diff --git a/.editorconfig b/.editorconfig
new file mode 100644
index 0000000..8cd1beb
--- /dev/null
+++ b/.editorconfig
@@ -0,0 +1,3 @@
+[*]
+indent_style=space
+indent_size=2
diff --git a/Chart.yaml b/Chart.yaml
index 04df389..38b28ec 100644
--- a/Chart.yaml
+++ b/Chart.yaml
@@ -4,7 +4,7 @@ type: application
 
 # Chart version is set automatically as part of the release process
 version: 0.0.0
-appVersion: 2.4.1
+appVersion: 2.4.3
 
 dependencies:
   - name: postgresql
diff --git a/README.md b/README.md
index da31f77..5a3fb60 100644
--- a/README.md
+++ b/README.md
@@ -1,8 +1,148 @@
 # Jitsu Helm Chart
-:warning: **This chart is under development and may receive breaking changes at any time.**
+
+## TL;DR
+```bash
+helm install jitsu oci://registry-1.docker.io/stafftasticcharts/jitsu -f-<<EOF
+ingress:
+  host: "jitsu.example.com"
+console:
+  config:
+    seedUserEmail: "me@example.com"
+    seedUserPassword: "changeMe"
+EOF
+```
+
+For a production deployment it is recommended to read through `values.yaml` and make conscious
+decisions in order to ensure the deployment is secure, reliable and scalable.
+
+## Basic Configuration
+`values.yaml`:
+```yaml
+postgresql:
+  auth:
+    password: "changeMe"
+mongodb:
+  auth:
+    passwords: ["changeMe"]
+redis:
+  auth:
+    password: "changeMe"
+
+ingress:
+  className: "nginx"
+  annotations:
+    cert-manager.io/cluster-issuer: "letsencrypt"
+  host: "jitsu.example.com"
+  tls: true
+
+console:
+  config:
+    # Populate with GitHub OAuth client credentials
+    githubClientId: "..."
+    githubClientSecret: "..."
+```
+
+Once you have logged in, set `console.config.disableSignup` to `true` to prevent anyone with a
+GitHub account from using your instance.
+
+See [values.yaml](values.yaml) for more configuration options.
 
 ## Dependencies
+This chart deploys the following dependencies by default in order to provide an easy out-of-the-box
+experience, however for production it is recommended you deploy these separately:
+
 * Postgres
 * Redis
 * Kafka
 * MongoDB
+
+In order to use your own instances of these, disable them in with their respective options:
+```yaml
+postgresql:
+  enabled: false
+redis:
+  enabled: false
+kafka:
+  enabled: false
+mongodb:
+  enabled: false
+```
+
+Then supply the connection details in the `config` section (or specifically per service):
+```yaml
+config:
+  databaseUrl: "postgres://..."
+  redisUrl: "redis://..."
+  kafkaBootstrapServers: "kafka:9092,..."
+  mongodbUrl: "mongodb://..."
+```
+
+## Configuration Options
+The individual services' configuration corresponds to the environment variables they accept. For
+services where every environment variable is prefixed with the service name, the prefix is stripped,
+otherwise the keys are naïvely converted to camel case, with each letter that would follow an
+underscore capitalized.
+
+Some values, in particular those that contain sensitive information or connection information, also
+allow you to reference a secret or configmap. In `values.yaml` these are suffixed with `From`. E.g.
+to read the database URL (`config.databaseUrl`) from a secret, set it as you would an environment
+variable:
+
+```yaml
+config:
+  databaseUrlFrom:
+    secretKeyRef:
+      name: database-secret-name
+      key: database-url-key
+```
+
+For the full list of variables that support this syntax, see `values.yaml`.
+
+Many of the configuration values will be set automatically when left empty, such as connection
+parameters for services deployed by the subcharts, tokens and URLs for inter-service communication
+and values that can be directly derived from other values. When this is the case it is noted in the
+comments above the value. Links are also provided to relevant upstream documentation.
+
+Some configuration values contain structured data. For these you can either specify them as a string
+as you would in an environment variable, or as a dict that will be converted to the appropriate
+string representation by the chart.
+
+One notable example of this, and the only exception to the 1:1 mapping of environment variables to
+camel cased keys, is the `bulker.config.destination` value. The Bulker takes an arbitrary number of
+destination environment variables in the form of `BULKER_DESTINATION_*`. These are represented in
+`values.yaml` as a dict of either strings or dicts.
+
+Example:
+
+```yaml
+bulker:
+  config:
+    destination:
+      postgres:
+        id: postgres
+      s3: '{"id":"s3"}'
+```
+
+Becomes:
+
+```bash
+BULKER_DESTINATION_POSTGRES='{"id":"postgres"}'
+BULKER_DESTINATION_S3='{"id":"s3"}'
+```
+
+If you prefer to configure one or more services manually through the environment, you can disable
+the configuration abstractions by setting `config.enabled` to `false`, either at the top-level or
+service-level.
+
+## Inter-Service Authentication
+The different Jitsu services communicate with each other using tokens and corresponding salted
+hashes to verify. These can be managed manually, however by default they are generated by a job and
+stored in a secret. Each service then gets access to the tokens they need through the environment.
+
+In order to disable this, set `tokenGenerator.enabled` to `false` and supply the tokens manually.
+
+## Running Connectors in a Different Namespace
+By default syncctl runs connectors in the same namespace as the rest of the Jitsu services. If you
+wish to run these ephemeral and to some degree user-controlled workloads in a separate namespace you
+can set `syncctl.config.kubernetesNamespace` to the desired namespace, and the chart will create the
+namespace, service proxies for the bulker and databse, and the necessary RBAC resources for you.
diff --git a/templates/NOTES.txt b/templates/NOTES.txt
new file mode 100644
index 0000000..3139d83
--- /dev/null
+++ b/templates/NOTES.txt
@@ -0,0 +1,23 @@
+{{- $warned := false }}
+{{- define "jitsu.warn-default-password" }}
+{{- printf "\033[1;31m" -}}
+WARNING: You are using the default password for {{ . }}.
+{{ printf "\033[0m" -}}
+{{- end }}
+{{- if and .Values.redis.enabled (eq .Values.redis.auth.password "jitsu") }}
+{{- $warned = true }}
+{{- include "jitsu.warn-default-password" "Redis" }}
+{{- end }}
+{{- if and .Values.postgresql.enabled (eq .Values.postgresql.auth.password "jitsu") }}
+{{- $warned = true }}
+{{- include "jitsu.warn-default-password" "PostgreSQL" }}
+{{- end }}
+{{- if and .Values.mongodb.enabled (eq (index .Values.mongodb.auth.passwords 0) "jitsu") }}
+{{- $warned = true }}
+{{- include "jitsu.warn-default-password" "MongoDB" }}
+{{- end }}
+{{- if $warned }}
+{{- printf "\033[1;32m" -}}
+For production use, change the passwords in values.yaml.
+{{- printf "\033[0m" -}}
+{{- end }}
diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl
index 6a333fe..3320823 100644
--- a/templates/_helpers.tpl
+++ b/templates/_helpers.tpl
@@ -60,3 +60,60 @@ Create the name of the service account to use
 {{- default "default" .Values.serviceAccount.name }}
 {{- end }}
 {{- end }}
+
+{{- define "jitsu.publicUrl" }}
+{{- if .Values.ingress.enabled }}
+{{- printf "http%s://%s%s"
+  (.Values.ingress.tls | ternary "s" "")
+  .Values.ingress.host
+  (not .Values.ingress.port | ternary "" (printf ":%s" .Values.ingress.port))
+-}}
+{{- end }}
+{{- end }}
+
+{{- define "jitsu.databaseUrl" -}}
+{{- if and (not .Values.config.databaseUrl) .Values.postgresql.enabled }}
+{{- with $.Values.postgresql.auth -}}
+{{ printf "postgres://%s:%s@%s:%d/%s?schema=newjitsu"
+  .username
+  .password
+  (printf "%s-postgresql" $.Release.Name)
+  5432
+  .database
+}}
+{{- end }}
+{{- else -}}
+{{ .Values.config.databaseUrl }}
+{{- end }}
+{{- end }}
+
+{{- define "jitsu.redisUrl" -}}
+{{- if and (not .Values.config.redisUrl) .Values.redis.enabled }}
+{{- with $.Values.redis -}}
+{{ printf "redis://:%s@%s:%d"
+  .auth.password
+  (printf "%s-redis-master" $.Release.Name)
+  6379
+}}
+{{- end }}
+{{- else -}}
+{{ .Values.config.redisUrl }}
+{{- end }}
+{{- end }}
+
+{{- define "jitsu.mongodbUrl" -}}
+{{- if and (not .Values.config.mongodbUrl) .Values.mongodb.enabled }}
+{{- with $.Values.mongodb.auth -}}
+{{ printf "mongodb://%s:%s@%s:%d/%s?authSource=%s"
+  (index .usernames 0)
+  (index .passwords 0)
+  (printf "%s-mongodb" $.Release.Name)
+  27017
+  (index .databases 0)
+  (index .databases 0)
+}}
+{{- end }}
+{{- else -}}
+{{ .Values.config.mongodbUrl }}
+{{- end }}
+{{- end }}
diff --git a/templates/bulker/_helpers.tpl b/templates/bulker/_helpers.tpl
index ba9e5cf..0b1f6eb 100644
--- a/templates/bulker/_helpers.tpl
+++ b/templates/bulker/_helpers.tpl
@@ -4,3 +4,223 @@ Bulker selector labels
 {{- define "jitsu.bulker.selectorLabels" -}}
 app.kubernetes.io/component: bulker
 {{- end }}
+
+{{- define "jitsu.bulker.env" -}}
+{{- with .Values.bulker.config }}
+- name: BULKER_INSTANCE_ID
+  value: {{ .instanceId | quote }}
+
+
+{{- if or .redisUrlFrom $.Values.config.redisUrlFrom }}
+- name: BULKER_REDIS_URL
+  valueFrom:
+    {{- toYaml (.redisUrlFrom | default $.Values.config.redisUrlFrom) | nindent 4 }}
+{{- else }}
+- name: BULKER_REDIS_URL
+  value: {{ .redisUrl | default (include "jitsu.redisUrl" $) | quote }}
+{{- end }}
+
+{{- if and (not .configSource) $.Values.console.enabled $.Values.tokenGenerator.enabled }}
+- name: BULKER_CONFIG_SOURCE
+  value: {{ printf "http://%s-console:%d/api/admin/export/bulker-connections"
+    (include "jitsu.fullname" $)
+    (int $.Values.console.service.port)
+  | quote }}
+{{- end }}
+{{- with .configSource }}
+- name: BULKER_CONFIG_SOURCE
+  value: {{ . | quote }}
+{{- end }}
+
+{{- if .configSourceHttpAuthTokenFrom }}
+- name: BULKER_CONFIG_SOURCE_HTTP_AUTH_TOKEN
+  valueFrom:
+    {{- toYaml .configSourceHttpAuthTokenFrom | nindent 4 }}
+{{- else }}
+{{- if and (not .configSourceHttpAuthToken) $.Values.console.enabled $.Values.tokenGenerator.enabled }}
+- name: BULKER_CONFIG_SOURCE_HTTP_AUTH_TOKEN
+  valueFrom:
+    secretKeyRef:
+      name: {{ include "jitsu.fullname" $ }}-tokens
+      key: consoleAuthToken
+{{- end }}
+{{- with .configSourceHttpAuthToken }}
+- name: BULKER_CONFIG_SOURCE_HTTP_AUTH_TOKEN
+  value: {{ . | quote }}
+{{- end }}
+{{- end }}
+
+{{- with .configRefreshPeriodSec }}
+- name: BULKER_CONFIG_REFRESH_PERIOD_SEC
+  value: {{ . | quote }}
+{{- end }}
+
+{{- range $k, $v := .destination }}
+- name: {{ printf "BULKER_DESTINATION_%s" (upper $k) | quote }}
+  {{- if kindIs "string" $v }}
+  value: {{ $v | quote }}
+  {{- else }}
+  value: {{ toJson $v | quote }}
+  {{- end }}
+{{- end }}
+
+{{- if .authTokensFrom }}
+- name: BULKER_AUTH_TOKENS
+  valueFrom:
+    {{- toYaml .authTokensFrom | nindent 4 }}
+{{- else }}
+{{- if and (not .authTokens) $.Values.tokenGenerator.enabled }}
+- name: BULKER_AUTH_TOKENS
+  valueFrom:
+    secretKeyRef:
+      name: {{ include "jitsu.fullname" $ }}-tokens
+      key: bulkerAuthTokens
+{{- end }}
+{{- with .authTokens}}
+- name: BULKER_AUTH_TOKENS
+  value: {{ . | quote }}
+{{- end }}
+{{- end }}
+
+{{- if .tokenSecretFrom }}
+- name: BULKER_TOKEN_SECRET
+  valueFrom:
+    {{- toYaml .tokenSecretFrom | nindent 4 }}
+{{- else }}
+{{- if and (not .tokenSecret) $.Values.tokenGenerator.enabled }}
+- name: BULKER_TOKEN_SECRET
+  valueFrom:
+    secretKeyRef:
+      name: {{ include "jitsu.fullname" $ }}-tokens
+      key: bulkerTokenSecret
+{{- end }}
+{{- with .tokenSecret }}
+- name: BULKER_TOKEN_SECRET
+  value: {{ . | quote }}
+{{- end }}
+{{- end }}
+
+{{- if .rawAuthTokensFrom }}
+- name: BULKER_RAW_AUTH_TOKENS
+  valueFrom:
+    {{- toYaml .rawAuthTokensFrom | nindent 4 }}
+{{- else }}
+{{- with .rawAuthTokens }}
+- name: BULKER_RAW_AUTH_TOKENS
+  value: {{ . | quote }}
+{{- end }}
+{{- end }}
+
+{{- if or .globalHashSecretFrom $.Values.config.globalHashSecretFrom }}
+- name: GLOBAL_HASH_SECRET
+  valueFrom:
+    {{- toYaml (.globalHashSecretFrom | default $.Values.config.globalHashSecretFrom) | nindent 4 }}
+{{- else }}
+{{- if and (not .globalHashSecret) (not $.Values.config.globalHashSecret) $.Values.tokenGenerator.enabled }}
+- name: BULKER_GLOBAL_HASH_SECRET
+  valueFrom:
+    secretKeyRef:
+      name: {{ include "jitsu.fullname" $ }}-tokens
+      key: globalHashSecret
+{{- end }}
+{{- with (.globalHashSecret | default $.Values.config.globalHashSecret) }}
+- name: GLOBAL_HASH_SECRET
+  value: {{ . | quote }}
+{{- end }}
+{{- end }}
+
+{{- with .eventsLogMaxSize }}
+- name: BULKER_EVENTS_LOG_MAX_SIZE
+  value: {{ . | quote }}
+{{- end }}
+
+{{- if and (not .kafkaBootstrapServers) (not $.Values.config.kafkaBootstrapServers) $.Values.kafka.enabled }}
+- name: BULKER_KAFKA_BOOTSTRAP_SERVERS
+  value: "{{ $.Release.Name }}-kafka:9092"
+{{- end }}
+{{- with (.kafkaBootstrapServers | default $.Values.config.kafkaBootstrapServers) }}
+- name: BULKER_KAFKA_BOOTSTRAP_SERVERS
+  value: {{ . | quote }}
+{{- end }}
+
+{{- with (.kafkaSsl | default $.Values.config.kafkaSsl) }}
+- name: BULKER_KAFKA_SSL
+  value: {{ . | quote }}
+{{- end }}
+
+{{- with .kafkaSslSkipVerify }}
+- name: BULKER_KAFKA_SSL_SKIP_VERIFY
+  value: {{ . | quote }}
+{{- end }}
+
+{{- if or .kafkaSaslFrom $.Values.config.kafkaSaslFrom }}
+- name: BULKER_KAFKA_SASL
+  valueFrom:
+    {{- toYaml (.kafkaSaslFrom | default $.Values.config.kafkaSaslFrom) | nindent 4 }}
+{{- else }}
+{{- with (.kafkaSasl | default $.Values.config.kafkaSasl) }}
+- name: BULKER_KAFKA_SASL
+  {{- if kindIs "string" . }}
+  value: {{ . | quote }}
+  {{- else }}
+  value: {{ toJson . | quote }}
+  {{- end }}
+{{- end }}
+{{- end }}
+
+{{- with .batchRunnerDefaultPeriodSec }}
+- name: BULKER_BATCH_RUNNER_DEFAULT_PERIOD_SEC
+  value: {{ . | quote }}
+{{- end }}
+
+{{- with .batchRunnerDefaultBatchSize }}
+- name: BULKER_BATCH_RUNNER_DEFAULT_BATCH_SIZE
+  value: {{ . | quote }}
+{{- end }}
+
+{{- with .batchRunnerDefaultRetryPeriodSec }}
+- name: BULKER_BATCH_RUNNER_DEFAULT_RETRY_PERIOD_SEC
+  value: {{ . | quote }}
+{{- end }}
+
+{{- with .batchRunnerDefaultRetryBatchSize }}
+- name: BULKER_BATCH_RUNNER_DEFAULT_RETRY_BATCH_SIZE
+  value: {{ . | quote }}
+{{- end }}
+
+{{- with .messagesRetryCount }}
+- name: BULKER_MESSAGES_RETRY_COUNT
+  value: {{ . | quote }}
+{{- end }}
+
+{{- with .messagesRetryBackoffBase }}
+- name: BULKER_MESSAGES_RETRY_BACKOFF_BASE
+  value: {{ . | quote }}
+{{- end }}
+
+{{- with .messagesRetryBackoffMaxDelay }}
+- name: BULKER_MESSAGES_RETRY_BACKOFF_MAX_DELAY
+  value: {{ . | quote }}
+{{- end }}
+
+{{- with .kafkaTopicRetentionHours }}
+- name: BULKER_KAFKA_TOPIC_RETENTION_HOURS
+  value: {{ . | quote }}
+{{- end }}
+
+{{- with .kafkaRetryTopicRetentionHours }}
+- name: BULKER_KAFKA_RETRY_TOPIC_RETENTION_HOURS
+  value: {{ . | quote }}
+{{- end }}
+
+{{- with .kafkaDeadTopicRetentionHours }}
+- name: BULKER_KAFKA_DEAD_TOPIC_RETENTION_HOURS
+  value: {{ . | quote }}
+{{- end }}
+
+{{- with .kafkaTopicReplicationFactor }}
+- name: BULKER_KAFKA_TOPIC_REPLICATION_FACTOR
+  value: {{ . | quote }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/templates/bulker/deployment.yaml b/templates/bulker/deployment.yaml
index 3f3aa6f..2f8bfca 100644
--- a/templates/bulker/deployment.yaml
+++ b/templates/bulker/deployment.yaml
@@ -34,6 +34,32 @@ spec:
       serviceAccountName: {{ include "jitsu.serviceAccountName" . }}
       securityContext:
         {{- toYaml .Values.podSecurityContext | nindent 8 }}
+      initContainers:
+        {{- if .Values.tokenGenerator.enabled }}
+        - name: wait-for-tokens
+          image: ghcr.io/groundnuty/k8s-wait-for:v2.0
+          args: ["job-wr", "{{ include "jitsu.fullname" . }}-token-generator-{{ sha1sum (toJson .Values) | substr 0 8 }}"]
+        {{- end }}
+        {{- if .Values.redis.enabled }}
+        - name: wait-for-redis
+          image: ghcr.io/groundnuty/k8s-wait-for:v2.0
+          args: ["service", "{{ .Release.Name }}-redis-master"]
+        {{- end }}
+        {{- if .Values.kafka.enabled }}
+        - name: wait-for-kafka
+          image: ghcr.io/groundnuty/k8s-wait-for:v2.0
+          args: ["service", "{{ .Release.Name }}-kafka"]
+        {{- end }}
+        {{- if .Values.migration.enabled }}
+        - name: wait-for-migration
+          image: ghcr.io/groundnuty/k8s-wait-for:v2.0
+          args: ["job-wr", "{{ include "jitsu.fullname" . }}-migration-{{ sha1sum (toJson .Values) | substr 0 8 }}"]
+        {{- end }}
+        {{- if .Values.console.enabled }}
+        - name: wait-for-console
+          image: ghcr.io/groundnuty/k8s-wait-for:v2.0
+          args: ["service", "{{ include "jitsu.fullname" . }}-console"]
+        {{- end }}
       containers:
         - name: {{ .Chart.Name }}
           securityContext:
@@ -54,11 +80,16 @@ spec:
               port: http
               path: /ready
           {{- end }}
+          {{- if .Values.bulker.envFrom }}
+          envFrom:
+            {{- toYaml .Values.bulker.envFrom | nindent 12 }}
+          {{- end }}
           env:
-            {{- $env := merge (deepCopy .Values.bulker.environment) .Values.jitsu.environment -}}
-            {{- range $k, $v := $env }}
-              - name: {{ $k | quote }}
-                {{- toYaml $v | nindent 16 }}
+            {{- if and .Values.config.enabled .Values.bulker.config.enabled }}
+            {{- include "jitsu.bulker.env" . | nindent 12 }}
+            {{- end }}
+            {{- with .Values.bulker.env }}
+            {{- toYaml . | nindent 12 }}
             {{- end }}
           resources:
             {{- toYaml .Values.resources | nindent 12 }}
diff --git a/templates/console/_helpers.tpl b/templates/console/_helpers.tpl
index e2cb0b6..0daddda 100644
--- a/templates/console/_helpers.tpl
+++ b/templates/console/_helpers.tpl
@@ -4,3 +4,287 @@ Console selector labels
 {{- define "jitsu.console.selectorLabels" -}}
 app.kubernetes.io/component: console
 {{- end }}
+
+{{- define "jitsu.console.env" -}}
+{{- with .Values.console.config -}}
+- name: JITSU_PUBLIC_URL
+  value: {{ .jitsuPublicUrl | default (include "jitsu.publicUrl" $) | quote }}
+- name: NEXTAUTH_URL
+  value: {{ .nextauthUrl | default .jitsuPublicUrl | default (include "jitsu.publicUrl" $) | quote }}
+- name: NEXTAUTH_URL_INTERNAL
+  value: {{ .nextauthUrlInternal | default (printf "http://%s-console:%d" (include "jitsu.fullname" $) (int $.Values.console.service.port)) | quote }}
+- name: JITSU_INGEST_PUBLIC_URL
+  value: {{ .jitsuIngestPublicUrl | default (include "jitsu.publicUrl" $) | quote }}
+
+{{- if or .databaseUrlFrom $.Values.config.databaseUrlFrom }}
+- name: DATABASE_URL
+  valueFrom:
+    {{- toYaml (.databaseUrlFrom | default $.Values.config.databaseUrlFrom) | nindent 4 }}
+{{- else }}
+- name: DATABASE_URL
+  value: {{ .databaseUrl | default (include "jitsu.databaseUrl" $) | quote }}
+{{- end }}
+
+{{- if and (not .bulkerUrl) (not $.Values.config.bulkerUrl) $.Values.bulker.enabled }}
+- name: BULKER_URL
+  value: {{ printf "http://%s-bulker:%d" (include "jitsu.fullname" $) (int $.Values.bulker.service.port) | quote }}
+{{- end }}
+{{- with (.bulkerUrl | default $.Values.config.bulkerUrl) }}
+- name: BULKER_URL
+  value: {{ . | quote }}
+{{- end }}
+
+{{- if .bulkerAuthKeyFrom }}
+- name: BULKER_AUTH_KEY
+  valueFrom:
+    {{- toYaml .bulkerAuthKeyFrom | nindent 4 }}
+{{- else }}
+{{- if and (not .bulkerAuthKey) $.Values.bulker.enabled $.Values.tokenGenerator.enabled }}
+- name: BULKER_AUTH_KEY
+  valueFrom:
+    secretKeyRef:
+      name: {{ include "jitsu.fullname" $ }}-tokens
+      key: bulkerAuthToken
+{{- end }}
+{{- with .bulkerAuthKey }}
+- name: BULKER_AUTH_KEY
+  value: {{ . | quote }}
+{{- end }}
+{{- end }}
+
+{{- if and (not .rotorUrl) (not $.Values.config.rotorUrl) $.Values.rotor.enabled }}
+- name: ROTOR_URL
+  value: {{ printf "http://%s-rotor:%d" (include "jitsu.fullname" $) (int $.Values.rotor.service.port) | quote }}
+{{- end }}
+{{- with (.rotorUrl | default $.Values.config.rotorUrl) }}
+- name: ROTOR_URL
+  value: {{ . | quote }}
+{{- end }}
+
+{{- if and (not .ingestHost) (not $.Values.config.ingestHost) $.Values.ingest.enabled }}
+- name: INGEST_HOST
+  value: {{ $.Values.ingest.config.dataDomain | default (printf "%s-ingest" (include "jitsu.fullname" $)) | quote }}
+{{- end }}
+{{- with (.ingestHost | default $.Values.config.ingestHost) }}
+- name: INGEST_HOST
+  value: {{ . | quote }}
+{{- end }}
+
+{{- if and (not .ingestPort) (not $.Values.config.ingestPort) $.Values.ingest.enabled }}
+- name: INGEST_PORT
+  {{- if and $.Values.ingest.ingress.enabled $.Values.ingest.ingress.tls }}
+  value: "443"
+  {{- else if $.Values.ingest.ingress.enabled }}
+  value: "80"
+  {{- else }}
+  value: {{ $.Values.ingest.service.port | quote }}
+  {{- end }}
+{{- end }}
+{{- with (.ingestPort | default $.Values.config.ingestPort) }}
+- name: INGEST_PORT
+  value: {{ . | quote }}
+{{- end }}
+
+{{- if and (not .syncsEnabled) $.Values.syncctl.enabled }}
+- name: SYNCS_ENABLED
+  value: "true"
+{{- end }}
+{{- with .syncsEnabled }}
+- name: SYNCS_ENABLED
+  value: {{ . | quote }}
+{{- end }}
+
+{{- if and (not .syncctlUrl) (not $.Values.config.syncctlUrl) $.Values.syncctl.enabled }}
+- name: SYNCCTL_URL
+  value: {{ printf "http://%s-syncctl:%d" (include "jitsu.fullname" $) (int $.Values.syncctl.service.port) | quote }}
+{{- end }}
+{{- with (.syncctlUrl | default $.Values.config.syncctlUrl) }}
+- name: SYNCCTL_URL
+  value: {{ . | quote }}
+{{- end }}
+
+{{- if .syncctlAuthKeyFrom }}
+- name: SYNCCTL_AUTH_KEY
+  valueFrom:
+    {{- toYaml .syncctlAuthKeyFrom | nindent 4 }}
+{{- else }}
+{{- if and (not .syncctlAuthKey) $.Values.syncctl.enabled $.Values.tokenGenerator.enabled }}
+- name: SYNCCTL_AUTH_KEY
+  valueFrom:
+    secretKeyRef:
+      name: {{ include "jitsu.fullname" $ }}-tokens
+      key: syncctlAuthToken
+{{- end }}
+{{- with .syncctlAuthKey }}
+- name: SYNCCTL_AUTH_KEY
+  value: {{ . | quote }}
+{{- end }}
+{{- end }}
+
+{{- if .consoleAuthTokensFrom }}
+- name: CONSOLE_AUTH_TOKENS
+  valueFrom:
+    {{- toYaml .consoleAuthTokensFrom | nindent 4 }}
+{{- else }}
+{{- if and (not .consoleAuthTokens) $.Values.tokenGenerator.enabled }}
+- name: CONSOLE_AUTH_TOKENS
+  valueFrom:
+    secretKeyRef:
+      name: {{ include "jitsu.fullname" $ }}-tokens
+      key: consoleAuthTokens
+{{- end }}
+{{- with .consoleAuthTokens }}
+- name: CONSOLE_AUTH_TOKENS
+  value: {{ . | quote }}
+{{- end }}
+{{- end }}
+
+{{- if or .globalHashSecretFrom $.Values.config.globalHashSecretFrom }}
+- name: GLOBAL_HASH_SECRET
+  valueFrom:
+    {{- toYaml (.globalHashSecretFrom | default $.Values.config.globalHashSecretFrom) | nindent 4 }}
+{{- else }}
+{{- if and (not .globalHashSecret) (not $.Values.config.globalHashSecret) $.Values.tokenGenerator.enabled }}
+- name: GLOBAL_HASH_SECRET
+  valueFrom:
+    secretKeyRef:
+      name: {{ include "jitsu.fullname" $ }}-tokens
+      key: globalHashSecret
+{{- end }}
+{{- with (.globalHashSecret | default $.Values.config.globalHashSecret) }}
+- name: GLOBAL_HASH_SECRET
+  value: {{ . | quote }}
+{{- end }}
+{{- end }}
+
+{{- if .consoleRawAuthTokensFrom }}
+- name: CONSOLE_RAW_AUTH_TOKENS
+  valueFrom:
+    {{- toYaml .consoleRawAuthTokensFrom | nindent 4 }}
+{{- else }}
+{{- with .consoleRawAuthTokens }}
+- name: CONSOLE_RAW_AUTH_TOKENS
+  value: {{ . | quote }}
+{{- end }}
+{{- end }}
+
+{{- if .seedUserEmailFrom }}
+- name: SEED_USER_EMAIL
+  valueFrom:
+    {{- toYaml .seedUserEmailFrom | nindent 4 }}
+{{- else }}
+{{- with .seedUserEmail }}
+- name: SEED_USER_EMAIL
+  value: {{ . | quote }}
+{{- end }}
+{{- end }}
+
+{{- if .seedUserPasswordFrom }}
+- name: SEED_USER_PASSWORD
+  valueFrom:
+    {{- toYaml .seedUserPasswordFrom | nindent 4 }}
+{{- else }}
+{{- with .seedUserPassword }}
+- name: SEED_USER_PASSWORD
+  value: {{ . | quote }}
+{{- end }}
+{{- end }}
+
+{{- if .githubClientIdFrom }}
+- name: GITHUB_CLIENT_ID
+  valueFrom:
+    {{- toYaml .githubClientIdFrom | nindent 4 }}
+{{- else }}
+{{- with .githubClientId }}
+- name: GITHUB_CLIENT_ID
+  value: {{ . | quote }}
+{{- end }}
+{{- end }}
+
+{{- if .githubClientSecretFrom }}
+- name: GITHUB_CLIENT_SECRET
+  valueFrom:
+    {{- toYaml .githubClientSecretFrom | nindent 4 }}
+{{- else }}
+{{- with .githubClientSecret }}
+- name: GITHUB_CLIENT_SECRET
+  value: {{ . | quote }}
+{{- end }}
+{{- end }}
+
+{{- with .enableCredentialsLogin }}
+- name: ENABLE_CREDENTIALS_LOGIN
+  value: {{ . | quote }}
+{{- end }}
+
+{{- with .adminCredentials }}
+- name: ADMIN_CREDENTIALS
+  value: {{ . | quote }}
+{{- end }}
+
+{{- if .googleSchedulerKeyFrom }}
+- name: GOOGLE_SCHEDULER_KEY
+  valueFrom:
+    {{- toYaml .googleSchedulerKeyFrom | nindent 4 }}
+{{- else }}
+{{- with .googleSchedulerKey }}
+- name: GOOGLE_SCHEDULER_KEY
+  value: {{ . | quote }}
+{{- end }}
+{{- end }}
+
+{{- if .clickhouseMetricsSchemaFrom }}
+- name: CLICKHOUSE_METRICS_SCHEMA
+  valueFrom:
+    {{- toYaml .clickhouseMetricsSchemaFrom | nindent 4 }}
+{{- else }}
+{{- with .clickhouseMetricsSchema }}
+- name: CLICKHOUSE_METRICS_SCHEMA
+  value: {{ . | quote }}
+{{- end }}
+{{- end }}
+
+{{- if .clickhouseUrlFrom }}
+- name: CLICKHOUSE_URL
+  valueFrom:
+    {{- toYaml .clickhouseUrlFrom | nindent 4 }}
+{{- else }}
+{{- with .clickhouseUrl }}
+- name: CLICKHOUSE_URL
+  value: {{ . | quote }}
+{{- end }}
+{{- end }}
+
+{{- if .clickhouseUsernameFrom }}
+- name: CLICKHOUSE_USERNAME
+  valueFrom:
+    {{- toYaml .clickhouseUsernameFrom | nindent 4 }}
+{{- else }}
+{{- with .clickhouseUsername }}
+- name: CLICKHOUSE_USERNAME
+  value: {{ . | quote }}
+{{- end }}
+{{- end }}
+
+{{- if .clickhousePasswordFrom }}
+- name: CLICKHOUSE_PASSWORD
+  valueFrom:
+    {{- toYaml .clickhousePasswordFrom | nindent 4 }}
+{{- else }}
+{{- with .clickhousePassword }}
+- name: CLICKHOUSE_PASSWORD
+  value: {{ . | quote }}
+{{- end }}
+{{- end }}
+
+{{- with .logFormat }}
+- name: LOG_FORMAT
+  value: {{ . | quote }}
+{{- end }}
+
+{{- with .disableSignup }}
+- name: DISABLE_SIGNUP
+  value: {{ . | quote }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/templates/console/deployment.yaml b/templates/console/deployment.yaml
index ad2a13c..ff0be73 100644
--- a/templates/console/deployment.yaml
+++ b/templates/console/deployment.yaml
@@ -34,12 +34,17 @@ spec:
       serviceAccountName: {{ include "jitsu.serviceAccountName" . }}
       securityContext:
         {{- toYaml .Values.podSecurityContext | nindent 8 }}
-      {{- if .Values.migration.enabled }}
       initContainers:
+        {{- if .Values.tokenGenerator.enabled }}
+        - name: wait-for-tokens
+          image: ghcr.io/groundnuty/k8s-wait-for:v2.0
+          args: ["job-wr", "{{ include "jitsu.fullname" . }}-token-generator-{{ sha1sum (toJson .Values) | substr 0 8 }}"]
+        {{- end }}
+        {{- if .Values.migration.enabled }}
         - name: wait-for-migration
           image: ghcr.io/groundnuty/k8s-wait-for:v2.0
           args: ["job-wr", "{{ include "jitsu.fullname" . }}-migration-{{ sha1sum (toJson .Values) | substr 0 8 }}"]
-      {{- end }}
+        {{- end }}
       containers:
         - name: {{ .Chart.Name }}
           securityContext:
@@ -60,11 +65,16 @@ spec:
               port: http
               path: /api/healthcheck
           {{- end }}
+          {{- if .Values.console.envFrom }}
+          envFrom:
+            {{- toYaml .Values.console.envFrom | nindent 12 }}
+          {{- end }}
           env:
-            {{- $env := merge (deepCopy .Values.console.environment) .Values.jitsu.environment -}}
-            {{- range $k, $v := $env }}
-              - name: {{ $k | quote }}
-                {{- toYaml $v | nindent 16 }}
+            {{- if and .Values.config.enabled .Values.console.config.enabled }}
+            {{- include "jitsu.console.env" . | nindent 12 }}
+            {{- end }}
+            {{- with .Values.console.env }}
+            {{- toYaml . | nindent 12 }}
             {{- end }}
           resources:
             {{- toYaml .Values.resources | nindent 12 }}
diff --git a/templates/console/ingress.yaml b/templates/console/ingress.yaml
index c1cbf9f..ab9c3c4 100644
--- a/templates/console/ingress.yaml
+++ b/templates/console/ingress.yaml
@@ -1,21 +1,8 @@
 {{- if .Values.console.ingress.enabled -}}
-{{- $fullName := include "jitsu.fullname" . -}}
-{{- $svcPort := .Values.console.service.port -}}
-{{- if and .Values.console.ingress.className (not (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion)) }}
-  {{- if not (hasKey .Values.console.ingress.annotations "kubernetes.io/ingress.class") }}
-  {{- $_ := set .Values.console.ingress.annotations "kubernetes.io/ingress.class" .Values.console.ingress.className}}
-  {{- end }}
-{{- end }}
-{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}}
 apiVersion: networking.k8s.io/v1
-{{- else if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}}
-apiVersion: networking.k8s.io/v1beta1
-{{- else -}}
-apiVersion: extensions/v1beta1
-{{- end }}
 kind: Ingress
 metadata:
-  name: {{ $fullName }}-console
+  name: {{ include "jitsu.fullname" . }}-console
   labels:
     {{- include "jitsu.labels" . | nindent 4 }}
   {{- with .Values.console.ingress.annotations }}
@@ -23,9 +10,7 @@ metadata:
     {{- toYaml . | nindent 4 }}
   {{- end }}
 spec:
-  {{- if and .Values.console.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }}
   ingressClassName: {{ .Values.console.ingress.className }}
-  {{- end }}
   {{- if .Values.console.ingress.tls }}
   tls:
     {{- range .Values.console.ingress.tls }}
@@ -43,19 +28,12 @@ spec:
         paths:
           {{- range .paths }}
           - path: {{ .path }}
-            {{- if and .pathType (semverCompare ">=1.18-0" $.Capabilities.KubeVersion.GitVersion) }}
             pathType: {{ .pathType }}
-            {{- end }}
             backend:
-              {{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }}
               service:
-                name: {{ $fullName }}-console
+                name: {{ include "jitsu.fullname" $ }}-console
                 port:
-                  number: {{ $svcPort }}
-              {{- else }}
-              serviceName: {{ $fullName }}-console
-              servicePort: {{ $svcPort }}
-              {{- end }}
+                  number: {{ $.Values.console.service.port }}
           {{- end }}
     {{- end }}
 {{- end }}
diff --git a/templates/ingest/_helpers.tpl b/templates/ingest/_helpers.tpl
index 57058a7..ffb75b4 100644
--- a/templates/ingest/_helpers.tpl
+++ b/templates/ingest/_helpers.tpl
@@ -4,3 +4,172 @@ Console selector labels
 {{- define "jitsu.ingest.selectorLabels" -}}
 app.kubernetes.io/component: ingest
 {{- end }}
+
+{{- define "jitsu.ingest.env" -}}
+{{- with .Values.ingest.config }}
+- name: INGEST_DATA_DOMAIN
+  value: {{ .dataDomain | default ($.Values.ingress.enabled | ternary $.Values.ingress.host "") | quote }}
+
+{{- if or .redisUrlFrom $.Values.config.redisUrlFrom }}
+- name: INGEST_REDIS_URL
+  valueFrom:
+    {{- toYaml (.redisUrlFrom | default $.Values.config.redisUrlFrom) | nindent 4 }}
+{{- else }}
+- name: INGEST_REDIS_URL
+  value: {{ .redisUrl | default (include "jitsu.redisUrl" $) | quote }}
+{{- end }}
+
+{{- if .authTokensFrom }}
+- name: INGEST_AUTH_TOKENS
+  valueFrom:
+    {{- toYaml .authTokensFrom | nindent 4 }}
+{{- else }}
+{{- if and (not .authTokens) $.Values.tokenGenerator.enabled }}
+- name: INGEST_AUTH_TOKENS
+  valueFrom:
+    secretKeyRef:
+      name: {{ include "jitsu.fullname" $ }}-tokens
+      key: ingestAuthTokens
+{{- end }}
+{{- with .authTokens }}
+- name: INGEST_AUTH_TOKENS
+  value: {{ . | quote }}
+{{- end }}
+{{- end }}
+
+{{- if .tokenSecretFrom }}
+- name: INGEST_TOKEN_SECRET
+  valueFrom:
+    {{- toYaml .tokenSecretFrom | nindent 4 }}
+{{- else }}
+{{- if and (not .tokenSecret) $.Values.tokenGenerator.enabled }}
+- name: INGEST_TOKEN_SECRET
+  valueFrom:
+    secretKeyRef:
+      name: {{ include "jitsu.fullname" $ }}-tokens
+      key: ingestTokenSecret
+{{- end }}
+{{- with .tokenSecret }}
+- name: INGEST_TOKEN_SECRET
+  value: {{ . | quote }}
+{{- end }}
+{{- end }}
+
+{{- if .rawAuthTokensFrom }}
+- name: INGEST_RAW_AUTH_TOKENS
+  valueFrom:
+    {{- toYaml .rawAuthTokensFrom | nindent 4 }}
+{{- else }}
+{{- with .rawAuthTokens }}
+- name: INGEST_RAW_AUTH_TOKENS
+  value: {{ . | quote }}
+{{- end }}
+{{- end }}
+
+{{- if or .globalHashSecretFrom $.Values.config.globalHashSecretFrom }}
+- name: INGEST_GLOBAL_HASH_SECRET
+  valueFrom:
+    {{- toYaml (.globalHashSecretFrom | default $.Values.config.globalHashSecretFrom) | nindent 4 }}
+{{- else }}
+{{- if and (not .globalHashSecret) (not $.Values.config.globalHashSecret) $.Values.tokenGenerator.enabled }}
+- name: INGEST_GLOBAL_HASH_SECRET
+  valueFrom:
+    secretKeyRef:
+      name: {{ include "jitsu.fullname" $ }}-tokens
+      key: globalHashSecret
+{{- end }}
+{{- with (.globalHashSecret | default $.Values.config.globalHashSecret) }}
+- name: GLOBAL_HASH_SECRET
+  value: {{ . | quote }}
+{{- end }}
+{{- end }}
+
+{{- if and (not .repositoryUrl) $.Values.console.enabled $.Values.tokenGenerator.enabled }}
+- name: INGEST_REPOSITORY_URL
+  value: {{ printf "http://%s-console:%d/api/admin/export/streams-with-destinations"
+    (include "jitsu.fullname" $)
+    (int $.Values.console.service.port)
+  | quote }}
+{{- end }}
+{{- with .repositoryUrl }}
+- name: INGEST_REPOSITORY_URL
+  value: {{ . | quote }}
+{{- end }}
+
+{{- if .repositoryAuthTokenFrom }}
+- name: INGEST_REPOSITORY_AUTH_TOKEN
+  valueFrom:
+    {{- toYaml .repositoryAuthTokenFrom | nindent 4 }}
+{{- else }}
+{{- if and (not .repositoryAuthToken) $.Values.console.enabled $.Values.tokenGenerator.enabled }}
+- name: INGEST_REPOSITORY_AUTH_TOKEN
+  valueFrom:
+    secretKeyRef:
+      name: {{ include "jitsu.fullname" $ }}-tokens
+      key: consoleAuthToken
+{{- end }}
+{{- with .repositoryAuthToken }}
+- name: INGEST_REPOSITORY_AUTH_TOKEN
+  value: {{ . | quote }}
+{{- end }}
+{{- end }}
+
+{{- with .repositoryRefreshPeriodSec }}
+- name: INGEST_REPOSITORY_REFRESH_PERIOD_SEC
+  value: {{ . | quote }}
+{{- end }}
+
+{{- if and (not .kafkaBootstrapServers) (not $.Values.config.kafkaBootstrapServers) $.Values.kafka.enabled }}
+- name: INGEST_KAFKA_BOOTSTRAP_SERVERS
+  value: "{{ $.Release.Name }}-kafka:9092"
+{{- end }}
+{{- with (.kafkaBootstrapServers | default $.Values.config.kafkaBootstrapServers) }}
+- name: INGEST_KAFKA_BOOTSTRAP_SERVERS
+  value: {{ . | quote }}
+{{- end }}
+
+{{- with (.kafkaSsl | default $.Values.config.kafkaSsl) }}
+- name: INGEST_KAFKA_SSL
+  value: {{ . | quote }}
+{{- end }}
+
+{{- with (.kafkaSslSkipVerify | default $.Values.config.kafkaSslSkipVerify) }}
+- name: INGEST_KAFKA_SSL_SKIP_VERIFY
+  value: {{ . | quote }}
+{{- end }}
+
+{{- if or .kafkaSaslFrom $.Values.config.kafkaSaslFrom }}
+- name: INGEST_KAFKA_SASL
+  valueFrom:
+    {{- toYaml (.kafkaSaslFrom | default $.Values.config.kafkaSaslFrom) | nindent 4 }}
+{{- else }}
+{{- with (.kafkaSasl | default $.Values.config.kafkaSasl) }}
+- name: INGEST_KAFKA_SASL
+  {{- if kindIs "string" . }}
+  value: {{ . | quote }}
+  {{- else }}
+  value: {{ toJson . | quote }}
+  {{- end }}
+{{- end }}
+{{- end }}
+
+{{- if and (not .rotorUrl) (not $.Values.config.rotorUrl) $.Values.rotor.enabled }}
+- name: INGEST_ROTOR_URL
+  value: {{ printf "http://%s-rotor:%d" (include "jitsu.fullname" $) (int $.Values.rotor.service.port) | quote }}
+{{- end }}
+{{- with (.rotorUrl | default $.Values.config.rotorUrl) }}
+- name: INGEST_ROTOR_URL
+  value: {{ . | quote }}
+{{- end }}
+
+{{- with .eventsLogMaxSize }}
+- name: INGEST_EVENTS_LOG_MAX_SIZE
+  value: {{ . | quote }}
+{{- end }}
+
+{{- with .logFormat }}
+- name: INGEST_LOG_FORMAT
+  value: {{ . | quote }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/templates/ingest/deployment.yaml b/templates/ingest/deployment.yaml
index d43ad73..0077a08 100644
--- a/templates/ingest/deployment.yaml
+++ b/templates/ingest/deployment.yaml
@@ -34,6 +34,32 @@ spec:
       serviceAccountName: {{ include "jitsu.serviceAccountName" . }}
       securityContext:
         {{- toYaml .Values.podSecurityContext | nindent 8 }}
+      initContainers:
+        {{- if .Values.tokenGenerator.enabled }}
+        - name: wait-for-tokens
+          image: ghcr.io/groundnuty/k8s-wait-for:v2.0
+          args: ["job-wr", "{{ include "jitsu.fullname" . }}-token-generator-{{ sha1sum (toJson .Values) | substr 0 8 }}"]
+        {{- end }}
+        {{- if .Values.redis.enabled }}
+        - name: wait-for-redis
+          image: ghcr.io/groundnuty/k8s-wait-for:v2.0
+          args: ["service", "{{ .Release.Name }}-redis-master"]
+        {{- end }}
+        {{- if .Values.kafka.enabled }}
+        - name: wait-for-kafka
+          image: ghcr.io/groundnuty/k8s-wait-for:v2.0
+          args: ["service", "{{ .Release.Name }}-kafka"]
+        {{- end }}
+        {{- if .Values.console.enabled }}
+        - name: wait-for-console
+          image: ghcr.io/groundnuty/k8s-wait-for:v2.0
+          args: ["service", "{{ include "jitsu.fullname" . }}-console"]
+        {{- end }}
+        {{- if .Values.rotor.enabled }}
+        - name: wait-for-rotor
+          image: ghcr.io/groundnuty/k8s-wait-for:v2.0
+          args: ["service", "{{ include "jitsu.fullname" . }}-rotor"]
+        {{- end }}
       containers:
         - name: {{ .Chart.Name }}
           securityContext:
@@ -54,11 +80,16 @@ spec:
               port: http
               path: /health
           {{- end }}
+          {{- if .Values.ingest.envFrom }}
+          envFrom:
+            {{- toYaml .Values.ingest.envFrom | nindent 12 }}
+          {{- end }}
           env:
-            {{- $env := merge (deepCopy .Values.ingest.environment) .Values.jitsu.environment -}}
-            {{- range $k, $v := $env }}
-              - name: {{ $k | quote }}
-                {{- toYaml $v | nindent 16 }}
+            {{- if and .Values.config.enabled .Values.ingest.config.enabled }}
+            {{- include "jitsu.ingest.env" . | nindent 12 }}
+            {{- end }}
+            {{- with .Values.ingest.env }}
+            {{- toYaml . | nindent 12 }}
             {{- end }}
           resources:
             {{- toYaml .Values.resources | nindent 12 }}
diff --git a/templates/ingest/ingress.yaml b/templates/ingest/ingress.yaml
index 70cfd68..02d095e 100644
--- a/templates/ingest/ingress.yaml
+++ b/templates/ingest/ingress.yaml
@@ -1,21 +1,8 @@
 {{- if .Values.ingest.ingress.enabled -}}
-{{- $fullName := include "jitsu.fullname" . -}}
-{{- $svcPort := .Values.ingest.service.port -}}
-{{- if and .Values.ingest.ingress.className (not (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion)) }}
-  {{- if not (hasKey .Values.ingest.ingress.annotations "kubernetes.io/ingress.class") }}
-  {{- $_ := set .Values.ingest.ingress.annotations "kubernetes.io/ingress.class" .Values.ingest.ingress.className}}
-  {{- end }}
-{{- end }}
-{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}}
 apiVersion: networking.k8s.io/v1
-{{- else if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}}
-apiVersion: networking.k8s.io/v1beta1
-{{- else -}}
-apiVersion: extensions/v1beta1
-{{- end }}
 kind: Ingress
 metadata:
-  name: {{ $fullName }}-ingest
+  name: {{ include "jitsu.fullname" . }}-ingest
   labels:
     {{- include "jitsu.labels" . | nindent 4 }}
   {{- with .Values.ingest.ingress.annotations }}
@@ -23,9 +10,7 @@ metadata:
     {{- toYaml . | nindent 4 }}
   {{- end }}
 spec:
-  {{- if and .Values.ingest.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }}
   ingressClassName: {{ .Values.ingest.ingress.className }}
-  {{- end }}
   {{- if .Values.ingest.ingress.tls }}
   tls:
     {{- range .Values.ingest.ingress.tls }}
@@ -43,19 +28,12 @@ spec:
         paths:
           {{- range .paths }}
           - path: {{ .path }}
-            {{- if and .pathType (semverCompare ">=1.18-0" $.Capabilities.KubeVersion.GitVersion) }}
             pathType: {{ .pathType }}
-            {{- end }}
             backend:
-              {{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }}
               service:
-                name: {{ $fullName }}-ingest
+                name: {{ include "jitsu.fullname" $ }}-ingest
                 port:
-                  number: {{ $svcPort }}
-              {{- else }}
-              serviceName: {{ $fullName }}-ingest
-              servicePort: {{ $svcPort }}
-              {{- end }}
+                  number: {{ $.Values.ingest.service.port }}
           {{- end }}
     {{- end }}
 {{- end }}
diff --git a/templates/ingress.yaml b/templates/ingress.yaml
new file mode 100644
index 0000000..509a8b9
--- /dev/null
+++ b/templates/ingress.yaml
@@ -0,0 +1,49 @@
+{{- if and .Values.ingress.enabled (or .Values.console.enabled .Values.ingest.enabled) -}}
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: {{ include "jitsu.fullname" . }}
+  labels:
+    {{- include "jitsu.labels" . | nindent 4 }}
+  {{- with .Values.ingress.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  ingressClassName: {{ .Values.ingress.className }}
+  {{- if .Values.ingress.tls }}
+  tls:
+    - hosts:
+        - {{ .Values.ingress.host | quote }}
+      secretName: {{ include "jitsu.fullname" . }}-tls
+  {{- end }}
+  rules:
+    - host: {{ .Values.ingress.host | quote }}
+      http:
+        paths:
+          {{- if .Values.console.enabled }}
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: {{ include "jitsu.fullname" . }}-console
+                port:
+                  number: {{ .Values.console.service.port }}
+          {{- end }}
+          {{- if .Values.ingest.enabled }}
+          - path: /api/s/
+            pathType: Prefix
+            backend:
+              service:
+                name: {{ include "jitsu.fullname" . }}-ingest
+                port:
+                  number: {{ .Values.ingest.service.port }}
+          - path: /v1/batch
+            pathType: Prefix
+            backend:
+              service:
+                name: {{ include "jitsu.fullname" . }}-ingest
+                port:
+                  number: {{ .Values.ingest.service.port }}
+          {{- end }}
+{{- end }}
diff --git a/templates/migration/job.yaml b/templates/migration/job.yaml
index 15f0157..f4379ee 100644
--- a/templates/migration/job.yaml
+++ b/templates/migration/job.yaml
@@ -22,16 +22,39 @@ spec:
       {{- end }}
       restartPolicy: "Never"
       serviceAccountName: {{ include "jitsu.serviceAccountName" . }}
+      initContainers:
+        {{- if .Values.tokenGenerator.enabled }}
+        - name: wait-for-tokens
+          image: ghcr.io/groundnuty/k8s-wait-for:v2.0
+          args: ["job-wr", "{{ include "jitsu.fullname" . }}-token-generator-{{ sha1sum (toJson .Values) | substr 0 8 }}"]
+          {{- end }}
+        {{- if .Values.postgresql.enabled }}
+        - name: wait-for-postgresql
+          image: ghcr.io/groundnuty/k8s-wait-for:v2.0
+          args: ["service", "{{ .Release.Name }}-postgresql"]
+        {{- end }}
       containers:
-      - name: {{ .Chart.Name }}
-        image: "{{ .Values.migration.image.repository }}:{{ .Values.migration.image.tag | default .Chart.AppVersion }}"
-        imagePullPolicy: {{ .Values.migration.image.pullPolicy }}
-        command: [prisma]
-        args: [db, push, --skip-generate, --schema, /app/schema.prisma]
-        env:
-          {{- $env := merge (deepCopy .Values.migration.environment) .Values.jitsu.environment -}}
-          {{- range $k, $v := $env }}
-            - name: {{ $k | quote }}
-              {{- toYaml $v | nindent 14 }}
+        - name: {{ .Chart.Name }}
+          image: "{{ .Values.migration.image.repository }}:{{ .Values.migration.image.tag | default .Chart.AppVersion }}"
+          imagePullPolicy: {{ .Values.migration.image.pullPolicy }}
+          command: [prisma]
+          args: [db, push, --skip-generate, --schema, /app/schema.prisma]
+          {{- if .Values.migration.envFrom }}
+          envFrom:
+            {{- toYaml .Values.migration.envFrom | nindent 12 }}
           {{- end }}
+          env:
+            {{- if and .Values.config.enabled .Values.migration.config.enabled }}
+            {{- if or .databaseUrlFrom $.Values.config.databaseUrlFrom }}
+            - name: DATABASE_URL
+              valueFrom:
+                {{- toYaml (.databaseUrlFrom | default $.Values.config.databaseUrlFrom) | nindent 4 }}
+            {{- else }}
+            - name: DATABASE_URL
+              value: {{ .Values.migration.config.databaseUrl | default (include "jitsu.databaseUrl" .) | quote }}
+            {{- end }}
+            {{- end }}
+            {{- with .Values.migration.env }}
+            {{- toYaml . | nindent 12 }}
+            {{- end }}
 {{- end }}
diff --git a/templates/role.yaml b/templates/role.yaml
new file mode 100644
index 0000000..33c7471
--- /dev/null
+++ b/templates/role.yaml
@@ -0,0 +1,18 @@
+{{- if .Values.serviceAccount.rbac.create }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ include "jitsu.fullname" . }}-k8s-wait-for
+  labels:
+    {{- include "jitsu.labels" . | nindent 4 }}
+rules:
+  - apiGroups: ["batch"]
+    resources: ["jobs"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: [""]
+    resources: ["services"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: [""]
+    resources: ["pods"]
+    verbs: ["get", "list", "watch"]
+{{- end }}
diff --git a/templates/rolebinding.yaml b/templates/rolebinding.yaml
new file mode 100644
index 0000000..f446314
--- /dev/null
+++ b/templates/rolebinding.yaml
@@ -0,0 +1,23 @@
+{{- if or .Values.serviceAccount.rbac.create .Values.syncctl.serviceAccount.rbac.create }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ include "jitsu.fullname" . }}-k8s-wait-for
+  labels:
+    {{- include "jitsu.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ include "jitsu.fullname" . }}-k8s-wait-for
+subjects:
+  {{- if .Values.serviceAccount.rbac.create }}
+  - kind: ServiceAccount
+    name: {{ include "jitsu.serviceAccountName" . }}
+    namespace: {{ .Release.Namespace }}
+  {{- end }}
+  {{- if .Values.syncctl.serviceAccount.rbac.create }}
+  - kind: ServiceAccount
+    name: {{ include "jitsu.syncctl.serviceAccountName" . }}
+    namespace: {{ .Release.Namespace }}
+  {{- end }}
+{{- end }}
diff --git a/templates/rotor/_helpers.tpl b/templates/rotor/_helpers.tpl
index f1c10c5..cc773db 100644
--- a/templates/rotor/_helpers.tpl
+++ b/templates/rotor/_helpers.tpl
@@ -4,3 +4,154 @@ Rotor selector labels
 {{- define "jitsu.rotor.selectorLabels" -}}
 app.kubernetes.io/component: rotor
 {{- end }}
+
+{{- define "jitsu.rotor.env" -}}
+{{- with .Values.rotor.config }}
+{{- if or .redisUrlFrom $.Values.config.redisUrlFrom }}
+- name: REDIS_URL
+  valueFrom:
+    {{- toYaml (.redisUrlFrom | default $.Values.config.redisUrlFrom) | nindent 4 }}
+{{- else }}
+- name: REDIS_URL
+  value: {{ .redisUrl | default (include "jitsu.redisUrl" $) | quote }}
+{{- end }}
+
+{{- if or .mongodbUrlFrom $.Values.config.mongodbUrlFrom }}
+- name: MONGODB_URL
+  valueFrom:
+    {{- toYaml (.mongodbUrlFrom | default $.Values.config.mongodbUrlFrom) | nindent 4 }}
+{{- else }}
+- name: MONGODB_URL
+  value: {{ .mongodbUrl | default (include "jitsu.mongodbUrl" $) | quote }}
+{{- end }}
+
+{{- if and (not .repositoryBaseUrl) $.Values.console.enabled $.Values.tokenGenerator.enabled }}
+- name: REPOSITORY_BASE_URL
+  value: {{ printf "http://%s-console:%d/api/admin/export"
+    (include "jitsu.fullname" $)
+    (int $.Values.console.service.port)
+  | quote }}
+{{- end }}
+{{- with .repositoryBaseUrl }}
+- name: REPOSITORY_BASE_URL
+  value: {{ . | quote }}
+{{- end }}
+
+{{- if .repositoryAuthTokenFrom }}
+- name: REPOSITORY_AUTH_TOKEN
+  valueFrom:
+    {{- toYaml .repositoryAuthTokenFrom | nindent 4 }}
+{{- else }}
+{{- if and (not .repositoryAuthToken) $.Values.console.enabled $.Values.tokenGenerator.enabled }}
+- name: REPOSITORY_AUTH_TOKEN
+  valueFrom:
+    secretKeyRef:
+      name: {{ include "jitsu.fullname" $ }}-tokens
+      key: consoleAuthToken
+{{- end }}
+{{- with .repositoryAuthToken }}
+- name: REPOSITORY_AUTH_TOKEN
+  value: {{ . | quote }}
+{{- end }}
+{{- end }}
+
+{{- with .repositoryRefreshPeriodSec }}
+- name: REPOSITORY_REFRESH_PERIOD_SEC
+  value: {{ . | quote }}
+{{- end }}
+
+{{- if and (not .bulkerUrl) (not $.Values.config.bulkerUrl) $.Values.bulker.enabled }}
+- name: BULKER_URL
+  value: {{ printf "http://%s-bulker:%d"
+    (include "jitsu.fullname" $)
+    (int $.Values.bulker.service.port)
+  | quote }}
+{{- end }}
+{{- with (.bulkerUrl | default $.Values.config.bulkerUrl) }}
+- name: BULKER_URL
+  value: {{ . | quote }}
+{{- end }}
+
+{{- if .bulkerAuthKeyFrom }}
+- name: BULKER_AUTH_KEY
+  valueFrom:
+    {{- toYaml .bulkerAuthKeyFrom | nindent 4 }}
+{{- else }}
+{{- if and (not .bulkerAuthKey) $.Values.bulker.enabled $.Values.tokenGenerator.enabled }}
+- name: BULKER_AUTH_KEY
+  valueFrom:
+    secretKeyRef:
+      name: {{ include "jitsu.fullname" $ }}-tokens
+      key: bulkerAuthToken
+{{- end }}
+{{- with .bulkerAuthKey }}
+- name: BULKER_AUTH_KEY
+  value: {{ . | quote }}
+{{- end }}
+{{- end }}
+
+{{- if and (not .kafkaBootstrapServers) (not $.Values.config.kafkaBootstrapServers) $.Values.kafka.enabled }}
+- name: KAFKA_BOOTSTRAP_SERVERS
+  value: {{ printf "%s-kafka:9092" $.Release.Name | quote }}
+{{- end }}
+{{- with (.kafkaBootstrapServers | default $.Values.config.kafkaBootstrapServers) }}
+- name: KAFKA_BOOTSTRAP_SERVERS
+  value: {{ . | quote }}
+{{- end }}
+
+{{- with (.kafkaSsl | default $.Values.config.kafkaSsl) }}
+- name: KAFKA_SSL
+  value: {{ . | quote }}
+{{- end }}
+
+{{- if or .kafkaSaslFrom $.Values.config.kafkaSaslFrom }}
+- name: KAFKA_SASL
+  valueFrom:
+    {{- toYaml (.kafkaSaslFrom | default $.Values.config.kafkaSaslFrom) | nindent 4 }}
+{{- else }}
+{{- with (.kafkaSasl | default $.Values.config.kafkaSasl) }}
+- name: KAFKA_SASL
+  {{- if kindIs "string" . }}
+  value: {{ . | quote }}
+  {{- else }}
+  value: {{ toJson . | quote }}
+  {{- end }}
+{{- end }}
+{{- end }}
+
+{{- with .metricsDestinationId }}
+- name: METRICS_DESTINATION_ID
+  value: {{ . | quote }}
+{{- end }}
+
+{{- with .eventsLogMaxSize }}
+- name: EVENTS_LOG_MAX_SIZE
+  value: {{ . | quote }}
+{{- end }}
+
+{{- with .concurrency }}
+- name: CONCURRENCY
+  value: {{ . | quote }}
+{{- end }}
+
+{{- with .messagesRetryCount }}
+- name: MESSAGES_RETRY_COUNT
+  value: {{ . | quote }}
+{{- end }}
+
+{{- with .messagesRetryBackoffBase }}
+- name: MESSAGES_RETRY_BACKOFF_BASE
+  value: {{ . | quote }}
+{{- end }}
+
+{{- with .messagesRetryBackoffMaxDelay }}
+- name: MESSAGES_RETRY_BACKOFF_MAX_DELAY
+  value: {{ . | quote }}
+{{- end }}
+
+{{- with .logFormat }}
+- name: LOG_FORMAT
+  value: {{ . | quote }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/templates/rotor/deployment.yaml b/templates/rotor/deployment.yaml
index 3b6b189..f837f28 100644
--- a/templates/rotor/deployment.yaml
+++ b/templates/rotor/deployment.yaml
@@ -34,6 +34,37 @@ spec:
       serviceAccountName: {{ include "jitsu.serviceAccountName" . }}
       securityContext:
         {{- toYaml .Values.podSecurityContext | nindent 8 }}
+      initContainers:
+        {{- if .Values.tokenGenerator.enabled }}
+        - name: wait-for-tokens
+          image: ghcr.io/groundnuty/k8s-wait-for:v2.0
+          args: ["job-wr", "{{ include "jitsu.fullname" . }}-token-generator-{{ sha1sum (toJson .Values) | substr 0 8 }}"]
+        {{- end }}
+        {{- if .Values.redis.enabled }}
+        - name: wait-for-redis
+          image: ghcr.io/groundnuty/k8s-wait-for:v2.0
+          args: ["service", "{{ include "jitsu.fullname" . }}-redis-master"]
+        {{- end }}
+        {{- if .Values.kafka.enabled }}
+        - name: wait-for-kafka
+          image: ghcr.io/groundnuty/k8s-wait-for:v2.0
+          args: ["service", "{{ include "jitsu.fullname" . }}-kafka"]
+        {{- end }}
+        {{- if .Values.mongodb.enabled }}
+        - name: wait-for-mongodb
+          image: ghcr.io/groundnuty/k8s-wait-for:v2.0
+          args: ["service", "{{ .Release.Name }}-mongodb"]
+        {{- end }}
+        {{- if .Values.console.enabled }}
+        - name: wait-for-console
+          image: ghcr.io/groundnuty/k8s-wait-for:v2.0
+          args: ["service", "{{ include "jitsu.fullname" . }}-console"]
+        {{- end }}
+        {{- if .Values.bulker.enabled }}
+        - name: wait-for-bulker
+          image: ghcr.io/groundnuty/k8s-wait-for:v2.0
+          args: ["service", "{{ include "jitsu.fullname" . }}-bulker"]
+        {{- end }}
       containers:
         - name: {{ .Chart.Name }}
           securityContext:
@@ -54,11 +85,16 @@ spec:
               port: http
               path: /health
           {{- end }}
+          {{- if .Values.rotor.envFrom }}
+          envFrom:
+            {{- toYaml .Values.rotor.envFrom | nindent 12 }}
+          {{- end }}
           env:
-            {{- $env := merge (deepCopy .Values.rotor.environment) .Values.jitsu.environment -}}
-            {{- range $k, $v := $env }}
-              - name: {{ $k | quote }}
-                {{- toYaml $v | nindent 16 }}
+            {{- if and .Values.config.enabled .Values.rotor.config.enabled }}
+            {{- include "jitsu.rotor.env" . | nindent 12 }}
+            {{- end }}
+            {{- with .Values.rotor.env }}
+            {{- toYaml .Values.rotor.env | nindent 12 }}
             {{- end }}
           resources:
             {{- toYaml .Values.resources | nindent 12 }}
diff --git a/templates/syncctl/_helpers.tpl b/templates/syncctl/_helpers.tpl
index 65ee7a6..47b2f40 100644
--- a/templates/syncctl/_helpers.tpl
+++ b/templates/syncctl/_helpers.tpl
@@ -4,3 +4,160 @@ Rotor selector labels
 {{- define "jitsu.syncctl.selectorLabels" -}}
 app.kubernetes.io/component: syncctl
 {{- end }}
+
+{{- define "jitsu.syncctl.serviceAccountName" -}}
+{{- if .Values.syncctl.serviceAccount.create }}
+{{- default (printf "%s-syncctl" (include "jitsu.fullname" .)) .Values.syncctl.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.syncctl.serviceAccount.name }}
+{{- end }}
+{{- end }}
+
+{{- define "jitsu.syncctl.env" -}}
+{{- with .Values.syncctl.config -}}
+{{- if or .databaseUrlFrom $.Values.config.databaseUrlFrom }}
+- name: SYNCCTL_DATABASE_URL
+  valueFrom:
+    {{- toYaml (.databaseUrlFrom | default $.Values.config.databaseUrlFrom) | nindent 4 }}
+{{- else }}
+- name: SYNCCTL_DATABASE_URL
+  value: {{ .databaseUrl | default (include "jitsu.databaseUrl" $ | replace "schema=" "search_path=") | quote }}
+{{- end }}
+
+{{- if .authTokensFrom }}
+- name: SYNCCTL_AUTH_TOKENS
+  valueFrom:
+    {{- toYaml .authTokensFrom | nindent 4 }}
+{{- else }}
+{{- if and (not .authTokens) $.Values.tokenGenerator.enabled }}
+- name: SYNCCTL_AUTH_TOKENS
+  valueFrom:
+    secretKeyRef:
+      name: {{ include "jitsu.fullname" $ }}-tokens
+      key: syncctlAuthTokens
+{{- end }}
+{{- with .authTokens }}
+- name: SYNCCTL_AUTH_TOKENS
+  value: {{ . | quote }}
+{{- end }}
+{{- end }}
+
+{{- if .tokenSecretFrom }}
+- name: SYNCCTL_TOKEN_SECRET
+  valueFrom:
+    {{- toYaml .tokenSecretFrom | nindent 4 }}
+{{- else }}
+{{- if and (not .tokenSecret) $.Values.tokenGenerator.enabled }}
+- name: SYNCCTL_TOKEN_SECRET
+  valueFrom:
+    secretKeyRef:
+      name: {{ include "jitsu.fullname" $ }}-tokens
+      key: syncctlTokenSecret
+{{- end }}
+{{- with .tokenSecret }}
+- name: SYNCCTL_TOKEN_SECRET
+  value: {{ . | quote }}
+{{- end }}
+{{- end }}
+
+{{- if .rawAuthTokensFrom }}
+- name: SYNCCTL_RAW_AUTH_TOKENS
+  valueFrom:
+    {{- toYaml .rawAuthTokensFrom | nindent 4 }}
+{{- else }}
+{{- with .rawAuthTokens }}
+- name: SYNCCTL_RAW_AUTH_TOKENS
+  value: {{ . | quote }}
+{{- end }}
+{{- end }}
+
+{{- if .sidecarDatabaseUrlFrom }}
+- name: SYNCCTL_SIDECAR_DATABASE_URL
+  valueFrom:
+    {{- toYaml .sidecarDatabaseUrlFrom | nindent 4 }}
+{{- else }}
+{{- with .sidecarDatabaseUrl }}
+- name: SYNCCTL_SIDECAR_DATABASE_URL
+  value: {{ . | quote }}
+{{- end }}
+{{- end }}
+
+{{- if and (not .bulkerUrl) (not $.Values.config.bulkerUrl) $.Values.bulker.enabled }}
+- name: SYNCCTL_BULKER_URL
+  value: {{ printf "http://%s-bulker:%d" (include "jitsu.fullname" $) (int $.Values.bulker.service.port) | quote }}
+{{- end }}
+{{- with (.bulkerUrl | default $.Values.config.bulkerUrl) }}
+- name: SYNCCTL_BULKER_URL
+  value: {{ . | quote }}
+{{- end }}
+
+{{- if .bulkerAuthTokenFrom }}
+- name: SYNCCTL_BULKER_AUTH_TOKEN
+  valueFrom:
+    {{- toYaml .bulkerAuthTokenFrom | nindent 4 }}
+{{- else }}
+{{- if and (not .bulkerAuthToken ) $.Values.bulker.enabled $.Values.tokenGenerator.enabled }}
+- name: SYNCCTL_BULKER_AUTH_TOKEN
+  valueFrom:
+    secretKeyRef:
+      name: {{ include "jitsu.fullname" $ }}-tokens
+      key: bulkerAuthToken
+{{- end }}
+{{- with .bulkerAuthToken }}
+- name: SYNCCTL_BULKER_AUTH_TOKEN
+  value: {{ . | quote }}
+{{- end }}
+{{- end }}
+
+{{- if .kubernetesClientConfigFrom }}
+- name: SYNCCTL_KUBERNETES_CLIENT_CONFIG
+  valueFrom:
+    {{- toYaml .kubernetesClientConfigFrom | nindent 4 }}
+{{- else }}
+{{- with .kubernetesClientConfig }}
+- name: SYNCCTL_KUBERNETES_CLIENT_CONFIG
+  {{- if kindIs "string" . }}
+  value: {{ . | quote }}
+  {{- else }}
+  value: {{ toYaml . | quote }}
+  {{- end }}
+{{- end }}
+{{- end }}
+
+{{- if .kubernetesContextFrom }}
+- name: SYNCCTL_KUBERNETES_CONTEXT
+  valueFrom:
+    {{- toYaml .kubernetesContextFrom | nindent 4 }}
+{{- else }}
+{{- with .kubernetesContext }}
+- name: SYNCCTL_KUBERNETES_CONTEXT
+  value: {{ . | quote }}
+{{- end }}
+{{- end }}
+
+{{- if .kubernetesNamespaceFrom }}
+- name: SYNCCTL_KUBERNETES_NAMESPACE
+  valueFrom:
+    {{- toYaml .kubernetesNamespaceFrom | nindent 4 }}
+{{- else }}
+{{- if not .kubernetesNamespace }}
+- name: SYNCCTL_KUBERNETES_NAMESPACE
+  value: "{{ $.Release.Namespace }}"
+{{- end }}
+{{- with .kubernetesNamespace }}
+- name: SYNCCTL_KUBERNETES_NAMESPACE
+  value: {{ . | quote }}
+{{- end }}
+{{- end }}
+
+{{- with .taskTimeoutHours }}
+- name: SYNCCTL_TASK_TIMEOUT_HOURS
+  value: {{ . | quote }}
+{{- end }}
+
+{{- with .logFormat }}
+- name: SYNCCTL_LOG_FORMAT
+  value: {{ . | quote }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/templates/syncctl/deployment.yaml b/templates/syncctl/deployment.yaml
index 7e265ec..29929d0 100644
--- a/templates/syncctl/deployment.yaml
+++ b/templates/syncctl/deployment.yaml
@@ -31,9 +31,20 @@ spec:
       imagePullSecrets:
         {{- toYaml . | nindent 8 }}
       {{- end }}
-      serviceAccountName: {{ include "jitsu.serviceAccountName" . }}
+      serviceAccountName: {{ include "jitsu.syncctl.serviceAccountName" . }}
       securityContext:
         {{- toYaml .Values.podSecurityContext | nindent 8 }}
+      initContainers:
+        {{- if .Values.tokenGenerator.enabled }}
+        - name: wait-for-tokens
+          image: ghcr.io/groundnuty/k8s-wait-for:v2.0
+          args: ["job-wr", "{{ include "jitsu.fullname" . }}-token-generator-{{ sha1sum (toJson .Values) | substr 0 8 }}"]
+        {{- end }}
+        {{- if .Values.migration.enabled }}
+        - name: wait-for-migration
+          image: ghcr.io/groundnuty/k8s-wait-for:v2.0
+          args: ["job-wr", "{{ include "jitsu.fullname" . }}-migration-{{ sha1sum (toJson .Values) | substr 0 8 }}"]
+        {{- end }}
       containers:
         - name: {{ .Chart.Name }}
           securityContext:
@@ -54,11 +65,16 @@ spec:
               port: http
               path: /health
           {{- end }}
+          {{- if .Values.syncctl.envFrom }}
+          envFrom:
+            {{- toYaml .Values.syncctl.envFrom | nindent 12 }}
+          {{- end }}
           env:
-            {{- $env := merge (deepCopy .Values.syncctl.environment) .Values.jitsu.environment -}}
-            {{- range $k, $v := $env }}
-              - name: {{ $k | quote }}
-                {{- toYaml $v | nindent 16 }}
+            {{- if and .Values.config.enabled .Values.syncctl.config.enabled }}
+            {{- include "jitsu.syncctl.env" . | nindent 12 }}
+            {{- end }}
+            {{- with .Values.syncctl.env }}
+            {{- toYaml . | nindent 12 }}
             {{- end }}
           resources:
             {{- toYaml .Values.resources | nindent 12 }}
diff --git a/templates/syncctl/namespace.yaml b/templates/syncctl/namespace.yaml
new file mode 100644
index 0000000..e84bc6a
--- /dev/null
+++ b/templates/syncctl/namespace.yaml
@@ -0,0 +1,11 @@
+{{- if and
+  .Values.syncctl.enabled
+  .Values.syncctl.createNamespace
+  (not (eq (.Values.syncctl.config.kubernetesNamespace | default .Release.Namespace) .Release.Namespace))
+  (not .Values.syncctl.config.kubernetesClientConfig)
+}}
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: {{ .Values.syncctl.config.kubernetesNamespace }}
+{{- end }}
diff --git a/templates/syncctl/proxy-services.yaml b/templates/syncctl/proxy-services.yaml
new file mode 100644
index 0000000..5be9453
--- /dev/null
+++ b/templates/syncctl/proxy-services.yaml
@@ -0,0 +1,20 @@
+{{- if and
+  .Values.syncctl.enabled
+  (not (eq (.Values.syncctl.config.kubernetesNamespace | default .Release.Namespace) .Release.Namespace))
+  (not .Values.syncctl.config.kubernetesClientConfig)
+}}
+{{- range list
+  (printf "%s-postgresql" .Release.Name)
+  (printf "%s-bulker" (include "jitsu.fullname" .))
+}}
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ . | quote }}
+  namespace: {{ $.Values.syncctl.config.kubernetesNamespace }}
+spec:
+  type: ExternalName
+  externalName: {{ printf "%s.%s.svc.%s" . $.Release.Namespace ($.Values.syncctl.clusterDomain | default "cluster.local") | quote }}
+{{- end }}
+{{- end }}
diff --git a/templates/syncctl/role.yaml b/templates/syncctl/role.yaml
new file mode 100644
index 0000000..709ad47
--- /dev/null
+++ b/templates/syncctl/role.yaml
@@ -0,0 +1,22 @@
+{{- if and .Values.syncctl.enabled .Values.syncctl.serviceAccount.rbac.create (not .Values.syncctl.config.kubernetesClientConfig) }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ include "jitsu.fullname" . }}-syncctl
+  labels:
+    {{- include "jitsu.labels" . | nindent 4 }}
+  namespace: {{ .Values.syncctl.config.kubernetesNamespace | default .Release.Namespace }}
+rules:
+  - apiGroups: [""]
+    resources: ["secrets"]
+    verbs: ["create","delete"]
+  - apiGroups: [""]
+    resources: ["configmaps"]
+    verbs: ["delete"]
+  - apiGroups: [""]
+    resources: ["pods"]
+    verbs: ["get","list","watch","create","delete"]
+  - apiGroups: [""]
+    resources: ["pods/log"]
+    verbs: ["get"]
+{{- end }}
diff --git a/templates/syncctl/rolebinding.yaml b/templates/syncctl/rolebinding.yaml
new file mode 100644
index 0000000..bb865e6
--- /dev/null
+++ b/templates/syncctl/rolebinding.yaml
@@ -0,0 +1,17 @@
+{{- if and .Values.syncctl.enabled .Values.syncctl.serviceAccount.rbac.create (not .Values.syncctl.config.kubernetesClientConfig) }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ include "jitsu.fullname" . }}-syncctl
+  labels:
+    {{- include "jitsu.labels" . | nindent 4 }}
+  namespace: {{ .Values.syncctl.config.kubernetesNamespace | default .Release.Namespace }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ include "jitsu.fullname" . }}-syncctl
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "jitsu.syncctl.serviceAccountName" . }}
+    namespace: {{ .Release.Namespace }}
+{{- end }}
diff --git a/templates/syncctl/serviceaccount.yaml b/templates/syncctl/serviceaccount.yaml
new file mode 100644
index 0000000..da186ef
--- /dev/null
+++ b/templates/syncctl/serviceaccount.yaml
@@ -0,0 +1,12 @@
+{{- if and .Values.syncctl.serviceAccount.create .Values.syncctl.serviceAccount.rbac.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "jitsu.syncctl.serviceAccountName" . }}
+  labels:
+    {{- include "jitsu.labels" . | nindent 4 }}
+  {{- with .Values.syncctl.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- end }}
diff --git a/templates/token-generator/_helpers.tpl b/templates/token-generator/_helpers.tpl
new file mode 100644
index 0000000..e8bfa40
--- /dev/null
+++ b/templates/token-generator/_helpers.tpl
@@ -0,0 +1,7 @@
+{{- define "jitsu.tokenGenerator.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (printf "%s-token-generator" (include "jitsu.fullname" .)) .Values.tokenGenerator.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.tokenGenerator.serviceAccount.name }}
+{{- end }}
+{{- end }}
diff --git a/templates/token-generator/job.yaml b/templates/token-generator/job.yaml
new file mode 100644
index 0000000..2bf6a0a
--- /dev/null
+++ b/templates/token-generator/job.yaml
@@ -0,0 +1,94 @@
+{{- if .Values.tokenGenerator.enabled }}
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ include "jitsu.fullname" . }}-token-generator-{{ sha1sum (toJson .Values) | substr 0 8 }}
+  labels:
+    {{- include "jitsu.labels" . | nindent 4 }}
+spec:
+  backoffLimit: 1
+  template:
+    metadata:
+      labels:
+        {{- include "jitsu.selectorLabels" . | nindent 8 }}
+    spec:
+      restartPolicy: Never
+      serviceAccountName: {{ include "jitsu.tokenGenerator.serviceAccountName" . }}
+      containers:
+        - name: token-generator
+          image: "alpine/k8s:{{ .Capabilities.KubeVersion.Version | trimPrefix "v"}}"
+          env:
+            - name: FULLNAME
+              value: {{ include "jitsu.fullname" . }}
+            - name: SECRET_LENGTH
+              value: {{ .Values.tokenGenerator.secretLength | default "32" | quote }}
+            - name: TOKEN_LENGTH
+              value: {{ .Values.tokenGenerator.tokenLength | default "32" | quote }}
+            - name: SALT_LENGTH
+              value: {{ .Values.tokenGenerator.saltLength | default "32" | quote }}
+          command: ["sh", "-c"]
+          args:
+            - |
+              if kubectl get secrets "$FULLNAME-tokens" > /dev/null 2>&1; then
+                echo "Secret $FULLNAME-tokens already exists, skipping generation"
+                exit 0
+              fi
+              set -e
+              random_string() {
+                length="$1"
+                cat /dev/urandom | tr -dc 'a-zA-Z0-9_-' | head -c "$length"
+              }
+              hex_hash_token() {
+                token="$1"
+                salt="$2"
+                secret="$3"
+                echo -n "$token$salt$secret" | sha512sum | awk '{print $1}' | tr -d '\n'
+              }
+              base64_hash_token() {
+                hex_hash_token "$@" | xxd -r -p | base64 -w 0 | tr -d '='
+              }
+              globalHashSecret=$(random_string $SECRET_LENGTH)
+              ingestTokenSecret=$(random_string $SECRET_LENGTH)
+              bulkerTokenSecret=$(random_string $SECRET_LENGTH)
+              syncctlTokenSecret=$(random_string $SECRET_LENGTH)
+
+              consoleAuthToken=$(random_string $TOKEN_LENGTH)
+              ingestAuthToken=$(random_string $TOKEN_LENGTH)
+              bulkerAuthToken=$(random_string $TOKEN_LENGTH)
+              syncctlAuthToken=$(random_string $TOKEN_LENGTH)
+
+              consoleAuthTokenSalt=$(random_string $SALT_LENGTH)
+              ingestAuthTokenSalt=$(random_string $SALT_LENGTH)
+              bulkerAuthTokenSalt=$(random_string $SALT_LENGTH)
+              syncctlAuthTokenSalt=$(random_string $SALT_LENGTH)
+
+              ingestAuthTokens="$ingestAuthTokenSalt.$(base64_hash_token $ingestAuthToken $ingestAuthTokenSalt $ingestTokenSecret)"
+              bulkerAuthTokens="$bulkerAuthTokenSalt.$(base64_hash_token $bulkerAuthToken $bulkerAuthTokenSalt $bulkerTokenSecret)"
+              syncctlAuthTokens="$syncctlAuthTokenSalt.$(base64_hash_token $syncctlAuthToken $syncctlAuthTokenSalt $syncctlTokenSecret)"
+
+              consoleAuthTokens="$consoleAuthTokenSalt.$(hex_hash_token $consoleAuthToken $consoleAuthTokenSalt $globalHashSecret)"
+
+              kubectl apply -f- <<EOF
+              apiVersion: v1
+              kind: Secret
+              metadata:
+                name: $FULLNAME-tokens
+              type: Opaque
+              stringData:
+                globalHashSecret: "$globalHashSecret"
+
+                ingestTokenSecret: "$ingestTokenSecret"
+                bulkerTokenSecret: "$bulkerTokenSecret"
+                syncctlTokenSecret: "$syncctlTokenSecret"
+
+                ingestAuthToken: "$ingestAuthToken"
+                bulkerAuthToken: "$bulkerAuthToken"
+                syncctlAuthToken: "$syncctlAuthToken"
+                consoleAuthToken: "service-admin-account:$consoleAuthToken"
+
+                ingestAuthTokens: "$ingestAuthTokens"
+                bulkerAuthTokens: "$bulkerAuthTokens"
+                syncctlAuthTokens: "$syncctlAuthTokens"
+                consoleAuthTokens: "$consoleAuthTokens"
+              EOF
+{{- end }}
diff --git a/templates/token-generator/role.yaml b/templates/token-generator/role.yaml
new file mode 100644
index 0000000..c5354ac
--- /dev/null
+++ b/templates/token-generator/role.yaml
@@ -0,0 +1,16 @@
+{{- if and .Values.tokenGenerator.enabled .Values.tokenGenerator.serviceAccount.rbac.create }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ include "jitsu.fullname" . }}-token-generator
+  labels:
+    {{- include "jitsu.labels" . | nindent 4 }}
+rules:
+  - apiGroups: [""]
+    resources: ["secrets"]
+    verbs: ["create"]
+  - apiGroups: [""]
+    resources: ["secrets"]
+    verbs: ["get"]
+    resourceNames: ["{{ include "jitsu.fullname" . }}-tokens"]
+{{- end }}
diff --git a/templates/token-generator/rolebinding.yaml b/templates/token-generator/rolebinding.yaml
new file mode 100644
index 0000000..82c3592
--- /dev/null
+++ b/templates/token-generator/rolebinding.yaml
@@ -0,0 +1,16 @@
+{{- if and .Values.tokenGenerator.enabled .Values.tokenGenerator.serviceAccount.rbac.create }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ include "jitsu.fullname" . }}-token-generator
+  labels:
+    {{- include "jitsu.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ include "jitsu.fullname" . }}-token-generator
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "jitsu.tokenGenerator.serviceAccountName" . }}
+    namespace: {{ .Release.Namespace }}
+{{- end }}
diff --git a/templates/token-generator/serviceaccount.yaml b/templates/token-generator/serviceaccount.yaml
new file mode 100644
index 0000000..bf99890
--- /dev/null
+++ b/templates/token-generator/serviceaccount.yaml
@@ -0,0 +1,12 @@
+{{- if and .Values.tokenGenerator.enabled .Values.tokenGenerator.serviceAccount.create }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "jitsu.tokenGenerator.serviceAccountName" . }}
+  labels:
+    {{- include "jitsu.labels" . | nindent 4 }}
+  {{- with .Values.tokenGenerator.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- end }}
diff --git a/values.yaml b/values.yaml
index 3240180..94f877f 100644
--- a/values.yaml
+++ b/values.yaml
@@ -2,23 +2,69 @@ nameOverride: ""
 
 fullnameOverride: ""
 
-jitsu:
-  environment:
-    DATABASE_URL:
-      # postgres://username:password@host:port/database?options
-      value: ""
-    REDIS_URL:
-      # redis://username:password@host:port
-      value: ""
-    BULKER_URL:
-      value: "http://jitsu-bulker:3042"
+# Common configuration values shared across multiple components.
+config:
+  # Set to false to disable config abstractions for all services in order to configure them manually.
+  enabled: true
+
+  # Postgres database URL in the format of: postgres://username:password@host:port/database?options
+  # Will be configured automatically if left empty and using the PostgreSQL subchart.
+  databaseUrl: ""
+  databaseUrlFrom: {}
+
+  # Global Redis URL in the format of: redis://:password@host:port
+  # Will be configured automatically if left empty and using the Redis subchart.
+  redisUrl: ""
+  redisUrlFrom: {}
+
+  # Global Kafka configuration. Leave empty if using Kafka subchart.
+  # List of hosts in the format of: host:port,...
+  kafkaBootstrapServers: ""
+  # Enable/disable SSL
+  kafkaSsl: ""
+  # Dict or JSON string with SASL configuration. Leave empty to disable.
+  kafkaSasl: ""
+  kafkaSaslFrom: {}
+
+  # Global MongoDB URL. Leave empty if using MongoDB subchart.
+  mongodbUrl: ""
+  mongodbUrlFrom: {}
+
+  # Global hash secret used by console, bulker and ingest.
+  # Configured automatically when tokenGenerator.enabled is true.
+  globalHashSecret: ""
+  globalHashSecretFrom: {}
+
+  # Use these values to override service URLs if deployed externally.
+  bulkerUrl: ""
+  rotorUrl: ""
+  syncctlUrl: ""
+
+# Unified and simplified ingress definition.
+# Uses a single host for both console and ingest and automatically configures public URL options.
+ingress:
+  enabled: true
+  className: ""
+  annotations: {}
+  host: jitsu.example.com
+  tls: false
+  # Only used for URL generation if your Ingress controller listens to a non-standard port.
+  port: ""
+
+tokenGenerator:
+  # Generate inter-service auth tokens automatically upon deployment.
+  enabled: true
+  serviceAccount:
+    create: true
+    annotations: {}
+    name: ""
+    rbac:
+      create: true
+  tokenLength: 32
+  secretLength: 32
+  saltLength: 32
 
 global:
-  postgresql:
-    auth:
-      username: ""
-      password: ""
-      database: ""
   podAnnotations: {}
   podSecurityContext: {}
   securityContext: {}
@@ -29,27 +75,139 @@ global:
 
 console:
   enabled: true
+  config:
+    # Set to false to disable config abstractions in order to configure manually.
+    enabled: true
+
+    # The URL where the Jitsu Console will be available.
+    # If using unified ingress (ingress.enabled) leave empty to configure automatically.
+    # https://docs.jitsu.com/self-hosting/configuration#jitsu_public_url
+    jitsuPublicUrl: ""
+
+    # The external URL of the ingest service.
+    # If using unified ingress (ingress.enabled) leave empty to configure automatically.
+    jitsuIngestPublicUrl: ""
+
+    # Leave empty to default to jitsuPublicUrl.
+    nextauthUrl: ""
+
+    # Leave empty to default to the console service.
+    nextauthUrlInternal: ""
+
+    # Initial admin user. Required if not using GitHub OAuth.
+    seedUserEmail: ""
+    seedUserEmailFrom: {}
+    seedUserPassword: ""
+    seedUserPasswordFrom: {}
+
+    # Enable GitHub OAuth
+    # https://docs.jitsu.com/self-hosting/configuration#github_client_id
+    githubClientId: ""
+    githubClientIdFrom: {}
+    githubClientSecret: ""
+    githubClientSecretFrom: {}
+
+    # Disable sign-up
+    # https://github.com/jitsucom/jitsu/blob/newjitsu/docker/README.md#further-steps
+    disableSignup: "false"
+
+    # Enable credentials login regardless of seedUser* being set or not.
+    enableCredentialsLogin: ""
+
+    # Leave empty to configure automatically
+    # https://docs.jitsu.com/self-hosting/configuration#console_auth_tokens
+    consoleAuthTokens: ""
+    consoleAuthTokensFrom: {}
+
+    # Leave empty to configure automatically
+    # https://docs.jitsu.com/self-hosting/configuration#global_hash_secret
+    globalHashSecret: ""
+    globalHashSecretFrom: {}
+
+    # Plain, non-hashed tokens. Not recommended for production.
+    # https://docs.jitsu.com/self-hosting/configuration#console_raw_auth_tokens
+    consoleRawAuthTokens: ""
+    consoleRawAuthTokensFrom: {}
+
+    # Leave empty to use global jitsu.databaseUrl
+    # https://docs.jitsu.com/self-hosting/configuration#database_url
+    databaseUrl: ""
+    databaseUrlFrom: {}
+
+    # Only needed if the bulker is deployed outside of this chart. Leave empty to configure automatically.
+    # https://docs.jitsu.com/self-hosting/configuration#bulker_url-1
+    bulkerUrl: ""
+
+    # Leave empty to configure automatically.
+    # https://docs.jitsu.com/self-hosting/configuration#bulker_auth_key-1
+    bulkerAuthKey: ""
+    bulkerAuthKeyFrom: {}
+
+    # Leave empty to configure automatically.
+    # https://docs.jitsu.com/self-hosting/configuration#rotor_url
+    rotorUrl: ""
+
+    # Public domain where ingest service is available. Leave empty to configure automatically.
+    # https://docs.jitsu.com/self-hosting/configuration#ingest_host
+    ingestHost: ""
+
+    # HTTP port of the ingest service. Leave empty to configure automatically.
+    # https://docs.jitsu.com/self-hosting/configuration#ingest_port
+    ingestPort: ""
+
+    # Whether to enable the Connectors Syncs feature in the Jitsu Console UI. Leave empty to configure automatically.
+    # https://docs.jitsu.com/self-hosting/configuration#syncs_enabled
+    syncsEnabled: ""
+
+    # The URL of the Syncctl service. Leave empty to configure automatically.
+    # https://docs.jitsu.com/self-hosting/configuration#syncctl_url
+    syncctlUrl: ""
+
+    # Leave empty to configure automatically.
+    # https://docs.jitsu.com/self-hosting/configuration#syncctl_auth_key
+    syncctlAuthKey: ""
+    syncctlAuthKeyFrom: {}
+
+    # Enables Connectors Sync Scheduler feature. Google Service Account Key in JSON format.
+    # https://docs.jitsu.com/self-hosting/configuration#syncctl_auth_key
+    googleSchedulerKey: ""
+    googleSchedulerKeyFrom: {}
+
+    # ClickHouse configuration
+    # https://docs.jitsu.com/self-hosting/configuration#clickhouse_metrics_schema
+    clickhouseMetricsSchema: ""
+    clickhouseMetricsSchemaFrom: {}
+    clickhouseUrl: ""
+    clickhouseUrlFrom: {}
+    clickhouseUsername: ""
+    clickhouseUsernameFrom: {}
+    clickhousePassword: ""
+    clickhousePasswordFrom: {}
+
+    # Log format. One of "text", "json".
+    # https://docs.jitsu.com/self-hosting/configuration#log_format-1
+    logFormat: "text"
   replicaCount: 1
   image:
     repository: jitsucom/console
     pullPolicy: IfNotPresent
-    tag: "latest"
+    tag: ""
   service:
     type: ClusterIP
     port: 3000
   ingress:
-    enabled: true
+    enabled: false
     className: ''
     annotations: {}
-    hosts: []
-    # - host: jitsu.example.org
-    #   paths:
-    #     - path: /
-    #       pathType: Prefix
+    hosts:
+      - host: jitsu.example.com
+        paths:
+          - path: /
+            pathType: Prefix
     tls: []
-    # - secretName: jitsu-example-org-tls
+    # - secretName: jitsu-example-com-tls
     #   hosts:
-    #     - jitsu.example.org
+    #     - jitsu.example.com
   probes:
     enabled: true
   autoscaling:
@@ -61,45 +219,8 @@ console:
   podDisruptionBudget:
     enabled: false
     minAvailable: 1
-  environment:
-    NEXTAUTH_URL:
-      value: ""
-    JITSU_PUBLIC_URL:
-      value: ""
-    JITSU_INGEST_PUBLIC_URL:
-      value: ""
-    CONSOLE_AUTH_TOKENS:
-      # https://docs.jitsu.com/self-hosting/configuration#console_auth_tokens
-      # needed by ingest
-      value: ""
-    ROTOR_URL:
-      value: "http://jitsu-rotor:3401"
-    BULKER_AUTH_KEY:
-      # https://github.com/jitsucom/bulker/blob/main/.docs/server-config.md#bulker_auth_tokens
-      value: ""
-    DISABLE_SIGNUP:
-      value: "false"
-    GITHUB_CLIENT_ID:
-      value: ""
-    GITHUB_CLIENT_SECRET:
-      value: ""
-  podAnnotations: {}
-  podSecurityContext: {}
-  securityContext: {}
-  resources: {}
-  nodeSelector: {}
-  tolerations: []
-  affinity: {}
-
-migration:
-  enabled: true
-  image:
-    repository: jitsucom/console
-    pullPolicy: IfNotPresent
-    tag: "latest"
-  restartPolicy: Never
-  environment: {}
-  jobAnnotations: {}
+  env: []
+  envFrom: []
   podAnnotations: {}
   podSecurityContext: {}
   securityContext: {}
@@ -110,12 +231,115 @@ migration:
 
 bulker:
   enabled: true
+  config:
+    # Set to false to disable config abstractions in order to configure manually.
+    enabled: true
+
+    # UUID of bulker instance
+    # https://github.com/jitsucom/bulker/blob/main/.docs/server-config.md#bulker_instance_id
+    instanceId: ""
+    instanceIdFrom: {}
+
+    # Leave empty to configure automatically.
+    # https://github.com/jitsucom/bulker/blob/main/.docs/server-config.md#bulker_config_source
+    configSource: ""
+
+    # Leave empty to configure automatically.
+    # https://github.com/jitsucom/bulker/blob/main/.docs/server-config.md#bulker_config_source_http_auth_token
+    configSourceHttpAuthToken: ""
+    configSourceHttpAuthTokenFrom: {}
+
+    # https://github.com/jitsucom/bulker/blob/main/.docs/server-config.md#bulker_config_refresh_period_sec
+    configRefreshPeriodSec: ""
+
+    # Dict of dicts converted to JSON environment variables, e.g.:
+    # bulkerDestination:
+    #   postgres:
+    #     id: postgres
+    # results in: BULKER_DESTINATION_POSTGRES='{"id": "postgres"}'
+    # https://github.com/jitsucom/bulker/blob/main/.docs/server-config.md#with-bulker_destination_-environment-variables
+    destination: {}
+
+    # Leave empty to automatically configure.
+    # https://github.com/jitsucom/bulker/blob/main/.docs/server-config.md#bulker_auth_tokens
+    authTokens: ""
+    authTokensFrom: {}
+
+    # Leave empty to automatically configure.
+    # https://github.com/jitsucom/bulker/blob/main/.docs/server-config.md#bulker_token_secret
+    tokenSecret: ""
+    tokenSecretFrom: {}
+
+    # Leave empty to automatically configure.
+    # https://github.com/jitsucom/bulker/blob/main/.docs/server-config.md#bulker_raw_auth_tokens
+    rawAuthTokens: ""
+    rawAuthTokensFrom: {}
+
+    # Leave empty to automatically configure.
+    globalHashSecret: ""
+    globalHashSecretFrom: {}
+
+    # Leave empty to automatically configure.
+    # https://github.com/jitsucom/bulker/blob/main/.docs/server-config.md#bulker_kafka_bootstrap_servers
+    kafkaBootstrapServers: ""
+
+    # https://github.com/jitsucom/bulker/blob/main/.docs/server-config.md#bulker_kafka_ssl
+    kafkaSsl: "false"
+
+    # https://github.com/jitsucom/bulker/blob/main/.docs/server-config.md#bulker_kafka_ssl_skip_verify
+    kafkaSslSkipVerify: ""
+
+    # Can be either a string or a dict.
+    # https://github.com/jitsucom/bulker/blob/main/.docs/server-config.md#bulker_kafka_sasl-aka-kafka-auth
+    kafkaSasl: ""
+    kafkaSaslFrom: {}
+
+    # https://github.com/jitsucom/bulker/blob/main/.docs/server-config.md#bulker_batch_runner_default_period_sec
+    batchRunnerDefaultPeriodSec: ""
+
+    # https://github.com/jitsucom/bulker/blob/main/.docs/server-config.md#bulker_batch_runner_default_batch_size
+    batchRunnerDefaultBatchSize: ""
+
+    # https://github.com/jitsucom/bulker/blob/main/.docs/server-config.md#bulker_messages_retry_count
+    messagesRetryCount: ""
+
+    # https://github.com/jitsucom/bulker/blob/main/.docs/server-config.md#bulker_messages_retry_backoff_base
+    messagesRetryBackoffBase: ""
+
+    # https://github.com/jitsucom/bulker/blob/main/.docs/server-config.md#bulker_messages_retry_backoff_max_delay
+    messagesRetryBackoffMaxDelay: ""
+
+    # https://github.com/jitsucom/bulker/blob/main/.docs/server-config.md#bulker_batch_runner_default_retry_period_sec
+    batchRunnerDefaultRetryPeriodSec: ""
+
+    # https://github.com/jitsucom/bulker/blob/main/.docs/server-config.md#bulker_batch_runner_default_retry_batch_size
+    batchRunnerDefaultRetryBatchSize: ""
+
+    # https://github.com/jitsucom/bulker/blob/main/.docs/server-config.md#bulker_kafka_topic_retention_hours
+    kafkaTopicRetentionHours: ""
+
+    # https://github.com/jitsucom/bulker/blob/main/.docs/server-config.md#bulker_kafka_retry_topic_retention_hours
+    kafkaRetryTopicRetentionHours: ""
+
+    # https://github.com/jitsucom/bulker/blob/main/.docs/server-config.md#bulker_kafka_dead_topic_retention_hours
+    kafkaDeadTopicRetentionHours: ""
+
+    # https://github.com/jitsucom/bulker/blob/main/.docs/server-config.md#bulker_kafka_topic_replication_factor
+    kafkaTopicReplicationFactor: ""
+
+    # Store history of processed events in Redis. Leave empty to configure automatically if config.redisUrl is set and/or Redis subchart is being used.
+    # https://github.com/jitsucom/bulker/blob/main/.docs/server-config.md#connection-to-redis-optional
+    redisUrl: ""
+    redisUrlFrom: {}
+
+    # https://github.com/jitsucom/bulker/blob/main/.docs/server-config.md#connection-to-redis-optional
+    eventsLogMaxSize: ""
   replicaCount: 1
   image:
     repository: jitsucom/bulker
     pullPolicy: IfNotPresent
     # Overrides the image tag whose default is the chart appVersion.
-    tag: "latest"
+    tag: ""
   service:
     type: ClusterIP
     port: 3042
@@ -130,34 +354,8 @@ bulker:
   podDisruptionBudget:
     enabled: false
     minAvailable: 1
-  environment:
-    BULKER_AUTH_TOKENS:
-      # https://github.com/jitsucom/bulker/blob/main/.docs/server-config.md#bulker_auth_tokens
-      value: ""
-    BULKER_KAFKA_BOOTSTRAP_SERVERS:
-      value: ""
-    BULKER_CONFIG_SOURCE:
-      value: "redis"
-    BULKER_INTERNAL_TASK_LOG:
-      value: |
-        {
-        "id": "task_log",
-        "metricsKeyPrefix": "syncs",
-        "usesBulker": true,
-        "type": "postgres",
-        "options":{
-          "mode": "stream"
-        },
-        "credentials":{
-          "host": "",
-          "port": 5432,
-          "sslMode": "disable",
-          "database": "",
-          "password": "",
-          "username": "",
-          "defaultSchema":"public"
-          }
-        }
+  env: []
+  envFrom: []
   podAnnotations: {}
   podSecurityContext: {}
   securityContext: {}
@@ -168,11 +366,78 @@ bulker:
 
 rotor:
   enabled: true
+  config:
+    # Set to false to disable config abstractions in order to configure manually.
+    enabled: true
+
+    # Leave empty to configure automatically.
+    # https://docs.jitsu.com/self-hosting/configuration#repository_base_url
+    repositoryBaseUrl: ""
+
+    # Leave empty to configure automatically.
+    # https://docs.jitsu.com/self-hosting/configuration#repository_auth_token
+    repositoryAuthToken: ""
+    repositoryAuthTokenFrom: {}
+
+    # https://docs.jitsu.com/self-hosting/configuration#repository_refresh_period_sec
+    repositoryRefreshPeriodSec: ""
+
+    # Leave empty to configure automatically if config.redisUrl is set or Redis subchart is being used.
+    # https://docs.jitsu.com/self-hosting/configuration#redis_url
+    redisUrl: ""
+    redisUrlFrom: {}
+
+    # Leave empty to configure automatically.
+    # https://docs.jitsu.com/self-hosting/configuration#bulker_url
+    bulkerUrl: ""
+
+    # Leave empty to configure automatically.
+    # https://docs.jitsu.com/self-hosting/configuration#bulker_auth_key
+    bulkerAuthKey: ""
+    bulkerAuthKeyFrom: {}
+
+    # Leave empty to configure automatically if config.kafkaBootstrapServers is set or Kafka subchart is being used.
+    # https://docs.jitsu.com/self-hosting/configuration#kafka_bootstrap_servers
+    kafkaBootstrapServers: ""
+
+    # https://docs.jitsu.com/self-hosting/configuration#kafka_ssl
+    kafkaSsl: "false"
+
+    # Can be either a string or a dict.
+    # https://docs.jitsu.com/self-hosting/configuration#kafka_sasl-aka-kafka-auth
+    kafkaSasl: ""
+    kafkaSaslFrom: {}
+
+    # Leave empty to configure automatically if MongoDB subchart is being used.
+    # https://docs.jitsu.com/self-hosting/configuration#mongodb_url
+    mongodbUrl: ""
+    mongodbUrlFrom: {}
+
+    # https://docs.jitsu.com/self-hosting/configuration#metrics_destination_id
+    metricsDestinationId: ""
+
+    # https://docs.jitsu.com/self-hosting/configuration#events_log_max_size
+    eventsLogMaxSize: ""
+
+    # https://docs.jitsu.com/self-hosting/configuration#concurrency
+    concurrency: ""
+
+    # https://docs.jitsu.com/self-hosting/configuration#messages_retry_count
+    messagesRetryCount: ""
+
+    # https://docs.jitsu.com/self-hosting/configuration#messages_retry_backoff_base
+    messagesRetryBackoffBase: ""
+
+    # https://docs.jitsu.com/self-hosting/configuration#messages_retry_backoff_max_delay
+    messagesRetryBackoffMaxDelay: ""
+
+    # https://docs.jitsu.com/self-hosting/configuration#log_format
+    logFormat: "text"
   replicaCount: 1
   image:
     repository: jitsucom/rotor
     pullPolicy: IfNotPresent
-    tag: "latest"
+    tag: ""
   service:
     type: ClusterIP
     port: 3401
@@ -184,19 +449,8 @@ rotor:
     maxReplicas: 100
     targetCPUUtilizationPercentage: 80
     # targetMemoryUtilizationPercentage: 80
-  environment:
-    MONGODB_URL:
-      # mongodb://username:password@host:port
-      value: ""
-    KAFKA_BOOTSTRAP_SERVERS:
-      # host:port
-      value: ""
-    BULKER_AUTH_KEY:
-      # https://github.com/jitsucom/bulker/blob/main/.docs/server-config.md#bulker_auth_tokens
-      value: ""
-    CONFIG_STORE_DATABASE_URL:
-      # postgres://username:password@host:port/database?options
-      value: ""
+  env: []
+  envFrom: []
   podDisruptionBudget:
     enabled: false
     minAvailable: 1
@@ -210,27 +464,94 @@ rotor:
 
 ingest:
   enabled: true
+  config:
+    # Set to false to disable config abstractions in order to configure manually.
+    enabled: true
+
+    # Public domain where ingest service is deployed.
+    # If using unified ingress (ingress.enabled) leave empty to configure automatically.
+    # https://docs.jitsu.com/self-hosting/configuration#ingest_data_domain
+    dataDomain: ""
+
+    # Leave empty to configure automatically.
+    # https://docs.jitsu.com/self-hosting/configuration#ingest_auth_tokens
+    authTokens: ""
+    authTokensFrom: {}
+
+    # Leave empty to configure automatically.
+    # https://docs.jitsu.com/self-hosting/configuration#ingest_token_secret
+    tokenSecret: ""
+    tokenSecretFrom: {}
+
+    # https://docs.jitsu.com/self-hosting/configuration#ingest_raw_auth_tokens
+    rawAuthTokens: ""
+    rawAuthTokensFrom: {}
+
+    # Leave empty to automatically configure.
+    globalHashSecret: ""
+    globalHashSecretFrom: {}
+
+    # Leave empty to configure automatically.
+    # https://docs.jitsu.com/self-hosting/configuration#ingest_repository_url
+    repositoryUrl: ""
+
+    # Leave empty to configure automatically.
+    # https://docs.jitsu.com/self-hosting/configuration#ingest_repository_auth_token
+    repositoryAuthToken: ""
+    repositoryAuthTokenFrom: {}
+
+    # https://docs.jitsu.com/self-hosting/configuration#ingest_repository_refresh_period_sec
+    repositoryRefreshPeriodSec: ""
+
+    # Leave empty to configure automatically when Kafka subchart is enabled or config.kafkaBootstrapServers is set.
+    # https://docs.jitsu.com/self-hosting/configuration#ingest_kafka_bootstrap_servers
+    kafkaBootstrapServers: ""
+
+    # https://docs.jitsu.com/self-hosting/configuration#ingest_kafka_ssl
+    kafkaSsl: ""
+
+    # https://docs.jitsu.com/self-hosting/configuration#ingest_kafka_ssl_skip_verify
+    kafkaSslSkipVerify: ""
+
+    # https://docs.jitsu.com/self-hosting/configuration#ingest_kafka_sasl-aka-kafka-auth
+    kafkaSasl: ""
+    kafkaSaslFrom: {}
+
+    # Leave empty to configure automatically.
+    # https://docs.jitsu.com/self-hosting/configuration#ingest_rotor_url
+    rotorUrl: ""
+
+    # Leave empty to configure automatically when Redis subchart is enabled or config.redisUrl is set.
+    # https://docs.jitsu.com/self-hosting/configuration#ingest_redis_url
+    redisUrl: ""
+    redisUrlFrom: {}
+
+    # https://docs.jitsu.com/self-hosting/configuration#ingest_events_log_max_size
+    eventsLogMaxSize: ""
+
+    # https://docs.jitsu.com/self-hosting/configuration#ingest_log_format
+    logFormat: "text"
   replicaCount: 1
   image:
     repository: jitsucom/ingest
     pullPolicy: IfNotPresent
-    tag: "latest"
+    tag: ""
   service:
     type: ClusterIP
-    port: 3043
+    port: 3049
   ingress:
-    enabled: true
+    enabled: false
     className: ''
     annotations: {}
-    hosts: []
-    # - host: jitsu.example.org
-    #   paths:
-    #     - path: /api/s/
-    #       pathType: Prefix
+    hosts:
+      - host: data.jitsu.example.com
+        paths:
+          - path: /
+            pathType: Prefix
     tls: []
-    # - secretName: jitsu-example-org-tls
+    # - secretName: jitsu-example-com-tls
     #   hosts:
-    #     - jitsu.example.org
+    #     - jitsu.example.com
   probes:
     enabled: true
   autoscaling:
@@ -242,27 +563,8 @@ ingest:
   podDisruptionBudget:
     enabled: false
     minAvailable: 1
-  environment:
-    INGEST_PUBLIC_URL:
-      value: ""
-    INGEST_AUTH_TOKENS:
-      # https://docs.jitsu.com/self-hosting/configuration#ingest_auth_tokens
-      value: ""
-    INGEST_KAFKA_BOOTSTRAP_SERVERS:
-      # host:port
-      value: ""
-    INGEST_REPOSITORY_URL:
-      value: "http://jitsu-console:3000/api/admin/export/streams-with-destionations"
-    INGEST_REPOSITORY_AUTH_TOKEN:
-      # https://docs.jitsu.com/self-hosting/configuration#console_auth_tokens
-      # service-admin-account:console-token
-      value: ""
-    INGEST_SCRIPT_ORIGIN:
-      value: "http://jitsu-console:3000/api/s/javascript-library"
-    INGEST_ROTOR_URL:
-      value: "http://jitsu-rotor:3401"
-    INGEST_REDIS_URL:
-      value: ""
+  env: []
+  envFrom: []
   podAnnotations: {}
   podSecurityContext: {}
   securityContext: {}
@@ -273,11 +575,82 @@ ingest:
 
 syncctl:
   enabled: true
+
+  # Create the syncctl namespace if it's not the same as the deployment namespace and we're
+  # using the service account to talk to Kubernetes.
+  createNamespace: true
+
+  # If using the Postgres subchart and a separate namespace for syncctl workloads, we need to
+  # create proxy services to Postgres and the Bulker in the new namespace. If you're not using
+  # the default cluster domain "cluster.local" this can be overridden here.
+  clusterDomain: ""
+  config:
+    # Set to false to disable config abstractions in order to configure manually.
+    enabled: true
+
+    # Leave empty to configure automatically.
+    # https://docs.jitsu.com/self-hosting/configuration#syncctl_auth_tokens
+    authTokens: ""
+    authTokensFrom: {}
+
+    # Leave empty to configure automatically.
+    # https://docs.jitsu.com/self-hosting/configuration#syncctl_token_secret
+    tokenSecret: ""
+    tokenSecretFrom: {}
+
+    # https://docs.jitsu.com/self-hosting/configuration#syncctl_raw_auth_tokens
+    rawAuthTokens: ""
+    rawAuthTokensFrom: {}
+
+    # Leave empty to configure automatically when Postgres subchart is used or config.databaseUrl is set.
+    # https://docs.jitsu.com/self-hosting/configuration#syncctl_database_url
+    databaseUrl: ""
+    databaseUrlFrom: {}
+
+    # https://docs.jitsu.com/self-hosting/configuration#syncctl_sidecar_database_url
+    sidecarDatabaseUrl: ""
+    sidecarDatabaseUrlFrom: {}
+
+    # Leave empty to configure automatically.
+    # https://docs.jitsu.com/self-hosting/configuration#syncctl_bulker_url
+    bulkerUrl: ""
+
+    # Leave empty to configure automatically.
+    # https://docs.jitsu.com/self-hosting/configuration#syncctl_bulker_auth_key
+    bulkerAuthToken: ""
+    bulkerAuthTokenFrom: {}
+
+    # https://docs.jitsu.com/self-hosting/configuration#syncctl_kubernetes_client_config
+    kubernetesClientConfig: ""
+    kubernetesClientConfigFrom: {}
+
+    # https://docs.jitsu.com/self-hosting/configuration#syncctl_kubernetes_client_config
+    kubernetesContext: ""
+    kubernetesContextFrom: {}
+
+    # Leave empty to use the deployment namespace. If syncctl.serviceAccount.rbac.create is true
+    # and syncctl.config.kubernetesClientConfig is unset a Role and RoleBinding will be created in
+    # this namespace.
+    # https://docs.jitsu.com/self-hosting/configuration#syncctl_task_timeout_hours
+    kubernetesNamespace: ""
+    kubernetesNamespaceFrom: {}
+
+    # https://docs.jitsu.com/self-hosting/configuration#syncctl_task_timeout_hours
+    taskTimeoutHours: ""
+
+    # https://docs.jitsu.com/self-hosting/configuration#syncctl_log_format
+    logFormat: "text"
+  serviceAccount:
+    create: true
+    annotations: {}
+    name: ""
+    rbac:
+      create: true
   replicaCount: 1
   image:
     repository: jitsucom/syncctl
     pullPolicy: IfNotPresent
-    tag: "latest"
+    tag: ""
   service:
     type: ClusterIP
     port: 3043
@@ -292,24 +665,34 @@ syncctl:
   podDisruptionBudget:
     enabled: false
     minAvailable: 1
-  environment:
-    SYNCCTL_AUTH_TOKENS:
-      value: ""
-    SYNCCTL_TOKEN_SECRET:
-      value: ""
-    SYNCCTL_DATABASE_URL:
-      value: ""
-    SYNCCTL_KUBERNETES_CLIENT_CONFIG:
-      value: local
-    SYNCCTL_KUBERNETES_CONTEXT:
-      value: ""
-    SYNCCTL_KUBERNETES_NAMESPACE:
-      # This needs to be abstracted
-      value: '{{ .Release.Namespace }}'
-    SYNCCTL_BULKER_URL:
-      value: "http://jitsu-bulker:3042"
-    SYNCCTL_BULKER_AUTH_KEY:
-      value: ""
+  env: []
+  envFrom: []
+  podAnnotations: {}
+  podSecurityContext: {}
+  securityContext: {}
+  resources: {}
+  nodeSelector: {}
+  tolerations: []
+  affinity: {}
+
+migration:
+  enabled: true
+  config:
+    # Set to false to disable config abstractions in order to configure manually.
+    enabled: true
+
+    # Leave empty to use global jitsu.databaseUrl
+    # https://docs.jitsu.com/self-hosting/configuration#database_url
+    databaseUrl: ""
+    databaseUrlFrom: {}
+  image:
+    repository: jitsucom/console
+    pullPolicy: IfNotPresent
+    tag: ""
+  restartPolicy: Never
+  env: []
+  envFrom: []
+  jobAnnotations: {}
   podAnnotations: {}
   podSecurityContext: {}
   securityContext: {}
@@ -324,12 +707,29 @@ serviceAccount:
   create: true
   annotations: {}
   name: ""
+  rbac:
+    create: true
 
 postgresql:
   enabled: true
+  auth:
+    database: "jitsu"
+    username: "jitsu"
+    password: "jitsu"
 
 redis:
   enabled: true
+  auth:
+    enabled: true
+    password: "jitsu"
+
+mongodb:
+  enabled: true
+  auth:
+    enabled: true
+    databases: ["jitsu"]
+    usernames: ["jitsu"]
+    passwords: ["jitsu"]
 
 kafka:
   enabled: true
@@ -341,6 +741,3 @@ kafka:
     client:
       protocol: PLAINTEXT
       external: PLAINTEXT
-
-mongodb:
-  enabled: true