diff --git a/README.md b/README.md
index 8ab7bf60e0..b0a5c9bdfa 100644
--- a/README.md
+++ b/README.md
@@ -177,6 +177,43 @@ migrated by following these steps:
    docker compose up -d
    ```
 
+### Local Kubernetes with Tilt
+
+#### Setup
+
+1. Install Tilt
+2. Install OpenTofu
+3. Install Minikube
+4. Install ctlptl
+
+Create the Minikube cluster with ctlptl:
+
+```console
+ctlptl create cluster minikube --registry=ctlptl-registry --minikube-start-flags "--memory=6g" --minikube-start-flags "--cpus=4"
+```
+
+Start ORT Server:
+
+```console
+tilt up
+```
+
+Destroy the cluster:
+
+```console
+ctlptl delete cluster minikube
+```
+
+To get the UI working, create file `/ui/.env.local` with the following content:
+
+```env
+VITE_CLIENT_ID=ort-server
+VITE_AUTHORITY=http://localhost:8081/realms/ort-server
+```
+
+and run it with `pnpm -C ui dev`.
+
+
 ### Accessing the services
 
 | Service        | URL                              | Credentials                                             |
diff --git a/Tiltfile b/Tiltfile
new file mode 100644
index 0000000000..4bdfb94e20
--- /dev/null
+++ b/Tiltfile
@@ -0,0 +1,304 @@
+load('ext://helm_remote', 'helm_remote')
+load('ext://helm_resource', 'helm_resource', 'helm_repo')
+load('ext://configmap', 'configmap_create', 'configmap_from_dict')
+load('ext://secret', 'secret_create_generic')
+
+update_settings(k8s_upsert_timeout_secs=120)
+
+gradlew = "./gradlew"
+if os.name == "nt":
+  gradlew = "gradlew.bat"
+
+k8s_yaml('./scripts/kubernetes/namespace.yaml')
+
+helm_resource(
+  'postgresql',
+  'bitnami/postgresql',
+  resource_deps=['bitnami'],
+  namespace='ort-server',
+  flags=[
+    '--set=global.postgresql.auth.postgresPassword=postgres',
+    '--set=global.postgresql.auth.database=ort',
+  ],
+  labels=['ort-server']
+)
+
+helm_repo('bitnami', 'https://charts.bitnami.com/bitnami', labels=['helm_repos'])
+
+configmap_create('ort-core-secrets',
+  namespace='ort-server',
+  from_file=['secrets.properties=./scripts/compose/secrets.properties'])
+
+secret_create_generic('ort-secrets',
+  namespace='ort-server',
+  from_file=['secrets.properties=./scripts/compose/secrets.properties'])
+
+secret_create_generic('ort-core-secrets',
+  namespace='ort-server',
+  from_file=['secrets.properties=./scripts/compose/secrets.properties']
+  )
+
+secret_create_generic('ort-config-secret',
+  namespace='ort-server',
+  from_file=[
+    'evaluator.rules.kts=./scripts/compose/config/evaluator.rules.kts',
+    'ort-server.params.kts=./scripts/compose/config/ort-server.params.kts',
+    ]
+  )
+ 
+helm_resource(
+  'keycloak',
+  'bitnami/keycloak',
+  resource_deps=['bitnami'],
+  namespace='ort-server',
+  flags=[
+    '--version=21.4.5',
+    '--set=auth.adminUser=keycloak-admin',
+    '--set=auth.adminPassword=keycloak-admin',
+    '--set=extraStartupArgs=--hostname-strict-backchannel=false',
+  ],
+  labels=['keycloak']
+)
+
+local_resource('keycloak-terraform',
+  resource_deps=['keycloak'],
+  cmd='cd ./scripts/kubernetes/keycloak && tofu init && tofu apply -auto-approve',
+  deps=['./scripts/kubernetes/keycloak/keycloak.tf'],
+  labels=['keycloak']
+)
+
+# Keycloak port forward has to be done manually because the Chart contains multiple containers, and
+# the port forward may hit the database if done in helm_resource.
+k8s_resource(
+  workload='keycloak',
+  port_forwards=["8081:8080"],
+  extra_pod_selectors={'statefulset.kubernetes.io/pod-name': 'keycloak-0'},
+  discovery_strategy='selectors-only')
+
+helm_resource(
+  'rabbitmq',
+  'bitnami/rabbitmq',
+  resource_deps=['bitnami'],
+  namespace='ort-server',
+  flags=[
+    '--version=14.4.6',
+    "--set=auth.username=admin",
+    "--set=auth.password=admin",
+  ],
+  labels=['rabbitmq']
+)
+
+k8s_resource(
+  workload='rabbitmq',
+  port_forwards=["15672"],
+)
+
+local_resource('rabbitmq-terraform',
+  resource_deps=['rabbitmq'],
+  cmd='cd ./scripts/kubernetes/rabbitmq && tofu init && tofu apply -auto-approve',
+  deps=['./scripts/kubernetes/rabbitmq/rabbitmq.tf'],
+  labels=['rabbitmq']
+)
+
+helm_repo('kiwigrid', 'https://kiwigrid.github.io', labels=['helm_repos'])
+
+helm_resource(
+  'graphite',
+  'kiwigrid/graphite',
+  resource_deps=['kiwigrid'],
+  namespace='ort-server',
+  labels=['monitoring'],
+)
+
+custom_build(
+  'core',
+  './gradlew :core:jibDockerBuild --image $EXPECTED_REF',
+  live_update= [
+    sync('./core/build/classes/kotlin/main', '/app/classes')
+  ],
+  deps=['./core/build/classes', './core/build.gradle.kts',],
+)
+
+k8s_resource(
+  workload='ort-server-core',
+  port_forwards=[
+    port_forward(8080, 8080, "API Endpoint")],
+  links=[
+    link('http://localhost:8080/swagger-ui', "Swagger UI"),
+  ],
+  resource_deps=['keycloak', 'rabbitmq', 'rabbitmq-terraform', 'graphite', 'postgresql', 'keycloak-terraform'],
+  labels=['ort-server'],
+)
+
+configmap_create('ort-orchestrator-config',
+  namespace='ort-server',
+  from_file=['application.conf=./scripts/kubernetes/orchestrator.application.conf'])
+
+secret_create_generic('ort-config-worker-config',
+  secret_type='generic',
+  namespace='ort-server',
+  from_file=['application.conf=./scripts/kubernetes/config.application.conf'],
+  )
+
+k8s_resource(
+  workload='ort-server-orchestrator',
+  resource_deps=['keycloak', 'rabbitmq', 'rabbitmq-terraform', 'graphite', 'postgresql', 'ort-server-core', 'worker-base-images'],
+  labels=['ort-server'],
+)
+
+custom_build(
+  'ort-server-orchestrator',
+  './gradlew :orchestrator:jibDockerBuild --image $EXPECTED_REF',
+  live_update= [
+    sync('./orchestrator/build/classes/kotlin/main', '/app/classes')
+  ],
+  deps=['./orchestrator/build/classes', './orchestrator/build.gradle.kts', './scripts/kubernetes/orchestrator.application.conf'],
+)
+
+k8s_yaml('./scripts/kubernetes/core.yaml')
+k8s_yaml('./scripts/kubernetes/orchestrator.yaml')
+
+# Worker images
+
+local_resource(
+  'worker-base-images',
+  cmd='./gradlew buildAllWorkerImages',
+  deps=[
+    './workers/analyzer/docker/Analyzer.Dockerfile',
+    './workers/config/docker/Config.Dockerfile',
+    './workers/evaluator/docker/Evaluator.Dockerfile',
+    './workers/notifier/docker/Notifier.Dockerfile',
+    './workers/reporter/docker/Reporter.Dockerfile',
+    './workers/scanner/docker/Scanner.Dockerfile'
+  ],
+  labels=["ort-server"]
+)
+
+custom_build(
+  'advisor-worker-image',
+  './gradlew :workers:advisor:jibDockerBuild --image $EXPECTED_REF',
+  live_update= [
+    sync('./workers/advisor/build/classes/kotlin/main', '/app/classes')
+  ],
+  deps=['./workers/advisor/build/classes', './workers/advisor/build.gradle.kts'],
+  match_in_env_vars=True,
+)
+
+custom_build(
+  'analyzer-worker-image',
+  './gradlew :workers:analyzer:jibDockerBuild --image $EXPECTED_REF',
+  live_update= [
+    sync('./workers/analyzer/build/classes/kotlin/main', '/app/classes')
+  ],
+  deps=['./workers/analyzer/build/classes', './workers/analyzer/build.gradle.kts'],
+  match_in_env_vars=True,
+)
+
+custom_build(
+  'config-worker-image',
+  './gradlew :workers:config:jibDockerBuild --image $EXPECTED_REF',
+  live_update= [
+    sync('./workers/config/build/classes/kotlin/main', '/app/classes')
+  ],
+  deps=['./workers/config/build/classes', './workers/config/build.gradle.kts'],
+  match_in_env_vars=True,
+)
+
+custom_build(
+  'evaluator-worker-image',
+  './gradlew :workers:evaluator:jibDockerBuild --image $EXPECTED_REF',
+  live_update= [
+    sync('./workers/evaluator/build/classes/kotlin/main', '/app/classes')
+  ],
+  deps=['./workers/evaluator/build/classes', './workers/evaluator/build.gradle.kts'],
+  match_in_env_vars=True,
+)
+
+custom_build(
+  'notifier-worker-image',
+  './gradlew :workers:notifier:jibDockerBuild --image $EXPECTED_REF',
+  live_update= [
+    sync('./workers/notifier/build/classes/kotlin/main', '/app/classes')
+  ],
+  deps=['./workers/notifier/build/classes', './workers/notifier/build.gradle.kts'],
+  match_in_env_vars=True,
+)
+
+custom_build(
+  'reporter-worker-image',
+  './gradlew :workers:reporter:jibDockerBuild --image $EXPECTED_REF',
+  live_update= [
+    sync('./workers/reporter/build/classes/kotlin/main', '/app/classes')
+  ],
+  deps=['./workers/reporter/build/classes', './workers/reporter/build.gradle.kts'],
+  match_in_env_vars=True,
+)
+
+custom_build(
+  'scanner-worker-image',
+  './gradlew :workers:scanner:jibDockerBuild --image $EXPECTED_REF',
+  live_update= [
+    sync('./workers/scanner/build/classes/kotlin/main', '/app/classes')
+  ],
+  deps=['./workers/scanner/build/classes', './workers/scanner/build.gradle.kts'],
+  match_in_env_vars=True,
+)
+
+helm_repo('grafana-repo', 'https://grafana.github.io/helm-charts', labels=['helm_repos'])
+
+helm_resource(
+  'loki-stack',
+  'grafana/loki-stack',
+  resource_deps=['grafana-repo'],
+  namespace='ort-server',
+  flags=[
+    '--values=./scripts/kubernetes/loki-values.yaml',
+  ],
+  deps=['./scripts/kubernetes/loki-values.yaml'],
+  labels=['monitoring'],
+)
+
+k8s_yaml('./scripts/kubernetes/alloy-config.yaml')
+
+helm_resource(
+  'alloy',
+  'grafana/alloy',
+  resource_deps=['grafana-repo'],
+  namespace='ort-server',
+  flags=[
+    '--values=./scripts/kubernetes/grafana-alloy-values.yaml',
+  ],
+  deps=['./scripts/kubernetes/grafana-alloy-values.yaml', './scripts/kubernetes/alloy-config.yaml'],
+  labels=['monitoring'],
+)
+
+k8s_resource(
+  workload='loki-stack',
+  port_forwards=["19000:3000"],
+  extra_pod_selectors={'app.kubernetes.io/name': 'grafana'},
+  discovery_strategy='selectors-only')
+
+custom_build(
+  'kubernetes-jobmonitor-image',
+  './gradlew :transport:kubernetes-jobmonitor:jibDockerBuild --image $EXPECTED_REF',
+  live_update= [
+    sync('./transport/kubernetes-jobmonitor/build/classes/kotlin/main', '/app/classes')
+  ],
+  deps=[
+    './transport/kubernetes-jobmonitor/build/classes',
+    './transport/kubernetes-jobmonitor/build.gradle.kts',
+    './scripts/kubernetes/jobmonitor.application.conf'],
+  match_in_env_vars=True,
+)
+
+configmap_create('ort-jobmonitor-config',
+  namespace='ort-server',
+  from_file=['application.conf=./scripts/kubernetes/jobmonitor.application.conf'])
+
+k8s_yaml('./scripts/kubernetes/kubernetes-jobmonitor.yaml')
+
+k8s_resource(
+  workload='kubernetes-jobmonitor',
+  resource_deps=['rabbitmq', 'rabbitmq-terraform', 'postgresql'],
+  labels=['ort-server'],
+)
diff --git a/scripts/kubernetes/README.md b/scripts/kubernetes/README.md
new file mode 100644
index 0000000000..75362ecc7e
--- /dev/null
+++ b/scripts/kubernetes/README.md
@@ -0,0 +1,24 @@
+# Setup
+
+## Keycloak
+
+Expoted the following clients from Docker Compose setup through the UI and imported them to the
+Kubernetes setup through the UI:
+
+1. ort-server
+2. ort-server-ui
+3. ort-server-ui-dev
+
+Changed ort-server client authentication on and added "Service accounts roles" as authentication
+flow. Created a client secret and added it the the manifest as "KEYCLOAK_API_SECRET". Added admin to
+service accounts roles.
+
+Create client scope "ort-server-client" with "Display on consent screen" off.
+
+Configure mapper:
+
+- Mapper type: Audience.
+- Name: ORT-server-audience-mapping
+- Included Client Audience: ort-server
+
+Add the client scope to ort-server-ui-dev.
diff --git a/scripts/kubernetes/alloy-config.yaml b/scripts/kubernetes/alloy-config.yaml
new file mode 100644
index 0000000000..7eb4a94e73
--- /dev/null
+++ b/scripts/kubernetes/alloy-config.yaml
@@ -0,0 +1,145 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: alloy-config
+  namespace: ort-server
+data:
+  config.alloy: |
+    logging {
+      level = "info"
+      format = "logfmt"
+    }
+
+    discovery.kubernetes "ort_server_deployment_pods" {
+      role = "pod"
+
+      selectors {
+        role = "pod"
+        label = "app=ort-server"
+      }
+
+      namespaces {
+        own_namespace = true
+      }
+    }
+
+    discovery.relabel "ort_server_deployment_containers" {
+      targets = discovery.kubernetes.ort_server_deployment_pods.targets
+
+      rule {
+        action = "labelmap"
+        regex = "__meta_kubernetes_(namespace|(pod_(node_name|name|container_image)))"
+      }
+
+      rule {
+        source_labels = ["__meta_kubernetes_pod_label_app"]
+        target_label = "app"
+      }
+
+      rule {
+        source_labels = ["__meta_kubernetes_pod_label_component"]
+        target_label = "component"
+      }
+
+      rule {
+        action = "keep"
+        source_labels = ["__meta_kubernetes_pod_container_name"]
+        regex = "^(ort-server|kubernetes-jobmonitor)$"
+      }
+    }
+
+    discovery.kubernetes "ort_server_worker_pods" {
+      role = "pod"
+    
+      selectors {
+        role = "pod"
+        label = "ort-worker in (advisor, analyzer, config, evaluator, reporter, scanner)"
+      }
+
+      namespaces {
+        own_namespace = true
+      }
+    }
+    
+    discovery.relabel "ort_server_worker_relabelled" {
+      targets = discovery.kubernetes.ort_server_worker_pods.targets
+
+      rule {
+        action = "labelmap"
+        regex = "__meta_kubernetes_(namespace|(pod_(node_name|name|container_image)))"
+      }
+
+      rule {
+        source_labels = ["__meta_kubernetes_pod_label_ort_worker"]
+        target_label = "component"
+      }
+
+      rule {
+        source_labels = ["__meta_kubernetes_pod_label_run_id"]
+        target_label = "run_id"
+      }
+    }
+
+    loki.source.kubernetes "ort_server_deployment_logs" {
+      targets = discovery.relabel.ort_server_deployment_containers.output
+      forward_to = [loki.process.parse_logs.receiver]
+    }
+
+    loki.source.kubernetes "ort_server_worker_logs" {
+      targets = discovery.relabel.ort_server_worker_relabelled.output
+      forward_to = [loki.process.parse_logs.receiver]
+    }
+
+    loki.process "parse_logs" {
+      forward_to = [loki.write.cockpit_logs_endpoint.receiver]
+  
+      stage.regex {
+        expression = "^(?P<time>\\d{4}-\\d{2}-\\d{2} \\d{2}:\\d{2}:\\d{2}\\.\\d{3}) \\[(?P<thread>[^\\]]+)\\] level=(?P<level>\\w+) (?P<message>.+)\\n$"
+      }
+
+      stage.labels {
+        values = {
+          app = "",
+          component = "",
+          run_id = "",
+          thread = "",
+          level = "",
+          namespace = "",
+          pod_name = "",
+          pod_node_name = "",
+          pod_container_name = "",
+          pod_container_image = "",
+        }
+      }
+    
+      stage.timestamp {
+        source = "time"
+        format = "2006-01-02 15:04:05.000"
+      }
+  
+      stage.output {
+        source = "message"
+      }
+    }
+
+    loki.write "cockpit_logs_endpoint" {
+      endpoint {
+        url = "http://loki-stack:3100/loki/api/v1/push"
+      }
+    }
+
+    discovery.relabel "ort_server_core_pods" {
+      targets = discovery.kubernetes.ort_server_deployment_pods.targets
+
+      rule {
+        action = "keep"
+        source_labels = ["__meta_kubernetes_pod_label_component"]
+        regex = "^core$"
+      }
+
+      rule {
+        action = "keep"
+        source_labels = ["__address__"]
+        regex = ".*:9108$"
+      }
+    }
diff --git a/scripts/kubernetes/config.application.conf b/scripts/kubernetes/config.application.conf
new file mode 100644
index 0000000000..525d6d10c7
--- /dev/null
+++ b/scripts/kubernetes/config.application.conf
@@ -0,0 +1,58 @@
+# Copyright (C) 2023 The ORT Server Authors (See <https://github.com/eclipse-apoapsis/ort-server/blob/main/NOTICE>)
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# License-Filename: LICENSE
+
+configManager {
+  secretProvider = secret-file
+  configSecretFileList = /mnt/secrets/secrets.properties
+  allowSecretsFromConfig = true
+
+  fileProvider = local-config
+  localConfigDir = /mnt/config
+}
+
+database {
+  host = "postgresql"
+  port = 5432
+  name = "ort"
+  schema = "ort_server"
+  username = "postgres"
+  password = "postgres"
+  connectionTimeout = 30000
+  idleTimeout = 600000
+  keepaliveTime = 0
+  maxLifetime = 1800000
+  maximumPoolSize = 5
+  minimumIdle = 5
+  sslMode = "disable"
+}
+
+config {
+  receiver {
+    type = "kubernetes"
+  }
+}
+
+orchestrator {
+  sender {
+    type = "rabbitMQ"
+    serverUri = "amqp://rabbitmq-headless.ort-server.svc.cluster.local:5672"
+    queueName = "orchestrator_queue"
+  }
+}
+
+rabbitMqUser="admin"
+rabbitMqPassword="admin"
diff --git a/scripts/kubernetes/core.yaml b/scripts/kubernetes/core.yaml
new file mode 100644
index 0000000000..406ba2733f
--- /dev/null
+++ b/scripts/kubernetes/core.yaml
@@ -0,0 +1,111 @@
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app: ort-server
+    component: core
+  name: ort-server-core
+  namespace: ort-server
+spec:
+  type: ClusterIP
+  ports:
+    - name: http
+      port: 8080
+      targetPort: 8080
+    - name: metrics
+      port: 9108
+      targetPort: 9108
+  selector:
+    app: ort-server
+    component: core
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: core-configuration
+  namespace: ort-server
+data:
+  PUBLIC_SCHEME: http
+  PUBLIC_FQDN: localhost
+  PUBLIC_PORT: "8080"
+  PORT: "8080"
+  UI_HOSTS: localhost:5173
+  DB_HOST: postgresql
+  DB_PORT: "5432"
+  DB_NAME: ort
+  DB_SCHEMA: ort_server
+  DB_USERNAME: postgres
+  DB_PASSWORD: postgres
+  DB_SSL_MODE: disable
+  JWT_URI: "http://keycloak.ort-server.svc.cluster.local/realms/ort-server/protocol/openid-connect/certs"
+  JWT_ISSUER: "http://localhost:8081/realms/ort-server"
+  JWT_REALM: "ort-server"
+  KEYCLOAK_ACCESS_TOKEN_URL: "http://keycloak.ort-server.svc.cluster.local/realms/ort-server/protocol/openid-connect/token"
+  KEYCLOAK_API_URL: "http://keycloak.ort-server.svc.cluster.local/admin/realms/ort-server"
+  KEYCLOAK_API_USER: "keycloak-admin"
+  KEYCLOAK_API_SECRET: "keycloak-admin"
+  ORCHESTRATOR_SENDER_TRANSPORT_TYPE: rabbitMQ
+  ORCHESTRATOR_SENDER_TRANSPORT_SERVER_URI: amqp://rabbitmq-headless.ort-server.svc.cluster.local:5672
+  ORCHESTRATOR_SENDER_TRANSPORT_QUEUE_NAME: orchestrator_queue
+  GRAPHITE_HOST: graphite
+  GRAPHITE_PORT: "2003"
+  CORE_SECRET_PROVIDER: secret-file
+  CORE_SECRET_FILES: "/app/resources/secrets.properties"
+  ALLOW_SECRETS_FROM_CONFIG: "true"
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: ort-server-core
+  namespace: ort-server
+  labels:
+    app: ort-server
+    component: core
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: ort-server
+      component: core
+  template:
+    metadata:
+      labels:
+        app: ort-server
+        component: core
+    spec:
+      volumes:
+        - name: ort-core-config-volume
+          configMap:
+            name: ort-core-config
+        - name: ort-core-config-secrets
+          secret:
+            secretName: ort-secrets
+      containers:
+        - name: ort-server
+          image: core
+          ports:
+            - containerPort: 8080
+          envFrom:
+            - configMapRef:
+                name: core-configuration
+          volumeMounts:
+            - name: ort-core-config-secrets
+              mountPath: /app/resources/secrets.properties
+              subPath: secrets.properties
+              readOnly: true
+          resources:
+            requests:
+              memory: "256Mi"
+              cpu: "500m"
+            limits:
+              memory: "2Gi"
+              cpu: "1"
+          livenessProbe:
+             failureThreshold: 6
+             httpGet:
+               path: /api/v1/liveness
+               port: 8080
+               scheme: HTTP
+             periodSeconds: 10
+             successThreshold: 1
+             timeoutSeconds: 5
diff --git a/scripts/kubernetes/grafana-alloy-values.yaml b/scripts/kubernetes/grafana-alloy-values.yaml
new file mode 100644
index 0000000000..a9f9786115
--- /dev/null
+++ b/scripts/kubernetes/grafana-alloy-values.yaml
@@ -0,0 +1,9 @@
+controller:
+  type: deployment
+  replicas: 1
+
+alloy:
+  configMap:
+    create: false
+    name: alloy-config
+    key: config.alloy
diff --git a/scripts/kubernetes/jobmonitor.application.conf b/scripts/kubernetes/jobmonitor.application.conf
new file mode 100644
index 0000000000..b1a3dfe3c4
--- /dev/null
+++ b/scripts/kubernetes/jobmonitor.application.conf
@@ -0,0 +1,76 @@
+# Copyright (C) 2023 The ORT Server Authors (See <https://github.com/eclipse-apoapsis/ort-server/blob/main/NOTICE>)
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# License-Filename: LICENSE
+
+configManager {
+  secretProvider = secret-file
+  configSecretFileList = /app/resources/secrets.properties
+  allowSecretsFromConfig = true
+}
+
+jobMonitor {
+  namespace = "ort-server"
+  enableWatching = true
+  enableReaper = true
+  reaperInterval = 600
+  reaperMaxAge = 600
+  recentlyProcessedInterval = 60
+  enableLongRunningJobs = true
+  longRunningJobsInterval = 600
+  enableLostJobs = true
+  lostJobsInterval = 120
+  lostJobsMinAge = 30
+  timeouts {
+    config = 1
+    config = ${?MONITOR_TIMEOUT_CONFIG}
+    analyzer = 120
+    analyzer = ${?MONITOR_TIMEOUT_ANALYZER}
+    advisor = 2
+    advisor = ${?MONITOR_TIMEOUT_ADVISOR}
+    scanner = 1440
+    scanner = ${?MONITOR_TIMEOUT_SCANNER}
+    evaluator = 5
+    evaluator = ${?MONITOR_TIMEOUT_EVALUATOR}
+    reporter = 30
+    reporter = ${?MONITOR_TIMEOUT_REPORTER}
+    notifier = 10
+    notifier = ${?MONITOR_TIMEOUT_NOTIFIER}
+  }
+}
+
+database {
+  host = "postgresql"
+  port = 5432
+  name = "ort"
+  schema = "ort_server"
+  username = "postgres"
+  password = "postgres"
+  connectionTimeout = 30000
+  idleTimeout = 600000
+  keepaliveTime = 0
+  maxLifetime = 1800000
+  maximumPoolSize = 5
+  minimumIdle = 5
+  sslMode = "disable"
+}
+
+orchestrator {
+  sender {
+    type = "rabbitMQ"
+    serverUri = "amqp://rabbitmq-headless.ort-server.svc.cluster.local:5672"
+    queueName = "orchestrator_queue"
+  }
+}
diff --git a/scripts/kubernetes/keycloak/.gitignore b/scripts/kubernetes/keycloak/.gitignore
new file mode 100644
index 0000000000..2faf43d0a1
--- /dev/null
+++ b/scripts/kubernetes/keycloak/.gitignore
@@ -0,0 +1,37 @@
+# Local .terraform directories
+**/.terraform/*
+
+# .tfstate files
+*.tfstate
+*.tfstate.*
+
+# Crash log files
+crash.log
+crash.*.log
+
+# Exclude all .tfvars files, which are likely to contain sensitive data, such as
+# password, private keys, and other secrets. These should not be part of version 
+# control as they are data points which are potentially sensitive and subject 
+# to change depending on the environment.
+*.tfvars
+*.tfvars.json
+
+# Ignore override files as they are usually used to override resources locally and so
+# are not checked in
+override.tf
+override.tf.json
+*_override.tf
+*_override.tf.json
+
+# Ignore transient lock info files created by terraform apply
+.terraform.tfstate.lock.info
+
+# Include override files you do wish to add to version control using negated pattern
+# !example_override.tf
+
+# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
+# example: *tfplan*
+
+# Ignore CLI configuration files
+.terraformrc
+terraform.rc
diff --git a/scripts/kubernetes/keycloak/.terraform.lock.hcl b/scripts/kubernetes/keycloak/.terraform.lock.hcl
new file mode 100644
index 0000000000..f2dbbf7611
--- /dev/null
+++ b/scripts/kubernetes/keycloak/.terraform.lock.hcl
@@ -0,0 +1,27 @@
+# This file is maintained automatically by "tofu init".
+# Manual edits may be lost in future updates.
+
+provider "registry.opentofu.org/mrparkers/keycloak" {
+  version     = "4.4.0"
+  constraints = "4.4.0"
+  hashes = [
+    "h1:FH9j76zRv05qxk7I/w0mycmBEuew/+XP+Qx+Ptz/onw=",
+    "zh:0116d63fb4a4436d67cc793038899e0de23c3a5c78f5bf3cf76ee006ad886979",
+    "zh:0fa399fcdeef21dd914ff7413b8489e47900cbe7bc65b50eeb0d75b71a2b561d",
+    "zh:30371fee6d0ae438908b1bf03278f6d0a0cb2992a97814028676a05a55d92f19",
+    "zh:39218a95fe6430ac2b44470cb991dbb98f57c5306017a80b81d3a319855094f4",
+    "zh:3b436c471cde4eb9120f609e3aecf12d383e8032aeb9cd12c7476faa7c8b4afb",
+    "zh:9a2a5cc77332e6cd9f6d101d3aff35520a2361fc02f4d436fe176dbd5351f24b",
+    "zh:9a89cc61c303100174cda3783b13fa4f6e2648eb436c1259d1c72264998534e8",
+    "zh:b588cd78d9939523de1fa8202c2757c497a20dcf2bf67cf4daf61836194bfe3a",
+    "zh:c04e6ac2367f55d9cd0893ebebbecb9da685312077e8a7fff299b8d8009955d5",
+    "zh:c23286693edf2024272219f6728bb7eded5ee087956fc527a63f10ea9ec9c9e4",
+    "zh:d7a29a2023f17b24236079789931d53662a2696b13d30140cb75dc0e693a1f94",
+    "zh:ddc0cad0a8ec9e5afc4f4502aed75089c3e9e0bc6da9d4b796728ef5580b94ef",
+    "zh:de8833a1a0a726401380e52302892de782dddb7efa51122c33104dde8e119561",
+    "zh:dee864f90327b149d126d603c5ed58cc196682153ebd1bfa73dd67398f6cbe38",
+    "zh:f63ef9950ebb06fa1daad784a3d0f342803f65404107186bdadb3198ce4d03b2",
+    "zh:f6d2414fec3fcaefc80cbe8e49647221dbbcfd2fe1b0f7619bd68d06c93c30f4",
+    "zh:fb659b5a21ba0ad9ec1c7484f167c51c752abea84dd27e726cc3567e7006e99e",
+  ]
+}
diff --git a/scripts/kubernetes/keycloak/clients.json b/scripts/kubernetes/keycloak/clients.json
new file mode 100644
index 0000000000..88666d62e9
--- /dev/null
+++ b/scripts/kubernetes/keycloak/clients.json
@@ -0,0 +1,91 @@
+{
+    "enabled": true,
+    "realm": "master",
+    "clientScopes": [
+        {
+            "name": "ort-server-client",
+            "description": "Shared scope for clients interacting with the ORT Server",
+            "protocol": "openid-connect",
+            "attributes": {
+                "include.in.token.scope": "false",
+                "display.on.consent.screen": "false"
+            },
+            "protocolMappers": [
+                {
+                    "name": "ORT-server-audience-mapper",
+                    "protocol": "openid-connect",
+                    "protocolMapper": "oidc-audience-mapper",
+                    "consentRequired": false,
+                    "config": {
+                        "included.client.audience": "ort-server",
+                        "id.token.claim": "false",
+                        "access.token.claim": "true",
+                        "userinfo.token.claim": "false"
+                    }
+                }
+            ]
+        }
+    ],
+    "clients": [
+        {
+            "clientId": "ort-server",
+            "name": "ORT Server",
+            "description": "",
+            "rootUrl": "",
+            "adminUrl": "",
+            "baseUrl": "",
+            "surrogateAuthRequired": false,
+            "enabled": true,
+            "alwaysDisplayInConsole": false,
+            "clientAuthenticatorType": "client-secret",
+            "redirectUris": [
+                "http://localhost:8081/*",
+                "http://localhost:8080/*"
+            ],
+            "webOrigins": [],
+            "notBefore": 0,
+            "bearerOnly": false,
+            "consentRequired": false,
+            "standardFlowEnabled": true,
+            "implicitFlowEnabled": false,
+            "directAccessGrantsEnabled": true,
+            "serviceAccountsEnabled": false,
+            "publicClient": true,
+            "frontchannelLogout": true,
+            "protocol": "openid-connect",
+            "attributes": {
+                "oidc.ciba.grant.enabled": "false",
+                "backchannel.logout.session.required": "true",
+                "post.logout.redirect.uris": "+",
+                "display.on.consent.screen": "false",
+                "oauth2.device.authorization.grant.enabled": "false",
+                "backchannel.logout.revoke.offline.tokens": "false"
+            },
+            "authenticationFlowBindingOverrides": {},
+            "fullScopeAllowed": true,
+            "nodeReRegistrationTimeout": -1,
+            "defaultClientScopes": [
+                "ort-server-client",
+                "web-origins",
+                "acr",
+                "roles",
+                "profile",
+                "email"
+            ],
+            "optionalClientScopes": [
+                "address",
+                "phone",
+                "offline_access",
+                "microprofile-jwt"
+            ],
+            "access": {
+                "view": true,
+                "configure": true,
+                "manage": true
+            }
+        }
+    ],
+    "attributes": {
+        "custom": "test-step01"
+    }
+}
diff --git a/scripts/kubernetes/keycloak/keycloak.tf b/scripts/kubernetes/keycloak/keycloak.tf
new file mode 100644
index 0000000000..f57f5f6cd1
--- /dev/null
+++ b/scripts/kubernetes/keycloak/keycloak.tf
@@ -0,0 +1,222 @@
+terraform {
+  required_providers {
+    keycloak = {
+      source = "mrparkers/keycloak"
+      version = "4.4.0"
+    }
+  }
+}
+
+provider "keycloak" {
+    client_id     = "admin-cli"
+    username      = "keycloak-admin"
+    password      = "keycloak-admin"
+    url           = "http://localhost:8081"
+}
+
+resource "keycloak_realm" "realm" {
+  realm   = "ort-server"
+  enabled = true
+}
+
+data "keycloak_openid_client" "realm_management" {
+  realm_id  = keycloak_realm.realm.id
+  client_id = "realm-management"
+}
+
+data "keycloak_role" "create-client" {
+  realm_id  = keycloak_realm.realm.id
+  client_id = data.keycloak_openid_client.realm_management.id
+  name      = "create-client"
+}
+
+data "keycloak_role" "impersonation" {
+  realm_id  = keycloak_realm.realm.id
+  client_id = data.keycloak_openid_client.realm_management.id
+  name      = "impersonation"
+}
+
+data "keycloak_role" "manage-authorization" {
+  realm_id  = keycloak_realm.realm.id
+  client_id = data.keycloak_openid_client.realm_management.id
+  name      = "manage-authorization"
+}
+
+data "keycloak_role" "manage-clients" {
+  realm_id  = keycloak_realm.realm.id
+  client_id = data.keycloak_openid_client.realm_management.id
+  name      = "manage-clients"
+}
+
+data "keycloak_role" "manage-events" {
+  realm_id  = keycloak_realm.realm.id
+  client_id = data.keycloak_openid_client.realm_management.id
+  name      = "manage-events"
+}
+
+data "keycloak_role" "manage-realm" {
+  realm_id  = keycloak_realm.realm.id
+  client_id = data.keycloak_openid_client.realm_management.id
+  name      = "manage-realm"
+}
+
+data "keycloak_role" "manage-users" {
+  realm_id  = keycloak_realm.realm.id
+  client_id = data.keycloak_openid_client.realm_management.id
+  name      = "manage-users"
+}
+
+data "keycloak_role" "query-clients" {
+  realm_id  = keycloak_realm.realm.id
+  client_id = data.keycloak_openid_client.realm_management.id
+  name      = "query-clients"
+}
+
+data "keycloak_role" "query-groups" {
+  realm_id  = keycloak_realm.realm.id
+  client_id = data.keycloak_openid_client.realm_management.id
+  name      = "query-groups"
+}
+
+resource "keycloak_role" "admin" {
+  realm_id    = keycloak_realm.realm.id
+  name        = "admin"
+  description = "Admin"
+  composite_roles = [
+    data.keycloak_role.create-client.id,
+    data.keycloak_role.impersonation.id,
+    data.keycloak_role.manage-authorization.id,
+    data.keycloak_role.manage-clients.id,
+    data.keycloak_role.manage-events.id,
+    data.keycloak_role.manage-realm.id,
+    data.keycloak_role.manage-users.id,
+    data.keycloak_role.query-clients.id,
+    data.keycloak_role.query-groups.id,
+  ]
+}
+
+resource "keycloak_openid_client" "openid_client" {
+  realm_id            = keycloak_realm.realm.id
+  client_id           = "ort-server"
+  name                = "ORT Server"
+  enabled             = true
+
+  access_type         = "PUBLIC"
+  valid_redirect_uris = [
+    "http://localhost:8080/*",
+    "http://localhost:8081/*",
+    "http://localhost:5173/*"
+  ]
+  valid_post_logout_redirect_uris = [
+    "+"
+  ]
+
+  web_origins = [
+    "*",
+  ]
+
+  standard_flow_enabled = true
+  direct_access_grants_enabled = true
+  frontchannel_logout_enabled = true
+}
+
+resource "keycloak_openid_client_scope" "openid_client_scope" {
+  realm_id               = keycloak_realm.realm.id
+  name                   = "ort-server-client"
+  description            = "Shared scope for clients interacting with the ORT Server"
+  include_in_token_scope = false
+}
+
+resource "keycloak_openid_audience_protocol_mapper" "audience_mapper" {
+  realm_id        = keycloak_realm.realm.id
+  client_scope_id = keycloak_openid_client_scope.openid_client_scope.id
+  name            = "ORT-server-audience-mapper"
+
+  included_client_audience = keycloak_openid_client.openid_client.client_id
+  add_to_id_token = false
+  add_to_access_token = true
+}
+
+resource "keycloak_openid_client_default_scopes" "client_default_scopes" {
+  realm_id  = keycloak_realm.realm.id
+  client_id = keycloak_openid_client.openid_client.id
+
+  default_scopes = [
+    "acr",
+    "profile",
+    "email",
+    "roles",
+    "web-origins",
+    keycloak_openid_client_scope.openid_client_scope.name,
+  ]
+}
+
+resource "keycloak_role" "superuser" {
+  realm_id    = keycloak_realm.realm.id
+  client_id   = keycloak_openid_client.openid_client.id
+  name        = "superuser"
+  description = "This role is auto-generated, do not edit or remove."
+}
+
+resource "keycloak_group" "superusers" {
+  realm_id = keycloak_realm.realm.id
+  name     = "SUPERUSERS"
+}
+
+resource "keycloak_group_roles" "group_roles" {
+  realm_id = keycloak_realm.realm.id
+  group_id = keycloak_group.superusers.id
+
+  role_ids = [
+    keycloak_role.superuser.id,
+    keycloak_role.superuser.id,
+  ]
+}
+
+resource "keycloak_user" "ort_admin" {
+  realm_id   = keycloak_realm.realm.id
+  username   = "admin"
+  enabled    = true
+
+  email      = "admin@oss-review-toolkit.org"
+  first_name = "Ort"
+  last_name  = "Admin"
+
+  initial_password {
+    value     = "admin"
+    temporary = false
+  }
+}
+
+resource "keycloak_user_groups" "ort_admin_roles" {
+  realm_id = keycloak_realm.realm.id
+  user_id = keycloak_user.ort_admin.id
+
+  group_ids  = [
+    keycloak_group.superusers.id
+  ]
+}
+
+resource "keycloak_user" "realm_admin" {
+  realm_id   = keycloak_realm.realm.id
+  username   = "keycloak-admin"
+  enabled    = true
+
+  email      = "realm-admin@oss-review-toolkit.org"
+  first_name = "Realm"
+  last_name  = "Admin"
+
+  initial_password {
+    value     = "keycloak-admin"
+    temporary = false
+  }
+}
+
+resource "keycloak_user_roles" "realm_admin_roles" {
+  realm_id = keycloak_realm.realm.id
+  user_id  = keycloak_user.realm_admin.id
+
+  role_ids = [
+    keycloak_role.admin.id
+  ]
+}
diff --git a/scripts/kubernetes/kubernetes-jobmonitor.yaml b/scripts/kubernetes/kubernetes-jobmonitor.yaml
new file mode 100644
index 0000000000..ebb63d88be
--- /dev/null
+++ b/scripts/kubernetes/kubernetes-jobmonitor.yaml
@@ -0,0 +1,80 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: jobmonitor
+  namespace: ort-server
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  namespace: ort-server
+  name: jobmonitor-watcher
+rules:
+  - apiGroups: ["core"]
+    resources: ["pods"]
+    verbs: ["list", "get", "delete"]
+  - apiGroups: ["batch"]
+    resources: ["jobs"]
+    verbs: ["list", "watch", "delete"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: jobmonitor-watcher-binding
+  namespace: ort-server
+subjects:
+  - kind: ServiceAccount
+    name: jobmonitor
+    namespace: ort-server
+roleRef:
+  kind: Role
+  name: jobmonitor-watcher
+  apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: kubernetes-jobmonitor
+  namespace: ort-server
+  labels:
+    app: ort-server
+    component: kubernetes-jobmonitor
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: ort-server
+      component: kubernetes-jobmonitor
+  template:
+    metadata:
+      labels:
+        app: ort-server
+        component: kubernetes-jobmonitor
+    spec:
+      serviceAccountName: jobmonitor
+      volumes:
+        - name: ort-jobmonitor-config-volume
+          configMap: 
+            name: ort-jobmonitor-config
+        - name: ort-secrets
+          secret: 
+            secretName: ort-secrets
+      containers:
+        - name: kubernetes-jobmonitor
+          image: "kubernetes-jobmonitor-image"
+          volumeMounts:
+            - name: ort-jobmonitor-config-volume
+              mountPath: /app/resources/application.conf
+              subPath: application.conf
+              readOnly: true
+            - name: ort-secrets
+              mountPath: /app/resources/secrets.properties
+              subPath: secrets.properties
+              readOnly: true
+          resources:
+            requests:
+              memory: "128Mi"
+              cpu: "250m"
+            limits:
+              memory: "2Gi"
+              cpu: "1"
diff --git a/scripts/kubernetes/loki-values.yaml b/scripts/kubernetes/loki-values.yaml
new file mode 100644
index 0000000000..8054c10330
--- /dev/null
+++ b/scripts/kubernetes/loki-values.yaml
@@ -0,0 +1,24 @@
+deploymentMode: SingleBinary
+loki:
+  auth_enabled: false
+  commonConfig:
+    replication_factor: 1
+  storage:
+    type: 'filesystem'
+  schemaConfig:
+    configs:
+    - from: "2024-01-01"
+      store: tsdb
+      index:
+        prefix: loki_index_
+        period: 24h
+      object_store: filesystem
+      schema: v13
+
+grafana:
+  enabled: true
+  adminUser: admin
+  adminPassword: admin
+
+promtail:
+  enabled: false
diff --git a/scripts/kubernetes/namespace.yaml b/scripts/kubernetes/namespace.yaml
new file mode 100644
index 0000000000..a3fa91d3a9
--- /dev/null
+++ b/scripts/kubernetes/namespace.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: ort-server
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: keycloak
diff --git a/scripts/kubernetes/orchestrator.application.conf b/scripts/kubernetes/orchestrator.application.conf
new file mode 100644
index 0000000000..6525deb7a1
--- /dev/null
+++ b/scripts/kubernetes/orchestrator.application.conf
@@ -0,0 +1,141 @@
+# Copyright (C) 2022 The ORT Server Authors (See <https://github.com/eclipse-apoapsis/ort-server/blob/main/NOTICE>)
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# License-Filename: LICENSE
+
+configManager {
+  secretProvider = secret-file
+  configSecretFileList = "/app/resources/secrets.properties"
+  allowSecretsFromConfig = true
+}
+
+database {
+  host = "postgresql"
+  port = 5432
+  name = "ort"
+  schema = "ort_server"
+  username = "postgres"
+  password = "postgres"
+  connectionTimeout = 30000
+  idleTimeout = 600000
+  keepaliveTime = 0
+  maxLifetime = 1800000
+  maximumPoolSize = 5
+  minimumIdle = 5
+  sslMode = "disable"
+}
+
+orchestrator {
+  receiver {
+    type = "rabbitMQ"
+    serverUri = "amqp://rabbitmq-headless.ort-server.svc.cluster.local:5672"
+    queueName = "orchestrator_queue"
+  }
+}
+
+# For some reason these are not part of the orchestrator.receiver block.
+rabbitMqUser=admin
+rabbitMqPassword=admin
+
+config {
+  sender {
+    type = "kubernetes"
+    namespace = "ort-server"
+    imageName = ${?CONFIG_SENDER_TRANSPORT_IMAGE_NAME}
+    imagePullPolicy = "IfNotPresent"
+    enableDebugLogging = false
+    mountSecrets = "ort-secrets->/mnt/secrets ort-config-worker-config->/app/resources/application.conf|application.conf ort-config-secret->/mnt/config"
+    serverUri = "amqp://rabbitmq-headless.ort-server.svc.cluster.local:5672"
+    queueName = "analyzer_queue"
+  }
+}
+
+analyzer {
+  sender {
+    type = "kubernetes"
+    namespace = "ort-server"
+    imageName = ${?ANALYZER_SENDER_TRANSPORT_IMAGE_NAME}
+    imagePullPolicy = "IfNotPresent"
+    enableDebugLogging = false
+    mountSecrets = "ort-secrets->/mnt/secrets"
+    serverUri = "amqp://rabbitmq-headless.ort-server.svc.cluster.local:5672"
+    queueName = "analyzer_queue"
+  }
+}
+
+advisor {
+  sender {
+    type = "kubernetes"
+    namespace = "ort-server"
+    imageName = ${?ADVISOR_SENDER_TRANSPORT_IMAGE_NAME}
+    imagePullPolicy = "IfNotPresent"
+    enableDebugLogging = false
+    mountSecrets = "ort-secrets->/mnt/secrets"
+    serverUri = "amqp://rabbitmq-headless.ort-server.svc.cluster.local:5672"
+    queueName = "advisor_queue"
+  }
+}
+
+scanner {
+  sender {
+    type = "kubernetes"
+    namespace = "ort-server"
+    imageName = ${?SCANNER_SENDER_TRANSPORT_IMAGE_NAME}
+    imagePullPolicy = "IfNotPresent"
+    enableDebugLogging = false
+    mountSecrets = "ort-secrets->/mnt/secrets"
+    serverUri = "amqp://rabbitmq-headless.ort-server.svc.cluster.local:5672"
+    queueName = "scanner_queue"
+  }
+}
+
+evaluator {
+  sender {
+    type = "kubernetes"
+    namespace = "ort-server"
+    imageName = ${?EVALUATOR_SENDER_TRANSPORT_IMAGE_NAME}
+    imagePullPolicy = "IfNotPresent"
+    enableDebugLogging = false
+    mountSecrets = "ort-secrets->/mnt/secrets"
+    serverUri = "amqp://rabbitmq-headless.ort-server.svc.cluster.local:5672"
+    queueName = "evaluator_queue"
+  }
+}
+
+reporter {
+  sender {
+    type = "kubernetes"
+    namespace = "ort-server"
+    imageName = ${?REPORTER_SENDER_TRANSPORT_IMAGE_NAME}
+    imagePullPolicy = "IfNotPresent"
+    enableDebugLogging = false
+    mountSecrets = "ort-secrets->/mnt/secrets"
+    serverUri = "amqp://rabbitmq-headless.ort-server.svc.cluster.local:5672"
+    queueName = "reporter_queue"
+  }
+}
+
+notifier {
+  sender {
+    type = "kubernetes"
+    namespace = "ort-server"
+    imageName = ${?NOTIFIER_SENDER_TRANSPORT_IMAGE_NAME}
+    imagePullPolicy = "IfNotPresent"
+    enableDebugLogging = false
+    mountSecrets = "ort-secrets->/mnt/secrets"
+    serverUri = "amqp://rabbitmq-headless.ort-server.svc.cluster.local:5672"
+    queueName = "notifier_queue"
+  }
+}
diff --git a/scripts/kubernetes/orchestrator.yaml b/scripts/kubernetes/orchestrator.yaml
new file mode 100644
index 0000000000..b436a78060
--- /dev/null
+++ b/scripts/kubernetes/orchestrator.yaml
@@ -0,0 +1,140 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: orchestrator
+  namespace: ort-server
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  namespace: ort-server
+  name: orchestrator-job-creator
+rules:
+  - apiGroups: ["batch"]
+    resources: ["jobs"]
+    verbs: ["create"]
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: ort-server-secret-configmap
+  namespace: ort-server
+data:
+  secrets: |
+    rabbitMqUser=admin
+    rabbitMqPassword=admin
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: orchestrator-job-creator-binding
+  namespace: ort-server
+subjects:
+  - kind: ServiceAccount
+    name: orchestrator
+    namespace: ort-server
+roleRef:
+  kind: Role
+  name: orchestrator-job-creator
+  apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: ort-server-orchestrator
+  namespace: ort-server
+  labels:
+    app: ort-server
+    component: orchestrator
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: ort-server
+      component: orchestrator
+  template:
+    metadata:
+      labels:
+        app: ort-server
+        component: orchestrator
+    spec:
+      serviceAccountName: orchestrator
+      volumes:
+        - name: ort-orchestrator-config-volume
+          configMap: 
+            name: ort-orchestrator-config
+        - name: ort-orchestrator-config-secrets
+          secret: 
+            secretName: ort-secrets
+      containers:
+        - name: ort-server
+          image: "ort-server-orchestrator"
+          ports:
+            - containerPort: 8080
+          volumeMounts:
+            - name: ort-orchestrator-config-volume
+              mountPath: /app/resources/application.conf
+              subPath: application.conf
+              readOnly: true
+            - name: ort-orchestrator-config-secrets
+              mountPath: /app/resources/secrets.properties
+              subPath: secrets.properties
+              readOnly: true
+          env:
+            - name: DB_HOST
+              value: "postgresql"
+            - name: DB_PORT
+              value: "5432"
+            - name: DB_NAME
+              value: ort
+            - name: DB_SCHEMA
+              value: ort_server
+            - name: DB_USERNAME
+              value: postgres
+            - name: DB_PASSWORD
+              value: postgres
+            - name: DB_SSL_MODE
+              value: disable
+            # This is the queue configuration for communicating back from the workers to the orchestrator.
+            - name: ORCHESTRATOR_SENDER_TRANSPORT_TYPE
+              value: "rabbitMQ"
+            - name: ORCHESTRATOR_SENDER_TRANSPORT_SERVER_URI
+              value: "amqp://rabbitmq-headless.ort-server.svc.cluster.local:5672"
+            - name: ORCHESTRATOR_SENDER_TRANSPORT_QUEUE_NAME
+              value: orchestrator_queue
+
+            - name: ANALYZER_MOUNT_SECRETS
+              value: "ort-secrets->/mnt/secrets|secrets.properties"
+            - name: ANALYZER_ANALYZER_SECRET_PROVIDER
+              value: secret-file
+            - name: ANALYZER_ANALYZER_SECRET_FILES
+              value: /mnt/secrets/secrets.properties
+            
+            - name: REPORTER_MOUNT_SECRETS
+              value: "ort-secrets->/mnt/secrets|secrets.properties"
+            - name: REPORTER_REPORTER_SECRET_PROVIDER
+              value: secret-file
+            - name: REPORTER_REPORTER_SECRET_FILES
+              value: /mnt/secrets/secrets.properties
+            
+            - name: ANALYZER_SENDER_TRANSPORT_IMAGE_NAME
+              value: "analyzer-worker-image"
+            - name: ADVISOR_SENDER_TRANSPORT_IMAGE_NAME
+              value: "advisor-worker-image"
+            - name: CONFIG_SENDER_TRANSPORT_IMAGE_NAME
+              value: "config-worker-image"
+            - name: EVALUATOR_SENDER_TRANSPORT_IMAGE_NAME
+              value: "evaluator-worker-image"
+            - name: NOTIFIER_SENDER_TRANSPORT_IMAGE_NAME
+              value: "notifier-worker-image"
+            - name: REPORTER_SENDER_TRANSPORT_IMAGE_NAME
+              value: "reporter-worker-image"
+            - name: SCANNER_SENDER_TRANSPORT_IMAGE_NAME
+              value: "scanner-worker-image"
+          resources:
+            requests:
+              memory: "256Mi"
+              cpu: "500m"
+            limits:
+              memory: "2Gi"
+              cpu: "1"
diff --git a/scripts/kubernetes/rabbitmq/.gitignore b/scripts/kubernetes/rabbitmq/.gitignore
new file mode 100644
index 0000000000..2faf43d0a1
--- /dev/null
+++ b/scripts/kubernetes/rabbitmq/.gitignore
@@ -0,0 +1,37 @@
+# Local .terraform directories
+**/.terraform/*
+
+# .tfstate files
+*.tfstate
+*.tfstate.*
+
+# Crash log files
+crash.log
+crash.*.log
+
+# Exclude all .tfvars files, which are likely to contain sensitive data, such as
+# password, private keys, and other secrets. These should not be part of version 
+# control as they are data points which are potentially sensitive and subject 
+# to change depending on the environment.
+*.tfvars
+*.tfvars.json
+
+# Ignore override files as they are usually used to override resources locally and so
+# are not checked in
+override.tf
+override.tf.json
+*_override.tf
+*_override.tf.json
+
+# Ignore transient lock info files created by terraform apply
+.terraform.tfstate.lock.info
+
+# Include override files you do wish to add to version control using negated pattern
+# !example_override.tf
+
+# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
+# example: *tfplan*
+
+# Ignore CLI configuration files
+.terraformrc
+terraform.rc
diff --git a/scripts/kubernetes/rabbitmq/.terraform.lock.hcl b/scripts/kubernetes/rabbitmq/.terraform.lock.hcl
new file mode 100644
index 0000000000..051ba6b85b
--- /dev/null
+++ b/scripts/kubernetes/rabbitmq/.terraform.lock.hcl
@@ -0,0 +1,24 @@
+# This file is maintained automatically by "tofu init".
+# Manual edits may be lost in future updates.
+
+provider "registry.opentofu.org/cyrilgdn/rabbitmq" {
+  version     = "1.8.0"
+  constraints = "1.8.0"
+  hashes = [
+    "h1:PZrZsZvFQJd3hwfv7j/drVvQEL42n6yxV9zhXWjfDwA=",
+    "zh:0a8bd3de84ccd39b55057403fd9d1adbb024caccfcffb879ac894858ba9f06a0",
+    "zh:16f80a580d481970bbedf86e8e5da07078f0d7f1a8a86392e8ef6e1b9f4ca1d9",
+    "zh:1b143c6ca964da5da0e0f94866ade50dedc8f4a7397b1c033ffd267e1db4c6e7",
+    "zh:36b600a063e20855da864bc01ece5e5cec7501d48afeb3dae723921845110daa",
+    "zh:6cb23dd9444dcfa560bde1bc5a9c7beb41449796573a8ff03bebe31f2d2afccb",
+    "zh:744ff00cb46a989b4326195b911b2a6210d0ee217b59c565d70cb27cb05f12d1",
+    "zh:a32e346142598a0a6e28ee56c3c4d92a62fd32dd646f72a5458c81c91ec0bed2",
+    "zh:a8a9d7f5956f50ea2a6b445372b5eec1361d13833795a4a9f511ed0d12ef8c09",
+    "zh:b2a1e820efb46ac7a811c9171e2b401c7a17a1e8b1af3ea10da65e157ec4163f",
+    "zh:bf6dfd3dfc95a88007b86a895c0b1d2a9e97727daed84f3a8bd94fbd839f5faf",
+    "zh:c62c848d9adac85388a49b9fd92e365f69edc6a269252af6e91c83a5178d888b",
+    "zh:cca4abc203005c79e98be13f7332af79f97f4119da53daa0ea3e748eb37a7e5d",
+    "zh:dea734c047c9ee76133cc58b2c7235b6a6cf5d739c2249573a5ca83799307eca",
+    "zh:e468d5cd8b48704b3b5a5081d11f25486a979a749efbf07b5f1d6567b1cf5e3f",
+  ]
+}
diff --git a/scripts/kubernetes/rabbitmq/rabbitmq.tf b/scripts/kubernetes/rabbitmq/rabbitmq.tf
new file mode 100644
index 0000000000..bf7fff1fc1
--- /dev/null
+++ b/scripts/kubernetes/rabbitmq/rabbitmq.tf
@@ -0,0 +1,105 @@
+terraform {
+  required_providers {
+    rabbitmq = {
+      source = "cyrilgdn/rabbitmq"
+      version = "1.8.0"
+    }
+  }
+}
+
+provider "rabbitmq" {
+  endpoint = "http://localhost:15672"
+  username = "admin"
+  password = "admin"
+}
+
+resource "rabbitmq_queue" "advisor" {
+  name  = "advisor_queue"
+  vhost = "/"
+
+  settings {
+    durable     = true
+    auto_delete = false
+    arguments = {
+      "x-queue-type" : "classic",
+    }
+  }
+}
+
+resource "rabbitmq_queue" "analyzer" {
+  name  = "analyzer_queue"
+  vhost = "/"
+
+  settings {
+    durable     = true
+    auto_delete = false
+    arguments = {
+      "x-queue-type" : "classic",
+    }
+  }
+}
+
+resource "rabbitmq_queue" "config" {
+  name  = "config_queue"
+  vhost = "/"
+
+  settings {
+    durable     = true
+    auto_delete = false
+    arguments = {
+      "x-queue-type" : "classic",
+    }
+  }
+}
+
+resource "rabbitmq_queue" "evaluator" {
+  name  = "evaluator_queue"
+  vhost = "/"
+
+  settings {
+    durable     = true
+    auto_delete = false
+    arguments = {
+      "x-queue-type" : "classic",
+    }
+  }
+}
+
+resource "rabbitmq_queue" "orchestrator" {
+  name  = "orchestrator_queue"
+  vhost = "/"
+
+  settings {
+    durable     = true
+    auto_delete = false
+    arguments = {
+      "x-queue-type" : "classic",
+    }
+  }
+}
+
+resource "rabbitmq_queue" "reporter" {
+  name  = "reporter_queue"
+  vhost = "/"
+
+  settings {
+    durable     = true
+    auto_delete = false
+    arguments = {
+      "x-queue-type" : "classic",
+    }
+  }
+}
+
+resource "rabbitmq_queue" "scanner" {
+  name  = "scanner_queue"
+  vhost = "/"
+
+  settings {
+    durable     = true
+    auto_delete = false
+    arguments = {
+      "x-queue-type" : "classic",
+    }
+  }
+}
diff --git a/scripts/kubernetes/ui.yaml b/scripts/kubernetes/ui.yaml
new file mode 100644
index 0000000000..59cfb00cd6
--- /dev/null
+++ b/scripts/kubernetes/ui.yaml
@@ -0,0 +1,59 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: ort-server-ui
+  namespace: ort-server
+  labels:
+    app: ort-server
+    component: ui
+spec:
+  type: ClusterIP
+  ports:
+    - name: http
+      port: 80
+      targetPort: 8080
+  selector:
+    app: ort-server
+    component: ui
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: ort-server-ui
+  namespace: ort-server
+  labels:
+    app: ort-server
+    component: ui
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: ort-server
+      component: ui
+  template:
+    metadata:
+      labels:
+        app: ort-server
+        component: ui
+    spec:
+      containers:
+        - name: ort-server
+          image: ort-server-ui
+          ports:
+            - containerPort: 8080
+          resources:
+            requests:
+              memory: "128Mi"
+              cpu: "200m"
+            limits:
+              memory: "1Gi"
+              cpu: "500m"
+          env:
+            - name: UI_URL
+              value: "http://localhost:18082"
+            - name: UI_API_URL
+              value: "http://localhost:8080"
+            - name: UI_AUTHORITY
+              value: "http://localhost:8081/realms/master"
+            - name: UI_CLIENT_ID
+              value: "ort-server-ui"