demostand-fix (#202)

* dark-api fix KK url * Enlarge domainconfig init with providers, payouts, payment_routing * add reporter enable wapi-* fix fistfull config for identities create * add create account in settlement * fix wallet_contract * Service urls now requires own place in config * fix wapi-pcidss config * fix wapi for creation destination * add environment for devstand * fix wapi endpoint in fistful-magista * darkapi bump * bump dashboard * bump KK version * add roles to internal realm * bump questionary-proxy * reduce default_ttl * add wapi port * group ingress tls secrets for api and iddqd * reduce cert number by splitting tls section in papi * change domain inliner to use vars * refactor ingress domain logic * refactor trigger name * Update erlang services (#204) * Update wapi-pcidss to latest * Update wapi-v0 to latest * Update hellgate * Update fistful * Remove legacy capi services * Add party-management * Add limiter * Fix files for config output for limiter and party-management * Update capi-v2 to latest * Update dominant * Update kds * Update cds * Update bender * Convert template vars to values * Update machinegun * Add token-keeper * Add token-keeper * ED-159: shamway fix * ED-159: Add bouncer and bouncer-policies * Update config/bouncer-policies/values.yaml.gotmpl Co-authored-by: vilorij <vilorij@ya.ru> * Code review fixes * Update bouncer* * Add keys * Move to new way of ingress templating * drop doubled parameter * typofix in dominant host * devstand change * typofix in bouncers * disable LE and tls in devstand * Fix bouncer config * Fix binapi config * fix papi shebang * typofix add probes port * fix bouncer-policies port * disable KK tls if disabled in Values * Fix path to party service in mg * capi-v1 is back for test transaction * ingress secret typofix * capi-v1 in helmfile * typofix in domain address * enable idkfa * fix ttl * bump deps * Add links to provider and rulesets Co-authored-by: r.shaidullin <ndiezel0@gmail.com> Co-authored-by: vilorij <vilorij@ya.ru> Co-authored-by: Dmitry Skokov <d.skokov@rbkmoney.com> * Update devstand.rbk.yaml * move prometheus to helm-infra * fix test-transaction stateless values * Add comment to default.values Co-authored-by: Dmitry Skokov <d.skokov@rbkmoney.com> Co-authored-by: Sergey Yelin <elinsn@gmail.com> Co-authored-by: ilyatrub <ilyatrub@gmail.com> Co-authored-by: Sergey Yelin <s.elin@rbkmoney.com> Co-authored-by: r.shaidullin <ndiezel0@gmail.com>
2024-11-06 00:45:18 +00:00 · 2021-09-09 20:44:45 +03:00 · 2021-09-09 20:44:45 +03:00 · 0cd257f642
commit 0cd257f642
parent cee683d4df
83 changed files with 3259 additions and 834 deletions
--- a/config/anapi/values.yaml.gotmpl
+++ b/config/anapi/values.yaml.gotmpl
@ -71,6 +71,9 @@ metrics:
    additionalLabels:
      release: prometheus

+{{ $domainWithNamespace := printf "%s.%s" .Release.Namespace .Values.services.ingress.rootDomain }}
+{{ $ingressDomain := .Values.services.ingress.namespacedDomain | ternary $domainWithNamespace .Values.services.ingress.rootDomain }}
+
 ingress:
  enabled: true
  annotations:
@ -84,17 +87,17 @@ ingress:
    nginx.ingress.kubernetes.io/configuration-snippet: |
       more_set_headers "Access-Control-Allow-Origin: $http_origin";
  hosts:
-    - host: api.{{ .Values.services.ingress.rootDomain | default "rbk.dev" }}
+    - host: api.{{ $ingressDomain | default "rbk.dev" }}
      paths:
        - /lk/v1
 {{- if .Values.services.ingress.tls.enabled }}
  tls:
  {{ if .Values.services.ingress.tls.letsEncrypt.enabled }}
-    - secretName: {{ .Release.Name }}-{{ .Values.services.ingress.tls.secretName }}
+    - secretName: api-{{ .Values.services.ingress.tls.secretName }}
  {{- else }}
    - secretName: {{ .Values.services.ingress.tls.secretName }}
  {{- end }}
      hosts:
-        - api.{{ .Values.services.ingress.rootDomain | default "rbk.dev" }} 
+        - api.{{ $ingressDomain | default "rbk.dev" }}
 {{- end }}
  servicePort: 8080
--- a/config/api-common/keys/apikeymgmt.privkey.pem
+++ b/config/api-common/keys/apikeymgmt.privkey.pem
@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIICXQIBAAKBgQCsUSRFysHJhysA43FGrepj4m85MmVnh5Mt0pyWQD+BF/nUpcQr
+2rpE3qzEoXD/q0DzPiDBms5h2Y3Rwlw1dviGl7krPUxwcnQksttSuO+jNf39qNdX
+ufhro0WCkr6G1vLpzL22YsXRU4STCKQOpDAUwAOkjcYbozVOTjv04XBHqwIDAQAB
+AoGBAIUsqNXvn9l6x7eGEFPJsa7En6Ua19gtpYfyj+ZnfSzuNL0t5/DkuLTlS60k
+AEr4NdhIGdTHKd3h34NPrSf87JED+CfsxEVhZZ+wl7nNe8CTBKInVbPBRf8AC9sh
+6qbxaCzPcRYn0XZTVmaph7iAStLZmy9pbfw31piKsS/KC7HxAkEA2UCYKkQ0i1jw
+EeXohy11MWN08xJ7+ye4qrYT2M+taEJDp/t4f5st12nzrpCP0CeQIX+8TuLVAieu
+zAlM/oirlQJBAMsM3jeIhXbyR9BSAesNGrTpWtj3wn07Yj5YfIP8C/wxy5PfdSV9
+rhB+kOrJ7MoW/3TjTpJgr1CGKoPwG8kCVj8CQDvobA17sWGbrNfCplRgXKi53E4L
+EtU3Jt0sSFzJJ/BQFYgE+D139TQpq2C/zGiCAGS8bJj0Q/jMKI9rISgvV+ECQQC/
+vRECI7rUTYke4LHLAf7cIxeUlrFjjHYDJY+/Gn0+0s7IflSi6IE8NigmbjNZyknE
+WPlTJFWolmkDWfMC52AFAkBsQa3mUuFDn50H4t9hLxkqICKFrK5IGY26bPDzQrcl
+NOuuhK6pAH1C3kfpUx83Ky9xuIogRpacycAuaXQdfrpo
+-----END RSA PRIVATE KEY-----
--- a/config/api-common/keys/capi.pubkey.pem
+++ b/config/api-common/keys/capi.pubkey.pem
@ -0,0 +1,6 @@
+-----BEGIN PUBLIC KEY-----
+MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCsUSRFysHJhysA43FGrepj4m85
+MmVnh5Mt0pyWQD+BF/nUpcQr2rpE3qzEoXD/q0DzPiDBms5h2Y3Rwlw1dviGl7kr
+PUxwcnQksttSuO+jNf39qNdXufhro0WCkr6G1vLpzL22YsXRU4STCKQOpDAUwAOk
+jcYbozVOTjv04XBHqwIDAQAB
+-----END PUBLIC KEY-----
--- a/config/api-common/keys/wapi.pubkey.pem
+++ b/config/api-common/keys/wapi.pubkey.pem
@ -0,0 +1,6 @@
+-----BEGIN PUBLIC KEY-----
+MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCsUSRFysHJhysA43FGrepj4m85
+MmVnh5Mt0pyWQD+BF/nUpcQr2rpE3qzEoXD/q0DzPiDBms5h2Y3Rwlw1dviGl7kr
+PUxwcnQksttSuO+jNf39qNdXufhro0WCkr6G1vLpzL22YsXRU4STCKQOpDAUwAOk
+jcYbozVOTjv04XBHqwIDAQAB
+-----END PUBLIC KEY-----
--- a/config/bender/values.yaml.gotmpl
+++ b/config/bender/values.yaml.gotmpl
@ -4,7 +4,7 @@ replicaCount: 1

 image:
  repository: docker.io/rbkmoney/bender
-  tag: b0eea3098f05606fa244cc8ffc1fa20d101d42b7
+  tag: cd0ee8faae41f22a40ea119337be2a842e3e9cd8
  pullPolicy: IfNotPresent

 configMap:
--- a/config/binapi/sys.config
+++ b/config/binapi/sys.config
@ -49,7 +49,9 @@
            jwt => #{
                signee => binapi,
                keyset => #{
-                    keycloak => {pem_file, "/var/lib/binapi/keys/keycloak/keycloak.pubkey.pem"}
+                    keycloak => #{
+                        source => {pem_file, "/var/lib/binapi/keys/keycloak/keycloak.pubkey.pem"}
+                    }
                }
            }
        }},
--- a/config/binapi/values.yaml.gotmpl
+++ b/config/binapi/values.yaml.gotmpl
@ -4,7 +4,7 @@ replicaCount: 1

 image:
  repository: docker.io/rbkmoney/binapi
-  tag: bc5d6fd206c740a3075fd33228561928763d0995
+  tag: c7a2a6ace195094819b57f599f25de724219136e
  pullPolicy: IfNotPresent

 configMap:
@ -71,6 +71,9 @@ metrics:
    additionalLabels:
      release: prometheus

+{{ $domainWithNamespace := printf "%s.%s" .Release.Namespace .Values.services.ingress.rootDomain }}
+{{ $ingressDomain := .Values.services.ingress.namespacedDomain | ternary $domainWithNamespace .Values.services.ingress.rootDomain }}
+
 ingress:
  enabled: true
  annotations:
@ -84,17 +87,17 @@ ingress:
    nginx.ingress.kubernetes.io/configuration-snippet: |
       more_set_headers "Access-Control-Allow-Origin: $http_origin";
  hosts:
-    - host: api.{{ .Values.services.ingress.rootDomain | default "rbk.dev" }}
+    - host: api.{{ $ingressDomain | default "rbk.dev" }}
      paths: 
        - /binbase/v1
 {{- if .Values.services.ingress.tls.enabled }}
  tls:
  {{ if .Values.services.ingress.tls.letsEncrypt.enabled }}
-    - secretName: {{ .Release.Name }}-{{ .Values.services.ingress.tls.secretName }}
+    - secretName: api-{{ .Values.services.ingress.tls.secretName }}
  {{- else }}
    - secretName: {{ .Values.services.ingress.tls.secretName }}
  {{- end }}
      hosts:
-        - api.{{ .Values.services.ingress.rootDomain | default "rbk.dev" }}
+        - api.{{ $ingressDomain | default "rbk.dev" }}
 {{- end }}
  servicePort: 8080
--- a/config/bouncer-policies/blacklisted_keys.yaml
+++ b/config/bouncer-policies/blacklisted_keys.yaml
@ -0,0 +1,11 @@
+title: Auth Token Blacklist
+description: >
+  Used for banning clients carrying specific auth tokens from using any of our
+  public APIs. Each entry in a list is an _identifier_ of some auth token.
+  Broadly speaking, what constitutes an _identifier_ depends on which _tokens_
+  are we talking about. Though for the foreseeable future, we consider only
+  JWTs where JWT's identifier is the value of the 'jti' claim.
+entries:
+  # IMPORTANT
+  # Keep in sync with the contents of `capi.blacklisted_keys` directory.
+  - "d48e07ec-4899-4338-965b-98752397f2c4"
--- a/config/bouncer-policies/values.yaml.gotmpl
+++ b/config/bouncer-policies/values.yaml.gotmpl
@ -0,0 +1,37 @@
+# -*- mode: yaml -*-
+
+replicaCount: 1
+
+image:
+  repository: docker.io/rbkmoney/bouncer-policies
+  tag: 39ca136c5f0e4c89ab4253552759299fdbde360b
+  pullPolicy: IfNotPresent
+
+configMap:
+  data:
+    blacklist: |
+      {{- readFile "blacklisted_keys.yaml" | nindent 6 }}
+
+metrics:
+  serviceMonitor:
+    enabled: true
+    namespace: {{ .Release.Namespace }}
+    additionalLabels:
+      release: prometheus
+
+volumeMounts:
+  - name: config-volume
+    mountPath: /var/opa/roots/service/authz/blacklists/auth_token/data.yaml
+    subPath: blacklist
+    readOnly: true
+
+volumes:
+  - name: config-volume
+    configMap:
+      name: {{ .Release.Name }}
+
+service:
+  type: ClusterIP
+  ports:
+    - name: api
+      port: 8181
--- a/config/bouncer/sys.config
+++ b/config/bouncer/sys.config
@ -0,0 +1,118 @@
+%% -*- mode: erlang -*-
+[
+    {bouncer, [
+        {ip, "::"},
+        {port, 8022},
+        {services, #{
+            arbiter => #{path => <<"/v1/arbiter">>}
+        }},
+        {protocol_opts, #{
+            % How much to wait for another request before closing a keepalive connection? (ms)
+            request_timeout => 5000
+        }},
+        {transport_opts, #{
+            % Maximum number of simultaneous connections.
+            max_connections => 8000,
+            % Size of the acceptor pool.
+            num_acceptors => 100
+        }},
+        % How much to wait for outstanding requests completion when asked to shut down? (ms)
+        {shutdown_timeout, 1000},
+
+        {audit, #{
+            % Audit logging.
+            log => #{
+                % Audit log level, ideally should be higher that `kernel.level`.
+                level => notice,
+                backend => #{
+                    type => standard_io
+                },
+                formatter => {logger_logstash_formatter, #{
+                    chars_limit => 4096,
+                    depth => unlimited
+                }}
+            }
+        }},
+
+        {opa, #{
+            %% Endpoint of the OPA service
+            endpoint => {
+                {resolve, dns, "bouncer-policies",
+                    #{pick => random}
+                },
+                8181
+            },
+            %% Timeout for making request and receiving response. (ms)
+            request_timeout => 1000,
+            %% Pool options, see gunner_pool:pool_opts()
+            pool_opts => #{
+                cleanup_interval => 1000,
+                max_connection_idle_age => 3000,
+                max_size => 200,
+                min_size => 5,
+                connection_opts => #{
+                    % Which transport to use? (tcp | tls)
+                    transport             => tcp,
+                    % Which `gen_tcp:connect_option()`s to use? Relevant only for `tcp` transport.
+                    tcp_opts              => [inet6],
+                    % Total timeout for estabilishing a connection. (ms)
+                    connect_timeout       => 1000
+                }
+            }
+        }},
+
+        {woody_event_handlers, [
+            hay_woody_event_handler,
+            {scoper_woody_event_handler, #{
+                event_handler_opts => #{
+                    formatter_opts => #{
+                        max_length => 1000,
+                        max_printable_string_length => 80
+                    }
+                }
+            }}
+        ]},
+
+        {health_check, #{
+            disk    => {erl_health, disk     , ["/", 99]},
+            memory  => {erl_health, cg_memory, [70]},
+            service => {erl_health, service  , [<<"bouncer">>]}
+        }}
+
+    ]},
+
+    {how_are_you, [
+        {metrics_publishers, [
+            {hay_statsd_publisher, #{
+                key_prefix => <<"bouncer.">>,
+                host => "localhost",
+                port => 8125
+            }}
+        ]}
+    ]},
+
+    {os_mon, [
+        {disksup_posix_only, true}
+    ]},
+
+    {scoper, [
+        {storage, scoper_storage_logger}
+    ]},
+
+    {kernel, [
+        {logger_level, info},
+        {logger, [
+            {handler, default, logger_std_h, #{
+                level => debug,
+                config => #{
+                    type => standard_io,
+                    sync_mode_qlen => 2000,
+                    drop_mode_qlen => 2000,
+                    flush_qlen => 3000
+                },
+                formatter => {logger_logstash_formatter, #{}}
+            }}
+        ]}
+    ]}
+
+].
--- a/config/bouncer/values.yaml.gotmpl
+++ b/config/bouncer/values.yaml.gotmpl
@ -0,0 +1,50 @@
+# -*- mode: yaml -*-
+
+replicaCount: 1
+
+image:
+  repository: docker.io/rbkmoney/bouncer
+  tag: 6dbd5079a7a9ac2107d6226f54b910a9d03b68ac
+  pullPolicy: IfNotPresent
+
+configMap:
+  data:
+    sys.config: |
+      {{- readFile "sys.config" | nindent 6 }}
+    erl_inetrc: |
+      {{- tpl (readFile "../vm/erl_inetrc.gotmpl") . | nindent 6 }}
+    vm.args: |
+      {{- tpl (readFile "../vm/erl_vm_args.gotmpl") . | nindent 6 }}
+
+metrics:
+  serviceMonitor:
+    enabled: true
+    namespace: {{ .Release.Namespace }}
+    additionalLabels:
+      release: prometheus
+
+volumeMounts:
+  - name: config-volume
+    mountPath: /opt/bouncer/releases/0.1.0/sys.config
+    subPath: sys.config
+    readOnly: true
+  - name: config-volume
+    mountPath: /opt/bouncer/releases/0.1.0/vm.args
+    subPath: vm.args
+    readOnly: true
+  - name: config-volume
+    mountPath: /opt/bouncer/erl_inetrc
+    subPath: erl_inetrc
+    readOnly: true
+
+volumes:
+  - name: config-volume
+    configMap:
+      name: {{ .Release.Name }}
+
+ciliumPolicies:
+  - filters:
+    - port: 8181
+      type: TCP
+    name: bouncer-policies
+    namespace: {{ .Release.Namespace }}
--- a/config/capi-pcidss-v1/sys.config
+++ b/config/capi-pcidss-v1/sys.config
@ -1,109 +0,0 @@
-[
-    {kernel, [
-        {logger_level, info},
-        {logger, [
-            {handler, default, logger_std_h, #{
-                level => debug,
-                config => #{
-                    type => standard_io,
-                    sync_mode_qlen => 2000,
-                    drop_mode_qlen => 2000,
-                    flush_qlen => 3000
-                },
-                filters => [{access_log, {fun logger_filters:domain/2, {stop, equal, [cowboy_access_log]}}}],
-                formatter => {logger_logstash_formatter, #{
-                    message_redaction_regex_list => [
-                        %% PAN
-                        "(?<=\\W[2-6][0-9]{5})[0-9]{1,11}(?=[0-9]{2}\\W)",
-                        %% Expiration date
-                        "(?<=\\W)[0-9]{1,2}[\\s.,-/]([0-9]{2}|2[0-9]{3})(?=\\W)",
-                        %% CVV / CVV2 / CSC
-                        "(?<=\\W)[0-9]{3,4}(?=\\W)"
-                    ]
-                }}
-            }},
-            {handler, access_logger, logger_std_h, #{
-                level => info,
-                config => #{
-                    type => standard_io,
-                    sync_mode_qlen => 2000,
-                    drop_mode_qlen => 2000,
-                    flush_qlen => 3000
-                },
-                filters => [{access_log, {fun logger_filters:domain/2, {stop, not_equal, [cowboy_access_log]}}}],
-                formatter => {logger_logstash_formatter, #{
-                    message_redaction_regex_list => [
-                        %% PAN
-                        "(?<=\\W[2-6][0-9]{5})[0-9]{1,11}(?=[0-9]{2}\\W)",
-                        %% Expiration date
-                        "(?<=\\W)[0-9]{1,2}[\\s.,-/]([0-9]{2}|2[0-9]{3})(?=\\W)",
-                        %% CVV / CVV2 / CSC
-                        "(?<=\\W)[0-9]{3,4}(?=\\W)"
-                    ]
-                }}
-            }}
-        ]}
-    ]},
-
-    {scoper, [
-        {storage, scoper_storage_logger}
-    ]},
-
-    {capi_pcidss, [
-        {ip                  , "::"                     },
-        {port                , 8080                     },
-        {service_type        , real                     },
-        {access_conf, #{
-            jwt => #{
-                keyset => #{
-                    keycloak => {pem_file, "/var/lib/capi/keys/keycloak/keycloak.pubkey.pem"},
-                    capi     => {pem_file, "/var/lib/capi/keys/capi.privkey.pem"}
-                }
-            },
-            access => #{
-                service_name => <<"common-api">>,
-                resource_hierarchy => #{
-                    payment_resources   => #{}
-                }
-            }
-        }},
-        {oops_bodies, #{
-            500 => "/var/lib/capi/oops-bodies/oopsBody1",
-            501 => "/var/lib/capi/oops-bodies/oopsBody1",
-            502 => "/var/lib/capi/oops-bodies/oopsBody1",
-            503 => "/var/lib/capi/oops-bodies/oopsBody2",
-            504 => "/var/lib/capi/oops-bodies/oopsBody2"
-        }},
-        {health_checkers, [
-            {erl_health, disk     , ["/", 99]},
-            {erl_health, cg_memory, [70]},
-            {erl_health, service  , [<<"capi-pcidss-v1">>]}
-        ]},
-        {lechiffre_opts, #{
-            encryption_source => {json, {file, <<"/var/lib/capi/keys/token_encryption_key1.jwk">>}}
-        }},
-        {validation, #{
-            %% By default now = current datetime.
-            now => { {2020, 2, 1}, {0, 0, 0} }
-        }}
-    ]},
-
-
-    {capi_woody_client, [
-        {service_urls, #{
-            cds_storage => "http://cds:8022/v2/storage",
-            binbase => "http://binbase:8022/v1/binbase",
-            bender => "http://bender:8022/v1/bender"
-        }}
-    ]},
-
-    {how_are_you, [{metrics_publishers, []}]},
-
-    {os_mon, [
-        {disksup_posix_only, true}
-    ]},
-
-    {prometheus, [
-        {collectors, [default]}
-    ]}
-].
--- a/config/capi-pcidss-v1/values.yaml.gotmpl
+++ b/config/capi-pcidss-v1/values.yaml.gotmpl
@ -1,145 +0,0 @@
-# -*- mode: yaml -*-
-
-replicaCount: 1
-
-image:
-  repository: docker.io/rbkmoney/capi_pcidss-v1
-  tag: 3007bbf74504d9f9c709d5ace37cbcfce85c0f4e
-  pullPolicy: IfNotPresent
-
-configMap:
-  data:
-    sys.config: |
-      {{- readFile "sys.config" | nindent 6 }}
-    erl_inetrc: |
-      {{- tpl (readFile "../vm/erl_inetrc.gotmpl") . | nindent 6 }}
-    fetchKeycloakPubkey: |
-      {{- readFile "../api-common/fetch-keycloak-pubkey.sh" | nindent 6 }}
-    oopsBody1: |
-      {{- readFile "../api-common/oops-bodies/sad-kitty1" | nindent 6 }}
-    oopsBody2: |
-      {{- readFile "../api-common/oops-bodies/sad-kitty2" | nindent 6 }}
-    vm.args: |
-      {{- tpl (readFile "../vm/erl_vm_args.gotmpl") . | nindent 6 }}
-
-secret:
-  data:
-    token_encryption_key1.jwk: |
-      {{- readFile "../api-common/keys/token-encryption-keys/1.jwk" | nindent 6 }}
-    capi.privkey.pem: |
-      {{- readFile "../api-common/keys/capi.privkey.pem" | nindent 6 }}
-
-apiInitContainers:
-  enabled: true
-
-volumeMounts:
-  - name: config-volume
-    mountPath: /opt/capi_pcidss/releases/0.1.0/sys.config
-    subPath: sys.config
-    readOnly: true
-  - name: config-volume
-    mountPath: /opt/capi_pcidss/releases/0.1.0/vm.args
-    subPath: vm.args
-    readOnly: true
-  - name: config-volume
-    mountPath: /opt/capi_pcidss/erl_inetrc
-    subPath: erl_inetrc
-    readOnly: true
-  - name: config-volume
-    mountPath: /var/lib/capi/oops-bodies/oopsBody1
-    subPath: oopsBody1
-    readOnly: true
-  - name: config-volume
-    mountPath: /var/lib/capi/oops-bodies/oopsBody2
-    subPath: oopsBody2
-    readOnly: true
-  - name: secret
-    mountPath: /var/lib/capi/keys
-    readOnly: true
-  - name: keycloak-pubkey
-    mountPath: /var/lib/capi/keys/keycloak
-    readOnly: true
-
-volumes:
-  - name: config-volume
-    configMap:
-      name: {{ .Release.Name }}
-      defaultMode: 0755
-  - name: secret
-    secret:
-      secretName: {{ .Release.Name }}
-  - name: keycloak-pubkey
-    emptyDir: {}
-
-service:
-  type: ClusterIP
-  ports:
-    - name: api
-      port: 8080
-
-metrics:
-  serviceMonitor:
-    enabled: false
-    namespace: {{ .Release.Namespace }}
-    additionalLabels:
-      release: prometheus
-
-ingress:
-  enabled: true
-  annotations:
-    nginx.ingress.kubernetes.io/enable-cors: "true"
-{{- if .Values.services.ingress.tls.letsEncrypt.enabled }}
-    cert-manager.io/cluster-issuer: {{ .Values.services.ingress.tls.letsEncrypt.issuer }}
-{{- end }}
-    kubernetes.io/ingress.class: {{ .Values.services.ingress.class | quote }}
-    nginx.ingress.kubernetes.io/cors-allow-methods: "PUT, GET, POST, OPTIONS"
-    nginx.ingress.kubernetes.io/cors-allow-credentials: "true"
-    nginx.ingress.kubernetes.io/configuration-snippet: |
-       more_set_headers "Access-Control-Allow-Origin: $http_origin";
-  annotations:
-    nginx.ingress.kubernetes.io/enable-cors: "true"
-{{- if .Values.services.ingress.tls.letsEncrypt.enabled }}
-    cert-manager.io/cluster-issuer: {{ .Values.services.ingress.tls.letsEncrypt.issuer }}
-{{- end }}
-    kubernetes.io/ingress.class: "nginx"
-    nginx.ingress.kubernetes.io/cors-allow-methods: "PUT, GET, POST, OPTIONS"
-    nginx.ingress.kubernetes.io/cors-allow-credentials: "true"
-    nginx.ingress.kubernetes.io/configuration-snippet: |
-       more_set_headers "Access-Control-Allow-Origin: $http_origin";
-  hosts:
-    - host: api.{{ .Values.services.ingress.rootDomain | default "rbk.dev" }}
-      paths:
-        - /v1/processing/payment-resources
-{{- if .Values.services.ingress.tls.enabled }}
-  tls:
-  {{ if .Values.services.ingress.tls.letsEncrypt.enabled }}
-    - secretName: {{ .Release.Name }}-{{ .Values.services.ingress.tls.secretName }}
-  {{- else }}
-    - secretName: {{ .Values.services.ingress.tls.secretName }}
-  {{- end }}
-      hosts:
-        - api.{{ .Values.services.ingress.rootDomain | default "rbk.dev" }}
-{{- end }}
-  servicePort: 8080
-
-ciliumPolicies:
-  - filters:
-    - port: 8080
-      type: TCP
-    name: keycloak
-    namespace: {{ .Release.Namespace }}
-  - filters:
-    - port: 8022
-      type: TCP
-    name: binbase
-    namespace: {{ .Release.Namespace }}
-  - filters:
-    - port: 8022
-      type: TCP
-    name: bender
-    namespace: {{ .Release.Namespace }}
-  - filters:
-    - port: 8022
-      type: TCP
-    name: cds
-    namespace: {{ .Release.Namespace }}
--- a/config/capi-pcidss-v2/sys.config
+++ b/config/capi-pcidss-v2/sys.config
@ -55,9 +55,19 @@
        {service_type        , real                     },
        {access_conf, #{
            jwt => #{
+                signee => capi,
                keyset => #{
-                    keycloak => {pem_file, "/var/lib/capi/keys/keycloak/keycloak.pubkey.pem"},
-                    capi     => {pem_file, "/var/lib/capi/keys/capi.privkey.pem"}
+                    keycloak => #{
+                        source => {pem_file, "/var/lib/capi/keys/keycloak/keycloak.pubkey.pem"},
+                        metadata => #{
+                            auth_method => user_session_token,
+                            user_realm => <<"external">>
+                        }
+                    },
+                    capi => #{
+                        source => {pem_file, "/var/lib/capi/keys/capi.privkey.pem"},
+                        metadata => #{}
+                    }
                }
            },
            access => #{
@ -67,6 +77,7 @@
                }
            }
        }},
+        {bouncer_ruleset_id, <<"service/authz/api">>},
        {oops_bodies, #{
            500 => "/var/lib/capi/oops-bodies/oopsBody1",
            501 => "/var/lib/capi/oops-bodies/oopsBody1",
@ -74,11 +85,18 @@
            503 => "/var/lib/capi/oops-bodies/oopsBody2",
            504 => "/var/lib/capi/oops-bodies/oopsBody2"
        }},
-        {health_checkers, [
-            {erl_health, disk     , ["/", 99]},
-            {erl_health, cg_memory, [70]},
-            {erl_health, service  , [<<"capi-pcidss-v2">>]}
-        ]},
+        {swagger_handler_opts, #{
+            validation_opts => #{
+                schema => #{
+                    response => mild
+                }
+            }
+        }},
+        {health_check, #{
+            disk    => {erl_health, disk     , ["/", 99]},
+            memory  => {erl_health, cg_memory, [70]},
+            service => {erl_health, service  , [<<"capi-pcidss-v2">>]}
+        }},
        {max_request_deadline, 60000}, % milliseconds
        {lechiffre_opts, #{
            encryption_source => {json, {file, <<"/var/lib/capi/keys/token_encryption_key1.jwk">>}}
@ -86,6 +104,16 @@
        {validation, #{
            %% By default now = current datetime.
            now => { {2020, 2, 1}, {0, 0, 0} }
+        }},
+        {payment_tool_token_lifetime, <<"600s">>},
+        {auth_config, #{
+            metadata_mappings => #{
+                % Keep those synchronized with token-keeper config!
+                party_id => <<"com.rbkmoney.party.id">>,
+                token_consumer => <<"com.rbkmoney.token.consumer">>,
+                user_id => <<"com.rbkmoney.user.id">>,
+                user_email => <<"com.rbkmoney.user.email">>
+            }
        }}
    ]},

@ -122,11 +150,59 @@
                    max_connections => 1
                }
            }
+            }}
+    ]},
+
+    {bouncer_client, [
+        {service_clients, #{
+            bouncer => #{
+                url => <<"http://bouncer:8022/v1/arbiter">>,
+                retries => #{
+                    'Judge' => {linear, 3, 500},
+                    '_' => finish
+                }
+            },
+            org_management => #{
+                url => <<"http://bouncer:8022/v1/org_management_stub">>,
+                retries => #{
+                    'GetUserContext' => {linear, 3, 500},
+                    '_' => finish
+                }
+            }
        }}
    ]},

-    {hackney, [
-        {mod_metrics, woody_client_metrics}
+    {dmt_client, [
+        {cache_update_interval, 5000}, % milliseconds
+        {cache_server_call_timeout, 30000}, % milliseconds
+        {max_cache_size, #{
+            elements => 1,
+            memory => 10485760 % 10Mb
+        }},
+        {woody_event_handlers, [
+            {scoper_woody_event_handler, #{
+                event_handler_opts => #{
+                    formatter_opts => #{
+                        max_length => 1000,
+                        max_printable_string_length => 80
+                    }
+                }
+            }}
+        ]},
+        {service_urls, #{
+            'Repository'       => <<"http://dominant:8022/v1/domain/repository"       >>,
+            'RepositoryClient' => <<"http://dominant:8022/v1/domain/repository_client">>
+        }}
+    ]},
+
+    {token_keeper_client, [
+        {service_client, #{
+            url => <<"http://token-keeper:8022/v1/token-keeper">>,
+            retries => #{
+                'GetByToken' => {linear, 3, 500},
+                '_' => finish
+            }
+        }}
    ]},

    {how_are_you, [
--- a/config/capi-pcidss-v2/values.yaml.gotmpl
+++ b/config/capi-pcidss-v2/values.yaml.gotmpl
@ -4,7 +4,7 @@ replicaCount: 1

 image:
  repository: docker.io/rbkmoney/capi_pcidss-v2
-  tag: 54dde2dd6a7ce75437be334ee3adfcfb9b590d19
+  tag: 2ab58783a40e03c03353a441097f46928d898b09
  pullPolicy: IfNotPresent

 configMap:
@ -84,6 +84,9 @@ metrics:
    additionalLabels:
      release: prometheus

+{{ $domainWithNamespace := printf "%s.%s" .Release.Namespace .Values.services.ingress.rootDomain }}
+{{ $ingressDomain := .Values.services.ingress.namespacedDomain | ternary $domainWithNamespace .Values.services.ingress.rootDomain }}
+
 ingress:
  enabled: true
  annotations:
@ -98,18 +101,18 @@ ingress:
    nginx.ingress.kubernetes.io/configuration-snippet: |
       more_set_headers "Access-Control-Allow-Origin: $http_origin";
  hosts:
-    - host: api.{{ .Values.services.ingress.rootDomain | default "rbk.dev" }}
+    - host: api.{{ $ingressDomain | default "rbk.dev" }}
      paths:
        - /v2/processing/payment-resources
 {{- if .Values.services.ingress.tls.enabled }}
  tls:
  {{ if .Values.services.ingress.tls.letsEncrypt.enabled }}
-    - secretName: {{ .Release.Name }}-{{ .Values.services.ingress.tls.secretName }}
+    - secretName: api-{{ .Values.services.ingress.tls.secretName }}
  {{- else }}
    - secretName: {{ .Values.services.ingress.tls.secretName }}
  {{- end }}
      hosts:
-        - api.{{ .Values.services.ingress.rootDomain | default "rbk.dev" }}
+        - api.{{ $ingressDomain | default "rbk.dev" }}
 {{- end }}
  servicePort: 8080

@ -133,3 +136,13 @@ ciliumPolicies:
      type: TCP
    name: cds
    namespace: {{ .Release.Namespace }}
+  - filters:
+    - port: 8022
+      type: TCP
+    name: bouncer
+    namespace: {{ .Release.Namespace }}
+  - filters:
+    - port: 8022
+      type: TCP
+    name: binbase
+    namespace: {{ .Release.Namespace }}
--- a/config/capi-v1/values.yaml.gotmpl
+++ b/config/capi-v1/values.yaml.gotmpl
@ -84,6 +84,9 @@ metrics:
    additionalLabels:
      release: prometheus

+{{ $domainWithNamespace := printf "%s.%s" .Release.Namespace .Values.services.ingress.rootDomain }}
+{{ $ingressDomain := .Values.services.ingress.namespacedDomain | ternary $domainWithNamespace .Values.services.ingress.rootDomain }}
+
 ingress:
  enabled: true
  annotations:
@ -97,18 +100,18 @@ ingress:
    nginx.ingress.kubernetes.io/configuration-snippet: |
       more_set_headers "Access-Control-Allow-Origin: $http_origin";
  hosts:
-    - host: api.{{ .Values.services.ingress.rootDomain | default "rbk.dev" }}
+    - host: api.{{ $ingressDomain | default "rbk.dev" }}
      paths:
        - /v1
 {{- if .Values.services.ingress.tls.enabled }}
  tls:
  {{ if .Values.services.ingress.tls.letsEncrypt.enabled }}
-    - secretName: {{ .Release.Name }}-{{ .Values.services.ingress.tls.secretName }}
+    - secretName: api-{{ .Values.services.ingress.tls.secretName }}
  {{- else }}
    - secretName: {{ .Values.services.ingress.tls.secretName }}
  {{- end }}
      hosts:
-        - api.{{ .Values.services.ingress.rootDomain | default "rbk.dev" }}
+        - api.{{ $ingressDomain | default "rbk.dev" }}
 {{- end }}
  servicePort: 8080

--- a/config/capi-v2/sys.config
+++ b/config/capi-v2/sys.config
@ -1,219 +1,293 @@
+%% -*- mode: erlang -*-
 [
    {kernel, [
        {logger_level, info},
        {logger, [
            {handler, default, logger_std_h, #{
-                level => debug,
-                config => #{
-                    type => standard_io,
-                    sync_mode_qlen => 2000,
-                    drop_mode_qlen => 2000,
-                    flush_qlen => 3000
-                },
-                filters => [{access_log, {fun logger_filters:domain/2, {stop, equal, [cowboy_access_log]}}}],
-                formatter => {logger_logstash_formatter, #{}}
+                    level => debug,
+                    config => #{
+                        type => standard_io,
+                        sync_mode_qlen => 2000,
+                        drop_mode_qlen => 2000,
+                        flush_qlen => 3000
+                    },
+                    filters => [{access_log, {fun logger_filters:domain/2, {stop, equal, [cowboy_access_log]}}}],
+                    formatter => {logger_logstash_formatter, #{}}
            }},
            {handler, access_logger, logger_std_h, #{
-                level => info,
-                config => #{
-                    type => standard_io,
-                    sync_mode_qlen => 2000,
-                    drop_mode_qlen => 2000,
-                    flush_qlen => 3000
+                    level => info,
+                    config => #{
+                        type => standard_io,
+                        sync_mode_qlen => 2000,
+                        drop_mode_qlen => 2000,
+                        flush_qlen => 3000
+                    },
+                    filters => [{access_log, {fun logger_filters:domain/2, {stop, not_equal, [cowboy_access_log]}}}],
+                    formatter => {logger_logstash_formatter, #{}}
+                    }}
+                ]}
+            ]},
+
+            {scoper, [
+                {storage, scoper_storage_logger}
+            ]},
+
+            {capi, [
+                {ip                  , "::"                     },
+                {port                , 8080                     },
+                {service_type        , real                     },
+                {access_conf, #{
+                    jwt => #{
+                        signee => capi,
+                        keyset => #{
+                            keycloak => #{
+                                source => {pem_file, "/var/lib/capi/keys/keycloak/keycloak.pubkey.pem"},
+                                metadata => #{
+                                    auth_method => user_session_token,
+                                    user_realm => <<"external">>
+                                }
+                            },
+                            capi => #{
+                                source => {pem_file, "/var/lib/capi/keys/capi.privkey.pem"},
+                                metadata => #{}
+                            }
+                        }
+                    }
+                }},
+                {bouncer_ruleset_id, <<"service/authz/api">>},
+                {oops_bodies, #{
+                    500 => "/var/lib/capi/oops-bodies/oopsBody1",
+                    501 => "/var/lib/capi/oops-bodies/oopsBody1",
+                    502 => "/var/lib/capi/oops-bodies/oopsBody1",
+                    503 => "/var/lib/capi/oops-bodies/oopsBody2",
+                    504 => "/var/lib/capi/oops-bodies/oopsBody2"
+                }},
+                {swagger_handler_opts, #{
+                    validation_opts => #{
+                        schema => #{
+                            response => mild
+                        }
+                    }
+                }},
+                {health_check, #{
+                    disk    => {erl_health, disk     , ["/", 99]},
+                    memory  => {erl_health, cg_memory, [70]},
+                    service => {erl_health, service  , [<<"capi-v2">>]}
+                }},
+                {max_request_deadline, 60000}, % milliseconds
+                {reporter_url_lifetime, 300}, % seconds
+                {default_processing_deadline, <<"30m">>},
+                {lechiffre_opts, #{
+                    decryption_sources => [
+                        {json, {file, <<"/var/lib/capi/keys/token_encryption_key1.jwk">>}}
+                    ]
+                }},
+                {auth_config, #{
+                    metadata_mappings => #{
+                        % Keep those synchronized with token-keeper config!
+                        party_id => <<"com.rbkmoney.party.id">>,
+                        token_consumer => <<"com.rbkmoney.token.consumer">>,
+                        user_id => <<"com.rbkmoney.user.id">>,
+                        user_email => <<"com.rbkmoney.user.email">>
+                    }
+                }}
+            ]},
+
+            {capi_woody_client, [
+                {services, #{
+                    bender => #{
+                        url => <<"http://bender:8022/v1/bender">>,
+                        transport_opts => #{
+                            pool => bender,
+                            timeout => 2000,
+                            max_connections => 2000
+                }
                },
-                filters => [{access_log, {fun logger_filters:domain/2, {stop, not_equal, [cowboy_access_log]}}}],
-                formatter => {logger_logstash_formatter, #{}}
-            }}
-        ]}
-    ]},
-
-    {scoper, [
-        {storage, scoper_storage_logger}
-    ]},
-
-    {capi, [
-        {ip                  , "::"                     },
-        {port                , 8080                     },
-        {service_type        , real                     },
-        {access_conf, #{
-            jwt => #{
-                signee => capi,
-                keyset => #{
-                    keycloak => {pem_file, "/var/lib/capi/keys/keycloak/keycloak.pubkey.pem"},
-                    capi     => {pem_file, "/var/lib/capi/keys/capi.privkey.pem"}
-                }
+                invoicing => #{
+                url => <<"http://hellgate:8022/v1/processing/invoicing">>,
+            transport_opts => #{
+                pool => invoicing,
+                timeout => 2000,
+                max_connections => 2000
            }
-        }},
-        {oops_bodies, #{
-            500 => "/var/lib/capi/oops-bodies/oopsBody1",
-            501 => "/var/lib/capi/oops-bodies/oopsBody1",
-            502 => "/var/lib/capi/oops-bodies/oopsBody1",
-            503 => "/var/lib/capi/oops-bodies/oopsBody2",
-            504 => "/var/lib/capi/oops-bodies/oopsBody2"
-        }},
-        {api_key_blacklist, #{
-            update_interval => 50000, % milliseconds
-            blacklisted_keys_dir => "/opt/capi"
-        }},
-        {swagger_handler_opts, #{
-             validation_opts => #{
-                 schema => #{
-                     response => mild
-                 }
-             }
-        }},
-        {health_check, #{
-            disk    => {erl_health, disk     , ["/", 99]},
-            memory  => {erl_health, cg_memory, [70]},
-            service => {erl_health, service  , [<<"capi-v2">>]}
-        }},
-        {max_request_deadline, 60000}, % milliseconds
-        {reporter_url_lifetime, 300}, % seconds
-        {default_processing_deadline, <<"30m">>},
-        {lechiffre_opts, #{
-            decryption_sources => [
-                {json, {file, <<"/var/lib/capi/keys/token_encryption_key1.jwk">>}}
-            ]
-        }}
-    ]},
-
-    {capi_woody_client, [
-        {services, #{
-            invoicing => #{
-                url => "http://hellgate:8022/v1/processing/invoicing",
-                transport_opts => #{
-                    pool => invoicing
-                    %timeout => {{ woody_client_keep_alive }},
-                    %max_connections => {{ salt['pillar.get']('wetkitty:macroservice:limits:concurrent-payments') }}
-                }
            },
            invoice_templating => #{
-                url => "http://hellgate:8022/v1/processing/invoice_templating",
+                url => <<"http://hellgate:8022/v1/processing/invoice_templating">>,
                transport_opts => #{
-                    pool => invoice_templating
-                    %timeout => {{ woody_client_keep_alive }}
+                    pool => invoice_templating,
+                    timeout => 2000
                }
            },
            merchant_stat => #{
-                url => "http://magista:8022/stat",
+                url => <<"http://magista:8022/stat">>,
                transport_opts => #{
-                    pool => merchant_stat
-                    %timeout => {{ woody_client_keep_alive }}
+                    pool => merchant_stat,
+                    timeout => 2000
                }
            },
            party_management => #{
-                url => "http://hellgate:8022/v1/processing/partymgmt",
+                url => <<"http://party-management:8022/v1/processing/partymgmt">>,
                transport_opts => #{
-                    pool => party_management
-                    %timeout => {{ woody_client_keep_alive }}
+                    pool => party_management,
+                    timeout => 2000
                }
            },
            geo_ip_service => #{
-                url => "http://columbus:8022/repo",
+                url => <<"http://columbus:8022/repo">>,
                transport_opts => #{
-                    pool => geo_ip_service
-                    %timeout => {{ woody_client_keep_alive }}
+                    pool => geo_ip_service,
+                    timeout => 2000
                }
            },
            accounter => #{
-                url => "http://shumway:8022/accounter",
+                url => <<"http://shumway:8022/accounter">>,
                transport_opts => #{
-                    pool => accounter
-                    %timeout => {{ woody_client_keep_alive }},
-                    %max_connections => {{ salt['pillar.get']('wetkitty:macroservice:limits:concurrent-payments') }}
-                }
+                    pool => accounter,
+                    timeout => 2000,
+                    max_connections => 1000
+            }
            },
            file_storage => #{
-                url => "http://file_storage:8022/file_storage",
+                url => <<"http://file-storage:8022/file_storage">>,
                transport_opts => #{
-                    pool => file_storage
-                    %timeout => {{ woody_client_keep_alive }}
+                    pool => file_storage,
+                    timeout => 2000
                }
            },
            reporting => #{
-                url => "http://reporter:8022/reports/new-proto",
+                url => <<"http://reporter:8022/reports/new-proto">>,
                transport_opts => #{
-                    pool => reporting
-                    %timeout => {{ woody_client_keep_alive }}
+                    pool => reporting,
+                    timeout => 2000
                }
            },
            payouts => #{
-                url => "http://payouter:8022/payout/management",
+                url => <<"http://payouter:8022/payout/management">>,
                transport_opts => #{
-                    pool => payouts
-                    %timeout => {{ woody_client_keep_alive }}
+                    pool => payouts,
+                    timeout => 2000
                }
            },
            webhook_manager => #{
-                url => "http://hooker:8022/hook",
+                url => <<"http://hooker:8022/hook">>,
                transport_opts => #{
-                    pool => webhook_manager
-                    %timeout => {{ woody_client_keep_alive }}
+                    pool => webhook_manager,
+                    timeout => 2000
                }
            },
            customer_management => #{
-                url => "http://hellgate:8022/v1/processing/customer_management",
+                url => <<"http://hellgate:8022/v1/processing/customer_management">>,
                transport_opts => #{
-                    pool => customer_management
-                    %timeout => {{ woody_client_keep_alive }}
+                    pool => customer_management,
+                    timeout => 2000
                }
            }
-        }},
-        {service_deadlines, #{
-            bender              => 30000,
-            invoicing           => 30000, % milliseconds
-            party_management    => 30000,
-            customer_management => 30000
-        }}
-    ]},
+            }},
+            {service_deadlines, #{
+                bender              => 30000,
+                invoicing           => 30000, % milliseconds
+                party_management    => 30000,
+                customer_management => 30000
+            }}
+                ]},

-    {bender_client, [
-        {services, #{
-            'Bender' => <<"http://bender:8022/v1/bender">>,
-            'Generator' => <<"http://bender:8022/v1/generator">>
-        }},
-        {deadline, 60000}
-    ]},
+            {party_client, [
+                {services, #{
+                    party_management => <<"http://party-management:8022/v1/processing/partymgmt">>
+                }},
+                {woody, #{
+                    cache_mode => safe,  % disabled | safe | aggressive
+                    options => #{
+                        woody_client => #{
+                            event_handler => {
+                                scoper_woody_event_handler,
+                                {scoper_event_handler_options, #{
+                                    event_handler_opts => #{
+                                        formatter_opts => #{
+                                            max_length => 1000,
+                                            max_printable_string_length => 80
+                                        }
+                                    }
+                                }
+                                }
+                            },
+                            transport_opts => #{
+                                pool => party_client,
+                                timeout => 2000
+                            }
+                        }
+                    },
+                    %retries => #{'_' => finish},
+                    deadline_timeout => 30000
+                }}
+            ]},

-    {dmt_client, [
-        {cache_update_interval, 30000}, % milliseconds
-        {cache_server_call_timeout, 30000}, % milliseconds
-        {max_cache_size, #{
-            elements => 5,
-            memory => 52428800 % 50Mb
-        }},
-        {service_urls, #{
-            'Repository'       => <<"http://dominant:8022/v1/domain/repository">>,
-            'RepositoryClient' => <<"http://dominant:8022/v1/domain/repository_client">>
-        }}
-    ]},
+            {bender_client, [
+                {services, #{
+                    'Bender' => <<"http://bender:8022/v1/bender">>,
+                    'Generator' => <<"http://bender:8022/v1/generator">>
+                }},
+                {deadline, 60000}
+            ]},

-    {how_are_you, [
-        {metrics_handlers, [
-            hay_vm_handler,
-            hay_cgroup_handler,
-            woody_api_hay
-        ]},
-        {metrics_publishers, [
-            %{hay_statsd_publisher, #{
-            %   key_prefix => <<"{{ service_name }}.">>,
-            %   host => "{{ salt['pillar.get']('wetkitty:statsd:host') }}",
-            %   port => {{ salt['pillar.get']('wetkitty:statsd:port') }}
-            %}}
-        ]}
-    ]},
+            {bouncer_client, [
+                {service_clients, #{
+                    bouncer => #{
+                        url => <<"http://bouncer:8022/v1/arbiter">>,
+                        retries => #{
+                            'Judge' => {linear, 3, 500},
+                            '_' => finish
+                        }
+                    },
+                    org_management => #{
+                        url => <<"http://bouncer:8022/v1/org_management_stub">>,
+                        retries => #{
+                            'GetUserContext' => {linear, 3, 500},
+                            '_' => finish
+                        }
+                    }
+                }}
+            ]},

-    {hackney, [
-        {mod_metrics, woody_client_metrics}
-    ]},
+            {dmt_client, [
+                {cache_update_interval, 30000}, % milliseconds
+                {cache_server_call_timeout, 30000}, % milliseconds
+                {max_cache_size, #{
+                    elements => 5,
+                    memory => 52428800 % 50Mb
+                }},
+                {service_urls, #{
+                    'Repository'       => <<"http://dominant:8022/v1/domain/repository">>,
+                    'RepositoryClient' => <<"http://dominant:8022/v1/domain/repository_client">>
+                }}
+            ]},

-    {os_mon, [
-        {disksup_posix_only, true}
-    ]},
+            {token_keeper_client, [
+                {service_client, #{
+                    url => <<"http://token-keeper:8022/v1/token-keeper">>,
+                    retries => #{
+                        'GetByToken' => {linear, 3, 500},
+                        '_' => finish
+                    }
+                }}
+            ]},

-    {snowflake, [{machine_id, hostname_hash}]},
+            {how_are_you, [
+                {metrics_handlers, [
+                    hay_vm_handler,
+                    hay_cgroup_handler,
+                    woody_api_hay
+                ]},
+                {metrics_publishers, []}
+            ]},

-    {prometheus, [
-        {collectors, [default]}
-    ]}
+            {hackney, [
+                {mod_metrics, woody_client_metrics}
+            ]},
+
+            {os_mon, [
+                {disksup_posix_only, true}
+            ]},
+
+            {snowflake, [{machine_id, 1}]}
 ].
--- a/config/capi-v2/values.yaml.gotmpl
+++ b/config/capi-v2/values.yaml.gotmpl
@ -4,7 +4,7 @@ replicaCount: 1

 image:
  repository: docker.io/rbkmoney/capi-v2
-  tag: 10510c2148fb3aaf1bf8893f8ddd2b4de900e557
+  tag: bc6446611ef7af7c6a60f6de9ca5f4b896d1c004
  pullPolicy: IfNotPresent

 configMap:
@ -84,6 +84,9 @@ metrics:
    additionalLabels:
      release: prometheus

+{{ $domainWithNamespace := printf "%s.%s" .Release.Namespace .Values.services.ingress.rootDomain }}
+{{ $ingressDomain := .Values.services.ingress.namespacedDomain | ternary $domainWithNamespace .Values.services.ingress.rootDomain }}
+
 ingress:
  enabled: true
  annotations:
@ -93,18 +96,18 @@ ingress:
    nginx.ingress.kubernetes.io/cors-allow-headers: "DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Authorization,X-Request-ID"
    kubernetes.io/ingress.class: {{ .Values.services.ingress.class | quote }}
  hosts:
-    - host: api.{{ .Values.services.ingress.rootDomain | default "rbk.dev" }}
+    - host: api.{{ $ingressDomain | default "rbk.dev" }}
      paths:
        - /v2
 {{- if .Values.services.ingress.tls.enabled }}
  tls:
  {{ if .Values.services.ingress.tls.letsEncrypt.enabled }}
-    - secretName: {{ .Release.Name }}-{{ .Values.services.ingress.tls.secretName }}
+    - secretName: api-{{ .Values.services.ingress.tls.secretName }}
  {{- else }}
    - secretName: {{ .Values.services.ingress.tls.secretName }}
  {{- end }}
      hosts:
-        - api.{{ .Values.services.ingress.rootDomain | default "rbk.dev" }}
+        - api.{{ $ingressDomain | default "rbk.dev" }}
 {{- end }}
  servicePort: 8080

@ -134,3 +137,23 @@ ciliumPolicies:
      type: TCP
    name: hellgate
    namespace: {{ .Release.Namespace }}
+  - filters:
+    - port: 8022
+      type: TCP
+    name: bouncer
+    namespace: {{ .Release.Namespace }}
+  - filters:
+    - port: 8022
+      type: TCP
+    name: party-management
+    namespace: {{ .Release.Namespace }}
+  - filters:
+    - port: 8022
+      type: TCP
+    name: hooker
+    namespace: {{ .Release.Namespace }}
+  - filters:
+    - port: 8022
+      type: TCP
+    name: hooker
+    namespace: {{ .Release.Namespace }}
--- a/config/cds/values.yaml.gotmpl
+++ b/config/cds/values.yaml.gotmpl
@ -4,7 +4,7 @@ replicaCount: 1

 image:
  repository: docker.io/rbkmoney/cds
-  tag: c0661c4d5abb85f7728bd0e816760670aa248251
+  tag: b1e03ab1669fc73cdade6507e9fe9b46c772cfa3
  pullPolicy: IfNotPresent

 configMap:
--- a/config/claim-management/values.yaml.gotmpl
+++ b/config/claim-management/values.yaml.gotmpl
@ -83,6 +83,9 @@ metrics:
        path: /actuator/prometheus
        scheme: http

+{{ $domainWithNamespace := printf "%s.%s" .Release.Namespace .Values.services.ingress.rootDomain }}
+{{ $ingressDomain := .Values.services.ingress.namespacedDomain | ternary $domainWithNamespace .Values.services.ingress.rootDomain }}
+
 ingress:
  enabled: true
  annotations:
@ -91,18 +94,18 @@ ingress:
 {{- end }}
    kubernetes.io/ingress.class: {{ .Values.services.ingress.class | quote }}
  hosts:
-    - host: iddqd.{{ .Values.services.ingress.rootDomain | default "rbk.dev" }}
+    - host: iddqd.{{ $ingressDomain | default "rbk.dev" }}
      paths:
        - /v1/cm
 {{- if .Values.services.ingress.tls.enabled }}
  tls:
  {{ if .Values.services.ingress.tls.letsEncrypt.enabled }}
-    - secretName: {{ .Release.Name }}-{{ .Values.services.ingress.tls.secretName }}
+    - secretName: iddqd-{{ .Values.services.ingress.tls.secretName }}
  {{- else }}
    - secretName: {{ .Values.services.ingress.tls.secretName }}
  {{- end }}
      hosts:
-        - iddqd.{{ .Values.services.ingress.rootDomain | default "rbk.dev" }}
+        - iddqd.{{ $ingressDomain | default "rbk.dev" }}
 {{- end }}
  servicePort: 8022

--- a/config/controlcenter/appConfig.json.gotmpl
+++ b/config/controlcenter/appConfig.json.gotmpl
@ -1,7 +1,9 @@
+{{ $domainWithNamespace := printf "%s.%s" .Release.Namespace .Values.services.ingress.rootDomain }}
+{{ $ingressDomain := .Values.services.ingress.namespacedDomain | ternary $domainWithNamespace .Values.services.ingress.rootDomain }}
 {
 {{- if .Values.services.ingress.tls.enabled }}
-    "papiEndpoint": "https://iddqd.{{ .Values.services.ingress.rootDomain | default "rbk.dev" }}/papi/v1"
+    "papiEndpoint": "https://iddqd.{{ $ingressDomain | default "rbk.dev" }}/papi/v1"
 {{- else }}
-    "papiEndpoint": "http://iddqd.{{ .Values.services.ingress.rootDomain | default "rbk.dev" }}/papi/v1"
+    "papiEndpoint": "http://iddqd.{{ $ingressDomain | default "rbk.dev" }}/papi/v1"
 {{- end }}
 }
--- a/config/controlcenter/authConfig.json.gotmpl
+++ b/config/controlcenter/authConfig.json.gotmpl
@ -1,6 +1,8 @@
+{{ $domainWithNamespace := printf "%s.%s" .Release.Namespace .Values.services.ingress.rootDomain }}
+{{ $ingressDomain := .Values.services.ingress.namespacedDomain | ternary $domainWithNamespace .Values.services.ingress.rootDomain }}
 {
    "realm": "internal",
-    "auth-server-url": "https://auth.{{ .Values.services.ingress.rootDomain | default "rbk.dev" }}/auth/",
+    "auth-server-url": "https://auth.{{ $ingressDomain | default "rbk.dev" }}/auth/",
    "ssl-required": "external",
    "resource": "control-center",
    "public-client": true
--- a/config/controlcenter/values.yaml.gotmpl
+++ b/config/controlcenter/values.yaml.gotmpl
@ -53,6 +53,9 @@ readinessProbe:
  initialDelaySeconds: 30
  timeoutSeconds: 3

+{{ $domainWithNamespace := printf "%s.%s" .Release.Namespace .Values.services.ingress.rootDomain }}
+{{ $ingressDomain := .Values.services.ingress.namespacedDomain | ternary $domainWithNamespace .Values.services.ingress.rootDomain }}
+
 ingress:
  enabled: true
  annotations:
@ -61,17 +64,17 @@ ingress:
 {{- end }}
    kubernetes.io/ingress.class: {{ .Values.services.ingress.class | quote }}
  hosts:
-    - host: iddqd.{{ .Values.services.ingress.rootDomain | default "rbk.dev" }}
+    - host: iddqd.{{ $ingressDomain | default "rbk.dev" }}
      paths:
        - /
 {{- if .Values.services.ingress.tls.enabled }}
  tls:
  {{ if .Values.services.ingress.tls.letsEncrypt.enabled }}
-    - secretName: {{ .Release.Name }}-{{ .Values.services.ingress.tls.secretName }}
+    - secretName: iddqd-{{ .Values.services.ingress.tls.secretName }}
  {{- else }}
    - secretName: {{ .Values.services.ingress.tls.secretName }}
  {{- end }}
      hosts:
-        - iddqd.{{ .Values.services.ingress.rootDomain | default "rbk.dev" }}
+        - iddqd.{{ $ingressDomain | default "rbk.dev" }}
 {{- end }}
  servicePort: 8080
--- a/config/dark-api/entrypoint.sh.gotmpl
+++ b/config/dark-api/entrypoint.sh.gotmpl
@ -34,9 +34,9 @@ java \
    --dominant.networkTimeout=30000 \
    --dudoser.url=http://dudoser:8022/dudos \
    --dudoser.networkTimeout=30000 \
+    --keycloak.auth-server-url=https://auth.{{ .Release.Namespace }}.{{ .Values.services.ingress.rootDomain | default "rbk.dev" }}/auth \
    --keycloak.realm-public-key.file-path="/var/lib/dark-api/keys/keycloak/keycloak.pubkey.pem" \
    --keycloak.realm=external \
    --keycloak.resource=common-api \
    --server.servlet.context-path=/dark-api/v1 \
-    ${@} \
-    --spring.config.additional-location=/vault/secrets/application.properties \
+    ${@}
--- a/config/dark-api/values.yaml.gotmpl
+++ b/config/dark-api/values.yaml.gotmpl
@ -4,7 +4,7 @@ replicaCount: 1

 image:
  repository: docker.io/rbkmoney/dark-api
-  tag: da3705fde0414af7e9e3eb60ba9b7b4ce88231fc
+  tag: 933d0b9506ba312d69dfd46c5432ced36e3fce64
  pullPolicy: IfNotPresent

 runopts:
@ -13,7 +13,7 @@ runopts:
 configMap:
  data:
    entrypoint.sh: |
-      {{- readFile "entrypoint.sh" | nindent 6 }}
+      {{- tpl  (readFile "entrypoint.sh.gotmpl") . | nindent 6 }}
    loggers.xml: |
      {{- readFile "loggers.xml" | nindent 6 }}
    logback.xml: |
@ -60,26 +60,34 @@ service:
    - name: management
      port: 8023

+{{ $domainWithNamespace := printf "%s.%s" .Release.Namespace .Values.services.ingress.rootDomain }}
+{{ $ingressDomain := .Values.services.ingress.namespacedDomain | ternary $domainWithNamespace .Values.services.ingress.rootDomain }}
+
 ingress:
  enabled: true
  annotations:
 {{- if .Values.services.ingress.tls.letsEncrypt.enabled }}
    cert-manager.io/cluster-issuer: {{ .Values.services.ingress.tls.letsEncrypt.issuer }}
 {{- end }}
+    nginx.ingress.kubernetes.io/cors-allow-methods: "PUT, GET, POST"
+    nginx.ingress.kubernetes.io/cors-allow-credentials: "true"
+    nginx.ingress.kubernetes.io/cors-allow-headers: "content-type,content-disposition,authorization,x-request-id"
+    nginx.ingress.kubernetes.io/configuration-snippet: |
+       more_set_headers "Access-Control-Allow-Origin: $http_origin";
    kubernetes.io/ingress.class: {{ .Values.services.ingress.class | quote }}
  hosts:
-    - host: api.{{ .Values.services.ingress.rootDomain | default "rbk.dev" }}
+    - host: api.{{ $ingressDomain | default "rbk.dev" }}
      paths:
        - /dark-api
 {{- if .Values.services.ingress.tls.enabled }}
  tls:
  {{ if .Values.services.ingress.tls.letsEncrypt.enabled }}
-    - secretName: {{ .Release.Name }}-{{ .Values.services.ingress.tls.secretName }}
+    - secretName: api-{{ .Values.services.ingress.tls.secretName }}
  {{- else }}
    - secretName: {{ .Values.services.ingress.tls.secretName }}
  {{- end }}
      hosts:
-        - api.{{ .Values.services.ingress.rootDomain | default "rbk.dev" }}
+        - api.{{ $ingressDomain | default "rbk.dev" }}
 {{- end }}
  servicePort: 8080

--- a/config/dashboard/appConfig.json.gotmpl
+++ b/config/dashboard/appConfig.json.gotmpl
@ -1,12 +1,15 @@
+{{ $domainWithNamespace := printf "%s.%s" .Release.Namespace .Values.services.ingress.rootDomain }}
+{{ $ingressDomain := .Values.services.ingress.namespacedDomain | ternary $domainWithNamespace .Values.services.ingress.rootDomain }}
 {
-    "apiEndpoint": "https://api.{{ .Values.services.ingress.rootDomain | default "rbk.dev" }}",
-    "urlShortenerEndpoint": "https://shrt.{{ .Values.services.ingress.rootDomain | default "rbk.dev" }}",
-    "checkoutEndpoint": "https://checkout.{{ .Values.services.ingress.rootDomain | default "rbk.dev" }}",
-    "ext": {
-        "docsEndpoint": "https://rbkmoney.github.io/docs",
-        "supportEmail": "support@rbkmoney.com",
-        "paymentsApiSpecEndpoint": "https://developer.rbk.money/api/"
+    "keycloakEndpoint": "https://auth.{{ $ingressDomain | default "rbk.dev" }}",
+    "theme": {
+      "isMainBackgroundImages": true,
+      "logoName": "rbkmoney",
+      "name": "main"
    },
+    "apiEndpoint": "https://api.{{ $ingressDomain | default "rbk.dev" }}",
+    "urlShortenerEndpoint": "https://shrt.{{ $ingressDomain | default "rbk.dev" }}",
+    "checkoutEndpoint": "https://checkout.{{ $ingressDomain | default "rbk.dev" }}",
    "yandexMetrika": {
        "id": null,
        "clickmap": true,
--- a/config/dashboard/authConfig.json.gotmpl
+++ b/config/dashboard/authConfig.json.gotmpl
@ -1,6 +1,8 @@
+{{ $domainWithNamespace := printf "%s.%s" .Release.Namespace .Values.services.ingress.rootDomain }}
+{{ $ingressDomain := .Values.services.ingress.namespacedDomain | ternary $domainWithNamespace .Values.services.ingress.rootDomain }}
 {
    "realm": "external",
-    "auth-server-url": "https://auth.{{ .Values.services.ingress.rootDomain | default "rbk.dev" }}/auth/",
+    "auth-server-url": "https://auth.{{ $ingressDomain | default "rbk.dev" }}/auth/",
    "ssl-required": "external",
    "resource": "koffing",
    "public-client": true
--- a/config/dashboard/values.yaml.gotmpl
+++ b/config/dashboard/values.yaml.gotmpl
@ -3,7 +3,7 @@ replicaCount: 1

 image:
  repository: docker.io/rbkmoney/dashboard
-  tag: 380a2e2464ccec1e624d8972381622fcb3b5789a
+  tag: 407b46da200b7c3b42f4ba890e018687f69ea45d
  pullPolicy: IfNotPresent

 service:
@ -53,6 +53,9 @@ readinessProbe:
  initialDelaySeconds: 30
  timeoutSeconds: 3

+{{ $domainWithNamespace := printf "%s.%s" .Release.Namespace .Values.services.ingress.rootDomain }}
+{{ $ingressDomain := .Values.services.ingress.namespacedDomain | ternary $domainWithNamespace .Values.services.ingress.rootDomain }}
+
 ingress:
  enabled: true
  annotations:
@ -66,17 +69,17 @@ ingress:
    nginx.ingress.kubernetes.io/configuration-snippet: |
       more_set_headers "Access-Control-Allow-Origin: $http_origin";
  hosts:
-    - host: dashboard.{{ .Values.services.ingress.rootDomain | default "rbk.dev" }}
+    - host: dashboard.{{ $ingressDomain | default "rbk.dev" }}
      paths:
        - /
 {{- if .Values.services.ingress.tls.enabled }}
  tls:
  {{ if .Values.services.ingress.tls.letsEncrypt.enabled }}
-    - secretName: {{ .Release.Name }}-{{ .Values.services.ingress.tls.secretName }}
+    - secretName: dashboard-{{ .Values.services.ingress.tls.secretName }}
  {{- else }}
    - secretName: {{ .Values.services.ingress.tls.secretName }}
  {{- end }}
      hosts:
-        - dashboard.{{ .Values.services.ingress.rootDomain | default "rbk.dev" }}
+        - dashboard.{{ $ingressDomain | default "rbk.dev" }}
 {{- end }}
  servicePort: 8080
--- a/config/deanonimus/values.yaml.gotmpl
+++ b/config/deanonimus/values.yaml.gotmpl
@ -60,6 +60,9 @@ readinessProbe:
    path: /actuator/health
    port: api

+{{ $domainWithNamespace := printf "%s.%s" .Release.Namespace .Values.services.ingress.rootDomain }}
+{{ $ingressDomain := .Values.services.ingress.namespacedDomain | ternary $domainWithNamespace .Values.services.ingress.rootDomain }}
+
 ingress:
  enabled: true
  annotations:
@ -68,18 +71,18 @@ ingress:
 {{- end }}
    kubernetes.io/ingress.class: {{ .Values.services.ingress.class | quote }}
  hosts:
-    - host: iddqd.{{ .Values.services.ingress.rootDomain | default "rbk.dev" }}
+    - host: iddqd.{{ $ingressDomain | default "rbk.dev" }}
      paths:
        - /deanonimus
 {{- if .Values.services.ingress.tls.enabled }}
  tls:
  {{ if .Values.services.ingress.tls.letsEncrypt.enabled }}
-    - secretName: {{ .Release.Name }}-{{ .Values.services.ingress.tls.secretName }}
+    - secretName: iddqd-{{ .Values.services.ingress.tls.secretName }}
  {{- else }}
    - secretName: {{ .Values.services.ingress.tls.secretName }}
  {{- end }}
      hosts:
-        - iddqd.{{ .Values.services.ingress.rootDomain | default "rbk.dev" }}
+        - iddqd.{{ $ingressDomain | default "rbk.dev" }}
 {{- end }}
  servicePort: 8022

--- a/config/dominant/init-script.sh
+++ b/config/dominant/init-script.sh
--- a/config/dominant/values.yaml.gotmpl
+++ b/config/dominant/values.yaml.gotmpl
@ -4,7 +4,7 @@ replicaCount: 1

 image:
  repository: docker.io/rbkmoney/dominant
-  tag: de2a937b3b92eb4fa6888be5aef3bde7d3c8b409
+  tag: c25af1f5a6cc13ac667110534c8d19eb9128a4f3
  pullPolicy: IfNotPresent

 configMap:
@ -64,6 +64,9 @@ volumeMounts:
    subPath: erl_inetrc
    readOnly: true

+{{ $domainWithNamespace := printf "%s.%s" .Release.Namespace .Values.services.ingress.rootDomain }}
+{{ $ingressDomain := .Values.services.ingress.namespacedDomain | ternary $domainWithNamespace .Values.services.ingress.rootDomain }}
+
 ingress:
  enabled: true
  annotations:
@ -72,18 +75,18 @@ ingress:
 {{- end }}
    kubernetes.io/ingress.class: {{ .Values.services.ingress.class | quote }}
  hosts:
-    - host: iddqd.{{ .Values.services.ingress.rootDomain | default "rbk.dev" }}
+    - host: iddqd.{{ $ingressDomain | default "rbk.dev" }}
      paths:
        - /v1
 {{- if .Values.services.ingress.tls.enabled }}
  tls:
  {{ if .Values.services.ingress.tls.letsEncrypt.enabled }}
-    - secretName: {{ .Release.Name }}-{{ .Values.services.ingress.tls.secretName }}
+    - secretName: iddqd-{{ .Values.services.ingress.tls.secretName }}
  {{- else }}
    - secretName: {{ .Values.services.ingress.tls.secretName }}
  {{- end }}
      hosts:
-        - iddqd.{{ .Values.services.ingress.rootDomain | default "rbk.dev" }}
+        - iddqd.{{ $ingressDomain | default "rbk.dev" }}
 {{- end }}
  servicePort: 8022

--- a/config/fistful-magista/entrypoint.sh
+++ b/config/fistful-magista/entrypoint.sh
@ -22,7 +22,7 @@ java \
    --spring.datasource.hikari.maximum-pool-size=20 \
    --spring.application.name=fistful-magista \
    --flyway.schemas=mst \
-    --identity-management.url=http://wapi:8022/v1/identity \
+    --identity-management.url=http://wapi-v0:8080/v1/identity \
    --identity-management.timeout=5000 \
    --kafka.bootstrap-servers=kafka:9092 \
    --kafka.consumer.group-id=fistful-magista \
--- a/config/fistful/sys.config
+++ b/config/fistful/sys.config
@ -57,7 +57,7 @@

    {party_client, [
        {services, #{
-            party_management => "http://hellgate:8022/v1/processing/partymgmt"
+            party_management => "http://party-management:8022/v1/processing/partymgmt"
        }},
        {woody, #{
            cache_mode => safe,  % disabled | safe | aggressive
@ -84,11 +84,11 @@
        {providers, #{
            <<"test">> => #{
                routes => [<<"mocketbank">>],
-                payment_institution_id => {{ payinst_test }},
+                payment_institution_id => 1,
                identity_classes       => #{
                    <<"person">>          => #{
                        name                 => <<"Person">>,
-                        contract_template_id => {{ contract_tpl_test_person }},
+                        contract_template_id => 1,
                        initial_level        => <<"anonymous">>,
                        levels               => #{
                            <<"anonymous">>     => #{
@ -114,7 +114,7 @@
                    },
                    <<"company">>          => #{
                        name                 => <<"Legal Entity">>,
-                        contract_template_id => {{ contract_tpl_test_company }},
+                        contract_template_id => 1,
                        initial_level        => <<"identified">>,
                        levels               => #{
                            <<"identified">>    => #{
@ -126,12 +126,12 @@
                }
            },
            <<"dpl">> => #{
-                payment_institution_id => {{ payinst_dpl }},
+                payment_institution_id => 1,
                routes => [<<"accentpay">>],
                identity_classes       => #{
                    <<"company">>          => #{
                        name                 => <<"Legal Entity">>,
-                        contract_template_id => {{ contract_tpl_dpl_company }},
+                        contract_template_id => 1,
                        initial_level        => <<"identified">>,
                        levels               => #{
                            <<"identified">>    => #{
--- a/config/fistful/values.yaml.gotmpl
+++ b/config/fistful/values.yaml.gotmpl
@ -2,7 +2,7 @@

 image:
  repository: docker.io/rbkmoney/fistful-server
-  tag: 60b964d0e07f911c841903bc61d8d9fb20a32658
+  tag: ef3dc8880c54abdf6da94f3ce64cf613c563c457
  pullPolicy: IfNotPresent

 configMap:
--- a/config/hellgate/sys.config
+++ b/config/hellgate/sys.config
@ -92,7 +92,7 @@
                }
            },
            party_management => #{
-                url => <<"http://hellgate:8022/v1/processing/partymgmt">>,
+                url => <<"http://party-management:8022/v1/processing/partymgmt">>,
                transport_opts => #{
                    pool => woody_party_management,
                    timeout => 3000,
@ -122,6 +122,14 @@
                    timeout => 3000,
                    max_connections => 2000
                }
+            },
+            limiter => #{
+                url => <<"http://limiter:8022/v1/limiter">>,
+                transport_opts => #{
+                    pool => woody_proto_limiter,
+                    timeout => 3000,
+                    max_connections => 300
+                }
            }
        }},
        {fault_detector, #{
@ -166,39 +174,17 @@
            captured => {exponential, {max_total_timeout, 18000}, 2, 1, 300},
            refunded => no_retry
        }},
-        {inspect_timeout, 7000}
-    ]},
-    {party_management, [
-        {scoper_event_handler_options, #{
-            event_handler_opts => #{
-                formatter_opts => #{
-                    max_length => 1000,
-                    max_printable_string_length => 80
-                }
-            }
-        }},
-        {services, #{
-            automaton => #{
-                url => <<"http://machinegun:8022/v1/automaton">>,
-                transport_opts => #{
-                    pool => woody_automaton,
-                    timeout => 3000,
-                    max_connections => 2000
-                }
-            },
-            accounter => #{
-                url => <<"http://shumway:8022/shumpune">>,
-                transport_opts => #{
-                    pool => woody_accounter,
-                    timeout => 3000,
-                    max_connections => 2000
-                }
-            }
+        {inspect_timeout, 7000},
+        {binding, #{
+            max_sync_interval => <<"5s">>,
+            outdated_sync_interval => <<"1440m">>,
+            outdate_timeout => <<"180m">>
        }}
    ]},
+
    {party_client, [
        {services, #{
-            party_management => <<"http://hellgate:8022/v1/processing/partymgmt">>
+            party_management => <<"http://party-management:8022/v1/processing/partymgmt">>
        }},
        {woody, #{
            cache_mode => safe,  % disabled | safe | aggressive
@ -247,5 +233,7 @@

    {prometheus, [
        {collectors, [default]}
-    ]}
+    ]},
+
+    {snowflake, [{machine_id, 1}]}
 ].
--- a/config/hellgate/values.yaml.gotmpl
+++ b/config/hellgate/values.yaml.gotmpl
@ -4,7 +4,7 @@ replicaCount: 1

 image:
  repository: docker.io/rbkmoney/hellgate
-  tag: efe0b67a7a048bfa17cac871ff2e7b797ea13796
+  tag: 9dd99ab584105159efdcc8f0c48ef74a0b918299
  pullPolicy: IfNotPresent

 configMap:
@ -42,6 +42,9 @@ volumes:
    configMap:
      name: {{ .Release.Name }}

+{{ $domainWithNamespace := printf "%s.%s" .Release.Namespace .Values.services.ingress.rootDomain }}
+{{ $ingressDomain := .Values.services.ingress.namespacedDomain | ternary $domainWithNamespace .Values.services.ingress.rootDomain }}
+
 ingress:
  enabled: true
  annotations:
@ -50,18 +53,18 @@ ingress:
 {{- end }}
    kubernetes.io/ingress.class: {{ .Values.services.ingress.class | quote }}
  hosts:
-    - host: iddqd.{{ .Values.services.ingress.rootDomain | default "rbk.dev" }}
+    - host: iddqd.{{ $ingressDomain | default "rbk.dev" }}
      paths:
        - /v1/processing/invoicing
 {{- if .Values.services.ingress.tls.enabled }}
  tls:
  {{ if .Values.services.ingress.tls.letsEncrypt.enabled }}
-    - secretName: {{ .Release.Name }}-{{ .Values.services.ingress.tls.secretName }}
+    - secretName: iddqd-{{ .Values.services.ingress.tls.secretName }}
  {{- else }}
    - secretName: {{ .Values.services.ingress.tls.secretName }}
  {{- end }}
      hosts:
-        - iddqd.{{ .Values.services.ingress.rootDomain | default "rbk.dev" }}
+        - iddqd.{{ $ingressDomain | default "rbk.dev" }}
 {{- end }}
  servicePort: 8022

--- a/config/kds/values.yaml.gotmpl
+++ b/config/kds/values.yaml.gotmpl
@ -4,7 +4,7 @@ replicaCount: 1

 image:
  repository: docker.io/rbkmoney/kds
-  tag: df8a550af175177486ec49cf3bdab64cf5db2d33
+  tag: f8deaa250250fc2cb2f9daba8c762b3ea1895324
  pullPolicy: IfNotPresent

 hook:
--- a/config/keycloak-realms/external.json.gotmpl
+++ b/config/keycloak-realms/external.json.gotmpl
@ -1,3 +1,5 @@
+{{ $domainWithNamespace := printf "%s.%s" .Release.Namespace .Values.services.ingress.rootDomain }}
+{{ $ingressDomain := .Values.services.ingress.namespacedDomain | ternary $domainWithNamespace .Values.services.ingress.rootDomain }}
 {
  "id": "external",
  "realm": "external",
@ -1439,12 +1441,12 @@
      "clientAuthenticatorType": "client-secret",
      "secret": "**********",
      "redirectUris": [
-        "https://beta.dashboard.{{ .Values.services.ingress.rootDomain | default "rbk.dev" }}/*",
-        "https://dashboard.{{ .Values.services.ingress.rootDomain | default "rbk.dev" }}/*"
+        "https://beta.dashboard.{{ $ingressDomain | default "rbk.dev" }}/*",
+        "https://dashboard.{{ $ingressDomain | default "rbk.dev" }}/*"
      ],
      "webOrigins": [
-        "https://beta.dashboard.{{ .Values.services.ingress.rootDomain | default "rbk.dev" }}",
-        "https://dashboard.{{ .Values.services.ingress.rootDomain | default "rbk.dev" }}"
+        "https://beta.dashboard.{{ $ingressDomain | default "rbk.dev" }}",
+        "https://dashboard.{{ $ingressDomain | default "rbk.dev" }}"
      ],
      "notBefore": 0,
      "bearerOnly": false,
@ -1501,10 +1503,10 @@
      "clientAuthenticatorType": "client-secret",
      "secret": "**********",
      "redirectUris": [
-        "https://dashboard.{{ .Values.services.ingress.rootDomain | default "rbk.dev" }}/*"
+        "https://dashboard.{{ $ingressDomain | default "rbk.dev" }}/*"
      ],
      "webOrigins": [
-        "https://dashboard.{{ .Values.services.ingress.rootDomain | default "rbk.dev" }}"
+        "https://dashboard.{{ $ingressDomain | default "rbk.dev" }}"
      ],
      "notBefore": 0,
      "bearerOnly": false,
@ -2197,10 +2199,10 @@
      "clientAuthenticatorType": "client-secret",
      "secret": "**********",
      "redirectUris": [
-        "https://auth.{{ .Values.services.ingress.rootDomain | default "rbk.dev" }}/*"
+        "https://auth.{{ $ingressDomain | default "rbk.dev" }}/*"
      ],
      "webOrigins": [
-        "https://auth.{{ .Values.services.ingress.rootDomain | default "rbk.dev" }}"
+        "https://auth.{{ $ingressDomain | default "rbk.dev" }}"
      ],
      "notBefore": 0,
      "bearerOnly": false,
@ -3089,8 +3091,8 @@
    "contentSecurityPolicyReportOnly": "",
    "xContentTypeOptions": "nosniff",
    "xRobotsTag": "none",
-    "xFrameOptions": "ALLOW-FROM https://dashboard.{{ .Values.services.ingress.rootDomain | default "rbk.dev" }}",
-    "contentSecurityPolicy": "child-src 'self', frame-ancestors https://dashboard.{{ .Values.services.ingress.rootDomain | default "rbk.dev" }} ;",
+    "xFrameOptions": "ALLOW-FROM https://dashboard.{{ $ingressDomain | default "rbk.dev" }}",
+    "contentSecurityPolicy": "child-src 'self', frame-ancestors https://dashboard.{{ $ingressDomain | default "rbk.dev" }} ;",
    "xXSSProtection": "1; mode=block",
    "strictTransportSecurity": "max-age=31536000; includeSubDomains"
  },
--- a/config/keycloak-realms/internal.json.gotmpl
+++ b/config/keycloak-realms/internal.json.gotmpl
@ -1,3 +1,5 @@
+{{ $domainWithNamespace := printf "%s.%s" .Release.Namespace .Values.services.ingress.rootDomain }}
+{{ $ingressDomain := .Values.services.ingress.namespacedDomain | ternary $domainWithNamespace .Values.services.ingress.rootDomain }}
 {
  "id": "internal",
  "realm": "internal",
@ -664,7 +666,8 @@
      "clientRoles" : {
        "private-api" : [ "adjustment:update", "dmt:pull", "payout:read", "payout:pay", "adjustment:create", "claim:get", "payout:confirm", "dmt:checkout", "claim.comment:get", "party:get", "claim.action:get", "claim:update", "dmt:commit", "claim:accept", "adjustment:get", "merchant:create", "claim.comment:add", "payout:generate", "merchant:update", "accounting_report:get", "internal_report:get", "payout:cancel" ],
        "account" : [ "manage-account", "view-profile" ],
-        "control-center": [ "manage_chargebacks", "search_deposits", "search_ops", "search_invoices", "deposit:write", "search_payments", "view_chargebacks"]
+        "control-center": [ "manage_chargebacks", "search_deposits", "search_ops", "search_invoices", "deposit:write", "search_payments", "view_chargebacks"],
+        "claim-management": [ "get_claims", "request_claim_changes", "add_party_mod", "request_claim_review", "update_claim", "accept_claim", "revoke_claim", "create_claim", "deny_claim", "add_claim_mod"]
      },
      "notBefore" : 0,
      "groups" : [ ]
@ -1473,10 +1476,10 @@
        "clientAuthenticatorType": "client-secret",
        "secret": "**********",
              "redirectUris": [
-          "https://iddqd.{{ .Values.services.ingress.rootDomain | default "rbk.dev" }}/*"
+          "https://iddqd.{{ $ingressDomain | default "rbk.dev" }}/*"
        ],
        "webOrigins": [
-          "https://iddqd.{{ .Values.services.ingress.rootDomain | default "rbk.dev" }}"
+          "https://iddqd.{{ $ingressDomain | default "rbk.dev" }}"
        ],
        "notBefore": 0,
        "bearerOnly": false,
@ -1595,8 +1598,8 @@
      "enabled" : true,
      "clientAuthenticatorType" : "client-secret",
      "secret" : "7fed580b-e400-4b61-b031-f524ee69d283",
-      "redirectUris" : [ "https://idkfa.{{ .Values.services.ingress.rootDomain | default "rbk.dev" }}/*" ],
-      "webOrigins" : [ "https://idkfa.{{ .Values.services.ingress.rootDomain | default "rbk.dev" }}" ],
+      "redirectUris" : [ "https://idkfa.{{ $ingressDomain | default "rbk.dev" }}/*" ],
+      "webOrigins" : [ "https://idkfa.{{ $ingressDomain | default "rbk.dev" }}" ],
      "notBefore" : 0,
      "bearerOnly" : false,
      "consentRequired" : false,
--- a/config/keycloak/values.yaml.gotmpl
+++ b/config/keycloak/values.yaml.gotmpl
@ -4,8 +4,6 @@ postgresql:
 podLabels:
  selector.cilium.rbkmoney/release: {{ .Release.Name }}

-image:
-  tag: 12.0.4
 extraEnv: |
  - name: KEYCLOAK_USER
    value: true_admin
@ -50,6 +48,9 @@ extraVolumeMounts: |
    mountPath: "/realm/"
    readOnly: true

+{{ $domainWithNamespace := printf "%s.%s" .Release.Namespace .Values.services.ingress.rootDomain }}
+{{ $ingressDomain := .Values.services.ingress.namespacedDomain | ternary $domainWithNamespace .Values.services.ingress.rootDomain }}
+
 ingress:
  enabled: true
  annotations:
@ -64,19 +65,21 @@ ingress:
       more_set_headers "Access-Control-Allow-Origin: $http_origin";
  servicePort: http
  rules:
-    - host: 'auth.{{ .Values.services.ingress.rootDomain | default "rbk.dev" }}'
+    - host: 'auth.{{ $ingressDomain | default "rbk.dev" }}'
      paths:
        - path: /
          pathType: Prefix
 {{- if .Values.services.ingress.tls.enabled }}
  tls:
    - hosts:
-        - 'auth.{{ .Values.services.ingress.rootDomain | default "rbk.dev" }}'
+        - 'auth.{{ $ingressDomain | default "rbk.dev" }}'
  {{ if .Values.services.ingress.tls.letsEncrypt.enabled }}
      secretName: {{ .Release.Name }}-{{ .Values.services.ingress.tls.secretName }}
  {{- else }}
      secretName: {{ .Values.services.ingress.tls.secretName }}
  {{- end }}
+{{- else }}
+  tls: []
 {{- end }}

 ciliumPolicies:
--- a/config/limiter/sys.config
+++ b/config/limiter/sys.config
@ -0,0 +1,103 @@
+[
+    {limiter, [
+        {ip, "::"},
+        {port, 8022},
+        {services, #{
+            limiter => #{
+                path => <<"/v1/limiter">>
+            },
+            configurator => #{
+                path => <<"/v1/configurator">>
+            }
+        }},
+        {service_clients, #{
+            accounter => #{
+                url => <<"http://shumway:8022/accounter">>
+            },
+            automaton => #{
+                url => <<"http://machinegun:8022/v1/automaton">>
+            },
+            xrates => #{
+                url => <<"http://xrates:8022/xrates">>
+            }
+        }},
+
+        {exchange_factors, #{
+            <<"DEFAULT">> => {1, 1},
+            <<"USD">> => {105, 100},
+            <<"EUR">> => {12, 10}
+        }},
+
+        {protocol_opts, #{
+            % How much to wait for another request before closing a keepalive connection? (ms)
+            request_timeout => {{ woody_server_keep_alive }},
+            % Should be greater than any other timeouts
+            idle_timeout => infinity
+        }},
+        {transport_opts, #{
+            handshake_timeout => 5000, % timeout() | infinity, default is 5000
+            max_connections => 10000,  % maximum number of incoming connections, default is 1024
+            num_acceptors => 100       % size of acceptors pool, default is 10
+        }},
+        % How much to wait for outstanding requests completion when asked to shut down? (ms)
+        {shutdown_timeout, 7000},
+
+        {woody_event_handlers, [
+            hay_woody_event_handler,
+            {scoper_woody_event_handler, #{
+                event_handler_opts => #{
+                    formatter_opts => #{
+                        max_length => 1000,
+                        max_printable_string_length => 120
+                    }
+                }
+            }}
+        ]},
+
+        {health_check, #{
+            disk    => {erl_health, disk     , ["/", 99]},
+            memory  => {erl_health, cg_memory, [99]},
+            service => {erl_health, service  , [<<"limiter">>]}
+        }}
+    ]},
+
+    {kernel, [
+        {logger_level, info},
+        {logger, [
+            {handler, default, logger_std_h, #{
+                level => debug,
+                config => #{
+                    type => standard_io,
+                    sync_mode_qlen => 2000,
+                    drop_mode_qlen => 2000,
+                    flush_qlen => 3000
+                },
+                formatter => {logger_logstash_formatter, #{}}
+            }}
+        ]}
+    ]},
+
+    {os_mon, [
+        % for better compatibility with busybox coreutils
+        {disksup_posix_only, true}
+    ]},
+
+    {scoper, [
+        {storage, scoper_storage_logger}
+    ]},
+
+    {how_are_you, [
+        {metrics_handlers, [
+            hay_vm_handler,
+            hay_cgroup_handler,
+            woody_api_hay
+        ]},
+        {metrics_publishers, []}
+    ]},
+
+    {snowflake, [{machine_id, 1}]},
+
+    {prometheus, [
+        {collectors, [default]}
+    ]}
+].
--- a/config/limiter/values.yaml.gotmpl
+++ b/config/limiter/values.yaml.gotmpl
@ -0,0 +1,88 @@
+# -*- mode: yaml -*-
+
+replicaCount: 1
+
+image:
+  repository: docker.io/rbkmoney/limiter
+  tag: c7e96068a56da444e78cc7739a902da8e268dc63
+  pullPolicy: IfNotPresent
+
+configMap:
+  data:
+    sys.config: |
+      {{- readFile "sys.config" | nindent 6 }}
+    erl_inetrc: |
+      {{- tpl (readFile "../vm/erl_inetrc.gotmpl") . | nindent 6 }}
+    vm.args: |
+      {{- tpl (readFile "../vm/erl_vm_args.gotmpl") . | nindent 6 }}
+
+metrics:
+  serviceMonitor:
+    enabled: false
+    namespace: {{ .Release.Namespace }}
+    additionalLabels:
+      release: prometheus
+
+volumeMounts:
+  - name: config-volume
+    mountPath: /opt/limiter/releases/0.1/sys.config
+    subPath: sys.config
+    readOnly: true
+  - name: config-volume
+    mountPath: /opt/limiter/releases/0.1/vm.args
+    subPath: vm.args
+    readOnly: true
+  - name: config-volume
+    mountPath: /opt/limiter/erl_inetrc
+    subPath: erl_inetrc
+    readOnly: true
+
+volumes:
+  - name: config-volume
+    configMap:
+      name: {{ .Release.Name }}
+
+
+{{ $domainWithNamespace := printf "%s.%s" .Release.Namespace .Values.services.ingress.rootDomain }}
+{{ $ingressDomain := .Values.services.ingress.namespacedDomain | ternary $domainWithNamespace .Values.services.ingress.rootDomain }}
+
+ingress:
+  enabled: true
+  annotations:
+{{- if .Values.services.ingress.tls.letsEncrypt.enabled }}
+    cert-manager.io/cluster-issuer: {{ .Values.services.ingress.tls.letsEncrypt.issuer }}
+{{- end }}
+    kubernetes.io/ingress.class: {{ .Values.services.ingress.class | quote }}
+  hosts:
+    - host: iddqd.{{ $ingressDomain | default "rbk.dev" }}
+      paths:
+        - /v1/limiter
+        - /v1/configurator
+{{- if .Values.services.ingress.tls.enabled }}
+  tls:
+  {{ if .Values.services.ingress.tls.letsEncrypt.enabled }}
+    - secretName: iddqd-{{ .Values.services.ingress.tls.secretName }}
+  {{- else }}
+    - secretName: {{ .Values.services.ingress.tls.secretName }}
+  {{- end }}
+      hosts:
+        - iddqd.{{ $ingressDomain | default "rbk.dev" }}
+{{- end }}
+  servicePort: 8022
+
+ciliumPolicies:
+  - filters:
+    - port: 8022
+      type: TCP
+    name: shumway
+    namespace: {{ .Release.Namespace }}
+  - filters:
+    - port: 8022
+      type: TCP
+    name: machinegun
+    namespace: {{ .Release.Namespace }}
+  - filters:
+    - port: 8022
+      type: TCP
+    name: xrates
+    namespace: {{ .Release.Namespace }}
--- a/config/machinegun/config.yaml.gotmpl
+++ b/config/machinegun/config.yaml.gotmpl
@ -140,7 +140,7 @@ namespaces:
        topic: mg-events-party
        client: default_kafka_client
    processor:
-      url: http://hellgate:8022/v1/stateproc/party
+      url: http://party-management:8022/v1/stateproc/party
      http_keep_alive_timeout: 3000ms
  url-shortener:
    timers: *default_timers_config
--- a/config/machinegun/values.yaml.gotmpl
+++ b/config/machinegun/values.yaml.gotmpl
@ -4,7 +4,7 @@ replicaCount: 1

 image:
  repository: docker.io/rbkmoney/machinegun
-  tag: b7a4e8e938a9857ed47d43701e7672fc9fefdf00
+  tag: 9c3248a68fe530d23a8266057a40a1a339a161b8
  pullPolicy: IfNotPresent

 configMap:
--- a/config/messages/values.yaml.gotmpl
+++ b/config/messages/values.yaml.gotmpl
@ -74,6 +74,9 @@ readinessProbe:
 #     flyway.schemas=msgs
 #     {{- end }}`}}

+{{ $domainWithNamespace := printf "%s.%s" .Release.Namespace .Values.services.ingress.rootDomain }}
+{{ $ingressDomain := .Values.services.ingress.namespacedDomain | ternary $domainWithNamespace .Values.services.ingress.rootDomain }}
+
 ingress:
  enabled: true
  annotations:
@ -82,18 +85,18 @@ ingress:
 {{- end }}
    kubernetes.io/ingress.class: {{ .Values.services.ingress.class | quote }}
  hosts:
-    - host: iddqd.{{ .Values.services.ingress.rootDomain | default "rbk.dev" }}
+    - host: iddqd.{{ $ingressDomain | default "rbk.dev" }}
      paths:
        - /v1/messages
 {{- if .Values.services.ingress.tls.enabled }}
  tls:
  {{ if .Values.services.ingress.tls.letsEncrypt.enabled }}
-    - secretName: {{ .Release.Name }}-{{ .Values.services.ingress.tls.secretName }}
+    - secretName: iddqd-{{ .Values.services.ingress.tls.secretName }}
  {{- else }}
    - secretName: {{ .Values.services.ingress.tls.secretName }}
  {{- end }}
      hosts:
-        - iddqd.{{ .Values.services.ingress.rootDomain | default "rbk.dev" }}
+        - iddqd.{{ $ingressDomain | default "rbk.dev" }}
 {{- end }}
  servicePort: 8022

--- a/config/papi/entrypoint.sh.gotmpl
+++ b/config/papi/entrypoint.sh.gotmpl
@ -1,3 +1,5 @@
+{{- $domainWithNamespace := printf "%s.%s" .Release.Namespace .Values.services.ingress.rootDomain -}}
+{{- $ingressDomain := .Values.services.ingress.namespacedDomain | ternary $domainWithNamespace .Values.services.ingress.rootDomain -}}
 #!/bin/sh
 set -ue

@ -27,7 +29,7 @@ java \
    --magista.url=http://magista:8022/stat \
    --shitter.url=http://payouter:8022/payout/management \
    --walker.url=http://walker:8022/walker \
-    --keycloak.auth-server-url=https://auth.{{ .Values.services.ingress.rootDomain | default "rbk.dev" }}/auth \
+    --keycloak.auth-server-url=https://auth.{{ $ingressDomain | default "rbk.dev" }}/auth \
    --keycloak.realm-public-key.file-path="/opt/papi/bin/secret" \
    --keycloak.realm=internal \
    --keycloak.resource=private-api \
--- a/config/papi/fetch-keycloak-pubkey.sh.gotmpl
+++ b/config/papi/fetch-keycloak-pubkey.sh.gotmpl
@ -1,3 +1,5 @@
+{{- $domainWithNamespace := printf "%s.%s" .Release.Namespace .Values.services.ingress.rootDomain -}}
+{{- $ingressDomain := .Values.services.ingress.namespacedDomain | ternary $domainWithNamespace .Values.services.ingress.rootDomain -}}
 #!/bin/sh

 set -o pipefail
@ -26,7 +28,7 @@ while true; do

    log INFO "Attempting to fetch Keycloak key..."

-    REALM_DATA=$(wget --quiet --timeout=10 "https://auth.{{ .Values.services.ingress.rootDomain | default "rbk.dev" }}/auth/realms/internal" -O -)
+    REALM_DATA=$(wget --quiet --timeout=10 "https://auth.{{ $ingressDomain | default "rbk.dev" }}/auth/realms/internal" -O -)
    EXIT_CODE=$?
    if [ "${EXIT_CODE}" -ne "0" ]; then
        REALM_FAIL=true
--- a/config/papi/values.yaml.gotmpl
+++ b/config/papi/values.yaml.gotmpl
@ -58,6 +58,9 @@ service:
    - name: api
      port: 8080

+{{ $domainWithNamespace := printf "%s.%s" .Release.Namespace .Values.services.ingress.rootDomain }}
+{{ $ingressDomain := .Values.services.ingress.namespacedDomain | ternary $domainWithNamespace .Values.services.ingress.rootDomain }}
+
 ingress:
  enabled: true
  annotations:
@ -69,26 +72,38 @@ ingress:
    nginx.ingress.kubernetes.io/rewrite-target: /api/v1/$1
    # nginx.ingress.kubernetes.io/app-root: /api/v1
  hosts:
-    - host: iddqd.{{ .Values.services.ingress.rootDomain | default "rbk.dev" }}
+    - host: iddqd.{{ $ingressDomain | default "rbk.dev" }}
      paths:
        - /papi/v1/(.+)
-    - host: idkfa.{{ .Values.services.ingress.rootDomain | default "rbk.dev" }}
+    - host: idkfa.{{ $ingressDomain | default "rbk.dev" }}
      paths:
        - /papi/v1
-    - host: dashboard.{{ .Values.services.ingress.rootDomain | default "rbk.dev" }}
+    - host: dashboard.{{ $ingressDomain | default "rbk.dev" }}
      paths:
        - /papi/v1
 {{- if .Values.services.ingress.tls.enabled }}
  tls:
  {{ if .Values.services.ingress.tls.letsEncrypt.enabled }}
-    - secretName: {{ .Release.Name }}-{{ .Values.services.ingress.tls.secretName }}
+    - secretName: iddqd-{{ .Values.services.ingress.tls.secretName }}
  {{- else }}
    - secretName: {{ .Values.services.ingress.tls.secretName }}
  {{- end }}
      hosts:
-        - iddqd.{{ .Values.services.ingress.rootDomain | default "rbk.dev" }}
-        - dashboard.{{ .Values.services.ingress.rootDomain | default "rbk.dev" }}
-        - iddqd.{{ .Values.services.ingress.rootDomain | default "rbk.dev" }}
+        - iddqd.{{ $ingressDomain | default "rbk.dev" }}
+  {{ if .Values.services.ingress.tls.letsEncrypt.enabled }}
+    - secretName: dashboard-{{ .Values.services.ingress.tls.secretName }}
+  {{- else }}
+    - secretName: {{ .Values.services.ingress.tls.secretName }}
+  {{- end }}
+      hosts:
+        - dashboard.{{ $ingressDomain | default "rbk.dev" }}
+  {{ if .Values.services.ingress.tls.letsEncrypt.enabled }}
+    - secretName: idkfa-{{ .Values.services.ingress.tls.secretName }}
+  {{- else }}
+    - secretName: {{ .Values.services.ingress.tls.secretName }}
+  {{- end }}
+      hosts:
+        - idkfa.{{ $ingressDomain | default "rbk.dev" }}
 {{- end }}
  servicePort: 8080

--- a/config/party-management/sys.config
+++ b/config/party-management/sys.config
@ -0,0 +1,91 @@
+%% -*- mode: erlang -*-
+[
+    {kernel, [
+        {logger_sasl_compatible, false},
+        {logger_level, info},
+        {logger, [
+            {handler, default, logger_std_h, #{
+                level => error,
+                config => #{
+                    type => standard_error
+                },
+                formatter => {logger_formatter, #{
+                    depth => 30
+                }}
+            }},
+            {handler, console_logger, logger_std_h, #{
+                level => debug,
+                config => #{
+                    type => standard_io,
+                    sync_mode_qlen => 20
+                },
+                formatter => {logger_logstash_formatter, #{}}
+            }}
+        ]}
+    ]},
+
+    {scoper, [
+        {storage, scoper_storage_logger}
+    ]},
+
+    {party_management, [
+        {scoper_event_handler_options, #{
+            event_handler_opts => #{
+                formatter_opts => #{
+                    max_length => 1000
+                }
+            }
+        }},
+        {services, #{
+            automaton        => "http://machinegun:8022/v1/automaton",
+            accounter        => "http://shumway:8022/shumpune"
+        }},
+        {cache_options, #{ %% see `pm_party_cache:cache_options/0`
+            memory => 209715200,  % 200Mb, cache memory quota in bytes
+            ttl => 3600,
+            size => 3000
+        }},
+        {health_check, #{
+            disk    => {erl_health, disk     , ["/", 99]},
+            memory  => {erl_health, cg_memory, [70]},
+            dmt_client => {dmt_client, health_check, []},
+            service => {erl_health, service  , [<<"party-management">>]}
+        }}
+    ]},
+
+    {dmt_client, [
+        {cache_update_interval, 5000}, % milliseconds
+        {max_cache_size, #{
+            elements => 20,
+            memory => 52428800 % 50Mb
+        }},
+        {woody_event_handlers, [
+            {scoper_woody_event_handler, #{
+                event_handler_opts => #{
+                    formatter_opts => #{
+                        max_length => 1000
+                    }
+                }
+            }}
+        ]},
+        {service_urls, #{
+            'Repository' => <<"http://dominant:8022/v1/domain/repository">>,
+            'RepositoryClient' => <<"http://dominant:8022/v1/domain/repository_client">>
+        }}
+    ]},
+
+    {how_are_you, [
+        {metrics_handlers, [
+            hay_vm_handler,
+            hay_cgroup_handler,
+            woody_api_hay
+        ]},
+        {metrics_publishers, []}
+    ]},
+
+    {snowflake, [{machine_id, 1}]},
+
+    {prometheus, [
+        {collectors, [default]}
+    ]}
+].
--- a/config/party-management/values.yaml.gotmpl
+++ b/config/party-management/values.yaml.gotmpl
@ -0,0 +1,86 @@
+# -*- mode: yaml -*-
+
+replicaCount: 1
+
+image:
+  repository: docker.io/rbkmoney/party-management
+  tag: 1431cc385e6950a9e28214ec6583eb7d04c5970b
+  pullPolicy: IfNotPresent
+
+configMap:
+  data:
+    sys.config: |
+      {{- readFile "sys.config" | nindent 6 }}
+    erl_inetrc: |
+      {{- tpl (readFile "../vm/erl_inetrc.gotmpl") . | nindent 6 }}
+    vm.args: |
+      {{- tpl (readFile "../vm/erl_vm_args.gotmpl") . | nindent 6 }}
+
+metrics:
+  serviceMonitor:
+    enabled: false
+    namespace: {{ .Release.Namespace }}
+    additionalLabels:
+      release: prometheus
+
+volumeMounts:
+  - name: config-volume
+    mountPath: /opt/party-management/releases/0.1/sys.config
+    subPath: sys.config
+    readOnly: true
+  - name: config-volume
+    mountPath: /opt/party-management/releases/0.1/vm.args
+    subPath: vm.args
+    readOnly: true
+  - name: config-volume
+    mountPath: /opt/party-management/erl_inetrc
+    subPath: erl_inetrc
+    readOnly: true
+
+volumes:
+  - name: config-volume
+    configMap:
+      name: {{ .Release.Name }}
+
+{{ $domainWithNamespace := printf "%s.%s" .Release.Namespace .Values.services.ingress.rootDomain }}
+{{ $ingressDomain := .Values.services.ingress.namespacedDomain | ternary $domainWithNamespace .Values.services.ingress.rootDomain }}
+
+ingress:
+  enabled: true
+  annotations:
+{{- if .Values.services.ingress.tls.letsEncrypt.enabled }}
+    cert-manager.io/cluster-issuer: {{ .Values.services.ingress.tls.letsEncrypt.issuer }}
+{{- end }}
+    kubernetes.io/ingress.class: {{ .Values.services.ingress.class | quote }}
+  hosts:
+    - host: iddqd.{{ $ingressDomain | default "rbk.dev" }}
+      paths:
+        - /v1/processing/partymgmt
+{{- if .Values.services.ingress.tls.enabled }}
+  tls:
+  {{ if .Values.services.ingress.tls.letsEncrypt.enabled }}
+    - secretName: iddqd-{{ .Values.services.ingress.tls.secretName }}
+  {{- else }}
+    - secretName: {{ .Values.services.ingress.tls.secretName }}
+  {{- end }}
+      hosts:
+        - iddqd.{{ $ingressDomain | default "rbk.dev" }}
+{{- end }}
+  servicePort: 8022
+
+ciliumPolicies:
+  - filters:
+    - port: 8022
+      type: TCP
+    name: shumway
+    namespace: {{ .Release.Namespace }}
+  - filters:
+    - port: 8022
+      type: TCP
+    name: machinegun
+    namespace: {{ .Release.Namespace }}
+  - filters:
+    - port: 8022
+      type: TCP
+    name: dominant
+    namespace: {{ .Release.Namespace }}
--- a/config/payform/appConfig.json.gotmpl
+++ b/config/payform/appConfig.json.gotmpl
@ -1,11 +1,13 @@
+{{ $domainWithNamespace := printf "%s.%s" .Release.Namespace .Values.services.ingress.rootDomain }}
+{{ $ingressDomain := .Values.services.ingress.namespacedDomain | ternary $domainWithNamespace .Values.services.ingress.rootDomain }}
 {
-    "applePayMerchantID": "merchant.{{ .Values.services.ingress.rootDomain | default "rbk.dev" }}",
+    "applePayMerchantID": "merchant.{{ $ingressDomain | default "rbk.dev" }}",
    "brandless": false,
-    "capiEndpoint": "https://api.{{ .Values.services.ingress.rootDomain | default "rbk.dev" }}",
+    "capiEndpoint": "https://api.{{ $ingressDomain | default "rbk.dev" }}",
    "fixedTheme": "",
    "googlePayGatewayMerchantID": "rbkmoneydevcheckout",
    "googlePayMerchantID": "15442243338125315447",
    "samsungPayMerchantName": "RBK.money",
    "samsungPayServiceID": "c9d337a160e242ba8322aa",
-    "wrapperEndpoint": "https://wrapper.{{ .Values.services.ingress.rootDomain | default "rbk.dev" }}/"
+    "wrapperEndpoint": "https://wrapper.{{ $ingressDomain | default "rbk.dev" }}/"
 }
--- a/config/payform/values.yaml.gotmpl
+++ b/config/payform/values.yaml.gotmpl
@ -47,6 +47,9 @@ readinessProbe:
  initialDelaySeconds: 30
  timeoutSeconds: 3

+{{ $domainWithNamespace := printf "%s.%s" .Release.Namespace .Values.services.ingress.rootDomain }}
+{{ $ingressDomain := .Values.services.ingress.namespacedDomain | ternary $domainWithNamespace .Values.services.ingress.rootDomain }}
+
 ingress:
  enabled: true
  annotations:
@ -60,7 +63,7 @@ ingress:
    nginx.ingress.kubernetes.io/configuration-snippet: |
       more_set_headers "Access-Control-Allow-Origin: $http_origin";
  hosts:
-    - host: checkout.{{ .Values.services.ingress.rootDomain | default "rbk.dev" }}
+    - host: checkout.{{ $ingressDomain | default "rbk.dev" }}
      paths:
        - /
 {{- if .Values.services.ingress.tls.enabled }}
@ -71,6 +74,6 @@ ingress:
    - secretName: {{ .Values.services.ingress.tls.secretName }}
  {{- end }}
      hosts:
-        - checkout.{{ .Values.services.ingress.rootDomain | default "rbk.dev" }}
+        - checkout.{{ $ingressDomain | default "rbk.dev" }}
 {{- end }}
  servicePort: 8080
--- a/config/questionary-aggr-proxy/values.yaml.gotmpl
+++ b/config/questionary-aggr-proxy/values.yaml.gotmpl
@ -4,7 +4,7 @@ replicaCount: 1

 image:
  repository: docker.io/rbkmoney/questionary-aggr-proxy
-  tag: 78b6d2f972a9f175ff075a3d9809439c190548d1
+  tag: 2961b3fa19d3b5e077de847d7e7172fd01a50a17
  pullPolicy: IfNotPresent

 runopts:
--- a/config/reporter/entrypoint.sh
+++ b/config/reporter/entrypoint.sh
@ -0,0 +1,58 @@
+#!/bin/sh
+set -ue
+
+java \
+    "-XX:OnOutOfMemoryError=kill %p" -XX:+HeapDumpOnOutOfMemoryError \
+    -jar \
+    /opt/reporter/reporter.jar \
+    --logging.config=/opt/reporter/logback.xml \
+    --management.security.flag=false \
+    --management.metrics.export.statsd.flavor=etsy \
+    --management.metrics.export.statsd.enabled=true \
+    --management.metrics.export.prometheus.enabled=true \
+    --management.endpoint.health.show-details=always \
+    --management.endpoint.metrics.enabled=true \
+    --management.endpoint.prometheus.enabled=true \
+    --management.endpoints.web.exposure.include=health,info,prometheus \
+    --spring.datasource.hikari.data-source-properties.prepareThreshold=0 \
+    --spring.datasource.hikari.leak-detection-threshold=5300 \
+    --spring.datasource.hikari.max-lifetime=300000 \
+    --spring.datasource.hikari.idle-timeout=30000 \
+    --spring.datasource.hikari.minimum-idle=2 \
+    --spring.datasource.hikari.maximum-pool-size=20 \
+    --spring.output.ansi.enabled=never \
+    --spring.quartz.jdbc.initialize-schema=never \
+    --spring.flyway.table=schema_version \
+    --partyManagement.url=http://hellgate:8022/v1/processing/partymgmt \
+    --partyManagement.timeout=30000 \
+    --magista.url=http://magista:8022/stat \
+    --magista.timeout=700000 \
+    --domainConfig.url=http://dominant:8022/v1/domain/repository \
+    --domainConfig.timeout=30000 \
+    --storage.endpoint=eu-central-1.linodeobjects.com \
+    --storage.signingRegion=EU \
+    --storage.bucketName=files \
+    --storage.accessKey=YOUR_S3_ACCESS_KEY \
+    --storage.secretKey=YOUR_S3_SECRET_KEY \
+    --storage.client.protocol=HTTP \
+    --payouter.polling.enabled=true \
+    --payouter.polling.url=http://payouter:8022/repo \
+    --hellgate.invoicing.url=http://hellgate:8022/v1/processing/invoicing \
+    --hellgate.invoicing.timeout=60000 \
+    --kafka.bootstrap-servers=kafka:9092 \
+    --kafka.topics.invoicing.enabled=true \
+    --kafka.topics.invoicing.id=mg-events-invoice \
+    --kafka.topics.invoicing.concurrency=10 \
+    --kafka.topics.invoicing.throttling-timeout-ms=0 \
+    --kafka.topics.invoicing.error-throttling-timeout-ms=1000 \
+    --kafka.topics.party-management.id=mg-events-party \
+    --kafka.topics.party-management.enabled=true \
+    --kafka.topics.party-management.concurrency=1 \
+    --kafka.client-id=reporter \
+    --kafka.consumer.group-id=ReporterGroup \
+    --kafka.consumer.max-poll-records=350 \
+    --kafka.consumer.max-poll-interval-ms=300000 \
+    --kafka.consumer.session-timeout-ms=300000 \
+    --kafka.consumer.auto-offset-reset=earliest \
+    ${@} \
+    --spring.config.additional-location=/vault/secrets/application.properties \
--- a/config/reporter/loggers.xml
+++ b/config/reporter/loggers.xml
@ -0,0 +1,4 @@
+<included>
+    <logger name="com.rbkmoney" level="INFO"/>
+    <logger name="com.rbkmoney.woody" level="INFO"/>
+</included>
--- a/config/reporter/values.yaml.gotmpl
+++ b/config/reporter/values.yaml.gotmpl
@ -0,0 +1,131 @@
+# -*- mode: yaml -*-
+
+replicaCount: 1
+
+image:
+  repository: rbkmoney/reporter
+  tag: 6872c8d1bdce6b4e1d9d5e8eabc462bb2c6daa71
+  pullPolicy: IfNotPresent
+
+runopts:
+  command: ["/opt/reporter/entrypoint.sh"]
+
+configMap:
+  data: 
+    entrypoint.sh: |
+      {{- readFile "entrypoint.sh" | nindent 6 }}
+    loggers.xml: |
+      {{- readFile "loggers.xml" | nindent 6 }}
+    logback.xml: |
+      {{- readFile "../logs/logback.xml" | nindent 6 }}
+
+volumes:
+  - name: config-volume
+    configMap:
+      name: {{ .Release.Name }}
+      defaultMode: 0755
+
+volumeMounts:
+  - name: config-volume
+    mountPath: /opt/reporter/entrypoint.sh
+    subPath: entrypoint.sh
+    readOnly: true
+  - name: config-volume
+    mountPath: /opt/reporter/logback.xml
+    subPath: logback.xml
+    readOnly: true
+  - name: config-volume
+    mountPath: /opt/reporter/loggers.xml
+    subPath: loggers.xml
+    readOnly: true
+
+service:
+  ports:
+    - name: api
+      port: 8022
+    - name: management
+      port: 8023
+
+livenessProbe:
+  httpGet:
+    path: /actuator/health
+    port: management
+
+readinessProbe:
+  httpGet:
+    path: /actuator/health
+    port: management
+
+podAnnotations:
+  vault.hashicorp.com/role: "db-app"
+  vault.hashicorp.com/agent-inject: "true"
+  vault.hashicorp.com/agent-inject-secret-application.properties: "database/creds/db-app-reporter"
+  vault.hashicorp.com/agent-inject-template-application.properties: |
+    {{`{{- with secret "database/creds/db-app-reporter" -}}
+    spring.datasource.url=jdbc:postgresql://postgres-postgresql:5432/reporter?sslmode=disable
+    spring.datasource.username={{ .Data.username }}
+    spring.datasource.password={{ .Data.password }}
+    flyway.url=jdbc:postgresql://postgres-postgresql:5432/reporter?sslmode=disable
+    flyway.user={{ .Data.username }}
+    flyway.password={{ .Data.password }}
+    flyway.schemas=rpt
+    {{- end }}`}}
+
+metrics:
+  serviceMonitor:
+    enabled: true
+    namespace: {{ .Release.Namespace }}
+    additionalLabels:
+      release: prometheus
+    endpoints:
+      - port: "management"
+        path: /actuator/prometheus
+        scheme: http
+
+ciliumPolicies:
+  - filters:
+    - port: 5432
+      type: TCP
+    name: postgres
+    namespace: {{ .Release.Namespace }}
+  - filters:
+    - port: 9092
+      rules:
+        kafka:
+        - role: consume
+          topics:
+            - mg-events-invoice
+            - mg-events-party
+      type: TCP
+    name: kafka
+    namespace: {{ .Release.Namespace }}
+  - filters:
+    - port: 9000
+      type: TCP
+    name: minio
+    namespace: {{ .Release.Namespace }}
+  - filters:
+    - port: 8200
+      type: TCP
+    name: vault
+    namespace: {{ .Release.Namespace }}
+  - filters:
+    - port: 8022
+      type: TCP
+    name: hellgate
+    namespace: {{ .Release.Namespace }}
+  - filters:
+    - port: 8022
+      type: TCP
+    name: magista
+    namespace: {{ .Release.Namespace }}
+  - filters:
+    - port: 8022
+      type: TCP
+    name: payouter
+    namespace: {{ .Release.Namespace }}
+  - filters:
+    - port: 8022
+      type: TCP
+    name: dominant
+    namespace: {{ .Release.Namespace }}
--- a/config/shumway/entrypoint.sh
+++ b/config/shumway/entrypoint.sh
@ -22,4 +22,4 @@ java \
    --spring.datasource.hikari.minimum-idle=2 \
    --spring.datasource.hikari.maximum-pool-size=20 \
    ${@} \
-    --spring.config.additional-location=/vault/secrets/application.properties
+    --spring.config.additional-location=/vault/secrets/application.properties \
--- a/config/test-transaction/values.yaml.gotmpl
+++ b/config/test-transaction/values.yaml.gotmpl
@ -15,15 +15,15 @@ service:
    - name: api
      port: 80

-livenessProbe:
+livenessProbe: 
  httpGet:
    port: api
-    path: /
+    path: /healthz

-readinessProbe:
+readinessProbe: 
  httpGet:
    port: api
-    path: /
+    path: /healthz

 volumeMounts:
  - name: config-volume
--- a/config/test-transaction/virtualhost.conf
+++ b/config/test-transaction/virtualhost.conf
@ -5,20 +5,26 @@ server {
  error_log /var/log/nginx/error.log;
  resolver kube-dns.kube-system.svc.cluster.local valid=20s;

-  location =/v1/processing/payment-resources {
-    set $capipciv1 capi-pcidss-v1.{{ .Release.Namespace | default "default" }}.svc.cluster.local;
-    proxy_pass http://$capipciv1:8080/v1/processing/payment-resources;
-  }
-  location =/v2/processing/payment-resources {
-    set $capipciv2 capi-pcidss-v2.{{ .Release.Namespace | default "default" }}.svc.cluster.local;
-    proxy_pass http://$capipciv2:8080/v2/processing/payment-resources;
-  }
-  location /v1 {
-    set $capiv1 capi-v1.{{ .Release.Namespace | default "default" }}.svc.cluster.local;
-    proxy_pass http://$capiv1:8080;
-  }
-  location /v2 {
-    set $capiv2 capi-v2.{{ .Release.Namespace | default "default" }}.svc.cluster.local;
-    proxy_pass http://$capiv2:8080;
-  }
-}
+      location =/v1/processing/invoice-templates {
+        set $capiv1 capi-v1.{{ .Release.Namespace | default "default" }}.svc.cluster.local;
+        proxy_pass http://$capiv1:8080/v1/processing/invoice-templates;
+      }
+
+      location =/v2/processing/payment-resources {
+        set $capipciv2 capi-pcidss-v2.{{ .Release.Namespace | default "default" }}.svc.cluster.local;
+        proxy_pass http://$capipciv2:8080/v2/processing/payment-resources;
+      }
+
+      location ^~ /v1 {
+        rewrite /v1/(.*)$ /v2/$1 last;
+      }
+
+      location /v2 {
+        set $capiv2 capi-v2.{{ .Release.Namespace | default "default" }}.svc.cluster.local;
+        proxy_pass http://$capiv2:8080;
+      }
+
+      location /healthz {
+      return 200;
+      }
+}
--- a/config/token-keeper/sys.config.gotmpl
+++ b/config/token-keeper/sys.config.gotmpl
@ -0,0 +1,204 @@
+{{ $domainWithNamespace := printf "%s.%s" .Release.Namespace .Values.services.ingress.rootDomain }}
+{{ $ingressDomain := .Values.services.ingress.namespacedDomain | ternary $domainWithNamespace .Values.services.ingress.rootDomain }}
+[
+
+    {token_keeper, [
+
+        {ip, "::"},
+        {port, 8022},
+        {services, #{
+            token_keeper => #{
+                path => <<"/v1/token-keeper">>
+            }
+        }},
+        {protocol_opts, #{
+            % How much to wait for another request before closing a keepalive connection? (ms)
+            request_timeout => 3000
+        }},
+        {transport_opts, #{
+            % Maximum number of simultaneous connections. (default = 1024)
+            max_connections => 8000,
+            % Size of the acceptor pool. (default = 10)
+            num_acceptors => 100
+        }},
+        % How much to wait for outstanding requests completion when asked to shut down? (ms)
+        {shutdown_timeout, 1000},
+
+        {audit, #{
+            % Audit logging.
+            log => #{
+                % Audit log level, ideally should be higher that `kernel.level`.
+                level => notice,
+                backend => #{
+                    type => standard_io
+                },
+                formatter => {logger_logstash_formatter, #{
+                    chars_limit => 4096,
+                    depth => unlimited
+                }}
+            }
+        }},
+
+        {woody_event_handlers, [
+            hay_woody_event_handler,
+            {scoper_woody_event_handler, #{
+                event_handler_opts => #{
+                    formatter_opts => #{
+                        max_length => 1000,
+                        max_printable_string_length => 80
+                    }
+                }
+            }}
+        ]},
+
+        {health_check, #{
+            disk    => {erl_health, disk     , ["/", 99]},
+            memory  => {erl_health, cg_memory, [70]},
+            service => {erl_health, service  , [<<"token-keeper">>]}
+        }},
+
+        {jwt, #{
+            keyset => #{
+                keycloak => #{
+                    source => {pem_file, "/var/lib/token-keeper/keys/keycloak/keycloak.pubkey.pem"},
+                    authority => keycloak
+                },
+                capi => #{
+                    source => {pem_file, "/var/lib/token-keeper/keys/capi.pubkey.pem"},
+                    authority => capi
+                },
+                wapi => #{
+                    source => {pem_file, "/var/lib/token-keeper/keys/wapi.pubkey.pem"},
+                    authority => wapi
+                },
+                apikeymgmt => #{
+                    source => {pem_file, "/var/lib/token-keeper/keys/apikeymgmt.privkey.pem"},
+                    authority => apikeymgmt
+                }
+            }
+        }},
+
+        {blacklist, #{
+            path => "/opt/token-keeper/token-blacklist.yaml"
+        }},
+
+        {issuing, #{
+            authority => apikeymgmt
+        }},
+
+        {authorities, #{
+            keycloak => #{
+                id => <<"com.rbkmoney.keycloak">>,
+                authdata_sources => [
+                    {extract, #{
+                        methods => [
+                            {detect_token, #{
+                                phony_api_key_opts => #{
+                                    metadata_mappings => #{
+                                        party_id => <<"com.rbkmoney.party.id">>
+                                    }
+                                },
+                                user_session_token_opts => #{
+                                    user_realm => <<"external">>,
+                                    metadata_mappings => #{
+                                        user_id => <<"com.rbkmoney.user.id">>,
+                                        user_email => <<"com.rbkmoney.user.email">>,
+                                        user_realm => <<"com.rbkmoney.user.realm">>
+                                    }
+                                },
+                                user_session_token_origins => [
+                                    <<"https://dashboard.{{ $ingressDomain | default "rbk.dev" }}">>,
+                                    <<"https://beta.dashboard.{{ $ingressDomain | default "rbk.dev" }}">>,
+                                    <<"https://old.dashboard.{{ $ingressDomain | default "rbk.dev" }}">>
+                                ]
+                            }}
+                        ]
+                    }}
+                ]
+            },
+            capi => #{
+                id => <<"com.rbkmoney.capi">>,
+                authdata_sources => [
+                    {claim, #{
+                        compatibility => {true, #{
+                            metadata_mappings => #{
+                                party_id => <<"com.rbkmoney.user.party.id">>,
+                                consumer => <<"com.rbkmoney.user.consumer">>
+                            }
+                        }}
+                    }},
+                    {extract, #{
+                        methods => [
+                            {invoice_template_access_token, #{
+                                domain => <<"common-api">>,
+                                metadata_mappings => #{
+                                    party_id => <<"com.rbkmoney.user.party.id">>
+                                }
+                            }}
+                        ]
+                    }}
+                ]
+            },
+            %% CAUTION: For whatever reason, capi keys are getting wapi authority encoded into them
+            wapi => #{
+                id => <<"com.rbkmoney.wapi">>,
+                authdata_sources => [
+                    {claim, #{
+                        compatibility => {true, #{
+                            metadata_mappings => #{
+                                party_id => <<"com.rbkmoney.user.party.id">>,
+                                consumer => <<"com.rbkmoney.user.consumer">>
+                            }
+                        }}
+                    }},
+                    {extract, #{
+                        methods => [
+                            {invoice_template_access_token, #{
+                                domain => <<"common-api">>,
+                                metadata_mappings => #{
+                                    party_id => <<"com.rbkmoney.user.party.id">>
+                                }
+                            }}
+                        ]
+                    }}
+                ]
+            },
+            apikeymgmt => #{
+                id => <<"com.rbkmoney.apikeymgmt">>,
+                signer => apikeymgmt,
+                authdata_sources => [
+                    {storage, {claim, #{}}}
+                ]
+            }
+        }}
+    ]},
+
+    {how_are_you, [
+        {metrics_publishers, []}
+    ]},
+
+    {os_mon, [
+        {disksup_posix_only, true}
+    ]},
+
+    {scoper, [
+        {storage, scoper_storage_logger}
+    ]},
+
+    {kernel, [
+        {logger_level, info},
+        {logger, [
+            {handler, default, logger_std_h, #{
+                level => debug,
+                config => #{
+                    type => standard_io,
+                    sync_mode_qlen => 2000,
+                    drop_mode_qlen => 2000,
+                    flush_qlen => 3000
+                },
+                formatter => {logger_logstash_formatter, #{}}
+            }}
+        ]}
+    ]}
+
+].
--- a/config/token-keeper/token-blacklist.yaml
+++ b/config/token-keeper/token-blacklist.yaml
@ -0,0 +1,17 @@
+title: Auth Token Blacklist
+description: >
+  Used for banning clients carrying specific auth tokens from using any of our
+  public APIs. Entries are separated by their respective authorities. Then, each
+  entry in a list is an _identifier_ of some auth token. Example:
+    entries:
+      keycloak:
+        - "token_a"
+        - "token_b"
+      apikeymgmt:
+        - "token_c"
+  Broadly speaking, what constitutes an _identifier_ depends on which _tokens_
+  are we talking about. Though for the foreseeable future, we consider only
+  JWTs where JWT's identifier is the value of the 'jti' claim.
+entries:
+  keycloak:
+    - "d48e07ec-4899-4338-965b-98752397f2c4"
--- a/config/token-keeper/values.yaml.gotmpl
+++ b/config/token-keeper/values.yaml.gotmpl
@ -0,0 +1,126 @@
+# -*- mode: yaml -*-
+
+replicaCount: 1
+
+image:
+  repository: docker.io/rbkmoney/token-keeper
+  tag: 8dca9ed3c8394566d64bfbb726fe22e8299bccdd
+  pullPolicy: IfNotPresent
+
+configMap:
+  data:
+    sys.config: |
+      {{- tpl (readFile "sys.config.gotmpl") . | nindent 6 }}
+    erl_inetrc: |
+      {{- tpl (readFile "../vm/erl_inetrc.gotmpl") . | nindent 6 }}
+    vm.args: |
+      {{- tpl (readFile "../vm/erl_vm_args.gotmpl") . | nindent 6 }}
+    token-blacklist.yaml: |
+      {{- readFile "token-blacklist.yaml" | nindent 6 }}
+    fetchKeycloakPubkey: |
+      {{- readFile "../api-common/fetch-keycloak-pubkey.sh" | nindent 6 }}
+
+secret:
+  data:
+    capi.pubkey.pem: |
+      {{- readFile "../api-common/keys/capi.pubkey.pem" | nindent 6 }}
+    wapi.pubkey.pem: |
+      {{- readFile "../api-common/keys/wapi.pubkey.pem" | nindent 6 }}
+    apikeymgmt.privkey.pem: |
+      {{- readFile "../api-common/keys/apikeymgmt.privkey.pem" | nindent 6 }}
+
+apiInitContainers:
+  enabled: true
+
+volumeMounts:
+  - name: config-volume
+    mountPath: /opt/token-keeper/releases/0.1.0/sys.config
+    subPath: sys.config
+    readOnly: true
+  - name: config-volume
+    mountPath: /opt/token-keeper/releases/0.1.0/vm.args
+    subPath: vm.args
+    readOnly: true
+  - name: config-volume
+    mountPath: /opt/token-keeper/erl_inetrc
+    subPath: erl_inetrc
+    readOnly: true
+  - name: config-volume
+    mountPath: /opt/token-keeper/token-blacklist.yaml
+    subPath: token-blacklist.yaml
+    readOnly: true
+  - name: secret
+    mountPath: /var/lib/token-keeper/keys
+    readOnly: true
+  - name: keycloak-pubkey
+    mountPath: /var/lib/token-keeper/keys/keycloak
+    readOnly: true
+
+volumes:
+  - name: config-volume
+    configMap:
+      name: {{ .Release.Name }}
+      defaultMode: 0755
+  - name: secret
+    secret:
+      secretName: {{ .Release.Name }}
+  - name: keycloak-pubkey
+    emptyDir: {}
+
+metrics:
+  serviceMonitor:
+    enabled: false
+    namespace: {{ .Release.Namespace }}
+    additionalLabels:
+      release: prometheus
+
+service:
+  type: ClusterIP
+  ports:
+    - name: api
+      port: 8080
+    - name: internal
+      port: 8022
+
+livenessProbe:
+  httpGet:
+    port: internal
+
+readinessProbe:
+  httpGet:
+    port: internal
+
+{{ $domainWithNamespace := printf "%s.%s" .Release.Namespace .Values.services.ingress.rootDomain }}
+{{ $ingressDomain := .Values.services.ingress.namespacedDomain | ternary $domainWithNamespace .Values.services.ingress.rootDomain }}
+
+ingress:
+  enabled: true
+  annotations:
+{{- if .Values.services.ingress.tls.letsEncrypt.enabled }}
+    cert-manager.io/cluster-issuer: {{ .Values.services.ingress.tls.letsEncrypt.issuer }}
+{{- end }}
+    nginx.ingress.kubernetes.io/cors-allow-headers: "DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Authorization,X-Request-ID"
+    kubernetes.io/ingress.class: {{ .Values.services.ingress.class | quote }}
+    nginx.ingress.kubernetes.io/enable-cors: "false"
+  hosts:
+    - host: shrt.{{ $ingressDomain | default "rbk.dev" }}
+      paths:
+        - /v1/token-keeper
+{{- if .Values.services.ingress.tls.enabled }}
+  tls:
+  {{ if .Values.services.ingress.tls.letsEncrypt.enabled }}
+    - secretName: shortener-{{ .Values.services.ingress.tls.secretName }}
+  {{- else }}
+    - secretName: {{ .Values.services.ingress.tls.secretName }}
+  {{- end }}
+      hosts:
+        - shrt.{{ $ingressDomain | default "rbk.dev" }}
+{{- end }}
+  servicePort: 8022
+
+ciliumPolicies:
+  - filters:
+    - port: 8022
+      type: TCP
+    name: machinegun
+    namespace: {{ .Release.Namespace }}
--- a/config/url-shortener/sys.config.gotmpl
+++ b/config/url-shortener/sys.config.gotmpl
@ -1,3 +1,5 @@
+{{ $domainWithNamespace := printf "%s.%s" .Release.Namespace .Values.services.ingress.rootDomain }}
+{{ $ingressDomain := .Values.services.ingress.namespacedDomain | ternary $domainWithNamespace .Values.services.ingress.rootDomain }}
 [
    {scoper, [
        {storage, scoper_storage_logger}
@ -16,7 +18,7 @@
            },
            short_url_template => #{
                scheme         => https,
-                netloc         => "shrt.{{ .Values.services.ingress.rootDomain | default "rbk.dev" }}",
+                netloc         => "shrt.{{ $ingressDomain | default "rbk.dev" }}",
                path           => "/"
            },
            source_url_whitelist => [
--- a/config/url-shortener/values.yaml.gotmpl
+++ b/config/url-shortener/values.yaml.gotmpl
@ -61,6 +61,9 @@ service:
    - name: internal
      port: 8022

+{{ $domainWithNamespace := printf "%s.%s" .Release.Namespace .Values.services.ingress.rootDomain }}
+{{ $ingressDomain := .Values.services.ingress.namespacedDomain | ternary $domainWithNamespace .Values.services.ingress.rootDomain }}
+
 ingress:
  enabled: true
  annotations:
@ -71,18 +74,18 @@ ingress:
    kubernetes.io/ingress.class: {{ .Values.services.ingress.class | quote }}
    nginx.ingress.kubernetes.io/enable-cors: "false"
  hosts:
-    - host: shrt.{{ .Values.services.ingress.rootDomain | default "rbk.dev" }}
+    - host: shrt.{{ $ingressDomain | default "rbk.dev" }}
      paths:
        - /
 {{- if .Values.services.ingress.tls.enabled }}
  tls:
  {{ if .Values.services.ingress.tls.letsEncrypt.enabled }}
-    - secretName: {{ .Release.Name }}-{{ .Values.services.ingress.tls.secretName }}
+    - secretName: shortener-{{ .Values.services.ingress.tls.secretName }}
  {{- else }}
    - secretName: {{ .Values.services.ingress.tls.secretName }}
  {{- end }}
      hosts:
-        - shrt.{{ .Values.services.ingress.rootDomain | default "rbk.dev" }}
+        - shrt.{{ $ingressDomain | default "rbk.dev" }}
 {{- end }}
  servicePort: 8080

--- a/config/vault-cm/values.yaml.gotmpl
+++ b/config/vault-cm/values.yaml.gotmpl
@ -19,7 +19,7 @@ configMap:
        GRANT ALL ON schema shm TO \"{{`{{name}}`}}\";
        GRANT ALL ON ALL TABLES IN SCHEMA shm TO \"{{`{{name}}`}}\";
        GRANT ALL ON ALL SEQUENCES IN SCHEMA shm TO \"{{`{{name}}`}}\";" \
-        default_ttl="1h" \
+        default_ttl="10h" \
        max_ttl="240h"

      vault write database/config/hooker \
@ -36,7 +36,7 @@ configMap:
        GRANT ALL ON schema hook TO \"{{`{{name}}`}}\";
        GRANT ALL ON ALL TABLES IN SCHEMA hook TO \"{{`{{name}}`}}\";
        GRANT ALL ON ALL SEQUENCES IN SCHEMA hook TO \"{{`{{name}}`}}\";" \
-        default_ttl="1h" \
+        default_ttl="10h" \
        max_ttl="240h"

      vault write database/config/messages \
@ -48,7 +48,7 @@ configMap:
      vault write database/roles/db-app-messages \
        db_name=messages \
        creation_statements="CREATE ROLE \"{{`{{name}}`}}\" WITH LOGIN PASSWORD '{{`{{password}}`}}' IN ROLE messages VALID UNTIL '{{`{{expiration}}`}}';" \
-        default_ttl="1h" \
+        default_ttl="10h" \
        max_ttl="240h"

      vault write database/config/payouter \
@ -65,7 +65,7 @@ configMap:
        GRANT ALL ON SCHEMA sht TO \"{{`{{name}}`}}\";
        GRANT ALL ON ALL TABLES IN SCHEMA sht TO \"{{`{{name}}`}}\";
        GRANT ALL ON ALL SEQUENCES IN SCHEMA sht TO \"{{`{{name}}`}}\";" \
-        default_ttl="1h" \
+        default_ttl="10h" \
        max_ttl="240h"

      vault write database/config/magista \
@ -82,7 +82,7 @@ configMap:
        GRANT ALL ON SCHEMA mst TO \"{{`{{name}}`}}\";
        GRANT ALL ON ALL TABLES IN SCHEMA mst TO \"{{`{{name}}`}}\";
        GRANT ALL ON ALL SEQUENCES IN SCHEMA mst TO \"{{`{{name}}`}}\";" \
-        default_ttl="1h" \
+        default_ttl="10h" \
        max_ttl="240h"

      vault write database/config/analytics \
@ -99,7 +99,7 @@ configMap:
        GRANT ALL ON SCHEMA analytics TO \"{{`{{name}}`}}\";
        GRANT ALL ON ALL TABLES IN SCHEMA analytics TO \"{{`{{name}}`}}\";
        GRANT ALL ON ALL SEQUENCES IN SCHEMA analytics TO \"{{`{{name}}`}}\";" \
-        default_ttl="1h" \
+        default_ttl="10h" \
        max_ttl="240h"

      vault write database/config/claim-management \
@ -116,7 +116,7 @@ configMap:
        GRANT ALL ON SCHEMA cm TO \"{{`{{name}}`}}\";
        GRANT ALL ON ALL TABLES IN SCHEMA cm TO \"{{`{{name}}`}}\";
        GRANT ALL ON ALL SEQUENCES IN SCHEMA cm TO \"{{`{{name}}`}}\";" \
-        default_ttl="1h" \
+        default_ttl="10h" \
        max_ttl="240h"

      vault write database/config/questionary \
@ -133,7 +133,7 @@ configMap:
        GRANT ALL ON SCHEMA qs TO \"{{`{{name}}`}}\";
        GRANT ALL ON ALL TABLES IN SCHEMA qs TO \"{{`{{name}}`}}\";
        GRANT ALL ON ALL SEQUENCES IN SCHEMA qs TO \"{{`{{name}}`}}\";" \
-        default_ttl="1h" \
+        default_ttl="10h" \
        max_ttl="240h"

      vault write database/config/reporter \
@ -150,7 +150,7 @@ configMap:
        GRANT ALL ON SCHEMA rpt TO \"{{`{{name}}`}}\";
        GRANT ALL ON ALL TABLES IN SCHEMA rpt TO \"{{`{{name}}`}}\";
        GRANT ALL ON ALL SEQUENCES IN SCHEMA rpt TO \"{{`{{name}}`}}\";" \
-        default_ttl="1h" \
+        default_ttl="10h" \
        max_ttl="240h"

      vault write database/config/fistful-magista \
@ -167,7 +167,7 @@ configMap:
        GRANT ALL ON SCHEMA mst TO \"{{`{{name}}`}}\";
        GRANT ALL ON ALL TABLES IN SCHEMA mst TO \"{{`{{name}}`}}\";
        GRANT ALL ON ALL SEQUENCES IN SCHEMA mst TO \"{{`{{name}}`}}\";" \
-        default_ttl="1h" \
+        default_ttl="10h" \
        max_ttl="240h"

      vault write database/config/fbmgmt \
@ -184,7 +184,7 @@ configMap:
        GRANT ALL ON SCHEMA af TO \"{{`{{name}}`}}\";
        GRANT ALL ON ALL TABLES IN SCHEMA af TO \"{{`{{name}}`}}\";
        GRANT ALL ON ALL SEQUENCES IN SCHEMA af TO \"{{`{{name}}`}}\";" \
-        default_ttl="1h" \
+        default_ttl="10h" \
        max_ttl="240h"

      vault secrets enable kv
--- a/config/wapi-pcidss-v0/sys.config
+++ b/config/wapi-pcidss-v0/sys.config
@ -55,6 +55,7 @@
        {realm, <<"external">>},
        {public_endpoint, <<"http://wapi">>},
        {access_conf, #{
+            signee => capi,
            jwt => #{
                keyset => #{
                    keycloak => {pem_file, "/var/lib/wapi/keys/keycloak/keycloak.pubkey.pem"},
@ -62,29 +63,50 @@
                }
            }
        }},
-        {service_urls, #{
-            cds_storage         => "http://cds:8022/v2/storage",
-            binbase             => "http://binbaser:8022/v1/binbase",
-            identdoc_storage    => "http://cds:8022/v1/identity_document_storage"
-        }},
        {health_checkers, [
            {erl_health, disk     , ["/", 99]   },
            {erl_health, cg_memory, [99]        },
            {erl_health, service  , [<<"wapi-pcidss">>]}
        ]},
        {lechiffre_opts,  #{
-            encryption_key_path => {json, {file, <<"/var/lib/wapi/keys/token_encryption_key1.jwk">>}},
-            decryption_key_paths => [{json, {file, <<"/var/lib/wapi/keys/token_encryption_key1.jwk">>}}]
-        }},
-        {validation, #{
-            env => #{now => {{2020, 03, 01}, {0, 0, 0}}}
+            encryption_source => {json, {file, <<"/var/lib/wapi/keys/token_encryption_key1.jwk">>}},
+            decryption_sources => [{json, {file, <<"/var/lib/wapi/keys/token_encryption_key1.jwk">>}}]
        }}
    ]},

-    {snowflake, [
-        {machine_id, hostname_hash}
+    {wapi_woody_client, [
+        {service_urls, #{
+            cds_storage         => "http://cds:8022/v2/storage",
+            binbase             => "http://binbase:8022/v1/binbase",
+            identdoc_storage    => "http://cds:8022/v1/identity_document_storage"
+        }}
    ]},

+    {dmt_client, [
+        {cache_update_interval, 5000}, % milliseconds
+        {cache_server_call_timeout, 30000}, % milliseconds
+        {max_cache_size, #{
+            elements => 80,
+            memory => 209715200 % 200Mb
+        }},
+        {woody_event_handlers, [
+            {scoper_woody_event_handler, #{
+                event_handler_opts => #{
+                    formatter_opts => #{
+                        max_length => 1000,
+                        max_printable_string_length => 80
+                    }
+                }
+            }}
+        ]},
+        {service_urls, #{
+            'Repository'       => <<"http://dominant:8022/v1/domain/repository">>,
+            'RepositoryClient' => <<"http://dominant:8022/v1/domain/repository_client">>
+        }}
+    ]},
+
+    {snowflake, [{machine_id, 1}]},
+
    {prometheus, [
        {collectors, [default]}
    ]}
--- a/config/wapi-pcidss-v0/values.yaml.gotmpl
+++ b/config/wapi-pcidss-v0/values.yaml.gotmpl
@ -2,7 +2,7 @@

 image:
  repository: docker.io/rbkmoney/wapi
-  tag: d115d1933b58fcc2e94c1af7df5a58e1e04dc364
+  tag: 5909eba3e4ee8f0c27db5fa02e91f49f6a7dd74b
  pullPolicy: IfNotPresent

 configMap:
@ -57,6 +57,16 @@ volumes:
  - name: keycloak-pubkey
    emptyDir: {}

+service:
+  type: ClusterIP
+  ports:
+    - name: api
+      port: 8080
+
+
+{{ $domainWithNamespace := printf "%s.%s" .Release.Namespace .Values.services.ingress.rootDomain }}
+{{ $ingressDomain := .Values.services.ingress.namespacedDomain | ternary $domainWithNamespace .Values.services.ingress.rootDomain }}
+
 ingress:
  enabled: true
  annotations:
@ -70,19 +80,19 @@ ingress:
    nginx.ingress.kubernetes.io/configuration-snippet: |
       more_set_headers "Access-Control-Allow-Origin: $http_origin";
  hosts:
-    - host: api.{{ .Values.services.ingress.rootDomain | default "rbk.dev" }}
+    - host: api.{{ $ingressDomain | default "rbk.dev" }}
      paths: 
        - /privdoc/v0
        - /payres/v0
 {{- if .Values.services.ingress.tls.enabled }}
  tls:
  {{ if .Values.services.ingress.tls.letsEncrypt.enabled }}
-    - secretName: {{ .Release.Name }}-{{ .Values.services.ingress.tls.secretName }}
+    - secretName: api-{{ .Values.services.ingress.tls.secretName }}
  {{- else }}
    - secretName: {{ .Values.services.ingress.tls.secretName }}
  {{- end }}
      hosts:
-        - api.{{ .Values.services.ingress.rootDomain | default "rbk.dev" }}
+        - api.{{ $ingressDomain | default "rbk.dev" }}
 {{- end }}
  servicePort: 8080

--- a/config/wapi-v0/sys.config
+++ b/config/wapi-v0/sys.config
@ -90,12 +90,13 @@
            504 => "/var/lib/wapi/oops-bodies/oopsBody2"
        }},
        {health_check, #{
-            service => {erl_health, service, [<<"wapi-v0">>]}
+            disk    => {erl_health, disk     , ["/", 99]},
+            memory  => {erl_health, cg_memory, [70]},
+            service => {erl_health, service  , [<<"wapi-v0">>]}
        }},
        {file_storage_url_lifetime, 60}, % seconds
        {lechiffre_opts, #{
-            encryption_key_path => {json, {file, <<"/var/lib/wapi/keys/token_encryption_key1.jwk">>}},
-            decryption_key_paths => [
+            decryption_sources => [
                {json, {file, <<"/var/lib/wapi/keys/token_encryption_key1.jwk">>}}
            ]
        }},
@ -108,12 +109,12 @@

    {wapi_woody_client, [
        {service_urls, #{
-            webhook_manager      => <<"http://wallets_hooker:8022/wallets-hooker/v1/hook">>,
+            webhook_manager      => <<"http://wallets-hooker:8022/wallets-hooker/v1/hook">>,
            cds_storage          => <<"http://cds:8022/v2/storage">>,
            identdoc_storage     => <<"http://cds:8022/v1/identity_document_storage">>,
-            fistful_stat         => <<"http://fistful_magista:8022/stat">>,
-            fistful_report       => <<"http://fistful_reporter:8022/fistful/reports">>,
-            file_storage         => <<"http://file_storage:8022/file_storage">>,
+            fistful_stat         => <<"http://fistful-magista:8022/stat">>,
+            fistful_report       => <<"http://fistful-reporter:8022/fistful/reports">>,
+            file_storage         => <<"http://file-storage:8022/file_storage">>,
            fistful_wallet       => <<"http://fistful:8022/v1/wallet">>,
            fistful_identity     => <<"http://fistful:8022/v1/identity">>,
            fistful_destination  => <<"http://fistful:8022/v1/destination">>,
--- a/config/wapi-v0/values.yaml.gotmpl
+++ b/config/wapi-v0/values.yaml.gotmpl
@ -1,8 +1,9 @@
+
 # -*- mode: yaml -*-

 image:
  repository: docker.io/rbkmoney/wapi-v0
-  tag: e6206e686b23cef36e98c24aa5d28df8e56017bc
+  tag: fab27c234ed818e594912cbc647dc15fbf55218d
  pullPolicy: IfNotPresent

 configMap:
@ -78,11 +79,14 @@ service:
 livenessProbe:
  httpGet:
    path: /health
-    port: management
+    port: api
 readinessProbe:
  httpGet:
    path: /health
-    port: management
+    port: api
+
+{{ $domainWithNamespace := printf "%s.%s" .Release.Namespace .Values.services.ingress.rootDomain }}
+{{ $ingressDomain := .Values.services.ingress.namespacedDomain | ternary $domainWithNamespace .Values.services.ingress.rootDomain }}

 ingress:
  enabled: true
@ -94,21 +98,23 @@ ingress:
    kubernetes.io/ingress.class: "nginx"
    nginx.ingress.kubernetes.io/cors-allow-methods: "PUT, GET, POST, OPTIONS"
    nginx.ingress.kubernetes.io/cors-allow-credentials: "true"
+    nginx.ingress.kubernetes.io/cors-allow-headers: "content-type,content-disposition,authorization,x-request-id"
    nginx.ingress.kubernetes.io/configuration-snippet: |
-       more_set_headers "Access-Control-Allow-Origin: $http_origin";
+       more_set_headers 'Access-Control-Allow-Methods: PUT, GET, POST, OPTIONS' "Access-Control-Allow-Origin: $http_origin";
  hosts:
-    - host: api.{{ .Values.services.ingress.rootDomain | default "rbk.dev" }}
+    - host: api.{{ $ingressDomain | default "rbk.dev" }}
      paths:
        - /wapi
+        - /wallet
 {{- if .Values.services.ingress.tls.enabled }}
  tls:  
  {{ if .Values.services.ingress.tls.letsEncrypt.enabled }}
-    - secretName: {{ .Release.Name }}-{{ .Values.services.ingress.tls.secretName }}
+    - secretName: api-{{ .Values.services.ingress.tls.secretName }}
  {{- else }}
    - secretName: {{ .Values.services.ingress.tls.secretName }}
  {{- end }}
      hosts:
-        - api.{{ .Values.services.ingress.rootDomain | default "rbk.dev" }}
+        - api.{{ $ingressDomain | default "rbk.dev" }}
 {{- end }}
  servicePort: 8080

--- a/config/weezing/appConfig.json.gotmpl
+++ b/config/weezing/appConfig.json.gotmpl
@ -1,7 +1,9 @@
+{{- $domainWithNamespace := printf "%s.%s" .Release.Namespace .Values.services.ingress.rootDomain }}
+{{- $ingressDomain := .Values.services.ingress.namespacedDomain | ternary $domainWithNamespace .Values.services.ingress.rootDomain }}
 {
 {{- if .Values.services.ingress.tls.enabled }}
-    "papiEndpoint": "https://idkfa.{{ .Values.services.ingress.rootDomain | default "rbk.dev" }}/papi/v1"
+    "papiEndpoint": "https://idkfa.{{ $ingressDomain | default "rbk.dev" }}/papi/v1"
 {{- else }}
-    "papiEndpoint": "http://idkfa.{{ .Values.services.ingress.rootDomain | default "rbk.dev" }}/papi/v1"
+    "papiEndpoint": "http://idkfa.{{ $ingressDomain | default "rbk.dev" }}/papi/v1"
 {{- end }}
 }
--- a/config/weezing/authConfig.json.gotmpl
+++ b/config/weezing/authConfig.json.gotmpl
@ -1,6 +1,8 @@
+{{- $domainWithNamespace := printf "%s.%s" .Release.Namespace .Values.services.ingress.rootDomain }}
+{{- $ingressDomain := .Values.services.ingress.namespacedDomain | ternary $domainWithNamespace .Values.services.ingress.rootDomain }}
 {
    "realm": "internal",
-    "auth-server-url": "https://auth.{{ .Values.services.ingress.rootDomain | default "rbk.dev" }}/auth/",
+    "auth-server-url": "https://auth.{{ $ingressDomain | default "rbk.dev" }}/auth/",
    "ssl-required": "external",
    "resource": "weezing",
    "public-client": true
--- a/config/weezing/values.yaml.gotmpl
+++ b/config/weezing/values.yaml.gotmpl
@ -53,6 +53,9 @@ readinessProbe:
  initialDelaySeconds: 30
  timeoutSeconds: 3

+{{ $domainWithNamespace := printf "%s.%s" .Release.Namespace .Values.services.ingress.rootDomain }}
+{{ $ingressDomain := .Values.services.ingress.namespacedDomain | ternary $domainWithNamespace .Values.services.ingress.rootDomain }}
+
 ingress:
  enabled: true
  annotations:
@ -67,17 +70,17 @@ ingress:
    nginx.ingress.kubernetes.io/configuration-snippet: |
       more_set_headers "Access-Control-Allow-Origin: $http_origin";
  hosts:
-    - host: idkfa.{{ .Values.services.ingress.rootDomain | default "rbk.dev" }}
+    - host: idkfa.{{ $ingressDomain | default "rbk.dev" }}
      paths:
        - /
 {{- if .Values.services.ingress.tls.enabled }}
  tls:
  {{ if .Values.services.ingress.tls.letsEncrypt.enabled }}
-    - secretName: {{ .Release.Name }}-{{ .Values.services.ingress.tls.secretName }}
+    - secretName: idkfa-{{ .Values.services.ingress.tls.secretName }}
  {{- else }}
    - secretName: {{ .Values.services.ingress.tls.secretName }}
  {{- end }}
      hosts:
-        - idkfa.{{ .Values.services.ingress.rootDomain | default "rbk.dev" }}
+        - idkfa.{{ $ingressDomain | default "rbk.dev" }}
 {{- end }}
  servicePort: 8080
--- a/default.values.yaml
+++ b/default.values.yaml
@ -1,29 +1,50 @@
+# Deploy CiliumNetworkPolicies if you already use cilium as cni
 cilium:
  enabled: false
+# Deploy ECK https://www.elastic.co/guide/en/cloud-on-k8s/current/index.html 
+# include operator,elastic,kibana,filebeats
 elk:
  enabled: false
+# Deploy Prometheus operator in monitoring namespace. 
+# Must have as we use ServiceMonitor by CRD in setup with processing services
 prometheus:
  enabled: false
+# Deploy nginx Ingresscontroller. 
+# We use and recommend https://github.com/kubernetes/ingress-nginx/ coz we have 
+# a lot sublocation on same host on different services
+# and we do not fell in love with minion config by nginx official controller
 ingress:
  enabled: false
+# OUR setup is in baremetal, so there is ip which bind to ingresscontroller
  ip: 'someip'
+# Deploy certmaanger operator. But you still need setup you Issuer or ClusterIssuer for certmanager
 certmanager:
  enabled: false

+# Section of common settings for some services
 services:
  global:
+# Set to "true" if your cluster CIDR only ipv6 family
    ipv6only: false
  
  vault:
    dev: true

  ingress:
+# Ingressclass if have more than one controller:
    class: "nginx"
+# root domain with will be used for services subdomain:
    rootDomain: some-site.ru
+# If true ingress will be rendered with name of namespace. For example, if deploy
+# in Namespace test api will be available at api.test.some-site.ru
+    namespacedDomain: false
    tls:
      enabled: false
+# Use certmanager annotations for tls certificate
      letsEncrypt:
        enabled: false
        issuer: ""
+# Put here name of secret with wildcard cert for services.ingress.rootDomain if you have one.
+# If use Lets Encrypt for cert this value will be used as suffix for secrets with certs
      secretName: sometlssecret

--- a/devstand.rbk.yaml
+++ b/devstand.rbk.yaml
@ -0,0 +1,30 @@
+cilium:
+  enabled: false
+elk:
+  enabled: false
+prometheus:
+  enabled: false
+ingress:
+  enabled: false
+  ip: 'someip'
+certmanager:
+  enabled: false
+
+services:
+  global:
+    ipv6only: true
+  
+  vault:
+    dev: true
+
+  ingress:
+    class: "nginx"
+    rootDomain: dev.rbk.mn
+    namespacedDomain: true
+    tls:
+      enabled: false
+      letsEncrypt:
+        enabled: false
+        issuer: "letsencrypt-staging"
+      secretName: devstand
+
--- a/environments.yaml
+++ b/environments.yaml
@ -5,4 +5,6 @@ environments:
    values:
      - default.values.yaml
  devstand:
+    values:
+      - devstand.rbk.yaml
  production:
--- a/helmfile-infra.lock
+++ b/helmfile-infra.lock
@ -1,13 +1,10 @@
 version: v0.140.0
 dependencies:
- name: elk
-  repository: https://rbkmoney.github.io/charts
-  version: 0.1.5
- name: ingress-nginx
-  repository: https://kubernetes.github.io/ingress-nginx
-  version: 4.0.1
+- name: kube-prometheus-stack
+  repository: https://prometheus-community.github.io/helm-charts
+  version: 18.0.5
 - name: netpolicy
  repository: https://rbkmoney.github.io/charts
  version: 0.1.14
-digest: sha256:e2548803992017dd694868336da9a3993b4ae205ac029e041d220df6779ec2ee
-generated: "2021-08-25T17:06:29.154322+03:00"
+digest: sha256:c9f0356038a75ab2f3d76699408b5db4add8d6f01ca6d9d3fb55cc9e4cb6182f
+generated: "2021-09-09T19:15:03.586698+03:00"
--- a/helmfile-infra.yaml
+++ b/helmfile-infra.yaml
@ -11,16 +11,26 @@ repositories:
  url: https://kubernetes.github.io/ingress-nginx
 - name: certmanager
  url: https://charts.jetstack.io
+- name: prometheus-community
+  url: https://prometheus-community.github.io/helm-charts

 releases:
+{{- if eq .Values.ingress.enabled true }}
 - name: ingress
-  installed: {{ .Values.ingress.enabled }}
  <<: *infra_default
-  chart: ingress-nginx/ingress-nginx  
+  chart: ingress-nginx/ingress-nginx
+{{- end }}
+{{- if eq .Values.prometheus.enabled true }}
+- name: prometheus
+  <<: *infra_default
+  chart: prometheus-community/kube-prometheus-stack
+  namespace: monitoring
+{{- end }}
+{{- if eq .Values.elk.enabled true }}
 - name: logs
-  installed: {{ .Values.elk.enabled }}
  <<: *infra_default
  chart: rbkmoney/elk
+{{- end }}
 - name: netpolicy
  installed: {{ .Values.cilium.enabled }}
  <<: *infra_default
@ -30,4 +40,4 @@ releases:
  <<: *infra_default
  namespace: cert-manager
  chart: certmanager/cert-manager
-{{- end }}
+{{- end }}
--- a/helmfile-prometheus.lock
+++ b/helmfile-prometheus.lock
@ -1,7 +0,0 @@
-version: v0.137.0
-dependencies:
- name: kube-prometheus-stack
-  repository: https://prometheus-community.github.io/helm-charts
-  version: 13.13.0
-digest: sha256:3f0f9a266b49b60eaaee7376657a39b393f92254d0c234c9bd818ceef66c3a64
-generated: "2021-02-26T00:57:42.1115+03:00"
--- a/helmfile-prometheus.yaml
+++ b/helmfile-prometheus.yaml
@ -1,16 +0,0 @@
-bases:
-  - environments.yaml
---
-
-{{ readFile "hf-templates.yaml" }}
-
-repositories:
- name: prometheus-community
-  url: https://prometheus-community.github.io/helm-charts
-
-releases:
- name: prometheus
-  <<: *infra_default
-  chart: prometheus-community/kube-prometheus-stack
-  namespace: monitoring
-
--- a/helmfile.lock
+++ b/helmfile.lock
@ -11,7 +11,7 @@ dependencies:
  version: 12.7.3
 - name: keycloak
  repository: https://codecentric.github.io/helm-charts
-  version: 14.0.1
+  version: 15.0.2
 - name: postgresql
  repository: https://charts.bitnami.com/bitnami
  version: 9.7.2
@ -153,8 +153,29 @@ dependencies:
 - name: stateless
  repository: https://rbkmoney.github.io/charts
  version: 0.1.18
+- name: stateless
+  repository: https://rbkmoney.github.io/charts
+  version: 0.1.18
+- name: stateless
+  repository: https://rbkmoney.github.io/charts
+  version: 0.1.18
+- name: stateless
+  repository: https://rbkmoney.github.io/charts
+  version: 0.1.18
+- name: stateless
+  repository: https://rbkmoney.github.io/charts
+  version: 0.1.18
+- name: stateless
+  repository: https://rbkmoney.github.io/charts
+  version: 0.1.18
+- name: stateless
+  repository: https://rbkmoney.github.io/charts
+  version: 0.1.18
+- name: stateless
+  repository: https://rbkmoney.github.io/charts
+  version: 0.1.18
 - name: vault
  repository: https://helm.releases.hashicorp.com
-  version: 0.11.0
-digest: sha256:aec6606f1b3dd5e6ad764b5827f9e3b914bf2576b4ca5c73c66fbd251396882b
-generated: "2021-08-25T17:10:36.554803+03:00"
+  version: 0.15.0
+digest: sha256:fafb11cc92200741c3e5611cf74243894aa43507f35bb1cceac3d643479102fc
+generated: "2021-09-09T19:15:29.886974+03:00"
--- a/helmfile.yaml
+++ b/helmfile.yaml
@ -25,10 +25,6 @@ repositories:
 # Path to the helmfile state file being processed BEFORE releases in this state file
 helmfiles:
  - path: helmfile-infra.yaml
-{{- if and (eq .Values.prometheus.enabled true) ( eq .Namespace "") }}
-  - path: helmfile-prometheus.yaml
-{{- end }}
-

 releases:
 #External releases
@ -50,7 +46,6 @@ releases:
 - name: vault
  <<: *default
  chart: hashicorp/vault
-  version: 0.11.0
  needs:
  - {{ .Namespace | default "default" }}/postgres
  - {{ .Namespace | default "default" }}/vault-cm
@ -123,11 +118,15 @@ releases:
  <<: *generic_stateless_json
  needs:
    - {{ .Namespace | default "default" }}/dominant
- name: capi-pcidss-v2
+- name: limiter
+  <<: *generic_stateless_json
+- name: party-management
+  <<: *generic_stateless_json
+- name: token-keeper
  <<: *generic_stateless_json
  needs:
-    - {{ .Namespace | default "default" }}/keycloak
- name: capi-pcidss-v1
+    - {{ .Namespace | default "default" }}/dominant
+- name: capi-pcidss-v2
  <<: *generic_stateless_json
  needs:
    - {{ .Namespace | default "default" }}/keycloak
@ -144,12 +143,10 @@ releases:
  needs:
    - {{ .Namespace | default "default" }}/keycloak
 - name: wapi-pcidss-v0
-  installed: false
  <<: *generic_stateless_json
  needs:
   - {{ .Namespace | default "default" }}/keycloak
 - name: wapi-v0
-  installed: false
  <<: *generic_stateless_json
  needs:
    - {{ .Namespace | default "default" }}/keycloak
@ -180,6 +177,10 @@ releases:
  <<: *generic_stateless_json
  needs:
    - {{ .Namespace | default "default" }}/keycloak
+- name: weezing
+  <<: *generic_stateless_json
+  needs:
+    - {{ .Namespace | default "default" }}/keycloak
 - name: dashboard
  <<: *generic_stateless_json
  needs:
@ -267,3 +268,15 @@ releases:
  - {{ .Namespace | default "default" }}/dominant
  - {{ .Namespace | default "default" }}/magista
  - {{ .Namespace | default "default" }}/hellgate
+- name: reporter
+  <<: *generic_stateless
+  needs:
+    - {{ .Namespace | default "default" }}/vault
+    - {{ .Namespace | default "default" }}/kafka
+    - {{ .Namespace | default "default" }}/hellgate
+    - {{ .Namespace | default "default" }}/magista
+    - {{ .Namespace | default "default" }}/dominant
+- name: bouncer
+  <<: *generic_stateless_json
+- name: bouncer-policies
+  <<: *generic_stateless_json
--- a/tools/cold_reset.sh
+++ b/tools/cold_reset.sh
@ -1,3 +1,4 @@
+#!/bin/bash
 export MINIKUBE_MEMORY=${MINIKUBE_MEMORY:-8000}
 export MINIKUBE_CPUS=${MINIKUBE_CPUS:-5}
 export MINIKUBE_DISK_SIZE=${MINIKUBE_DISK_SIZE:-61g}
--- a/tools/quick_reset.sh
+++ b/tools/quick_reset.sh
@ -1,3 +1,4 @@
+#!/bin/bash
 # Do not re-download images
 # authored by Dmitry Skokov <d.skokov@rbkmoney.com>
 helmfile delete \
@ -5,4 +6,4 @@ helmfile delete \
 && kubectl delete deploy,rs,pvc,pv,svc,crd,ing,sts,job,cj,cm,secret,sa --all \
 && minikube ssh -- sudo rm -rf /tmp/hostpath-provisioner/default \
 && kubectl delete mutatingwebhookconfigurations,validatingwebhookconfigurations prometheus-prometheus-oper-admission || echo "prometheus webhooks already deleted" \
-&& kubectl delete ns monitoring elastic-system || echo "namespaces not found" \
+&& kubectl delete ns monitoring elastic-system || echo "namespaces not found"