Version: v1.1.x

PaletteAI 1.1.0 Release Notes

Summary

PaletteAI 1.1.0 is the stable GA release for the 1.1 line with Traefik as the default ingress controller, tenant-wide governance (settings sharing, GPU limits, admission rules, and Compute Pool deployments at tenant scope), and a redesigned Tenant Settings experience. Operators gain Profile Bundle import in the UI, Workload system outputs, Compute Pool feature flags for deployment wizards, and the PaletteAI CLI paletteai mirror command for airgapped image and pack staging. The stable cut finalizes controller and UI fixes since 1.0.7, including tenant-scoped AIWorkloads, model policy conditions, ComputePool status improvements, and removal of the disabled ingress-nginx defaults from the umbrella chart values.yaml.

Breaking Changes

The following breaking changes apply when upgrading to PaletteAI 1.1.0 from 1.0.x (baseline palette-ai/v1.0.7). Additional details on individual components are listed in the Full Component Release Notes section.

Traefik replaces ingress-nginx as the default bundled ingress controller. The ingress-nginx sub-chart remains in the mural chart but is disabled by default; installations that explicitly enable it continue to work. Helm-based installations that do not delegate Custom Resource Definition (CRD) management to Flux must install Traefik CRDs manually before upgrading from a PaletteAI version that used ingress-nginx (PaletteAI 1.1.0-rc.2 and older, including 1.0.x).
```
kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.6/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml
```
This is not required for all-in-one installations, or for environments where the Mural Helm release is managed using Flux with .spec.upgrade.crds set to CreateReplace.
Definition Revisions are named with a type prefix to disambiguate revisions when listed across resource types. Existing references such as definitionRef values in Workload Profiles and Workloads continue to resolve, but external automation that compares Definition Revision names verbatim must be updated. (Introduced in hue/v0.6.0 and canvas/v0.12.0.)
Profile Bundles authored in PaletteAI Studio use an updated schema. applicationProfile is renamed to workloadProfile, paletteProfile to clusterProfile, and the older compositions structure is replaced with InfrastructureVariants and AddonVariants to align with the ProfileBundle CRD. Bundles authored against the previous schema must be updated before import. (Introduced in hue/v0.12.0.)
deletionPolicy moves to the resource spec on App Deployments, Model Deployments, and Compute Pools (configured once per resource rather than per variant). The previous location is still read as a fallback; new manifests should set it at the spec level.
OpenAI integration removed from CRDs (mural-crds/v0.7.0). Migrate to supported integration types before upgrading CRDs.

Upgrade Notes

Prior to upgrading PaletteAI, obtain the latest version of the PaletteAI CLI and validate your environment via the following steps.

Non-GitOps

Dry-run the migration via the PaletteAI CLI against the cluster.
If the dry-run passes, perform the upgrade. PaletteAI applies all migrations on startup.
If the dry-run fails, review the failure summary and contact support before proceeding.

GitOps

Dry-run the cluster migration via the PaletteAI CLI.
If the cluster migration dry-run passes, dry-run the GitOps manifest migration via the CLI.
If the GitOps manifest migration dry-run passes, run the manifest migration via the CLI to update the Git repository manifests to use the new field shapes.
Upgrade PaletteAI. PaletteAI applies all migrations on startup; any objects not already updated by GitOps are migrated directly in etcd.
If any dry-run fails, review the failure summary and contact support before proceeding.

Upgrade Steps

Read Breaking changes before upgrading clusters or GitOps repos.
You must upgrade the mural-crds chart to 0.7.8 before upgrading the mural chart to 1.1.0.
Read Breaking Changes before upgrading clusters or GitOps repos.
Upgrade the mural-crds chart to 0.7.8 before upgrading the mural chart to 1.1.0. For detailed instructions on how to upgrade PaletteAI, refer to the PaletteAI upgrade guide.

For Helm-based installations that do not use FluxCD to manage the Mural Helm chart, you must manually install the Traefik Custom Resource Definitions (CRDs) before the upgrade. This is not required in AIO installations, or for environments where the Mural Helm release is managed using FluxCD and .spec.upgrade.crds is set to CreateReplace.

Before you upgrade, manually install the Traefik CRDs if you are upgrading from a Mural version that used ingress-nginx (PaletteAI 1.1.0-rc.2 and older, including 1.0.x).

kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.6/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml

Before upgrading from PaletteAI 1.0.x, manually install the Traefik CRDs using the command above when applicable.
Set global.instanceName on the hub before upgrading. The hub value propagates to spoke clusters so spoke metrics carry the unique PaletteAI installation name. This is required when multiple PaletteAI installations report metrics to the same Prometheus instance.
After upgrading, verify the migration state with the PaletteAI CLI paletteai migrate command. Migration state is tracked in a ConfigMap, so a failed migration can be retried without manual intervention. Refer to Migrations for more information.

Features

Tenant admins can now author Tenant-scoped configuration via new tabs on the Tenant Settings page. These configurations can be shared with selected Projects through sharedWithProjects and locked to prevent overrides at the Project level. This removes per-Project configuration drift and lets Tenant admins enforce a consistent policy across the organization. Refer to Create Tenants for setup details.
Tenant admins now have a central location at Tenant Settings to set model defaults across all Projects under a Tenant. If necessary, admins can allow per-Project overrides and view model settings from a Project's point of view.
PaletteAI now tracks GPU reservations at the Tenant scope, per-Project GPU limits, and oversubscription so Tenant-scoped and Project-scoped Compute Pools draw from separately delimited pools. Tenant admins can guarantee Project-level GPU allocations without one Project exhausting resources reserved for another.
Tenants can now configure admission rules that govern which namespaces workload resources may be created in on spoke clusters, with defaulting and validation applied through the PaletteAI controller. This is useful for restricting where Tenant-scoped workloads may run on shared spoke clusters.
A new Tenant Overview page summarizes Projects, compute footprint, and policy posture in a single view, allowing Tenant admins to assess the state of their organization at a glance.
Tenant admins can now define integrations (such as HuggingFace and NVIDIA) once at the Tenant scope and use the new Settings Ref tab in Tenant Settings to control which Projects may consume them and whether Projects may override the configured values. Effective settings expose the originating scope (Tenant or Project) so Project users can identify where each integration came from.
Cluster admins can now control which Compute Pool options appear in the App Deployment and Model Deployment wizards using eight new global.featureFlags Helm values. Four flags (enableCreateSharedComputePoolOnAppDeployment, enableCreateSharedComputePoolOnModelDeployment, enableCreateDedicatedComputePoolOnAppDeployment, enableCreateDedicatedComputePoolOnModelDeployment) gate whether end users can create new Compute Pools inline, and four flags (enableDeployAppToSharedComputePool, enableDeployAppToDedicatedComputePool, enableDeployModelToSharedComputePool, enableDeployModelToDedicatedComputePool) gate whether end users can deploy to existing shared or dedicated Compute Pools. This is useful for organizations that require all Compute Pools to be provisioned and selected through a separate, governed workflow.
Workloads now expose system outputs (such as Project name, Tenant name, hub instance name, and spoke cluster name) so Definitions can reference these values without operators wiring them in by hand. This is useful for naming, labels, and telemetry that need to vary by Project or cluster.
Profile Bundles are now displayed and edited consistently across the surfaces where they appear, including the App Deployment wizard, Compute Pool creation, the bundle list view, and the bundle drawer.
Profile Bundles can now be imported from a tarball directly in the PaletteAI UI. Additional enhancements allow base64 and offline logo support so Profile Bundle imagery renders correctly in air-gapped environments.
Operators can now clean up stale Workload Profile and Definition revisions without deleting the whole resource, reducing clutter in long-lived Projects.
The Definition editor center panel now auto-populates when editing Components.
Tenant admins can now clone a Project to stand up a new Project from a known-good baseline without rebuilding settings, integrations, and access.
Operators can now clone a custom Model Deployment from its view page, iterating on a deployment configuration without rebuilding it from scratch. Validation, steps, and pre-fill are handled across the wizard.
Operators can now clone a specific version of a Workload Profile directly from its view page, branching a Workload Profile without reconstructing variables and Profile Bundle references.
The PaletteAI UI now supports multiline variables through a dedicated text input field for values such as keys, certificates, and scripts that previously required workarounds.
Operators can now dry-run a Workload Profile, validating it before committing to a cluster and catching schema and reference errors early instead of at apply time.
The PaletteAI CLI now includes a mirror command with mirror export-images and mirror export-pack subcommands, plus --archive and --extra-image flags. The mirror command is the supported path for staging container images and Packs into air-gapped environments.
The PaletteAI CLI now includes a --version flag for support diagnostics.
paletteai studio import now accepts relative paths, supports infrastructure add-on imports, and populates ProfileBundle.tags, annotations, logo, and deletionPolicy at import time so imported bundles arrive with metadata intact rather than requiring a follow-up edit.
All Flux components now accept optional namespace overrides, and the system namespace is no longer hard-coded in chart values.

Improvements

The Compute Pool experience has been enhanced with additional tooltips, Resource Group Day-2 support, scaling policy visibility, GPU family drop-downs, and more.
The Workload Profile experience has been improved with an all-versions table, version revisit support, and clearer priority labels.
Additional safeguards are now in place when attempting to delete a Project, including a dialog window confirming Project deletion, warnings when a repository is in use, and per-Project permission checks.
The integration settings flow has been unified into a single Deployment settings form. Integration secret updates no longer persist masked values without re-entry, and explicit deletion of an integration also removes its secrets.
Profile Bundle filtering across the PaletteAI UI has been improved: invalid bundle combinations are blocked in the builder, infrastructure-typed bundles are omitted where they do not apply, and bundles are filtered by variant and Workload Profile type consistently.
Compute Pool Day-2 updates now persist Workload Profile variables for infrastructure-typed Profile Bundles, and Workload Profile variables sync with Profile Bundle variables on removal.
Scaling reliability has been improved with refined CPU and GPU Prometheus queries, deterministic compute ordering, allocated-node drift detection and correction, and Day-2 Compute Pool operations that no longer retrigger scaling cool-down periods.
The spoke controller now uses watches in place of timed reconciles, enabling faster reaction to spoke changes.
Tables in the PaletteAI UI now fill the available vertical space and keep their headers visible while scrolling. Login input heights have also been increased for accessibility.
The Project overview has been revamped with reusable generic filters in drawers and a refactored UX across overview cards.
App Deployment and Model Deployment overview pages now link directly to the associated Compute Pool.
Security has been hardened: axios has been updated to 1.15.1, nanoid has been replaced with crypto.randomUUID, Redux has been removed, and shared component dependencies have been bumped to clear CVEs flagged in the PaletteAI UI.
Audit log emission is now non-blocking, so audit pipeline pauses cannot stall the reconcile loop.
Controller error messages no longer expose API keys or JWT tokens in plain text.

Bug fixes

Fixed an issue that prevented Compute Pools from being created when selecting a Profile Bundle without Definition Revisions.
Fixed an issue where the Profile Bundle version dropdown did not render correctly in the Compute Pool creation wizard.
Fixed an issue where failed or deleting Compute Pools could be selected as an existing Compute Pool.
Fixed an issue where a Compute Pool could be marked as deleted before its underlying Palette cluster was fully deleted.
Fixed an issue where Compute Pool creation did not handle invalid settings correctly.
Fixed an issue where Compute Pool deletion did not handle pools that still had compute attached.
Fixed an issue where Workload Deployment Configs generated from pinned Workload Profile references did not load and persist variables correctly.
Fixed an issue where the Variables step did not handle Workload Profile references that include an @version suffix.
Fixed an issue where inline variables defined on a Profile Bundle were rejected.
Fixed an issue where Workload Profile variables did not override Profile Bundle variables in the documented direction.
Fixed an issue where Profile Bundle variable input was not validated before save.
Fixed an issue where condition messages from Workloads did not sync into the aggregated Workload Deployment status.
Fixed an issue where Workload Deployment overall failure was not determined from priority phases.
Fixed an issue where inapplicable Workload Deployment Config conditions were not pruned from status.
Fixed an issue where Model Deployments using NVIDIA NIMs did not handle their variables correctly.
Fixed an issue where Cluster Profile variables were not scoped per profile.
Fixed an issue where Palette pack type imports did not fall back to Open Container Initiative (OCI) registries when a NotFound response was returned.
Fixed an issue where Project deletion did not clean up the Project namespace.
Fixed an issue where protected Project namespaces could be deleted.
Fixed an issue where Project namespace resources did not apply scope and owner labels.
Fixed an issue where pre-existing Project namespaces were not patched with the correct Project and Tenant labels.
Fixed an issue where cross-Project namespace usage was not blocked with explicit validation.
Fixed an issue where Workloads could be created with invalid target Workload metadata.
Fixed an issue where a scaling policy could be configured for a single-node cluster.
Fixed an issue where Workload and Workload Deployment OCI artifacts were not garbage collected on deletion.
Fixed an issue where a Workload Deployment could not be deleted when its meta-reference Workload Profile was no longer present.
Fixed an issue where existing spoke namespaces were overwritten by Open Cluster Management (OCM) or Flux.
Fixed an issue where the spoke controller could not load objects when the Flux inventory was empty.
Fixed an issue that prevented spoke Workload deletion when the Deleting phase was not preserved during parsing.
Fixed an issue where Profile Bundle deletion failed when the Palette integration was missing.
Fixed an issue where the Project admin role was missing delete permissions.
Fixed an issue where dashboards could break when brand logos were served from external image hosts.
Fixed an issue where cluster details displayed an unknown intent.
Fixed an issue where Workload Profile types did not load consistently from both system and Project namespaces when creating, editing, or cloning Profile Bundles.
Fixed an issue where AIWorkload cluster variants were not validated by webhook.
Fixed an issue where Workload Profile homogeneity across shared variants was not enforced by webhook.
Fixed an issue where AddonVariant resources were not automatically named.
Fixed an issue where duplicate Workload Profiles could be created per variant.
Fixed an issue where shared clusters did not support multiple virtual IPs (VIPs).
Fixed an issue where the spoke controller read the Helm release secret from a mounted volume rather than the Kubernetes API.
Fixed an issue where variable inputs in the Workload Profile UI moved the cursor to the end after each keystroke.
Fixed an issue where context extensions did not resolve while rendering Definitions.
Fixed an issue where the Definition editor could corrupt CUE persisted from the UI.
Fixed an issue where Workloads could not be dry-run validated on hub-only clusters.
Fixed an issue where valid Pack archives were rejected during import because OCI manifests did not align with known-good archives.
Fixed an issue where inline counter badges did not render inline correctly.
Fixed an issue where drawer status display truncated long values.
Fixed an issue where Fleet overview card calculations reported incorrect totals.
Fixed an issue where navigation on the Cluster Profile page left stale state.
Fixed an issue where the toast notification shown when bundle deletion failed reported an incorrect error.
Fixed an issue where the Workload Profile version selector dropdown rendered behind sibling elements.
Fixed an issue where the review page version display did not show the correct version string.

Component versions

These core component versions are pinned for this PaletteAI release:

Component	Version
brush	0.5.18
canvas	0.6.9
hue	0.12.12
mural-crds	0.7.8

Mural Helm values

The following diff lists changes to mural/charts/mural/values.yaml between PaletteAI 1.0.7 and 1.1.0

values.yaml
diff --git a/mural/charts/mural/values.yaml b/mural/charts/mural/values.yaml
index 0a6f7eb226..b9effdf9c2 100644
--- a/mural/charts/mural/values.yaml
+++ b/mural/charts/mural/values.yaml
@@ -19,8 +19,9 @@
 ## @param global.certManagerVersion The cert-manager version passed to sub charts - do NOT edit
 ## @param global.muralVersion Umbrella chart version passed to sub charts - do NOT edit
 ## @param global.dns.domain The primary domain to use for the deployment. For example, acme.internal.org.
-## @param global.dns.rootIngress.enabled Whether to create a root ingress for the domain that routes to the primary application. For example, if you want the root domain to automatically route to `/mural`. Disable if ingress-nginx is not used.
+## @param global.dns.rootIngress.enabled Whether to create a root ingress for the domain that routes to the primary application. For example, if you want the root domain to automatically route to `/mural`. Disable if traefik is not used.
 ## @param global.dns.rootIngress.ingressClassName The ingress class name for the root ingress
+## @param global.dns.rootIngress.annotations Additional annotations for the root ingress
 ## @param global.dns.rootIngress.tls A list of TLS configurations for the root ingress
 ## @param global.auth.sessionSecret The session secret to use for encoding and decoding the Mural session cookie. Credentials are not stored in the browser. The cookie is used to map the session to the user so that the server can retrieve the user's credentials.
 ## @param global.auditLogging.enabled Whether to enable audit logging to alertmanager. Default is true.
@@ -66,12 +67,13 @@ global:
   # - use a custom FleetConfig controller image with the `gke-gcloud-auth-plugin` installed
   kubernetesProvider: "Generic"
   certManagerVersion: "v1.19.1"
-  muralVersion: "1.0.7"
+  muralVersion: "1.1.0"
   dns:
     domain: "replace.with.your.domain"
     rootIngress:
       enabled: true
-      ingressClassName: nginx
+      ingressClassName: traefik
+      annotations: {}
       # By default, no TLS. Override with a list of TLS configs if needed.
       # Example:
       # tls:
@@ -106,7 +108,7 @@ global:
     username: ""
     password: ""
     basicAuthSecretName: ""
-  muralCrdsVersion: "0.7.0-hotfix.4"
+  muralCrdsVersion: "0.7.8"

 ## @section certificates
 ## @param certificates.clusterIssuer.spec.selfSigned The spec for the ClusterIssuer used by cert-manager to issue the Mural root CA certificate.
@@ -1004,7 +1006,7 @@ fleetConfig:
   ## cert-manager from being installed in that case.
   ##
   ## Unsupported keys within this map:
-  ## brush, canvas, fleetconfig-controller, fleetConfig, dex, ingress-nginx, flux2
+  ## brush, canvas, fleetconfig-controller, fleetConfig, dex, traefik, flux2
   ## @descriptionEnd
   spokeValuesOverrides:
     enabled: false
@@ -1043,6 +1045,10 @@ alertmanager:
   # extraArgs: {}
   extraArgs:
     web.config.file: "/etc/alertmanager/web-config/web-config.yaml"
+    # By default, this has a value. In multi-replica deployments, the address is used for the gossip clustering among the replicas.
+    # In a single-replica deployment, having it set causes the single replica to queue up messages but since there are no other members,
+    # the messages are never read and the queue overflows. Setting the address to empty disables the gossip clustering.
+    # For multi-replica deployments, the `cluster.listen-address` key can be removed entirely, and the default value will be used.
     cluster.listen-address: ""
   # Uncomment to disable secret mounts if TLS/basic auth are not being used
   # extraSecretMounts: []
@@ -1469,7 +1475,7 @@ brush:
   ## @param brush.image.pullPolicy The pull policy to use for the image
   image:
     repository: public.ecr.aws/mural/brush
-    tag: v0.5.13-hotfix.4
+    tag: v0.5.18
     pullPolicy: IfNotPresent
   ## @param brush.imagePullSecrets The pull secrets to use for the image
   imagePullSecrets: []
@@ -1510,28 +1516,6 @@ brush:
   service:
     type: ClusterIP
     port: 80
-  ## @param brush.ingress.enabled Whether to create an ingress resource
-  ## @param brush.ingress.className The class name for the ingress resource
-  ## @param brush.ingress.annotations Annotations to add to the ingress resource
-  ## @param brush.ingress.hosts[0].host The host to add to the ingress resource
-  ## @param brush.ingress.hosts[0].paths[0].path The path to add to the ingress resource
-  ## @param brush.ingress.hosts[0].paths[0].pathType The path type for the ingress resource
-  ## @param brush.ingress.tls The TLS configuration for the ingress resource
-  ingress:
-    enabled: false
-    className: ""
-    annotations: {}
-    # kubernetes.io/ingress.class: nginx
-    # kubernetes.io/tls-acme: "true"
-    hosts:
-      - host: chart-example.local
-        paths:
-          - path: /
-            pathType: ImplementationSpecific
-    tls: []
-    #  - secretName: chart-example-tls
-    #    hosts:
-    #      - chart-example.local
   ## @param brush.resources The resources to add to the deployment
   resources: {}
   # We usually recommend not to specify default resources and to leave this as a conscious
@@ -1667,9 +1651,9 @@ brush:
       timeout: 20m
       crdPolicy: "CreateReplace"
       maxHistory: 0
-      # The following values are optional and should not be specified for production use
-      # releaseVersion: "0.1.5"
-      # releaseDigest: sha256:1234567890
+    # The following values are optional and should not be specified for production use
+    # releaseVersion: "0.1.5"
+    # releaseDigest: sha256:1234567890
   ## @section mural-crds parameters

   ## The mural-crds chart is pulled from the same repository as the mural chart.
@@ -1682,9 +1666,9 @@ brush:
     release:
       crdPolicy: "CreateReplace"
       maxHistory: 1
-      # The following values are optional and should not be specified for production use
-      # releaseVersion: "0.0.1"
-      # releaseDigest: sha256:1234567890
+    # The following values are optional and should not be specified for production use
+    # releaseVersion: "0.0.1"
+    # releaseDigest: sha256:1234567890
   ## @section cert-manager parameters

   ## @param brush.certManager.enabled Whether to enable cert-manager installation
@@ -1758,6 +1742,9 @@ brush:
     values:
       crds:
         enabled: true
+  ## @param brush.global.instanceName Hub `global.instanceName` from chart values; passed to Brush and set on spoke Mural installs.
+  global:
+    instanceName: ""

 ## @section canvas
 canvas:
@@ -1777,7 +1764,7 @@ canvas:
   ## @param canvas.image.pullPolicy canvas image pull policy
   image:
     repository: public.ecr.aws/mural/canvas
-    tag: v0.6.0-hotfix.4
+    tag: v0.6.9
     pullPolicy: IfNotPresent
   ## @param canvas.imagePullSecrets Image pull secrets
   imagePullSecrets: []
@@ -1848,7 +1835,7 @@ canvas:
   ingress:
     enabled: false
     annotations: {}
-    ingressClassName: nginx
+    ingressClassName: traefik
     domain: replace.with.your.domain
     matchAllHosts: false
     # By default, no TLS. Override with a list of TLS configs if needed.
@@ -1901,13 +1888,13 @@ canvas:
     items: []
   ## @param canvas.oidc.sessionSecret The OIDC session secret to use when encoding and decoding the Mural session cookie. By default, it uses the session secret from the global configuration.
   ## @param canvas.oidc.sessionDir The directory to store the session files. Requires a volume mount for /app/sessions
-  ## @param canvas.oidc.issuerK8sService The Kubernetes service URL for the Dex server from the perspective of the Canvas pod. The default is https://dex.mural-system.svc.cluster.local:5554/dex
+  ## @param canvas.oidc.issuerK8sService The Kubernetes service URL for the Dex server from the perspective of the Canvas pod.
   ## @param canvas.oidc.skipSSLCertificateVerification Whether to skip SSL certificate verification when interacting with Dex. Set to true to skip verification. Skipping verification is not recommended but needed when using self-signed certificates.
   ## @param canvas.oidc.redirectURL The redirect URL for the Canvas application. The path is required to end with /callback.
   oidc:
     sessionSecret: ""
     sessionDir: "/app/sessions"
-    issuerK8sService: "https://dex.mural-system.svc.cluster.local:5554/dex"
+    issuerK8sService: ""
     skipSSLCertificateVerification: true
     redirectURL: "https://replace.with.your.domain/ai/callback"
   ## @param canvas.impersonationProxy.enabled [default: false] Whether to enable impersonation proxy. Only use if your Mural Hub Kubernetes cluster is not configured to trust Dex as an OIDC provider. Requires `serviceAccount.create` to be `true`.
@@ -1958,19 +1945,23 @@ canvas:
       failureThreshold: 5
   ## @param canvas.devspaceEnabled devspace enabled
   devspaceEnabled: false
-  ## @param canvas.branding.configMapName The name of the branding ConfigMap. Default is "branding".
-  ## @param canvas.branding.namespace The namespace where the branding ConfigMap will be created. Default is "mural-system".
-  ## @param canvas.branding.brandColor Primary brand color; drives the brand-bold token. Leave empty for default.
-  ## @param canvas.branding.headerBackgroundColor Background color for the main header. Default is "rgb(41, 39, 37)".
-  ## @param canvas.branding.sidebarBackgroundColor Background color for the sidebar navigation. Default is "#F3F0EE".
-  ## @param canvas.branding.logoUrl URI of custom logo image (HTTP/HTTPS only). Leave empty for default Spectro Cloud logo.
+  ## @param canvas.branding.configMapName Kubernetes name of the branding ConfigMap (default `branding`).
+  ## @param canvas.branding.namespace Namespace for the ConfigMap; empty string uses the Helm release namespace.
+  ## @param canvas.branding.brandColor Primary brand color; drives the brand-bold token (buttons, links). Leave empty for default.
+  ## @param canvas.branding.headerBackgroundColor Header background; text is derived for contrast. Leave empty for default (`rgb(41, 39, 37)`).
+  ## @param canvas.branding.sidebarBackgroundColor Sidebar background; text is derived for contrast. Leave empty for default (`#F3F0EE`).
+  ## @param canvas.branding.favicon Favicon: PNG, JPEG, or octet-stream base64 data URI, or HTTP(S) URL (proxied; PNG/JPEG/GIF/SVG/WebP/ICO). Recommended source: 32×32 or 48×48 PNG or multi-size ICO; HTTP(S) max 2 MB. Empty = bundled default.
+  ## @param canvas.branding.primaryLogo Primary logo for login + header (see product docs). Data URI (PNG/JPEG/octet-stream base64) or HTTP(S) URL. Recommended: ≥128×128 px square or wide mark (e.g. 256×64) with height ≥64 px; HTTP(S) max 2 MB. Empty = defaults.
+  ## @param canvas.branding.secondaryLogo Secondary header logo; requires `primaryLogo`. Data URI or HTTP(S) URL; displayed up to ~32 px tall. Recommended sizing matches `primaryLogo`; HTTP(S) max 2 MB.
   branding:
     brandColor: ""
     configMapName: "branding"
-    namespace: "mural-system"
+    namespace: ""
+    favicon: ""
     headerBackgroundColor: ""
     sidebarBackgroundColor: ""
-    logoUrl: ""
+    primaryLogo: ""
+    secondaryLogo: ""
   ## @param canvas.fullnameOverride Fullname override
   fullnameOverride: canvas

@@ -2198,7 +2189,7 @@ dex:
     # -- Enable [ingress](https://kubernetes.io/docs/concepts/services-networking/ingress/).
     enabled: false
     # -- Ingress [class name](https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class).
-    className: "nginx"
+    className: "traefik"
     # -- Annotations to be added to the ingress.
     annotations: {}
     # kubernetes.io/ingress.class: nginx
@@ -2620,7 +2611,7 @@ fleetconfig-controller:
   ## @param fleetconfig-controller.image.pullPolicy Image pull policy
   image:
     repository: us-docker.pkg.dev/palette-images-fips/palette/spectro-ocm-bcfips/fleetconfig-controller
-    tag: v0.2.3
+    tag: v0.2.4
     pullPolicy: IfNotPresent
   ## @param fleetconfig-controller.imagePullSecrets Image pull secrets
   imagePullSecrets: []
@@ -3010,7 +3001,7 @@ flux2:
     tolerations: []
     extraEnv: []
   policies:
-    create: true
+    create: false
   rbac:
     create: true
     # -- Grant the Kubernetes view, edit and admin roles access to Flux custom resources
@@ -3278,7 +3269,7 @@ hue:
   ## @param hue.image.pullPolicy Image pull policy
   image:
     repository: public.ecr.aws/mural/hue
-    tag: v0.12.0-hotfix.4
+    tag: v0.12.12
     pullPolicy: IfNotPresent
   ## @param hue.resources.requests.cpu hue controller deployment's cpu request
   ## @param hue.resources.requests.memory hue controller deployment's memory request
@@ -3438,7 +3429,7 @@ hue:
     enabled: true
     image:
       repository: public.ecr.aws/mural/hue-definitions
-      tag: v0.12.0-hotfix.4
+      tag: v0.12.12
       pullPolicy: IfNotPresent
       pullSecrets: []
     job:
@@ -3457,1291 +3448,1351 @@ hue:
       extraEnv: []
   ## @param hue.devspaceEnabled Used for dev.
   devspaceEnabled: false
+  # Placeholder values.yaml for mural-lib chart to appease chart testing (ct)

-## @skip ingress-nginx
-ingress-nginx:
-  enabled: true
-  ## nginx configuration
-  ## Ref: https://github.com/kubernetes/ingress-nginx/blob/main/docs/user-guide/nginx-configuration/index.md
-  ##
-
-  global:
-    image:
-      # -- Registry host to pull images from.
-      registry: registry.k8s.io
-  ## Overrides for generated resource names
-  # See templates/_helpers.tpl
-  # nameOverride:
-  # fullnameOverride:
-
-  # -- Override the deployment namespace; defaults to .Release.Namespace
-  namespaceOverride: ""
-  ## Labels to apply to all resources
-  ##
+## @skip traefik
+traefik:
+  # Default values for Traefik
+  # This is a YAML-formatted file.
+  # Declare variables to be passed into templates
+  image: # @schema additionalProperties: false
+    # -- Traefik image host registry
+    registry: us-docker.pkg.dev/palette-images-fips/palette
+    # -- Traefik image repository
+    repository: traefik
+    # -- defaults to appVersion. It's used for version checking, even prefixed with experimental- or latest-.
+    # When a digest is required, `versionOverride` can be used to set the version.
+    tag: 3.6.11-fips # @schema type:[string, null]
+    # -- Traefik image pull policy
+    pullPolicy: IfNotPresent
+  # -- Add additional label to all resources
   commonLabels: {}
-  # scmhash: abc123
-  # myLabel: aakkmd
-
-  controller:
-    name: controller
-    enableAnnotationValidations: true
-    image:
-      ## Keep false as default for now!
-      chroot: false
-      # registry: registry.k8s.io
-      image: ingress-nginx/controller-fips
-      ## for backwards compatibility consider setting the full image url via the repository value below
-      ## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail
-      ## repository:
-      tag: "v1.14.0"
-      digest: ""
-      digestChroot: sha256:d0158a50630981a945325c15a638e52c2d0691bc528caf5c04d2cf2051c5665f
-      pullPolicy: IfNotPresent
-      runAsNonRoot: true
-      # -- This value must not be changed using the official image.
-      # uid=101(www-data) gid=82(www-data) groups=82(www-data)
-      runAsUser: 101
-      # -- This value must not be changed using the official image.
-      # uid=101(www-data) gid=82(www-data) groups=82(www-data)
-      runAsGroup: 82
-      allowPrivilegeEscalation: false
-      seccompProfile:
-        type: RuntimeDefault
-      readOnlyRootFilesystem: false
-      registry: us-docker.pkg.dev/palette-images-fips/palette/spectro-ingress-nginx
-    # -- Configures the controller container name
-    containerName: controller
-    # -- Configures the ports that the nginx-controller listens on
-    containerPort:
-      http: 80
-      https: 443
-    # -- Global configuration passed to the ConfigMap consumed by the controller. Values may contain Helm templates.
-    # Ref.: https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/
-    config: {}
-    # -- Annotations to be added to the controller config configuration configmap.
-    configAnnotations: {}
-    # -- Will add custom headers before sending traffic to backends according to https://github.com/kubernetes/ingress-nginx/tree/main/docs/examples/customization/custom-headers
-    proxySetHeaders: {}
-    # -- Will add custom headers before sending response traffic to the client according to: https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#add-headers
-    addHeaders: {}
-    # -- Optionally customize the pod dnsConfig.
+  deployment:
+    # -- Enable deployment
+    enabled: true
+    # -- Deployment or DaemonSet
+    kind: Deployment
+    # -- Number of pods of the deployment (only applies when kind == Deployment)
+    replicas: 1
+    # -- Number of old history to retain to allow rollback (If not set, default Kubernetes value is set to 10)
+    revisionHistoryLimit: # @schema type:[integer, null];minimum:0
+    # -- Amount of time (in seconds) before Kubernetes will send the SIGKILL signal if Traefik does not shut down
+    terminationGracePeriodSeconds: 60
+    # -- The minimum number of seconds Traefik needs to be up and running before the DaemonSet/Deployment controller considers it available
+    minReadySeconds: 0
+    ## -- Override the liveness/readiness port. This is useful to integrate traefik
+    ## with an external Load Balancer that performs healthchecks.
+    ## Default: ports.traefik.port
+    healthchecksPort: # @schema type:[integer, null];minimum:0
+    ## -- Override the liveness/readiness host. Useful for getting ping to respond on non-default entryPoint.
+    ## Default: ports.traefik.hostIP if set, otherwise Pod IP
+    healthchecksHost: ""
+    ## -- Override the liveness/readiness scheme. Useful for getting ping to
+    ## respond on websecure entryPoint.
+    healthchecksScheme: # @schema enum:[HTTP, HTTPS, null]; type:[string, null]; default: HTTP
+    ## -- Override the readiness path.
+    ## Default: /ping
+    readinessPath: ""
+    # -- Override the liveness path.
+    # Default: /ping
+    livenessPath: ""
+    # -- Additional deployment annotations (e.g. for jaeger-operator sidecar injection)
+    annotations: {}
+    # -- Additional deployment labels (e.g. for filtering deployment by custom labels)
+    labels: {}
+    # -- Additional pod annotations (e.g. for mesh injection or prometheus scraping)
+    # It supports templating. One can set it with values like traefik/name: '{{ template "traefik.name" . }}'
+    podAnnotations: {}
+    # -- Additional Pod labels (e.g. for filtering Pod by custom labels)
+    # It supports templating. One can set it with values like traefik/name: '{{ template "traefik.name" . }}'
+    podLabels: {}
+    # -- Additional containers (e.g. for metric offloading sidecars)
+    additionalContainers: []
+    # https://docs.datadoghq.com/developers/dogstatsd/unix_socket/?tab=host
+    # - name: socat-proxy
+    #   image: alpine/socat:1.0.5
+    #   args: ["-s", "-u", "udp-recv:8125", "unix-sendto:/socket/socket"]
+    #   volumeMounts:
+    #     - name: dsdsocket
+    #       mountPath: /socket
+    # -- Additional volumes available for use with initContainers and additionalContainers
+    additionalVolumes: []
+    # - name: dsdsocket
+    #   hostPath:
+    #     path: /var/run/statsd-exporter
+    # -- Additional initContainers (e.g. for setting file permission as shown below)
+    initContainers: []
+    # The "volume-permissions" init container is required if you run into permission issues.
+    # Related issue: https://github.com/traefik/traefik-helm-chart/issues/396
+    # - name: volume-permissions
+    #   image: busybox:latest
+    #   command: ["sh", "-c", "touch /data/acme.json; chmod -v 600 /data/acme.json"]
+    #   volumeMounts:
+    #     - name: data
+    #       mountPath: /data
+    # -- Use process namespace sharing
+    shareProcessNamespace: false
+    # -- Custom pod DNS policy. Apply if `hostNetwork: true`
+    dnsPolicy: ""
+    # -- Custom pod [DNS config](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.30/#poddnsconfig-v1-core)
     dnsConfig: {}
-    # -- Optionally customize the pod hostAliases.
+    # -- Custom [host aliases](https://kubernetes.io/docs/tasks/network/customize-hosts-file-for-pods/)
     hostAliases: []
-    # - ip: 127.0.0.1
-    #   hostnames:
-    #   - foo.local
-    #   - bar.local
-    # - ip: 10.1.2.3
-    #   hostnames:
-    #   - foo.remote
-    #   - bar.remote
-    # -- Optionally customize the pod hostname.
-    hostname: {}
-    # -- Optionally change this to ClusterFirstWithHostNet in case you have 'hostNetwork: true'.
-    # By default, while using host network, name resolution uses the host's DNS. If you wish nginx-controller
-    # to keep resolving names inside the k8s network, use ClusterFirstWithHostNet.
-    dnsPolicy: ClusterFirst
-    # -- Instruct the kubelet to use the named RuntimeClass to run the pod
+    # -- Pull secret for fetching traefik container image
+    imagePullSecrets: []
+    # -- Pod lifecycle actions
+    lifecycle: {}
+    # preStop:
+    #   sleep:
+    #     seconds: 20
+    # postStart:
+    #   httpGet:
+    #     path: /ping
+    #     port: 8080
+    #     host: localhost
+    #     scheme: HTTP
+    # -- Set a runtimeClassName on pod
     runtimeClassName: ""
-    # -- Bare-metal considerations via the host network https://kubernetes.github.io/ingress-nginx/deploy/baremetal/#via-the-host-network
-    # Ingress status was blank because there is no Service exposing the Ingress-Nginx Controller in a configuration using the host network, the default --publish-service flag used in standard cloud setups does not apply
-    reportNodeInternalIp: false
-    # -- Process Ingress objects without ingressClass annotation/ingressClassName field
-    # Overrides value for --watch-ingress-without-class flag of the controller binary
-    # Defaults to false
-    watchIngressWithoutClass: false
-    # -- Process IngressClass per name (additionally as per spec.controller).
-    ingressClassByName: false
-    # -- This configuration enables Topology Aware Routing feature, used together with service annotation service.kubernetes.io/topology-mode="auto"
-    # Defaults to false
-    enableTopologyAwareRouting: false
-    # -- This configuration disable Nginx Controller Leader Election
-    disableLeaderElection: false
-    # -- Duration a leader election is valid before it's getting re-elected, e.g. `15s`, `10m` or `1h`. (Default: 30s)
-    electionTTL: ""
-    # -- This configuration defines if Ingress Controller should allow users to set
-    # their own *-snippet annotations, otherwise this is forbidden / dropped
-    # when users add those annotations.
-    # Global snippets in ConfigMap are still respected
-    allowSnippetAnnotations: false
-    # -- Required for use with CNI based kubernetes installations (such as ones set up by kubeadm),
-    # since CNI and hostport don't mix yet. Can be deprecated once https://github.com/kubernetes/kubernetes/issues/23920
-    # is merged
-    hostNetwork: false
-    ## Use host ports 80 and 443
-    ## Disabled by default
-    hostPort:
-      # -- Enable 'hostPort' or not
-      enabled: false
-      ports:
-        # -- 'hostPort' http port
-        http: 80
-        # -- 'hostPort' https port
-        https: 443
-    # NetworkPolicy for controller component.
-    networkPolicy:
-      # -- Enable 'networkPolicy' or not
+    # -- Percentage of memory limit to set for GOMEMLIMIT
+    # -- set as decimal (0.9 = 90%, 0.95 = 95% etc)
+    # -- only takes effect when resources.limits.memory is set
+    goMemLimitPercentage: 0.9
+  # -- [Pod Disruption Budget](https://kubernetes.io/docs/reference/kubernetes-api/policy-resources/pod-disruption-budget-v1/)
+  # @default -- See _values.yaml_
+  podDisruptionBudget: # @schema additionalProperties: false
+    enabled: false
+    maxUnavailable: # @schema type:[string, integer, null];minimum:0
+    minAvailable: # @schema type:[string, integer, null];minimum:0
+  ingressClass: # @schema additionalProperties: false
+    # -- Create a default IngressClass for Traefik
+    enabled: true
+    isDefaultClass: true
+    # when not set, the release name is prepended (eg mural-traefik). hardcoding gives us parity with palette
+    name: "traefik"
+  core: # @schema additionalProperties: false
+    # -- Can be used to use globally v2 router syntax. Deprecated since v3.4 /!\.
+    # See https://doc.traefik.io/traefik/v3.0/migration/v2-to-v3/#new-v3-syntax-notable-changes
+    defaultRuleSyntax: ""
+  # Traefik experimental features
+  experimental:
+    # -- Defines whether all plugins must be loaded successfully for Traefik to start
+    abortOnPluginFailure: false
+    fastProxy:
+      # -- Enables the FastProxy implementation.
       enabled: false
-    # -- Election ID to use for status update, by default it uses the controller name combined with a suffix of 'leader'
-    electionID: ""
-    # -- This section refers to the creation of the IngressClass resource.
-    # IngressClasses are immutable and cannot be changed after creation.
-    # We do not support namespaced IngressClasses, yet, so a ClusterRole and a ClusterRoleBinding is required.
-    ingressClassResource:
-      # -- Name of the IngressClass
-      name: nginx
-      # -- Create the IngressClass or not
-      enabled: true
-      # -- If true, Ingresses without `ingressClassName` get assigned to this IngressClass on creation.
-      # Ingress creation gets rejected if there are multiple default IngressClasses.
-      # Ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#default-ingress-class
-      default: true
-      # -- Annotations to be added to the IngressClass resource.
-      annotations: {}
-      # -- Controller of the IngressClass. An Ingress Controller looks for IngressClasses it should reconcile by this value.
-      # This value is also being set as the `--controller-class` argument of this Ingress Controller.
-      # Ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class
-      controllerValue: k8s.io/ingress-nginx
-      # -- Aliases of this IngressClass. Creates copies with identical settings but the respective alias as name.
-      # Useful for development environments with only one Ingress Controller but production-like Ingress resources.
-      # `default` gets enabled on the original IngressClass only.
-      aliases: []
-      # aliases:
-      # - nginx-alias-1
-      # - nginx-alias-2
-      # -- A link to a custom resource containing additional configuration for the controller.
-      # This is optional if the controller consuming this IngressClass does not require additional parameters.
-      # Ref: https://kubernetes.io/docs/concepts/services-networking/ingress/#ingress-class
-      parameters: {}
-      # parameters:
-      #   apiGroup: k8s.example.com
-      #   kind: IngressParameters
-      #   name: external-lb
-    # -- For backwards compatibility with ingress.class annotation, use ingressClass.
-    # Algorithm is as follows, first ingressClassName is considered, if not present, controller looks for ingress.class annotation
-    ingressClass: nginx
-    # -- Labels to add to the pod container metadata
-    podLabels: {}
-    #  key: value
-
-    # -- Security context for controller pods
-    podSecurityContext: {}
-    # -- sysctls for controller pods
-    ## Ref: https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/
-    sysctls: {}
-    # sysctls:
-    #   "net.core.somaxconn": "8192"
-    # -- Security context for controller containers
-    containerSecurityContext: {}
-    # -- Allows customization of the source of the IP address or FQDN to report
-    # in the ingress status field. By default, it reads the information provided
-    # by the service. If disable, the status field reports the IP address of the
-    # node or nodes where an ingress controller pod is running.
-    publishService:
-      # -- Enable 'publishService' or not
-      enabled: true
-      # -- Allows overriding of the publish service to bind to
-      # Must be <namespace>/<service_name>
-      pathOverride: ""
-    # Limit the scope of the controller to a specific namespace
-    scope:
-      # -- Enable 'scope' or not
+      # -- Enable debug mode for the FastProxy implementation.
+      debug: false
+    kubernetesGateway:
+      # -- Enable traefik experimental GatewayClass CRD
       enabled: false
-      # -- Namespace to limit the controller to; defaults to $(POD_NAMESPACE)
-      namespace: ""
-      # -- When scope.enabled == false, instead of watching all namespaces, we watching namespaces whose labels
-      # only match with namespaceSelector. Format like foo=bar. Defaults to empty, means watching all namespaces.
-      namespaceSelector: ""
-    # -- Allows customization of the configmap / nginx-configmap namespace; defaults to $(POD_NAMESPACE)
-    configMapNamespace: ""
-    tcp:
-      # -- Allows customization of the tcp-services-configmap; defaults to $(POD_NAMESPACE)
-      configMapNamespace: ""
-      # -- Annotations to be added to the tcp config configmap
-      annotations: {}
-    udp:
-      # -- Allows customization of the udp-services-configmap; defaults to $(POD_NAMESPACE)
-      configMapNamespace: ""
-      # -- Annotations to be added to the udp config configmap
-      annotations: {}
-    # -- Maxmind license key to download GeoLite2 Databases.
-    ## https://blog.maxmind.com/2019/12/significant-changes-to-accessing-and-using-geolite2-databases/
-    maxmindLicenseKey: ""
-    # -- Additional command line arguments to pass to Ingress-Nginx Controller
-    # E.g. to specify the default SSL certificate you can use
-    extraArgs: {}
-    ## extraArgs:
-    ##   default-ssl-certificate: "<namespace>/<secret_name>"
-    ##   time-buckets: "0.005,0.01,0.025,0.05,0.1,0.25,0.5,1,2.5,5,10"
-    ##   length-buckets: "10,20,30,40,50,60,70,80,90,100"
-    ##   size-buckets: "10,100,1000,10000,100000,1e+06,1e+07"
-
-    # -- Additional environment variables to set
-    extraEnvs: []
-    # extraEnvs:
-    #   - name: FOO
-    #     valueFrom:
-    #       secretKeyRef:
-    #         key: FOO
-    #         name: secret-resource
-
-    # -- Use a `DaemonSet` or `Deployment`
-    kind: Deployment
-    # -- Annotations to be added to the controller Deployment or DaemonSet
-    ##
+    # -- Enable experimental plugins
+    plugins: {}
+    # -- Enable experimental local plugins
+    localPlugins: {}
+    # -- Enable OTLP logging experimental feature.
+    otlpLogs: false
+    # -- Enable Knative provider experimental feature.
+    knative: false
+  gateway:
+    # -- When providers.kubernetesGateway.enabled, deploy a default gateway
+    enabled: false
+    # -- Set a custom name to gateway
+    name: ""
+    # -- By default, Gateway is created in the same `Namespace` as Traefik.
+    namespace: ""
+    # -- Additional gateway annotations (e.g. for cert-manager.io/issuer)
     annotations: {}
-    #  keel.sh/pollSchedule: "@every 60m"
-
-    # -- Labels to be added to the controller Deployment or DaemonSet and other resources that do not have option to specify labels
-    ##
+    # -- [Infrastructure](https://kubernetes.io/blog/2023/11/28/gateway-api-ga/#gateway-infrastructure-labels)
+    infrastructure: {}
+    # -- Configure this Gateway as a [Default Gateway](https://kubernetes.io/blog/2025/11/06/gateway-api-v1-4/#introducing-default-gateways)
+    # by setting the `defaultScope` field (e.g. `All` or `Namespace`).
+    defaultScope: null # @schema enum:["All", "None", null]; type:[string, null]; default: null
+    listeners:
+      web:
+        # -- Port is the network port. Multiple listeners may use the same port, subject to the Listener compatibility rules.
+        # The port must match a port declared in ports section.
+        port: 8000
+        # -- Optional hostname. See [Hostname](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Hostname)
+        hostname: ""
+        # Specify expected protocol on this listener. See [ProtocolType](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.ProtocolType)
+        protocol: HTTP
+        # -- (object) Routes are restricted to namespace of the gateway [by default](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.FromNamespaces
+        namespacePolicy: # @schema type:[object, null]
+      # websecure listener is disabled by default because certificateRefs needs to be added,
+      # or you may specify TLS protocol with Passthrough mode and add "--providers.kubernetesGateway.experimentalChannel=true" in additionalArguments section.
+      # websecure:
+      #   # -- Port is the network port. Multiple listeners may use the same port, subject to the Listener compatibility rules.
+      #   # The port must match a port declared in ports section.
+      #   port: 8443
+      #   # -- Optional hostname. See [Hostname](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.Hostname)
+      #   hostname:
+      #   # Specify expected protocol on this listener See [ProtocolType](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.ProtocolType)
+      #   protocol: HTTPS
+      #   # -- Routes are restricted to namespace of the gateway [by default](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.FromNamespaces)
+      #   namespacePolicy:
+      #   # -- Add certificates for TLS or HTTPS protocols. See [GatewayTLSConfig](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io%2fv1.GatewayTLSConfig)
+      #   certificateRefs:
+      #   # -- TLS behavior for the TLS session initiated by the client. See [TLSModeType](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.TLSModeType).
+      #   mode:
+  gatewayClass: # @schema additionalProperties: false
+    # -- When providers.kubernetesGateway.enabled and gateway.enabled, deploy a default gatewayClass
+    enabled: false
+    # -- Set a custom name to GatewayClass
+    name: ""
+    # -- Additional gatewayClass labels (e.g. for filtering gateway objects by custom labels)
     labels: {}
-    #  keel.sh/policy: patch
-    #  keel.sh/trigger: poll
-
-    # -- The update strategy to apply to the Deployment or DaemonSet
-    ##
-    updateStrategy: {}
-    #  rollingUpdate:
-    #    maxUnavailable: 1
-    #  type: RollingUpdate
-
-    # -- Specifies the number of seconds you want to wait for the controller deployment to progress before the system reports back that it has failed.
-    # Ref.: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#progress-deadline-seconds
-    progressDeadlineSeconds: 0
-    # -- `minReadySeconds` to avoid killing pods before we are ready
-    ##
-    minReadySeconds: 0
-    # -- Node tolerations for server scheduling to nodes with taints
-    ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
-    ##
-    tolerations: []
-    #  - key: "key"
-    #    operator: "Equal|Exists"
-    #    value: "value"
-    #    effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)"
-
-    # -- Affinity and anti-affinity rules for server scheduling to nodes
-    ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
-    ##
-    affinity: {}
-    # # An example of preferred pod anti-affinity, weight is in the range 1-100
-    # podAntiAffinity:
-    #   preferredDuringSchedulingIgnoredDuringExecution:
-    #   - weight: 100
-    #     podAffinityTerm:
-    #       labelSelector:
-    #         matchExpressions:
-    #         - key: app.kubernetes.io/name
-    #           operator: In
-    #           values:
-    #           - '{{ include "ingress-nginx.name" . }}'
-    #         - key: app.kubernetes.io/instance
-    #           operator: In
-    #           values:
-    #           - '{{ .Release.Name }}'
-    #         - key: app.kubernetes.io/component
-    #           operator: In
-    #           values:
-    #           - controller
-    #       topologyKey: kubernetes.io/hostname
-
-    # # An example of required pod anti-affinity
-    # podAntiAffinity:
-    #   requiredDuringSchedulingIgnoredDuringExecution:
-    #   - labelSelector:
-    #       matchExpressions:
-    #       - key: app.kubernetes.io/name
-    #         operator: In
-    #         values:
-    #         - '{{ include "ingress-nginx.name" . }}'
-    #       - key: app.kubernetes.io/instance
-    #         operator: In
-    #         values:
-    #         - '{{ .Release.Name }}'
-    #       - key: app.kubernetes.io/component
-    #         operator: In
-    #         values:
-    #         - controller
-    #     topologyKey: kubernetes.io/hostname
-
-    # -- Topology spread constraints rely on node labels to identify the topology domain(s) that each Node is in.
-    ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
-    ##
-    topologySpreadConstraints: []
-    # - labelSelector:
-    #     matchLabels:
-    #       app.kubernetes.io/name: '{{ include "ingress-nginx.name" . }}'
-    #       app.kubernetes.io/instance: '{{ .Release.Name }}'
-    #       app.kubernetes.io/component: controller
-    #   matchLabelKeys:
-    #   - pod-template-hash
-    #   topologyKey: topology.kubernetes.io/zone
-    #   maxSkew: 1
-    #   whenUnsatisfiable: ScheduleAnyway
-    # - labelSelector:
-    #     matchLabels:
-    #       app.kubernetes.io/name: '{{ include "ingress-nginx.name" . }}'
-    #       app.kubernetes.io/instance: '{{ .Release.Name }}'
-    #       app.kubernetes.io/component: controller
-    #   matchLabelKeys:
-    #   - pod-template-hash
-    #   topologyKey: kubernetes.io/hostname
-    #   maxSkew: 1
-    #   whenUnsatisfiable: ScheduleAnyway
-
-    # -- `terminationGracePeriodSeconds` to avoid killing pods before we are ready
-    ## wait up to five minutes for the drain of connections
-    ##
-    terminationGracePeriodSeconds: 300
-    # -- Node labels for controller pod assignment
-    ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/
-    ##
-    nodeSelector:
-      kubernetes.io/os: linux
-    ## Liveness and readiness probe values
-    ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes
-    ##
-    ## startupProbe:
-    ##   httpGet:
-    ##     # should match container.healthCheckPath
-    ##     path: "/healthz"
-    ##     port: 10254
-    ##     scheme: HTTP
-    ##   initialDelaySeconds: 5
-    ##   periodSeconds: 5
-    ##   timeoutSeconds: 2
-    ##   successThreshold: 1
-    ##   failureThreshold: 5
-    livenessProbe:
-      httpGet:
-        # should match container.healthCheckPath
-        path: "/healthz"
-        port: 10254
-        scheme: HTTP
-      initialDelaySeconds: 10
-      periodSeconds: 10
-      timeoutSeconds: 1
-      successThreshold: 1
-      failureThreshold: 5
-    readinessProbe:
-      httpGet:
-        # should match container.healthCheckPath
-        path: "/healthz"
-        port: 10254
-        scheme: HTTP
-      initialDelaySeconds: 10
-      periodSeconds: 10
-      timeoutSeconds: 1
-      successThreshold: 1
-      failureThreshold: 3
-    # -- Path of the health check endpoint. All requests received on the port defined by
-    # the healthz-port parameter are forwarded internally to this path.
-    healthCheckPath: "/healthz"
-    # -- Address to bind the health check endpoint.
-    # It is better to set this option to the internal node address
-    # if the Ingress-Nginx Controller is running in the `hostNetwork: true` mode.
-    healthCheckHost: ""
-    # -- Annotations to be added to controller pods
-    ##
-    podAnnotations: {}
-    replicaCount: 1
-    # -- Minimum available pods set in PodDisruptionBudget.
-    # Define either 'minAvailable' or 'maxUnavailable', never both.
-    minAvailable: 1
-    # -- Maximum unavailable pods set in PodDisruptionBudget. If set, 'minAvailable' is ignored.
-    # maxUnavailable: 1
-    # -- Eviction policy for unhealthy pods guarded by PodDisruptionBudget.
-    # Ref: https://kubernetes.io/blog/2023/01/06/unhealthy-pod-eviction-policy-for-pdbs/
-    unhealthyPodEvictionPolicy: ""
-    ## Define requests resources to avoid probe issues due to CPU utilization in busy nodes
-    ## ref: https://github.com/kubernetes/ingress-nginx/issues/4735#issuecomment-551204903
-    ## Ideally, there should be no limits.
-    ## https://engineering.indeedblog.com/blog/2019/12/cpu-throttling-regression-fix/
-    resources:
-      ##  limits:
-      ##    cpu: 100m
-      ##    memory: 90Mi
-      requests:
-        cpu: 100m
-        memory: 90Mi
-    # -- Resize policy for controller containers.
-    # Ref: https://kubernetes.io/docs/tasks/configure-pod-container/resize-container-resources
-    resizePolicy: []
-    # - resourceName: cpu
-    #   restartPolicy: NotRequired
-    # - resourceName: memory
-    #   restartPolicy: RestartContainer
-    # Mutually exclusive with keda autoscaling
-    autoscaling:
+  api: # @schema additionalProperties: false
+    # -- Enable the dashboard
+    dashboard: true
+    # -- Enable the insecure API (HTTP)
+    insecure: # @schema type:[boolean, null]
+    # -- Enable the debug API
+    debug: # @schema type:[boolean, null]
+    # -- Configure API basePath
+    basePath: "" # @schema type:[string, null]; default: "/"
+  # -- Only dashboard & healthcheck IngressRoute are supported.
+  # It's recommended to create workloads CR outside of this Chart.
+  # @default -- See _values.yaml_
+  ingressRoute:
+    dashboard:
+      # -- Create an IngressRoute for the dashboard
       enabled: false
+      # -- Additional ingressRoute annotations (e.g. for kubernetes.io/ingress.class)
       annotations: {}
-      minReplicas: 1
-      maxReplicas: 11
-      targetCPUUtilizationPercentage: 50
-      targetMemoryUtilizationPercentage: 50
-      behavior: {}
-      # scaleDown:
-      #   stabilizationWindowSeconds: 300
-      #   policies:
-      #   - type: Pods
-      #     value: 1
-      #     periodSeconds: 180
-      # scaleUp:
-      #   stabilizationWindowSeconds: 300
-      #   policies:
-      #   - type: Pods
-      #     value: 2
-      #     periodSeconds: 60
-    autoscalingTemplate: []
-    # Custom or additional autoscaling metrics
-    # ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/#support-for-custom-metrics
-    # - type: Pods
-    #   pods:
-    #     metric:
-    #       name: nginx_ingress_controller_nginx_process_requests_total
-    #     target:
-    #       type: AverageValue
-    #       averageValue: 10000m
-
-    # Mutually exclusive with hpa autoscaling
-    keda:
-      apiVersion: "keda.sh/v1alpha1"
-      ## apiVersion changes with keda 1.x vs 2.x
-      ## 2.x = keda.sh/v1alpha1
-      ## 1.x = keda.k8s.io/v1alpha1
+      # -- Additional ingressRoute labels (e.g. for filtering IngressRoute by custom labels)
+      labels: {}
+      # -- The router match rule used for the dashboard ingressRoute
+      matchRule: PathPrefix(`/dashboard`) || PathPrefix(`/api`)
+      # -- The internal service used for the dashboard ingressRoute
+      # @default -- api@internal
+      services:
+        - name: api@internal
+          kind: TraefikService
+      # -- Specify the allowed entrypoints to use for the dashboard ingress route, (e.g. traefik, web, websecure).
+      # By default, it's using traefik entrypoint, which is not exposed.
+      # /!\ Do not expose your dashboard without any protection over the internet /!\
+      entryPoints: ["traefik"]
+      # -- Additional ingressRoute middlewares (e.g. for authentication)
+      middlewares: []
+      # -- TLS options (e.g. secret containing certificate)
+      tls: {}
+    healthcheck:
+      # -- Create an IngressRoute for the healthcheck probe
       enabled: false
-      minReplicas: 1
-      maxReplicas: 11
-      pollingInterval: 30
-      cooldownPeriod: 300
-      # fallback:
-      #   failureThreshold: 3
-      #   replicas: 11
-      restoreToOriginalReplicaCount: false
-      scaledObject:
-        annotations: {}
-        # Custom annotations for ScaledObject resource
-        #  annotations:
-        # key: value
-      triggers: []
-      # - type: prometheus
-      #   metadata:
-      #     serverAddress: http://<prometheus-host>:9090
-      #     metricName: http_requests_total
-      #     threshold: '100'
-      #     query: sum(rate(http_requests_total{deployment="my-deployment"}[2m]))
-
-      behavior: {}
-      # scaleDown:
-      #   stabilizationWindowSeconds: 300
-      #   policies:
-      #   - type: Pods
-      #     value: 1
-      #     periodSeconds: 180
-      # scaleUp:
-      #   stabilizationWindowSeconds: 300
-      #   policies:
-      #   - type: Pods
-      #     value: 2
-      #     periodSeconds: 60
-    # -- Enable mimalloc as a drop-in replacement for malloc.
-    ## ref: https://github.com/microsoft/mimalloc
-    ##
-    enableMimalloc: true
-    ## Override NGINX template
-    customTemplate:
-      configMapName: ""
-      configMapKey: ""
-    service:
-      # -- Enable controller services or not. This does not influence the creation of either the admission webhook or the metrics service.
-      enabled: true
-      external:
-        # -- Enable the external controller service or not. Useful for internal-only deployments.
-        enabled: true
-        # -- Labels to be added to the external controller service.
-        labels: {}
-      # -- Annotations to be added to the external controller service. See `controller.service.internal.annotations` for annotations to be added to the internal controller service.
+      # -- Additional ingressRoute annotations (e.g. for kubernetes.io/ingress.class)
       annotations: {}
-      # -- Labels to be added to both controller services.
+      # -- Additional ingressRoute labels (e.g. for filtering IngressRoute by custom labels)
       labels: {}
-      # -- Type of the external controller service.
-      # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types
-      type: LoadBalancer
-      # -- Pre-defined cluster internal IP address of the external controller service. Take care of collisions with existing services.
-      # This value is immutable. Set once, it can not be changed without deleting and re-creating the service.
-      # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#choosing-your-own-ip-address
-      clusterIP: ""
-      # -- Pre-defined cluster internal IP addresses of the external controller service. Take care of collisions with existing services.
-      # This value is immutable. Set once, it can not be changed without deleting and re-creating the service.
-      # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#choosing-your-own-ip-address
-      clusterIPs: []
-      # -- List of node IP addresses at which the external controller service is available.
-      # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-ips
-      externalIPs: []
-      # -- Deprecated: Pre-defined IP address of the external controller service. Used by cloud providers to connect the resulting load balancer service to a pre-existing static IP.
-      # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer
-      loadBalancerIP: ""
-      # -- Restrict access to the external controller service. Values must be CIDRs. Allows any source address by default.
-      loadBalancerSourceRanges: []
-      # -- Load balancer class of the external controller service. Used by cloud providers to select a load balancer implementation other than the cloud provider default.
-      # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-class
-      loadBalancerClass: ""
-      # -- Enable node port allocation for the external controller service or not. Applies to type `LoadBalancer` only.
-      # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-nodeport-allocation
-      # allocateLoadBalancerNodePorts: true
-
-      # -- External traffic policy of the external controller service. Set to "Local" to preserve source IP on providers supporting it.
-      # Ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
-      externalTrafficPolicy: ""
-      # -- Session affinity of the external controller service. Must be either "None" or "ClientIP" if set. Defaults to "None".
-      # Ref: https://kubernetes.io/docs/reference/networking/virtual-ips/#session-affinity
-      sessionAffinity: ""
-      # -- Specifies the health check node port (numeric port number) for the external controller service.
-      # If not specified, the service controller allocates a port from your cluster's node port range.
-      # Ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
-      # healthCheckNodePort: 0
-
-      # -- Traffic distribution policy of the external controller service. Set to "PreferClose" to route traffic to endpoints that are topologically closer to the client.
-      # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#traffic-distribution
-      trafficDistribution: ""
-      # -- Represents the dual-stack capabilities of the external controller service. Possible values are SingleStack, PreferDualStack or RequireDualStack.
-      # Fields `ipFamilies` and `clusterIP` depend on the value of this field.
-      # Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services
-      ipFamilyPolicy: SingleStack
-      # -- List of IP families (e.g. IPv4, IPv6) assigned to the external controller service. This field is usually assigned automatically based on cluster configuration and the `ipFamilyPolicy` field.
-      # Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services
-      ipFamilies:
-        - IPv4
-      # -- Enable the HTTP listener on both controller services or not.
-      enableHttp: true
-      # -- Enable the HTTPS listener on both controller services or not.
-      enableHttps: true
-      ports:
-        # -- Port the external HTTP listener is published with.
-        http: 80
-        # -- Port the external HTTPS listener is published with.
-        https: 443
-      targetPorts:
-        # -- Port of the ingress controller the external HTTP listener is mapped to.
-        http: http
-        # -- Port of the ingress controller the external HTTPS listener is mapped to.
-        https: https
-      # -- Declare the app protocol of the external HTTP and HTTPS listeners or not. Supersedes provider-specific annotations for declaring the backend protocol.
-      # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#application-protocol
-      appProtocol: true
-      nodePorts:
-        # -- Node port allocated for the external HTTP listener. If left empty, the service controller allocates one from the configured node port range.
-        http: ""
-        # -- Node port allocated for the external HTTPS listener. If left empty, the service controller allocates one from the configured node port range.
-        https: ""
-        # -- Node port mapping for external TCP listeners. If left empty, the service controller allocates them from the configured node port range.
-        # Example:
-        # tcp:
-        #   8080: 30080
-        tcp: {}
-        # -- Node port mapping for external UDP listeners. If left empty, the service controller allocates them from the configured node port range.
-        # Example:
-        # udp:
-        #   53: 30053
-        udp: {}
-      internal:
-        # -- Enable the internal controller service or not. Remember to configure `controller.service.internal.annotations` when enabling this.
-        enabled: false
-        # -- Labels to be added to the internal controller service.
-        labels: {}
-        # -- Annotations to be added to the internal controller service. Mandatory for the internal controller service to be created. Varies with the cloud service.
-        # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer
-        annotations: {}
-        # -- Type of the internal controller service.
-        # Defaults to the value of `controller.service.type`.
-        # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types
-        type: ""
-        # -- Pre-defined cluster internal IP address of the internal controller service. Take care of collisions with existing services.
-        # This value is immutable. Set once, it can not be changed without deleting and re-creating the service.
-        # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#choosing-your-own-ip-address
-        clusterIP: ""
-        # -- Pre-defined cluster internal IP addresses of the internal controller service. Take care of collisions with existing services.
-        # This value is immutable. Set once, it can not be changed without deleting and re-creating the service.
-        # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#choosing-your-own-ip-address
-        clusterIPs: []
-        # -- List of node IP addresses at which the internal controller service is available.
-        # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-ips
-        externalIPs: []
-        # -- Deprecated: Pre-defined IP address of the internal controller service. Used by cloud providers to connect the resulting load balancer service to a pre-existing static IP.
-        # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#loadbalancer
-        loadBalancerIP: ""
-        # -- Restrict access to the internal controller service. Values must be CIDRs. Allows any source address by default.
-        loadBalancerSourceRanges: []
-        # -- Load balancer class of the internal controller service. Used by cloud providers to select a load balancer implementation other than the cloud provider default.
-        # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-class
-        loadBalancerClass: ""
-        # -- Enable node port allocation for the internal controller service or not. Applies to type `LoadBalancer` only.
-        # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#load-balancer-nodeport-allocation
-        # allocateLoadBalancerNodePorts: true
-
-        # -- External traffic policy of the internal controller service. Set to "Local" to preserve source IP on providers supporting it.
-        # Ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
-        externalTrafficPolicy: ""
-        # -- Session affinity of the internal controller service. Must be either "None" or "ClientIP" if set. Defaults to "None".
-        # Ref: https://kubernetes.io/docs/reference/networking/virtual-ips/#session-affinity
-        sessionAffinity: ""
-        # -- Specifies the health check node port (numeric port number) for the internal controller service.
-        # If not specified, the service controller allocates a port from your cluster's node port range.
-        # Ref: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip
-        # healthCheckNodePort: 0
-
-        # -- Traffic distribution policy of the internal controller service. Set to "PreferClose" to route traffic to endpoints that are topologically closer to the client.
-        # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#traffic-distribution
-        trafficDistribution: ""
-        # -- Represents the dual-stack capabilities of the internal controller service. Possible values are SingleStack, PreferDualStack or RequireDualStack.
-        # Fields `ipFamilies` and `clusterIP` depend on the value of this field.
-        # Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services
-        ipFamilyPolicy: SingleStack
-        # -- List of IP families (e.g. IPv4, IPv6) assigned to the internal controller service. This field is usually assigned automatically based on cluster configuration and the `ipFamilyPolicy` field.
-        # Ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services
-        ipFamilies:
-          - IPv4
-        ports: {}
-        # -- Port the internal HTTP listener is published with.
-        # Defaults to the value of `controller.service.ports.http`.
-        # http: 80
-        # -- Port the internal HTTPS listener is published with.
-        # Defaults to the value of `controller.service.ports.https`.
-        # https: 443
-
-        targetPorts: {}
-        # -- Port of the ingress controller the internal HTTP listener is mapped to.
-        # Defaults to the value of `controller.service.targetPorts.http`.
-        # http: http
-        # -- Port of the ingress controller the internal HTTPS listener is mapped to.
-        # Defaults to the value of `controller.service.targetPorts.https`.
-        # https: https
-
-        # -- Declare the app protocol of the internal HTTP and HTTPS listeners or not. Supersedes provider-specific annotations for declaring the backend protocol.
-        # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#application-protocol
-        appProtocol: true
-        nodePorts:
-          # -- Node port allocated for the internal HTTP listener. If left empty, the service controller allocates one from the configured node port range.
-          http: ""
-          # -- Node port allocated for the internal HTTPS listener. If left empty, the service controller allocates one from the configured node port range.
-          https: ""
-          # -- Node port mapping for internal TCP listeners. If left empty, the service controller allocates them from the configured node port range.
-          # Example:
-          # tcp:
-          #   8080: 30080
-          tcp: {}
-          # -- Node port mapping for internal UDP listeners. If left empty, the service controller allocates them from the configured node port range.
-          # Example:
-          # udp:
-          #   53: 30053
-          udp: {}
-    # shareProcessNamespace enables process namespace sharing within the pod.
-    # This can be used for example to signal log rotation using `kill -USR1` from a sidecar.
-    shareProcessNamespace: false
-    # -- Additional containers to be added to the controller pod.
-    # See https://github.com/lemonldap-ng-controller/lemonldap-ng-controller as example.
-    extraContainers: []
-    #  - name: my-sidecar
-    #    image: nginx:latest
-    #  - name: lemonldap-ng-controller
-    #    image: lemonldapng/lemonldap-ng-controller:0.2.0
-    #    args:
-    #      - /lemonldap-ng-controller
-    #      - --alsologtostderr
-    #      - --configmap=$(POD_NAMESPACE)/lemonldap-ng-configuration
-    #    env:
-    #      - name: POD_NAME
-    #        valueFrom:
-    #          fieldRef:
-    #            fieldPath: metadata.name
-    #      - name: POD_NAMESPACE
-    #        valueFrom:
-    #          fieldRef:
-    #            fieldPath: metadata.namespace
-    #    volumeMounts:
-    #    - name: copy-portal-skins
-    #      mountPath: /srv/var/lib/lemonldap-ng/portal/skins
-
-    # -- Additional volumeMounts to the controller main container.
-    extraVolumeMounts: []
-    #  - name: copy-portal-skins
-    #   mountPath: /var/lib/lemonldap-ng/portal/skins
-
-    # -- Additional volumes to the controller pod.
-    extraVolumes: []
-    #  - name: copy-portal-skins
-    #    emptyDir: {}
-
-    # -- Containers, which are run before the app containers are started. Values may contain Helm templates.
-    extraInitContainers: []
-    # - name: init-myservice
-    #   image: busybox
-    #   command: ['sh', '-c', 'until nslookup myservice; do echo waiting for myservice; sleep 2; done;']
-    # - name: init-dynamic
-    #   image: busybox
-    #   command:
-    #     - sh
-    #     - -c
-    #     - echo "Release={{ .Release.Name }} Namespace={{ .Release.Namespace }}"
-
-    # -- Modules, which are mounted into the core nginx image.
-    extraModules: []
-    # - name: mytestmodule
-    #   image:
-    #     # registry: registry.k8s.io
-    #     image: ingress-nginx/mytestmodule
-    #     ## for backwards compatibility consider setting the full image url via the repository value below
-    #     ## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail
-    #     ## repository:
-    #     tag: "v1.0.0"
-    #     digest: ""
-    #     distroless: false
-    #   containerSecurityContext:
-    #     runAsNonRoot: true
-    #     runAsUser: <user-id>
-    #     runAsGroup: <group-id>
-    #     allowPrivilegeEscalation: false
-    #     seccompProfile:
-    #       type: RuntimeDefault
-    #     capabilities:
-    #       drop:
-    #       - ALL
-    #     readOnlyRootFilesystem: true
-    #   resources: {}
-    #
-    # The image must contain a `/usr/local/bin/init_module.sh` executable, which
-    # will be executed as initContainers, to move its config files within the
-    # mounted volume.
-
-    admissionWebhooks:
-      name: admission
-      annotations: {}
-      # ignore-check.kube-linter.io/no-read-only-rootfs: "This deployment needs write access to root filesystem".
-
-      ## Additional annotations to the admission webhooks.
-      ## These annotations will be added to the ValidatingWebhookConfiguration and
-      ## the Jobs Spec of the admission webhooks.
+      # -- The router match rule used for the healthcheck ingressRoute
+      matchRule: PathPrefix(`/ping`)
+      # -- The internal service used for the healthcheck ingressRoute
+      # @default -- ping@internal
+      services:
+        - name: ping@internal
+          kind: TraefikService
+      # -- Specify the allowed entrypoints to use for the healthcheck ingress route, (e.g. traefik, web, websecure).
+      # By default, it's using traefik entrypoint, which is not exposed.
+      entryPoints: ["traefik"]
+      # -- Additional ingressRoute middlewares (e.g. for authentication)
+      middlewares: []
+      # -- TLS options (e.g. secret containing certificate)
+      tls: {}
+  updateStrategy: # @schema additionalProperties: false
+    # -- Customize updateStrategy of Deployment or DaemonSet
+    type: RollingUpdate
+    rollingUpdate:
+      maxUnavailable: 0 # @schema type:[integer, string, null]
+      maxSurge: 1 # @schema type:[integer, string, null]
+  readinessProbe: # @schema additionalProperties: false
+    # -- The number of consecutive failures allowed before considering the probe as failed.
+    failureThreshold: 1
+    # -- The number of seconds to wait before starting the first probe.
+    initialDelaySeconds: 2
+    # -- The number of seconds to wait between consecutive probes.
+    periodSeconds: 10
+    # -- The minimum consecutive successes required to consider the probe successful.
+    successThreshold: 1
+    # -- The number of seconds to wait for a probe response before considering it as failed.
+    timeoutSeconds: 2
+  livenessProbe: # @schema additionalProperties: false
+    # -- The number of consecutive failures allowed before considering the probe as failed.
+    failureThreshold: 3
+    # -- The number of seconds to wait before starting the first probe.
+    initialDelaySeconds: 2
+    # -- The number of seconds to wait between consecutive probes.
+    periodSeconds: 10
+    # -- The minimum consecutive successes required to consider the probe successful.
+    successThreshold: 1
+    # -- The number of seconds to wait for a probe response before considering it as failed.
+    timeoutSeconds: 2
+  # -- Define [Startup Probe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#define-startup-probes)
+  startupProbe: {}
+  # @schema additionalProperties: false
+  providers:
+    # @schema additionalProperties: false
+    kubernetesCRD:
+      # -- Load Kubernetes IngressRoute provider
       enabled: true
-      # -- Additional environment variables to set
-      extraEnvs: []
-      # extraEnvs:
-      #   - name: FOO
-      #     valueFrom:
-      #       secretKeyRef:
-      #         key: FOO
-      #         name: secret-resource
-      # -- Admission Webhook failure policy to use
-      failurePolicy: Fail
-      # timeoutSeconds: 10
-      port: 8443
-      certificate: "/usr/local/certificates/cert"
-      key: "/usr/local/certificates/key"
-      namespaceSelector: {}
-      objectSelector: {}
-      # -- Labels to be added to admission webhooks
-      labels: {}
-      service:
-        annotations: {}
-        # clusterIP: ""
-        externalIPs: []
-        # loadBalancerIP: ""
-        loadBalancerSourceRanges: []
-        servicePort: 443
-        type: ClusterIP
-      createSecretJob:
-        name: create
-        # -- Deadline in seconds for the job to complete. Must be greater than 0 to enforce. If unset or 0, no deadline is enforced.
-        activeDeadlineSeconds: 0
-        # -- Security context for secret creation containers
-        securityContext:
-          runAsNonRoot: true
-          runAsUser: 65532
-          runAsGroup: 65532
-          allowPrivilegeEscalation: false
-          seccompProfile:
-            type: RuntimeDefault
-          capabilities:
-            drop:
-              - ALL
-          readOnlyRootFilesystem: true
-        resources: {}
-        # limits:
-        #   cpu: 10m
-        #   memory: 20Mi
-        # requests:
-        #   cpu: 10m
-        #   memory: 20Mi
-        # -- Volume mounts for secret creation containers
-        volumeMounts: []
-        # - name: certs
-        #   mountPath: /etc/webhook/certs
-        #   readOnly: true
-        # -- Volumes for secret creation pod
-        volumes: []
-        # - name: certs
-        #   secret:
-        #     secretName: my-webhook-secret
-      patchWebhookJob:
-        name: patch
-        # -- Deadline in seconds for the job to complete. Must be greater than 0 to enforce. If unset or 0, no deadline is enforced.
-        activeDeadlineSeconds: 0
-        # -- Security context for webhook patch containers
-        securityContext:
-          runAsNonRoot: true
-          runAsUser: 65532
-          runAsGroup: 65532
-          allowPrivilegeEscalation: false
-          seccompProfile:
-            type: RuntimeDefault
-          capabilities:
-            drop:
-              - ALL
-          readOnlyRootFilesystem: true
-        resources: {}
-        # -- Volume mounts for webhook patch containers
-        volumeMounts: []
-        # - name: certs
-        #   mountPath: /etc/webhook/certs
-        #   readOnly: true
-        # -- Volumes for webhook patch pod
-        volumes: []
-        # - name: certs
-        #   secret:
-        #     secretName: my-webhook-secret
-      patch:
+      # -- Allows IngressRoute to reference resources in namespace other than theirs
+      allowCrossNamespace: false
+      # -- Allows to reference ExternalName services in IngressRoute
+      allowExternalNameServices: false
+      # -- Allows to return 503 when there are no endpoints available
+      allowEmptyServices: true
+      # -- When the parameter is set, only resources containing an annotation with the same value are processed. Otherwise, resources missing the annotation, having an empty value, or the value traefik are processed. It will also set required annotation on Dashboard and Healthcheck IngressRoute when enabled.
+      ingressClass: ""
+      # -- See [upstream documentation](https://doc.traefik.io/traefik/reference/install-configuration/providers/kubernetes/kubernetes-ingress/#opt-providers-kubernetesIngress-labelselector)
+      labelSelector: ""
+      # -- Array of namespaces to watch. If left empty, Traefik watches all namespaces. . When using `rbac.namespaced`, it will watch helm release namespace and namespaces listed in this array.
+      namespaces: []
+      # -- Defines whether to use Native Kubernetes load-balancing mode by default.
+      nativeLBByDefault: false
+    # @schema additionalProperties: false
+    kubernetesIngress:
+      # -- Load Kubernetes Ingress provider
+      enabled: true
+      # -- Allows to reference ExternalName services in Ingress
+      allowExternalNameServices: false
+      # -- Allows to return 503 when there are no endpoints available
+      allowEmptyServices: true
+      # -- Only for Traefik v3.0, Deprecated since v3.1. See [upstream documentation](https://doc.traefik.io/traefik/v3.0/providers/kubernetes-ingress/#disableingressclasslookup)
+      disableIngressClassLookup: false
+      # -- When ingressClass is set, only Ingresses containing an annotation with the same value are processed. Otherwise, Ingresses missing the annotation, having an empty value, or the value traefik are processed.
+      ingressClass: traefik # @schema type:[string, null]
+      labelSelector: # @schema type:[string, null]
+      # -- Array of namespaces to watch. If left empty, Traefik watches all namespaces. . When using `rbac.namespaced`, it will watch helm release namespace and namespaces listed in this array.
+      namespaces: []
+      # IP used for Kubernetes Ingress endpoints
+      publishedService:
+        # -- Enable [publishedService](https://doc.traefik.io/traefik/providers/kubernetes-ingress/#publishedservice),
+        # usually with the Service provided by this Chart. It's possible to use it with an external Service using pathOverride.
         enabled: true
-        image:
-          # registry: registry.k8s.io
-          image: ingress-nginx/kube-webhook-certgen
-          ## for backwards compatibility consider setting the full image url via the repository value below
-          ## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail
-          ## repository:
-          tag: v1.6.4
-          digest: ""
-          pullPolicy: IfNotPresent
-          registry: us-docker.pkg.dev/palette-images-fips/palette/spectro-ingress-nginx-bcfips
-        # -- Provide a priority class name to the webhook patching job
-        ##
-        priorityClassName: ""
-        # -- Instruct the kubelet to use the named RuntimeClass to run the pod
-        runtimeClassName: ""
-        podAnnotations: {}
-        # NetworkPolicy for webhook patch
-        networkPolicy:
-          # -- Enable 'networkPolicy' or not
-          enabled: false
-        nodeSelector:
-          kubernetes.io/os: linux
-        tolerations: []
-        # -- Labels to be added to patch job resources
-        labels: {}
-        # -- Security context for secret creation & webhook patch pods
-        securityContext: {}
-        # -- Admission webhook patch job RBAC
-        rbac:
-          # -- Create RBAC or not
-          create: true
-        # -- Admission webhook patch job service account
-        serviceAccount:
-          # -- Create a service account or not
-          create: true
-          # -- Custom service account name
+        # -- Override path of Kubernetes Service used to copy status from. Format: namespace/servicename.
+        # Default to Service deployed with this Chart.
+        pathOverride: ""
+      # -- Defines whether to use Native Kubernetes load-balancing mode by default.
+      nativeLBByDefault: false
+      # -- Defines whether to make prefix matching strictly comply with the Kubernetes Ingress specification.
+      strictPrefixMatching: false
+    # @schema additionalProperties: false
+    kubernetesGateway:
+      # -- Enable Traefik Gateway provider for Gateway API
+      enabled: false
+      # -- Toggles support for the Experimental Channel resources (Gateway API release channels documentation).
+      # This option currently enables support for TCPRoute and TLSRoute.
+      experimentalChannel: false
+      # -- Array of namespaces to watch. If left empty, Traefik watches all namespaces. . When using `rbac.namespaced`, it will watch helm release namespace and namespaces listed in this array.
+      namespaces: []
+      # -- A label selector can be defined to filter on specific GatewayClass objects only.
+      labelSelector: ""
+      # -- Defines whether to use Native Kubernetes load-balancing mode by default.
+      nativeLBByDefault: false
+      statusAddress:
+        # -- This IP will get copied to the Gateway status.addresses, and currently only supports one IP value (IPv4 or IPv6).
+        ip: ""
+        # -- This Hostname will get copied to the Gateway status.addresses.
+        hostname: ""
+        service:
+          # -- The Kubernetes service to copy status addresses from. When using third parties tools like External-DNS, this option can be used to copy the service loadbalancer.status (containing the service's endpoints IPs) to the gateways. Default to Service of this Chart.
+          enabled: true
           name: ""
-          # -- Auto-mount service account token or not
-          automountServiceAccountToken: true
-      # Use certmanager to generate webhook certs
-      certManager:
+          namespace: ""
+    # @schema additionalProperties: false
+    file:
+      # -- Create a file provider
+      enabled: false
+      # -- Allows Traefik to automatically watch for file changes
+      watch: true
+      # -- File content (YAML format, go template supported) (see https://doc.traefik.io/traefik/providers/file/)
+      content: ""
+    # @schema additionalProperties: false
+    kubernetesIngressNginx:
+      # -- Enable Kubernetes Ingress NGINX provider (experimental)
+      enabled: false
+      # -- Ingress Class Controller value this controller satisfies
+      controllerClass: "k8s.io/ingress-nginx"
+      # -- Name of the ingress class this controller satisfies
+      ingressClass: "nginx"
+      # -- Define if Ingress Controller should watch for Ingress Class by Name together with Controller Class
+      ingressClassByName: false
+      # -- Define if Ingress Controller should also watch for Ingresses without an IngressClass or the annotation specified
+      watchIngressWithoutClass: false
+      # -- Namespace the controller watches for updates to Kubernetes objects. Mutually exclusive with watchNamespaceSelector.
+      watchNamespace: ""
+      # -- Select namespaces the controller watches for updates to Kubernetes objects. Mutually exclusive with watchNamespace.
+      watchNamespaceSelector: ""
+      publishService:
+        # -- Service fronting the Ingress controller. Takes the form 'namespace/name'
         enabled: false
-        # self-signed root certificate
-        rootCert:
-          # default to be 5y
-          duration: ""
-          # -- Revision history limit of the root certificate.
-          # Ref.: https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.CertificateSpec
-          revisionHistoryLimit: 0
-        admissionCert:
-          # default to be 1y
-          duration: ""
-          # -- Revision history limit of the webhook certificate.
-          # Ref.: https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.CertificateSpec
-          revisionHistoryLimit: 0
-          # issuerRef:
-          #   name: "issuer"
-          #   kind: "ClusterIssuer"
-    metrics:
-      port: 10254
-      portName: metrics
-      # if this port is changed, change healthz-port: in extraArgs: accordingly
+        pathOverride: ""
+      # -- Customized address (or addresses, separated by comma) to set as the load-balancer status of Ingress objects this controller satisfies
+      publishStatusAddress: ""
+      # -- Service used to serve HTTP requests not matching any known server name (catch-all). Takes the form 'namespace/name'
+      defaultBackendService: ""
+      # -- Disable support for Services of type ExternalName
+      disableSvcExternalName: false
+      # -- Ingress refresh throttle duration
+      throttleDuration: ""
+      # -- Kubernetes certificate authority file path (not needed for in-cluster client)
+      certAuthFilePath: ""
+      # -- Kubernetes server endpoint (required for external cluster client)
+      endpoint: ""
+      # -- Kubernetes bearer token (not needed for in-cluster client). It accepts either a token value or a file path to the token
+      token: ""
+    # @schema additionalProperties: false
+    knative:
+      # -- Enable Knative provider
       enabled: false
+      # -- Array of namespaces to watch. If left empty, Traefik watches all namespaces. . When using `rbac.namespaced`, it will watch helm release namespace and namespaces listed in this array.
+      namespaces: []
+      # -- Allow filtering Knative Ingress objects
+      labelSelector: ""
+  # -- Add volumes to the traefik pod. The volume name will be passed to tpl.
+  # This can be used to mount a cert pair or a configmap that holds a config.toml file.
+  # After the volume has been mounted, add the configs into traefik by using the `additionalArguments` list below, eg:
+  # `additionalArguments:
+  # - "--providers.file.filename=/config/dynamic.toml"
+  # - "--ping"
+  # - "--ping.entrypoint=web"`
+  volumes: []
+  # - name: public-cert
+  #   mountPath: "/certs"
+  #   type: secret
+  # - name: '{{ printf "%s-configs" .Release.Name }}'
+  #   mountPath: "/config"
+  #   type: configMap
+
+  # -- Additional volumeMounts to add to the Traefik container
+  additionalVolumeMounts: []
+  # -- For instance when using a logshipper for access logs
+  # - name: traefik-logs
+  #   mountPath: /var/log/traefik
+
+  logs:
+    general:
+      # -- Set [logs format](https://doc.traefik.io/traefik/observability/logs/#format)
+      format: # @schema enum:["common", "json", null]; type:[string, null]; default: "common"
+      # By default, the level is set to INFO.
+      # -- Alternative logging levels are TRACE, DEBUG, INFO, WARN, ERROR, FATAL, and PANIC.
+      level: "INFO" # @schema enum:[TRACE,DEBUG,INFO,WARN,ERROR,FATAL,PANIC]; default: "INFO"
+      # -- To write the logs into a log file, use the filePath option.
+      filePath: ""
+      # -- When set to true and format is common, it disables the colorized output.
+      noColor: false
+      otlp:
+        # -- Set to true in order to enable OpenTelemetry on logs. Note that experimental.otlpLogs needs to be enabled.
+        enabled: false
+        # -- Service name used in OTLP backend. Default: traefik.
+        serviceName: # @schema type:[string, null]
+        http:
+          # -- Set to true in order to send logs to the OpenTelemetry Collector using HTTP.
+          enabled: false
+          # -- Format: <scheme>://<host>:<port><path>. Default: https://localhost:4318/v1/logs
+          endpoint: ""
+          # -- Additional headers sent with logs by the reporter to the OpenTelemetry Collector.
+          headers: {}
+          ## Defines the TLS configuration used by the reporter to send logs to the OpenTelemetry Collector.
+          tls:
+            # -- The path to the certificate authority, it defaults to the system bundle.
+            ca: ""
+            # -- The path to the public certificate. When using this option, setting the key option is required.
+            cert: ""
+            # -- The path to the private key. When using this option, setting the cert option is required.
+            key: ""
+            # -- When set to true, the TLS connection accepts any certificate presented by the server regardless of the hostnames it covers.
+            insecureSkipVerify: # @schema type:[boolean, null]
+        grpc:
+          # -- Set to true in order to send logs  to the OpenTelemetry Collector using gRPC
+          enabled: false
+          # -- Format: <host>:<port>. Default: "localhost:4317"
+          endpoint: ""
+          # -- Allows reporter to send logs to the OpenTelemetry Collector without using a secured protocol.
+          insecure: false
+          ## Defines the TLS configuration used by the reporter to send logs to the OpenTelemetry Collector.
+          tls:
+            # -- The path to the certificate authority, it defaults to the system bundle.
+            ca: ""
+            # -- The path to the public certificate. When using this option, setting the key option is required.
+            cert: ""
+            # -- The path to the private key. When using this option, setting the cert option is required.
+            key: ""
+            # -- When set to true, the TLS connection accepts any certificate presented by the server regardless of the hostnames it covers.
+            insecureSkipVerify: # @schema type:[boolean, null]
+        # -- Defines additional resource attributes to be sent to the collector.
+        resourceAttributes: {}
+    access:
+      # -- To enable access logs
+      enabled: false
+      # -- Set [access log format](https://doc.traefik.io/traefik/observability/access-logs/#format)
+      format: # @schema enum:["common", "genericCLF", "json", null]; type:[string, null]; default: "common"
+      # filePath: "/var/log/traefik/access.log
+      # -- Set [bufferingSize](https://doc.traefik.io/traefik/observability/access-logs/#bufferingsize)
+      bufferingSize: # @schema type:[integer, null]
+      # -- Set [timezone](https://doc.traefik.io/traefik/observability/access-logs/#time-zones)
+      timezone: ""
+      # -- Set [filtering](https://docs.traefik.io/observability/access-logs/#filtering)
+      # @default -- See below
+      filters: # @schema additionalProperties: false
+        # -- Set statusCodes, to limit the access logs to requests with a status codes in the specified range
+        statuscodes: ""
+        # -- Set retryAttempts, to keep the access logs when at least one retry has happened
+        retryattempts: false
+        # -- Set minDuration, to keep access logs when requests take longer than the specified duration
+        minduration: ""
+      # -- Enables accessLogs for internal resources. Default: false.
+      addInternals: false
+      fields:
+        general:
+          # -- Set default mode for fields.names
+          defaultmode: keep # @schema enum:[keep, drop, redact]; default: keep
+          # -- Names of the fields to limit.
+          names: {}
+        headers:
+          # -- [Limit logged fields or headers](https://doc.traefik.io/traefik/observability/access-logs/#limiting-the-fieldsincluding-headers)
+          defaultmode: drop # @schema enum:[keep, drop, redact]; default: drop
+          names: {}
+      otlp:
+        # -- Set to true in order to enable OpenTelemetry on access logs. Note that experimental.otlpLogs needs to be enabled.
+        enabled: false
+        # -- Service name used in OTLP backend. Default: traefik.
+        serviceName: # @schema type:[string, null]
+        http:
+          # -- Set to true in order to send access logs to the OpenTelemetry Collector using HTTP.
+          enabled: false
+          # -- Format: <scheme>://<host>:<port><path>. Default: https://localhost:4318/v1/logs
+          endpoint: ""
+          # -- Additional headers sent with access logs by the reporter to the OpenTelemetry Collector.
+          headers: {}
+          ## Defines the TLS configuration used by the reporter to send access logs to the OpenTelemetry Collector.
+          tls:
+            # -- The path to the certificate authority, it defaults to the system bundle.
+            ca: ""
+            # -- The path to the public certificate. When using this option, setting the key option is required.
+            cert: ""
+            # -- The path to the private key. When using this option, setting the cert option is required.
+            key: ""
+            # -- When set to true, the TLS connection accepts any certificate presented by the server regardless of the hostnames it covers.
+            insecureSkipVerify: # @schema type:[boolean, null]
+        grpc:
+          # -- Set to true in order to send access logs to the OpenTelemetry Collector using gRPC
+          enabled: false
+          # -- Format: <host>:<port>. Default: "localhost:4317"
+          endpoint: ""
+          # -- Allows reporter to send access logs to the OpenTelemetry Collector without using a secured protocol.
+          insecure: false
+          ## Defines the TLS configuration used by the reporter to send access logs to the OpenTelemetry Collector.
+          tls:
+            # -- The path to the certificate authority, it defaults to the system bundle.
+            ca: ""
+            # -- The path to the public certificate. When using this option, setting the key option is required.
+            cert: ""
+            # -- The path to the private key. When using this option, setting the cert option is required.
+            key: ""
+            # -- When set to true, the TLS connection accepts any certificate presented by the server regardless of the hostnames it covers.
+            insecureSkipVerify: # @schema type:[boolean, null]
+        # -- Defines additional resource attributes to be sent to the collector.
+        resourceAttributes: {}
+  metrics:
+    # -- Enable metrics for internal resources. Default: false
+    addInternals: false
+    ## Prometheus is enabled by default.
+    ## It can be disabled by setting "prometheus: null"
+    prometheus:
+      # -- Entry point used to expose metrics.
+      entryPoint: metrics
+      # -- Enable metrics on entry points. Default: true
+      addEntryPointsLabels: # @schema type:[boolean, null]
+      # -- Enable metrics on routers. Default: false
+      addRoutersLabels: # @schema type:[boolean, null]
+      # -- Enable metrics on services. Default: true
+      addServicesLabels: # @schema type:[boolean, null]
+      # -- Buckets for latency metrics. Default="0.1,0.3,1.2,5.0"
+      buckets: ""
+      # -- When manualRouting is true, it disables the default internal router in
+      ## order to allow creating a custom router for prometheus@internal service.
+      manualRouting: false
+      # -- Add HTTP header labels to metrics. See EXAMPLES.md or upstream doc for usage.
+      headerLabels: {} # @schema type:[object, null]
       service:
-        # -- Enable the metrics service or not.
-        enabled: true
-        annotations: {}
-        # prometheus.io/scrape: "true"
-        # prometheus.io/port: "10254"
-        # -- Labels to be added to the metrics service resource
+        # -- Create a dedicated metrics service to use with ServiceMonitor
+        enabled: false
         labels: {}
-        # clusterIP: ""
-
-        # -- List of IP addresses at which the stats-exporter service is available
-        ## Ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-ips
-        ##
-        externalIPs: []
-        # loadBalancerIP: ""
-        loadBalancerSourceRanges: []
-        servicePort: 10254
-        type: ClusterIP
-        # externalTrafficPolicy: ""
-        # nodePort: ""
+        annotations: {}
+      # -- When set to true, it won't check if Prometheus Operator CRDs are deployed
+      disableAPICheck: # @schema type:[boolean, null]
       serviceMonitor:
+        # -- Enable optional CR for Prometheus Operator. See EXAMPLES.md for more details.
         enabled: false
+        apiVersion: "monitoring.coreos.com/v1"
+        metricRelabelings: []
+        relabelings: []
+        jobLabel: ""
+        interval: ""
+        honorLabels: false
+        scrapeTimeout: ""
+        honorTimestamps: false
+        enableHttp2: false
+        followRedirects: false
         additionalLabels: {}
-        # -- Annotations to be added to the ServiceMonitor.
-        annotations: {}
-        ## The label to use to retrieve the job name from.
-        ## jobLabel: "app.kubernetes.io/name"
         namespace: ""
         namespaceSelector: {}
-        ## Default: scrape .Release.Namespace or namespaceOverride only
-        ## To scrape all, use the following:
-        ## namespaceSelector:
-        ##   any: true
-        scrapeInterval: 30s
-        # -- Timeout after which the scrape is ended. Not being set if empty and therefore defaults to the global Prometheus scrape timeout.
-        scrapeTimeout: ""
-        # honorLabels: true
-        targetLabels: []
-        relabelings: []
-        metricRelabelings: []
-        # -- Per-scrape limit on number of labels that will be accepted for a sample.
-        labelLimit: 0
-        # -- Per-scrape limit on length of labels name that will be accepted for a sample.
-        labelNameLengthLimit: 0
-        # -- Per-scrape limit on length of labels value that will be accepted for a sample.
-        labelValueLengthLimit: 0
-        # -- Defines a per-scrape limit on the number of scraped samples that will be accepted.
-        sampleLimit: 0
-        # -- Defines a limit on the number of scraped targets that will be accepted.
-        targetLimit: 0
       prometheusRule:
+        # -- Enable optional CR for Prometheus Operator. See EXAMPLES.md for more details.
         enabled: false
+        apiVersion: "monitoring.coreos.com/v1"
         additionalLabels: {}
-        # -- Annotations to be added to the PrometheusRule.
-        annotations: {}
-        # namespace: ""
-        rules: []
-        # # These are just examples rules, please adapt them to your needs
-        # - alert: NGINXConfigFailed
-        #   expr: count(nginx_ingress_controller_config_last_reload_successful == 0) > 0
-        #   for: 1s
-        #   labels:
-        #     severity: critical
-        #   annotations:
-        #     description: bad ingress config - nginx config test failed
-        #     summary: uninstall the latest ingress changes to allow config reloads to resume
-        # # By default a fake self-signed certificate is generated as default and
-        # # it is fine if it expires. If `--default-ssl-certificate` flag is used
-        # # and a valid certificate passed please do not filter for `host` label!
-        # # (i.e. delete `{host!="_"}` so also the default SSL certificate is
-        # # checked for expiration)
-        # - alert: NGINXCertificateExpiry
-        #   expr: (avg(nginx_ingress_controller_ssl_expire_time_seconds{host!="_"}) by (host) - time()) < 604800
-        #   for: 1s
-        #   labels:
-        #     severity: critical
-        #   annotations:
-        #     description: ssl certificate(s) will expire in less then a week
-        #     summary: renew expiring certificates to avoid downtime
-        # - alert: NGINXTooMany500s
-        #   expr: 100 * ( sum( nginx_ingress_controller_requests{status=~"5.+"} ) / sum(nginx_ingress_controller_requests) ) > 5
-        #   for: 1m
-        #   labels:
-        #     severity: warning
-        #   annotations:
-        #     description: Too many 5XXs
-        #     summary: More than 5% of all requests returned 5XX, this requires your attention
-        # - alert: NGINXTooMany400s
-        #   expr: 100 * ( sum( nginx_ingress_controller_requests{status=~"4.+"} ) / sum(nginx_ingress_controller_requests) ) > 5
-        #   for: 1m
-        #   labels:
-        #     severity: warning
-        #   annotations:
-        #     description: Too many 4XXs
-        #     summary: More than 5% of all requests returned 4XX, this requires your attention
-    # -- Improve connection draining when ingress controller pod is deleted using a lifecycle hook:
-    # With this new hook, we increased the default terminationGracePeriodSeconds from 30 seconds
-    # to 300, allowing the draining of connections up to five minutes.
-    # If the active connections end before that, the pod will terminate gracefully at that time.
-    # To effectively take advantage of this feature, the Configmap feature
-    # worker-shutdown-timeout new value is 240s instead of 10s.
-    ##
-    lifecycle:
-      preStop:
-        exec:
-          command:
-            - /wait-shutdown
-    priorityClassName: ""
-  # -- Rollback limit
-  ##
-  revisionHistoryLimit: 10
-  ## Default 404 backend
-  ##
-  defaultBackend:
-    ##
+        namespace: ""
+    #  datadog:
+    #    ## Address instructs exporter to send metrics to datadog-agent at this address.
+    #    address: "127.0.0.1:8125"
+    #    ## The interval used by the exporter to push metrics to datadog-agent. Default=10s
+    #    # pushInterval: 30s
+    #    ## The prefix to use for metrics collection. Default="traefik"
+    #    # prefix: traefik
+    #    ## Enable metrics on entry points. Default=true
+    #    # addEntryPointsLabels: false
+    #    ## Enable metrics on routers. Default=false
+    #    # addRoutersLabels: true
+    #    ## Enable metrics on services. Default=true
+    #    # addServicesLabels: false
+    #  influxdb2:
+    #    ## Address instructs exporter to send metrics to influxdb v2 at this address.
+    #    address: localhost:8086
+    #    ## Token with which to connect to InfluxDB v2.
+    #    token: xxx
+    #    ## Organisation where metrics will be stored.
+    #    org: ""
+    #    ## Bucket where metrics will be stored.
+    #    bucket: ""
+    #    ## The interval used by the exporter to push metrics to influxdb. Default=10s
+    #    # pushInterval: 30s
+    #    ## Additional labels (influxdb tags) on all metrics.
+    #    # additionalLabels:
+    #    #   env: production
+    #    #   foo: bar
+    #    ## Enable metrics on entry points. Default=true
+    #    # addEntryPointsLabels: false
+    #    ## Enable metrics on routers. Default=false
+    #    # addRoutersLabels: true
+    #    ## Enable metrics on services. Default=true
+    #    # addServicesLabels: false
+    #  statsd:
+    #    ## Address instructs exporter to send metrics to statsd at this address.
+    #    address: localhost:8125
+    #    ## The interval used by the exporter to push metrics to influxdb. Default=10s
+    #    # pushInterval: 30s
+    #    ## The prefix to use for metrics collection. Default="traefik"
+    #    # prefix: traefik
+    #    ## Enable metrics on entry points. Default=true
+    #    # addEntryPointsLabels: false
+    #    ## Enable metrics on routers. Default=false
+    #    # addRoutersLabels: true
+    #    ## Enable metrics on services. Default=true
+    #    # addServicesLabels: false
+    otlp:
+      # -- Set to true in order to enable the OpenTelemetry metrics
+      enabled: false
+      # -- Enable metrics on entry points. Default: true
+      addEntryPointsLabels: # @schema type:[boolean, null]
+      # -- Enable metrics on routers. Default: false
+      addRoutersLabels: # @schema type:[boolean, null]
+      # -- Enable metrics on services. Default: true
+      addServicesLabels: # @schema type:[boolean, null]
+      # -- Explicit boundaries for Histogram data points. Default: [.005, .01, .025, .05, .1, .25, .5, 1, 2.5, 5, 10]
+      explicitBoundaries: []
+      # -- Interval at which metrics are sent to the OpenTelemetry Collector. Default: 10s
+      pushInterval: ""
+      # -- Service name used in OTLP backend. Default: traefik.
+      serviceName: # @schema type:[string, null]
+      http:
+        # -- Set to true in order to send metrics to the OpenTelemetry Collector using HTTP.
+        enabled: false
+        # -- Format: <scheme>://<host>:<port><path>. Default: https://localhost:4318/v1/metrics
+        endpoint: ""
+        # -- Additional headers sent with metrics by the reporter to the OpenTelemetry Collector.
+        headers: {}
+        ## Defines the TLS configuration used by the reporter to send metrics to the OpenTelemetry Collector.
+        tls:
+          # -- The path to the certificate authority, it defaults to the system bundle.
+          ca: ""
+          # -- The path to the public certificate. When using this option, setting the key option is required.
+          cert: ""
+          # -- The path to the private key. When using this option, setting the cert option is required.
+          key: ""
+          # -- When set to true, the TLS connection accepts any certificate presented by the server regardless of the hostnames it covers.
+          insecureSkipVerify: # @schema type:[boolean, null]
+      grpc:
+        # -- Set to true in order to send metrics to the OpenTelemetry Collector using gRPC
+        enabled: false
+        # -- Format: <host>:<port>. Default: "localhost:4317"
+        endpoint: ""
+        # -- Allows reporter to send metrics to the OpenTelemetry Collector without using a secured protocol.
+        insecure: false
+        ## Defines the TLS configuration used by the reporter to send metrics to the OpenTelemetry Collector.
+        tls:
+          # -- The path to the certificate authority, it defaults to the system bundle.
+          ca: ""
+          # -- The path to the public certificate. When using this option, setting the key option is required.
+          cert: ""
+          # -- The path to the private key. When using this option, setting the cert option is required.
+          key: ""
+          # -- When set to true, the TLS connection accepts any certificate presented by the server regardless of the hostnames it covers.
+          insecureSkipVerify: # @schema type:[boolean, null]
+      # -- Defines additional resource attributes to be sent to the collector.
+      resourceAttributes: {}
+  ocsp:
+    # -- Enable OCSP stapling support.
+    # See https://doc.traefik.io/traefik/https/ocsp/#overview
     enabled: false
-    name: defaultbackend
-    image:
-      # registry: registry.k8s.io
-      image: defaultbackend-amd64
-      ## for backwards compatibility consider setting the full image url via the repository value below
-      ## use *either* current default registry/image or repository format or installing chart by providing the values.yaml will fail
-      ## repository:
-      tag: "1.5"
-      pullPolicy: IfNotPresent
-      runAsNonRoot: true
-      # nobody user -> uid 65534
-      runAsUser: 65534
-      runAsGroup: 65534
-      allowPrivilegeEscalation: false
-      seccompProfile:
-        type: RuntimeDefault
-      readOnlyRootFilesystem: true
-    extraArgs: {}
-    serviceAccount:
-      create: true
-      name: ""
-      automountServiceAccountToken: true
-    # -- Additional environment variables to set for defaultBackend pods
-    extraEnvs: []
-    port: 8080
-    ## Readiness and liveness probes for default backend
-    ## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/
-    ##
-    livenessProbe:
-      failureThreshold: 3
-      initialDelaySeconds: 30
-      periodSeconds: 10
-      successThreshold: 1
-      timeoutSeconds: 5
-    readinessProbe:
-      failureThreshold: 6
-      initialDelaySeconds: 0
-      periodSeconds: 5
-      successThreshold: 1
-      timeoutSeconds: 5
-    # -- The update strategy to apply to the Deployment or DaemonSet
-    ##
-    updateStrategy: {}
-    #  rollingUpdate:
-    #    maxUnavailable: 1
-    #  type: RollingUpdate
-
-    # -- `minReadySeconds` to avoid killing pods before we are ready
-    ##
-    minReadySeconds: 0
-    # -- Node tolerations for server scheduling to nodes with taints
-    ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
-    ##
-    tolerations: []
-    #  - key: "key"
-    #    operator: "Equal|Exists"
-    #    value: "value"
-    #    effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)"
-
-    # -- Affinity and anti-affinity rules for server scheduling to nodes
-    ## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
-    affinity: {}
-    # # An example of preferred pod anti-affinity, weight is in the range 1-100
-    # podAntiAffinity:
-    #   preferredDuringSchedulingIgnoredDuringExecution:
-    #   - weight: 100
-    #     podAffinityTerm:
-    #       labelSelector:
-    #         matchExpressions:
-    #         - key: app.kubernetes.io/name
-    #           operator: In
-    #           values:
-    #           - '{{ include "ingress-nginx.name" . }}'
-    #         - key: app.kubernetes.io/instance
-    #           operator: In
-    #           values:
-    #           - '{{ .Release.Name }}'
-    #         - key: app.kubernetes.io/component
-    #           operator: In
-    #           values:
-    #           - default-backend
-    #       topologyKey: kubernetes.io/hostname
-
-    # # An example of required pod anti-affinity
-    # podAntiAffinity:
-    #   requiredDuringSchedulingIgnoredDuringExecution:
-    #   - labelSelector:
-    #       matchExpressions:
-    #       - key: app.kubernetes.io/name
-    #         operator: In
-    #         values:
-    #         - '{{ include "ingress-nginx.name" . }}'
-    #       - key: app.kubernetes.io/instance
-    #         operator: In
-    #         values:
-    #         - '{{ .Release.Name }}'
-    #       - key: app.kubernetes.io/component
-    #         operator: In
-    #         values:
-    #         - default-backend
-    #     topologyKey: kubernetes.io/hostname
-
-    # -- Topology spread constraints rely on node labels to identify the topology domain(s) that each Node is in.
-    # Ref.: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
-    topologySpreadConstraints: []
-    # - labelSelector:
-    #     matchLabels:
-    #       app.kubernetes.io/name: '{{ include "ingress-nginx.name" . }}'
-    #       app.kubernetes.io/instance: '{{ .Release.Name }}'
-    #       app.kubernetes.io/component: default-backend
-    #   matchLabelKeys:
-    #   - pod-template-hash
-    #   topologyKey: topology.kubernetes.io/zone
-    #   maxSkew: 1
-    #   whenUnsatisfiable: ScheduleAnyway
-    # - labelSelector:
-    #     matchLabels:
-    #       app.kubernetes.io/name: '{{ include "ingress-nginx.name" . }}'
-    #       app.kubernetes.io/instance: '{{ .Release.Name }}'
-    #       app.kubernetes.io/component: default-backend
-    #   matchLabelKeys:
-    #   - pod-template-hash
-    #   topologyKey: kubernetes.io/hostname
-    #   maxSkew: 1
-    #   whenUnsatisfiable: ScheduleAnyway
-    # -- Security context for default backend pods
-    podSecurityContext: {}
-    # -- Security context for default backend containers
-    containerSecurityContext: {}
-    # -- Labels to add to the pod container metadata
-    podLabels: {}
-    #  key: value
-
-    # -- Node labels for default backend pod assignment
-    ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/
-    ##
-    nodeSelector:
-      kubernetes.io/os: linux
-    # -- Annotations to be added to default backend pods
-    ##
-    podAnnotations: {}
-    replicaCount: 1
-    # -- Minimum available pods set in PodDisruptionBudget.
-    # Define either 'minAvailable' or 'maxUnavailable', never both.
-    minAvailable: 1
-    # -- Maximum unavailable pods set in PodDisruptionBudget. If set, 'minAvailable' is ignored.
-    # maxUnavailable: 1
-    # -- Eviction policy for unhealthy pods guarded by PodDisruptionBudget.
-    # Ref: https://kubernetes.io/blog/2023/01/06/unhealthy-pod-eviction-policy-for-pdbs/
-    unhealthyPodEvictionPolicy: ""
-    resources: {}
-    # limits:
-    #   cpu: 10m
-    #   memory: 20Mi
-    # requests:
-    #   cpu: 10m
-    #   memory: 20Mi
-
-    extraVolumeMounts: []
-    ## Additional volumeMounts to the default backend container.
-    #  - name: copy-portal-skins
-    #   mountPath: /var/lib/lemonldap-ng/portal/skins
-
-    extraVolumes: []
-    ## Additional volumes to the default backend pod.
-    #  - name: copy-portal-skins
-    #    emptyDir: {}
-
-    extraConfigMaps: []
-    ## Additional configmaps to the default backend pod.
-    #  - name: my-extra-configmap-1
-    #    labels:
-    #      type: config-1
-    #    data:
-    #      extra_file_1.html: |
-    #        <!-- Extra HTML content for ConfigMap 1 -->
-    #  - name: my-extra-configmap-2
-    #    labels:
-    #      type: config-2
-    #    data:
-    #      extra_file_2.html: |
-    #        <!-- Extra HTML content for ConfigMap 2 -->
-
-    autoscaling:
-      annotations: {}
+    # -- Defines the OCSP responder URLs to use instead of the one provided by the certificate.
+    responderOverrides: {}
+  ## Tracing
+  # -- https://doc.traefik.io/traefik/observability/tracing/overview/
+  # @default -- See _values.yaml_
+  tracing: # @schema additionalProperties: false
+    # -- Enables tracing for internal resources. Default: false.
+    addInternals: false
+    # -- Service name used in selected backend. Default: traefik.
+    serviceName: # @schema type:[string, null]
+    # -- Defines additional resource attributes to be sent to the collector.
+    resourceAttributes: {}
+    # -- Defines the list of request headers to add as attributes. It applies to client and server kind spans.
+    capturedRequestHeaders: []
+    # -- Defines the list of response headers to add as attributes. It applies to client and server kind spans.
+    capturedResponseHeaders: []
+    # -- By default, all query parameters are redacted. Defines the list of query parameters to not redact.
+    safeQueryParams: []
+    # -- The proportion of requests to trace, specified between 0.0 and 1.0. Default: 1.0.
+    sampleRate: # @schema type:[number, null]; minimum:0; maximum:1
+    otlp:
+      # -- See https://doc.traefik.io/traefik/v3.0/observability/tracing/opentelemetry/
       enabled: false
-      minReplicas: 1
-      maxReplicas: 2
-      targetCPUUtilizationPercentage: 50
-      targetMemoryUtilizationPercentage: 50
-    # NetworkPolicy for default backend component.
-    networkPolicy:
-      # -- Enable 'networkPolicy' or not
+      http:
+        # -- Set to true in order to send metrics to the OpenTelemetry Collector using HTTP.
+        enabled: false
+        # -- Format: <scheme>://<host>:<port><path>. Default: https://localhost:4318/v1/tracing
+        endpoint: ""
+        # -- Additional headers sent with metrics by the reporter to the OpenTelemetry Collector.
+        headers: {}
+        ## Defines the TLS configuration used by the reporter to send metrics to the OpenTelemetry Collector.
+        tls:
+          # -- The path to the certificate authority, it defaults to the system bundle.
+          ca: ""
+          # -- The path to the public certificate. When using this option, setting the key option is required.
+          cert: ""
+          # -- The path to the private key. When using this option, setting the cert option is required.
+          key: ""
+          # -- When set to true, the TLS connection accepts any certificate presented by the server regardless of the hostnames it covers.
+          insecureSkipVerify: # @schema type:[boolean, null]
+      grpc:
+        # -- Set to true in order to send metrics to the OpenTelemetry Collector using gRPC
+        enabled: false
+        # -- Format: <host>:<port>. Default: "localhost:4317"
+        endpoint: ""
+        # -- Allows reporter to send metrics to the OpenTelemetry Collector without using a secured protocol.
+        insecure: false
+        ## Defines the TLS configuration used by the reporter to send metrics to the OpenTelemetry Collector.
+        tls:
+          # -- The path to the certificate authority, it defaults to the system bundle.
+          ca: ""
+          # -- The path to the public certificate. When using this option, setting the key option is required.
+          cert: ""
+          # -- The path to the private key. When using this option, setting the cert option is required.
+          key: ""
+          # -- When set to true, the TLS connection accepts any certificate presented by the server regardless of the hostnames it covers.
+          insecureSkipVerify: # @schema type:[boolean, null]
+  global:
+    checkNewVersion: true
+    # -- Please take time to consider whether or not you wish to share anonymous data with us
+    # See https://doc.traefik.io/traefik/contributing/data-collection/
+    sendAnonymousUsage: false
+    # -- Required for Azure Marketplace integration.
+    # See https://learn.microsoft.com/en-us/partner-center/marketplace-offers/azure-container-technical-assets-kubernetes?tabs=linux,linux2#update-the-helm-chart
+    # @default -- See _values.yaml_
+    azure:
       enabled: false
-    service:
-      annotations: {}
-      # clusterIP: ""
-      # -- Pre-defined cluster internal IP addresses of the default backend service. Take care of collisions with existing services.
-      # This value is immutable. Set once, it can not be changed without deleting and re-creating the service.
-      # Ref: https://kubernetes.io/docs/concepts/services-networking/service/#choosing-your-own-ip-address
-      clusterIPs: []
-      # -- List of IP addresses at which the default backend service is available
-      ## Ref: https://kubernetes.io/docs/concepts/services-networking/service/#external-ips
-      ##
-      externalIPs: []
-      # loadBalancerIP: ""
-      loadBalancerSourceRanges: []
-      servicePort: 80
-      type: ClusterIP
-    priorityClassName: ""
-    # -- Instruct the kubelet to use the named RuntimeClass to run the pod
-    runtimeClassName: ""
-    # -- Labels to be added to the default backend resources
+      images:
+        proxy:
+          image: traefik
+          tag: latest
+          registry: docker.io/library
+        hub:
+          image: traefik-hub
+          tag: latest
+          registry: ghcr.io/traefik
+  # -- Additional arguments to be passed at Traefik's binary
+  # See [CLI Reference](https://docs.traefik.io/reference/static-configuration/cli/)
+  # Use curly braces to pass values: `helm install --set="additionalArguments={--providers.kubernetesingress.ingressclass=traefik-internal,--log.level=DEBUG}"`
+  additionalArguments: []
+  #  - "--providers.kubernetesingress.ingressclass=traefik-internal"
+  #  - "--log.level=DEBUG"
+
+  # -- Additional Environment variables to be passed to Traefik's binary
+  env: []
+  # -- Environment variables to be passed to Traefik's binary from configMaps or secrets
+  envFrom: []
+  # @schema mergeProperties: true
+  ports:
+    # @schema additionalProperties: false
+    traefik:
+      port: 8080
+      # -- Use hostPort if set.
+      hostPort: # @schema type:[integer, null]; minimum:0
+      # -- Use hostIP if set. If not set, Kubernetes will default to 0.0.0.0, which
+      # means it's listening on all your interfaces and all your IPs. You may want
+      # to set this value if you need traefik to listen on specific interface
+      # only.
+      hostIP: # @schema type:[string, null]
+      # Defines whether the port is exposed if service.type is LoadBalancer or
+      # NodePort.
+      #
+      # -- You SHOULD NOT expose the traefik port on production deployments.
+      # If you want to access it from outside your cluster,
+      # use `kubectl port-forward` or create a secure ingress
+      expose:
+        default: false
+      # -- The exposed port for this service
+      exposedPort: 8080
+      # -- The port protocol (TCP/UDP)
+      protocol: TCP
+      observability: # @schema additionalProperties: false
+        # -- Defines whether a router attached to this EntryPoint produces metrics by default.
+        metrics: # @schema type:[boolean, null]; default: true
+        # -- Defines whether a router attached to this EntryPoint produces access-logs by default.
+        accessLogs: # @schema type:[boolean, null]; default: true
+        # -- Defines whether a router attached to this EntryPoint produces traces by default.
+        tracing: # @schema type:[boolean, null]; default: true
+        # -- Defines the tracing verbosity level for routers attached to this EntryPoint.
+        traceVerbosity: # @schema enum:[minimal, detailed, null]; type:[string, null]; default: minimal
+    web:
+      ## -- Enable this entrypoint as a default entrypoint. When a service doesn't explicitly set an entrypoint it will only use this entrypoint.
+      asDefault: # @schema type: [boolean, null]; default: null
+      port: 8000
+      # hostPort: 8000
+      # containerPort: 8000
+      expose:
+        default: true
+      exposedPort: 80
+      ## -- Different target traefik port on the cluster, useful for IP type LB
+      targetPort: # @schema type:[string, integer, null]; minimum:0
+      # The port protocol (TCP/UDP)
+      protocol: TCP
+      # -- See [upstream documentation](https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport)
+      nodePort: # @schema type:[integer, null]; minimum:0
+      http:
+        redirections:
+          # -- Port Redirections
+          # Added in 2.2, one can make permanent redirects via entrypoints.
+          # Same sets of parameters: to, scheme, permanent and priority.
+          # https://doc.traefik.io/traefik/reference/install-configuration/entrypoints/#configuration-example
+          entryPoint: {}
+      forwardedHeaders:
+        # -- Trust forwarded headers information (X-Forwarded-*).
+        trustedIPs: []
+        insecure: true
+      proxyProtocol:
+        # -- Enable the Proxy Protocol header parsing for the entry point
+        trustedIPs: []
+        insecure: false
+      # -- Set transport settings for the entrypoint; see also
+      # https://doc.traefik.io/traefik/routing/entrypoints/#transport
+      # @default -- nil
+      transport:
+        respondingTimeouts:
+          readTimeout: # @schema type:[string, integer, null]
+          writeTimeout: # @schema type:[string, integer, null]
+          idleTimeout: # @schema type:[string, integer, null]
+        lifeCycle:
+          requestAcceptGraceTimeout: # @schema type:[string, integer, null]
+          graceTimeOut: # @schema type:[string, integer, null]
+        keepAliveMaxRequests: # @schema type:[integer, null]; minimum:0
+        keepAliveMaxTime: # @schema type:[string, integer, null]
+      observability: # @schema additionalProperties: false
+        # -- Enables metrics for this entryPoint.
+        metrics: # @schema type:[boolean, null]; default: true
+        # -- Enables access-logs for this entryPoint.
+        accessLogs: # @schema type:[boolean, null]; default: true
+        # -- Enables tracing for this entryPoint.
+        tracing: # @schema type:[boolean, null]; default: true
+        # -- Defines the tracing verbosity level for this entryPoint.
+        traceVerbosity: # @schema enum:[minimal, detailed, null]; type:[string, null]; default: minimal
+    websecure:
+      ## -- Enable this entrypoint as a default entrypoint. When a service doesn't explicitly set an entrypoint it will only use this entrypoint.
+      # asDefault: true
+      port: 8443
+      hostPort: # @schema type:[integer, null]; minimum:0
+      containerPort: # @schema type:[integer, null]; minimum:0
+      expose:
+        default: true
+      exposedPort: 443
+      ## -- Different target traefik port on the cluster, useful for IP type LB
+      targetPort: web # @schema type:[string, integer, null]; minimum:0
+      ## -- The port protocol (TCP/UDP)
+      protocol: TCP
+      # -- See [upstream documentation](https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport)
+      nodePort: # @schema type:[integer, null]; minimum:0
+      # -- See [upstream documentation](https://kubernetes.io/docs/concepts/services-networking/service/#application-protocol)
+      appProtocol: # @schema type:[string, null]
+      # -- See [upstream documentation](https://doc.traefik.io/traefik/routing/entrypoints/#allowacmebypass)
+      allowACMEByPass: false
+      http:
+        # -- See [upstream documentation](https://doc.traefik.io/traefik/security/request-path/#encoded-character-filtering)
+        # @default -- nil
+        encodedCharacters: # @schema additionalProperties: false
+          allowEncodedSlash: # @schema type:[boolean, null]
+          allowEncodedBackSlash: # @schema type:[boolean, null]
+          allowEncodedNullCharacter: # @schema type:[boolean, null]
+          allowEncodedSemicolon: # @schema type:[boolean, null]
+          allowEncodedPercent: # @schema type:[boolean, null]
+          allowEncodedQuestionMark: # @schema type:[boolean, null]
+          allowEncodedHash: # @schema type:[boolean, null]
+        # -- Maximum size of request headers in bytes. Default: 1048576 (1 MB)
+        maxHeaderBytes: # @schema type:[integer, null]; minimum:0
+        # -- See [upstream documentation](https://doc.traefik.io/traefik/reference/install-configuration/entrypoints/#httpmiddlewares)
+        middlewares: [] # @schema type: [array, null]
+        # -- See [upstream documentation](https://doc.traefik.io/traefik/security/request-path/#path-sanitization)
+        sanitizePath: # @schema type:[boolean, null]
+        tls:
+          # -- See [upstream documentation](https://doc.traefik.io/traefik/reference/install-configuration/entrypoints/#opt-http-tls)
+          # @default -- true
+          enabled: true
+          options: ""
+          certResolver: ""
+          domains: []
+      http3:
+        ## -- Enable HTTP/3 on the entrypoint
+        ## Enabling it will also enable http3 experimental feature
+        ## https://doc.traefik.io/traefik/routing/entrypoints/#http3
+        ## There are known limitations when trying to listen on same ports for
+        ## TCP & UDP (Http3). There is a workaround in this chart using dual Service.
+        ## https://github.com/kubernetes/kubernetes/issues/47249#issuecomment-587960741
+        enabled: false
+        advertisedPort: # @schema type:[integer, null]; minimum:0
+      forwardedHeaders:
+        # -- Trust forwarded headers information (X-Forwarded-*).
+        trustedIPs: []
+        insecure: true
+      proxyProtocol:
+        # -- Enable the Proxy Protocol header parsing for the entry point
+        trustedIPs: []
+        insecure: false
+      # -- See [upstream documentation](https://doc.traefik.io/traefik/routing/entrypoints/#transport)
+      # @default -- nil
+      transport:
+        respondingTimeouts:
+          readTimeout: # @schema type:[string, integer, null]
+          writeTimeout: # @schema type:[string, integer, null]
+          idleTimeout: # @schema type:[string, integer, null]
+        lifeCycle:
+          requestAcceptGraceTimeout: # @schema type:[string, integer, null]
+          graceTimeOut: # @schema type:[string, integer, null]
+        keepAliveMaxRequests: # @schema type:[integer, null]; minimum:0
+        keepAliveMaxTime: # @schema type:[string, integer, null]
+      observability: # @schema additionalProperties: false
+        # -- Enables metrics for this entryPoint.
+        metrics: # @schema type:[boolean, null]; default: true
+        # -- Enables access-logs for this entryPoint.
+        accessLogs: # @schema type:[boolean, null]; default: true
+        # -- Enables tracing for this entryPoint.
+        tracing: # @schema type:[boolean, null]; default: true
+        # -- Defines the tracing verbosity level for this entryPoint.
+        traceVerbosity: # @schema enum:[minimal, detailed, null]; type:[string, null]; default: minimal
+    metrics:
+      # -- When using hostNetwork, use another port to avoid conflict with node exporter:
+      # https://github.com/prometheus/prometheus/wiki/Default-port-allocations
+      port: 9100
+      # -- You may not want to expose the metrics port on production deployments.
+      # If you want to access it from outside your cluster,
+      # use `kubectl port-forward` or create a secure ingress
+      expose:
+        default: false
+      # -- The exposed port for this service
+      exposedPort: 9100
+      # -- The port protocol (TCP/UDP)
+      protocol: TCP
+      observability: # @schema additionalProperties: false
+        # -- Enables metrics for this entryPoint.
+        metrics: # @schema type:[boolean, null]; default: true
+        # -- Enables access-logs for this entryPoint.
+        accessLogs: # @schema type:[boolean, null]; default: true
+        # -- Enables tracing for this entryPoint.
+        tracing: # @schema type:[boolean, null]; default: true
+        # -- Defines the tracing verbosity level for this entryPoint.
+        traceVerbosity: # @schema enum:[minimal, detailed, null]; type:[string, null]; default: minimal
+  # -- TLS Options are created as [TLSOption CRDs](https://doc.traefik.io/traefik/https/tls/#tls-options)
+  # When using `labelSelector`, you'll need to set labels on tlsOption accordingly.
+  # See EXAMPLE.md for details.
+  tlsOptions: {}
+  # -- TLS Store are created as [TLSStore CRDs](https://doc.traefik.io/traefik/https/tls/#default-certificate). This is useful if you want to set a default certificate. See EXAMPLE.md for details.
+  tlsStore: {}
+  service:
+    enabled: true
+    ## -- Single service is using `MixedProtocolLBService` feature gate.
+    ## -- When set to false, it will create two Service, one for TCP and one for UDP.
+    single: true
+    type: LoadBalancer
+    # -- Additional annotations applied to both TCP and UDP services (e.g. for cloud provider specific config)
+    annotations: {}
+    # -- Additional annotations for TCP service only
+    annotationsTCP: {}
+    # -- Additional annotations for UDP service only
+    annotationsUDP: {}
+    # -- Additional service labels (e.g. for filtering Service by custom labels)
     labels: {}
-  ## Enable RBAC as per https://github.com/kubernetes/ingress-nginx/blob/main/docs/deploy/rbac.md and https://github.com/kubernetes/ingress-nginx/issues/266
-  rbac:
-    create: true
-    scope: false
-  serviceAccount:
-    create: true
-    name: ""
-    automountServiceAccountToken: true
-    # -- Annotations for the controller service account
+    # -- Additional entries here will be added to the service spec.
+    # -- Cannot contain type, selector or ports entries.
+    spec: {}
+    # externalTrafficPolicy: Cluster
+    # loadBalancerIP: "1.2.3.4"
+    # clusterIP: "2.3.4.5"
+    loadBalancerSourceRanges: []
+    # - 192.168.0.1/32
+    # - 172.16.0.0/16
+    ## -- Class of the load balancer implementation
+    # loadBalancerClass: service.k8s.aws/nlb
+    externalIPs: []
+    # - 1.2.3.4
+    ## One of SingleStack, PreferDualStack, or RequireDualStack.
+    # ipFamilyPolicy: SingleStack
+    ## List of IP families (e.g. IPv4 and/or IPv6).
+    ## ref: https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services
+    # ipFamilies:
+    #   - IPv4
+    #   - IPv6
+    ##
+    additionalServices: {}
+    ## -- An additional and optional internal Service.
+    ## Same parameters as external Service
+    # internal:
+    #   type: ClusterIP
+    #   # labels: {}
+    #   # annotations: {}
+    #   # spec: {}
+    #   # loadBalancerSourceRanges: []
+    #   # externalIPs: []
+    #   # ipFamilies: [ "IPv4","IPv6" ]
+  autoscaling: # @schema additionalProperties: false
+    # -- Create HorizontalPodAutoscaler object.
+    # See EXAMPLES.md for more details.
+    enabled: false
+    # -- minReplicas is the lower limit for the number of replicas to which the autoscaler can scale down. It defaults to 1 pod.
+    minReplicas: # @schema type:[integer, null]; minimum:0
+    # -- maxReplicas is the upper limit for the number of pods that can be set by the autoscaler; cannot be smaller than MinReplicas.
+    maxReplicas: # @schema type:[integer, null]; minimum:0
+    # -- metrics contains the specifications for which to use to calculate the desired replica count (the maximum replica count across all metrics will be used).
+    metrics: []
+    # -- behavior configures the scaling behavior of the target in both Up and Down directions (scaleUp and scaleDown fields respectively).
+    behavior: {}
+    # -- scaleTargetRef points to the target resource to scale, and is used for the pods for which metrics should be collected, as well as to actually change the replica count.
+    # @default -- Traefik Deployment
+    scaleTargetRef:
+      apiVersion: apps/v1
+      kind: Deployment
+      name: "{{ template \"traefik.fullname\" . }}"
+  persistence:
+    # -- Enable persistence using Persistent Volume Claims
+    # ref: http://kubernetes.io/docs/user-guide/persistent-volumes/.
+    # It can be used to store TLS certificates along with `certificatesResolvers.<name>.acme.storage`  option
+    enabled: false
+    name: data
+    existingClaim: ""
+    accessMode: ReadWriteOnce
+    size: 128Mi
+    storageClass: # @schema type:[string, null]
+    volumeName: ""
+    path: /data
     annotations: {}
-  # -- Optional array of imagePullSecrets containing private registry credentials
-  ## Ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
-  imagePullSecrets: []
-  # - name: secretName
-
-  # -- TCP service key-value pairs
-  ## Ref: https://github.com/kubernetes/ingress-nginx/blob/main/docs/user-guide/exposing-tcp-udp-services.md
-  ##
-  tcp: {}
-  #  "8080": "default/example-tcp-svc:9000"
-
-  # -- UDP service key-value pairs
-  ## Ref: https://github.com/kubernetes/ingress-nginx/blob/main/docs/user-guide/exposing-tcp-udp-services.md
-  ##
-  udp: {}
-  #  "53": "kube-system/kube-dns:53"
-
-  # -- Prefix for TCP and UDP ports names in ingress controller service
-  ## Some cloud providers, like Yandex Cloud may have a requirements for a port name regex to support cloud load balancer integration
-  portNamePrefix: ""
-  # -- (string) A base64-encoded Diffie-Hellman parameter.
-  # This can be generated with: `openssl dhparam 4096 2> /dev/null | base64`
-  ## Ref: https://github.com/kubernetes/ingress-nginx/tree/main/docs/examples/customization/ssl-dh-param
-  dhParam: ""
-  # Placeholder values.yaml for mural-lib chart to appease chart testing (ct)
-
-  fullnameOverride: ingress-nginx
-  namespace: ingress-nginx
+    # -- Only mount a subpath of the Volume into the pod
+    subPath: ""
+  # -- Certificates resolvers configuration.
+  # Ref: https://doc.traefik.io/traefik/https/acme/#certificate-resolvers
+  # See EXAMPLES.md for more details.
+  certificatesResolvers: {}
+  # -- If hostNetwork is true, runs traefik in the host network namespace
+  # To prevent unschedulable pods due to port collisions, if hostNetwork=true
+  # and replicas>1, a pod anti-affinity is recommended and will be set if the
+  # affinity is left as default.
+  hostNetwork: false
+  rbac: # @schema additionalProperties: false
+    # -- Whether Role Based Access Control objects like roles and rolebindings should be created
+    enabled: true
+    # When set to true:
+    # 1. It switches respectively the use of `ClusterRole` and `ClusterRoleBinding` to `Role` and `RoleBinding`.
+    # 2. It adds `disableIngressClassLookup` on Kubernetes Ingress with Traefik Proxy v3 until v3.1.4
+    # 3. It adds `disableClusterScopeResources` on Ingress and CRD (Kubernetes) providers with Traefik Proxy v3.1.2+
+    # **NOTE**: `IngressClass`, `NodePortLB` and **Gateway** provider cannot be used with namespaced RBAC.
+    # See [upstream documentation](https://doc.traefik.io/traefik/providers/kubernetes-ingress/#disableclusterscoperesources) for more details.
+    namespaced: false
+    # Enable user-facing roles
+    # https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles
+    aggregateTo: []
+  # -- Enable to create a PodSecurityPolicy and assign it to the Service Account via RoleBinding or ClusterRoleBinding
+  podSecurityPolicy:
+    enabled: false
+  # -- The service account the pods will use to interact with the Kubernetes API
+  serviceAccount: # @schema additionalProperties: false
+    # If set, an existing service account is used
+    # If not set, a service account is created automatically using the fullname template
+    name: ""
+  # -- Additional serviceAccount annotations (e.g. for oidc authentication)
+  serviceAccountAnnotations: {}
+  # -- [Resources](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) for `traefik` container.
+  resources: {}
+  # -- This example pod anti-affinity forces the scheduler to put traefik pods
+  # -- on nodes where no other traefik pods are scheduled.
+  # It should be used when hostNetwork: true to prevent port conflicts
+  affinity: {}
+  #  podAntiAffinity:
+  #    requiredDuringSchedulingIgnoredDuringExecution:
+  #      - labelSelector:
+  #          matchLabels:
+  #            app.kubernetes.io/name: '{{ template "traefik.name" . }}'
+  #            app.kubernetes.io/instance: '{{ .Release.Name }}-{{ include "traefik.namespace" . }}'
+  #        topologyKey: kubernetes.io/hostname
+
+  # -- nodeSelector is the simplest recommended form of node selection constraint.
+  nodeSelector: {}
+  # -- Tolerations allow the scheduler to schedule pods with matching taints.
+  tolerations: []
+  # -- You can use topology spread constraints to control
+  # how Pods are spread across your cluster among failure-domains.
+  topologySpreadConstraints: []
+  # This example topologySpreadConstraints forces the scheduler to put traefik pods
+  # on nodes where no other traefik pods are scheduled.
+  #  - labelSelector:
+  #      matchLabels:
+  #        app.kubernetes.io/name: '{{ template "traefik.name" . }}'
+  #    maxSkew: 1
+  #    topologyKey: kubernetes.io/hostname
+  #    whenUnsatisfiable: DoNotSchedule
+
+  # -- [Pod Priority and Preemption](https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/)
+  priorityClassName: ""
+  # -- [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1)
+  # @default -- See _values.yaml_
+  securityContext:
+    allowPrivilegeEscalation: false
+    capabilities:
+      drop: [ALL]
+    readOnlyRootFilesystem: true
+  # -- [Pod Security Context](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context)
+  # @default -- See _values.yaml_
+  podSecurityContext:
+    runAsGroup: 65532
+    runAsNonRoot: true
+    runAsUser: 65532
+    seccompProfile:
+      type: RuntimeDefault
+  #
+  # -- Extra objects to deploy (value evaluated as a template)
+  #
+  # In some cases, it can avoid the need for additional, extended or adhoc deployments.
+  # See #595 for more details and traefik/tests/values/extra.yaml for example.
+  extraObjects: []
+  # -- This field overrides the default Release Namespace for Helm.
+  # It will not affect optional CRDs such as `ServiceMonitor` and `PrometheusRules`
+  namespaceOverride: ""
+  # -- This field overrides the default app.kubernetes.io/instance label for all Objects.
+  instanceLabelOverride: ""
+  # -- This field overrides the default version extracted from image.tag
+  versionOverride: ""
+  # -- overrides the app.kubernetes.io/name label
+  nameOverride: ""
+  # -- Overrides the resource name for templates (i.e deployment, service, etc..)
+  fullnameOverride: ""
+  # Traefik Hub configuration. See https://doc.traefik.io/traefik-hub/
+  hub:
+    # -- Name of `Secret` with key 'token' set to a valid license token.
+    # It enables API Gateway.
+    token: ""
+    # -- Disables all external network connections.
+    offline: # @schema type:[boolean, null]
+    # -- By default, Traefik Hub provider watches all namespaces. When using `rbac.namespaced`, it will watch helm release namespace and namespaces listed in this array.
+    namespaces: [] # @schema required:true
+    apimanagement:
+      # -- Set to true in order to enable API Management. Requires a valid license token.
+      enabled: false
+      admission:
+        # -- WebHook admission server listen address. Default: "0.0.0.0:9943".
+        listenAddr: ""
+        # -- Certificate name of the WebHook admission server. Default: "hub-agent-cert".
+        secretName: "hub-agent-cert"
+        # -- By default, this chart handles directly the tls certificate required for the admission webhook. It's possible to disable this behavior and handle it outside of the chart. See EXAMPLES.md for more details.
+        selfManagedCertificate: false
+        # -- Set custom certificate for the WebHook admission server. The certificate should be specified with _tls.crt_ and _tls.key_ in base64 encoding.
+        customWebhookCertificate: {}
+        # -- Set it to false if you need to disable Traefik Hub pod restart when mutating webhook certificate is updated. It's done with a label update.
+        restartOnCertificateChange: true
+        # -- Set custom annotations.
+        annotations: {}
+      openApi:
+        # -- When set to true, it will only accept paths and methods that are explicitly defined in its OpenAPI specification
+        validateRequestMethodAndPath: false
+    mcpgateway:
+      # -- Set to true in order to enable AI MCP Gateway. Requires a valid license token.
+      enabled: false
+      # -- Hard limit for the size of request bodies inspected by the gateway. Accepts a plain integer representing **bytes**. The default value is `1048576` (1 MiB).
+      maxRequestBodySize: # @schema type:[integer, null]; minimum:0
+    aigateway:
+      # -- Set to true in order to enable AI Gateway. Requires a valid license token.
+      enabled: false
+      # -- Hard limit for the size of request bodies inspected by the gateway. Accepts a plain integer representing **bytes**. The default value is `1048576` (1 MiB).
+      maxRequestBodySize: # @schema type:[integer, null]; minimum:0
+    providers:
+      consulCatalogEnterprise:
+        # -- Enable Consul Catalog Enterprise backend with default settings.
+        enabled: false
+        # -- Use local agent caching for catalog reads.
+        cache: false
+        # -- Enable Consul Connect support.
+        connectAware: false
+        # -- Consider every service as Connect capable by default.
+        connectByDefault: false
+        # -- Constraints is an expression that Traefik matches against the container's labels
+        constraints: ""
+        # -- Default rule.
+        defaultRule: "Host(`{{ normalize .Name }}`)"
+        endpoint:
+          # -- The address of the Consul server
+          address: ""
+          # -- Data center to use. If not provided, the default agent data center is used
+          datacenter: ""
+          # -- WaitTime limits how long a Watch will block. If not provided, the agent default
+          endpointWaitTime: 0
+          httpauth:
+            # -- Basic Auth password
+            password: ""
+            # -- Basic Auth username
+            username: ""
+          # -- The URI scheme for the Consul server
+          scheme: ""
+          tls:
+            # -- TLS CA
+            ca: ""
+            # -- TLS cert
+            cert: ""
+            # -- TLS insecure skip verify
+            insecureSkipVerify: false
+            # -- TLS key
+            key: ""
+          # -- Token is used to provide a per-request ACL token which overrides the agent's
+          token: ""
+        # -- Expose containers by default.
+        exposedByDefault: true
+        # -- Sets the namespaces used to discover services (Consul Enterprise only).
+        namespaces: ""
+        # -- Sets the partition used to discover services (Consul Enterprise only).
+        partition: ""
+        # -- Prefix for consul service tags.
+        prefix: "traefik"
+        # -- Interval for checking Consul API.
+        refreshInterval: 15
+        # -- Forces the read to be fully consistent.
+        requireConsistent: false
+        # -- Name of the Traefik service in Consul Catalog (needs to be registered via the
+        serviceName: "traefik"
+        # -- Use stale consistency for catalog reads.
+        stale: false
+        # -- A list of service health statuses to allow taking traffic.
+        strictChecks: "passing, warning"
+        # -- Watch Consul API events.
+        watch: false
+      microcks:
+        # -- Enable Microcks provider.
+        enabled: false
+        auth:
+          # -- Microcks API client ID.
+          clientId: ""
+          # -- Microcks API client secret.
+          clientSecret: ""
+          # -- Microcks API endpoint.
+          endpoint: ""
+          # -- Microcks API token.
+          token: ""
+        # -- Microcks API endpoint.
+        endpoint: ""
+        # -- Polling interval for Microcks API.
+        pollInterval: 30
+        # -- Polling timeout for Microcks API.
+        pollTimeout: 5
+        tls:
+          # -- TLS CA
+          ca: ""
+          # -- TLS cert
+          cert: ""
+          # -- TLS insecure skip verify
+          insecureSkipVerify: false
+          # -- TLS key
+          key: ""
+    redis:
+      # -- Enable Redis Cluster. Default: true.
+      cluster: # @schema type:[boolean, null]
+      # -- Database used to store information. Default: "0".
+      database: # @schema type:[string, null]
+      # -- Endpoints of the Redis instances to connect to. Default: "".
+      endpoints: ""
+      # -- The username to use when connecting to Redis endpoints. Default: "".
+      username: ""
+      # -- The password to use when connecting to Redis endpoints. Default: "".
+      password: ""
+      sentinel:
+        # -- Name of the set of main nodes to use for main selection. Required when using Sentinel. Default: "".
+        masterset: ""
+        # -- Username to use for sentinel authentication (can be different from endpoint username). Default: "".
+        username: ""
+        # -- Password to use for sentinel authentication (can be different from endpoint password). Default: "".
+        password: ""
+      # -- Timeout applied on connection with redis. Default: "0s".
+      timeout: ""
+      tls:
+        # -- Path to the certificate authority used for the secured connection.
+        ca: ""
+        # -- Path to the public certificate used for the secure connection.
+        cert: ""
+        # -- Path to the private key used for the secure connection.
+        key: ""
+        # -- When insecureSkipVerify is set to true, the TLS connection accepts any certificate presented by the server. Default: false.
+        insecureSkipVerify: false
+    # Enable export of error logs to the platform. Default: true.
+    sendlogs: # @schema type:[boolean, null]
+    tracing:
+      additionalTraceHeaders:
+        # -- Tracing headers to duplicate.
+        # To configure the following, tracing.otlp.enabled needs to be set to true.
+        # @default -- See below
+        enabled: false
+        traceContext:
+          # -- Name of the header that will contain the parent-id header copy.
+          parentId: ""
+          # -- Name of the header that will contain the trace-id copy.
+          traceId: ""
+          # -- Name of the header that will contain the traceparent copy.
+          traceParent: ""
+          # -- Name of the header that will contain the tracestate copy.
+          traceState: ""
+    # Define private plugin sources
+    pluginRegistry:
+      sources: {}
+  # -- Required for OCI Marketplace integration.
+  # See https://docs.public.content.oci.oraclecloud.com/en-us/iaas/Content/Marketplace/understanding-helm-charts.htm
+  # @default -- See _values.yaml_
+  oci_meta:
+    # -- Enable specific values for Oracle Cloud Infrastructure
+    enabled: false
+    # -- It needs to be an ocir repo
+    repo: traefik
+    images:
+      proxy:
+        image: traefik
+        tag: latest
+      hub:
+        image: traefik-hub
+        tag: latest
+  # -- Required for IBM Cloud Marketplace integration.
+  # Injected by IBM Cloud Catalog when deploying via IBM Cloud Schematics. This value is not used by the chart.
+  offering_version: "" # @schema type:[string, null]
+  # -- Allow the Helm chart to be used as optional subchart.
+  enabled: true # @schema type:boolean; const:true

 ## @skip zot
 zot:
@@ -4790,20 +4841,35 @@ zot:
   # Only enable this if you have security enabled on your cluster
   ingress:
     enabled: false
-    annotations: {}
     # nginx.ingress.kubernetes.io/use-regex: "true"
     # nginx.ingress.kubernetes.io/rewrite-target: /$1
-    className: "nginx"
+    annotations: {}
+    # kubernetes.io/ingress.class: nginx
+    # kubernetes.io/tls-acme: "true"
+    # If using nginx, disable body limits and increase read and write timeouts
+    # nginx.ingress.kubernetes.io/proxy-body-size: "0"
+    # nginx.ingress.kubernetes.io/proxy-read-timeout: "600"
+    # nginx.ingress.kubernetes.io/proxy-send-timeout: "600"
+    className: "traefik"
     pathtype: ImplementationSpecific
     hosts:
       - host: replace.with.your.domain.com
         paths:
-          - path: /zot/(.*)
+          - path: /zot
+            pathType: ImplementationSpecific
     tls: []
     #  - secretName: chart-example-tls
     #    hosts:
     #      - chart-example.local

+    # subpathIngress + ingress.enabled false: Mural renders templates/zot/ingress-subpath.yaml
+    # instead of the upstream Zot Ingress. The Traefik StripPrefix middleware reference must
+    # include the install namespace and mural release fullname (…-zot-stripprefix@kubernetescrd);
+    # that string is computed in the parent chart, not in static zot.ingress.annotations values,
+    # so we keep a small Mural Ingress that attaches the middleware and routes /zot to Zot.
+    subpathIngress:
+      enabled: true
+      matchAllHosts: false
     # If using path-based routing with a redirect, you must enable the domainProxy.
     # The host and ingress class names will be inferred from the ingress host name.
     # Note: Zot must own the base domain's /v2 route.
@@ -5004,7 +5070,7 @@ zot:
 ## @section dexIngress
 ## @param dexIngress.enabled Enable Dex ingress. Default is true.
 ## @param dexIngress.annotations Annotations to be added to the ingress.
-## @param dexIngress.className Ingress class name. Default is "nginx".
+## @param dexIngress.className Ingress class name. Default is "traefik".
 ## @param dexIngress.matchAllHosts Whether to match all hosts. Default is true. If true, the host field for each host is ignored.
 ## @param dexIngress.hosts[0].host Ingress host.
 ## @param dexIngress.hosts[0].paths[0].path Ingress path.
@@ -5013,7 +5079,7 @@ zot:
 dexIngress:
   enabled: true
   annotations: {}
-  className: "nginx"
+  className: "traefik"
   matchAllHosts: true
   hosts:
     - host: ""

Full Component Release Notes

The following table lists all changes made to core components in this PaletteAI release.

Component	Tag	Notes
brush	`brush/v0.5.13`	Other hue: use hue-apis version to v0.14.3 main: bump go to 1.26.1 main: bump hue-apis version in hue, brush
brush	`brush/v0.5.14`	Other main: bump fcc to 0.2.3
brush	`brush/v0.5.15`	Bug Fixes brush: get helm release secrets from api instead of mount Other hue: update YAML import path to use go.yaml.in/yaml/v3 main: upgrade from go1.26.1 to go1.26.2 Performance brush: use watches instead of timed reconciles in brush Dependency Updates deps: update docker/dockerfile docker tag to v1.23 deps: update kubernetes packages (kubernetes)
brush	`brush/v0.5.16`	Features brush: remove unused values; handle both ingress controllers during install
brush	`brush/v0.5.17`	Bug Fixes brush: propagate hub's `global.instanceName` to all spoke clusters Other hue: bump system PBs to `paletteai-profilebundles@v1.1.0` main: bump fcc to v0.2.4 Dependency Updates deps: update brush - other go dependencies (brush)
brush	`brush/v0.5.18-hotfix.0`	Automated hotfix GitHub release (monorepo tag; not created by release-please).
brush	`brush/v0.5.18`	Other main: bump to go 1.26.3
canvas	`canvas/v0.6.0`	⚠ BREAKING CHANGES hue: append type prefix to definitionrevision names Features canvas: add tooltips to new Compute Pool variable description and name columns canvas: canvas README, Cursor rule, and prettierignore cleanup canvas: clone specific version of workload profile from view page canvas: Compute Pool Resource Groups Day 2 canvas: day 2 node pool config canvas: Delete confirmation dialog with name check, delete failure warning canvas: Scaling policy cluster details and compute pool changes canvas: ProfileBundle import from tarball in UI canvas: read-only mode for ProfileBundle manager canvas: repository deletion warning when in use by deployments or compute pools canvas: require entering model deployment name to delete canvas: Workload Profile all versions table and version revisit Bug Fixes canvas: add name instead of using index to calculate the order for a worker pool canvas: add pbm variable input validation canvas: Add validation for host URL canvas: canvas cluster profile page navigation fix canvas: cluster details shows unknown intent canvas: Compute Pool wizard blocks on Profile Bundle selection when no DefinitionRevisions exist canvas: correctly delete Project from list and prevent going to page canvas: delete unused model canvas: failed and deleting compute pools can no longer be selected as existing canvas: Filter infra profiles in existing compute pool canvas: filter out falsy profilebundles canvas: fix profile bundle version dropdown in create compute pool wizard canvas: Fix review page version display canvas: Handle empty secret case in integration secret update canvas: load wlps from system and project ns when creating/editing/cloning PB canvas: override WorkloadProfile vars correctly from ProfileBundle vars canvas: persist WLP variables for infra-typed ProfileBundles on Compute Pool Day 2 Updates canvas: run Project deletion permission checks per Project canvas: server-side proxy for brand logos; clarify docs canvas: traits list cut off of WLP Builder component layer display main: airgap Zot timeout, deployment scripts overhaul, playwright tests Other canvas: Model Management V2 canvas: Remove profile bundle mappings from project creation step canvas: Remove canvas Stack component and use Gamut canvas: Remove duplicate Typography component and use Gamut Typography canvas: revert to prod node.js image canvas: scaling policy project settings canvas: Unify Deployment settings form canvas: Unify Metadata component across the app and remove redundant key value component canvas: update config-reloader sidecar to watch for dex config changes canvas: update gamut 0.12.1 canvas: Update UI for the whoami page canvas: upgrade Node to v25.8.1 canvas: use K8S_DEFAULT_NAMESPACE for branding and feature flag Refactoring canvas: PBM phase 1a: extend BundleSelectionDrawer canvas: PBM phase 1b: add minimap canvas: PBM phase 2: add priority drawer canvas: PBM phases 3-4: use PBM in app deployment canvas: Remove pill and use Badge component hue: append type prefix to definitionrevision names
canvas	`canvas/v0.6.1`	Bug Fixes canvas: fix PB display name being used during model setup canvas: preserve project settings on update canvas: Remove version from target workload and workloadprofileRef
canvas	`canvas/v0.6.2`	Features canvas: clone Project canvas: definition overview style + version revamp canvas: force-delete ComputePool with cascade to associated AIWorkloads canvas: Playwright e2e – mock server canvas: status column for ProfileBundle list view canvas: Tenant Project Settings Limits canvas: tenant settings ref tab canvas: Tenant Settings User Access Tab canvas: use TextArea for multiline vars Bug Fixes canvas: Correctly handle variables for NVIDIA NIM deployment canvas: cursor jumping to end of variable inputs canvas: filter layers & vars by PB variant then WLP type in PBM; normalize vars consistently canvas: generate WLDCs for WLPs from pinned wlpRefs; load & persist vars for the same correctly canvas: load workload profiles from the system ns canvas: omit infrastructure ProfileBundles, add application-type warning, and include type column canvas: update showvariabletypes in the computepool flow main: escape hash characters in GO_LDFLAGS shell expression mural: edge/profilebundle reliability, CI workflow, deploy debugging skill Other canvas: Add sectioned Menu component canvas: Move scaling policy to Node Config Refactoring canvas: use spec.deletionPolicy for AIWorkloads and Compute Pools
canvas	`canvas/v0.6.3`	Features canvas: base64/offline logo support canvas: derive deterministic addonvariant names for profile bundles canvas: enhanced support for Palette cluster profile variables; functional alignment canvas: link Compute Pool on app and model deployment overview canvas: Profile Bundle overview logo; import without tarball extraction canvas: revamp project overview page canvas: revision deletion for WorkloadProfiles and Definitions canvas: Update mock crs script to support scaling policies, add testrail sync to claude canvas: use profileBundleRef and addonVariantName in WLDCs Bug Fixes canvas: Access Control User Access wording canvas: block invalid profile combinations in profile bundle builder canvas: tables fill vertical space and keep header visible on scroll main: pin axios to unimpacted versions; fully disable renovate for npm Other canvas: Add support for header actions node config and move appliance configuration outside drawer Dependency Updates deps: update docker/dockerfile docker tag to v1.23 Refactoring canvas: remove limits step from Project creation wizard canvas: Use Profile Bundle Manager in compute pool creation
canvas	`canvas/v0.6.4`	Features canvas: (canvas only) deployment feature flags canvas: playwright for App/Model Deployment Feature Flags main: switch from ingress-nginx to traefik Bug Fixes canvas: do not persist masked integration secrets on save without re-entry canvas: GPU family as dropdown on resource limits and related flows canvas: remove tableRow minHeight canvas: Fix Variables step for workload profile refs with @ version suffix canvas: fix toaster when deleting bundle results in error canvas: update fleet overview card calculations Refactoring deploy: comprehensive deployment script restructure and pipeline separation
canvas	`canvas/v0.6.5`	Features canvas: autoscaling policies tenant settings tab skeleton, use sectioned tabs canvas: autoscaling policy table shared component canvas: project overview followup updates canvas: Tenant Settings Compute Tab Part 1 - Tenant Tab Bug Fixes canvas: clone custom model deployment – validation, steps, and pre-fill canvas: fix issue with status on the drawer canvas: fix priority label for workload profiles canvas: Playwright – GPU family dropdown on resource limits and related flows canvas: remove hardcoded mural-system namespace from canvas chart canvas: remove withPortal false from wlp version dropdown Other canvas: Fix UX inconsistencies canvas: Update project overview drawer to reuse generic filters
canvas	`canvas/v0.6.6`	Features canvas: add feature flagging to canvas via openfeature spec canvas: add node pool name and sequential logic canvas: attempt to fix 5 e2e tests canvas: auto-populate centre panel of definition editor when editing Components canvas: compute config foundation for tenant settings canvas: follow-up tests for compute config list and tenant compute config flows canvas: Tenant Autoscaling Tab Shared With Projects canvas: tenant settings autoscaling policies screen canvas: tenant settings Model as a Service screen Bug Fixes canvas: bump gamut to cover CVE deps in canvas canvas: malformed canvas chart values canvas: node pool name should be read only in edit flow canvas: quickfix to increase login input heights canvas: make inline counter badges actually inline canvas: sync workload profile variables with bundle variables on remove canvas: playwright failures canvas: remove redux and replace nanoid with crypto.randomUUID canvas: resolve context extensions while rendering definitions canvas: stop mangling CUE persisted by the UI editor canvas: update axios to 1.15.1 in canvas Other canvas: use integrations enabled from settings instead of project canvas: Tenant overview page
canvas	`canvas/v0.6.7`	Features canvas: add sharedStyle import canvas: compact form on in nodeconfig component canvas: filter dex connectors by matching request subdomain against connector ID canvas: MaaS mappings projects tab canvas: migrate Compute Config forms to use NodesConfig canvas: Tenant scoped Compute pool deployments canvas: remove storage and version from review screen canvas: Settings Ref tab tenant/project integration management canvas: tenant settings — per-project GPU limits canvas: Tenant Settings Style and Consistency canvas: Tenant settings Target Namespaces tab canvas: use nodesconfig in profile bundle requirement Bug Fixes canvas: add name to the aiwl flow canvas: do not throw /login redirect from k8smiddleware; use clientLogger for connector filtering warnings canvas: fix docs URL for model deployments canvas: fix e2e tests due to clientLogger canvas: fix partially sliced input borders during focus/error canvas: fix the variables table for long variable names canvas: redirect to login when session expires instead of throwing an error canvas: render the table even when no profile bundles are found canvas: rm Mural from canvas, update Profiles to Workload Profiles in wizard Other canvas: Add labels to AI workloads canvas: Refactor selection to use react table selection
canvas	`canvas/v0.6.8`	Docs canvas: document branding properly; align values.yaml
canvas	`canvas/v0.6.9-hotfix.0`	Automated hotfix GitHub release (monorepo tag; not created by release-please).
canvas	`canvas/v0.6.9`	Features canvas: Tenant settings Models List tab (tenant + project sub-tabs) Bug Fixes canvas: disable node pool name in PB and compute edit flow
hue	`hue/v0.12.0`	⚠ BREAKING CHANGES hue: Replace studio compositions with variants hue: append type prefix to definitionrevision names hue: Rename applicationProfile hue: Rename paletteProfile to clusterProfile Features hue: add clustervariant validation to aiworkload validating webhooks hue: Clear Versions with basic versioning hue: CLI studio dependencies support hue: CLI studio import populates registry overrides hue: CLI: package studio bundle hue: populate metricsLastObservedAt in ComputePoolEvaluation hue: populate the referencing computepools slice in the scalingpolicy status hue: Support profile bundle metadata Bug Fixes hue: add delete to project admin permissions hue: aiwl cp deletion logic hue: allocated node drift detection and correction hue: ensure condition messages from a WL gets synced to the WLD aggregated status field hue: ensure deterministic compute ordering hue: improve CPU/GPU Prometheus queries for scaling reliability hue: properly handle versioned traits in obj output parser hue: skip applying system defs if exist hue: Support relative paths in studio import hue: swap Palette pack type to oci if import fails with NotFound error hue: tidy scaling policy controller hue: update semver parsing logic to better handle defs with dotted names Other hue: block PB type changes hue: Cleanup old field from studio bundles hue: Move studio import command into own file hue: Rename applicationProfile hue: Rename paletteProfile to clusterProfile hue: use hue-apis version to v0.14.3 main: bump fcc to 0.2.2 main: bump go to 1.26.1 main: bump hue-apis version in hue, brush Docs main: clarify authn/authz; delete migrated mural content; optimize local dev Performance hue: avoid reconciling definitions and wlps on status changes hue: misc reconcilers optimizations Refactoring hue: append type prefix to definitionrevision names hue: move condition helper functions from hue-apis to hue hue: Remove unused field repositories hue: Replace studio compositions with variants hue: Simplify fs.FS implementation in CLI hue: Use json tags instead of yaml
hue	`hue/v0.12.1`	Bug Fixes hue: add mutating webhook config for policies, traits hue: skip applying existing defrevs on spoke; hydrate cache at startup Other hue: mv webhook_env_test_suite from hue/test to hue-apis/test
hue	`hue/v0.12.2`	Features hue: Add --version flag to CLI hue: Support annotations from studio bundles hue: update and consolidate tenant role assignment code Bug Fixes canvas: Correctly handle variables for NVIDIA NIM deployment hue: allow usage of variables defined inline in profilebundle hue: allow wld deletion when meta-reference wlp not found hue: block aiwl and computepool creation with invalid target workload metadata hue: block configuring scaling policy for single node cluster hue: compute pool day 2 operations trigger scaling cooldown hue: OCM and Flux do not manage namespaces if they already exist Other hue: move lables and annotations from hue-apis to hue Refactoring ci: Clean up cli makefile targets hue: prioritize new deletionPolicy field and fallback to existing deletionPolicy field
hue	`hue/v0.12.3`	Features hue: derive project settings by merging with tenant if both exist hue: studio import sets ProfileBundle.tags Bug Fixes hue: append exe suffix to windows binaries hue: garbage collect wl and wld oci artifacts on deletion of wl and wld hue: orphan workload namespace hue: prevent infra-WLPs in all AddonVariants; clarify segregation logic main: escape hash characters in GO_LDFLAGS shell expression Other hue: bump hue, test to hue-apis v0.14.8; fix broken import hue: bump paletteai-profilebundles to v1.0.2 hue: move tenant conditions and reasons from hue-apis to hue main: bump fcc to 0.2.3
hue	`hue/v0.12.4`	Features hue: add webhook validator to ensure shared variant cluster deployment configs are homogenous hue: dry-run support for WorkloadProfiles hue: enable revision deletion; block system resource ops hue: Import logo in ProfileBundle hue: Include deletionPolicy in studio import hue: Include version on studio import dry-run hue: modifies pb webhooks to auto-gen name and block duplicate wlps per variant hue: port extract-and-mirror.sh to pure Go `mirror` CLI command hue: set addonVariant names for profilebundles in the hue webhooks hue: support importing infra addons via CLI Bug Fixes hue: add cross project namespace prevention validation hue: add gc and validation logic for aiwl and cp wlds hue: adds strict wlp check before deploying wld hue: delete project ns on project deletion hue: determine overall failure from priorityPhases hue: fall back to loading objs by GVK + label when inventory is empty due to Flux SSA config hue: fix platform e2e flake hue: make audit log emission non-blocking hue: on explicit settings deletion, also delete secrets hue: properly handle merge patches when defaulting wldc name hue: resync dry-run & dispatched conditions after reset hue: typo in affinity cue template hue: update component definition status details to support imports in cue string expressions hue: use a palette-friendly label for tracking CPs Other hue: apply IgnoreStatusOnlyPredicate to all hue controllers hue: remove trailing whitespace from dry-run heading hue: update YAML import path to use go.yaml.in/yaml/v3 main: upgrade from go1.26.1 to go1.26.2 Performance brush: use watches instead of timed reconciles in brush Dependency Updates deps: update docker/dockerfile docker tag to v1.23 deps: update kubernetes packages (kubernetes) deps: update module google.golang.org/grpc to v1.80.0 (hue go-core) Refactoring hue: go fix ./hue/cli/studio* hue: Remove ProfileBundle.status from studio import hue: Simplify studio CLI serialization hue: use a more stable algorithm for generating WLD names
hue	`hue/v0.12.5`	Bug Fixes hue: add mural-cleanup sa as authorized user hue: dont delete protected project namespaces
hue	`hue/v0.12.6`	Features hue: add --archive option for `paletteai mirror export`, add `paletteai mirror export-pack`; refactor utils hue: extend RBAC package to support upserting tenant-view RBAC resources per Project + GVK Bug Fixes hue: add tenant crd and tenant ns scope and labels hue: align OCI manifest w/ known working OCI Pack; always gzip Pack archives; add flag to skip pack upload hue: allow PB deletion to proceed when Palette integration is missing hue: new palette sdk that redacts api keys hue: preserve Deleting phase in ParseStep to unblock spoke workload deletion hue: project chain resources apply scope and owner hue: revert docker hostname alias stripping; preserve images as-is hue: scope constants and applying scope helper hue: VerifyAllWlpsAreUsed method by using a key that is unique to each pb hue: wait for palette cluster to be deleted before marking the computepool as deleted Other main: read OCI registry from .env for hue's devspace and canvas's local dev setup Performance hue: cache last-known push hash to prevent excessive writes hue: revert adding ignoreStatus predicates to WL/WLD controllers Dependency Updates deps: update golang.org/x/exp digest to 746e56f (hue go-core) Refactoring hue: move AIWorkload & ProfileBundle condition types/reasons into hue; deal with struct renames
hue	`hue/v0.12.7`	Features hue: add export-image command, --extra-image flag for mirror export / sync; refactor to reduce cyclomatic complexity hue: add RBAC steps to controllers for all shareable resources hue: add system-scoped ConfigMaps for default RBAC policies hue: clone RBAC template ConfigMaps from system to tenant ns hue: optional ns overrides for all Flux components hue: Project controller: consume RBAC template ConfigMaps from Tenant ns; watch them for updates Bug Fixes hue: Allow compute deletion with ComputePools hue: allow multiple VIPs for shared cluster
hue	`hue/v0.12.8`	Features hue: add system outputs for names: project/tenant, hub instance, and spoke cluster hue: adds ability to rerun failed migrations using pai cli hue: implements per project GPU limits and quota isolation between tenant and project ComputePools Bug Fixes hue: add CR/CRB watches and handle role ref changes in project controller hue: add ensure labels step to all controllers hue: adds migration details to configmap and pai cli migrate cmd hue: allow dry-run validation of Workloads on pure hubs hue: always use local defs during dry-run, regardless of version hue: apply project & tenant labels to project-scoped resources; patch pre-existing project namespaces hue: Create compute with invalid settings hue: fix hue platform e2e flake hue: handle default namespace in ResolveNamespaceScope hue: load feature flags for CLI commands w/ read-only perms; extend OOTB RBAC to provide ff cm reads for all users hue: migration logic for aiwl and cp wldcs and adds integration tests hue: prune inapplicable wldc conds hue: reorder and rename migrations and tests based on time enabled hue: scope cluster profile variables per profile hue: tenant admission configuration defaulting and validation hue: use spans slog package for migration code Other hue: bump paletteai-profilebundles to v1.1.1 hue: bump system PBs to `paletteai-profilebundles@v1.1.0` main: bump fcc to v0.2.4 Performance hue: immediate requeues for all appropriate errors Dependency Updates deps: update hue - other go dependencies (hue) (major) deps: update module go.uber.org/zap to v1.28.0 (hue go-core) deps: update module google.golang.org/grpc to v1.81.0 (hue go-core) deps: update module helm.sh/helm/v3 to v3.20.2
hue	`hue/v0.12.9`	Features hue: add support for ComputePools on the tenant hue: add variableset step to tenant controller hue: augment all webhook errors with resource metadata hue: leverage tenant admission config for tenant wls hue: settings sharedWithProjects and locking implementation hue: Tenant ComputeConfig: defaulting, migration, check_computeconfig step hue: tenant scoped ProfileBundle support hue: tenant-wide Palette Settings dedup Bug Fixes hue: add audit logging to AIWL webhooks hue: set WLP ns in OAM ctx when validating WLD deletion hue: verify definition versions on PRs and bump all definition patch versions Other main: bump to go 1.26.3
hue	`hue/v0.12.10`	Features hue: add model_policy_step and an ModelInPolicy condition to AIWorkload hue: add support for tenant scoped AIWorkloads hue: enable drift detection by default for the HelmRelease component Bug Fixes hue: block WorkloadDeployment until WorkloadProfiles are synced hue: hash Palette cluster variables; sync when spec drifts
hue	`hue/v0.12.11`	Bug Fixes hue: add conditions for when ensure scope labels fails hue: force apply ProfileBundles on import hue: settings sharing is respected when project settings doesnt exist Other hue: bump paletteai-profilebundles to v1.3.0
hue	`hue/v0.12.12-hotfix.0`	Automated hotfix GitHub release (monorepo tag; not created by release-please). Includes paletteai CLI binaries.
hue	`hue/v0.12.12`	Bug Fixes hue: ensure all necessary ComputePool conditions for Palette-deployed clusters; track child resource deletion in PB delete step; allow defrev GC by ns controller
mural-crds	`mural-crds/v0.7.0`	⚠ BREAKING CHANGES hue: remove openai integration Bug Fixes hue: remove openai integration hue: spoke project defaulting disabled Other hue-apis: add AGE printcolumn and normalize names to UPPER_SNAKE_CASE
mural-crds	`mural-crds/v0.7.1`	Features hue-apis: update metricsLastObservedAt structure in computePoolEvaluation hue-apis: update scaling policy status to include list of computePools that reference it Other canvas: Model Management V2 hue-apis: tidy scaling policy related APIs main: bump go to 1.26.1
mural-crds	`mural-crds/v0.7.2`	Features api: Add ProfileBundle.spec.tags field hue-apis: add effective settings to setting status hue-apis: Add ProfileBundle.spec.logo hue: multiline variable flag Refactoring hue: mv deletionPolicy field from clusterVariants to spec of aiwl and cp
mural-crds	`mural-crds/v0.7.3`	Features hue-apis: add optional wldc name field hue-apis: add SharedWithProjects for AIWorkload, ComputePool, and ProfileBundle hue-apis: add SharedWithProjects for ComputeConfig & ScalingPolicy hue-apis: add tenant GPU reservations, per-project GPU limits, and oversubscription tracking to the tenant API hue: add optional 'Name' field to profilebundle 'AddonVariant' struct mural-crds: include Gateway API CRDs in chart; ship CRDs as minified JSON mural-crds: include Gateway API CRDs in mural-crds chart and in apis crds/ Bug Fixes hue-apis: add 'addonVariantName' and 'profileBundleRef' fields to WorkloadDeploymentConfigs struct Other main: Revert "feat(mural-crds): include Gateway API CRDs in chart; ship CRDs as minified JSON" Dependency Updates deps: update kubernetes packages (kubernetes)
mural-crds	`mural-crds/v0.7.4`	Features hue-apis: add Conditions to ComputeConfig status; add global condition types/reasons main: switch from ingress-nginx to traefik
mural-crds	`mural-crds/v0.7.5`	Features hue-apis: add systemOutputs to Workload status, additional systemOutput consts hue-apis: sharedWithProjects + locking for settings and modelSettings hue-apis: tenant admission configuration for tenant scope deployments hue-apis: tenant model settings and override capabilities, project effective model settings Other hue-apis: clarify effectiveMeta locking mechanism
mural-crds	`mural-crds/v0.7.6`	Features hue-apis: aiwl deployed model settings hash and inPolicy conditions hue: add ClusterProfileVariablesHash to PaletteClusterStatus hue: add ComputeConfigRef to Tenant spec; update Tenant-scoped deployments RFC
mural-crds	`mural-crds/v0.7.7`	Other hue-apis: remove unused APIs from AIWL
mural-crds	`mural-crds/v0.7.8-hotfix.0`	Automated hotfix GitHub release (monorepo tag; not created by release-please).
mural-crds	`mural-crds/v0.7.8`	Features hue-apis: Add Unknown to ComputePool status

Summary​

Breaking Changes​

Upgrade Notes​

Non-GitOps​

GitOps​

Upgrade Steps​

Features​

Improvements​

Bug fixes​

Component versions​

Mural Helm values​

Full Component Release Notes​

Other

Other

Bug Fixes

Other

Performance

Dependency Updates

Features

Bug Fixes

Other

Dependency Updates

Other

⚠ BREAKING CHANGES

Features

Bug Fixes

Other

Refactoring

Bug Fixes

Features

Bug Fixes

Other

Refactoring

Features

Bug Fixes

Other

Dependency Updates

Refactoring

Features

Bug Fixes

Refactoring

Features

Bug Fixes

Other

Features

Bug Fixes

Other

Features

Bug Fixes

Other

Docs

Features

Bug Fixes

⚠ BREAKING CHANGES

Features

Bug Fixes

Other

Docs

Performance

Refactoring

Bug Fixes

Other

Features

Bug Fixes

Other

Refactoring

Features

Bug Fixes

Other

Features

Bug Fixes

Other

Performance

Dependency Updates

Refactoring

Bug Fixes

Features

Bug Fixes

Other

Performance

Summary

Breaking Changes

Upgrade Notes

Non-GitOps

GitOps

Upgrade Steps

Features

Improvements

Bug fixes

Component versions

Mural Helm values

Full Component Release Notes