diff --git a/changelog/0.43.md b/changelog/0.43.md
new file mode 100644
index 000000000..ebce1a315
--- /dev/null
+++ b/changelog/0.43.md
@@ -0,0 +1,81 @@
+# v0.43.0
+
+Released 2025-01-20
+
+> [!WARNING]
+> **Security Notice(s)**
+> - OpenSearch Dashboards was upgraded to `2.17.1` which mitigates [CVE-2024-45801](https://github.com/advisories/GHSA-mmhx-hmjr-r674)
+<!-- -->
+> [!IMPORTANT]
+> **Platform Administrator Notice(s)**
+> - The diagnostics script now assumes to retrieve GPG keys from a file `$CK8S_CONFIG_PATH/diagnostics_receiver.gpg` if the `CK8S_PGP_FP` environment variable is not set.
+> - Default external traffic policy is now set to `local`. If your infrastructure doesn't support this, please set `.externalTrafficPolicy.local` to false.
+> - The `hnc.excludedNamespaces` configuration option has been removed, you can use `hnc.excludedExtraNamespaces` if you need additional excluded namespaces.
+> - The resource request capacity management alerts have been reworked to target the `elastisys.io/node-group` label instead of being based on node name patterns. As such, any previous override config for `prometheus.capacityManagementAlerts.requestLimit` will be invalid and needs to be reconfigured or removed to use the new defaults.
+> - Migration steps for old releases other than the last five releases have been pruned to simplify repository maintainability.
+>   The old migrations can still be accessed by looking at their respective release tag.
+
+## Release highlights
+
+- Default external traffic policy is now set to `local`. If your infrastructure doesn't support this, please set `.externalTrafficPolicy.local` to false.
+
+## Changes by kind
+
+### Feature(s)
+
+- [#2367](https://github.com/elastisys/compliantkubernetes-apps/pull/2367) - Add extra Application Developer RBAC config @anders-elastisys
+
+### Improvement(s)
+
+- [#2203](https://github.com/elastisys/compliantkubernetes-apps/pull/2203) - apps sc: Alert size over limit only on active indices @aarnq
+- [#2250](https://github.com/elastisys/compliantkubernetes-apps/pull/2250) - Use file with GPG keys for diagnostics script and other improvements @anders-elastisys
+- [#2310](https://github.com/elastisys/compliantkubernetes-apps/pull/2310) - config: move harbor backup schedule and make it configurable @viktor-f
+- [#2317](https://github.com/elastisys/compliantkubernetes-apps/pull/2317) - apps: Change default for external traffic policy to local @Xartos
+  - Default external traffic policy is now set to `local`. If your infrastructure doesn't support this, please set `.externalTrafficPolicy.local` to false.
+- [#2324](https://github.com/elastisys/compliantkubernetes-apps/pull/2324) - Delete admin-rbac last in clean scripts @anders-elastisys
+- [#2331](https://github.com/elastisys/compliantkubernetes-apps/pull/2331) - apps sc: add falco exception for tekton cleanup @lunkan93
+- [#2336](https://github.com/elastisys/compliantkubernetes-apps/pull/2336) - scripts: Fixed idempotency for clean wc script @Xartos
+- [#2337](https://github.com/elastisys/compliantkubernetes-apps/pull/2337) - tests: update velero e2e backup specs and enable user app test @lunkan93
+- [#2350](https://github.com/elastisys/compliantkubernetes-apps/pull/2350) - Upgrade OpenSearch to v2.17.1 @lunkan93
+- [#2351](https://github.com/elastisys/compliantkubernetes-apps/pull/2351) - Add capi repositories as trusted for falco @robinAwallace
+- [#2355](https://github.com/elastisys/compliantkubernetes-apps/pull/2355) - Add harbor disableRedirect schema description @anders-elastisys
+- [#2356](https://github.com/elastisys/compliantkubernetes-apps/pull/2356) - apps sc: increase threshold for thanosobjstore latency alert @viktor-f
+- [#2357](https://github.com/elastisys/compliantkubernetes-apps/pull/2357) - apps: dropping some falco rules @viktor-f
+- [#2368](https://github.com/elastisys/compliantkubernetes-apps/pull/2368) - apps sc: add sub path and name suffix to rclone jobs, harbor restore support azure @viktor-f
+- [#2372](https://github.com/elastisys/compliantkubernetes-apps/pull/2372) - Don't get Cluster API resource metrics in workload cluster @anders-elastisys
+- [#2376](https://github.com/elastisys/compliantkubernetes-apps/pull/2376) - scripts: Add shfmt @aarnq
+- [#2382](https://github.com/elastisys/compliantkubernetes-apps/pull/2382) - apps: Mirror Bitnami images @aarnq
+- [#2386](https://github.com/elastisys/compliantkubernetes-apps/pull/2386) - Fixes and improvements to kube-stack-prometheus alerts @anders-elastisys
+- [#2391](https://github.com/elastisys/compliantkubernetes-apps/pull/2391) - apps: upgrade harbor helm chart to v1.16.1 with appversion v2.12.1 @Pavan-Gunda
+- [#2398](https://github.com/elastisys/compliantkubernetes-apps/pull/2398) - tests: Workflow improvements @aarnq
+
+### Other(s)
+
+- [#2248](https://github.com/elastisys/compliantkubernetes-apps/pull/2248) - documentation: JSON schema contribution guide @aarnq
+- [#2284](https://github.com/elastisys/compliantkubernetes-apps/pull/2284) - bug: apps wc: Fixed network policy to always allow ingress probe @Xartos
+- [#2290](https://github.com/elastisys/compliantkubernetes-apps/pull/2290) - other: all: adding codeowners @OlleLarsson
+- [#2329](https://github.com/elastisys/compliantkubernetes-apps/pull/2329) - bug: config: fix HNC config templating @OlleLarsson
+- [#2332](https://github.com/elastisys/compliantkubernetes-apps/pull/2332) - clean-up: apps: remove ceph node packet drops alert @lunkan93
+- [#2333](https://github.com/elastisys/compliantkubernetes-apps/pull/2333) - clean-up: apps: remove old unused falco-psp-rbac chart @viktor-f
+- [#2334](https://github.com/elastisys/compliantkubernetes-apps/pull/2334) - documentation: Rebrand to Welkin in configuration documentation @cristiklein
+- [#2338](https://github.com/elastisys/compliantkubernetes-apps/pull/2338) - other: all: add PA as codeowner @OlleLarsson
+- [#2340](https://github.com/elastisys/compliantkubernetes-apps/pull/2340) - other: release: update kubectl version to v1.30.4 @davidumea
+- [#2345](https://github.com/elastisys/compliantkubernetes-apps/pull/2345) - bug: apps sc: Fixed issues with log-manager script for azure @Xartos
+- [#2346](https://github.com/elastisys/compliantkubernetes-apps/pull/2346) - clean-up: apps wc: exclude capi namespaces from hnc @lunkan93
+- [#2347](https://github.com/elastisys/compliantkubernetes-apps/pull/2347) - other: Remove goto-scripts as code owners from upstream Helmfile index @simonklb
+- [#2352](https://github.com/elastisys/compliantkubernetes-apps/pull/2352) - other: Rename 'Compliant Kubernetes' to 'Welkin' in dashboards @Carl-Elastisys
+- [#2358](https://github.com/elastisys/compliantkubernetes-apps/pull/2358) - documentation: docs: Update templates @aarnq
+- [#2359](https://github.com/elastisys/compliantkubernetes-apps/pull/2359) - other: Port 0.42.0 @lucianvlad
+- [#2360](https://github.com/elastisys/compliantkubernetes-apps/pull/2360) - documentation: docs: Update LICENSE @cristiklein
+- [#2361](https://github.com/elastisys/compliantkubernetes-apps/pull/2361) - bug: Fixes for diagnostics script with namespace @anders-elastisys
+- [#2362](https://github.com/elastisys/compliantkubernetes-apps/pull/2362) - clean-up: apps: use node-group label in node resource request alerts @lunkan93
+- [#2369](https://github.com/elastisys/compliantkubernetes-apps/pull/2369) - clean-up: docs: Prune old migration docs @aarnq
+- [#2371](https://github.com/elastisys/compliantkubernetes-apps/pull/2371) - other: all: update codeowners with new goto areas @viktor-f
+- [#2374](https://github.com/elastisys/compliantkubernetes-apps/pull/2374) - bug: Fix runbook url for official prometheus alerts @HaoruiPeng
+- [#2379](https://github.com/elastisys/compliantkubernetes-apps/pull/2379) - bug: Fix Velero templating for kopia uploaderType @anders-elastisys
+- [#2380](https://github.com/elastisys/compliantkubernetes-apps/pull/2380) - bug: Fix ck8s ops commands after refactor @anders-elastisys
+- [#2385](https://github.com/elastisys/compliantkubernetes-apps/pull/2385) - other: Port 0.42.1 @lunkan93
+- [#2390](https://github.com/elastisys/compliantkubernetes-apps/pull/2390) - documentation: Fix URL in config schema @cristiklein
+- [#2392](https://github.com/elastisys/compliantkubernetes-apps/pull/2392) - bug: Replace ck8s with Welkin in tests @anders-elastisys
+- [#2393](https://github.com/elastisys/compliantkubernetes-apps/pull/2393) - bug: Fix config schema @cristiklein
+- [#2395](https://github.com/elastisys/compliantkubernetes-apps/pull/2395) - clean-up: apps: Update prometheus-label-enforcer to v0.11.0 @Zash
diff --git a/config/sc-config.yaml b/config/sc-config.yaml
index 209cdde95..3f577c6c4 100644
--- a/config/sc-config.yaml
+++ b/config/sc-config.yaml
@@ -575,7 +575,7 @@ thanos:
     # It needs to write to (REPLICATION_FACTOR + 1)/2 nodes for success.
     # For more info: https://thanos.io/v0.24/proposals-done/201812-thanos-remote-receive.md/#replication
     replicationFactor: 1
-
+    replicaCount: 1
     resources:
       requests:
         cpu: 150m
@@ -583,6 +583,7 @@ thanos:
       limits:
         cpu: 1000m
         memory: 1Gi
+    extraFlags: [] #use extraflags when you want to add more command line flags to the component.
 
   ruler:
     # Enables the ruler component
diff --git a/config/schemas/config.yaml b/config/schemas/config.yaml
index c9211a224..35a3dae04 100644
--- a/config/schemas/config.yaml
+++ b/config/schemas/config.yaml
@@ -4873,6 +4873,15 @@ properties:
         type: object
         additionalProperties: false
         properties:
+          replicaCount:
+            title: Thanos receiveDistributor Replicas
+            type: integer
+            default: 1
+          extraFlags:
+            title: Thanos receiveDistributor extraFlags
+            description: |-
+              When set, the arguments will be passed onto the component as command-line flags. Refer to the [upstream doc](https://github.com/bitnami/charts/blob/main/bitnami/thanos/README.md#adding-extra-flags) for more details.
+            type: array
           replicationFactor:
             title: Thanos Replication Factor
             description: Requires that incoming remote write requests are replicated `(replicationFactor + 1) / 2`.
diff --git a/helmfile.d/values/thanos/receiver.yaml.gotmpl b/helmfile.d/values/thanos/receiver.yaml.gotmpl
index fcf3fe1a6..cd6aaf84e 100644
--- a/helmfile.d/values/thanos/receiver.yaml.gotmpl
+++ b/helmfile.d/values/thanos/receiver.yaml.gotmpl
@@ -130,6 +130,7 @@ receiveDistributor:
 
   resources: {{- toYaml .Values.thanos.receiveDistributor.resources | nindent 4 }}
   replicationFactor: {{  .Values.thanos.receiveDistributor.replicationFactor }}
+  replicaCount: {{ .Values.thanos.receiveDistributor.replicaCount }}
 
   containerSecurityContext:
     capabilities:
@@ -137,6 +138,10 @@ receiveDistributor:
         - ALL
     seccompProfile:
       type: RuntimeDefault
+  {{- if .Values.thanos.receiveDistributor.extraFlags }}
+  extraFlags:
+    {{- toYaml .Values.thanos.receiveDistributor.extraFlags | nindent 4 }}
+  {{ end }}
 
 ruler:
   networkPolicy: