diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 350747ae0..a39e5eadf 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -28,7 +28,7 @@ jobs:
           go-version: ${{ env.GO_VERSION }}
 
       - name: Replace images
-        run: make dev-images && cat internal/controller/constants/images.go
+        run: make dev-images && cat internal/images/images.env
 
       - name: Build operator container
         run: make docker-build docker-push
@@ -51,7 +51,7 @@ jobs:
         uses: actions/checkout@v4
 
       - name: Replace images
-        run: make dev-images && cat internal/controller/constants/images.go
+        run: make dev-images && cat internal/images/images.env
 
       - name: Build operator bundle
         run: make bundle bundle-build bundle-push
@@ -276,7 +276,7 @@ jobs:
         run: go install github.com/sigstore/cosign/v2/cmd/cosign@v2.4.0
 
       - name: Replace images
-        run: make dev-images && cat internal/controller/constants/images.go
+        run: make dev-images && cat internal/images/images.env
 
       - name: Run tests
         run: make test-e2e
@@ -402,7 +402,7 @@ jobs:
         run: go install github.com/sigstore/cosign/v2/cmd/cosign@v2.4.0
 
       - name: Replace images
-        run: make dev-images && cat internal/controller/constants/images.go
+        run: make dev-images && cat internal/images/images.env
 
       - name: Run tests
         env:
@@ -477,7 +477,7 @@ jobs:
           sudo echo "127.0.0.1 fulcio-server.local tuf.local rekor-server.local rekor-search-ui.local cli-server.local" | sudo tee -a /etc/hosts
 
       - name: Replace images
-        run: make dev-images && cat internal/controller/constants/images.go
+        run: make dev-images && cat internal/images/images.env
 
       - name: Run tests
         env:
diff --git a/config/default/kustomization.yaml b/config/default/kustomization.yaml
index 5e23a3e44..817a34533 100644
--- a/config/default/kustomization.yaml
+++ b/config/default/kustomization.yaml
@@ -209,3 +209,117 @@ replacements:
     select:
       kind: Deployment
       name: operator-controller-manager
+
+# Protect the /metrics endpoint by putting it behind auth.
+# If you want your controller-manager to expose the /metrics
+# endpoint w/o any authn/z, please comment the following line.
+#- path: manager_auth_proxy_patch.yaml
+
+# [WEBHOOK] To enable webhook, uncomment all the sections with [WEBHOOK] prefix including the one in
+# crd/kustomization.yaml
+#- path: manager_webhook_patch.yaml
+
+# [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER'.
+# Uncomment 'CERTMANAGER' sections in crd/kustomization.yaml to enable the CA injection in the admission webhooks.
+# 'CERTMANAGER' needs to be enabled to use ca injection
+#- path: webhookcainjection_patch.yaml
+
+# [CERTMANAGER] To enable cert-manager, uncomment all sections with 'CERTMANAGER' prefix.
+# Uncomment the following replacements to add the cert-manager CA injection annotations
+#replacements:
+#  - source: # Add cert-manager annotation to ValidatingWebhookConfiguration, MutatingWebhookConfiguration and CRDs
+#      kind: Certificate
+#      group: cert-manager.io
+#      version: v1
+#      name: serving-cert # this name should match the one in certificate.yaml
+#      fieldPath: .metadata.namespace # namespace of the certificate CR
+#    targets:
+#      - select:
+#          kind: ValidatingWebhookConfiguration
+#        fieldPaths:
+#          - .metadata.annotations.[cert-manager.io/inject-ca-from]
+#        options:
+#          delimiter: '/'
+#          index: 0
+#          create: true
+#      - select:
+#          kind: MutatingWebhookConfiguration
+#        fieldPaths:
+#          - .metadata.annotations.[cert-manager.io/inject-ca-from]
+#        options:
+#          delimiter: '/'
+#          index: 0
+#          create: true
+#      - select:
+#          kind: CustomResourceDefinition
+#        fieldPaths:
+#          - .metadata.annotations.[cert-manager.io/inject-ca-from]
+#        options:
+#          delimiter: '/'
+#          index: 0
+#          create: true
+#  - source:
+#      kind: Certificate
+#      group: cert-manager.io
+#      version: v1
+#      name: serving-cert # this name should match the one in certificate.yaml
+#      fieldPath: .metadata.name
+#    targets:
+#      - select:
+#          kind: ValidatingWebhookConfiguration
+#        fieldPaths:
+#          - .metadata.annotations.[cert-manager.io/inject-ca-from]
+#        options:
+#          delimiter: '/'
+#          index: 1
+#          create: true
+#      - select:
+#          kind: MutatingWebhookConfiguration
+#        fieldPaths:
+#          - .metadata.annotations.[cert-manager.io/inject-ca-from]
+#        options:
+#          delimiter: '/'
+#          index: 1
+#          create: true
+#      - select:
+#          kind: CustomResourceDefinition
+#        fieldPaths:
+#          - .metadata.annotations.[cert-manager.io/inject-ca-from]
+#        options:
+#          delimiter: '/'
+#          index: 1
+#          create: true
+#  - source: # Add cert-manager annotation to the webhook Service
+#      kind: Service
+#      version: v1
+#      name: webhook-service
+#      fieldPath: .metadata.name # namespace of the service
+#    targets:
+#      - select:
+#          kind: Certificate
+#          group: cert-manager.io
+#          version: v1
+#        fieldPaths:
+#          - .spec.dnsNames.0
+#          - .spec.dnsNames.1
+#        options:
+#          delimiter: '.'
+#          index: 0
+#          create: true
+#  - source:
+#      kind: Service
+#      version: v1
+#      name: webhook-service
+#      fieldPath: .metadata.namespace # namespace of the service
+#    targets:
+#      - select:
+#          kind: Certificate
+#          group: cert-manager.io
+#          version: v1
+#        fieldPaths:
+#          - .spec.dnsNames.0
+#          - .spec.dnsNames.1
+#        options:
+#          delimiter: '.'
+#          index: 1
+#          create: true
\ No newline at end of file