diff --git a/lma/base/resources.yaml b/lma/base/resources.yaml index e7ac50f..8ebde07 100644 --- a/lma/base/resources.yaml +++ b/lma/base/resources.yaml @@ -10,7 +10,7 @@ spec: type: helmrepo repository: https://harbor.taco-cat.xyz/chartrepo/tks name: kube-prometheus-stack - version: 44.3.1 + version: 48.3.1 origin: https://prometheus-community.github.io/helm-charts helmVersion: v3 releaseName: prometheus-operator-crds @@ -29,7 +29,7 @@ spec: type: helmrepo repository: https://harbor.taco-cat.xyz/chartrepo/tks name: kube-prometheus-stack - version: 44.3.1 + version: 48.3.1 origin: https://prometheus-community.github.io/helm-charts releaseName: prometheus-operator targetNamespace: lma @@ -71,29 +71,25 @@ spec: enabled: true image: repository: tks/prometheus-operator - tag: v0.52.0 + tag: v0.66.0 admissionWebhooks: patch: image: repository: tks/kube-webhook-certgen - tag: v1.0 + tag: v20221220-controller-v1.5.1-58-g787ea74b6 prometheusConfigReloader: image: repository: tks/prometheus-config-reloader - tag: v0.52.0 + tag: v0.66.0 thanosImage: repository: tks/thanos - tag: v0.30.2 + tag: v0.31.0 nodeSelector: {} # TO_BE_FIXED createCustomResource: true cleanupCustomResource: true cleanupCustomResourceBeforeInstall: true prometheus: enabled: false - prometheusSpec: - image: - repository: tks/prometheus - tag: v2.31.1 wait: true --- apiVersion: helm.fluxcd.io/v1 @@ -108,7 +104,7 @@ spec: type: helmrepo repository: https://harbor.taco-cat.xyz/chartrepo/tks name: kube-prometheus-stack - version: 44.3.1 + version: 48.3.1 origin: https://prometheus-community.github.io/helm-charts releaseName: prometheus targetNamespace: lma @@ -123,7 +119,7 @@ spec: alertmanagerSpec: image: repository: tks/alertmanager - tag: v0.23.0 + tag: v0.25.0 nodeSelector: {} # TO_BE_FIXED retention: TO_BE_FIXED @@ -238,7 +234,7 @@ spec: prometheusSpec: image: repository: tks/prometheus - tag: v2.31.1 + tag: v2.45.0 retention: TO_BE_FIXED storageSpec: volumeClaimTemplate: 
diff --git a/service-mesh/base/resources.yaml b/service-mesh/base/resources.yaml index 8df5713..6d04499 100644 --- a/service-mesh/base/resources.yaml +++ b/service-mesh/base/resources.yaml @@ -718,3 +718,33 @@ spec: optimization: interval: "5s" wait: true +--- +apiVersion: helm.fluxcd.io/v1 +kind: HelmRelease +metadata: + labels: + name: gatekeeper + name: gatekeeper +spec: + helmVersion: v3 + chart: + type: helmrepo + repository: https://harbor.taco-cat.xyz/chartrepo/tks + name: gatekeeper + version: 0.1.39 + origin: https://gogatekeeper.github.io/helm-gogatekeeper + releaseName: gatekeeper + targetNamespace: tks-msa + values: + image: + registry: harbor.taco-cat.xyz + repository: tks/gatekeeper + service: + type: LoadBalancer + config: + discovery-url: https://tks-console-dev.taco-cat.xyz/auth/realms/organization + upstream-url: http://jaeger-operator-jaeger-query.tks-msa.svc:16686 + client-id: gatekeeper-jaeger + client-secret: secret + wait: true + diff --git a/service-mesh/base/site-values.yaml b/service-mesh/base/site-values.yaml index ef7c8de..324cc2f 100644 --- a/service-mesh/base/site-values.yaml +++ b/service-mesh/base/site-values.yaml @@ -15,6 +15,9 @@ global: tks-egressgateway: enabled ingressGatewayLabel: istio-ingressgateway egressGatewayLabel: istio-egressgateway + keycloakIssuerUri: https://keycloak.com/auth/realms/oraganization + keycloakClientPrefix: client-prefix + gatekeeperSecret: gatekeeper-secret charts: - name: cert-manager @@ -96,7 +99,7 @@ charts: global.hub: $(imageRepo) global.proxy.clusterDomain: $(clusterName) global.tracer.zipkin.address: jaeger-operator-jaeger-collector.$(namespace):9411 - + - name: istio-ingressgateway override: revision: "" @@ -242,3 +245,11 @@ charts: namespace: tks-msa aggregation.interval: "15s" optimization.interval: "15s" + +- name: gatekeeper + override: + config: + discovery-url: $(keycloakIssuerUri) + client-id: $(keycloakClientPrefix)-gatekeeper-jaeger + client-secret: $(gatekeeperSecret) + 
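Review bot: `client-secret: secret` in the new gatekeeper HelmRelease puts the OIDC client secret in plain Helm values, so it is stored in git and readable by anyone who can read HelmRelease objects in the namespace. The same applies to the `gatekeeperSecret: gatekeeper-secret` default and the `client-secret: $(gatekeeperSecret)` override in service-mesh/base/site-values.yaml. Helm Operator's `spec.valuesFrom` with a `secretKeyRef` would let the value come from a Kubernetes Secret instead, and the base could carry `TO_BE_FIXED` as other site-specific fields in this repo do, so an unrendered default is never a guessable secret. Separately, `service.type: LoadBalancer` exposes the proxy directly and no TLS setting is visible in these values; it is worth confirming that TLS is terminated somewhere in front of it, otherwise session cookies and authorization codes would travel in clear text.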
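Review bot: The default `keycloakIssuerUri: https://keycloak.com/auth/realms/oraganization` in site-values.yaml points at a real external domain and misspells `organization`, so a site that forgets to override it would have gatekeeper run OIDC discovery against a host this project presumably does not control. A default that cannot resolve is safer, for example `keycloakIssuerUri: TO_BE_FIXED` as used for other site-specific fields in this repo, or a reserved name such as `https://keycloak.example.com/auth/realms/organization`. The `global:` block starts outside the hunk, so any validation of these values elsewhere is not visible here.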
diff --git a/tks-admin-tools/base/resources.yaml b/tks-admin-tools/base/resources.yaml index abb5ef6..8f5b1b2 100644 --- a/tks-admin-tools/base/resources.yaml +++ b/tks-admin-tools/base/resources.yaml @@ -28,10 +28,6 @@ spec: enabled: true ingressClassName: nginx # tunable hostname: TO_BE_FIXED - annotations: - nginx.ingress.kubernetes.io/proxy-buffer-size: 20k - acme.cert-manager.io/http01-edit-in-place: "true" - cert-manager.io/cluster-issuer: http0issuer tls: true selfSigned: false cache: