--- charts-original/values.yaml +++ charts/values.yaml @@ -142,12 +142,10 @@ # -- Agent container image. image: override: ~ - repository: "quay.io/cilium/cilium" + repository: "rancher/mirrored-cilium-cilium" tag: "v1.14.5" pullPolicy: "IfNotPresent" - # cilium-digest - digest: "sha256:d3b287029755b6a47dee01420e2ea469469f1b174a2089c10af7e5e9289ef05b" - useDigest: true + useDigest: false # -- Affinity for cilium-agent. affinity: @@ -537,7 +535,9 @@ # - flannel # - generic-veth # - portmap - chainingMode: ~ + + # Otherwise rke2 hostPort does not work! Used for nginx + chainingMode: portmap # -- A CNI network name in to which the Cilium plugin should be added as a chained plugin. # This will cause the agent to watch for a CNI network with this network name. When it is @@ -936,10 +936,9 @@ certgen: image: override: ~ - repository: "quay.io/cilium/certgen" + repository: "rancher/mirrored-cilium-certgen" tag: "v0.1.9" - digest: "sha256:89a0847753686444daabde9474b48340993bd19c7bea66a46e45b2974b82041f" - useDigest: true + useDigest: false pullPolicy: "IfNotPresent" # -- Seconds after which the completed job pod will be deleted ttlSecondsAfterFinished: 1800 @@ -961,7 +960,7 @@ hubble: # -- Enable Hubble (true by default). - enabled: true + enabled: false # -- Buffer size of the channel Hubble uses to receive monitor events. If this # value is not set, the queue size is set to the default monitor queue size. @@ -1112,11 +1111,9 @@ # -- Hubble-relay container image. image: override: ~ - repository: "quay.io/cilium/hubble-relay" + repository: "rancher/mirrored-cilium-hubble-relay" tag: "v1.14.5" - # hubble-relay-digest - digest: "sha256:dbef89f924a927043d02b40c18e417c1ea0e8f58b44523b80fef7e3652db24d4" - useDigest: true + useDigest: false pullPolicy: "IfNotPresent" # -- Specifies the resources for the hubble-relay pods 
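Review bot: Removing `digest` and setting `useDigest: false` in the agent `image` block leaves the image identified only by the mutable tag `v1.14.5`. With `pullPolicy: "IfNotPresent"`, a node that already caches the tag and a node that pulls it later can run different content under the same name. The same change is made in the certgen and hubble-relay hunks here, and in the hubble-ui backend and frontend, envoy, etcd-operator, operator, preflight, clustermesh-apiserver, etcd and kvstoremesh hunks further down. Keep the pin by recording the digest of each mirrored image, e.g. `digest: "sha256:<digest-of-mirrored-image>"` with `useDigest: true`. If tag-only references are intentional, add a comment saying where image integrity is enforced instead (signature verification or an admission policy).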
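Review bot: The comment above `enabled: false` in the `hubble:` hunk still reads "Enable Hubble (true by default)", so the generated values documentation now contradicts the shipped default. Change it to something like `# -- Enable Hubble (disabled by default in this chart; the upstream default is true).` Hubble is the chart's flow-visibility component, so the comment should also say that operators who need network flow records for investigation must enable it explicitly. The `hubble:` block continues outside the hunk.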
@@ -1340,10 +1337,9 @@ # -- Hubble-ui backend image. image: override: ~ - repository: "quay.io/cilium/hubble-ui-backend" + repository: "rancher/mirrored-cilium-hubble-ui-backend" tag: "v0.12.1" - digest: "sha256:1f86f3400827a0451e6332262467f894eeb7caf0eb8779bd951e2caa9d027cbe" - useDigest: true + useDigest: false pullPolicy: "IfNotPresent" # -- Hubble-ui backend security context. @@ -1371,10 +1367,9 @@ # -- Hubble-ui frontend image. image: override: ~ - repository: "quay.io/cilium/hubble-ui" + repository: "rancher/mirrored-cilium-hubble-ui" tag: "v0.12.1" - digest: "sha256:9e5f81ee747866480ea1ac4630eb6975ff9227f9782b7c93919c081c33f38267" - useDigest: true + useDigest: false pullPolicy: "IfNotPresent" # -- Hubble-ui frontend security context. @@ -1500,7 +1495,7 @@ ipam: # -- Configure IP Address Management mode. # ref: https://docs.cilium.io/en/stable/network/concepts/ipam/ - mode: "cluster-pool" + mode: "kubernetes" # -- Maximum rate at which the CiliumNode custom resource is updated. ciliumNodeUpdateRate: "15s" operator: @@ -1778,7 +1773,7 @@ # -- Configure prometheus metrics on the configured port at /metrics prometheus: - enabled: false + enabled: true port: 9962 serviceMonitor: # -- Enable service monitors. @@ -1856,11 +1851,10 @@ # -- Envoy container image. image: override: ~ - repository: "quay.io/cilium/cilium-envoy" + repository: "rancher/mirrored-cilium-cilium-envoy" tag: "v1.26.6-ad82c7c56e88989992fd25d8d67747de865c823b" pullPolicy: "IfNotPresent" - digest: "sha256:992998398dadfff7117bfa9fdb7c9474fefab7f0237263f7c8114e106c67baca" - useDigest: true + useDigest: false # -- Additional containers added to the cilium Envoy DaemonSet. extraContainers: [] 
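Review bot: Setting `prometheus.enabled: true` for the agent (port 9962), and for the operator on port 9963 in a later hunk, makes a metrics listener the default on every node, and nothing in these hunks limits who can reach it. Presumably the agent runs on the host network, which would expose the port on the node address; that should be confirmed, and access restricted to the scraper by host firewall or network policy. A comment above `enabled: true` such as `# Enabled for cluster monitoring; restrict access to port 9962 to the metrics scraper.` would record the intent. The `serviceMonitor` block continues outside the hunk.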
@@ -2148,10 +2142,9 @@ # -- cilium-etcd-operator image. image: override: ~ - repository: "quay.io/cilium/cilium-etcd-operator" + repository: "rancher/mirrored-cilium-cilium-etcd-operator" tag: "v2.0.7" - digest: "sha256:04b8327f7f992693c2cb483b999041ed8f92efc8e14f2a5f3ab95574a65ea2dc" - useDigest: true + useDigest: false pullPolicy: "IfNotPresent" # -- The priority class to use for cilium-etcd-operator @@ -2253,17 +2246,9 @@ # -- cilium-operator image. image: override: ~ - repository: "quay.io/cilium/operator" + repository: "rancher/mirrored-cilium-operator" tag: "v1.14.5" - # operator-generic-digest - genericDigest: "sha256:303f9076bdc73b3fc32aaedee64a14f6f44c8bb08ee9e3956d443021103ebe7a" - # operator-azure-digest - azureDigest: "sha256:9203f5583aa34e716d7a6588ebd144e43ce3b77873f578fc12b2679e33591353" - # operator-aws-digest - awsDigest: "sha256:785ccf1267d0ed3ba9e4bd8166577cb4f9e4ce996af26b27c9d5c554a0d5b09a" - # operator-alibabacloud-digest - alibabacloudDigest: "sha256:e0152c498ba73c56a82eee2a706c8f400e9a6999c665af31a935bdf08e659bc3" - useDigest: true + useDigest: false pullPolicy: "IfNotPresent" suffix: "" @@ -2394,7 +2379,7 @@ # -- Enable prometheus metrics for cilium-operator on the configured port at # /metrics prometheus: - enabled: false + enabled: true port: 9963 serviceMonitor: # -- Enable service monitors. @@ -2430,8 +2415,7 @@ # -- Taint nodes where Cilium is scheduled but not running. This prevents pods # from being scheduled to nodes where Cilium is not the default CNI provider. - # @default -- same as removeNodeTaints - setNodeTaints: ~ + setNodeTaints: false # -- Set Node condition NetworkUnavailable to 'false' with the reason # 'CiliumIsUp' for nodes that have a healthy Cilium pod. 
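Review bot: `setNodeTaints: false` drops the `@default -- same as removeNodeTaints` line and hard-codes the taint off, while the remaining comment still says the taint "prevents pods from being scheduled to nodes where Cilium is not the default CNI provider". With the taint disabled, workloads may start on a node before the agent is running there, and such pods may not be under Cilium policy enforcement until they are restarted; this is inferred from the comment, not shown in the hunk. Please document why the taint is forced off, e.g. `# Disabled for rke2: <reason>; pods started before the agent is ready must be restarted.`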
@@ -2540,11 +2524,9 @@ # -- Cilium pre-flight image. image: override: ~ - repository: "quay.io/cilium/cilium" + repository: "rancher/mirrored-cilium-cilium" tag: "v1.14.5" - # cilium-digest - digest: "sha256:d3b287029755b6a47dee01420e2ea469469f1b174a2089c10af7e5e9289ef05b" - useDigest: true + useDigest: false pullPolicy: "IfNotPresent" # -- The priority class to use for the preflight pod. @@ -2690,21 +2672,18 @@ # -- Clustermesh API server image. image: override: ~ - repository: "quay.io/cilium/clustermesh-apiserver" + repository: "rancher/mirrored-cilium-clustermesh-apiserver" tag: "v1.14.5" - # clustermesh-apiserver-digest - digest: "sha256:7eaa35cf5452c43b1f7d0cde0d707823ae7e49965bcb54c053e31ea4e04c3d96" - useDigest: true + useDigest: false pullPolicy: "IfNotPresent" etcd: # -- Clustermesh API server etcd image. image: override: ~ - repository: "quay.io/coreos/etcd" + repository: "rancher/mirrored-coreos-etcd" tag: "v3.5.4" - digest: "sha256:795d8660c48c439a7c3764c2330ed9222ab5db5bb524d8d0607cac76f7ba82a3" - useDigest: true + useDigest: false pullPolicy: "IfNotPresent" # -- Specifies the resources for etcd container in the apiserver @@ -2737,11 +2716,9 @@ # -- KVStoreMesh image. image: override: ~ - repository: "quay.io/cilium/kvstoremesh" + repository: "rancher/mirrored-cilium-kvstoremesh" tag: "v1.14.5" - # kvstoremesh-digest - digest: "sha256:d7137edd0efa2b1407b20088af3980a9993bb616d85bf9b55ea2891d1b99023a" - useDigest: true + useDigest: false pullPolicy: "IfNotPresent" # -- Additional KVStoreMesh arguments. @@ -3222,3 +3199,11 @@ agentSocketPath: /run/spire/sockets/agent/agent.sock # -- SPIRE connection timeout connectionTimeout: 30s + +portmapPlugin: + image: + repository: "rancher/hardened-cni-plugins" + tag: "v1.4.0-build20240122" + +global: + systemDefaultRegistry: ""
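Review bot: The new `portmapPlugin.image` block in the last hunk pins only a tag (`v1.4.0-build20240122`) and has none of the `pullPolicy`, `digest` or `useDigest` keys that the other image blocks in this diff carry. Neither it nor `global.systemDefaultRegistry` has the `# --` doc comment used throughout the file. The repository names no longer include a registry host (`rancher/...` instead of `quay.io/...`) and `systemDefaultRegistry` is `""`, so the registry the images are pulled from is presumably decided by the templates or the container runtime's default. If that is what the templates do, state it in a comment, e.g. `# -- Registry prefixed to all image repositories; empty uses the container runtime's default registry.` Adding `pullPolicy: "IfNotPresent"` and a digest field to `portmapPlugin.image` would keep the block consistent with the others.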