diff --git a/.circleci/values/hydra.yaml b/.circleci/values/hydra.yaml index cc34aaf091..dcddd11c71 100644 --- a/.circleci/values/hydra.yaml +++ b/.circleci/values/hydra.yaml @@ -8,7 +8,7 @@ hydra: autoMigrate: true dangerousForceHttp: true config: - dsn: "postgres://ory:ory@postgresql.default.svc.cluster.local/ory?sslmode=disable&max_conn_lifetime=10s" + dsn: "postgres://postgres:ory@postgresql.default.svc.cluster.local/ory?sslmode=disable&max_conn_lifetime=10s" secrets: system: - "OG5XbmxXa3dYeGplQXpQanYxeEFuRUFa" diff --git a/.circleci/values/keto.yaml b/.circleci/values/keto.yaml index 61286e7a1c..bf45e17a4d 100644 --- a/.circleci/values/keto.yaml +++ b/.circleci/values/keto.yaml @@ -2,7 +2,7 @@ keto: autoMigrate: true config: - dsn: "postgres://ory:ory@postgresql.default.svc.cluster.local/ory?sslmode=disable&max_conn_lifetime=10s" + dsn: "postgres://postgres:ory@postgresql.default.svc.cluster.local/ory?sslmode=disable&max_conn_lifetime=10s" ingress: read: enabled: true diff --git a/.circleci/values/kratos.yaml b/.circleci/values/kratos.yaml index f06a1231a2..32fdef1821 100644 --- a/.circleci/values/kratos.yaml +++ b/.circleci/values/kratos.yaml @@ -43,7 +43,7 @@ kratos: config: # ciphers: # algorithm: aes - dsn: "postgres://ory:ory@postgresql.default.svc.cluster.local/ory?sslmode=disable&max_conn_lifetime=10s" + dsn: "postgres://postgres:ory@postgresql.default.svc.cluster.local/ory?sslmode=disable&max_conn_lifetime=10s" selfservice: default_browser_return_url: http://127.0.0.1:4455/ methods: diff --git a/.circleci/values/postgres.yaml b/.circleci/values/postgres.yaml index 66ae31d2e7..e02bca8a44 100644 --- a/.circleci/values/postgres.yaml +++ b/.circleci/values/postgres.yaml @@ -1,3 +1,5 @@ -postgresqlUsername: ory -postgresqlPassword: ory -postgresqlDatabase: ory +global: + postgresql: + auth: + database: ory + postgresPassword: ory 
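Review bot: The DSNs in hydra.yaml, keto.yaml and kratos.yaml now connect as the `postgres` superuser, because the postgres.yaml hunk sets only `database` and `postgresPassword` and no longer creates an application role. With superuser rights in CI, a migration or query that needs more privilege than a normal role has will pass here and only fail under a restricted account. If the PostgreSQL chart version in use supports it, adding `username: ory` and `password: ory` under `global.postgresql.auth` would let the three DSNs stay on `ory:ory`. The literal password and `sslmode=disable` are pre-existing and only tolerable because these are CI fixtures; a one-line comment at the top of postgres.yaml such as `# CI-only credentials, never reuse outside the test cluster` would make that explicit.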
diff --git a/helm/charts/kratos/templates/service-admin.yaml b/helm/charts/kratos/templates/service-admin.yaml index b037103662..911ea3c29d 100644 --- a/helm/charts/kratos/templates/service-admin.yaml +++ b/helm/charts/kratos/templates/service-admin.yaml @@ -33,6 +33,7 @@ metadata: name: {{ include "kratos.fullname" . }}-admin namespace: {{ .Release.Namespace }} labels: + app.kubernetes.io/component: admin {{ include "kratos.labels" . | indent 4 }} {{- with .Values.service.admin.annotations }} annotations: diff --git a/helm/charts/oathkeeper/templates/deployment-controller.yaml b/helm/charts/oathkeeper/templates/deployment-controller.yaml index ff1eee2d1e..2dc9108db7 100644 --- a/helm/charts/oathkeeper/templates/deployment-controller.yaml +++ b/helm/charts/oathkeeper/templates/deployment-controller.yaml @@ -106,6 +106,9 @@ spec: - name: http-proxy containerPort: {{ .Values.oathkeeper.config.serve.proxy.port }} protocol: TCP + - name: http-metrics + protocol: TCP + containerPort: {{ .Values.oathkeeper.config.serve.prometheus.port }} livenessProbe: httpGet: path: /health/alive diff --git a/helm/charts/oathkeeper/templates/deployment-sidecar.yaml b/helm/charts/oathkeeper/templates/deployment-sidecar.yaml index 441dbcbcfb..2a420772d0 100644 --- a/helm/charts/oathkeeper/templates/deployment-sidecar.yaml +++ b/helm/charts/oathkeeper/templates/deployment-sidecar.yaml @@ -85,6 +85,9 @@ spec: - name: http-proxy containerPort: {{ .Values.oathkeeper.config.serve.proxy.port }} protocol: TCP + - name: http-metrics + protocol: TCP + containerPort: {{ .Values.oathkeeper.config.serve.prometheus.port }} livenessProbe: httpGet: path: /health/alive diff --git a/helm/charts/oathkeeper/templates/service-api.yaml b/helm/charts/oathkeeper/templates/service-api.yaml index 731e485767..49e78a1afc 100644 --- a/helm/charts/oathkeeper/templates/service-api.yaml +++ b/helm/charts/oathkeeper/templates/service-api.yaml 
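Review bot: The new `http-metrics` port in deployment-controller.yaml, and the identical entry in deployment-sidecar.yaml, reads `.Values.oathkeeper.config.serve.prometheus.port` with no guard. Values that lack the new `prometheus` key (for instance a release upgraded with `--reuse-values`, which does not pick up new chart defaults) would leave the template without a port to render. Wrapping the entry in `{{- with .Values.oathkeeper.config.serve.prometheus }}` … `{{- end }}` and using `containerPort: {{ .port }}` inside would skip it cleanly in that case. The entry also lists `protocol` before `containerPort`, the reverse of the `http-proxy` entry just above it. The `ports:` list begins outside both hunks.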
@@ -7,6 +7,7 @@ metadata: namespace: {{ .Release.Namespace }} {{- end }} labels: + app.kubernetes.io/component: api {{ include "oathkeeper.labels" . | indent 4 }} {{- with .Values.service.api.labels }} {{- toYaml . | nindent 4 }} diff --git a/helm/charts/oathkeeper/templates/service-metrics.yaml b/helm/charts/oathkeeper/templates/service-metrics.yaml new file mode 100644 index 0000000000..6d64e5cce9 --- /dev/null +++ b/helm/charts/oathkeeper/templates/service-metrics.yaml 
@@ -0,0 +1,55 @@ +--- +apiVersion: v1 +kind: Service +metadata: + name: {{ include "oathkeeper.fullname" . }}-metrics + {{- if .Release.Namespace }} + namespace: {{ .Release.Namespace }} + {{- end }} + labels: + app.kubernetes.io/component: metrics +{{ include "oathkeeper.labels" . | indent 4 }} + {{- with .Values.service.metrics.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.service.metrics.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + type: {{ .Values.service.metrics.type }} + ports: + - port: {{ .Values.service.metrics.port }} + targetPort: http-metrics + protocol: TCP + name: {{ .Values.service.metrics.name }} + selector: + app.kubernetes.io/name: {{ include "oathkeeper.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} +{{- if .Capabilities.APIVersions.Has "monitoring.coreos.com/v1" }} +--- +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: {{ include "oathkeeper.fullname" . }}-metrics + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/component: metrics +{{ include "oathkeeper.labels" . | indent 4 }} + {{- with .Values.service.metrics.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.service.metrics.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + endpoints: + - path: /metrics/prometheus + port: {{ .Values.service.metrics.name }} + selector: + matchLabels: + app.kubernetes.io/name: {{ include "oathkeeper.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/component: metrics +{{- end -}} \ No newline at end of file diff --git a/helm/charts/oathkeeper/templates/service-proxy.yaml b/helm/charts/oathkeeper/templates/service-proxy.yaml index 83562c16cc..b25bf8b0b8 100644 --- a/helm/charts/oathkeeper/templates/service-proxy.yaml +++ b/helm/charts/oathkeeper/templates/service-proxy.yaml 
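Review bot: Nothing in this new template checks `.Values.service.metrics.enabled`, so the metrics Service (and the ServiceMonitor, when the CRD is present) is always created even if an operator sets the flag to `false` in values.yaml. A Prometheus endpoint typically serves internal request and rule data without authentication, so the off switch should work: open the file with `{{- if .Values.service.metrics.enabled }}` and close it with a matching `{{- end }}`. The ServiceMonitor also reuses the Service's `annotations` value and omits the `{{- if .Release.Namespace }}` guard that the Service has. The file ends without a trailing newline.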
@@ -7,6 +7,7 @@ metadata: namespace: {{ .Release.Namespace }} {{- end }} labels: + app.kubernetes.io/component: proxy {{ include "oathkeeper.labels" . | indent 4 }} {{- with .Values.service.proxy.labels }} {{- toYaml . | nindent 4 }} diff --git a/helm/charts/oathkeeper/values.yaml b/helm/charts/oathkeeper/values.yaml index f4a34738e2..393cf51cfa 100644 --- a/helm/charts/oathkeeper/values.yaml +++ b/helm/charts/oathkeeper/values.yaml @@ -13,7 +13,7 @@ image: # -- ORY Oathkeeper image repository: oryd/oathkeeper # -- ORY Oathkeeper version - tag: v0.38.9-beta.1 + tag: v0.38.17-beta.1 # -- Image pull policy pullPolicy: IfNotPresent @@ -48,13 +48,12 @@ service: name: http # -- If you do want to specify annotations, uncomment the following # lines, adjust them as necessary, and remove the curly braces after 'annotations:'. - annotations: {} # kubernetes.io/ingress.class: nginx # kubernetes.io/tls-acme: "true" + annotations: {} + # -- If you do want to specify additional labels, uncomment the following lines, adjust them as necessary, and remove the curly braces after 'labels:'. + # e.g. app: oathkeeper labels: {} - # If you do want to specify additional labels, uncomment the following - # lines, adjust them as necessary, and remove the curly braces after 'labels:'. - # e.g. app: oathkeeper # -- Configures the Kubernetes service for the api port. api: 
@@ -68,13 +67,31 @@ service: name: http # -- If you do want to specify annotations, uncomment the following # lines, adjust them as necessary, and remove the curly braces after 'annotations:'. + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: "true" annotations: {} + # -- If you do want to specify additional labels, uncomment the following lines, adjust them as necessary, and remove the curly braces after 'labels:'. + # e.g. app: oathkeeper + labels: {} + + # -- Configures the Kubernetes service for the metrics port. + metrics: + # -- En-/disable the service + enabled: true + # -- The service type + type: ClusterIP + # -- The service port + port: 80 + # -- The service port name. Useful to set a custom service port name if it must follow a scheme (e.g. Istio) + name: http + # -- If you do want to specify annotations, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'annotations:'. # kubernetes.io/ingress.class: nginx # kubernetes.io/tls-acme: "true" + annotations: {} + # -- If you do want to specify additional labels, uncomment the following lines, adjust them as necessary, and remove the curly braces after 'labels:'. + # e.g. app: oathkeeper labels: {} - # If you do want to specify additional labels, uncomment the following - # lines, adjust them as necessary, and remove the curly braces after 'labels:'. - # e.g. app: oathkeeper # -- Configure ingress ingress: @@ -134,6 +151,8 @@ oathkeeper: port: 4455 api: port: 4456 + prometheus: + port: 9000 # -- If set, uses the given JSON Web Key Set as the signing key for the ID Token Mutator. mutatorIdTokenJWKs: {} # -- If set, uses the given access rules.
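Review bot: The comments on the new `metrics` block do not say how exposed the endpoint should be, and the example annotations (`kubernetes.io/ingress.class`, `kubernetes.io/tls-acme`) are Ingress settings copied from the blocks above that invite putting the metrics port behind a public ingress. I would change the type comment to `# -- The service type. Keep ClusterIP unless Prometheus scrapes from outside the cluster` and drop the two ingress example lines from this block. The `prometheus:` / `port: 9000` pair added in the last hunk carries no `# --` doc comment; `# -- Port the Prometheus metrics endpoint listens on` would do.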