diff --git a/build/templates/values.yaml b/build/templates/values.yaml
index e7ef6ccf..069662ed 100644
--- a/build/templates/values.yaml
+++ b/build/templates/values.yaml
@@ -540,6 +540,9 @@ tls:
       nodeCertExpiryWindow: 168h
 
   selfSigner:
+    # Additional labels to apply to the Pod of this Job.
+    labels: {}
+
     # Additional annotations to apply to the Pod of this Job.
     annotations: {}
 
diff --git a/cockroachdb/Chart.yaml b/cockroachdb/Chart.yaml
index 2dd565f4..7b98fb07 100644
--- a/cockroachdb/Chart.yaml
+++ b/cockroachdb/Chart.yaml
@@ -2,7 +2,7 @@
 apiVersion: v1
 name: cockroachdb
 home: https://www.cockroachlabs.com
-version: 14.0.0
+version: 14.0.2
 appVersion: 24.2.0
 description: CockroachDB is a scalable, survivable, strongly-consistent SQL database.
 icon: https://raw.githubusercontent.com/cockroachdb/cockroach/master/docs/media/cockroach_db.png
diff --git a/cockroachdb/templates/cronjob-ca-certSelfSigner.yaml b/cockroachdb/templates/cronjob-ca-certSelfSigner.yaml
index 903c42f7..4cd53900 100644
--- a/cockroachdb/templates/cronjob-ca-certSelfSigner.yaml
+++ b/cockroachdb/templates/cronjob-ca-certSelfSigner.yaml
@@ -20,8 +20,24 @@ spec:
     spec:
       backoffLimit: 1
       template:
+        metadata:
+        {{- with .Values.tls.selfSigner.labels }}
+          labels: {{- toYaml . | nindent 12 }}
+        {{- end }}
+        {{- with .Values.tls.selfSigner.annotations }}
+          annotations: {{- toYaml . | nindent 12 }}
+        {{- end }}
         spec:
           restartPolicy: Never
+        {{- with .Values.tls.selfSigner.affinity }}
+          affinity: {{- toYaml . | nindent 12 }}
+        {{- end }}
+        {{- with .Values.tls.selfSigner.nodeSelector }}
+          nodeSelector: {{- toYaml . | nindent 12 }}
+        {{- end }}
+        {{- with .Values.tls.selfSigner.tolerations }}
+          tolerations: {{- toYaml . | nindent 12 }}
+        {{- end }}
           containers:
           - name: cert-rotate-job
             image: "{{ .Values.tls.selfSigner.image.registry }}/{{ .Values.tls.selfSigner.image.repository }}:{{ .Values.tls.selfSigner.image.tag }}"
diff --git a/cockroachdb/templates/cronjob-client-node-certSelfSigner.yaml b/cockroachdb/templates/cronjob-client-node-certSelfSigner.yaml
index 5c9f6d99..d500cbeb 100644
--- a/cockroachdb/templates/cronjob-client-node-certSelfSigner.yaml
+++ b/cockroachdb/templates/cronjob-client-node-certSelfSigner.yaml
@@ -19,8 +19,24 @@ spec:
     spec:
       backoffLimit: 1
       template:
+        metadata:
+        {{- with .Values.tls.selfSigner.labels }}
+          labels: {{- toYaml . | nindent 12 }}
+        {{- end }}
+        {{- with .Values.tls.selfSigner.annotations }}
+          annotations: {{- toYaml . | nindent 12 }}
+        {{- end }}
         spec:
           restartPolicy: Never
+        {{- with .Values.tls.selfSigner.affinity }}
+          affinity: {{- toYaml . | nindent 12 }}
+        {{- end }}
+        {{- with .Values.tls.selfSigner.nodeSelector }}
+          nodeSelector: {{- toYaml . | nindent 12 }}
+        {{- end }}
+        {{- with .Values.tls.selfSigner.tolerations }}
+          tolerations: {{- toYaml . | nindent 12 }}
+        {{- end }}
           containers:
           - name: cert-rotate-job
             image: "{{ .Values.tls.selfSigner.image.registry }}/{{ .Values.tls.selfSigner.image.repository }}:{{ .Values.tls.selfSigner.image.tag }}"
diff --git a/cockroachdb/templates/job-certSelfSigner.yaml b/cockroachdb/templates/job-certSelfSigner.yaml
index 7242a68b..54ed2cad 100644
--- a/cockroachdb/templates/job-certSelfSigner.yaml
+++ b/cockroachdb/templates/job-certSelfSigner.yaml
@@ -24,6 +24,9 @@ spec:
         app.kubernetes.io/name: {{ template "cockroachdb.name" . }}
         app.kubernetes.io/instance: {{ .Release.Name | quote }}
         app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+      {{- with .Values.tls.selfSigner.labels }}
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
     {{- with .Values.tls.selfSigner.annotations }}
       annotations: {{- toYaml . | nindent 8 }}
     {{- end }}
@@ -38,18 +41,15 @@ spec:
         runAsNonRoot: true
     {{- end }}
       restartPolicy: Never
-    {{- if or .Values.tls.selfSigner.nodeAffinity }}
-      affinity:
-      {{- with .Values.tls.selfSigner.nodeAffinity }}
-        nodeAffinity: {{- toYaml . | nindent 10 }}
-      {{- end }}
+    {{- with .Values.tls.selfSigner.affinity }}
+      affinity: {{- toYaml . | nindent 8 }}
     {{- end }}
-      {{- with .Values.tls.selfSigner.nodeSelector }}
+    {{- with .Values.tls.selfSigner.nodeSelector }}
       nodeSelector: {{- toYaml . | nindent 8 }}
-      {{- end }}
-      {{- with .Values.tls.selfSigner.tolerations }}
+    {{- end }}
+    {{- with .Values.tls.selfSigner.tolerations }}
       tolerations: {{- toYaml . | nindent 8 }}
-      {{- end }}
+    {{- end }}
       containers:
         - name: cert-generate-job
           image: "{{ .Values.tls.selfSigner.image.registry }}/{{ .Values.tls.selfSigner.image.repository }}:{{ .Values.tls.selfSigner.image.tag }}"
@@ -76,7 +76,7 @@ spec:
         {{- if and .Values.tls.certs.selfSigner.securityContext.enabled }}
           securityContext:
             allowPrivilegeEscalation: false
-            capabilities:  
+            capabilities:
               drop: ["ALL"]
         {{- end }}
       serviceAccountName: {{ template "selfcerts.fullname" . }}
diff --git a/cockroachdb/templates/job-cleaner.yaml b/cockroachdb/templates/job-cleaner.yaml
index 5b6dc52f..1503ac45 100644
--- a/cockroachdb/templates/job-cleaner.yaml
+++ b/cockroachdb/templates/job-cleaner.yaml
@@ -24,6 +24,12 @@ spec:
         app.kubernetes.io/name: {{ template "cockroachdb.name" . }}
         app.kubernetes.io/instance: {{ .Release.Name | quote }}
         app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
+      {{- with .Values.tls.selfSigner.labels }}
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+    {{- with .Values.tls.selfSigner.annotations }}
+      annotations: {{- toYaml . | nindent 8 }}
+    {{- end }}
     spec:
     {{- if and .Values.tls.certs.selfSigner.securityContext.enabled }}
       securityContext:
@@ -35,6 +41,15 @@ spec:
         runAsNonRoot: true
     {{- end }}
       restartPolicy: Never
+    {{- with .Values.tls.selfSigner.affinity }}
+      affinity: {{- toYaml . | nindent 8 }}
+    {{- end }}
+    {{- with .Values.tls.selfSigner.nodeSelector }}
+      nodeSelector: {{- toYaml . | nindent 8 }}
+    {{- end }}
+    {{- with .Values.tls.selfSigner.tolerations }}
+      tolerations: {{- toYaml . | nindent 8 }}
+    {{- end }}
       containers:
         - name: cleaner
           image: "{{ .Values.tls.selfSigner.image.registry }}/{{ .Values.tls.selfSigner.image.repository }}:{{ .Values.tls.selfSigner.image.tag }}"
@@ -48,7 +63,7 @@ spec:
         {{- if and .Values.tls.certs.selfSigner.securityContext.enabled }}
           securityContext:
             allowPrivilegeEscalation: false
-            capabilities:  
+            capabilities:
               drop: ["ALL"]
         {{- end }}
       serviceAccountName: {{ template "rotatecerts.fullname" . }}
diff --git a/cockroachdb/values.yaml b/cockroachdb/values.yaml
index aaa9e3da..44f79d41 100644
--- a/cockroachdb/values.yaml
+++ b/cockroachdb/values.yaml
@@ -541,6 +541,9 @@ tls:
       nodeCertExpiryWindow: 168h
 
   selfSigner:
+    # Additional labels to apply to the Pod of this Job.
+    labels: {}
+
     # Additional annotations to apply to the Pod of this Job.
     annotations: {}