diff --git a/CHANGELOG.md b/CHANGELOG.md
index 279f59c46..c30b9ad43 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,24 @@
+# 2020-03-02
+
+## Breaking changes / known issues when upgrading
+
+- upgrading an existing Helm release of `wire-server` needs to be enforced (i.e. `--force`) or done by reinstalling it
+
+## Features
+
+- enable Helm v3 support
+- Helm charts:
+ - nginz: Expose internal sso settings and custom backends (#178, #191)
+ - brig: New option setUserMaxPermClients is now available for brig (#185)
+ - cannon: comply with K8s StatefulSetSpec (#187)
+
+## Other updates
+
+- Skip flaky test in brig-integration (#184)
+- Ansible: fix mc policy set (#181) - thanks @kvaps
+- Ansible: Fix setting heap size for ES (#188)
+
+
 # 2020-01-09
 
 ## Features
diff --git a/ansible/download_kubespray.yml b/ansible/download_kubespray.yml
index 893cf9724..1d9d4dfe3 100644
--- a/ansible/download_kubespray.yml
+++ b/ansible/download_kubespray.yml
@@ -1,4 +1,6 @@
 # download a specific version of kubespray
+# Note: installing it via ansible-galaxy would re-arrange its content (roles/etcd is misplaced)
+# the reason for this behaviour is yet to be known
 # Usage: see Makefile
 - name: download kubespray
 hosts: localhost
@@ -9,7 +11,7 @@
 # uses
 # kube_version = "v1.14.2"
 # helm_version = "v2.13.1"
- # (if needed, these can be overridding in the hosts.ini under the [k8s-cluster:vars] section)
+ # (if needed, these can be overridden in the hosts.ini under the [k8s-cluster:vars] section)
 # also see download_cli_binaries.yml to see client-side versions of `kubectl` and `helm`.
 kubespray_version: e2f5a9748e4dbfe2fdba7931198b0b5f1f4bdc7e
 tasks:
diff --git a/ansible/elasticsearch.yml b/ansible/elasticsearch.yml
index 66d290008..e40e1ab5f 100644
--- a/ansible/elasticsearch.yml
+++ b/ansible/elasticsearch.yml
@@ -4,9 +4,7 @@
 vars:
 # The following sets java heap size to 1GB (default is 2GB)
 # comment that line when deploying on machines with >= 4GB memory.
- es_jvm_custom_parameters:
- - "-Xmx1g"
- - "-Xms1g"
+ es_heap_size: "1g"
 es_enable_xpack: false
 es_xpack_features: [] # disable features
diff --git a/ansible/hosts.example.ini b/ansible/hosts.example.ini
index 0112c6b61..e3f727bc6 100644
--- a/ansible/hosts.example.ini
+++ b/ansible/hosts.example.ini
@@ -21,10 +21,15 @@ restund02 ansible_host=X.X.X.X
 # * 'ip' is the IP to bind to (if multiple network interfaces are in use)
 # omit 'ip' if you only have one network interface
 # FIXME: note that kubespray has a test for if IP == ANSIBLE_HOST?
+kubenode01 ansible_host=X.X.X.X ip=Y.Y.Y.Y
+kubenode02 ansible_host=X.X.X.X ip=Y.Y.Y.Y
+kubenode03 ansible_host=X.X.X.X ip=Y.Y.Y.Y
+
+# etcd resides on dedicated machines
 # * etcd_member_name needs to be set on all hosts that run etcd (and must be different)
-kubenode01 ansible_host=X.X.X.X ip=Y.Y.Y.Y etcd_member_name=etcd1
-kubenode02 ansible_host=X.X.X.X ip=Y.Y.Y.Y etcd_member_name=etcd2
-kubenode03 ansible_host=X.X.X.X ip=Y.Y.Y.Y etcd_member_name=etcd3
+etcd01 ansible_host=X.X.X.X ip=Y.Y.Y.Y etcd_member_name=etcd1
+etcd02 ansible_host=X.X.X.X ip=Y.Y.Y.Y etcd_member_name=etcd2
+etcd03 ansible_host=X.X.X.X ip=Y.Y.Y.Y etcd_member_name=etcd3
 ### databases ###
@@ -81,9 +86,9 @@ kubenode03
 # must be an odd number of servers! (playbooks will fail otherwise)
 # See https://coreos.com/etcd/docs/latest/v2/admin_guide.html#optimal-cluster-size
 [etcd]
-kubenode01
-kubenode02
-kubenode03
+etcd01
+etcd02
+etcd03
 [kube-node]
 kubenode01
diff --git a/ansible/minio.yml b/ansible/minio.yml
index d64b33908..4f07ac2ba 100644
--- a/ansible/minio.yml
+++ b/ansible/minio.yml
@@ -60,7 +60,7 @@
 tags: mc-config
 - name: "make the 'public' bucket world-accessible"
- shell: "mc policy public local/public"
+ shell: "mc policy set public local/public"
 run_once: true
 tags: mc-config
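Review bot: The new `# etcd resides on dedicated machines` comment says where etcd lives but not what that implies for reachability: the etcd01–03 hosts (also the new [etcd] group in the hunk at -81) must accept client/peer traffic from the kube-master and kube-node hosts and from nothing else, since etcd holds all cluster state including Secrets. A second comment line such as `# restrict etcd client/peer ports to the kube-master/kube-node hosts; etcd stores all cluster state incl. Secrets` would put that expectation where operators copy from. The topology change itself (etcd moved off kubenode01–03, etcd_member_name removed there) is not mentioned in the CHANGELOG entry added by this commit, although anyone who derived their inventory from the old example is affected.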
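Review bot: `mc policy set public local/public` grants anonymous read *and* write on the bucket, which is more than the task name ("world-accessible") necessarily implies; if only anonymous downloads are intended, `shell: "mc policy set download local/public"` is the least-privilege policy and keeps anonymous uploads out of the bucket. Either way a comment on the line naming the intended access (`# public = anonymous read+write; use download for read-only`) would stop the next reader from guessing. Since `shell` always reports changed, the task could also query `mc policy get local/public` first or set `changed_when: false`. The enclosing task list starts outside the hunk.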
diff --git a/charts/brig/templates/configmap.yaml b/charts/brig/templates/configmap.yaml
index 50d1d99d1..df655b764 100644
--- a/charts/brig/templates/configmap.yaml
+++ b/charts/brig/templates/configmap.yaml
@@ -182,5 +182,8 @@ data:
 {{- if .setSearchSameTeamOnly }}
 setSearchSameTeamOnly: {{ .setSearchSameTeamOnly }}
 {{- end }}
+ {{- if .setUserMaxPermClients }}
+ setUserMaxPermClients: {{ .setUserMaxPermClients }}
+ {{- end }}
 {{- end }}
 {{- end }}
diff --git a/charts/brig/templates/tests/brig-integration.yaml b/charts/brig/templates/tests/brig-integration.yaml
index 43fc70c3a..6b0cc63ef 100644
--- a/charts/brig/templates/tests/brig-integration.yaml
+++ b/charts/brig/templates/tests/brig-integration.yaml
@@ -51,7 +51,9 @@ spec:
 # to get certain behaviour. This doesn't work on kubernetes because brig
 # is a different pod than brig-integration and they can't both mouht the
 # same file-system.
- command: ["brig-integration", "--pattern", "!/turn/"]
+ # The other test, "user.auth.cookies.limit", is skipped as it is flaky.
+ # This is tracked in https://github.com/zinfra/backend-issues/issues/1150.
+ command: ["brig-integration", "--pattern", "!/turn/ && !/user.auth.cookies.limit/"]
 volumeMounts:
 - name: "brig-integration"
 mountPath: "/etc/wire/integration"
diff --git a/charts/brig/values.yaml b/charts/brig/values.yaml
index bcd600cc5..bdaf0cc29 100644
--- a/charts/brig/values.yaml
+++ b/charts/brig/values.yaml
@@ -69,6 +69,8 @@ config:
 setDeleteThrottleMillis: 100
 # Allow search within same team only. Default: false
 # setSearchSameTeamOnly: false|true
+ # Set max number of user clients. Default: 7
+ # setUserMaxPermClients:
 smtp:
 passwordFile: /etc/wire/brig/secrets/smtp-password.txt
 turnStatic:
diff --git a/charts/cannon/templates/statefulset.yaml b/charts/cannon/templates/statefulset.yaml
index 5505a4fc1..b30a6078a 100644
--- a/charts/cannon/templates/statefulset.yaml
+++ b/charts/cannon/templates/statefulset.yaml
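Review bot: `{{- if .setUserMaxPermClients }}` tests Go-template truthiness, so a deliberate `setUserMaxPermClients: 0` in values is dropped and brig falls back to its built-in default instead of 0; if zero is a valid setting, `{{- if hasKey . "setUserMaxPermClients" }}` keys the emission on presence rather than value. The same idiom is used for setSearchSameTeamOnly just above, where it is harmless only because the default is already false. The `{{- end }}` lines that close the outer blocks belong to a `with`/`if` that starts outside the hunk.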
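Review bot: The new commented example `# setUserMaxPermClients:` carries no value, so uncommenting it as written yields `null`, which the configmap template's truthiness check then silently ignores. Show the default and say what is bounded, e.g. `# Maximum number of (presumably permanent, going by the name) clients a user may register. Default: 7` followed by `# setUserMaxPermClients: 7`, matching the `false|true` hint given for setSearchSameTeamOnly above.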
@@ -21,6 +21,7 @@ spec:
 replicas: {{ .Values.replicaCount }}
 updateStrategy:
 type: RollingUpdate
+ podManagementPolicy: Parallel
 template:
 metadata:
 labels:
@@ -29,7 +30,6 @@ spec:
 annotations:
 checksum/configmap: {{ include (print .Template.BasePath "/configmap.yaml") . | sha256sum }}
 spec:
- podManagementPolicy: Parallel
 terminationGracePeriodSeconds: {{ .Values.drainTimeout }} # should be higher than the sleep duration of preStop
 containers:
 - name: cannon
diff --git a/charts/nginz/values.yaml b/charts/nginz/values.yaml
index 47ba679a6..ef078a357 100644
--- a/charts/nginz/values.yaml
+++ b/charts/nginz/values.yaml
@@ -280,6 +280,15 @@ nginx_conf:
 - staging
 disable_zauth: true
 basic_auth: true
+ - path: ~* ^/custom-backend/by-domain/([^/]*)$
+ disable_zauth: true
+ envs:
+ - all
+ - path: ~* ^/i/custom-backend/by-domain/([^/]*)$
+ disable_zauth: true
+ basic_auth: true
+ envs:
+ - staging
 - path: ~* ^/teams/api-docs
 envs:
 - all
@@ -303,13 +312,36 @@ nginx_conf:
 max_body_size: 256k
 envs:
 - all
+ - path: /i/sso
+ disable_zauth: true
+ basic_auth: true
+ envs:
+ - staging
 - path: /sso-initiate-bind
 envs:
 - all
+ - path: /sso/initiate-login
+ envs:
+ - all
+ disable_zauth: true
+ allow_credentials: true
+ - path: /sso/finalize-login
+ envs:
+ - all
+ disable_zauth: true
+ allow_credentials: true
 - path: /sso
 envs:
 - all
 disable_zauth: true
+ - path: /scim/v2
+ envs:
+ - all
+ disable_zauth: true
+ allow_credentials: true
+ - path: /scim
+ envs:
+ - all
 proxy:
 - path: /proxy
 envs:
diff --git a/terraform/examples/create-infrastructure.tf b/terraform/examples/create-infrastructure.tf
index f7bd30105..2cb8dfc58 100644
--- a/terraform/examples/create-infrastructure.tf
+++ b/terraform/examples/create-infrastructure.tf
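Review bot: `podManagementPolicy: Parallel` only governs pod creation and deletion while scaling; it does not change the ordering of the `RollingUpdate` strategy declared two lines above, so if the motivation was faster rollouts the field does not deliver that. A comment on the new line, `# Parallel: create/delete pods concurrently when scaling; does not affect RollingUpdate ordering`, would prevent the misreading. The removal of the misplaced copy from the pod spec (hunk at -29) is the matching half of this move.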
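Review bot: `/i/custom-backend/by-domain/…` here and `/i/sso` in the hunk at -303 route internal (`/i/`) endpoints through the public proxy, protected only by `basic_auth: true` and limited to `staging`; nothing on the page records why staging needs them externally, so a comment such as `# internal endpoint: staging-only, basic-auth protected; never add to 'all'` would help future reviewers keep them out of production. The key order inside the new entries is inconsistent (`disable_zauth` before `envs` in the custom-backend entries, after it in the sso/scim ones) — matching the neighbouring entries keeps later diffs small. `/scim` without `disable_zauth` still goes through zauth while `/scim/v2` right above it does not; if that is intentional, a one-line comment saying so avoids it being "fixed" later.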
@@ -28,6 +28,17 @@ resource "hcloud_server" "node" {
 location = "nbg1"
 }
+resource "hcloud_server" "etcd" {
+ count = 3
+ name = "etcd${count.index}"
+ image = "ubuntu-18.04"
+ server_type = "cx41"
+ ssh_keys = ["hetznerssh-key"]
+
+ # Nuremberg (for choices see `hcloud datacenter list`)
+ location = "nbg1"
+}
+
 resource "hcloud_server" "redis" {
 count = 0
 name = "redis${count.index}"
@@ -88,6 +99,14 @@ resource "null_resource" "vpnkube" {
 triggers = {
 ip = "10.10.1.${10 + count.index}"
+ }
+}
+
+resource "null_resource" "vpnetcd" {
+ count = "${length(hcloud_server.etcd)}"
+
+ triggers = {
+ ip = "10.10.1.${60 + count.index}"
 member = "etcd_${count.index}"
 }
 }
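Review bot: `count = 3` on the new etcd servers is a bare literal, while the inventory example in this same commit warns that etcd must run on an odd number of hosts or the playbooks fail; record the constraint where it will be edited, `count = 3 # etcd quorum: keep this an odd number (see hosts.example.ini [etcd])`. The block otherwise duplicates `hcloud_server.node` (image, server_type, ssh_keys, location as literals); lifting those into shared variables would keep the etcd and node fleets from drifting apart by accident.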
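Review bot: The etcd VPN addresses are allocated as `10.10.1.${60 + count.index}` while the kube nodes use `10.10.1.${10 + count.index}`, so the ranges overlap once more than 50 nodes exist, and the offsets used by the other groups are not visible in the hunk; a comment on the new `ip` line stating the allocation scheme, e.g. `# 10.10.1.60+ reserved for etcd; node range starts at .10 — keep groups from overlapping`, makes the assumption checkable. `null_resource.vpnetcd` closes within the hunk, but `null_resource.vpnkube` opens outside it.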
@@ -128,14 +147,15 @@ data "template_file" "inventory" {
 template = "${file("inventory.tpl")}"
 vars = {
- connection_strings_node = "${join("\n", formatlist("%s ansible_host=%s vpn_ip=%s ip=%s etcd_member_name=%s", hcloud_server.node.*.name, hcloud_server.node.*.ipv4_address, null_resource.vpnkube.*.triggers.ip, null_resource.vpnkube.*.triggers.ip, null_resource.vpnkube.*.triggers.member))}"
+ connection_strings_node = "${join("\n", formatlist("%s ansible_host=%s vpn_ip=%s ip=%s", hcloud_server.node.*.name, hcloud_server.node.*.ipv4_address, null_resource.vpnkube.*.triggers.ip, null_resource.vpnkube.*.triggers.ip))}"
+ connection_strings_etcd = "${join("\n", formatlist("%s ansible_host=%s vpn_ip=%s ip=%s etcd_member_name=%s", hcloud_server.etcd.*.name, hcloud_server.etcd.*.ipv4_address, null_resource.vpnetcd.*.triggers.ip, null_resource.vpnetcd.*.triggers.ip, null_resource.vpnetcd.*.triggers.member))}"
 connection_strings_cassandra = "${join("\n", formatlist("%s ansible_host=%s vpn_ip=%s", hcloud_server.cassandra.*.name, hcloud_server.cassandra.*.ipv4_address, null_resource.vpncass.*.triggers.ip))}"
 connection_strings_elasticsearch = "${join("\n", formatlist("%s ansible_host=%s vpn_ip=%s", hcloud_server.elasticsearch.*.name, hcloud_server.elasticsearch.*.ipv4_address, null_resource.vpnes.*.triggers.ip))}"
 connection_strings_minio = "${join("\n", formatlist("%s ansible_host=%s vpn_ip=%s", hcloud_server.minio.*.name, hcloud_server.minio.*.ipv4_address, null_resource.vpnminio.*.triggers.ip))}"
 connection_strings_redis = "${join("\n", formatlist("%s ansible_host=%s vpn_ip=%s", hcloud_server.redis.*.name, hcloud_server.redis.*.ipv4_address, null_resource.vpnredis.*.triggers.ip))}"
 connection_strings_restund = "${join("\n", formatlist("%s ansible_host=%s", hcloud_server.restund.*.name, hcloud_server.restund.*.ipv4_address))}"
 list_master = "${join("\n",hcloud_server.node.*.name)}"
- list_etcd = "${join("\n",hcloud_server.node.*.name)}"
+ list_etcd = "${join("\n",hcloud_server.etcd.*.name)}"
 list_node = "${join("\n",hcloud_server.node.*.name)}"
 list_cassandra = "${join("\n",hcloud_server.cassandra.*.name)}"
 list_elasticsearch = "${join("\n",hcloud_server.elasticsearch.*.name)}"
diff --git a/terraform/examples/inventory.tpl b/terraform/examples/inventory.tpl
index 12b8f74b8..8c056de38 100644
--- a/terraform/examples/inventory.tpl
+++ b/terraform/examples/inventory.tpl
@@ -1,5 +1,6 @@
 [all]
 ${connection_strings_node}
+${connection_strings_etcd}
 ${connection_strings_minio}
 ${connection_strings_elasticsearch}
 ${connection_strings_cassandra}