diff --git a/pkg/operator/data/charts/project-operator/Chart.yaml b/pkg/operator/data/charts/project-operator/Chart.yaml
index ba7d608..757f3b2 100644
--- a/pkg/operator/data/charts/project-operator/Chart.yaml
+++ b/pkg/operator/data/charts/project-operator/Chart.yaml
@@ -2,5 +2,5 @@ apiVersion: v2
 name: project-operator
 description: A Helm chart for https://github.com/sap/project-operator
 type: application
-version: 0.1.2
-appVersion: v0.1.1
+version: 0.1.3
+appVersion: v0.1.2
diff --git a/pkg/operator/data/charts/project-operator/README.md b/pkg/operator/data/charts/project-operator/README.md
index d1cf70c..9960fac 100644
--- a/pkg/operator/data/charts/project-operator/README.md
+++ b/pkg/operator/data/charts/project-operator/README.md
@@ -1,6 +1,6 @@
 # project-operator
 
-![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.1.0](https://img.shields.io/badge/AppVersion-v0.1.0-informational?style=flat-square)
+![Version: 0.1.3](https://img.shields.io/badge/Version-0.1.3-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.1.2](https://img.shields.io/badge/AppVersion-v0.1.2-informational?style=flat-square)
 
 A Helm chart for https://github.com/sap/project-operator
 
@@ -15,11 +15,11 @@ A Helm chart for https://github.com/sap/project-operator
 | image.tag | string | `""` | Image tag (defauls to .Chart.AppVersion) |
 | image.pullPolicy | string | `"IfNotPresent"` | Image pull policy |
 | imagePullSecrets | list | `[]` | Image pull secrets |
+| nodeSelector | object | `{}` | Node selector |
 | affinity | object | `{}` | Affinity settings |
 | topologySpreadConstraints | list | `[]` | Topology spread constraints (if unspecified, default constraints for hostname and zone will be generated) |
 | defaultHostNameSpreadPolicy | string | `"ScheduleAnyway"` | Default topology spread policy for hostname |
 | defaultZoneSpreadPolicy | string | `"ScheduleAnyway"` | Default topology spread policy for zone |
-| nodeSelector | object | `{}` | Node selector |
 | tolerations | list | `[]` | Tolerations |
 | priorityClassName | string | `""` | Priority class |
 | podSecurityContext | object | `{}` | Pod security context |
@@ -30,6 +30,10 @@ A Helm chart for https://github.com/sap/project-operator
 | resources.limits.cpu | float | `0.1` | CPU limit |
 | resources.requests.memory | string | `"20Mi"` | Memory request |
 | resources.requests.cpu | float | `0.01` | CPU request |
+| webhook.certManager.enabled | bool | `false` | Whether to use cert-manager to manage webhook tls |
+| webhook.certManager.issuerGroup | string | `""` | Issuer group (only relevant if enabled is true; if unset, the default cert-manager group is used) |
+| webhook.certManager.issuerKind | string | `""` | Issuer kind (only relevant if enabled is true; if unset, the default cert-manager type 'Issuer' is used) |
+| webhook.certManager.issuerName | string | `""` | Issuer name (only relevant if enabled is true; if unset, a self-signed issuer is used) |
 | namespacePrefix | string | `""` | Prefix for project namespaces (if empty, the operator default will be used) |
 | adminClusterRole | string | `""` | Cluster role to be granted to admin members on the project namespace (if empty, the operator default will be used) |
 | viewerClusterRole | string | `""` | Cluster role to be granted to viewer members on the project namespace (if empty, the operator default will be used) |
diff --git a/pkg/operator/data/charts/project-operator/templates/deployment.yaml b/pkg/operator/data/charts/project-operator/templates/deployment.yaml
index 492c220..8e77cf3 100644
--- a/pkg/operator/data/charts/project-operator/templates/deployment.yaml
+++ b/pkg/operator/data/charts/project-operator/templates/deployment.yaml
@@ -38,19 +38,28 @@ spec:
       affinity:
         {{- toYaml . | nindent 8 }}
       {{- end }}
-      {{- if .Values.topologySpreadConstraints }}
+      {{- with .Values.topologySpreadConstraints }}
       topologySpreadConstraints:
-      {{- toYaml .Values.topologySpreadConstraints | trim | nindent 6 }}
+      {{- range . }}
+      - {{ toYaml . | trim | nindent 8 }}
+        {{- if not .labelSelector }}
+        labelSelector:
+          matchLabels:
+            {{- include "project-operator.selectorLabels" $ | nindent 12 }}
+        {{- end }}
+      {{- end }}
       {{- else }}
       topologySpreadConstraints:
       - maxSkew: 1
         topologyKey: kubernetes.io/hostname
+        nodeTaintsPolicy: Honor
         whenUnsatisfiable: {{ .Values.defaultHostNameSpreadPolicy  }}
         labelSelector:
           matchLabels:
             {{- include "project-operator.selectorLabels" . | nindent 12 }}
       - maxSkew: 1
         topologyKey: topology.kubernetes.io/zone
+        nodeTaintsPolicy: Honor
         whenUnsatisfiable: {{ .Values.defaultZoneSpreadPolicy  }}
         labelSelector:
           matchLabels:
@@ -69,12 +78,32 @@ spec:
       - name: controller
         image: {{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}
         imagePullPolicy: {{ .Values.image.pullPolicy }}
+        ports:
+        - name: webhooks
+          containerPort: 9443
+          protocol: TCP
+        - name: metrics
+          containerPort: 8080
+          protocol: TCP
+        - name: probes
+          containerPort: 8081
+          protocol: TCP
         {{- with .Values.securityContext }}
         securityContext:
           {{- toYaml . | nindent 12 }}
         {{- end }}
         resources:
           {{- toYaml .Values.resources | nindent 12 }}
+        livenessProbe:
+          httpGet:
+            port: probes
+            scheme: HTTP
+            path: /healthz
+        readinessProbe:
+          httpGet:
+            port: probes
+            scheme: HTTP
+            path: /readyz
         args:
         - "--leader-elect=true"
         {{- with .Values.namespacePrefix }}
@@ -89,13 +118,6 @@ spec:
         {{- with .Values.enableClusterView }}
         - "--enable-cluster-view"
         {{- end }}
-        ports:
-        - containerPort: 9443
-          name: webhook-server
-          protocol: TCP
-        - containerPort: 8080
-          name: http
-          protocol: TCP
         volumeMounts:
         - mountPath: /tmp/k8s-webhook-server/serving-certs
           name: tls
diff --git a/pkg/operator/data/charts/project-operator/templates/service.yaml b/pkg/operator/data/charts/project-operator/templates/service.yaml
index 671a07a..fd92d28 100644
--- a/pkg/operator/data/charts/project-operator/templates/service.yaml
+++ b/pkg/operator/data/charts/project-operator/templates/service.yaml
@@ -9,7 +9,7 @@ spec:
   ports:
     - port: 443
       protocol: TCP
-      targetPort: webhook-server
+      targetPort: webhooks
       name: https
   selector:
     {{- include "project-operator.selectorLabels" . | nindent 4 }}
\ No newline at end of file
diff --git a/pkg/operator/data/charts/project-operator/values.yaml b/pkg/operator/data/charts/project-operator/values.yaml
index 7696b1a..c360c46 100644
--- a/pkg/operator/data/charts/project-operator/values.yaml
+++ b/pkg/operator/data/charts/project-operator/values.yaml
@@ -14,6 +14,8 @@ image:
   pullPolicy: IfNotPresent
 # -- Image pull secrets
 imagePullSecrets: []
+# -- Node selector
+nodeSelector: {}
 # -- Affinity settings
 affinity: {}
 # -- Topology spread constraints (if unspecified, default constraints for hostname and zone will be generated)
@@ -22,8 +24,6 @@ topologySpreadConstraints: []
 defaultHostNameSpreadPolicy: ScheduleAnyway
 # -- Default topology spread policy for zone
 defaultZoneSpreadPolicy: ScheduleAnyway
-# -- Node selector
-nodeSelector: {}
 # -- Tolerations
 tolerations: []
 # -- Priority class