diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json new file mode 100644 index 000000000..a6dd646db --- /dev/null +++ b/.devcontainer/devcontainer.json @@ -0,0 +1,11 @@ +{ + "name": "devcontainer", + "image": "ghcr.io/kubefirst/devcontainers/full:latest", + "features": {}, + "customizations": { + "vscode": { + "extensions": [], + "settings": {} + } + } +} diff --git a/.editorconfig b/.editorconfig new file mode 100644 index 000000000..8de40a7b5 --- /dev/null +++ b/.editorconfig @@ -0,0 +1,18 @@ +# editorconfig.org +root = true + +[*] +indent_style = space +indent_size = 2 +end_of_line = lf +charset = utf-8 +trim_trailing_whitespace = true +insert_final_newline = true + +[*.go] +indent_style = tab +indent_size = 4 + +[Makefile] +indent_style = tab +indent_size = 4 diff --git a/akamai-github/templates/mgmt/components/argo-workflows/vault-wait.yaml b/akamai-github/templates/mgmt/components/argo-workflows/vault-wait.yaml index 47beecc62..bde31a201 100644 --- a/akamai-github/templates/mgmt/components/argo-workflows/vault-wait.yaml +++ b/akamai-github/templates/mgmt/components/argo-workflows/vault-wait.yaml @@ -22,4 +22,3 @@ spec: selfHeal: true syncOptions: - CreateNamespace=true - - Replace=true diff --git a/akamai-github/templates/mgmt/components/argo-workflows/wait/vault-tls.yaml b/akamai-github/templates/mgmt/components/argo-workflows/wait/vault-tls.yaml index c90d10ff9..d0f9b3f66 100644 --- a/akamai-github/templates/mgmt/components/argo-workflows/wait/vault-tls.yaml +++ b/akamai-github/templates/mgmt/components/argo-workflows/wait/vault-tls.yaml @@ -23,6 +23,7 @@ kind: Job metadata: annotations: argocd.argoproj.io/sync-wave: '0' + argocd.argoproj.io/sync-options: Force=true,Replace=true name: wait-vault-tls namespace: vault spec: diff --git a/akamai-github/templates/mgmt/components/argocd/kustomization.yaml b/akamai-github/templates/mgmt/components/argocd/kustomization.yaml index 362b89122..907f8ba77 100644 
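Review bot: The `image` value pins the dev container to the mutable `latest` tag, so every rebuild pulls whatever `ghcr.io/kubefirst/devcontainers/full` currently resolves to and a retagged image silently changes the toolchain contributors run locally. Pin to a version tag plus digest, e.g. `"image": "ghcr.io/kubefirst/devcontainers/full:<version>@sha256:<digest>"`, and bump it deliberately. The `ghcr.io/kubefirst` path also predates the `konstructio` org used elsewhere in this commit, so it is worth confirming this is still the published location.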
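Review bot: `Force=true` on the `wait-vault-tls` Job makes Argo CD do a forced delete-and-recreate (`kubectl replace --force`) of the Job whenever it is out of sync, which is heavier than the situation calls for and will kill an in-flight wait pod on a self-heal. Jobs are immutable once created, so `Replace=true` alone is what lets a changed pod template be applied; `Force` only adds the forced deletion. Unless a stuck Job has actually been observed, `argocd.argoproj.io/sync-options: Replace=true` is the safer annotation.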
--- a/akamai-github/templates/mgmt/components/argocd/kustomization.yaml +++ b/akamai-github/templates/mgmt/components/argocd/kustomization.yaml @@ -5,7 +5,7 @@ namespace: argocd # To upgrade ArgoCD, increment the version here # https://github.com/argoproj/argo-cd/tags resources: - - github.com:kubefirst/manifests.git/argocd/cloud?ref=main + - github.com:konstructio/manifests.git/argocd/cloud?ref=v1.1.0 - argocd-ui-ingress.yaml - externalsecrets.yaml - argocd-oidc-restart-job.yaml diff --git a/akamai-github/templates/mgmt/components/kubefirst/console.yaml b/akamai-github/templates/mgmt/components/kubefirst/console.yaml index a7a0e7cc9..df130b7f1 100644 --- a/akamai-github/templates/mgmt/components/kubefirst/console.yaml +++ b/akamai-github/templates/mgmt/components/kubefirst/console.yaml @@ -8,8 +8,8 @@ metadata: spec: project: default source: - repoURL: https://charts.kubefirst.com - targetRevision: 2.4.14-rc22 + repoURL: https://charts.konstruct.io + targetRevision: 2.5.12-rc3 chart: kubefirst helm: values: |- diff --git a/akamai-github/terraform/akamai/main.tf b/akamai-github/terraform/akamai/main.tf index 0fcb71ab5..1c8ab565f 100644 --- a/akamai-github/terraform/akamai/main.tf +++ b/akamai-github/terraform/akamai/main.tf @@ -35,7 +35,7 @@ locals { resource "linode_lke_cluster" "kubefirst" { label = local.cluster_name - k8s_version = "1.28" + k8s_version = "1.30" region = "us-central" tags = [""] diff --git a/akamai-github/terraform/github/repos.tf b/akamai-github/terraform/github/repos.tf index 5126eb8a9..93e1e125c 100644 --- a/akamai-github/terraform/github/repos.tf +++ b/akamai-github/terraform/github/repos.tf @@ -26,7 +26,7 @@ terraform { module "gitops" { source = "./modules/repository" - repo_name = "gitops" + repo_name = " " archive_on_destroy = false auto_init = false # set to false if importing an existing repository team_developers_id = github_team.developers.id 
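Review bot: Moving from `ref=main` to `ref=v1.1.0` is an improvement, but a git tag is still mutable — anyone with push rights to `konstructio/manifests` can move or re-create the tag and this cluster's Argo CD install follows it on the next sync. Kustomize remote bases accept a full commit SHA in `ref=`, so `- github.com:konstructio/manifests.git/argocd/cloud?ref=<40-char-sha>` pins the Argo CD manifests immutably; keep the tag in the comment above for readability.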
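Review bot: `repo_name = " "` for the gitops module is a single space while the metaphor module in the next hunk uses `""`, so the two placeholders are not the same value. If these are template tokens the diff viewer stripped, the asymmetry still suggests one of them carries stray whitespace that would end up in the GitHub repository name; if they are literal, both are invalid repo names and `terraform validate` is the cheapest place to catch it. Either way the two should be identical, e.g. `repo_name = ""` here.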
@@ -55,7 +55,7 @@ variable "atlantis_repo_webhook_secret" { module "metaphor" { source = "./modules/repository" - repo_name = "metaphor" + repo_name = "" archive_on_destroy = false auto_init = false # set to false if importing an existing repository create_ecr = true diff --git a/akamai-github/terraform/github/teams.tf b/akamai-github/terraform/github/teams.tf index 355d21b5f..a77f9bae9 100644 --- a/akamai-github/terraform/github/teams.tf +++ b/akamai-github/terraform/github/teams.tf @@ -1,11 +1,11 @@ resource "github_team" "admins" { - name = "admins" + name = "" description = "administrators of the kubefirst platform" privacy = "closed" } resource "github_team" "developers" { - name = "developers" + name = "" description = "developers using the kubefirst plaftform" privacy = "closed" } diff --git a/akamai-github/terraform/users/admins/data_sources.tf b/akamai-github/terraform/users/admins/data_sources.tf index a454eea5f..1331a4653 100644 --- a/akamai-github/terraform/users/admins/data_sources.tf +++ b/akamai-github/terraform/users/admins/data_sources.tf @@ -1,5 +1,5 @@ data "github_team" "admins" { - slug = "admins" + slug = "" } data "vault_auth_backend" "userpass" { diff --git a/akamai-github/terraform/users/developers/data_sources.tf b/akamai-github/terraform/users/developers/data_sources.tf index 9c5d5c625..471e1c444 100644 --- a/akamai-github/terraform/users/developers/data_sources.tf +++ b/akamai-github/terraform/users/developers/data_sources.tf @@ -1,5 +1,5 @@ data "github_team" "developers" { - slug = "developers" + slug = "" } data "vault_auth_backend" "userpass" { diff --git a/akamai-github/terraform/users/users.tf b/akamai-github/terraform/users/users.tf index 672aa9857..d70c8fceb 100644 --- a/akamai-github/terraform/users/users.tf +++ b/akamai-github/terraform/users/users.tf 
@@ -20,11 +20,11 @@ terraform { } data "github_team" "admins" { - slug = "admins" + slug = "" } data "github_team" "developers" { - slug = "developers" + slug = "" } data "vault_auth_backend" "userpass" { @@ -32,7 +32,7 @@ data "vault_auth_backend" "userpass" { } data "vault_identity_group" "admins" { - group_name = "admins" + group_name = "" } variable "initial_password" { diff --git a/akamai-github/terraform/vault/oidc-groups.tf b/akamai-github/terraform/vault/oidc-groups.tf index 4da060600..b2cc82df9 100644 --- a/akamai-github/terraform/vault/oidc-groups.tf +++ b/akamai-github/terraform/vault/oidc-groups.tf @@ -1,5 +1,5 @@ resource "vault_identity_group" "developers" { - name = "developers" + name = "" type = "internal" policies = ["developer"] @@ -16,7 +16,7 @@ resource "vault_identity_group" "developers" { } resource "vault_identity_group" "admins" { - name = "admins" + name = "" type = "internal" policies = ["admin"] diff --git a/akamai-gitlab/atlantis.yaml b/akamai-gitlab/atlantis.yaml new file mode 100644 index 000000000..ed8f5cf2c --- /dev/null +++ b/akamai-gitlab/atlantis.yaml @@ -0,0 +1,23 @@ +version: 3 +automerge: true +projects: + - dir: terraform/ + terraform_version: 1.3.8 + autoplan: + enabled: true + when_modified: ['**/*.tf', '*.tf*'] + - dir: terraform/ + terraform_version: 1.3.8 + autoplan: + enabled: true + when_modified: ['**/*.tf', '*.tf*'] + - dir: terraform/users + terraform_version: 1.3.8 + autoplan: + enabled: true + when_modified: ['**/*.tf', '**/modules/*.tf', '**/admins/*.tf', '**/developers/*.tf', '*.tf*'] + - dir: terraform/vault + terraform_version: 1.3.8 + autoplan: + enabled: true + when_modified: ['**/*.tf', '*.tf*'] diff --git a/akamai-gitlab/registry/environments/.gitkeep b/akamai-gitlab/registry/environments/.gitkeep new file mode 100644 index 000000000..e69de29bb 
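Review bot: `projects` lists `dir: terraform/` twice with identical settings, so Atlantis plans (and, with `automerge: true`, auto-merges after applying) the same directory twice per PR; drop one of the two entries. With `automerge: true` the PR lands as soon as `atlantis apply` succeeds, so who may run apply is the real control — confirm the server-side repo config requires approval/mergeability, or, if the server allows the override, add `apply_requirements: [approved, mergeable]` to each project here. `terraform_version: 1.3.8` is also well behind current releases and is worth revisiting separately.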
diff --git a/akamai-gitlab/registry/environments/development/docker-config.yaml b/akamai-gitlab/registry/environments/development/docker-config.yaml new file mode 100644 index 000000000..abce40648 --- /dev/null +++ b/akamai-gitlab/registry/environments/development/docker-config.yaml @@ -0,0 +1,21 @@ +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: development-docker-config +spec: + refreshInterval: 10s + secretStoreRef: + name: vault-kv-secret + kind: ClusterSecretStore + target: + template: + type: kubernetes.io/dockerconfigjson + data: + .dockerconfigjson: "{{ .dockerconfig | toString }}" + name: docker-config + creationPolicy: Owner + data: + - secretKey: "dockerconfig" + remoteRef: + property: dockerconfig + key: dockerconfigjson diff --git a/akamai-gitlab/registry/environments/development/metaphor.yaml b/akamai-gitlab/registry/environments/development/metaphor.yaml new file mode 100644 index 000000000..729c9a8ea --- /dev/null +++ b/akamai-gitlab/registry/environments/development/metaphor.yaml @@ -0,0 +1,24 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: development-environment-metaphor + namespace: argocd + finalizers: + - resources-finalizer.argocd.argoproj.io + annotations: + argocd.argoproj.io/sync-wave: '45' +spec: + project: default + source: + repoURL: + path: registry/environments/development/metaphor + targetRevision: HEAD + destination: + name: in-cluster + namespace: development + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true diff --git a/akamai-gitlab/registry/environments/development/metaphor/Chart.yaml b/akamai-gitlab/registry/environments/development/metaphor/Chart.yaml new file mode 100644 index 000000000..add07d286 --- /dev/null +++ b/akamai-gitlab/registry/environments/development/metaphor/Chart.yaml 
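Review bot: `project: default` puts the `development` environment Application in Argo CD's unrestricted project, which permits any source repo, any destination namespace and any cluster-scoped resource kind, so a merged change under `registry/environments/development/metaphor` could create a ClusterRoleBinding or write into another namespace and the `automated` sync with `prune`/`selfHeal` would apply it without further review. This commit also adds an `argocd-projects` Application for the argocd-appprojects component; if it defines per-environment projects, reference one here (`project: development`), and if not, add one whose `destinations` is limited to the `development` namespace with an empty `clusterResourceWhitelist`. The staging and production copies in this commit have the same shape and should get the same treatment.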
@@ -0,0 +1,9 @@ +apiVersion: v2 +dependencies: + - name: metaphor + repository: http://chartmuseum.chartmuseum.svc.cluster.local:8080 + version: 0.0.1-rc.awaiting-ci +description: metaphor example application +name: metaphor +type: application +version: 1.0.0 diff --git a/akamai-gitlab/registry/environments/development/metaphor/values.yaml b/akamai-gitlab/registry/environments/development/metaphor/values.yaml new file mode 100644 index 000000000..5a2bd320e --- /dev/null +++ b/akamai-gitlab/registry/environments/development/metaphor/values.yaml @@ -0,0 +1,36 @@ +metaphor: + annotations: | + linkerd.io/inject: "enabled" + labels: | + mirror.linkerd.io/exported: "true" + image: + repository: /metaphor + imagePullSecrets: + - name: docker-config + ingress: + className: nginx + enabled: true + annotations: + + + + + nginx.ingress.kubernetes.io/service-upstream: "true" + hosts: + - host: metaphor-development. + paths: + - path: / + pathType: Prefix + tls: + - secretName: metaphor-tls + hosts: + - metaphor-development. + metaphor: + host: https://metaphor-development./api + console: https://kubefirst. + + clusterSecretStoreName: vault-kv-secret + vaultSecretPath: development/metaphor + configs: + configOne: development-config-one + configTwo: development-config-two diff --git a/akamai-gitlab/registry/environments/production/docker-config.yaml b/akamai-gitlab/registry/environments/production/docker-config.yaml new file mode 100644 index 000000000..a5bc0b0b0 --- /dev/null +++ b/akamai-gitlab/registry/environments/production/docker-config.yaml 
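Review bot: `dependencies[0].repository` is `http://chartmuseum.chartmuseum.svc.cluster.local:8080`, so the metaphor chart is fetched over plaintext inside the cluster with nothing verifying its integrity beyond the version string, and `0.0.1-rc.awaiting-ci` reads as a placeholder that CI is expected to overwrite rather than a pinned release. If Linkerd meshes both the Argo CD repo-server and chartmuseum the hop may be mTLS'd, but that is not visible here and the repo-server is not necessarily injected; confirm that, or expose chartmuseum over TLS using the cert-issuers component added in this commit. A one-line comment such as `# version is rewritten by the metaphor CI pipeline on each release` above `version:` would also stop a reader from treating the rc tag as a deliberate pin.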
@@ -0,0 +1,21 @@ +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: production-docker-config +spec: + refreshInterval: 10s + secretStoreRef: + name: vault-kv-secret + kind: ClusterSecretStore + target: + template: + type: kubernetes.io/dockerconfigjson + data: + .dockerconfigjson: "{{ .dockerconfig | toString }}" + name: docker-config + creationPolicy: Owner + data: + - secretKey: "dockerconfig" + remoteRef: + property: dockerconfig + key: dockerconfigjson diff --git a/akamai-gitlab/registry/environments/production/metaphor.yaml b/akamai-gitlab/registry/environments/production/metaphor.yaml new file mode 100644 index 000000000..67732dd26 --- /dev/null +++ b/akamai-gitlab/registry/environments/production/metaphor.yaml @@ -0,0 +1,24 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: production-environment-metaphor + namespace: argocd + finalizers: + - resources-finalizer.argocd.argoproj.io + annotations: + argocd.argoproj.io/sync-wave: "45" +spec: + project: default + source: + repoURL: + path: registry/environments/production/metaphor + targetRevision: HEAD + destination: + name: in-cluster + namespace: production + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true diff --git a/akamai-gitlab/registry/environments/production/metaphor/Chart.yaml b/akamai-gitlab/registry/environments/production/metaphor/Chart.yaml new file mode 100644 index 000000000..add07d286 --- /dev/null +++ b/akamai-gitlab/registry/environments/production/metaphor/Chart.yaml @@ -0,0 +1,9 @@ +apiVersion: v2 +dependencies: + - name: metaphor + repository: http://chartmuseum.chartmuseum.svc.cluster.local:8080 + version: 0.0.1-rc.awaiting-ci +description: metaphor example application +name: metaphor +type: application +version: 1.0.0 
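Review bot: The production chart depends on the same `0.0.1-rc.awaiting-ci` pre-release as the development and staging copies, so as written all three environments track whatever CI last pushed under that name and there is no promotion gate between them. If the intended flow is for a pipeline to bump `version:` per environment, say so in the file (`# bumped per environment by the metaphor release workflow; production must reference a tagged, non-rc version`); if not, production should reference an immutable released version rather than an rc placeholder. The plaintext `http://` chartmuseum endpoint applies here too.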
diff --git a/akamai-gitlab/registry/environments/production/metaphor/values.yaml b/akamai-gitlab/registry/environments/production/metaphor/values.yaml new file mode 100644 index 000000000..fa6fdc551 --- /dev/null +++ b/akamai-gitlab/registry/environments/production/metaphor/values.yaml @@ -0,0 +1,36 @@ +metaphor: + annotations: | + linkerd.io/inject: "enabled" + labels: | + mirror.linkerd.io/exported: "true" + image: + repository: /metaphor + imagePullSecrets: + - name: docker-config + ingress: + className: nginx + enabled: true + annotations: + + + + + nginx.ingress.kubernetes.io/service-upstream: "true" + hosts: + - host: metaphor-production. + paths: + - path: / + pathType: Prefix + tls: + - secretName: metaphor-tls + hosts: + - metaphor-production. + metaphor: + host: https://metaphor-production./api + console: https://kubefirst. + + clusterSecretStoreName: vault-kv-secret + vaultSecretPath: production/metaphor + configs: + configOne: production-config-one + configTwo: production-config-two diff --git a/akamai-gitlab/registry/environments/staging/docker-config.yaml b/akamai-gitlab/registry/environments/staging/docker-config.yaml new file mode 100644 index 000000000..ca0da599e --- /dev/null +++ b/akamai-gitlab/registry/environments/staging/docker-config.yaml @@ -0,0 +1,21 @@ +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: staging-docker-config +spec: + refreshInterval: 10s + secretStoreRef: + name: vault-kv-secret + kind: ClusterSecretStore + target: + template: + type: kubernetes.io/dockerconfigjson + data: + .dockerconfigjson: "{{ .dockerconfig | toString }}" + name: docker-config + creationPolicy: Owner + data: + - secretKey: "dockerconfig" + remoteRef: + property: dockerconfig + key: dockerconfigjson diff --git a/akamai-gitlab/registry/environments/staging/metaphor.yaml b/akamai-gitlab/registry/environments/staging/metaphor.yaml new file mode 100644 index 000000000..ffabfac66 --- /dev/null 
+++ b/akamai-gitlab/registry/environments/staging/metaphor.yaml @@ -0,0 +1,24 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: staging-environment-metaphor + namespace: argocd + finalizers: + - resources-finalizer.argocd.argoproj.io + annotations: + argocd.argoproj.io/sync-wave: '45' +spec: + project: default + source: + repoURL: + path: registry/environments/staging/metaphor + targetRevision: HEAD + destination: + name: in-cluster + namespace: staging + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true diff --git a/akamai-gitlab/registry/environments/staging/metaphor/Chart.yaml b/akamai-gitlab/registry/environments/staging/metaphor/Chart.yaml new file mode 100644 index 000000000..add07d286 --- /dev/null +++ b/akamai-gitlab/registry/environments/staging/metaphor/Chart.yaml @@ -0,0 +1,9 @@ +apiVersion: v2 +dependencies: + - name: metaphor + repository: http://chartmuseum.chartmuseum.svc.cluster.local:8080 + version: 0.0.1-rc.awaiting-ci +description: metaphor example application +name: metaphor +type: application +version: 1.0.0 diff --git a/akamai-gitlab/registry/environments/staging/metaphor/values.yaml b/akamai-gitlab/registry/environments/staging/metaphor/values.yaml new file mode 100644 index 000000000..c80894a39 --- /dev/null +++ b/akamai-gitlab/registry/environments/staging/metaphor/values.yaml 
@@ -0,0 +1,36 @@ +metaphor: + annotations: | + linkerd.io/inject: "enabled" + labels: | + mirror.linkerd.io/exported: "true" + image: + repository: /metaphor + imagePullSecrets: + - name: docker-config + ingress: + className: nginx + enabled: true + annotations: + + + + + nginx.ingress.kubernetes.io/service-upstream: "true" + hosts: + - host: metaphor-staging. + paths: + - path: / + pathType: Prefix + tls: + - secretName: metaphor-tls + hosts: + - metaphor-staging. + metaphor: + host: https://metaphor-staging./api + console: https://kubefirst. + + clusterSecretStoreName: vault-kv-secret + vaultSecretPath: staging/metaphor + configs: + configOne: staging-config-one + configTwo: staging-config-two diff --git a/akamai-gitlab/templates/mgmt/actions-runner-controller.yaml b/akamai-gitlab/templates/mgmt/actions-runner-controller.yaml new file mode 100644 index 000000000..fdc2e5883 --- /dev/null +++ b/akamai-gitlab/templates/mgmt/actions-runner-controller.yaml @@ -0,0 +1,31 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: actions-runner-controller-components + namespace: argocd + annotations: + argocd.argoproj.io/sync-wave: '50' +spec: + project: default + source: + repoURL: + path: registry/clusters//components/actions-runner-controller + targetRevision: HEAD + destination: + name: in-cluster + namespace: github-runner + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true + - ApplyOutOfSyncOnly=true + - Replace=true + - PruneLast=true + retry: + limit: 5 + backoff: + duration: 5s + maxDuration: 5m0s + factor: 2 diff --git a/akamai-gitlab/templates/mgmt/appprojects.yaml b/akamai-gitlab/templates/mgmt/appprojects.yaml new file mode 100644 index 000000000..a72971ae2 --- /dev/null +++ b/akamai-gitlab/templates/mgmt/appprojects.yaml 
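Review bot: `Replace=true` is set at Application level, so every resource under `components/actions-runner-controller` — the ExternalSecret and the ServiceAccount/Role/RoleBinding included — is applied with `kubectl replace` semantics on each sync instead of a three-way merge, which recreates objects rather than patching them and drops fields set by other controllers. The commit already shows the scoped form for the vault-tls wait Job (`argocd.argoproj.io/sync-options: Replace=true` on the Job itself); the same per-resource annotation on `wait-actions-runner-controller` would let you drop the Application-wide `- Replace=true` here and in the nested `actions-runner-contoller` Application.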
@@ -0,0 +1,24 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: argocd-projects + namespace: argocd + finalizers: + - resources-finalizer.argocd.argoproj.io + annotations: + argocd.argoproj.io/sync-wave: '0' +spec: + project: default + source: + repoURL: + path: registry/clusters//components/argocd-appprojects + targetRevision: HEAD + destination: + name: in-cluster + namespace: argocd + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true diff --git a/akamai-gitlab/templates/mgmt/argo-workflows.yaml b/akamai-gitlab/templates/mgmt/argo-workflows.yaml new file mode 100644 index 000000000..c3b3da006 --- /dev/null +++ b/akamai-gitlab/templates/mgmt/argo-workflows.yaml @@ -0,0 +1,22 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: argo-components + namespace: argocd + annotations: + argocd.argoproj.io/sync-wave: '50' +spec: + project: default + source: + repoURL: + path: registry/clusters//components/argo-workflows + targetRevision: HEAD + destination: + name: in-cluster + namespace: argo + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true diff --git a/akamai-gitlab/templates/mgmt/argocd.yaml b/akamai-gitlab/templates/mgmt/argocd.yaml new file mode 100644 index 000000000..aff31c243 --- /dev/null +++ b/akamai-gitlab/templates/mgmt/argocd.yaml 
@@ -0,0 +1,31 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: argocd-kustomized-app + namespace: argocd + annotations: + argocd.argoproj.io/sync-wave: '100' + finalizers: + - resources-finalizer.argocd.argoproj.io +spec: + destination: + namespace: argocd + name: in-cluster + project: default + source: + path: registry/clusters//components/argocd + repoURL: '' + targetRevision: HEAD + syncPolicy: + automated: + prune: true + selfHeal: true + retry: + limit: 5 + backoff: + duration: 5s + maxDuration: 5m0s + factor: 2 + syncOptions: + - CreateNamespace=true + - ServerSideApply=true diff --git a/akamai-gitlab/templates/mgmt/atlantis.yaml b/akamai-gitlab/templates/mgmt/atlantis.yaml new file mode 100644 index 000000000..7618ce235 --- /dev/null +++ b/akamai-gitlab/templates/mgmt/atlantis.yaml @@ -0,0 +1,28 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: atlantis-components + namespace: argocd + annotations: + argocd.argoproj.io/sync-wave: '50' +spec: + project: default + source: + repoURL: + path: registry/clusters//components/atlantis + targetRevision: HEAD + destination: + name: in-cluster + namespace: atlantis + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true + retry: + limit: 5 + backoff: + duration: 5s + maxDuration: 5m0s + factor: 2 diff --git a/akamai-gitlab/templates/mgmt/cert-issuers.yaml b/akamai-gitlab/templates/mgmt/cert-issuers.yaml new file mode 100644 index 000000000..e4a32c26f --- /dev/null +++ b/akamai-gitlab/templates/mgmt/cert-issuers.yaml 
@@ -0,0 +1,22 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: cert-issuers + namespace: argocd + annotations: + argocd.argoproj.io/sync-wave: '20' +spec: + project: default + source: + repoURL: + path: registry/clusters//components/cert-issuers + targetRevision: HEAD + destination: + name: in-cluster + namespace: cert-manager + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true diff --git a/akamai-gitlab/templates/mgmt/cert-manager.yaml b/akamai-gitlab/templates/mgmt/cert-manager.yaml new file mode 100644 index 000000000..da101a165 --- /dev/null +++ b/akamai-gitlab/templates/mgmt/cert-manager.yaml @@ -0,0 +1,22 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: cert-manager-components + namespace: argocd + annotations: + argocd.argoproj.io/sync-wave: '10' +spec: + project: default + source: + repoURL: + path: registry/clusters//components/cert-manager + targetRevision: HEAD + destination: + name: in-cluster + namespace: cert-manager + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true diff --git a/akamai-gitlab/templates/mgmt/chartmuseum.yaml b/akamai-gitlab/templates/mgmt/chartmuseum.yaml new file mode 100644 index 000000000..97e88125c --- /dev/null +++ b/akamai-gitlab/templates/mgmt/chartmuseum.yaml @@ -0,0 +1,22 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: chartmuseum-components + namespace: argocd + annotations: + argocd.argoproj.io/sync-wave: '50' +spec: + project: default + source: + repoURL: + path: registry/clusters//components/chartmuseum + targetRevision: HEAD + destination: + name: in-cluster + namespace: chartmuseum + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true 
diff --git a/akamai-gitlab/templates/mgmt/cloudflare-origin-ca-issuer.yaml b/akamai-gitlab/templates/mgmt/cloudflare-origin-ca-issuer.yaml new file mode 100644 index 000000000..a648c94d1 --- /dev/null +++ b/akamai-gitlab/templates/mgmt/cloudflare-origin-ca-issuer.yaml @@ -0,0 +1,32 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: cloudflare-cloudflare-origin-ca-issuer + namespace: argocd + annotations: + argocd.argoproj.io/sync-wave: '19' +spec: + project: default + source: + repoURL: ghcr.io/cloudflare/origin-ca-issuer-charts + chart: origin-ca-issuer + targetRevision: 0.5.2 + helm: + values: |- + global: + rbac: + create: true + controller: + image: + repository: cloudflare/origin-ca-issuer + tag: v0.6.1 + pullPolicy: Always + destination: + name: in-cluster + namespace: cert-manager + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true \ No newline at end of file diff --git a/akamai-gitlab/templates/mgmt/cloudflare-origin-issuer-crd.yaml b/akamai-gitlab/templates/mgmt/cloudflare-origin-issuer-crd.yaml new file mode 100644 index 000000000..a45cbbd69 --- /dev/null +++ b/akamai-gitlab/templates/mgmt/cloudflare-origin-issuer-crd.yaml @@ -0,0 +1,22 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: cloudflare-origin-issuer-crd + namespace: argocd + annotations: + argocd.argoproj.io/sync-wave: '19' +spec: + project: default + source: + repoURL: https://github.com/cloudflare/origin-ca-issuer + path: deploy/crds + targetRevision: v0.6.1 + destination: + name: in-cluster + namespace: cert-manager + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true \ No newline at end of file diff --git a/akamai-gitlab/templates/mgmt/cluster-secret-store.yaml b/akamai-gitlab/templates/mgmt/cluster-secret-store.yaml new file mode 100644 index 000000000..b41bcf86f --- /dev/null +++ b/akamai-gitlab/templates/mgmt/cluster-secret-store.yaml 
@@ -0,0 +1,28 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: cluster-secret-store + namespace: argocd + annotations: + argocd.argoproj.io/sync-wave: '40' +spec: + project: default + source: + repoURL: + path: registry/clusters//components/cluster-secret-store + targetRevision: HEAD + destination: + name: in-cluster + namespace: external-secrets-operator + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true + retry: + limit: 5 + backoff: + duration: 5s + maxDuration: 5m0s + factor: 2 diff --git a/akamai-gitlab/templates/mgmt/clusterrolebinding.yaml b/akamai-gitlab/templates/mgmt/clusterrolebinding.yaml new file mode 100644 index 000000000..35bf79f3a --- /dev/null +++ b/akamai-gitlab/templates/mgmt/clusterrolebinding.yaml 
@@ -0,0 +1,119 @@ +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: argocd-clusterrole + annotations: + argocd.argoproj.io/sync-wave: '0' +subjects: + - kind: ServiceAccount + name: argocd + namespace: argocd +roleRef: + kind: ClusterRole + name: admin + apiGroup: rbac.authorization.k8s.io +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: argo-clusterrole + annotations: + argocd.argoproj.io/sync-wave: '0' +subjects: + - kind: ServiceAccount + name: argo-server + namespace: argo +roleRef: + kind: ClusterRole + name: admin + apiGroup: rbac.authorization.k8s.io +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: github-runner-clusterrole + annotations: + argocd.argoproj.io/sync-wave: '0' +subjects: + - kind: ServiceAccount + name: github-runner + namespace: github-runner +roleRef: + kind: ClusterRole + name: admin + apiGroup: rbac.authorization.k8s.io +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: argo-admin-admin-clusterrole + annotations: + argocd.argoproj.io/sync-wave: '0' +subjects: + - kind: ServiceAccount + name: argo-admin + namespace: argo +roleRef: + kind: ClusterRole + name: admin + apiGroup: rbac.authorization.k8s.io +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: argo-admin-clusterrole + annotations: + argocd.argoproj.io/sync-wave: '0' +subjects: + - kind: ServiceAccount + name: argo-admin + namespace: argo +roleRef: + kind: ClusterRole + name: argo-admin + apiGroup: rbac.authorization.k8s.io +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: argo-developer-clusterrole + annotations: + argocd.argoproj.io/sync-wave: '0' +subjects: + - kind: ServiceAccount + name: argo-developer + namespace: argo +roleRef: + kind: ClusterRole + name: argo-view + apiGroup: rbac.authorization.k8s.io +--- +apiVersion: 
rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: argocd-admin-crb + annotations: + argocd.argoproj.io/sync-wave: '0' +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: admin +subjects: + - kind: ServiceAccount + name: argocd-server + namespace: argocd +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: argocd-crossplane-admin-crb + annotations: + argocd.argoproj.io/sync-wave: '0' +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: crossplane-admin +subjects: + - kind: ServiceAccount + name: argocd-server + namespace: argocd diff --git a/akamai-gitlab/templates/mgmt/clusters.yaml b/akamai-gitlab/templates/mgmt/clusters.yaml new file mode 100644 index 000000000..15dc510fd --- /dev/null +++ b/akamai-gitlab/templates/mgmt/clusters.yaml @@ -0,0 +1,25 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: clusters + namespace: argocd + finalizers: + - resources-finalizer.argocd.argoproj.io + annotations: + argocd.argoproj.io/sync-wave: '1000' +spec: + project: default + source: + repoURL: + path: registry/clusters//components/clusters + targetRevision: HEAD + destination: + name: in-cluster + namespace: argocd + syncPolicy: + automated: + prune: true + selfHeal: true + allowEmpty: true + syncOptions: + - CreateNamespace=true diff --git a/akamai-gitlab/templates/mgmt/components/actions-runner-controller/application.yaml b/akamai-gitlab/templates/mgmt/components/actions-runner-controller/application.yaml new file mode 100644 index 000000000..eda48ffcf --- /dev/null +++ b/akamai-gitlab/templates/mgmt/components/actions-runner-controller/application.yaml 
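Review bot: `github-runner-clusterrole` binds the `github-runner` ServiceAccount to the built-in `admin` ClusterRole through a ClusterRoleBinding, which grants admin on every namespace in the cluster — including `get`/`list` on Secrets in `vault`, `argocd`, `atlantis` and the environment pull secrets — and if that is the ServiceAccount the runner pods use (the ARC values here do not override it), it is the identity under which code from pull requests executes. Unless the runners genuinely need to administer the whole cluster, bind them with a namespaced RoleBinding in `github-runner` (or a purpose-built ClusterRole without `secrets`) and let deployments go through Argo CD. The same pattern is repeated for `argo-server`, `argo-admin`, `argocd` and `argocd-server`: `argo-admin` is bound to both `admin` and `argo-admin` in consecutive bindings so one is redundant, `argocd` is not a ServiceAccount a stock Argo CD install creates, and `argocd-server` is the API server rather than the component that reconciles resources, so its cluster-wide `admin` plus `crossplane-admin` are worth re-deriving from what each pod actually does. A comment per binding stating why cluster scope is required (`# cluster-wide: runners create namespaces for ephemeral test envs`, or similar) would make future reviews cheaper.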
@@ -0,0 +1,134 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: actions-runner-contoller + namespace: argocd + annotations: + argocd.argoproj.io/sync-wave: '10' +spec: + project: default + source: + repoURL: https://actions-runner-controller.github.io/actions-runner-controller + targetRevision: 0.20.2 + helm: + values: |- + labels: {} + + replicaCount: 1 + + webhookPort: 9443 + syncPeriod: 1m + defaultScaleDownDelay: 10m + + enableLeaderElection: true + authSecret: + enabled: true + name: "controller-manager" + + dockerRegistryMirror: "" + image: + repository: "summerwind/actions-runner-controller" + actionsRunnerRepositoryAndTag: "summerwind/actions-runner:latest" + dindSidecarRepositoryAndTag: "docker:dind" + pullPolicy: IfNotPresent + # The default image-pull secrets name for self-hosted runner container. + # It's added to spec.ImagePullSecrets of self-hosted runner pods. + actionsRunnerImagePullSecrets: [] + + imagePullSecrets: [] + nameOverride: "" + fullnameOverride: "" + + runner: + statusUpdateHook: + enabled: false + + rbac: + {} + + serviceAccount: + create: true + annotations: {} + name: "" + + podAnnotations: {} + + podLabels: {} + + podSecurityContext: + {} + + securityContext: + {} + + service: + type: ClusterIP + port: 443 + annotations: {} + + metrics: + serviceAnnotations: {} + serviceMonitor: false + serviceMonitorLabels: {} + port: 8443 + proxy: + enabled: true + image: + repository: quay.io/brancz/kube-rbac-proxy + tag: v0.13.0 + + resources: + {} + + nodeSelector: {} + + tolerations: [] + + affinity: {} + + podDisruptionBudget: + enabled: false + + priorityClassName: "" + + env: + {} + # specify additional environment variables for the controller pod. 
+ # It's possible to specify either key vale pairs e.g.: + # http_proxy: "proxy.com:8080" + # https_proxy: "proxy.com:8080" + # no_proxy: "" + + # or a list of complete environment variable definitions e.g.: + # - name: GITHUB_APP_INSTALLATION_ID + # valueFrom: + # secretKeyRef: + # key: some_key_in_the_secret + # name: some-secret-name + # optional: true + + additionalVolumes: [] + + additionalVolumeMounts: [] + + scope: + singleNamespace: false + watchNamespace: "" + + certManagerEnabled: true + + admissionWebHooks: + {} + chart: actions-runner-controller + destination: + name: in-cluster + namespace: github-runner + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true + - ApplyOutOfSyncOnly=true + - Replace=true + - PruneLast=true diff --git a/akamai-gitlab/templates/mgmt/components/actions-runner-controller/externalsecret.yaml b/akamai-gitlab/templates/mgmt/components/actions-runner-controller/externalsecret.yaml new file mode 100644 index 000000000..8d2657e16 --- /dev/null +++ b/akamai-gitlab/templates/mgmt/components/actions-runner-controller/externalsecret.yaml @@ -0,0 +1,18 @@ +apiVersion: external-secrets.io/v1alpha1 +kind: ExternalSecret +metadata: + name: controller-manager + namespace: github-runner + annotations: + argocd.argoproj.io/sync-wave: '0' +spec: + target: + name: controller-manager + secretStoreRef: + kind: ClusterSecretStore + name: vault-kv-secret + data: + - remoteRef: + key: ci-secrets + property: PERSONAL_ACCESS_TOKEN + secretKey: github_token diff --git a/akamai-gitlab/templates/mgmt/components/actions-runner-controller/wait.yaml b/akamai-gitlab/templates/mgmt/components/actions-runner-controller/wait.yaml new file mode 100644 index 000000000..3d73dde85 --- /dev/null +++ b/akamai-gitlab/templates/mgmt/components/actions-runner-controller/wait.yaml 
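Review bot: `metadata.name: actions-runner-contoller` is misspelled (missing an `r`); fixing it later renames the Application and forces a delete/recreate, so correct it before this template ships. In the Helm values, `actionsRunnerRepositoryAndTag: "summerwind/actions-runner:latest"` and `dindSidecarRepositoryAndTag: "docker:dind"` are both unpinned Docker Hub tags, and the dind sidecar runs as a privileged container in every runner pod — pin both to a specific tag or digest so the code executing PR workflows does not change underneath you. `scope.singleNamespace: false` with `watchNamespace: ""` gives the controller cluster-wide watch, which together with the `admin` ClusterRoleBinding elsewhere in this commit is more than a single-namespace runner install needs; `singleNamespace: true` keeps it inside `github-runner`. Chart `0.20.2` is the community summerwind ARC, which upstream appears to have moved to maintenance in favour of GitHub's own controller, so a comment noting this is a deliberate choice would help.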
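Review bot: This ExternalSecret uses `apiVersion: external-secrets.io/v1alpha1` while every other ExternalSecret in the commit (the `*-docker-config` ones) uses `v1beta1`; the alpha API has been deprecated for a long time and is dropped in recent External Secrets releases, so this object will fail to apply against a newer operator — switch to `external-secrets.io/v1beta1` (the `spec` here is valid in both). The secret maps `ci-secrets/PERSONAL_ACCESS_TOKEN` into ARC's `controller-manager` secret as `github_token`, i.e. the runner controller authenticates with a user PAT tied to one person's account; ARC also accepts GitHub App credentials in the same secret (`github_app_id`, `github_app_installation_id`, `github_app_private_key`), which are scoped to the installation and are the better choice for a platform component.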
@@ -0,0 +1,59 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: k8s-toolkit-arc + namespace: github-runner +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: k8s-toolkit-arc + namespace: github-runner +rules: + - apiGroups: + - apps + resources: + - deployments + - statefulsets + verbs: + - get + - watch + - list +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: k8s-toolkit-arc + namespace: github-runner +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: k8s-toolkit-arc +subjects: + - kind: ServiceAccount + name: k8s-toolkit-arc + namespace: github-runner +--- +apiVersion: batch/v1 +kind: Job +metadata: + annotations: + argocd.argoproj.io/sync-wave: '20' + name: wait-actions-runner-controller + namespace: github-runner +spec: + template: + spec: + containers: + - args: + - wait-for + - deployment + - --namespace + - github-runner + - --label + - app.kubernetes.io/name=actions-runner-controller + image: public.ecr.aws/kubefirst/kubernetes-toolkit:0.0.8 + imagePullPolicy: IfNotPresent + name: wait + restartPolicy: OnFailure + serviceAccountName: k8s-toolkit-arc diff --git a/akamai-gitlab/templates/mgmt/components/argo-workflows/application.yaml b/akamai-gitlab/templates/mgmt/components/argo-workflows/application.yaml new file mode 100644 index 000000000..6c5decdd0 --- /dev/null +++ b/akamai-gitlab/templates/mgmt/components/argo-workflows/application.yaml 
@@ -0,0 +1,91 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: argo + namespace: argocd + annotations: + argocd.argoproj.io/sync-wave: '10' +spec: + project: default + source: + repoURL: https://argoproj.github.io/argo-helm + targetRevision: 0.20.1 + helm: + values: |- + nameOverride: argo + executor: + resources: + requests: + cpu: 200m + memory: 256Mi + limits: + cpu: 1 + memory: 1024Mi + server: + secure: false + extraArgs: + - --auth-mode=client + - --auth-mode=sso + ingress: + enabled: true + ingressClassName: nginx + annotations: + + + + + hosts: + - argo. + paths: + - / + pathType: Prefix + tls: + - secretName: argo-tls + hosts: + - argo. + sso: + issuer: https://vault./v1/identity/oidc/provider/kubefirst + clientId: + name: argo-secrets + key: client-id + clientSecret: + name: argo-secrets + key: client-secret + redirectUrl: https://argo./oauth2/callback + scopes: + - email + - openid + - groups + - user + - profile + # RBAC Config. >= v2.12 + rbac: + enabled: true + useDefaultArtifactRepo: true + useStaticCredentials: true + artifactRepository: + archiveLogs: false + s3: + accessKeySecret: + name: ci-secrets + key: accesskey + secretKeySecret: + name: ci-secrets + key: secretkey + insecure: false + bucket: + endpoint: us-east-1.linodeobjects.com + region: us-east-1 + useSDKCreds: false + encryptionOptions: + enableEncryption: false + chart: argo-workflows + destination: + name: in-cluster + namespace: argo + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true diff --git a/akamai-gitlab/templates/mgmt/components/argo-workflows/argo-workflows-cwfts.yaml b/akamai-gitlab/templates/mgmt/components/argo-workflows/argo-workflows-cwfts.yaml new file mode 100644 index 000000000..d67cd4efc --- /dev/null +++ b/akamai-gitlab/templates/mgmt/components/argo-workflows/argo-workflows-cwfts.yaml 
@@ -0,0 +1,22 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: argo-cwfts + namespace: argocd + annotations: + argocd.argoproj.io/sync-wave: '30' +spec: + project: default + source: + repoURL: + path: registry/clusters//components/argo-workflows/cwfts + targetRevision: HEAD + destination: + name: in-cluster + namespace: argo + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true diff --git a/akamai-gitlab/templates/mgmt/components/argo-workflows/cloudflareissuer.yaml b/akamai-gitlab/templates/mgmt/components/argo-workflows/cloudflareissuer.yaml new file mode 100644 index 000000000..0e2593d4e --- /dev/null +++ b/akamai-gitlab/templates/mgmt/components/argo-workflows/cloudflareissuer.yaml @@ -0,0 +1,31 @@ +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: cloudflare-creds + namespace: argo + annotations: + argocd.argoproj.io/sync-wave: "0" +spec: + target: + name: cloudflare-creds + secretStoreRef: + kind: ClusterSecretStore + name: vault-kv-secret + refreshInterval: 10s + data: + - remoteRef: + key: cloudflare + property: origin-ca-api-key + secretKey: origin-ca-api-key +--- +apiVersion: cert-manager.k8s.cloudflare.com/v1 +kind: OriginIssuer +metadata: + name: cloudflare-origin-issuer + namespace: argo +spec: + requestType: OriginECC + auth: + serviceKeyRef: + key: origin-ca-api-key + name: cloudflare-creds diff --git a/akamai-gitlab/templates/mgmt/components/argo-workflows/cwfts/cwft-git.yaml b/akamai-gitlab/templates/mgmt/components/argo-workflows/cwfts/cwft-git.yaml new file mode 100644 index 000000000..f49e9056e --- /dev/null +++ b/akamai-gitlab/templates/mgmt/components/argo-workflows/cwfts/cwft-git.yaml 
@@ -0,0 +1,178 @@ +apiVersion: argoproj.io/v1alpha1 +kind: ClusterWorkflowTemplate +metadata: + name: cwft-git + annotations: + argocd.argoproj.io/sync-wave: '55' +spec: + templates: + - name: checkout-with-gitops-ssh + inputs: + parameters: + - name: appName + - name: branch + default: main + - name: gitUrlNoProtocol + artifacts: + - name: repo-source + path: '/src/{{inputs.parameters.appName}}' + git: + repo: '{{inputs.parameters.gitUrlNoProtocol}}/{{inputs.parameters.appName}}.git' + branch: '{{inputs.parameters.branch}}' + singleBranch: true + insecureIgnoreHostKey: true + sshPrivateKeySecret: + name: ci-secrets + key: SSH_PRIVATE_KEY + - name: gitops-source + path: /src/gitops + git: + repo: '{{inputs.parameters.gitUrlNoProtocol}}/gitops.git' + branch: 'main' + singleBranch: true + insecureIgnoreHostKey: true + sshPrivateKeySecret: + name: ci-secrets + key: SSH_PRIVATE_KEY + container: + image: golang:latest + command: ['/bin/sh', '-c'] + args: + - ls -la /src && + ls -la /src/{{inputs.parameters.appName}} + outputs: + artifacts: + - name: repo-source + path: /src + - name: checkout-with-gitops-https + inputs: + parameters: + - name: appName + - name: branch + default: main + - name: gitUrlNoProtocol + artifacts: + - name: repo-source + path: '/src/{{inputs.parameters.appName}}' + git: + repo: '{{inputs.parameters.gitUrlNoProtocol}}/{{inputs.parameters.appName}}.git' + branch: '{{inputs.parameters.branch}}' + singleBranch: true + insecureIgnoreHostKey: true + usernameSecret: + name: ci-secrets + key: BASIC_AUTH_USER + passwordSecret: + name: ci-secrets + key: PERSONAL_ACCESS_TOKEN + - name: gitops-source + path: /src/gitops + git: + repo: '{{inputs.parameters.gitUrlNoProtocol}}/gitops.git' + branch: 'main' + singleBranch: true + insecureIgnoreHostKey: true + usernameSecret: + name: ci-secrets + key: BASIC_AUTH_USER + passwordSecret: + name: ci-secrets + key: PERSONAL_ACCESS_TOKEN + container: + image: golang:latest + command: ['/bin/sh', '-c'] + args: + - ls 
-la /src && + ls -la /src/{{inputs.parameters.appName}} + outputs: + artifacts: + - name: repo-source + path: /src + - name: pull-commit-push-ssh + retryStrategy: + limit: '5' + # todo get ssh item not all secrets + volumes: + - name: ssh-key + secret: + defaultMode: 256 + secretName: ci-secrets + inputs: + artifacts: + - name: repo-source + path: /src + parameters: + - name: commitMessage + - name: gitUrlNoProtocol + - name: repoName + container: + workingDir: '/src/{{inputs.parameters.repoName}}' + image: golang:latest + command: ['/bin/sh', '-c'] + volumeMounts: + - mountPath: '/mnt/secrets' + name: ssh-key + readOnly: true + args: + - set -e; + + eval `ssh-agent -s`; + mkdir $HOME/.ssh; + cat /mnt/secrets/SSH_PRIVATE_KEY > $HOME/.ssh/id_ed25519; + echo -n "\\n" >> $HOME/.ssh/id_ed25519; + chmod 0600 $HOME/.ssh/id_ed25519; + ssh-add $HOME/.ssh/id_ed25519; + + echo "Host *" >> $HOME/.ssh/config; + echo " StrictHostKeyChecking no" >> $HOME/.ssh/config; + echo " User git" >> $HOME/.ssh/config; + echo " IdentitiesOnly yes" >> $HOME/.ssh/config; + echo " UserKnownHostsFile /dev/null" >> $HOME/.ssh/config; + chmod 0700 $HOME/.ssh/config; + + git config --global user.email 'k-ray@example.com'; + git config --global user.name 'kbot'; + git remote set-url origin '{{inputs.parameters.gitUrlNoProtocol}}/{{inputs.parameters.repoName}}.git'; + git remote -v; + git status; + git pull; + git add .; + git commit -m "{{inputs.parameters.commitMessage}}" || echo "Assuming this was committed on previous run, not erroring out" ; + git push; + - name: pull-commit-push-https + retryStrategy: + limit: '5' + # todo get ssh item not all secrets + inputs: + artifacts: + - name: repo-source + path: /src + parameters: + - name: commitMessage + - name: gitUrlNoProtocol + - name: repoName + container: + workingDir: '/src/{{inputs.parameters.repoName}}' + image: golang:latest + command: ['/bin/bash', '-c'] + env: + - name: GIT_TOKEN + valueFrom: + secretKeyRef: + name: ci-secrets + key: 
PERSONAL_ACCESS_TOKEN + args: + - set -e; + + git config --global user.email 'k-ray@example.com'; + git config --global user.name 'kbot'; + echo "set url to https://kbot:token@.com/the_rest_of_the input slug"; + input_url='{{inputs.parameters.gitUrlNoProtocol}}/{{inputs.parameters.repoName}}.git'; + origin_url="${input_url/"https://.com"/"https://kbot:$GIT_TOKEN@.com"}"; + git remote set-url origin $origin_url; + git remote -v; + git status; + git pull; + git add .; + git commit -m "{{inputs.parameters.commitMessage}}" || echo "Assuming this was committed on previous run, not erroring out" ; + git push; diff --git a/akamai-gitlab/templates/mgmt/components/argo-workflows/cwfts/cwft-helm.yaml b/akamai-gitlab/templates/mgmt/components/argo-workflows/cwfts/cwft-helm.yaml new file mode 100644 index 000000000..795309cb0 --- /dev/null +++ b/akamai-gitlab/templates/mgmt/components/argo-workflows/cwfts/cwft-helm.yaml 
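Review bot: In `pull-commit-push-https`, `git remote -v;` runs right after `git remote set-url origin $origin_url` where `origin_url` embeds `kbot:$GIT_TOKEN@`, so the personal access token is printed into the workflow log on every run (and persists in the checkout's `.git/config`). Drop that line, or print a redacted form such as `git remote get-url origin | sed 's#//[^@]*@#//#'`, and consider passing the token via a credential helper or `http.extraHeader` instead of the URL; the matching `git remote -v;` in `pull-commit-push-ssh` is harmless but can go for consistency. The `# todo get ssh item not all secrets` comment is accurate: the `ssh-key` volume mounts the entire `ci-secrets` Secret, so a compromised job can read `PERSONAL_ACCESS_TOKEN`, `BASIC_AUTH_USER` and every other key, and restricting the volume with `secret.items` to `SSH_PRIVATE_KEY` closes that. `insecureIgnoreHostKey: true` on every git artifact plus `StrictHostKeyChecking no` / `UserKnownHostsFile /dev/null` in the generated ssh config disables host verification entirely; a pinned `known_hosts` entry for the git host (mounted from a ConfigMap) keeps the clone and push resistant to interception.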
@@ -0,0 +1,129 @@ +apiVersion: argoproj.io/v1alpha1 +kind: ClusterWorkflowTemplate +metadata: + name: cwft-helm + annotations: + argocd.argoproj.io/sync-wave: '55' +spec: + templates: + - name: get-chart-version + inputs: + artifacts: + - name: repo-source + path: /src + parameters: + - name: appName + - name: chartDir + script: + image: kubefirst/chubbo:0.2 + command: [python3] + workingDir: '/src/{{inputs.parameters.appName}}' + source: | + import yaml, semver + with open('./{{inputs.parameters.chartDir}}/Chart.yaml') as f: + chart_yaml = yaml.load(f, Loader=yaml.FullLoader) + print(chart_yaml['version']) + - name: set-chart-versions + inputs: + artifacts: + - name: repo-source + path: /src + parameters: + - name: appName + - name: chartDir + - name: chartVersion + - name: shortSha + script: + image: kubefirst/chubbo:0.2 + command: [bash] + workingDir: '/src/{{inputs.parameters.appName}}' + source: | + set -e + NEW_CHART_VERSION={{inputs.parameters.chartVersion}} + echo "setting ./{{inputs.parameters.chartDir}}/Chart.yaml to version: ${NEW_CHART_VERSION}" + sed -i "s/version:.*/version: ${NEW_CHART_VERSION}/g" /src/{{inputs.parameters.appName}}/{{inputs.parameters.chartDir}}/Chart.yaml + echo "setting ./{{inputs.parameters.chartDir}}/Chart.yaml to appVersion: {{inputs.parameters.shortSha}}" + sed -i "s/appVersion:.*/appVersion: '{{inputs.parameters.shortSha}}'/g" /src/{{inputs.parameters.appName}}/{{inputs.parameters.chartDir}}/Chart.yaml + echo "adjusted chart:" + cat /src/{{inputs.parameters.appName}}/{{inputs.parameters.chartDir}}/Chart.yaml + outputs: + artifacts: + - name: repo-source + path: /src + - name: publish-chart + retryStrategy: + limit: '5' + inputs: + artifacts: + - name: repo-source + path: /src + parameters: + - name: appName + - name: chartDir + container: + image: kubefirst/chubbo:0.2 + command: ['bash', '-c'] + workingDir: '/src/{{inputs.parameters.appName}}' + args: + - helm repo add kubefirst 
http://chartmuseum.chartmuseum.svc.cluster.local:8080 --username ${BASIC_AUTH_USER} --password ${BASIC_AUTH_PASS} || bash -c "sleep 10 && echo 'waiting before trying again' && exit 1"; + helm push {{inputs.parameters.chartDir}} kubefirst || bash -c "sleep 10 && echo 'waiting before trying again' && exit 1"; + env: + - name: BASIC_AUTH_PASS + valueFrom: + secretKeyRef: + name: ci-secrets + key: BASIC_AUTH_PASS + - name: BASIC_AUTH_USER + valueFrom: + secretKeyRef: + name: ci-secrets + key: BASIC_AUTH_USER + - name: set-environment-version + inputs: + artifacts: + - name: repo-source + path: /src + parameters: + - name: chartVersion + - name: environment + - name: fullChartPath + script: + image: kubefirst/chubbo:0.2 + command: [bash] + workingDir: '/src/gitops' + source: | + set -e + echo "setting wrapper Chart.yaml to version: {{inputs.parameters.chartVersion}}" + sed -i "s/ version:.*/ version: {{inputs.parameters.chartVersion}}/g" "{{inputs.parameters.fullChartPath}}" + echo "updated {{inputs.parameters.environment}} wrapper chart version to {{inputs.parameters.chartVersion}}" + outputs: + artifacts: + - name: repo-source + path: /src + - name: increment-chart-minor + inputs: + artifacts: + - name: repo-source + path: /src + parameters: + - name: appName + - name: chartDir + - name: chartVersion + script: + image: kubefirst/chubbo:0.2 + command: [python3] + workingDir: '/src/{{inputs.parameters.appName}}' + source: | + import yaml, semver + with open('./{{inputs.parameters.chartDir}}/Chart.yaml') as f: + chart_yaml = yaml.load(f, Loader=yaml.FullLoader) + chart_version = semver.parse('{{inputs.parameters.chartVersion}}') + next_chart_version = '{}.{}.0'.format(chart_version['major'],chart_version['minor']+1) + chart_yaml['version'] = next_chart_version + with open('./{{inputs.parameters.chartDir}}/Chart.yaml', 'w') as f: + yaml.dump(chart_yaml, f) + print('prepared next release in {{inputs.parameters.chartDir}} with bumped chart version after releasing 
{}'.format(next_chart_version)) + outputs: + artifacts: + - name: repo-source + path: /src diff --git a/akamai-gitlab/templates/mgmt/components/argo-workflows/cwfts/cwft-kaniko.yaml b/akamai-gitlab/templates/mgmt/components/argo-workflows/cwfts/cwft-kaniko.yaml new file mode 100644 index 000000000..02d9b8986 --- /dev/null +++ b/akamai-gitlab/templates/mgmt/components/argo-workflows/cwfts/cwft-kaniko.yaml 
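Review bot: `get-chart-version` and `increment-chart-minor` parse `Chart.yaml` from the checked-out application repo with `yaml.load(f, Loader=yaml.FullLoader)`; that file is controlled by whoever can push to the repo, and `FullLoader` still resolved some Python-specific tags in older PyYAML releases, so `yaml.safe_load(f)` is the right call for a plain Chart.yaml. In `set-chart-versions`, `sed -i "s/version:.*/version: ${NEW_CHART_VERSION}/g"` is not anchored to the start of the line, so if the chart declares `dependencies:` every nested `version:` entry is rewritten to the chart's own version; `s/^version:.*/version: ${NEW_CHART_VERSION}/` avoids that (the `set-environment-version` template already relies on the leading-space form for the wrapper chart). In `publish-chart`, `--password ${BASIC_AUTH_PASS}` places the ChartMuseum credential on the helm command line where it is visible in the container's process table; `--password-stdin` keeps it out of argv if the helm in `kubefirst/chubbo:0.2` supports it. `semver.parse(...)` returning a dict is the python-semver 2.x API that later releases deprecate, so `increment-chart-minor` depends on the library version baked into the image — a one-line comment noting that would save the next person a debugging session.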
@@ -0,0 +1,84 @@ +apiVersion: argoproj.io/v1alpha1 +kind: ClusterWorkflowTemplate +metadata: + name: cwft-kaniko +spec: + entrypoint: build-push + templates: + - name: build-push-ssh + inputs: + parameters: + - name: appName + - name: branch + - name: containerRegistryURL + - name: gitUrlNoProtocol + artifacts: + - name: app-source + path: '/src/{{inputs.parameters.appName}}' + git: + repo: '{{inputs.parameters.gitUrlNoProtocol}}/{{inputs.parameters.appName}}.git' + branch: '{{inputs.parameters.branch}}' + singleBranch: true + insecureIgnoreHostKey: true + sshPrivateKeySecret: + name: ci-secrets + key: SSH_PRIVATE_KEY + volumes: + - name: docker-config + secret: + secretName: 'container-registry-auth' + container: + image: gcr.io/kaniko-project/executor:latest + volumeMounts: + - name: docker-config + mountPath: /.docker + env: + - name: DOCKER_CONFIG + value: /.docker + args: + - '--dockerfile' + - 'Dockerfile' + - '--context' + - 'dir:///src/{{inputs.parameters.appName}}/' + - '--destination' + - '{{inputs.parameters.containerRegistryURL}}' + - name: build-push-https + inputs: + parameters: + - name: appName + - name: branch + - name: containerRegistryURL + - name: gitUrlNoProtocol + artifacts: + - name: app-source + path: '/src/{{inputs.parameters.appName}}' + git: + repo: '{{inputs.parameters.gitUrlNoProtocol}}/{{inputs.parameters.appName}}.git' + branch: '{{inputs.parameters.branch}}' + singleBranch: true + insecureIgnoreHostKey: true + usernameSecret: + name: ci-secrets + key: BASIC_AUTH_USER + passwordSecret: + name: ci-secrets + key: PERSONAL_ACCESS_TOKEN + volumes: + - name: docker-config + secret: + secretName: 'container-registry-auth' + container: + image: gcr.io/kaniko-project/executor:latest + volumeMounts: + - name: docker-config + mountPath: /.docker + env: + - name: DOCKER_CONFIG + value: /.docker + args: + - '--dockerfile' + - 'Dockerfile' + - '--context' + - 'dir:///src/{{inputs.parameters.appName}}/' + - '--destination' + - 
'{{inputs.parameters.containerRegistryURL}}' diff --git a/akamai-gitlab/templates/mgmt/components/argo-workflows/externalsecret.yaml b/akamai-gitlab/templates/mgmt/components/argo-workflows/externalsecret.yaml new file mode 100644 index 000000000..a276c8c48 --- /dev/null +++ b/akamai-gitlab/templates/mgmt/components/argo-workflows/externalsecret.yaml @@ -0,0 +1,59 @@ +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: ci-secrets + namespace: argo + annotations: + argocd.argoproj.io/sync-wave: '0' +spec: + target: + name: ci-secrets + secretStoreRef: + kind: ClusterSecretStore + name: vault-kv-secret + refreshInterval: 10s + dataFrom: + - extract: + key: /ci-secrets +--- +apiVersion: 'external-secrets.io/v1beta1' +kind: ExternalSecret +metadata: + name: argo-secrets + annotations: + argocd.argoproj.io/sync-wave: '0' +spec: + target: + name: argo-secrets + secretStoreRef: + kind: ClusterSecretStore + name: vault-kv-secret + refreshInterval: 10s + data: + - remoteRef: + key: oidc/argo + property: client_id + secretKey: client-id + - remoteRef: + key: oidc/argo + property: client_secret + secretKey: client-secret +--- +apiVersion: 'external-secrets.io/v1beta1' +kind: ExternalSecret +metadata: + name: container-registry-auth + annotations: + argocd.argoproj.io/sync-wave: '0' +spec: + target: + name: container-registry-auth + secretStoreRef: + kind: ClusterSecretStore + name: vault-kv-secret + refreshInterval: 10s + data: + - remoteRef: + key: registry-auth + property: auth + secretKey: config.json diff --git a/akamai-gitlab/templates/mgmt/components/argo-workflows/serviceaccount.yaml b/akamai-gitlab/templates/mgmt/components/argo-workflows/serviceaccount.yaml new file mode 100644 index 000000000..b18f586de --- /dev/null +++ b/akamai-gitlab/templates/mgmt/components/argo-workflows/serviceaccount.yaml 
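Review bot: `spec.entrypoint: build-push` names a template that does not exist in this ClusterWorkflowTemplate; the templates defined are `build-push-ssh` and `build-push-https`, so submitting it directly will likely fail validation on the entrypoint. Either drop `entrypoint` (callers reference these via `templateRef`) or point it at one of the two, e.g. `entrypoint: build-push-https`. Both templates run `gcr.io/kaniko-project/executor:latest` to build from the cloned repo's `Dockerfile`, so an unpinned builder image sits underneath every container build; pin it to a released version or digest as is done for the toolkit image in `wait.yaml`. The `insecureIgnoreHostKey: true` on the git artifacts matches the same setting in `cwft-git.yaml` and carries the same interception trade-off.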
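Review bot: The `argo-secrets` and `container-registry-auth` ExternalSecrets set no `metadata.namespace`, while `ci-secrets` above them is explicitly in `argo`; the Argo server `sso.clientId`/`clientSecret` in `application.yaml` and the kaniko `docker-config` volume both read these Secrets from the namespace the workflows run in (presumably `argo`), so unless a Kustomization in this directory injects the namespace (none is visible here) they land wherever the applying tool defaults to. Add `namespace: argo` to both, as on the first document. `dataFrom: extract: key: /ci-secrets` also copies every key of the Vault path into one Secret that several templates then mount or env-reference; per-consumer Secrets, or `data:` with specific properties as `argo-secrets` does, limit what any single job can read.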
@@ -0,0 +1,52 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: argo-admin + annotations: + argocd.argoproj.io/sync-wave: '0' + # The rule is an expression used to determine if this service account + # should be used. + # * `groups` - an array of the OIDC groups + # * `iss` - the issuer ("argo-server") + # * `sub` - the subject (typically the username) + # Must evaluate to a boolean. + # If you want an account to be the default to use, this rule can be "true". + # Details of the expression language are available in + # https://github.com/antonmedv/expr/blob/master/docs/Language-Definition.md. + workflows.argoproj.io/rbac-rule: "'admins' in groups" + # The precedence is used to determine which service account to use whe + # Precedence is an integer. It may be negative. If omitted, it defaults to "0". + # Numerically higher values have higher precedence (not lower, which maybe + # counter-intuitive to you). + # If two rules match and have the same precedence, then which one used will + # be arbitrary. + workflows.argoproj.io/rbac-rule-precedence: '1' +secrets: +- name: argo-admin +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: argo-developer + annotations: + argocd.argoproj.io/sync-wave: '0' + workflows.argoproj.io/rbac-rule: "'developers' in groups" + workflows.argoproj.io/rbac-rule-precedence: '0' +secrets: +- name: argo-developer +--- +apiVersion: v1 +kind: Secret +metadata: + name: argo-admin + annotations: + kubernetes.io/service-account.name: argo-admin +type: kubernetes.io/service-account-token +--- +apiVersion: v1 +kind: Secret +metadata: + name: argo-developer + annotations: + kubernetes.io/service-account.name: argo-developer +type: kubernetes.io/service-account-token diff --git a/akamai-gitlab/templates/mgmt/components/argo-workflows/vault-wait.yaml b/akamai-gitlab/templates/mgmt/components/argo-workflows/vault-wait.yaml new file mode 100644 index 000000000..47beecc62 --- /dev/null 
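Review bot: The `argo-admin` and `argo-developer` ServiceAccounts are created with long-lived `kubernetes.io/service-account-token` Secrets but no Role or RoleBinding appears in this hunk, so the Kubernetes permissions actually handed to the `admins` and `developers` OIDC groups are defined elsewhere and should be cross-checked against what `rbac-rule-precedence` is meant to express. The copied annotation comment `which service account to use whe` is cut off mid-sentence; completing it as `# The precedence is used to determine which service account to use when more than one rule matches.` keeps the upstream documentation readable.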
+++ b/akamai-gitlab/templates/mgmt/components/argo-workflows/vault-wait.yaml @@ -0,0 +1,25 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: vault-wait + namespace: argocd + annotations: + argocd.argoproj.io/sync-wave: '0' + finalizers: + - resources-finalizer.argocd.argoproj.io +spec: + project: default + source: + repoURL: + path: registry/clusters//components/argo-workflows/wait + targetRevision: HEAD + destination: + name: in-cluster + namespace: vault + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true + - Replace=true diff --git a/akamai-gitlab/templates/mgmt/components/argo-workflows/wait.yaml b/akamai-gitlab/templates/mgmt/components/argo-workflows/wait.yaml new file mode 100644 index 000000000..0a16d771b --- /dev/null +++ b/akamai-gitlab/templates/mgmt/components/argo-workflows/wait.yaml 
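Review bot: `- Replace=true` in `syncOptions` applies replace semantics to every resource under `registry/clusters//components/argo-workflows/wait`, including the ServiceAccount and ClusterRoleBinding in `wait/vault-tls.yaml`, not only the Job whose template is immutable and needs recreation on each sync. Scoping it with the per-resource annotation `argocd.argoproj.io/sync-options: Force=true,Replace=true` on the `wait-vault-tls` Job and dropping the Application-level option limits delete-and-recreate to the one resource that requires it. The `resources-finalizer.argocd.argoproj.io` finalizer together with `prune: true` means deleting this Application also removes those RBAC objects, which is probably intended but worth a comment.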
@@ -0,0 +1,83 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: k8s-toolkit-argo + namespace: argo +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: k8s-toolkit-argo + namespace: argo +rules: + - apiGroups: + - apps + resources: + - deployments + - statefulsets + verbs: + - get + - watch + - list +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: k8s-toolkit-argo + namespace: argo +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: k8s-toolkit-argo +subjects: + - kind: ServiceAccount + name: k8s-toolkit-argo + namespace: argo +--- +apiVersion: batch/v1 +kind: Job +metadata: + annotations: + argocd.argoproj.io/sync-wave: '20' + name: wait-argo-workflow-controller + namespace: argo +spec: + template: + spec: + containers: + - args: + - wait-for + - deployment + - --namespace + - argo + - --label + - app.kubernetes.io/name=argo-workflow-controller + image: public.ecr.aws/kubefirst/kubernetes-toolkit:0.0.8 + imagePullPolicy: IfNotPresent + name: wait + restartPolicy: OnFailure + serviceAccountName: k8s-toolkit-argo +--- +apiVersion: batch/v1 +kind: Job +metadata: + annotations: + argocd.argoproj.io/sync-wave: '20' + name: wait-argo-server + namespace: argo +spec: + template: + spec: + containers: + - args: + - wait-for + - deployment + - --namespace + - argo + - --label + - app.kubernetes.io/name=argo-server + image: public.ecr.aws/kubefirst/kubernetes-toolkit:0.0.8 + imagePullPolicy: IfNotPresent + name: wait + restartPolicy: OnFailure + serviceAccountName: k8s-toolkit-argo diff --git a/akamai-gitlab/templates/mgmt/components/argo-workflows/wait/vault-tls.yaml b/akamai-gitlab/templates/mgmt/components/argo-workflows/wait/vault-tls.yaml new file mode 100644 index 000000000..c90d10ff9 --- /dev/null +++ b/akamai-gitlab/templates/mgmt/components/argo-workflows/wait/vault-tls.yaml 
@@ -0,0 +1,45 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: k8s-toolkit-vault-tls + namespace: vault +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: k8s-toolkit-vault-tls + namespace: vault +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cert-manager-view +subjects: + - kind: ServiceAccount + name: k8s-toolkit-vault-tls + namespace: vault +--- +apiVersion: batch/v1 +kind: Job +metadata: + annotations: + argocd.argoproj.io/sync-wave: '0' + name: wait-vault-tls + namespace: vault +spec: + template: + spec: + containers: + - args: + - wait-for + - certificate + - --namespace + - vault + - --name + - vault-tls + - --timeout-seconds + - '3600' + image: public.ecr.aws/kubefirst/kubernetes-toolkit:0.0.8 + imagePullPolicy: IfNotPresent + name: wait + restartPolicy: OnFailure + serviceAccountName: k8s-toolkit-vault-tls diff --git a/akamai-gitlab/templates/mgmt/components/argocd-appprojects/.gitkeep b/akamai-gitlab/templates/mgmt/components/argocd-appprojects/.gitkeep new file mode 100644 index 000000000..e69de29bb diff --git a/akamai-gitlab/templates/mgmt/components/argocd/argocd-cm.yaml b/akamai-gitlab/templates/mgmt/components/argocd/argocd-cm.yaml new file mode 100644 index 000000000..9e2433ea6 --- /dev/null +++ b/akamai-gitlab/templates/mgmt/components/argocd/argocd-cm.yaml @@ -0,0 +1,13 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: argocd-cm +data: + url: 'https://argocd.' + oidc.config: | + name: Vault + issuer: https://vault./v1/identity/oidc/provider/kubefirst + clientID: $argocd-oidc-secret:clientId + clientSecret: $argocd-oidc-secret:clientSecret + requestedScopes: ["openid", "groups", "user", "profile", "email"] + requestedIDTokenClaims: {"groups": {"essential": true}} 
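Review bot: The `ClusterRoleBinding` for `k8s-toolkit-vault-tls` grants `cert-manager-view` across the whole cluster, while the Job only needs to read the `vault-tls` Certificate in `vault`; a `RoleBinding` in `vault` can reference the same ClusterRole and confines the grant to that namespace. `metadata.namespace: vault` on a ClusterRoleBinding is effectively ignored because the kind is cluster-scoped, which suggests a namespaced binding was the intent; changing `kind: ClusterRoleBinding` to `kind: RoleBinding` and keeping the `roleRef` as is achieves that. The same `wait-for` pattern in `wait.yaml` for argo and atlantis already uses namespaced Role/RoleBinding pairs, so this would also make the three consistent.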
diff --git a/akamai-gitlab/templates/mgmt/components/argocd/argocd-cmd-params-cm.yaml b/akamai-gitlab/templates/mgmt/components/argocd/argocd-cmd-params-cm.yaml new file mode 100644 index 000000000..c3b99b953 --- /dev/null +++ b/akamai-gitlab/templates/mgmt/components/argocd/argocd-cmd-params-cm.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: argocd-cmd-params-cm + labels: + app.kubernetes.io/name: argocd-cmd-params-cm + app.kubernetes.io/part-of: argocd +data: + # ssl terminated at ingress-nginx and forwarded + # to allow for cloudflare origin issuer certificates + server.insecure: 'true' diff --git a/akamai-gitlab/templates/mgmt/components/argocd/argocd-oidc-restart-job.yaml b/akamai-gitlab/templates/mgmt/components/argocd/argocd-oidc-restart-job.yaml new file mode 100644 index 000000000..472a6846d --- /dev/null +++ b/akamai-gitlab/templates/mgmt/components/argocd/argocd-oidc-restart-job.yaml 
@@ -0,0 +1,58 @@ +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: argocd-oidc-restart-job + namespace: argocd +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: argocd-oidc-restart-job + namespace: argocd +rules: + - apiGroups: + - apps + resources: + - deployments + verbs: + - get + - list + - watch + - create + - update + - patch + - delete +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: argocd-oidc-restart-job + namespace: argocd +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: argocd-oidc-restart-job +subjects: + - kind: ServiceAccount + name: argocd-oidc-restart-job + namespace: argocd +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: argocd-oidc-restart-job + namespace: argocd +spec: + template: + spec: + containers: + - name: argocd-oidc-restart-job + image: public.ecr.aws/bitnami/kubectl:1.24 + command: + - /bin/sh + - -c + - echo restarting argocd-server in 15 seconds && sleep 15 && echo restarting && kubectl -n argocd get deployment/argocd-server -oyaml | kubectl -n argocd replace --force -f - + restartPolicy: OnFailure + serviceAccountName: argocd-oidc-restart-job + diff --git a/akamai-gitlab/templates/mgmt/components/argocd/argocd-ui-ingress.yaml b/akamai-gitlab/templates/mgmt/components/argocd/argocd-ui-ingress.yaml new file mode 100644 index 000000000..0f7d2f84b --- /dev/null +++ b/akamai-gitlab/templates/mgmt/components/argocd/argocd-ui-ingress.yaml 
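Review bot: The `argocd-oidc-restart-job` Role grants `create`, `update`, `patch` and `delete` on deployments in `argocd`, but the container only needs to bounce `argocd-server`; `kubectl -n argocd rollout restart deployment/argocd-server` does that with `patch` alone and without the delete-and-recreate of `replace --force`, which briefly removes the Deployment rather than rolling it. With that command the Role can shrink to `verbs: [get, patch]`. The Job carries no `argocd.argoproj.io/sync-wave` or hook annotation, so it syncs at wave 0 alongside the ConfigMaps it exists to react to; a later wave or a `PostSync` hook would avoid restarting before `argocd-cm` is updated, if that ordering is the intent. `public.ecr.aws/bitnami/kubectl:1.24` is pinned, but to a kubectl release that is out of its support window; keep it within one minor version of the cluster.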
@@ -0,0 +1,58 @@ +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: argocd-server-http-ingress + namespace: argocd + annotations: + nginx.ingress.kubernetes.io/force-ssl-redirect: "true" + nginx.ingress.kubernetes.io/backend-protocol: "HTTP" + + + + +spec: + ingressClassName: nginx + rules: + - http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: argocd-server + port: + name: http + host: argocd. + tls: + - hosts: + - argocd. + secretName: argocd-ingress-http +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: argocd-server-grpc-ingress + namespace: argocd + annotations: + nginx.ingress.kubernetes.io/backend-protocol: "GRPC" + + + + +spec: + ingressClassName: nginx + rules: + - http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: argocd-server + port: + name: https + host: grpc.argocd. + tls: + - hosts: + - grpc-argocd. + secretName: argocd-ingress-grpc \ No newline at end of file diff --git a/akamai-gitlab/templates/mgmt/components/argocd/cloudflareissuer.yaml b/akamai-gitlab/templates/mgmt/components/argocd/cloudflareissuer.yaml new file mode 100644 index 000000000..58ec02576 --- /dev/null +++ b/akamai-gitlab/templates/mgmt/components/argocd/cloudflareissuer.yaml @@ -0,0 +1,31 @@ +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: cloudflare-creds + namespace: argocd + annotations: + argocd.argoproj.io/sync-wave: "0" +spec: + target: + name: cloudflare-creds + secretStoreRef: + kind: ClusterSecretStore + name: vault-kv-secret + refreshInterval: 10s + data: + - remoteRef: + key: cloudflare + property: origin-ca-api-key + secretKey: origin-ca-api-key +--- +apiVersion: cert-manager.k8s.cloudflare.com/v1 +kind: OriginIssuer +metadata: + name: cloudflare-origin-issuer + namespace: argocd +spec: + requestType: OriginECC + auth: + serviceKeyRef: + key: origin-ca-api-key + name: cloudflare-creds 
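Review bot: In `argocd-server-grpc-ingress` the rule host is `grpc.argocd.` but the `tls.hosts` entry is `grpc-argocd.`, so the certificate requested into `argocd-ingress-grpc` is for a name that never matches the routed host and gRPC clients will see a hostname mismatch; make both `grpc.argocd.`, as the http ingress does with `argocd.` in both places. The file also ends without a trailing newline (`\ No newline at end of file`), unlike the rest of the commit. The empty lines under both `annotations:` blocks look like placeholders that rendered empty here; if they are meant to stay empty, removing them makes that explicit.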
diff --git a/akamai-gitlab/templates/mgmt/components/argocd/externalsecrets.yaml b/akamai-gitlab/templates/mgmt/components/argocd/externalsecrets.yaml new file mode 100644 index 000000000..e4a5ede28 --- /dev/null +++ b/akamai-gitlab/templates/mgmt/components/argocd/externalsecrets.yaml @@ -0,0 +1,24 @@ +apiVersion: "external-secrets.io/v1alpha1" +kind: ExternalSecret +metadata: + name: argocd-oidc-secret + labels: + app.kubernetes.io/part-of: argocd +spec: + target: + name: argocd-oidc-secret + secretStoreRef: + kind: ClusterSecretStore + name: vault-kv-secret + refreshInterval: 10s + data: + - remoteRef: + conversionStrategy: Default + key: oidc/argocd + property: client_secret + secretKey: clientSecret + - remoteRef: + conversionStrategy: Default + key: oidc/argocd + property: client_id + secretKey: clientId diff --git a/akamai-gitlab/templates/mgmt/components/argocd/kustomization.yaml b/akamai-gitlab/templates/mgmt/components/argocd/kustomization.yaml new file mode 100644 index 000000000..362b89122 --- /dev/null +++ b/akamai-gitlab/templates/mgmt/components/argocd/kustomization.yaml @@ -0,0 +1,18 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +namespace: argocd + +# To upgrade ArgoCD, increment the version here +# https://github.com/argoproj/argo-cd/tags +resources: + - github.com:kubefirst/manifests.git/argocd/cloud?ref=main + - argocd-ui-ingress.yaml + - externalsecrets.yaml + - argocd-oidc-restart-job.yaml + +patchesStrategicMerge: + - argocd-cm.yaml + - argocd-cmd-params-cm.yaml + +generatorOptions: + disableNameSuffixHash: true diff --git a/akamai-gitlab/templates/mgmt/components/atlantis/application.yaml b/akamai-gitlab/templates/mgmt/components/atlantis/application.yaml new file mode 100644 index 000000000..95812e153 --- /dev/null +++ b/akamai-gitlab/templates/mgmt/components/atlantis/application.yaml 
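Review bot: `github.com:kubefirst/manifests.git/argocd/cloud?ref=main` pulls the Argo CD base (including its RBAC) from a mutable branch, so the rendered installation can change on every sync without a commit to this repo, and anyone who can push to that branch can alter what runs in `argocd`. Pin `ref=` to a tag or commit SHA and bump it on purpose; the comment above already says upgrades should be explicit version increments. `cloudflareissuer.yaml` from the same directory is not listed under `resources:` while `argocd-ui-ingress.yaml` and `argocd-oidc-restart-job.yaml` are, which may be intentional if it is applied by another path — a comment either way would save the next reader the question.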
@@ -0,0 +1,69 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: atlantis + namespace: argocd + annotations: + argocd.argoproj.io/sync-wave: '10' +spec: + project: default + source: + repoURL: https://runatlantis.github.io/helm-charts + chart: atlantis + targetRevision: 4.11.2 + helm: + values: |- + statefulSet: + annotations: + secret.reloader.stakater.com/reload: "atlantis-secrets" + atlantisUrl: https://atlantis. + orgAllowlist: + hidePrevPlanComments: true + serviceAccount: + create: false + mount: true + resources: + limits: + cpu: 400m + memory: 1Gi + requests: + cpu: 400m + memory: 512Mi + ingress: + enabled: true + annotations: + + + + + path: / + host: atlantis. + ingressClassName: "nginx" + tls: + - secretName: atlantis-tls + hosts: + - atlantis. + loadEnvFromSecrets: + - atlantis-secrets + repoConfig: | + --- + repos: + - id: + workflow: default + allowed_overrides: [apply_requirements] + apply_requirements: [mergeable] + destination: + server: 'https://kubernetes.default.svc' + namespace: atlantis + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true + retry: + limit: 5 + backoff: + duration: 5s + maxDuration: 5m0s + factor: 2 diff --git a/akamai-gitlab/templates/mgmt/components/atlantis/cloudflareissuer.yaml b/akamai-gitlab/templates/mgmt/components/atlantis/cloudflareissuer.yaml new file mode 100644 index 000000000..1926218e6 --- /dev/null +++ b/akamai-gitlab/templates/mgmt/components/atlantis/cloudflareissuer.yaml 
@@ -0,0 +1,31 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: cloudflare-creds
+ namespace: atlantis
+ annotations:
+ argocd.argoproj.io/sync-wave: "0"
+spec:
+ target:
+ name: cloudflare-creds
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: vault-kv-secret
+ refreshInterval: 10s
+ data:
+ - remoteRef:
+ key: cloudflare
+ property: origin-ca-api-key
+ secretKey: origin-ca-api-key
+---
+apiVersion: cert-manager.k8s.cloudflare.com/v1
+kind: OriginIssuer
+metadata:
+ name: cloudflare-origin-issuer
+ namespace: atlantis
+spec:
+ requestType: OriginECC
+ auth:
+ serviceKeyRef:
+ key: origin-ca-api-key
+ name: cloudflare-creds
diff --git a/akamai-gitlab/templates/mgmt/components/atlantis/externalsecret.yaml b/akamai-gitlab/templates/mgmt/components/atlantis/externalsecret.yaml
new file mode 100644
index 000000000..334d4bf0a
--- /dev/null
+++ b/akamai-gitlab/templates/mgmt/components/atlantis/externalsecret.yaml
@@ -0,0 +1,16 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: atlantis-secrets
+ annotations:
+ argocd.argoproj.io/sync-wave: '0'
+spec:
+ target:
+ name: atlantis-secrets
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: vault-kv-secret
+ refreshInterval: 10s
+ dataFrom:
+ - extract:
+ key: /atlantis
diff --git a/akamai-gitlab/templates/mgmt/components/atlantis/wait.yaml b/akamai-gitlab/templates/mgmt/components/atlantis/wait.yaml
new file mode 100644
index 000000000..8ceb214fa
--- /dev/null
+++ b/akamai-gitlab/templates/mgmt/components/atlantis/wait.yaml
@@ -0,0 +1,59 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: k8s-toolkit-atlantis
+ namespace: atlantis
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: k8s-toolkit-atlantis
+ namespace: atlantis
+rules:
+ - apiGroups:
+ - apps
+ resources:
+ - deployments
+ - statefulsets
+ verbs:
+ - get
+ - watch
+ - list
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: k8s-toolkit-atlantis
+ namespace: atlantis
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: k8s-toolkit-atlantis
+subjects:
+ - kind: ServiceAccount
+ name: k8s-toolkit-atlantis
+ namespace: atlantis
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ annotations:
+ argocd.argoproj.io/sync-wave: '20'
+ name: wait-atlantis
+ namespace: atlantis
+spec:
+ template:
+ spec:
+ containers:
+ - args:
+ - wait-for
+ - statefulset
+ - --namespace
+ - atlantis
+ - --label
+ - app=atlantis
+ image: public.ecr.aws/kubefirst/kubernetes-toolkit:0.0.8
+ imagePullPolicy: IfNotPresent
+ name: wait
+ restartPolicy: OnFailure
+ serviceAccountName: k8s-toolkit-atlantis
diff --git a/akamai-gitlab/templates/mgmt/components/cert-issuers/clusterissuers.yaml b/akamai-gitlab/templates/mgmt/components/cert-issuers/clusterissuers.yaml
new file mode 100644
index 000000000..8b67ffefe
--- /dev/null
+++ b/akamai-gitlab/templates/mgmt/components/cert-issuers/clusterissuers.yaml
@@ -0,0 +1,29 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+ name: letsencrypt-staging
+spec:
+ acme:
+ server: https://acme-staging-v02.api.letsencrypt.org/directory
+ email:
+ privateKeySecretRef:
+ name: letsencrypt-staging
+ solvers:
+ - http01:
+ ingress:
+ class: nginx
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+ name: letsencrypt-prod
+spec:
+ acme:
+ server: https://acme-v02.api.letsencrypt.org/directory
+ email:
+ privateKeySecretRef:
+ name: letsencrypt-prod
+ solvers:
+ - http01:
+ ingress:
+ class: nginx
diff --git a/akamai-gitlab/templates/mgmt/components/cert-manager/application.yaml b/akamai-gitlab/templates/mgmt/components/cert-manager/application.yaml
new file mode 100644
index 000000000..ad0d96c83
--- /dev/null
+++ b/akamai-gitlab/templates/mgmt/components/cert-manager/application.yaml
@@ -0,0 +1,28 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: cert-manager
+ namespace: argocd
+ annotations:
+ argocd.argoproj.io/sync-wave: '10'
+spec:
+ project: default
+ source:
+ repoURL: https://charts.jetstack.io
+ targetRevision: v1.14.4
+ helm:
+ values: |-
+ serviceAccount:
+ create: true
+ name: cert-manager
+ installCRDs: true
+ chart: cert-manager
+ destination:
+ name: in-cluster
+ namespace: cert-manager
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
diff --git a/akamai-gitlab/templates/mgmt/components/cert-manager/wait-todo.yaml b/akamai-gitlab/templates/mgmt/components/cert-manager/wait-todo.yaml
new file mode 100644
index 000000000..e69de29bb
diff --git a/akamai-gitlab/templates/mgmt/components/chartmuseum/application.yaml b/akamai-gitlab/templates/mgmt/components/chartmuseum/application.yaml
new file mode 100644
index 000000000..47cbbd645
--- /dev/null
+++ b/akamai-gitlab/templates/mgmt/components/chartmuseum/application.yaml
@@ -0,0 +1,53 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: chartmuseum
+ namespace: argocd
+ annotations:
+ argocd.argoproj.io/sync-wave: '10'
+spec:
+ project: default
+ source:
+ repoURL: https://chartmuseum.github.io/charts
+ targetRevision: 3.9.3
+ helm:
+ values: |-
+ env:
+ open:
+ AUTH_ANONYMOUS_GET: true
+ STORAGE: amazon
+ STORAGE_AMAZON_BUCKET:
+ STORAGE_AMAZON_PREFIX: kubefirst-charts
+ STORAGE_AMAZON_REGION: us-east-1
+ STORAGE_AMAZON_ENDPOINT: https://us-east-1.linodeobjects.com
+ DISABLE_API: false
+ existingSecret: chartmuseum-secrets
+ existingSecretMappings:
+ BASIC_AUTH_USER: BASIC_AUTH_USER
+ BASIC_AUTH_PASS: BASIC_AUTH_PASS
+ AWS_ACCESS_KEY_ID: AWS_ACCESS_KEY_ID
+ AWS_SECRET_ACCESS_KEY: AWS_SECRET_ACCESS_KEY
+ ingress:
+ enabled: true
+ pathType: "Prefix"
+ annotations:
+
+
+
+
+ hosts:
+ - name: chartmuseum.
+ path: /
+ tls: true
+ tlsSecret: chartmuseum-tls
+ ingressClassName: nginx
+ chart: chartmuseum
+ destination:
+ name: in-cluster
+ namespace: chartmuseum
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
diff --git a/akamai-gitlab/templates/mgmt/components/chartmuseum/cloudflareissuer.yaml b/akamai-gitlab/templates/mgmt/components/chartmuseum/cloudflareissuer.yaml
new file mode 100644
index 000000000..64630f820
--- /dev/null
+++ b/akamai-gitlab/templates/mgmt/components/chartmuseum/cloudflareissuer.yaml
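Review bot: `AUTH_ANONYMOUS_GET: true` together with `DISABLE_API: false` and an enabled nginx ingress makes every chart under the `kubefirst-charts` prefix readable without credentials by anyone who can reach the `chartmuseum.` host; only uploads are gated by the `BASIC_AUTH_*` values mapped from `chartmuseum-secrets`. If a world-readable chart repository is intended, say so next to the flag, e.g. `# charts are intentionally public; basic auth only protects pushes`, otherwise set it to `false`. The `AWS_*` mappings carry Linode object-storage credentials into the pod environment, which the `amazon` storage backend expects, but that is worth stating in the same comment so nobody assumes they are real AWS keys.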
@@ -0,0 +1,31 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: cloudflare-creds
+ namespace: chartmuseum
+ annotations:
+ argocd.argoproj.io/sync-wave: "0"
+spec:
+ target:
+ name: cloudflare-creds
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: vault-kv-secret
+ refreshInterval: 10s
+ data:
+ - remoteRef:
+ key: cloudflare
+ property: origin-ca-api-key
+ secretKey: origin-ca-api-key
+---
+apiVersion: cert-manager.k8s.cloudflare.com/v1
+kind: OriginIssuer
+metadata:
+ name: cloudflare-origin-issuer
+ namespace: chartmuseum
+spec:
+ requestType: OriginECC
+ auth:
+ serviceKeyRef:
+ key: origin-ca-api-key
+ name: cloudflare-creds
diff --git a/akamai-gitlab/templates/mgmt/components/chartmuseum/externalsecret.yaml b/akamai-gitlab/templates/mgmt/components/chartmuseum/externalsecret.yaml
new file mode 100644
index 000000000..020f387cf
--- /dev/null
+++ b/akamai-gitlab/templates/mgmt/components/chartmuseum/externalsecret.yaml
@@ -0,0 +1,17 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: chartmuseum-secrets
+ namespace: chartmuseum
+ annotations:
+ argocd.argoproj.io/sync-wave: "0"
+spec:
+ target:
+ name: chartmuseum-secrets
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: vault-kv-secret
+ refreshInterval: 10s
+ dataFrom:
+ - extract:
+ key: /chartmuseum
diff --git a/akamai-gitlab/templates/mgmt/components/chartmuseum/wait.yaml b/akamai-gitlab/templates/mgmt/components/chartmuseum/wait.yaml
new file mode 100644
index 000000000..131c8e5f3
--- /dev/null
+++ b/akamai-gitlab/templates/mgmt/components/chartmuseum/wait.yaml
@@ -0,0 +1,59 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: k8s-toolkit-chartmuseum
+ namespace: chartmuseum
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: k8s-toolkit-chartmuseum
+ namespace: chartmuseum
+rules:
+ - apiGroups:
+ - apps
+ resources:
+ - deployments
+ - statefulsets
+ verbs:
+ - get
+ - watch
+ - list
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: k8s-toolkit-chartmuseum
+ namespace: chartmuseum
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: k8s-toolkit-chartmuseum
+subjects:
+ - kind: ServiceAccount
+ name: k8s-toolkit-chartmuseum
+ namespace: chartmuseum
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ annotations:
+ argocd.argoproj.io/sync-wave: '20'
+ name: wait-chartmuseum
+ namespace: chartmuseum
+spec:
+ template:
+ spec:
+ containers:
+ - args:
+ - wait-for
+ - deployment
+ - --namespace
+ - chartmuseum
+ - --label
+ - app.kubernetes.io/name=chartmuseum
+ image: public.ecr.aws/kubefirst/kubernetes-toolkit:0.0.8
+ imagePullPolicy: IfNotPresent
+ name: wait
+ restartPolicy: OnFailure
+ serviceAccountName: k8s-toolkit-chartmuseum
diff --git a/akamai-gitlab/templates/mgmt/components/cluster-secret-store/clustersecretstore.yaml b/akamai-gitlab/templates/mgmt/components/cluster-secret-store/clustersecretstore.yaml
new file mode 100644
index 000000000..dc3995cc2
--- /dev/null
+++ b/akamai-gitlab/templates/mgmt/components/cluster-secret-store/clustersecretstore.yaml
@@ -0,0 +1,29 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ClusterSecretStore
+metadata:
+ name: vault-kv-secret
+ annotations:
+ argocd.argoproj.io/sync-wave: '10'
+spec:
+ provider:
+ vault:
+ server: 'http://vault.vault.svc:8200'
+ # Path is the mount path of the Vault KV backend endpoint
+ path: 'secret'
+ version: 'v2'
+ auth:
+ # points to a secret that contains a vault token
+ # https://www.vaultproject.io/docs/auth/token
+ tokenSecretRef:
+ name: "vault-secrets"
+ namespace: external-secrets-operator
+ key: "vault-token"
+ # auth:
+ # kubernetes:
+ # # Path where the Kubernetes authentication backend is mounted in Vault
+ # mountPath: 'kubernetes/kubefirst'
+ # # A required field containing the Vault Role to assume.
+ # role: 'external-secrets'
+ # serviceAccountRef:
+ # name: 'external-secrets'
+ # namespace: 'external-secrets-operator'
diff --git a/akamai-gitlab/templates/mgmt/components/cluster-secret-store/wait.yaml b/akamai-gitlab/templates/mgmt/components/cluster-secret-store/wait.yaml
new file mode 100644
index 000000000..26bd264ed
--- /dev/null
+++ b/akamai-gitlab/templates/mgmt/components/cluster-secret-store/wait.yaml
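Review bot: The store reaches Vault over plaintext `server: 'http://vault.vault.svc:8200'` and authenticates with a static token from `vault-secrets`/`vault-token`, while the `kubernetes:` auth block underneath is commented out. Every secret this store serves (OIDC client secrets, Cloudflare origin keys, object-storage and git credentials elsewhere in this commit) plus the token itself therefore crosses the pod network unencrypted, and the token is a long-lived bearer credential that has to be rotated by hand. Switch to `https://` with the Vault CA supplied via `caProvider` and enable the Kubernetes auth method already sketched in the comment, or record why this is acceptable, e.g. `# token auth is bootstrap-only; replace with kubernetes auth after first sync`.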
@@ -0,0 +1,40 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: eso-clustersecretstore
+ namespace: external-secrets-operator
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: eso-clustersecretstore
+ namespace: external-secrets-operator
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: external-secrets-operator-view
+subjects:
+- kind: ServiceAccount
+ name: eso-clustersecretstore
+ namespace: external-secrets-operator
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ annotations:
+ argocd.argoproj.io/sync-wave: "20"
+ name: wait-vault-kv-secret
+ namespace: external-secrets-operator
+spec:
+ template:
+ spec:
+ containers:
+ - name: wait
+ image: public.ecr.aws/bitnami/kubectl:1.24
+ command:
+ - /bin/sh
+ - -c
+ - |
+ while ! kubectl get clustersecretstore/vault-kv-secret --namespace external-secrets-operator; do echo "waiting for external secrets store to be valid, sleeping 5 seconds"; sleep 5; done
+ restartPolicy: OnFailure
+ serviceAccountName: eso-clustersecretstore
\ No newline at end of file
diff --git a/akamai-gitlab/templates/mgmt/components/clusters/.gitkeep b/akamai-gitlab/templates/mgmt/components/clusters/.gitkeep
new file mode 100644
index 000000000..e69de29bb
diff --git a/akamai-gitlab/templates/mgmt/components/crossplane/crossplane-system.yaml b/akamai-gitlab/templates/mgmt/components/crossplane/crossplane-system.yaml
new file mode 100644
index 000000000..55e14e582
--- /dev/null
+++ b/akamai-gitlab/templates/mgmt/components/crossplane/crossplane-system.yaml
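Review bot: `image: public.ecr.aws/bitnami/kubectl:1.24` is a minor-version tag rather than a fully pinned one, and 1.24 is well behind the API servers it will talk to (kubectl supports only one minor version of skew), whereas every other wait job in this commit pins `kubernetes-toolkit:0.0.8`; pin a full `1.x.y` tag that matches the cluster version. `metadata.namespace` on the ClusterRoleBinding is ignored because the object is cluster-scoped, and `--namespace` on `kubectl get clustersecretstore` is likewise a no-op for a cluster-scoped resource; both are harmless but suggest a namespaced template was copied, so drop them to avoid misleading the next reader. The binding to `external-secrets-operator-view` is presumably the chart's read-only view role, which is the right scope for a wait job, but confirm that role exists under that name in the chart version pinned here.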
@@ -0,0 +1,25 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: crossplane-system
+ namespace: argocd
+ annotations:
+ argocd.argoproj.io/sync-wave: '10'
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ project: default
+ source:
+ repoURL:
+ path: registry/clusters//components/crossplane/crossplane-system
+ targetRevision: HEAD
+ destination:
+ name: in-cluster
+ namespace: crossplane-system
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
+ - Replace=true
diff --git a/akamai-gitlab/templates/mgmt/components/crossplane/crossplane-system/crossplane-secrets.yaml b/akamai-gitlab/templates/mgmt/components/crossplane/crossplane-system/crossplane-secrets.yaml
new file mode 100644
index 000000000..72e3d807f
--- /dev/null
+++ b/akamai-gitlab/templates/mgmt/components/crossplane/crossplane-system/crossplane-secrets.yaml
@@ -0,0 +1,51 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ annotations:
+ argocd.argoproj.io/sync-wave: "0"
+ name: crossplane-secrets
+ namespace: crossplane-system
+spec:
+ dataFrom:
+ - extract:
+ conversionStrategy: Default
+ decodingStrategy: None
+ key: /crossplane
+ refreshInterval: 10s
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: vault-kv-secret
+ target:
+ creationPolicy: Owner
+ deletionPolicy: Retain
+ name: crossplane-secrets
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: git-credentials
+ annotations:
+ argocd.argoproj.io/sync-wave: "0"
+spec:
+ target:
+ name: git-credentials
+ template:
+ engineVersion: v2
+ data:
+ creds: |
+ https://{{ .username }}:{{ .password }}@github.com
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: vault-kv-secret
+ refreshInterval: 10s
+ data:
+ - remoteRef:
+ key: crossplane
+ property: username
+ conversionStrategy: Default
+ secretKey: username
+ - remoteRef:
+ key: crossplane
+ property: password
+ conversionStrategy: Default
+ secretKey: password
\ No newline at end of file
diff --git a/akamai-gitlab/templates/mgmt/components/crossplane/crossplane-system/crossplane-system.yaml b/akamai-gitlab/templates/mgmt/components/crossplane/crossplane-system/crossplane-system.yaml
new file mode 100644
index 000000000..598920503
--- /dev/null
+++ b/akamai-gitlab/templates/mgmt/components/crossplane/crossplane-system/crossplane-system.yaml
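Review bot: The `creds` template renders `https://{{ .username }}:{{ .password }}@github.com`, but this file lives under the akamai-gitlab template, so the Crossplane terraform provider would be handed GitLab credentials for the wrong host (or GitHub credentials on a GitLab install); unless the host is substituted by the same templating step that blanks other values in this tree, it should read `https://{{ .username }}:{{ .password }}@gitlab.com`. The `git-credentials` ExternalSecret also omits `namespace: crossplane-system` while `crossplane-secrets` above sets it, so it only lands in the right namespace through the parent Application's destination; add it explicitly for consistency. A `user:password@host` URL ends up in any log line or error that echoes the git remote, which is inherent to this credential format but deserves a one-line comment so it is not printed at debug level by accident.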
@@ -0,0 +1,24 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: crossplane
+ namespace: argocd
+ annotations:
+ argocd.argoproj.io/sync-wave: "10"
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ project: default
+ destination:
+ name: in-cluster
+ namespace: crossplane-system
+ source:
+ repoURL: https://charts.crossplane.io/stable
+ chart: crossplane
+ targetRevision: 1.12.2
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
\ No newline at end of file
diff --git a/akamai-gitlab/templates/mgmt/components/crossplane/provider.yaml b/akamai-gitlab/templates/mgmt/components/crossplane/provider.yaml
new file mode 100644
index 000000000..aad40ccc2
--- /dev/null
+++ b/akamai-gitlab/templates/mgmt/components/crossplane/provider.yaml
@@ -0,0 +1,25 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: crossplane-provider
+ namespace: argocd
+ annotations:
+ argocd.argoproj.io/sync-wave: '20'
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ project: default
+ source:
+ repoURL:
+ path: registry/clusters//components/crossplane/provider
+ targetRevision: HEAD
+ destination:
+ name: in-cluster
+ namespace: crossplane-system
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
+ - Replace=true
diff --git a/akamai-gitlab/templates/mgmt/components/crossplane/provider/controllerconfig.yaml b/akamai-gitlab/templates/mgmt/components/crossplane/provider/controllerconfig.yaml
new file mode 100644
index 000000000..c4636b1ba
--- /dev/null
+++ b/akamai-gitlab/templates/mgmt/components/crossplane/provider/controllerconfig.yaml
@@ -0,0 +1,15 @@
+apiVersion: pkg.crossplane.io/v1alpha1
+kind: ControllerConfig
+metadata:
+ annotations:
+ argocd.argoproj.io/sync-wave: '10'
+ labels:
+ app: crossplane-provider-terraform
+ name: terraform-config
+spec:
+ args:
+ - -d
+ - --poll=2m
+ envFrom:
+ - secretRef:
+ name: crossplane-secrets
diff --git a/akamai-gitlab/templates/mgmt/components/crossplane/provider/terraform-provider.yaml b/akamai-gitlab/templates/mgmt/components/crossplane/provider/terraform-provider.yaml
new file mode 100644
index 000000000..6403c68ab
--- /dev/null
+++ b/akamai-gitlab/templates/mgmt/components/crossplane/provider/terraform-provider.yaml
@@ -0,0 +1,16 @@
+apiVersion: pkg.crossplane.io/v1
+kind: Provider
+metadata:
+ annotations:
+ argocd.argoproj.io/sync-wave: '20'
+ name: crossplane-provider-terraform
+spec:
+ controllerConfigRef:
+ name: terraform-config
+ ignoreCrossplaneConstraints: false
+ package: xpkg.upbound.io/upbound/provider-terraform:v0.12.0
+ packagePullPolicy: IfNotPresent
+ revisionActivationPolicy: Automatic
+ revisionHistoryLimit: 1
+ skipDependencyResolution: false
+
diff --git a/akamai-gitlab/templates/mgmt/components/external-dns/application.yaml b/akamai-gitlab/templates/mgmt/components/external-dns/application.yaml
new file mode 100644
index 000000000..e9b5624df
--- /dev/null
+++ b/akamai-gitlab/templates/mgmt/components/external-dns/application.yaml
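Review bot: `args: - -d` runs the terraform provider with debug logging while `envFrom: - secretRef: name: crossplane-secrets` injects the whole secret into its environment; provider-terraform's debug output may echo the Terraform commands and variables it runs, so credentials from that secret can end up in pod logs and in whatever ships those logs off-cluster. Unless this template is meant for development clusters only, drop `- -d` or add a comment explaining why verbose logging is acceptable here. `pkg.crossplane.io/v1alpha1 ControllerConfig` is the older configuration mechanism; it works with the `crossplane` 1.12.2 chart pinned in this commit, but newer releases deprecate it in favour of DeploymentRuntimeConfig, so a `# TODO` for the next Crossplane upgrade is warranted.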
@@ -0,0 +1,42 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: external-dns
+ namespace: argocd
+ annotations:
+ argocd.argoproj.io/sync-wave: '10'
+spec:
+ project: default
+ source:
+ repoURL: https://kubernetes-sigs.github.io/external-dns
+ targetRevision: 1.14.4
+ helm:
+ releaseName: external-dns
+ values: |
+ image:
+ repository: registry.k8s.io/external-dns/external-dns
+ tag: "v0.13.2"
+ serviceAccount:
+ create: true
+ name: external-dns
+ provider:
+ sources:
+ - ingress
+ domainFilters:
+ -
+ env:
+ - name:
+ valueFrom:
+ secretKeyRef:
+ name: external-dns-secrets
+ key: token
+ chart: external-dns
+ destination:
+ name: in-cluster
+ namespace: external-dns
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
diff --git a/akamai-gitlab/templates/mgmt/components/external-dns/wait.yaml b/akamai-gitlab/templates/mgmt/components/external-dns/wait.yaml
new file mode 100644
index 000000000..a42e75f26
--- /dev/null
+++ b/akamai-gitlab/templates/mgmt/components/external-dns/wait.yaml
@@ -0,0 +1,59 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: kubernetes-toolkit
+ namespace: external-dns
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: kubernetes-toolkit
+ namespace: external-dns
+rules:
+ - apiGroups:
+ - apps
+ resources:
+ - deployments
+ - statefulsets
+ verbs:
+ - get
+ - watch
+ - list
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: kubernetes-toolkit
+ namespace: external-dns
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: kubernetes-toolkit
+subjects:
+ - kind: ServiceAccount
+ name: kubernetes-toolkit
+ namespace: external-dns
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ annotations:
+ argocd.argoproj.io/sync-wave: '20'
+ name: kubernetes-toolkit
+ namespace: external-dns
+spec:
+ template:
+ spec:
+ containers:
+ - args:
+ - wait-for
+ - deployment
+ - --namespace
+ - external-dns
+ - --label
+ - app.kubernetes.io/name=external-dns
+ image: public.ecr.aws/kubefirst/kubernetes-toolkit:0.0.8
+ imagePullPolicy: IfNotPresent
+ name: kubernetes-toolkit
+ restartPolicy: OnFailure
+ serviceAccountName: kubernetes-toolkit
diff --git a/akamai-gitlab/templates/mgmt/components/external-secrets-operator/external-secrets-operator.yaml b/akamai-gitlab/templates/mgmt/components/external-secrets-operator/external-secrets-operator.yaml
new file mode 100644
index 000000000..1ccada0a7
--- /dev/null
+++ b/akamai-gitlab/templates/mgmt/components/external-secrets-operator/external-secrets-operator.yaml
@@ -0,0 +1,54 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: external-secrets-operator
+ namespace: argocd
+ annotations:
+ argocd.argoproj.io/sync-wave: '10'
+spec:
+ project: default
+ source:
+ repoURL: https://charts.external-secrets.io
+ targetRevision: 0.8.1
+ helm:
+ values: |-
+ serviceAccount:
+ create: false
+ name: external-secrets
+ chart: external-secrets
+ destination:
+ name: in-cluster
+ namespace: external-secrets-operator
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
+ - RespectIgnoreDifferences=true
+ ignoreDifferences:
+ - group: apiextensions.k8s.io
+ kind: CustomResourceDefinition
+ jqPathExpressions:
+ - .spec.conversion.webhook.clientConfig.caBundle
+ - .spec.conversion.webhook.clientConfig.service.name
+ - .spec.conversion.webhook.clientConfig.service.namespace
+ - group: admissionregistration.k8s.io
+ kind: ValidatingWebhookConfiguration
+ jqPathExpressions:
+ - .webhooks[]?.clientConfig.caBundle
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: eso-kubernetes-external-secrets-auth
+ annotations:
+ argocd.argoproj.io/sync-wave: '40'
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: 'system:auth-delegator'
+subjects:
+ - kind: ServiceAccount
+ name: external-secrets
+ namespace: external-secrets-operator
diff --git a/akamai-gitlab/templates/mgmt/components/external-secrets-operator/wait.yaml b/akamai-gitlab/templates/mgmt/components/external-secrets-operator/wait.yaml
new file mode 100644
index 000000000..7352d764c
--- /dev/null
+++ b/akamai-gitlab/templates/mgmt/components/external-secrets-operator/wait.yaml
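Review bot: The ClusterRoleBinding `eso-kubernetes-external-secrets-auth` grants the `external-secrets` service account `system:auth-delegator` (cluster-wide TokenReview and SubjectAccessReview creation), but the ClusterSecretStore in this commit authenticates to Vault with a static token and its Kubernetes auth block is commented out, so nothing currently needs this delegation. Either enable the `kubernetes:` auth method so the binding has a consumer, or drop it until then; unused cluster-scoped RBAC on the secrets operator is exactly the kind of privilege that outlives its reason. `serviceAccount.create: false` with `name: external-secrets` also means that SA must exist before the chart syncs; its manifest is not in this hunk, so a comment naming where it is created would help.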
@@ -0,0 +1,107 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: k8s-toolkit-eso
+ namespace: external-secrets-operator
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: k8s-toolkit-eso
+ namespace: external-secrets-operator
+rules:
+ - apiGroups:
+ - apps
+ resources:
+ - deployments
+ - statefulsets
+ verbs:
+ - get
+ - watch
+ - list
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: k8s-toolkit-eso
+ namespace: external-secrets-operator
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: k8s-toolkit-eso
+subjects:
+ - kind: ServiceAccount
+ name: k8s-toolkit-eso
+ namespace: external-secrets-operator
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ annotations:
+ argocd.argoproj.io/sync-wave: '20'
+ name: wait-external-secrets-cert-controller
+ namespace: external-secrets-operator
+spec:
+ template:
+ spec:
+ containers:
+ - args:
+ - wait-for
+ - deployment
+ - --namespace
+ - external-secrets-operator
+ - --label
+ - app.kubernetes.io/name=external-secrets-cert-controller
+ image: public.ecr.aws/kubefirst/kubernetes-toolkit:0.0.8
+ imagePullPolicy: IfNotPresent
+ name: wait
+ restartPolicy: OnFailure
+ serviceAccountName: k8s-toolkit-eso
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ annotations:
+ argocd.argoproj.io/sync-wave: '20'
+ name: wait-external-secrets
+ namespace: external-secrets-operator
+spec:
+ template:
+ spec:
+ containers:
+ - args:
+ - wait-for
+ - deployment
+ - --namespace
+ - external-secrets-operator
+ - --label
+ - app.kubernetes.io/name=external-secrets
+ image: public.ecr.aws/kubefirst/kubernetes-toolkit:0.0.8
+ imagePullPolicy: IfNotPresent
+ name: wait
+ restartPolicy: OnFailure
+ serviceAccountName: k8s-toolkit-eso
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ annotations:
+ argocd.argoproj.io/sync-wave: '20'
+ name: wait-external-secrets-webhook
+ namespace: external-secrets-operator
+spec:
+ template:
+ spec:
+ containers:
+ - args:
+ - wait-for
+ - deployment
+ - --namespace
+ - external-secrets-operator
+ - --label
+ - app.kubernetes.io/name=external-secrets-webhook
+ image: public.ecr.aws/kubefirst/kubernetes-toolkit:0.0.8
+ imagePullPolicy: IfNotPresent
+ name: wait
+ restartPolicy: OnFailure
+ serviceAccountName: k8s-toolkit-eso
diff --git a/akamai-gitlab/templates/mgmt/components/github-runner/runnerdeployment.yaml b/akamai-gitlab/templates/mgmt/components/github-runner/runnerdeployment.yaml
new file mode 100644
index 000000000..cce93eb20
--- /dev/null
+++ b/akamai-gitlab/templates/mgmt/components/github-runner/runnerdeployment.yaml
@@ -0,0 +1,15 @@
+apiVersion: actions.summerwind.dev/v1alpha1
+kind: RunnerDeployment
+metadata:
+ name: actions-runner
+ annotations:
+ argocd.argoproj.io/sync-wave: '10'
+spec:
+ replicas: 2
+ template:
+ spec:
+ organization:
+ image: summerwind/actions-runner-dind
+ serviceAccountName: github-runner
+ dockerdWithinRunnerContainer: true
+ automountServiceAccountToken: true
diff --git a/akamai-gitlab/templates/mgmt/components/github-runner/serviceaccount.yaml b/akamai-gitlab/templates/mgmt/components/github-runner/serviceaccount.yaml
new file mode 100644
index 000000000..6e2d55674
--- /dev/null
+++ b/akamai-gitlab/templates/mgmt/components/github-runner/serviceaccount.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: github-runner
+ namespace: github-runner
+ annotations:
+ argocd.argoproj.io/sync-wave: '0'
diff --git a/akamai-gitlab/templates/mgmt/components/ingress-nginx/application.yaml b/akamai-gitlab/templates/mgmt/components/ingress-nginx/application.yaml
new file mode 100644
index 000000000..bfb81ad38
--- /dev/null
+++ b/akamai-gitlab/templates/mgmt/components/ingress-nginx/application.yaml
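Review bot: `runnerdeployment.yaml` and `serviceaccount.yaml` add a GitHub Actions `RunnerDeployment` (`actions.summerwind.dev/v1alpha1`, image `summerwind/actions-runner-dind`) with an empty `organization:` to the akamai-gitlab template, which looks copied from the GitHub variant rather than being a GitLab runner; confirm it is intended or remove it. If it stays, `dockerdWithinRunnerContainer: true` runs a Docker daemon inside every runner pod, which requires an elevated security context, and `automountServiceAccountToken: true` mounts a `github-runner` SA token into every CI job; no RBAC is bound to that SA in this commit so the token is inert for now, but a comment such as `# SA token is mounted for in-cluster CI jobs; keep github-runner RBAC minimal` would record the intent. The `summerwind/actions-runner-dind` image is untagged and therefore floats on `latest`, unlike the pinned versions used everywhere else in this commit.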
@@ -0,0 +1,35 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: ingress-nginx
+ namespace: argocd
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+ annotations:
+ argocd.argoproj.io/sync-wave: '10'
+spec:
+ project: default
+ source:
+ repoURL: https://kubernetes.github.io/ingress-nginx
+ targetRevision: 4.10.0
+ helm:
+ values: |-
+ controller:
+ publishService:
+ enabled: true
+ service:
+ annotations:
+ service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "https"
+ service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: "60"
+ extraArgs:
+ enable-ssl-passthrough: true
+ chart: ingress-nginx
+ destination:
+ name: in-cluster
+ namespace: ingress-nginx
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
diff --git a/akamai-gitlab/templates/mgmt/components/ingress-nginx/wait.yaml b/akamai-gitlab/templates/mgmt/components/ingress-nginx/wait.yaml
new file mode 100644
index 000000000..4e4b41ce9
--- /dev/null
+++ b/akamai-gitlab/templates/mgmt/components/ingress-nginx/wait.yaml
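Review bot: The controller service annotations `service.beta.kubernetes.io/aws-load-balancer-ssl-ports` and `service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout` are interpreted by the AWS cloud controller and have no effect on an Akamai/Linode cluster, so they are inert and misleading here; drop them or replace them with Linode's NodeBalancer service annotations. `extraArgs: enable-ssl-passthrough: true` also starts the controller's TCP passthrough listener, so any Ingress annotated for passthrough bypasses nginx's TLS termination and request-level handling; if an application in this tree needs that, name it in a comment, e.g. `# ssl-passthrough required by <app>` (placeholder), otherwise leave the flag at its default. `targetRevision: 4.10.0` is pinned, which is good.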
@@ -0,0 +1,59 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: k8s-toolkit-ingress-nginx
+ namespace: ingress-nginx
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: k8s-toolkit-ingress-nginx
+ namespace: ingress-nginx
+rules:
+ - apiGroups:
+ - apps
+ resources:
+ - deployments
+ - statefulsets
+ verbs:
+ - get
+ - watch
+ - list
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: k8s-toolkit-ingress-nginx
+ namespace: ingress-nginx
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: k8s-toolkit-ingress-nginx
+subjects:
+ - kind: ServiceAccount
+ name: k8s-toolkit-ingress-nginx
+ namespace: ingress-nginx
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ annotations:
+ argocd.argoproj.io/sync-wave: '20'
+ name: wait-ingress-nginx
+ namespace: ingress-nginx
+spec:
+ template:
+ spec:
+ containers:
+ - args:
+ - wait-for
+ - deployment
+ - --namespace
+ - ingress-nginx
+ - --label
+ - app.kubernetes.io/name=ingress-nginx
+ image: public.ecr.aws/kubefirst/kubernetes-toolkit:0.0.8
+ imagePullPolicy: IfNotPresent
+ name: wait
+ restartPolicy: OnFailure
+ serviceAccountName: k8s-toolkit-ingress-nginx
diff --git a/akamai-gitlab/templates/mgmt/components/kubefirst/cloudflareissuer.yaml b/akamai-gitlab/templates/mgmt/components/kubefirst/cloudflareissuer.yaml
new file mode 100644
index 000000000..a9ad3e28c
--- /dev/null
+++ b/akamai-gitlab/templates/mgmt/components/kubefirst/cloudflareissuer.yaml
@@ -0,0 +1,31 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: cloudflare-creds
+ namespace: kubefirst
+ annotations:
+ argocd.argoproj.io/sync-wave: "0"
+spec:
+ target:
+ name: cloudflare-creds
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: vault-kv-secret
+ refreshInterval: 10s
+ data:
+ - remoteRef:
+ key: cloudflare
+ property: origin-ca-api-key
+ secretKey: origin-ca-api-key
+---
+apiVersion: cert-manager.k8s.cloudflare.com/v1
+kind: OriginIssuer
+metadata:
+ name: cloudflare-origin-issuer
+ namespace: kubefirst
+spec:
+ requestType: OriginECC
+ auth:
+ serviceKeyRef:
+ key: origin-ca-api-key
+ name: cloudflare-creds
diff --git a/akamai-gitlab/templates/mgmt/components/kubefirst/console.yaml b/akamai-gitlab/templates/mgmt/components/kubefirst/console.yaml
new file mode 100644
index 000000000..a7a0e7cc9
--- /dev/null
+++ b/akamai-gitlab/templates/mgmt/components/kubefirst/console.yaml
@@ -0,0 +1,72 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: kubefirst
+ namespace: argocd
+ annotations:
+ argocd.argoproj.io/sync-wave: "10"
+spec:
+ project: default
+ source:
+ repoURL: https://charts.kubefirst.com
+ targetRevision: 2.4.14-rc22
+ chart: kubefirst
+ helm:
+ values: |-
+ global:
+ cloudProvider: ""
+ clusterId: ""
+ clusterType: ""
+ domainName: ""
+ gitProvider: ""
+ installMethod: "helm"
+ kubefirstClient: ""
+ kubefirstTeam: ""
+ kubefirstTeamInfo: ""
+ kubefirstVersion: ""
+ useTelemetry: ""
+ kubefirst-api-ee:
+ extraEnv:
+ IN_CLUSTER: "true"
+ kubefirst-api:
+ isClusterZero: "false"
+ extraEnv:
+ IN_CLUSTER: "true"
+ CLUSTER_NAME: ""
+ ENTERPRISE_API_URL: "http://kubefirst-kubefirst-api-ee.kubefirst.svc.cluster.local"
+ console:
+ isClusterZero: "false"
+ domain: ""
+ extraEnvSecrets:
+ CLIENT_ID:
+ name: kubefirst-console-secrets
+ key: client_id
+ SECRET_ID:
+ name: kubefirst-console-secrets
+ key: client_secret
+ ingress:
+ enabled: "true"
+ className: nginx
+ annotations:
+
+
+
+
+ hosts:
+ - host: kubefirst.
+ paths:
+ - path: /
+ pathType: Prefix
+ tls:
+ - secretName: kubefirst-tls
+ hosts:
+ - kubefirst.
+ destination:
+ name: in-cluster
+ namespace: kubefirst
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
diff --git a/akamai-gitlab/templates/mgmt/components/kubefirst/externalsecret.yaml b/akamai-gitlab/templates/mgmt/components/kubefirst/externalsecret.yaml
new file mode 100644
index 000000000..ffe387fe6
--- /dev/null
+++ b/akamai-gitlab/templates/mgmt/components/kubefirst/externalsecret.yaml
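Review bot: `enabled: "true"` under `console.ingress` is a string, not a YAML boolean; in a Go template `if`, any non-empty string is truthy, so setting it to `"false"` later would still render the ingress, and every other Application in this commit writes the bare `enabled: true`. Change the line to `enabled: true`. The quoted values under `extraEnv` feed environment variables and must stay strings; whether `isClusterZero: "false"` should be a string depends on the chart, so check that one as well. The `global:` block is all empty strings, presumably filled by the templating step, so a comment listing which keys are mandatory would save a failed first sync.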
@@ -0,0 +1,17 @@ +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: kubefirst-console-secrets + namespace: kubefirst + annotations: + argocd.argoproj.io/sync-wave: '0' +spec: + dataFrom: + - extract: + key: /oidc/console + refreshInterval: 10s + secretStoreRef: + kind: ClusterSecretStore + name: vault-kv-secret + target: + name: kubefirst-console-secrets \ No newline at end of file diff --git a/akamai-gitlab/templates/mgmt/components/kubefirst/wait.yaml b/akamai-gitlab/templates/mgmt/components/kubefirst/wait.yaml new file mode 100644 index 000000000..2ca1ed176 --- /dev/null +++ b/akamai-gitlab/templates/mgmt/components/kubefirst/wait.yaml @@ -0,0 +1,59 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: k8s-toolkit-console + namespace: kubefirst +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: k8s-toolkit-console + namespace: kubefirst +rules: + - apiGroups: + - apps + resources: + - deployments + - statefulsets + verbs: + - get + - watch + - list +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: k8s-toolkit-console + namespace: kubefirst +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: k8s-toolkit-console +subjects: + - kind: ServiceAccount + name: k8s-toolkit-console + namespace: kubefirst +--- +apiVersion: batch/v1 +kind: Job +metadata: + annotations: + argocd.argoproj.io/sync-wave: '20' + name: wait-console + namespace: kubefirst +spec: + template: + spec: + containers: + - args: + - wait-for + - deployment + - --namespace + - kubefirst + - --label + - app.kubernetes.io/name=console + image: public.ecr.aws/kubefirst/kubernetes-toolkit:0.0.8 + imagePullPolicy: IfNotPresent + name: wait + restartPolicy: OnFailure + serviceAccountName: k8s-toolkit-console 
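Review bot: The `k8s-toolkit-console` Role in wait.yaml grants get/watch/list on both `deployments` and `statefulsets`, but the Job only runs `wait-for deployment`, so the `statefulsets` entry is surplus privilege; the same pattern repeats in nginx-apex/wait.yaml, reloader/wait.yaml and vault/wait.yaml later in this commit. Trimming the rule to `resources: [deployments]` keeps each wait ServiceAccount at the minimum it needs. The toolkit image is also pinned by mutable tag only (`public.ecr.aws/kubefirst/kubernetes-toolkit:0.0.8`); since these Jobs run with a ServiceAccount in the target namespace, pinning by digest (`image: public.ecr.aws/kubefirst/kubernetes-toolkit@sha256:<digest-placeholder>`) would make the supply chain for the bootstrap path verifiable.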
diff --git a/akamai-gitlab/templates/mgmt/components/nginx-apex/config-map.yaml b/akamai-gitlab/templates/mgmt/components/nginx-apex/config-map.yaml new file mode 100644 index 000000000..a937cee8f --- /dev/null +++ b/akamai-gitlab/templates/mgmt/components/nginx-apex/config-map.yaml @@ -0,0 +1,109 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: index-html-configmap + namespace: default +data: + index.html: | + + + + + + + Kubefirst + + + + + + + +
+
+ +
+
+

Hello World!

+

+ Kubefirst has added this apex site at the domain’s apex to allow the Google bots to safely + onboard the cluster’s new domain. +

+

+ You can adjust this site in your new + kubefirst gitops repository. +

+

Learn more about this apex site.

+
+
+ + + \ No newline at end of file diff --git a/akamai-gitlab/templates/mgmt/components/nginx-apex/ingress.yaml b/akamai-gitlab/templates/mgmt/components/nginx-apex/ingress.yaml new file mode 100644 index 000000000..0b1f951b9 --- /dev/null +++ b/akamai-gitlab/templates/mgmt/components/nginx-apex/ingress.yaml @@ -0,0 +1,30 @@ +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: nginx-apex + namespace: default + labels: + app.kubernetes.io/name: nginx + app.kubernetes.io/instance: nginx + annotations: + kubernetes.io/ingress.class: nginx + + + + +spec: + rules: + - host: + http: + paths: + - path: / + pathType: ImplementationSpecific + backend: + service: + name: nginx + port: + name: http + tls: + - hosts: + - + secretName: nginx-apex-tls diff --git a/akamai-gitlab/templates/mgmt/components/nginx-apex/kustomization.yaml b/akamai-gitlab/templates/mgmt/components/nginx-apex/kustomization.yaml new file mode 100644 index 000000000..512cc53be --- /dev/null +++ b/akamai-gitlab/templates/mgmt/components/nginx-apex/kustomization.yaml @@ -0,0 +1,8 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +namespace: argocd + +resources: + - github.com:kubefirst/manifests.git/nginx/apex?ref=main + - ingress.yaml + - config-map.yaml diff --git a/akamai-gitlab/templates/mgmt/components/nginx-apex/wait.yaml b/akamai-gitlab/templates/mgmt/components/nginx-apex/wait.yaml new file mode 100644 index 000000000..c146d3562 --- /dev/null +++ b/akamai-gitlab/templates/mgmt/components/nginx-apex/wait.yaml 
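Review bot: The nginx-apex kustomization pulls `github.com:kubefirst/manifests.git/nginx/apex?ref=main`, an unpinned mutable branch, whereas this same commit moves the argocd kustomization to `github.com:konstructio/manifests.git/argocd/cloud?ref=v1.1.0`; a branch ref means whatever lands on `main` is auto-synced into the `default` namespace with `selfHeal` enabled. Pin it the same way, e.g. `- github.com:konstructio/manifests.git/nginx/apex?ref=v1.1.0` (confirm the path exists at that tag). In ingress.yaml, `kubernetes.io/ingress.class: nginx` is the deprecated annotation form; `spec.ingressClassName: nginx` is the supported equivalent on networking.k8s.io/v1.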
@@ -0,0 +1,59 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: k8s-toolkit-nginx-apex + namespace: nginx-apex +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: k8s-toolkit-nginx-apex + namespace: nginx-apex +rules: + - apiGroups: + - apps + resources: + - deployments + - statefulsets + verbs: + - get + - watch + - list +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: k8s-toolkit-nginx-apex + namespace: nginx-apex +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: k8s-toolkit-nginx-apex +subjects: + - kind: ServiceAccount + name: k8s-toolkit-nginx-apex + namespace: nginx-apex +--- +apiVersion: batch/v1 +kind: Job +metadata: + annotations: + argocd.argoproj.io/sync-wave: '20' + name: wait-nginx-apex + namespace: nginx-apex +spec: + template: + spec: + containers: + - args: + - wait-for + - deployment + - --namespace + - nginx-apex + - --label + - app.kubernetes.io/name=nginx-apex + image: public.ecr.aws/kubefirst/kubernetes-toolkit:0.0.8 + imagePullPolicy: IfNotPresent + name: wait + restartPolicy: OnFailure + serviceAccountName: k8s-toolkit-nginx-apex diff --git a/akamai-gitlab/templates/mgmt/components/reloader/application.yaml b/akamai-gitlab/templates/mgmt/components/reloader/application.yaml new file mode 100644 index 000000000..08dc04cdb --- /dev/null +++ b/akamai-gitlab/templates/mgmt/components/reloader/application.yaml 
@@ -0,0 +1,31 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: reloader + namespace: argocd + annotations: + argocd.argoproj.io/sync-wave: '10' +spec: + project: default + source: + repoURL: 'https://stakater.github.io/stakater-charts' + targetRevision: v1.0.10 + chart: reloader + helm: + values: |- + ignoreSecrets: false + destination: + server: 'https://kubernetes.default.svc' + namespace: reloader + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true + retry: + limit: 5 + backoff: + duration: 5s + maxDuration: 5m0s + factor: 2 diff --git a/akamai-gitlab/templates/mgmt/components/reloader/wait.yaml b/akamai-gitlab/templates/mgmt/components/reloader/wait.yaml new file mode 100644 index 000000000..1130124f4 --- /dev/null +++ b/akamai-gitlab/templates/mgmt/components/reloader/wait.yaml @@ -0,0 +1,59 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: k8s-toolkit-reloader + namespace: reloader +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: k8s-toolkit-reloader + namespace: reloader +rules: + - apiGroups: + - apps + resources: + - deployments + - statefulsets + verbs: + - get + - watch + - list +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: k8s-toolkit-reloader + namespace: reloader +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: k8s-toolkit-reloader +subjects: + - kind: ServiceAccount + name: k8s-toolkit-reloader + namespace: reloader +--- +apiVersion: batch/v1 +kind: Job +metadata: + annotations: + argocd.argoproj.io/sync-wave: '20' + name: wait-reloader + namespace: reloader +spec: + template: + spec: + containers: + - args: + - wait-for + - deployment + - --namespace + - reloader + - --label + - app=reloader-reloader + image: public.ecr.aws/kubefirst/kubernetes-toolkit:0.0.8 + imagePullPolicy: IfNotPresent + name: wait + restartPolicy: OnFailure + serviceAccountName: k8s-toolkit-reloader 
diff --git a/akamai-gitlab/templates/mgmt/components/secrets/externalsecret.yaml b/akamai-gitlab/templates/mgmt/components/secrets/externalsecret.yaml new file mode 100644 index 000000000..ce0d29df5 --- /dev/null +++ b/akamai-gitlab/templates/mgmt/components/secrets/externalsecret.yaml @@ -0,0 +1,15 @@ +# apiVersion: external-secrets.io/v1beta1 +# kind: ExternalSecret +# metadata: +# name: external-dns-secrets +# namespace: external-dns +# spec: +# target: +# name: external-dns-secrets +# secretStoreRef: +# kind: ClusterSecretStore +# name: vault-kv-secret +# refreshInterval: 10s +# dataFrom: +# - extract: +# key: /external-dns diff --git a/akamai-gitlab/templates/mgmt/components/vault/application.yaml b/akamai-gitlab/templates/mgmt/components/vault/application.yaml new file mode 100644 index 000000000..b36ebd549 --- /dev/null +++ b/akamai-gitlab/templates/mgmt/components/vault/application.yaml 
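Review bot: secrets/externalsecret.yaml is entirely commented out, so the file renders as an empty manifest and the `external-dns-secrets` ExternalSecret it describes is never created for the mgmt cluster. If the resource is intentionally disabled, a one-line header such as `# Disabled: external-dns credentials for the mgmt cluster are provided by <component-placeholder>` would tell the next reader why; otherwise delete the file rather than carrying dead YAML that Argo CD will happily sync as nothing.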
@@ -0,0 +1,71 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: vault + namespace: argocd + annotations: + argocd.argoproj.io/sync-wave: '10' +spec: + project: default + source: + repoURL: https://helm.releases.hashicorp.com + targetRevision: 0.22.0 + helm: + values: |- + server: + affinity: "" + ha: + enabled: true + replicas: 3 + raft: + enabled: true + setNodeId: true + config: | + ui = true + listener "tcp" { + tls_disable = 1 + address = "[::]:8200" + cluster_address = "[::]:8201" + } + storage "raft" { + path = "/vault/data" + } + service_registration "kubernetes" {} + ingress: + enabled: true + annotations: + + + + + ingressClassName: "nginx" + pathType: Prefix + # When HA mode is enabled and K8s service registration is being used, + # configure the ingress to point to the Vault active service. + # activeService: true + hosts: + - host: vault. + tls: + - secretName: vault-tls + hosts: + - vault. + ui: + enabled: true + serviceType: "ClusterIP" + serviceNodePort: null + externalPort: 8200 + chart: vault + destination: + name: in-cluster + namespace: vault + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true + ignoreDifferences: + - group: admissionregistration.k8s.io + kind: MutatingWebhookConfiguration + jsonPointers: + - /webhooks diff --git a/akamai-gitlab/templates/mgmt/components/vault/cloudflareissuer.yaml b/akamai-gitlab/templates/mgmt/components/vault/cloudflareissuer.yaml new file mode 100644 index 000000000..f5ea945b7 --- /dev/null +++ b/akamai-gitlab/templates/mgmt/components/vault/cloudflareissuer.yaml 
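Review bot: The Vault listener is configured with `tls_disable = 1`, so every token and secret exchanged between in-cluster clients (including the ingress controller terminating the `vault-tls` certificate) and the Vault pods crosses the pod network in plaintext; TLS only exists at the ingress edge. Consider serving TLS on the listener itself (`tls_disable = 0` with `tls_cert_file`/`tls_key_file` mounted from a secret) and switching the ingress to backend TLS, or at least record in a comment above `listener "tcp"` that plaintext intra-cluster traffic is an accepted risk. The `ignoreDifferences` on `MutatingWebhookConfiguration` `/webhooks` also silences drift on the injector's admission config, which is exactly the field a tampered webhook would change; narrowing it to the caBundle path, as the external-secrets Application in this commit does, would keep the rest under Argo CD's eye.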
@@ -0,0 +1,31 @@
+# apiVersion: external-secrets.io/v1beta1
+# kind: ExternalSecret
+# metadata:
+# name: cloudflare-creds
+# namespace: vault
+# annotations:
+# argocd.argoproj.io/sync-wave: "0"
+# spec:
+# target:
+# name: cloudflare-creds
+# secretStoreRef:
+# kind: ClusterSecretStore
+# name: vault-kv-secret
+# refreshInterval: 10s
+# data:
+# - remoteRef:
+# key: cloudflare
+# property: origin-ca-api-key
+# secretKey: origin-ca-api-key
+# ---
+apiVersion: cert-manager.k8s.cloudflare.com/v1
+kind: OriginIssuer
+metadata:
+ name: cloudflare-origin-issuer
+ namespace: vault
+spec:
+ requestType: OriginECC
+ auth:
+ serviceKeyRef:
+ key: origin-ca-api-key
+ name: cloudflare-creds
diff --git a/akamai-gitlab/templates/mgmt/components/vault/wait.yaml b/akamai-gitlab/templates/mgmt/components/vault/wait.yaml
new file mode 100644
index 000000000..5b40231bc
--- /dev/null
+++ b/akamai-gitlab/templates/mgmt/components/vault/wait.yaml
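Review bot: The live `OriginIssuer` in namespace `vault` references `serviceKeyRef.name: cloudflare-creds`, but the ExternalSecret that would create `cloudflare-creds` in that namespace is commented out above it, and the only active ExternalSecret with that name elsewhere in this commit targets namespace `kubefirst`. Unless another component populates the secret in `vault`, this issuer will sit in an error state and any Certificate bound to it will never be issued. Either uncomment the ExternalSecret block or add a comment pointing to where `vault/cloudflare-creds` comes from.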
@@ -0,0 +1,87 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: k8s-toolkit + namespace: vault +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: k8s-toolkit + namespace: vault +rules: + - apiGroups: + - apps + resources: + - deployments + - statefulsets + verbs: + - get + - watch + - list + - apiGroups: + - '' + resources: + - secrets + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: k8s-toolkit + namespace: vault +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: k8s-toolkit +subjects: + - kind: ServiceAccount + name: k8s-toolkit + namespace: vault +--- +apiVersion: batch/v1 +kind: Job +metadata: + annotations: + argocd.argoproj.io/sync-wave: '20' + name: wait-vault-unseal + namespace: vault +spec: + template: + spec: + containers: + - args: + - wait-for + - vault-unseal + image: public.ecr.aws/kubefirst/kubernetes-toolkit:0.0.8 + imagePullPolicy: IfNotPresent + name: wait + restartPolicy: OnFailure + serviceAccountName: k8s-toolkit +--- +apiVersion: batch/v1 +kind: Job +metadata: + annotations: + argocd.argoproj.io/sync-wave: '21' + name: wait-vault-init-complete + namespace: vault +spec: + template: + spec: + containers: + - args: + - wait-for + - vault-init-complete + image: public.ecr.aws/kubefirst/kubernetes-toolkit:0.0.8 + imagePullPolicy: IfNotPresent + name: wait + env: + - name: VAULT_TOKEN + valueFrom: + secretKeyRef: + name: vault-unseal-secret + key: root-token + restartPolicy: OnFailure + serviceAccountName: k8s-toolkit diff --git a/akamai-gitlab/templates/mgmt/crossplane.yaml b/akamai-gitlab/templates/mgmt/crossplane.yaml new file mode 100644 index 000000000..2b750e840 --- /dev/null +++ b/akamai-gitlab/templates/mgmt/crossplane.yaml 
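Review bot: The `wait-vault-init-complete` Job injects the Vault root token (`vault-unseal-secret` / `root-token`) into the container environment as `VAULT_TOKEN`, and the `k8s-toolkit` Role grants `get` on every Secret in the `vault` namespace rather than on the one the job needs. Scope the rule with `resourceNames: [vault-unseal-secret]` (assuming that is what `wait-for vault-unseal` reads; verify against the toolkit), and add `ttlSecondsAfterFinished` to both Jobs so the completed pods holding the token in their environment are garbage-collected instead of lingering after wave 21. If the readiness check can be done with a token that only has read on the init status path, a root token should not be handed to a bootstrap pod at all.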
@@ -0,0 +1,25 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: crossplane-components + namespace: argocd + annotations: + argocd.argoproj.io/sync-wave: '60' + finalizers: + - resources-finalizer.argocd.argoproj.io +spec: + project: default + source: + repoURL: + path: registry/clusters//components/crossplane + targetRevision: HEAD + destination: + name: in-cluster + namespace: crossplane-system + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true + - Replace=true diff --git a/akamai-gitlab/templates/mgmt/development.yaml b/akamai-gitlab/templates/mgmt/development.yaml new file mode 100644 index 000000000..430831071 --- /dev/null +++ b/akamai-gitlab/templates/mgmt/development.yaml @@ -0,0 +1,24 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: development + namespace: argocd + finalizers: + - resources-finalizer.argocd.argoproj.io + annotations: + argocd.argoproj.io/sync-wave: '60' +spec: + project: default + source: + repoURL: + path: registry/environments/development + targetRevision: HEAD + destination: + name: in-cluster + namespace: development + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true diff --git a/akamai-gitlab/templates/mgmt/external-dns.yaml b/akamai-gitlab/templates/mgmt/external-dns.yaml new file mode 100644 index 000000000..198f60a7d --- /dev/null +++ b/akamai-gitlab/templates/mgmt/external-dns.yaml @@ -0,0 +1,22 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: external-dns-components + namespace: argocd + annotations: + argocd.argoproj.io/sync-wave: '10' +spec: + project: default + source: + repoURL: + path: registry/clusters//components/external-dns + targetRevision: HEAD + destination: + name: in-cluster + namespace: external-dns + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true 
diff --git a/akamai-gitlab/templates/mgmt/external-secrets-operator.yaml b/akamai-gitlab/templates/mgmt/external-secrets-operator.yaml new file mode 100644 index 000000000..e0cbe9eca --- /dev/null +++ b/akamai-gitlab/templates/mgmt/external-secrets-operator.yaml @@ -0,0 +1,22 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: external-secrets-operator-components + namespace: argocd + annotations: + argocd.argoproj.io/sync-wave: '30' +spec: + project: default + source: + repoURL: + path: registry/clusters//components/external-secrets-operator + targetRevision: HEAD + destination: + name: in-cluster + namespace: external-secrets-operator + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true diff --git a/akamai-gitlab/templates/mgmt/github-runner.yaml b/akamai-gitlab/templates/mgmt/github-runner.yaml new file mode 100644 index 000000000..6478d6846 --- /dev/null +++ b/akamai-gitlab/templates/mgmt/github-runner.yaml @@ -0,0 +1,31 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: github-runner-components + namespace: argocd + annotations: + argocd.argoproj.io/sync-wave: '60' +spec: + project: default + source: + repoURL: + path: registry/clusters//components/github-runner + targetRevision: HEAD + destination: + name: in-cluster + namespace: github-runner + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true + - ApplyOutOfSyncOnly=true + - Replace=true + - PruneLast=true + retry: + limit: 5 + backoff: + duration: 5s + maxDuration: 5m0s + factor: 2 diff --git a/akamai-gitlab/templates/mgmt/ingress-nginx.yaml b/akamai-gitlab/templates/mgmt/ingress-nginx.yaml new file mode 100644 index 000000000..aba47a9a4 --- /dev/null +++ b/akamai-gitlab/templates/mgmt/ingress-nginx.yaml 
@@ -0,0 +1,22 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: ingress-nginx-components + namespace: argocd + annotations: + argocd.argoproj.io/sync-wave: '10' +spec: + project: default + source: + repoURL: + path: registry/clusters//components/ingress-nginx + targetRevision: HEAD + destination: + name: in-cluster + namespace: ingress-nginx + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true diff --git a/akamai-gitlab/templates/mgmt/kubefirst.yaml b/akamai-gitlab/templates/mgmt/kubefirst.yaml new file mode 100644 index 000000000..41dbd85a9 --- /dev/null +++ b/akamai-gitlab/templates/mgmt/kubefirst.yaml @@ -0,0 +1,22 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: kubefirst-components + namespace: argocd + annotations: + argocd.argoproj.io/sync-wave: '70' +spec: + project: default + source: + repoURL: + path: registry/clusters//components/kubefirst + targetRevision: HEAD + destination: + name: in-cluster + namespace: kubefirst + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true diff --git a/akamai-gitlab/templates/mgmt/nginx-apex.yaml b/akamai-gitlab/templates/mgmt/nginx-apex.yaml new file mode 100644 index 000000000..4c2772a73 --- /dev/null +++ b/akamai-gitlab/templates/mgmt/nginx-apex.yaml @@ -0,0 +1,24 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + finalizers: + - resources-finalizer.argocd.argoproj.io + name: nginx-apex-components + namespace: argocd + annotations: + argocd.argoproj.io/sync-wave: '11' +spec: + project: default + source: + repoURL: + path: registry/clusters//components/nginx-apex + targetRevision: HEAD + destination: + name: in-cluster + namespace: default + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true 
diff --git a/akamai-gitlab/templates/mgmt/production.yaml b/akamai-gitlab/templates/mgmt/production.yaml new file mode 100644 index 000000000..0751a6496 --- /dev/null +++ b/akamai-gitlab/templates/mgmt/production.yaml @@ -0,0 +1,24 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: production + namespace: argocd + finalizers: + - resources-finalizer.argocd.argoproj.io + annotations: + argocd.argoproj.io/sync-wave: '60' +spec: + project: default + source: + repoURL: + path: registry/environments/production + targetRevision: HEAD + destination: + name: in-cluster + namespace: production + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true diff --git a/akamai-gitlab/templates/mgmt/registry.yaml b/akamai-gitlab/templates/mgmt/registry.yaml new file mode 100644 index 000000000..74b3224d8 --- /dev/null +++ b/akamai-gitlab/templates/mgmt/registry.yaml @@ -0,0 +1,30 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: registry + namespace: argocd + annotations: + argocd.argoproj.io/sync-wave: '1001' + finalizers: + - resources-finalizer.argocd.argoproj.io +spec: + project: default + source: + repoURL: + path: registry/clusters/ + targetRevision: HEAD + destination: + server: https://kubernetes.default.svc + namespace: argocd + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true + retry: + limit: 5 + backoff: + duration: 5s + maxDuration: 5m0s + factor: 2 diff --git a/akamai-gitlab/templates/mgmt/reloader.yaml b/akamai-gitlab/templates/mgmt/reloader.yaml new file mode 100644 index 000000000..84503375c --- /dev/null +++ b/akamai-gitlab/templates/mgmt/reloader.yaml 
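Review bot: registry.yaml uses `destination.server: https://kubernetes.default.svc` while every sibling Application in this directory uses `destination.name: in-cluster`; secrets.yaml on the next line does the same and additionally omits `destination.namespace`. Both forms resolve to the local cluster, but mixing them makes AppProject destination allow-lists harder to write correctly, so standardising on `name: in-cluster` (and giving `secrets` an explicit namespace) would be cleaner.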
@@ -0,0 +1,22 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: reloader-components + namespace: argocd + annotations: + argocd.argoproj.io/sync-wave: '60' +spec: + project: default + source: + repoURL: + path: registry/clusters//components/reloader + targetRevision: HEAD + destination: + name: in-cluster + namespace: reloader + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true diff --git a/akamai-gitlab/templates/mgmt/secrets.yaml b/akamai-gitlab/templates/mgmt/secrets.yaml new file mode 100644 index 000000000..3cd7d3c35 --- /dev/null +++ b/akamai-gitlab/templates/mgmt/secrets.yaml @@ -0,0 +1,25 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: secrets + namespace: argocd + annotations: + argocd.argoproj.io/sync-wave: '120' +spec: + project: default + source: + repoURL: + path: registry/clusters//components/secrets + targetRevision: HEAD + destination: + server: https://kubernetes.default.svc + syncPolicy: + automated: + prune: true + selfHeal: true + retry: + limit: 5 + backoff: + duration: 5s + maxDuration: 5m0s + factor: 2 diff --git a/akamai-gitlab/templates/mgmt/staging.yaml b/akamai-gitlab/templates/mgmt/staging.yaml new file mode 100644 index 000000000..c75c684a6 --- /dev/null +++ b/akamai-gitlab/templates/mgmt/staging.yaml @@ -0,0 +1,24 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: staging + namespace: argocd + finalizers: + - resources-finalizer.argocd.argoproj.io + annotations: + argocd.argoproj.io/sync-wave: '60' +spec: + project: default + source: + repoURL: + path: registry/environments/staging + targetRevision: HEAD + destination: + name: in-cluster + namespace: staging + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true diff --git a/akamai-gitlab/templates/mgmt/vault.yaml b/akamai-gitlab/templates/mgmt/vault.yaml new file mode 100644 index 000000000..31220c4f3 --- /dev/null 
+++ b/akamai-gitlab/templates/mgmt/vault.yaml @@ -0,0 +1,22 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: vault-components + namespace: argocd + annotations: + argocd.argoproj.io/sync-wave: '20' +spec: + project: default + source: + repoURL: + path: registry/clusters//components/vault + targetRevision: HEAD + destination: + name: in-cluster + namespace: vault + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true diff --git a/akamai-gitlab/templates/workload-cluster/0-providerconfig.yaml b/akamai-gitlab/templates/workload-cluster/0-providerconfig.yaml new file mode 100644 index 000000000..cac4df032 --- /dev/null +++ b/akamai-gitlab/templates/workload-cluster/0-providerconfig.yaml @@ -0,0 +1,24 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: -provider-config + namespace: argocd + finalizers: + - resources-finalizer.argocd.argoproj.io + annotations: + argocd.argoproj.io/sync-wave: '0' +spec: + project: default + source: + repoURL: + path: registry/clusters//provider-config + targetRevision: HEAD + destination: + name: in-cluster + namespace: crossplane-system + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true diff --git a/akamai-gitlab/templates/workload-cluster/10-infrastructure.yaml b/akamai-gitlab/templates/workload-cluster/10-infrastructure.yaml new file mode 100644 index 000000000..5e2a0defc --- /dev/null +++ b/akamai-gitlab/templates/workload-cluster/10-infrastructure.yaml 
@@ -0,0 +1,24 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: -infrastructure + namespace: argocd + finalizers: + - resources-finalizer.argocd.argoproj.io + annotations: + argocd.argoproj.io/sync-wave: '10' +spec: + project: default + source: + repoURL: + path: registry/clusters//infrastructure + targetRevision: HEAD + destination: + name: in-cluster + namespace: + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true diff --git a/akamai-gitlab/templates/workload-cluster/20-argocd-connection.yaml b/akamai-gitlab/templates/workload-cluster/20-argocd-connection.yaml new file mode 100644 index 000000000..a8536ee9a --- /dev/null +++ b/akamai-gitlab/templates/workload-cluster/20-argocd-connection.yaml 
@@ -0,0 +1,63 @@ +apiVersion: "external-secrets.io/v1beta1" +kind: ExternalSecret +metadata: + name: + annotations: + argocd.argoproj.io/sync-wave: '20' + labels: + app.kubernetes.io/part-of: argocd +spec: + target: + name: + template: + metadata: + labels: + argocd.argoproj.io/secret-type: cluster + engineVersion: v2 + data: + name: "{{ .cluster_name }}" + server: "{{ .host }}" + clusterResources: "true" + config: | + { + "bearerToken": "{{ .argocd_manager_sa_token }}", + "tlsClientConfig": { + "caData": "{{ .cluster_ca_certificate | b64enc }}", + "certData": "{{ .client_certificate | b64enc }}", + "insecure": false, + "keyData": "{{ .client_key | b64enc }}" + } + } + secretStoreRef: + kind: ClusterSecretStore + name: vault-kv-secret + refreshInterval: 10s + data: + - remoteRef: + key: clusters/ + property: argocd_manager_sa_token + secretKey: argocd_manager_sa_token + - remoteRef: + key: clusters/ + property: host + secretKey: host + - remoteRef: + key: clusters/ + property: cluster_name + secretKey: cluster_name + - remoteRef: + key: clusters/ + property: cluster_ca_certificate + conversionStrategy: Default + secretKey: cluster_ca_certificate + - remoteRef: + key: clusters/ + property: client_certificate + conversionStrategy: Default + secretKey: client_certificate + - remoteRef: + key: clusters/ + property: client_key + conversionStrategy: Default + secretKey: client_key + diff --git a/akamai-gitlab/templates/workload-cluster/30-cert-manager.yaml b/akamai-gitlab/templates/workload-cluster/30-cert-manager.yaml new file mode 100644 index 000000000..c5d4cb25d --- /dev/null +++ b/akamai-gitlab/templates/workload-cluster/30-cert-manager.yaml 
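Review bot: The ExternalSecret that materialises the Argo CD cluster secret has no `metadata.namespace`, so it relies on the applying Application's destination to land it in `argocd`; if it is ever applied elsewhere, the `argocd.argoproj.io/secret-type: cluster` label will not be picked up and the workload cluster silently never registers. An explicit `namespace: argocd` under `metadata` removes that dependency. The template also polls Vault every `10s` for six long-lived credential fields (bearer token, client cert/key, CA); a longer `refreshInterval` (for example `1h`) is usually sufficient for cluster credentials and keeps the Vault audit log readable. The enclosing ExternalSecret ends at the trailing blank line of this hunk.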
@@ -0,0 +1,30 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: -cert-manager + namespace: argocd + finalizers: + - resources-finalizer.argocd.argoproj.io + annotations: + argocd.argoproj.io/sync-wave: '30' +spec: + project: + source: + repoURL: https://charts.jetstack.io + targetRevision: v1.14.4 + helm: + values: |- + serviceAccount: + create: true + name: cert-manager + installCRDs: true + chart: cert-manager + destination: + name: + namespace: cert-manager + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true diff --git a/akamai-gitlab/templates/workload-cluster/30-external-dns.yaml b/akamai-gitlab/templates/workload-cluster/30-external-dns.yaml new file mode 100644 index 000000000..ec20e60b4 --- /dev/null +++ b/akamai-gitlab/templates/workload-cluster/30-external-dns.yaml @@ -0,0 +1,42 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: -external-dns + namespace: argocd + annotations: + argocd.argoproj.io/sync-wave: '30' +spec: + project: + source: + repoURL: https://kubernetes-sigs.github.io/external-dns + targetRevision: 1.14.4 + helm: + releaseName: external-dns + values: | + image: + repository: registry.k8s.io/external-dns/external-dns + tag: "v0.13.2" + serviceAccount: + create: true + name: external-dns + provider: + sources: + - ingress + domainFilters: + - + env: + - name: + valueFrom: + secretKeyRef: + name: external-dns-secrets + key: token + chart: external-dns + destination: + name: + namespace: external-dns + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true diff --git a/akamai-gitlab/templates/workload-cluster/30-external-secrets-operator.yaml b/akamai-gitlab/templates/workload-cluster/30-external-secrets-operator.yaml new file mode 100644 index 000000000..c09c2bc73 --- /dev/null +++ b/akamai-gitlab/templates/workload-cluster/30-external-secrets-operator.yaml 
@@ -0,0 +1,71 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: -external-secrets-operator
+ namespace: argocd
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+ annotations:
+ argocd.argoproj.io/sync-wave: '30'
+spec:
+ project:
+ source:
+ repoURL: https://charts.external-secrets.io
+ targetRevision: 0.8.1
+ helm:
+ values: |-
+ serviceAccount:
+ create: false
+ name: external-secrets
+ chart: external-secrets
+ destination:
+ name:
+ namespace: external-secrets-operator
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
+ - RespectIgnoreDifferences=true
+ ignoreDifferences:
+ - group: apiextensions.k8s.io
+ kind: CustomResourceDefinition
+ jqPathExpressions:
+ - .spec.conversion.webhook.clientConfig.caBundle
+ - .spec.conversion.webhook.clientConfig.service.name
+ - .spec.conversion.webhook.clientConfig.service.namespace
+ - group: admissionregistration.k8s.io
+ kind: ValidatingWebhookConfiguration
+ jqPathExpressions:
+ - .webhooks[]?.clientConfig.caBundle
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: -eso-kubernetes-external-secrets-auth
+ annotations:
+ argocd.argoproj.io/sync-wave: '40'
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: 'system:auth-delegator'
+subjects:
+ - kind: ServiceAccount
+ name: external-secrets
+ namespace: external-secrets-operator
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: -eso-kubernetes-external-secrets-auth2
+ annotations:
+ argocd.argoproj.io/sync-wave: '40'
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: 'cluster-admin'
+subjects:
+ - kind: ServiceAccount
+ name: external-secrets
+ namespace: external-secrets-operator
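Review bot: The second ClusterRoleBinding (`-eso-kubernetes-external-secrets-auth2`) binds `cluster-admin` to the `external-secrets` ServiceAccount, which turns any compromise of the operator pod into full control of the workload cluster. Vault's Kubernetes auth path only needs the TokenReview/SubjectAccessReview rights that the first binding already grants via `system:auth-delegator`, and the chart's own RBAC covers the operator's CRD and Secret access. Remove the `cluster-admin` binding, or if a specific permission was found missing, bind a ClusterRole that lists exactly those verbs. Note also that the chart is installed with `serviceAccount.create: false`, so both bindings reference a ServiceAccount that nothing in this file creates; confirm where `external-secrets` in `external-secrets-operator` is provisioned before the wave-40 bindings are applied.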
diff --git a/akamai-gitlab/templates/workload-cluster/30-ingress-nginx.yaml b/akamai-gitlab/templates/workload-cluster/30-ingress-nginx.yaml new file mode 100644 index 000000000..7221cd66c --- /dev/null +++ b/akamai-gitlab/templates/workload-cluster/30-ingress-nginx.yaml @@ -0,0 +1,38 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: -ingress-nginx + namespace: argocd + finalizers: + - resources-finalizer.argocd.argoproj.io + annotations: + argocd.argoproj.io/sync-wave: '30' +spec: + project: + source: + repoURL: https://kubernetes.github.io/ingress-nginx + targetRevision: 4.10.0 + helm: + values: |- + controller: + podAnnotations: + linkerd.io/inject: enabled + ingressClass: nginx + publishService: + enabled: true + service: + annotations: + service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "https" + service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: "60" + extraArgs: + enable-ssl-passthrough: true + chart: ingress-nginx + destination: + name: + namespace: ingress-nginx + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true diff --git a/akamai-gitlab/templates/workload-cluster/30-reloader.yaml b/akamai-gitlab/templates/workload-cluster/30-reloader.yaml new file mode 100644 index 000000000..2336f6b12 --- /dev/null +++ b/akamai-gitlab/templates/workload-cluster/30-reloader.yaml @@ -0,0 +1,31 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: -reloader + namespace: argocd + annotations: + argocd.argoproj.io/sync-wave: '30' +spec: + project: + source: + repoURL: 'https://stakater.github.io/stakater-charts' + targetRevision: v1.0.10 + chart: reloader + helm: + values: |- + ignoreSecrets: false + destination: + name: + namespace: reloader + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true + retry: + limit: 5 + backoff: + duration: 5s + maxDuration: 5m0s + factor: 2 
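Review bot: The ingress-nginx values carry `service.beta.kubernetes.io/aws-load-balancer-*` annotations in an Akamai/Linode template, where they are no-ops and misleading to the next reader; these look copied from an AWS variant and should be dropped or replaced with the Linode cloud-controller annotations actually honoured there. `enable-ssl-passthrough: true` also starts the controller's TCP passthrough listener, so any Ingress later annotated for passthrough bypasses the controller's TLS termination and L7 policy; if nothing in this template needs it, leave it off. `linkerd.io/inject: enabled` is set as a pod annotation but no Linkerd component appears in this commit, so it is either inert or relies on something outside these templates.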
diff --git a/akamai-gitlab/templates/workload-cluster/40-cloudflare-origin-issuer-crd.yaml b/akamai-gitlab/templates/workload-cluster/40-cloudflare-origin-issuer-crd.yaml new file mode 100644 index 000000000..4f366651e --- /dev/null +++ b/akamai-gitlab/templates/workload-cluster/40-cloudflare-origin-issuer-crd.yaml @@ -0,0 +1,22 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: -cloudflare-origin-issuer-crd + namespace: argocd + annotations: + argocd.argoproj.io/sync-wave: '40' +spec: + project: + source: + repoURL: https://github.com/cloudflare/origin-ca-issuer + path: deploy/crds + targetRevision: v0.6.1 + destination: + name: + namespace: cert-manager + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true \ No newline at end of file diff --git a/akamai-gitlab/templates/workload-cluster/40-clusterissuers.yaml b/akamai-gitlab/templates/workload-cluster/40-clusterissuers.yaml new file mode 100644 index 000000000..e45d89d86 --- /dev/null +++ b/akamai-gitlab/templates/workload-cluster/40-clusterissuers.yaml @@ -0,0 +1,24 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: -cert-issuers + namespace: argocd + finalizers: + - resources-finalizer.argocd.argoproj.io + annotations: + argocd.argoproj.io/sync-wave: '40' +spec: + project: + source: + repoURL: + path: registry/clusters//cert-issuers + targetRevision: HEAD + destination: + name: + namespace: cert-manager + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true diff --git a/akamai-gitlab/templates/workload-cluster/40-clustersecretstore.yaml b/akamai-gitlab/templates/workload-cluster/40-clustersecretstore.yaml new file mode 100644 index 000000000..82bbdf5e3 --- /dev/null +++ b/akamai-gitlab/templates/workload-cluster/40-clustersecretstore.yaml 
@@ -0,0 +1,24 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: -cluster-secret-store + namespace: argocd + finalizers: + - resources-finalizer.argocd.argoproj.io + annotations: + argocd.argoproj.io/sync-wave: '40' +spec: + project: + source: + repoURL: + path: registry/clusters//cluster-secret-store + targetRevision: HEAD + destination: + name: + namespace: external-secrets-operator + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true diff --git a/akamai-gitlab/templates/workload-cluster/41-cloudflare-origin-ca-issuer.yaml b/akamai-gitlab/templates/workload-cluster/41-cloudflare-origin-ca-issuer.yaml new file mode 100644 index 000000000..851e73895 --- /dev/null +++ b/akamai-gitlab/templates/workload-cluster/41-cloudflare-origin-ca-issuer.yaml @@ -0,0 +1,32 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: -cloudflare-cloudflare-origin-ca-issuer + namespace: argocd + annotations: + argocd.argoproj.io/sync-wave: '41' +spec: + project: + source: + repoURL: ghcr.io/cloudflare/origin-ca-issuer-charts + chart: origin-ca-issuer + targetRevision: 0.5.2 + helm: + values: |- + global: + rbac: + create: true + controller: + image: + repository: cloudflare/origin-ca-issuer + tag: v0.6.1 + pullPolicy: Always + destination: + name: + namespace: cert-manager + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true \ No newline at end of file diff --git a/akamai-gitlab/templates/workload-cluster/45-cloudflare-origin-issuer.yaml b/akamai-gitlab/templates/workload-cluster/45-cloudflare-origin-issuer.yaml new file mode 100644 index 000000000..d118509ca --- /dev/null +++ b/akamai-gitlab/templates/workload-cluster/45-cloudflare-origin-issuer.yaml 
@@ -0,0 +1,24 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: -cloudflare-origin-issuer + namespace: argocd + finalizers: + - resources-finalizer.argocd.argoproj.io + annotations: + argocd.argoproj.io/sync-wave: '45' +spec: + project: + source: + repoURL: + path: registry/clusters//cloudflare-origin-issuer + targetRevision: HEAD + destination: + name: + namespace: + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true \ No newline at end of file diff --git a/akamai-gitlab/templates/workload-cluster/45-environment.yaml b/akamai-gitlab/templates/workload-cluster/45-environment.yaml new file mode 100644 index 000000000..66cba38b5 --- /dev/null +++ b/akamai-gitlab/templates/workload-cluster/45-environment.yaml @@ -0,0 +1,24 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: -environment + namespace: argocd + finalizers: + - resources-finalizer.argocd.argoproj.io + annotations: + argocd.argoproj.io/sync-wave: '45' +spec: + project: default + source: + repoURL: + path: registry/environments/ + targetRevision: HEAD + destination: + name: in-cluster + namespace: argocd + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true diff --git a/akamai-gitlab/templates/workload-cluster/appproject-workload-cluster.yaml b/akamai-gitlab/templates/workload-cluster/appproject-workload-cluster.yaml new file mode 100644 index 000000000..f3c94e429 --- /dev/null +++ b/akamai-gitlab/templates/workload-cluster/appproject-workload-cluster.yaml 
@@ -0,0 +1,55 @@ +apiVersion: argoproj.io/v1alpha1 +kind: AppProject +metadata: + name: + namespace: argocd + annotations: + argocd.argoproj.io/sync-wave: "-1" + finalizers: + - resources-finalizer.argocd.argoproj.io +spec: + description: description + sourceRepos: + - '' + - 'https://kubernetes.github.io/ingress-nginx' + - 'https://kubernetes-sigs.github.io/external-dns' + - 'https://charts.jetstack.io' + - 'https://charts.external-secrets.io' + - 'https://helm.datadoghq.com' + - 'https://stakater.github.io/stakater-charts' + - 'https://chartmuseum.' + - 'https://charts.loft.sh' + - 'https://github.com/cloudflare/origin-ca-issuer' + - 'https://cloudflare.github.io/origin-ca-issuer/charts' + - '*' # Adding wildcard for the gitops catalog. This wildcard can be removed from the template or after provisioning + destinations: + - namespace: external-dns + name: + - namespace: datadog + name: + - namespace: default + name: + - namespace: + name: + - namespace: external-secrets-operator + name: + - namespace: reloader + name: + - namespace: cert-manager + name: + - namespace: ingress-nginx + name: + - namespace: kube-system + name: + - namespace: '*' # Adding wildcard for the gitops catalog. This wildcard can be removed from the template or after provisioning + server: '*' # Adding wildcard for the gitops catalog. This wildcard can be removed from the template or after provisioning + clusterResourceWhitelist: + - group: '*' + kind: '*' + roles: + - description: -admin-role + groups: + - admins + name: admin-role + policies: + - p, proj::admin-role, applications, *, /*, allow diff --git a/akamai-gitlab/templates/workload-cluster/cert-issuers/clusterissuers.yaml b/akamai-gitlab/templates/workload-cluster/cert-issuers/clusterissuers.yaml new file mode 100644 index 000000000..97711a762 --- /dev/null +++ b/akamai-gitlab/templates/workload-cluster/cert-issuers/clusterissuers.yaml 
@@ -0,0 +1,29 @@ +apiVersion: cert-manager.io/v1 +kind: ClusterIssuer +metadata: + name: letsencrypt-staging +spec: + acme: + server: https://acme-staging-v02.api.letsencrypt.org/directory + email: + privateKeySecretRef: + name: letsencrypt-staging + solvers: + - http01: + ingress: + class: nginx +--- +apiVersion: cert-manager.io/v1 +kind: ClusterIssuer +metadata: + name: letsencrypt-prod +spec: + acme: + server: https://acme-v02.api.letsencrypt.org/directory + email: + privateKeySecretRef: + name: letsencrypt-prod + solvers: + - http01: + ingress: + class: nginx diff --git a/akamai-gitlab/templates/workload-cluster/cloudflare-origin-issuer/cloudflare-issuer.yaml b/akamai-gitlab/templates/workload-cluster/cloudflare-origin-issuer/cloudflare-issuer.yaml new file mode 100644 index 000000000..741e2760c --- /dev/null +++ b/akamai-gitlab/templates/workload-cluster/cloudflare-origin-issuer/cloudflare-issuer.yaml @@ -0,0 +1,31 @@ +# apiVersion: external-secrets.io/v1beta1 +# kind: ExternalSecret +# metadata: +# name: cloudflare-creds +# namespace: +# annotations: +# argocd.argoproj.io/sync-wave: "0" +# spec: +# target: +# name: cloudflare-creds +# secretStoreRef: +# kind: ClusterSecretStore +# name: -vault-kv-secret +# refreshInterval: 10s +# data: +# - remoteRef: +# key: cloudflare +# property: origin-ca-api-key +# secretKey: origin-ca-api-key +# --- +# apiVersion: cert-manager.k8s.cloudflare.com/v1 +# kind: OriginIssuer +# metadata: +# name: cloudflare-origin-issuer +# namespace: +# spec: +# requestType: OriginECC +# auth: +# serviceKeyRef: +# key: origin-ca-api-key +# name: cloudflare-creds \ No newline at end of file diff --git a/akamai-gitlab/templates/workload-cluster/cluster-secret-store/clustersecretstore.yaml b/akamai-gitlab/templates/workload-cluster/cluster-secret-store/clustersecretstore.yaml new file mode 100644 index 000000000..b6e90f68a --- /dev/null +++ b/akamai-gitlab/templates/workload-cluster/cluster-secret-store/clustersecretstore.yaml 
@@ -0,0 +1,18 @@ +apiVersion: external-secrets.io/v1beta1 +kind: ClusterSecretStore +metadata: + name: -vault-kv-secret + annotations: + argocd.argoproj.io/sync-wave: '10' +spec: + provider: + vault: + server: 'https://vault.' + path: 'secret' + version: 'v2' + auth: + # points to a secret that contains a vault token + # https://www.vaultproject.io/docs/auth/token + tokenSecretRef: + name: "-cluster-vault-bootstrap" + key: "vault-token" diff --git a/akamai-gitlab/templates/workload-cluster/infrastructure/wait.yaml b/akamai-gitlab/templates/workload-cluster/infrastructure/wait.yaml new file mode 100644 index 000000000..f409abaa6 --- /dev/null +++ b/akamai-gitlab/templates/workload-cluster/infrastructure/wait.yaml @@ -0,0 +1,24 @@ +apiVersion: batch/v1 +kind: Job +metadata: + name: -infrastructure-wait + namespace: argocd + annotations: + argocd.argoproj.io/sync-wave: "20" +spec: + template: + spec: + serviceAccountName: argocd-server + containers: + - name: wait + image: bitnami/kubectl:1.25.12 + command: + - /bin/sh + - -c + - | + while ! kubectl wait --for=jsonpath='{.status.conditions[0].status}'='True' workspace/; do echo "waiting for cluster to provision"; sleep 5; done + restartPolicy: Never + backoffLimit: 1 + + + diff --git a/akamai-gitlab/templates/workload-cluster/infrastructure/workspace.yaml b/akamai-gitlab/templates/workload-cluster/infrastructure/workspace.yaml new file mode 100644 index 000000000..8aba21372 --- /dev/null +++ b/akamai-gitlab/templates/workload-cluster/infrastructure/workspace.yaml 
@@ -0,0 +1,235 @@ +apiVersion: tf.upbound.io/v1beta1 +kind: Workspace +metadata: + name: + annotations: + argocd.argoproj.io/sync-wave: "10" + crossplane.io/external-name: +spec: + providerConfigRef: + name: + forProvider: + source: Inline + module: | + variable "instance_size" { + type = string + default = "g4s.kube.medium" + } + + variable "node_count" { + type = number + default = "" + } + + locals { + cluster_name = "" + } + + resource "civo_network" "kubefirst" { + label = local.cluster_name + } + + resource "civo_firewall" "kubefirst" { + name = local.cluster_name + network_id = civo_network.kubefirst.id + create_default_rules = true + } + + resource "civo_kubernetes_cluster" "kubefirst" { + name = local.cluster_name + network_id = civo_network.kubefirst.id + firewall_id = civo_firewall.kubefirst.id + pools { + label = local.cluster_name + size = var.instance_size + node_count = var.node_count + } + } + + resource "vault_generic_secret" "clusters" { + path = "secret/clusters/${local.cluster_name}" + + data_json = jsonencode( + { + kubeconfig = civo_kubernetes_cluster.kubefirst.kubeconfig + client_certificate = base64decode(yamldecode(civo_kubernetes_cluster.kubefirst.kubeconfig).users[0].user.client-certificate-data) + client_key = base64decode(yamldecode(civo_kubernetes_cluster.kubefirst.kubeconfig).users[0].user.client-key-data) + cluster_ca_certificate = base64decode(yamldecode(civo_kubernetes_cluster.kubefirst.kubeconfig).clusters[0].cluster.certificate-authority-data) + host = civo_kubernetes_cluster.kubefirst.api_endpoint + cluster_name = local.cluster_name + argocd_manager_sa_token = kubernetes_secret_v1.argocd_manager.data.token + } + ) + } + + provider "kubernetes" { + host = civo_kubernetes_cluster.kubefirst.api_endpoint + client_certificate = base64decode(yamldecode(civo_kubernetes_cluster.kubefirst.kubeconfig).users[0].user.client-certificate-data) + client_key = 
base64decode(yamldecode(civo_kubernetes_cluster.kubefirst.kubeconfig).users[0].user.client-key-data) + cluster_ca_certificate = base64decode(yamldecode(civo_kubernetes_cluster.kubefirst.kubeconfig).clusters[0].cluster.certificate-authority-data) + } + + resource "kubernetes_cluster_role_v1" "argocd_manager" { + metadata { + name = "argocd-manager-role" + } + + rule { + api_groups = ["*"] + resources = ["*"] + verbs = ["*"] + } + rule { + non_resource_urls = ["*"] + verbs = ["*"] + } + } + + + resource "kubernetes_cluster_role_binding_v1" "argocd_manager" { + metadata { + name = "argocd-manager-role-binding" + } + role_ref { + api_group = "rbac.authorization.k8s.io" + kind = "ClusterRole" + name = kubernetes_cluster_role_v1.argocd_manager.metadata.0.name + } + subject { + kind = "ServiceAccount" + name = kubernetes_service_account_v1.argocd_manager.metadata.0.name + namespace = "kube-system" + } + } + + resource "kubernetes_service_account_v1" "argocd_manager" { + metadata { + name = "argocd-manager" + namespace = "kube-system" + } + secret { + name = "argocd-manager-token" + } + } + + resource "kubernetes_secret_v1" "argocd_manager" { + metadata { + name = "argocd-manager-token" + namespace = "kube-system" + annotations = { + "kubernetes.io/service-account.name" = "argocd-manager" + } + } + type = "kubernetes.io/service-account-token" + depends_on = [ kubernetes_service_account_v1.argocd_manager ] + } + + resource "kubernetes_namespace_v1" "external_dns" { + metadata { + name = "external-dns" + } + } + + data "vault_generic_secret" "external_dns" { + path = "secret/external-dns" + } + + resource "kubernetes_secret_v1" "external_dns" { + metadata { + name = "external-dns-secrets" + namespace = kubernetes_namespace_v1.external_dns.metadata.0.name + } + data = { + token = data.vault_generic_secret.external_dns.data["token"] + } + type = "Opaque" + } + + + resource "kubernetes_namespace_v1" "external_secrets_operator" { + metadata { + name = "external-secrets-operator" 
+ } + } + + resource "kubernetes_namespace_v1" "environment" { + metadata { + name = "" + } + } + + data "vault_generic_secret" "docker_config" { + path = "secret/dockerconfigjson" + } + + resource "kubernetes_secret_v1" "image_pull" { + metadata { + name = "docker-config" + namespace = kubernetes_namespace_v1.environment.metadata.0.name + } + + data = { + ".dockerconfigjson" = data.vault_generic_secret.docker_config.data["dockerconfig"] + } + + type = "kubernetes.io/dockerconfigjson" + } + + data "vault_generic_secret" "external_secrets_operator" { + path = "secret/atlantis" + } + + resource "kubernetes_secret_v1" "external_secrets_operator_environment" { + metadata { + name = "${local.cluster_name}-cluster-vault-bootstrap" + namespace = kubernetes_namespace_v1.environment.metadata.0.name + } + data = { + vault-token = data.vault_generic_secret.external_secrets_operator.data["VAULT_TOKEN"] + } + type = "Opaque" + } + + resource "kubernetes_secret_v1" "external_secrets_operator" { + metadata { + name = "${local.cluster_name}-cluster-vault-bootstrap" + namespace = kubernetes_namespace_v1.external_secrets_operator.metadata.0.name + } + data = { + vault-token = data.vault_generic_secret.external_secrets_operator.data["VAULT_TOKEN"] + } + type = "Opaque" + } + + resource "kubernetes_service_account_v1" "external_secrets" { + metadata { + name = "external-secrets" + namespace = kubernetes_namespace_v1.external_secrets_operator.metadata.0.name + } + secret { + name = "external-secrets-token" + } + } + + resource "kubernetes_secret_v1" "external_secrets" { + metadata { + name = "external-secrets-token" + namespace = kubernetes_namespace_v1.external_secrets_operator.metadata.0.name + annotations = { + "kubernetes.io/service-account.name" = "external-secrets" + } + } + type = "kubernetes.io/service-account-token" + depends_on = [ kubernetes_service_account_v1.external_secrets ] + } + + resource "kubernetes_config_map" "kubefirst_cm" { + metadata { + name = "kubefirst-cm" + 
namespace = "kube-system" + } + + data = { + mgmt_cluster_id = "" + } + } \ No newline at end of file diff --git a/akamai-gitlab/templates/workload-cluster/provider-config/providerconfig.yaml b/akamai-gitlab/templates/workload-cluster/provider-config/providerconfig.yaml new file mode 100644 index 000000000..584031233 --- /dev/null +++ b/akamai-gitlab/templates/workload-cluster/provider-config/providerconfig.yaml @@ -0,0 +1,51 @@ +apiVersion: tf.upbound.io/v1beta1 +kind: ProviderConfig +metadata: + name: + annotations: + argocd.argoproj.io/sync-wave: "-1" +spec: + configuration: | + terraform { + backend "s3" { + bucket = "" + key = "registry/clusters//infrastructure/provider-config/terraform.tfstate" + endpoint = "https://us-east-1.linodeobjects.com" + + region = "" + + skip_credentials_validation = true + skip_metadata_api_check = true + skip_region_validation = true + force_path_style = true + } + required_providers { + civo = { + source = "civo/civo" + } + kubernetes = { + source = "hashicorp/kubernetes" + version = "2.23.0" + } + vault = { + source = "hashicorp/vault" + version = "3.19.0" + } + } + } + provider "civo" { + region = "" + } + credentials: + - filename: gen-nothing + source: None + secretRef: + namespace: crossplane-system + name: civo-creds + key: token + - filename: .git-credentials + source: Secret + secretRef: + namespace: crossplane-system + name: git-credentials + key: creds diff --git a/akamai-gitlab/templates/workload-cluster/registry-workload-cluster.yaml b/akamai-gitlab/templates/workload-cluster/registry-workload-cluster.yaml new file mode 100644 index 000000000..f925b88dd --- /dev/null +++ b/akamai-gitlab/templates/workload-cluster/registry-workload-cluster.yaml 
@@ -0,0 +1,30 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: registry- + namespace: argocd + annotations: + argocd.argoproj.io/sync-wave: '100' + finalizers: + - resources-finalizer.argocd.argoproj.io +spec: + project: default + source: + repoURL: + path: registry/clusters/ + targetRevision: HEAD + destination: + server: https://kubernetes.default.svc + namespace: argocd + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true + retry: + limit: 5 + backoff: + duration: 5s + maxDuration: 5m0s + factor: 2 diff --git a/akamai-gitlab/templates/workload-cluster/workload-cluster-environment/metaphor.yaml b/akamai-gitlab/templates/workload-cluster/workload-cluster-environment/metaphor.yaml new file mode 100644 index 000000000..e8a66cfc7 --- /dev/null +++ b/akamai-gitlab/templates/workload-cluster/workload-cluster-environment/metaphor.yaml @@ -0,0 +1,27 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: -metaphor + namespace: argocd + finalizers: + - resources-finalizer.argocd.argoproj.io + annotations: + argocd.argoproj.io/sync-wave: '100' +spec: + project: default + source: + repoURL: + path: registry/environments//metaphor + targetRevision: HEAD + helm: + valueFiles: + - values.yaml + destination: + name: + namespace: + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true \ No newline at end of file diff --git a/akamai-gitlab/templates/workload-vcluster/0-providerconfig.yaml b/akamai-gitlab/templates/workload-vcluster/0-providerconfig.yaml new file mode 100644 index 000000000..cac4df032 --- /dev/null +++ b/akamai-gitlab/templates/workload-vcluster/0-providerconfig.yaml 
@@ -0,0 +1,24 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: -provider-config + namespace: argocd + finalizers: + - resources-finalizer.argocd.argoproj.io + annotations: + argocd.argoproj.io/sync-wave: '0' +spec: + project: default + source: + repoURL: + path: registry/clusters//provider-config + targetRevision: HEAD + destination: + name: in-cluster + namespace: crossplane-system + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true diff --git a/akamai-gitlab/templates/workload-vcluster/10-infrastructure.yaml b/akamai-gitlab/templates/workload-vcluster/10-infrastructure.yaml new file mode 100644 index 000000000..5e2a0defc --- /dev/null +++ b/akamai-gitlab/templates/workload-vcluster/10-infrastructure.yaml @@ -0,0 +1,24 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: -infrastructure + namespace: argocd + finalizers: + - resources-finalizer.argocd.argoproj.io + annotations: + argocd.argoproj.io/sync-wave: '10' +spec: + project: default + source: + repoURL: + path: registry/clusters//infrastructure + targetRevision: HEAD + destination: + name: in-cluster + namespace: + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true diff --git a/akamai-gitlab/templates/workload-vcluster/15-bootstrap.yaml b/akamai-gitlab/templates/workload-vcluster/15-bootstrap.yaml new file mode 100644 index 000000000..4c29b41e6 --- /dev/null +++ b/akamai-gitlab/templates/workload-vcluster/15-bootstrap.yaml 
@@ -0,0 +1,24 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: -bootstrap + namespace: argocd + finalizers: + - resources-finalizer.argocd.argoproj.io + annotations: + argocd.argoproj.io/sync-wave: '15' +spec: + project: default + source: + repoURL: + path: registry/clusters//bootstrap + targetRevision: HEAD + destination: + name: in-cluster + namespace: crossplane-system + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true diff --git a/akamai-gitlab/templates/workload-vcluster/20-argocd-connection.yaml b/akamai-gitlab/templates/workload-vcluster/20-argocd-connection.yaml new file mode 100644 index 000000000..a8536ee9a --- /dev/null +++ b/akamai-gitlab/templates/workload-vcluster/20-argocd-connection.yaml 
@@ -0,0 +1,63 @@ +apiVersion: "external-secrets.io/v1beta1" +kind: ExternalSecret +metadata: + name: + annotations: + argocd.argoproj.io/sync-wave: '20' + labels: + app.kubernetes.io/part-of: argocd +spec: + target: + name: + template: + metadata: + labels: + argocd.argoproj.io/secret-type: cluster + engineVersion: v2 + data: + name: "{{ .cluster_name }}" + server: "{{ .host }}" + clusterResources: "true" + config: | + { + "bearerToken": "{{ .argocd_manager_sa_token }}", + "tlsClientConfig": { + "caData": "{{ .cluster_ca_certificate | b64enc }}", + "certData": "{{ .client_certificate | b64enc }}", + "insecure": false, + "keyData": "{{ .client_key | b64enc }}" + } + } + secretStoreRef: + kind: ClusterSecretStore + name: vault-kv-secret + refreshInterval: 10s + data: + - remoteRef: + key: clusters/ + property: argocd_manager_sa_token + secretKey: argocd_manager_sa_token + - remoteRef: + key: clusters/ + property: host + secretKey: host + - remoteRef: + key: clusters/ + property: cluster_name + secretKey: cluster_name + - remoteRef: + key: clusters/ + property: cluster_ca_certificate + conversionStrategy: Default + secretKey: cluster_ca_certificate + - remoteRef: + key: clusters/ + property: client_certificate + conversionStrategy: Default + secretKey: client_certificate + - remoteRef: + key: clusters/ + property: client_key + conversionStrategy: Default + secretKey: client_key + diff --git a/akamai-gitlab/templates/workload-vcluster/30-cert-manager.yaml b/akamai-gitlab/templates/workload-vcluster/30-cert-manager.yaml new file mode 100644 index 000000000..c5d4cb25d --- /dev/null +++ b/akamai-gitlab/templates/workload-vcluster/30-cert-manager.yaml 
@@ -0,0 +1,30 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: -cert-manager + namespace: argocd + finalizers: + - resources-finalizer.argocd.argoproj.io + annotations: + argocd.argoproj.io/sync-wave: '30' +spec: + project: + source: + repoURL: https://charts.jetstack.io + targetRevision: v1.14.4 + helm: + values: |- + serviceAccount: + create: true + name: cert-manager + installCRDs: true + chart: cert-manager + destination: + name: + namespace: cert-manager + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true diff --git a/akamai-gitlab/templates/workload-vcluster/30-external-dns.yaml b/akamai-gitlab/templates/workload-vcluster/30-external-dns.yaml new file mode 100644 index 000000000..ec20e60b4 --- /dev/null +++ b/akamai-gitlab/templates/workload-vcluster/30-external-dns.yaml @@ -0,0 +1,42 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: -external-dns + namespace: argocd + annotations: + argocd.argoproj.io/sync-wave: '30' +spec: + project: + source: + repoURL: https://kubernetes-sigs.github.io/external-dns + targetRevision: 1.14.4 + helm: + releaseName: external-dns + values: | + image: + repository: registry.k8s.io/external-dns/external-dns + tag: "v0.13.2" + serviceAccount: + create: true + name: external-dns + provider: + sources: + - ingress + domainFilters: + - + env: + - name: + valueFrom: + secretKeyRef: + name: external-dns-secrets + key: token + chart: external-dns + destination: + name: + namespace: external-dns + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true diff --git a/akamai-gitlab/templates/workload-vcluster/30-external-secrets-operator.yaml b/akamai-gitlab/templates/workload-vcluster/30-external-secrets-operator.yaml new file mode 100644 index 000000000..c09c2bc73 --- /dev/null +++ b/akamai-gitlab/templates/workload-vcluster/30-external-secrets-operator.yaml 
@@ -0,0 +1,71 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: -external-secrets-operator + namespace: argocd + finalizers: + - resources-finalizer.argocd.argoproj.io + annotations: + argocd.argoproj.io/sync-wave: '30' +spec: + project: + source: + repoURL: https://charts.external-secrets.io + targetRevision: 0.8.1 + helm: + values: |- + serviceAccount: + create: false + name: external-secrets + chart: external-secrets + destination: + name: + namespace: external-secrets-operator + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true + - RespectIgnoreDifferences=true + ignoreDifferences: + - group: apiextensions.k8s.io + kind: CustomResourceDefinition + jqPathExpressions: + - .spec.conversion.webhook.clientConfig.caBundle + - .spec.conversion.webhook.clientConfig.service.name + - .spec.conversion.webhook.clientConfig.service.namespace + - group: admissionregistration.k8s.io + kind: ValidatingWebhookConfiguration + jqPathExpressions: + - .webhooks[]?.clientConfig.caBundle +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: -eso-kubernetes-external-secrets-auth + annotations: + argocd.argoproj.io/sync-wave: '40' +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: 'system:auth-delegator' +subjects: + - kind: ServiceAccount + name: external-secrets + namespace: external-secrets-operator +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: -eso-kubernetes-external-secrets-auth2 + annotations: + argocd.argoproj.io/sync-wave: '40' +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: 'cluster-admin' +subjects: + - kind: ServiceAccount + name: external-secrets + namespace: external-secrets-operator 
diff --git a/akamai-gitlab/templates/workload-vcluster/30-ingress-nginx.yaml b/akamai-gitlab/templates/workload-vcluster/30-ingress-nginx.yaml new file mode 100644 index 000000000..7221cd66c --- /dev/null +++ b/akamai-gitlab/templates/workload-vcluster/30-ingress-nginx.yaml @@ -0,0 +1,38 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: -ingress-nginx + namespace: argocd + finalizers: + - resources-finalizer.argocd.argoproj.io + annotations: + argocd.argoproj.io/sync-wave: '30' +spec: + project: + source: + repoURL: https://kubernetes.github.io/ingress-nginx + targetRevision: 4.10.0 + helm: + values: |- + controller: + podAnnotations: + linkerd.io/inject: enabled + ingressClass: nginx + publishService: + enabled: true + service: + annotations: + service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "https" + service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: "60" + extraArgs: + enable-ssl-passthrough: true + chart: ingress-nginx + destination: + name: + namespace: ingress-nginx + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true diff --git a/akamai-gitlab/templates/workload-vcluster/30-reloader.yaml b/akamai-gitlab/templates/workload-vcluster/30-reloader.yaml new file mode 100644 index 000000000..2336f6b12 --- /dev/null +++ b/akamai-gitlab/templates/workload-vcluster/30-reloader.yaml @@ -0,0 +1,31 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: -reloader + namespace: argocd + annotations: + argocd.argoproj.io/sync-wave: '30' +spec: + project: + source: + repoURL: 'https://stakater.github.io/stakater-charts' + targetRevision: v1.0.10 + chart: reloader + helm: + values: |- + ignoreSecrets: false + destination: + name: + namespace: reloader + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true + retry: + limit: 5 + backoff: + duration: 5s + maxDuration: 5m0s + factor: 2 
diff --git a/akamai-gitlab/templates/workload-vcluster/40-cloudflare-origin-issuer-crd.yaml b/akamai-gitlab/templates/workload-vcluster/40-cloudflare-origin-issuer-crd.yaml new file mode 100644 index 000000000..4f366651e --- /dev/null +++ b/akamai-gitlab/templates/workload-vcluster/40-cloudflare-origin-issuer-crd.yaml @@ -0,0 +1,22 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: -cloudflare-origin-issuer-crd + namespace: argocd + annotations: + argocd.argoproj.io/sync-wave: '40' +spec: + project: + source: + repoURL: https://github.com/cloudflare/origin-ca-issuer + path: deploy/crds + targetRevision: v0.6.1 + destination: + name: + namespace: cert-manager + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true \ No newline at end of file diff --git a/akamai-gitlab/templates/workload-vcluster/40-clusterissuers.yaml b/akamai-gitlab/templates/workload-vcluster/40-clusterissuers.yaml new file mode 100644 index 000000000..e45d89d86 --- /dev/null +++ b/akamai-gitlab/templates/workload-vcluster/40-clusterissuers.yaml @@ -0,0 +1,24 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: -cert-issuers + namespace: argocd + finalizers: + - resources-finalizer.argocd.argoproj.io + annotations: + argocd.argoproj.io/sync-wave: '40' +spec: + project: + source: + repoURL: + path: registry/clusters//cert-issuers + targetRevision: HEAD + destination: + name: + namespace: cert-manager + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true diff --git a/akamai-gitlab/templates/workload-vcluster/40-clustersecretstore.yaml b/akamai-gitlab/templates/workload-vcluster/40-clustersecretstore.yaml new file mode 100644 index 000000000..82bbdf5e3 --- /dev/null +++ b/akamai-gitlab/templates/workload-vcluster/40-clustersecretstore.yaml 
@@ -0,0 +1,24 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: -cluster-secret-store + namespace: argocd + finalizers: + - resources-finalizer.argocd.argoproj.io + annotations: + argocd.argoproj.io/sync-wave: '40' +spec: + project: + source: + repoURL: + path: registry/clusters//cluster-secret-store + targetRevision: HEAD + destination: + name: + namespace: external-secrets-operator + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true diff --git a/akamai-gitlab/templates/workload-vcluster/41-cloudflare-origin-ca-issuer.yaml b/akamai-gitlab/templates/workload-vcluster/41-cloudflare-origin-ca-issuer.yaml new file mode 100644 index 000000000..851e73895 --- /dev/null +++ b/akamai-gitlab/templates/workload-vcluster/41-cloudflare-origin-ca-issuer.yaml @@ -0,0 +1,32 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: -cloudflare-cloudflare-origin-ca-issuer + namespace: argocd + annotations: + argocd.argoproj.io/sync-wave: '41' +spec: + project: + source: + repoURL: ghcr.io/cloudflare/origin-ca-issuer-charts + chart: origin-ca-issuer + targetRevision: 0.5.2 + helm: + values: |- + global: + rbac: + create: true + controller: + image: + repository: cloudflare/origin-ca-issuer + tag: v0.6.1 + pullPolicy: Always + destination: + name: + namespace: cert-manager + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true \ No newline at end of file diff --git a/akamai-gitlab/templates/workload-vcluster/45-cloudflare-origin-issuer.yaml b/akamai-gitlab/templates/workload-vcluster/45-cloudflare-origin-issuer.yaml new file mode 100644 index 000000000..d118509ca --- /dev/null +++ b/akamai-gitlab/templates/workload-vcluster/45-cloudflare-origin-issuer.yaml 
@@ -0,0 +1,24 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: -cloudflare-origin-issuer + namespace: argocd + finalizers: + - resources-finalizer.argocd.argoproj.io + annotations: + argocd.argoproj.io/sync-wave: '45' +spec: + project: + source: + repoURL: + path: registry/clusters//cloudflare-origin-issuer + targetRevision: HEAD + destination: + name: + namespace: + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true \ No newline at end of file diff --git a/akamai-gitlab/templates/workload-vcluster/45-environment.yaml b/akamai-gitlab/templates/workload-vcluster/45-environment.yaml new file mode 100644 index 000000000..66cba38b5 --- /dev/null +++ b/akamai-gitlab/templates/workload-vcluster/45-environment.yaml @@ -0,0 +1,24 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: -environment + namespace: argocd + finalizers: + - resources-finalizer.argocd.argoproj.io + annotations: + argocd.argoproj.io/sync-wave: '45' +spec: + project: default + source: + repoURL: + path: registry/environments/ + targetRevision: HEAD + destination: + name: in-cluster + namespace: argocd + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true diff --git a/akamai-gitlab/templates/workload-vcluster/appproject-workload-cluster.yaml b/akamai-gitlab/templates/workload-vcluster/appproject-workload-cluster.yaml new file mode 100644 index 000000000..f3c94e429 --- /dev/null +++ b/akamai-gitlab/templates/workload-vcluster/appproject-workload-cluster.yaml 
@@ -0,0 +1,55 @@
+apiVersion: argoproj.io/v1alpha1
+kind: AppProject
+metadata:
+ name:
+ namespace: argocd
+ annotations:
+ argocd.argoproj.io/sync-wave: "-1"
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ description: description
+ sourceRepos:
+ - ''
+ - 'https://kubernetes.github.io/ingress-nginx'
+ - 'https://kubernetes-sigs.github.io/external-dns'
+ - 'https://charts.jetstack.io'
+ - 'https://charts.external-secrets.io'
+ - 'https://helm.datadoghq.com'
+ - 'https://stakater.github.io/stakater-charts'
+ - 'https://chartmuseum.'
+ - 'https://charts.loft.sh'
+ - 'https://github.com/cloudflare/origin-ca-issuer'
+ - 'https://cloudflare.github.io/origin-ca-issuer/charts'
+ - '*' # Adding wildcard for the gitops catalog. This wildcard can be removed from the template or after provisioning
+ destinations:
+ - namespace: external-dns
+ name:
+ - namespace: datadog
+ name:
+ - namespace: default
+ name:
+ - namespace:
+ name:
+ - namespace: external-secrets-operator
+ name:
+ - namespace: reloader
+ name:
+ - namespace: cert-manager
+ name:
+ - namespace: ingress-nginx
+ name:
+ - namespace: kube-system
+ name:
+ - namespace: '*' # Adding wildcard for the gitops catalog. This wildcard can be removed from the template or after provisioning
+ server: '*' # Adding wildcard for the gitops catalog. This wildcard can be removed from the template or after provisioning
+ clusterResourceWhitelist:
+ - group: '*'
+ kind: '*'
+ roles:
+ - description: -admin-role
+ groups:
+ - admins
+ name: admin-role
+ policies:
+ - p, proj::admin-role, applications, *, /*, allow
diff --git a/akamai-gitlab/templates/workload-vcluster/bootstrap/workspace.yaml b/akamai-gitlab/templates/workload-vcluster/bootstrap/workspace.yaml
new file mode 100644
index 000000000..36e7cb600
--- /dev/null
+++ b/akamai-gitlab/templates/workload-vcluster/bootstrap/workspace.yaml
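Review bot: The `'*'` entries in `sourceRepos` and in the last `destinations` item (`namespace: '*'` with `server: '*'`), together with `clusterResourceWhitelist` group/kind `'*'`, make this AppProject equivalent to the unrestricted `default` project, so the explicit destination list above them enforces nothing; the inline comments say the wildcards "can be removed after provisioning" but nothing in the template tracks that. Consider scoping `clusterResourceWhitelist` to the kinds the workload actually needs (Namespace, ClusterIssuer, ClusterSecretStore, ClusterRole/ClusterRoleBinding) or adding `# TODO(post-provision): remove the three '*' entries and re-sync to confirm apps still pass project validation` where the wildcards are. The role policy `p, proj::admin-role, applications, *, /*, allow` renders with an empty project segment here — presumably a stripped template token — and is worth confirming, since a malformed subject makes the policy a silent no-op.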
@@ -0,0 +1,229 @@ +apiVersion: tf.upbound.io/v1beta1 +kind: Workspace +metadata: + name: -bootstrap + annotations: + argocd.argoproj.io/sync-wave: "10" + crossplane.io/external-name: -bootstrap +spec: + providerConfigRef: + name: + forProvider: + source: Inline + module: | + variable "cluster_name" { + type = string + default = "" + } + provider "kubernetes" { + alias = "local" + } + data "kubernetes_secret_v1" "vcluster_kubeconfig" { + provider = "kubernetes.local" + metadata { + name = "vc-" + namespace = "" + } + } + + resource "vault_generic_secret" "clusters" { + path = "secret/clusters/${var.cluster_name}" + + data_json = jsonencode( + { + kubeconfig = data.kubernetes_secret_v1.vcluster_kubeconfig.data.config + client_certificate = base64decode(yamldecode(data.kubernetes_secret_v1.vcluster_kubeconfig.data.config).users[0].user.client-certificate-data) + client_key = base64decode(yamldecode(data.kubernetes_secret_v1.vcluster_kubeconfig.data.config).users[0].user.client-key-data) + cluster_ca_certificate = base64decode(yamldecode(data.kubernetes_secret_v1.vcluster_kubeconfig.data.config).clusters[0].cluster.certificate-authority-data) + host = "https://." + cluster_name = var.cluster_name + argocd_manager_sa_token = kubernetes_secret_v1.argocd_manager.data.token + } + ) + } + + provider "kubernetes" { + alias = "target" + host = "https://." 
+ + client_certificate = base64decode(yamldecode(data.kubernetes_secret_v1.vcluster_kubeconfig.data.config).users[0].user.client-certificate-data) + client_key = base64decode(yamldecode(data.kubernetes_secret_v1.vcluster_kubeconfig.data.config).users[0].user.client-key-data) + cluster_ca_certificate = base64decode(yamldecode(data.kubernetes_secret_v1.vcluster_kubeconfig.data.config).clusters[0].cluster.certificate-authority-data) + } + + resource "kubernetes_cluster_role_v1" "argocd_manager" { + provider = "kubernetes.target" + metadata { + name = "argocd-manager-role" + } + + rule { + api_groups = ["*"] + resources = ["*"] + verbs = ["*"] + } + rule { + non_resource_urls = ["*"] + verbs = ["*"] + } + } + + + resource "kubernetes_cluster_role_binding_v1" "argocd_manager" { + provider = "kubernetes.target" + metadata { + name = "argocd-manager-role-binding" + } + role_ref { + api_group = "rbac.authorization.k8s.io" + kind = "ClusterRole" + name = kubernetes_cluster_role_v1.argocd_manager.metadata.0.name + } + subject { + kind = "ServiceAccount" + name = kubernetes_service_account_v1.argocd_manager.metadata.0.name + namespace = "kube-system" + } + } + + resource "kubernetes_service_account_v1" "argocd_manager" { + provider = "kubernetes.target" + metadata { + name = "argocd-manager" + namespace = "kube-system" + } + secret { + name = "argocd-manager-token" + } + } + + resource "kubernetes_secret_v1" "argocd_manager" { + provider = "kubernetes.target" + metadata { + name = "argocd-manager-token" + namespace = "kube-system" + annotations = { + "kubernetes.io/service-account.name" = "argocd-manager" + } + } + type = "kubernetes.io/service-account-token" + depends_on = [ kubernetes_service_account_v1.argocd_manager ] + } + + resource "kubernetes_namespace_v1" "external_dns" { + provider = "kubernetes.target" + metadata { + name = "external-dns" + } + } + + data "vault_generic_secret" "external_dns" { + path = "secret/external-dns" + } + + resource "kubernetes_secret_v1" 
"external_dns" { + provider = "kubernetes.target" + metadata { + name = "external-dns-secrets" + namespace = kubernetes_namespace_v1.external_dns.metadata.0.name + } + data = { + token = data.vault_generic_secret.external_dns.data["token"] + } + type = "Opaque" + } + + + resource "kubernetes_namespace_v1" "external_secrets_operator" { + provider = "kubernetes.target" + metadata { + name = "external-secrets-operator" + } + } + + data "vault_generic_secret" "external_secrets_operator" { + path = "secret/atlantis" + } + + resource "kubernetes_namespace_v1" "environment" { + provider = "kubernetes.target" + metadata { + name = "" + } + } + + data "vault_generic_secret" "docker_config" { + path = "secret/dockerconfigjson" + } + + resource "kubernetes_secret_v1" "image_pull" { + provider = "kubernetes.target" + metadata { + name = "docker-config" + namespace = kubernetes_namespace_v1.environment.metadata.0.name + } + + data = { + ".dockerconfigjson" = data.vault_generic_secret.docker_config.data["dockerconfig"] + } + + type = "kubernetes.io/dockerconfigjson" + } + + resource "kubernetes_secret_v1" "external_secrets_operator_environment" { + provider = "kubernetes.target" + metadata { + name = "${var.cluster_name}-cluster-vault-bootstrap" + namespace = kubernetes_namespace_v1.environment.metadata.0.name + } + data = { + vault-token = data.vault_generic_secret.external_secrets_operator.data["VAULT_TOKEN"] + } + type = "Opaque" + } + + resource "kubernetes_secret_v1" "external_secrets_operator" { + provider = "kubernetes.target" + metadata { + name = "${var.cluster_name}-cluster-vault-bootstrap" + namespace = kubernetes_namespace_v1.external_secrets_operator.metadata.0.name + } + data = { + vault-token = data.vault_generic_secret.external_secrets_operator.data["VAULT_TOKEN"] + } + type = "Opaque" + } + + resource "kubernetes_service_account_v1" "external_secrets" { + provider = "kubernetes.target" + metadata { + name = "external-secrets" + namespace = 
kubernetes_namespace_v1.external_secrets_operator.metadata.0.name + } + secret { + name = "external-secrets-token" + } + } + + resource "kubernetes_secret_v1" "external_secrets" { + provider = "kubernetes.target" + metadata { + name = "external-secrets-token" + namespace = kubernetes_namespace_v1.external_secrets_operator.metadata.0.name + annotations = { + "kubernetes.io/service-account.name" = "external-secrets" + } + } + type = "kubernetes.io/service-account-token" + depends_on = [ kubernetes_service_account_v1.external_secrets ] + } + + resource "kubernetes_config_map" "kubefirst_cm" { + metadata { + name = "kubefirst-cm" + namespace = "kube-system" + } + data = { + mgmt_cluster_id = "" + } + } \ No newline at end of file diff --git a/akamai-gitlab/templates/workload-vcluster/cert-issuers/clusterissuers.yaml b/akamai-gitlab/templates/workload-vcluster/cert-issuers/clusterissuers.yaml new file mode 100644 index 000000000..97711a762 --- /dev/null +++ b/akamai-gitlab/templates/workload-vcluster/cert-issuers/clusterissuers.yaml @@ -0,0 +1,29 @@ +apiVersion: cert-manager.io/v1 +kind: ClusterIssuer +metadata: + name: letsencrypt-staging +spec: + acme: + server: https://acme-staging-v02.api.letsencrypt.org/directory + email: + privateKeySecretRef: + name: letsencrypt-staging + solvers: + - http01: + ingress: + class: nginx +--- +apiVersion: cert-manager.io/v1 +kind: ClusterIssuer +metadata: + name: letsencrypt-prod +spec: + acme: + server: https://acme-v02.api.letsencrypt.org/directory + email: + privateKeySecretRef: + name: letsencrypt-prod + solvers: + - http01: + ingress: + class: nginx diff --git a/akamai-gitlab/templates/workload-vcluster/cloudflare-origin-issuer/cloudflare-issuer.yaml b/akamai-gitlab/templates/workload-vcluster/cloudflare-origin-issuer/cloudflare-issuer.yaml new file mode 100644 index 000000000..d7ea001a4 --- /dev/null +++ b/akamai-gitlab/templates/workload-vcluster/cloudflare-origin-issuer/cloudflare-issuer.yaml 
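Review bot: `data "vault_generic_secret" "external_secrets_operator"` reads `secret/atlantis`, and its `VAULT_TOKEN` is copied into the `${var.cluster_name}-cluster-vault-bootstrap` secrets in two namespaces of the workload cluster, so the external-secrets operator there runs with whatever policy the Atlantis token carries and anyone who can read secrets in those namespaces holds a token shared with Atlantis; a dedicated token or Kubernetes-auth role with read access scoped to the paths the ClusterSecretStore syncs would limit the blast radius, and the data source name should reflect what it actually reads. Separately, `resource "kubernetes_config_map" "kubefirst_cm"` at the end of the module is the only resource without `provider = "kubernetes.target"`, so it is applied through the unaliased default provider rather than the vcluster — presumably unintended; `provider = "kubernetes.target"` (and `kubernetes_config_map_v1`, matching the rest of the module) would fix it. A comment at the top of `module:` noting that the kubeconfig, client key and the two SA tokens written by `vault_generic_secret.clusters` also land in this Workspace's Terraform state would make the state backend's sensitivity explicit.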
@@ -0,0 +1,31 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: cloudflare-creds
+ namespace:
+ annotations:
+ argocd.argoproj.io/sync-wave: "0"
+spec:
+ target:
+ name: cloudflare-creds
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: -vault-kv-secret
+ refreshInterval: 10s
+ data:
+ - remoteRef:
+ key: cloudflare
+ property: origin-ca-api-key
+ secretKey: origin-ca-api-key
+---
+apiVersion: cert-manager.k8s.cloudflare.com/v1
+kind: OriginIssuer
+metadata:
+ name: cloudflare-origin-issuer
+ namespace:
+spec:
+ requestType: OriginECC
+ auth:
+ serviceKeyRef:
+ key: origin-ca-api-key
+ name: cloudflare-creds
\ No newline at end of file
diff --git a/akamai-gitlab/templates/workload-vcluster/cluster-secret-store/clustersecretstore.yaml b/akamai-gitlab/templates/workload-vcluster/cluster-secret-store/clustersecretstore.yaml
new file mode 100644
index 000000000..b6e90f68a
--- /dev/null
+++ b/akamai-gitlab/templates/workload-vcluster/cluster-secret-store/clustersecretstore.yaml
@@ -0,0 +1,18 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ClusterSecretStore
+metadata:
+ name: -vault-kv-secret
+ annotations:
+ argocd.argoproj.io/sync-wave: '10'
+spec:
+ provider:
+ vault:
+ server: 'https://vault.'
+ path: 'secret'
+ version: 'v2'
+ auth:
+ # points to a secret that contains a vault token
+ # https://www.vaultproject.io/docs/auth/token
+ tokenSecretRef:
+ name: "-cluster-vault-bootstrap"
+ key: "vault-token"
diff --git a/akamai-gitlab/templates/workload-vcluster/infrastructure/vcluster.yaml b/akamai-gitlab/templates/workload-vcluster/infrastructure/vcluster.yaml
new file mode 100644
index 000000000..593c6d0af
--- /dev/null
+++ b/akamai-gitlab/templates/workload-vcluster/infrastructure/vcluster.yaml
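Review bot: `refreshInterval: 10s` on the `cloudflare-creds` ExternalSecret polls Vault every ten seconds for an API key that rotates rarely, and since the ClusterSecretStore it references uses token auth each poll is an authenticated read on the same static token, adding noise to Vault's audit log for no benefit. An interval in the hour range (`refreshInterval: 1h`) is enough for a key-rotation workflow; if a fast refresh is needed during bootstrap, a comment saying so would stop the next reader from "fixing" it.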
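Review bot: The ClusterSecretStore authenticates with a static Vault token (`tokenSecretRef` → `-cluster-vault-bootstrap`/`vault-token`), which is the token the bootstrap Workspace in this diff copies out of `secret/atlantis`; it is long-lived, shared with Atlantis, and readable by anyone who can read secrets in `external-secrets-operator`. The Vault side of this diff already defines a kubernetes auth backend with an `external-secrets` role, so `auth.kubernetes` against a mount bound to this workload cluster would give ESO a short-lived, role-scoped token instead; if token auth must stay for bootstrap, replace the generic link comment with `# bootstrap-only: token auth until kubernetes auth for this vcluster is configured`. `server: 'https://vault.'` renders truncated here — presumably a stripped domain token.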
@@ -0,0 +1,50 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: + namespace: argocd + finalizers: + - resources-finalizer.argocd.argoproj.io + annotations: + argocd.argoproj.io/sync-wave: '10' +spec: + project: default + source: + repoURL: https://charts.loft.sh + targetRevision: 0.15.5 + chart: vcluster-k8s + helm: + values: | + syncer: + extraArgs: + - --tls-san=. + - --kube-config-context-name= + - --out-kube-config-server=https://. + replicas: 4 + ingress: + enabled: true + pathType: ImplementationSpecific + apiVersion: networking.k8s.io/v1 + ingressClassName: "nginx" + host: . + annotations: + nginx.ingress.kubernetes.io/backend-protocol: HTTPS + nginx.ingress.kubernetes.io/ssl-passthrough: "true" + nginx.ingress.kubernetes.io/ssl-redirect: "true" + + + + + tls: + - secretName: -tls + hosts: + - . + destination: + name: in-cluster + namespace: + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true \ No newline at end of file diff --git a/akamai-gitlab/templates/workload-vcluster/infrastructure/wait.yaml b/akamai-gitlab/templates/workload-vcluster/infrastructure/wait.yaml new file mode 100644 index 000000000..bc168ae18 --- /dev/null +++ b/akamai-gitlab/templates/workload-vcluster/infrastructure/wait.yaml 
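Review bot: The ingress exposes the vcluster API server with `nginx.ingress.kubernetes.io/ssl-passthrough: "true"`, which only takes effect when ingress-nginx runs with `--enable-ssl-passthrough`; without that flag the annotation is silently ignored, nginx terminates TLS with its own certificate and re-encrypts via `backend-protocol: HTTPS`, and the client-certificate auth that the bootstrap Workspace relies on cannot pass through a terminating proxy. A comment next to the annotation, `# requires ingress-nginx --enable-ssl-passthrough; client-cert auth breaks if TLS is terminated at nginx`, would save a debugging round. The run of blank lines before `tls:` inside the values block looks accidental.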
@@ -0,0 +1,131 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: kubernetes-toolkit + namespace: +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: kubernetes-toolkit + namespace: +rules: + - apiGroups: + - apps + resources: + - deployments + - statefulsets + verbs: + - get + - watch + - list +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: kubernetes-toolkit + namespace: +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: kubernetes-toolkit +subjects: + - kind: ServiceAccount + name: kubernetes-toolkit + namespace: +--- +apiVersion: batch/v1 +kind: Job +metadata: + annotations: + argocd.argoproj.io/sync-wave: '20' + name: kubernetes-toolkit-vcluster-api + namespace: +spec: + template: + spec: + containers: + - args: + - wait-for + - deployment + - --namespace + - + - --label + - app=vcluster-api + image: public.ecr.aws/kubefirst/kubernetes-toolkit:0.0.8 + imagePullPolicy: IfNotPresent + name: kubernetes-toolkit + restartPolicy: OnFailure + serviceAccountName: kubernetes-toolkit +--- +apiVersion: batch/v1 +kind: Job +metadata: + annotations: + argocd.argoproj.io/sync-wave: '20' + name: kubernetes-toolkit-vcluster-controller + namespace: +spec: + template: + spec: + containers: + - args: + - wait-for + - deployment + - --namespace + - + - --label + - app=vcluster-controller + image: public.ecr.aws/kubefirst/kubernetes-toolkit:0.0.8 + imagePullPolicy: IfNotPresent + name: kubernetes-toolkit + restartPolicy: OnFailure + serviceAccountName: kubernetes-toolkit +--- +apiVersion: batch/v1 +kind: Job +metadata: + annotations: + argocd.argoproj.io/sync-wave: '20' + name: kubernetes-toolkit-vcluster + namespace: +spec: + template: + spec: + containers: + - args: + - wait-for + - deployment + - --namespace + - + - --label + - app=vcluster + image: public.ecr.aws/kubefirst/kubernetes-toolkit:0.0.8 + imagePullPolicy: IfNotPresent + name: kubernetes-toolkit + restartPolicy: OnFailure + 
serviceAccountName: kubernetes-toolkit +--- +apiVersion: batch/v1 +kind: Job +metadata: + annotations: + argocd.argoproj.io/sync-wave: '20' + name: kubernetes-toolkit-vcluster-etcd + namespace: +spec: + template: + spec: + containers: + - args: + - wait-for + - statefulset + - --namespace + - + - --label + - app=vcluster-etcd + image: public.ecr.aws/kubefirst/kubernetes-toolkit:0.0.8 + imagePullPolicy: IfNotPresent + name: kubernetes-toolkit + restartPolicy: OnFailure + serviceAccountName: kubernetes-toolkit diff --git a/akamai-gitlab/templates/workload-vcluster/provider-config/providerconfig.yaml b/akamai-gitlab/templates/workload-vcluster/provider-config/providerconfig.yaml new file mode 100644 index 000000000..584031233 --- /dev/null +++ b/akamai-gitlab/templates/workload-vcluster/provider-config/providerconfig.yaml @@ -0,0 +1,51 @@ +apiVersion: tf.upbound.io/v1beta1 +kind: ProviderConfig +metadata: + name: + annotations: + argocd.argoproj.io/sync-wave: "-1" +spec: + configuration: | + terraform { + backend "s3" { + bucket = "" + key = "registry/clusters//infrastructure/provider-config/terraform.tfstate" + endpoint = "https://us-east-1.linodeobjects.com" + + region = "" + + skip_credentials_validation = true + skip_metadata_api_check = true + skip_region_validation = true + force_path_style = true + } + required_providers { + civo = { + source = "civo/civo" + } + kubernetes = { + source = "hashicorp/kubernetes" + version = "2.23.0" + } + vault = { + source = "hashicorp/vault" + version = "3.19.0" + } + } + } + provider "civo" { + region = "" + } + credentials: + - filename: gen-nothing + source: None + secretRef: + namespace: crossplane-system + name: civo-creds + key: token + - filename: .git-credentials + source: Secret + secretRef: + namespace: crossplane-system + name: git-credentials + key: creds 
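Review bot: The ProviderConfig carries Civo residue in an Akamai/Linode template: `civo = { source = "civo/civo" }` in `required_providers`, an empty `provider "civo" { region = "" }` block, and a `credentials` entry whose `secretRef` points at `crossplane-system/civo-creds` while its `source: None` presumably means that secret is never read. The bootstrap Workspace module in this diff uses only the `kubernetes` and `vault` providers, so the civo provider download and the dead credential mapping can be dropped; if the entry is meant as a placeholder, remove the `secretRef` lines and add `# no cloud credentials needed for the vcluster bootstrap`. The S3 state at `registry/clusters//infrastructure/provider-config/terraform.tfstate` will hold the kubeconfig, client key and Vault token that Workspace writes, which is worth a comment so the bucket's access policy is treated accordingly.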
diff --git a/akamai-gitlab/templates/workload-vcluster/registry-workload-cluster.yaml b/akamai-gitlab/templates/workload-vcluster/registry-workload-cluster.yaml
new file mode 100644
index 000000000..f925b88dd
--- /dev/null
+++ b/akamai-gitlab/templates/workload-vcluster/registry-workload-cluster.yaml
@@ -0,0 +1,30 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: registry-
+ namespace: argocd
+ annotations:
+ argocd.argoproj.io/sync-wave: '100'
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ project: default
+ source:
+ repoURL:
+ path: registry/clusters/
+ targetRevision: HEAD
+ destination:
+ server: https://kubernetes.default.svc
+ namespace: argocd
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
+ retry:
+ limit: 5
+ backoff:
+ duration: 5s
+ maxDuration: 5m0s
+ factor: 2
diff --git a/akamai-gitlab/terraform/akamai/main.tf b/akamai-gitlab/terraform/akamai/main.tf
new file mode 100644
index 000000000..0fcb71ab5
--- /dev/null
+++ b/akamai-gitlab/terraform/akamai/main.tf
@@ -0,0 +1,58 @@
+terraform {
+ backend "s3" {
+ bucket = ""
+ key = "terraform/civo/terraform.tfstate"
+ endpoint = "https://.us-east-1.linodeobjects.com" #! edit
+
+ region = "us-east-1" #! edit
+
+ skip_credentials_validation = true
+ skip_metadata_api_check = true
+ skip_region_validation = true
+ force_path_style = true
+ }
+ required_providers {
+ linode = {
+ source = "linode/linode"
+ version = "2.16.0"
+ }
+ kubernetes = {
+ source = "hashicorp/kubernetes"
+ version = "2.23.0"
+ }
+ vault = {
+ source = "hashicorp/vault"
+ version = "3.19.0"
+ }
+ }
+}
+provider "linode" {}
+
+locals {
+ cluster_name = ""
+ kube_config_filename = "../../../kubeconfig"
+}
+
+resource "linode_lke_cluster" "kubefirst" {
+ label = local.cluster_name
+ k8s_version = "1.28"
+ region = "us-central"
+ tags = [""]
+
+ pool {
+ # NOTE: If count is undefined, the initial node count will
+ # equal the minimum autoscaler node count.
+ type = "" # "g6-standard-4" 4
+
+ autoscaler {
+ min = tonumber("") # tonumber() is used for a string token value
+ max = tonumber("") # tonumber() is used for a string token value
+ }
+ }
+}
+
+resource "local_file" "kubeconfig" {
+ content = base64decode(linode_lke_cluster.kubefirst.kubeconfig)
+ filename = local.kube_config_filename
+}
+
diff --git a/akamai-gitlab/terraform/gitlab/groups.tf b/akamai-gitlab/terraform/gitlab/groups.tf
new file mode 100644
index 000000000..da300caa0
--- /dev/null
+++ b/akamai-gitlab/terraform/gitlab/groups.tf
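Review bot: `resource "local_file" "kubeconfig"` writes the cluster-admin kubeconfig to `../../../kubeconfig` without `file_permission`, and the local provider's default mode is `0777`, so the credential is created world-readable and writable; add `file_permission = "0600"` next to `filename`. The same kubeconfig is also held in the S3 backend state via `linode_lke_cluster.kubefirst.kubeconfig`, which the `#! edit` markers on `endpoint`/`region` should mention is therefore a secret-bearing bucket. The backend `key = "terraform/civo/terraform.tfstate"` still names civo in an Akamai template — presumably copy residue; `terraform/akamai/terraform.tfstate` would match the directory. `k8s_version = "1.28"` is an older minor for a freshly created template and is worth confirming, since LKE retires old minors over time.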
@@ -0,0 +1,29 @@
+data "gitlab_group" "owner" {
+ group_id = tonumber(var.owner_group_id)
+}
+
+resource "gitlab_group" "admins" {
+ name = ""
+ path = ""
+ parent_id = data.gitlab_group.owner.group_id
+ description = "admins group"
+}
+
+resource "gitlab_group" "developers" {
+ name = ""
+ path = ""
+ parent_id = data.gitlab_group.owner.group_id
+ description = "developers group"
+}
+
+resource "gitlab_group_share_group" "admins" {
+ group_id = data.gitlab_group.owner.id
+ share_group_id = gitlab_group.admins.id
+ group_access = "owner"
+}
+
+resource "gitlab_group_share_group" "developers" {
+ group_id = data.gitlab_group.owner.id
+ share_group_id = gitlab_group.developers.id
+ group_access = "maintainer"
+}
diff --git a/akamai-gitlab/terraform/gitlab/main.tf b/akamai-gitlab/terraform/gitlab/main.tf
new file mode 100644
index 000000000..a5e31ef65
--- /dev/null
+++ b/akamai-gitlab/terraform/gitlab/main.tf
@@ -0,0 +1,24 @@
+terraform {
+ backend "s3" {
+ bucket = ""
+ key = "terraform/gitlab/terraform.tfstate"
+ endpoint = "https://objectstore..civo.com"
+
+ region = ""
+
+ skip_credentials_validation = true
+ skip_metadata_api_check = true
+ skip_region_validation = true
+ force_path_style = true
+ }
+ required_providers {
+ gitlab = {
+ source = "gitlabhq/gitlab"
+ version = "15.8.0"
+ }
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 4.0"
+ }
+ }
+}
diff --git a/akamai-gitlab/terraform/gitlab/modules/project/main.tf b/akamai-gitlab/terraform/gitlab/modules/project/main.tf
new file mode 100644
index 000000000..dd07ab656
--- /dev/null
+++ b/akamai-gitlab/terraform/gitlab/modules/project/main.tf
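Review bot: `gitlab_group_share_group.developers` shares the owner group at `group_access = "maintainer"`, which in GitLab's default protected-branch settings allows pushing to and merging into protected branches of every project under the group, including gitops; if developers are meant to work through merge requests, `developer` is the narrower level, and either way a comment stating the intended access (`# maintainer: developers may merge to protected branches in all group projects`) would record the decision. The empty `name`/`path` values presumably are stripped template tokens.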
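Review bot: `endpoint = "https://objectstore..civo.com"` in the gitlab backend points at Civo object storage while `akamai/main.tf` in this same diff uses `https://….us-east-1.linodeobjects.com`, so this directory's state would be written to a different endpoint than the rest of the Akamai template — presumably copy residue; change it to the linodeobjects endpoint and use the same `region = "us-east-1"` instead of the empty `region = ""`. `aws = { source = "hashicorp/aws", version = "~> 4.0" }` is required but no `aws` resource or provider block appears in the directory; if it is only there so the s3 backend can initialise, say so with `# aws provider is required only by the s3 backend` or drop it.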
@@ -0,0 +1,23 @@
+terraform {
+ required_providers {
+ gitlab = {
+ source = "gitlabhq/gitlab"
+ version = "15.8.0"
+ }
+ }
+}
+
+resource "gitlab_project" "project" {
+ name = var.project_name
+ archived = var.archived
+ visibility_level = "private"
+ default_branch = var.default_branch
+ namespace_id = var.group_name
+ import_url = var.import_url
+ initialize_with_readme = var.initialize_with_readme
+ shared_runners_enabled = false
+ # https://docs.gitlab.com/ee/user/packages/container_registry/
+ only_allow_merge_if_all_discussions_are_resolved = true
+ only_allow_merge_if_pipeline_succeeds = var.only_allow_merge_if_pipeline_succeeds
+ remove_source_branch_after_merge = var.remove_source_branch_after_merge
+}
diff --git a/akamai-gitlab/terraform/gitlab/modules/project/outputs.tf b/akamai-gitlab/terraform/gitlab/modules/project/outputs.tf
new file mode 100644
index 000000000..2f1cbfd56
--- /dev/null
+++ b/akamai-gitlab/terraform/gitlab/modules/project/outputs.tf
@@ -0,0 +1,8 @@
+output "repo_url" {
+ value = gitlab_project.project.web_url
+ description = "gitlab project url"
+}
+
+output "path" {
+ value = gitlab_project.project.path_with_namespace
+}
diff --git a/akamai-gitlab/terraform/gitlab/modules/project/variables.tf b/akamai-gitlab/terraform/gitlab/modules/project/variables.tf
new file mode 100644
index 000000000..9fcea95e2
--- /dev/null
+++ b/akamai-gitlab/terraform/gitlab/modules/project/variables.tf
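Review bot: `namespace_id = var.group_name` assigns a variable named `group_name` to an ID argument, and the callers in `projects.tf` pass `data.gitlab_group.owner.id`, so the name misleads; a `group_id` variable (or at minimum changing the description in `variables.tf` to `"the gitlab group id the project belongs to"`) would match what the provider expects. The comment `# https://docs.gitlab.com/ee/user/packages/container_registry/` sits above the merge-request settings with no registry-related argument under it, and `create_ecr`/`create_deploy_key` in `variables.tf` are declared but never read — all three look like leftovers from another provider's module. `output "path"` in outputs.tf lacks a `description`, unlike `repo_url`.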
@@ -0,0 +1,54 @@
+variable "archived" {
+ description = "whether to archive the repo (make it readonly)"
+ type = bool
+ default = false
+}
+
+variable "create_deploy_key" {
+ description = "whether or not to create a deploy key for ci to commit to the repo"
+ type = bool
+ default = false
+}
+
+variable "create_ecr" {
+ description = "whether or not to create the ecr repository"
+ type = bool
+ default = false
+}
+
+variable "default_branch" {
+ description = "specifies what the default branch is for the repository"
+ type = string
+ default = "main"
+}
+
+variable "group_name" {
+ description = "the group name the repository belongs to"
+ type = string
+}
+
+variable "import_url" {
+ description = "import url of the git repository"
+ type = string
+ default = null
+}
+variable "initialize_with_readme" {
+ description = "whether or not to add a readme at project creation"
+ type = bool
+ default = true
+}
+
+variable "only_allow_merge_if_pipeline_succeeds" {
+ description = "set to true once your branch or mr has a successful pipeline you can depend on"
+ type = bool
+}
+
+variable "project_name" {
+ description = "the name of the project"
+ type = string
+}
+
+variable "remove_source_branch_after_merge" {
+ description = "whether or not we should remove source branch after a merge"
+ type = bool
+}
diff --git a/akamai-gitlab/terraform/gitlab/projects.tf b/akamai-gitlab/terraform/gitlab/projects.tf
new file mode 100644
index 000000000..bbf5c01b5
--- /dev/null
+++ b/akamai-gitlab/terraform/gitlab/projects.tf
@@ -0,0 +1,29 @@
+module "metaphor" {
+ source = "./modules/project"
+ group_name = data.gitlab_group.owner.id
+ project_name = ""
+ # create_ecr = true
+ initialize_with_readme = false
+ only_allow_merge_if_pipeline_succeeds = false
+ remove_source_branch_after_merge = true
+}
+
+module "gitops" {
+ source = "./modules/project"
+ group_name = data.gitlab_group.owner.id
+ project_name = " "
+ # create_ecr = true
+ initialize_with_readme = false
+ only_allow_merge_if_pipeline_succeeds = false
+ remove_source_branch_after_merge = true
+}
+
+resource "gitlab_project_hook" "atlantis" {
+ project = module.gitops.path
+ url = var.atlantis_repo_webhook_url
+ token = var.atlantis_repo_webhook_secret
+ merge_requests_events = true
+ push_events = true
+ note_events = true
+}
+
diff --git a/akamai-gitlab/terraform/gitlab/vars.tf b/akamai-gitlab/terraform/gitlab/vars.tf
new file mode 100644
index 000000000..c35c799ac
--- /dev/null
+++ b/akamai-gitlab/terraform/gitlab/vars.tf
@@ -0,0 +1,13 @@
+variable "owner_group_id" {
+ description = "gitlab owner group id"
+ type = string
+}
+variable "atlantis_repo_webhook_url" {
+ description = "webhook url for atlantis for the gitops project"
+ type = string
+}
+
+variable "atlantis_repo_webhook_secret" {
+ description = "webhook secret for atlantis for the gitops project"
+ type = string
+}
diff --git a/akamai-gitlab/terraform/users/admins/admin-one.tf b/akamai-gitlab/terraform/users/admins/admin-one.tf
new file mode 100644
index 000000000..556ad5ff4
--- /dev/null
+++ b/akamai-gitlab/terraform/users/admins/admin-one.tf
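Review bot: `atlantis_repo_webhook_secret` in vars.tf is fed into `gitlab_project_hook.atlantis` as `token` but is not declared `sensitive = true`, so its value appears in plan/apply output and in any CI log that captures it; add `sensitive = true` under `type = string` in that variable block. In projects.tf the gitops module's `project_name = " "` renders as a single space while metaphor's renders as `""` — if that is not a stripped template token, the project name is invalid and the hook's `project = module.gitops.path` will fail with it.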
@@ -0,0 +1,19 @@
+# # note: uncomment the below to create a new admin, and be sure to
+# # adjust module name admin_one below to your admin's firstname_lastname.
+# # create as many admin modules files as you have admin personnel.
+
+# # For Single Sign On: be sure to also add the new user to the admins-outputs.tf
+
+# module "admin_one" {
+# source = "../modules/user/github"
+
+# acl_policies = ["admin"]
+# email = "your.admin@your-company.io"
+# first_name = "Admin"
+# github_username = "admin-one-github-username"
+# last_name = "One"
+# team_id = data.github_team.admins.id
+# username = "aone"
+# user_disabled = false
+# userpass_accessor = data.vault_auth_backend.userpass.accessor
+# }
diff --git a/akamai-gitlab/terraform/users/admins/admins-outputs.tf b/akamai-gitlab/terraform/users/admins/admins-outputs.tf
new file mode 100644
index 000000000..8fe585e05
--- /dev/null
+++ b/akamai-gitlab/terraform/users/admins/admins-outputs.tf
@@ -0,0 +1,8 @@
+# every admin that is added to the platform will need to have their ID
+# added to this list so that its client id is added to the group in vault
+output "vault_identity_entity_ids" {
+ value = [
+ module.kbot.vault_identity_entity_id,
+ # module.admin_one.vault_identity_entity_id,
+ ]
+}
diff --git a/akamai-gitlab/terraform/users/admins/data_sources.tf b/akamai-gitlab/terraform/users/admins/data_sources.tf
new file mode 100644
index 000000000..1331a4653
--- /dev/null
+++ b/akamai-gitlab/terraform/users/admins/data_sources.tf
@@ -0,0 +1,7 @@
+data "github_team" "admins" {
+ slug = ""
+}
+
+data "vault_auth_backend" "userpass" {
+ path = "userpass"
+}
diff --git a/akamai-gitlab/terraform/users/admins/kbot.tf b/akamai-gitlab/terraform/users/admins/kbot.tf
new file mode 100644
index 000000000..3ffdc1ea0
--- /dev/null
+++ b/akamai-gitlab/terraform/users/admins/kbot.tf
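Review bot: `data "github_team" "admins"` in data_sources.tf (and `data "github_team" "developers"` in the developers directory), together with `source = "../modules/user/github"` in kbot.tf and the commented admin/developer examples, pull a GitHub team lookup and the GitHub provider into the akamai-gitlab template, so applying these directories on a GitLab-backed platform requires GitHub credentials — presumably copy residue from the github template. Unless the GitHub lookup is intentional, these should reference the GitLab groups created in `groups.tf` and a gitlab user module; if it is intentional, a comment at the top of data_sources.tf explaining the cross-provider dependency is needed.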
@@ -0,0 +1,20 @@
+module "kbot" {
+ # kbot is your automation user for all automation
+ # on the platform that needs a bot account
+ source = "../modules/user/github"
+
+ acl_policies = ["admin"]
+ email = ""
+ first_name = "K"
+ github_username = ""
+ last_name = "Bot"
+ team_id = data.github_team.admins.id
+ initial_password = var.initial_password
+ username = "kbot"
+ user_disabled = false
+ userpass_accessor = data.vault_auth_backend.userpass.accessor
+}
+
+variable "initial_password" {
+ type = string
+}
diff --git a/akamai-gitlab/terraform/users/developers/data_sources.tf b/akamai-gitlab/terraform/users/developers/data_sources.tf
new file mode 100644
index 000000000..471e1c444
--- /dev/null
+++ b/akamai-gitlab/terraform/users/developers/data_sources.tf
@@ -0,0 +1,7 @@
+data "github_team" "developers" {
+ slug = ""
+}
+
+data "vault_auth_backend" "userpass" {
+ path = "userpass"
+}
diff --git a/akamai-gitlab/terraform/users/developers/developer-one.tf b/akamai-gitlab/terraform/users/developers/developer-one.tf
new file mode 100644
index 000000000..7ee54eb6a
--- /dev/null
+++ b/akamai-gitlab/terraform/users/developers/developer-one.tf
@@ -0,0 +1,20 @@
+# # note: uncomment the below to create a new developer, and be sure to
+# # adjust module name developer_one below to your developer's firstname_lastname.
+# # create as many developer module files as you have developer personnel.
+
+# # For Single Sign On: be sure to also add the new user to the developers-outputs.tf
+
+# module "developer_one" {
+# source = "../modules/user/github"
+#
+# acl_policies = ["developer"]
+# email = "dev.one@example.com"
+# first_name = "Dev"
+# github_username = "developer-ones-github-username"
+# team_id = data.github_team.developers.id
+# last_name = "One"
+# username = "done"
+# user_disabled = false
+# userpass_accessor = data.vault_auth_backend.userpass.accessor
+# }
+#
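Review bot: `variable "initial_password"` carries the bot's Vault userpass password into the user module's `data_json` but is declared without `sensitive = true`, so the value is shown in plan diffs and console output; declare it as `type = string` plus `sensitive = true`. The module already sets `acl_policies = ["admin"]` for this automation account, so the password is effectively a root-equivalent credential and also worth a `# rotate after bootstrap; managed by vault_generic_endpoint "user" thereafter` comment. Declaring the variable inside kbot.tf next to the module call also hides it from the usual variables file — a minor tidy-up.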
diff --git a/akamai-gitlab/terraform/users/developers/developers-outputs.tf b/akamai-gitlab/terraform/users/developers/developers-outputs.tf
new file mode 100644
index 000000000..f70604e7e
--- /dev/null
+++ b/akamai-gitlab/terraform/users/developers/developers-outputs.tf
@@ -0,0 +1,7 @@
+# every developer that is added to the platform will need to have their ID
+# added to this list so that its client id is added to the group in vault
+output "vault_identity_entity_ids" {
+ value = [
+ # module.developer_one.vault_identity_entity_id,
+ ]
+}
diff --git a/akamai-gitlab/terraform/users/modules/user/github/main.tf b/akamai-gitlab/terraform/users/modules/user/github/main.tf
new file mode 100644
index 000000000..1ee0d08a3
--- /dev/null
+++ b/akamai-gitlab/terraform/users/modules/user/github/main.tf
@@ -0,0 +1,115 @@ +resource "vault_identity_entity" "user" { + name = var.username + disabled = var.user_disabled + metadata = { + email = var.email + first_name = var.first_name + last_name = var.last_name + } +} + +output "vault_identity_entity_id" { + value = vault_identity_entity.user.id +} + +resource "vault_identity_entity_alias" "user" { + name = var.username + mount_accessor = var.userpass_accessor + canonical_id = vault_identity_entity.user.id +} + +resource "random_password" "password" { + length = 25 + special = true + override_special = "!#$@" +} + +resource "vault_generic_endpoint" "user" { + depends_on = [vault_generic_endpoint.user_password] # avoids race condition + path = "auth/userpass/users/${var.username}" + ignore_absent_fields = true + + data_json = jsonencode( + { + policies = var.acl_policies, + token_ttl = "1h" + } + ) +} + +resource "vault_generic_endpoint" "user_password" { + path = "auth/userpass/users/${var.username}" + ignore_absent_fields = true + lifecycle { + ignore_changes = [data_json] + } + + # note: this resource includes the initial password and only gets applied once + # changes to the user should be managed by the vault_generic_endpoint named "user" above + data_json = jsonencode( + { + password = var.initial_password != "" ? 
var.initial_password : random_password.password.result, + policies = var.acl_policies, + token_ttl = "1h" + } + ) +} + +resource "vault_generic_secret" "user" { + path = "users/${var.username}" + + data_json = <"] + } +} + +data "linode_lke_cluster" "kubefirst" { + id = data.linode_lke_clusters.kubefirst.lke_clusters.0.id +} +resource "vault_auth_backend" "k8s" { + type = "kubernetes" + path = "kubernetes/kubefirst" +} + +resource "vault_kubernetes_auth_backend_config" "k8s" { + backend = vault_auth_backend.k8s.path + kubernetes_host = data.linode_lke_cluster.kubefirst.api_endpoints[0] +} + +resource "vault_kubernetes_auth_backend_role" "k8s_atlantis" { + backend = vault_auth_backend.k8s.path + role_name = "atlantis" + bound_service_account_names = ["atlantis"] + bound_service_account_namespaces = ["*"] + token_ttl = 86400 + token_policies = ["admin", "default"] +} + +resource "vault_kubernetes_auth_backend_role" "k8s_external_secrets" { + backend = vault_auth_backend.k8s.path + role_name = "external-secrets" + bound_service_account_names = ["external-secrets"] + bound_service_account_namespaces = ["*"] + token_ttl = 86400 + token_policies = ["admin", "default"] +} diff --git a/akamai-gitlab/terraform/vault/kv-mounts.tf b/akamai-gitlab/terraform/vault/kv-mounts.tf new file mode 100644 index 000000000..5ff07d6b8 --- /dev/null +++ b/akamai-gitlab/terraform/vault/kv-mounts.tf @@ -0,0 +1,11 @@ +resource "vault_mount" "secret" { + path = "secret" + type = "kv-v2" + description = "the default vault kv v2 backend" +} + +resource "vault_mount" "users" { + path = "users" + type = "kv-v2" + description = "kv v2 backend" +} diff --git a/akamai-gitlab/terraform/vault/main.tf b/akamai-gitlab/terraform/vault/main.tf new file mode 100644 index 000000000..e36f11b0e --- /dev/null +++ b/akamai-gitlab/terraform/vault/main.tf 
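Review bot: Both `vault_kubernetes_auth_backend_role` resources combine `bound_service_account_namespaces = ["*"]` with `token_policies = ["admin", "default"]` and `token_ttl = 86400`, so any ServiceAccount named `atlantis` or `external-secrets` in any namespace of the management cluster can obtain a 24-hour admin Vault token — a namespace-scoped workload that can create a ServiceAccount gets Vault admin. Binding each role to its real namespace (`["atlantis"]`, `["external-secrets-operator"]`) and giving `external-secrets` a read-only policy over the `secret/` paths it syncs would match the least-privilege RBAC the rest of this diff already uses. The `@@` header and file boundary preceding these resources are lost in this rendering (the text from the user module's `data_json = <<` heredoc through the next `>` is missing), so the file name is inferred from the resource names.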
@@ -0,0 +1,27 @@
+terraform {
+ backend "s3" {
+ bucket = ""
+ key = "terraform/vault/terraform.tfstate"
+ endpoint = "https://.us-east-1.linodeobjects.com" #! edit
+
+ region = "us-east-1" #! edit
+
+ skip_credentials_validation = true
+ skip_metadata_api_check = true
+ skip_region_validation = true
+ force_path_style = true
+ }
+ required_providers {
+ linode = {
+ source = "linode/linode"
+ version = "2.16.0"
+ }
+ vault = {
+ source = "hashicorp/vault"
+ }
+ }
+}
+
+provider "vault" {
+ skip_tls_verify = "true"
+}
diff --git a/akamai-gitlab/terraform/vault/modules/oidc-client/main.tf b/akamai-gitlab/terraform/vault/modules/oidc-client/main.tf
new file mode 100644
index 000000000..d9d6be803
--- /dev/null
+++ b/akamai-gitlab/terraform/vault/modules/oidc-client/main.tf
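Review bot: `skip_tls_verify = "true"` in `provider "vault"` disables certificate verification for every Vault API call this configuration makes, so an attacker between the Terraform runner and Vault can intercept the token used here, which carries admin-level access. The `wait-vault-tls` job elsewhere in this change suggests Vault is served with a provisioned certificate, so verify it instead: remove the line and point `ca_cert_file` (or `VAULT_CACERT`) at the issuing CA, or if it truly must stay, write it as a boolean with a comment, `skip_tls_verify = true # bootstrap only: cert is self-signed until cert-manager issues it`. Separately, `force_path_style` is deprecated in the S3 backend in favor of `use_path_style` on recent Terraform releases — worth confirming against the version the runner uses.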
@@ -0,0 +1,64 @@ +resource "vault_identity_oidc_assignment" "app" { + name = var.app_name + group_ids = var.identity_group_ids +} + +resource "vault_identity_oidc_client" "app" { + name = var.app_name + key = var.oidc_provider_key_name + redirect_uris = var.redirect_uris + assignments = [ + vault_identity_oidc_assignment.app.name, + ] + id_token_ttl = 2400 + access_token_ttl = 7200 + client_type = "confidential" +} + +output "vault_oidc_app_name" { + value = vault_identity_oidc_client.app.name +} + +variable "app_name" { + type = string +} + +variable "identity_group_ids" { + type = list(string) +} + +variable "oidc_provider_key_name" { + type = string +} + +variable "redirect_uris" { + type = list(string) +} + +variable "secret_mount_path" { + type = string +} + +data "vault_identity_oidc_client_creds" "creds" { + name = var.app_name + + depends_on = [ + vault_identity_oidc_client.app + ] + +} + +resource "vault_generic_secret" "creds" { + path = "${var.secret_mount_path}/oidc/${var.app_name}" + + depends_on = [ + vault_identity_oidc_client.app + ] + + data_json = </oauth2/callback", + ] + secret_mount_path = "secret" +} + +module "argocd" { + source = "./modules/oidc-client" + + depends_on = [ + vault_identity_oidc_provider.kubefirst + ] + + app_name = "argocd" + identity_group_ids = [vault_identity_group.admins.id, vault_identity_group.developers.id] + oidc_provider_key_name = vault_identity_oidc_key.key.name + redirect_uris = [ + "/auth/callback", + ] + secret_mount_path = "secret" +} + +module "console" { + source = "./modules/oidc-client" + + depends_on = [ + vault_identity_oidc_provider.kubefirst + ] + + app_name = "console" + identity_group_ids = [vault_identity_group.admins.id, vault_identity_group.developers.id] + oidc_provider_key_name = vault_identity_oidc_key.key.name + redirect_uris = [ + "https://kubefirst./api/auth/callback/vault", + ] + secret_mount_path = "secret" +} + +# todo kubectl-oidc 
diff --git a/akamai-gitlab/terraform/vault/oidc-groups.tf b/akamai-gitlab/terraform/vault/oidc-groups.tf new file mode 100644 index 000000000..b2cc82df9 --- /dev/null +++ b/akamai-gitlab/terraform/vault/oidc-groups.tf @@ -0,0 +1,33 @@ +resource "vault_identity_group" "developers" { + name = "" + type = "internal" + policies = ["developer"] + + # `resource "vault_identity_group_member_entity_ids"` manages this in `developers.tf` + lifecycle { + ignore_changes = [ + member_entity_ids + ] + } + + metadata = { + version = "2" + } +} + +resource "vault_identity_group" "admins" { + name = "" + type = "internal" + policies = ["admin"] + + # `resource "vault_identity_group_member_entity_ids"` manages this in `admins.tf` + lifecycle { + ignore_changes = [ + member_entity_ids + ] + } + + metadata = { + version = "2" + } +} diff --git a/akamai-gitlab/terraform/vault/oidc-provider.tf b/akamai-gitlab/terraform/vault/oidc-provider.tf new file mode 100644 index 000000000..2d976df8e --- /dev/null +++ b/akamai-gitlab/terraform/vault/oidc-provider.tf @@ -0,0 +1,20 @@ +resource "vault_identity_oidc_key" "key" { + name = "kubefirst" + algorithm = "RS256" + allowed_client_ids = ["*"] # todo make explicit list of client ids +} + +resource "vault_identity_oidc_provider" "kubefirst" { + name = "kubefirst" + https_enabled = true + issuer_host = "" + allowed_client_ids = [ + "*" # todo make explicit list of client ids + ] + scopes_supported = [ + vault_identity_oidc_scope.group_scope.name, + vault_identity_oidc_scope.user_scope.name, + vault_identity_oidc_scope.email_scope.name, + vault_identity_oidc_scope.profile_scope.name + ] +} diff --git a/akamai-gitlab/terraform/vault/oidc-scopes.tf b/akamai-gitlab/terraform/vault/oidc-scopes.tf new file mode 100644 index 000000000..989ac7f30 --- /dev/null +++ b/akamai-gitlab/terraform/vault/oidc-scopes.tf @@ -0,0 +1,42 @@ +resource "vault_identity_oidc_scope" "group_scope" { + name = "groups" + template = <"] 
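Review bot: `allowed_client_ids = ["*"]` on both `vault_identity_oidc_key.key` and `vault_identity_oidc_provider.kubefirst` lets any OIDC client ever registered in this Vault obtain tokens signed by this key and issued by this provider; the `# todo` acknowledges it, but the fix is small. Have the `oidc-client` module also output `vault_identity_oidc_client.app.client_id` and reference those outputs here, e.g. `allowed_client_ids = [module.argocd.vault_oidc_client_id, module.console.vault_oidc_client_id]`; the modules' `depends_on = [vault_identity_oidc_provider.kubefirst]` would then have to go (it would form a cycle), which is fine since the clients reference only the key. `issuer_host` is empty in this template, so confirm the templating step fills it, otherwise the provider advertises the wrong issuer and consumers will reject its tokens.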
@@ -122,6 +100,42 @@ module "eks" { } } + # Enable admin permissions for the cluster creator + enable_cluster_creator_admin_permissions = true + + access_entries = { + + argocd_ = { + cluster_name = "" + principal_arn = "arn:aws:iam:::role/argocd-" + username = "arn:aws:iam:::role/argocd-" + policy_associations = { + view_deployments = { + policy_arn = "arn:aws:eks::aws:cluster-access-policy/AmazonEKSViewPolicy" + access_scope = { + namespaces = ["default"] + type = "namespace" + } + } + } + } + + atlantis_ = { + cluster_name = "" + principal_arn = "arn:aws:iam:::role/atlantis-" + username = "arn:aws:iam:::role/atlantis-" + policy_associations = { + view_deployments = { + policy_arn = "arn:aws:eks::aws:cluster-access-policy/AmazonEKSViewPolicy" + access_scope = { + namespaces = ["default"] + type = "namespace" + } + } + } + } + } + tags = local.tags } @@ -165,7 +179,7 @@ module "vpc" { module "vpc_cni_irsa" { source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks" - version = "5.32.0" + version = "5.40.0" role_name = upper("VPC-CNI-IRSA-") attach_vpc_cni_policy = true @@ -186,7 +200,7 @@ module "vpc_cni_irsa" { module "aws_ebs_csi_driver" { source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks" - version = "5.32.0" + version = "5.40.0" role_name = upper("EBS-CSI-DRIVER-") @@ -348,7 +362,7 @@ EOT module "argo_workflows" { source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks" - version = "5.32.0" + version = "5.40.0" role_name = "argo-${local.name}" role_policy_arns = { @@ -367,7 +381,7 @@ module "argo_workflows" { module "argocd" { source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks" - version = "5.32.0" + version = "5.40.0" role_name = "argocd-${local.name}" role_policy_arns = { 
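Review bot: The `access_entries` items use `cluster_name` and `username` keys, but the terraform-aws-eks v20 module reads `principal_arn`, `user_name`, `kubernetes_groups`, `type` and `policy_associations` from each entry and takes the cluster name from the module itself, so if that holds these two lines are silently ignored; rename `username` to `user_name` or drop both. `enable_cluster_creator_admin_permissions = true` additionally creates a standing cluster-admin access entry for whatever IAM principal runs this apply (presumably the bootstrap credentials), which is an admin path outside the reviewed entries — add a comment recording that it is deliberate, or replace it with an explicit entry for the intended principal. The argocd/atlantis entries are view-only and scoped to the `default` namespace, so they cannot manage anything on this cluster; a one-line comment stating that is the intent would save the next reader a search. The enclosing `module "eks"` block starts outside the hunk and this hunk's file header is not visible.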
@@ -387,7 +401,7 @@ module "argocd" { module "atlantis" { source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks" - version = "5.32.0" + version = "5.40.0" role_name = "atlantis-${local.name}" role_policy_arns = { @@ -405,7 +419,7 @@ module "atlantis" { module "cert_manager" { source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks" - version = "5.32.0" + version = "5.40.0" role_name = "cert-manager-${local.name}" role_policy_arns = { @@ -455,7 +469,7 @@ EOT module "chartmuseum" { source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks" - version = "5.32.0" + version = "5.40.0" role_name = "chartmuseum-${local.name}" role_policy_arns = { @@ -528,7 +542,7 @@ data "aws_iam_policy_document" "crossplane_custom_trust_policy" { module "ecr_publish_permissions_sync" { source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks" - version = "5.32.0" + version = "5.40.0" role_name = "ecr-publish-permissions-sync-${local.name}" role_policy_arns = { @@ -547,7 +561,7 @@ module "ecr_publish_permissions_sync" { module "external_dns" { source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks" - version = "5.32.0" + version = "5.40.0" role_name = "external-dns-${local.name}" role_policy_arns = { @@ -598,7 +612,7 @@ EOT module "kubefirst_api" { source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks" - version = "5.32.0" + version = "5.40.0" role_name = "kubefirst-api-${local.name}" role_policy_arns = { @@ -618,7 +632,7 @@ module "kubefirst_api" { module "vault" { source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks" - version = "5.32.0" + version = "5.40.0" role_name = "vault-${local.name}" role_policy_arns = { diff --git a/aws-github/terraform/aws/modules/workload-cluster/main.tf b/aws-github/terraform/aws/modules/workload-cluster/main.tf index c95b575a6..2b5da2eb2 100644 
--- a/aws-github/terraform/aws/modules/workload-cluster/main.tf +++ b/aws-github/terraform/aws/modules/workload-cluster/main.tf @@ -1,8 +1,7 @@ -data "aws_caller_identity" "current" {} data "aws_availability_zones" "available" {} locals { - cluster_version = "1.26" + cluster_version = "1.29" vpc_cidr = "10.0.0.0/16" azs = slice(data.aws_availability_zones.available.names, 0, 3) tags = { @@ -13,38 +12,17 @@ locals { ################################################################################ # EKS Module ################################################################################ -module "iam_node_group_role" { - source = "terraform-aws-modules/iam/aws//modules/iam-assumable-role" - - create_role = true - - role_name_prefix = "${var.cluster_name}-node-group" - - custom_role_policy_arns = [ - "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly", - "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy", - "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy", - ] - number_of_custom_role_policy_arns = 3 -} - module "eks" { source = "terraform-aws-modules/eks/aws" - version = "19.10.0" + version = "~> 20.0" cluster_name = var.cluster_name cluster_version = local.cluster_version cluster_endpoint_public_access = true create_kms_key = false cluster_encryption_config = {} - create_iam_role = false - iam_role_arn = module.iam_node_group_role.iam_role_arn + cluster_addons = { - # AWS launch CoreDNS itself with their add-on https://docs.aws.amazon.com/eks/latest/userguide/managing-coredns.html - # coredns = { - # most_recent = true - # resolve_conflicts = "OVERWRITE" - # } aws-ebs-csi-driver = { most_recent = true service_account_role_arn = module.aws_ebs_csi_driver.iam_role_arn 
@@ -70,21 +48,9 @@ module "eks" { subnet_ids = module.vpc.private_subnets control_plane_subnet_ids = module.vpc.intra_subnets - manage_aws_auth_configmap = false - - # aws_auth_roles = [ - # # managed node group is automatically added to the configmap - # { - # rolearn = "" - # username = "" - # groups = ["system:masters"] - # }, - # ] - eks_managed_node_group_defaults = { ami_type = "AL2_x86_64" instance_types = [var.node_type] - # We are using the IRSA created below for permissions # However, we have to deploy with the policy attached FIRST (when creating a fresh cluster) # and then turn this off after the cluster/node group is created. Without this initial policy, @@ -107,16 +73,23 @@ module "eks" { } } - tags = local.tags + enable_cluster_creator_admin_permissions = true + tags = local.tags } ################################################################################ # Supporting Resources ################################################################################ +# Avoid collisions for generated values +resource "random_integer" "id" { + min = 1000 + max = 9999 +} + module "vpc" { source = "terraform-aws-modules/vpc/aws" - version = "4.0.2" + version = "~> 5.9.0" name = var.cluster_name cidr = local.vpc_cidr @@ -150,7 +123,7 @@ module "vpc" { module "vpc_cni_irsa" { source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks" - version = "5.32.0" + version = "~> 5.42.0" role_name = upper("VPC-CNI-IRSA-${var.cluster_name}") attach_vpc_cni_policy = true @@ -158,7 +131,6 @@ module "vpc_cni_irsa" { AmazonEKS_CNI_Policy = "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy" } - oidc_providers = { main = { provider_arn = module.eks.oidc_provider_arn @@ -171,7 +143,7 @@ module "vpc_cni_irsa" { module "aws_ebs_csi_driver" { source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks" - version = "5.32.0" + version = "~> 5.42.0" role_name = upper("EBS-CSI-DRIVER-${var.cluster_name}") 
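Review bot: `enable_cluster_creator_admin_permissions = true` gives whichever IAM principal applies this module a standing cluster-admin access entry on every workload cluster, while nothing in this module grants the Argo CD role an entry even though `20-argocd-connection.yaml` in this commit connects Argo CD to the cluster through `awsAuthConfig.roleARN`; with the `manage_aws_auth_configmap`/`aws_auth_roles` block removed, that role needs either an `access_entries` item here or a mapping created elsewhere, so confirm where it is granted. The module pins also moved from exact versions (`19.10.0`, `4.0.2`, `5.32.0`) to ranges (`~> 20.0`, `~> 5.9.0`, `~> 5.42.0`), which lets new upstream releases flow into cluster builds without review; the exact pins were the safer supply-chain posture. The `module "eks"` block starts outside the hunk.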
@@ -190,7 +162,7 @@ module "aws_ebs_csi_driver" { } resource "aws_iam_policy" "aws_ebs_csi_driver" { - name = "aws-ebs-csi-driver-${var.cluster_name}" + name = "aws-ebs-csi-driver-${var.cluster_name}-${random_integer.id.result}" path = "/" description = "policy for aws ebs csi driver" @@ -331,9 +303,10 @@ resource "aws_iam_policy" "aws_ebs_csi_driver" { EOT } + module "cert_manager" { source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks" - version = "5.32.0" + version = "~> 5.42.0" role_name = "cert-manager-${var.cluster_name}" role_policy_arns = { @@ -350,7 +323,7 @@ module "cert_manager" { } resource "aws_iam_policy" "cert_manager" { - name = "cert-manager-${var.cluster_name}" + name = "cert-manager-${var.cluster_name}-${random_integer.id.result}" path = "/" description = "policy for external dns to access route53 resources" @@ -381,9 +354,10 @@ resource "aws_iam_policy" "cert_manager" { EOT } + module "external_dns" { source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks" - version = "5.32.0" + version = "~> 5.42.0" role_name = "external-dns-${var.cluster_name}" role_policy_arns = { @@ -400,7 +374,7 @@ module "external_dns" { } resource "aws_iam_policy" "external_dns" { - name = "external-dns-${var.cluster_name}" + name = "external-dns-${var.cluster_name}-${random_integer.id.result}" path = "/" description = "policy for external dns to access route53 resources" diff --git a/aws-github/terraform/aws/modules/workload-cluster/variables.tf b/aws-github/terraform/aws/modules/workload-cluster/variables.tf index b809c8039..01c8d01ea 100644 --- a/aws-github/terraform/aws/modules/workload-cluster/variables.tf +++ b/aws-github/terraform/aws/modules/workload-cluster/variables.tf @@ -19,4 +19,3 @@ variable "node_type" { default = "t3.medium" type = string } - diff --git a/aws-github/terraform/github/repos.tf b/aws-github/terraform/github/repos.tf index 1c3f320ce..c04c7b891 100644 
--- a/aws-github/terraform/github/repos.tf +++ b/aws-github/terraform/github/repos.tf @@ -21,7 +21,7 @@ terraform { module "gitops" { source = "./modules/repository" - repo_name = "gitops" + repo_name = "" archive_on_destroy = false auto_init = false # set to false if importing an existing repository team_developers_id = github_team.developers.id @@ -50,7 +50,7 @@ variable "atlantis_repo_webhook_secret" { module "metaphor" { source = "./modules/repository" - repo_name = "metaphor" + repo_name = "" archive_on_destroy = false auto_init = false # set to false if importing an existing repository create_ecr = true diff --git a/aws-github/terraform/github/teams.tf b/aws-github/terraform/github/teams.tf index 355d21b5f..a77f9bae9 100644 --- a/aws-github/terraform/github/teams.tf +++ b/aws-github/terraform/github/teams.tf @@ -1,11 +1,11 @@ resource "github_team" "admins" { - name = "admins" + name = "" description = "administrators of the kubefirst platform" privacy = "closed" } resource "github_team" "developers" { - name = "developers" + name = "" description = "developers using the kubefirst plaftform" privacy = "closed" } diff --git a/aws-github/terraform/users/admins/data_sources.tf b/aws-github/terraform/users/admins/data_sources.tf index a454eea5f..1331a4653 100644 --- a/aws-github/terraform/users/admins/data_sources.tf +++ b/aws-github/terraform/users/admins/data_sources.tf @@ -1,5 +1,5 @@ data "github_team" "admins" { - slug = "admins" + slug = "" } data "vault_auth_backend" "userpass" { diff --git a/aws-github/terraform/users/developers/data_sources.tf b/aws-github/terraform/users/developers/data_sources.tf index 9c5d5c625..471e1c444 100644 --- a/aws-github/terraform/users/developers/data_sources.tf +++ b/aws-github/terraform/users/developers/data_sources.tf @@ -1,5 +1,5 @@ data "github_team" "developers" { - slug = "developers" + slug = "" } data "vault_auth_backend" "userpass" { 
diff --git a/aws-github/terraform/users/users.tf b/aws-github/terraform/users/users.tf index ec25ff5c8..0cd2fb72d 100644 --- a/aws-github/terraform/users/users.tf +++ b/aws-github/terraform/users/users.tf @@ -15,11 +15,11 @@ terraform { } data "github_team" "admins" { - slug = "admins" + slug = "" } data "github_team" "developers" { - slug = "developers" + slug = "" } data "vault_auth_backend" "userpass" { @@ -27,7 +27,7 @@ data "vault_auth_backend" "userpass" { } data "vault_identity_group" "admins" { - group_name = "admins" + group_name = "" } variable "initial_password" { @@ -52,7 +52,7 @@ resource "vault_identity_group_member_entity_ids" "admins_membership" { # # developers module # data "vault_identity_group" "developers" { -# group_name = "developers" +# group_name = "" # } # module "developers" { diff --git a/aws-github/terraform/vault/oidc-groups.tf b/aws-github/terraform/vault/oidc-groups.tf index 4da060600..b2cc82df9 100644 --- a/aws-github/terraform/vault/oidc-groups.tf +++ b/aws-github/terraform/vault/oidc-groups.tf @@ -1,5 +1,5 @@ resource "vault_identity_group" "developers" { - name = "developers" + name = "" type = "internal" policies = ["developer"] @@ -16,7 +16,7 @@ resource "vault_identity_group" "developers" { } resource "vault_identity_group" "admins" { - name = "admins" + name = "" type = "internal" policies = ["admin"] diff --git a/aws-gitlab/templates/mgmt/components/argo-workflows/vault-wait.yaml b/aws-gitlab/templates/mgmt/components/argo-workflows/vault-wait.yaml index 47beecc62..bde31a201 100644 --- a/aws-gitlab/templates/mgmt/components/argo-workflows/vault-wait.yaml +++ b/aws-gitlab/templates/mgmt/components/argo-workflows/vault-wait.yaml @@ -22,4 +22,3 @@ spec: selfHeal: true syncOptions: - CreateNamespace=true - - Replace=true diff --git a/aws-gitlab/templates/mgmt/components/argo-workflows/wait/vault-tls.yaml b/aws-gitlab/templates/mgmt/components/argo-workflows/wait/vault-tls.yaml index c90d10ff9..d0f9b3f66 100644 
--- a/aws-gitlab/templates/mgmt/components/argo-workflows/wait/vault-tls.yaml +++ b/aws-gitlab/templates/mgmt/components/argo-workflows/wait/vault-tls.yaml @@ -23,6 +23,7 @@ kind: Job metadata: annotations: argocd.argoproj.io/sync-wave: '0' + argocd.argoproj.io/sync-options: Force=true,Replace=true name: wait-vault-tls namespace: vault spec: diff --git a/aws-gitlab/templates/mgmt/components/argocd/kustomization.yaml b/aws-gitlab/templates/mgmt/components/argocd/kustomization.yaml index ef44dac20..1b7fd9651 100644 --- a/aws-gitlab/templates/mgmt/components/argocd/kustomization.yaml +++ b/aws-gitlab/templates/mgmt/components/argocd/kustomization.yaml @@ -5,7 +5,7 @@ namespace: argocd # To upgrade ArgoCD, increment the version here # https://github.com/argoproj/argo-cd/tags resources: - - github.com:kubefirst/manifests.git/argocd/cloud?ref=main + - github.com:konstructio/manifests.git/argocd/cloud?ref=v1.1.0 - argocd-ui-ingress.yaml - externalsecrets.yaml - argocd-oidc-restart-job.yaml diff --git a/aws-gitlab/templates/mgmt/components/crossplane/crossplane-system/crossplane-secrets.yaml b/aws-gitlab/templates/mgmt/components/crossplane/crossplane-system/crossplane-secrets.yaml index 72e3d807f..f8ec71b45 100644 --- a/aws-gitlab/templates/mgmt/components/crossplane/crossplane-system/crossplane-secrets.yaml +++ b/aws-gitlab/templates/mgmt/components/crossplane/crossplane-system/crossplane-secrets.yaml @@ -33,7 +33,7 @@ spec: engineVersion: v2 data: creds: | - https://{{ .username }}:{{ .password }}@github.com + https://{{ .username }}:{{ .password }}@gitlab.com secretStoreRef: kind: ClusterSecretStore name: vault-kv-secret @@ -48,4 +48,4 @@ spec: key: crossplane property: password conversionStrategy: Default - secretKey: password \ No newline at end of file + secretKey: password diff --git a/aws-gitlab/templates/mgmt/components/kubefirst/console.yaml b/aws-gitlab/templates/mgmt/components/kubefirst/console.yaml index f9d950528..7d1da9696 100644 
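Review bot: `github.com:konstructio/manifests.git/argocd/cloud?ref=v1.1.0` pins the remote kustomize base to a git tag, which is better than the previous `ref=main` but still mutable — whoever can move that tag changes what Argo CD is installed as on every cluster built from this template. Pin to the commit SHA, `?ref=<40-hex commit>`, and bump it deliberately, or add a comment recording why a tag is acceptable here.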
--- a/aws-gitlab/templates/mgmt/components/kubefirst/console.yaml +++ b/aws-gitlab/templates/mgmt/components/kubefirst/console.yaml @@ -8,8 +8,8 @@ metadata: spec: project: default source: - repoURL: https://charts.kubefirst.com - targetRevision: 2.4.14-rc39 + repoURL: https://charts.konstruct.io + targetRevision: 2.5.12-rc3 chart: kubefirst helm: values: |- @@ -34,6 +34,10 @@ spec: IN_CLUSTER: "true" CLUSTER_NAME: "" ENTERPRISE_API_URL: "http://kubefirst-kubefirst-api-ee.kubefirst.svc.cluster.local" + serviceAccount: + create: true + annotations: + eks.amazonaws.com/role-arn: arn:aws:iam:::role/kubefirst-api- console: isClusterZero: "false" domain: "" diff --git a/aws-gitlab/templates/workload-cluster/0-providerconfig.yaml b/aws-gitlab/templates/workload-cluster/0-providerconfig.yaml new file mode 100644 index 000000000..cac4df032 --- /dev/null +++ b/aws-gitlab/templates/workload-cluster/0-providerconfig.yaml @@ -0,0 +1,24 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: -provider-config + namespace: argocd + finalizers: + - resources-finalizer.argocd.argoproj.io + annotations: + argocd.argoproj.io/sync-wave: '0' +spec: + project: default + source: + repoURL: + path: registry/clusters//provider-config + targetRevision: HEAD + destination: + name: in-cluster + namespace: crossplane-system + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true diff --git a/aws-gitlab/templates/workload-cluster/10-infrastructure.yaml b/aws-gitlab/templates/workload-cluster/10-infrastructure.yaml new file mode 100644 index 000000000..5e2a0defc --- /dev/null +++ b/aws-gitlab/templates/workload-cluster/10-infrastructure.yaml 
@@ -0,0 +1,24 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: -infrastructure
+ namespace: argocd
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+ annotations:
+ argocd.argoproj.io/sync-wave: '10'
+spec:
+ project: default
+ source:
+ repoURL:
+ path: registry/clusters//infrastructure
+ targetRevision: HEAD
+ destination:
+ name: in-cluster
+ namespace:
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
diff --git a/aws-gitlab/templates/workload-cluster/15-infrastructure-bootstrap.yaml b/aws-gitlab/templates/workload-cluster/15-infrastructure-bootstrap.yaml
new file mode 100644
index 000000000..73c759631
--- /dev/null
+++ b/aws-gitlab/templates/workload-cluster/15-infrastructure-bootstrap.yaml
@@ -0,0 +1,24 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: -infrastructure-bootstrap
+ namespace: argocd
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+ annotations:
+ argocd.argoproj.io/sync-wave: '15'
+spec:
+ project: default
+ source:
+ repoURL:
+ path: registry/clusters//infrastructure-bootstrap
+ targetRevision: HEAD
+ destination:
+ name: in-cluster
+ namespace:
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
diff --git a/aws-gitlab/templates/workload-cluster/20-argocd-connection.yaml b/aws-gitlab/templates/workload-cluster/20-argocd-connection.yaml
new file mode 100644
index 000000000..263636c88
--- /dev/null
+++ b/aws-gitlab/templates/workload-cluster/20-argocd-connection.yaml
@@ -0,0 +1,54 @@
+apiVersion: "external-secrets.io/v1beta1"
+kind: ExternalSecret
+metadata:
+ name:
+ annotations:
+ argocd.argoproj.io/sync-wave: '20'
+ labels:
+ app.kubernetes.io/part-of: argocd
+spec:
+ target:
+ name:
+ template:
+ metadata:
+ labels:
+ argocd.argoproj.io/secret-type: cluster
+ engineVersion: v2
+ data:
+ name: "{{ .cluster_name }}"
+ server: "{{ .host }}"
+ clusterResources: "true"
+ config: |
+ {
+ "awsAuthConfig": {
+ "clusterName": "{{ .cluster_name }}",
+ "roleARN": "{{ .argocd_role_arn }}"
+ },
+ "tlsClientConfig": {
+ "insecure": false,
+ "caData": "{{ .cluster_ca_certificate }}"
+ }
+ }
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: vault-kv-secret
+ refreshInterval: 10s
+ data:
+ - remoteRef:
+ key: clusters/
+ property: argocd_role_arn
+ conversionStrategy: Default
+ secretKey: argocd_role_arn
+ - remoteRef:
+ key: clusters/
+ property: cluster_ca_certificate
+ conversionStrategy: Default
+ secretKey: cluster_ca_certificate
+ - remoteRef:
+ key: clusters/
+ property: cluster_name
+ secretKey: cluster_name
+ - remoteRef:
+ key: clusters/
+ property: host
+ secretKey: host
diff --git a/aws-gitlab/templates/workload-cluster/30-cert-manager.yaml b/aws-gitlab/templates/workload-cluster/30-cert-manager.yaml
new file mode 100644
index 000000000..676bfa216
--- /dev/null
+++ b/aws-gitlab/templates/workload-cluster/30-cert-manager.yaml
@@ -0,0 +1,32 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: -cert-manager
+ namespace: argocd
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+ annotations:
+ argocd.argoproj.io/sync-wave: '30'
+spec:
+ project:
+ source:
+ repoURL: https://charts.jetstack.io
+ targetRevision: v1.14.4
+ helm:
+ values: |-
+ serviceAccount:
+ create: true
+ name: cert-manager
+ annotations:
+ eks.amazonaws.com/role-arn: 'arn:aws:iam:::role/cert-manager-'
+ installCRDs: true
+ chart: cert-manager
+ destination:
+ name:
+ namespace: cert-manager
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
diff --git a/aws-gitlab/templates/workload-cluster/30-external-dns.yaml b/aws-gitlab/templates/workload-cluster/30-external-dns.yaml
new file mode 100644
index 000000000..f19ed5c5e
--- /dev/null
+++ b/aws-gitlab/templates/workload-cluster/30-external-dns.yaml
@@ -0,0 +1,44 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: -external-dns
+ namespace: argocd
+ annotations:
+ argocd.argoproj.io/sync-wave: '30'
+spec:
+ project:
+ source:
+ repoURL: https://kubernetes-sigs.github.io/external-dns
+ targetRevision: 1.14.4
+ helm:
+ releaseName: external-dns
+ values: |
+ image:
+ repository: registry.k8s.io/external-dns/external-dns
+ tag: "v0.13.2"
+ serviceAccount:
+ create: true
+ name: external-dns
+ annotations:
+ eks.amazonaws.com/role-arn: 'arn:aws:iam:::role/external-dns-'
+ provider:
+ sources:
+ - ingress
+ domainFilters:
+ -
+ env:
+ - name:
+ valueFrom:
+ secretKeyRef:
+ name: external-dns-secrets
+ key: token
+ chart: external-dns
+ destination:
+ name:
+ namespace: external-dns
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
diff --git a/aws-gitlab/templates/workload-cluster/30-external-secrets-operator.yaml b/aws-gitlab/templates/workload-cluster/30-external-secrets-operator.yaml
new file mode 100644
index 000000000..c09c2bc73
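Review bot: The external-dns values override the image to `tag: "v0.13.2"` while installing chart `1.14.4`, whose default image is newer (the 1.14.x chart line tracks the v0.14.x application, as far as I recall); running an older binary under a newer chart risks renamed flags and forgoes fixes, so either drop the `image` block or pin the chart to the release that ships v0.13.2. The `env` entry injects `token` from `external-dns-secrets` under a templated variable name even though the service account already carries an IRSA `eks.amazonaws.com/role-arn` annotation; for the AWS provider that token is an extra long-lived credential to rotate for no benefit, so confirm it is emitted only for providers that need it. The empty `provider:` and `domainFilters` entries are template placeholders, presumably filled at render time.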
--- /dev/null
+++ b/aws-gitlab/templates/workload-cluster/30-external-secrets-operator.yaml
@@ -0,0 +1,71 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: -external-secrets-operator
+ namespace: argocd
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+ annotations:
+ argocd.argoproj.io/sync-wave: '30'
+spec:
+ project:
+ source:
+ repoURL: https://charts.external-secrets.io
+ targetRevision: 0.8.1
+ helm:
+ values: |-
+ serviceAccount:
+ create: false
+ name: external-secrets
+ chart: external-secrets
+ destination:
+ name:
+ namespace: external-secrets-operator
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
+ - RespectIgnoreDifferences=true
+ ignoreDifferences:
+ - group: apiextensions.k8s.io
+ kind: CustomResourceDefinition
+ jqPathExpressions:
+ - .spec.conversion.webhook.clientConfig.caBundle
+ - .spec.conversion.webhook.clientConfig.service.name
+ - .spec.conversion.webhook.clientConfig.service.namespace
+ - group: admissionregistration.k8s.io
+ kind: ValidatingWebhookConfiguration
+ jqPathExpressions:
+ - .webhooks[]?.clientConfig.caBundle
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: -eso-kubernetes-external-secrets-auth
+ annotations:
+ argocd.argoproj.io/sync-wave: '40'
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: 'system:auth-delegator'
+subjects:
+ - kind: ServiceAccount
+ name: external-secrets
+ namespace: external-secrets-operator
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: -eso-kubernetes-external-secrets-auth2
+ annotations:
+ argocd.argoproj.io/sync-wave: '40'
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: 'cluster-admin'
+subjects:
+ - kind: ServiceAccount
+ name: external-secrets
+ namespace: external-secrets-operator
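Review bot: The second ClusterRoleBinding (`-eso-kubernetes-external-secrets-auth2`) grants `cluster-admin` to the `external-secrets` ServiceAccount, so a compromise of the operator pod, or of anything that can reach its token, is full control of the workload cluster, far beyond the Secret read/write the operator actually performs. The chart already ships the RBAC the operator needs and the `system:auth-delegator` binding above is what Vault's Kubernetes auth needs for TokenReview, so delete the cluster-admin binding outright; if a specific verb turns out to be missing, bind a purpose-built ClusterRole that lists it. Note also that `serviceAccount.create: false` means something else must create the `external-secrets` SA before wave 40 or both bindings dangle and the operator will not run — `15-infrastructure-bootstrap` is presumably where that happens, so confirm it.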
diff --git a/aws-gitlab/templates/workload-cluster/30-ingress-nginx.yaml b/aws-gitlab/templates/workload-cluster/30-ingress-nginx.yaml
new file mode 100644
index 000000000..b858bdf69
--- /dev/null
+++ b/aws-gitlab/templates/workload-cluster/30-ingress-nginx.yaml
@@ -0,0 +1,36 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: -ingress-nginx
+ namespace: argocd
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+ annotations:
+ argocd.argoproj.io/sync-wave: '30'
+spec:
+ project:
+ source:
+ repoURL: https://kubernetes.github.io/ingress-nginx
+ targetRevision: 4.10.0
+ helm:
+ values: |-
+ controller:
+ ingressClass: nginx
+ publishService:
+ enabled: true
+ service:
+ annotations:
+ service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "https"
+ service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: "60"
+ extraArgs:
+ enable-ssl-passthrough: true
+ chart: ingress-nginx
+ destination:
+ name:
+ namespace: ingress-nginx
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
diff --git a/aws-gitlab/templates/workload-cluster/30-reloader.yaml b/aws-gitlab/templates/workload-cluster/30-reloader.yaml
new file mode 100644
index 000000000..2336f6b12
--- /dev/null
+++ b/aws-gitlab/templates/workload-cluster/30-reloader.yaml
@@ -0,0 +1,31 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: -reloader
+ namespace: argocd
+ annotations:
+ argocd.argoproj.io/sync-wave: '30'
+spec:
+ project:
+ source:
+ repoURL: 'https://stakater.github.io/stakater-charts'
+ targetRevision: v1.0.10
+ chart: reloader
+ helm:
+ values: |-
+ ignoreSecrets: false
+ destination:
+ name:
+ namespace: reloader
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
+ retry:
+ limit: 5
+ backoff:
+ duration: 5s
+ maxDuration: 5m0s
+ factor: 2
diff --git a/aws-gitlab/templates/workload-cluster/40-clusterissuers.yaml b/aws-gitlab/templates/workload-cluster/40-clusterissuers.yaml
new file mode 100644
index 000000000..e45d89d86
--- /dev/null
+++ b/aws-gitlab/templates/workload-cluster/40-clusterissuers.yaml
@@ -0,0 +1,24 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: -cert-issuers
+ namespace: argocd
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+ annotations:
+ argocd.argoproj.io/sync-wave: '40'
+spec:
+ project:
+ source:
+ repoURL:
+ path: registry/clusters//cert-issuers
+ targetRevision: HEAD
+ destination:
+ name:
+ namespace: cert-manager
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
diff --git a/aws-gitlab/templates/workload-cluster/40-clustersecretstore.yaml b/aws-gitlab/templates/workload-cluster/40-clustersecretstore.yaml
new file mode 100644
index 000000000..82bbdf5e3
--- /dev/null
+++ b/aws-gitlab/templates/workload-cluster/40-clustersecretstore.yaml
@@ -0,0 +1,24 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: -cluster-secret-store
+ namespace: argocd
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+ annotations:
+ argocd.argoproj.io/sync-wave: '40'
+spec:
+ project:
+ source:
+ repoURL:
+ path: registry/clusters//cluster-secret-store
+ targetRevision: HEAD
+ destination:
+ name:
+ namespace: external-secrets-operator
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
diff --git a/aws-gitlab/templates/workload-cluster/45-environment.yaml b/aws-gitlab/templates/workload-cluster/45-environment.yaml
new file mode 100644
index 000000000..0b6165033
--- /dev/null
+++ b/aws-gitlab/templates/workload-cluster/45-environment.yaml
@@ -0,0 +1,24 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: -environment + namespace: argocd + finalizers: + - resources-finalizer.argocd.argoproj.io + annotations: + argocd.argoproj.io/sync-wave: '45' +spec: + project: default + source: + repoURL: + path: registry/environments/ + targetRevision: HEAD + destination: + name: in-cluster + namespace: argocd + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true diff --git a/aws-gitlab/templates/workload-cluster/appproject-workload-cluster.yaml b/aws-gitlab/templates/workload-cluster/appproject-workload-cluster.yaml new file mode 100644 index 000000000..cca9c21f2 --- /dev/null +++ b/aws-gitlab/templates/workload-cluster/appproject-workload-cluster.yaml 
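Review bot: `project: default` on the environment Application (and on `registry-` in registry-workload-cluster.yaml later in this diff) places these apps under Argo CD's built-in default project, which permits any source repo and any destination, whereas the cluster's own AppProject in appproject-workload-cluster.yaml enumerates `sourceRepos` and `destinations`. If the reason is that the workload AppProject has no destination for the `argocd` namespace on `in-cluster`, adding that destination and pointing `project:` at the cluster project would keep both apps inside one allow-list. If `default` is deliberate, a short comment on the line, e.g. `project: default  # managed on the management cluster, outside the workload AppProject`, makes that explicit.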
@@ -0,0 +1,55 @@ +apiVersion: argoproj.io/v1alpha1 +kind: AppProject +metadata: + name: + namespace: argocd + annotations: + argocd.argoproj.io/sync-wave: "-1" + finalizers: + - resources-finalizer.argocd.argoproj.io +spec: + description: description + sourceRepos: + - '' + - 'https://kubernetes.github.io/ingress-nginx' + - 'https://kubernetes-sigs.github.io/external-dns' + - 'https://charts.jetstack.io' + - 'https://charts.external-secrets.io' + - 'https://helm.datadoghq.com' + - 'https://stakater.github.io/stakater-charts' + - 'https://chartmuseum.feedkray.one' + - 'https://charts.loft.sh' + - 'https://github.com/cloudflare/origin-ca-issuer' + - 'https://cloudflare.github.io/origin-ca-issuer/charts' + - '*' # Adding wildcard for the gitops catalog. This wildcard can be removed from the template or after provisioning + destinations: + - namespace: external-dns + name: + - namespace: datadog + name: + - namespace: default + name: + - namespace: + name: + - namespace: external-secrets-operator + name: + - namespace: reloader + name: + - namespace: cert-manager + name: + - namespace: ingress-nginx + name: + - namespace: kube-system + name: + - namespace: '*' # Adding wildcard for the gitops catalog. This wildcard can be removed from the template or after provisioning + server: '*' # Adding wildcard for the gitops catalog. This wildcard can be removed from the template or after provisioning + clusterResourceWhitelist: + - group: '*' + kind: '*' + roles: + - description: -admin-role + groups: + - admins + name: admin-role + policies: + - p, proj::admin-role, applications, *, /*, allow \ No newline at end of file diff --git a/aws-gitlab/templates/workload-cluster/cert-issuers/clusterissuers.yaml b/aws-gitlab/templates/workload-cluster/cert-issuers/clusterissuers.yaml new file mode 100644 index 000000000..97711a762 --- /dev/null +++ b/aws-gitlab/templates/workload-cluster/cert-issuers/clusterissuers.yaml 
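Review bot: The trailing wildcard entries — `'*'` in `sourceRepos`, `namespace: '*'` with `server: '*'` in `destinations`, and `group: '*'` / `kind: '*'` in `clusterResourceWhitelist` — turn the explicit allow-lists above them into dead configuration: an Application in this project may deploy anything from any repo into any namespace of any registered cluster. The inline comments say the wildcards can be removed after provisioning, but nothing in the template or this diff does so, so the permissive state becomes the steady state unless an operator remembers. Recording the intended removal in the repository (a TODO with an owner, or a follow-up issue referenced in the comment) and narrowing `clusterResourceWhitelist` to the API groups the bootstrap actually needs would keep the AppProject meaningful. Separately, `description: description` reads like a leftover placeholder, and the file is missing its trailing newline.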
@@ -0,0 +1,29 @@ +apiVersion: cert-manager.io/v1 +kind: ClusterIssuer +metadata: + name: letsencrypt-staging +spec: + acme: + server: https://acme-staging-v02.api.letsencrypt.org/directory + email: + privateKeySecretRef: + name: letsencrypt-staging + solvers: + - http01: + ingress: + class: nginx +--- +apiVersion: cert-manager.io/v1 +kind: ClusterIssuer +metadata: + name: letsencrypt-prod +spec: + acme: + server: https://acme-v02.api.letsencrypt.org/directory + email: + privateKeySecretRef: + name: letsencrypt-prod + solvers: + - http01: + ingress: + class: nginx diff --git a/aws-gitlab/templates/workload-cluster/cluster-secret-store/clustersecretstore.yaml b/aws-gitlab/templates/workload-cluster/cluster-secret-store/clustersecretstore.yaml new file mode 100644 index 000000000..b6e90f68a --- /dev/null +++ b/aws-gitlab/templates/workload-cluster/cluster-secret-store/clustersecretstore.yaml @@ -0,0 +1,18 @@ +apiVersion: external-secrets.io/v1beta1 +kind: ClusterSecretStore +metadata: + name: -vault-kv-secret + annotations: + argocd.argoproj.io/sync-wave: '10' +spec: + provider: + vault: + server: 'https://vault.' + path: 'secret' + version: 'v2' + auth: + # points to a secret that contains a vault token + # https://www.vaultproject.io/docs/auth/token + tokenSecretRef: + name: "-cluster-vault-bootstrap" + key: "vault-token" diff --git a/aws-gitlab/templates/workload-cluster/infrastructure-bootstrap/wait.yaml b/aws-gitlab/templates/workload-cluster/infrastructure-bootstrap/wait.yaml new file mode 100644 index 000000000..fa6ee5794 --- /dev/null +++ b/aws-gitlab/templates/workload-cluster/infrastructure-bootstrap/wait.yaml 
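Review bot: The ClusterSecretStore authenticates to Vault with a static token from `tokenSecretRef` (`-cluster-vault-bootstrap` / `vault-token`), and the bootstrap.tf hunk later in this diff fills that Secret from `VAULT_TOKEN` under `secret/atlantis`. Reusing the Atlantis token means each workload cluster's external-secrets controller holds whatever Vault privileges Atlantis has, and rotating that single token breaks every cluster at once. A dedicated token (or Vault's Kubernetes auth method, which the ESO vault provider supports) with a policy limited to the `secret/` paths this cluster reads would be the least-privilege form; failing that, a comment above `auth:` stating which token is expected and who rotates it, e.g. `# bootstrap token copied from secret/atlantis by terraform/aws/modules/bootstrap — rotate together`. The two ClusterIssuers in the same file section look fine; the empty `email:` is presumably a stripped template token.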
@@ -0,0 +1,24 @@ +apiVersion: batch/v1 +kind: Job +metadata: + name: -infrastructure-bootstrap-wait + namespace: argocd + annotations: + argocd.argoproj.io/sync-wave: "20" +spec: + template: + spec: + serviceAccountName: argocd-server + containers: + - name: wait + image: bitnami/kubectl:1.25.12 + command: + - /bin/sh + - -c + - | + while ! kubectl wait --for=jsonpath='{.status.conditions[0].status}'='True' workspace/-infrastructure-bootstrap; do echo "waiting for cluster to provision"; sleep 5; done + restartPolicy: Never + backoffLimit: 1 + + + diff --git a/aws-gitlab/templates/workload-cluster/infrastructure-bootstrap/workspace.yaml b/aws-gitlab/templates/workload-cluster/infrastructure-bootstrap/workspace.yaml new file mode 100644 index 000000000..c30fc4a41 --- /dev/null +++ b/aws-gitlab/templates/workload-cluster/infrastructure-bootstrap/workspace.yaml @@ -0,0 +1,13 @@ +apiVersion: tf.upbound.io/v1beta1 +kind: Workspace +metadata: + name: -infrastructure-bootstrap +spec: + providerConfigRef: + name: + forProvider: + source: Remote + module: + vars: + - key: cluster_name + value: "" \ No newline at end of file diff --git a/aws-gitlab/templates/workload-cluster/infrastructure/wait.yaml b/aws-gitlab/templates/workload-cluster/infrastructure/wait.yaml new file mode 100644 index 000000000..233111aaa --- /dev/null +++ b/aws-gitlab/templates/workload-cluster/infrastructure/wait.yaml @@ -0,0 +1,24 @@ +apiVersion: batch/v1 +kind: Job +metadata: + name: -infrastructure-wait + namespace: argocd + annotations: + argocd.argoproj.io/sync-wave: "20" +spec: + template: + spec: + serviceAccountName: argocd-server + containers: + - name: wait + image: bitnami/kubectl:1.25.12 + command: + - /bin/sh + - -c + - | + while ! kubectl wait --for=jsonpath='{.status.conditions[0].status}'='True' workspace/-infrastructure; do echo "waiting for cluster to provision"; sleep 5; done + restartPolicy: Never + backoffLimit: 1 + + + 
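Review bot: Both wait Jobs (`-infrastructure-bootstrap-wait` here and `-infrastructure-wait` in the next file section) loop forever if the Workspace never becomes ready: the `while ! kubectl wait …` loop has no exit path, the Job spec sets no `activeDeadlineSeconds`, and `backoffLimit: 1` only counts failed pods, so the Argo CD sync hangs rather than fails. The condition is also selected by index (`.status.conditions[0].status`) instead of by type, and the ordering of a Workspace's conditions is not something I would rely on; `kubectl wait --for=condition=Ready --timeout=... workspace/...` states the intent directly and bounds the wait. `bitnami/kubectl:1.25.12` is four minors behind the 1.29 control plane this diff moves to, outside kubectl's documented one-minor skew. Running the pod as `argocd-server` also hands it that service account's full RBAC when it only needs `get`/`list`/`watch` on workspaces.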
diff --git a/aws-gitlab/templates/workload-cluster/infrastructure/workspace.yaml b/aws-gitlab/templates/workload-cluster/infrastructure/workspace.yaml new file mode 100644 index 000000000..786561e72 --- /dev/null +++ b/aws-gitlab/templates/workload-cluster/infrastructure/workspace.yaml @@ -0,0 +1,19 @@ +apiVersion: tf.upbound.io/v1beta1 +kind: Workspace +metadata: + name: -infrastructure +spec: + providerConfigRef: + name: + forProvider: + source: Remote + module: + vars: + - key: cluster_name + value: "" + - key: cluster_region + value: "" + - key: node_count + value: "" + - key: node_type + value: "" diff --git a/aws-gitlab/templates/workload-cluster/provider-config/providerconfig.yaml b/aws-gitlab/templates/workload-cluster/provider-config/providerconfig.yaml new file mode 100644 index 000000000..a9e5c13dc --- /dev/null +++ b/aws-gitlab/templates/workload-cluster/provider-config/providerconfig.yaml @@ -0,0 +1,46 @@ +apiVersion: tf.upbound.io/v1beta1 +kind: ProviderConfig +metadata: + name: + annotations: + argocd.argoproj.io/sync-wave: "-1" +spec: + configuration: | + terraform { + backend "s3" { + bucket = "" + key = "registry/clusters//infrastructure/provider-config/terraform.tfstate" + region = "" + encrypt = true + } + required_providers { + kubernetes = { + source = "hashicorp/kubernetes" + version = "2.23.0" + } + vault = { + source = "hashicorp/vault" + version = "3.19.0" + } + aws = { + source = "hashicorp/aws" + version = "5.30.0" + } + } + } + provider "aws" { + region = "" + } + credentials: + - filename: gen-nothing + source: None + secretRef: + namespace: crossplane-system + name: no-creds + key: token + - filename: .git-credentials + source: Secret + secretRef: + namespace: crossplane-system + name: git-credentials + key: creds diff --git a/aws-gitlab/templates/workload-cluster/registry-workload-cluster.yaml b/aws-gitlab/templates/workload-cluster/registry-workload-cluster.yaml new file mode 100644 index 000000000..f925b88dd --- /dev/null 
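Review bot: The `backend "s3"` block in the ProviderConfig sets `encrypt = true` but configures no state locking (no `dynamodb_table`), so two reconciles of the same Workspace, or a manual run against the same `key`, can write the state concurrently. Crossplane's terraform provider may serialize runs per Workspace, but the locking guarantee belongs in the backend; adding a `dynamodb_table` argument next to `bucket`, templated like the other values, closes this. The `gen-nothing` credential with `source: None` pointing at a `no-creds` Secret is unexplained; a comment saying why a placeholder credentials entry is required would help the next maintainer.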
+++ b/aws-gitlab/templates/workload-cluster/registry-workload-cluster.yaml @@ -0,0 +1,30 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: registry- + namespace: argocd + annotations: + argocd.argoproj.io/sync-wave: '100' + finalizers: + - resources-finalizer.argocd.argoproj.io +spec: + project: default + source: + repoURL: + path: registry/clusters/ + targetRevision: HEAD + destination: + server: https://kubernetes.default.svc + namespace: argocd + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true + retry: + limit: 5 + backoff: + duration: 5s + maxDuration: 5m0s + factor: 2 diff --git a/aws-gitlab/terraform/aws/eks/main.tf b/aws-gitlab/terraform/aws/eks/main.tf index 8330ba014..40ddbe366 100644 --- a/aws-gitlab/terraform/aws/eks/main.tf +++ b/aws-gitlab/terraform/aws/eks/main.tf @@ -19,7 +19,7 @@ data "aws_availability_zones" "available" {} locals { name = "" - cluster_version = "1.26" + cluster_version = "1.29" region = "" vpc_cidr = "10.0.0.0/16" @@ -36,7 +36,7 @@ locals { module "eks" { source = "terraform-aws-modules/eks/aws" - version = "19.10.0" + version = "20.20.0" cluster_name = local.name cluster_version = local.cluster_version @@ -74,8 +74,6 @@ module "eks" { subnet_ids = module.vpc.private_subnets control_plane_subnet_ids = module.vpc.intra_subnets - manage_aws_auth_configmap = false - eks_managed_node_group_defaults = { ami_type = "AL2_x86_64" instance_types = [""] @@ -87,14 +85,8 @@ module "eks" { # See https://github.com/aws/containers-roadmap/issues/1666 for more context iam_role_attach_cni_policy = true } - iam_role_additional_policies = { - - } - + eks_managed_node_groups = { - iam_role_additional_policies = { - S3Access = "arn:aws:iam::126827061464:policy/cert-manager-cyje-77" - } # Default node group - as provided by AWS EKS default_node_group = { desired_size = tonumber("") # tonumber() is used for a string token value 
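Review bot: The EKS module jump from 19.10.0 to 20.20.0 is a major-version change that moves cluster access from the aws-auth ConfigMap to access entries; dropping `manage_aws_auth_configmap = false` is consistent with that, but any principal previously mapped through aws-auth needs an `access_entries` entry now, and the entries added in the next hunk only grant `AmazonEKSViewPolicy` on the `default` namespace to the argocd and atlantis roles. Worth confirming on a real upgrade that nothing else relied on the old ConfigMap (the v20 upgrade guide also covers the `authentication_mode` default for existing clusters). Note too that the new `modules/workload-cluster/main.tf` added later in this diff still pins `cluster_version = "1.26"`, EKS module `19.10.0` and `manage_aws_auth_configmap = false`, so management and workload clusters now follow different module majors and Kubernetes versions; aligning it, or a comment explaining the lag, would avoid the same migration being rediscovered per workload cluster.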
@@ -108,6 +100,42 @@ module "eks" { } } + # Enable admin permissions for the cluster creator + enable_cluster_creator_admin_permissions = true + + access_entries = { + + argocd_ = { + cluster_name = "" + principal_arn = "arn:aws:iam:::role/argocd-" + username = "arn:aws:iam:::role/argocd-" + policy_associations = { + view_deployments = { + policy_arn = "arn:aws:eks::aws:cluster-access-policy/AmazonEKSViewPolicy" + access_scope = { + namespaces = ["default"] + type = "namespace" + } + } + } + } + + atlantis_ = { + cluster_name = "" + principal_arn = "arn:aws:iam:::role/atlantis-" + username = "arn:aws:iam:::role/atlantis-" + policy_associations = { + view_deployments = { + policy_arn = "arn:aws:eks::aws:cluster-access-policy/AmazonEKSViewPolicy" + access_scope = { + namespaces = ["default"] + type = "namespace" + } + } + } + } + } + tags = local.tags } @@ -151,7 +179,7 @@ module "vpc" { module "vpc_cni_irsa" { source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks" - version = "5.32.0" + version = "5.40.0" role_name = upper("VPC-CNI-IRSA-") attach_vpc_cni_policy = true @@ -159,6 +187,8 @@ module "vpc_cni_irsa" { AmazonEKS_CNI_Policy = "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy" } + + oidc_providers = { main = { provider_arn = module.eks.oidc_provider_arn @@ -171,7 +201,7 @@ module "vpc_cni_irsa" { module "aws_ebs_csi_driver" { source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks" - version = "5.32.0" + version = "5.40.0" role_name = upper("EBS-CSI-DRIVER-") @@ -333,7 +363,7 @@ EOT module "argo_workflows" { source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks" - version = "5.32.0" + version = "5.40.0" role_name = "argo-${local.name}" role_policy_arns = { 
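Review bot: In the `access_entries` map the keys `username` and `cluster_name` do not match what the terraform-aws-eks v20 module reads — as far as I recall it consumes `user_name` (with an underscore) and supplies the cluster name itself — so both lines would be silently ignored and each entry gets the module's default user name; confirm against the module's variables.tf and rename to `user_name` if that is the intent. `enable_cluster_creator_admin_permissions = true` permanently attaches `AmazonEKSClusterAdminPolicy` to whichever IAM principal runs this apply, which is convenient for bootstrap but deserves a comment stating that it is intended, e.g. `# grants cluster-admin to the IAM principal running terraform apply; review whether this should persist after bootstrap`. The `cluster_name = ""` lines inside each entry look like stripped template tokens that serve no purpose even when filled.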
@@ -350,9 +380,29 @@ module "argo_workflows" { tags = local.tags } +module "argocd" { + source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks" + version = "5.40.0" + + role_name = "argocd-${local.name}" + role_policy_arns = { + argocd = "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess", + } + assume_role_condition_test = "StringLike" + allow_self_assume_role = true + oidc_providers = { + main = { + provider_arn = module.eks.oidc_provider_arn + namespace_service_accounts = ["argocd:argocd-application-controller", "argocd:argocd-server"] + } + } + + tags = local.tags +} + module "atlantis" { source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks" - version = "5.32.0" + version = "5.40.0" role_name = "atlantis-${local.name}" role_policy_arns = { @@ -370,7 +420,7 @@ module "atlantis" { module "cert_manager" { source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks" - version = "5.32.0" + version = "5.40.0" role_name = "cert-manager-${local.name}" role_policy_arns = { @@ -420,7 +470,7 @@ EOT module "chartmuseum" { source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks" - version = "5.32.0" + version = "5.40.0" role_name = "chartmuseum-${local.name}" role_policy_arns = { 
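Review bot: The new `argocd` IRSA role attaches the AWS-managed `AmazonS3ReadOnlyAccess`, which is read on every bucket and object in the account, to both the `argocd-application-controller` and `argocd-server` service accounts; the same pattern recurs with `AmazonEC2FullAccess` on the `kubefirst_api` role later in this diff. If the need is reading Terraform state or one artifact bucket, a customer-managed policy scoped to that bucket (as `aws_iam_policy.external_dns` does elsewhere in this file) is the least-privilege form. `allow_self_assume_role = true` is unexplained and, together with the crossplane trust policy in the next hunk that lets this role assume an AdministratorAccess role, warrants a comment stating why role chaining from Argo CD is required. `assume_role_condition_test = "StringLike"` is harmless since no wildcard is used, but `StringEquals` would document that these are exact service-account names.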
@@ -436,29 +486,92 @@ module "chartmuseum" { tags = local.tags } -module "crossplane" { - source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks" - version = "5.32.0" +module "crossplane_custom_trust" { + source = "terraform-aws-modules/iam/aws//modules/iam-assumable-role" + version = "5.33.0" +module "crossplane_custom_trust" { + source = "terraform-aws-modules/iam/aws//modules/iam-assumable-role" + version = "5.33.0" + create_role = true + create_role = true role_name = "crossplane-${local.name}" - role_policy_arns = { - crossplane = "arn:aws:iam::aws:policy/AdministratorAccess", + + create_custom_role_trust_policy = true + custom_role_trust_policy = data.aws_iam_policy_document.crossplane_custom_trust_policy.json + custom_role_policy_arns = ["arn:aws:iam::aws:policy/AdministratorAccess"] +} + +data "aws_iam_policy_document" "crossplane_custom_trust_policy" { + statement { + effect = "Allow" + actions = ["sts:AssumeRoleWithWebIdentity"] + + condition { + test = "StringEquals" + variable = "${split("arn:aws:iam:::oidc-provider/", module.eks.oidc_provider_arn)[1]}:aud" + values = ["sts.amazonaws.com"] + } + + condition { + test = "StringLike" + variable = "${split("arn:aws:iam:::oidc-provider/", module.eks.oidc_provider_arn)[1]}:sub" + values = ["system:serviceaccount:crossplane-system:crossplane-provider-terraform-"] + } + + principals { + type = "Federated" + identifiers = [module.eks.oidc_provider_arn] + } } - assume_role_condition_test = "StringLike" - oidc_providers = { - main = { - provider_arn = module.eks.oidc_provider_arn - namespace_service_accounts = ["crossplane-system:crossplane-provider-terraform-*"] + statement { + effect = "Allow" + actions = ["sts:AssumeRole"] + + principals { + type = "AWS" + identifiers = ["arn:aws:iam:::role/KubernetesAdmin"] } } + statement { + effect = "Allow" + actions = ["sts:AssumeRole"] - tags = local.tags + principals { + type = "AWS" + identifiers = ["arn:aws:iam:::role/argocd-${local.name}"] 
+ } + } + + principals { + type = "Federated" + identifiers = [module.eks.oidc_provider_arn] + } + } + statement { + effect = "Allow" + actions = ["sts:AssumeRole"] + + principals { + type = "AWS" + identifiers = ["arn:aws:iam:::role/KubernetesAdmin"] + } + } + statement { + effect = "Allow" + actions = ["sts:AssumeRole"] + + principals { + type = "AWS" + identifiers = ["arn:aws:iam:::role/argocd-${local.name}"] + } + } } module "ecr_publish_permissions_sync" { source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks" - version = "5.32.0" + version = "5.40.0" role_name = "ecr-publish-permissions-sync-${local.name}" role_policy_arns = { @@ -477,7 +590,7 @@ module "ecr_publish_permissions_sync" { module "external_dns" { source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks" - version = "5.32.0" + version = "5.40.0" role_name = "external-dns-${local.name}" role_policy_arns = { @@ -526,9 +639,29 @@ resource "aws_iam_policy" "external_dns" { EOT } +module "kubefirst_api" { + source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks" + version = "5.40.0" + + role_name = "kubefirst-api-${local.name}" + role_policy_arns = { + kubefirst = "arn:aws:iam::aws:policy/AmazonEC2FullAccess", + } + assume_role_condition_test = "StringLike" + allow_self_assume_role = true + oidc_providers = { + main = { + provider_arn = module.eks.oidc_provider_arn + namespace_service_accounts = ["kubefirst:kubefirst-kubefirst-api"] + } + } + + tags = local.tags +} + module "vault" { source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks" - version = "5.32.0" + version = "5.40.0" role_name = "vault-${local.name}" role_policy_arns = { diff --git a/aws-gitlab/terraform/aws/modules/bootstrap/bootstrap.tf b/aws-gitlab/terraform/aws/modules/bootstrap/bootstrap.tf new file mode 100644 index 000000000..08465c502 --- /dev/null +++ b/aws-gitlab/terraform/aws/modules/bootstrap/bootstrap.tf 
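Review bot: The crossplane role carries `AdministratorAccess`, and the second and third statements of its trust policy allow plain `sts:AssumeRole` from `arn:aws:iam:::role/KubernetesAdmin` and from `argocd-${local.name}`. That makes the Argo CD IRSA role — which on its own has only S3 read and an EKS view entry — a one-hop path to full account administration: any pod running as `argocd-server` or `argocd-application-controller` can assume the crossplane role. If Argo CD genuinely has to drive provider-terraform through this role, a comment explaining that, plus an `sts:ExternalId` or session-tag condition and CloudTrail alerting on `AssumeRole` into `crossplane-${local.name}`, would be the minimum; otherwise drop the third statement. Separately, this module is pinned to `5.33.0` while every other IAM module in the diff moves to `5.40.0`, and the `:sub` condition uses `StringLike` with a value that appears to end in a stripped template token — if a `*` is intended there, say so in a comment. As rendered, the hunk repeats the `module "crossplane_custom_trust"` header and `create_role = true`, which I take to be an extraction artifact rather than the file's contents.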
@@ -0,0 +1,127 @@ + +data "vault_generic_secret" "cluster" { + path = "secret/clusters/${var.cluster_name}" +} + +data "aws_eks_cluster" "cluster" { + name = var.cluster_name +} + +data "aws_eks_cluster_auth" "cluster" { + name = var.cluster_name +} + +provider "kubernetes" { + host = data.vault_generic_secret.cluster.data["host"] + cluster_ca_certificate = base64decode(data.vault_generic_secret.cluster.data["cluster_ca_certificate"]) + token = data.aws_eks_cluster_auth.cluster.token +} + +resource "kubernetes_namespace_v1" "external_dns" { + metadata { + name = "external-dns" + } +} + +data "vault_generic_secret" "external_dns" { + path = "secret/external-dns" +} + +resource "kubernetes_secret_v1" "external_dns" { + metadata { + name = "external-dns-secrets" + namespace = kubernetes_namespace_v1.external_dns.metadata.0.name + } + data = { + token = data.vault_generic_secret.external_dns.data["token"] + } + type = "Opaque" +} + +resource "kubernetes_namespace_v1" "external_secrets_operator" { + metadata { + name = "external-secrets-operator" + } +} + +resource "kubernetes_namespace_v1" "environment" { + metadata { + name = var.cluster_name + } +} + +data "vault_generic_secret" "docker_config" { + path = "secret/dockerconfigjson" +} + +resource "kubernetes_secret_v1" "image_pull" { + metadata { + name = "docker-config" + namespace = kubernetes_namespace_v1.environment.metadata.0.name + } + + data = { + ".dockerconfigjson" = data.vault_generic_secret.docker_config.data["dockerconfig"] + } + + type = "kubernetes.io/dockerconfigjson" +} + +data "vault_generic_secret" "external_secrets_operator" { + path = "secret/atlantis" +} + +resource "kubernetes_secret_v1" "external_secrets_operator_environment" { + metadata { + name = "${var.cluster_name}-cluster-vault-bootstrap" + namespace = kubernetes_namespace_v1.environment.metadata.0.name + } + data = { + vault-token = data.vault_generic_secret.external_secrets_operator.data["VAULT_TOKEN"] + } + type = "Opaque" +} + 
+resource "kubernetes_secret_v1" "external_secrets_operator" { + metadata { + name = "${var.cluster_name}-cluster-vault-bootstrap" + namespace = kubernetes_namespace_v1.external_secrets_operator.metadata.0.name + } + data = { + vault-token = data.vault_generic_secret.external_secrets_operator.data["VAULT_TOKEN"] + } + type = "Opaque" +} + +resource "kubernetes_service_account_v1" "external_secrets" { + metadata { + name = "external-secrets" + namespace = kubernetes_namespace_v1.external_secrets_operator.metadata.0.name + } + secret { + name = "external-secrets-token" + } +} + +resource "kubernetes_secret_v1" "external_secrets" { + metadata { + name = "external-secrets-token" + namespace = kubernetes_namespace_v1.external_secrets_operator.metadata.0.name + annotations = { + "kubernetes.io/service-account.name" = "external-secrets" + } + } + type = "kubernetes.io/service-account-token" + depends_on = [kubernetes_service_account_v1.external_secrets] +} + +resource "kubernetes_config_map" "kubefirst_cm" { + metadata { + name = "kubefirst-cm" + namespace = "kube-system" + } + + data = { + mgmt_cluster_id = "8ikfaj" + } +} diff --git a/aws-gitlab/terraform/aws/modules/bootstrap/variables.tf b/aws-gitlab/terraform/aws/modules/bootstrap/variables.tf new file mode 100644 index 000000000..880ddbcf0 --- /dev/null +++ b/aws-gitlab/terraform/aws/modules/bootstrap/variables.tf @@ -0,0 +1,4 @@ +variable "cluster_name" { + description = "the name of the cluster" + type = string +} diff --git a/aws-gitlab/terraform/aws/modules/workload-cluster/main.tf b/aws-gitlab/terraform/aws/modules/workload-cluster/main.tf new file mode 100644 index 000000000..c95b575a6 --- /dev/null +++ b/aws-gitlab/terraform/aws/modules/workload-cluster/main.tf 
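Review bot: `mgmt_cluster_id = "8ikfaj"` in `kubernetes_config_map.kubefirst_cm` is a hard-coded value inside a template, whereas the inline civo module this commit removes used a template token there; every workload cluster bootstrapped from this module would report the same management cluster id. `data "aws_eks_cluster" "cluster"` is declared but never referenced (the kubernetes provider takes host and CA from the Vault secret and only the token from `aws_eks_cluster_auth`), so it can go. A `provider "kubernetes"` block inside a child module is also the legacy pattern Terraform discourages, since the module can no longer be removed or used with `count`/`for_each` without orphaning its resources; a header comment stating that this module must be called exactly once from a root module, or moving the provider configuration to the caller via `providers = {}`, would address that.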
@@ -0,0 +1,447 @@ +data "aws_caller_identity" "current" {} +data "aws_availability_zones" "available" {} + +locals { + cluster_version = "1.26" + vpc_cidr = "10.0.0.0/16" + azs = slice(data.aws_availability_zones.available.names, 0, 3) + tags = { + kubefirst = "true" + } +} + +################################################################################ +# EKS Module +################################################################################ +module "iam_node_group_role" { + source = "terraform-aws-modules/iam/aws//modules/iam-assumable-role" + + create_role = true + + role_name_prefix = "${var.cluster_name}-node-group" + + custom_role_policy_arns = [ + "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly", + "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy", + "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy", + ] + number_of_custom_role_policy_arns = 3 +} + +module "eks" { + source = "terraform-aws-modules/eks/aws" + version = "19.10.0" + + cluster_name = var.cluster_name + cluster_version = local.cluster_version + cluster_endpoint_public_access = true + create_kms_key = false + cluster_encryption_config = {} + create_iam_role = false + iam_role_arn = module.iam_node_group_role.iam_role_arn + cluster_addons = { + # AWS launch CoreDNS itself with their add-on https://docs.aws.amazon.com/eks/latest/userguide/managing-coredns.html + # coredns = { + # most_recent = true + # resolve_conflicts = "OVERWRITE" + # } + aws-ebs-csi-driver = { + most_recent = true + service_account_role_arn = module.aws_ebs_csi_driver.iam_role_arn + } + kube-proxy = { + most_recent = true + } + vpc-cni = { + most_recent = true + before_compute = true + service_account_role_arn = module.vpc_cni_irsa.iam_role_arn + configuration_values = jsonencode({ + env = { + # Reference docs https://docs.aws.amazon.com/eks/latest/userguide/cni-increase-ip-addresses.html + ENABLE_PREFIX_DELEGATION = "true" + WARM_PREFIX_TARGET = "1" + } + }) + } + } + + vpc_id = module.vpc.vpc_id + subnet_ids 
= module.vpc.private_subnets + control_plane_subnet_ids = module.vpc.intra_subnets + + manage_aws_auth_configmap = false + + # aws_auth_roles = [ + # # managed node group is automatically added to the configmap + # { + # rolearn = "" + # username = "" + # groups = ["system:masters"] + # }, + # ] + + eks_managed_node_group_defaults = { + ami_type = "AL2_x86_64" + instance_types = [var.node_type] + + # We are using the IRSA created below for permissions + # However, we have to deploy with the policy attached FIRST (when creating a fresh cluster) + # and then turn this off after the cluster/node group is created. Without this initial policy, + # the VPC CNI fails to assign IPs and nodes cannot join the cluster + # See https://github.com/aws/containers-roadmap/issues/1666 for more context + iam_role_attach_cni_policy = true + } + + eks_managed_node_groups = { + # Default node group - as provided by AWS EKS + default_node_group = { + desired_size = tonumber(var.node_count) # tonumber() is used for a string token value + min_size = tonumber(var.node_count) # tonumber() is used for a string token value + max_size = tonumber(var.node_count) # tonumber() is used for a string token value + # By default, the module creates a launch template to ensure tags are propagated to instances, etc., + # so we need to disable it to use the default template provided by the AWS EKS managed node group service + use_custom_launch_template = false + + disk_size = 50 + } + } + + tags = local.tags +} + +################################################################################ +# Supporting Resources +################################################################################ + +module "vpc" { + source = "terraform-aws-modules/vpc/aws" + version = "4.0.2" + + name = var.cluster_name + cidr = local.vpc_cidr + + azs = local.azs + private_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 4, k)] + public_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k + 
48)] + intra_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k + 52)] + + enable_ipv6 = true + create_egress_only_igw = true + + public_subnet_ipv6_prefixes = [0, 1, 2] + private_subnet_ipv6_prefixes = [3, 4, 5] + intra_subnet_ipv6_prefixes = [6, 7, 8] + + enable_nat_gateway = true + single_nat_gateway = true + enable_dns_hostnames = true + + public_subnet_tags = { + "kubernetes.io/role/elb" = 1 + } + + private_subnet_tags = { + "kubernetes.io/role/internal-elb" = 1 + } + + tags = local.tags +} + +module "vpc_cni_irsa" { + source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks" + version = "5.32.0" + + role_name = upper("VPC-CNI-IRSA-${var.cluster_name}") + attach_vpc_cni_policy = true + role_policy_arns = { + AmazonEKS_CNI_Policy = "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy" + } + + + oidc_providers = { + main = { + provider_arn = module.eks.oidc_provider_arn + namespace_service_accounts = ["kube-system:aws-node"] + } + } + + tags = local.tags +} + +module "aws_ebs_csi_driver" { + source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks" + version = "5.32.0" + + role_name = upper("EBS-CSI-DRIVER-${var.cluster_name}") + + role_policy_arns = { + admin = aws_iam_policy.aws_ebs_csi_driver.arn + } + + oidc_providers = { + main = { + provider_arn = module.eks.oidc_provider_arn + namespace_service_accounts = ["kube-system:aws-node", "kube-system:ebs-csi-controller-sa"] + } + } + + tags = local.tags +} + +resource "aws_iam_policy" "aws_ebs_csi_driver" { + name = "aws-ebs-csi-driver-${var.cluster_name}" + path = "/" + description = "policy for aws ebs csi driver" + + policy = <; do echo "waiting for cluster to provision"; sleep 5; done + while ! kubectl wait --for=jsonpath='{.status.conditions[0].status}'='True' workspace/-infrastructure; do echo "waiting for cluster to provision"; sleep 5; done restartPolicy: Never backoffLimit: 1 
diff --git a/civo-github/templates/workload-cluster/infrastructure/workspace.yaml b/civo-github/templates/workload-cluster/infrastructure/workspace.yaml
index 8aba21372..e5835a10a 100644
--- a/civo-github/templates/workload-cluster/infrastructure/workspace.yaml
+++ b/civo-github/templates/workload-cluster/infrastructure/workspace.yaml
@@ -1,235 +1,21 @@ apiVersion: tf.upbound.io/v1beta1 kind: Workspace metadata: - name: - annotations: - argocd.argoproj.io/sync-wave: "10" - crossplane.io/external-name: + name: -infrastructure spec: - providerConfigRef: + providerConfigRef: name: forProvider: - source: Inline - module: | - variable "instance_size" { - type = string - default = "g4s.kube.medium" - } - - variable "node_count" { - type = number - default = "" - } - - locals { - cluster_name = "" - } - - resource "civo_network" "kubefirst" { - label = local.cluster_name - } - - resource "civo_firewall" "kubefirst" { - name = local.cluster_name - network_id = civo_network.kubefirst.id - create_default_rules = true - } - - resource "civo_kubernetes_cluster" "kubefirst" { - name = local.cluster_name - network_id = civo_network.kubefirst.id - firewall_id = civo_firewall.kubefirst.id - pools { - label = local.cluster_name - size = var.instance_size - node_count = var.node_count - } - } - - resource "vault_generic_secret" "clusters" { - path = "secret/clusters/${local.cluster_name}" - - data_json = jsonencode( - { - kubeconfig = civo_kubernetes_cluster.kubefirst.kubeconfig - client_certificate = base64decode(yamldecode(civo_kubernetes_cluster.kubefirst.kubeconfig).users[0].user.client-certificate-data) - client_key = base64decode(yamldecode(civo_kubernetes_cluster.kubefirst.kubeconfig).users[0].user.client-key-data) - cluster_ca_certificate = base64decode(yamldecode(civo_kubernetes_cluster.kubefirst.kubeconfig).clusters[0].cluster.certificate-authority-data) - host = civo_kubernetes_cluster.kubefirst.api_endpoint - cluster_name = local.cluster_name - argocd_manager_sa_token = kubernetes_secret_v1.argocd_manager.data.token - } - ) - } - - provider "kubernetes" { - host = civo_kubernetes_cluster.kubefirst.api_endpoint - client_certificate = base64decode(yamldecode(civo_kubernetes_cluster.kubefirst.kubeconfig).users[0].user.client-certificate-data) - client_key = 
base64decode(yamldecode(civo_kubernetes_cluster.kubefirst.kubeconfig).users[0].user.client-key-data) - cluster_ca_certificate = base64decode(yamldecode(civo_kubernetes_cluster.kubefirst.kubeconfig).clusters[0].cluster.certificate-authority-data) - } - - resource "kubernetes_cluster_role_v1" "argocd_manager" { - metadata { - name = "argocd-manager-role" - } - - rule { - api_groups = ["*"] - resources = ["*"] - verbs = ["*"] - } - rule { - non_resource_urls = ["*"] - verbs = ["*"] - } - } - - - resource "kubernetes_cluster_role_binding_v1" "argocd_manager" { - metadata { - name = "argocd-manager-role-binding" - } - role_ref { - api_group = "rbac.authorization.k8s.io" - kind = "ClusterRole" - name = kubernetes_cluster_role_v1.argocd_manager.metadata.0.name - } - subject { - kind = "ServiceAccount" - name = kubernetes_service_account_v1.argocd_manager.metadata.0.name - namespace = "kube-system" - } - } - - resource "kubernetes_service_account_v1" "argocd_manager" { - metadata { - name = "argocd-manager" - namespace = "kube-system" - } - secret { - name = "argocd-manager-token" - } - } - - resource "kubernetes_secret_v1" "argocd_manager" { - metadata { - name = "argocd-manager-token" - namespace = "kube-system" - annotations = { - "kubernetes.io/service-account.name" = "argocd-manager" - } - } - type = "kubernetes.io/service-account-token" - depends_on = [ kubernetes_service_account_v1.argocd_manager ] - } - - resource "kubernetes_namespace_v1" "external_dns" { - metadata { - name = "external-dns" - } - } - - data "vault_generic_secret" "external_dns" { - path = "secret/external-dns" - } - - resource "kubernetes_secret_v1" "external_dns" { - metadata { - name = "external-dns-secrets" - namespace = kubernetes_namespace_v1.external_dns.metadata.0.name - } - data = { - token = data.vault_generic_secret.external_dns.data["token"] - } - type = "Opaque" - } - - - resource "kubernetes_namespace_v1" "external_secrets_operator" { - metadata { - name = "external-secrets-operator" 
- } - } - - resource "kubernetes_namespace_v1" "environment" { - metadata { - name = "" - } - } - - data "vault_generic_secret" "docker_config" { - path = "secret/dockerconfigjson" - } - - resource "kubernetes_secret_v1" "image_pull" { - metadata { - name = "docker-config" - namespace = kubernetes_namespace_v1.environment.metadata.0.name - } - - data = { - ".dockerconfigjson" = data.vault_generic_secret.docker_config.data["dockerconfig"] - } - - type = "kubernetes.io/dockerconfigjson" - } - - data "vault_generic_secret" "external_secrets_operator" { - path = "secret/atlantis" - } - - resource "kubernetes_secret_v1" "external_secrets_operator_environment" { - metadata { - name = "${local.cluster_name}-cluster-vault-bootstrap" - namespace = kubernetes_namespace_v1.environment.metadata.0.name - } - data = { - vault-token = data.vault_generic_secret.external_secrets_operator.data["VAULT_TOKEN"] - } - type = "Opaque" - } - - resource "kubernetes_secret_v1" "external_secrets_operator" { - metadata { - name = "${local.cluster_name}-cluster-vault-bootstrap" - namespace = kubernetes_namespace_v1.external_secrets_operator.metadata.0.name - } - data = { - vault-token = data.vault_generic_secret.external_secrets_operator.data["VAULT_TOKEN"] - } - type = "Opaque" - } - - resource "kubernetes_service_account_v1" "external_secrets" { - metadata { - name = "external-secrets" - namespace = kubernetes_namespace_v1.external_secrets_operator.metadata.0.name - } - secret { - name = "external-secrets-token" - } - } - - resource "kubernetes_secret_v1" "external_secrets" { - metadata { - name = "external-secrets-token" - namespace = kubernetes_namespace_v1.external_secrets_operator.metadata.0.name - annotations = { - "kubernetes.io/service-account.name" = "external-secrets" - } - } - type = "kubernetes.io/service-account-token" - depends_on = [ kubernetes_service_account_v1.external_secrets ] - } - - resource "kubernetes_config_map" "kubefirst_cm" { - metadata { - name = "kubefirst-cm" - 
namespace = "kube-system" - } - - data = { - mgmt_cluster_id = "" - } - } \ No newline at end of file + source: Remote + module: + vars: + - key: cluster_name + value: + - key: cluster_region + value: + - key: environment + value: + - key: node_count + value: "" + - key: node_type + value: diff --git a/civo-github/templates/workload-cluster/provider-config/providerconfig.yaml b/civo-github/templates/workload-cluster/provider-config/providerconfig.yaml index 89d124839..066cdfee3 100644 --- a/civo-github/templates/workload-cluster/provider-config/providerconfig.yaml +++ b/civo-github/templates/workload-cluster/provider-config/providerconfig.yaml @@ -21,15 +21,8 @@ spec: } required_providers { civo = { - source = "civo/civo" - } - kubernetes = { - source = "hashicorp/kubernetes" - version = "2.23.0" - } - vault = { - source = "hashicorp/vault" - version = "3.19.0" + source = "civo/civo" + version = "~> 1.1.0" } } } diff --git a/civo-github/terraform/civo/main.tf b/civo-github/terraform/civo/main.tf index 59fe87f8a..0b6188a24 100644 --- a/civo-github/terraform/civo/main.tf +++ b/civo-github/terraform/civo/main.tf @@ -14,14 +14,7 @@ terraform { required_providers { civo = { source = "civo/civo" - } - kubernetes = { - source = "hashicorp/kubernetes" - version = "2.23.0" - } - vault = { - source = "hashicorp/vault" - version = "3.19.0" + version = "~> 1.1.0" } } } @@ -45,10 +38,11 @@ resource "civo_firewall" "kubefirst" { } resource "civo_kubernetes_cluster" "kubefirst" { - name = local.cluster_name - network_id = civo_network.kubefirst.id - firewall_id = civo_firewall.kubefirst.id - cluster_type = "talos" + name = local.cluster_name + network_id = civo_network.kubefirst.id + firewall_id = civo_firewall.kubefirst.id + kubernetes_version = "1.28.7-k3s1" + write_kubeconfig = true pools { label = local.cluster_name size = "" 
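Review bot: The trimmed required_providers block in civo-github/templates/workload-cluster/provider-config/providerconfig.yaml keeps only civo, yet the workload-cluster module added in this commit (civo-github/terraform/civo/modules/workload-cluster/main.tf) declares a `provider "kubernetes"` block and `vault_generic_secret` resources and carries no required_providers of its own, so when that module runs under this ProviderConfig Terraform resolves those two providers implicitly to the newest hashicorp/kubernetes and hashicorp/vault releases with no version pin. The civo-gitlab providerconfig.yaml in the same commit keeps its kubernetes entry, so the two flavours now behave differently. I would restore the two pinned entries next to the civo one, e.g. `kubernetes = { source = "hashicorp/kubernetes", version = "2.23.0" }` and `vault = { source = "hashicorp/vault", version = "3.19.0" }`, or give the module its own `terraform { required_providers { … } }` block. The same removal is made in the `@@ -14,14 +14,7 @@` hunk of civo-github/terraform/civo/main.tf; whether that root module still uses the kubernetes or vault providers is outside this hunk.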
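Review bot: `write_kubeconfig = true` on civo_kubernetes_cluster in civo-github/terraform/civo/main.tf makes the provider persist the cluster-admin kubeconfig — as I read the civo provider this is what controls whether it is kept in Terraform state — so the state for this workspace now carries admin credentials and the state backend's encryption and access control become part of the cluster's trust boundary; a comment on that line saying why it is needed would help the next reader. `kubernetes_version = "1.28.7-k3s1"` is hard-coded here and again in both new workload-cluster modules, so a single local or variable would keep the three in step when the patch release moves. The same hunk appears in civo-gitlab/terraform/civo/main.tf in this commit.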
diff --git a/civo-github/terraform/civo/modules/workload-cluster/main.tf b/civo-github/terraform/civo/modules/workload-cluster/main.tf
new file mode 100644
index 000000000..5117608d7
--- /dev/null
+++ b/civo-github/terraform/civo/modules/workload-cluster/main.tf
@@ -0,0 +1,210 @@ +resource "civo_network" "kubefirst" { + label = var.cluster_name +} + +resource "civo_firewall" "kubefirst" { + name = var.cluster_name + network_id = civo_network.kubefirst.id + create_default_rules = true +} + +resource "civo_kubernetes_cluster" "kubefirst" { + name = var.cluster_name + network_id = civo_network.kubefirst.id + firewall_id = civo_firewall.kubefirst.id + kubernetes_version = "1.28.7-k3s1" + write_kubeconfig = true + pools { + label = var.cluster_name + size = var.node_type + node_count = var.node_count + } +} + +resource "vault_generic_secret" "clusters" { + path = "secret/clusters/${var.cluster_name}" + + data_json = jsonencode( + { + kubeconfig = civo_kubernetes_cluster.kubefirst.kubeconfig + client_certificate = base64decode(yamldecode(civo_kubernetes_cluster.kubefirst.kubeconfig).users[0].user.client-certificate-data) + client_key = base64decode(yamldecode(civo_kubernetes_cluster.kubefirst.kubeconfig).users[0].user.client-key-data) + cluster_ca_certificate = base64decode(yamldecode(civo_kubernetes_cluster.kubefirst.kubeconfig).clusters[0].cluster.certificate-authority-data) + host = civo_kubernetes_cluster.kubefirst.api_endpoint + cluster_name = var.cluster_name + argocd_manager_sa_token = kubernetes_secret_v1.argocd_manager.data.token + } + ) +} + +provider "kubernetes" { + host = civo_kubernetes_cluster.kubefirst.api_endpoint + client_certificate = base64decode(yamldecode(civo_kubernetes_cluster.kubefirst.kubeconfig).users[0].user.client-certificate-data) + client_key = base64decode(yamldecode(civo_kubernetes_cluster.kubefirst.kubeconfig).users[0].user.client-key-data) + cluster_ca_certificate = base64decode(yamldecode(civo_kubernetes_cluster.kubefirst.kubeconfig).clusters[0].cluster.certificate-authority-data) +} + +resource "kubernetes_cluster_role_v1" "argocd_manager" { + metadata { + name = "argocd-manager-role" + } + + rule { + api_groups = ["*"] + resources = ["*"] + verbs = ["*"] + } + rule { + non_resource_urls = 
["*"] + verbs = ["*"] + } +} + + +resource "kubernetes_cluster_role_binding_v1" "argocd_manager" { + metadata { + name = "argocd-manager-role-binding" + } + role_ref { + api_group = "rbac.authorization.k8s.io" + kind = "ClusterRole" + name = kubernetes_cluster_role_v1.argocd_manager.metadata.0.name + } + subject { + kind = "ServiceAccount" + name = kubernetes_service_account_v1.argocd_manager.metadata.0.name + namespace = "kube-system" + } +} + +resource "kubernetes_service_account_v1" "argocd_manager" { + metadata { + name = "argocd-manager" + namespace = "kube-system" + } + secret { + name = "argocd-manager-token" + } +} + +resource "kubernetes_secret_v1" "argocd_manager" { + metadata { + name = "argocd-manager-token" + namespace = "kube-system" + annotations = { + "kubernetes.io/service-account.name" = "argocd-manager" + } + } + type = "kubernetes.io/service-account-token" + depends_on = [kubernetes_service_account_v1.argocd_manager] +} + +resource "kubernetes_namespace_v1" "external_dns" { + metadata { + name = "external-dns" + } +} + +data "vault_generic_secret" "external_dns" { + path = "secret/external-dns" +} + +resource "kubernetes_secret_v1" "external_dns" { + metadata { + name = "external-dns-secrets" + namespace = kubernetes_namespace_v1.external_dns.metadata.0.name + } + data = { + token = data.vault_generic_secret.external_dns.data["token"] + } + type = "Opaque" +} + + +resource "kubernetes_namespace_v1" "external_secrets_operator" { + metadata { + name = "external-secrets-operator" + } +} + +resource "kubernetes_namespace_v1" "environment" { + metadata { + name = var.cluster_name + } +} + +data "vault_generic_secret" "docker_config" { + path = "secret/dockerconfigjson" +} + +resource "kubernetes_secret_v1" "image_pull" { + metadata { + name = "docker-config" + namespace = kubernetes_namespace_v1.environment.metadata.0.name + } + + data = { + ".dockerconfigjson" = data.vault_generic_secret.docker_config.data["dockerconfig"] + } + + type = 
"kubernetes.io/dockerconfigjson" +} + +data "vault_generic_secret" "external_secrets_operator" { + path = "secret/atlantis" +} + +resource "kubernetes_secret_v1" "external_secrets_operator_environment" { + metadata { + name = "${var.cluster_name}-cluster-vault-bootstrap" + namespace = kubernetes_namespace_v1.environment.metadata.0.name + } + data = { + vault-token = data.vault_generic_secret.external_secrets_operator.data["VAULT_TOKEN"] + } + type = "Opaque" +} + +resource "kubernetes_secret_v1" "external_secrets_operator" { + metadata { + name = "${var.cluster_name}-cluster-vault-bootstrap" + namespace = kubernetes_namespace_v1.external_secrets_operator.metadata.0.name + } + data = { + vault-token = data.vault_generic_secret.external_secrets_operator.data["VAULT_TOKEN"] + } + type = "Opaque" +} + +resource "kubernetes_service_account_v1" "external_secrets" { + metadata { + name = "external-secrets" + namespace = kubernetes_namespace_v1.external_secrets_operator.metadata.0.name + } + secret { + name = "external-secrets-token" + } +} + +resource "kubernetes_secret_v1" "external_secrets" { + metadata { + name = "external-secrets-token" + namespace = kubernetes_namespace_v1.external_secrets_operator.metadata.0.name + annotations = { + "kubernetes.io/service-account.name" = "external-secrets" + } + } + type = "kubernetes.io/service-account-token" + depends_on = [kubernetes_service_account_v1.external_secrets] +} + +resource "kubernetes_config_map" "kubefirst_cm" { + metadata { + name = "kubefirst-cm" + namespace = "kube-system" + } + + data = { + mgmt_cluster_id = "" + } +} diff --git a/civo-github/terraform/civo/modules/workload-cluster/variables.tf b/civo-github/terraform/civo/modules/workload-cluster/variables.tf new file mode 100644 index 000000000..7a7c18c00 --- /dev/null +++ b/civo-github/terraform/civo/modules/workload-cluster/variables.tf 
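Review bot: `var.cluster_region` and `var.environment` are declared in the module's variables.tf and passed from the Workspace, but nothing in this file references them, and civo_kubernetes_cluster is created without a `region` argument, so the cluster lands in the provider's default region rather than the one the caller asked for — add `region = var.cluster_region` to the cluster (civo_network and civo_firewall also accept one) or drop the unused variables. The `external_secrets_operator_environment` and `external_secrets_operator` secrets copy the `VAULT_TOKEN` read from `secret/atlantis` into the workload namespace named by `var.cluster_name` and into external-secrets-operator, so any principal that can read secrets in either namespace obtains whatever Vault access that token carries; a token minted for External Secrets under its own Vault policy would bound that, and the data source called `external_secrets_operator` reading the Atlantis path deserves a comment either way. The argocd-manager ClusterRole grants `*`/`*`/`*` plus every non-resource URL and its token is a non-expiring `kubernetes.io/service-account-token` that is additionally written to Vault by `vault_generic_secret.clusters`; that is the usual Argo CD cluster-add pattern, but a header comment should say so and name how the token is rotated. `kubernetes_config_map` at the end is the only un-versioned resource type in the file, and `kubernetes_config_map_v1` would match the rest. civo-gitlab/terraform/civo/modules/workload-cluster/main.tf in this commit is the same blob, so all of this applies there too.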
@@ -0,0 +1,19 @@ +variable "cluster_name" { + type = string +} + +variable "cluster_region" { + type = string +} + +variable "environment" { + type = string +} + +variable "node_count" { + type = number +} + +variable "node_type" { + type = string +} diff --git a/civo-github/terraform/github/repos.tf b/civo-github/terraform/github/repos.tf index 0d101ee8f..03feb8a7c 100644 --- a/civo-github/terraform/github/repos.tf +++ b/civo-github/terraform/github/repos.tf @@ -26,7 +26,7 @@ terraform { module "gitops" { source = "./modules/repository" - repo_name = "gitops" + repo_name = "" archive_on_destroy = false auto_init = false # set to false if importing an existing repository team_developers_id = github_team.developers.id @@ -55,7 +55,7 @@ variable "atlantis_repo_webhook_secret" { module "metaphor" { source = "./modules/repository" - repo_name = "metaphor" + repo_name = "" archive_on_destroy = false auto_init = false # set to false if importing an existing repository create_ecr = true diff --git a/civo-github/terraform/github/teams.tf b/civo-github/terraform/github/teams.tf index 355d21b5f..a77f9bae9 100644 --- a/civo-github/terraform/github/teams.tf +++ b/civo-github/terraform/github/teams.tf @@ -1,11 +1,11 @@ resource "github_team" "admins" { - name = "admins" + name = "" description = "administrators of the kubefirst platform" privacy = "closed" } resource "github_team" "developers" { - name = "developers" + name = "" description = "developers using the kubefirst plaftform" privacy = "closed" } diff --git a/civo-github/terraform/users/admins/data_sources.tf b/civo-github/terraform/users/admins/data_sources.tf index a454eea5f..1331a4653 100644 --- a/civo-github/terraform/users/admins/data_sources.tf +++ b/civo-github/terraform/users/admins/data_sources.tf @@ -1,5 +1,5 @@ data "github_team" "admins" { - slug = "admins" + slug = "" } data "vault_auth_backend" "userpass" { 
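Review bot: None of the five variables in civo-github/terraform/civo/modules/workload-cluster/variables.tf carries a `description` or a validation block, and two of them (`cluster_region`, `environment`) are never read by the module's main.tf in this commit, so a reader cannot tell what the Workspace is expected to pass or why. Add a one-line description to each, e.g. `description = "Civo region the cluster, network and firewall are created in"` on cluster_region, and a `validation` block on node_count requiring at least one node with an explanatory error_message; remove the unused variables if they are not going to be wired in. civo-gitlab/terraform/civo/modules/workload-cluster/variables.tf in this commit is the same file.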
diff --git a/civo-github/terraform/users/developers/data_sources.tf b/civo-github/terraform/users/developers/data_sources.tf index 9c5d5c625..471e1c444 100644 --- a/civo-github/terraform/users/developers/data_sources.tf +++ b/civo-github/terraform/users/developers/data_sources.tf @@ -1,5 +1,5 @@ data "github_team" "developers" { - slug = "developers" + slug = "" } data "vault_auth_backend" "userpass" { diff --git a/civo-github/terraform/users/users.tf b/civo-github/terraform/users/users.tf index efe3e31db..35f254f88 100644 --- a/civo-github/terraform/users/users.tf +++ b/civo-github/terraform/users/users.tf @@ -20,11 +20,11 @@ terraform { } data "github_team" "admins" { - slug = "admins" + slug = "" } data "github_team" "developers" { - slug = "developers" + slug = "" } data "vault_auth_backend" "userpass" { diff --git a/civo-gitlab/templates/mgmt/components/argo-workflows/vault-wait.yaml b/civo-gitlab/templates/mgmt/components/argo-workflows/vault-wait.yaml index 47beecc62..bde31a201 100644 --- a/civo-gitlab/templates/mgmt/components/argo-workflows/vault-wait.yaml +++ b/civo-gitlab/templates/mgmt/components/argo-workflows/vault-wait.yaml @@ -22,4 +22,3 @@ spec: selfHeal: true syncOptions: - CreateNamespace=true - - Replace=true diff --git a/civo-gitlab/templates/mgmt/components/argo-workflows/wait/vault-tls.yaml b/civo-gitlab/templates/mgmt/components/argo-workflows/wait/vault-tls.yaml index c90d10ff9..d0f9b3f66 100644 --- a/civo-gitlab/templates/mgmt/components/argo-workflows/wait/vault-tls.yaml +++ b/civo-gitlab/templates/mgmt/components/argo-workflows/wait/vault-tls.yaml @@ -23,6 +23,7 @@ kind: Job metadata: annotations: argocd.argoproj.io/sync-wave: '0' + argocd.argoproj.io/sync-options: Force=true,Replace=true name: wait-vault-tls namespace: vault spec: diff --git a/civo-gitlab/templates/mgmt/components/argocd/kustomization.yaml b/civo-gitlab/templates/mgmt/components/argocd/kustomization.yaml index 362b89122..907f8ba77 100644 
--- a/civo-gitlab/templates/mgmt/components/argocd/kustomization.yaml +++ b/civo-gitlab/templates/mgmt/components/argocd/kustomization.yaml @@ -5,7 +5,7 @@ namespace: argocd # To upgrade ArgoCD, increment the version here # https://github.com/argoproj/argo-cd/tags resources: - - github.com:kubefirst/manifests.git/argocd/cloud?ref=main + - github.com:konstructio/manifests.git/argocd/cloud?ref=v1.1.0 - argocd-ui-ingress.yaml - externalsecrets.yaml - argocd-oidc-restart-job.yaml diff --git a/civo-gitlab/templates/mgmt/components/kubefirst/console.yaml b/civo-gitlab/templates/mgmt/components/kubefirst/console.yaml index f9d950528..df130b7f1 100644 --- a/civo-gitlab/templates/mgmt/components/kubefirst/console.yaml +++ b/civo-gitlab/templates/mgmt/components/kubefirst/console.yaml @@ -8,8 +8,8 @@ metadata: spec: project: default source: - repoURL: https://charts.kubefirst.com - targetRevision: 2.4.14-rc39 + repoURL: https://charts.konstruct.io + targetRevision: 2.5.12-rc3 chart: kubefirst helm: values: |- diff --git a/civo-gitlab/templates/workload-cluster/infrastructure/wait.yaml b/civo-gitlab/templates/workload-cluster/infrastructure/wait.yaml index 1268e3396..4f0da73bc 100644 --- a/civo-gitlab/templates/workload-cluster/infrastructure/wait.yaml +++ b/civo-gitlab/templates/workload-cluster/infrastructure/wait.yaml @@ -16,6 +16,6 @@ spec: - /bin/sh - -c - | - while ! kubectl wait --for=jsonpath='{.status.conditions[0].status}'='True' workspace/; do echo "waiting for cluster to provision"; sleep 5; done + while ! kubectl wait --for=jsonpath='{.status.conditions[0].status}'='True' workspace/-infrastructure; do echo "waiting for cluster to provision"; sleep 5; done restartPolicy: Never backoffLimit: 1 diff --git a/civo-gitlab/templates/workload-cluster/infrastructure/workspace.yaml b/civo-gitlab/templates/workload-cluster/infrastructure/workspace.yaml index 02168bff9..e5835a10a 100644 --- a/civo-gitlab/templates/workload-cluster/infrastructure/workspace.yaml 
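Review bot: `ref=v1.1.0` in civo-gitlab/templates/mgmt/components/argocd/kustomization.yaml is a tag, and a tag can be moved after the fact, so the Argo CD install still depends on whoever can push to the konstructio/manifests repository rather than on a fixed revision; kustomize remote resources accept a commit SHA in `ref=`, which would make the line immutable, e.g. `- github.com:konstructio/manifests.git/argocd/cloud?ref=<COMMIT_SHA_OF_v1.1.0>` with the tag kept in the comment above. Moving off `ref=main` is already a clear improvement. The identical hunk appears for digitalocean-github/templates/mgmt/components/argocd/kustomization.yaml in this commit.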
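Review bot: `--for=jsonpath='{.status.conditions[0].status}'='True'` in civo-gitlab/templates/workload-cluster/infrastructure/wait.yaml keys on array position, and as far as I can tell the order in which a Workspace's Ready and Synced conditions appear is not fixed, so the Job can exit as soon as Synced is True while Ready is still False. Selecting by condition type avoids that: `while ! kubectl wait --for=condition=Ready workspace/-infrastructure; do echo "waiting for cluster to provision"; sleep 5; done`. The empty prefix before `-infrastructure` reads like a stripped template token rather than a literal name; worth confirming the rendered value.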
+++ b/civo-gitlab/templates/workload-cluster/infrastructure/workspace.yaml 
@@ -1,195 +1,21 @@ apiVersion: tf.upbound.io/v1beta1 kind: Workspace metadata: - name: - annotations: - argocd.argoproj.io/sync-wave: "10" - crossplane.io/external-name: + name: -infrastructure spec: - providerConfigRef: + providerConfigRef: name: forProvider: - source: Inline - module: | - variable "instance_size" { - type = string - default = "g4s.kube.medium" - } - variable "node_count" { - type = number - default = "" - } - locals { - cluster_name = "" - } - resource "civo_network" "kubefirst" { - label = local.cluster_name - } - resource "civo_firewall" "kubefirst" { - name = local.cluster_name - network_id = civo_network.kubefirst.id - create_default_rules = true - } - resource "civo_kubernetes_cluster" "kubefirst" { - name = local.cluster_name - network_id = civo_network.kubefirst.id - firewall_id = civo_firewall.kubefirst.id - pools { - label = local.cluster_name - size = var.instance_size - node_count = var.node_count - } - } - resource "vault_generic_secret" "clusters" { - path = "secret/clusters/${local.cluster_name}" - data_json = jsonencode( - { - kubeconfig = civo_kubernetes_cluster.kubefirst.kubeconfig - client_certificate = base64decode(yamldecode(civo_kubernetes_cluster.kubefirst.kubeconfig).users[0].user.client-certificate-data) - client_key = base64decode(yamldecode(civo_kubernetes_cluster.kubefirst.kubeconfig).users[0].user.client-key-data) - cluster_ca_certificate = base64decode(yamldecode(civo_kubernetes_cluster.kubefirst.kubeconfig).clusters[0].cluster.certificate-authority-data) - host = civo_kubernetes_cluster.kubefirst.api_endpoint - cluster_name = local.cluster_name - argocd_manager_sa_token = kubernetes_secret_v1.argocd_manager.data.token - } - ) - } - provider "kubernetes" { - host = civo_kubernetes_cluster.kubefirst.api_endpoint - client_certificate = base64decode(yamldecode(civo_kubernetes_cluster.kubefirst.kubeconfig).users[0].user.client-certificate-data) - client_key = 
base64decode(yamldecode(civo_kubernetes_cluster.kubefirst.kubeconfig).users[0].user.client-key-data) - cluster_ca_certificate = base64decode(yamldecode(civo_kubernetes_cluster.kubefirst.kubeconfig).clusters[0].cluster.certificate-authority-data) - } - resource "kubernetes_cluster_role_v1" "argocd_manager" { - metadata { - name = "argocd-manager-role" - } - rule { - api_groups = ["*"] - resources = ["*"] - verbs = ["*"] - } - rule { - non_resource_urls = ["*"] - verbs = ["*"] - } - } - resource "kubernetes_cluster_role_binding_v1" "argocd_manager" { - metadata { - name = "argocd-manager-role-binding" - } - role_ref { - api_group = "rbac.authorization.k8s.io" - kind = "ClusterRole" - name = kubernetes_cluster_role_v1.argocd_manager.metadata.0.name - } - subject { - kind = "ServiceAccount" - name = kubernetes_service_account_v1.argocd_manager.metadata.0.name - namespace = "kube-system" - } - } - resource "kubernetes_service_account_v1" "argocd_manager" { - metadata { - name = "argocd-manager" - namespace = "kube-system" - } - secret { - name = "argocd-manager-token" - } - } - resource "kubernetes_secret_v1" "argocd_manager" { - metadata { - name = "argocd-manager-token" - namespace = "kube-system" - annotations = { - "kubernetes.io/service-account.name" = "argocd-manager" - } - } - type = "kubernetes.io/service-account-token" - depends_on = [ kubernetes_service_account_v1.argocd_manager ] - } - resource "kubernetes_namespace_v1" "external_dns" { - metadata { - name = "external-dns" - } - } - data "vault_generic_secret" "external_dns" { - path = "secret/external-dns" - } - resource "kubernetes_secret_v1" "external_dns" { - metadata { - name = "external-dns-secrets" - namespace = kubernetes_namespace_v1.external_dns.metadata.0.name - } - data = { - token = data.vault_generic_secret.external_dns.data["token"] - } - type = "Opaque" - } - resource "kubernetes_namespace_v1" "external_secrets_operator" { - metadata { - name = "external-secrets-operator" - } - } - resource 
"kubernetes_namespace_v1" "environment" { - metadata { - name = "" - } - } - data "vault_generic_secret" "docker_config" { - path = "secret/dockerconfigjson" - } - resource "kubernetes_secret_v1" "image_pull" { - metadata { - name = "docker-config" - namespace = kubernetes_namespace_v1.environment.metadata.0.name - } - data = { - ".dockerconfigjson" = data.vault_generic_secret.docker_config.data["dockerconfig"] - } - type = "kubernetes.io/dockerconfigjson" - } - data "vault_generic_secret" "external_secrets_operator" { - path = "secret/atlantis" - } - resource "kubernetes_secret_v1" "external_secrets_operator_environment" { - metadata { - name = "${local.cluster_name}-cluster-vault-bootstrap" - namespace = kubernetes_namespace_v1.environment.metadata.0.name - } - data = { - vault-token = data.vault_generic_secret.external_secrets_operator.data["VAULT_TOKEN"] - } - type = "Opaque" - } - resource "kubernetes_secret_v1" "external_secrets_operator" { - metadata { - name = "${local.cluster_name}-cluster-vault-bootstrap" - namespace = kubernetes_namespace_v1.external_secrets_operator.metadata.0.name - } - data = { - vault-token = data.vault_generic_secret.external_secrets_operator.data["VAULT_TOKEN"] - } - type = "Opaque" - } - resource "kubernetes_service_account_v1" "external_secrets" { - metadata { - name = "external-secrets" - namespace = kubernetes_namespace_v1.external_secrets_operator.metadata.0.name - } - secret { - name = "external-secrets-token" - } - } - resource "kubernetes_secret_v1" "external_secrets" { - metadata { - name = "external-secrets-token" - namespace = kubernetes_namespace_v1.external_secrets_operator.metadata.0.name - annotations = { - "kubernetes.io/service-account.name" = "external-secrets" - } - } - type = "kubernetes.io/service-account-token" - depends_on = [ kubernetes_service_account_v1.external_secrets ] - } \ No newline at end of file + source: Remote + module: + vars: + - key: cluster_name + value: + - key: cluster_region + value: + - 
key: environment + value: + - key: node_count + value: "" + - key: node_type + value: diff --git a/civo-gitlab/templates/workload-cluster/provider-config/providerconfig.yaml b/civo-gitlab/templates/workload-cluster/provider-config/providerconfig.yaml index d9860350d..51ba58329 100644 --- a/civo-gitlab/templates/workload-cluster/provider-config/providerconfig.yaml +++ b/civo-gitlab/templates/workload-cluster/provider-config/providerconfig.yaml @@ -20,6 +20,7 @@ spec: required_providers { civo = { source = "civo/civo" + version = "~> 1.1.0" } kubernetes = { source = "hashicorp/kubernetes" diff --git a/civo-gitlab/terraform/civo/main.tf b/civo-gitlab/terraform/civo/main.tf index 5c6698545..4be8c5b4d 100644 --- a/civo-gitlab/terraform/civo/main.tf +++ b/civo-gitlab/terraform/civo/main.tf @@ -14,6 +14,7 @@ terraform { required_providers { civo = { source = "civo/civo" + version = "~> 1.1.0" } } } @@ -39,10 +40,11 @@ resource "civo_firewall" "kubefirst" { } resource "civo_kubernetes_cluster" "kubefirst" { - name = local.cluster_name - network_id = civo_network.kubefirst.id - firewall_id = civo_firewall.kubefirst.id - cluster_type = "talos" + name = local.cluster_name + network_id = civo_network.kubefirst.id + firewall_id = civo_firewall.kubefirst.id + kubernetes_version = "1.28.7-k3s1" + write_kubeconfig = true pools { label = local.cluster_name size = "" diff --git a/civo-gitlab/terraform/civo/modules/workload-cluster/main.tf b/civo-gitlab/terraform/civo/modules/workload-cluster/main.tf new file mode 100644 index 000000000..5117608d7 --- /dev/null +++ b/civo-gitlab/terraform/civo/modules/workload-cluster/main.tf 
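Review bot: The Workspace in civo-gitlab/templates/workload-cluster/infrastructure/workspace.yaml now pulls its Terraform from a `source: Remote` module whose `module:` URL is rendered empty here (presumably a template token), and nothing in the hunk shows a git ref or commit on that URL; a Remote module is fetched at sync time, so without a pinned revision any push to that repository changes what this cluster's infrastructure applies — pin the module reference to a tag or SHA and say so in a comment above `module:`. The `argocd.argoproj.io/sync-wave: "10"` annotation is dropped along with the inline module, so the Workspace now syncs in the default wave; if the ProviderConfig it references had to exist first, that ordering guarantee is gone. The `vars` list passes `cluster_region` and `environment`, which the module's main.tf added in this commit never reads.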
@@ -0,0 +1,210 @@ +resource "civo_network" "kubefirst" { + label = var.cluster_name +} + +resource "civo_firewall" "kubefirst" { + name = var.cluster_name + network_id = civo_network.kubefirst.id + create_default_rules = true +} + +resource "civo_kubernetes_cluster" "kubefirst" { + name = var.cluster_name + network_id = civo_network.kubefirst.id + firewall_id = civo_firewall.kubefirst.id + kubernetes_version = "1.28.7-k3s1" + write_kubeconfig = true + pools { + label = var.cluster_name + size = var.node_type + node_count = var.node_count + } +} + +resource "vault_generic_secret" "clusters" { + path = "secret/clusters/${var.cluster_name}" + + data_json = jsonencode( + { + kubeconfig = civo_kubernetes_cluster.kubefirst.kubeconfig + client_certificate = base64decode(yamldecode(civo_kubernetes_cluster.kubefirst.kubeconfig).users[0].user.client-certificate-data) + client_key = base64decode(yamldecode(civo_kubernetes_cluster.kubefirst.kubeconfig).users[0].user.client-key-data) + cluster_ca_certificate = base64decode(yamldecode(civo_kubernetes_cluster.kubefirst.kubeconfig).clusters[0].cluster.certificate-authority-data) + host = civo_kubernetes_cluster.kubefirst.api_endpoint + cluster_name = var.cluster_name + argocd_manager_sa_token = kubernetes_secret_v1.argocd_manager.data.token + } + ) +} + +provider "kubernetes" { + host = civo_kubernetes_cluster.kubefirst.api_endpoint + client_certificate = base64decode(yamldecode(civo_kubernetes_cluster.kubefirst.kubeconfig).users[0].user.client-certificate-data) + client_key = base64decode(yamldecode(civo_kubernetes_cluster.kubefirst.kubeconfig).users[0].user.client-key-data) + cluster_ca_certificate = base64decode(yamldecode(civo_kubernetes_cluster.kubefirst.kubeconfig).clusters[0].cluster.certificate-authority-data) +} + +resource "kubernetes_cluster_role_v1" "argocd_manager" { + metadata { + name = "argocd-manager-role" + } + + rule { + api_groups = ["*"] + resources = ["*"] + verbs = ["*"] + } + rule { + non_resource_urls = 
["*"] + verbs = ["*"] + } +} + + +resource "kubernetes_cluster_role_binding_v1" "argocd_manager" { + metadata { + name = "argocd-manager-role-binding" + } + role_ref { + api_group = "rbac.authorization.k8s.io" + kind = "ClusterRole" + name = kubernetes_cluster_role_v1.argocd_manager.metadata.0.name + } + subject { + kind = "ServiceAccount" + name = kubernetes_service_account_v1.argocd_manager.metadata.0.name + namespace = "kube-system" + } +} + +resource "kubernetes_service_account_v1" "argocd_manager" { + metadata { + name = "argocd-manager" + namespace = "kube-system" + } + secret { + name = "argocd-manager-token" + } +} + +resource "kubernetes_secret_v1" "argocd_manager" { + metadata { + name = "argocd-manager-token" + namespace = "kube-system" + annotations = { + "kubernetes.io/service-account.name" = "argocd-manager" + } + } + type = "kubernetes.io/service-account-token" + depends_on = [kubernetes_service_account_v1.argocd_manager] +} + +resource "kubernetes_namespace_v1" "external_dns" { + metadata { + name = "external-dns" + } +} + +data "vault_generic_secret" "external_dns" { + path = "secret/external-dns" +} + +resource "kubernetes_secret_v1" "external_dns" { + metadata { + name = "external-dns-secrets" + namespace = kubernetes_namespace_v1.external_dns.metadata.0.name + } + data = { + token = data.vault_generic_secret.external_dns.data["token"] + } + type = "Opaque" +} + + +resource "kubernetes_namespace_v1" "external_secrets_operator" { + metadata { + name = "external-secrets-operator" + } +} + +resource "kubernetes_namespace_v1" "environment" { + metadata { + name = var.cluster_name + } +} + +data "vault_generic_secret" "docker_config" { + path = "secret/dockerconfigjson" +} + +resource "kubernetes_secret_v1" "image_pull" { + metadata { + name = "docker-config" + namespace = kubernetes_namespace_v1.environment.metadata.0.name + } + + data = { + ".dockerconfigjson" = data.vault_generic_secret.docker_config.data["dockerconfig"] + } + + type = 
"kubernetes.io/dockerconfigjson" +} + +data "vault_generic_secret" "external_secrets_operator" { + path = "secret/atlantis" +} + +resource "kubernetes_secret_v1" "external_secrets_operator_environment" { + metadata { + name = "${var.cluster_name}-cluster-vault-bootstrap" + namespace = kubernetes_namespace_v1.environment.metadata.0.name + } + data = { + vault-token = data.vault_generic_secret.external_secrets_operator.data["VAULT_TOKEN"] + } + type = "Opaque" +} + +resource "kubernetes_secret_v1" "external_secrets_operator" { + metadata { + name = "${var.cluster_name}-cluster-vault-bootstrap" + namespace = kubernetes_namespace_v1.external_secrets_operator.metadata.0.name + } + data = { + vault-token = data.vault_generic_secret.external_secrets_operator.data["VAULT_TOKEN"] + } + type = "Opaque" +} + +resource "kubernetes_service_account_v1" "external_secrets" { + metadata { + name = "external-secrets" + namespace = kubernetes_namespace_v1.external_secrets_operator.metadata.0.name + } + secret { + name = "external-secrets-token" + } +} + +resource "kubernetes_secret_v1" "external_secrets" { + metadata { + name = "external-secrets-token" + namespace = kubernetes_namespace_v1.external_secrets_operator.metadata.0.name + annotations = { + "kubernetes.io/service-account.name" = "external-secrets" + } + } + type = "kubernetes.io/service-account-token" + depends_on = [kubernetes_service_account_v1.external_secrets] +} + +resource "kubernetes_config_map" "kubefirst_cm" { + metadata { + name = "kubefirst-cm" + namespace = "kube-system" + } + + data = { + mgmt_cluster_id = "" + } +} diff --git a/civo-gitlab/terraform/civo/modules/workload-cluster/variables.tf b/civo-gitlab/terraform/civo/modules/workload-cluster/variables.tf new file mode 100644 index 000000000..7a7c18c00 --- /dev/null +++ b/civo-gitlab/terraform/civo/modules/workload-cluster/variables.tf 
@@ -0,0 +1,19 @@ +variable "cluster_name" { + type = string +} + +variable "cluster_region" { + type = string +} + +variable "environment" { + type = string +} + +variable "node_count" { + type = number +} + +variable "node_type" { + type = string +} diff --git a/civo-gitlab/terraform/gitlab/groups.tf b/civo-gitlab/terraform/gitlab/groups.tf index c5c5f16f4..da300caa0 100644 --- a/civo-gitlab/terraform/gitlab/groups.tf +++ b/civo-gitlab/terraform/gitlab/groups.tf @@ -3,15 +3,15 @@ data "gitlab_group" "owner" { } resource "gitlab_group" "admins" { - name = "admins" - path = "admins" + name = "" + path = "" parent_id = data.gitlab_group.owner.group_id description = "admins group" } resource "gitlab_group" "developers" { - name = "developers" - path = "developers" + name = "" + path = "" parent_id = data.gitlab_group.owner.group_id description = "developers group" } diff --git a/civo-gitlab/terraform/gitlab/projects.tf b/civo-gitlab/terraform/gitlab/projects.tf index 7e87a373b..bbf5c01b5 100644 --- a/civo-gitlab/terraform/gitlab/projects.tf +++ b/civo-gitlab/terraform/gitlab/projects.tf @@ -1,7 +1,7 @@ module "metaphor" { source = "./modules/project" group_name = data.gitlab_group.owner.id - project_name = "metaphor" + project_name = "" # create_ecr = true initialize_with_readme = false only_allow_merge_if_pipeline_succeeds = false @@ -11,7 +11,7 @@ module "metaphor" { module "gitops" { source = "./modules/project" group_name = data.gitlab_group.owner.id - project_name = "gitops" + project_name = " " # create_ecr = true initialize_with_readme = false only_allow_merge_if_pipeline_succeeds = false @@ -26,3 +26,4 @@ resource "gitlab_project_hook" "atlantis" { push_events = true note_events = true } + diff --git a/civo-gitlab/terraform/users/admins/main.tf b/civo-gitlab/terraform/users/admins/main.tf index c15703de5..cdc94d28b 100644 --- a/civo-gitlab/terraform/users/admins/main.tf +++ b/civo-gitlab/terraform/users/admins/main.tf 
@@ -1,5 +1,5 @@ data "vault_identity_group" "admins" { - group_name = "admins" + group_name = "" } data "vault_auth_backend" "userpass" { diff --git a/civo-gitlab/terraform/users/developers/data-sources.tf b/civo-gitlab/terraform/users/developers/data-sources.tf index b162542c0..1a5265189 100644 --- a/civo-gitlab/terraform/users/developers/data-sources.tf +++ b/civo-gitlab/terraform/users/developers/data-sources.tf @@ -1,3 +1,3 @@ data "vault_identity_group" "developers" { - group_name = "developers" + group_name = "" } diff --git a/civo-gitlab/terraform/users/modules/user/main.tf b/civo-gitlab/terraform/users/modules/user/main.tf index 7ad950860..fb091f121 100644 --- a/civo-gitlab/terraform/users/modules/user/main.tf +++ b/civo-gitlab/terraform/users/modules/user/main.tf @@ -133,15 +133,15 @@ variable "group_id" { } data "vault_identity_group" "admins" { - group_name = "admins" + group_name = "" } data "gitlab_group" "admins" { - full_path = "/admins" + full_path = "/" } data "gitlab_group" "developers" { - full_path = "/developers" + full_path = "/" } data "gitlab_user" "user" { diff --git a/civo-gitlab/terraform/users/users.tf b/civo-gitlab/terraform/users/users.tf index 4c7ad999c..ffa2080a9 100644 --- a/civo-gitlab/terraform/users/users.tf +++ b/civo-gitlab/terraform/users/users.tf @@ -23,11 +23,11 @@ terraform { } data "gitlab_group" "admins" { - full_path = "/admins" + full_path = "/" } data "gitlab_group" "developers" { - full_path = "/developers" + full_path = "/" } @@ -36,7 +36,7 @@ data "vault_auth_backend" "userpass" { } data "vault_identity_group" "admins" { - group_name = "admins" + group_name = "" } variable "initial_password" { @@ -45,7 +45,7 @@ variable "initial_password" { } data "vault_identity_group" "developers" { - group_name = "developers" + group_name = "" } module "admins" { diff --git a/civo-gitlab/terraform/vault/oidc-groups.tf b/civo-gitlab/terraform/vault/oidc-groups.tf index 4da060600..b2cc82df9 100644 
--- a/civo-gitlab/terraform/vault/oidc-groups.tf +++ b/civo-gitlab/terraform/vault/oidc-groups.tf @@ -1,5 +1,5 @@ resource "vault_identity_group" "developers" { - name = "developers" + name = "" type = "internal" policies = ["developer"] @@ -16,7 +16,7 @@ resource "vault_identity_group" "developers" { } resource "vault_identity_group" "admins" { - name = "admins" + name = "" type = "internal" policies = ["admin"] diff --git a/digitalocean-github/templates/mgmt/components/argo-workflows/vault-wait.yaml b/digitalocean-github/templates/mgmt/components/argo-workflows/vault-wait.yaml index 47beecc62..bde31a201 100644 --- a/digitalocean-github/templates/mgmt/components/argo-workflows/vault-wait.yaml +++ b/digitalocean-github/templates/mgmt/components/argo-workflows/vault-wait.yaml @@ -22,4 +22,3 @@ spec: selfHeal: true syncOptions: - CreateNamespace=true - - Replace=true diff --git a/digitalocean-github/templates/mgmt/components/argo-workflows/wait/vault-tls.yaml b/digitalocean-github/templates/mgmt/components/argo-workflows/wait/vault-tls.yaml index c90d10ff9..d0f9b3f66 100644 --- a/digitalocean-github/templates/mgmt/components/argo-workflows/wait/vault-tls.yaml +++ b/digitalocean-github/templates/mgmt/components/argo-workflows/wait/vault-tls.yaml @@ -23,6 +23,7 @@ kind: Job metadata: annotations: argocd.argoproj.io/sync-wave: '0' + argocd.argoproj.io/sync-options: Force=true,Replace=true name: wait-vault-tls namespace: vault spec: diff --git a/digitalocean-github/templates/mgmt/components/argocd/kustomization.yaml b/digitalocean-github/templates/mgmt/components/argocd/kustomization.yaml index 362b89122..907f8ba77 100644 --- a/digitalocean-github/templates/mgmt/components/argocd/kustomization.yaml +++ b/digitalocean-github/templates/mgmt/components/argocd/kustomization.yaml 
@@ -5,7 +5,7 @@ namespace: argocd # To upgrade ArgoCD, increment the version here # https://github.com/argoproj/argo-cd/tags resources: - - github.com:kubefirst/manifests.git/argocd/cloud?ref=main + - github.com:konstructio/manifests.git/argocd/cloud?ref=v1.1.0 - argocd-ui-ingress.yaml - externalsecrets.yaml - argocd-oidc-restart-job.yaml diff --git a/digitalocean-github/templates/mgmt/components/kubefirst/console.yaml b/digitalocean-github/templates/mgmt/components/kubefirst/console.yaml index f9d950528..df130b7f1 100644 --- a/digitalocean-github/templates/mgmt/components/kubefirst/console.yaml +++ b/digitalocean-github/templates/mgmt/components/kubefirst/console.yaml @@ -8,8 +8,8 @@ metadata: spec: project: default source: - repoURL: https://charts.kubefirst.com - targetRevision: 2.4.14-rc39 + repoURL: https://charts.konstruct.io + targetRevision: 2.5.12-rc3 chart: kubefirst helm: values: |- diff --git a/digitalocean-github/terraform/digitalocean/main.tf b/digitalocean-github/terraform/digitalocean/main.tf index 115deefcd..c30c89757 100644 --- a/digitalocean-github/terraform/digitalocean/main.tf +++ b/digitalocean-github/terraform/digitalocean/main.tf @@ -34,7 +34,7 @@ locals { } data "digitalocean_kubernetes_versions" "versions" { - version_prefix = "1.27." + version_prefix = "1.29." } resource "digitalocean_kubernetes_cluster" "kubefirst" { diff --git a/digitalocean-github/terraform/digitalocean/modules/workload-cluster/main.tf b/digitalocean-github/terraform/digitalocean/modules/workload-cluster/main.tf index ed230f48a..2ce39e995 100644 --- a/digitalocean-github/terraform/digitalocean/modules/workload-cluster/main.tf +++ b/digitalocean-github/terraform/digitalocean/modules/workload-cluster/main.tf @@ -1,6 +1,6 @@ data "digitalocean_kubernetes_versions" "versions" { - version_prefix = "1.27." + version_prefix = "1.29." } resource "digitalocean_kubernetes_cluster" "cluster" { 
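Review bot: `ref=v1.1.0` on `github.com:konstructio/manifests.git/argocd/cloud` is a git tag, which the upstream repository can move or re-push, so the rendered manifests can change with no diff in this repository; this remote base is what installs Argo CD itself, typically the most privileged component in the cluster, which makes a mutable ref worth avoiding. Moving off `main` is the right direction; pinning the full commit SHA (`?ref=<commit-sha>`) closes the remaining gap, with a comment recording which tag that SHA corresponds to so the line stays readable. The same applies to the digitalocean-gitlab, google-github and google-gitlab kustomization hunks, and to `ref=v2.12.0` on `argoproj/argo-cd.git/manifests/cluster-install` in the k3d-github hunk.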
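Review bot: `targetRevision: 2.5.12-rc3` in the digitalocean-github console.yaml hunk pins a release candidate of the `kubefirst` chart from the new `https://charts.konstruct.io` repository into a template that is stamped into every new management cluster; rc versions are pre-release by convention and may be withdrawn or superseded, so the template should either track a GA release or carry a comment stating why the rc is intentional, e.g. `# rc pinned deliberately: <reason>`. The same revision is set in the digitalocean-gitlab, google-github, google-gitlab and k3d-github console hunks.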
diff --git a/digitalocean-github/terraform/github/repos.tf b/digitalocean-github/terraform/github/repos.tf index 8136a5e11..0dbce9f38 100644 --- a/digitalocean-github/terraform/github/repos.tf +++ b/digitalocean-github/terraform/github/repos.tf @@ -26,7 +26,7 @@ terraform { module "gitops" { source = "./modules/repository" - repo_name = "gitops" + repo_name = " " archive_on_destroy = false auto_init = false # set to false if importing an existing repository team_developers_id = github_team.developers.id @@ -56,7 +56,7 @@ variable "atlantis_repo_webhook_secret" { module "metaphor" { source = "./modules/repository" - repo_name = "metaphor" + repo_name = "" archive_on_destroy = false auto_init = false # set to false if importing an existing repository create_ecr = true diff --git a/digitalocean-github/terraform/github/teams.tf b/digitalocean-github/terraform/github/teams.tf index 355d21b5f..a77f9bae9 100644 --- a/digitalocean-github/terraform/github/teams.tf +++ b/digitalocean-github/terraform/github/teams.tf @@ -1,11 +1,11 @@ resource "github_team" "admins" { - name = "admins" + name = "" description = "administrators of the kubefirst platform" privacy = "closed" } resource "github_team" "developers" { - name = "developers" + name = "" description = "developers using the kubefirst plaftform" privacy = "closed" } diff --git a/digitalocean-github/terraform/users/admins/data_sources.tf b/digitalocean-github/terraform/users/admins/data_sources.tf index a454eea5f..1331a4653 100644 --- a/digitalocean-github/terraform/users/admins/data_sources.tf +++ b/digitalocean-github/terraform/users/admins/data_sources.tf @@ -1,5 +1,5 @@ data "github_team" "admins" { - slug = "admins" + slug = "" } data "vault_auth_backend" "userpass" { diff --git a/digitalocean-github/terraform/users/developers/data_sources.tf b/digitalocean-github/terraform/users/developers/data_sources.tf index 9c5d5c625..471e1c444 100644 --- a/digitalocean-github/terraform/users/developers/data_sources.tf 
+++ b/digitalocean-github/terraform/users/developers/data_sources.tf @@ -1,5 +1,5 @@ data "github_team" "developers" { - slug = "developers" + slug = "" } data "vault_auth_backend" "userpass" { diff --git a/digitalocean-github/terraform/users/users.tf b/digitalocean-github/terraform/users/users.tf index 49aa0b6f0..c72c50f82 100644 --- a/digitalocean-github/terraform/users/users.tf +++ b/digitalocean-github/terraform/users/users.tf @@ -23,11 +23,11 @@ terraform { } data "github_team" "admins" { - slug = "admins" + slug = "" } data "github_team" "developers" { - slug = "developers" + slug = "" } data "vault_auth_backend" "userpass" { @@ -35,7 +35,7 @@ data "vault_auth_backend" "userpass" { } data "vault_identity_group" "admins" { - group_name = "admins" + group_name = "" } variable "initial_password" { @@ -60,7 +60,7 @@ resource "vault_identity_group_member_entity_ids" "admins_membership" { # # developers module # data "vault_identity_group" "developers" { -# group_name = "developers" +# group_name = "" # } # module "developers" { diff --git a/digitalocean-github/terraform/vault/oidc-groups.tf b/digitalocean-github/terraform/vault/oidc-groups.tf index 4da060600..b2cc82df9 100644 --- a/digitalocean-github/terraform/vault/oidc-groups.tf +++ b/digitalocean-github/terraform/vault/oidc-groups.tf @@ -1,5 +1,5 @@ resource "vault_identity_group" "developers" { - name = "developers" + name = "" type = "internal" policies = ["developer"] @@ -16,7 +16,7 @@ resource "vault_identity_group" "developers" { } resource "vault_identity_group" "admins" { - name = "admins" + name = "" type = "internal" policies = ["admin"] diff --git a/digitalocean-gitlab/templates/mgmt/components/argo-workflows/vault-wait.yaml b/digitalocean-gitlab/templates/mgmt/components/argo-workflows/vault-wait.yaml index 47beecc62..bde31a201 100644 --- a/digitalocean-gitlab/templates/mgmt/components/argo-workflows/vault-wait.yaml +++ b/digitalocean-gitlab/templates/mgmt/components/argo-workflows/vault-wait.yaml 
@@ -22,4 +22,3 @@ spec: selfHeal: true syncOptions: - CreateNamespace=true - - Replace=true diff --git a/digitalocean-gitlab/templates/mgmt/components/argo-workflows/wait/vault-tls.yaml b/digitalocean-gitlab/templates/mgmt/components/argo-workflows/wait/vault-tls.yaml index c90d10ff9..d0f9b3f66 100644 --- a/digitalocean-gitlab/templates/mgmt/components/argo-workflows/wait/vault-tls.yaml +++ b/digitalocean-gitlab/templates/mgmt/components/argo-workflows/wait/vault-tls.yaml @@ -23,6 +23,7 @@ kind: Job metadata: annotations: argocd.argoproj.io/sync-wave: '0' + argocd.argoproj.io/sync-options: Force=true,Replace=true name: wait-vault-tls namespace: vault spec: diff --git a/digitalocean-gitlab/templates/mgmt/components/argocd/kustomization.yaml b/digitalocean-gitlab/templates/mgmt/components/argocd/kustomization.yaml index 362b89122..907f8ba77 100644 --- a/digitalocean-gitlab/templates/mgmt/components/argocd/kustomization.yaml +++ b/digitalocean-gitlab/templates/mgmt/components/argocd/kustomization.yaml @@ -5,7 +5,7 @@ namespace: argocd # To upgrade ArgoCD, increment the version here # https://github.com/argoproj/argo-cd/tags resources: - - github.com:kubefirst/manifests.git/argocd/cloud?ref=main + - github.com:konstructio/manifests.git/argocd/cloud?ref=v1.1.0 - argocd-ui-ingress.yaml - externalsecrets.yaml - argocd-oidc-restart-job.yaml diff --git a/digitalocean-gitlab/templates/mgmt/components/kubefirst/console.yaml b/digitalocean-gitlab/templates/mgmt/components/kubefirst/console.yaml index f9d950528..df130b7f1 100644 --- a/digitalocean-gitlab/templates/mgmt/components/kubefirst/console.yaml +++ b/digitalocean-gitlab/templates/mgmt/components/kubefirst/console.yaml @@ -8,8 +8,8 @@ metadata: spec: project: default source: - repoURL: https://charts.kubefirst.com - targetRevision: 2.4.14-rc39 + repoURL: https://charts.konstruct.io + targetRevision: 2.5.12-rc3 chart: kubefirst helm: values: |- 
diff --git a/digitalocean-gitlab/terraform/digitalocean/main.tf b/digitalocean-gitlab/terraform/digitalocean/main.tf index 84f56398b..da45b731a 100644 --- a/digitalocean-gitlab/terraform/digitalocean/main.tf +++ b/digitalocean-gitlab/terraform/digitalocean/main.tf @@ -33,7 +33,7 @@ locals { } data "digitalocean_kubernetes_versions" "versions" { - version_prefix = "1.27." + version_prefix = "1.29." } resource "digitalocean_kubernetes_cluster" "kubefirst" { diff --git a/digitalocean-gitlab/terraform/digitalocean/modules/workload-cluster/main.tf b/digitalocean-gitlab/terraform/digitalocean/modules/workload-cluster/main.tf index ed230f48a..2ce39e995 100644 --- a/digitalocean-gitlab/terraform/digitalocean/modules/workload-cluster/main.tf +++ b/digitalocean-gitlab/terraform/digitalocean/modules/workload-cluster/main.tf @@ -1,6 +1,6 @@ data "digitalocean_kubernetes_versions" "versions" { - version_prefix = "1.27." + version_prefix = "1.29." } resource "digitalocean_kubernetes_cluster" "cluster" { diff --git a/digitalocean-gitlab/terraform/gitlab/groups.tf b/digitalocean-gitlab/terraform/gitlab/groups.tf index c5c5f16f4..da300caa0 100644 --- a/digitalocean-gitlab/terraform/gitlab/groups.tf +++ b/digitalocean-gitlab/terraform/gitlab/groups.tf @@ -3,15 +3,15 @@ data "gitlab_group" "owner" { } resource "gitlab_group" "admins" { - name = "admins" - path = "admins" + name = "" + path = "" parent_id = data.gitlab_group.owner.group_id description = "admins group" } resource "gitlab_group" "developers" { - name = "developers" - path = "developers" + name = "" + path = "" parent_id = data.gitlab_group.owner.group_id description = "developers group" } diff --git a/digitalocean-gitlab/terraform/gitlab/projects.tf b/digitalocean-gitlab/terraform/gitlab/projects.tf index 7e87a373b..c3455aefe 100644 --- a/digitalocean-gitlab/terraform/gitlab/projects.tf +++ b/digitalocean-gitlab/terraform/gitlab/projects.tf 
@@ -1,7 +1,7 @@ module "metaphor" { source = "./modules/project" group_name = data.gitlab_group.owner.id - project_name = "metaphor" + project_name = "" # create_ecr = true initialize_with_readme = false only_allow_merge_if_pipeline_succeeds = false @@ -11,7 +11,7 @@ module "metaphor" { module "gitops" { source = "./modules/project" group_name = data.gitlab_group.owner.id - project_name = "gitops" + project_name = " " # create_ecr = true initialize_with_readme = false only_allow_merge_if_pipeline_succeeds = false diff --git a/digitalocean-gitlab/terraform/users/admins/main.tf b/digitalocean-gitlab/terraform/users/admins/main.tf index c15703de5..cdc94d28b 100644 --- a/digitalocean-gitlab/terraform/users/admins/main.tf +++ b/digitalocean-gitlab/terraform/users/admins/main.tf @@ -1,5 +1,5 @@ data "vault_identity_group" "admins" { - group_name = "admins" + group_name = "" } data "vault_auth_backend" "userpass" { diff --git a/digitalocean-gitlab/terraform/users/developers/data-sources.tf b/digitalocean-gitlab/terraform/users/developers/data-sources.tf index b162542c0..1a5265189 100644 --- a/digitalocean-gitlab/terraform/users/developers/data-sources.tf +++ b/digitalocean-gitlab/terraform/users/developers/data-sources.tf @@ -1,3 +1,3 @@ data "vault_identity_group" "developers" { - group_name = "developers" + group_name = "" } diff --git a/digitalocean-gitlab/terraform/users/modules/user/main.tf b/digitalocean-gitlab/terraform/users/modules/user/main.tf index 7ad950860..97b920292 100644 --- a/digitalocean-gitlab/terraform/users/modules/user/main.tf +++ b/digitalocean-gitlab/terraform/users/modules/user/main.tf @@ -133,7 +133,7 @@ variable "group_id" { } data "vault_identity_group" "admins" { - group_name = "admins" + group_name = "" } data "gitlab_group" "admins" { diff --git a/digitalocean-gitlab/terraform/users/users.tf b/digitalocean-gitlab/terraform/users/users.tf index 941e37494..185767e9f 100644 --- a/digitalocean-gitlab/terraform/users/users.tf 
+++ b/digitalocean-gitlab/terraform/users/users.tf @@ -21,11 +21,11 @@ terraform { } data "gitlab_group" "admins" { - full_path = "/admins" + full_path = "/" } data "gitlab_group" "developers" { - full_path = "/developers" + full_path = "/" } @@ -34,7 +34,7 @@ data "vault_auth_backend" "userpass" { } data "vault_identity_group" "admins" { - group_name = "admins" + group_name = "" } variable "initial_password" { @@ -43,7 +43,7 @@ variable "initial_password" { } data "vault_identity_group" "developers" { - group_name = "developers" + group_name = "" } module "admins" { diff --git a/digitalocean-gitlab/terraform/vault/oidc-groups.tf b/digitalocean-gitlab/terraform/vault/oidc-groups.tf index 4da060600..b2cc82df9 100644 --- a/digitalocean-gitlab/terraform/vault/oidc-groups.tf +++ b/digitalocean-gitlab/terraform/vault/oidc-groups.tf @@ -1,5 +1,5 @@ resource "vault_identity_group" "developers" { - name = "developers" + name = "" type = "internal" policies = ["developer"] @@ -16,7 +16,7 @@ resource "vault_identity_group" "developers" { } resource "vault_identity_group" "admins" { - name = "admins" + name = "" type = "internal" policies = ["admin"] diff --git a/google-github/templates/mgmt/components/argo-workflows/vault-wait.yaml b/google-github/templates/mgmt/components/argo-workflows/vault-wait.yaml index 47beecc62..7c6908e3a 100644 --- a/google-github/templates/mgmt/components/argo-workflows/vault-wait.yaml +++ b/google-github/templates/mgmt/components/argo-workflows/vault-wait.yaml @@ -22,4 +22,4 @@ spec: selfHeal: true syncOptions: - CreateNamespace=true - - Replace=true + \ No newline at end of file diff --git a/google-github/templates/mgmt/components/argo-workflows/wait/vault-tls.yaml b/google-github/templates/mgmt/components/argo-workflows/wait/vault-tls.yaml index c90d10ff9..d0f9b3f66 100644 --- a/google-github/templates/mgmt/components/argo-workflows/wait/vault-tls.yaml +++ b/google-github/templates/mgmt/components/argo-workflows/wait/vault-tls.yaml 
@@ -23,6 +23,7 @@ kind: Job metadata: annotations: argocd.argoproj.io/sync-wave: '0' + argocd.argoproj.io/sync-options: Force=true,Replace=true name: wait-vault-tls namespace: vault spec: diff --git a/google-github/templates/mgmt/components/argocd/kustomization.yaml b/google-github/templates/mgmt/components/argocd/kustomization.yaml index ef44dac20..1b7fd9651 100644 --- a/google-github/templates/mgmt/components/argocd/kustomization.yaml +++ b/google-github/templates/mgmt/components/argocd/kustomization.yaml @@ -5,7 +5,7 @@ namespace: argocd # To upgrade ArgoCD, increment the version here # https://github.com/argoproj/argo-cd/tags resources: - - github.com:kubefirst/manifests.git/argocd/cloud?ref=main + - github.com:konstructio/manifests.git/argocd/cloud?ref=v1.1.0 - argocd-ui-ingress.yaml - externalsecrets.yaml - argocd-oidc-restart-job.yaml diff --git a/google-github/templates/mgmt/components/kubefirst/console.yaml b/google-github/templates/mgmt/components/kubefirst/console.yaml index f9d950528..df130b7f1 100644 --- a/google-github/templates/mgmt/components/kubefirst/console.yaml +++ b/google-github/templates/mgmt/components/kubefirst/console.yaml @@ -8,8 +8,8 @@ metadata: spec: project: default source: - repoURL: https://charts.kubefirst.com - targetRevision: 2.4.14-rc39 + repoURL: https://charts.konstruct.io + targetRevision: 2.5.12-rc3 chart: kubefirst helm: values: |- diff --git a/google-github/terraform/github/repos.tf b/google-github/terraform/github/repos.tf index f3b41c16e..a85ea51a9 100644 --- a/google-github/terraform/github/repos.tf +++ b/google-github/terraform/github/repos.tf @@ -18,7 +18,7 @@ terraform { module "gitops" { source = "./modules/repository" - repo_name = "gitops" + repo_name = "" archive_on_destroy = false auto_init = false # set to false if importing an existing repository team_developers_id = github_team.developers.id 
@@ -47,7 +47,7 @@ variable "atlantis_repo_webhook_secret" { module "metaphor" { source = "./modules/repository" - repo_name = "metaphor" + repo_name = "" archive_on_destroy = false auto_init = false # set to false if importing an existing repository create_ecr = true diff --git a/google-github/terraform/github/teams.tf b/google-github/terraform/github/teams.tf index 355d21b5f..a77f9bae9 100644 --- a/google-github/terraform/github/teams.tf +++ b/google-github/terraform/github/teams.tf @@ -1,11 +1,11 @@ resource "github_team" "admins" { - name = "admins" + name = "" description = "administrators of the kubefirst platform" privacy = "closed" } resource "github_team" "developers" { - name = "developers" + name = "" description = "developers using the kubefirst plaftform" privacy = "closed" } diff --git a/google-github/terraform/users/admins/data_sources.tf b/google-github/terraform/users/admins/data_sources.tf index a454eea5f..1331a4653 100644 --- a/google-github/terraform/users/admins/data_sources.tf +++ b/google-github/terraform/users/admins/data_sources.tf @@ -1,5 +1,5 @@ data "github_team" "admins" { - slug = "admins" + slug = "" } data "vault_auth_backend" "userpass" { diff --git a/google-github/terraform/users/developers/data_sources.tf b/google-github/terraform/users/developers/data_sources.tf index 9c5d5c625..471e1c444 100644 --- a/google-github/terraform/users/developers/data_sources.tf +++ b/google-github/terraform/users/developers/data_sources.tf @@ -1,5 +1,5 @@ data "github_team" "developers" { - slug = "developers" + slug = "" } data "vault_auth_backend" "userpass" { diff --git a/google-github/terraform/users/users.tf b/google-github/terraform/users/users.tf index 52183ae5a..bf4b7b10e 100644 --- a/google-github/terraform/users/users.tf +++ b/google-github/terraform/users/users.tf 
@@ -19,11 +19,11 @@ terraform { } data "github_team" "admins" { - slug = "admins" + slug = "" } data "github_team" "developers" { - slug = "developers" + slug = "" } data "vault_auth_backend" "userpass" { @@ -31,7 +31,7 @@ data "vault_auth_backend" "userpass" { } data "vault_identity_group" "admins" { - group_name = "admins" + group_name = "" } variable "initial_password" { diff --git a/google-github/terraform/vault/oidc-groups.tf b/google-github/terraform/vault/oidc-groups.tf index 4da060600..b2cc82df9 100644 --- a/google-github/terraform/vault/oidc-groups.tf +++ b/google-github/terraform/vault/oidc-groups.tf @@ -1,5 +1,5 @@ resource "vault_identity_group" "developers" { - name = "developers" + name = "" type = "internal" policies = ["developer"] @@ -16,7 +16,7 @@ resource "vault_identity_group" "developers" { } resource "vault_identity_group" "admins" { - name = "admins" + name = "" type = "internal" policies = ["admin"] diff --git a/google-gitlab/templates/mgmt/components/argo-workflows/vault-wait.yaml b/google-gitlab/templates/mgmt/components/argo-workflows/vault-wait.yaml index 47beecc62..bde31a201 100644 --- a/google-gitlab/templates/mgmt/components/argo-workflows/vault-wait.yaml +++ b/google-gitlab/templates/mgmt/components/argo-workflows/vault-wait.yaml @@ -22,4 +22,3 @@ spec: selfHeal: true syncOptions: - CreateNamespace=true - - Replace=true diff --git a/google-gitlab/templates/mgmt/components/argo-workflows/wait/vault-tls.yaml b/google-gitlab/templates/mgmt/components/argo-workflows/wait/vault-tls.yaml index c90d10ff9..d0f9b3f66 100644 --- a/google-gitlab/templates/mgmt/components/argo-workflows/wait/vault-tls.yaml +++ b/google-gitlab/templates/mgmt/components/argo-workflows/wait/vault-tls.yaml @@ -23,6 +23,7 @@ kind: Job metadata: annotations: argocd.argoproj.io/sync-wave: '0' + argocd.argoproj.io/sync-options: Force=true,Replace=true name: wait-vault-tls namespace: vault spec: 
diff --git a/google-gitlab/templates/mgmt/components/argocd/kustomization.yaml b/google-gitlab/templates/mgmt/components/argocd/kustomization.yaml index ef44dac20..1b7fd9651 100644 --- a/google-gitlab/templates/mgmt/components/argocd/kustomization.yaml +++ b/google-gitlab/templates/mgmt/components/argocd/kustomization.yaml @@ -5,7 +5,7 @@ namespace: argocd # To upgrade ArgoCD, increment the version here # https://github.com/argoproj/argo-cd/tags resources: - - github.com:kubefirst/manifests.git/argocd/cloud?ref=main + - github.com:konstructio/manifests.git/argocd/cloud?ref=v1.1.0 - argocd-ui-ingress.yaml - externalsecrets.yaml - argocd-oidc-restart-job.yaml diff --git a/google-gitlab/templates/mgmt/components/kubefirst/console.yaml b/google-gitlab/templates/mgmt/components/kubefirst/console.yaml index f9d950528..df130b7f1 100644 --- a/google-gitlab/templates/mgmt/components/kubefirst/console.yaml +++ b/google-gitlab/templates/mgmt/components/kubefirst/console.yaml @@ -8,8 +8,8 @@ metadata: spec: project: default source: - repoURL: https://charts.kubefirst.com - targetRevision: 2.4.14-rc39 + repoURL: https://charts.konstruct.io + targetRevision: 2.5.12-rc3 chart: kubefirst helm: values: |- diff --git a/google-gitlab/terraform/gitlab/groups.tf b/google-gitlab/terraform/gitlab/groups.tf index c5c5f16f4..da300caa0 100644 --- a/google-gitlab/terraform/gitlab/groups.tf +++ b/google-gitlab/terraform/gitlab/groups.tf @@ -3,15 +3,15 @@ data "gitlab_group" "owner" { } resource "gitlab_group" "admins" { - name = "admins" - path = "admins" + name = "" + path = "" parent_id = data.gitlab_group.owner.group_id description = "admins group" } resource "gitlab_group" "developers" { - name = "developers" - path = "developers" + name = "" + path = "" parent_id = data.gitlab_group.owner.group_id description = "developers group" } diff --git a/google-gitlab/terraform/gitlab/projects.tf b/google-gitlab/terraform/gitlab/projects.tf index f91932cac..22266ddef 100644 
--- a/google-gitlab/terraform/gitlab/projects.tf +++ b/google-gitlab/terraform/gitlab/projects.tf @@ -1,7 +1,7 @@ module "metaphor" { source = "./modules/project" group_name = data.gitlab_group.owner.id - project_name = "metaphor" + project_name = "" initialize_with_readme = false only_allow_merge_if_pipeline_succeeds = false remove_source_branch_after_merge = true @@ -10,7 +10,7 @@ module "metaphor" { module "gitops" { source = "./modules/project" group_name = data.gitlab_group.owner.id - project_name = "gitops" + project_name = " " initialize_with_readme = false only_allow_merge_if_pipeline_succeeds = false remove_source_branch_after_merge = true diff --git a/google-gitlab/terraform/users/admins/data-sources.tf b/google-gitlab/terraform/users/admins/data-sources.tf index c15703de5..cdc94d28b 100644 --- a/google-gitlab/terraform/users/admins/data-sources.tf +++ b/google-gitlab/terraform/users/admins/data-sources.tf @@ -1,5 +1,5 @@ data "vault_identity_group" "admins" { - group_name = "admins" + group_name = "" } data "vault_auth_backend" "userpass" { diff --git a/google-gitlab/terraform/users/developers/data-sources.tf b/google-gitlab/terraform/users/developers/data-sources.tf index d05780273..ab3d1abd8 100644 --- a/google-gitlab/terraform/users/developers/data-sources.tf +++ b/google-gitlab/terraform/users/developers/data-sources.tf @@ -1,3 +1,3 @@ data "vault_identity_group" "developers" { - group_name = "developers" + group_name = "" } \ No newline at end of file diff --git a/google-gitlab/terraform/users/modules/user/main.tf b/google-gitlab/terraform/users/modules/user/main.tf index 7ad950860..fb091f121 100644 --- a/google-gitlab/terraform/users/modules/user/main.tf +++ b/google-gitlab/terraform/users/modules/user/main.tf 
@@ -133,15 +133,15 @@ variable "group_id" { } data "vault_identity_group" "admins" { - group_name = "admins" + group_name = "" } data "gitlab_group" "admins" { - full_path = "/admins" + full_path = "/" } data "gitlab_group" "developers" { - full_path = "/developers" + full_path = "/" } data "gitlab_user" "user" { diff --git a/google-gitlab/terraform/users/users.tf b/google-gitlab/terraform/users/users.tf index 2e2ab8ff3..a3870d7a0 100644 --- a/google-gitlab/terraform/users/users.tf +++ b/google-gitlab/terraform/users/users.tf @@ -19,11 +19,11 @@ terraform { } data "gitlab_group" "admins" { - full_path = "/admins" + full_path = "/" } data "gitlab_group" "developers" { - full_path = "/developers" + full_path = "/" } @@ -32,7 +32,7 @@ data "vault_auth_backend" "userpass" { } data "vault_identity_group" "admins" { - group_name = "admins" + group_name = "" } variable "initial_password" { @@ -41,7 +41,7 @@ variable "initial_password" { } data "vault_identity_group" "developers" { - group_name = "developers" + group_name = "" } module "admins" { diff --git a/google-gitlab/terraform/vault/oidc-groups.tf b/google-gitlab/terraform/vault/oidc-groups.tf index 4da060600..b2cc82df9 100644 --- a/google-gitlab/terraform/vault/oidc-groups.tf +++ b/google-gitlab/terraform/vault/oidc-groups.tf @@ -1,5 +1,5 @@ resource "vault_identity_group" "developers" { - name = "developers" + name = "" type = "internal" policies = ["developer"] @@ -16,7 +16,7 @@ resource "vault_identity_group" "developers" { } resource "vault_identity_group" "admins" { - name = "admins" + name = "" type = "internal" policies = ["admin"] diff --git a/k3d-github/cluster-types/mgmt/components/argocd/kustomization.yaml b/k3d-github/cluster-types/mgmt/components/argocd/kustomization.yaml index 596551601..8b096b58c 100644 --- a/k3d-github/cluster-types/mgmt/components/argocd/kustomization.yaml +++ b/k3d-github/cluster-types/mgmt/components/argocd/kustomization.yaml 
@@ -5,7 +5,7 @@ namespace: argocd # To upgrade ArgoCD, increment the version here # https://github.com/argoproj/argo-cd/tags resources: - - github.com:argoproj/argo-cd.git/manifests/cluster-install?ref=v2.6.4 + - github.com:argoproj/argo-cd.git/manifests/cluster-install?ref=v2.12.0 - argocd-namespace.yaml - argocd-ui-ingress.yaml - argocd-ui-ingressroute.yaml diff --git a/k3d-github/cluster-types/mgmt/components/github-runner/runnerdeployment.yaml b/k3d-github/cluster-types/mgmt/components/github-runner/runnerdeployment.yaml index 0cfe46d1b..f2e1cc9da 100644 --- a/k3d-github/cluster-types/mgmt/components/github-runner/runnerdeployment.yaml +++ b/k3d-github/cluster-types/mgmt/components/github-runner/runnerdeployment.yaml @@ -8,7 +8,7 @@ spec: replicas: 1 template: spec: - repository: /metaphor + repository: / image: summerwind/actions-runner-dind serviceAccountName: github-runner dockerdWithinRunnerContainer: true diff --git a/k3d-github/cluster-types/mgmt/components/kubefirst/console-arm.yaml b/k3d-github/cluster-types/mgmt/components/kubefirst/console-arm.yaml index ec3c83216..617564add 100644 --- a/k3d-github/cluster-types/mgmt/components/kubefirst/console-arm.yaml +++ b/k3d-github/cluster-types/mgmt/components/kubefirst/console-arm.yaml @@ -8,8 +8,8 @@ metadata: spec: project: default source: - repoURL: https://charts.kubefirst.com - targetRevision: 2.4.14-rc39 + repoURL: https://charts.konstruct.io + targetRevision: 2.5.12-rc3 chart: kubefirst helm: values: |- diff --git a/k3d-github/cluster-types/mgmt/components/kubefirst/console.yaml b/k3d-github/cluster-types/mgmt/components/kubefirst/console.yaml index ec3c83216..617564add 100644 --- a/k3d-github/cluster-types/mgmt/components/kubefirst/console.yaml +++ b/k3d-github/cluster-types/mgmt/components/kubefirst/console.yaml 
@@ -8,8 +8,8 @@ metadata: spec: project: default source: - repoURL: https://charts.kubefirst.com - targetRevision: 2.4.14-rc39 + repoURL: https://charts.konstruct.io + targetRevision: 2.5.12-rc3 chart: kubefirst helm: values: |- diff --git a/k3d-github/terraform/github/repos.tf b/k3d-github/terraform/github/repos.tf index 80ba23763..467430f73 100644 --- a/k3d-github/terraform/github/repos.tf +++ b/k3d-github/terraform/github/repos.tf @@ -2,7 +2,7 @@ module "gitops" { source = "./modules/repository" visibility = "private" - repo_name = "gitops" + repo_name = "" archive_on_destroy = false auto_init = false # set to false if importing an existing repository } @@ -10,7 +10,7 @@ module "gitops" { module "metaphor" { source = "./modules/repository" - repo_name = "metaphor" + repo_name = "" archive_on_destroy = false auto_init = false # set to false if importing an existing repository } diff --git a/k3d-github/terraform/vault/policies.tf b/k3d-github/terraform/vault/policies.tf index 93bf58075..439ae5a8e 100644 --- a/k3d-github/terraform/vault/policies.tf +++ b/k3d-github/terraform/vault/policies.tf @@ -141,7 +141,7 @@ EOT } resource "vault_policy" "developer" { - name = "developer" + name = "developers" policy = <