaml: |
+    {{- include "chainloop.sentry" .Values.controlplane.sentry | nindent 4 }}
+  {{- end }}
+  {{- if and .Values.controlplane.keylessSigning.enabled (eq "fileCA" .Values.controlplane.keylessSigning.backend) }}
+  fileca.secret.yaml: |
+    {{- with .Values.controlplane.keylessSigning.fileCA }}
+    certificate_authority:
+      file_ca:
+        cert_path: "/ca_secrets/file_ca.cert"
+        key_path:  "/ca_secrets/file_ca.key"
+        key_pass: "{{- required "FileCA keyPass is mandatory" .keyPass }}"
+    {{- end }}
+  {{- end }}
+  {{- if and .Values.controlplane.keylessSigning.enabled (eq "ejbcaCA" .Values.controlplane.keylessSigning.backend) }}
+  ejbca.secret.yaml: |
+    {{- with .Values.controlplane.keylessSigning.ejbcaCA }}
+    certificate_authority:
+      ejbca_ca:
+        cert_path: "/ca_secrets/ejbca_client.cert"
+        key_path:  "/ca_secrets/ejbca_client.key"
+        server_url: "{{- required "EJBCA server URL is mandatory" .serverURL }}"
+        certificate_profile_name: "{{- required "EJBCA certificate profile name is mandatory" .certProfileName }}"
+        end_entity_profile_name: "{{- required "EJBCA end entity profile name is mandatory" .endEntityProfileName }}"
+        certificate_authority_name: "{{- required "EJBCA certificate authority name is mandatory" .caName }}"
+    {{- end }}
+  {{- end }}  
+  config.secret.yaml: |
+    data:
+      database:
+        driver: pgx
+        source: {{include "controlplane.database.connection_string" . }}
+
+    credentials_service: {{- include "chainloop.credentials_service_settings" . | indent 6 }}
+
+    auth:
+      oidc: {{- include "controlplane.oidc_settings" . | indent 4 }}
+
+      # HMAC key used to sign the JWTs generated by the controlplane
+      # The helper returns the base64 quoted value of the secret
+      # We need to remove the quotes and then decoding it so it's compatible with the stringData stanza
+      generated_jws_hmac_secret: {{ $hmacpass | replace "\"" "" | b64dec | quote }}
+
+      # Private key used to sign the JWTs meant to be consumed by the CAS
+      cas_robot_account_private_key_path: "/secrets/cas.private.key"
--- a/bitnami/chainloop/templates/controlplane/secret-customcas.yaml
+++ b/bitnami/chainloop/templates/controlplane/secret-customcas.yaml
@@ -0,0 +1,18 @@
+{{- /*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- $customCAs := .Values.controlplane.customCAs }}
+{{- if (not (empty $customCAs)) }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "chainloop.controlplane.fullname" . }}-custom-cas
+  labels:
+    {{- include "chainloop.controlplane.labels" . | nindent 4 }}
+data: 
+  {{- range $index, $pem := $customCAs }}
+  custom-{{ $index }}.crt: {{ $pem | b64enc | quote }}
+  {{- end -}}
+{{- end -}}
--- a/bitnami/chainloop/templates/controlplane/secret-ejbca-ca.yaml
+++ b/bitnami/chainloop/templates/controlplane/secret-ejbca-ca.yaml
@@ -0,0 +1,17 @@
+{{- /*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- if and .Values.controlplane.keylessSigning.enabled (eq "ejbcaCA" .Values.controlplane.keylessSigning.backend) }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "chainloop.controlplane.fullname" . }}-keyless-ejbca-ca
+  labels:
+    {{- include "chainloop.controlplane.labels" . | nindent 4 }}
+type: Opaque
+data:
+  ejbca_client.cert: {{ .Values.controlplane.keylessSigning.ejbcaCA.clientCert | b64enc | quote }}
+  ejbca_client.key: {{ .Values.controlplane.keylessSigning.ejbcaCA.clientKey | b64enc | quote }}
+{{- end }}
--- a/bitnami/chainloop/templates/controlplane/secret-file-ca.yaml
+++ b/bitnami/chainloop/templates/controlplane/secret-file-ca.yaml
@@ -0,0 +1,17 @@
+{{- /*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- if and .Values.controlplane.keylessSigning.enabled (eq "fileCA" .Values.controlplane.keylessSigning.backend) }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "chainloop.controlplane.fullname" . }}-keyless-file-ca
+  labels:
+    {{- include "chainloop.controlplane.labels" . | nindent 4 }}
+type: Opaque
+data:
+  file_ca.cert: {{ .Values.controlplane.keylessSigning.fileCA.cert | b64enc | quote }}
+  file_ca.key: {{ .Values.controlplane.keylessSigning.fileCA.key | b64enc | quote }}
+{{- end }}
--- a/bitnami/chainloop/templates/controlplane/secret-gcp-secret-manager.yaml
+++ b/bitnami/chainloop/templates/controlplane/secret-gcp-secret-manager.yaml
@@ -0,0 +1,16 @@
+{{- /*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- if eq "gcpSecretManager" .Values.secretsBackend.backend  }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "chainloop.controlplane.fullname" . }}-gcp-secretmanager-serviceaccountkey
+  labels:
+    {{- include "chainloop.controlplane.labels" . | nindent 4 }}
+type: Opaque
+data:
+  serviceAccountKey.json: {{ .Values.secretsBackend.gcpSecretManager.serviceAccountKey | b64enc | quote  }}
+{{- end }}
--- a/bitnami/chainloop/templates/controlplane/secret-jwt-cas-private-key.yaml
+++ b/bitnami/chainloop/templates/controlplane/secret-jwt-cas-private-key.yaml
@@ -0,0 +1,14 @@
+{{- /*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "chainloop.controlplane.fullname" . }}-jwt-cas
+  labels:
+    {{- include "chainloop.controlplane.labels" . | nindent 4 }}
+type: Opaque
+data:
+  cas.private.key: {{ include "chainloop.casjwt.private_key" . | b64enc | quote  }}
--- a/bitnami/chainloop/templates/controlplane/service-account.yaml
+++ b/bitnami/chainloop/templates/controlplane/service-account.yaml
@@ -0,0 +1,18 @@
+{{- /*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- if .Values.controlplane.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "controlplane.serviceAccountName" . }}
+  namespace: {{ include "common.names.namespace" . | quote }}
+  labels: {{- include "chainloop.controlplane.labels" . | nindent 4 }}
+  {{- if or .Values.controlplane.serviceAccount.annotations .Values.commonAnnotations }}
+  {{- $annotations := include "common.tplvalues.merge" (dict "values" (list .Values.controlplane.serviceAccount.annotations .Values.commonAnnotations) "context" .) }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $ ) | nindent 4 }}
+  {{- end }}
+automountServiceAccountToken: {{ .Values.controlplane.serviceAccount.automountServiceAccountToken }}
+  {{- end }}
--- a/bitnami/chainloop/templates/controlplane/service-grpc.yaml
+++ b/bitnami/chainloop/templates/controlplane/service-grpc.yaml
@@ -0,0 +1,52 @@
+{{- /*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "chainloop.controlplane.fullname" . }}-api
+  namespace: {{ include "common.names.namespace" . | quote }}
+  labels: {{- include "chainloop.controlplane.labels" . | nindent 4 }}
+  {{- if or .Values.controlplane.serviceAPI.annotations .Values.commonAnnotations }}
+  {{- $annotations := include "common.tplvalues.merge" (dict "values" (list .Values.controlplane.serviceAPI.annotations .Values.commonAnnotations) "context" .) }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $ ) | nindent 4 }}
+  {{- end }}
+spec:
+  type: {{ .Values.controlplane.serviceAPI.type }}
+  {{- if and .Values.controlplane.serviceAPI.clusterIP (eq .Values.controlplane.serviceAPI.type "ClusterIP") }}
+  clusterIP: {{ .Values.controlplane.serviceAPI.clusterIP }}
+  {{- end }}
+  {{- if .Values.controlplane.serviceAPI.sessionAffinity }}
+  sessionAffinity: {{ .Values.controlplane.serviceAPI.sessionAffinity }}
+  {{- end }}
+  {{- if .Values.controlplane.serviceAPI.sessionAffinityConfig }}
+  sessionAffinityConfig: {{- include "common.tplvalues.render" (dict "value" .Values.controlplane.serviceAPI.sessionAffinityConfig "context" $) | nindent 4 }}
+  {{- end }}
+  {{- if or (eq .Values.controlplane.serviceAPI.type "LoadBalancer") (eq .Values.controlplane.serviceAPI.type "NodePort") }}
+  externalTrafficPolicy: {{ .Values.controlplane.serviceAPI.externalTrafficPolicy | quote }}
+  {{- end }}
+  {{- if and (eq .Values.controlplane.serviceAPI.type "LoadBalancer") (not (empty .Values.controlplane.serviceAPI.loadBalancerSourceRanges)) }}
+  loadBalancerSourceRanges: {{ .Values.controlplane.serviceAPI.loadBalancerSourceRanges }}
+  {{- end }}
+  {{- if and (eq .Values.controlplane.serviceAPI.type "LoadBalancer") (not (empty .Values.controlplane.serviceAPI.loadBalancerIP)) }}
+  loadBalancerIP: {{ .Values.controlplane.serviceAPI.loadBalancerIP }}
+  {{- end }}
+  ports:
+    - name: grpc
+      {{- $port := coalesce .Values.controlplane.serviceAPI.port .Values.controlplane.serviceAPI.ports.http }}
+      port: {{ $port }}
+      {{- if not (eq $port .Values.controlplane.containerPorts.grpc) }}
+      targetPort: {{ .Values.controlplane.containerPorts.grpc }}
+      {{- end }}
+      protocol: TCP
+      {{- if and (or (eq .Values.controlplane.serviceAPI.type "NodePort") (eq .Values.controlplane.serviceAPI.type "LoadBalancer")) (not (empty .Values.controlplane.serviceAPI.nodePorts.http)) }}
+      nodePort: {{ .Values.controlplane.serviceAPI.nodePorts.http }}
+      {{- else if eq .Values.controlplane.serviceAPI.type "ClusterIP" }}
+      nodePort: null
+      {{- end }}
+    {{- if .Values.controlplane.serviceAPI.extraPorts }}
+    {{- include "common.tplvalues.render" (dict "value" .Values.controlplane.serviceAPI.extraPorts "context" $) | nindent 4 }}
+    {{- end }}
+  selector: {{ include "chainloop.controlplane.selectorLabels" . | nindent 4 }}
--- a/bitnami/chainloop/templates/controlplane/service-http.yaml
+++ b/bitnami/chainloop/templates/controlplane/service-http.yaml
@@ -0,0 +1,53 @@
+{{- /*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "chainloop.controlplane.fullname" . }}
+  namespace: {{ include "common.names.namespace" . | quote }}
+  labels: {{- include "chainloop.controlplane.labels" . | nindent 4 }}
+  {{- if or .Values.controlplane.service.annotations .Values.commonAnnotations }}
+  {{- $annotations := include "common.tplvalues.merge" (dict "values" (list .Values.controlplane.service.annotations .Values.commonAnnotations) "context" .) }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $ ) | nindent 4 }}
+  {{- end }}
+spec:
+  type: {{ .Values.controlplane.service.type }}
+  {{- if and .Values.controlplane.service.clusterIP (eq .Values.controlplane.service.type "ClusterIP") }}
+  clusterIP: {{ .Values.controlplane.service.clusterIP }}
+  {{- end }}
+  {{- if .Values.controlplane.service.sessionAffinity }}
+  sessionAffinity: {{ .Values.controlplane.service.sessionAffinity }}
+  {{- end }}
+  {{- if .Values.controlplane.service.sessionAffinityConfig }}
+  sessionAffinityConfig: {{- include "common.tplvalues.render" (dict "value" .Values.controlplane.service.sessionAffinityConfig "context" $) | nindent 4 }}
+  {{- end }}
+  {{- if or (eq .Values.controlplane.service.type "LoadBalancer") (eq .Values.controlplane.service.type "NodePort") }}
+  externalTrafficPolicy: {{ .Values.controlplane.service.externalTrafficPolicy | quote }}
+  {{- end }}
+  {{- if and (eq .Values.controlplane.service.type "LoadBalancer") (not (empty .Values.controlplane.service.loadBalancerSourceRanges)) }}
+  loadBalancerSourceRanges: {{ .Values.controlplane.service.loadBalancerSourceRanges }}
+  {{- end }}
+  {{- if and (eq .Values.controlplane.service.type "LoadBalancer") (not (empty .Values.controlplane.service.loadBalancerIP)) }}
+  loadBalancerIP: {{ .Values.controlplane.service.loadBalancerIP }}
+  {{- end }}
+  ports:
+    - name: http
+      {{- $port := coalesce .Values.controlplane.service.port .Values.controlplane.service.ports.http }}
+      port: {{ $port }}
+      {{- if not (eq $port .Values.controlplane.containerPorts.http) }}
+      targetPort: {{ .Values.controlplane.containerPorts.http }}
+      {{- end }}
+      protocol: TCP
+      {{- if and (or (eq .Values.controlplane.service.type "NodePort") (eq .Values.controlplane.service.type "LoadBalancer")) (not (empty .Values.controlplane.service.nodePorts.http)) }}
+      nodePort: {{ .Values.controlplane.service.nodePorts.http }}
+      {{- else if eq .Values.controlplane.service.type "ClusterIP" }}
+      nodePort: null
+      {{- end }}
+    {{- if .Values.controlplane.service.extraPorts }}
+    {{- include "common.tplvalues.render" (dict "value" .Values.controlplane.service.extraPorts "context" $) | nindent 4 }}
+    {{- end }}
+  {{- $podLabels := include "common.tplvalues.merge" (dict "values" (list .Values.controlplane.podLabels .Values.commonLabels) "context" .) | fromYaml }}
+  selector: {{ include "chainloop.controlplane.selectorLabels" . | nindent 4 }}
--- a/bitnami/chainloop/templates/controlplane/vpa.yaml
+++ b/bitnami/chainloop/templates/controlplane/vpa.yaml
@@ -0,0 +1,44 @@
+{{- /*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- if and (.Capabilities.APIVersions.Has "autoscaling.k8s.io/v1/VerticalPodAutoscaler") .Values.controlplane.autoscaling.vpa.enabled }}
+apiVersion: autoscaling.k8s.io/v1
+kind: VerticalPodAutoscaler
+metadata:
+  name: {{ include "common.names.fullname" . }}
+  namespace: {{ include "common.names.namespace" . | quote }}
+  labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
+    app.kubernetes.io/component: controlplane
+  {{- if or .Values.controlplane.autoscaling.vpa.annotations .Values.commonAnnotations }}
+  {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.controlplane.autoscaling.vpa.annotations .Values.commonAnnotations ) "context" . ) }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }}
+  {{- end }}
+spec:
+  resourcePolicy:
+    containerPolicies:
+      - containerName: controlplane
+      {{- with .Values.controlplane.autoscaling.vpa.controlledResources }}
+        controlledResources:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.controlplane.autoscaling.vpa.maxAllowed }}
+        maxAllowed:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.controlplane.autoscaling.vpa.minAllowed }}
+        minAllowed:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+  targetRef:
+    apiVersion: {{ include "common.capabilities.deployment.apiVersion" . }}
+    kind: Deployment
+    name: {{ include "common.names.fullname" . }}
+  {{- if .Values.controlplane.autoscaling.vpa.updatePolicy }}
+  updatePolicy:
+    {{- with .Values.controlplane.autoscaling.vpa.updatePolicy.updateMode }}
+    updateMode: {{ . }}
+    {{- end }}
+  {{- end }}
+{{- end }}
--- a/bitnami/chainloop/templates/dex/deployment.yaml
+++ b/bitnami/chainloop/templates/dex/deployment.yaml
@@ -0,0 +1,195 @@
+{{- /*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- if .Values.development }}
+apiVersion: {{ include "common.capabilities.deployment.apiVersion" . }}
+kind: Deployment
+metadata:
+  name: {{ include "chainloop.dex" . }}
+  namespace: {{ include "common.names.namespace" . | quote }}
+  {{- $versionLabel := dict "app.kubernetes.io/version" ( include "common.images.version" ( dict "imageRoot" .Values.dex.image "chart" .Chart ) ) }}
+  {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonLabels $versionLabel ) "context" . ) }}
+  labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }}
+    app.kubernetes.io/component: dex
+  {{- if .Values.commonAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+  {{- end }}
+spec:
+  replicas: {{ .Values.dex.replicaCount }}
+  {{- if .Values.dex.updateStrategy }}
+  strategy: {{- toYaml .Values.dex.updateStrategy | nindent 4 }}
+  {{- end }}
+  {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.dex.podLabels .Values.commonLabels $versionLabel ) "context" . ) }}
+  selector:
+    matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }}
+      app.kubernetes.io/component: dex
+  template:
+    metadata:
+      {{- if .Values.dex.podAnnotations }}
+      annotations: {{- include "common.tplvalues.render" (dict "value" .Values.dex.podAnnotations "context" $) | nindent 8 }}
+      {{- end }}
+      labels: {{- include "common.labels.standard" ( dict "customLabels" $podLabels "context" $ ) | nindent 8 }}
+        app.kubernetes.io/component: dex
+    spec:
+      serviceAccountName: {{ include "chainloop.dex.serviceAccountName" . }}
+      {{- include "common.images.renderPullSecrets" (dict "images" (list .Values.dex.image) "context" $) | nindent 6 }}
+      automountServiceAccountToken: {{ .Values.dex.automountServiceAccountToken }}
+      {{- if .Values.dex.hostAliases }}
+      hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.dex.hostAliases "context" $) | nindent 8 }}
+      {{- end }}
+      {{- if .Values.dex.affinity }}
+      affinity: {{- include "common.tplvalues.render" ( dict "value" .Values.dex.affinity "context" $) | nindent 8 }}
+      {{- else }}
+      affinity:
+        podAffinity: {{- include "common.affinities.pods" (dict "type" .Values.dex.podAffinityPreset "component" "dex" "customLabels" $podLabels "context" $) | nindent 10 }}
+        podAntiAffinity: {{- include "common.affinities.pods" (dict "type" .Values.dex.podAntiAffinityPreset "component" "dex" "customLabels" $podLabels "context" $) | nindent 10 }}
+        nodeAffinity: {{- include "common.affinities.nodes" (dict "type" .Values.dex.nodeAffinityPreset.type "key" .Values.dex.nodeAffinityPreset.key "values" .Values.dex.nodeAffinityPreset.values) | nindent 10 }}
+      {{- end }}
+      {{- if .Values.dex.nodeSelector }}
+      nodeSelector: {{- include "common.tplvalues.render" ( dict "value" .Values.dex.nodeSelector "context" $) | nindent 8 }}
+      {{- end }}
+      {{- if .Values.dex.tolerations }}
+      tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.dex.tolerations "context" .) | nindent 8 }}
+      {{- end }}
+      {{- if .Values.dex.schedulerName }}
+      schedulerName: {{ .Values.dex.schedulerName }}
+      {{- end }}
+      {{- if .Values.dex.shareProcessNamespace }}
+      shareProcessNamespace: {{ .Values.dex.shareProcessNamespace }}
+      {{- end }}
+      {{- if .Values.dex.topologySpreadConstraints }}
+      topologySpreadConstraints: {{- include "common.tplvalues.render" (dict "value" .Values.dex.topologySpreadConstraints "context" .) | nindent 8 }}
+      {{- end }}
+      {{- if .Values.dex.priorityClassName }}
+      priorityClassName: {{ .Values.dex.priorityClassName | quote }}
+      {{- end }}
+      {{- if .Values.dex.runtimeClassName }}
+      runtimeClassName: {{ .Values.dex.runtimeClassName }}
+      {{- end }}
+      {{- if .Values.dex.podSecurityContext.enabled }}
+      securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.dex.podSecurityContext "context" $) | nindent 8 }}
+      {{- end }}
+      initContainers:
+        {{- if .Values.dex.initContainers }}
+          {{- include "common.tplvalues.render" (dict "value" .Values.dex.initContainers "context" $) | nindent 8 }}
+        {{- end }}
+      containers:
+        - name: dex
+          image: {{ include "chainloop.dex.image" . }}
+          imagePullPolicy: {{ .Values.dex.image.pullPolicy }}
+          {{- if .Values.dex.lifecycleHooks }}
+          lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.dex.lifecycleHooks "context" $) | nindent 12 }}
+          {{- end }}
+          {{- if .Values.dex.containerSecurityContext.enabled }}
+          securityContext: {{- include "common.compatibility.renderSecurityContext" (dict "secContext" .Values.dex.containerSecurityContext "context" $) | nindent 12 }}
+          {{- end }}
+          {{- if .Values.dex.command }}
+          command: {{- include "common.tplvalues.render" (dict "value" .Values.dex.command "context" $) | nindent 12 }}
+          {{- else }}
+          command:
+            - /opt/bitnami/dex/bin/dex
+            - serve
+          {{- end }}
+          {{- if .Values.dex.args }}
+          args: {{- include "common.tplvalues.render" (dict "value" .Values.dex.args "context" $) | nindent 12 }}
+          {{- else }}
+          args:
+            - /data/conf/config.yaml
+            {{- if .Values.dex.extraArgs }}
+            {{- include "common.tplvalues.render" (dict "value" .Values.dex.extraArgs "context" $) | nindent 12 }}
+            {{- end }}
+          {{- end }}
+          ports:
+            - name: http
+              containerPort: {{ .Values.dex.containerPorts.http }}
+              protocol: TCP
+            - name: grpc
+              containerPort: {{ .Values.dex.containerPorts.grpc }}
+              protocol: TCP
+            - name: metrics
+              containerPort: {{ .Values.dex.containerPorts.metrics }}
+              protocol: TCP
+          env:
+            {{- if .Values.dex.extraEnvVars }}
+            {{- include "common.tplvalues.render" (dict "value" .Values.dex.extraEnvVars "context" $) | nindent 12 }}
+            {{- end }}
+          envFrom:
+            {{- if .Values.dex.extraEnvVarsCM }}
+            - configMapRef:
+                name: {{ include "common.tplvalues.render" (dict "value" .Values.dex.extraEnvVarsCM "context" $) }}
+            {{- end }}
+            {{- if .Values.dex.extraEnvVarsSecret }}
+            - secretRef:
+                name: {{ include "common.tplvalues.render" (dict "value" .Values.dex.extraEnvVarsSecret "context" $) }}
+            {{- end }}
+          {{- if .Values.dex.resources }}
+          resources: {{- toYaml .Values.dex.resources | nindent 12 }}
+          {{- else if ne .Values.dex.resourcesPreset "none" }}
+          resources: {{- include "common.resources.preset" (dict "type" .Values.dex.resourcesPreset) | nindent 12 }}
+          {{- end }}
+          {{- if .Values.dex.customStartupProbe }}
+          startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.dex.customStartupProbe "context" $) | nindent 12 }}
+          {{- else if .Values.dex.startupProbe.enabled }}
+          startupProbe:
+            httpGet:
+              path: /dex/.well-known/openid-configuration
+              port: http
+            initialDelaySeconds: {{ .Values.dex.startupProbe.initialDelaySeconds }}
+            periodSeconds: {{ .Values.dex.startupProbe.periodSeconds }}
+            timeoutSeconds: {{ .Values.dex.startupProbe.timeoutSeconds }}
+            successThreshold: {{ .Values.dex.startupProbe.successThreshold }}
+            failureThreshold: {{ .Values.dex.startupProbe.failureThreshold }}
+          {{- end }}
+          {{- if .Values.dex.customLivenessProbe }}
+          livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.dex.customLivenessProbe "context" $) | nindent 12 }}
+          {{- else if .Values.dex.livenessProbe.enabled }}
+          livenessProbe:
+            httpGet:
+              path: /dex/.well-known/openid-configuration
+              port: http
+            initialDelaySeconds: {{ .Values.dex.livenessProbe.initialDelaySeconds }}
+            periodSeconds: {{ .Values.dex.livenessProbe.periodSeconds }}
+            timeoutSeconds: {{ .Values.dex.livenessProbe.timeoutSeconds }}
+            successThreshold: {{ .Values.dex.livenessProbe.successThreshold }}
+            failureThreshold: {{ .Values.dex.livenessProbe.failureThreshold }}
+          {{- end }}
+          {{- if .Values.dex.customReadinessProbe }}
+          readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.dex.customReadinessProbe "context" $) | nindent 12 }}
+          {{- else if .Values.dex.readinessProbe.enabled }}
+          readinessProbe:
+            httpGet:
+              path: /dex/.well-known/openid-configuration
+              port: http
+            initialDelaySeconds: {{ .Values.dex.readinessProbe.initialDelaySeconds }}
+            periodSeconds: {{ .Values.dex.readinessProbe.periodSeconds }}
+            timeoutSeconds: {{ .Values.dex.readinessProbe.timeoutSeconds }}
+            successThreshold: {{ .Values.dex.readinessProbe.successThreshold }}
+            failureThreshold: {{ .Values.dex.readinessProbe.failureThreshold }}
+          {{- end }}
+          volumeMounts:
+            - name: empty-dir
+              mountPath: /shared
+              subPath: app-static-dir
+            - name: empty-dir
+              mountPath: /tmp
+              subPath: tmp-dir
+            - name: config
+              mountPath: /data/conf
+          {{- if .Values.dex.extraVolumeMounts }}
+          {{- include "common.tplvalues.render" (dict "value" .Values.dex.extraVolumeMounts "context" $) | nindent 12 }}
+          {{- end }}
+        {{- if .Values.dex.sidecars }}
+        {{- include "common.tplvalues.render" ( dict "value" .Values.dex.sidecars "context" $) | nindent 8 }}
+        {{- end }}
+      volumes:
+        - name: empty-dir
+          emptyDir: {}
+        - name: config
+          secret:
+            secretName: {{ include "chainloop.dex.fullname" . }}-config
+        {{- if .Values.dex.extraVolumes }}
+        {{- include "common.tplvalues.render" (dict "value" .Values.dex.extraVolumes "context" $) | nindent 8 }}
+        {{- end }}
+{{- end }}
--- a/bitnami/chainloop/templates/dex/metrics-svc.yaml
+++ b/bitnami/chainloop/templates/dex/metrics-svc.yaml
@@ -0,0 +1,53 @@
+{{- /*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- if and .Values.development .Values.dex.metrics.enabled }}
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "chainloop.dex" . }}-metrics
+  namespace: {{ include "common.names.namespace" . | quote }}
+  {{- $versionLabel := dict "app.kubernetes.io/version" ( include "common.images.version" ( dict "imageRoot" .Values.dex.image "chart" .Chart ) ) }}
+  {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonLabels $versionLabel ) "context" . ) }}
+  labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }}
+    app.kubernetes.io/component: dex
+  {{- if or .Values.commonAnnotations .Values.dex.metrics.service.annotations }}
+  {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.dex.metrics.service.annotations .Values.commonAnnotations ) "context" . ) }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }}
+  {{- end }}
+spec:
+  type: {{ .Values.dex.metrics.service.type }}
+  {{- if and .Values.dex.metrics.service.clusterIP (eq .Values.dex.metrics.service.type "ClusterIP") }}
+  clusterIP: {{ .Values.dex.metrics.service.clusterIP }}
+  {{- end }}
+  {{- if (or (eq .Values.dex.metrics.service.type "LoadBalancer") (eq .Values.dex.metrics.service.type "NodePort")) }}
+  externalTrafficPolicy: {{ .Values.dex.metrics.service.externalTrafficPolicy | quote }}
+  {{- end }}
+  {{- if eq .Values.dex.metrics.service.type "LoadBalancer" }}
+  loadBalancerSourceRanges: {{ .Values.dex.metrics.service.loadBalancerSourceRanges }}
+  {{- end }}
+  {{- if (and (eq .Values.dex.metrics.service.type "LoadBalancer") (not (empty .Values.dex.metrics.service.loadBalancerIP))) }}
+  loadBalancerIP: {{ .Values.dex.metrics.service.loadBalancerIP }}
+  {{- end }}
+  {{- if .Values.dex.metrics.service.sessionAffinity }}
+  sessionAffinity: {{ .Values.dex.metrics.service.sessionAffinity }}
+  {{- end }}
+  {{- if .Values.dex.metrics.service.sessionAffinityConfig }}
+  sessionAffinityConfig: {{- include "common.tplvalues.render" (dict "value" .Values.dex.metrics.service.sessionAffinityConfig "context" $) | nindent 4 }}
+  {{- end }}
+  ports:
+    - name: metrics
+      port: {{ coalesce .Values.dex.metrics.service.port .Values.dex.metrics.service.ports.metrics }}
+      targetPort: metrics
+      protocol: TCP
+      {{- if (and (or (eq .Values.dex.service.type "NodePort") (eq .Values.dex.service.type "LoadBalancer")) (not (empty (coalesce .Values.dex.metrics.service.nodePort .Values.dex.metrics.service.nodePorts.metrics)))) }}
+      nodePort: {{ coalesce .Values.dex.metrics.service.nodePort .Values.dex.metrics.service.nodePorts.metrics }}
+      {{- else if eq .Values.dex.metrics.service.type "ClusterIP" }}
+      nodePort: null
+      {{- end }}
+  {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.dex.podLabels .Values.commonLabels ) "context" . ) }}
+  selector: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 4 }}
+    app.kubernetes.io/component: dex
+{{- end }}
--- a/bitnami/chainloop/templates/dex/networkpolicy.yaml
+++ b/bitnami/chainloop/templates/dex/networkpolicy.yaml
@@ -0,0 +1,88 @@
+{{- /*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- if and .Values.development .Values.dex.networkPolicy.enabled }}
+kind: NetworkPolicy
+apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }}
+metadata:
+  name: {{ include "chainloop.dex" . }}
+  namespace: {{ include "common.names.namespace" . | quote }}
+  labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
+    app.kubernetes.io/component: dex
+  {{- if .Values.commonAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+  {{- end }}
+spec:
+  {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.dex.podLabels .Values.commonLabels ) "context" . ) }}
+  podSelector:
+    matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }}
+      app.kubernetes.io/component: dex
+  policyTypes:
+    - Ingress
+    - Egress
+  {{- if .Values.dex.networkPolicy.allowExternalEgress }}
+  egress:
+    - {}
+  {{- else }}
+  egress:
+    - ports:
+        # Allow dns resolution
+        - port: 53
+          protocol: UDP
+        - port: 53
+          protocol: TCP
+        # Allow access to kube-apicontroller
+        {{- range $port := .Values.dex.networkPolicy.kubeAPIServerPorts }}
+        - port: {{ $port }}
+        {{- end }}
+    # Allow outbound connections to repo server
+    - ports:
+        - port: {{ .Values.controlplane.containerPorts.grpc }}
+      to:
+        - podSelector:
+            matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }}
+              app.kubernetes.io/component: repo-server
+    # Allow outbound connections to server
+    - ports:
+        - port: {{ .Values.controlplane.containerPorts.http }}
+      to:
+        - podSelector:
+            matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }}
+              app.kubernetes.io/component: server
+    {{- if .Values.dex.networkPolicy.extraEgress }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.dex.networkPolicy.extraEgress "context" $ ) | nindent 4 }}
+    {{- end }}
+  {{- end }}
+  ingress:
+    - ports:
+        - port: {{ .Values.dex.containerPorts.http }}
+        - port: {{ .Values.dex.containerPorts.grpc }}
+        - port: {{ .Values.dex.containerPorts.metrics }}
+      {{- if not .Values.dex.networkPolicy.allowExternal }}
+      from:
+        - podSelector:
+            matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 14 }}
+        - podSelector:
+            matchLabels:
+              {{ include "chainloop.dex" . }}-client: "true"
+        {{- if .Values.dex.networkPolicy.ingressNSMatchLabels }}
+        - namespaceSelector:
+            matchLabels:
+              {{- range $key, $value := .Values.dex.networkPolicy.ingressNSMatchLabels }}
+              {{ $key | quote }}: {{ $value | quote }}
+              {{- end }}
+          {{- if .Values.dex.networkPolicy.ingressNSPodMatchLabels }}
+          podSelector:
+            matchLabels:
+              {{- range $key, $value := .Values.dex.networkPolicy.ingressNSPodMatchLabels }}
+              {{ $key | quote }}: {{ $value | quote }}
+              {{- end }}
+          {{- end }}
+        {{- end }}
+      {{- end }}
+    {{- if .Values.dex.networkPolicy.extraIngress }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.dex.networkPolicy.extraIngress "context" $ ) | nindent 4 }}
+    {{- end }}
+{{- end }}
--- a/bitnami/chainloop/templates/dex/pdb.yaml
+++ b/bitnami/chainloop/templates/dex/pdb.yaml
@@ -0,0 +1,28 @@
+{{- /*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- if and .Values.development .Values.dex.pdb.create }}
+apiVersion: {{ include "common.capabilities.policy.apiVersion" . }}
+kind: PodDisruptionBudget
+metadata:
+  name: {{ include "chainloop.dex" . }}
+  namespace: {{ include "common.names.namespace" . | quote }}
+  labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
+    app.kubernetes.io/component: dex
+  {{- if .Values.commonAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+  {{- end }}
+spec:
+  {{- if .Values.dex.pdb.minAvailable }}
+  minAvailable: {{ .Values.dex.pdb.minAvailable }}
+  {{- end  }}
+  {{- if or .Values.dex.pdb.maxUnavailable (not .Values.dex.pdb.minAvailable) }}
+  maxUnavailable: {{ .Values.dex.pdb.maxUnavailable | default 1 }}
+  {{- end  }}
+  {{- $podLabels := include "common.tplvalues.merge" (dict "values" (list .Values.dex.podLabels .Values.commonLabels) "context" .) }}
+  selector:
+    matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 6 }}
+      app.kubernetes.io/component: dex
+{{- end }}
--- a/bitnami/chainloop/templates/dex/role.yaml
+++ b/bitnami/chainloop/templates/dex/role.yaml
@@ -0,0 +1,28 @@
+{{- /*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- if and .Values.development .Values.rbac.create }}
+kind: Role
+apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }}
+metadata:
+  name: {{ include "chainloop.dex" . }}
+  namespace: {{ include "common.names.namespace" . | quote }}
+  {{- $versionLabel := dict "app.kubernetes.io/version" ( include "common.images.version" ( dict "imageRoot" .Values.dex.image "chart" .Chart ) ) }}
+  {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonLabels $versionLabel ) "context" . ) }}
+  labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }}
+  {{- if .Values.commonAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+  {{- end }}
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - secrets
+      - configmaps
+    verbs:
+      - get
+      - list
+      - watch
+{{- end }}
--- a/bitnami/chainloop/templates/dex/rolebinding.yaml
+++ b/bitnami/chainloop/templates/dex/rolebinding.yaml
@@ -0,0 +1,25 @@
+{{- /*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- if and .Values.development .Values.dex.serviceAccount.create .Values.rbac.create }}
+kind: RoleBinding
+apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }}
+metadata:
+  name: {{ include "chainloop.dex" . }}
+  namespace: {{ include "common.names.namespace" . | quote }}
+  {{- $versionLabel := dict "app.kubernetes.io/version" ( include "common.images.version" ( dict "imageRoot" .Values.dex.image "chart" .Chart ) ) }}
+  {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonLabels $versionLabel ) "context" . ) }}
+  labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }}
+  {{- if .Values.commonAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+  {{- end }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "chainloop.dex.serviceAccountName" . }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ include "chainloop.dex" . }}
+{{- end }}
--- a/bitnami/chainloop/templates/dex/secret.yaml
+++ b/bitnami/chainloop/templates/dex/secret.yaml
@@ -0,0 +1,44 @@
+{{- /*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- if .Values.development }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "chainloop.dex.fullname" . }}-config
+  namespace: {{ include "common.names.namespace" . | quote }}
+  labels: {{- include "common.labels.standard" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 4 }}
+    app.kubernetes.io/component: dex
+  {{- if .Values.commonAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+  {{- end }}
+type: Opaque
+stringData:
+  config.yaml: |
+    issuer: http://{{ include "chainloop.dex" . }}:{{ .Values.dex.containerPorts.http }}/dex
+
+    storage:
+      type: memory
+
+    web:
+      http: 0.0.0.0:{{ .Values.dex.containerPorts.http }}
+
+    staticClients:
+      - id: chainloop-dev
+        name: "Chainloop Dev"
+        secret: ZXhhbXBsZS1hcHAtc2VjcmV0
+        redirectURIs:
+          - "http://0.0.0.0:8000/auth/callback"
+          - "http://localhost:8000/auth/callback"
+          {{ $controlPlaneUrl := include "chainloop.controlplane.external_url" . }}
+          {{- if not (eq $controlPlaneUrl "null") -}}
+          - "{{ $controlPlaneUrl }}/auth/callback"
+          {{- end -}}
+
+    # required to enable static passwords
+    enablePasswordDB: true
+
+    staticPasswords: {{- include "common.tplvalues.render" ( dict "value" .Values.dex.staticUsers "context" $ ) | nindent 6 }}
+{{- end }}
--- a/bitnami/chainloop/templates/dex/service-account.yaml
+++ b/bitnami/chainloop/templates/dex/service-account.yaml
@@ -0,0 +1,21 @@
+{{- /*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- if and .Values.development .Values.dex.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "chainloop.dex.serviceAccountName" . }}
+  namespace: {{ include "common.names.namespace" . | quote }}
+  {{- $versionLabel := dict "app.kubernetes.io/version" ( include "common.images.version" ( dict "imageRoot" .Values.dex.image "chart" .Chart ) ) }}
+  {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonLabels $versionLabel ) "context" . ) }}
+  labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }}
+    app.kubernetes.io/component: dex
+  {{- if or .Values.dex.serviceAccount.annotations .Values.commonAnnotations }}
+  {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.dex.serviceAccount.annotations .Values.commonAnnotations ) "context" . ) }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }}
+  {{- end }}
+automountServiceAccountToken: {{ .Values.dex.serviceAccount.automountServiceAccountToken }}
+{{- end }}
--- a/bitnami/chainloop/templates/dex/service.yaml
+++ b/bitnami/chainloop/templates/dex/service.yaml
@@ -0,0 +1,65 @@
+{{- /*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- if .Values.development }}
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "chainloop.dex" . }}
+  namespace: {{ include "common.names.namespace" . | quote }}
+  {{- $versionLabel := dict "app.kubernetes.io/version" ( include "common.images.version" ( dict "imageRoot" .Values.dex.image "chart" .Chart ) ) }}
+  {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonLabels $versionLabel ) "context" . ) }}
+  labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }}
+    app.kubernetes.io/component: dex
+  {{- if or .Values.commonAnnotations .Values.dex.service.annotations }}
+  {{- $annotations := include "common.tplvalues.merge" ( dict "values" ( list .Values.dex.service.annotations .Values.commonAnnotations ) "context" . ) }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" $annotations "context" $) | nindent 4 }}
+  {{- end }}
+spec:
+  type: {{ .Values.dex.service.type }}
+  {{- if and .Values.dex.service.clusterIP (eq .Values.dex.service.type "ClusterIP") }}
+  clusterIP: {{ .Values.dex.service.clusterIP }}
+  {{- end }}
+  {{- if (or (eq .Values.dex.service.type "LoadBalancer") (eq .Values.dex.service.type "NodePort")) }}
+  externalTrafficPolicy: {{ .Values.dex.service.externalTrafficPolicy | quote }}
+  {{- end }}
+  {{- if eq .Values.dex.service.type "LoadBalancer" }}
+  loadBalancerSourceRanges: {{ .Values.dex.service.loadBalancerSourceRanges }}
+  {{- end }}
+  {{- if (and (eq .Values.dex.service.type "LoadBalancer") (not (empty .Values.dex.service.loadBalancerIP))) }}
+  loadBalancerIP: {{ .Values.dex.service.loadBalancerIP }}
+  {{- end }}
+  {{- if .Values.dex.service.sessionAffinity }}
+  sessionAffinity: {{ .Values.dex.service.sessionAffinity }}
+  {{- end }}
+  {{- if .Values.dex.service.sessionAffinityConfig }}
+  sessionAffinityConfig: {{- include "common.tplvalues.render" (dict "value" .Values.dex.service.sessionAffinityConfig "context" $) | nindent 4 }}
+  {{- end }}
+  ports:
+    - name: http
+      port: {{ .Values.dex.service.ports.http }}
+      targetPort: http
+      protocol: TCP
+      {{- if (and (or (eq .Values.dex.service.type "NodePort") (eq .Values.dex.service.type "LoadBalancer")) (not (empty .Values.dex.service.nodePorts.http))) }}
+      nodePort: {{ .Values.dex.service.nodePorts.http }}
+      {{- else if eq .Values.dex.service.type "ClusterIP" }}
+      nodePort: null
+      {{- end }}
+    - name: grpc
+      port: {{ .Values.dex.service.ports.grpc }}
+      targetPort: grpc
+      protocol: TCP
+      {{- if (and (or (eq .Values.dex.service.type "NodePort") (eq .Values.dex.service.type "LoadBalancer")) (not (empty .Values.dex.service.nodePorts.grpc))) }}
+      nodePort: {{ .Values.dex.service.nodePorts.grpc }}
+      {{- else if eq .Values.dex.service.type "ClusterIP" }}
+      nodePort: null
+      {{- end }}
+    {{- if .Values.dex.service.extraPorts }}
+    {{- include "common.tplvalues.render" (dict "value" .Values.dex.service.extraPorts "context" $) | nindent 4 }}
+    {{- end }}
+  {{- $podLabels := include "common.tplvalues.merge" ( dict "values" ( list .Values.dex.podLabels .Values.commonLabels ) "context" . ) }}
+  selector: {{- include "common.labels.matchLabels" ( dict "customLabels" $podLabels "context" $ ) | nindent 4 }}
+    app.kubernetes.io/component: dex
+{{- end }}
--- a/bitnami/chainloop/templates/dex/servicemonitor.yaml
+++ b/bitnami/chainloop/templates/dex/servicemonitor.yaml
@@ -0,0 +1,49 @@
+{{- /*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- if and .Values.development .Values.dex.metrics.enabled .Values.dex.metrics.serviceMonitor.enabled }}
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: {{ include "chainloop.dex" . }}
+  namespace: {{ default include ( "common.names.namespace" . ) .Values.dex.metrics.serviceMonitor.namespace | quote }}
+  {{- $versionLabel := dict "app.kubernetes.io/version" ( include "common.images.version" ( dict "imageRoot" .Values.dex.image "chart" .Chart ) ) }}
+  {{- $labels := include "common.tplvalues.merge" ( dict "values" ( list .Values.commonLabels $versionLabel ) "context" . ) }}
+  labels: {{- include "common.labels.standard" ( dict "customLabels" $labels "context" $ ) | nindent 4 }}
+    {{- if .Values.dex.metrics.serviceMonitor.selector }}
+    {{- include "common.tplvalues.render" (dict "value" .Values.dex.metrics.serviceMonitor.selector "context" $) | nindent 4 }}
+    {{- end }}
+    app.kubernetes.io/component: dex
+  {{- if .Values.commonAnnotations }}
+  annotations: {{- include "common.tplvalues.render" (dict "value" .Values.commonAnnotations "context" $) | nindent 4 }}
+  {{- end }}
+spec:
+  jobLabel: {{ .Values.dex.metrics.serviceMonitor.jobLabel | quote }}
+  endpoints:
+    - port: http-metrics
+      path: /metrics
+      {{- if .Values.dex.metrics.serviceMonitor.interval }}
+      interval: {{ .Values.dex.metrics.serviceMonitor.interval }}
+      {{- end }}
+      {{- if .Values.dex.metrics.serviceMonitor.scrapeTimeout }}
+      scrapeTimeout: {{ .Values.dex.metrics.serviceMonitor.scrapeTimeout }}
+      {{- end }}
+      {{- if .Values.dex.metrics.serviceMonitor.honorLabels }}
+      honorLabels: {{ .Values.dex.metrics.serviceMonitor.honorLabels }}
+      {{- end }}
+      {{- if .Values.dex.metrics.serviceMonitor.metricRelabelings }}
+      metricRelabelings: {{- include "common.tplvalues.render" ( dict "value" .Values.dex.metrics.serviceMonitor.metricRelabelings "context" $) | nindent 8 }}
+      {{- end }}
+      {{- if .Values.dex.metrics.serviceMonitor.relabelings }}
+      relabelings: {{- include "common.tplvalues.render" ( dict "value" .Values.dex.metrics.serviceMonitor.relabelings "context" $) | nindent 8 }}
+      {{- end }}
+  namespaceSelector:
+    matchNames:
+      - {{ include "common.names.namespace" . }}
+  selector:
+    matchLabels: {{- include "common.labels.matchLabels" ( dict "customLabels" .Values.commonLabels "context" $ ) | nindent 6 }}
+      app.kubernetes.io/component: dex
+{{- end }}
+
--- a/bitnami/chainloop/templates/extra-list.yaml
+++ b/bitnami/chainloop/templates/extra-list.yaml
@@ -0,0 +1,9 @@
+{{- /*
+Copyright Broadcom, Inc. All Rights Reserved.
+SPDX-License-Identifier: APACHE-2.0
+*/}}
+
+{{- range .Values.extraDeploy }}
+---
+{{ include "common.tplvalues.render" (dict "value" . "context" $) }}
+{{- end }}
--- a/bitnami/chainloop/values.yaml
+++ b/bitnami/chainloop/values.yaml