diff --git a/helm/dbrepo/Chart.lock b/helm/dbrepo/Chart.lock
index 1dca92612fdef3f2c5e5b3b0163b664b18d01d82..edc00037f5219098a25e16c6cf978acc92b62c2e 100644
--- a/helm/dbrepo/Chart.lock
+++ b/helm/dbrepo/Chart.lock
@@ -7,18 +7,15 @@ dependencies:
   version: 21.6.1
 - name: mariadb
   repository: https://charts.bitnami.com/bitnami
-  version: 14.1.4
+  version: 19.0.3
 - name: mariadb-galera
   repository: https://charts.bitnami.com/bitnami
-  version: 10.1.3
+  version: 13.2.3
 - name: rabbitmq
   repository: https://charts.bitnami.com/bitnami
-  version: 14.0.0
-- name: tusd
-  repository: https://charts.sagikazarmark.dev
-  version: 0.1.2
+  version: 14.4.2
 - name: openldap-stack-ha
   repository: https://jp-gouin.github.io/helm-openldap/
   version: 4.2.5
-digest: sha256:d22946b1f2caf2daabe045afe08a892d609a9ed1e4c12d6dbf70014f3272aedc
-generated: "2024-07-30T21:10:24.891252492+02:00"
+digest: sha256:0e5b13ddfd50c6d7b22de57db4b9c15401aa25c447b274567209083481a104f2
+generated: "2024-07-31T21:17:50.377126847+02:00"
diff --git a/helm/dbrepo/Chart.yaml b/helm/dbrepo/Chart.yaml
index 7b37d25f8a9009c4f7fea507ccae1745d1c822e6..f6a537ce7e48a4b6b12414e929471a5b829ea95d 100644
--- a/helm/dbrepo/Chart.yaml
+++ b/helm/dbrepo/Chart.yaml
@@ -28,24 +28,19 @@ dependencies:
     condition: authservice.enabled
   - name: mariadb
     alias: datadb
-    version: 14.1.4  # app version: 11.1.3
+    version: 19.0.3
     repository: https://charts.bitnami.com/bitnami
     condition: datadb.enabled
   - name: mariadb-galera
     alias: metadatadb
-    version: 10.1.3  # app version: 11.1.3
+    version: 13.2.3
     repository: https://charts.bitnami.com/bitnami
     condition: metadatadb.enabled
   - name: rabbitmq
     alias: brokerservice
-    version: 14.0.0
+    version: 14.4.2
     repository: https://charts.bitnami.com/bitnami
     condition: brokerservice.enabled
-  - name: tusd
-    alias: uploadservice
-    version: 0.1.2
-    repository: https://charts.sagikazarmark.dev
-    condition: uploadservice.enabled
   - name: openldap-stack-ha
     alias: identityservice
     version: 4.2.5
diff --git a/helm/dbrepo/charts/mariadb-14.1.4.tgz b/helm/dbrepo/charts/mariadb-14.1.4.tgz
deleted file mode 100644
index 83f470bdcade4fdfc13b0d1f4f46095b877e3bcd..0000000000000000000000000000000000000000
Binary files a/helm/dbrepo/charts/mariadb-14.1.4.tgz and /dev/null differ
diff --git a/helm/dbrepo/charts/mariadb-19.0.3.tgz b/helm/dbrepo/charts/mariadb-19.0.3.tgz
new file mode 100644
index 0000000000000000000000000000000000000000..8de5085544fbe5098783b9149ff506bd72e0a60e
Binary files /dev/null and b/helm/dbrepo/charts/mariadb-19.0.3.tgz differ
diff --git a/helm/dbrepo/charts/mariadb-galera-10.1.3.tgz b/helm/dbrepo/charts/mariadb-galera-10.1.3.tgz
deleted file mode 100644
index c906aaf7634b20f0eaf9358b435b01086bdc4f55..0000000000000000000000000000000000000000
Binary files a/helm/dbrepo/charts/mariadb-galera-10.1.3.tgz and /dev/null differ
diff --git a/helm/dbrepo/charts/mariadb-galera-13.2.3.tgz b/helm/dbrepo/charts/mariadb-galera-13.2.3.tgz
new file mode 100644
index 0000000000000000000000000000000000000000..01633c7fa452fd12b0eb071a2cdf448909272e46
Binary files /dev/null and b/helm/dbrepo/charts/mariadb-galera-13.2.3.tgz differ
diff --git a/helm/dbrepo/charts/rabbitmq-14.0.0.tgz b/helm/dbrepo/charts/rabbitmq-14.0.0.tgz
deleted file mode 100644
index 39ea3aaef2a94fe507a08242bbfe37209eb9fa53..0000000000000000000000000000000000000000
Binary files a/helm/dbrepo/charts/rabbitmq-14.0.0.tgz and /dev/null differ
diff --git a/helm/dbrepo/charts/rabbitmq-14.4.2.tgz b/helm/dbrepo/charts/rabbitmq-14.4.2.tgz
new file mode 100644
index 0000000000000000000000000000000000000000..4527ae9df492f94a489938db7881faf8fb145296
Binary files /dev/null and b/helm/dbrepo/charts/rabbitmq-14.4.2.tgz differ
diff --git a/helm/dbrepo/charts/tusd-0.1.2.tgz b/helm/dbrepo/charts/tusd-0.1.2.tgz
deleted file mode 100644
index 61032d920f3e057c7826491088745b3087a01a79..0000000000000000000000000000000000000000
Binary files a/helm/dbrepo/charts/tusd-0.1.2.tgz and /dev/null differ
diff --git a/helm/dbrepo/templates/data-deployment.yaml b/helm/dbrepo/templates/data-deployment.yaml
index d46f6d6573e7b8703037bab3acf6fc9c63e31d59..ecfd391213423789ff1850c20cce2158a07a42fa 100644
--- a/helm/dbrepo/templates/data-deployment.yaml
+++ b/helm/dbrepo/templates/data-deployment.yaml
@@ -82,6 +82,8 @@ spec:
             periodSeconds: 30
           {{- if .Values.dataservice.resources }}
           resources: {{- toYaml .Values.dataservice.resources | nindent 12 }}
+          {{- else if .Values.resourcesWStorage }}
+          resources: {{- toYaml .Values.resourcesWStorage | nindent 12 }}
           {{- end }}
           volumeMounts: []
       volumes: []
diff --git a/helm/dbrepo/templates/metadata-deployment.yaml b/helm/dbrepo/templates/metadata-deployment.yaml
index f0f5b2eb3c4d137892294187ca14098d9f9f2e81..4254741ddd8d4ee5dc6d7b17a5d756a0dde2eee0 100644
--- a/helm/dbrepo/templates/metadata-deployment.yaml
+++ b/helm/dbrepo/templates/metadata-deployment.yaml
@@ -82,5 +82,7 @@ spec:
             periodSeconds: 30
           {{- if .Values.metadataservice.resources }}
           resources: {{- toYaml .Values.metadataservice.resources | nindent 12 }}
+          {{- else if .Values.resourcesWStorage }}
+          resources: {{- toYaml .Values.resources | nindent 12 }}
           {{- end }}
 {{- end }}
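Review bot: The added fallback in metadata-deployment.yaml tests `.Values.resourcesWStorage` but renders `.Values.resources`, so the condition and the rendered value can disagree. If `resourcesWStorage` is set and `resources` is not, the container would render with a null `resources` field and run without requests or limits. The parallel branch in data-deployment.yaml renders the value it tests. Use one value in both places, e.g. `resources: {{- toYaml .Values.resourcesWStorage | nindent 12 }}`, or change the condition to `.Values.resources` if the preset without ephemeral storage was intended.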
diff --git a/helm/dbrepo/templates/ui-deployment.yaml b/helm/dbrepo/templates/ui-deployment.yaml
index 64cea9bf103dd3c66446ba353528b9ddb96b42a7..4639e81dc6c590b2de88186be84f3655279ed295 100644
--- a/helm/dbrepo/templates/ui-deployment.yaml
+++ b/helm/dbrepo/templates/ui-deployment.yaml
@@ -40,87 +40,87 @@ spec:
               valueFrom:
                 secretKeyRef:
                   name: ui-secret
-                  key: public-api-server
+                  key: NUXT_PUBLIC_API_SERVER
             - name: NUXT_PUBLIC_API_CLIENT
               valueFrom:
                 secretKeyRef:
                   name: ui-secret
-                  key: public-api-server
+                  key: NUXT_PUBLIC_API_CLIENT
             - name: NUXT_PUBLIC_TITLE
               valueFrom:
                 secretKeyRef:
                   name: ui-secret
-                  key: public-title
+                  key: NUXT_PUBLIC_TITLE
             - name: NUXT_PUBLIC_LOGO
               valueFrom:
                 secretKeyRef:
                   name: ui-secret
-                  key: public-logo
+                  key: NUXT_PUBLIC_LOGO
             - name: NUXT_PUBLIC_ICON
               valueFrom:
                 secretKeyRef:
                   name: ui-secret
-                  key: public-icon
+                  key: NUXT_PUBLIC_ICON
             - name: NUXT_PUBLIC_TOUCH
               valueFrom:
                 secretKeyRef:
                   name: ui-secret
-                  key: public-touch
+                  key: NUXT_PUBLIC_TOUCH
             - name: NUXT_PUBLIC_BROKER_HOST
               valueFrom:
                 secretKeyRef:
                   name: ui-secret
-                  key: public-broker-host
+                  key: NUXT_PUBLIC_BROKER_HOST
             - name: NUXT_PUBLIC_BROKER_PORT
               valueFrom:
                 secretKeyRef:
                   name: ui-secret
-                  key: public-broker-port
+                  key: NUXT_PUBLIC_BROKER_PORT
             - name: NUXT_PUBLIC_BROKER_EXTRA
               valueFrom:
                 secretKeyRef:
                   name: ui-secret
-                  key: public-broker-extra
+                  key: NUXT_PUBLIC_BROKER_EXTRA
             - name: NUXT_PUBLIC_DATABASE_EXTRA
               valueFrom:
                 secretKeyRef:
                   name: ui-secret
-                  key: public-database-extra
+                  key: NUXT_PUBLIC_DATABASE_EXTRA
             - name: NUXT_PUBLIC_LINKS_KEYCLOAK_HREF
               valueFrom:
                 secretKeyRef:
                   name: ui-secret
-                  key: public-links-keycloak-href
+                  key: NUXT_PUBLIC_LINKS_KEYCLOAK_HREF
             - name: NUXT_PUBLIC_LINKS_KEYCLOAK_TEXT
               valueFrom:
                 secretKeyRef:
                   name: ui-secret
-                  key: public-links-keycloak-text
+                  key: NUXT_PUBLIC_LINKS_KEYCLOAK_TEXT
             - name: NUXT_PUBLIC_LINKS_RABBITMQ_HREF
               valueFrom:
                 secretKeyRef:
                   name: ui-secret
-                  key: public-links-rabbitmq-href
+                  key: NUXT_PUBLIC_LINKS_RABBITMQ_HREF
             - name: NUXT_PUBLIC_LINKS_RABBITMQ_TEXT
               valueFrom:
                 secretKeyRef:
                   name: ui-secret
-                  key: public-links-rabbitmq-text
+                  key: NUXT_PUBLIC_LINKS_RABBITMQ_TEXT
             - name: NUXT_PUBLIC_PID_DEFAULT_PUBLISHER
               valueFrom:
                 secretKeyRef:
                   name: ui-secret
-                  key: public-pid-default-publisher
+                  key: NUXT_PUBLIC_PID_DEFAULT_PUBLISHER
             - name: NUXT_PUBLIC_DOI_ENABLED
               valueFrom:
                 secretKeyRef:
                   name: ui-secret
-                  key: public-doi-enabled
+                  key: NUXT_PUBLIC_DOI_ENABLED
             - name: NUXT_PUBLIC_DOI_ENDPOINT
               valueFrom:
                 secretKeyRef:
                   name: ui-secret
-                  key: public-doi-endpoint
+                  key: NUXT_PUBLIC_DOI_ENDPOINT
           volumeMounts:
             {{- if .Values.ui.extraVolumeMounts }}
             {{- .Values.ui.extraVolumeMounts | toYaml | nindent 12 }}
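Review bot: Every `secretKeyRef.key` in this hunk now has to exist under its new upper-case name in `ui-secret`, and no file visible in this commit changes the template that defines that Secret. A key missing from the Secret leaves the pod in CreateContainerConfigError instead of failing at render time, so the Secret should be renamed in the same change and the result checked with `helm template`. Since each key now equals its environment variable name, the entries could be replaced by a single `envFrom` with a `secretRef` to `ui-secret`, which removes the chance of a copy-paste mismatch like the old `NUXT_PUBLIC_API_CLIENT` reading `public-api-server`. The `env` list starts above the hunk.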
diff --git a/helm/dbrepo/templates/upload-deployment.yaml b/helm/dbrepo/templates/upload-deployment.yaml
index 0e757b14e9c7fe66ec0b56153149db383fd2b200..85e3fc7ca05450328c2fae95bccd352c9851a401 100644
--- a/helm/dbrepo/templates/upload-deployment.yaml
+++ b/helm/dbrepo/templates/upload-deployment.yaml
@@ -40,8 +40,7 @@ spec:
             capabilities:
               drop:
                 - ALL
-          resources: 
-          {{- toYaml .Values.resources | nindent 12 }}
+          resources: {{- toYaml .Values.resources | nindent 12 }}
       containers:
         - name: upload-service
           image: "{{ .Values.uploadservice.image.repository }}:{{ .Values.uploadservice.image.tag }}"
@@ -72,8 +71,7 @@ spec:
                 secretKeyRef:
                   name: s3-dbrepo-upload-bucket-secret
                   key: AWS_REGION
-          resources: 
-          {{- toYaml .Values.resources | nindent 12 }}
+          resources: {{- toYaml .Values.resources | nindent 12 }}
       volumes:
         - name: tusd-data
           emptyDir: {}
diff --git a/helm/dbrepo/values.yaml b/helm/dbrepo/values.yaml
index 0d4ea185e72991a0e6b67258054c026c5a020a5b..316dcbb6b343e6f73c75a8948d0754edb9f43208 100644
--- a/helm/dbrepo/values.yaml
+++ b/helm/dbrepo/values.yaml
@@ -11,7 +11,35 @@ global:
       ## @param global.compatibility.openshift.adaptSecurityContext Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation)
       adaptSecurityContext: auto
   ## @param global.storageClass Global StorageClass for Persistent Volume(s)
-  storageClass: ""
+  storageClass: "rbd-storagepool-cluster"
+
+
+## resource limits required by ares cluster
+resources:
+  limits:
+    cpu: 500m
+    memory: 756Mi
+  requests:
+    cpu: 100m
+    memory: 256Mi
+
+resourcesWStorage:
+  limits:
+    cpu: 500m
+    ephemeral-storage: 50Mi
+    memory: 756Mi
+  requests:
+    cpu: 100m
+    ephemeral-storage: 20Mi
+    memory: 256Mi
+
+resourcesLittle:
+  limits:
+    cpu: 100m
+    memory: 512Mi
+  requests:
+    cpu: 50m
+    memory: 256Mi
 
 ## @section Common parameters
 
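Review bot: `global.storageClass` now defaults to the cluster-specific class `rbd-storagepool-cluster` (repeated under `metadatadb.global` in the next hunk), so an install on a cluster without that class leaves its PersistentVolumeClaims pending. Site settings like this are safer in a per-environment values file passed with `-f`, keeping `storageClass: ""` as the chart default. The new top-level `resources`, `resourcesWStorage` and `resourcesLittle` blocks also carry no `## @param` or `## @skip` annotation, unlike the rest of the file, and `resourcesLittle` is not referenced by any template shown in this commit.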
@@ -35,6 +63,11 @@ metadatadb:
   enabled: true
   ## @skip metadatadb.fullnameOverride
   fullnameOverride: metadata-db
+  global:
+    compatibility:
+      openshift:
+        adaptSecurityContext: force
+    storageClass: "rbd-storagepool-cluster"
   ## @param metadatadb.host The hostname for the microservices.
   host: metadata-db
   rootUser:
@@ -70,6 +103,27 @@ metadatadb:
   persistence:
     ## @param metadatadb.persistence.enabled Enable persistent storage.
     enabled: true
+  securityContext:
+    capabilities:
+      drop:
+        - ALL
+    runAsNonRoot: true
+    readOnlyRootFilesystem: true
+    allowPrivilegeEscalation: false
+    runAsUser: null
+  podSecurityContext:
+    runAsNonRoot: true
+    fsGroup: null
+    runAsUser: null
+  resources:
+    requests:
+      cpu: 50m
+      ephemeral-storage: 10Mi
+      memory: 512Mi
+    limits:
+      cpu: 150m
+      ephemeral-storage: 20Mi
+      memory: 768Mi
 
 ## @section Auth Service
 
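Review bot: The hardening added under `metadatadb.securityContext` may not reach the pod: as far as I know the Bitnami charts read container settings from `containerSecurityContext`, which is the key this same commit uses for `identityservice`. If the subchart ignores `securityContext`, the dropped capabilities, `readOnlyRootFilesystem` and `allowPrivilegeEscalation: false` are silently not applied; rendering with `helm template` and inspecting the StatefulSet would confirm it. `readOnlyRootFilesystem: true` on a database container also needs writable volumes for its data, temp and config paths, which this hunk does not show.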
@@ -126,6 +180,16 @@ authservice:
     - name: config-map
       mountPath: /opt/bitnami/keycloak/data/import
   ## @skip authservice.replicaCount The number of replicas.
+  resources:
+    requests:
+      cpu: 50m
+      ephemeral-storage: 10Mi
+      memory: 512Mi
+    limits:
+      cpu: 250m
+      ephemeral-storage: 10Mi
+      memory: 768Mi
+
   replicaCount: 2
 
 ## @section Data Database
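Review bot: The `resources` block is inserted between the `## @skip authservice.replicaCount` annotation and the `replicaCount: 2` key it documents, so the annotation now sits above `resources`; the brokerservice hunk does the same with `## @param brokerservice.replicaCount`. Move the block above the annotation in both places. The `ephemeral-storage` limit of `10Mi` is also very small for a container that writes logs or temp files, and exceeding it gets the pod evicted, so it is worth measuring real usage before enforcing it.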
@@ -148,8 +212,26 @@ datadb:
   metrics:
     ## @skip datadb.metrics.enabled
     enabled: true
+    resources:
+      requests:
+        cpu: 50m
+        ephemeral-storage: 10Mi
+        memory: 512Mi
+      limits:
+        cpu: 150m
+        ephemeral-storage: 10Mi
+        memory: 768Mi
   ## @skip datadb.primary
   primary:
+    resources:
+      requests:
+        cpu: 25m
+        ephemeral-storage: 10Mi
+        memory: 512Mi
+      limits:
+        cpu: 100m
+        ephemeral-storage: 10Mi
+        memory: 768Mi
     service:
       extraPorts:
         - name: "sidecar"
@@ -161,8 +243,8 @@ datadb:
         image: registry.datalab.tuwien.ac.at/dbrepo/data-db-sidecar:1.4.5
         imagePullPolicy: Always
         securityContext:
-          runAsUser: 1001
-          runAsGroup: 0
+          # runAsUser: 1001
+          # runAsGroup: 0
           runAsNonRoot: true
           allowPrivilegeEscalation: false
           seccompProfile:
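Review bot: Commenting out `runAsUser` and `runAsGroup` while keeping `runAsNonRoot: true` makes the chart defaults depend on the platform assigning a UID. The same edit is made for `uploadservice`, `analyseservice`, `metadataservice`, `dataservice`, `searchservice` and `ui`, where `fsGroup` and `sysctls` are commented out as well. On a cluster that does not inject a UID, the kubelet refuses to start a container whose image user is root or a non-numeric name, so these pods start only where something like an OpenShift SCC fills the value in. Keeping the numeric defaults and nulling them in a cluster-specific values file would serve both cases, and it avoids leaving commented-out keys under `## @param` lines that still describe them.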
@@ -170,6 +252,15 @@ datadb:
           capabilities:
             drop:
               - ALL
+        resources:
+          requests:
+            cpu: 25m
+            ephemeral-storage: 10Mi
+            memory: 512Mi
+          limits:
+            cpu: 100m
+            ephemeral-storage: 10Mi
+            memory: 768Mi
         ports:
           - name: "sidecar"
             containerPort: 8080
@@ -204,6 +295,15 @@ datadb:
         emptyDir: { }
     persistence:
       enabled: true
+  resources:
+    requests:
+      cpu: 25m
+      ephemeral-storage: 10Mi
+      memory: 512Mi
+    limits:
+      cpu: 100m
+      ephemeral-storage: 10Mi
+      memory: 768Mi
   ## @skip datadb.secondary
   secondary:
     replicaCount: 2
@@ -243,8 +343,8 @@ uploadservice:
   ## @skip uploadservice.securityContext
   securityContext:
     allowPrivilegeEscalation: false
-    runAsUser: 1000
-    runAsGroup: 1000
+    # runAsUser: 1000
+    # runAsGroup: 1000
     runAsNonRoot: true
     seccompProfile:
       type: RuntimeDefault
@@ -337,6 +437,15 @@ brokerservice:
     managerPortEnabled: true
     # loadBalancerIP:
   ## @param brokerservice.replicaCount The number of replicas.
+  resources:
+    requests:
+      cpu: 50m
+      ephemeral-storage: 10Mi
+      memory: 512Mi
+    limits:
+      cpu: 300m
+      ephemeral-storage: 100Mi
+      memory: 768Mi
   replicaCount: 1
 
 ## @section Analyse Service
@@ -358,20 +467,20 @@ analyseservice:
     ## @param analyseservice.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
     fsGroupChangePolicy: Always
     ## @param analyseservice.podSecurityContext.sysctls Set kernel settings using the sysctl interface
-    sysctls: [ ]
+    # sysctls: [ ]
     ## @param analyseservice.podSecurityContext.supplementalGroups Set filesystem extra groups
     supplementalGroups: [ ]
     ## @param analyseservice.podSecurityContext.fsGroup Set RabbitMQ pod's Security Context fsGroup
-    fsGroup: 1001
+    # fsGroup: 1001
   containerSecurityContext:
     ## @param analyseservice.containerSecurityContext.enabled Enabled containers' Security Context
     enabled: true
     ## @param analyseservice.containerSecurityContext.seLinuxOptions Set SELinux options in container
     seLinuxOptions: { }
     ## @param analyseservice.containerSecurityContext.runAsUser Set RabbitMQ containers' Security Context runAsUser
-    runAsUser: 1001
+    # runAsUser: 1001
     ## @param analyseservice.containerSecurityContext.runAsGroup Set RabbitMQ containers' Security Context runAsGroup
-    runAsGroup: 1001
+    # runAsGroup: 1001
     ## @param analyseservice.containerSecurityContext.runAsNonRoot Set RabbitMQ container's Security Context runAsNonRoot
     runAsNonRoot: true
     ## @param analyseservice.containerSecurityContext.allowPrivilegeEscalation Set container's privilege escalation
@@ -420,20 +529,20 @@ metadataservice:
     ## @param metadataservice.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
     fsGroupChangePolicy: Always
     ## @param metadataservice.podSecurityContext.sysctls Set kernel settings using the sysctl interface
-    sysctls: [ ]
+    # sysctls: [ ]
     ## @param metadataservice.podSecurityContext.supplementalGroups Set filesystem extra groups
     supplementalGroups: [ ]
     ## @param metadataservice.podSecurityContext.fsGroup Set RabbitMQ pod's Security Context fsGroup
-    fsGroup: 1001
+    # fsGroup: 1001
   containerSecurityContext:
     ## @param metadataservice.containerSecurityContext.enabled Enabled containers' Security Context
     enabled: true
     ## @param metadataservice.containerSecurityContext.seLinuxOptions Set SELinux options in container
     seLinuxOptions: { }
     ## @param metadataservice.containerSecurityContext.runAsUser Set RabbitMQ containers' Security Context runAsUser
-    runAsUser: 1001
+    # runAsUser: 1001
     ## @param metadataservice.containerSecurityContext.runAsGroup Set RabbitMQ containers' Security Context runAsGroup
-    runAsGroup: 1001
+    #รค runAsGroup: 1001
     ## @param metadataservice.containerSecurityContext.runAsNonRoot Set RabbitMQ container's Security Context runAsNonRoot
     runAsNonRoot: true
     ## @param metadataservice.containerSecurityContext.allowPrivilegeEscalation Set container's privilege escalation
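Review bot: The disabled line `#รค runAsGroup: 1001` has stray mis-encoded characters after the `#`, where the sibling sections have `# runAsGroup: 1001`. It is still a comment, so parsing is unaffected, but it should be corrected to `# runAsGroup: 1001` or removed.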
@@ -446,14 +555,13 @@ metadataservice:
     seccompProfile:
       ## @param metadataservice.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile
       type: "RuntimeDefault"
-  ## @skip metadataservice.resources
   resources:
     requests:
       cpu: 250m
       memory: 512Mi
     limits:
-      cpu: 1000m
-      memory: 2048Mi
+      cpu: 500m
+      memory: 1024Mi
   ## @param metadataservice.endpoint The Metadata Service endpoint.
   endpoint: http://metadata-service
   crossref:
@@ -486,16 +594,9 @@ metadataservice:
     ## @param metadataservice.sparql.connectionTimeout The connection timeout for sparql queries fetching remote data in ms.
     connectionTimeout: 10000
   s3:
-    ## @param metadataservice.s3.endpoint The S3-capable endpoint the microservice connects to.
-    endpoint: http://storage-service-s3:8333
     bucket:
       import: dbrepo-upload
       export: dbrepo-download
-    auth:
-      ## @param metadataservice.s3.auth.username The S3-capable endpoint username (or access key id).
-      username: seaweedfsadmin
-      ## @param metadataservice.s3.auth.password The S3-capable endpoint user password (or access key secret).
-      password: seaweedfsadmin
   ## @param metadataservice.replicaCount The number of replicas.
   replicaCount: 2
 
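Review bot: Removing the default `seaweedfsadmin` credentials and the S3 endpoint from `metadataservice.s3` (and from `dataservice.s3` in a later hunk) takes a known default password out of the chart, but no template change in this commit shows where the services now get those values. If any template still reads `.Values.metadataservice.s3.endpoint` or `.s3.auth.*`, it will render empty. The upload deployment's `s3-dbrepo-upload-bucket-secret` suggests a pre-created Secret is the intended source, which should be documented next to the remaining `bucket` keys. `dataservice.rabbitmq.consumer.password: admin` remains as a default in the context of the later hunk and deserves the same treatment.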
@@ -520,20 +621,20 @@ dataservice:
     ## @param dataservice.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
     fsGroupChangePolicy: Always
     ## @param dataservice.podSecurityContext.sysctls Set kernel settings using the sysctl interface
-    sysctls: [ ]
+    # sysctls: [ ]
     ## @param dataservice.podSecurityContext.supplementalGroups Set filesystem extra groups
     supplementalGroups: [ ]
     ## @param dataservice.podSecurityContext.fsGroup Set RabbitMQ pod's Security Context fsGroup
-    fsGroup: 1001
+    # fsGroup: 1001
   containerSecurityContext:
     ## @param dataservice.containerSecurityContext.enabled Enabled containers' Security Context
     enabled: true
     ## @param dataservice.containerSecurityContext.seLinuxOptions Set SELinux options in container
     seLinuxOptions: { }
     ## @param dataservice.containerSecurityContext.runAsUser Set RabbitMQ containers' Security Context runAsUser
-    runAsUser: 1001
+    # runAsUser: 1001
     ## @param dataservice.containerSecurityContext.runAsGroup Set RabbitMQ containers' Security Context runAsGroup
-    runAsGroup: 1001
+    # runAsGroup: 1001
     ## @param dataservice.containerSecurityContext.runAsNonRoot Set RabbitMQ container's Security Context runAsNonRoot
     runAsNonRoot: true
     ## @param dataservice.containerSecurityContext.allowPrivilegeEscalation Set container's privilege escalation
@@ -572,16 +673,9 @@ dataservice:
       ## @param dataservice.rabbitmq.consumer.password The user password for the consumer to read tuples from the broker service. In many cases this value is equal to `identityservice.userPasswords`.
       password: admin
   s3:
-    ## @param dataservice.s3.endpoint The S3-capable endpoint the microservice connects to.
-    endpoint: http://storage-service-s3:8333
     bucket:
       import: dbrepo-upload
       export: dbrepo-download
-    auth:
-      ## @param dataservice.s3.auth.username The S3-capable endpoint username (or access key id).
-      username: seaweedfsadmin
-      ## @param dataservice.s3.auth.password The S3-capable endpoint user password (or access key secret).
-      password: seaweedfsadmin
     ## @param dataservice.s3.filePath The local location to download/upload files from/to S3-capable endpoint.
     filePath: /s3
   ## @param dataservice.replicaCount The number of replicas.
@@ -608,20 +702,20 @@ searchservice:
     ## @param searchservice.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
     fsGroupChangePolicy: Always
     ## @param searchservice.podSecurityContext.sysctls Set kernel settings using the sysctl interface
-    sysctls: [ ]
+    # sysctls: [ ]
     ## @param searchservice.podSecurityContext.supplementalGroups Set filesystem extra groups
     supplementalGroups: [ ]
     ## @param searchservice.podSecurityContext.fsGroup Set RabbitMQ pod's Security Context fsGroup
-    fsGroup: 1001
+    # fsGroup: 1001
   containerSecurityContext:
     ## @param searchservice.containerSecurityContext.enabled Enabled containers' Security Context
     enabled: true
     ## @param searchservice.containerSecurityContext.seLinuxOptions Set SELinux options in container
     seLinuxOptions: { }
     ## @param searchservice.containerSecurityContext.runAsUser Set RabbitMQ containers' Security Context runAsUser
-    runAsUser: 1001
+    # runAsUser: 1001
     ## @param searchservice.containerSecurityContext.runAsGroup Set RabbitMQ containers' Security Context runAsGroup
-    runAsGroup: 1001
+    # runAsGroup: 1001
     ## @param searchservice.containerSecurityContext.runAsNonRoot Set RabbitMQ container's Security Context runAsNonRoot
     runAsNonRoot: true
     ## @param searchservice.containerSecurityContext.allowPrivilegeEscalation Set container's privilege escalation
@@ -634,14 +728,13 @@ searchservice:
     seccompProfile:
       ## @param searchservice.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile
       type: "RuntimeDefault"
-  ## @skip searchservice.resources
   resources:
     requests:
       cpu: 250m
       memory: 512Mi
     limits:
-      cpu: 1000m
-      memory: 2048Mi
+      cpu: 500m
+      memory: 1024Mi
   ## @skip searchservice.init
   init:
     image:
@@ -698,6 +791,19 @@ identityservice:
   enabled: true
   ## @skip identityservice.fullnameOverride
   fullnameOverride: identity-service
+  podSecurityContext:
+    runAsNonRoot: true
+    fsGroup: null
+    runAsUser: null
+  containerSecurityContext:
+    enabled: true
+    capabilities:
+      drop:
+        - ALL
+    runAsNonRoot: true
+    readOnlyRootFilesystem: true
+    allowPrivilegeEscalation: false
+    runAsUser: null #todo: does not overwrite
   global:
     ## @param identityservice.global.ldapDomain The LDAP domain name in domain "dbrepo.at" form or explicit in "dc=dbrepo,dc=at" form.
     ldapDomain: dc=dbrepo,dc=at
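Review bot: `runAsUser: null #todo: does not overwrite` ships a known-unresolved override: by the author's own remark the subchart's default UID is still rendered, so the pod does not get the platform-assigned UID the rest of this block aims for. Resolve it before merging or track it in an issue, and format the remark as `runAsUser: null  # TODO: null does not override the subchart default`. `readOnlyRootFilesystem: true` should also be verified against the OpenLDAP image, which may need writable paths that are not shown here.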
@@ -763,20 +869,20 @@ ui:
     ## @param ui.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
     fsGroupChangePolicy: Always
     ## @param ui.podSecurityContext.sysctls Set kernel settings using the sysctl interface
-    sysctls: [ ]
+    # sysctls: [ ]
     ## @param ui.podSecurityContext.supplementalGroups Set filesystem extra groups
     supplementalGroups: [ ]
     ## @param ui.podSecurityContext.fsGroup Set RabbitMQ pod's Security Context fsGroup
-    fsGroup: 1001
+    # fsGroup: 1001
   containerSecurityContext:
     ## @param ui.containerSecurityContext.enabled Enabled containers' Security Context
     enabled: true
     ## @param ui.containerSecurityContext.seLinuxOptions Set SELinux options in container
     seLinuxOptions: { }
     ## @param ui.containerSecurityContext.runAsUser Set RabbitMQ containers' Security Context runAsUser
-    runAsUser: 1001
+    # runAsUser: 1001
     ## @param ui.containerSecurityContext.runAsGroup Set RabbitMQ containers' Security Context runAsGroup
-    runAsGroup: 1001
+    # runAsGroup: 1001
     ## @param ui.containerSecurityContext.runAsNonRoot Set RabbitMQ container's Security Context runAsNonRoot
     runAsNonRoot: true
     ## @param ui.containerSecurityContext.allowPrivilegeEscalation Set container's privilege escalation
@@ -789,14 +895,13 @@ ui:
     seccompProfile:
       ## @param ui.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile
       type: "RuntimeDefault"
-  ## @skip ui.resources
   resources:
     requests:
       cpu: 250m
       memory: 512Mi
     limits:
-      cpu: 1000m
-      memory: 2048Mi
+      cpu: 500m
+      memory: 1024Mi
   public:
     api:
       ## @param ui.public.api.client The endpoint for the client api. Defaults to the value of `gateway`.
@@ -860,44 +965,30 @@ ui:
 ## @section Ingress
 
 ingress:
-  ## @param ingress.enabled Enable the ingress.
-  enabled: false
-  ## @param ingress.className The ingress class name.
+  enabled: true
   className: nginx
   tls:
-    ## @param ingress.tls.enabled Enable the ingress.
     enabled: true
-    ## @param ingress.tls.secretName The secret holding the SSL/TLS certificate. Needs to have keys `tls.crt` and `tls.key` and optionally `ca.crt`.
-    secretName: ingress-cert
+    secretName: dbrepo-ingress-tls-cert
   annotations:
-    ## @skip ingress.annotations.basic The ingress rules for proxying requests directly to services.
-    basic: { }
-    #      nginx.org/path-regex: "case_sensitive"
-    #      nginx.ingress.kubernetes.io/use-regex: "true"
-    #      cert-manager.io/cluster-issuer: letsencrypt-cluster-issuer
-    ## @skip ingress.annotations.rewriteApi The ingress rules for rewriting certain paths to /api/.
+    basic:
+#        cert-manager.io/cluster-issuer: letsencrypt-cluster-issuer
+      nginx.ingress.kubernetes.io/use-regex: "true"
     rewriteApi:
-      #      nginx.org/path-regex: "case_sensitive"
-      #      cert-manager.io/cluster-issuer: letsencrypt-cluster-issuer
+#        cert-manager.io/cluster-issuer: letsencrypt-cluster-issuer
       nginx.ingress.kubernetes.io/use-regex: "true"
       nginx.ingress.kubernetes.io/rewrite-target: /api/$1
-    ## @skip ingress.annotations.rewriteRoot The ingress rules for rewriting certain paths to /.
     rewriteRoot:
-      #      nginx.org/path-regex: "case_sensitive"
-      #      cert-manager.io/cluster-issuer: letsencrypt-cluster-issuer
+#        cert-manager.io/cluster-issuer: letsencrypt-cluster-issuer
       nginx.ingress.kubernetes.io/use-regex: "true"
       nginx.ingress.kubernetes.io/rewrite-target: /$1
-    ## @skip ingress.annotations.rewriteRootSecure The ingress rules for rewriting certain paths to / and force SSL/TLS encrypted traffic.
     rewriteRootSecure:
-      #      nginx.org/path-regex: "case_sensitive"
-      #      cert-manager.io/cluster-issuer: letsencrypt-cluster-issuer
+#        cert-manager.io/cluster-issuer: letsencrypt-cluster-issuer
       nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
       nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
       nginx.ingress.kubernetes.io/use-regex: "true"
       nginx.ingress.kubernetes.io/rewrite-target: /$1
-    ## @skip ingress.annotations.rewritePid The ingress rules for rewriting certain paths to /api/identifier/.
     rewritePid:
-      #      nginx.org/path-regex: "case_sensitive"
-      #      cert-manager.io/cluster-issuer: letsencrypt-cluster-issuer
+#        cert-manager.io/cluster-issuer: letsencrypt-cluster-issuer
       nginx.ingress.kubernetes.io/use-regex: "true"
       nginx.ingress.kubernetes.io/rewrite-target: /api/identifier/$1
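Review bot: `ingress.enabled` flips from `false` to `true` in the chart defaults, together with a site-specific `secretName: dbrepo-ingress-tls-cert`, so a plain install now publishes the services through the ingress without the operator opting in. Keep `enabled: false` as the default and set both values in the cluster's own values file. The hunk also deletes every `## @param` and `## @skip` annotation for the ingress keys. It leaves the `cert-manager.io/cluster-issuer` comments starting at column 0, which makes it unclear which mapping they belong to.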