diff --git a/docs/getting-started/try-it-out/on-managed-kubernetes.mdx b/docs/getting-started/try-it-out/on-managed-kubernetes.mdx
index a4bbedc..1ee9b1b 100644
--- a/docs/getting-started/try-it-out/on-managed-kubernetes.mdx
+++ b/docs/getting-started/try-it-out/on-managed-kubernetes.mdx
@@ -381,86 +381,66 @@ kubectl logs -n openchoreo-data-plane -l app=cluster-agent --tail=10
## Step 3: Setup Build Plane (Optional)
-The Build Plane enables OpenChoreo's built-in CI capabilities. It runs Argo Workflows and hosts a container registry for your built images.
+The Build Plane runs Argo Workflows to build container images from your source code. You need a container registry to store built images.
-**Create Namespace**
+
+
+
+[ttl.sh](https://ttl.sh) is a free, anonymous registry. Images expire after 24 hours. No setup required.
```bash
-kubectl create namespace openchoreo-build-plane --dry-run=client -o yaml | kubectl apply -f -
+export REGISTRY_PREFIX=$(cat /dev/urandom | LC_ALL=C tr -dc 'a-z0-9' | fold -w 8 | head -n 1)
+echo "Your registry prefix: $REGISTRY_PREFIX"
```
-**Configure TLS**
+
+{`helm upgrade --install openchoreo-build-plane ${versions.helmSource}/openchoreo-build-plane \\
+ --version ${versions.helmChart} \\
+ --namespace openchoreo-build-plane \\
+ --create-namespace \\
+ --set external-secrets.enabled=false \\
+ --set global.defaultResources.registry.host=ttl.sh \\
+ --set global.defaultResources.registry.repoPath=$REGISTRY_PREFIX \\
+ --set global.defaultResources.registry.tlsVerify=true`}
+
-```bash
-kubectl apply -f - <
+
-```bash
-kubectl get certificate registry-tls -n openchoreo-build-plane -w
-```
+For production deployments, use your cloud provider's container registry:
+
+- **AWS EKS**: Amazon ECR
+- **GCP GKE**: Google Artifact Registry
+- **Azure AKS**: Azure Container Registry
-**Install**
+See [Container Registry Configuration](../../operations/container-registry-configuration.mdx) for detailed setup instructions.
+
+**Example with ECR:**
{`helm upgrade --install openchoreo-build-plane ${versions.helmSource}/openchoreo-build-plane \\
--version ${versions.helmChart} \\
--namespace openchoreo-build-plane \\
--create-namespace \\
- --set clusterAgent.enabled=true \\
- --set global.baseDomain=\${CP_DOMAIN} \\
- --set global.tls.enabled=true \\
- --set global.tls.secretName=registry-tls \\
- --set external-secrets.enabled=false`}
+ --set external-secrets.enabled=false \\
+ --set global.defaultResources.registry.host=123456789.dkr.ecr.us-east-1.amazonaws.com \\
+ --set global.defaultResources.registry.repoPath=openchoreo-builds \\
+ --set global.defaultResources.registry.tlsVerify=true`}
-This installs the build plane with these settings:
-
-- `global.baseDomain`: used to construct the registry URL at `registry.`.
-- `global.tls.enabled` and `global.tls.secretName`: enables TLS for the registry using the Let's Encrypt certificate.
-- `clusterAgent.enabled`: enables the cluster-agent for communication with the control plane.
+
+
This installs:
- `cluster-agent`: connects to the control plane to receive build instructions.
- `argo-workflows`: executes the actual build pipelines as Kubernetes workflows.
-- `registry`: a container registry that stores your built images.
- Argo Workflows CRDs: Workflow, WorkflowTemplate, and other resources for defining build pipelines.
-Like the data plane, the build plane could run in a completely separate cluster if you wanted to isolate your CI workloads.
-
For all available configuration options, see the [Build Plane Helm Reference](../../reference/helm/build-plane.mdx).
**Register with the Control Plane**
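Review bot: The ttl.sh option (the "free, anonymous registry" paragraph and the helm command after it) needs a caveat that the registry is also public: anyone who learns `$REGISTRY_PREFIX` can pull the images built from the user's source, and nothing stops a third party from pushing to the same name, so it should be labelled as suitable only for throwaway trials, not for proprietary code. Since the eight-character prefix is the only thing scoping those images, the text should also tell the reader not to paste it into shared logs or tickets. The ECR example correctly sets `tlsVerify=true` even though the chart default is `false`; a sentence in the "For production deployments" paragraph saying that every external registry should keep that flag on would make the intent explicit.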
diff --git a/docs/getting-started/try-it-out/on-self-hosted-kubernetes.mdx b/docs/getting-started/try-it-out/on-self-hosted-kubernetes.mdx
index f017adb..409129b 100644
--- a/docs/getting-started/try-it-out/on-self-hosted-kubernetes.mdx
+++ b/docs/getting-started/try-it-out/on-self-hosted-kubernetes.mdx
@@ -341,37 +341,82 @@ kubectl logs -n openchoreo-data-plane -l app=cluster-agent --tail=10
## Step 3: Setup Build Plane (Optional)
-The Build Plane enables OpenChoreo's built-in CI capabilities. It runs Argo Workflows and hosts a container registry for your built images.
+The Build Plane runs Argo Workflows to build container images from your source code. You need a container registry to store built images.
+Install a container registry in your cluster:
+
+```bash
+helm repo add twuni https://helm.twun.io
+helm repo update
+
+helm install registry twuni/docker-registry \
+ --namespace openchoreo-build-plane \
+ --create-namespace \
+ --set persistence.enabled=true \
+ --set persistence.size=10Gi \
+ --set service.type=ClusterIP
+```
+
+Wait for the registry to be ready:
+
+```bash
+kubectl wait --for=condition=available deployment/registry-docker-registry -n openchoreo-build-plane --timeout=120s
+```
+
{`helm upgrade --install openchoreo-build-plane ${versions.helmSource}/openchoreo-build-plane \\
--version ${versions.helmChart} \\
--namespace openchoreo-build-plane \\
- --create-namespace \\
--set external-secrets.enabled=false \\
- --set global.defaultResources.registry.endpoint=host.k3d.internal:10082 \\
- --set registry.service.type=LoadBalancer`}
+ --set global.defaultResources.registry.host=registry-docker-registry.openchoreo-build-plane.svc.cluster.local:5000 \\
+ --set global.defaultResources.registry.tlsVerify=false`}
-This installs the build plane with these settings:
+
+
-- `global.defaultResources.registry.endpoint`: the address where built images are pushed and pulled. `host.k3d.internal` is a special hostname that k3d nodes can resolve to the host machine.
-- `registry.service.type`: exposes the registry via LoadBalancer so it's accessible from outside the cluster.
+Choose a registry option:
-This installs:
+
+
-- `cluster-agent`: connects to the control plane to receive build instructions.
-- `argo-workflows`: executes the actual build pipelines as Kubernetes workflows.
-- `registry`: a container registry that stores your built images.
-- Argo Workflows CRDs: Workflow, WorkflowTemplate, and other resources for defining build pipelines.
+[ttl.sh](https://ttl.sh) is a free, anonymous registry. Images expire after 24 hours. No setup required.
-For all available configuration options, see the [Build Plane Helm Reference](../../reference/helm/build-plane.mdx).
+```bash
+export REGISTRY_PREFIX=$(cat /dev/urandom | LC_ALL=C tr -dc 'a-z0-9' | fold -w 8 | head -n 1)
+echo "Your registry prefix: $REGISTRY_PREFIX"
+```
+
+
+{`helm upgrade --install openchoreo-build-plane ${versions.helmSource}/openchoreo-build-plane \\
+ --version ${versions.helmChart} \\
+ --namespace openchoreo-build-plane \\
+ --create-namespace \\
+ --set external-secrets.enabled=false \\
+ --set global.defaultResources.registry.host=ttl.sh \\
+ --set global.defaultResources.registry.repoPath=$REGISTRY_PREFIX \\
+ --set global.defaultResources.registry.tlsVerify=true`}
+
+
+:::note
+Images on ttl.sh expire after 24 hours. For persistent storage, use the host registry option or a cloud provider registry.
+:::
-
+
+
+Run a registry on your host machine using Docker. This works well when your cluster can reach the host via `host.docker.internal`.
+
+```bash
+docker run -d --name registry -p 5050:5000 registry:3
+```
+
+:::note HTTP Registry Access
+Configure your container runtime to allow this insecure registry. For Rancher Desktop, see [Configuring Private Registries](https://docs.rancherdesktop.io/how-to-guides/mirror-private-registry/).
+:::
{`helm upgrade --install openchoreo-build-plane ${versions.helmSource}/openchoreo-build-plane \\
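Review bot: In the in-cluster registry option, `global.defaultResources.registry.host=registry-docker-registry.openchoreo-build-plane.svc.cluster.local:5000` is a cluster-DNS name; build pods can resolve it for pushes, but the node's container runtime does not use cluster DNS, so kubelet pulls on the Data Plane will fail unless the service is also exposed on a node-reachable address. The removed sentence "This needs to be accessible from both the build pods (for pushing) and the kubelet (for pulling)" captured exactly that requirement and should be carried over, together with the insecure-registry runtime note that only the host-Docker option currently gets, since this option also sets `tlsVerify=false` and the removed `HTTP Registry Access` note described this registry as plain HTTP. Two smaller points: "Choose a registry option:" appears after the in-cluster install block, so the options read in inverted order in the diff; and `docker run -d --name registry -p 5050:5000 registry:3` binds an unauthenticated, unencrypted registry to every host interface, so the text should say it is reachable from the local network, not just from the cluster.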
@@ -379,31 +424,27 @@ For all available configuration options, see the [Build Plane Helm Reference](..
--namespace openchoreo-build-plane \\
--create-namespace \\
--set external-secrets.enabled=false \\
- --set global.defaultResources.registry.endpoint= \\
- --set registry.service.type=LoadBalancer \\
- --set registry.service.port=10082`}
+ --set global.defaultResources.registry.host=host.docker.internal:5050 \\
+ --set global.defaultResources.registry.tlsVerify=false`}
-This installs the build plane with these settings:
+:::tip
+If `host.docker.internal` doesn't resolve in your cluster, use your machine's IP address instead.
+:::
-- `global.defaultResources.registry.endpoint`: the address where built images are pushed and pulled. This needs to be accessible from both the build pods (for pushing) and the kubelet (for pulling). Common values are `host.docker.internal:10082` or your node's IP address.
-- `registry.service.type` and `registry.service.port`: exposes the registry via LoadBalancer.
+
+
+
+
+
This installs:
- `cluster-agent`: connects to the control plane to receive build instructions.
- `argo-workflows`: executes the actual build pipelines as Kubernetes workflows.
-- `registry`: a container registry that stores your built images.
- Argo Workflows CRDs: Workflow, WorkflowTemplate, and other resources for defining build pipelines.
-For all available configuration options, see the [Build Plane Helm Reference](../../reference/helm/build-plane.mdx).
-
-:::note HTTP Registry Access
-The Build Plane deploys an HTTP container registry. Container runtimes default to HTTPS for registries. If image pulls fail with "http: server gave HTTP response to HTTPS client", configure your container runtime to allow HTTP for this registry. For Rancher Desktop users, see [Configuring Private Registries](https://docs.rancherdesktop.io/how-to-guides/mirror-private-registry/).
-:::
-
-
-
+For all available configuration options, see the [Build Plane Helm Reference](../../reference/helm/build-plane.mdx). For production deployments, see [Container Registry Configuration](../../operations/container-registry-configuration.mdx).
**Register with the Control Plane**
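Review bot: Dropping the `HTTP Registry Access` note removes the only place that quoted the actual failure string, `http: server gave HTTP response to HTTPS client`; the replacement note in the previous hunk names Rancher Desktop only and the new Troubleshooting table has no row for it, so a reader hitting that error has nothing to search for. Keep the error text in the tip or add a troubleshooting row. The tip "use your machine's IP address instead" should also say that the runtime's insecure-registry entry must match whatever `host:port` ends up in `registry.host`, because `host.docker.internal:5050` and an IP-based form are different registry names to the container runtime.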
diff --git a/docs/operations/container-registry-configuration.mdx b/docs/operations/container-registry-configuration.mdx
new file mode 100644
index 0000000..e12e639
--- /dev/null
+++ b/docs/operations/container-registry-configuration.mdx
@@ -0,0 +1,104 @@
+---
+title: Container Registry Configuration
+description: Configure the Build Plane to push images to your container registry.
+sidebar_position: 3
+---
+
+# Container Registry Configuration
+
+The Build Plane requires a container registry to store built images. Both build pods (for pushing) and kubelets on the Data Plane (for pulling) need access to the registry.
+
+## Configuration Parameters
+
+| Parameter | Description | Required |
+|-----------|-------------|----------|
+| `global.defaultResources.registry.host` | Registry hostname | Yes |
+| `global.defaultResources.registry.repoPath` | Path prefix for images | No |
+| `global.defaultResources.registry.tlsVerify` | Verify TLS certificates | No (default: `false`) |
+
+## Registry Providers
+
+### Amazon ECR
+
+See [Amazon ECR documentation](https://docs.aws.amazon.com/AmazonECR/latest/userguide/getting-started-cli.html) for repository setup and IAM configuration.
+
+```bash
+helm upgrade --install openchoreo-build-plane oci://ghcr.io/openchoreo/helm-charts/openchoreo-build-plane \
+ --namespace openchoreo-build-plane \
+ --set global.defaultResources.registry.host=123456789.dkr.ecr.us-east-1.amazonaws.com \
+ --set global.defaultResources.registry.repoPath=openchoreo-builds \
+ --set global.defaultResources.registry.tlsVerify=true
+```
+
+### Google Artifact Registry
+
+See [Artifact Registry documentation](https://cloud.google.com/artifact-registry/docs/docker/store-docker-container-images) for repository setup and authentication.
+
+```bash
+helm upgrade --install openchoreo-build-plane oci://ghcr.io/openchoreo/helm-charts/openchoreo-build-plane \
+ --namespace openchoreo-build-plane \
+ --set global.defaultResources.registry.host=us-central1-docker.pkg.dev/my-project/openchoreo-builds \
+ --set global.defaultResources.registry.tlsVerify=true
+```
+
+### Azure Container Registry
+
+See [ACR documentation](https://learn.microsoft.com/en-us/azure/container-registry/container-registry-get-started-azure-cli) for registry setup and AKS integration.
+
+```bash
+helm upgrade --install openchoreo-build-plane oci://ghcr.io/openchoreo/helm-charts/openchoreo-build-plane \
+ --namespace openchoreo-build-plane \
+ --set global.defaultResources.registry.host=myregistry.azurecr.io \
+ --set global.defaultResources.registry.tlsVerify=true
+```
+
+### GitHub Container Registry
+
+See [GHCR documentation](https://docs.github.com/en/packages/working-with-a-github-packages-registry/working-with-the-container-registry) for authentication setup.
+
+```bash
+helm upgrade --install openchoreo-build-plane oci://ghcr.io/openchoreo/helm-charts/openchoreo-build-plane \
+ --namespace openchoreo-build-plane \
+ --set global.defaultResources.registry.host=ghcr.io \
+ --set global.defaultResources.registry.repoPath=my-org/openchoreo \
+ --set global.defaultResources.registry.tlsVerify=true
+```
+
+### Docker Hub
+
+See [Docker Hub documentation](https://docs.docker.com/docker-hub/repos/create/) for repository setup. Note the [rate limits](https://docs.docker.com/docker-hub/download-rate-limit/) for free accounts.
+
+```bash
+helm upgrade --install openchoreo-build-plane oci://ghcr.io/openchoreo/helm-charts/openchoreo-build-plane \
+ --namespace openchoreo-build-plane \
+ --set global.defaultResources.registry.host=docker.io \
+ --set global.defaultResources.registry.repoPath=your-username \
+ --set global.defaultResources.registry.tlsVerify=true
+```
+
+## Authentication
+
+### Push Secret (Build Plane)
+
+For registries requiring authentication, create a secret in the build plane namespace:
+
+```bash
+kubectl create secret docker-registry registry-push-secret \
+ --namespace openchoreo-build-plane \
+ --docker-server=REGISTRY_HOST \
+ --docker-username=USERNAME \
+ --docker-password=PASSWORD
+```
+
+### Pull Secret (Data Plane)
+
+For pulling images from private registries, see [Deploy from a Private Registry](../use-cases/deploy-prebuilt-image.mdx#deploy-from-a-private-registry).
+
+## Troubleshooting
+
+| Symptom | Check |
+|---------|-------|
+| "unauthorized" error | Verify `registry-push-secret` exists and credentials are valid |
+| `ImagePullBackOff` | Verify image exists and ImagePullSecret is configured |
+| "x509: certificate signed by unknown authority" | Set `tlsVerify=false` or configure CA certificate |
+| "connection refused" | Check network connectivity and firewall rules |
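Review bot: The Troubleshooting row for `x509: certificate signed by unknown authority` offers `tlsVerify=false` as the first remedy; with verification off, build pods push images to whatever answers at that hostname, so the row should lead with configuring the CA certificate and present `tlsVerify=false` as a local-development fallback only, consistent with every provider example above setting it to `true`. Because the parameter table documents the `tlsVerify` default as `false`, the page should also state plainly that production installs must set it. Two smaller points: the Google Artifact Registry example puts `us-central1-docker.pkg.dev/my-project/openchoreo-builds` in `registry.host` while the table defines `host` as the hostname and `repoPath` as the prefix, so either split it like the ECR and GHCR examples or explain that a path in `host` is accepted; and the `registry-push-secret` section never says how the Build Plane picks the secret up (fixed name, or a chart value), which the reader needs before the `"unauthorized"` troubleshooting row is actionable.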
diff --git a/docs/reference/helm/build-plane.mdx b/docs/reference/helm/build-plane.mdx
index c4eaf75..8fc9b6b 100644
--- a/docs/reference/helm/build-plane.mdx
+++ b/docs/reference/helm/build-plane.mdx
@@ -13,7 +13,6 @@ This chart depends on the following sub-charts. For full configuration options o
| [argo-workflows](https://argoproj.github.io/argo-helm) | 0.45.2 | [https://argoproj.github.io/argo-helm](https://argoproj.github.io/argo-helm) | - |
| [external-secrets](https://charts.external-secrets.io) | 0.19.2 | [https://charts.external-secrets.io](https://charts.external-secrets.io) | `external-secrets.enabled` |
| [fluent-bit](https://fluent.github.io/helm-charts) | 0.54.0 | [https://fluent.github.io/helm-charts](https://fluent.github.io/helm-charts) | `fluent-bit.enabled` |
-| [docker-registry](https://twuni.github.io/docker-registry.helm) | 3.0.0 | [https://twuni.github.io/docker-registry.helm](https://twuni.github.io/docker-registry.helm) | `registry.enabled` |
## Argo Workflows
@@ -147,35 +146,15 @@ Global configuration values shared across all components
| Parameter | Description | Type | Default |
| :--- | :--- | :--- | :--- |
-| `global.baseDomain` | Base domain for external access. When set, registry will be accessible at registry.<baseDomain>. | `string` | |
| `global.commonLabels` | Common labels to add to every resource | `object` | |
-| `global.defaultResources.buildpackCache.enabled` | Enable buildpack image caching hook | `boolean` | `true` |
-| `global.defaultResources.buildpackCache.images` | List of buildpack images to cache | `array` | |
+| `global.defaultResources.buildpackCache.enabled` | Enable buildpack image caching. When enabled, images are pulled from cache registry instead of remote. | `boolean` | `false` |
+| `global.defaultResources.buildpackCache.images` | List of buildpack images to cache. Each entry has an id for lookup, remoteImage for external registry, and cachedImage for local cache. | `array` | |
| `global.defaultResources.enabled` | If true, applies the workflow templates | `boolean` | `true` |
| `global.defaultResources.podmanCache.size` | Size of the persistent volume for podman image layer cache | `string` | `10Gi` |
| `global.defaultResources.podmanCache.storageClass` | Storage class for the cache PVC. Uses cluster default if not set. | `string` | |
-| `global.defaultResources.registry.endpoint` | Registry endpoint for pushing and pulling images. For external registry with baseDomain, automatically uses registry.<baseDomain>. | `string` | `registry.openchoreo-build-plane.svc.cluster.local:5000` |
+| `global.defaultResources.registry.host` | Container registry host for pushing built images (REQUIRED). Examples include ECR (123456789.dkr.ecr.us-east-1.amazonaws.com), GCR (gcr.io/my-project), Docker Hub (docker.io), or a local registry (registry.openchoreo-build-plane.svc.cluster.local). | `string` | |
+| `global.defaultResources.registry.repoPath` | Repository path prepended to image names. Can be any depth (e.g., "myorg", "myorg/myproject", "namespace/subpath/images"). Leave empty for root-level images. | `string` | |
| `global.defaultResources.registry.tlsVerify` | Enable TLS verification when pushing images to the registry. Set to false for self-signed certificates or local development. | `boolean` | `false` |
-| `global.ingressClassName` | Ingress class name for registry ingress | `string` | `openchoreo-traefik` |
-| `global.tls.enabled` | Enable TLS for registry ingress | `boolean` | `false` |
-| `global.tls.secretName` | Secret containing TLS certificate for registry | `string` | `registry-tls` |
-
-## Registry
-
-For full configuration options, please refer to the [official chart documentation](https://twuni.github.io/docker-registry.helm).
-
-Container Registry sub-chart configuration using Twuni Docker Registry Helm Chart. Hosts container images built by Argo Workflows in the Build Plane. See https://github.com/twuni/docker-registry.helm for all options.
-
-| Parameter | Description | Type | Default |
-| :--- | :--- | :--- | :--- |
-| `registry.fullnameOverride` | Override the full name of registry resources | `string` | `registry` |
-| `registry.ingress.annotations` | Annotations to add to the ingress resource | `object` | |
-| `registry.ingress.className` | Ingress class name. Falls back to global.ingressClassName if not set. | `string` | |
-| `registry.ingress.enabled` | Enable ingress for external registry access | `boolean` | `false` |
-| `registry.ingress.tls.enabled` | Enable TLS for registry ingress | `boolean` | `false` |
-| `registry.ingress.tls.secretName` | Secret containing TLS certificate | `string` | |
-| `registry.persistence.enabled` | Enable persistent storage for registry | `boolean` | `true` |
-| `registry.persistence.size` | Size of the persistent volume for registry storage | `string` | `10Gi` |
## Wait Job
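Review bot: `global.defaultResources.registry.host` is now REQUIRED and its documented examples are all external registries (ECR, GCR, Docker Hub), yet `global.defaultResources.registry.tlsVerify` keeps its `false` default, so a user who sets only the required parameter pushes to a cloud registry with certificate verification off. Either change the default to `true` or state in the `tlsVerify` description that it must be set for any registry outside the cluster. The `host` description also gives `gcr.io/my-project` as an example, mixing a path into a field that the new `repoPath` row says carries the prefix; use a bare hostname there. Separately, `buildpackCache.enabled` changes its default from `true` to `false` in the same hunk, a behaviour change that deserves a mention outside the reference table.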
diff --git a/docs/reference/helm/control-plane.mdx b/docs/reference/helm/control-plane.mdx
index 12d09af..52e9582 100644
--- a/docs/reference/helm/control-plane.mdx
+++ b/docs/reference/helm/control-plane.mdx
@@ -54,8 +54,8 @@ Backstage UI configuration
| `backstage.database.type` | Database type | `object` | `sqlite` |
| `backstage.enabled` | Enable Backstage UI deployment | `boolean` | `true` |
| `backstage.env` | Environment variables for the Backstage container | `array` | |
-| `backstage.features.observability.enabled` | Enable observability feature | `boolean` | `true` |
-| `backstage.features.workflows.enabled` | Enable workflows feature | `boolean` | `true` |
+| `backstage.features.observability.enabled` | Enable Metrics, Traces, Runtime Logs tabs and RuntimeHealthCard in entity pages | `boolean` | `true` |
+| `backstage.features.workflows.enabled` | Enable Workflows tab and WorkflowsOverviewCard in entity pages | `boolean` | `true` |
| `backstage.image.pullPolicy` | Image pull policy | `object` | `IfNotPresent` |
| `backstage.image.repository` | Docker image repository | `string` | `ghcr.io/openchoreo/openchoreo-ui` |
| `backstage.image.tag` | Image tag. If empty, uses Chart.AppVersion | `string` | |
@@ -412,10 +412,13 @@ Common security configuration shared across all components
| `security.authServerBaseUrl` | Base URL for the authorization server (used for OAuth metadata). If not set, defaults to protocol://thunder.baseDomain:port | `string` | |
| `security.authz.databasePath` | Path to the Casbin database file | `string` | `/var/lib/openchoreo/data/casbin.db` |
| `security.authz.defaultAuthzDataFilePath` | Path to custom authz data file (roles and mappings). If not set, embedded defaults are used. To use custom data, set this path and mount a ConfigMap | `string` | `/etc/openchoreo/authz/default-roles-mappings.yaml` |
+| `security.authz.defaultRoleMappings` | Default entitlement-to-role mappings | `array` | |
+| `security.authz.defaultRoles` | Default roles and their permissions | `array` | |
| `security.authz.enabled` | Enable authorization using Casbin | `boolean` | `false` |
| `security.enabled` | Global security toggle - when disabled, authentication is turned off for all components | `boolean` | `true` |
| `security.jwt.audience` | Expected audience claim in JWT tokens | `string` | |
| `security.oidc.authorizationUrl` | OIDC authorization endpoint URL | `string` | |
+| `security.oidc.externalClients` | External client configurations for authentication | `array` | |
| `security.oidc.issuer` | OIDC provider issuer URL | `string` | |
| `security.oidc.jwksUrl` | OIDC JWKS URL for token validation | `string` | |
| `security.oidc.tokenUrl` | OIDC token endpoint URL | `string` | |
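Review bot: `security.authz.defaultRoles`, `security.authz.defaultRoleMappings` and `security.oidc.externalClients` are added with one-line descriptions and no indication of the entry shape (which keys each array element takes), unlike the neighbouring `defaultAuthzDataFilePath` row that explains its format. For the two authz values in particular, say whether they override, merge with, or are ignored in favour of the file at `defaultAuthzDataFilePath` when both are set; anyone reviewing an authorization configuration needs to know which source wins.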
@@ -436,6 +439,8 @@ Asgardeo Thunder (Platform Identity Provider) configuration
| `thunder.bootstrap.enabled` | Enable bootstrap scripts | `boolean` | `true` |
| `thunder.bootstrap.rcaAgentClient.clientId` | | `string` | `openchoreo-rca-agent` |
| `thunder.bootstrap.rcaAgentClient.clientSecret` | | `string` | `openchoreo-rca-agent-secret` |
+| `thunder.bootstrap.systemApp.clientId` | | `string` | `openchoreo-system-app` |
+| `thunder.bootstrap.systemApp.clientSecret` | | `string` | `openchoreo-system-app-secret` |
| `thunder.configuration.cache.cleanupInterval` | Cache cleanup interval in seconds | `integer` | `300` |
| `thunder.configuration.cache.disabled` | Disable caching | `boolean` | `false` |
| `thunder.configuration.cache.evictionPolicy` | Cache eviction policy | `object` | `LRU` |
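Review bot: `thunder.bootstrap.systemApp.clientSecret` ships a fixed default (`openchoreo-system-app-secret`) with an empty description, which publishes a well-known credential for the system app. Follow the wording used for `rca.oauth.clientSecret` in the observability-plane reference ("override via --set") and add descriptions for both `systemApp` rows stating what the client is used for and that the secret must be changed outside local development.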
diff --git a/docs/reference/helm/data-plane.mdx b/docs/reference/helm/data-plane.mdx
index 99603ab..e208296 100644
--- a/docs/reference/helm/data-plane.mdx
+++ b/docs/reference/helm/data-plane.mdx
@@ -16,7 +16,7 @@ This chart depends on the following sub-charts. For full configuration options o
| [kgateway](oci://cr.kgateway.dev/kgateway-dev/charts) | v2.1.1 | oci://cr.kgateway.dev/kgateway-dev/charts | `gatewayController.enabled` |
| [kube-prometheus-stack](https://prometheus-community.github.io/helm-charts) | 78.3.0 | [https://prometheus-community.github.io/helm-charts](https://prometheus-community.github.io/helm-charts) | `kube-prometheus-stack.enabled` |
| [opentelemetry-collector](https://open-telemetry.github.io/opentelemetry-helm-charts) | 0.140.0 | [https://open-telemetry.github.io/opentelemetry-helm-charts](https://open-telemetry.github.io/opentelemetry-helm-charts) | `opentelemetry-collector.enabled` |
-| [gateway-operator](oci://ghcr.io/wso2/api-platform/helm-charts) | 0.1.0 | oci://ghcr.io/wso2/api-platform/helm-charts | `api-platform.enabled` |
+| [gateway-operator](oci://ghcr.io/wso2/api-platform/helm-charts) | 0.2.0 | oci://ghcr.io/wso2/api-platform/helm-charts | `api-platform.enabled` |
## Api Platform
@@ -28,19 +28,7 @@ WSO2 API Platform configuration for advanced API management capabilities
| :--- | :--- | :--- | :--- |
| `api-platform.enabled` | Enable WSO2 API Platform gateway operator | `boolean` | `false` |
| `api-platform.gateway.helm.chartName` | OCI chart reference for the API Platform gateway | `string` | `oci://ghcr.io/wso2/api-platform/helm-charts/gateway` |
-| `api-platform.gateway.values.gateway.config.policy_configurations.JWTAuth_v010.AllowedAlgorithms` | Allowed JWT signing algorithms | `array` | `["RS256","ES256"]` |
-| `api-platform.gateway.values.gateway.config.policy_configurations.JWTAuth_v010.AuthHeaderScheme` | Authorization header scheme prefix | `string` | `Bearer` |
-| `api-platform.gateway.values.gateway.config.policy_configurations.JWTAuth_v010.ErrorMessage` | Error message returned on authentication failure | `string` | `Authentication failed.` |
-| `api-platform.gateway.values.gateway.config.policy_configurations.JWTAuth_v010.ErrorMessageFormat` | Format for error messages | `object` | `json` |
-| `api-platform.gateway.values.gateway.config.policy_configurations.JWTAuth_v010.HeaderName` | HTTP header name for JWT token | `string` | `Authorization` |
-| `api-platform.gateway.values.gateway.config.policy_configurations.JWTAuth_v010.JwksCacheTtl` | Cache TTL for JWKS keys | `string` | `5m` |
-| `api-platform.gateway.values.gateway.config.policy_configurations.JWTAuth_v010.JwksFetchRetryCount` | Number of retry attempts for JWKS fetch | `integer` | `3` |
-| `api-platform.gateway.values.gateway.config.policy_configurations.JWTAuth_v010.JwksFetchRetryInterval` | Interval between JWKS fetch retries | `string` | `2s` |
-| `api-platform.gateway.values.gateway.config.policy_configurations.JWTAuth_v010.JwksFetchTimeout` | Timeout for fetching JWKS | `string` | `5s` |
-| `api-platform.gateway.values.gateway.config.policy_configurations.JWTAuth_v010.KeyManagers` | List of key managers for JWT validation | `array` | |
-| `api-platform.gateway.values.gateway.config.policy_configurations.JWTAuth_v010.Leeway` | Clock skew tolerance for JWT validation | `string` | `30s` |
-| `api-platform.gateway.values.gateway.config.policy_configurations.JWTAuth_v010.OnFailureStatusCode` | HTTP status code returned on authentication failure | `integer` | `401` |
-| `api-platform.gateway.values.gateway.config.policy_configurations.JWTAuth_v010.ValidateIssuer` | Validate the JWT issuer claim | `boolean` | `true` |
+| `api-platform.gateway.helm.chartVersion` | Version of the API Platform gateway chart | `string` | `0.3.0` |
## Cluster Agent
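Review bot: Removing the thirteen `JWTAuth_v010` rows (`AllowedAlgorithms`, `ValidateIssuer`, `Leeway`, `JwksCacheTtl` and the rest) leaves no pointer to where those JWT validation settings are now documented or whether their defaults are unchanged; the single replacement row `api-platform.gateway.helm.chartVersion` does not cover them. Add a sentence under `## Api Platform` linking to the gateway chart's reference for `policy_configurations`, so operators can still check which signing algorithms and issuer validation the gateway enforces.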
diff --git a/docs/reference/helm/observability-plane.mdx b/docs/reference/helm/observability-plane.mdx
index 9402c28..6b55d37 100644
--- a/docs/reference/helm/observability-plane.mdx
+++ b/docs/reference/helm/observability-plane.mdx
@@ -373,6 +373,7 @@ These are NOT passed to the opentelemetry-collector Helm chart directly.
| `opentelemetryCollectorCustomizations.tailSampling.decisionCache.nonSampledCacheSize` | Cache size for non-sampled trace decisions | `integer` | `1000` |
| `opentelemetryCollectorCustomizations.tailSampling.decisionCache.sampledCacheSize` | Cache size for sampled trace decisions | `integer` | `10000` |
| `opentelemetryCollectorCustomizations.tailSampling.decisionWait` | Time to wait before making sampling decision | `string` | `10s` |
+| `opentelemetryCollectorCustomizations.tailSampling.enabled` | Enable tail sampling | `boolean` | `true` |
| `opentelemetryCollectorCustomizations.tailSampling.expectedNewTracesPerSec` | Expected new traces per second (for cache sizing) | `integer` | `10` |
| `opentelemetryCollectorCustomizations.tailSampling.numTraces` | Number of traces to keep in memory | `integer` | `100` |
| `opentelemetryCollectorCustomizations.tailSampling.spansPerSecond` | Maximum spans per second rate limit | `integer` | `10` |
@@ -386,7 +387,19 @@ Prometheus stack subchart configuration (kube-prometheus-stack) for metrics coll
| Parameter | Description | Type | Default |
| :--- | :--- | :--- | :--- |
| `prometheus.alertmanager.alertmanagerSpec.podMetadata.name` | Name for Alertmanager pod metadata | `string` | `alertmanager` |
-| `prometheus.alertmanager.enabled` | Enable Alertmanager deployment | `boolean` | `false` |
+| `prometheus.alertmanager.alertmanagerSpec.resources.limits.cpu` | | `string` | `100m` |
+| `prometheus.alertmanager.alertmanagerSpec.resources.limits.memory` | | `string` | `200Mi` |
+| `prometheus.alertmanager.alertmanagerSpec.resources.requests.cpu` | | `string` | `50m` |
+| `prometheus.alertmanager.alertmanagerSpec.resources.requests.memory` | | `string` | `100Mi` |
+| `prometheus.alertmanager.config.global.resolve_timeout` | | `string` | `5m` |
+| `prometheus.alertmanager.config.receivers` | | `array` | |
+| `prometheus.alertmanager.config.route.group_by` | | `array` | |
+| `prometheus.alertmanager.config.route.group_interval` | | `string` | `5m` |
+| `prometheus.alertmanager.config.route.group_wait` | | `string` | `30s` |
+| `prometheus.alertmanager.config.route.receiver` | | `string` | `null` |
+| `prometheus.alertmanager.config.route.repeat_interval` | | `string` | `12h` |
+| `prometheus.alertmanager.config.route.routes` | | `array` | |
+| `prometheus.alertmanager.enabled` | Enable Alertmanager deployment | `boolean` | `true` |
| `prometheus.cleanPrometheusOperatorObjectNames` | Produce cleaner resource names without redundant suffixes | `boolean` | `true` |
| `prometheus.coreDns.enabled` | Enable CoreDNS metrics scraping | `boolean` | `false` |
| `prometheus.crds.enabled` | Install Prometheus Operator CRDs (ServiceMonitor, PodMonitor, etc.) | `boolean` | `true` |
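Review bot: `prometheus.alertmanager.enabled` flips its default from `false` to `true`, and the twelve new `alertmanagerSpec.resources.*` and `config.*` rows all have empty description cells. At minimum the `config.route.*` and `config.receivers` rows need one-line descriptions, and the `config.route.receiver` default shown as `null` should be quoted (`'null'`) if it is the literal receiver name rather than an unset value, since an unset root receiver is a different thing from a receiver called null. The default change itself is a behaviour change that belongs in the chart's changelog.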
@@ -400,6 +413,7 @@ Prometheus stack subchart configuration (kube-prometheus-stack) for metrics coll
| `prometheus.grafana.defaultDashboardsEnabled` | Enable default Grafana dashboards | `boolean` | `false` |
| `prometheus.grafana.enabled` | Enable Grafana deployment | `boolean` | `false` |
| `prometheus.grafana.fullnameOverride` | Override the full name of Grafana resources | `string` | `grafana` |
+| `prometheus.grafana.grafana.ini.unified_alerting.enabled` | | `boolean` | `true` |
| `prometheus.grafana.sidecar.dashboards.enabled` | Enable dashboard sidecar | `boolean` | `false` |
| `prometheus.grafana.sidecar.datasources.enabled` | Enable datasource sidecar | `boolean` | `false` |
| `prometheus.kube-state-metrics.collectors` | List of Kubernetes resources to collect metrics from | `array` | |
@@ -416,6 +430,9 @@ Prometheus stack subchart configuration (kube-prometheus-stack) for metrics coll
| `prometheus.kubernetesServiceMonitors.enabled` | Enable Kubernetes component ServiceMonitors | `boolean` | `true` |
| `prometheus.nodeExporter.enabled` | Enable node exporter deployment | `boolean` | `false` |
| `prometheus.prometheus.enabled` | Enable Prometheus server deployment | `boolean` | `true` |
+| `prometheus.prometheus.prometheusSpec.ruleNamespaceSelector` | Namespace selector for PrometheusRules (empty = all namespaces) | `object` | `{}` |
+| `prometheus.prometheus.prometheusSpec.ruleSelector` | Label selector for PrometheusRules (empty = all PrometheusRules) | `object` | `{}` |
+| `prometheus.prometheus.prometheusSpec.ruleSelectorNilUsesHelmValues` | Use Helm values for PrometheusRule selection when selector is nil | `boolean` | `false` |
| `prometheus.prometheus.prometheusSpec.serviceMonitorNamespaceSelector` | Namespace selector for ServiceMonitors (empty = all namespaces) | `object` | `{}` |
| `prometheus.prometheus.prometheusSpec.serviceMonitorSelector` | Label selector for ServiceMonitors (empty = all ServiceMonitors) | `object` | `{}` |
| `prometheus.prometheus.prometheusSpec.serviceMonitorSelectorNilUsesHelmValues` | Use Helm values for ServiceMonitor selection when selector is nil | `boolean` | `false` |
@@ -444,7 +461,6 @@ AI-powered Root Cause Analysis agent configuration
| `rca.llm.modelName` | LLM model name (e.g., claude-sonnet-4-5, gpt-5, gemini-2.0-flash-exp) | `string` | |
| `rca.logLevel` | Log level for the RCA agent | `string` | `INFO` |
| `rca.name` | Name of the RCA agent deployment | `string` | `ai-rca-agent` |
-| `rca.logLevel` | Log level for the RCA agent | `string` | `INFO` |
| `rca.oauth.clientId` | OAuth2 client ID registered with the IDP | `string` | `openchoreo-rca-agent` |
| `rca.oauth.clientSecret` | OAuth2 client secret (override via --set rca.oauth.clientSecret) | `string` | `openchoreo-rca-agent-secret` |
| `rca.observerMcpUrl` | Observer MCP endpoint URL | `string` | |
diff --git a/sidebars.ts b/sidebars.ts
index 9b7ffc9..edd16a2 100644
--- a/sidebars.ts
+++ b/sidebars.ts
@@ -48,6 +48,7 @@ const sidebars: SidebarsConfig = {
items: [
'operations/deployment-topology',
'operations/multi-cluster-connectivity',
+ 'operations/container-registry-configuration',
'operations/identity-configuration',
'operations/backstage-configuration',
'operations/api-management',