diff --git a/kubernetes/pi/apps/observability/kube-prometheus-stack/app/externalsecret.yaml b/kubernetes/pi/apps/observability/kube-prometheus-stack/app/externalsecret.yaml
index df664f4b5c..6aedcbe7cf 100644
--- a/kubernetes/pi/apps/observability/kube-prometheus-stack/app/externalsecret.yaml
+++ b/kubernetes/pi/apps/observability/kube-prometheus-stack/app/externalsecret.yaml
@@ -17,7 +17,7 @@ spec:
           config:
             access_key: {{ .AWS_ACCESS_KEY_ID }}
             bucket: thanos
-            endpoint: rook-ceph-rgw.${PRIMARY_DOMAIN}
+            endpoint: rgw.${PRIMARY_DOMAIN}
             insecure: true
             region: ""
             secret_key: {{ .AWS_SECRET_ACCESS_KEY }}
diff --git a/kubernetes/teyvat/apps/rook-ceph/rook-ceph/cluster/cephobjectstoreuser.yaml b/kubernetes/teyvat/apps/rook-ceph/rook-ceph/cluster/cephobjectstoreuser.yaml
new file mode 100644
index 0000000000..432b015c1e
--- /dev/null
+++ b/kubernetes/teyvat/apps/rook-ceph/rook-ceph/cluster/cephobjectstoreuser.yaml
@@ -0,0 +1,10 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/ceph.rook.io/cephobjectstoreuser_v1.json
+apiVersion: ceph.rook.io/v1
+kind: CephObjectStoreUser
+metadata:
+  name: cluster-admin
+spec:
+  # Ref: https://rook.io/docs/rook/v1.13/Storage-Configuration/Object-Storage-RGW/object-storage/
+  store: ceph-objectstore
+  displayName: Cluster Admin
diff --git a/kubernetes/teyvat/apps/rook-ceph/rook-ceph/cluster/helmrelease.yaml b/kubernetes/teyvat/apps/rook-ceph/rook-ceph/cluster/helmrelease.yaml
index fd4603fee6..d001270260 100644
--- a/kubernetes/teyvat/apps/rook-ceph/rook-ceph/cluster/helmrelease.yaml
+++ b/kubernetes/teyvat/apps/rook-ceph/rook-ceph/cluster/helmrelease.yaml
@@ -69,7 +69,7 @@ spec:
             memory: 1Gi
         osd:
           requests:
-            cpu: 500m
+            cpu: 400m
             memory: 2Gi
           limits:
             memory: 6Gi
@@ -111,7 +111,7 @@ spec:
             requiredDuringSchedulingIgnoredDuringExecution:
               nodeSelectorTerms:
                 - matchExpressions:
-                    - key: node-role.kubernetes.io/control-plane
+                    - key: node-role.kubernetes.io/worker
                       operator: Exists
         mon: *placement
     cephBlockPools:
diff --git a/kubernetes/teyvat/apps/rook-ceph/rook-ceph/cluster/kustomization.yaml b/kubernetes/teyvat/apps/rook-ceph/rook-ceph/cluster/kustomization.yaml
index 99974dc489..a127dd32d5 100644
--- a/kubernetes/teyvat/apps/rook-ceph/rook-ceph/cluster/kustomization.yaml
+++ b/kubernetes/teyvat/apps/rook-ceph/rook-ceph/cluster/kustomization.yaml
@@ -3,5 +3,5 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
+  - ./cephobjectstoreuser.yaml
   - ./helmrelease.yaml
-  - ./rgw-external.yaml
diff --git a/kubernetes/teyvat/apps/rook-ceph/rook-ceph/cluster/rgw-external.yaml b/kubernetes/teyvat/apps/rook-ceph/rook-ceph/cluster/rgw-external.yaml
deleted file mode 100644
index 76fb16f337..0000000000
--- a/kubernetes/teyvat/apps/rook-ceph/rook-ceph/cluster/rgw-external.yaml
+++ /dev/null
@@ -1,53 +0,0 @@
----
-# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/ceph.rook.io/cephobjectstoreuser_v1.json
-apiVersion: ceph.rook.io/v1
-kind: CephObjectStoreUser
-metadata:
-  name: cluster-admin
-spec:
-  # https://rook.io/docs/rook/v1.13/Storage-Configuration/Object-Storage-RGW/object-storage/
-  store: ceph-objectstore
-  displayName: Cluster Admin
-# ---
-# apiVersion: v1
-# kind: Service
-# metadata:
-#   name: rook-ceph-rgw-ceph-objectstore-external
-#   namespace: rook-ceph
-#   labels:
-#     app: rook-ceph-rgw
-#     rook_cluster: rook-ceph
-#     rook_object_store: ceph-objectstore
-# spec:
-#   type: NodePort
-#   selector:
-#     app: rook-ceph-rgw
-#     rook_cluster: rook-ceph
-#     rook_object_store: ceph-objectstore
-#   ports:
-#     - name: rgw
-#       port: 80
-#       protocol: TCP
-#       targetPort: 80
-#   sessionAffinity: None
-# ---
-# apiVersion: networking.k8s.io/v1
-# kind: Ingress
-# metadata:
-#   name: rook-ceph-rgw
-# spec:
-#   ingressClassName: internal
-#   rules:
-#     - host: &host rook-ceph-rgw.${SECRET_DOMAIN}
-#       http:
-#         paths:
-#           - backend:
-#               service:
-#                 name: rook-ceph-rgw-ceph-objectstore-external
-#                 port:
-#                   number: 80
-#             path: /
-#             pathType: Prefix
-#   tls:
-#     - hosts:
-#         - *host