diff --git a/.github/workflows/helm_release.yaml b/.github/workflows/helm_release.yaml
new file mode 100644
index 0000000..e911cdc
--- /dev/null
+++ b/.github/workflows/helm_release.yaml
@@ -0,0 +1,35 @@
+# from https://github.com/wkbrd/docker-registry.helm/blob/main/.github/workflows/helm_release.yaml
+# Apache 2 License
+
+name: Release Charts
+env:
+ HELM_VERSION_TO_INSTALL: 3.14.0
+ GCR_IMAGE: ghcr.io/${{ github.repository_owner }}
+
+on:
+ workflow_dispatch:
+
+jobs:
+ release:
+ permissions:
+ contents: write
+ packages: write
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+
+ - name: install helm
+ uses: Azure/setup-helm@v4.2.0
+ with:
+ # Version of helm
+ version: ${{ env.HELM_VERSION_TO_INSTALL }} # default is latest
+
+ - name: publish to oci registry
+ run: |
+ echo ${{ secrets.GITHUB_TOKEN }} | helm registry login ghcr.io --username ${{ github.repository_owner }} --password-stdin
+ helm package ${{ github.workspace }}/charts/questdb/
+ package=`ls -t questdb-*.tgz | head -n 1`
+ helm push "${package}" oci://${{ env.GCR_IMAGE }}
diff --git a/charts/questdb/Chart.yaml b/charts/questdb/Chart.yaml
index d0eaa42..87372a4 100644
--- a/charts/questdb/Chart.yaml
+++ b/charts/questdb/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v2
 name: questdb
-version: 1.0.11
+version: 1.0.12-alpha1
 appVersion: 9.0.3
 description: Run QuestDB on Kubernetes via Helm
 icon: https://questdb.com/img/favicon.png
diff --git a/charts/questdb/templates/_helpers.tpl b/charts/questdb/templates/_helpers.tpl
index 85d5aed..48dba79 100644
--- a/charts/questdb/templates/_helpers.tpl
+++ b/charts/questdb/templates/_helpers.tpl
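Review bot: The publish step expands `${{ secrets.GITHUB_TOKEN }}` and `${{ github.repository_owner }}` straight into the shell text of `run:`; GitHub's hardening guidance is to hand such values to the step through `env:` and read them as shell variables, e.g. `echo "$REGISTRY_TOKEN" | helm registry login ghcr.io --username "$REGISTRY_USER" --password-stdin`, so neither value is ever part of the command line Actions assembles. The job requests `contents: write`, yet nothing visible in the workflow pushes commits or creates a release — `packages: write` is all the OCI push needs, so drop the extra scope unless a later step relies on it. Both actions are pinned to mutable tags (`actions/checkout@v4`, `Azure/setup-helm@v4.2.0`); for a workflow that holds a publishing token, pinning to a full commit SHA with the tag in a trailing comment closes off tag retargeting. The archive to push is chosen with `ls -t questdb-*.tgz | head -n 1`, which takes whatever is newest in the workspace; `helm package --destination` into a fresh directory makes that choice deterministic.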
@@ -79,3 +79,54 @@ Generate log.conf file content {{ $key }} = {{ $value }} {{- end }} {{- end }} + +{{/* +Generate mime.types file content +*/}} +{{- define "generateMimeConfig" -}} +{{- range $key, $value := index .Values.questdb.mimeConfig.options }} +{{ $key }} {{ $value }} +{{- end }} +{{- end }} + +{{/* +Build openshift detection +*/}} +{{- define "isOpenshiftEnabled" -}} +{{- $openshiftEnabledString := (.Values.openshift).enabled | toString -}} +{{- if eq $openshiftEnabledString "true" -}} +true +{{- else if and (eq $openshiftEnabledString "detect") (.Capabilities.APIVersions.Has "security.openshift.io/v1") }} +true +{{- end }} +{{- end }} + +{{/* +Build securityContext +*/}} +{{- define "generateSecurityContext" -}} +{{- $context := .Values.securityContext -}} +{{- if $context -}} +{{- if (include "isOpenshiftEnabled" .) -}} +{{- $context = omit $context "runAsUser" "runAsGroup" "fsGroup" -}} +{{- end -}} +{{- else -}} +{{ $context = dict -}} +{{- end -}} +{{ $context | toYaml }} +{{- end }} + +{{/* +Build podSecurityContext +*/}} +{{- define "generatePodSecurityContext" -}} +{{- $context := .Values.podSecurityContext -}} +{{- if $context -}} +{{- if (include "isOpenshiftEnabled" .) -}} +{{- $context = omit $context "runAsUser" "runAsGroup" "fsGroup" -}} +{{- end -}} +{{- else -}} +{{ $context = dict -}} +{{- end -}} +{{ $context | toYaml }} +{{- end }} diff --git a/charts/questdb/templates/config.yaml b/charts/questdb/templates/config.yaml index e085861..4f4c856 100644 --- a/charts/questdb/templates/config.yaml +++ b/charts/questdb/templates/config.yaml @@ -18,6 +18,9 @@ data: {{- if .Values.questdb.loggingConfig.enabled }} log.conf: {{ include "generateLogConfig" . | b64enc -}} {{- end }} + {{- if .Values.questdb.mimeConfig.enabled }} + mime.types: {{ include "generateMimeConfig" . | b64enc -}} + {{- end }} {{- else }} data: {{- if .Values.questdb.serverConfig.enabled }} 
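Review bot: `isOpenshiftEnabled` decides the `detect` case with `.Capabilities.APIVersions.Has "security.openshift.io/v1"`, and that list is only populated when Helm talks to an API server; under `helm template` and GitOps renderers that do not pass `--validate`, `detect` silently resolves to false, so the rendered manifests keep `runAsUser`/`runAsGroup`/`fsGroup` and the restricted SCC may refuse the pod. That limit belongs in the helper's header comment: `Resolves to "true" when openshift.enabled is true, or when it is "detect" and the security.openshift.io/v1 API is reachable; client-side rendering (helm template) cannot detect OpenShift, set openshift.enabled=true explicitly there.` `generateSecurityContext` and `generatePodSecurityContext` differ only in the values key they read, so one helper that receives the context mapping as an argument would remove the duplicated omit logic. Two smaller points: `index .Values.questdb.mimeConfig.options` with a single argument is a no-op and can be dropped, and the two `{{ $context = dict -}}` lines lack the left trim marker their neighbours use, so the include output gains a leading newline in the empty-context case.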
@@ -28,5 +31,9 @@ data: log.conf: | {{- include "generateLogConfig" . | nindent 4 -}} {{- end }} + {{- if .Values.questdb.mimeConfig.enabled }} + mime.types: | + {{- include "generateMimeConfig" . | nindent 4 -}} + {{- end }} {{- end }} {{- end }} diff --git a/charts/questdb/templates/serviceaccount.yaml b/charts/questdb/templates/serviceaccount.yaml index 4b3b0c6..cffb1d7 100644 --- a/charts/questdb/templates/serviceaccount.yaml +++ b/charts/questdb/templates/serviceaccount.yaml @@ -1,6 +1,7 @@ {{- if .Values.serviceAccount.create }} apiVersion: v1 kind: ServiceAccount +automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }} metadata: name: {{ include "questdb.serviceAccountName" . }} {{- if .Values.serviceAccount.labels }} diff --git a/charts/questdb/templates/statefulset.yaml b/charts/questdb/templates/statefulset.yaml index a3956c6..bf21511 100644 --- a/charts/questdb/templates/statefulset.yaml +++ b/charts/questdb/templates/statefulset.yaml @@ -29,14 +29,15 @@ spec: {{- toYaml . | nindent 8 }} {{- end }} securityContext: - {{- toYaml .Values.podSecurityContext | nindent 8 }} + {{- include "generatePodSecurityContext" . | nindent 8 }} {{- if or .Values.serviceAccount.create .Values.serviceAccount.name }} serviceAccountName: {{ include "questdb.serviceAccountName" . }} {{- end }} + automountServiceAccountToken: {{ .Values.automountServiceAccountToken }} containers: - name: {{ .Chart.Name }} securityContext: - {{- toYaml .Values.securityContext | nindent 12 }} + {{- include "generateSecurityContext" . | nindent 12 }} image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" imagePullPolicy: {{ .Values.image.pullPolicy }} env: 
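Review bot: `automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }}` renders an empty value when a user's values file sets the key to null (Helm drops it from the merged values), and an empty field is read by Kubernetes as unset, i.e. the API default of true; the hardening then reverts silently instead of failing. `automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken | default false }}` keeps the chart's intended default in that case; the same applies to `automountServiceAccountToken: {{ .Values.automountServiceAccountToken }}` in the statefulset.yaml hunk on this line. Since the chart now exposes both knobs, values.yaml should say that the pod-level field takes precedence over the ServiceAccount one when both are set. The new field also sits between `kind:` and `metadata:`; placing it after `metadata:` matches the usual ServiceAccount layout and is purely cosmetic.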
@@ -49,6 +50,12 @@ spec: {{ toYaml .Values.questdb.envFrom | nindent 10 }} {{- end }} volumeMounts: + - name: tmpfs-tmp + mountPath: /tmp + - name: tmpfs-questdb-import + mountPath: /var/lib/questdb/import + - name: tmpfs-questdb-public + mountPath: /var/lib/questdb/public - name: {{ include "questdb.fullname" . }} mountPath: {{ .Values.questdb.dataDir }}/db subPath: db/ @@ -68,6 +75,11 @@ spec: mountPath: {{ .Values.questdb.dataDir }}/conf/log.conf subPath: log.conf {{- end }} + {{- if .Values.questdb.mimeConfig.enabled }} + - name: mime-config + mountPath: {{ .Values.questdb.dataDir }}/conf/mime.types + subPath: mime.types + {{- end }} {{- if .Values.extraVolumeMounts }} {{ toYaml .Values.extraVolumeMounts | nindent 10 }} {{- end }} @@ -103,6 +115,8 @@ spec: - name: init-db-migration image: "{{ .Values.dataMigration.image.repository }}:{{ .Values.dataMigration.image.tag }}" command: ["bash", "/mnt/migration_scripts/migrate_to_helm_v1.sh"] + securityContext: + {{- include "generateSecurityContext" . | nindent 12 }} volumeMounts: - name: {{ include "questdb.fullname" . }} mountPath: /mnt/questdb @@ -128,6 +142,12 @@ spec: {{- toYaml . | nindent 8 }} {{- end }} volumes: + - name: tmpfs-tmp + emptyDir: {} + - name: tmpfs-questdb-import + emptyDir: {} + - name: tmpfs-questdb-public + emptyDir: {} {{- if .Values.questdb.serverConfig.enabled }} - name: server-config {{- if eq .Values.questdb.configStorageType "Secret" }} @@ -148,6 +168,16 @@ spec: name: {{ include "questdb.fullname" . }} {{- end }} {{- end }} + {{- if .Values.questdb.mimeConfig.enabled }} + - name: mime-config + {{- if eq .Values.questdb.configStorageType "Secret" }} + secret: + secretName: {{ include "questdb.fullname" . }} + {{- else }} + configMap: + name: {{ include "questdb.fullname" . }} + {{- end }} + {{- end }} - name: migration-scripts configMap: name: {{ include "questdb.fullname" . }}-db-migrations 
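Review bot: In the third hunk on this line the `init-db-migration` container now gets the main container's `securityContext` through `generateSecurityContext`, which with the new values.yaml defaults means `readOnlyRootFilesystem: true`, `runAsUser: 10001` and every capability dropped, but it runs a different image (`dataMigration.image`) and a bash migration script that is outside this diff, so whether that image and script work under those constraints cannot be checked here and there is no separate override. A `dataMigration.securityContext` value that falls back to the shared one when unset would let operators relax the init container alone without weakening the main container. One case to verify before release: data directories written by earlier chart versions under a different UID may not be writable by 10001, and a failing init container blocks the whole pod.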
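Review bot: The three volumes added in the fourth hunk are named `tmpfs-*` but are declared as `emptyDir: {}`, which is backed by the node's disk rather than memory, and with no `sizeLimit` they are unbounded; since `readOnlyRootFilesystem: true` makes `/tmp`, the import and the public directories the only writable paths in the container, a large import or a filled `/tmp` can grow until the kubelet evicts the pod. Either drop the misleading prefix or make it true, per volume: `emptyDir:` / `  medium: Memory` / `  sizeLimit: <limit, e.g. 1Gi>` (memory-backed emptyDir counts against the container's memory limit, so pick the size with that in mind). Mounting an empty volume over `/var/lib/questdb/public` also hides anything the image ships there; I cannot tell from the chart whether QuestDB regenerates that directory at startup, so that is worth confirming against the image. The matching `volumeMounts` entries are in the first hunk on this line.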
diff --git a/charts/questdb/values.yaml b/charts/questdb/values.yaml index 9a723ba..03ddd83 100644 --- a/charts/questdb/values.yaml +++ b/charts/questdb/values.yaml @@ -8,8 +8,24 @@ nameOverride: "" fullnameOverride: "" podAnnotations: {} -podSecurityContext: {} -securityContext: {} +podSecurityContext: + fsGroup: 10001 + seccompProfile: + type: RuntimeDefault + +securityContext: + readOnlyRootFilesystem: true + capabilities: + drop: + - ALL + runAsNonRoot: true + runAsUser: 10001 + runAsGroup: 10001 + privileged: false + allowPrivilegeEscalation: false + seccompProfile: + type: RuntimeDefault + extraVolumes: [] extraVolumeMounts: [] extraLabels: {} @@ -23,6 +39,9 @@ questdb: loggingConfig: enabled: false options: {} + mimeConfig: + enabled: false + options: {} # env supports key/value pairs that are added directly to the questdb statefulset's env env: {} # envFrom supports a list of sources that will be injected into the questdb statefulset's env @@ -94,6 +113,7 @@ livenessProbe: {} # successThreshold: 1 # timeoutSeconds: 2 +automountServiceAccountToken: false metrics: enabled: true @@ -106,6 +126,7 @@ serviceAccount: create: false labels: {} annotations: {} + automountServiceAccountToken: false # if create is set to "true", you can specify the name of that service account below # if create is set to "false", you can use this to reference an existing service account for the StatefulSet pod @@ -121,3 +142,8 @@ dataMigration: memory: "256Mi" limits: memory: "1Gi" + +# openshift +openshift: + enabled: detect +
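Review bot: `podSecurityContext.fsGroup: 10001` is set without `fsGroupChangePolicy`, so the kubelet recursively chowns the data volume on every pod start, which on a large QuestDB PVC can delay startup by minutes; adding `fsGroupChangePolicy: "OnRootMismatch"` keeps the ownership fix and only walks the tree when the volume root is not already owned by the group. `runAsNonRoot`, `runAsUser` and `runAsGroup` live only in the container-level `securityContext`, so any init container or sidecar a user adds inherits none of them; moving `runAsNonRoot: true` to `podSecurityContext` (the OpenShift helper strips only the UID/GID keys) gives a pod-wide floor. The block carries no comment on why 10001 was chosen or that it must agree with the image's user; a line such as `# UID/GID the questdb image is expected to run as; change together with the image, not on its own` would help the next maintainer. Since the group ownership change `fsGroup` applies to existing files on the PVC is not reversed by rolling the chart back, it is worth calling out in the release notes for this version.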
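Review bot: `openshift.enabled: detect` in the last hunk introduces a tri-state string whose accepted values and meaning are not documented anywhere in values.yaml, and the `detect` mode in `_helpers.tpl` depends on a live API server, which client-side rendering does not have. A comment above the key, e.g. `# true | false | detect. "detect" looks for the security.openshift.io/v1 API, which needs a cluster connection; helm template and client-side GitOps renders treat it as false, so set true explicitly there`, would make the contract visible where users edit it. The bare `# openshift` line above the block adds nothing the key name does not already say and could carry that explanation instead.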