diff --git a/CHANGELOG.md b/CHANGELOG.md
index ba87b80..3b24cf0 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,17 @@ All notable changes to this project will be documented in this file.
 
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [3.3.18] - 2026-04-26
+
+### Changed
+
+- **Docker Compose:** **`docker-compose.override.yml`** sets the same **`ReverseProxy__Clusters__*__Destinations__d1__Address`** environment variables as Kubernetes (**`http://server:5000/`** / **`http://client:5173/`** on the Compose network), so YARP behavior does not depend only on baked-in **`appsettings.json`**.
+- **Helm:** Optional **`components.reverseproxy.kubernetesUpstreamHosts`** (default **`true`**) toggles injection of in-cluster upstream URLs; set **`false`** only for custom Service naming. Single-replica and HA clusters use the same DNS pattern.
+
+### Fixed
+
+- **Helm / reverseproxy:** YARP upstreams defaulted to Compose hostnames **`server`** / **`client`**, which do not resolve in Kubernetes. The chart sets **`ReverseProxy__Clusters__*__Destinations__d1__Address`** to **`http://<release-fullname>-server:<port>/`** and **`http://<release-fullname>-client:<port>/`** when **`kubernetesUpstreamHosts`** is enabled (ports from **`components.server.service.port`** and **`components.client.service.port`**).
+
 ## [3.3.17] - 2026-04-26
 
 ### Changed
diff --git a/src/MaksIT.CertsUI/MaksIT.CertsUI.csproj b/src/MaksIT.CertsUI/MaksIT.CertsUI.csproj
index a9b89d9..e72d1d9 100644
--- a/src/MaksIT.CertsUI/MaksIT.CertsUI.csproj
+++ b/src/MaksIT.CertsUI/MaksIT.CertsUI.csproj
@@ -1,7 +1,7 @@
 <Project Sdk="Microsoft.NET.Sdk.Web">
 
   <PropertyGroup>
-    <Version>3.3.17</Version>
+    <Version>3.3.18</Version>
     <TargetFramework>net10.0</TargetFramework>
     <Nullable>enable</Nullable>
     <ImplicitUsings>enable</ImplicitUsings>
diff --git a/src/docker-compose.override.yml b/src/docker-compose.override.yml
index 6697d5c..dc77a5f 100644
--- a/src/docker-compose.override.yml
+++ b/src/docker-compose.override.yml
@@ -9,6 +9,9 @@ services:
     environment:
       ASPNETCORE_ENVIRONMENT: Development
       ASPNETCORE_HTTP_PORTS: "8080"
+      # Same YARP keys as Helm (Kubernetes uses <fullname>-server/client). Compose uses service names server / client.
+      ReverseProxy__Clusters__webapiCluster__Destinations__d1__Address: "http://server:5000/"
+      ReverseProxy__Clusters__webuiCluster__Destinations__d1__Address: "http://client:5173/"
     ports:
       - "8080:8080"
     networks:
diff --git a/src/docker-compose.yml b/src/docker-compose.yml
index 6ed8801..47468aa 100644
--- a/src/docker-compose.yml
+++ b/src/docker-compose.yml
@@ -1,5 +1,5 @@
 # Naming: maksit-certs-ui-<role> for containers and local images (parallel to maksit-vault-* in the Vault repo).
-# DOCKER_REGISTRY is optional (e.g. cr.example.com/); YARP still targets Compose service names client / server in appsettings.json.
+# DOCKER_REGISTRY is optional (e.g. cr.example.com/). YARP upstreams: docker-compose.override.yml sets ReverseProxy__* env (Compose DNS: client / server); Kubernetes uses Helm-injected <fullname>-client|server.
 name: maksit-certs-ui
 
 services:
diff --git a/src/helm/templates/NOTES.txt b/src/helm/templates/NOTES.txt
index 75f5978..a1b16ab 100644
--- a/src/helm/templates/NOTES.txt
+++ b/src/helm/templates/NOTES.txt
@@ -2,7 +2,7 @@ Thank you for installing **{{ .Chart.Name }}**.
 
 Release: {{ .Release.Name }} / namespace {{ .Release.Namespace }}
 
-Services use ClusterIP; expose via ingress, gateway, or kubectl port-forward.
+Services use ClusterIP; expose via ingress, gateway, or kubectl port-forward. **reverseproxy:** with **`components.reverseproxy.kubernetesUpstreamHosts: true`** (default), YARP destinations are set by env to **`http://<fullname>-server:<serverPort>/`** and **`http://<fullname>-client:<clientPort>/`** (same pattern for single-node and HA replica counts). Docker Compose uses **`docker-compose.override.yml`** env to **`http://server:…`** / **`http://client:…`** instead (no Helm).
 
 ------------------------------------------------------------
 ## Components
diff --git a/src/helm/templates/deployments.yaml b/src/helm/templates/deployments.yaml
index 917f138..ae505d6 100644
--- a/src/helm/templates/deployments.yaml
+++ b/src/helm/templates/deployments.yaml
@@ -65,9 +65,18 @@ spec:
           ports:
             - name: http
               containerPort: {{ $tgt }}
-          {{- if $comp.env }}
+          {{- $rpK8sUpstream := true }}
+          {{- if eq $compName "reverseproxy" }}
+          {{- if hasKey $comp "kubernetesUpstreamHosts" }}
+          {{- $raw := index $comp "kubernetesUpstreamHosts" }}
+          {{- if or (eq $raw false) (eq ($raw | toString | lower) "false") (eq ($raw | toString) "0") }}
+          {{- $rpK8sUpstream = false }}
+          {{- end }}
+          {{- end }}
+          {{- end }}
+          {{- if or $comp.env (eq $compName "reverseproxy") }}
           env:
-            {{- range $comp.env }}
+            {{- range ($comp.env | default list) }}
             - name: {{ .name }}
               {{- if hasKey . "valueFrom" }}
               valueFrom:
@@ -76,6 +85,17 @@ spec:
               value: {{ .value | quote }}
               {{- end }}
             {{- end }}
+            {{- if and (eq $compName "reverseproxy") $rpK8sUpstream }}
+            {{- $fn := include "certs-ui.fullname" $root }}
+            {{- $client := index $root.Values.components "client" | default dict }}
+            {{- $server := index $root.Values.components "server" | default dict }}
+            {{- $cport := ($client.service | default dict).port | default 5173 }}
+            {{- $sport := ($server.service | default dict).port | default 5000 }}
+            - name: ReverseProxy__Clusters__webapiCluster__Destinations__d1__Address
+              value: {{ printf "http://%s-server:%v/" $fn $sport | quote }}
+            - name: ReverseProxy__Clusters__webuiCluster__Destinations__d1__Address
+              value: {{ printf "http://%s-client:%v/" $fn $cport | quote }}
+            {{- end }}
           {{- end }}
           {{- with $comp.livenessProbe }}
           livenessProbe:
diff --git a/src/helm/values.yaml b/src/helm/values.yaml
index a0aa5d2..7af0576 100644
--- a/src/helm/values.yaml
+++ b/src/helm/values.yaml
@@ -240,6 +240,14 @@ components:
 
   reverseproxy:
     replicaCount: 1
+    # kubernetesUpstreamHosts: when true (default), Helm adds YARP destination env on the reverseproxy pod (see templates/deployments.yaml).
+    # Example: helm install acme ./chart → fullname acme-certs-ui, server port 5000 / client port 5173 (defaults below) yields:
+    #   ReverseProxy__Clusters__webapiCluster__Destinations__d1__Address=http://acme-certs-ui-server:5000/
+    #   ReverseProxy__Clusters__webuiCluster__Destinations__d1__Address=http://acme-certs-ui-client:5173/
+    # Ports mirror components.server.service.port and components.client.service.port. Docker Compose: set the same two env keys in
+    # docker-compose.override.yml to http://server:5000/ and http://client:5173/ (Compose service names), not Helm.
+    # false: Helm does not inject those env vars — supply addresses yourself (custom Service names, mesh, external hosts).
+    kubernetesUpstreamHosts: true
     image:
       registry: cr.maks-it.com
       repository: certs-ui/reverseproxy