--- charts-original/values.yaml
+++ charts/values.yaml
@@ -152,12 +152,10 @@
 # type: [null, string]
 # @schema
 override: ~
- repository: "quay.io/cilium/cilium"
+ repository: "rancher/mirrored-cilium-cilium"
 tag: "v1.16.4"
 pullPolicy: "IfNotPresent"
- # cilium-digest
- digest: "sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf"
- useDigest: true
+ useDigest: false
 # -- Affinity for cilium-agent.
 affinity:
 podAntiAffinity:
@@ -581,7 +579,10 @@
 # - flannel
 # - generic-veth
 # - portmap
- chainingMode: ~
+
+ # Otherwise rke2 hostPort does not work! Used for nginx
+ chainingMode: portmap
+
 # @schema
 # type: [null, string]
 # @schema
@@ -1013,10 +1014,9 @@
 # type: [null, string]
 # @schema
 override: ~
- repository: "quay.io/cilium/certgen"
+ repository: "rancher/mirrored-cilium-certgen"
 tag: "v0.2.0"
- digest: "sha256:169d93fd8f2f9009db3b9d5ccd37c2b753d0989e1e7cd8fe79f9160c459eef4f"
- useDigest: true
+ useDigest: false
 pullPolicy: "IfNotPresent"
 # -- Seconds after which the completed job pod will be deleted
 ttlSecondsAfterFinished: 1800
@@ -1037,7 +1037,7 @@
 affinity: {}
 hubble:
 # -- Enable Hubble (true by default).
- enabled: true
+ enabled: false
 # -- Annotations to be added to all top-level hubble objects (resources under templates/hubble)
 annotations: {}
 # -- Buffer size of the channel Hubble uses to receive monitor events. If this
@@ -1317,11 +1317,9 @@
 # type: [null, string]
 # @schema
 override: ~
- repository: "quay.io/cilium/hubble-relay"
+ repository: "rancher/mirrored-cilium-hubble-relay"
 tag: "v1.16.4"
- # hubble-relay-digest
- digest: "sha256:fb2c7d127a1c809f6ba23c05973f3dd00f6b6a48e4aee2da95db925a4f0351d2"
- useDigest: true
+ useDigest: false
 pullPolicy: "IfNotPresent"
 # -- Specifies the resources for the hubble-relay pods
 resources: {}
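Review bot: Setting `useDigest: false` and deleting the `digest` line in the `@@ -152` hunk leaves the agent image identified only by the mutable tag `v1.16.4`, so a re-pushed tag on the mirror would be pulled with no content check. The same change is repeated in the certgen, hubble-relay, hubble-ui-backend, hubble-ui, cilium-envoy, operator, preflight and clustermesh-apiserver hunks. If the mirror's digests are available, keep `useDigest: true` with `digest: "sha256:<digest-of-mirrored-image>"`; otherwise a comment such as `# digest pinning dropped: <reason>` would record that the loss of pinning is deliberate. The image mapping starts above the hunk.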
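Review bot: The comment added above `chainingMode: portmap` in the `@@ -581` hunk does not say which workload needs hostPort, and the blank line added before it separates the key from the option list documented above it (that comment block starts outside the hunk). If "nginx" means the ingress controller shipped with RKE2, a line such as `# RKE2: hostPort (needed by the ingress-nginx controller) only works with portmap chaining.` placed directly above the key, without the leading blank line, would keep the description attached and make the reason clear.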
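Review bot: The context comment `# -- Enable Hubble (true by default).` in the `@@ -1037` hunk now contradicts the value beneath it, because the new line sets `enabled: false`. Update it to match, for example `# -- Enable Hubble (disabled by default in this chart).`, as the patch already does for the Envoy default further down. Operators who rely on Hubble flow records for network visibility would otherwise assume it is on.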
@@ -1566,10 +1564,9 @@
 # type: [null, string]
 # @schema
 override: ~
- repository: "quay.io/cilium/hubble-ui-backend"
+ repository: "rancher/mirrored-cilium-hubble-ui-backend"
 tag: "v0.13.1"
- digest: "sha256:0e0eed917653441fded4e7cdb096b7be6a3bddded5a2dd10812a27b1fc6ed95b"
- useDigest: true
+ useDigest: false
 pullPolicy: "IfNotPresent"
 # -- Hubble-ui backend security context.
 securityContext: {}
@@ -1600,10 +1597,9 @@
 # type: [null, string]
 # @schema
 override: ~
- repository: "quay.io/cilium/hubble-ui"
+ repository: "rancher/mirrored-cilium-hubble-ui"
 tag: "v0.13.1"
- digest: "sha256:e2e9313eb7caf64b0061d9da0efbdad59c6c461f6ca1752768942bfeda0796c6"
- useDigest: true
+ useDigest: false
 pullPolicy: "IfNotPresent"
 # -- Hubble-ui frontend security context.
 securityContext: {}
@@ -1777,7 +1773,7 @@
 ipam:
 # -- Configure IP Address Management mode.
 # ref: https://docs.cilium.io/en/stable/network/concepts/ipam/
- mode: "cluster-pool"
+ mode: "kubernetes"
 # -- Maximum rate at which the CiliumNode custom resource is updated.
 ciliumNodeUpdateRate: "15s"
 operator:
@@ -2071,7 +2067,7 @@
 port: 6060
 # -- Configure prometheus metrics on the configured port at /metrics
 prometheus:
- enabled: false
+ enabled: true
 port: 9962
 serviceMonitor:
 # -- Enable service monitors.
@@ -2135,9 +2131,9 @@
 # type: [null, boolean]
 # @schema
 # -- Enable Envoy Proxy in standalone DaemonSet.
- # This field is enabled by default for new installation.
- # @default -- `true` for new installation
- enabled: ~
+ # This field is disabled by default.
+ # @default -- `false`
+ enabled: false
 # -- (int)
 # Set Envoy'--base-id' to use when allocating shared memory regions.
 # Only needs to be changed if multiple Envoy instances will run on the same node and may have conflicts. Supported values: 0 - 4294967295. Defaults to '0'
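Review bot: `enabled: true` under `prometheus:` in the `@@ -2071` hunk turns on the `/metrics` listener on port 9962 by default, and nothing visible in the hunk limits who can reach it. If the agent runs on the host network, as it does in the upstream chart, the endpoint is served on each node's own address. A comment such as `# Enabled by default in this chart; limit access to port 9962 to the monitoring stack.` would make the exposure explicit for whoever sets the node firewall rules. The enclosing mapping starts above the hunk.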
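Review bot: The `@@ -2135` hunk rewrites the doc comment for the new `enabled: false` default but gives no reason for it. With the standalone DaemonSet off, upstream Cilium runs Envoy inside the agent pod, so L7 parsing of workload traffic shares the agent's privileges instead of being isolated in a pod of its own. A line such as `# Disabled here because <reason>; set to true to run Envoy in a separate DaemonSet.` would record the trade-off.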
@@ -2168,11 +2164,10 @@
 # type: [null, string]
 # @schema
 override: ~
- repository: "quay.io/cilium/cilium-envoy"
+ repository: "rancher/mirrored-cilium-cilium-envoy"
 tag: "v1.30.7-1731393961-97edc2815e2c6a174d3d12e71731d54f5d32ea16"
 pullPolicy: "IfNotPresent"
- digest: "sha256:0287b36f70cfbdf54f894160082f4f94d1ee1fb10389f3a95baa6c8e448586ed"
- useDigest: true
+ useDigest: false
 # -- Additional containers added to the cilium Envoy DaemonSet.
 extraContainers: []
 # -- Additional envoy container arguments.
@@ -2483,17 +2478,9 @@
 # type: [null, string]
 # @schema
 override: ~
- repository: "quay.io/cilium/operator"
+ repository: "rancher/mirrored-cilium-operator"
 tag: "v1.16.4"
- # operator-generic-digest
- genericDigest: "sha256:c55a7cbe19fe0b6b28903a085334edb586a3201add9db56d2122c8485f7a51c5"
- # operator-azure-digest
- azureDigest: "sha256:475594628af6d6a807d58fcb6b7d48f5a82e0289f54ae372972b1d0536c0b6de"
- # operator-aws-digest
- awsDigest: "sha256:355051bbebab73ea3067bb7f0c28cfd43b584d127570cb826f794f468e2d31be"
- # operator-alibabacloud-digest
- alibabacloudDigest: "sha256:8d59d1c9043d0ccf40f3e16361e5c81e8044cb83695d32d750b0c352f690c686"
- useDigest: true
+ useDigest: false
 pullPolicy: "IfNotPresent"
 suffix: ""
 # -- Number of replicas to run for the cilium-operator deployment
@@ -2662,8 +2649,7 @@
 # @schema
 # -- Taint nodes where Cilium is scheduled but not running. This prevents pods
 # from being scheduled to nodes where Cilium is not the default CNI provider.
- # @default -- same as removeNodeTaints
- setNodeTaints: ~
+ setNodeTaints: false
 # -- Set Node condition NetworkUnavailable to 'false' with the reason
 # 'CiliumIsUp' for nodes that have a healthy Cilium pod.
 setNodeNetworkStatus: true
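Review bot: `setNodeTaints: false` in the `@@ -2662` hunk switches off the safeguard that the comment directly above it describes, without saying what replaces it. With no taint, pods can be scheduled onto a node before Cilium manages it, and those pods would presumably start outside Cilium's policy enforcement. The patch also drops the `@default -- same as removeNodeTaints` line, so the relation to `removeNodeTaints` (defined outside the hunk) is no longer documented. A comment such as `# Disabled in this chart because <reason>; pods may be scheduled before Cilium is ready on the node.` would record the trade-off.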
@@ -2767,11 +2753,9 @@
 # type: [null, string]
 # @schema
 override: ~
- repository: "quay.io/cilium/cilium"
+ repository: "rancher/mirrored-cilium-cilium"
 tag: "v1.16.4"
- # cilium-digest
- digest: "sha256:d55ec38938854133e06739b1af237932b9c4dd4e75e9b7b2ca3acc72540a44bf"
- useDigest: true
+ useDigest: false
 pullPolicy: "IfNotPresent"
 # -- The priority class to use for the preflight pod.
 priorityClassName: ""
@@ -2916,11 +2900,9 @@
 # type: [null, string]
 # @schema
 override: ~
- repository: "quay.io/cilium/clustermesh-apiserver"
+ repository: "rancher/mirrored-cilium-clustermesh-apiserver"
 tag: "v1.16.4"
- # clustermesh-apiserver-digest
- digest: "sha256:b41ba9c1b32e31308e17287a24a5b8e8ed0931f70d168087001c9679bc6c5dd2"
- useDigest: true
+ useDigest: false
 pullPolicy: "IfNotPresent"
 # -- TCP port for the clustermesh-apiserver health API.
 healthPort: 9880
@@ -3561,3 +3543,11 @@
 agentSocketPath: /run/spire/sockets/agent/agent.sock
 # -- SPIRE connection timeout
 connectionTimeout: 30s
+
+portmapPlugin:
+ image:
+ repository: "rancher/hardened-cni-plugins"
+ tag: "v1.6.0-build20241022"
+
+global:
+ systemDefaultRegistry: ""
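Review bot: The new `portmapPlugin` and `global` keys in the `@@ -3561` hunk have no `# --` doc comments, unlike the rest of the file, and the empty `systemDefaultRegistry: ""` leaves every `rancher/...` repository in this patch without a registry host. Which registry serves those images then depends on the container runtime's default, which the chart does not control. Comments such as `# -- Image for the portmap CNI plugin used when cni.chainingMode is portmap` and `# -- Registry prefix prepended to all image repositories; empty uses the runtime default` would document this, assuming the templates do prepend the value. The portmap image is also referenced by tag only, with no digest.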