diff --git a/charts/.utils/gitlab-ci.yaml b/charts/.utils/gitlab-ci.yaml
index c37298faeacbb8d87d263a23607f5ee6b084c1d4..9295791375048af3af523782214fa2ef000460a1 100644
--- a/charts/.utils/gitlab-ci.yaml
+++ b/charts/.utils/gitlab-ci.yaml
@@ -38,11 +38,11 @@ chart-helm-unittest:
   stage: lint
   extends: .chart-matrix
   image:
-    name: docker.io/quintush/helm-unittest:3.10.1-0.2.9
+    name: docker.io/helmunittest/helm-unittest:3.11.2-0.3.1
     entrypoint: [""]
   script:
     - if [ ! -e charts/${CHART}/tests ]; then echo "No helm unittests"; exit 0; fi
-    - helm unittest -3 -o helm-unittest-${CHART}.xml -t junit charts/${CHART}
+    - helm unittest -o helm-unittest-${CHART}.xml -t junit charts/${CHART}
   artifacts:
     when: always
     reports:
diff --git a/charts/keycloak/tests/__snapshot__/snapshot_test.yaml.snap b/charts/keycloak/tests/__snapshot__/snapshot_test.yaml.snap
index 45c826300df21915f6989e7710451b04de7379c9..4c87dd93c1389b251f7ad8949e8464748f8143e0 100644
--- a/charts/keycloak/tests/__snapshot__/snapshot_test.yaml.snap
+++ b/charts/keycloak/tests/__snapshot__/snapshot_test.yaml.snap
@@ -25,78 +25,78 @@ should match basic snapshot:
             app.kubernetes.io/name: keycloak
         spec:
           containers:
-          - args:
-            - start
-            - --cache=ispn
-            - --cache-config-file=cache-ispn.xml
-            - --cache-stack=kubernetes
-            - --proxy
-            - edge
-            env:
-            - name: KC_HEALTH_ENABLED
-              value: "true"
-            - name: KC_HOSTNAME
-              value: keycloak.example.com
-            - name: JAVA_OPTS_APPEND
-              value: -Djgroups.dns.query=RELEASE-NAME-keycloak-headless.NAMESPACE.svc.cluster.local
-            - name: KC_DB
-              value: postgres
-            - name: KC_DB_USERNAME
-              valueFrom:
-                secretKeyRef:
-                  key: database-username
-                  name: RELEASE-NAME-keycloak
-                  optional: false
-            - name: KC_DB_PASSWORD
-              valueFrom:
-                secretKeyRef:
-                  key: database-password
-                  name: RELEASE-NAME-keycloak
-                  optional: false
-            - name: KC_DB_URL
-              valueFrom:
-                secretKeyRef:
-                  key: database-url
-                  name: RELEASE-NAME-keycloak
-                  optional: false
-            image: quay.io/keycloak/keycloak:4.5.6
-            imagePullPolicy: IfNotPresent
-            livenessProbe:
-              failureThreshold: 3
-              httpGet:
-                path: /health/live
-                port: http
-              periodSeconds: 10
-            name: keycloak
-            ports:
-            - containerPort: 8080
-              name: http
-              protocol: TCP
-            readinessProbe:
-              failureThreshold: 3
-              httpGet:
-                path: /health/ready
-                port: http
-              periodSeconds: 10
-            resources:
-              limits:
-                cpu: "1"
-                memory: 1.5Gi
-              requests:
-                cpu: 100m
-                memory: 1Gi
-            securityContext:
-              allowPrivilegeEscalation: false
-              capabilities:
-                drop:
-                - ALL
-              runAsNonRoot: true
-            startupProbe:
-              failureThreshold: 30
-              httpGet:
-                path: /health/live
-                port: http
-              periodSeconds: 10
+            - args:
+                - start
+                - --cache=ispn
+                - --cache-config-file=cache-ispn.xml
+                - --cache-stack=kubernetes
+                - --proxy
+                - edge
+              env:
+                - name: KC_HEALTH_ENABLED
+                  value: "true"
+                - name: KC_HOSTNAME
+                  value: keycloak.example.com
+                - name: JAVA_OPTS_APPEND
+                  value: -Djgroups.dns.query=RELEASE-NAME-keycloak-headless.NAMESPACE.svc.cluster.local
+                - name: KC_DB
+                  value: postgres
+                - name: KC_DB_USERNAME
+                  valueFrom:
+                    secretKeyRef:
+                      key: database-username
+                      name: RELEASE-NAME-keycloak
+                      optional: false
+                - name: KC_DB_PASSWORD
+                  valueFrom:
+                    secretKeyRef:
+                      key: database-password
+                      name: RELEASE-NAME-keycloak
+                      optional: false
+                - name: KC_DB_URL
+                  valueFrom:
+                    secretKeyRef:
+                      key: database-url
+                      name: RELEASE-NAME-keycloak
+                      optional: false
+              image: quay.io/keycloak/keycloak:4.5.6
+              imagePullPolicy: IfNotPresent
+              livenessProbe:
+                failureThreshold: 3
+                httpGet:
+                  path: /health/live
+                  port: http
+                periodSeconds: 10
+              name: keycloak
+              ports:
+                - containerPort: 8080
+                  name: http
+                  protocol: TCP
+              readinessProbe:
+                failureThreshold: 3
+                httpGet:
+                  path: /health/ready
+                  port: http
+                periodSeconds: 10
+              resources:
+                limits:
+                  cpu: "1"
+                  memory: 1.5Gi
+                requests:
+                  cpu: 100m
+                  memory: 1Gi
+              securityContext:
+                allowPrivilegeEscalation: false
+                capabilities:
+                  drop:
+                    - ALL
+                runAsNonRoot: true
+              startupProbe:
+                failureThreshold: 30
+                httpGet:
+                  path: /health/live
+                  port: http
+                periodSeconds: 10
           securityContext: {}
           serviceAccountName: RELEASE-NAME-keycloak
   2: |
@@ -128,10 +128,10 @@ should match basic snapshot:
       name: RELEASE-NAME-keycloak
     spec:
       ports:
-      - name: http
-        port: 80
-        protocol: TCP
-        targetPort: http
+        - name: http
+          port: 80
+          protocol: TCP
+          targetPort: http
       selector:
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/name: keycloak
@@ -150,10 +150,10 @@ should match basic snapshot:
     spec:
       clusterIP: None
       ports:
-      - name: ping
-        port: 7800
-        protocol: TCP
-        targetPort: 7800
+        - name: ping
+          port: 7800
+          protocol: TCP
+          targetPort: 7800
       selector:
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/name: keycloak
@@ -195,80 +195,80 @@ should match full snapshot:
             app.kubernetes.io/name: keycloak
         spec:
           containers:
-          - args:
-            - start
-            - --cache=ispn
-            - --cache-config-file=cache-ispn.xml
-            - --cache-stack=kubernetes
-            - --proxy
-            - edge
-            env:
-            - name: KC_HEALTH_ENABLED
-              value: "true"
-            - name: KC_METRICS_ENABLED
-              value: "true"
-            - name: KC_HOSTNAME
-              value: keycloak.example.com
-            - name: JAVA_OPTS_APPEND
-              value: -Djgroups.dns.query=RELEASE-NAME-keycloak-headless.NAMESPACE.svc.cluster.local
-            - name: KC_DB
-              value: postgres
-            - name: KC_DB_USERNAME
-              valueFrom:
-                secretKeyRef:
-                  key: database-username
-                  name: RELEASE-NAME-keycloak
-                  optional: false
-            - name: KC_DB_PASSWORD
-              valueFrom:
-                secretKeyRef:
-                  key: database-password
-                  name: RELEASE-NAME-keycloak
-                  optional: false
-            - name: KC_DB_URL
-              valueFrom:
-                secretKeyRef:
-                  key: database-url
-                  name: RELEASE-NAME-keycloak
-                  optional: false
-            image: quay.io/keycloak/keycloak:4.5.6
-            imagePullPolicy: IfNotPresent
-            livenessProbe:
-              failureThreshold: 3
-              httpGet:
-                path: /health/live
-                port: http
-              periodSeconds: 10
-            name: keycloak
-            ports:
-            - containerPort: 8080
-              name: http
-              protocol: TCP
-            readinessProbe:
-              failureThreshold: 3
-              httpGet:
-                path: /health/ready
-                port: http
-              periodSeconds: 10
-            resources:
-              limits:
-                cpu: "1"
-                memory: 1.5Gi
-              requests:
-                cpu: 100m
-                memory: 1Gi
-            securityContext:
-              allowPrivilegeEscalation: false
-              capabilities:
-                drop:
-                - ALL
-              runAsNonRoot: true
-            startupProbe:
-              failureThreshold: 30
-              httpGet:
-                path: /health/live
-                port: http
-              periodSeconds: 10
+            - args:
+                - start
+                - --cache=ispn
+                - --cache-config-file=cache-ispn.xml
+                - --cache-stack=kubernetes
+                - --proxy
+                - edge
+              env:
+                - name: KC_HEALTH_ENABLED
+                  value: "true"
+                - name: KC_METRICS_ENABLED
+                  value: "true"
+                - name: KC_HOSTNAME
+                  value: keycloak.example.com
+                - name: JAVA_OPTS_APPEND
+                  value: -Djgroups.dns.query=RELEASE-NAME-keycloak-headless.NAMESPACE.svc.cluster.local
+                - name: KC_DB
+                  value: postgres
+                - name: KC_DB_USERNAME
+                  valueFrom:
+                    secretKeyRef:
+                      key: database-username
+                      name: RELEASE-NAME-keycloak
+                      optional: false
+                - name: KC_DB_PASSWORD
+                  valueFrom:
+                    secretKeyRef:
+                      key: database-password
+                      name: RELEASE-NAME-keycloak
+                      optional: false
+                - name: KC_DB_URL
+                  valueFrom:
+                    secretKeyRef:
+                      key: database-url
+                      name: RELEASE-NAME-keycloak
+                      optional: false
+              image: quay.io/keycloak/keycloak:4.5.6
+              imagePullPolicy: IfNotPresent
+              livenessProbe:
+                failureThreshold: 3
+                httpGet:
+                  path: /health/live
+                  port: http
+                periodSeconds: 10
+              name: keycloak
+              ports:
+                - containerPort: 8080
+                  name: http
+                  protocol: TCP
+              readinessProbe:
+                failureThreshold: 3
+                httpGet:
+                  path: /health/ready
+                  port: http
+                periodSeconds: 10
+              resources:
+                limits:
+                  cpu: "1"
+                  memory: 1.5Gi
+                requests:
+                  cpu: 100m
+                  memory: 1Gi
+              securityContext:
+                allowPrivilegeEscalation: false
+                capabilities:
+                  drop:
+                    - ALL
+                runAsNonRoot: true
+              startupProbe:
+                failureThreshold: 30
+                httpGet:
+                  path: /health/live
+                  port: http
+                periodSeconds: 10
           securityContext: {}
           serviceAccountName: RELEASE-NAME-keycloak
   2: |
@@ -300,10 +300,10 @@ should match full snapshot:
       name: RELEASE-NAME-keycloak
     spec:
       ports:
-      - name: http
-        port: 80
-        protocol: TCP
-        targetPort: http
+        - name: http
+          port: 80
+          protocol: TCP
+          targetPort: http
       selector:
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/name: keycloak
@@ -322,10 +322,10 @@ should match full snapshot:
     spec:
       clusterIP: None
       ports:
-      - name: ping
-        port: 7800
-        protocol: TCP
-        targetPort: 7800
+        - name: ping
+          port: 7800
+          protocol: TCP
+          targetPort: 7800
       selector:
         app.kubernetes.io/instance: RELEASE-NAME
         app.kubernetes.io/name: keycloak
diff --git a/charts/keycloak/tests/helmlabels_test.yaml b/charts/keycloak/tests/helmlabels_test.yaml
index e3cdbe501b9adba80a7e696a387512ec0efa305f..f833b86738c107a1a380e678523b4047212f37bd 100644
--- a/charts/keycloak/tests/helmlabels_test.yaml
+++ b/charts/keycloak/tests/helmlabels_test.yaml
@@ -26,11 +26,11 @@ tests:
       version: 1.2.3
     asserts:
       - equal:
-          path: metadata.labels.[app.kubernetes.io/instance]
+          path: metadata.labels["app.kubernetes.io/instance"]
           value: "test-suite"
       - equal:
-          path: metadata.labels.[app.kubernetes.io/managed-by]
+          path: metadata.labels["app.kubernetes.io/managed-by"]
           value: "Helm"
       - equal:
-          path: metadata.labels.[app.kubernetes.io/name]
+          path: metadata.labels["app.kubernetes.io/name"]
           value: "keycloak"
diff --git a/charts/mastodon/tests/50_sidekiq_test.yaml b/charts/mastodon/tests/50_sidekiq_test.yaml
index 6bcb3b2623ca41ccf4042a3c97989eac62a5117c..37c7a6abb87188454213e6d8b52862f9faab9292 100644
--- a/charts/mastodon/tests/50_sidekiq_test.yaml
+++ b/charts/mastodon/tests/50_sidekiq_test.yaml
@@ -65,17 +65,17 @@ tests:
       - mocks/sidekiq.yaml
     asserts:
       - equal:
-          path: spec.selector.matchLabels.app\.kubernetes\.io/component
+          path: spec.selector.matchLabels["app.kubernetes.io/component"]
           value: sidekiq-scheduler
         documentIndex: 0
         template: deployment-sidekiq.yaml
       - equal:
-          path: spec.selector.matchLabels.app\.kubernetes\.io/component
+          path: spec.selector.matchLabels["app.kubernetes.io/component"]
           value: sidekiq-default
         documentIndex: 1
         template: deployment-sidekiq.yaml
       - equal:
-          path: spec.selector.matchLabels.app\.kubernetes\.io/part-of
+          path: spec.selector.matchLabels["app.kubernetes.io/part-of"]
           value: rails
         template: deployment-sidekiq.yaml
           
diff --git a/charts/mastodon/tests/99_helmlabels_test.yaml b/charts/mastodon/tests/99_helmlabels_test.yaml
index fecc1e2aab2e2fe049f83bb50857dc05b2efabec..26d4dcab2ee77ec75875991a36d7f01900c30956 100644
--- a/charts/mastodon/tests/99_helmlabels_test.yaml
+++ b/charts/mastodon/tests/99_helmlabels_test.yaml
@@ -31,11 +31,11 @@ tests:
       version: 1.2.3
     asserts:
       - equal:
-          path: metadata.labels.[app.kubernetes.io/instance]
+          path: metadata.labels["app.kubernetes.io/instance"]
           value: "test-suite"
       - equal:
-          path: metadata.labels.[app.kubernetes.io/managed-by]
+          path: metadata.labels["app.kubernetes.io/managed-by"]
           value: "Helm"
       - equal:
-          path: metadata.labels.[app.kubernetes.io/name]
+          path: metadata.labels["app.kubernetes.io/name"]
           value: "mastodon"
diff --git a/charts/mastodon/tests/__snapshot__/50_sidekiq_test.yaml.snap b/charts/mastodon/tests/__snapshot__/50_sidekiq_test.yaml.snap
index bd53acffc71254703967eca07088ec3ab9c10613..f079b253891faf7ee063260a0aa41f9396da8f19 100644
--- a/charts/mastodon/tests/__snapshot__/50_sidekiq_test.yaml.snap
+++ b/charts/mastodon/tests/__snapshot__/50_sidekiq_test.yaml.snap
@@ -72,62 +72,62 @@ should match basic snapshot:
             app.kubernetes.io/part-of: rails
         spec:
           containers:
-          - command:
-            - bundle
-            - exec
-            - sidekiq
-            - -c
-            - "25"
-            - -q
-            - default,8
-            - -q
-            - push,6
-            - -q
-            - ingress,4
-            - -q
-            - mailers,2
-            - -q
-            - pull
-            - -q
-            - scheduler
-            env:
-            - name: DB_PASS
-              valueFrom:
-                secretKeyRef:
-                  key: password
-                  name: RELEASE-NAME-postgresql
-            - name: REDIS_PASSWORD
-              valueFrom:
-                secretKeyRef:
-                  key: redis-password
-                  name: RELEASE-NAME-redis
-            envFrom:
-            - configMapRef:
-                name: RELEASE-NAME-mastodon-env
-            - secretRef:
-                name: RELEASE-NAME-mastodon
-            image: ghcr.io/mastodon/mastodon:4.5.6
-            imagePullPolicy: IfNotPresent
-            name: mastodon
-            resources: {}
-            securityContext: {}
-            volumeMounts:
-            - mountPath: /opt/mastodon/public/assets
-              name: assets
-            - mountPath: /opt/mastodon/public/system
-              name: system
+            - command:
+                - bundle
+                - exec
+                - sidekiq
+                - -c
+                - "25"
+                - -q
+                - default,8
+                - -q
+                - push,6
+                - -q
+                - ingress,4
+                - -q
+                - mailers,2
+                - -q
+                - pull
+                - -q
+                - scheduler
+              env:
+                - name: DB_PASS
+                  valueFrom:
+                    secretKeyRef:
+                      key: password
+                      name: RELEASE-NAME-postgresql
+                - name: REDIS_PASSWORD
+                  valueFrom:
+                    secretKeyRef:
+                      key: redis-password
+                      name: RELEASE-NAME-redis
+              envFrom:
+                - configMapRef:
+                    name: RELEASE-NAME-mastodon-env
+                - secretRef:
+                    name: RELEASE-NAME-mastodon
+              image: ghcr.io/mastodon/mastodon:4.5.6
+              imagePullPolicy: IfNotPresent
+              name: mastodon
+              resources: {}
+              securityContext: {}
+              volumeMounts:
+                - mountPath: /opt/mastodon/public/assets
+                  name: assets
+                - mountPath: /opt/mastodon/public/system
+                  name: system
           securityContext:
             fsGroup: 991
             runAsGroup: 991
             runAsUser: 991
           serviceAccountName: RELEASE-NAME-mastodon
           volumes:
-          - name: assets
-            persistentVolumeClaim:
-              claimName: RELEASE-NAME-mastodon-assets
-          - name: system
-            persistentVolumeClaim:
-              claimName: RELEASE-NAME-mastodon-system
+            - name: assets
+              persistentVolumeClaim:
+                claimName: RELEASE-NAME-mastodon-assets
+            - name: system
+              persistentVolumeClaim:
+                claimName: RELEASE-NAME-mastodon-system
   3: |
     apiVersion: v1
     data:
diff --git a/charts/mastodon/tests/__snapshot__/50_web_test.yaml.snap b/charts/mastodon/tests/__snapshot__/50_web_test.yaml.snap
index 5f5ca5e7493aba68246b41826598fbc57e51082e..43b8df2db9816d1266f731ffa0d2bbadd76f175b 100644
--- a/charts/mastodon/tests/__snapshot__/50_web_test.yaml.snap
+++ b/charts/mastodon/tests/__snapshot__/50_web_test.yaml.snap
@@ -68,67 +68,67 @@ should match basic snapshot:
             app.kubernetes.io/part-of: rails
         spec:
           containers:
-          - command:
-            - bundle
-            - exec
-            - puma
-            - -C
-            - config/puma.rb
-            env:
-            - name: DB_PASS
-              valueFrom:
-                secretKeyRef:
-                  key: password
-                  name: RELEASE-NAME-postgresql
-            - name: REDIS_PASSWORD
-              valueFrom:
-                secretKeyRef:
-                  key: redis-password
-                  name: RELEASE-NAME-redis
-            - name: PORT
-              value: "3000"
-            envFrom:
-            - configMapRef:
-                name: RELEASE-NAME-mastodon-env
-            - secretRef:
-                name: RELEASE-NAME-mastodon
-            image: ghcr.io/mastodon/mastodon:4.5.6
-            imagePullPolicy: IfNotPresent
-            livenessProbe:
-              tcpSocket:
-                port: http
-            name: mastodon-web
-            ports:
-            - containerPort: 3000
-              name: http
-              protocol: TCP
-            readinessProbe:
-              httpGet:
-                path: /health
-                port: http
-            startupProbe:
-              failureThreshold: 30
-              httpGet:
-                path: /health
-                port: http
-              periodSeconds: 5
-            volumeMounts:
-            - mountPath: /opt/mastodon/public/assets
-              name: assets
-            - mountPath: /opt/mastodon/public/system
-              name: system
+            - command:
+                - bundle
+                - exec
+                - puma
+                - -C
+                - config/puma.rb
+              env:
+                - name: DB_PASS
+                  valueFrom:
+                    secretKeyRef:
+                      key: password
+                      name: RELEASE-NAME-postgresql
+                - name: REDIS_PASSWORD
+                  valueFrom:
+                    secretKeyRef:
+                      key: redis-password
+                      name: RELEASE-NAME-redis
+                - name: PORT
+                  value: "3000"
+              envFrom:
+                - configMapRef:
+                    name: RELEASE-NAME-mastodon-env
+                - secretRef:
+                    name: RELEASE-NAME-mastodon
+              image: ghcr.io/mastodon/mastodon:4.5.6
+              imagePullPolicy: IfNotPresent
+              livenessProbe:
+                tcpSocket:
+                  port: http
+              name: mastodon-web
+              ports:
+                - containerPort: 3000
+                  name: http
+                  protocol: TCP
+              readinessProbe:
+                httpGet:
+                  path: /health
+                  port: http
+              startupProbe:
+                failureThreshold: 30
+                httpGet:
+                  path: /health
+                  port: http
+                periodSeconds: 5
+              volumeMounts:
+                - mountPath: /opt/mastodon/public/assets
+                  name: assets
+                - mountPath: /opt/mastodon/public/system
+                  name: system
           securityContext:
             fsGroup: 991
             runAsGroup: 991
             runAsUser: 991
           serviceAccountName: RELEASE-NAME-mastodon
           volumes:
-          - name: assets
-            persistentVolumeClaim:
-              claimName: RELEASE-NAME-mastodon-assets
-          - name: system
-            persistentVolumeClaim:
-              claimName: RELEASE-NAME-mastodon-system
+            - name: assets
+              persistentVolumeClaim:
+                claimName: RELEASE-NAME-mastodon-assets
+            - name: system
+              persistentVolumeClaim:
+                claimName: RELEASE-NAME-mastodon-system
   3: |
     apiVersion: networking.k8s.io/v1
     kind: Ingress
@@ -142,27 +142,27 @@ should match basic snapshot:
       name: RELEASE-NAME-mastodon
     spec:
       rules:
-      - host: mastodon.local
-        http:
-          paths:
-          - backend:
-              service:
-                name: RELEASE-NAME-mastodon-web
-                port:
-                  number: 3000
-            path: /
-            pathType: Prefix
-          - backend:
-              service:
-                name: RELEASE-NAME-mastodon-streaming
-                port:
-                  number: 4000
-            path: /api/v1/streaming
-            pathType: Prefix
+        - host: mastodon.local
+          http:
+            paths:
+              - backend:
+                  service:
+                    name: RELEASE-NAME-mastodon-web
+                    port:
+                      number: 3000
+                path: /
+                pathType: Prefix
+              - backend:
+                  service:
+                    name: RELEASE-NAME-mastodon-streaming
+                    port:
+                      number: 4000
+                path: /api/v1/streaming
+                pathType: Prefix
       tls:
-      - hosts:
-        - mastodon.local
-        secretName: mastodon-tls
+        - hosts:
+            - mastodon.local
+          secretName: mastodon-tls
   4: |
     apiVersion: v1
     data:
@@ -193,10 +193,10 @@ should match basic snapshot:
       name: RELEASE-NAME-mastodon-web
     spec:
       ports:
-      - name: http
-        port: 3000
-        protocol: TCP
-        targetPort: http
+        - name: http
+          port: 3000
+          protocol: TCP
+          targetPort: http
       selector:
         app.kubernetes.io/component: web
         app.kubernetes.io/instance: RELEASE-NAME
diff --git a/charts/mastodon/tests/__snapshot__/98_snapshot_test.yaml.snap b/charts/mastodon/tests/__snapshot__/98_snapshot_test.yaml.snap
index 92c567d5c92f5fe0f17ce865f4cf368258c997dd..da0bc7881cabbeb41d579a251cf0d9d4c70d8058 100644
--- a/charts/mastodon/tests/__snapshot__/98_snapshot_test.yaml.snap
+++ b/charts/mastodon/tests/__snapshot__/98_snapshot_test.yaml.snap
@@ -57,52 +57,52 @@ should match basic snapshot:
               affinity:
                 podAffinity:
                   requiredDuringSchedulingIgnoredDuringExecution:
-                  - labelSelector:
-                      matchExpressions:
-                      - key: app.kubernetes.io/part-of
-                        operator: In
-                        values:
-                        - rails
-                    topologyKey: kubernetes.io/hostname
+                    - labelSelector:
+                        matchExpressions:
+                          - key: app.kubernetes.io/part-of
+                            operator: In
+                            values:
+                              - rails
+                      topologyKey: kubernetes.io/hostname
               containers:
-              - command:
-                - bin/tootctl
-                - media
-                - remove
-                env:
-                - name: DB_PASS
-                  valueFrom:
-                    secretKeyRef:
-                      key: password
-                      name: RELEASE-NAME-postgresql
-                - name: REDIS_PASSWORD
-                  valueFrom:
-                    secretKeyRef:
-                      key: redis-password
-                      name: RELEASE-NAME-redis
-                - name: PORT
-                  value: "3000"
-                envFrom:
-                - configMapRef:
-                    name: RELEASE-NAME-mastodon-env
-                - secretRef:
-                    name: RELEASE-NAME-mastodon
-                image: ghcr.io/mastodon/mastodon:4.5.6
-                imagePullPolicy: IfNotPresent
-                name: RELEASE-NAME-mastodon-media-remove
-                volumeMounts:
-                - mountPath: /opt/mastodon/public/assets
-                  name: assets
-                - mountPath: /opt/mastodon/public/system
-                  name: system
+                - command:
+                    - bin/tootctl
+                    - media
+                    - remove
+                  env:
+                    - name: DB_PASS
+                      valueFrom:
+                        secretKeyRef:
+                          key: password
+                          name: RELEASE-NAME-postgresql
+                    - name: REDIS_PASSWORD
+                      valueFrom:
+                        secretKeyRef:
+                          key: redis-password
+                          name: RELEASE-NAME-redis
+                    - name: PORT
+                      value: "3000"
+                  envFrom:
+                    - configMapRef:
+                        name: RELEASE-NAME-mastodon-env
+                    - secretRef:
+                        name: RELEASE-NAME-mastodon
+                  image: ghcr.io/mastodon/mastodon:4.5.6
+                  imagePullPolicy: IfNotPresent
+                  name: RELEASE-NAME-mastodon-media-remove
+                  volumeMounts:
+                    - mountPath: /opt/mastodon/public/assets
+                      name: assets
+                    - mountPath: /opt/mastodon/public/system
+                      name: system
               restartPolicy: OnFailure
               volumes:
-              - name: assets
-                persistentVolumeClaim:
-                  claimName: RELEASE-NAME-mastodon-assets
-              - name: system
-                persistentVolumeClaim:
-                  claimName: RELEASE-NAME-mastodon-system
+                - name: assets
+                  persistentVolumeClaim:
+                    claimName: RELEASE-NAME-mastodon-assets
+                - name: system
+                  persistentVolumeClaim:
+                    claimName: RELEASE-NAME-mastodon-system
       schedule: 0 0 * * 0
   3: |
     apiVersion: apps/v1
@@ -140,62 +140,62 @@ should match basic snapshot:
             app.kubernetes.io/part-of: rails
         spec:
           containers:
-          - command:
-            - bundle
-            - exec
-            - sidekiq
-            - -c
-            - "25"
-            - -q
-            - default,8
-            - -q
-            - push,6
-            - -q
-            - ingress,4
-            - -q
-            - mailers,2
-            - -q
-            - pull
-            - -q
-            - scheduler
-            env:
-            - name: DB_PASS
-              valueFrom:
-                secretKeyRef:
-                  key: password
-                  name: RELEASE-NAME-postgresql
-            - name: REDIS_PASSWORD
-              valueFrom:
-                secretKeyRef:
-                  key: redis-password
-                  name: RELEASE-NAME-redis
-            envFrom:
-            - configMapRef:
-                name: RELEASE-NAME-mastodon-env
-            - secretRef:
-                name: RELEASE-NAME-mastodon
-            image: ghcr.io/mastodon/mastodon:4.5.6
-            imagePullPolicy: IfNotPresent
-            name: mastodon
-            resources: {}
-            securityContext: {}
-            volumeMounts:
-            - mountPath: /opt/mastodon/public/assets
-              name: assets
-            - mountPath: /opt/mastodon/public/system
-              name: system
+            - command:
+                - bundle
+                - exec
+                - sidekiq
+                - -c
+                - "25"
+                - -q
+                - default,8
+                - -q
+                - push,6
+                - -q
+                - ingress,4
+                - -q
+                - mailers,2
+                - -q
+                - pull
+                - -q
+                - scheduler
+              env:
+                - name: DB_PASS
+                  valueFrom:
+                    secretKeyRef:
+                      key: password
+                      name: RELEASE-NAME-postgresql
+                - name: REDIS_PASSWORD
+                  valueFrom:
+                    secretKeyRef:
+                      key: redis-password
+                      name: RELEASE-NAME-redis
+              envFrom:
+                - configMapRef:
+                    name: RELEASE-NAME-mastodon-env
+                - secretRef:
+                    name: RELEASE-NAME-mastodon
+              image: ghcr.io/mastodon/mastodon:4.5.6
+              imagePullPolicy: IfNotPresent
+              name: mastodon
+              resources: {}
+              securityContext: {}
+              volumeMounts:
+                - mountPath: /opt/mastodon/public/assets
+                  name: assets
+                - mountPath: /opt/mastodon/public/system
+                  name: system
           securityContext:
             fsGroup: 991
             runAsGroup: 991
             runAsUser: 991
           serviceAccountName: RELEASE-NAME-mastodon
           volumes:
-          - name: assets
-            persistentVolumeClaim:
-              claimName: RELEASE-NAME-mastodon-assets
-          - name: system
-            persistentVolumeClaim:
-              claimName: RELEASE-NAME-mastodon-system
+            - name: assets
+              persistentVolumeClaim:
+                claimName: RELEASE-NAME-mastodon-assets
+            - name: system
+              persistentVolumeClaim:
+                claimName: RELEASE-NAME-mastodon-system
   4: |
     apiVersion: apps/v1
     kind: Deployment
@@ -226,42 +226,42 @@ should match basic snapshot:
             app.kubernetes.io/name: mastodon
         spec:
           containers:
-          - command:
-            - node
-            - ./streaming
-            env:
-            - name: DB_PASS
-              valueFrom:
-                secretKeyRef:
-                  key: password
-                  name: RELEASE-NAME-postgresql
-            - name: REDIS_PASSWORD
-              valueFrom:
-                secretKeyRef:
-                  key: redis-password
-                  name: RELEASE-NAME-redis
-            - name: PORT
-              value: "4000"
-            envFrom:
-            - configMapRef:
-                name: RELEASE-NAME-mastodon-env
-            - secretRef:
-                name: RELEASE-NAME-mastodon
-            image: ghcr.io/mastodon/mastodon:4.5.6
-            imagePullPolicy: IfNotPresent
-            livenessProbe:
-              httpGet:
-                path: /api/v1/streaming/health
-                port: streaming
-            name: mastodon-streaming
-            ports:
-            - containerPort: 4000
-              name: streaming
-              protocol: TCP
-            readinessProbe:
-              httpGet:
-                path: /api/v1/streaming/health
-                port: streaming
+            - command:
+                - node
+                - ./streaming
+              env:
+                - name: DB_PASS
+                  valueFrom:
+                    secretKeyRef:
+                      key: password
+                      name: RELEASE-NAME-postgresql
+                - name: REDIS_PASSWORD
+                  valueFrom:
+                    secretKeyRef:
+                      key: redis-password
+                      name: RELEASE-NAME-redis
+                - name: PORT
+                  value: "4000"
+              envFrom:
+                - configMapRef:
+                    name: RELEASE-NAME-mastodon-env
+                - secretRef:
+                    name: RELEASE-NAME-mastodon
+              image: ghcr.io/mastodon/mastodon:4.5.6
+              imagePullPolicy: IfNotPresent
+              livenessProbe:
+                httpGet:
+                  path: /api/v1/streaming/health
+                  port: streaming
+              name: mastodon-streaming
+              ports:
+                - containerPort: 4000
+                  name: streaming
+                  protocol: TCP
+              readinessProbe:
+                httpGet:
+                  path: /api/v1/streaming/health
+                  port: streaming
           securityContext:
             fsGroup: 991
             runAsGroup: 991
@@ -299,67 +299,67 @@ should match basic snapshot:
             app.kubernetes.io/part-of: rails
         spec:
           containers:
-          - command:
-            - bundle
-            - exec
-            - puma
-            - -C
-            - config/puma.rb
-            env:
-            - name: DB_PASS
-              valueFrom:
-                secretKeyRef:
-                  key: password
-                  name: RELEASE-NAME-postgresql
-            - name: REDIS_PASSWORD
-              valueFrom:
-                secretKeyRef:
-                  key: redis-password
-                  name: RELEASE-NAME-redis
-            - name: PORT
-              value: "3000"
-            envFrom:
-            - configMapRef:
-                name: RELEASE-NAME-mastodon-env
-            - secretRef:
-                name: RELEASE-NAME-mastodon
-            image: ghcr.io/mastodon/mastodon:4.5.6
-            imagePullPolicy: IfNotPresent
-            livenessProbe:
-              tcpSocket:
-                port: http
-            name: mastodon-web
-            ports:
-            - containerPort: 3000
-              name: http
-              protocol: TCP
-            readinessProbe:
-              httpGet:
-                path: /health
-                port: http
-            startupProbe:
-              failureThreshold: 30
-              httpGet:
-                path: /health
-                port: http
-              periodSeconds: 5
-            volumeMounts:
-            - mountPath: /opt/mastodon/public/assets
-              name: assets
-            - mountPath: /opt/mastodon/public/system
-              name: system
+            - command:
+                - bundle
+                - exec
+                - puma
+                - -C
+                - config/puma.rb
+              env:
+                - name: DB_PASS
+                  valueFrom:
+                    secretKeyRef:
+                      key: password
+                      name: RELEASE-NAME-postgresql
+                - name: REDIS_PASSWORD
+                  valueFrom:
+                    secretKeyRef:
+                      key: redis-password
+                      name: RELEASE-NAME-redis
+                - name: PORT
+                  value: "3000"
+              envFrom:
+                - configMapRef:
+                    name: RELEASE-NAME-mastodon-env
+                - secretRef:
+                    name: RELEASE-NAME-mastodon
+              image: ghcr.io/mastodon/mastodon:4.5.6
+              imagePullPolicy: IfNotPresent
+              livenessProbe:
+                tcpSocket:
+                  port: http
+              name: mastodon-web
+              ports:
+                - containerPort: 3000
+                  name: http
+                  protocol: TCP
+              readinessProbe:
+                httpGet:
+                  path: /health
+                  port: http
+              startupProbe:
+                failureThreshold: 30
+                httpGet:
+                  path: /health
+                  port: http
+                periodSeconds: 5
+              volumeMounts:
+                - mountPath: /opt/mastodon/public/assets
+                  name: assets
+                - mountPath: /opt/mastodon/public/system
+                  name: system
           securityContext:
             fsGroup: 991
             runAsGroup: 991
             runAsUser: 991
           serviceAccountName: RELEASE-NAME-mastodon
           volumes:
-          - name: assets
-            persistentVolumeClaim:
-              claimName: RELEASE-NAME-mastodon-assets
-          - name: system
-            persistentVolumeClaim:
-              claimName: RELEASE-NAME-mastodon-system
+            - name: assets
+              persistentVolumeClaim:
+                claimName: RELEASE-NAME-mastodon-assets
+            - name: system
+              persistentVolumeClaim:
+                claimName: RELEASE-NAME-mastodon-system
   6: |
     apiVersion: networking.k8s.io/v1
     kind: Ingress
@@ -373,27 +373,27 @@ should match basic snapshot:
       name: RELEASE-NAME-mastodon
     spec:
       rules:
-      - host: mastodon.local
-        http:
-          paths:
-          - backend:
-              service:
-                name: RELEASE-NAME-mastodon-web
-                port:
-                  number: 3000
-            path: /
-            pathType: Prefix
-          - backend:
-              service:
-                name: RELEASE-NAME-mastodon-streaming
-                port:
-                  number: 4000
-            path: /api/v1/streaming
-            pathType: Prefix
+        - host: mastodon.local
+          http:
+            paths:
+              - backend:
+                  service:
+                    name: RELEASE-NAME-mastodon-web
+                    port:
+                      number: 3000
+                path: /
+                pathType: Prefix
+              - backend:
+                  service:
+                    name: RELEASE-NAME-mastodon-streaming
+                    port:
+                      number: 4000
+                path: /api/v1/streaming
+                pathType: Prefix
       tls:
-      - hosts:
-        - mastodon.local
-        secretName: mastodon-tls
+        - hosts:
+            - mastodon.local
+          secretName: mastodon-tls
   7: |
     apiVersion: batch/v1
     kind: Job
@@ -415,45 +415,45 @@ should match basic snapshot:
           name: RELEASE-NAME-mastodon-assets-precompile
         spec:
           containers:
-          - command:
-            - bash
-            - -c
-            - |
-              bundle exec rake assets:precompile && yarn cache clean
-            env:
-            - name: DB_PASS
-              valueFrom:
-                secretKeyRef:
-                  key: password
-                  name: RELEASE-NAME-postgresql
-            - name: REDIS_PASSWORD
-              valueFrom:
-                secretKeyRef:
-                  key: redis-password
-                  name: RELEASE-NAME-redis
-            - name: PORT
-              value: "3000"
-            envFrom:
-            - configMapRef:
-                name: RELEASE-NAME-mastodon-env
-            - secretRef:
-                name: RELEASE-NAME-mastodon
-            image: ghcr.io/mastodon/mastodon:4.5.6
-            imagePullPolicy: IfNotPresent
-            name: RELEASE-NAME-mastodon-assets-precompile
-            volumeMounts:
-            - mountPath: /opt/mastodon/public/assets
-              name: assets
-            - mountPath: /opt/mastodon/public/system
-              name: system
+            - command:
+                - bash
+                - -c
+                - |
+                  bundle exec rake assets:precompile && yarn cache clean
+              env:
+                - name: DB_PASS
+                  valueFrom:
+                    secretKeyRef:
+                      key: password
+                      name: RELEASE-NAME-postgresql
+                - name: REDIS_PASSWORD
+                  valueFrom:
+                    secretKeyRef:
+                      key: redis-password
+                      name: RELEASE-NAME-redis
+                - name: PORT
+                  value: "3000"
+              envFrom:
+                - configMapRef:
+                    name: RELEASE-NAME-mastodon-env
+                - secretRef:
+                    name: RELEASE-NAME-mastodon
+              image: ghcr.io/mastodon/mastodon:4.5.6
+              imagePullPolicy: IfNotPresent
+              name: RELEASE-NAME-mastodon-assets-precompile
+              volumeMounts:
+                - mountPath: /opt/mastodon/public/assets
+                  name: assets
+                - mountPath: /opt/mastodon/public/system
+                  name: system
           restartPolicy: Never
           volumes:
-          - name: assets
-            persistentVolumeClaim:
-              claimName: RELEASE-NAME-mastodon-assets
-          - name: system
-            persistentVolumeClaim:
-              claimName: RELEASE-NAME-mastodon-system
+            - name: assets
+              persistentVolumeClaim:
+                claimName: RELEASE-NAME-mastodon-assets
+            - name: system
+              persistentVolumeClaim:
+                claimName: RELEASE-NAME-mastodon-system
   8: |
     apiVersion: batch/v1
     kind: Job
@@ -475,45 +475,45 @@ should match basic snapshot:
           name: RELEASE-NAME-mastodon-chewy-upgrade
         spec:
           containers:
-          - command:
-            - bundle
-            - exec
-            - rake
-            - chewy:upgrade
-            env:
-            - name: DB_PASS
-              valueFrom:
-                secretKeyRef:
-                  key: password
-                  name: RELEASE-NAME-postgresql
-            - name: REDIS_PASSWORD
-              valueFrom:
-                secretKeyRef:
-                  key: redis-password
-                  name: RELEASE-NAME-redis
-            - name: PORT
-              value: "3000"
-            envFrom:
-            - configMapRef:
-                name: RELEASE-NAME-mastodon-env
-            - secretRef:
-                name: RELEASE-NAME-mastodon
-            image: ghcr.io/mastodon/mastodon:4.5.6
-            imagePullPolicy: IfNotPresent
-            name: RELEASE-NAME-mastodon-chewy-setup
-            volumeMounts:
-            - mountPath: /opt/mastodon/public/assets
-              name: assets
-            - mountPath: /opt/mastodon/public/system
-              name: system
+            - command:
+                - bundle
+                - exec
+                - rake
+                - chewy:upgrade
+              env:
+                - name: DB_PASS
+                  valueFrom:
+                    secretKeyRef:
+                      key: password
+                      name: RELEASE-NAME-postgresql
+                - name: REDIS_PASSWORD
+                  valueFrom:
+                    secretKeyRef:
+                      key: redis-password
+                      name: RELEASE-NAME-redis
+                - name: PORT
+                  value: "3000"
+              envFrom:
+                - configMapRef:
+                    name: RELEASE-NAME-mastodon-env
+                - secretRef:
+                    name: RELEASE-NAME-mastodon
+              image: ghcr.io/mastodon/mastodon:4.5.6
+              imagePullPolicy: IfNotPresent
+              name: RELEASE-NAME-mastodon-chewy-setup
+              volumeMounts:
+                - mountPath: /opt/mastodon/public/assets
+                  name: assets
+                - mountPath: /opt/mastodon/public/system
+                  name: system
           restartPolicy: Never
           volumes:
-          - name: assets
-            persistentVolumeClaim:
-              claimName: RELEASE-NAME-mastodon-assets
-          - name: system
-            persistentVolumeClaim:
-              claimName: RELEASE-NAME-mastodon-system
+            - name: assets
+              persistentVolumeClaim:
+                claimName: RELEASE-NAME-mastodon-assets
+            - name: system
+              persistentVolumeClaim:
+                claimName: RELEASE-NAME-mastodon-system
   9: |
     apiVersion: batch/v1
     kind: Job
@@ -535,50 +535,50 @@ should match basic snapshot:
           name: RELEASE-NAME-mastodon-create-admin
         spec:
           containers:
-          - command:
-            - bin/tootctl
-            - accounts
-            - create
-            - not_gargron
-            - --email
-            - not@example.com
-            - --confirmed
-            - --role
-            - Owner
-            env:
-            - name: DB_PASS
-              valueFrom:
-                secretKeyRef:
-                  key: password
-                  name: RELEASE-NAME-postgresql
-            - name: REDIS_PASSWORD
-              valueFrom:
-                secretKeyRef:
-                  key: redis-password
-                  name: RELEASE-NAME-redis
-            - name: PORT
-              value: "3000"
-            envFrom:
-            - configMapRef:
-                name: RELEASE-NAME-mastodon-env
-            - secretRef:
-                name: RELEASE-NAME-mastodon
-            image: ghcr.io/mastodon/mastodon:4.5.6
-            imagePullPolicy: IfNotPresent
-            name: RELEASE-NAME-mastodon-create-admin
-            volumeMounts:
-            - mountPath: /opt/mastodon/public/assets
-              name: assets
-            - mountPath: /opt/mastodon/public/system
-              name: system
+            - command:
+                - bin/tootctl
+                - accounts
+                - create
+                - not_gargron
+                - --email
+                - not@example.com
+                - --confirmed
+                - --role
+                - Owner
+              env:
+                - name: DB_PASS
+                  valueFrom:
+                    secretKeyRef:
+                      key: password
+                      name: RELEASE-NAME-postgresql
+                - name: REDIS_PASSWORD
+                  valueFrom:
+                    secretKeyRef:
+                      key: redis-password
+                      name: RELEASE-NAME-redis
+                - name: PORT
+                  value: "3000"
+              envFrom:
+                - configMapRef:
+                    name: RELEASE-NAME-mastodon-env
+                - secretRef:
+                    name: RELEASE-NAME-mastodon
+              image: ghcr.io/mastodon/mastodon:4.5.6
+              imagePullPolicy: IfNotPresent
+              name: RELEASE-NAME-mastodon-create-admin
+              volumeMounts:
+                - mountPath: /opt/mastodon/public/assets
+                  name: assets
+                - mountPath: /opt/mastodon/public/system
+                  name: system
           restartPolicy: Never
           volumes:
-          - name: assets
-            persistentVolumeClaim:
-              claimName: RELEASE-NAME-mastodon-assets
-          - name: system
-            persistentVolumeClaim:
-              claimName: RELEASE-NAME-mastodon-system
+            - name: assets
+              persistentVolumeClaim:
+                claimName: RELEASE-NAME-mastodon-assets
+            - name: system
+              persistentVolumeClaim:
+                claimName: RELEASE-NAME-mastodon-system
   10: |
     apiVersion: batch/v1
     kind: Job
@@ -600,45 +600,45 @@ should match basic snapshot:
           name: RELEASE-NAME-mastodon-db-migrate
         spec:
           containers:
-          - command:
-            - bundle
-            - exec
-            - rake
-            - db:migrate
-            env:
-            - name: DB_PASS
-              valueFrom:
-                secretKeyRef:
-                  key: password
-                  name: RELEASE-NAME-postgresql
-            - name: REDIS_PASSWORD
-              valueFrom:
-                secretKeyRef:
-                  key: redis-password
-                  name: RELEASE-NAME-redis
-            - name: PORT
-              value: "3000"
-            envFrom:
-            - configMapRef:
-                name: RELEASE-NAME-mastodon-env
-            - secretRef:
-                name: RELEASE-NAME-mastodon
-            image: ghcr.io/mastodon/mastodon:4.5.6
-            imagePullPolicy: IfNotPresent
-            name: RELEASE-NAME-mastodon-db-migrate
-            volumeMounts:
-            - mountPath: /opt/mastodon/public/assets
-              name: assets
-            - mountPath: /opt/mastodon/public/system
-              name: system
+            - command:
+                - bundle
+                - exec
+                - rake
+                - db:migrate
+              env:
+                - name: DB_PASS
+                  valueFrom:
+                    secretKeyRef:
+                      key: password
+                      name: RELEASE-NAME-postgresql
+                - name: REDIS_PASSWORD
+                  valueFrom:
+                    secretKeyRef:
+                      key: redis-password
+                      name: RELEASE-NAME-redis
+                - name: PORT
+                  value: "3000"
+              envFrom:
+                - configMapRef:
+                    name: RELEASE-NAME-mastodon-env
+                - secretRef:
+                    name: RELEASE-NAME-mastodon
+              image: ghcr.io/mastodon/mastodon:4.5.6
+              imagePullPolicy: IfNotPresent
+              name: RELEASE-NAME-mastodon-db-migrate
+              volumeMounts:
+                - mountPath: /opt/mastodon/public/assets
+                  name: assets
+                - mountPath: /opt/mastodon/public/system
+                  name: system
           restartPolicy: Never
           volumes:
-          - name: assets
-            persistentVolumeClaim:
-              claimName: RELEASE-NAME-mastodon-assets
-          - name: system
-            persistentVolumeClaim:
-              claimName: RELEASE-NAME-mastodon-system
+            - name: assets
+              persistentVolumeClaim:
+                claimName: RELEASE-NAME-mastodon-assets
+            - name: system
+              persistentVolumeClaim:
+                claimName: RELEASE-NAME-mastodon-system
   11: |
     apiVersion: batch/v1
     kind: Job
@@ -660,47 +660,47 @@ should match basic snapshot:
           name: RELEASE-NAME-mastodon-db-migrate
         spec:
           containers:
-          - command:
-            - bundle
-            - exec
-            - rake
-            - db:migrate
-            env:
-            - name: DB_PASS
-              valueFrom:
-                secretKeyRef:
-                  key: password
-                  name: RELEASE-NAME-postgresql
-            - name: REDIS_PASSWORD
-              valueFrom:
-                secretKeyRef:
-                  key: redis-password
-                  name: RELEASE-NAME-redis
-            - name: PORT
-              value: "3000"
-            - name: SKIP_POST_DEPLOYMENT_MIGRATIONS
-              value: "true"
-            envFrom:
-            - configMapRef:
-                name: RELEASE-NAME-mastodon-env
-            - secretRef:
-                name: RELEASE-NAME-mastodon
-            image: ghcr.io/mastodon/mastodon:4.5.6
-            imagePullPolicy: IfNotPresent
-            name: RELEASE-NAME-mastodon-db-migrate
-            volumeMounts:
-            - mountPath: /opt/mastodon/public/assets
-              name: assets
-            - mountPath: /opt/mastodon/public/system
-              name: system
+            - command:
+                - bundle
+                - exec
+                - rake
+                - db:migrate
+              env:
+                - name: DB_PASS
+                  valueFrom:
+                    secretKeyRef:
+                      key: password
+                      name: RELEASE-NAME-postgresql
+                - name: REDIS_PASSWORD
+                  valueFrom:
+                    secretKeyRef:
+                      key: redis-password
+                      name: RELEASE-NAME-redis
+                - name: PORT
+                  value: "3000"
+                - name: SKIP_POST_DEPLOYMENT_MIGRATIONS
+                  value: "true"
+              envFrom:
+                - configMapRef:
+                    name: RELEASE-NAME-mastodon-env
+                - secretRef:
+                    name: RELEASE-NAME-mastodon
+              image: ghcr.io/mastodon/mastodon:4.5.6
+              imagePullPolicy: IfNotPresent
+              name: RELEASE-NAME-mastodon-db-migrate
+              volumeMounts:
+                - mountPath: /opt/mastodon/public/assets
+                  name: assets
+                - mountPath: /opt/mastodon/public/system
+                  name: system
           restartPolicy: Never
           volumes:
-          - name: assets
-            persistentVolumeClaim:
-              claimName: RELEASE-NAME-mastodon-assets
-          - name: system
-            persistentVolumeClaim:
-              claimName: RELEASE-NAME-mastodon-system
+            - name: assets
+              persistentVolumeClaim:
+                claimName: RELEASE-NAME-mastodon-assets
+            - name: system
+              persistentVolumeClaim:
+                claimName: RELEASE-NAME-mastodon-system
   12: |
     apiVersion: v1
     kind: PersistentVolumeClaim
@@ -714,7 +714,7 @@ should match basic snapshot:
       name: RELEASE-NAME-mastodon-assets
     spec:
       accessModes:
-      - ReadWriteOnce
+        - ReadWriteOnce
       resources:
         requests:
           storage: 10Gi
@@ -732,7 +732,7 @@ should match basic snapshot:
       name: RELEASE-NAME-mastodon-system
     spec:
       accessModes:
-      - ReadWriteOnce
+        - ReadWriteOnce
       resources:
         requests:
           storage: 100Gi
@@ -778,10 +778,10 @@ should match basic snapshot:
       name: RELEASE-NAME-mastodon-streaming
     spec:
       ports:
-      - name: streaming
-        port: 4000
-        protocol: TCP
-        targetPort: streaming
+        - name: streaming
+          port: 4000
+          protocol: TCP
+          targetPort: streaming
       selector:
         app.kubernetes.io/component: streaming
         app.kubernetes.io/instance: RELEASE-NAME
@@ -800,10 +800,10 @@ should match basic snapshot:
       name: RELEASE-NAME-mastodon-web
     spec:
       ports:
-      - name: http
-        port: 3000
-        protocol: TCP
-        targetPort: http
+        - name: http
+          port: 3000
+          protocol: TCP
+          targetPort: http
       selector:
         app.kubernetes.io/component: web
         app.kubernetes.io/instance: RELEASE-NAME
diff --git a/charts/mok/tests/__snapshot__/dovecot_test.yaml.snap b/charts/mok/tests/__snapshot__/dovecot_test.yaml.snap
index 41a8bdf3fd4debc5e2e2d582c71f9a9d8c559f35..d524567faaedd1032e31921813d5295e0b600bfc 100644
--- a/charts/mok/tests/__snapshot__/dovecot_test.yaml.snap
+++ b/charts/mok/tests/__snapshot__/dovecot_test.yaml.snap
@@ -12,21 +12,21 @@ should match snapshot:
       name: RELEASE-NAME-mok-dovecot
     spec:
       ports:
-      - name: pop3
-        port: 110
-        protocol: TCP
-      - name: imap4
-        port: 143
-        protocol: TCP
-      - name: imaps
-        port: 993
-        protocol: TCP
-      - name: pop3s
-        port: 995
-        protocol: TCP
-      - name: sieve
-        port: 4190
-        protocol: TCP
+        - name: pop3
+          port: 110
+          protocol: TCP
+        - name: imap4
+          port: 143
+          protocol: TCP
+        - name: imaps
+          port: 993
+          protocol: TCP
+        - name: pop3s
+          port: 995
+          protocol: TCP
+        - name: sieve
+          port: 4190
+          protocol: TCP
       selector:
         app.kubernetes.io/component: dovecot
         app.kubernetes.io/instance: RELEASE-NAME
@@ -45,12 +45,12 @@ should match snapshot:
       name: RELEASE-NAME-mok-dovecot-internal
     spec:
       ports:
-      - name: lmtp
-        port: 24
-      - name: metrics
-        port: 9090
-      - name: auth
-        port: 12345
+        - name: lmtp
+          port: 24
+        - name: metrics
+          port: 9090
+        - name: auth
+          port: 12345
       selector:
         app.kubernetes.io/component: dovecot
         app.kubernetes.io/instance: RELEASE-NAME
@@ -86,68 +86,68 @@ should match snapshot:
             app.kubernetes.io/name: mok
         spec:
           containers:
-          - image: quay.io/shivering-isles/dovecot:4.5.6
-            imagePullPolicy: IfNotPresent
-            name: dovecot
-            ports:
-            - containerPort: 24
-              name: lmtp
-            - containerPort: 110
-              name: pop3
-            - containerPort: 143
-              name: imap4
-            - containerPort: 993
-              name: imaps
-            - containerPort: 995
-              name: pop3s
-            - containerPort: 4190
-              name: sieve
-            - containerPort: 9090
-              name: metrics
-            - containerPort: 12345
-              name: auth
-            resources:
-              limits:
-                cpu: 500m
-                memory: 512Mi
-              requests:
-                cpu: 100m
-                memory: 128Mi
-            securityContext:
-              allowPrivilegeEscalation: false
-              capabilities:
-                add:
-                - SYS_CHROOT
-                - CHOWN
-                - CAP_NET_BIND_SERVICE
-                - SETUID
-                - SETGID
-                - FOWNER
-                drop:
-                - ALL
-              runAsNonRoot: false
-            volumeMounts:
-            - mountPath: /srv/mail/
-              name: vmail
-            - mountPath: /srv/passdb/
-              name: users
-              readOnly: true
-            - mountPath: /srv/tls/
-              name: tls
-              readOnly: true
+            - image: quay.io/shivering-isles/dovecot:4.5.6
+              imagePullPolicy: IfNotPresent
+              name: dovecot
+              ports:
+                - containerPort: 24
+                  name: lmtp
+                - containerPort: 110
+                  name: pop3
+                - containerPort: 143
+                  name: imap4
+                - containerPort: 993
+                  name: imaps
+                - containerPort: 995
+                  name: pop3s
+                - containerPort: 4190
+                  name: sieve
+                - containerPort: 9090
+                  name: metrics
+                - containerPort: 12345
+                  name: auth
+              resources:
+                limits:
+                  cpu: 500m
+                  memory: 512Mi
+                requests:
+                  cpu: 100m
+                  memory: 128Mi
+              securityContext:
+                allowPrivilegeEscalation: false
+                capabilities:
+                  add:
+                    - SYS_CHROOT
+                    - CHOWN
+                    - CAP_NET_BIND_SERVICE
+                    - SETUID
+                    - SETGID
+                    - FOWNER
+                  drop:
+                    - ALL
+                runAsNonRoot: false
+              volumeMounts:
+                - mountPath: /srv/mail/
+                  name: vmail
+                - mountPath: /srv/passdb/
+                  name: users
+                  readOnly: true
+                - mountPath: /srv/tls/
+                  name: tls
+                  readOnly: true
           securityContext: {}
           serviceAccountName: RELEASE-NAME-mok
           terminationGracePeriodSeconds: 300
           volumes:
-          - name: vmail
-            persistentVolumeClaim:
-              claimName: RELEASE-NAME-mok-dovecot-vmail
-          - name: users
-            secret:
-              secretName: RELEASE-NAME-mok-dovecot-users
-          - name: tls
-            secret:
-              secretName: example-tls
+            - name: vmail
+              persistentVolumeClaim:
+                claimName: RELEASE-NAME-mok-dovecot-vmail
+            - name: users
+              secret:
+                secretName: RELEASE-NAME-mok-dovecot-users
+            - name: tls
+              secret:
+                secretName: example-tls
   4: |
     apiVersion: v1
     kind: PersistentVolumeClaim
@@ -161,7 +161,7 @@ should match snapshot:
       name: RELEASE-NAME-mok-dovecot-vmail
     spec:
       accessModes:
-      - ReadWriteMany
+        - ReadWriteMany
       resources:
         requests:
           storage: 5Gi
diff --git a/charts/mok/tests/__snapshot__/networkpolicies_test.yaml.snap b/charts/mok/tests/__snapshot__/networkpolicies_test.yaml.snap
index f0b0075c5974002754a6aeec6b770f9260d0a1f7..25f7750cc4c31ccc7cb7ed76cf23edb46b6153d4 100644
--- a/charts/mok/tests/__snapshot__/networkpolicies_test.yaml.snap
+++ b/charts/mok/tests/__snapshot__/networkpolicies_test.yaml.snap
@@ -12,38 +12,38 @@ matches snapshot:
       name: RELEASE-NAME-mok-dovecot
     spec:
       ingress:
-      - from:
-        - podSelector:
-            matchLabels:
-              app.kubernetes.io/component: postfix
-              app.kubernetes.io/instance: RELEASE-NAME
-              app.kubernetes.io/name: mok
-        ports:
-        - port: 24
-          protocol: TCP
-        - port: 12345
-          protocol: TCP
-      - from:
-        - ipBlock:
-            cidr: 0.0.0.0/0
-        ports:
-        - port: 110
-          protocol: TCP
-        - port: 143
-          protocol: TCP
-        - port: 993
-          protocol: TCP
-        - port: 995
-          protocol: TCP
-        - port: 4190
-          protocol: TCP
+        - from:
+            - podSelector:
+                matchLabels:
+                  app.kubernetes.io/component: postfix
+                  app.kubernetes.io/instance: RELEASE-NAME
+                  app.kubernetes.io/name: mok
+          ports:
+            - port: 24
+              protocol: TCP
+            - port: 12345
+              protocol: TCP
+        - from:
+            - ipBlock:
+                cidr: 0.0.0.0/0
+          ports:
+            - port: 110
+              protocol: TCP
+            - port: 143
+              protocol: TCP
+            - port: 993
+              protocol: TCP
+            - port: 995
+              protocol: TCP
+            - port: 4190
+              protocol: TCP
       podSelector:
         matchLabels:
           app.kubernetes.io/component: dovecot
           app.kubernetes.io/instance: RELEASE-NAME
           app.kubernetes.io/name: mok
       policyTypes:
-      - Ingress
+        - Ingress
   2: |
     apiVersion: networking.k8s.io/v1
     kind: NetworkPolicy
@@ -57,20 +57,20 @@ matches snapshot:
       name: RELEASE-NAME-mok-postfix
     spec:
       ingress:
-      - from:
-        - ipBlock:
-            cidr: 0.0.0.0/0
-        ports:
-        - port: 25
-          protocol: TCP
-        - port: 465
-          protocol: TCP
-        - port: 587
-          protocol: TCP
+        - from:
+            - ipBlock:
+                cidr: 0.0.0.0/0
+          ports:
+            - port: 25
+              protocol: TCP
+            - port: 465
+              protocol: TCP
+            - port: 587
+              protocol: TCP
       podSelector:
         matchLabels:
           app.kubernetes.io/component: postfix
           app.kubernetes.io/instance: RELEASE-NAME
           app.kubernetes.io/name: mok
       policyTypes:
-      - Ingress
+        - Ingress
diff --git a/charts/mok/tests/__snapshot__/postfix_test.yaml.snap b/charts/mok/tests/__snapshot__/postfix_test.yaml.snap
index eac63ad5e5e857f9ef770200750708810eac14c4..c9f527256d7fd18c72b0fe8fe788a4d8b7d8d8ed 100644
--- a/charts/mok/tests/__snapshot__/postfix_test.yaml.snap
+++ b/charts/mok/tests/__snapshot__/postfix_test.yaml.snap
@@ -13,15 +13,15 @@ should match snapshot:
     spec:
       externalTrafficPolicy: Local
       ports:
-      - name: smtp
-        port: 25
-        protocol: TCP
-      - name: submissions
-        port: 465
-        protocol: TCP
-      - name: submission
-        port: 587
-        protocol: TCP
+        - name: smtp
+          port: 25
+          protocol: TCP
+        - name: submissions
+          port: 465
+          protocol: TCP
+        - name: submission
+          port: 587
+          protocol: TCP
       selector:
         app.kubernetes.io/component: postfix
         app.kubernetes.io/instance: RELEASE-NAME
@@ -56,107 +56,104 @@ should match snapshot:
             app.kubernetes.io/name: mok
         spec:
           containers:
-          - env:
-            - name: DOVECOT_SERVICE_NAME
-              value: RELEASE-NAME-mok-dovecot-internal.NAMESPACE.svc.cluster.local
-            image: quay.io/shivering-isles/postfix:4.5.6
-            imagePullPolicy: IfNotPresent
-            lifecycle:
-              preStop:
+            - env:
+                - name: DOVECOT_SERVICE_NAME
+                  value: RELEASE-NAME-mok-dovecot-internal.NAMESPACE.svc.cluster.local
+              image: quay.io/shivering-isles/postfix:4.5.6
+              imagePullPolicy: IfNotPresent
+              lifecycle:
+                preStop:
+                  exec:
+                    command:
+                      - postqueue
+                      - -f
+              livenessProbe:
                 exec:
                   command:
-                  - postqueue
-                  - -f
-            livenessProbe:
-              exec:
-                command:
-                - sh
-                - -c
-                - ps axf | fgrep -v grep | fgrep -q "supervisord" && ps axf | fgrep -v
-                  grep | fgrep -q "/usr/libexec/postfix/master"
-              failureThreshold: 1
-              initialDelaySeconds: 5
-              periodSeconds: 5
-            name: postfix
-            ports:
-            - containerPort: 25
-              name: smtp
-            - containerPort: 465
-              name: submissions
-            - containerPort: 587
-              name: submission
-            readinessProbe:
-              exec:
-                command:
-                - sh
-                - -c
-                - printf "EHLO healthcheck\n" | nc 127.0.0.1 587 | grep -qE "^220.*ESMTP
-                  Postfix"
-              initialDelaySeconds: 5
-              periodSeconds: 60
-              timeoutSeconds: 5
-            resources:
-              limits:
-                cpu: 500m
-                memory: 512Mi
-              requests:
-                cpu: 100m
-                memory: 128Mi
-            securityContext:
-              allowPrivilegeEscalation: false
-              capabilities:
-                add:
-                - SYS_CHROOT
-                - CHOWN
-                - CAP_NET_BIND_SERVICE
-                - SETUID
-                - SETGID
-                - FOWNER
-                - DAC_OVERRIDE
-                drop:
-                - ALL
-              runAsNonRoot: false
-            startupProbe:
-              exec:
-                command:
-                - sh
-                - -c
-                - ps axf | fgrep -v grep | fgrep -q "supervisord" && ps axf | fgrep -v
-                  grep | fgrep -q "/usr/libexec/postfix/master"
-              failureThreshold: 12
-              initialDelaySeconds: 2
-              periodSeconds: 5
-            volumeMounts:
-            - mountPath: /var/spool/postfix/
-              name: spool
-            - mountPath: /srv/tmp
-              name: cache
-            - mountPath: /srv/virtual
-              name: maps
-              readOnly: true
-            - mountPath: /srv/tls
-              name: tls
-              readOnly: true
+                    - sh
+                    - -c
+                    - ps axf | fgrep -v grep | fgrep -q "supervisord" && ps axf | fgrep -v grep | fgrep -q "/usr/libexec/postfix/master"
+                failureThreshold: 1
+                initialDelaySeconds: 5
+                periodSeconds: 5
+              name: postfix
+              ports:
+                - containerPort: 25
+                  name: smtp
+                - containerPort: 465
+                  name: submissions
+                - containerPort: 587
+                  name: submission
+              readinessProbe:
+                exec:
+                  command:
+                    - sh
+                    - -c
+                    - printf "EHLO healthcheck\n" | nc 127.0.0.1 587 | grep -qE "^220.*ESMTP Postfix"
+                initialDelaySeconds: 5
+                periodSeconds: 60
+                timeoutSeconds: 5
+              resources:
+                limits:
+                  cpu: 500m
+                  memory: 512Mi
+                requests:
+                  cpu: 100m
+                  memory: 128Mi
+              securityContext:
+                allowPrivilegeEscalation: false
+                capabilities:
+                  add:
+                    - SYS_CHROOT
+                    - CHOWN
+                    - CAP_NET_BIND_SERVICE
+                    - SETUID
+                    - SETGID
+                    - FOWNER
+                    - DAC_OVERRIDE
+                  drop:
+                    - ALL
+                runAsNonRoot: false
+              startupProbe:
+                exec:
+                  command:
+                    - sh
+                    - -c
+                    - ps axf | fgrep -v grep | fgrep -q "supervisord" && ps axf | fgrep -v grep | fgrep -q "/usr/libexec/postfix/master"
+                failureThreshold: 12
+                initialDelaySeconds: 2
+                periodSeconds: 5
+              volumeMounts:
+                - mountPath: /var/spool/postfix/
+                  name: spool
+                - mountPath: /srv/tmp
+                  name: cache
+                - mountPath: /srv/virtual
+                  name: maps
+                  readOnly: true
+                - mountPath: /srv/tls
+                  name: tls
+                  readOnly: true
           securityContext: {}
           serviceAccountName: RELEASE-NAME-mok
           volumes:
-          - name: maps
-            secret:
-              secretName: RELEASE-NAME-mok-postfix-maps
-          - name: tls
-            secret:
-              secretName: example-tls
-          - emptyDir: {}
-            name: cache
+            - name: maps
+              secret:
+                secretName: RELEASE-NAME-mok-postfix-maps
+            - name: tls
+              secret:
+                secretName: example-tls
+            - emptyDir: {}
+              name: cache
       volumeClaimTemplates:
-      - metadata:
-          name: spool
-        spec:
-          accessModes:
-          - ReadWriteOnce
-          resources:
-            requests:
-              storage: 1Gi
+        - metadata:
+            name: spool
+          spec:
+            accessModes:
+              - ReadWriteOnce
+            resources:
+              requests:
+                storage: 1Gi
   3: |
     apiVersion: v1
     kind: Secret
diff --git a/charts/mok/tests/dovecot_test.yaml b/charts/mok/tests/dovecot_test.yaml
index c170c198ff82611bd6c1da423f2961634878a916..4842c529db3abc73428e864b499cc651a435b7dc 100644
--- a/charts/mok/tests/dovecot_test.yaml
+++ b/charts/mok/tests/dovecot_test.yaml
@@ -96,7 +96,7 @@ tests:
         secretName: example-tls
     asserts:
       - equal:
-          path: spec.template.metadata.annotations.[checksum/config]
+          path: spec.template.metadata.annotations["checksum/config"]
           value: 66ea930a9b7e50528ddc0aa54786d07f78c7f56d1daea45b21d9eb94f8e5c4f2
         documentIndex: 2
         template: dovecot.yaml
@@ -113,7 +113,7 @@ tests:
               passwordHash: NotReallyAHash
     asserts:
       - equal:
-          path: spec.template.metadata.annotations.[checksum/config]
+          path: spec.template.metadata.annotations["checksum/config"]
           value: 9215abccdd6c1f21fd329db0133f6f8e892c50aab3dcde3259ea797e8ad2a959
         documentIndex: 2
         template: dovecot.yaml
diff --git a/charts/mok/tests/helmlabels_test.yaml b/charts/mok/tests/helmlabels_test.yaml
index cbf438d738d358e46af866d56be7447f78036e0a..e6374a6b8b75889dff4aae57403de32ba15a89a4 100644
--- a/charts/mok/tests/helmlabels_test.yaml
+++ b/charts/mok/tests/helmlabels_test.yaml
@@ -21,11 +21,11 @@ tests:
       version: 1.2.3
     asserts:
       - equal:
-          path: metadata.labels.[app.kubernetes.io/instance]
+          path: metadata.labels["app.kubernetes.io/instance"]
           value: "test-suite"
       - equal:
-          path: metadata.labels.[app.kubernetes.io/managed-by]
+          path: metadata.labels["app.kubernetes.io/managed-by"]
           value: "Helm"
       - equal:
-          path: metadata.labels.[app.kubernetes.io/name]
+          path: metadata.labels["app.kubernetes.io/name"]
           value: "mok"
diff --git a/charts/mok/tests/networkpolicies_test.yaml b/charts/mok/tests/networkpolicies_test.yaml
index 1e16993c8fb357aff31269f7a7f6c98e08f21ea9..b94489955bb221e19ea056674661c82b56b89358 100644
--- a/charts/mok/tests/networkpolicies_test.yaml
+++ b/charts/mok/tests/networkpolicies_test.yaml
@@ -65,7 +65,7 @@ tests:
           value: 0.0.0.0/0
         documentIndex: 0
         template: networkpolicy.yaml
-      - isEmpty:
+      - isNull:
           path: spec.ingress[1].from[0].ipBlock.except
         documentIndex: 0
         template: networkpolicy.yaml
@@ -100,7 +100,7 @@ tests:
           value: 0.0.0.0/0
         documentIndex: 0
         template: networkpolicy.yaml
-      - isEmpty:
+      - isNull:
           path: spec.ingress[1].from[0].ipBlock.except
         documentIndex: 0
         template: networkpolicy.yaml
@@ -135,7 +135,7 @@ tests:
           value: 0.0.0.0/0
         documentIndex: 0
         template: networkpolicy.yaml
-      - isEmpty:
+      - isNull:
           path: spec.ingress[1].from[0].ipBlock.except
         documentIndex: 0
         template: networkpolicy.yaml
@@ -164,7 +164,7 @@ tests:
           value: 0.0.0.0/0
         documentIndex: 1
         template: networkpolicy.yaml
-      - isEmpty:
+      - isNull:
           path: spec.ingress[0].from[0].ipBlock.except
         documentIndex: 1
         template: networkpolicy.yaml
@@ -192,7 +192,7 @@ tests:
           value: 0.0.0.0/0
         documentIndex: 1
         template: networkpolicy.yaml
-      - isEmpty:
+      - isNull:
           path: spec.ingress[0].from[0].ipBlock.except
         documentIndex: 1
         template: networkpolicy.yaml
@@ -232,7 +232,7 @@ tests:
           value: 127.0.123.123/32
         documentIndex: 1
         template: networkpolicy.yaml
-      - isEmpty:
+      - isNull:
           path: spec.ingress[1].from[0].ipBlock.except
         documentIndex: 1
         template: networkpolicy.yaml
diff --git a/charts/mok/tests/postfix_test.yaml b/charts/mok/tests/postfix_test.yaml
index dbee2ef9f8e5eb44e4798a0e9d7a011e4467faf9..51a23aa5f82471faa190ad93213040e25c28c894 100644
--- a/charts/mok/tests/postfix_test.yaml
+++ b/charts/mok/tests/postfix_test.yaml
@@ -82,7 +82,7 @@ tests:
         secretName: example-tls
     asserts:
       - equal:
-          path: spec.template.metadata.annotations.[checksum/config]
+          path: spec.template.metadata.annotations["checksum/config"]
           value: 66ea930a9b7e50528ddc0aa54786d07f78c7f56d1daea45b21d9eb94f8e5c4f2
         documentIndex: 1
         template: postfix.yaml
@@ -99,7 +99,7 @@ tests:
               passwordHash: NotReallyAHash
     asserts:
       - equal:
-          path: spec.template.metadata.annotations.[checksum/config]
+          path: spec.template.metadata.annotations["checksum/config"]
           value: 9215abccdd6c1f21fd329db0133f6f8e892c50aab3dcde3259ea797e8ad2a959
         documentIndex: 1
         template: postfix.yaml