From 766dd517b80956f9aaca0cf24088e79896aa9c63 Mon Sep 17 00:00:00 2001 From: mrrishi Date: Wed, 4 Feb 2026 17:39:42 +0530 Subject: [PATCH 1/7] feat: 0.3 --- terraform/civo/main.tf | 36 ---- terraform/gcp/workload-cluster/main.tf | 209 -------------------- terraform/gcp/workload-cluster/variables.tf | 16 -- 3 files changed, 261 deletions(-) delete mode 100644 terraform/civo/main.tf delete mode 100644 terraform/gcp/workload-cluster/main.tf delete mode 100644 terraform/gcp/workload-cluster/variables.tf diff --git a/terraform/civo/main.tf b/terraform/civo/main.tf deleted file mode 100644 index a9279ce..0000000 --- a/terraform/civo/main.tf +++ /dev/null @@ -1,36 +0,0 @@ -provider "civo" { - region = "" -} - -locals { - cluster_name = "" - kube_config_filename = "../../../kubeconfig" -} - -resource "civo_network" "kubefirst" { - label = local.cluster_name -} - -resource "civo_firewall" "kubefirst" { - name = local.cluster_name - network_id = civo_network.kubefirst.id - create_default_rules = true -} - -resource "civo_kubernetes_cluster" "kubefirst" { - name = local.cluster_name - network_id = civo_network.kubefirst.id - firewall_id = civo_firewall.kubefirst.id - kubernetes_version = "1.28.7-k3s1" - write_kubeconfig = true - pools { - label = local.cluster_name - size = "" - node_count = tonumber("") # tonumber() is used for a string token value - } -} - -resource "local_file" "kubeconfig" { - content = civo_kubernetes_cluster.kubefirst.kubeconfig - filename = local.kube_config_filename -} diff --git a/terraform/gcp/workload-cluster/main.tf b/terraform/gcp/workload-cluster/main.tf deleted file mode 100644 index 4c35c97..0000000 --- a/terraform/gcp/workload-cluster/main.tf +++ /dev/null 
@@ -1,209 +0,0 @@ - - -locals { - cluster_name = var.cluster_name - subnet_name = lookup(module.vpc.subnets, "${var.cluster_region}/subnet-01-${local.cluster_name}").name -} - -data "google_client_config" "current" {} - -resource "google_compute_router" "router" { - name = "gke-cloud-router-${local.cluster_name}" - project = data.google_client_config.current.project - network = local.cluster_name - region = var.cluster_region -} - -module "cloud-nat" { - name = "gke-nat-config-${local.cluster_name}" - source = "terraform-google-modules/cloud-nat/google" - version = "~> 5.0" - project_id = data.google_client_config.current.project - region = var.cluster_region - router = google_compute_router.router.name - source_subnetwork_ip_ranges_to_nat = "ALL_SUBNETWORKS_ALL_IP_RANGES" -} - -resource "google_service_account" "kubefirst" { - account_id = local.cluster_name - display_name = "Service Account for ${local.cluster_name} cluster" -} - -module "vpc" { - source = "terraform-google-modules/network/google" - version = "~> 9.1" - - project_id = data.google_client_config.current.project - network_name = local.cluster_name - - subnets = [ - { - subnet_name = "subnet-01-${local.cluster_name}" - subnet_ip = "10.10.10.0/24" - subnet_region = var.cluster_region - subnet_private_access = "true" - subnet_flow_logs = "true" - description = "This base subnet." 
- }, - ] - - secondary_ranges = { - "subnet-01-${local.cluster_name}" = [ - { - range_name = "subnet-01-${local.cluster_name}-gke-01-pods" - ip_cidr_range = "10.13.0.0/16" - }, - { - range_name = "subnet-01-${local.cluster_name}-gke-01-services" - ip_cidr_range = "10.14.0.0/16" - }, - ] - } -} - -module "gke" { - source = "terraform-google-modules/kubernetes-engine/google//modules/private-cluster" - version = "~> 31.0" - - project_id = data.google_client_config.current.project - name = local.cluster_name - region = var.cluster_region - release_channel = "STABLE" - remove_default_node_pool = true - - deletion_protection = false - - // External availability - enable_private_endpoint = false - enable_private_nodes = true - - // Service Account - create_service_account = true - - // Networking - network = module.vpc.network_name - subnetwork = local.subnet_name - ip_range_pods = "${local.subnet_name}-gke-01-pods" - ip_range_services = "${local.subnet_name}-gke-01-services" - - // Addons - dns_cache = true - enable_shielded_nodes = true - filestore_csi_driver = false - gce_pd_csi_driver = true - horizontal_pod_autoscaling = false - http_load_balancing = false - network_policy = false - - // Node Pools - node_pools = [ - { - name = "kubefirst" - machine_type = var.node_type - - // Autoscaling - // PER ZONE - min_count = var.node_count - // PER ZONE - max_count = var.node_count - // PER ZONE - initial_node_count = var.node_count - - local_ssd_count = 0 - spot = false - disk_size_gb = 100 - disk_type = "pd-standard" - image_type = "COS_CONTAINERD" - enable_gcfs = false - enable_gvnic = false - auto_repair = true - auto_upgrade = true - preemptible = false - }, - ] - - node_pools_oauth_scopes = { - all = [ - "https://www.googleapis.com/auth/logging.write", - "https://www.googleapis.com/auth/monitoring", - "https://www.googleapis.com/auth/devstorage.read_only", - ] - } -} - -resource "aws_ssm_parameter" "clusters" { - provider = aws.PROJECT_REGION - name = 
"/clusters/${local.cluster_name}" - description = "Cluster configuration for ${local.cluster_name}" - type = "String" - value = jsonencode( - { - cluster_ca_certificate = base64decode(module.gke.ca_certificate) - host = "https://${module.gke.endpoint}" - token = data.google_client_config.current.access_token - cluster_name = local.cluster_name - argocd_manager_sa_token = kubernetes_secret_v1.argocd_manager.data.token - } - ) -} - - -provider "kubernetes" { - host = "https://${module.gke.endpoint}" - token = data.google_client_config.current.access_token - cluster_ca_certificate = base64decode(module.gke.ca_certificate) -} - -resource "kubernetes_cluster_role_v1" "argocd_manager" { - metadata { - name = "argocd-manager-role" - } - - rule { - api_groups = ["*"] - resources = ["*"] - verbs = ["*"] - } - rule { - non_resource_urls = ["*"] - verbs = ["*"] - } -} - -resource "kubernetes_cluster_role_binding_v1" "argocd_manager" { - metadata { - name = "argocd-manager-role-binding" - } - role_ref { - api_group = "rbac.authorization.k8s.io" - kind = "ClusterRole" - name = kubernetes_cluster_role_v1.argocd_manager.metadata.0.name - } - subject { - kind = "ServiceAccount" - name = kubernetes_service_account_v1.argocd_manager.metadata.0.name - namespace = "kube-system" - } -} - -resource "kubernetes_service_account_v1" "argocd_manager" { - metadata { - name = "argocd-manager" - namespace = "kube-system" - } - secret { - name = "argocd-manager-token" - } -} - -resource "kubernetes_secret_v1" "argocd_manager" { - metadata { - name = "argocd-manager-token" - namespace = "kube-system" - annotations = { - "kubernetes.io/service-account.name" = "argocd-manager" - } - } - type = "kubernetes.io/service-account-token" - depends_on = [ kubernetes_service_account_v1.argocd_manager ] -} diff --git a/terraform/gcp/workload-cluster/variables.tf b/terraform/gcp/workload-cluster/variables.tf deleted file mode 100644 index 04cecfa..0000000 
--- a/terraform/gcp/workload-cluster/variables.tf +++ /dev/null @@ -1,16 +0,0 @@ - -variable "node_type" { - type = string -} - -variable "cluster_region" { - type = string -} - -variable "node_count" { - type = number -} - -variable "cluster_name" { - type = string -} From f601e1d8258aeeec8f2d46944db7ea9fe1f30504 Mon Sep 17 00:00:00 2001 
From: mrrishi Date: Thu, 12 Feb 2026 21:18:03 +0530 Subject: [PATCH 2/7] add v2 template for cp --- templates/controlplane-template/.helmignore | 20 ++ templates/controlplane-template/Chart.yaml | 6 + .../templates/actions-runner-controller.yaml | 33 ++++ .../templates/appprojects.yaml | 24 +++ .../templates/argo-workflows.yaml | 24 +++ .../templates/argocd.yaml | 31 +++ .../templates/atlantis.yaml | 30 +++ .../templates/cert-issuers.yaml | 24 +++ .../templates/cert-manager.yaml | 24 +++ .../templates/chartmuseum.yaml | 24 +++ .../cloudflare-origin-ca-issuer.yaml | 34 ++++ .../cloudflare-origin-issuer-crd.yaml | 24 +++ .../templates/cluster-secret-store.yaml | 30 +++ .../templates/clusterrolebinding.yaml | 119 ++++++++++++ .../templates/clusters.yaml | 25 +++ .../application.yaml | 41 ++++ .../externalsecret.yaml | 18 ++ .../actions-runner-controller/wait.yaml | 59 ++++++ .../argo-workflows/application.yaml | 101 ++++++++++ .../argo-workflows/argo-workflows-cwfts.yaml | 24 +++ .../argo-workflows/cloudflareissuer.yaml | 31 +++ .../argo-workflows/cwfts/cwft-git.yaml | 178 ++++++++++++++++++ .../argo-workflows/cwfts/cwft-helm.yaml | 129 +++++++++++++ .../argo-workflows/cwfts/cwft-kaniko.yaml | 84 +++++++++ .../argo-workflows/externalsecret.yaml | 59 ++++++ .../argo-workflows/serviceaccount.yaml | 52 +++++ .../components/argo-workflows/vault-wait.yaml | 24 +++ .../components/argo-workflows/wait.yaml | 83 ++++++++ .../argo-workflows/wait/vault-tls.yaml | 46 +++++ .../components/argocd-appprojects/.gitkeep | 0 .../components/argocd/argocd-cm.yaml | 13 ++ .../argocd/argocd-cmd-params-cm.yaml | 11 ++ .../argocd/argocd-oidc-restart-job.yaml | 58 ++++++ .../components/argocd/argocd-ui-ingress.yaml | 74 ++++++++ .../components/argocd/cloudflareissuer.yaml | 29 +++ .../components/argocd/externalsecrets.yaml | 24 +++ .../components/argocd/kustomization.yaml | 18 ++ .../components/atlantis/application.yaml | 79 ++++++++ .../components/atlantis/cloudflareissuer.yaml | 31 +++ 
.../components/atlantis/externalsecret.yaml | 16 ++ .../templates/components/atlantis/wait.yaml | 59 ++++++ .../cert-issuers/clusterissuers.yaml | 29 +++ .../components/cert-manager/application.yaml | 30 +++ .../components/cert-manager/wait-todo.yaml | 0 .../components/chartmuseum/application.yaml | 63 +++++++ .../chartmuseum/cloudflareissuer.yaml | 31 +++ .../chartmuseum/externalsecret.yaml | 17 ++ .../components/chartmuseum/wait.yaml | 59 ++++++ .../clustersecretstore.yaml | 22 +++ .../components/cluster-secret-store/wait.yaml | 40 ++++ .../templates/components/clusters/.gitkeep | 0 .../crossplane/crossplane-system.yaml | 25 +++ .../crossplane-system/crossplane-secrets.yaml | 51 +++++ .../crossplane-system/crossplane-system.yaml | 24 +++ .../components/crossplane/provider.yaml | 25 +++ .../crossplane/provider/controllerconfig.yaml | 23 +++ .../provider/terraform-provider.yaml | 16 ++ .../components/external-dns/application.yaml | 44 +++++ .../components/external-dns/wait.yaml | 59 ++++++ .../external-secrets-operator.yaml | 56 ++++++ .../external-secrets-operator/wait.yaml | 107 +++++++++++ .../github-runner/runnerdeployment.yaml | 20 ++ .../github-runner/serviceaccount.yaml | 7 + .../components/ingress-nginx/application.yaml | 35 ++++ .../components/ingress-nginx/wait.yaml | 59 ++++++ .../components/nginx-apex/config-map.yaml | 109 +++++++++++ .../components/nginx-apex/ingress.yaml | 38 ++++ .../components/nginx-apex/kustomization.yaml | 8 + .../templates/components/nginx-apex/wait.yaml | 59 ++++++ .../components/reloader/application.yaml | 33 ++++ .../templates/components/reloader/wait.yaml | 59 ++++++ .../templates/crossplane.yaml | 25 +++ .../templates/external-dns.yaml | 24 +++ .../templates/external-secrets-operator.yaml | 24 +++ .../templates/github-runner.yaml | 33 ++++ .../templates/ingress-nginx.yaml | 24 +++ .../templates/nginx-apex.yaml | 24 +++ .../templates/registry.yaml | 30 +++ .../templates/reloader.yaml | 24 +++ 
templates/controlplane-template/values.yaml | 169 +++++++++++++++++ 80 files changed, 3338 insertions(+) create mode 100644 templates/controlplane-template/.helmignore create mode 100644 templates/controlplane-template/Chart.yaml create mode 100644 templates/controlplane-template/templates/actions-runner-controller.yaml create mode 100644 templates/controlplane-template/templates/appprojects.yaml create mode 100644 templates/controlplane-template/templates/argo-workflows.yaml create mode 100644 templates/controlplane-template/templates/argocd.yaml create mode 100644 templates/controlplane-template/templates/atlantis.yaml create mode 100644 templates/controlplane-template/templates/cert-issuers.yaml create mode 100644 templates/controlplane-template/templates/cert-manager.yaml create mode 100644 templates/controlplane-template/templates/chartmuseum.yaml create mode 100644 templates/controlplane-template/templates/cloudflare-origin-ca-issuer.yaml create mode 100644 templates/controlplane-template/templates/cloudflare-origin-issuer-crd.yaml create mode 100644 templates/controlplane-template/templates/cluster-secret-store.yaml create mode 100644 templates/controlplane-template/templates/clusterrolebinding.yaml create mode 100644 templates/controlplane-template/templates/clusters.yaml create mode 100644 templates/controlplane-template/templates/components/actions-runner-controller/application.yaml create mode 100644 templates/controlplane-template/templates/components/actions-runner-controller/externalsecret.yaml create mode 100644 templates/controlplane-template/templates/components/actions-runner-controller/wait.yaml create mode 100644 templates/controlplane-template/templates/components/argo-workflows/application.yaml create mode 100644 templates/controlplane-template/templates/components/argo-workflows/argo-workflows-cwfts.yaml create mode 100644 templates/controlplane-template/templates/components/argo-workflows/cloudflareissuer.yaml create mode 100644 
templates/controlplane-template/templates/components/argo-workflows/cwfts/cwft-git.yaml create mode 100644 templates/controlplane-template/templates/components/argo-workflows/cwfts/cwft-helm.yaml create mode 100644 templates/controlplane-template/templates/components/argo-workflows/cwfts/cwft-kaniko.yaml create mode 100644 templates/controlplane-template/templates/components/argo-workflows/externalsecret.yaml create mode 100644 templates/controlplane-template/templates/components/argo-workflows/serviceaccount.yaml create mode 100644 templates/controlplane-template/templates/components/argo-workflows/vault-wait.yaml create mode 100644 templates/controlplane-template/templates/components/argo-workflows/wait.yaml create mode 100644 templates/controlplane-template/templates/components/argo-workflows/wait/vault-tls.yaml create mode 100644 templates/controlplane-template/templates/components/argocd-appprojects/.gitkeep create mode 100644 templates/controlplane-template/templates/components/argocd/argocd-cm.yaml create mode 100644 templates/controlplane-template/templates/components/argocd/argocd-cmd-params-cm.yaml create mode 100644 templates/controlplane-template/templates/components/argocd/argocd-oidc-restart-job.yaml create mode 100644 templates/controlplane-template/templates/components/argocd/argocd-ui-ingress.yaml create mode 100644 templates/controlplane-template/templates/components/argocd/cloudflareissuer.yaml create mode 100644 templates/controlplane-template/templates/components/argocd/externalsecrets.yaml create mode 100644 templates/controlplane-template/templates/components/argocd/kustomization.yaml create mode 100644 templates/controlplane-template/templates/components/atlantis/application.yaml create mode 100644 templates/controlplane-template/templates/components/atlantis/cloudflareissuer.yaml create mode 100644 templates/controlplane-template/templates/components/atlantis/externalsecret.yaml create mode 100644 
templates/controlplane-template/templates/components/atlantis/wait.yaml create mode 100644 templates/controlplane-template/templates/components/cert-issuers/clusterissuers.yaml create mode 100644 templates/controlplane-template/templates/components/cert-manager/application.yaml create mode 100644 templates/controlplane-template/templates/components/cert-manager/wait-todo.yaml create mode 100644 templates/controlplane-template/templates/components/chartmuseum/application.yaml create mode 100644 templates/controlplane-template/templates/components/chartmuseum/cloudflareissuer.yaml create mode 100644 templates/controlplane-template/templates/components/chartmuseum/externalsecret.yaml create mode 100644 templates/controlplane-template/templates/components/chartmuseum/wait.yaml create mode 100644 templates/controlplane-template/templates/components/cluster-secret-store/clustersecretstore.yaml create mode 100644 templates/controlplane-template/templates/components/cluster-secret-store/wait.yaml create mode 100644 templates/controlplane-template/templates/components/clusters/.gitkeep create mode 100644 templates/controlplane-template/templates/components/crossplane/crossplane-system.yaml create mode 100644 templates/controlplane-template/templates/components/crossplane/crossplane-system/crossplane-secrets.yaml create mode 100644 templates/controlplane-template/templates/components/crossplane/crossplane-system/crossplane-system.yaml create mode 100644 templates/controlplane-template/templates/components/crossplane/provider.yaml create mode 100644 templates/controlplane-template/templates/components/crossplane/provider/controllerconfig.yaml create mode 100644 templates/controlplane-template/templates/components/crossplane/provider/terraform-provider.yaml create mode 100644 templates/controlplane-template/templates/components/external-dns/application.yaml create mode 100644 templates/controlplane-template/templates/components/external-dns/wait.yaml create mode 100644 
templates/controlplane-template/templates/components/external-secrets-operator/external-secrets-operator.yaml create mode 100644 templates/controlplane-template/templates/components/external-secrets-operator/wait.yaml create mode 100644 templates/controlplane-template/templates/components/github-runner/runnerdeployment.yaml create mode 100644 templates/controlplane-template/templates/components/github-runner/serviceaccount.yaml create mode 100644 templates/controlplane-template/templates/components/ingress-nginx/application.yaml create mode 100644 templates/controlplane-template/templates/components/ingress-nginx/wait.yaml create mode 100644 templates/controlplane-template/templates/components/nginx-apex/config-map.yaml create mode 100644 templates/controlplane-template/templates/components/nginx-apex/ingress.yaml create mode 100644 templates/controlplane-template/templates/components/nginx-apex/kustomization.yaml create mode 100644 templates/controlplane-template/templates/components/nginx-apex/wait.yaml create mode 100644 templates/controlplane-template/templates/components/reloader/application.yaml create mode 100644 templates/controlplane-template/templates/components/reloader/wait.yaml create mode 100644 templates/controlplane-template/templates/crossplane.yaml create mode 100644 templates/controlplane-template/templates/external-dns.yaml create mode 100644 templates/controlplane-template/templates/external-secrets-operator.yaml create mode 100644 templates/controlplane-template/templates/github-runner.yaml create mode 100644 templates/controlplane-template/templates/ingress-nginx.yaml create mode 100644 templates/controlplane-template/templates/nginx-apex.yaml create mode 100644 templates/controlplane-template/templates/registry.yaml create mode 100644 templates/controlplane-template/templates/reloader.yaml create mode 100644 templates/controlplane-template/values.yaml 
diff --git a/templates/controlplane-template/.helmignore b/templates/controlplane-template/.helmignore
new file mode 100644
index 0000000..fe06809
--- /dev/null
+++ b/templates/controlplane-template/.helmignore
@@ -0,0 +1,20 @@
+# Patterns to ignore when building packages.
+.DS_Store
+.git/
+.gitignore
+.helmignore
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+.project
+.idea/
+*.tmproj
+.vscode/
+
+# Ignore .gitkeep files in templates
+.gitkeep
+*/.gitkeep
+*/*/.gitkeep
+*/*/*/.gitkeep
diff --git a/templates/controlplane-template/Chart.yaml b/templates/controlplane-template/Chart.yaml
new file mode 100644
index 0000000..53adf34
--- /dev/null
+++ b/templates/controlplane-template/Chart.yaml
@@ -0,0 +1,6 @@
+apiVersion: v2
+name: controlplane-template
+description: Management cluster template for Konstruct GitOps - deploys ArgoCD applications and components
+type: application
+version: 0.1.0
+appVersion: "1.0.0"
diff --git a/templates/controlplane-template/templates/actions-runner-controller.yaml b/templates/controlplane-template/templates/actions-runner-controller.yaml
new file mode 100644
index 0000000..c130a63
--- /dev/null
+++ b/templates/controlplane-template/templates/actions-runner-controller.yaml
@@ -0,0 +1,33 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: actions-runner-controller-components
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+ namespace: argocd
+ annotations:
+ argocd.argoproj.io/sync-wave: '50'
+spec:
+ project: {{ .Values.project }}
+ source:
+ repoURL: {{ .Values.gitopsRepoUrl }}
+ path: registry/clusters/{{ .Values.clusterName }}/components/actions-runner-controller
+ targetRevision: HEAD
+ destination:
+ name: {{ .Values.clusterDestination }}
+ namespace: github-runner
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
+ - ApplyOutOfSyncOnly=true
+ - Replace=true
+ - PruneLast=true
+ retry:
+ limit: 5
+ backoff:
+ duration: 5s
+ maxDuration: 5m0s
+ factor: 2
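Review bot: `Replace=true` in the syncOptions of actions-runner-controller-components has no recorded reason, and it is the only Application template in the hunks visible here that uses it; with `prune: true` and `selfHeal: true` also set, drifted objects are replaced in full rather than three-way-merged, so fields that other controllers write into those objects would be overwritten on every self-heal. Add a comment above the option stating why it is needed, e.g. `# Replace=true: <reason — TODO confirm, e.g. manifest exceeds the last-applied-configuration annotation limit>`. If the reason is the annotation size limit, `ServerSideApply=true`, which argocd.yaml in this patch already uses, is the less disruptive alternative.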
diff --git a/templates/controlplane-template/templates/appprojects.yaml b/templates/controlplane-template/templates/appprojects.yaml
new file mode 100644
index 0000000..4dbba88
--- /dev/null
+++ b/templates/controlplane-template/templates/appprojects.yaml
@@ -0,0 +1,24 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: argocd-projects
+ namespace: argocd
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+ annotations:
+ argocd.argoproj.io/sync-wave: '0'
+spec:
+ project: {{ .Values.project }}
+ source:
+ repoURL: {{ .Values.gitopsRepoUrl }}
+ path: registry/clusters/{{ .Values.clusterName }}/components/argocd-appprojects
+ targetRevision: HEAD
+ destination:
+ name: {{ .Values.clusterDestination }}
+ namespace: argocd
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
diff --git a/templates/controlplane-template/templates/argo-workflows.yaml b/templates/controlplane-template/templates/argo-workflows.yaml
new file mode 100644
index 0000000..abfef09
--- /dev/null
+++ b/templates/controlplane-template/templates/argo-workflows.yaml
@@ -0,0 +1,24 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: argo-components
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+ namespace: argocd
+ annotations:
+ argocd.argoproj.io/sync-wave: '50'
+spec:
+ project: {{ .Values.project }}
+ source:
+ repoURL: {{ .Values.gitopsRepoUrl }}
+ path: registry/clusters/{{ .Values.clusterName }}/components/argo-workflows
+ targetRevision: HEAD
+ destination:
+ name: {{ .Values.clusterDestination }}
+ namespace: argo
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
diff --git a/templates/controlplane-template/templates/argocd.yaml b/templates/controlplane-template/templates/argocd.yaml
new file mode 100644
index 0000000..5bd3355
--- /dev/null
+++ b/templates/controlplane-template/templates/argocd.yaml
@@ -0,0 +1,31 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: argocd-kustomized-app
+ namespace: argocd
+ annotations:
+ argocd.argoproj.io/sync-wave: '100'
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ destination:
+ namespace: argocd
+ name: {{ .Values.clusterDestination }}
+ project: {{ .Values.project }}
+ source:
+ path: registry/clusters/{{ .Values.clusterName }}/components/argocd
+ repoURL: '{{ .Values.gitopsRepoUrl }}'
+ targetRevision: HEAD
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ retry:
+ limit: 5
+ backoff:
+ duration: 5s
+ maxDuration: 5m0s
+ factor: 2
+ syncOptions:
+ - CreateNamespace=true
+ - ServerSideApply=true
diff --git a/templates/controlplane-template/templates/atlantis.yaml b/templates/controlplane-template/templates/atlantis.yaml
new file mode 100644
index 0000000..be68115
--- /dev/null
+++ b/templates/controlplane-template/templates/atlantis.yaml
@@ -0,0 +1,30 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: atlantis-components
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+ namespace: argocd
+ annotations:
+ argocd.argoproj.io/sync-wave: '50'
+spec:
+ project: {{ .Values.project }}
+ source:
+ repoURL: {{ .Values.gitopsRepoUrl }}
+ path: registry/clusters/{{ .Values.clusterName }}/components/atlantis
+ targetRevision: HEAD
+ destination:
+ name: {{ .Values.clusterDestination }}
+ namespace: atlantis
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
+ retry:
+ limit: 5
+ backoff:
+ duration: 5s
+ maxDuration: 5m0s
+ factor: 2
diff --git a/templates/controlplane-template/templates/cert-issuers.yaml b/templates/controlplane-template/templates/cert-issuers.yaml
new file mode 100644
index 0000000..ee6e30e
--- /dev/null
+++ b/templates/controlplane-template/templates/cert-issuers.yaml
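Review bot: `repoURL: '{{ .Values.gitopsRepoUrl }}'` in argocd-kustomized-app is the only place in this patch where a templated value is quoted; the same value, plus `project`, `name` and `path`, is rendered as a bare scalar in actions-runner-controller.yaml, appprojects.yaml, argo-workflows.yaml, atlantis.yaml and the other Application templates. A bare `{{ .Values.x }}` renders to null when the value is empty and breaks the YAML when it contains `: `, `#` or a leading special character, while single quotes still fail on an embedded quote. Use `{{ .Values.gitopsRepoUrl | quote }}` (and the same for `project` and `clusterDestination`) consistently across the templates, or at least settle on one form for all of them.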
@@ -0,0 +1,24 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: cert-issuers
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+ namespace: argocd
+ annotations:
+ argocd.argoproj.io/sync-wave: '20'
+spec:
+ project: {{ .Values.project }}
+ source:
+ repoURL: {{ .Values.gitopsRepoUrl }}
+ path: registry/clusters/{{ .Values.clusterName }}/components/cert-issuers
+ targetRevision: HEAD
+ destination:
+ name: {{ .Values.clusterDestination }}
+ namespace: cert-manager
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
diff --git a/templates/controlplane-template/templates/cert-manager.yaml b/templates/controlplane-template/templates/cert-manager.yaml
new file mode 100644
index 0000000..33a6e06
--- /dev/null
+++ b/templates/controlplane-template/templates/cert-manager.yaml
@@ -0,0 +1,24 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: cert-manager-components
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+ namespace: argocd
+ annotations:
+ argocd.argoproj.io/sync-wave: '10'
+spec:
+ project: {{ .Values.project }}
+ source:
+ repoURL: {{ .Values.gitopsRepoUrl }}
+ path: registry/clusters/{{ .Values.clusterName }}/components/cert-manager
+ targetRevision: HEAD
+ destination:
+ name: {{ .Values.clusterDestination }}
+ namespace: cert-manager
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
diff --git a/templates/controlplane-template/templates/chartmuseum.yaml b/templates/controlplane-template/templates/chartmuseum.yaml
new file mode 100644
index 0000000..ee4ee62
--- /dev/null
+++ b/templates/controlplane-template/templates/chartmuseum.yaml
@@ -0,0 +1,24 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: chartmuseum-components
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+ namespace: argocd
+ annotations:
+ argocd.argoproj.io/sync-wave: '50'
+spec:
+ project: {{ .Values.project }}
+ source:
+ repoURL: {{ .Values.gitopsRepoUrl }}
+ path: registry/clusters/{{ .Values.clusterName }}/components/chartmuseum
+ targetRevision: HEAD
+ destination:
+ name: {{ .Values.clusterDestination }}
+ namespace: chartmuseum
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
diff --git a/templates/controlplane-template/templates/cloudflare-origin-ca-issuer.yaml b/templates/controlplane-template/templates/cloudflare-origin-ca-issuer.yaml
new file mode 100644
index 0000000..1a2a692
--- /dev/null
+++ b/templates/controlplane-template/templates/cloudflare-origin-ca-issuer.yaml
@@ -0,0 +1,34 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: cloudflare-cloudflare-origin-ca-issuer
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+ namespace: argocd
+ annotations:
+ argocd.argoproj.io/sync-wave: '19'
+spec:
+ project: {{ .Values.project }}
+ source:
+ repoURL: ghcr.io/cloudflare/origin-ca-issuer-charts
+ chart: origin-ca-issuer
+ targetRevision: 0.5.2
+ helm:
+ values: |-
+ global:
+ rbac:
+ create: true
+ controller:
+ image:
+ repository: cloudflare/origin-ca-issuer
+ tag: v0.6.1
+ pullPolicy: Always
+ destination:
+ name: {{ .Values.clusterDestination }}
+ namespace: cert-manager
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
diff --git a/templates/controlplane-template/templates/cloudflare-origin-issuer-crd.yaml b/templates/controlplane-template/templates/cloudflare-origin-issuer-crd.yaml
new file mode 100644
index 0000000..a4bcd58
--- /dev/null
+++ b/templates/controlplane-template/templates/cloudflare-origin-issuer-crd.yaml
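Review bot: `tag: v0.6.1` with `pullPolicy: Always` for `cloudflare/origin-ca-issuer` in cloudflare-cloudflare-origin-ca-issuer pins a mutable tag that is re-pulled on every pod start, so a moved tag changes the controller running in cert-manager with nothing changing in git; the chart is pinned to 0.5.2 while the image is overridden to v0.6.1, and the reason for that skew is not recorded. Prefer an immutable reference if the chart's image fields accept one, e.g. `tag: v0.6.1@sha256:<digest — TODO take from the registry>`. Also add a comment on the override, e.g. `# chart 0.5.2 bundles an older controller; image pinned to v0.6.1 to match the CRDs pulled by cloudflare-origin-issuer-crd.yaml — TODO confirm`.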
@@ -0,0 +1,24 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: cloudflare-origin-issuer-crd
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+ namespace: argocd
+ annotations:
+ argocd.argoproj.io/sync-wave: '19'
+spec:
+ project: {{ .Values.project }}
+ source:
+ repoURL: https://github.com/cloudflare/origin-ca-issuer
+ path: deploy/crds
+ targetRevision: v0.6.1
+ destination:
+ name: {{ .Values.clusterDestination }}
+ namespace: cert-manager
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
diff --git a/templates/controlplane-template/templates/cluster-secret-store.yaml b/templates/controlplane-template/templates/cluster-secret-store.yaml
new file mode 100644
index 0000000..0cc1571
--- /dev/null
+++ b/templates/controlplane-template/templates/cluster-secret-store.yaml
@@ -0,0 +1,30 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: cluster-secret-store
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+ namespace: argocd
+ annotations:
+ argocd.argoproj.io/sync-wave: '40'
+spec:
+ project: {{ .Values.project }}
+ source:
+ repoURL: {{ .Values.gitopsRepoUrl }}
+ path: registry/clusters/{{ .Values.clusterName }}/components/cluster-secret-store
+ targetRevision: HEAD
+ destination:
+ name: {{ .Values.clusterDestination }}
+ namespace: external-secrets-operator
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
+ retry:
+ limit: 5
+ backoff:
+ duration: 5s
+ maxDuration: 5m0s
+ factor: 2
diff --git a/templates/controlplane-template/templates/clusterrolebinding.yaml b/templates/controlplane-template/templates/clusterrolebinding.yaml
new file mode 100644
index 0000000..35bf79f
--- /dev/null
+++ b/templates/controlplane-template/templates/clusterrolebinding.yaml
@@ -0,0 +1,119 @@ +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: argocd-clusterrole + annotations: + argocd.argoproj.io/sync-wave: '0' +subjects: + - kind: ServiceAccount + name: argocd + namespace: argocd +roleRef: + kind: ClusterRole + name: admin + apiGroup: rbac.authorization.k8s.io +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: argo-clusterrole + annotations: + argocd.argoproj.io/sync-wave: '0' +subjects: + - kind: ServiceAccount + name: argo-server + namespace: argo +roleRef: + kind: ClusterRole + name: admin + apiGroup: rbac.authorization.k8s.io +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: github-runner-clusterrole + annotations: + argocd.argoproj.io/sync-wave: '0' +subjects: + - kind: ServiceAccount + name: github-runner + namespace: github-runner +roleRef: + kind: ClusterRole + name: admin + apiGroup: rbac.authorization.k8s.io +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: argo-admin-admin-clusterrole + annotations: + argocd.argoproj.io/sync-wave: '0' +subjects: + - kind: ServiceAccount + name: argo-admin + namespace: argo +roleRef: + kind: ClusterRole + name: admin + apiGroup: rbac.authorization.k8s.io +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: argo-admin-clusterrole + annotations: + argocd.argoproj.io/sync-wave: '0' +subjects: + - kind: ServiceAccount + name: argo-admin + namespace: argo +roleRef: + kind: ClusterRole + name: argo-admin + apiGroup: rbac.authorization.k8s.io +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: argo-developer-clusterrole + annotations: + argocd.argoproj.io/sync-wave: '0' +subjects: + - kind: ServiceAccount + name: argo-developer + namespace: argo +roleRef: + kind: ClusterRole + name: argo-view + apiGroup: rbac.authorization.k8s.io +--- +apiVersion: 
rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: argocd-admin-crb + annotations: + argocd.argoproj.io/sync-wave: '0' +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: admin +subjects: + - kind: ServiceAccount + name: argocd-server + namespace: argocd +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: argocd-crossplane-admin-crb + annotations: + argocd.argoproj.io/sync-wave: '0' +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: crossplane-admin +subjects: + - kind: ServiceAccount + name: argocd-server + namespace: argocd diff --git a/templates/controlplane-template/templates/clusters.yaml b/templates/controlplane-template/templates/clusters.yaml new file mode 100644 index 0000000..d5c3847 --- /dev/null +++ b/templates/controlplane-template/templates/clusters.yaml @@ -0,0 +1,25 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: clusters + namespace: argocd + finalizers: + - resources-finalizer.argocd.argoproj.io + annotations: + argocd.argoproj.io/sync-wave: '1000' +spec: + project: {{ .Values.project }} + source: + repoURL: {{ .Values.gitopsRepoUrl }} + path: registry/clusters/{{ .Values.clusterName }}/components/clusters + targetRevision: HEAD + destination: + name: {{ .Values.clusterDestination }} + namespace: argocd + syncPolicy: + automated: + prune: true + selfHeal: true + allowEmpty: true + syncOptions: + - CreateNamespace=true diff --git a/templates/controlplane-template/templates/components/actions-runner-controller/application.yaml b/templates/controlplane-template/templates/components/actions-runner-controller/application.yaml new file mode 100644 index 0000000..d16dbb5 --- /dev/null +++ b/templates/controlplane-template/templates/components/actions-runner-controller/application.yaml 
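Review bot: Every binding in clusterrolebinding.yaml is a ClusterRoleBinding to the `admin` ClusterRole, which makes the `argocd`, `argo-server`, `github-runner`, `argo-admin` and `argocd-server` service accounts namespace-admins in every namespace of the cluster, including ones whose Secrets they never need. The `github-runner` account is the widest exposure, since it presumably executes CI jobs; a RoleBinding in `github-runner` (or a ClusterRole limited to the verbs the runners use) is the least-privilege form, e.g. `kind: RoleBinding` with `namespace: github-runner` in its metadata. `argo-admin` is bound twice (`argo-admin-admin-clusterrole` to `admin` and `argo-admin-clusterrole` to `argo-admin`), so the narrower role is dead weight while the `admin` binding stands, and `argo-view` / `argo-admin` / `crossplane-admin` are not defined in this patch, so their existence depends on the charts that ship them.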
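Review bot: In clusters.yaml the combination of `prune: true` and `allowEmpty: true` means an empty or missing `components/clusters` directory is treated as a valid desired state and every cluster object this Application manages is pruned instead of the sync failing. That is a reasonable choice for a registry of workload clusters but it is the kind of setting a reader will assume is a mistake; a comment beside it, `# allowEmpty: a cleared registry intentionally prunes all managed clusters`, records the intent.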
@@ -0,0 +1,41 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: actions-runner-contoller + finalizers: + - resources-finalizer.argocd.argoproj.io + namespace: argocd + annotations: + argocd.argoproj.io/sync-wave: '10' +spec: + project: default + source: + repoURL: https://actions-runner-controller.github.io/actions-runner-controller + targetRevision: 0.20.2 + helm: + values: |- + image: + dindSidecarRepositoryAndTag: "docker:dind-rootless" + podSecurityContext: + runAsUser: 1000 + runAsNonRoot: true + securityContext: + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 1000 + chart: actions-runner-controller + destination: + name: in-cluster + namespace: github-runner + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true + - ApplyOutOfSyncOnly=true + - Replace=true + - PruneLast=true diff --git a/templates/controlplane-template/templates/components/actions-runner-controller/externalsecret.yaml b/templates/controlplane-template/templates/components/actions-runner-controller/externalsecret.yaml new file mode 100644 index 0000000..8d2657e --- /dev/null +++ b/templates/controlplane-template/templates/components/actions-runner-controller/externalsecret.yaml @@ -0,0 +1,18 @@ +apiVersion: external-secrets.io/v1alpha1 +kind: ExternalSecret +metadata: + name: controller-manager + namespace: github-runner + annotations: + argocd.argoproj.io/sync-wave: '0' +spec: + target: + name: controller-manager + secretStoreRef: + kind: ClusterSecretStore + name: vault-kv-secret + data: + - remoteRef: + key: ci-secrets + property: PERSONAL_ACCESS_TOKEN + secretKey: github_token diff --git a/templates/controlplane-template/templates/components/actions-runner-controller/wait.yaml b/templates/controlplane-template/templates/components/actions-runner-controller/wait.yaml new file mode 100644 index 0000000..e63aa77 --- /dev/null 
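Review bot: The actions-runner-controller Application hard-codes `project: default` and `destination.name: in-cluster` while every sibling template in this patch uses `{{ .Values.project }}` and `{{ .Values.clusterDestination }}`, so it sits outside whatever AppProject restrictions the values configure and will not follow the chart to another destination. The dind sidecar is set by `dindSidecarRepositoryAndTag: "docker:dind-rootless"`, a floating tag with no digest, which is the image that actually runs CI payloads; pin it the way the chart is pinned with `targetRevision: 0.20.2`. The ExternalSecret in the following hunk declares `external-secrets.io/v1alpha1` whereas the argo-workflows ExternalSecrets later in the patch use `v1beta1`; settling on one version avoids a hard failure when the operator drops the alpha API. `name: actions-runner-contoller` also looks misspelled.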
+++ b/templates/controlplane-template/templates/components/actions-runner-controller/wait.yaml @@ -0,0 +1,59 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: k8s-toolkit-arc + namespace: github-runner +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: k8s-toolkit-arc + namespace: github-runner +rules: + - apiGroups: + - apps + resources: + - deployments + - statefulsets + verbs: + - get + - watch + - list +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: k8s-toolkit-arc + namespace: github-runner +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: k8s-toolkit-arc +subjects: + - kind: ServiceAccount + name: k8s-toolkit-arc + namespace: github-runner +--- +apiVersion: batch/v1 +kind: Job +metadata: + annotations: + argocd.argoproj.io/sync-wave: '20' + name: wait-actions-runner-controller + namespace: github-runner +spec: + template: + spec: + containers: + - args: + - wait-for + - deployment + - --namespace + - github-runner + - --label + - app.kubernetes.io/name=actions-runner-controller + image: ghcr.io/konstructio/kubernetes-toolkit:v0.1.3 + imagePullPolicy: IfNotPresent + name: wait + restartPolicy: OnFailure + serviceAccountName: k8s-toolkit-arc diff --git a/templates/controlplane-template/templates/components/argo-workflows/application.yaml b/templates/controlplane-template/templates/components/argo-workflows/application.yaml new file mode 100644 index 0000000..19333c1 --- /dev/null +++ b/templates/controlplane-template/templates/components/argo-workflows/application.yaml 
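Review bot: The `wait-actions-runner-controller` Job sets neither `backoffLimit` nor `activeDeadlineSeconds`, so with `restartPolicy: OnFailure` a deployment that never becomes ready keeps the pod restarting indefinitely and the sync wave never resolves into a visible failure; `activeDeadlineSeconds: 3600` under the Job `spec:` bounds that. The same shape recurs in the argo-workflows `wait.yaml` and `wait/vault-tls.yaml` hunks later in this patch. The Role also grants `statefulsets` although the Job only waits on a `deployment`; dropping it keeps the grant to what the toolkit reads.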
@@ -0,0 +1,101 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: argo + finalizers: + - resources-finalizer.argocd.argoproj.io + namespace: argocd + annotations: + argocd.argoproj.io/sync-wave: '10' +spec: + project: {{ .Values.project }} + source: + repoURL: https://argoproj.github.io/argo-helm + targetRevision: {{ .Values.versions.argoWorkflows }} + helm: + values: |- + nameOverride: argo + executor: + resources: + requests: + cpu: 200m + memory: 256Mi + limits: + cpu: 1 + memory: 1024Mi + server: + secure: false + extraArgs: + - --auth-mode=client + - --auth-mode=sso + ingress: + enabled: true + ingressClassName: nginx + annotations: + {{- if .Values.certManager.issuerAnnotation1 }} + {{ .Values.certManager.issuerAnnotation1 }} + {{- end }} + {{- if .Values.certManager.issuerAnnotation2 }} + {{ .Values.certManager.issuerAnnotation2 }} + {{- end }} + {{- if .Values.certManager.issuerAnnotation3 }} + {{ .Values.certManager.issuerAnnotation3 }} + {{- end }} + {{- if .Values.certManager.issuerAnnotation4 }} + {{ .Values.certManager.issuerAnnotation4 }} + {{- end }} + hosts: + - argo.{{ .Values.domainName }} + paths: + - / + pathType: Prefix + tls: + - secretName: argo-tls + hosts: + - argo.{{ .Values.domainName }} + sso: + issuer: https://vault.{{ .Values.domainName }}/v1/identity/oidc/provider/kubefirst + clientId: + name: argo-secrets + key: client-id + clientSecret: + name: argo-secrets + key: client-secret + redirectUrl: https://argo.{{ .Values.domainName }}/oauth2/callback + scopes: + - email + - openid + - groups + - user + - profile + # RBAC Config. 
>= v2.12 + rbac: + enabled: true + useDefaultArtifactRepo: true + useStaticCredentials: true + artifactRepository: + archiveLogs: false + s3: + accessKeySecret: + name: ci-secrets + key: accesskey + secretKeySecret: + name: ci-secrets + key: secretkey + insecure: false + bucket: {{ .Values.kubefirstStateStoreBucket }} + endpoint: objectstore.{{ .Values.cloudRegion }}.civo.com + region: {{ .Values.cloudRegion }} + useSDKCreds: false + encryptionOptions: + enableEncryption: false + chart: argo-workflows + destination: + name: {{ .Values.clusterDestination }} + namespace: argo + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true diff --git a/templates/controlplane-template/templates/components/argo-workflows/argo-workflows-cwfts.yaml b/templates/controlplane-template/templates/components/argo-workflows/argo-workflows-cwfts.yaml new file mode 100644 index 0000000..a985a86 --- /dev/null +++ b/templates/controlplane-template/templates/components/argo-workflows/argo-workflows-cwfts.yaml @@ -0,0 +1,24 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: argo-cwfts + finalizers: + - resources-finalizer.argocd.argoproj.io + namespace: argocd + annotations: + argocd.argoproj.io/sync-wave: '30' +spec: + project: {{ .Values.project }} + source: + repoURL: {{ .Values.gitopsRepoUrl }} + path: registry/clusters/{{ .Values.clusterName }}/components/argo-workflows/cwfts + targetRevision: HEAD + destination: + name: {{ .Values.clusterDestination }} + namespace: argo + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true diff --git a/templates/controlplane-template/templates/components/argo-workflows/cloudflareissuer.yaml b/templates/controlplane-template/templates/components/argo-workflows/cloudflareissuer.yaml new file mode 100644 index 0000000..0e2593d --- /dev/null +++ b/templates/controlplane-template/templates/components/argo-workflows/cloudflareissuer.yaml 
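Review bot: `enableEncryption: false` under `artifactRepository.s3.encryptionOptions` stores workflow artifacts unencrypted in `{{ .Values.kubefirstStateStoreBucket }}`, and with `useDefaultArtifactRepo: true` the `repo-source` outputs of the cwft templates, which are full clones of the gitops and application repositories, land there too. Unless the Civo object store rejects server-side-encryption headers, `enableEncryption: true` is a one-line change. `secure: false` together with the `--auth-mode=client` entry means the server speaks plaintext to the ingress and still accepts raw service-account tokens alongside SSO; both look deliberate given the rest of the patch, so a comment such as `# TLS terminates at ingress-nginx; client auth is kept for the argo-admin/argo-developer tokens` would keep a later reader from "fixing" them.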
@@ -0,0 +1,31 @@ +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: cloudflare-creds + namespace: argo + annotations: + argocd.argoproj.io/sync-wave: "0" +spec: + target: + name: cloudflare-creds + secretStoreRef: + kind: ClusterSecretStore + name: vault-kv-secret + refreshInterval: 10s + data: + - remoteRef: + key: cloudflare + property: origin-ca-api-key + secretKey: origin-ca-api-key +--- +apiVersion: cert-manager.k8s.cloudflare.com/v1 +kind: OriginIssuer +metadata: + name: cloudflare-origin-issuer + namespace: argo +spec: + requestType: OriginECC + auth: + serviceKeyRef: + key: origin-ca-api-key + name: cloudflare-creds diff --git a/templates/controlplane-template/templates/components/argo-workflows/cwfts/cwft-git.yaml b/templates/controlplane-template/templates/components/argo-workflows/cwfts/cwft-git.yaml new file mode 100644 index 0000000..4271e3f --- /dev/null +++ b/templates/controlplane-template/templates/components/argo-workflows/cwfts/cwft-git.yaml 
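Review bot: `refreshInterval: 10s` makes external-secrets re-read the `cloudflare` Vault path every ten seconds for an API key that changes rarely, producing a constant stream of Vault reads and audit entries per ExternalSecret; the argo-workflows externalsecret.yaml hunk sets the same interval on three more. Something like `refreshInterval: 1h` is the usual choice for long-lived keys, with a forced refresh on rotation. The ExternalSecret and the `OriginIssuer` are both namespaced to `argo`, which is fine, but it means the issuer is only usable by Certificates in that namespace.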
@@ -0,0 +1,178 @@ +apiVersion: argoproj.io/v1alpha1 +kind: ClusterWorkflowTemplate +metadata: + name: cwft-git + annotations: + argocd.argoproj.io/sync-wave: '55' +spec: + templates: + - name: checkout-with-gitops-ssh + inputs: + parameters: + - name: appName + - name: branch + default: main + - name: gitUrlNoProtocol + artifacts: + - name: repo-source + path: '/src/{{`{{inputs.parameters.appName}}`}}' + git: + repo: '{{`{{inputs.parameters.gitUrlNoProtocol}}`}}/{{`{{inputs.parameters.appName}}`}}.git' + branch: '{{`{{inputs.parameters.branch}}`}}' + singleBranch: true + insecureIgnoreHostKey: true + sshPrivateKeySecret: + name: ci-secrets + key: SSH_PRIVATE_KEY + - name: gitops-source + path: /src/gitops + git: + repo: '{{`{{inputs.parameters.gitUrlNoProtocol}}`}}/gitops.git' + branch: 'main' + singleBranch: true + insecureIgnoreHostKey: true + sshPrivateKeySecret: + name: ci-secrets + key: SSH_PRIVATE_KEY + container: + image: golang:latest + command: ['/bin/sh', '-c'] + args: + - ls -la /src && + ls -la /src/{{`{{inputs.parameters.appName}}`}} + outputs: + artifacts: + - name: repo-source + path: /src + - name: checkout-with-gitops-https + inputs: + parameters: + - name: appName + - name: branch + default: main + - name: gitUrlNoProtocol + artifacts: + - name: repo-source + path: '/src/{{`{{inputs.parameters.appName}}`}}' + git: + repo: '{{`{{inputs.parameters.gitUrlNoProtocol}}`}}/{{`{{inputs.parameters.appName}}`}}.git' + branch: '{{`{{inputs.parameters.branch}}`}}' + singleBranch: true + insecureIgnoreHostKey: true + usernameSecret: + name: ci-secrets + key: BASIC_AUTH_USER + passwordSecret: + name: ci-secrets + key: PERSONAL_ACCESS_TOKEN + - name: gitops-source + path: /src/gitops + git: + repo: '{{`{{inputs.parameters.gitUrlNoProtocol}}`}}/gitops.git' + branch: 'main' + singleBranch: true + insecureIgnoreHostKey: true + usernameSecret: + name: ci-secrets + key: BASIC_AUTH_USER + passwordSecret: + name: ci-secrets + key: PERSONAL_ACCESS_TOKEN + container: + 
image: golang:latest + command: ['/bin/sh', '-c'] + args: + - ls -la /src && + ls -la /src/{{`{{inputs.parameters.appName}}`}} + outputs: + artifacts: + - name: repo-source + path: /src + - name: pull-commit-push-ssh + retryStrategy: + limit: '5' + # todo get ssh item not all secrets + volumes: + - name: ssh-key + secret: + defaultMode: 256 + secretName: ci-secrets + inputs: + artifacts: + - name: repo-source + path: /src + parameters: + - name: commitMessage + - name: gitUrlNoProtocol + - name: repoName + container: + workingDir: '/src/{{`{{inputs.parameters.repoName}}`}}' + image: golang:latest + command: ['/bin/sh', '-c'] + volumeMounts: + - mountPath: '/mnt/secrets' + name: ssh-key + readOnly: true + args: + - set -e; + + eval `ssh-agent -s`; + mkdir $HOME/.ssh; + cat /mnt/secrets/SSH_PRIVATE_KEY > $HOME/.ssh/id_ed25519; + echo -n "\\n" >> $HOME/.ssh/id_ed25519; + chmod 0600 $HOME/.ssh/id_ed25519; + ssh-add $HOME/.ssh/id_ed25519; + + echo "Host *" >> $HOME/.ssh/config; + echo " StrictHostKeyChecking no" >> $HOME/.ssh/config; + echo " User git" >> $HOME/.ssh/config; + echo " IdentitiesOnly yes" >> $HOME/.ssh/config; + echo " UserKnownHostsFile /dev/null" >> $HOME/.ssh/config; + chmod 0700 $HOME/.ssh/config; + + git config --global user.email 'k-ray@example.com'; + git config --global user.name 'kbot'; + git remote set-url origin '{{`{{inputs.parameters.gitUrlNoProtocol}}`}}/{{`{{inputs.parameters.repoName}}`}}.git'; + git remote -v; + git status; + git pull; + git add .; + git commit -m "{{`{{inputs.parameters.commitMessage}}`}}" || echo "Assuming this was committed on previous run, not erroring out" ; + git push; + - name: pull-commit-push-https + retryStrategy: + limit: '5' + # todo get ssh item not all secrets + inputs: + artifacts: + - name: repo-source + path: /src + parameters: + - name: commitMessage + - name: gitUrlNoProtocol + - name: repoName + container: + workingDir: '/src/{{`{{inputs.parameters.repoName}}`}}' + image: golang:latest + command: 
['/bin/bash', '-c'] + env: + - name: GIT_TOKEN + valueFrom: + secretKeyRef: + name: ci-secrets + key: PERSONAL_ACCESS_TOKEN + args: + - set -e; + + git config --global user.email 'k-ray@example.com'; + git config --global user.name 'kbot'; + echo "set url to https://kbot:token@{{ .Values.gitProvider }}.com/the_rest_of_the input slug"; + input_url='{{`{{inputs.parameters.gitUrlNoProtocol}}`}}/{{`{{inputs.parameters.repoName}}`}}.git'; + origin_url="${input_url/"https://{{ .Values.gitProvider }}.com"/"https://kbot:$GIT_TOKEN@{{ .Values.gitProvider }}.com"}"; + git remote set-url origin $origin_url; + git remote -v; + git status; + git pull; + git add .; + git commit -m "{{`{{inputs.parameters.commitMessage}}`}}" || echo "Assuming this was committed on previous run, not erroring out" ; + git push; diff --git a/templates/controlplane-template/templates/components/argo-workflows/cwfts/cwft-helm.yaml b/templates/controlplane-template/templates/components/argo-workflows/cwfts/cwft-helm.yaml new file mode 100644 index 0000000..81802dd --- /dev/null +++ b/templates/controlplane-template/templates/components/argo-workflows/cwfts/cwft-helm.yaml 
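Review bot: In `pull-commit-push-https` the remote is rewritten to `https://kbot:$GIT_TOKEN@…` and the very next command, `git remote -v`, prints that URL including the token into the step's stdout, which Argo keeps as pod logs and archives, so PERSONAL_ACCESS_TOKEN ends up in the workflow UI and the artifact store; drop the `git remote -v;` line (or feed the token through a credential helper / `http.extraheader` instead of the URL). In `pull-commit-push-ssh` the `ssh-key` volume mounts all of `ci-secrets` where only the key is read, as the `# todo` admits; `items:` / `- key: SSH_PRIVATE_KEY` / `path: SSH_PRIVATE_KEY` under `secret:` limits the mount to that one entry. Every git artifact in this template sets `insecureIgnoreHostKey: true`, and the ssh step additionally writes `StrictHostKeyChecking no` and `UserKnownHostsFile /dev/null`, so host-key verification is off end to end; a known_hosts entry for the git provider injected via ConfigMap restores it. `image: golang:latest` is also unpinned for steps that push to the gitops repository.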
@@ -0,0 +1,129 @@ +apiVersion: argoproj.io/v1alpha1 +kind: ClusterWorkflowTemplate +metadata: + name: cwft-helm + annotations: + argocd.argoproj.io/sync-wave: '55' +spec: + templates: + - name: get-chart-version + inputs: + artifacts: + - name: repo-source + path: /src + parameters: + - name: appName + - name: chartDir + script: + image: kubefirst/chubbo:0.2 + command: [python3] + workingDir: '/src/{{`{{inputs.parameters.appName}}`}}' + source: | + import yaml, semver + with open('./{{`{{inputs.parameters.chartDir}}`}}/Chart.yaml') as f: + chart_yaml = yaml.load(f, Loader=yaml.FullLoader) + print(chart_yaml['version']) + - name: set-chart-versions + inputs: + artifacts: + - name: repo-source + path: /src + parameters: + - name: appName + - name: chartDir + - name: chartVersion + - name: shortSha + script: + image: kubefirst/chubbo:0.2 + command: [bash] + workingDir: '/src/{{`{{inputs.parameters.appName}}`}}' + source: | + set -e + NEW_CHART_VERSION={{`{{inputs.parameters.chartVersion}}`}} + echo "setting ./{{`{{inputs.parameters.chartDir}}`}}/Chart.yaml to version: ${NEW_CHART_VERSION}" + sed -i "s/version:.*/version: ${NEW_CHART_VERSION}/g" /src/{{`{{inputs.parameters.appName}}`}}/{{`{{inputs.parameters.chartDir}}`}}/Chart.yaml + echo "setting ./{{`{{inputs.parameters.chartDir}}`}}/Chart.yaml to appVersion: {{`{{inputs.parameters.shortSha}}`}}" + sed -i "s/appVersion:.*/appVersion: '{{`{{inputs.parameters.shortSha}}`}}'/g" /src/{{`{{inputs.parameters.appName}}`}}/{{`{{inputs.parameters.chartDir}}`}}/Chart.yaml + echo "adjusted chart:" + cat /src/{{`{{inputs.parameters.appName}}`}}/{{`{{inputs.parameters.chartDir}}`}}/Chart.yaml + outputs: + artifacts: + - name: repo-source + path: /src + - name: publish-chart + retryStrategy: + limit: '5' + inputs: + artifacts: + - name: repo-source + path: /src + parameters: + - name: appName + - name: chartDir + container: + image: kubefirst/chubbo:0.2 + command: ['bash', '-c'] + workingDir: 
'/src/{{`{{inputs.parameters.appName}}`}}' + args: + - helm repo add kubefirst http://chartmuseum.chartmuseum.svc.cluster.local:8080 --username ${BASIC_AUTH_USER} --password ${BASIC_AUTH_PASS} || bash -c "sleep 10 && echo 'waiting before trying again' && exit 1"; + helm push {{`{{inputs.parameters.chartDir}}`}} kubefirst || bash -c "sleep 10 && echo 'waiting before trying again' && exit 1"; + env: + - name: BASIC_AUTH_PASS + valueFrom: + secretKeyRef: + name: ci-secrets + key: BASIC_AUTH_PASS + - name: BASIC_AUTH_USER + valueFrom: + secretKeyRef: + name: ci-secrets + key: BASIC_AUTH_USER + - name: set-environment-version + inputs: + artifacts: + - name: repo-source + path: /src + parameters: + - name: chartVersion + - name: environment + - name: fullChartPath + script: + image: kubefirst/chubbo:0.2 + command: [bash] + workingDir: '/src/gitops' + source: | + set -e + echo "setting wrapper Chart.yaml to version: {{`{{inputs.parameters.chartVersion}}`}}" + sed -i "s/ version:.*/ version: {{`{{inputs.parameters.chartVersion}}`}}/g" "{{`{{inputs.parameters.fullChartPath}}`}}" + echo "updated {{`{{inputs.parameters.environment}}`}} wrapper chart version to {{`{{inputs.parameters.chartVersion}}`}}" + outputs: + artifacts: + - name: repo-source + path: /src + - name: increment-chart-minor + inputs: + artifacts: + - name: repo-source + path: /src + parameters: + - name: appName + - name: chartDir + - name: chartVersion + script: + image: kubefirst/chubbo:0.2 + command: [python3] + workingDir: '/src/{{`{{inputs.parameters.appName}}`}}' + source: | + import yaml, semver + with open('./{{`{{inputs.parameters.chartDir}}`}}/Chart.yaml') as f: + chart_yaml = yaml.load(f, Loader=yaml.FullLoader) + chart_version = semver.parse('{{`{{inputs.parameters.chartVersion}}`}}') + next_chart_version = '{}.{}.0'.format(chart_version['major'],chart_version['minor']+1) + chart_yaml['version'] = next_chart_version + with open('./{{`{{inputs.parameters.chartDir}}`}}/Chart.yaml', 'w') as f: + 
yaml.dump(chart_yaml, f) + print('prepared next release in {{`{{inputs.parameters.chartDir}}`}} with bumped chart version after releasing {}'.format(next_chart_version)) + outputs: + artifacts: + - name: repo-source + path: /src diff --git a/templates/controlplane-template/templates/components/argo-workflows/cwfts/cwft-kaniko.yaml b/templates/controlplane-template/templates/components/argo-workflows/cwfts/cwft-kaniko.yaml new file mode 100644 index 0000000..20a21f8 --- /dev/null +++ b/templates/controlplane-template/templates/components/argo-workflows/cwfts/cwft-kaniko.yaml 
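Review bot: In `set-chart-versions` the substitution `sed -i "s/version:.*/version: ${NEW_CHART_VERSION}/g"` is unanchored, so every line of Chart.yaml that contains `version:` is rewritten, which includes each `version:` under `dependencies:`; anchoring it, `sed -i "s/^version:.*/version: ${NEW_CHART_VERSION}/"`, and likewise `^appVersion:` for the second sed, limits it to the top-level keys. The two Python scripts use `yaml.load(f, Loader=yaml.FullLoader)` on a Chart.yaml that comes straight from the built repository; `yaml.safe_load(f)` is the loader for repository-controlled input and yields the same dict here. In `publish-chart` the password is passed as `--password ${BASIC_AUTH_PASS}` on the command line, visible in the container's process list; `helm repo add` accepts `--password-stdin`, so `echo "$BASIC_AUTH_PASS" | helm repo add ... --password-stdin` keeps it out of argv.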
@@ -0,0 +1,84 @@ +apiVersion: argoproj.io/v1alpha1 +kind: ClusterWorkflowTemplate +metadata: + name: cwft-kaniko +spec: + entrypoint: build-push + templates: + - name: build-push-ssh + inputs: + parameters: + - name: appName + - name: branch + - name: containerRegistryURL + - name: gitUrlNoProtocol + artifacts: + - name: app-source + path: '/src/{{`{{inputs.parameters.appName}}`}}' + git: + repo: '{{`{{inputs.parameters.gitUrlNoProtocol}}`}}/{{`{{inputs.parameters.appName}}`}}.git' + branch: '{{`{{inputs.parameters.branch}}`}}' + singleBranch: true + insecureIgnoreHostKey: true + sshPrivateKeySecret: + name: ci-secrets + key: SSH_PRIVATE_KEY + volumes: + - name: docker-config + secret: + secretName: 'container-registry-auth' + container: + image: gcr.io/kaniko-project/executor:latest + volumeMounts: + - name: docker-config + mountPath: /.docker + env: + - name: DOCKER_CONFIG + value: /.docker + args: + - '--dockerfile' + - 'Dockerfile' + - '--context' + - 'dir:///src/{{`{{inputs.parameters.appName}}`}}/' + - '--destination' + - '{{`{{inputs.parameters.containerRegistryURL}}`}}' + - name: build-push-https + inputs: + parameters: + - name: appName + - name: branch + - name: containerRegistryURL + - name: gitUrlNoProtocol + artifacts: + - name: app-source + path: '/src/{{`{{inputs.parameters.appName}}`}}' + git: + repo: '{{`{{inputs.parameters.gitUrlNoProtocol}}`}}/{{`{{inputs.parameters.appName}}`}}.git' + branch: '{{`{{inputs.parameters.branch}}`}}' + singleBranch: true + insecureIgnoreHostKey: true + usernameSecret: + name: ci-secrets + key: BASIC_AUTH_USER + passwordSecret: + name: ci-secrets + key: PERSONAL_ACCESS_TOKEN + volumes: + - name: docker-config + secret: + secretName: 'container-registry-auth' + container: + image: gcr.io/kaniko-project/executor:latest + volumeMounts: + - name: docker-config + mountPath: /.docker + env: + - name: DOCKER_CONFIG + value: /.docker + args: + - '--dockerfile' + - 'Dockerfile' + - '--context' + - 
'dir:///src/{{`{{inputs.parameters.appName}}`}}/' + - '--destination' + - '{{`{{inputs.parameters.containerRegistryURL}}`}}' diff --git a/templates/controlplane-template/templates/components/argo-workflows/externalsecret.yaml b/templates/controlplane-template/templates/components/argo-workflows/externalsecret.yaml new file mode 100644 index 0000000..a276c8c --- /dev/null +++ b/templates/controlplane-template/templates/components/argo-workflows/externalsecret.yaml @@ -0,0 +1,59 @@ +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: ci-secrets + namespace: argo + annotations: + argocd.argoproj.io/sync-wave: '0' +spec: + target: + name: ci-secrets + secretStoreRef: + kind: ClusterSecretStore + name: vault-kv-secret + refreshInterval: 10s + dataFrom: + - extract: + key: /ci-secrets +--- +apiVersion: 'external-secrets.io/v1beta1' +kind: ExternalSecret +metadata: + name: argo-secrets + annotations: + argocd.argoproj.io/sync-wave: '0' +spec: + target: + name: argo-secrets + secretStoreRef: + kind: ClusterSecretStore + name: vault-kv-secret + refreshInterval: 10s + data: + - remoteRef: + key: oidc/argo + property: client_id + secretKey: client-id + - remoteRef: + key: oidc/argo + property: client_secret + secretKey: client-secret +--- +apiVersion: 'external-secrets.io/v1beta1' +kind: ExternalSecret +metadata: + name: container-registry-auth + annotations: + argocd.argoproj.io/sync-wave: '0' +spec: + target: + name: container-registry-auth + secretStoreRef: + kind: ClusterSecretStore + name: vault-kv-secret + refreshInterval: 10s + data: + - remoteRef: + key: registry-auth + property: auth + secretKey: config.json diff --git a/templates/controlplane-template/templates/components/argo-workflows/serviceaccount.yaml b/templates/controlplane-template/templates/components/argo-workflows/serviceaccount.yaml new file mode 100644 index 0000000..b18f586 --- /dev/null 
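Review bot: `entrypoint: build-push` in cwft-kaniko.yaml names a template that this ClusterWorkflowTemplate does not define (only `build-push-ssh` and `build-push-https` exist), so submitting it by entrypoint fails at validation; either drop the `entrypoint:` line or point it at one of the two. Both build steps run `gcr.io/kaniko-project/executor:latest`, the image that builds and pushes every application image, with no tag or digest pin; pinning it matters more than anywhere else in this patch. The git artifacts repeat `insecureIgnoreHostKey: true`, already raised on the cwft-git hunk.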
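Review bot: In externalsecret.yaml the `argo-secrets` and `container-registry-auth` ExternalSecrets omit `metadata.namespace` while `ci-secrets` sets `namespace: argo`, so the first two rely on the Application's destination namespace to land in the right place; adding `namespace: argo` to both makes the file self-describing and safe to apply by hand. `dataFrom: extract: key: /ci-secrets` copies the whole Vault entry into the namespace, which is what the cwft-git `# todo` comment is uneasy about; the per-key `data:` form used for `argo-secrets` scopes it down.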
+++ b/templates/controlplane-template/templates/components/argo-workflows/serviceaccount.yaml @@ -0,0 +1,52 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: argo-admin + annotations: + argocd.argoproj.io/sync-wave: '0' + # The rule is an expression used to determine if this service account + # should be used. + # * `groups` - an array of the OIDC groups + # * `iss` - the issuer ("argo-server") + # * `sub` - the subject (typically the username) + # Must evaluate to a boolean. + # If you want an account to be the default to use, this rule can be "true". + # Details of the expression language are available in + # https://github.com/antonmedv/expr/blob/master/docs/Language-Definition.md. + workflows.argoproj.io/rbac-rule: "'admins' in groups" + # The precedence is used to determine which service account to use whe + # Precedence is an integer. It may be negative. If omitted, it defaults to "0". + # Numerically higher values have higher precedence (not lower, which maybe + # counter-intuitive to you). + # If two rules match and have the same precedence, then which one used will + # be arbitrary. + workflows.argoproj.io/rbac-rule-precedence: '1' +secrets: +- name: argo-admin +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: argo-developer + annotations: + argocd.argoproj.io/sync-wave: '0' + workflows.argoproj.io/rbac-rule: "'developers' in groups" + workflows.argoproj.io/rbac-rule-precedence: '0' +secrets: +- name: argo-developer +--- +apiVersion: v1 +kind: Secret +metadata: + name: argo-admin + annotations: + kubernetes.io/service-account.name: argo-admin +type: kubernetes.io/service-account-token +--- +apiVersion: v1 +kind: Secret +metadata: + name: argo-developer + annotations: + kubernetes.io/service-account.name: argo-developer +type: kubernetes.io/service-account-token 
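Review bot: The two `kubernetes.io/service-account-token` Secrets create non-expiring tokens for `argo-admin` and `argo-developer`, and `argo-admin` is bound cluster-wide to the `admin` ClusterRole in clusterrolebinding.yaml, so each of these Secrets is a long-lived cluster-admin-equivalent credential living in the `argo` namespace. If they are needed for the server's SSO-to-service-account mapping, say so and note the rotation expectation, e.g. `# long-lived token consumed by argo-server SSO RBAC; rotate by deleting the Secret`. The explanatory comment on `rbac-rule-precedence` is cut off at `to use whe`; completing it would make the file read straight through.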
diff --git a/templates/controlplane-template/templates/components/argo-workflows/vault-wait.yaml b/templates/controlplane-template/templates/components/argo-workflows/vault-wait.yaml new file mode 100644 index 0000000..ef58ba1 --- /dev/null +++ b/templates/controlplane-template/templates/components/argo-workflows/vault-wait.yaml @@ -0,0 +1,24 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: vault-wait + namespace: argocd + annotations: + argocd.argoproj.io/sync-wave: '0' + finalizers: + - resources-finalizer.argocd.argoproj.io +spec: + project: {{ .Values.project }} + source: + repoURL: {{ .Values.gitopsRepoUrl }} + path: registry/clusters/{{ .Values.clusterName }}/components/argo-workflows/wait + targetRevision: HEAD + destination: + name: {{ .Values.clusterDestination }} + namespace: vault + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true diff --git a/templates/controlplane-template/templates/components/argo-workflows/wait.yaml b/templates/controlplane-template/templates/components/argo-workflows/wait.yaml new file mode 100644 index 0000000..40c40e1 --- /dev/null +++ b/templates/controlplane-template/templates/components/argo-workflows/wait.yaml 
@@ -0,0 +1,83 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: k8s-toolkit-argo + namespace: argo +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: k8s-toolkit-argo + namespace: argo +rules: + - apiGroups: + - apps + resources: + - deployments + - statefulsets + verbs: + - get + - watch + - list +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: k8s-toolkit-argo + namespace: argo +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: k8s-toolkit-argo +subjects: + - kind: ServiceAccount + name: k8s-toolkit-argo + namespace: argo +--- +apiVersion: batch/v1 +kind: Job +metadata: + annotations: + argocd.argoproj.io/sync-wave: '20' + name: wait-argo-workflow-controller + namespace: argo +spec: + template: + spec: + containers: + - args: + - wait-for + - deployment + - --namespace + - argo + - --label + - app.kubernetes.io/name=argo-workflow-controller + image: ghcr.io/konstructio/kubernetes-toolkit:v0.1.3 + imagePullPolicy: IfNotPresent + name: wait + restartPolicy: OnFailure + serviceAccountName: k8s-toolkit-argo +--- +apiVersion: batch/v1 +kind: Job +metadata: + annotations: + argocd.argoproj.io/sync-wave: '20' + name: wait-argo-server + namespace: argo +spec: + template: + spec: + containers: + - args: + - wait-for + - deployment + - --namespace + - argo + - --label + - app.kubernetes.io/name=argo-server + image: ghcr.io/konstructio/kubernetes-toolkit:v0.1.3 + imagePullPolicy: IfNotPresent + name: wait + restartPolicy: OnFailure + serviceAccountName: k8s-toolkit-argo diff --git a/templates/controlplane-template/templates/components/argo-workflows/wait/vault-tls.yaml b/templates/controlplane-template/templates/components/argo-workflows/wait/vault-tls.yaml new file mode 100644 index 0000000..6108f22 --- /dev/null +++ b/templates/controlplane-template/templates/components/argo-workflows/wait/vault-tls.yaml 
@@ -0,0 +1,46 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: k8s-toolkit-vault-tls
+ namespace: vault
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: k8s-toolkit-vault-tls
+ namespace: vault
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cert-manager-view
+subjects:
+ - kind: ServiceAccount
+ name: k8s-toolkit-vault-tls
+ namespace: vault
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ annotations:
+ argocd.argoproj.io/sync-wave: '0'
+ argocd.argoproj.io/sync-options: Force=true,Replace=true
+ name: wait-vault-tls
+ namespace: vault
+spec:
+ template:
+ spec:
+ containers:
+ - args:
+ - wait-for
+ - certificate
+ - --namespace
+ - vault
+ - --name
+ - vault-tls
+ - --timeout-seconds
+ - '3600'
+ image: ghcr.io/konstructio/kubernetes-toolkit:v0.1.3
+ imagePullPolicy: IfNotPresent
+ name: wait
+ restartPolicy: OnFailure
+ serviceAccountName: k8s-toolkit-vault-tls
diff --git a/templates/controlplane-template/templates/components/argocd-appprojects/.gitkeep b/templates/controlplane-template/templates/components/argocd-appprojects/.gitkeep
new file mode 100644
index 0000000..e69de29
diff --git a/templates/controlplane-template/templates/components/argocd/argocd-cm.yaml b/templates/controlplane-template/templates/components/argocd/argocd-cm.yaml
new file mode 100644
index 0000000..fdc9ddb
--- /dev/null
+++ b/templates/controlplane-template/templates/components/argocd/argocd-cm.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: argocd-cm
+data:
+ url: 'https://argocd.{{ .Values.domainName }}'
+ oidc.config: |
+ name: Vault
+ issuer: https://vault.{{ .Values.domainName }}/v1/identity/oidc/provider/kubefirst
+ clientID: $argocd-oidc-secret:clientId
+ clientSecret: $argocd-oidc-secret:clientSecret
+ requestedScopes: ["openid", "groups", "user", "profile", "email"]
+ requestedIDTokenClaims: {"groups": {"essential": true}}
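Review bot: The ClusterRoleBinding grants the `k8s-toolkit-vault-tls` service account the `cert-manager-view` ClusterRole across the whole cluster, while the Job only reads the single `vault-tls` Certificate in `vault`; a `kind: RoleBinding` in namespace `vault` with the same `roleRef` gives identical read access scoped to that namespace. The `namespace: vault` under the ClusterRoleBinding's metadata is ignored on a cluster-scoped object, which suggests the namespaced binding was what was intended. `--timeout-seconds 3600` bounds one attempt but not the retries under `OnFailure`; an `activeDeadlineSeconds` on the Job spec would cap the whole wait.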
diff --git a/templates/controlplane-template/templates/components/argocd/argocd-cmd-params-cm.yaml b/templates/controlplane-template/templates/components/argocd/argocd-cmd-params-cm.yaml
new file mode 100644
index 0000000..c3b99b9
--- /dev/null
+++ b/templates/controlplane-template/templates/components/argocd/argocd-cmd-params-cm.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: argocd-cmd-params-cm
+ labels:
+ app.kubernetes.io/name: argocd-cmd-params-cm
+ app.kubernetes.io/part-of: argocd
+data:
+ # ssl terminated at ingress-nginx and forwarded
+ # to allow for cloudflare origin issuer certificates
+ server.insecure: 'true'
diff --git a/templates/controlplane-template/templates/components/argocd/argocd-oidc-restart-job.yaml b/templates/controlplane-template/templates/components/argocd/argocd-oidc-restart-job.yaml
new file mode 100644
index 0000000..a666ef3
--- /dev/null
+++ b/templates/controlplane-template/templates/components/argocd/argocd-oidc-restart-job.yaml
@@ -0,0 +1,58 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: argocd-oidc-restart-job
+ namespace: argocd
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: argocd-oidc-restart-job
+ namespace: argocd
+rules:
+ - apiGroups:
+ - apps
+ resources:
+ - deployments
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: argocd-oidc-restart-job
+ namespace: argocd
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: argocd-oidc-restart-job
+subjects:
+ - kind: ServiceAccount
+ name: argocd-oidc-restart-job
+ namespace: argocd
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: argocd-oidc-restart-job
+ namespace: argocd
+spec:
+ template:
+ spec:
+ containers:
+ - name: argocd-oidc-restart-job
+ image: dtzar/helm-kubectl:3.19.0
+ command:
+ - /bin/sh
+ - -c
+ - echo restarting argocd-server in 15 seconds && sleep 15 && echo restarting && kubectl -n argocd get deployment/argocd-server -oyaml | kubectl -n argocd replace --force -f -
+ restartPolicy: OnFailure
+ serviceAccountName: argocd-oidc-restart-job
+
diff --git a/templates/controlplane-template/templates/components/argocd/argocd-ui-ingress.yaml b/templates/controlplane-template/templates/components/argocd/argocd-ui-ingress.yaml
new file mode 100644
index 0000000..d3c740c
--- /dev/null
+++ b/templates/controlplane-template/templates/components/argocd/argocd-ui-ingress.yaml
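Review bot: The restart pipes `kubectl get deployment/argocd-server -oyaml` into `kubectl replace --force -f -`, which deletes and recreates the Deployment and is the reason the Role carries `create`, `update` and `delete`; `kubectl -n argocd rollout restart deployment/argocd-server` restarts it as a rolling update and needs only `get` and `patch`, so the Role could be reduced to those two verbs. The Job has no `argocd.argoproj.io/sync-wave`, so it runs at wave 0 and may fire before the `argocd-oidc-secret` it presumably exists to pick up (inferred from the file name) has been created; an explicit later wave would make the ordering deliberate. `dtzar/helm-kubectl:3.19.0` is a third-party image pinned by tag only; a digest pin is advisable for a pod that holds write access to the Argo CD server Deployment.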
@@ -0,0 +1,74 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: argocd-server-http-ingress
+ namespace: argocd
+ annotations:
+ nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+ nginx.ingress.kubernetes.io/backend-protocol: "HTTP"
+ {{- if .Values.certManager.issuerAnnotation1 }}
+ {{ .Values.certManager.issuerAnnotation1 }}
+ {{- end }}
+ {{- if .Values.certManager.issuerAnnotation2 }}
+ {{ .Values.certManager.issuerAnnotation2 }}
+ {{- end }}
+ {{- if .Values.certManager.issuerAnnotation3 }}
+ {{ .Values.certManager.issuerAnnotation3 }}
+ {{- end }}
+ {{- if .Values.certManager.issuerAnnotation4 }}
+ {{ .Values.certManager.issuerAnnotation4 }}
+ {{- end }}
+spec:
+ ingressClassName: nginx
+ rules:
+ - http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: argocd-server
+ port:
+ name: http
+ host: argocd.{{ .Values.domainName }}
+ tls:
+ - hosts:
+ - argocd.{{ .Values.domainName }}
+ secretName: argocd-ingress-http
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: argocd-server-grpc-ingress
+ namespace: argocd
+ annotations:
+ nginx.ingress.kubernetes.io/backend-protocol: "GRPC"
+ {{- if .Values.certManager.issuerAnnotation1 }}
+ {{ .Values.certManager.issuerAnnotation1 }}
+ {{- end }}
+ {{- if .Values.certManager.issuerAnnotation2 }}
+ {{ .Values.certManager.issuerAnnotation2 }}
+ {{- end }}
+ {{- if .Values.certManager.issuerAnnotation3 }}
+ {{ .Values.certManager.issuerAnnotation3 }}
+ {{- end }}
+ {{- if .Values.certManager.issuerAnnotation4 }}
+ {{ .Values.certManager.issuerAnnotation4 }}
+ {{- end }}
+spec:
+ ingressClassName: nginx
+ rules:
+ - http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: argocd-server
+ port:
+ name: https
+ host: grpc.argocd.{{ .Values.domainName }}
+ tls:
+ - hosts:
+ - grpc-argocd.{{ .Values.domainName }}
+ secretName: argocd-ingress-grpc
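Review bot: The gRPC Ingress routes `host: grpc.argocd.{{ .Values.domainName }}` but requests its certificate for `grpc-argocd.{{ .Values.domainName }}` under `tls.hosts`, so the hostname actually served is not covered by `argocd-ingress-grpc` and clients get a certificate for a different name or the controller's default certificate. One of the two must change; `- grpc.argocd.{{ .Values.domainName }}` under `tls.hosts` would match the rule. The gRPC Ingress also lacks the `nginx.ingress.kubernetes.io/force-ssl-redirect: "true"` that the HTTP Ingress sets, so plaintext requests to the gRPC host are not redirected.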
diff --git a/templates/controlplane-template/templates/components/argocd/cloudflareissuer.yaml b/templates/controlplane-template/templates/components/argocd/cloudflareissuer.yaml
new file mode 100644
index 0000000..9fb35ae
--- /dev/null
+++ b/templates/controlplane-template/templates/components/argocd/cloudflareissuer.yaml
@@ -0,0 +1,29 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: cloudflare-creds
+ namespace: argocd
+spec:
+ target:
+ name: cloudflare-creds
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: vault-kv-secret
+ refreshInterval: 10s
+ data:
+ - remoteRef:
+ key: cloudflare
+ property: origin-ca-api-key
+ secretKey: origin-ca-api-key
+---
+apiVersion: cert-manager.k8s.cloudflare.com/v1
+kind: OriginIssuer
+metadata:
+ name: cloudflare-origin-issuer
+ namespace: argocd
+spec:
+ requestType: OriginECC
+ auth:
+ serviceKeyRef:
+ key: origin-ca-api-key
+ name: cloudflare-creds
diff --git a/templates/controlplane-template/templates/components/argocd/externalsecrets.yaml b/templates/controlplane-template/templates/components/argocd/externalsecrets.yaml
new file mode 100644
index 0000000..e4a5ede
--- /dev/null
+++ b/templates/controlplane-template/templates/components/argocd/externalsecrets.yaml
@@ -0,0 +1,24 @@
+apiVersion: "external-secrets.io/v1alpha1"
+kind: ExternalSecret
+metadata:
+ name: argocd-oidc-secret
+ labels:
+ app.kubernetes.io/part-of: argocd
+spec:
+ target:
+ name: argocd-oidc-secret
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: vault-kv-secret
+ refreshInterval: 10s
+ data:
+ - remoteRef:
+ conversionStrategy: Default
+ key: oidc/argocd
+ property: client_secret
+ secretKey: clientSecret
+ - remoteRef:
+ conversionStrategy: Default
+ key: oidc/argocd
+ property: client_id
+ secretKey: clientId
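Review bot: This ExternalSecret copies the Cloudflare Origin CA API key into the `argocd` namespace, and the atlantis and chartmuseum hunks below make the same copy into their namespaces, so every namespace that wants an origin certificate ends up holding the key and anyone with secret read in any of them can use it. If the installed origin-ca-issuer version supports `ClusterOriginIssuer`, a single cluster-scoped issuer backed by one secret in the issuer's own namespace keeps the key in one place; otherwise a comment stating that the key is intentionally replicated per namespace would help the next reader. `refreshInterval: 10s` polls Vault six times a minute for a value that rarely changes; something like `1h` would be ample.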
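Review bot: This ExternalSecret declares `apiVersion: "external-secrets.io/v1alpha1"` while every other ExternalSecret in the change uses `external-secrets.io/v1beta1`; the alpha version is only kept alive through CRD conversion and is the one most likely to be dropped on an operator upgrade, so `apiVersion: external-secrets.io/v1beta1` keeps the manifests consistent and upgrade-safe. The object also omits `namespace` and relies on the kustomization's `namespace: argocd`, which works but differs from the sibling `cloudflare-creds` secret that sets it explicitly; a short comment would make that reliance visible.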
diff --git a/templates/controlplane-template/templates/components/argocd/kustomization.yaml b/templates/controlplane-template/templates/components/argocd/kustomization.yaml
new file mode 100644
index 0000000..00ddbc5
--- /dev/null
+++ b/templates/controlplane-template/templates/components/argocd/kustomization.yaml
@@ -0,0 +1,18 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: argocd
+
+# To upgrade ArgoCD, increment the version here
+# https://github.com/argoproj/argo-cd/tags
+resources:
+ - github.com:konstructio/manifests.git/argocd/cloud?ref=v1.1.1
+ - argocd-ui-ingress.yaml
+ - externalsecrets.yaml
+ - argocd-oidc-restart-job.yaml
+
+patchesStrategicMerge:
+ - argocd-cm.yaml
+ - argocd-cmd-params-cm.yaml
+
+generatorOptions:
+ disableNameSuffixHash: true
diff --git a/templates/controlplane-template/templates/components/atlantis/application.yaml b/templates/controlplane-template/templates/components/atlantis/application.yaml
new file mode 100644
index 0000000..648219e
--- /dev/null
+++ b/templates/controlplane-template/templates/components/atlantis/application.yaml
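Review bot: The remote base `github.com:konstructio/manifests.git/argocd/cloud?ref=v1.1.1` is pinned to a git tag, which can be moved or re-pushed; pinning `ref=` to the commit SHA that tag resolves to makes the Argo CD install reproducible and tamper-evident, and the comment above can keep naming the human-readable tag. `patchesStrategicMerge` is deprecated in kustomize 5 in favour of `patches:` with `- path: argocd-cm.yaml` style entries. `generatorOptions.disableNameSuffixHash: true` is set although this file declares no generators; harmless, but a comment explaining why it is here would stop it being removed as dead config.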
@@ -0,0 +1,79 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: atlantis
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+ namespace: argocd
+ annotations:
+ argocd.argoproj.io/sync-wave: '10'
+spec:
+ project: {{ .Values.project }}
+ source:
+ repoURL: https://runatlantis.github.io/helm-charts
+ chart: atlantis
+ targetRevision: {{ .Values.versions.atlantis }}
+ helm:
+ values: |-
+ statefulSet:
+ annotations:
+ secret.reloader.stakater.com/reload: "atlantis-secrets"
+ atlantisUrl: https://atlantis.{{ .Values.domainName }}
+ orgAllowlist: {{ .Values.atlantis.allowList }}
+ hidePrevPlanComments: true
+ serviceAccount:
+ create: false
+ mount: true
+ resources:
+ limits:
+ cpu: 400m
+ memory: 1Gi
+ requests:
+ cpu: 400m
+ memory: 512Mi
+ ingress:
+ enabled: true
+ annotations:
+ {{- if .Values.certManager.issuerAnnotation1 }}
+ {{ .Values.certManager.issuerAnnotation1 }}
+ {{- end }}
+ {{- if .Values.certManager.issuerAnnotation2 }}
+ {{ .Values.certManager.issuerAnnotation2 }}
+ {{- end }}
+ {{- if .Values.certManager.issuerAnnotation3 }}
+ {{ .Values.certManager.issuerAnnotation3 }}
+ {{- end }}
+ {{- if .Values.certManager.issuerAnnotation4 }}
+ {{ .Values.certManager.issuerAnnotation4 }}
+ {{- end }}
+ path: /
+ host: atlantis.{{ .Values.domainName }}
+ ingressClassName: "nginx"
+ tls:
+ - secretName: atlantis-tls
+ hosts:
+ - atlantis.{{ .Values.domainName }}
+ loadEnvFromSecrets:
+ - atlantis-secrets
+ repoConfig: |
+ ---
+ repos:
+ - id: {{ .Values.atlantis.allowList }}
+ workflow: default
+ allowed_overrides: [apply_requirements]
+ apply_requirements: [mergeable]
+ destination:
+ name: {{ .Values.clusterDestination }}
+ namespace: atlantis
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
+ retry:
+ limit: 5
+ backoff:
+ duration: 5s
+ maxDuration: 5m0s
+ factor: 2
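Review bot: `allowed_overrides: [apply_requirements]` lets any repository's own `atlantis.yaml` replace the server-side `apply_requirements: [mergeable]`, so a pull-request author can remove the mergeable gate for their repo from the client side; keeping the override list empty, and adding `approved` alongside `mergeable` if reviews are required, enforces the requirement from this side. `id: {{ .Values.atlantis.allowList }}` reuses the `orgAllowlist` value as the repo `id`; Atlantis matches `id` as an exact string or a `/regex/`, so if the allowlist is a glob such as `github.com/org/*` this repo entry matches nothing (confirm the value's shape before relying on it). `serviceAccount.create: false` means the atlantis service account must be created elsewhere; nothing in this change does so.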
diff --git a/templates/controlplane-template/templates/components/atlantis/cloudflareissuer.yaml b/templates/controlplane-template/templates/components/atlantis/cloudflareissuer.yaml
new file mode 100644
index 0000000..1926218
--- /dev/null
+++ b/templates/controlplane-template/templates/components/atlantis/cloudflareissuer.yaml
@@ -0,0 +1,31 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: cloudflare-creds
+ namespace: atlantis
+ annotations:
+ argocd.argoproj.io/sync-wave: "0"
+spec:
+ target:
+ name: cloudflare-creds
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: vault-kv-secret
+ refreshInterval: 10s
+ data:
+ - remoteRef:
+ key: cloudflare
+ property: origin-ca-api-key
+ secretKey: origin-ca-api-key
+---
+apiVersion: cert-manager.k8s.cloudflare.com/v1
+kind: OriginIssuer
+metadata:
+ name: cloudflare-origin-issuer
+ namespace: atlantis
+spec:
+ requestType: OriginECC
+ auth:
+ serviceKeyRef:
+ key: origin-ca-api-key
+ name: cloudflare-creds
diff --git a/templates/controlplane-template/templates/components/atlantis/externalsecret.yaml b/templates/controlplane-template/templates/components/atlantis/externalsecret.yaml
new file mode 100644
index 0000000..334d4bf
--- /dev/null
+++ b/templates/controlplane-template/templates/components/atlantis/externalsecret.yaml
@@ -0,0 +1,16 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: atlantis-secrets
+ annotations:
+ argocd.argoproj.io/sync-wave: '0'
+spec:
+ target:
+ name: atlantis-secrets
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: vault-kv-secret
+ refreshInterval: 10s
+ dataFrom:
+ - extract:
+ key: /atlantis
diff --git a/templates/controlplane-template/templates/components/atlantis/wait.yaml b/templates/controlplane-template/templates/components/atlantis/wait.yaml
new file mode 100644
index 0000000..049580f
--- /dev/null
+++ b/templates/controlplane-template/templates/components/atlantis/wait.yaml
@@ -0,0 +1,59 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: k8s-toolkit-atlantis
+ namespace: atlantis
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: k8s-toolkit-atlantis
+ namespace: atlantis
+rules:
+ - apiGroups:
+ - apps
+ resources:
+ - deployments
+ - statefulsets
+ verbs:
+ - get
+ - watch
+ - list
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: k8s-toolkit-atlantis
+ namespace: atlantis
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: k8s-toolkit-atlantis
+subjects:
+ - kind: ServiceAccount
+ name: k8s-toolkit-atlantis
+ namespace: atlantis
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ annotations:
+ argocd.argoproj.io/sync-wave: '20'
+ name: wait-atlantis
+ namespace: atlantis
+spec:
+ template:
+ spec:
+ containers:
+ - args:
+ - wait-for
+ - statefulset
+ - --namespace
+ - atlantis
+ - --label
+ - app=atlantis
+ image: ghcr.io/konstructio/kubernetes-toolkit:v0.1.3
+ imagePullPolicy: IfNotPresent
+ name: wait
+ restartPolicy: OnFailure
+ serviceAccountName: k8s-toolkit-atlantis
diff --git a/templates/controlplane-template/templates/components/cert-issuers/clusterissuers.yaml b/templates/controlplane-template/templates/components/cert-issuers/clusterissuers.yaml
new file mode 100644
index 0000000..40ea1e9
--- /dev/null
+++ b/templates/controlplane-template/templates/components/cert-issuers/clusterissuers.yaml
@@ -0,0 +1,29 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+ name: letsencrypt-staging
+spec:
+ acme:
+ server: https://acme-staging-v02.api.letsencrypt.org/directory
+ email: {{ .Values.alertsEmail }}
+ privateKeySecretRef:
+ name: letsencrypt-staging
+ solvers:
+ - http01:
+ ingress:
+ class: nginx
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+ name: letsencrypt-prod
+spec:
+ acme:
+ server: https://acme-v02.api.letsencrypt.org/directory
+ email: {{ .Values.alertsEmail }}
+ privateKeySecretRef:
+ name: letsencrypt-prod
+ solvers:
+ - http01:
+ ingress:
+ class: nginx
diff --git a/templates/controlplane-template/templates/components/cert-manager/application.yaml b/templates/controlplane-template/templates/components/cert-manager/application.yaml
new file mode 100644
index 0000000..6387457
--- /dev/null
+++ b/templates/controlplane-template/templates/components/cert-manager/application.yaml
@@ -0,0 +1,30 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: cert-manager
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+ namespace: argocd
+ annotations:
+ argocd.argoproj.io/sync-wave: '10'
+spec:
+ project: default
+ source:
+ repoURL: https://charts.jetstack.io
+ targetRevision: v1.14.4
+ helm:
+ values: |-
+ serviceAccount:
+ create: true
+ name: cert-manager
+ installCRDs: true
+ chart: cert-manager
+ destination:
+ name: in-cluster
+ namespace: cert-manager
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
diff --git a/templates/controlplane-template/templates/components/cert-manager/wait-todo.yaml b/templates/controlplane-template/templates/components/cert-manager/wait-todo.yaml
new file mode 100644
index 0000000..e69de29
diff --git a/templates/controlplane-template/templates/components/chartmuseum/application.yaml b/templates/controlplane-template/templates/components/chartmuseum/application.yaml
new file mode 100644
index 0000000..71fc22f
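Review bot: Both ClusterIssuers select the solver ingress with `http01.ingress.class: nginx`, which drives the deprecated `kubernetes.io/ingress.class` annotation on the temporary solver Ingress; with cert-manager pinned at v1.14.4 in the next hunk, `ingressClassName: nginx` is the supported field and matches the `ingressClassName: nginx` every Ingress in this change already uses. Behaviour is the same today, so this is a consistency and forward-compatibility point rather than a breakage.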
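Review bot: The cert-manager Application hard-codes `project: default` and `destination.name: in-cluster` where the sibling Applications use `{{ .Values.project }}` and `{{ .Values.clusterDestination }}`; if that is deliberate (cert-manager is always installed on the management cluster) a one-line comment saying so will stop a later "fix", otherwise it should take the same values. The empty `wait-todo.yaml` added alongside renders to nothing and leaves the cert-manager readiness wait untracked, so consumers at later sync waves (the OriginIssuers and Ingress certificates) have no ordering guarantee; a `# TODO` with the intended wait, or an issue reference, inside the file would make the gap visible.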
--- /dev/null
+++ b/templates/controlplane-template/templates/components/chartmuseum/application.yaml
@@ -0,0 +1,63 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: chartmuseum
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+ namespace: argocd
+ annotations:
+ argocd.argoproj.io/sync-wave: '10'
+spec:
+ project: {{ .Values.project }}
+ source:
+ repoURL: https://chartmuseum.github.io/charts
+ targetRevision: {{ .Values.versions.chartmuseum }}
+ helm:
+ values: |-
+ env:
+ open:
+ AUTH_ANONYMOUS_GET: true
+ STORAGE: amazon
+ STORAGE_AMAZON_BUCKET: {{ .Values.kubefirstStateStoreBucket }}
+ STORAGE_AMAZON_PREFIX: kubefirst-charts
+ STORAGE_AMAZON_REGION: {{ .Values.cloudRegion }}
+ STORAGE_AMAZON_ENDPOINT: https://objectstore.{{ .Values.cloudRegion }}.civo.com
+ DISABLE_API: false
+ existingSecret: chartmuseum-secrets
+ existingSecretMappings:
+ BASIC_AUTH_USER: BASIC_AUTH_USER
+ BASIC_AUTH_PASS: BASIC_AUTH_PASS
+ AWS_ACCESS_KEY_ID: AWS_ACCESS_KEY_ID
+ AWS_SECRET_ACCESS_KEY: AWS_SECRET_ACCESS_KEY
+ ingress:
+ enabled: true
+ pathType: "Prefix"
+ annotations:
+ {{- if .Values.certManager.issuerAnnotation1 }}
+ {{ .Values.certManager.issuerAnnotation1 }}
+ {{- end }}
+ {{- if .Values.certManager.issuerAnnotation2 }}
+ {{ .Values.certManager.issuerAnnotation2 }}
+ {{- end }}
+ {{- if .Values.certManager.issuerAnnotation3 }}
+ {{ .Values.certManager.issuerAnnotation3 }}
+ {{- end }}
+ {{- if .Values.certManager.issuerAnnotation4 }}
+ {{ .Values.certManager.issuerAnnotation4 }}
+ {{- end }}
+ hosts:
+ - name: chartmuseum.{{ .Values.domainName }}
+ path: /
+ tls: true
+ tlsSecret: chartmuseum-tls
+ ingressClassName: nginx
+ chart: chartmuseum
+ destination:
+ name: {{ .Values.clusterDestination }}
+ namespace: chartmuseum
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
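Review bot: `AUTH_ANONYMOUS_GET: true` combined with the `chartmuseum.{{ .Values.domainName }}` Ingress makes every chart under the `kubefirst-charts` prefix downloadable without credentials from wherever the ingress is reachable, while `DISABLE_API: false` keeps the upload API enabled behind only the basic-auth pair from `chartmuseum-secrets`; if anonymous reads are intended, a comment saying so belongs next to the flag, otherwise `AUTH_ANONYMOUS_GET: false`. `STORAGE_AMAZON_ENDPOINT: https://objectstore.{{ .Values.cloudRegion }}.civo.com` hard-codes the Civo object-store host inside an otherwise value-driven template; lifting the endpoint into a value keeps the template portable. The S3 key pair reaches the pod through `existingSecretMappings`, so the `/chartmuseum` Vault path should hold credentials scoped to `{{ .Values.kubefirstStateStoreBucket }}` only, since the same bucket name suggests it is shared with cluster state.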
diff --git a/templates/controlplane-template/templates/components/chartmuseum/cloudflareissuer.yaml b/templates/controlplane-template/templates/components/chartmuseum/cloudflareissuer.yaml
new file mode 100644
index 0000000..64630f8
--- /dev/null
+++ b/templates/controlplane-template/templates/components/chartmuseum/cloudflareissuer.yaml
@@ -0,0 +1,31 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: cloudflare-creds
+ namespace: chartmuseum
+ annotations:
+ argocd.argoproj.io/sync-wave: "0"
+spec:
+ target:
+ name: cloudflare-creds
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: vault-kv-secret
+ refreshInterval: 10s
+ data:
+ - remoteRef:
+ key: cloudflare
+ property: origin-ca-api-key
+ secretKey: origin-ca-api-key
+---
+apiVersion: cert-manager.k8s.cloudflare.com/v1
+kind: OriginIssuer
+metadata:
+ name: cloudflare-origin-issuer
+ namespace: chartmuseum
+spec:
+ requestType: OriginECC
+ auth:
+ serviceKeyRef:
+ key: origin-ca-api-key
+ name: cloudflare-creds
diff --git a/templates/controlplane-template/templates/components/chartmuseum/externalsecret.yaml b/templates/controlplane-template/templates/components/chartmuseum/externalsecret.yaml
new file mode 100644
index 0000000..020f387
--- /dev/null
+++ b/templates/controlplane-template/templates/components/chartmuseum/externalsecret.yaml
@@ -0,0 +1,17 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: chartmuseum-secrets
+ namespace: chartmuseum
+ annotations:
+ argocd.argoproj.io/sync-wave: "0"
+spec:
+ target:
+ name: chartmuseum-secrets
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: vault-kv-secret
+ refreshInterval: 10s
+ dataFrom:
+ - extract:
+ key: /chartmuseum
diff --git a/templates/controlplane-template/templates/components/chartmuseum/wait.yaml b/templates/controlplane-template/templates/components/chartmuseum/wait.yaml
new file mode 100644
index 0000000..77a0c7a
--- /dev/null
+++ b/templates/controlplane-template/templates/components/chartmuseum/wait.yaml
@@ -0,0 +1,59 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: k8s-toolkit-chartmuseum
+ namespace: chartmuseum
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: k8s-toolkit-chartmuseum
+ namespace: chartmuseum
+rules:
+ - apiGroups:
+ - apps
+ resources:
+ - deployments
+ - statefulsets
+ verbs:
+ - get
+ - watch
+ - list
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: k8s-toolkit-chartmuseum
+ namespace: chartmuseum
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: k8s-toolkit-chartmuseum
+subjects:
+ - kind: ServiceAccount
+ name: k8s-toolkit-chartmuseum
+ namespace: chartmuseum
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ annotations:
+ argocd.argoproj.io/sync-wave: '20'
+ name: wait-chartmuseum
+ namespace: chartmuseum
+spec:
+ template:
+ spec:
+ containers:
+ - args:
+ - wait-for
+ - deployment
+ - --namespace
+ - chartmuseum
+ - --label
+ - app.kubernetes.io/name=chartmuseum
+ image: ghcr.io/konstructio/kubernetes-toolkit:v0.1.3
+ imagePullPolicy: IfNotPresent
+ name: wait
+ restartPolicy: OnFailure
+ serviceAccountName: k8s-toolkit-chartmuseum
diff --git a/templates/controlplane-template/templates/components/cluster-secret-store/clustersecretstore.yaml b/templates/controlplane-template/templates/components/cluster-secret-store/clustersecretstore.yaml
new file mode 100644
index 0000000..33cbc8f
--- /dev/null
+++ b/templates/controlplane-template/templates/components/cluster-secret-store/clustersecretstore.yaml
@@ -0,0 +1,22 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ClusterSecretStore
+metadata:
+ name: vault-kv-secret
+ annotations:
+ argocd.argoproj.io/sync-wave: '10'
+spec:
+ provider:
+ vault:
+ server: 'http://vault.vault.svc:8200'
+ # Path is the mount path of the Vault KV backend endpoint
+ path: 'secret'
+ version: 'v2'
+ auth:
+ kubernetes:
+ # Path where the Kubernetes authentication backend is mounted in Vault
+ mountPath: 'kubernetes/kubefirst'
+ # A required field containing the Vault Role to assume.
+ role: 'external-secrets'
+ serviceAccountRef:
+ name: 'external-secrets'
+ namespace: 'external-secrets-operator'
diff --git a/templates/controlplane-template/templates/components/cluster-secret-store/wait.yaml b/templates/controlplane-template/templates/components/cluster-secret-store/wait.yaml
new file mode 100644
index 0000000..635429c
--- /dev/null
+++ b/templates/controlplane-template/templates/components/cluster-secret-store/wait.yaml
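Review bot: The ClusterSecretStore reaches Vault over `server: 'http://vault.vault.svc:8200'`, so every secret External Secrets fetches for the whole cluster, and the Kubernetes service-account JWT it presents to log in, cross the pod network in cleartext; since this change already waits for a `vault-tls` Certificate in the `vault` namespace, `server: 'https://vault.vault.svc:8200'` with a `caProvider` pointing at that secret's CA would both encrypt and authenticate the hop. If Vault is deliberately listening on plaintext 8200 for now, the comment block here should say so and why. `mountPath: 'kubernetes/kubefirst'` and `role: 'external-secrets'` are Vault-side names this manifest cannot verify; a comment naming the Vault policy bound to that role would tell a reader what this store can read.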
@@ -0,0 +1,40 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: eso-clustersecretstore
+ namespace: external-secrets-operator
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: eso-clustersecretstore
+ namespace: external-secrets-operator
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: external-secrets-operator-view
+subjects:
+- kind: ServiceAccount
+ name: eso-clustersecretstore
+ namespace: external-secrets-operator
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ annotations:
+ argocd.argoproj.io/sync-wave: "20"
+ name: wait-vault-kv-secret
+ namespace: external-secrets-operator
+spec:
+ template:
+ spec:
+ containers:
+ - name: wait
+ image: dtzar/helm-kubectl:3.19.0
+ command:
+ - /bin/sh
+ - -c
+ - |
+ while ! kubectl get clustersecretstore/vault-kv-secret --namespace external-secrets-operator; do echo "waiting for external secrets store to be valid, sleeping 5 seconds"; sleep 5; done
+ restartPolicy: OnFailure
+ serviceAccountName: eso-clustersecretstore
\ No newline at end of file
diff --git a/templates/controlplane-template/templates/components/clusters/.gitkeep b/templates/controlplane-template/templates/components/clusters/.gitkeep
new file mode 100644
index 0000000..e69de29
diff --git a/templates/controlplane-template/templates/components/crossplane/crossplane-system.yaml b/templates/controlplane-template/templates/components/crossplane/crossplane-system.yaml
new file mode 100644
index 0000000..8606bc7
--- /dev/null
+++ b/templates/controlplane-template/templates/components/crossplane/crossplane-system.yaml
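Review bot: The loop `while ! kubectl get clustersecretstore/vault-kv-secret ...` only checks that the object exists, which is true the moment Argo CD applies it at wave 10, so the wait passes before the operator has validated the Vault login and every dependent ExternalSecret can still fail; the echo text says "to be valid" but the command never checks validity. `kubectl wait --for=condition=Ready clustersecretstore/vault-kv-secret --timeout=600s` checks the operator's `Ready` condition instead and bounds the wait in one line. `--namespace external-secrets-operator` is ignored for a cluster-scoped ClusterSecretStore, and binding the whole `external-secrets-operator-view` ClusterRole for a single `get` is wider than needed; a purpose-built ClusterRole with `get` on `clustersecretstores` would do, assuming that view role is the chart's aggregated read role. The file also ends without a trailing newline.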
@@ -0,0 +1,25 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: crossplane-system
+ namespace: argocd
+ annotations:
+ argocd.argoproj.io/sync-wave: '10'
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ project: {{ .Values.project }}
+ source:
+ repoURL: {{ .Values.gitopsRepoUrl }}
+ path: registry/clusters/{{ .Values.clusterName }}/components/crossplane/crossplane-system
+ targetRevision: HEAD
+ destination:
+ name: {{ .Values.clusterDestination }}
+ namespace: crossplane-system
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
+ - Replace=true
diff --git a/templates/controlplane-template/templates/components/crossplane/crossplane-system/crossplane-secrets.yaml b/templates/controlplane-template/templates/components/crossplane/crossplane-system/crossplane-secrets.yaml
new file mode 100644
index 0000000..72e3d80
--- /dev/null
+++ b/templates/controlplane-template/templates/components/crossplane/crossplane-system/crossplane-secrets.yaml
@@ -0,0 +1,51 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ annotations:
+ argocd.argoproj.io/sync-wave: "0"
+ name: crossplane-secrets
+ namespace: crossplane-system
+spec:
+ dataFrom:
+ - extract:
+ conversionStrategy: Default
+ decodingStrategy: None
+ key: /crossplane
+ refreshInterval: 10s
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: vault-kv-secret
+ target:
+ creationPolicy: Owner
+ deletionPolicy: Retain
+ name: crossplane-secrets
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: git-credentials
+ annotations:
+ argocd.argoproj.io/sync-wave: "0"
+spec:
+ target:
+ name: git-credentials
+ template:
+ engineVersion: v2
+ data:
+ creds: |
+ https://{{ .username }}:{{ .password }}@github.com
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: vault-kv-secret
+ refreshInterval: 10s
+ data:
+ - remoteRef:
+ key: crossplane
+ property: username
+ conversionStrategy: Default
+ secretKey: username
+ - remoteRef:
+ key: crossplane
+ property: password
+ conversionStrategy: Default
+ secretKey: password
\ No newline at end of file
diff --git a/templates/controlplane-template/templates/components/crossplane/crossplane-system/crossplane-system.yaml b/templates/controlplane-template/templates/components/crossplane/crossplane-system/crossplane-system.yaml
new file mode 100644
index 0000000..b3b9c5b
--- /dev/null
+++ b/templates/controlplane-template/templates/components/crossplane/crossplane-system/crossplane-system.yaml
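Review bot: The `creds` template line `https://{{ .username }}:{{ .password }}@github.com` is External Secrets' own Go-template syntax, but this file sits under a `templates/` tree whose `.Values` references indicate it is first rendered as a Helm template; Helm will consume `{{ .username }}` and `{{ .password }}` before ESO ever sees them, producing a secret containing `https://:@github.com`. Escaping them for Helm, e.g. `https://{{ "{{" }} .username {{ "}}" }}:{{ "{{" }} .password {{ "}}" }}@github.com`, preserves the ESO template (confirm the rendering pipeline if this tree is processed by something other than Helm). `git-credentials` also omits `namespace` while the sibling `crossplane-secrets` sets it explicitly; one style should be chosen. Embedding the password in the URL means it appears in any output that prints the remote, which is inherent to this credential format but worth a comment for the consumer of `creds`.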
@@ -0,0 +1,24 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: crossplane
+ namespace: argocd
+ annotations:
+ argocd.argoproj.io/sync-wave: "10"
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ project: default
+ destination:
+ name: in-cluster
+ namespace: crossplane-system
+ source:
+ repoURL: https://charts.crossplane.io/stable
+ chart: crossplane
+ targetRevision: 1.17.0
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
diff --git a/templates/controlplane-template/templates/components/crossplane/provider.yaml b/templates/controlplane-template/templates/components/crossplane/provider.yaml
new file mode 100644
index 0000000..ed56724
--- /dev/null
+++ b/templates/controlplane-template/templates/components/crossplane/provider.yaml
@@ -0,0 +1,25 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: crossplane-provider
+ namespace: argocd
+ annotations:
+ argocd.argoproj.io/sync-wave: '20'
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ project: {{ .Values.project }}
+ source:
+ repoURL: {{ .Values.gitopsRepoUrl }}
+ path: registry/clusters/{{ .Values.clusterName }}/components/crossplane/provider
+ targetRevision: HEAD
+ destination:
+ name: {{ .Values.clusterDestination }}
+ namespace: crossplane-system
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
+ - Replace=true
diff --git a/templates/controlplane-template/templates/components/crossplane/provider/controllerconfig.yaml b/templates/controlplane-template/templates/components/crossplane/provider/controllerconfig.yaml
new file mode 100644
index 0000000..c48e96e
--- /dev/null
+++ b/templates/controlplane-template/templates/components/crossplane/provider/controllerconfig.yaml
@@ -0,0 +1,23 @@
+apiVersion: pkg.crossplane.io/v1alpha1
+kind: ControllerConfig
+metadata:
+ annotations:
+ argocd.argoproj.io/sync-wave: '10'
+ labels:
+ app: crossplane-provider-terraform
+ name: terraform-config
+spec:
+ args:
+ - -d
+ - --poll=2m
+ - --max-reconcile-rate=10
+ envFrom:
+ - secretRef:
+ name: crossplane-secrets
+ volumeMounts:
+ - mountPath: /.cache
+ name: helmcache
+ volumes:
+ - name: helmcache
+ emptyDir:
+ sizeLimit: 500Mi
diff --git a/templates/controlplane-template/templates/components/crossplane/provider/terraform-provider.yaml b/templates/controlplane-template/templates/components/crossplane/provider/terraform-provider.yaml
new file mode 100644
index 0000000..6403c68
--- /dev/null
+++ b/templates/controlplane-template/templates/components/crossplane/provider/terraform-provider.yaml
@@ -0,0 +1,16 @@
+apiVersion: pkg.crossplane.io/v1
+kind: Provider
+metadata:
+ annotations:
+ argocd.argoproj.io/sync-wave: '20'
+ name: crossplane-provider-terraform
+spec:
+ controllerConfigRef:
+ name: terraform-config
+ ignoreCrossplaneConstraints: false
+ package: xpkg.upbound.io/upbound/provider-terraform:v0.12.0
+ packagePullPolicy: IfNotPresent
+ revisionActivationPolicy: Automatic
+ revisionHistoryLimit: 1
+ skipDependencyResolution: false
+
diff --git a/templates/controlplane-template/templates/components/external-dns/application.yaml b/templates/controlplane-template/templates/components/external-dns/application.yaml
new file mode 100644
index 0000000..77c161f
--- /dev/null
+++ b/templates/controlplane-template/templates/components/external-dns/application.yaml
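Review bot: `ControllerConfig` (`pkg.crossplane.io/v1alpha1`) is deprecated in Crossplane, and with the `crossplane` chart pinned at 1.17.0 in the previous hunk the supported replacement is a `DeploymentRuntimeConfig` referenced from the Provider via `spec.runtimeConfigRef`; the `args`, `envFrom` and volume settings here map onto its pod template, so the migration is mechanical. `args: [-d, ...]` runs provider-terraform in debug mode permanently, which raises log volume and may surface values taken from the `crossplane-secrets` environment in provider logs; drop `-d` outside troubleshooting. `package: xpkg.upbound.io/upbound/provider-terraform:v0.12.0` is tag-pinned; a digest would make the provider image immutable for a component that holds cloud credentials.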
@@ -0,0 +1,44 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: external-dns
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+ namespace: argocd
+ annotations:
+ argocd.argoproj.io/sync-wave: '10'
+spec:
+ project: {{ .Values.project }}
+ source:
+ repoURL: https://kubernetes-sigs.github.io/external-dns
+ targetRevision: {{ .Values.versions.externalDns }}
+ helm:
+ releaseName: external-dns
+ values: |
+ image:
+ repository: registry.k8s.io/external-dns/external-dns
+ tag: "v0.13.2"
+ serviceAccount:
+ create: true
+ name: external-dns
+ provider: {{ .Values.externalDns.providerName }}
+ sources:
+ - ingress
+ domainFilters:
+ - {{ .Values.externalDns.domainName }}
+ env:
+ - name: {{ .Values.externalDns.providerTokenEnvName }}
+ valueFrom:
+ secretKeyRef:
+ name: external-dns-secrets
+ key: token
+ chart: external-dns
+ destination:
+ name: {{ .Values.clusterDestination }}
+ namespace: external-dns
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
diff --git a/templates/controlplane-template/templates/components/external-dns/wait.yaml b/templates/controlplane-template/templates/components/external-dns/wait.yaml
new file mode 100644
index 0000000..39d677c
--- /dev/null
+++ b/templates/controlplane-template/templates/components/external-dns/wait.yaml
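Review bot: `image.tag: "v0.13.2"` pins the external-dns binary independently of `targetRevision: {{ .Values.versions.externalDns }}`, so bumping the chart version in values will not move the image and the two can drift (a newer chart passing flags an older binary does not know); either drop the tag override so the chart's bundled app version is used, or take both from values. The provider token is read from `external-dns-secrets`/`token`, but nothing in this change creates that ExternalSecret and the Application has no ordering relative to it; if it is produced elsewhere, a comment naming where would help. `domainFilters` limited to `{{ .Values.externalDns.domainName }}` correctly keeps external-dns from touching records outside that zone.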
@@ -0,0 +1,59 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: kubernetes-toolkit
+ namespace: external-dns
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: kubernetes-toolkit
+ namespace: external-dns
+rules:
+ - apiGroups:
+ - apps
+ resources:
+ - deployments
+ - statefulsets
+ verbs:
+ - get
+ - watch
+ - list
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: kubernetes-toolkit
+ namespace: external-dns
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: kubernetes-toolkit
+subjects:
+ - kind: ServiceAccount
+ name: kubernetes-toolkit
+ namespace: external-dns
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ annotations:
+ argocd.argoproj.io/sync-wave: '20'
+ name: kubernetes-toolkit
+ namespace: external-dns
+spec:
+ template:
+ spec:
+ containers:
+ - args:
+ - wait-for
+ - deployment
+ - --namespace
+ - external-dns
+ - --label
+ - app.kubernetes.io/name=external-dns
+ image: ghcr.io/konstructio/kubernetes-toolkit:v0.1.3
+ imagePullPolicy: IfNotPresent
+ name: kubernetes-toolkit
+ restartPolicy: OnFailure
+ serviceAccountName: kubernetes-toolkit
diff --git a/templates/controlplane-template/templates/components/external-secrets-operator/external-secrets-operator.yaml b/templates/controlplane-template/templates/components/external-secrets-operator/external-secrets-operator.yaml
new file mode 100644
index 0000000..ed43a16
--- /dev/null
+++ b/templates/controlplane-template/templates/components/external-secrets-operator/external-secrets-operator.yaml
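Review bot: The `kubernetes-toolkit` Role grants `get`/`watch`/`list` on `statefulsets` although the Job only runs `wait-for deployment`; dropping `- statefulsets` from `resources` keeps the binding to what the gate actually reads. The Job's pod template also sets no `securityContext`, so the toolkit container runs with whatever the cluster default allows; `runAsNonRoot: true` and `allowPrivilegeEscalation: false` on the container would match the least-privilege intent already shown by the per-namespace Role. The same Role and Job shape is repeated in the external-secrets-operator, ingress-nginx, nginx-apex and reloader `wait.yaml` hunks, so both changes apply there as well.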
@@ -0,0 +1,56 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: external-secrets-operator
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+ namespace: argocd
+ annotations:
+ argocd.argoproj.io/sync-wave: '10'
+spec:
+ project: default
+ source:
+ repoURL: https://charts.external-secrets.io
+ targetRevision: 0.8.1
+ helm:
+ values: |-
+ serviceAccount:
+ create: false
+ name: external-secrets
+ chart: external-secrets
+ destination:
+ name: in-cluster
+ namespace: external-secrets-operator
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
+ - RespectIgnoreDifferences=true
+ ignoreDifferences:
+ - group: apiextensions.k8s.io
+ kind: CustomResourceDefinition
+ jqPathExpressions:
+ - .spec.conversion.webhook.clientConfig.caBundle
+ - .spec.conversion.webhook.clientConfig.service.name
+ - .spec.conversion.webhook.clientConfig.service.namespace
+ - group: admissionregistration.k8s.io
+ kind: ValidatingWebhookConfiguration
+ jqPathExpressions:
+ - .webhooks[]?.clientConfig.caBundle
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: eso-kubernetes-external-secrets-auth
+ annotations:
+ argocd.argoproj.io/sync-wave: '40'
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: 'system:auth-delegator'
+subjects:
+ - kind: ServiceAccount
+ name: external-secrets
+ namespace: external-secrets-operator
diff --git a/templates/controlplane-template/templates/components/external-secrets-operator/wait.yaml b/templates/controlplane-template/templates/components/external-secrets-operator/wait.yaml
new file mode 100644
index 0000000..3c7d566
--- /dev/null
+++ b/templates/controlplane-template/templates/components/external-secrets-operator/wait.yaml
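Review bot: `serviceAccount.create: false` with `name: external-secrets` tells the chart not to create the ServiceAccount, but nothing in this commit creates one by that name in `external-secrets-operator` (the sibling `wait.yaml` only creates `k8s-toolkit-eso`); unless it is provisioned elsewhere, the operator pods reference a missing ServiceAccount and never start, and the ClusterRoleBinding below grants `system:auth-delegator` to that same absent subject. Either let the chart create it or add the ServiceAccount manifest next to the binding so the two are applied together. `project: default` and `destination.name: in-cluster` are also hard-coded here where the other Applications use `.Values.project` and `.Values.clusterDestination`.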
@@ -0,0 +1,107 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: k8s-toolkit-eso + namespace: external-secrets-operator +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: k8s-toolkit-eso + namespace: external-secrets-operator +rules: + - apiGroups: + - apps + resources: + - deployments + - statefulsets + verbs: + - get + - watch + - list +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: k8s-toolkit-eso + namespace: external-secrets-operator +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: k8s-toolkit-eso +subjects: + - kind: ServiceAccount + name: k8s-toolkit-eso + namespace: external-secrets-operator +--- +apiVersion: batch/v1 +kind: Job +metadata: + annotations: + argocd.argoproj.io/sync-wave: '20' + name: wait-external-secrets-cert-controller + namespace: external-secrets-operator +spec: + template: + spec: + containers: + - args: + - wait-for + - deployment + - --namespace + - external-secrets-operator + - --label + - app.kubernetes.io/name=external-secrets-cert-controller + image: ghcr.io/konstructio/kubernetes-toolkit:v0.1.3 + imagePullPolicy: IfNotPresent + name: wait + restartPolicy: OnFailure + serviceAccountName: k8s-toolkit-eso +--- +apiVersion: batch/v1 +kind: Job +metadata: + annotations: + argocd.argoproj.io/sync-wave: '20' + name: wait-external-secrets + namespace: external-secrets-operator +spec: + template: + spec: + containers: + - args: + - wait-for + - deployment + - --namespace + - external-secrets-operator + - --label + - app.kubernetes.io/name=external-secrets + image: ghcr.io/konstructio/kubernetes-toolkit:v0.1.3 + imagePullPolicy: IfNotPresent + name: wait + restartPolicy: OnFailure + serviceAccountName: k8s-toolkit-eso +--- +apiVersion: batch/v1 +kind: Job +metadata: + annotations: + argocd.argoproj.io/sync-wave: '20' + name: wait-external-secrets-webhook + namespace: external-secrets-operator +spec: + template: + spec: + containers: + - args: + - 
wait-for
+ - deployment
+ - --namespace
+ - external-secrets-operator
+ - --label
+ - app.kubernetes.io/name=external-secrets-webhook
+ image: ghcr.io/konstructio/kubernetes-toolkit:v0.1.3
+ imagePullPolicy: IfNotPresent
+ name: wait
+ restartPolicy: OnFailure
+ serviceAccountName: k8s-toolkit-eso
diff --git a/templates/controlplane-template/templates/components/github-runner/runnerdeployment.yaml b/templates/controlplane-template/templates/components/github-runner/runnerdeployment.yaml
new file mode 100644
index 0000000..991352b
--- /dev/null
+++ b/templates/controlplane-template/templates/components/github-runner/runnerdeployment.yaml
@@ -0,0 +1,20 @@
+apiVersion: actions.summerwind.dev/v1alpha1
+kind: RunnerDeployment
+metadata:
+ name: actions-runner
+ annotations:
+ argocd.argoproj.io/sync-wave: '10'
+spec:
+ replicas: 2
+ template:
+ spec:
+ organization: {{ .Values.githubOwner }}
+ image: ghcr.io/actions-runner-controller/actions-runner-controller/actions-runner-dind-rootless:v2.315.0-ubuntu-20.04-5b9b9f7
+ serviceAccountName: github-runner
+ automountServiceAccountToken: true
+ dockerEnabled: false
+ dockerdWithinRunnerContainer: false
+ resources: {}
+ securityContext:
+ fsGroup: 1000
+ runAsUser: 1000
diff --git a/templates/controlplane-template/templates/components/github-runner/serviceaccount.yaml b/templates/controlplane-template/templates/components/github-runner/serviceaccount.yaml
new file mode 100644
index 0000000..6e2d556
--- /dev/null
+++ b/templates/controlplane-template/templates/components/github-runner/serviceaccount.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: github-runner
+ namespace: github-runner
+ annotations:
+ argocd.argoproj.io/sync-wave: '0'
diff --git a/templates/controlplane-template/templates/components/ingress-nginx/application.yaml b/templates/controlplane-template/templates/components/ingress-nginx/application.yaml
new file mode 100644
index 0000000..7186776
--- /dev/null
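Review bot: `automountServiceAccountToken: true` projects the `github-runner` ServiceAccount token into the runner pods, where third-party workflow jobs execute with full filesystem access; no RoleBinding for that account appears in this commit, but the token still authenticates to the API server, and any binding added later is exposed to every job the runners pick up. Set `automountServiceAccountToken: false` unless a workflow genuinely needs in-cluster access, and record the reason in a comment if it does. `securityContext` sets `runAsUser: 1000` but not `runAsNonRoot: true`, which is what turns the non-root choice into an enforced requirement rather than an incidental one.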
+++ b/templates/controlplane-template/templates/components/ingress-nginx/application.yaml
@@ -0,0 +1,35 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: ingress-nginx
+ namespace: argocd
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+ annotations:
+ argocd.argoproj.io/sync-wave: '10'
+spec:
+ project: default
+ source:
+ repoURL: https://kubernetes.github.io/ingress-nginx
+ targetRevision: 4.12.1
+ helm:
+ values: |-
+ controller:
+ publishService:
+ enabled: true
+ service:
+ annotations:
+ service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "https"
+ service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: "60"
+ extraArgs:
+ enable-ssl-passthrough: true
+ chart: ingress-nginx
+ destination:
+ name: in-cluster
+ namespace: ingress-nginx
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
diff --git a/templates/controlplane-template/templates/components/ingress-nginx/wait.yaml b/templates/controlplane-template/templates/components/ingress-nginx/wait.yaml
new file mode 100644
index 0000000..2123e01
--- /dev/null
+++ b/templates/controlplane-template/templates/components/ingress-nginx/wait.yaml
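Review bot: `enable-ssl-passthrough: true` under `extraArgs` turns on the controller's TLS passthrough listener cluster-wide; any Ingress that later carries the passthrough annotation has its TLS forwarded untouched to the backend, bypassing the cert-manager certificates, access logging and any request-level controls the controller applies. Unless a component in this template needs it, leave it off and enable it together with the workload that requires it. The `aws-load-balancer-*` Service annotations are inert on other clouds but misleading next to the `cloudRegion: NYC1` default in values.yaml, and `targetRevision: 4.12.1` is hard-coded while the external-dns Application reads its chart version from `.Values.versions`.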
@@ -0,0 +1,59 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: k8s-toolkit-ingress-nginx + namespace: ingress-nginx +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: k8s-toolkit-ingress-nginx + namespace: ingress-nginx +rules: + - apiGroups: + - apps + resources: + - deployments + - statefulsets + verbs: + - get + - watch + - list +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: k8s-toolkit-ingress-nginx + namespace: ingress-nginx +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: k8s-toolkit-ingress-nginx +subjects: + - kind: ServiceAccount + name: k8s-toolkit-ingress-nginx + namespace: ingress-nginx +--- +apiVersion: batch/v1 +kind: Job +metadata: + annotations: + argocd.argoproj.io/sync-wave: '20' + name: wait-ingress-nginx + namespace: ingress-nginx +spec: + template: + spec: + containers: + - args: + - wait-for + - deployment + - --namespace + - ingress-nginx + - --label + - app.kubernetes.io/name=ingress-nginx + image: ghcr.io/konstructio/kubernetes-toolkit:v0.1.3 + imagePullPolicy: IfNotPresent + name: wait + restartPolicy: OnFailure + serviceAccountName: k8s-toolkit-ingress-nginx diff --git a/templates/controlplane-template/templates/components/nginx-apex/config-map.yaml b/templates/controlplane-template/templates/components/nginx-apex/config-map.yaml new file mode 100644 index 0000000..65aafa6 --- /dev/null +++ b/templates/controlplane-template/templates/components/nginx-apex/config-map.yaml @@ -0,0 +1,109 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: index-html-configmap + namespace: default +data: + index.html: | + + + + + + + Kubefirst + + + + + + + +
+
+ +
+
+

Hello World!

+

+ Kubefirst has added this apex site at the domain's apex to allow the Google bots to safely + onboard the cluster's new domain. +

+

+ You can adjust this site in your new + kubefirst gitops repository. +

+

Learn more about this apex site.

+
+
+ + + diff --git a/templates/controlplane-template/templates/components/nginx-apex/ingress.yaml b/templates/controlplane-template/templates/components/nginx-apex/ingress.yaml new file mode 100644 index 0000000..19101d6 --- /dev/null +++ b/templates/controlplane-template/templates/components/nginx-apex/ingress.yaml @@ -0,0 +1,38 @@ +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: nginx-apex + namespace: default + labels: + app.kubernetes.io/name: nginx + app.kubernetes.io/instance: nginx + annotations: + kubernetes.io/ingress.class: nginx + {{- if .Values.certManager.issuerAnnotation1 }} + {{ .Values.certManager.issuerAnnotation1 }} + {{- end }} + {{- if .Values.certManager.issuerAnnotation2 }} + {{ .Values.certManager.issuerAnnotation2 }} + {{- end }} + {{- if .Values.certManager.issuerAnnotation3 }} + {{ .Values.certManager.issuerAnnotation3 }} + {{- end }} + {{- if .Values.certManager.issuerAnnotation4 }} + {{ .Values.certManager.issuerAnnotation4 }} + {{- end }} +spec: + rules: + - host: {{ .Values.domainName }} + http: + paths: + - path: / + pathType: ImplementationSpecific + backend: + service: + name: nginx + port: + name: http + tls: + - hosts: + - {{ .Values.domainName }} + secretName: nginx-apex-tls diff --git a/templates/controlplane-template/templates/components/nginx-apex/kustomization.yaml b/templates/controlplane-template/templates/components/nginx-apex/kustomization.yaml new file mode 100644 index 0000000..512cc53 --- /dev/null +++ b/templates/controlplane-template/templates/components/nginx-apex/kustomization.yaml @@ -0,0 +1,8 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +namespace: argocd + +resources: + - github.com:kubefirst/manifests.git/nginx/apex?ref=main + - ingress.yaml + - config-map.yaml diff --git a/templates/controlplane-template/templates/components/nginx-apex/wait.yaml b/templates/controlplane-template/templates/components/nginx-apex/wait.yaml new file mode 100644 index 0000000..377e215 
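Review bot: The four `{{ .Values.certManager.issuerAnnotationN }}` lines splice free-form strings into the `annotations:` map, so any value that is not exactly one `key: value` pair (or that contains a newline) renders invalid or unintended YAML, and nothing in the template validates the shape. A map in values rendered with `toYaml` keeps the annotations structured and removes the fixed cap of four; `issuerAnnotations` below is a constructed example of such a key. `kubernetes.io/ingress.class: nginx` is also the deprecated annotation form; `spec.ingressClassName: nginx` is the supported equivalent.
```yaml
  annotations:
    {{- with .Values.certManager.issuerAnnotations }}
    {{- toYaml . | nindent 4 }}
    {{- end }}
spec:
  ingressClassName: nginx
  # … unchanged: rules and tls …
```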
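Review bot: `github.com:kubefirst/manifests.git/nginx/apex?ref=main` pulls a remote kustomize base from a mutable branch, so whatever lands on `main` in that repository is applied to this cluster by an Application with `prune`/`selfHeal` enabled and no review step in this repo; pin it to a tag or commit, e.g. `?ref=<commit-sha>`. The `namespace: argocd` on the Kustomization will also rewrite the namespace of `ingress.yaml` and `config-map.yaml`, which declare `default`, while the sibling `wait.yaml` polls for the deployment in `nginx-apex`; as far as this commit shows, those three cannot all be right, so one namespace should be chosen and the others aligned.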
--- /dev/null +++ b/templates/controlplane-template/templates/components/nginx-apex/wait.yaml @@ -0,0 +1,59 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: k8s-toolkit-nginx-apex + namespace: nginx-apex +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: k8s-toolkit-nginx-apex + namespace: nginx-apex +rules: + - apiGroups: + - apps + resources: + - deployments + - statefulsets + verbs: + - get + - watch + - list +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: k8s-toolkit-nginx-apex + namespace: nginx-apex +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: k8s-toolkit-nginx-apex +subjects: + - kind: ServiceAccount + name: k8s-toolkit-nginx-apex + namespace: nginx-apex +--- +apiVersion: batch/v1 +kind: Job +metadata: + annotations: + argocd.argoproj.io/sync-wave: '20' + name: wait-nginx-apex + namespace: nginx-apex +spec: + template: + spec: + containers: + - args: + - wait-for + - deployment + - --namespace + - nginx-apex + - --label + - app.kubernetes.io/name=nginx-apex + image: ghcr.io/konstructio/kubernetes-toolkit:v0.1.3 + imagePullPolicy: IfNotPresent + name: wait + restartPolicy: OnFailure + serviceAccountName: k8s-toolkit-nginx-apex diff --git a/templates/controlplane-template/templates/components/reloader/application.yaml b/templates/controlplane-template/templates/components/reloader/application.yaml new file mode 100644 index 0000000..5353788 --- /dev/null +++ b/templates/controlplane-template/templates/components/reloader/application.yaml 
@@ -0,0 +1,33 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: reloader
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+ namespace: argocd
+ annotations:
+ argocd.argoproj.io/sync-wave: '10'
+spec:
+ project: default
+ source:
+ repoURL: 'https://stakater.github.io/stakater-charts'
+ targetRevision: v1.0.10
+ chart: reloader
+ helm:
+ values: |-
+ ignoreSecrets: false
+ destination:
+ server: 'https://kubernetes.default.svc'
+ namespace: reloader
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
+ retry:
+ limit: 5
+ backoff:
+ duration: 5s
+ maxDuration: 5m0s
+ factor: 2
diff --git a/templates/controlplane-template/templates/components/reloader/wait.yaml b/templates/controlplane-template/templates/components/reloader/wait.yaml
new file mode 100644
index 0000000..d2e9893
--- /dev/null
+++ b/templates/controlplane-template/templates/components/reloader/wait.yaml
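Review bot: `destination.server: 'https://kubernetes.default.svc'` and `project: default` are hard-coded here while the parent `reloader-components` Application and the other component apps target `.Values.clusterDestination` and `.Values.project`; if `clusterDestination` is ever pointed at a workload cluster, reloader still lands on the management cluster. Use `name: {{ .Values.clusterDestination }}` and `project: {{ .Values.project }}` for consistency. `ignoreSecrets: false` is the intended setting for a controller that restarts pods on Secret changes, but a one-line comment saying so would save the next reader a lookup.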
@@ -0,0 +1,59 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: k8s-toolkit-reloader + namespace: reloader +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: k8s-toolkit-reloader + namespace: reloader +rules: + - apiGroups: + - apps + resources: + - deployments + - statefulsets + verbs: + - get + - watch + - list +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: k8s-toolkit-reloader + namespace: reloader +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: k8s-toolkit-reloader +subjects: + - kind: ServiceAccount + name: k8s-toolkit-reloader + namespace: reloader +--- +apiVersion: batch/v1 +kind: Job +metadata: + annotations: + argocd.argoproj.io/sync-wave: '20' + name: wait-reloader + namespace: reloader +spec: + template: + spec: + containers: + - args: + - wait-for + - deployment + - --namespace + - reloader + - --label + - app=reloader-reloader + image: ghcr.io/konstructio/kubernetes-toolkit:v0.1.3 + imagePullPolicy: IfNotPresent + name: wait + restartPolicy: OnFailure + serviceAccountName: k8s-toolkit-reloader diff --git a/templates/controlplane-template/templates/crossplane.yaml b/templates/controlplane-template/templates/crossplane.yaml new file mode 100644 index 0000000..c92434b --- /dev/null +++ b/templates/controlplane-template/templates/crossplane.yaml @@ -0,0 +1,25 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: crossplane-components + namespace: argocd + annotations: + argocd.argoproj.io/sync-wave: '60' + finalizers: + - resources-finalizer.argocd.argoproj.io +spec: + project: {{ .Values.project }} + source: + repoURL: {{ .Values.gitopsRepoUrl }} + path: registry/clusters/{{ .Values.clusterName }}/components/crossplane + targetRevision: HEAD + destination: + name: {{ .Values.clusterDestination }} + namespace: crossplane-system + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true + - Replace=true 
diff --git a/templates/controlplane-template/templates/external-dns.yaml b/templates/controlplane-template/templates/external-dns.yaml new file mode 100644 index 0000000..61eaad3 --- /dev/null +++ b/templates/controlplane-template/templates/external-dns.yaml @@ -0,0 +1,24 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: external-dns-components + finalizers: + - resources-finalizer.argocd.argoproj.io + namespace: argocd + annotations: + argocd.argoproj.io/sync-wave: '10' +spec: + project: {{ .Values.project }} + source: + repoURL: {{ .Values.gitopsRepoUrl }} + path: registry/clusters/{{ .Values.clusterName }}/components/external-dns + targetRevision: HEAD + destination: + name: {{ .Values.clusterDestination }} + namespace: external-dns + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true diff --git a/templates/controlplane-template/templates/external-secrets-operator.yaml b/templates/controlplane-template/templates/external-secrets-operator.yaml new file mode 100644 index 0000000..19f1a38 --- /dev/null +++ b/templates/controlplane-template/templates/external-secrets-operator.yaml @@ -0,0 +1,24 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: external-secrets-operator-components + finalizers: + - resources-finalizer.argocd.argoproj.io + namespace: argocd + annotations: + argocd.argoproj.io/sync-wave: '30' +spec: + project: {{ .Values.project }} + source: + repoURL: {{ .Values.gitopsRepoUrl }} + path: registry/clusters/{{ .Values.clusterName }}/components/external-secrets-operator + targetRevision: HEAD + destination: + name: {{ .Values.clusterDestination }} + namespace: external-secrets-operator + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true diff --git a/templates/controlplane-template/templates/github-runner.yaml b/templates/controlplane-template/templates/github-runner.yaml new file mode 100644 index 0000000..026cb74 
--- /dev/null +++ b/templates/controlplane-template/templates/github-runner.yaml @@ -0,0 +1,33 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: github-runner-components + finalizers: + - resources-finalizer.argocd.argoproj.io + namespace: argocd + annotations: + argocd.argoproj.io/sync-wave: '60' +spec: + project: {{ .Values.project }} + source: + repoURL: {{ .Values.gitopsRepoUrl }} + path: registry/clusters/{{ .Values.clusterName }}/components/github-runner + targetRevision: HEAD + destination: + name: {{ .Values.clusterDestination }} + namespace: github-runner + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true + - ApplyOutOfSyncOnly=true + - Replace=true + - PruneLast=true + retry: + limit: 5 + backoff: + duration: 5s + maxDuration: 5m0s + factor: 2 diff --git a/templates/controlplane-template/templates/ingress-nginx.yaml b/templates/controlplane-template/templates/ingress-nginx.yaml new file mode 100644 index 0000000..d0d5a4b --- /dev/null +++ b/templates/controlplane-template/templates/ingress-nginx.yaml @@ -0,0 +1,24 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: ingress-nginx-components + finalizers: + - resources-finalizer.argocd.argoproj.io + namespace: argocd + annotations: + argocd.argoproj.io/sync-wave: '10' +spec: + project: {{ .Values.project }} + source: + repoURL: {{ .Values.gitopsRepoUrl }} + path: registry/clusters/{{ .Values.clusterName }}/components/ingress-nginx + targetRevision: HEAD + destination: + name: {{ .Values.clusterDestination }} + namespace: ingress-nginx + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true diff --git a/templates/controlplane-template/templates/nginx-apex.yaml b/templates/controlplane-template/templates/nginx-apex.yaml new file mode 100644 index 0000000..ebeb333 --- /dev/null +++ b/templates/controlplane-template/templates/nginx-apex.yaml 
@@ -0,0 +1,24 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + finalizers: + - resources-finalizer.argocd.argoproj.io + name: nginx-apex-components + namespace: argocd + annotations: + argocd.argoproj.io/sync-wave: '11' +spec: + project: {{ .Values.project }} + source: + repoURL: {{ .Values.gitopsRepoUrl }} + path: registry/clusters/{{ .Values.clusterName }}/components/nginx-apex + targetRevision: HEAD + destination: + name: {{ .Values.clusterDestination }} + namespace: default + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true diff --git a/templates/controlplane-template/templates/registry.yaml b/templates/controlplane-template/templates/registry.yaml new file mode 100644 index 0000000..bd32d42 --- /dev/null +++ b/templates/controlplane-template/templates/registry.yaml @@ -0,0 +1,30 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: registry + namespace: argocd + annotations: + argocd.argoproj.io/sync-wave: '1001' + finalizers: + - resources-finalizer.argocd.argoproj.io +spec: + project: {{ .Values.project }} + source: + repoURL: {{ .Values.gitopsRepoUrl }} + path: registry/clusters/{{ .Values.clusterName }} + targetRevision: HEAD + destination: + server: https://kubernetes.default.svc + namespace: argocd + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true + retry: + limit: 5 + backoff: + duration: 5s + maxDuration: 5m0s + factor: 2 diff --git a/templates/controlplane-template/templates/reloader.yaml b/templates/controlplane-template/templates/reloader.yaml new file mode 100644 index 0000000..118df7b --- /dev/null +++ b/templates/controlplane-template/templates/reloader.yaml 
@@ -0,0 +1,24 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: reloader-components + finalizers: + - resources-finalizer.argocd.argoproj.io + namespace: argocd + annotations: + argocd.argoproj.io/sync-wave: '60' +spec: + project: {{ .Values.project }} + source: + repoURL: {{ .Values.gitopsRepoUrl }} + path: registry/clusters/{{ .Values.clusterName }}/components/reloader + targetRevision: HEAD + destination: + name: {{ .Values.clusterDestination }} + namespace: reloader + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true diff --git a/templates/controlplane-template/values.yaml b/templates/controlplane-template/values.yaml new file mode 100644 index 0000000..d45def1 --- /dev/null +++ b/templates/controlplane-template/values.yaml 
@@ -0,0 +1,169 @@ +# Management Cluster Template Configuration +# This values file contains all configurable parameters for deploying the management cluster components + +# ============================================================================= +# GLOBAL/COMMON VALUES +# ============================================================================= + +# @input.type: string +# @input.description: Cluster name identifier used in registry paths +# @input.required: true +# @input.default: mgmt +clusterName: mgmt + +# @input.type: string +# @input.description: GitOps repository URL for ArgoCD sync +# @input.required: true +# @input.default: https://github.com/example/gitops-repo +gitopsRepoUrl: https://github.com/example/gitops-repo + +# @input.type: string +# @input.description: Domain name for all services (e.g., example.com) +# @input.required: true +# @input.default: example.com +domainName: example.com + +# @input.type: string +# @input.description: Target cluster destination for ArgoCD applications +# @input.required: true +# @input.default: in-cluster +clusterDestination: in-cluster + +# @input.type: string +# @input.description: ArgoCD project name for applications +# @input.required: true +# @input.default: default +project: default + +# @input.type: string +# @input.description: Cloud region for services (e.g., NYC1, us-east-1) +# @input.required: true +# @input.default: NYC1 +cloudRegion: NYC1 + +# @input.type: string +# @input.description: State store bucket name for artifacts and state +# @input.required: true +# @input.default: kubefirst-state-store +kubefirstStateStoreBucket: kubefirst-state-store + +# @input.type: string +# @input.description: Email address for alerts and certificate notifications +# @input.required: true +# @input.default: alerts@example.com +alertsEmail: alerts@example.com + +# ============================================================================= +# GIT PROVIDER SETTINGS +# 
============================================================================= + +# @input.type: enum +# @input.description: Git provider type (github or gitlab) +# @input.options: github,gitlab +# @input.required: true +# @input.default: github +gitProvider: github + +# @input.type: string +# @input.description: GitHub organization or user name +# @input.required: false +# @input.default: "" +githubOwner: "" + +# @input.type: string +# @input.description: GitLab group or user name +# @input.required: false +# @input.default: "" +gitlabOwner: "" + +# ============================================================================= +# CERT MANAGER ISSUER ANNOTATIONS +# ============================================================================= + +certManager: + # @input.type: string + # @input.description: First cert-manager issuer annotation (key: value format) + # @input.required: false + # @input.default: "cert-manager.io/cluster-issuer: letsencrypt-prod" + issuerAnnotation1: "cert-manager.io/cluster-issuer: letsencrypt-prod" + + # @input.type: string + # @input.description: Second cert-manager issuer annotation (optional) + # @input.required: false + # @input.default: "" + issuerAnnotation2: "" + + # @input.type: string + # @input.description: Third cert-manager issuer annotation (optional) + # @input.required: false + # @input.default: "" + issuerAnnotation3: "" + + # @input.type: string + # @input.description: Fourth cert-manager issuer annotation (optional) + # @input.required: false + # @input.default: "" + issuerAnnotation4: "" + +# ============================================================================= +# EXTERNAL DNS SETTINGS +# ============================================================================= + +externalDns: + # @input.type: string + # @input.description: External DNS provider name (e.g., cloudflare, route53, civo) + # @input.required: true + # @input.default: cloudflare + providerName: cloudflare + + # @input.type: string + # 
@input.description: Domain name filter for external DNS + # @input.required: true + # @input.default: example.com + domainName: example.com + + # @input.type: string + # @input.description: Environment variable name for provider token + # @input.required: true + # @input.default: CF_API_TOKEN + providerTokenEnvName: CF_API_TOKEN + +# ============================================================================= +# ATLANTIS SETTINGS +# ============================================================================= + +atlantis: + # @input.type: string + # @input.description: Atlantis repository allowlist (e.g., github.com/org/*) + # @input.required: true + # @input.default: github.com/example/* + allowList: github.com/example/* + +# ============================================================================= +# COMPONENT VERSIONS (Chart Versions) +# ============================================================================= + +versions: + # @input.type: string + # @input.description: Atlantis Helm chart version + # @input.required: false + # @input.default: 4.11.2 + atlantis: "4.11.2" + + # @input.type: string + # @input.description: External DNS Helm chart version + # @input.required: false + # @input.default: 1.14.4 + externalDns: "1.14.4" + + # @input.type: string + # @input.description: ChartMuseum Helm chart version + # @input.required: false + # @input.default: 3.9.3 + chartmuseum: "3.9.3" + + # @input.type: string + # @input.description: Argo Workflows Helm chart version + # @input.required: false + # @input.default: 0.20.1 + argoWorkflows: "0.20.1" From f43b7df36a45be712c1c478f6ba8f3d9ff1265af Mon Sep 17 00:00:00 2001 
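Review bot: `domainName` and `externalDns.domainName` are separate inputs with the same default; the apex Ingress uses `.Values.domainName` as its host while external-dns filters records on `.Values.externalDns.domainName`, so a user who changes only one of them ends up with an Ingress host outside the DNS filter and no record created. Either derive the filter from the global value in the external-dns Application (`- {{ .Values.domainName }}`) or state in the `@input.description` that the two must match. The `@input.default` comments for `versions.*` repeat the literal one line below; they agree today, but a tool that reads the annotations will not notice when they diverge, so a note on which one is authoritative would help.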
From: mrrishi Date: Sun, 15 Feb 2026 15:13:14 +0530 Subject: [PATCH 3/7] add v2 template for cp --- .../templates/argo-workflows.yaml | 24 --- .../templates/atlantis.yaml | 30 --- .../templates/chartmuseum.yaml | 24 --- .../templates/cluster-secret-store.yaml | 30 --- .../argo-workflows/application.yaml | 101 ---------- .../argo-workflows/argo-workflows-cwfts.yaml | 24 --- .../argo-workflows/cloudflareissuer.yaml | 31 --- .../argo-workflows/cwfts/cwft-git.yaml | 178 ------------------ .../argo-workflows/cwfts/cwft-helm.yaml | 129 ------------- .../argo-workflows/cwfts/cwft-kaniko.yaml | 84 --------- .../argo-workflows/externalsecret.yaml | 59 ------ .../argo-workflows/serviceaccount.yaml | 52 ----- .../components/argo-workflows/vault-wait.yaml | 24 --- .../components/argo-workflows/wait.yaml | 83 -------- .../argo-workflows/wait/vault-tls.yaml | 46 ----- .../components/argocd/externalsecrets.yaml | 24 --- .../components/atlantis/application.yaml | 79 -------- .../components/atlantis/cloudflareissuer.yaml | 31 --- .../components/atlantis/externalsecret.yaml | 16 -- .../templates/components/atlantis/wait.yaml | 59 ------ .../components/chartmuseum/application.yaml | 63 ------- .../chartmuseum/cloudflareissuer.yaml | 31 --- .../chartmuseum/externalsecret.yaml | 17 -- .../components/chartmuseum/wait.yaml | 59 ------ .../clustersecretstore.yaml | 22 --- .../components/cluster-secret-store/wait.yaml | 40 ---- .../crossplane-system/crossplane-system.yaml | 4 +- .../crossplane/provider/controllerconfig.yaml | 73 +++++-- .../provider/crossplane-secrets.yaml | 51 +++++ .../components/crossplane/provider/svc.yaml | 44 +++++ .../provider/terraform-provider.yaml | 4 +- .../external-secrets-operator.yaml | 2 +- 32 files changed, 154 insertions(+), 1384 deletions(-) delete mode 100644 templates/controlplane-template/templates/argo-workflows.yaml delete mode 100644 templates/controlplane-template/templates/atlantis.yaml delete mode 100644 
templates/controlplane-template/templates/chartmuseum.yaml delete mode 100644 templates/controlplane-template/templates/cluster-secret-store.yaml delete mode 100644 templates/controlplane-template/templates/components/argo-workflows/application.yaml delete mode 100644 templates/controlplane-template/templates/components/argo-workflows/argo-workflows-cwfts.yaml delete mode 100644 templates/controlplane-template/templates/components/argo-workflows/cloudflareissuer.yaml delete mode 100644 templates/controlplane-template/templates/components/argo-workflows/cwfts/cwft-git.yaml delete mode 100644 templates/controlplane-template/templates/components/argo-workflows/cwfts/cwft-helm.yaml delete mode 100644 templates/controlplane-template/templates/components/argo-workflows/cwfts/cwft-kaniko.yaml delete mode 100644 templates/controlplane-template/templates/components/argo-workflows/externalsecret.yaml delete mode 100644 templates/controlplane-template/templates/components/argo-workflows/serviceaccount.yaml delete mode 100644 templates/controlplane-template/templates/components/argo-workflows/vault-wait.yaml delete mode 100644 templates/controlplane-template/templates/components/argo-workflows/wait.yaml delete mode 100644 templates/controlplane-template/templates/components/argo-workflows/wait/vault-tls.yaml delete mode 100644 templates/controlplane-template/templates/components/argocd/externalsecrets.yaml delete mode 100644 templates/controlplane-template/templates/components/atlantis/application.yaml delete mode 100644 templates/controlplane-template/templates/components/atlantis/cloudflareissuer.yaml delete mode 100644 templates/controlplane-template/templates/components/atlantis/externalsecret.yaml delete mode 100644 templates/controlplane-template/templates/components/atlantis/wait.yaml delete mode 100644 templates/controlplane-template/templates/components/chartmuseum/application.yaml delete mode 100644 
templates/controlplane-template/templates/components/chartmuseum/cloudflareissuer.yaml delete mode 100644 templates/controlplane-template/templates/components/chartmuseum/externalsecret.yaml delete mode 100644 templates/controlplane-template/templates/components/chartmuseum/wait.yaml delete mode 100644 templates/controlplane-template/templates/components/cluster-secret-store/clustersecretstore.yaml delete mode 100644 templates/controlplane-template/templates/components/cluster-secret-store/wait.yaml create mode 100644 templates/controlplane-template/templates/components/crossplane/provider/crossplane-secrets.yaml create mode 100644 templates/controlplane-template/templates/components/crossplane/provider/svc.yaml diff --git a/templates/controlplane-template/templates/argo-workflows.yaml b/templates/controlplane-template/templates/argo-workflows.yaml deleted file mode 100644 index abfef09..0000000 --- a/templates/controlplane-template/templates/argo-workflows.yaml +++ /dev/null @@ -1,24 +0,0 @@ -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: argo-components - finalizers: - - resources-finalizer.argocd.argoproj.io - namespace: argocd - annotations: - argocd.argoproj.io/sync-wave: '50' -spec: - project: {{ .Values.project }} - source: - repoURL: {{ .Values.gitopsRepoUrl }} - path: registry/clusters/{{ .Values.clusterName }}/components/argo-workflows - targetRevision: HEAD - destination: - name: {{ .Values.clusterDestination }} - namespace: argo - syncPolicy: - automated: - prune: true - selfHeal: true - syncOptions: - - CreateNamespace=true diff --git a/templates/controlplane-template/templates/atlantis.yaml b/templates/controlplane-template/templates/atlantis.yaml deleted file mode 100644 index be68115..0000000 --- a/templates/controlplane-template/templates/atlantis.yaml +++ /dev/null 
@@ -1,30 +0,0 @@ -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: atlantis-components - finalizers: - - resources-finalizer.argocd.argoproj.io - namespace: argocd - annotations: - argocd.argoproj.io/sync-wave: '50' -spec: - project: {{ .Values.project }} - source: - repoURL: {{ .Values.gitopsRepoUrl }} - path: registry/clusters/{{ .Values.clusterName }}/components/atlantis - targetRevision: HEAD - destination: - name: {{ .Values.clusterDestination }} - namespace: atlantis - syncPolicy: - automated: - prune: true - selfHeal: true - syncOptions: - - CreateNamespace=true - retry: - limit: 5 - backoff: - duration: 5s - maxDuration: 5m0s - factor: 2 diff --git a/templates/controlplane-template/templates/chartmuseum.yaml b/templates/controlplane-template/templates/chartmuseum.yaml deleted file mode 100644 index ee4ee62..0000000 --- a/templates/controlplane-template/templates/chartmuseum.yaml +++ /dev/null @@ -1,24 +0,0 @@ -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: chartmuseum-components - finalizers: - - resources-finalizer.argocd.argoproj.io - namespace: argocd - annotations: - argocd.argoproj.io/sync-wave: '50' -spec: - project: {{ .Values.project }} - source: - repoURL: {{ .Values.gitopsRepoUrl }} - path: registry/clusters/{{ .Values.clusterName }}/components/chartmuseum - targetRevision: HEAD - destination: - name: {{ .Values.clusterDestination }} - namespace: chartmuseum - syncPolicy: - automated: - prune: true - selfHeal: true - syncOptions: - - CreateNamespace=true diff --git a/templates/controlplane-template/templates/cluster-secret-store.yaml b/templates/controlplane-template/templates/cluster-secret-store.yaml deleted file mode 100644 index 0cc1571..0000000 --- a/templates/controlplane-template/templates/cluster-secret-store.yaml +++ /dev/null 
@@ -1,30 +0,0 @@ -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: cluster-secret-store - finalizers: - - resources-finalizer.argocd.argoproj.io - namespace: argocd - annotations: - argocd.argoproj.io/sync-wave: '40' -spec: - project: {{ .Values.project }} - source: - repoURL: {{ .Values.gitopsRepoUrl }} - path: registry/clusters/{{ .Values.clusterName }}/components/cluster-secret-store - targetRevision: HEAD - destination: - name: {{ .Values.clusterDestination }} - namespace: external-secrets-operator - syncPolicy: - automated: - prune: true - selfHeal: true - syncOptions: - - CreateNamespace=true - retry: - limit: 5 - backoff: - duration: 5s - maxDuration: 5m0s - factor: 2 diff --git a/templates/controlplane-template/templates/components/argo-workflows/application.yaml b/templates/controlplane-template/templates/components/argo-workflows/application.yaml deleted file mode 100644 index 19333c1..0000000 --- a/templates/controlplane-template/templates/components/argo-workflows/application.yaml +++ /dev/null 
@@ -1,101 +0,0 @@ -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: argo - finalizers: - - resources-finalizer.argocd.argoproj.io - namespace: argocd - annotations: - argocd.argoproj.io/sync-wave: '10' -spec: - project: {{ .Values.project }} - source: - repoURL: https://argoproj.github.io/argo-helm - targetRevision: {{ .Values.versions.argoWorkflows }} - helm: - values: |- - nameOverride: argo - executor: - resources: - requests: - cpu: 200m - memory: 256Mi - limits: - cpu: 1 - memory: 1024Mi - server: - secure: false - extraArgs: - - --auth-mode=client - - --auth-mode=sso - ingress: - enabled: true - ingressClassName: nginx - annotations: - {{- if .Values.certManager.issuerAnnotation1 }} - {{ .Values.certManager.issuerAnnotation1 }} - {{- end }} - {{- if .Values.certManager.issuerAnnotation2 }} - {{ .Values.certManager.issuerAnnotation2 }} - {{- end }} - {{- if .Values.certManager.issuerAnnotation3 }} - {{ .Values.certManager.issuerAnnotation3 }} - {{- end }} - {{- if .Values.certManager.issuerAnnotation4 }} - {{ .Values.certManager.issuerAnnotation4 }} - {{- end }} - hosts: - - argo.{{ .Values.domainName }} - paths: - - / - pathType: Prefix - tls: - - secretName: argo-tls - hosts: - - argo.{{ .Values.domainName }} - sso: - issuer: https://vault.{{ .Values.domainName }}/v1/identity/oidc/provider/kubefirst - clientId: - name: argo-secrets - key: client-id - clientSecret: - name: argo-secrets - key: client-secret - redirectUrl: https://argo.{{ .Values.domainName }}/oauth2/callback - scopes: - - email - - openid - - groups - - user - - profile - # RBAC Config. 
>= v2.12 - rbac: - enabled: true - useDefaultArtifactRepo: true - useStaticCredentials: true - artifactRepository: - archiveLogs: false - s3: - accessKeySecret: - name: ci-secrets - key: accesskey - secretKeySecret: - name: ci-secrets - key: secretkey - insecure: false - bucket: {{ .Values.kubefirstStateStoreBucket }} - endpoint: objectstore.{{ .Values.cloudRegion }}.civo.com - region: {{ .Values.cloudRegion }} - useSDKCreds: false - encryptionOptions: - enableEncryption: false - chart: argo-workflows - destination: - name: {{ .Values.clusterDestination }} - namespace: argo - syncPolicy: - automated: - prune: true - selfHeal: true - syncOptions: - - CreateNamespace=true diff --git a/templates/controlplane-template/templates/components/argo-workflows/argo-workflows-cwfts.yaml b/templates/controlplane-template/templates/components/argo-workflows/argo-workflows-cwfts.yaml deleted file mode 100644 index a985a86..0000000 --- a/templates/controlplane-template/templates/components/argo-workflows/argo-workflows-cwfts.yaml +++ /dev/null @@ -1,24 +0,0 @@ -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: argo-cwfts - finalizers: - - resources-finalizer.argocd.argoproj.io - namespace: argocd - annotations: - argocd.argoproj.io/sync-wave: '30' -spec: - project: {{ .Values.project }} - source: - repoURL: {{ .Values.gitopsRepoUrl }} - path: registry/clusters/{{ .Values.clusterName }}/components/argo-workflows/cwfts - targetRevision: HEAD - destination: - name: {{ .Values.clusterDestination }} - namespace: argo - syncPolicy: - automated: - prune: true - selfHeal: true - syncOptions: - - CreateNamespace=true diff --git a/templates/controlplane-template/templates/components/argo-workflows/cloudflareissuer.yaml b/templates/controlplane-template/templates/components/argo-workflows/cloudflareissuer.yaml deleted file mode 100644 index 0e2593d..0000000 --- a/templates/controlplane-template/templates/components/argo-workflows/cloudflareissuer.yaml +++ /dev/null 
@@ -1,31 +0,0 @@ -apiVersion: external-secrets.io/v1beta1 -kind: ExternalSecret -metadata: - name: cloudflare-creds - namespace: argo - annotations: - argocd.argoproj.io/sync-wave: "0" -spec: - target: - name: cloudflare-creds - secretStoreRef: - kind: ClusterSecretStore - name: vault-kv-secret - refreshInterval: 10s - data: - - remoteRef: - key: cloudflare - property: origin-ca-api-key - secretKey: origin-ca-api-key ---- -apiVersion: cert-manager.k8s.cloudflare.com/v1 -kind: OriginIssuer -metadata: - name: cloudflare-origin-issuer - namespace: argo -spec: - requestType: OriginECC - auth: - serviceKeyRef: - key: origin-ca-api-key - name: cloudflare-creds diff --git a/templates/controlplane-template/templates/components/argo-workflows/cwfts/cwft-git.yaml b/templates/controlplane-template/templates/components/argo-workflows/cwfts/cwft-git.yaml deleted file mode 100644 index 4271e3f..0000000 --- a/templates/controlplane-template/templates/components/argo-workflows/cwfts/cwft-git.yaml +++ /dev/null 
@@ -1,178 +0,0 @@ -apiVersion: argoproj.io/v1alpha1 -kind: ClusterWorkflowTemplate -metadata: - name: cwft-git - annotations: - argocd.argoproj.io/sync-wave: '55' -spec: - templates: - - name: checkout-with-gitops-ssh - inputs: - parameters: - - name: appName - - name: branch - default: main - - name: gitUrlNoProtocol - artifacts: - - name: repo-source - path: '/src/{{`{{inputs.parameters.appName}}`}}' - git: - repo: '{{`{{inputs.parameters.gitUrlNoProtocol}}`}}/{{`{{inputs.parameters.appName}}`}}.git' - branch: '{{`{{inputs.parameters.branch}}`}}' - singleBranch: true - insecureIgnoreHostKey: true - sshPrivateKeySecret: - name: ci-secrets - key: SSH_PRIVATE_KEY - - name: gitops-source - path: /src/gitops - git: - repo: '{{`{{inputs.parameters.gitUrlNoProtocol}}`}}/gitops.git' - branch: 'main' - singleBranch: true - insecureIgnoreHostKey: true - sshPrivateKeySecret: - name: ci-secrets - key: SSH_PRIVATE_KEY - container: - image: golang:latest - command: ['/bin/sh', '-c'] - args: - - ls -la /src && - ls -la /src/{{`{{inputs.parameters.appName}}`}} - outputs: - artifacts: - - name: repo-source - path: /src - - name: checkout-with-gitops-https - inputs: - parameters: - - name: appName - - name: branch - default: main - - name: gitUrlNoProtocol - artifacts: - - name: repo-source - path: '/src/{{`{{inputs.parameters.appName}}`}}' - git: - repo: '{{`{{inputs.parameters.gitUrlNoProtocol}}`}}/{{`{{inputs.parameters.appName}}`}}.git' - branch: '{{`{{inputs.parameters.branch}}`}}' - singleBranch: true - insecureIgnoreHostKey: true - usernameSecret: - name: ci-secrets - key: BASIC_AUTH_USER - passwordSecret: - name: ci-secrets - key: PERSONAL_ACCESS_TOKEN - - name: gitops-source - path: /src/gitops - git: - repo: '{{`{{inputs.parameters.gitUrlNoProtocol}}`}}/gitops.git' - branch: 'main' - singleBranch: true - insecureIgnoreHostKey: true - usernameSecret: - name: ci-secrets - key: BASIC_AUTH_USER - passwordSecret: - name: ci-secrets - key: PERSONAL_ACCESS_TOKEN - container: - 
image: golang:latest - command: ['/bin/sh', '-c'] - args: - - ls -la /src && - ls -la /src/{{`{{inputs.parameters.appName}}`}} - outputs: - artifacts: - - name: repo-source - path: /src - - name: pull-commit-push-ssh - retryStrategy: - limit: '5' - # todo get ssh item not all secrets - volumes: - - name: ssh-key - secret: - defaultMode: 256 - secretName: ci-secrets - inputs: - artifacts: - - name: repo-source - path: /src - parameters: - - name: commitMessage - - name: gitUrlNoProtocol - - name: repoName - container: - workingDir: '/src/{{`{{inputs.parameters.repoName}}`}}' - image: golang:latest - command: ['/bin/sh', '-c'] - volumeMounts: - - mountPath: '/mnt/secrets' - name: ssh-key - readOnly: true - args: - - set -e; - - eval `ssh-agent -s`; - mkdir $HOME/.ssh; - cat /mnt/secrets/SSH_PRIVATE_KEY > $HOME/.ssh/id_ed25519; - echo -n "\\n" >> $HOME/.ssh/id_ed25519; - chmod 0600 $HOME/.ssh/id_ed25519; - ssh-add $HOME/.ssh/id_ed25519; - - echo "Host *" >> $HOME/.ssh/config; - echo " StrictHostKeyChecking no" >> $HOME/.ssh/config; - echo " User git" >> $HOME/.ssh/config; - echo " IdentitiesOnly yes" >> $HOME/.ssh/config; - echo " UserKnownHostsFile /dev/null" >> $HOME/.ssh/config; - chmod 0700 $HOME/.ssh/config; - - git config --global user.email 'k-ray@example.com'; - git config --global user.name 'kbot'; - git remote set-url origin '{{`{{inputs.parameters.gitUrlNoProtocol}}`}}/{{`{{inputs.parameters.repoName}}`}}.git'; - git remote -v; - git status; - git pull; - git add .; - git commit -m "{{`{{inputs.parameters.commitMessage}}`}}" || echo "Assuming this was committed on previous run, not erroring out" ; - git push; - - name: pull-commit-push-https - retryStrategy: - limit: '5' - # todo get ssh item not all secrets - inputs: - artifacts: - - name: repo-source - path: /src - parameters: - - name: commitMessage - - name: gitUrlNoProtocol - - name: repoName - container: - workingDir: '/src/{{`{{inputs.parameters.repoName}}`}}' - image: golang:latest - command: 
['/bin/bash', '-c'] - env: - - name: GIT_TOKEN - valueFrom: - secretKeyRef: - name: ci-secrets - key: PERSONAL_ACCESS_TOKEN - args: - - set -e; - - git config --global user.email 'k-ray@example.com'; - git config --global user.name 'kbot'; - echo "set url to https://kbot:token@{{ .Values.gitProvider }}.com/the_rest_of_the input slug"; - input_url='{{`{{inputs.parameters.gitUrlNoProtocol}}`}}/{{`{{inputs.parameters.repoName}}`}}.git'; - origin_url="${input_url/"https://{{ .Values.gitProvider }}.com"/"https://kbot:$GIT_TOKEN@{{ .Values.gitProvider }}.com"}"; - git remote set-url origin $origin_url; - git remote -v; - git status; - git pull; - git add .; - git commit -m "{{`{{inputs.parameters.commitMessage}}`}}" || echo "Assuming this was committed on previous run, not erroring out" ; - git push; diff --git a/templates/controlplane-template/templates/components/argo-workflows/cwfts/cwft-helm.yaml b/templates/controlplane-template/templates/components/argo-workflows/cwfts/cwft-helm.yaml deleted file mode 100644 index 81802dd..0000000 --- a/templates/controlplane-template/templates/components/argo-workflows/cwfts/cwft-helm.yaml +++ /dev/null 
@@ -1,129 +0,0 @@ -apiVersion: argoproj.io/v1alpha1 -kind: ClusterWorkflowTemplate -metadata: - name: cwft-helm - annotations: - argocd.argoproj.io/sync-wave: '55' -spec: - templates: - - name: get-chart-version - inputs: - artifacts: - - name: repo-source - path: /src - parameters: - - name: appName - - name: chartDir - script: - image: kubefirst/chubbo:0.2 - command: [python3] - workingDir: '/src/{{`{{inputs.parameters.appName}}`}}' - source: | - import yaml, semver - with open('./{{`{{inputs.parameters.chartDir}}`}}/Chart.yaml') as f: - chart_yaml = yaml.load(f, Loader=yaml.FullLoader) - print(chart_yaml['version']) - - name: set-chart-versions - inputs: - artifacts: - - name: repo-source - path: /src - parameters: - - name: appName - - name: chartDir - - name: chartVersion - - name: shortSha - script: - image: kubefirst/chubbo:0.2 - command: [bash] - workingDir: '/src/{{`{{inputs.parameters.appName}}`}}' - source: | - set -e - NEW_CHART_VERSION={{`{{inputs.parameters.chartVersion}}`}} - echo "setting ./{{`{{inputs.parameters.chartDir}}`}}/Chart.yaml to version: ${NEW_CHART_VERSION}" - sed -i "s/version:.*/version: ${NEW_CHART_VERSION}/g" /src/{{`{{inputs.parameters.appName}}`}}/{{`{{inputs.parameters.chartDir}}`}}/Chart.yaml - echo "setting ./{{`{{inputs.parameters.chartDir}}`}}/Chart.yaml to appVersion: {{`{{inputs.parameters.shortSha}}`}}" - sed -i "s/appVersion:.*/appVersion: '{{`{{inputs.parameters.shortSha}}`}}'/g" /src/{{`{{inputs.parameters.appName}}`}}/{{`{{inputs.parameters.chartDir}}`}}/Chart.yaml - echo "adjusted chart:" - cat /src/{{`{{inputs.parameters.appName}}`}}/{{`{{inputs.parameters.chartDir}}`}}/Chart.yaml - outputs: - artifacts: - - name: repo-source - path: /src - - name: publish-chart - retryStrategy: - limit: '5' - inputs: - artifacts: - - name: repo-source - path: /src - parameters: - - name: appName - - name: chartDir - container: - image: kubefirst/chubbo:0.2 - command: ['bash', '-c'] - workingDir: 
'/src/{{`{{inputs.parameters.appName}}`}}' - args: - - helm repo add kubefirst http://chartmuseum.chartmuseum.svc.cluster.local:8080 --username ${BASIC_AUTH_USER} --password ${BASIC_AUTH_PASS} || bash -c "sleep 10 && echo 'waiting before trying again' && exit 1"; - helm push {{`{{inputs.parameters.chartDir}}`}} kubefirst || bash -c "sleep 10 && echo 'waiting before trying again' && exit 1"; - env: - - name: BASIC_AUTH_PASS - valueFrom: - secretKeyRef: - name: ci-secrets - key: BASIC_AUTH_PASS - - name: BASIC_AUTH_USER - valueFrom: - secretKeyRef: - name: ci-secrets - key: BASIC_AUTH_USER - - name: set-environment-version - inputs: - artifacts: - - name: repo-source - path: /src - parameters: - - name: chartVersion - - name: environment - - name: fullChartPath - script: - image: kubefirst/chubbo:0.2 - command: [bash] - workingDir: '/src/gitops' - source: | - set -e - echo "setting wrapper Chart.yaml to version: {{`{{inputs.parameters.chartVersion}}`}}" - sed -i "s/ version:.*/ version: {{`{{inputs.parameters.chartVersion}}`}}/g" "{{`{{inputs.parameters.fullChartPath}}`}}" - echo "updated {{`{{inputs.parameters.environment}}`}} wrapper chart version to {{`{{inputs.parameters.chartVersion}}`}}" - outputs: - artifacts: - - name: repo-source - path: /src - - name: increment-chart-minor - inputs: - artifacts: - - name: repo-source - path: /src - parameters: - - name: appName - - name: chartDir - - name: chartVersion - script: - image: kubefirst/chubbo:0.2 - command: [python3] - workingDir: '/src/{{`{{inputs.parameters.appName}}`}}' - source: | - import yaml, semver - with open('./{{`{{inputs.parameters.chartDir}}`}}/Chart.yaml') as f: - chart_yaml = yaml.load(f, Loader=yaml.FullLoader) - chart_version = semver.parse('{{`{{inputs.parameters.chartVersion}}`}}') - next_chart_version = '{}.{}.0'.format(chart_version['major'],chart_version['minor']+1) - chart_yaml['version'] = next_chart_version - with open('./{{`{{inputs.parameters.chartDir}}`}}/Chart.yaml', 'w') as f: - 
yaml.dump(chart_yaml, f) - print('prepared next release in {{`{{inputs.parameters.chartDir}}`}} with bumped chart version after releasing {}'.format(next_chart_version)) - outputs: - artifacts: - - name: repo-source - path: /src diff --git a/templates/controlplane-template/templates/components/argo-workflows/cwfts/cwft-kaniko.yaml b/templates/controlplane-template/templates/components/argo-workflows/cwfts/cwft-kaniko.yaml deleted file mode 100644 index 20a21f8..0000000 --- a/templates/controlplane-template/templates/components/argo-workflows/cwfts/cwft-kaniko.yaml +++ /dev/null 
@@ -1,84 +0,0 @@ -apiVersion: argoproj.io/v1alpha1 -kind: ClusterWorkflowTemplate -metadata: - name: cwft-kaniko -spec: - entrypoint: build-push - templates: - - name: build-push-ssh - inputs: - parameters: - - name: appName - - name: branch - - name: containerRegistryURL - - name: gitUrlNoProtocol - artifacts: - - name: app-source - path: '/src/{{`{{inputs.parameters.appName}}`}}' - git: - repo: '{{`{{inputs.parameters.gitUrlNoProtocol}}`}}/{{`{{inputs.parameters.appName}}`}}.git' - branch: '{{`{{inputs.parameters.branch}}`}}' - singleBranch: true - insecureIgnoreHostKey: true - sshPrivateKeySecret: - name: ci-secrets - key: SSH_PRIVATE_KEY - volumes: - - name: docker-config - secret: - secretName: 'container-registry-auth' - container: - image: gcr.io/kaniko-project/executor:latest - volumeMounts: - - name: docker-config - mountPath: /.docker - env: - - name: DOCKER_CONFIG - value: /.docker - args: - - '--dockerfile' - - 'Dockerfile' - - '--context' - - 'dir:///src/{{`{{inputs.parameters.appName}}`}}/' - - '--destination' - - '{{`{{inputs.parameters.containerRegistryURL}}`}}' - - name: build-push-https - inputs: - parameters: - - name: appName - - name: branch - - name: containerRegistryURL - - name: gitUrlNoProtocol - artifacts: - - name: app-source - path: '/src/{{`{{inputs.parameters.appName}}`}}' - git: - repo: '{{`{{inputs.parameters.gitUrlNoProtocol}}`}}/{{`{{inputs.parameters.appName}}`}}.git' - branch: '{{`{{inputs.parameters.branch}}`}}' - singleBranch: true - insecureIgnoreHostKey: true - usernameSecret: - name: ci-secrets - key: BASIC_AUTH_USER - passwordSecret: - name: ci-secrets - key: PERSONAL_ACCESS_TOKEN - volumes: - - name: docker-config - secret: - secretName: 'container-registry-auth' - container: - image: gcr.io/kaniko-project/executor:latest - volumeMounts: - - name: docker-config - mountPath: /.docker - env: - - name: DOCKER_CONFIG - value: /.docker - args: - - '--dockerfile' - - 'Dockerfile' - - '--context' - - 
'dir:///src/{{`{{inputs.parameters.appName}}`}}/' - - '--destination' - - '{{`{{inputs.parameters.containerRegistryURL}}`}}' diff --git a/templates/controlplane-template/templates/components/argo-workflows/externalsecret.yaml b/templates/controlplane-template/templates/components/argo-workflows/externalsecret.yaml deleted file mode 100644 index a276c8c..0000000 --- a/templates/controlplane-template/templates/components/argo-workflows/externalsecret.yaml +++ /dev/null @@ -1,59 +0,0 @@ -apiVersion: external-secrets.io/v1beta1 -kind: ExternalSecret -metadata: - name: ci-secrets - namespace: argo - annotations: - argocd.argoproj.io/sync-wave: '0' -spec: - target: - name: ci-secrets - secretStoreRef: - kind: ClusterSecretStore - name: vault-kv-secret - refreshInterval: 10s - dataFrom: - - extract: - key: /ci-secrets ---- -apiVersion: 'external-secrets.io/v1beta1' -kind: ExternalSecret -metadata: - name: argo-secrets - annotations: - argocd.argoproj.io/sync-wave: '0' -spec: - target: - name: argo-secrets - secretStoreRef: - kind: ClusterSecretStore - name: vault-kv-secret - refreshInterval: 10s - data: - - remoteRef: - key: oidc/argo - property: client_id - secretKey: client-id - - remoteRef: - key: oidc/argo - property: client_secret - secretKey: client-secret ---- -apiVersion: 'external-secrets.io/v1beta1' -kind: ExternalSecret -metadata: - name: container-registry-auth - annotations: - argocd.argoproj.io/sync-wave: '0' -spec: - target: - name: container-registry-auth - secretStoreRef: - kind: ClusterSecretStore - name: vault-kv-secret - refreshInterval: 10s - data: - - remoteRef: - key: registry-auth - property: auth - secretKey: config.json diff --git a/templates/controlplane-template/templates/components/argo-workflows/serviceaccount.yaml b/templates/controlplane-template/templates/components/argo-workflows/serviceaccount.yaml deleted file mode 100644 index b18f586..0000000 
--- a/templates/controlplane-template/templates/components/argo-workflows/serviceaccount.yaml +++ /dev/null @@ -1,52 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - name: argo-admin - annotations: - argocd.argoproj.io/sync-wave: '0' - # The rule is an expression used to determine if this service account - # should be used. - # * `groups` - an array of the OIDC groups - # * `iss` - the issuer ("argo-server") - # * `sub` - the subject (typically the username) - # Must evaluate to a boolean. - # If you want an account to be the default to use, this rule can be "true". - # Details of the expression language are available in - # https://github.com/antonmedv/expr/blob/master/docs/Language-Definition.md. - workflows.argoproj.io/rbac-rule: "'admins' in groups" - # The precedence is used to determine which service account to use whe - # Precedence is an integer. It may be negative. If omitted, it defaults to "0". - # Numerically higher values have higher precedence (not lower, which maybe - # counter-intuitive to you). - # If two rules match and have the same precedence, then which one used will - # be arbitrary. - workflows.argoproj.io/rbac-rule-precedence: '1' -secrets: -- name: argo-admin ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: argo-developer - annotations: - argocd.argoproj.io/sync-wave: '0' - workflows.argoproj.io/rbac-rule: "'developers' in groups" - workflows.argoproj.io/rbac-rule-precedence: '0' -secrets: -- name: argo-developer ---- -apiVersion: v1 -kind: Secret -metadata: - name: argo-admin - annotations: - kubernetes.io/service-account.name: argo-admin -type: kubernetes.io/service-account-token ---- -apiVersion: v1 -kind: Secret -metadata: - name: argo-developer - annotations: - kubernetes.io/service-account.name: argo-developer -type: kubernetes.io/service-account-token 
diff --git a/templates/controlplane-template/templates/components/argo-workflows/vault-wait.yaml b/templates/controlplane-template/templates/components/argo-workflows/vault-wait.yaml deleted file mode 100644 index ef58ba1..0000000 --- a/templates/controlplane-template/templates/components/argo-workflows/vault-wait.yaml +++ /dev/null @@ -1,24 +0,0 @@ -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: vault-wait - namespace: argocd - annotations: - argocd.argoproj.io/sync-wave: '0' - finalizers: - - resources-finalizer.argocd.argoproj.io -spec: - project: {{ .Values.project }} - source: - repoURL: {{ .Values.gitopsRepoUrl }} - path: registry/clusters/{{ .Values.clusterName }}/components/argo-workflows/wait - targetRevision: HEAD - destination: - name: {{ .Values.clusterDestination }} - namespace: vault - syncPolicy: - automated: - prune: true - selfHeal: true - syncOptions: - - CreateNamespace=true diff --git a/templates/controlplane-template/templates/components/argo-workflows/wait.yaml b/templates/controlplane-template/templates/components/argo-workflows/wait.yaml deleted file mode 100644 index 40c40e1..0000000 --- a/templates/controlplane-template/templates/components/argo-workflows/wait.yaml +++ /dev/null 
@@ -1,83 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - name: k8s-toolkit-argo - namespace: argo ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: k8s-toolkit-argo - namespace: argo -rules: - - apiGroups: - - apps - resources: - - deployments - - statefulsets - verbs: - - get - - watch - - list ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: k8s-toolkit-argo - namespace: argo -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: k8s-toolkit-argo -subjects: - - kind: ServiceAccount - name: k8s-toolkit-argo - namespace: argo ---- -apiVersion: batch/v1 -kind: Job -metadata: - annotations: - argocd.argoproj.io/sync-wave: '20' - name: wait-argo-workflow-controller - namespace: argo -spec: - template: - spec: - containers: - - args: - - wait-for - - deployment - - --namespace - - argo - - --label - - app.kubernetes.io/name=argo-workflow-controller - image: ghcr.io/konstructio/kubernetes-toolkit:v0.1.3 - imagePullPolicy: IfNotPresent - name: wait - restartPolicy: OnFailure - serviceAccountName: k8s-toolkit-argo ---- -apiVersion: batch/v1 -kind: Job -metadata: - annotations: - argocd.argoproj.io/sync-wave: '20' - name: wait-argo-server - namespace: argo -spec: - template: - spec: - containers: - - args: - - wait-for - - deployment - - --namespace - - argo - - --label - - app.kubernetes.io/name=argo-server - image: ghcr.io/konstructio/kubernetes-toolkit:v0.1.3 - imagePullPolicy: IfNotPresent - name: wait - restartPolicy: OnFailure - serviceAccountName: k8s-toolkit-argo diff --git a/templates/controlplane-template/templates/components/argo-workflows/wait/vault-tls.yaml b/templates/controlplane-template/templates/components/argo-workflows/wait/vault-tls.yaml deleted file mode 100644 index 6108f22..0000000 --- a/templates/controlplane-template/templates/components/argo-workflows/wait/vault-tls.yaml +++ /dev/null 
@@ -1,46 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - name: k8s-toolkit-vault-tls - namespace: vault ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: k8s-toolkit-vault-tls - namespace: vault -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cert-manager-view -subjects: - - kind: ServiceAccount - name: k8s-toolkit-vault-tls - namespace: vault ---- -apiVersion: batch/v1 -kind: Job -metadata: - annotations: - argocd.argoproj.io/sync-wave: '0' - argocd.argoproj.io/sync-options: Force=true,Replace=true - name: wait-vault-tls - namespace: vault -spec: - template: - spec: - containers: - - args: - - wait-for - - certificate - - --namespace - - vault - - --name - - vault-tls - - --timeout-seconds - - '3600' - image: ghcr.io/konstructio/kubernetes-toolkit:v0.1.3 - imagePullPolicy: IfNotPresent - name: wait - restartPolicy: OnFailure - serviceAccountName: k8s-toolkit-vault-tls diff --git a/templates/controlplane-template/templates/components/argocd/externalsecrets.yaml b/templates/controlplane-template/templates/components/argocd/externalsecrets.yaml deleted file mode 100644 index e4a5ede..0000000 --- a/templates/controlplane-template/templates/components/argocd/externalsecrets.yaml +++ /dev/null @@ -1,24 +0,0 @@ -apiVersion: "external-secrets.io/v1alpha1" -kind: ExternalSecret -metadata: - name: argocd-oidc-secret - labels: - app.kubernetes.io/part-of: argocd -spec: - target: - name: argocd-oidc-secret - secretStoreRef: - kind: ClusterSecretStore - name: vault-kv-secret - refreshInterval: 10s - data: - - remoteRef: - conversionStrategy: Default - key: oidc/argocd - property: client_secret - secretKey: clientSecret - - remoteRef: - conversionStrategy: Default - key: oidc/argocd - property: client_id - secretKey: clientId 
diff --git a/templates/controlplane-template/templates/components/atlantis/application.yaml b/templates/controlplane-template/templates/components/atlantis/application.yaml deleted file mode 100644 index 648219e..0000000 --- a/templates/controlplane-template/templates/components/atlantis/application.yaml +++ /dev/null 
@@ -1,79 +0,0 @@ -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: atlantis - finalizers: - - resources-finalizer.argocd.argoproj.io - namespace: argocd - annotations: - argocd.argoproj.io/sync-wave: '10' -spec: - project: {{ .Values.project }} - source: - repoURL: https://runatlantis.github.io/helm-charts - chart: atlantis - targetRevision: {{ .Values.versions.atlantis }} - helm: - values: |- - statefulSet: - annotations: - secret.reloader.stakater.com/reload: "atlantis-secrets" - atlantisUrl: https://atlantis.{{ .Values.domainName }} - orgAllowlist: {{ .Values.atlantis.allowList }} - hidePrevPlanComments: true - serviceAccount: - create: false - mount: true - resources: - limits: - cpu: 400m - memory: 1Gi - requests: - cpu: 400m - memory: 512Mi - ingress: - enabled: true - annotations: - {{- if .Values.certManager.issuerAnnotation1 }} - {{ .Values.certManager.issuerAnnotation1 }} - {{- end }} - {{- if .Values.certManager.issuerAnnotation2 }} - {{ .Values.certManager.issuerAnnotation2 }} - {{- end }} - {{- if .Values.certManager.issuerAnnotation3 }} - {{ .Values.certManager.issuerAnnotation3 }} - {{- end }} - {{- if .Values.certManager.issuerAnnotation4 }} - {{ .Values.certManager.issuerAnnotation4 }} - {{- end }} - path: / - host: atlantis.{{ .Values.domainName }} - ingressClassName: "nginx" - tls: - - secretName: atlantis-tls - hosts: - - atlantis.{{ .Values.domainName }} - loadEnvFromSecrets: - - atlantis-secrets - repoConfig: | - --- - repos: - - id: {{ .Values.atlantis.allowList }} - workflow: default - allowed_overrides: [apply_requirements] - apply_requirements: [mergeable] - destination: - name: {{ .Values.clusterDestination }} - namespace: atlantis - syncPolicy: - automated: - prune: true - selfHeal: true - syncOptions: - - CreateNamespace=true - retry: - limit: 5 - backoff: - duration: 5s - maxDuration: 5m0s - factor: 2 
diff --git a/templates/controlplane-template/templates/components/atlantis/cloudflareissuer.yaml b/templates/controlplane-template/templates/components/atlantis/cloudflareissuer.yaml deleted file mode 100644 index 1926218..0000000 --- a/templates/controlplane-template/templates/components/atlantis/cloudflareissuer.yaml +++ /dev/null @@ -1,31 +0,0 @@ -apiVersion: external-secrets.io/v1beta1 -kind: ExternalSecret -metadata: - name: cloudflare-creds - namespace: atlantis - annotations: - argocd.argoproj.io/sync-wave: "0" -spec: - target: - name: cloudflare-creds - secretStoreRef: - kind: ClusterSecretStore - name: vault-kv-secret - refreshInterval: 10s - data: - - remoteRef: - key: cloudflare - property: origin-ca-api-key - secretKey: origin-ca-api-key ---- -apiVersion: cert-manager.k8s.cloudflare.com/v1 -kind: OriginIssuer -metadata: - name: cloudflare-origin-issuer - namespace: atlantis -spec: - requestType: OriginECC - auth: - serviceKeyRef: - key: origin-ca-api-key - name: cloudflare-creds diff --git a/templates/controlplane-template/templates/components/atlantis/externalsecret.yaml b/templates/controlplane-template/templates/components/atlantis/externalsecret.yaml deleted file mode 100644 index 334d4bf..0000000 --- a/templates/controlplane-template/templates/components/atlantis/externalsecret.yaml +++ /dev/null @@ -1,16 +0,0 @@ -apiVersion: external-secrets.io/v1beta1 -kind: ExternalSecret -metadata: - name: atlantis-secrets - annotations: - argocd.argoproj.io/sync-wave: '0' -spec: - target: - name: atlantis-secrets - secretStoreRef: - kind: ClusterSecretStore - name: vault-kv-secret - refreshInterval: 10s - dataFrom: - - extract: - key: /atlantis diff --git a/templates/controlplane-template/templates/components/atlantis/wait.yaml b/templates/controlplane-template/templates/components/atlantis/wait.yaml deleted file mode 100644 index 049580f..0000000 --- a/templates/controlplane-template/templates/components/atlantis/wait.yaml +++ /dev/null 
@@ -1,59 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - name: k8s-toolkit-atlantis - namespace: atlantis ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: k8s-toolkit-atlantis - namespace: atlantis -rules: - - apiGroups: - - apps - resources: - - deployments - - statefulsets - verbs: - - get - - watch - - list ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: k8s-toolkit-atlantis - namespace: atlantis -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: k8s-toolkit-atlantis -subjects: - - kind: ServiceAccount - name: k8s-toolkit-atlantis - namespace: atlantis ---- -apiVersion: batch/v1 -kind: Job -metadata: - annotations: - argocd.argoproj.io/sync-wave: '20' - name: wait-atlantis - namespace: atlantis -spec: - template: - spec: - containers: - - args: - - wait-for - - statefulset - - --namespace - - atlantis - - --label - - app=atlantis - image: ghcr.io/konstructio/kubernetes-toolkit:v0.1.3 - imagePullPolicy: IfNotPresent - name: wait - restartPolicy: OnFailure - serviceAccountName: k8s-toolkit-atlantis diff --git a/templates/controlplane-template/templates/components/chartmuseum/application.yaml b/templates/controlplane-template/templates/components/chartmuseum/application.yaml deleted file mode 100644 index 71fc22f..0000000 --- a/templates/controlplane-template/templates/components/chartmuseum/application.yaml +++ /dev/null 
@@ -1,63 +0,0 @@ -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: chartmuseum - finalizers: - - resources-finalizer.argocd.argoproj.io - namespace: argocd - annotations: - argocd.argoproj.io/sync-wave: '10' -spec: - project: {{ .Values.project }} - source: - repoURL: https://chartmuseum.github.io/charts - targetRevision: {{ .Values.versions.chartmuseum }} - helm: - values: |- - env: - open: - AUTH_ANONYMOUS_GET: true - STORAGE: amazon - STORAGE_AMAZON_BUCKET: {{ .Values.kubefirstStateStoreBucket }} - STORAGE_AMAZON_PREFIX: kubefirst-charts - STORAGE_AMAZON_REGION: {{ .Values.cloudRegion }} - STORAGE_AMAZON_ENDPOINT: https://objectstore.{{ .Values.cloudRegion }}.civo.com - DISABLE_API: false - existingSecret: chartmuseum-secrets - existingSecretMappings: - BASIC_AUTH_USER: BASIC_AUTH_USER - BASIC_AUTH_PASS: BASIC_AUTH_PASS - AWS_ACCESS_KEY_ID: AWS_ACCESS_KEY_ID - AWS_SECRET_ACCESS_KEY: AWS_SECRET_ACCESS_KEY - ingress: - enabled: true - pathType: "Prefix" - annotations: - {{- if .Values.certManager.issuerAnnotation1 }} - {{ .Values.certManager.issuerAnnotation1 }} - {{- end }} - {{- if .Values.certManager.issuerAnnotation2 }} - {{ .Values.certManager.issuerAnnotation2 }} - {{- end }} - {{- if .Values.certManager.issuerAnnotation3 }} - {{ .Values.certManager.issuerAnnotation3 }} - {{- end }} - {{- if .Values.certManager.issuerAnnotation4 }} - {{ .Values.certManager.issuerAnnotation4 }} - {{- end }} - hosts: - - name: chartmuseum.{{ .Values.domainName }} - path: / - tls: true - tlsSecret: chartmuseum-tls - ingressClassName: nginx - chart: chartmuseum - destination: - name: {{ .Values.clusterDestination }} - namespace: chartmuseum - syncPolicy: - automated: - prune: true - selfHeal: true - syncOptions: - - CreateNamespace=true 
diff --git a/templates/controlplane-template/templates/components/chartmuseum/cloudflareissuer.yaml b/templates/controlplane-template/templates/components/chartmuseum/cloudflareissuer.yaml deleted file mode 100644 index 64630f8..0000000 --- a/templates/controlplane-template/templates/components/chartmuseum/cloudflareissuer.yaml +++ /dev/null @@ -1,31 +0,0 @@ -apiVersion: external-secrets.io/v1beta1 -kind: ExternalSecret -metadata: - name: cloudflare-creds - namespace: chartmuseum - annotations: - argocd.argoproj.io/sync-wave: "0" -spec: - target: - name: cloudflare-creds - secretStoreRef: - kind: ClusterSecretStore - name: vault-kv-secret - refreshInterval: 10s - data: - - remoteRef: - key: cloudflare - property: origin-ca-api-key - secretKey: origin-ca-api-key ---- -apiVersion: cert-manager.k8s.cloudflare.com/v1 -kind: OriginIssuer -metadata: - name: cloudflare-origin-issuer - namespace: chartmuseum -spec: - requestType: OriginECC - auth: - serviceKeyRef: - key: origin-ca-api-key - name: cloudflare-creds diff --git a/templates/controlplane-template/templates/components/chartmuseum/externalsecret.yaml b/templates/controlplane-template/templates/components/chartmuseum/externalsecret.yaml deleted file mode 100644 index 020f387..0000000 --- a/templates/controlplane-template/templates/components/chartmuseum/externalsecret.yaml +++ /dev/null @@ -1,17 +0,0 @@ -apiVersion: external-secrets.io/v1beta1 -kind: ExternalSecret -metadata: - name: chartmuseum-secrets - namespace: chartmuseum - annotations: - argocd.argoproj.io/sync-wave: "0" -spec: - target: - name: chartmuseum-secrets - secretStoreRef: - kind: ClusterSecretStore - name: vault-kv-secret - refreshInterval: 10s - dataFrom: - - extract: - key: /chartmuseum diff --git a/templates/controlplane-template/templates/components/chartmuseum/wait.yaml b/templates/controlplane-template/templates/components/chartmuseum/wait.yaml deleted file mode 100644 index 77a0c7a..0000000 
--- a/templates/controlplane-template/templates/components/chartmuseum/wait.yaml +++ /dev/null @@ -1,59 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - name: k8s-toolkit-chartmuseum - namespace: chartmuseum ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: k8s-toolkit-chartmuseum - namespace: chartmuseum -rules: - - apiGroups: - - apps - resources: - - deployments - - statefulsets - verbs: - - get - - watch - - list ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: k8s-toolkit-chartmuseum - namespace: chartmuseum -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: k8s-toolkit-chartmuseum -subjects: - - kind: ServiceAccount - name: k8s-toolkit-chartmuseum - namespace: chartmuseum ---- -apiVersion: batch/v1 -kind: Job -metadata: - annotations: - argocd.argoproj.io/sync-wave: '20' - name: wait-chartmuseum - namespace: chartmuseum -spec: - template: - spec: - containers: - - args: - - wait-for - - deployment - - --namespace - - chartmuseum - - --label - - app.kubernetes.io/name=chartmuseum - image: ghcr.io/konstructio/kubernetes-toolkit:v0.1.3 - imagePullPolicy: IfNotPresent - name: wait - restartPolicy: OnFailure - serviceAccountName: k8s-toolkit-chartmuseum diff --git a/templates/controlplane-template/templates/components/cluster-secret-store/clustersecretstore.yaml b/templates/controlplane-template/templates/components/cluster-secret-store/clustersecretstore.yaml deleted file mode 100644 index 33cbc8f..0000000 --- a/templates/controlplane-template/templates/components/cluster-secret-store/clustersecretstore.yaml +++ /dev/null 
@@ -1,22 +0,0 @@ -apiVersion: external-secrets.io/v1beta1 -kind: ClusterSecretStore -metadata: - name: vault-kv-secret - annotations: - argocd.argoproj.io/sync-wave: '10' -spec: - provider: - vault: - server: 'http://vault.vault.svc:8200' - # Path is the mount path of the Vault KV backend endpoint - path: 'secret' - version: 'v2' - auth: - kubernetes: - # Path where the Kubernetes authentication backend is mounted in Vault - mountPath: 'kubernetes/kubefirst' - # A required field containing the Vault Role to assume. - role: 'external-secrets' - serviceAccountRef: - name: 'external-secrets' - namespace: 'external-secrets-operator' diff --git a/templates/controlplane-template/templates/components/cluster-secret-store/wait.yaml b/templates/controlplane-template/templates/components/cluster-secret-store/wait.yaml deleted file mode 100644 index 635429c..0000000 --- a/templates/controlplane-template/templates/components/cluster-secret-store/wait.yaml +++ /dev/null 
@@ -1,40 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - name: eso-clustersecretstore - namespace: external-secrets-operator ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: eso-clustersecretstore - namespace: external-secrets-operator -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: external-secrets-operator-view -subjects: -- kind: ServiceAccount - name: eso-clustersecretstore - namespace: external-secrets-operator ---- -apiVersion: batch/v1 -kind: Job -metadata: - annotations: - argocd.argoproj.io/sync-wave: "20" - name: wait-vault-kv-secret - namespace: external-secrets-operator -spec: - template: - spec: - containers: - - name: wait - image: dtzar/helm-kubectl:3.19.0 - command: - - /bin/sh - - -c - - | - while ! kubectl get clustersecretstore/vault-kv-secret --namespace external-secrets-operator; do echo "waiting for external secrets store to be valid, sleeping 5 seconds"; sleep 5; done - restartPolicy: OnFailure - serviceAccountName: eso-clustersecretstore \ No newline at end of file diff --git a/templates/controlplane-template/templates/components/crossplane/crossplane-system/crossplane-system.yaml b/templates/controlplane-template/templates/components/crossplane/crossplane-system/crossplane-system.yaml index b3b9c5b..56acbf5 100644 --- a/templates/controlplane-template/templates/components/crossplane/crossplane-system/crossplane-system.yaml +++ b/templates/controlplane-template/templates/components/crossplane/crossplane-system/crossplane-system.yaml @@ -8,9 +8,9 @@ metadata: finalizers: - resources-finalizer.argocd.argoproj.io spec: - project: default + project: {{ .Values.project }} destination: - name: in-cluster + name: {{ .Values.clusterDestination }} namespace: crossplane-system source: repoURL: https://charts.crossplane.io/stable 
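Review bot: The `project`/`destination.name` templating introduced in the crossplane-system hunk is not carried through the rest of this series — the external-secrets-operator Application hunk further down still shows `project: default` as a context line, so that Application ignores `.Values.project` when a non-default AppProject is configured. If every control-plane Application is meant to honour `.Values.project` and `.Values.clusterDestination`, the same two substitutions belong there as well. Presumably the AppProject named by `.Values.project` must also list `.Values.clusterDestination` as an allowed destination; a one-line comment next to `project: {{ .Values.project }}` stating that prerequisite would save the next reader a failed sync.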
diff --git a/templates/controlplane-template/templates/components/crossplane/provider/controllerconfig.yaml b/templates/controlplane-template/templates/components/crossplane/provider/controllerconfig.yaml index c48e96e..11a60c7 100644 --- a/templates/controlplane-template/templates/components/crossplane/provider/controllerconfig.yaml +++ b/templates/controlplane-template/templates/components/crossplane/provider/controllerconfig.yaml @@ -1,23 +1,58 @@ -apiVersion: pkg.crossplane.io/v1alpha1 -kind: ControllerConfig +apiVersion: pkg.crossplane.io/v1beta1 +kind: DeploymentRuntimeConfig metadata: - annotations: - argocd.argoproj.io/sync-wave: '10' + name: terraform-config labels: app: crossplane-provider-terraform - name: terraform-config + annotations: + argocd.argoproj.io/sync-wave: '10' spec: - args: - - -d - - --poll=2m - - --max-reconcile-rate=10 - envFrom: - - secretRef: - name: crossplane-secrets - volumeMounts: - - mountPath: /.cache - name: helmcache - volumes: - - name: helmcache - emptyDir: - sizeLimit: 500Mi + deploymentTemplate: + spec: + selector: + matchLabels: + pkg.crossplane.io/provider: terraform + template: + metadata: + labels: + pkg.crossplane.io/provider: terraform + spec: + securityContext: + fsGroup: 65532 + containers: + - name: package-runtime + image: ghcr.io/konstructio/provider-terraform:v0.0.1 + args: + - -d + - --poll=4m + - --max-reconcile-rate=10 + envFrom: + - secretRef: + name: crossplane-secrets + volumeMounts: + - mountPath: /.cache + name: helmcache + - mountPath: /logs + name: shared-logs + - name: log-streamer + imagePullPolicy: Always + image: ghcr.io/konstructio/logs-streamer:v0.0.8 + ports: + - containerPort: 9090 + name: http + protocol: TCP + env: + - name: PORT + value: "9090" + - name: LOG_DIR + value: "/logs" + volumeMounts: + - mountPath: /logs + name: shared-logs + readOnly: true + volumes: + - name: helmcache + emptyDir: + sizeLimit: 500Mi + - name: shared-logs + emptyDir: {} 
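Review bot: The `image:` pinned on the `package-runtime` container (`ghcr.io/konstructio/provider-terraform:v0.0.1`) is, as far as I recall of DeploymentRuntimeConfig semantics, an override of the runtime image shipped inside the Provider package, so the `package:` bump to v0.20.0 later in this series does not decide which provider binary actually runs; add a comment above that line such as `# image override: replaces the runtime image from the Provider package — keep in step with package version` so the two pins are not bumped independently. The new `log-streamer` sidecar has no `resources` and no container-level `securityContext` (`runAsNonRoot`, `readOnlyRootFilesystem`, `allowPrivilegeEscalation: false`), in contrast to the pod-level `fsGroup: 65532` that was added. Because the provider keeps the `-d` debug flag and the sidecar serves whatever lands in `/logs`, the served content is presumably verbose Terraform output; a comment at the `shared-logs` volume stating what is expected to be written there, and that the sidecar mount is read-only by design, would document the trust boundary.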
diff --git a/templates/controlplane-template/templates/components/crossplane/provider/crossplane-secrets.yaml b/templates/controlplane-template/templates/components/crossplane/provider/crossplane-secrets.yaml new file mode 100644 index 0000000..69127cc --- /dev/null +++ b/templates/controlplane-template/templates/components/crossplane/provider/crossplane-secrets.yaml @@ -0,0 +1,51 @@ +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + annotations: + argocd.argoproj.io/sync-wave: "0" + name: crossplane-secrets + namespace: crossplane-system +spec: + dataFrom: + - extract: + conversionStrategy: Default + decodingStrategy: None + key: /crossplane + refreshInterval: 10s + secretStoreRef: + kind: ClusterSecretStore + name: vault-kv-secret + target: + creationPolicy: Owner + deletionPolicy: Retain + name: crossplane-secrets +--- +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: git-credentials + annotations: + argocd.argoproj.io/sync-wave: "0" +spec: + target: + name: git-credentials + template: + engineVersion: v2 + data: + creds: | + https://{{ .username }}:{{ .password }}@github.com + secretStoreRef: + kind: ClusterSecretStore + name: vault-kv-secret + refreshInterval: 10s + data: + - remoteRef: + key: crossplane + property: username + conversionStrategy: Default + secretKey: username + - remoteRef: + key: crossplane + property: password + conversionStrategy: Default + secretKey: password diff --git a/templates/controlplane-template/templates/components/crossplane/provider/svc.yaml b/templates/controlplane-template/templates/components/crossplane/provider/svc.yaml new file mode 100644 index 0000000..8e2aa98 --- /dev/null +++ b/templates/controlplane-template/templates/components/crossplane/provider/svc.yaml 
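Review bot: The `creds` template uses `{{ .username }}`/`{{ .password }}`, which is ESO's own Go-template syntax, but sibling files in this directory are rendered with `{{ .Values.* }}` by an outer pass first; if this file goes through the same renderer, those two placeholders are consumed (or fail) before ESO ever sees them and the resulting Secret holds an empty or malformed URL. If that is the case, escape them for the outer pass, e.g. `https://{{ "{{ .username }}" }}:{{ "{{ .password }}" }}@github.com`. Separately, `git-credentials` has no `metadata.namespace` while `crossplane-secrets` explicitly targets `crossplane-system`, so the two Secrets may land in different namespaces depending on how the manifests are applied, and the remote key is written once as `/crossplane` and once as `crossplane`; aligning both makes the pair easier to audit.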
@@ -0,0 +1,44 @@ +apiVersion: v1 +kind: Service +metadata: + name: log-streamer-service + labels: + app: log-streamer +spec: + ports: + - port: 9090 + targetPort: 9090 + protocol: TCP + name: http + selector: + pkg.crossplane.io/provider: provider-terraform + pkg.crossplane.io/revision: crossplane-provider-terraform-6fe8d52ff0a1 +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + annotations: + cert-manager.io/cluster-issuer: letsencrypt-prod + nginx.ingress.kubernetes.io/proxy-buffering: 'off' + nginx.ingress.kubernetes.io/proxy-cache-bypass: '1' + nginx.ingress.kubernetes.io/proxy-read-timeout: '3600' + nginx.ingress.kubernetes.io/proxy-send-timeout: '3600' + name: log-streamer-ingress + namespace: crossplane-system +spec: + ingressClassName: nginx + rules: + - host: logs-{{ .Values.clusterName }}.{{ .Values.domainName }} + http: + paths: + - backend: + service: + name: log-streamer-service + port: + number: 9090 + path: / + pathType: Prefix + tls: + - hosts: + - logs-{{ .Values.clusterName }}.{{ .Values.domainName }} + secretName: logs-{{ .Values.clusterName }}-cluster diff --git a/templates/controlplane-template/templates/components/crossplane/provider/terraform-provider.yaml b/templates/controlplane-template/templates/components/crossplane/provider/terraform-provider.yaml index 6403c68..8ad0079 100644 --- a/templates/controlplane-template/templates/components/crossplane/provider/terraform-provider.yaml +++ b/templates/controlplane-template/templates/components/crossplane/provider/terraform-provider.yaml @@ -5,10 +5,10 @@ metadata: argocd.argoproj.io/sync-wave: '20' name: crossplane-provider-terraform spec: - controllerConfigRef: + runtimeConfigRef: name: terraform-config ignoreCrossplaneConstraints: false - package: xpkg.upbound.io/upbound/provider-terraform:v0.12.0 + package: xpkg.upbound.io/upbound/provider-terraform:v0.20.0 packagePullPolicy: IfNotPresent revisionActivationPolicy: Automatic revisionHistoryLimit: 1 
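Review bot: The Service selector will not match the pods defined by the DeploymentRuntimeConfig in this same series: the pod template there labels `pkg.crossplane.io/provider: terraform`, whereas the selector asks for `provider-terraform`, and the second selector line pins a specific revision hash (`crossplane-provider-terraform-6fe8d52ff0a1`) that changes on every package revision — including the v0.20.0 bump in the next hunk — after which the Service selects nothing. Drop the revision line and select on a label the runtime config actually sets, e.g. `selector:` / `  pkg.crossplane.io/provider: terraform`. The Ingress publishes the provider's log stream on `logs-{{ .Values.clusterName }}.{{ .Values.domainName }}` with TLS but no authentication annotation, so Terraform output is readable by anyone who can reach the host; an auth layer (for example nginx `auth-url`/`auth-signin` annotations backed by the cluster's existing OIDC) or, at minimum, a comment stating the exposure is intentional belongs here. The `cert-manager.io/cluster-issuer: letsencrypt-prod` annotation is also hard-coded where every other Ingress in the chart uses `.Values.certManager.issuerAnnotation*`, and the Service carries no `namespace:` while the Ingress is pinned to `crossplane-system`.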
diff --git a/templates/controlplane-template/templates/components/external-secrets-operator/external-secrets-operator.yaml b/templates/controlplane-template/templates/components/external-secrets-operator/external-secrets-operator.yaml index ed43a16..550df8b 100644 --- a/templates/controlplane-template/templates/components/external-secrets-operator/external-secrets-operator.yaml +++ b/templates/controlplane-template/templates/components/external-secrets-operator/external-secrets-operator.yaml @@ -11,7 +11,7 @@ spec: project: default source: repoURL: https://charts.external-secrets.io - targetRevision: 0.8.1 + targetRevision: 0.19.2 helm: values: |- serviceAccount: From 6d3b31bdf1ae5e2bb4ec348a49b7d6764913d787 Mon Sep 17 00:00:00 2001 From: mrrishi Date: Mon, 16 Feb 2026 00:38:14 +0530 Subject: [PATCH 4/7] add v2 template for cp --- .../argocd/argocd-oidc-restart-job.yaml | 58 ------------------- .../components/argocd/kustomization.yaml | 4 +- 2 files changed, 1 insertion(+), 61 deletions(-) delete mode 100644 templates/controlplane-template/templates/components/argocd/argocd-oidc-restart-job.yaml diff --git a/templates/controlplane-template/templates/components/argocd/argocd-oidc-restart-job.yaml b/templates/controlplane-template/templates/components/argocd/argocd-oidc-restart-job.yaml deleted file mode 100644 index a666ef3..0000000 --- a/templates/controlplane-template/templates/components/argocd/argocd-oidc-restart-job.yaml +++ /dev/null 
@@ -1,58 +0,0 @@ ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: argocd-oidc-restart-job - namespace: argocd ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: argocd-oidc-restart-job - namespace: argocd -rules: - - apiGroups: - - apps - resources: - - deployments - verbs: - - get - - list - - watch - - create - - update - - patch - - delete ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: argocd-oidc-restart-job - namespace: argocd -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: argocd-oidc-restart-job -subjects: - - kind: ServiceAccount - name: argocd-oidc-restart-job - namespace: argocd ---- -apiVersion: batch/v1 -kind: Job -metadata: - name: argocd-oidc-restart-job - namespace: argocd -spec: - template: - spec: - containers: - - name: argocd-oidc-restart-job - image: dtzar/helm-kubectl:3.19.0 - command: - - /bin/sh - - -c - - echo restarting argocd-server in 15 seconds && sleep 15 && echo restarting && kubectl -n argocd get deployment/argocd-server -oyaml | kubectl -n argocd replace --force -f - - restartPolicy: OnFailure - serviceAccountName: argocd-oidc-restart-job - diff --git a/templates/controlplane-template/templates/components/argocd/kustomization.yaml b/templates/controlplane-template/templates/components/argocd/kustomization.yaml index 00ddbc5..87d6cac 100644 --- a/templates/controlplane-template/templates/components/argocd/kustomization.yaml +++ b/templates/controlplane-template/templates/components/argocd/kustomization.yaml @@ -5,10 +5,8 @@ namespace: argocd # To upgrade ArgoCD, increment the version here # https://github.com/argoproj/argo-cd/tags resources: - - github.com:konstructio/manifests.git/argocd/cloud?ref=v1.1.1 + - github.com:konstructio/manifests.git/argocd/cloud?ref=jokestax-patch-2 - argocd-ui-ingress.yaml - - externalsecrets.yaml - - argocd-oidc-restart-job.yaml patchesStrategicMerge: - argocd-cm.yaml 
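Review bot: The remote kustomize resource now points at a branch (`ref=jokestax-patch-2`) rather than a tag, so the ArgoCD manifests pulled at sync time can change without any commit in this repository, which defeats the pinning the comment two lines above (`To upgrade ArgoCD, increment the version here`) asks for; pin back to a tagged release once the patch branch is merged, e.g. `- github.com:konstructio/manifests.git/argocd/cloud?ref=<tagged-release>`. `externalsecrets.yaml` is removed from `resources:` but, going by this commit's diffstat, the file itself is not deleted, so it stays in the directory as an unreferenced manifest; either delete it or add a comment explaining why it is kept.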
From ad8c935902f721e70b28af7f7d17e1dc91d062e5 Mon Sep 17 00:00:00 2001 From: mrrishi Date: Mon, 16 Feb 2026 01:10:52 +0530 Subject: [PATCH 5/7] add v2 template for cp --- .../components/external-dns/wait.yaml | 59 ------------------- 1 file changed, 59 deletions(-) delete mode 100644 templates/controlplane-template/templates/components/external-dns/wait.yaml diff --git a/templates/controlplane-template/templates/components/external-dns/wait.yaml b/templates/controlplane-template/templates/components/external-dns/wait.yaml deleted file mode 100644 index 39d677c..0000000 --- a/templates/controlplane-template/templates/components/external-dns/wait.yaml +++ /dev/null @@ -1,59 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - name: kubernetes-toolkit - namespace: external-dns ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: kubernetes-toolkit - namespace: external-dns -rules: - - apiGroups: - - apps - resources: - - deployments - - statefulsets - verbs: - - get - - watch - - list ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: kubernetes-toolkit - namespace: external-dns -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: kubernetes-toolkit -subjects: - - kind: ServiceAccount - name: kubernetes-toolkit - namespace: external-dns ---- -apiVersion: batch/v1 -kind: Job -metadata: - annotations: - argocd.argoproj.io/sync-wave: '20' - name: kubernetes-toolkit - namespace: external-dns -spec: - template: - spec: - containers: - - args: - - wait-for - - deployment - - --namespace - - external-dns - - --label - - app.kubernetes.io/name=external-dns - image: ghcr.io/konstructio/kubernetes-toolkit:v0.1.3 - imagePullPolicy: IfNotPresent - name: kubernetes-toolkit - restartPolicy: OnFailure - serviceAccountName: kubernetes-toolkit From 509c253e665272b6f4a8e3e7039280acf1e5e912 Mon Sep 17 00:00:00 2001 
From: mrrishi Date: Mon, 16 Feb 2026 01:15:20 +0530 Subject: [PATCH 6/7] add v2 template for cp --- .../actions-runner-controller/wait.yaml | 59 ---------- .../components/cert-manager/wait-todo.yaml | 0 .../external-secrets-operator.yaml | 17 +++ .../external-secrets-operator/wait.yaml | 107 ------------------ .../components/ingress-nginx/wait.yaml | 59 ---------- .../templates/components/nginx-apex/wait.yaml | 59 ---------- 6 files changed, 17 insertions(+), 284 deletions(-) delete mode 100644 templates/controlplane-template/templates/components/actions-runner-controller/wait.yaml delete mode 100644 templates/controlplane-template/templates/components/cert-manager/wait-todo.yaml delete mode 100644 templates/controlplane-template/templates/components/external-secrets-operator/wait.yaml delete mode 100644 templates/controlplane-template/templates/components/ingress-nginx/wait.yaml delete mode 100644 templates/controlplane-template/templates/components/nginx-apex/wait.yaml diff --git a/templates/controlplane-template/templates/components/actions-runner-controller/wait.yaml b/templates/controlplane-template/templates/components/actions-runner-controller/wait.yaml deleted file mode 100644 index e63aa77..0000000 --- a/templates/controlplane-template/templates/components/actions-runner-controller/wait.yaml +++ /dev/null 
@@ -1,59 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - name: k8s-toolkit-arc - namespace: github-runner ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: k8s-toolkit-arc - namespace: github-runner -rules: - - apiGroups: - - apps - resources: - - deployments - - statefulsets - verbs: - - get - - watch - - list ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: k8s-toolkit-arc - namespace: github-runner -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: k8s-toolkit-arc -subjects: - - kind: ServiceAccount - name: k8s-toolkit-arc - namespace: github-runner ---- -apiVersion: batch/v1 -kind: Job -metadata: - annotations: - argocd.argoproj.io/sync-wave: '20' - name: wait-actions-runner-controller - namespace: github-runner -spec: - template: - spec: - containers: - - args: - - wait-for - - deployment - - --namespace - - github-runner - - --label - - app.kubernetes.io/name=actions-runner-controller - image: ghcr.io/konstructio/kubernetes-toolkit:v0.1.3 - imagePullPolicy: IfNotPresent - name: wait - restartPolicy: OnFailure - serviceAccountName: k8s-toolkit-arc diff --git a/templates/controlplane-template/templates/components/cert-manager/wait-todo.yaml b/templates/controlplane-template/templates/components/cert-manager/wait-todo.yaml deleted file mode 100644 index e69de29..0000000 diff --git a/templates/controlplane-template/templates/components/external-secrets-operator/external-secrets-operator.yaml b/templates/controlplane-template/templates/components/external-secrets-operator/external-secrets-operator.yaml index 550df8b..56bf765 100644 --- a/templates/controlplane-template/templates/components/external-secrets-operator/external-secrets-operator.yaml +++ b/templates/controlplane-template/templates/components/external-secrets-operator/external-secrets-operator.yaml 
@@ -28,6 +28,8 @@ spec: syncOptions: - CreateNamespace=true - RespectIgnoreDifferences=true + - ServerSideApply=true + - ServerSideApplyForce=true ignoreDifferences: - group: apiextensions.k8s.io kind: CustomResourceDefinition @@ -54,3 +56,18 @@ subjects: - kind: ServiceAccount name: external-secrets namespace: external-secrets-operator +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: eso-kubernetes-external-secrets-auth2 + annotations: + argocd.argoproj.io/sync-wave: '40' +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: 'cluster-admin' +subjects: + - kind: ServiceAccount + name: external-secrets + namespace: external-secrets-operator diff --git a/templates/controlplane-template/templates/components/external-secrets-operator/wait.yaml b/templates/controlplane-template/templates/components/external-secrets-operator/wait.yaml deleted file mode 100644 index 3c7d566..0000000 --- a/templates/controlplane-template/templates/components/external-secrets-operator/wait.yaml +++ /dev/null 
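Review bot: The new ClusterRoleBinding `eso-kubernetes-external-secrets-auth2` grants `cluster-admin` to the `external-secrets` ServiceAccount, which makes the operator's token equivalent to full control of the cluster and widens the blast radius of any bug or compromise in the ESO pods; the existing binding above it (whose roleRef sits outside this hunk) presumably already carries what ESO needs for Vault's Kubernetes auth, typically `system:auth-delegator`, so this binding should name only the verbs and resources ESO is actually missing rather than `cluster-admin`. If it is a temporary workaround for the 0.19.x upgrade, say so in a comment beside `name: 'cluster-admin'` together with the condition for removing it. In the first hunk, `ServerSideApplyForce=true` makes Argo CD take over fields managed by other controllers on every sync, which can silently overwrite what ESO's own controllers write into the CRDs listed under `ignoreDifferences` (presumably the webhook CA bundle); a one-line comment on why force is required would help the next reader.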
@@ -1,107 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - name: k8s-toolkit-eso - namespace: external-secrets-operator ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: k8s-toolkit-eso - namespace: external-secrets-operator -rules: - - apiGroups: - - apps - resources: - - deployments - - statefulsets - verbs: - - get - - watch - - list ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: k8s-toolkit-eso - namespace: external-secrets-operator -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: k8s-toolkit-eso -subjects: - - kind: ServiceAccount - name: k8s-toolkit-eso - namespace: external-secrets-operator ---- -apiVersion: batch/v1 -kind: Job -metadata: - annotations: - argocd.argoproj.io/sync-wave: '20' - name: wait-external-secrets-cert-controller - namespace: external-secrets-operator -spec: - template: - spec: - containers: - - args: - - wait-for - - deployment - - --namespace - - external-secrets-operator - - --label - - app.kubernetes.io/name=external-secrets-cert-controller - image: ghcr.io/konstructio/kubernetes-toolkit:v0.1.3 - imagePullPolicy: IfNotPresent - name: wait - restartPolicy: OnFailure - serviceAccountName: k8s-toolkit-eso ---- -apiVersion: batch/v1 -kind: Job -metadata: - annotations: - argocd.argoproj.io/sync-wave: '20' - name: wait-external-secrets - namespace: external-secrets-operator -spec: - template: - spec: - containers: - - args: - - wait-for - - deployment - - --namespace - - external-secrets-operator - - --label - - app.kubernetes.io/name=external-secrets - image: ghcr.io/konstructio/kubernetes-toolkit:v0.1.3 - imagePullPolicy: IfNotPresent - name: wait - restartPolicy: OnFailure - serviceAccountName: k8s-toolkit-eso ---- -apiVersion: batch/v1 -kind: Job -metadata: - annotations: - argocd.argoproj.io/sync-wave: '20' - name: wait-external-secrets-webhook - namespace: external-secrets-operator -spec: - template: - spec: - containers: - - args: - - 
wait-for - - deployment - - --namespace - - external-secrets-operator - - --label - - app.kubernetes.io/name=external-secrets-webhook - image: ghcr.io/konstructio/kubernetes-toolkit:v0.1.3 - imagePullPolicy: IfNotPresent - name: wait - restartPolicy: OnFailure - serviceAccountName: k8s-toolkit-eso diff --git a/templates/controlplane-template/templates/components/ingress-nginx/wait.yaml b/templates/controlplane-template/templates/components/ingress-nginx/wait.yaml deleted file mode 100644 index 2123e01..0000000 --- a/templates/controlplane-template/templates/components/ingress-nginx/wait.yaml +++ /dev/null @@ -1,59 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - name: k8s-toolkit-ingress-nginx - namespace: ingress-nginx ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: k8s-toolkit-ingress-nginx - namespace: ingress-nginx -rules: - - apiGroups: - - apps - resources: - - deployments - - statefulsets - verbs: - - get - - watch - - list ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: k8s-toolkit-ingress-nginx - namespace: ingress-nginx -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: k8s-toolkit-ingress-nginx -subjects: - - kind: ServiceAccount - name: k8s-toolkit-ingress-nginx - namespace: ingress-nginx ---- -apiVersion: batch/v1 -kind: Job -metadata: - annotations: - argocd.argoproj.io/sync-wave: '20' - name: wait-ingress-nginx - namespace: ingress-nginx -spec: - template: - spec: - containers: - - args: - - wait-for - - deployment - - --namespace - - ingress-nginx - - --label - - app.kubernetes.io/name=ingress-nginx - image: ghcr.io/konstructio/kubernetes-toolkit:v0.1.3 - imagePullPolicy: IfNotPresent - name: wait - restartPolicy: OnFailure - serviceAccountName: k8s-toolkit-ingress-nginx 
diff --git a/templates/controlplane-template/templates/components/nginx-apex/wait.yaml b/templates/controlplane-template/templates/components/nginx-apex/wait.yaml deleted file mode 100644 index 377e215..0000000 --- a/templates/controlplane-template/templates/components/nginx-apex/wait.yaml +++ /dev/null @@ -1,59 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - name: k8s-toolkit-nginx-apex - namespace: nginx-apex ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: k8s-toolkit-nginx-apex - namespace: nginx-apex -rules: - - apiGroups: - - apps - resources: - - deployments - - statefulsets - verbs: - - get - - watch - - list ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: k8s-toolkit-nginx-apex - namespace: nginx-apex -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: k8s-toolkit-nginx-apex -subjects: - - kind: ServiceAccount - name: k8s-toolkit-nginx-apex - namespace: nginx-apex ---- -apiVersion: batch/v1 -kind: Job -metadata: - annotations: - argocd.argoproj.io/sync-wave: '20' - name: wait-nginx-apex - namespace: nginx-apex -spec: - template: - spec: - containers: - - args: - - wait-for - - deployment - - --namespace - - nginx-apex - - --label - - app.kubernetes.io/name=nginx-apex - image: ghcr.io/konstructio/kubernetes-toolkit:v0.1.3 - imagePullPolicy: IfNotPresent - name: wait - restartPolicy: OnFailure - serviceAccountName: k8s-toolkit-nginx-apex From 5e646f51c5f4a8d53fe0c73914822a69610a2ae8 Mon Sep 17 00:00:00 2001 
From: mrrishi Date: Mon, 16 Feb 2026 01:16:32 +0530 Subject: [PATCH 7/7] add v2 template for cp --- .../components/nginx-apex/config-map.yaml | 109 ------------------ .../components/nginx-apex/ingress.yaml | 38 ------ .../components/nginx-apex/kustomization.yaml | 8 -- .../templates/nginx-apex.yaml | 24 ---- 4 files changed, 179 deletions(-) delete mode 100644 templates/controlplane-template/templates/components/nginx-apex/config-map.yaml delete mode 100644 templates/controlplane-template/templates/components/nginx-apex/ingress.yaml delete mode 100644 templates/controlplane-template/templates/components/nginx-apex/kustomization.yaml delete mode 100644 templates/controlplane-template/templates/nginx-apex.yaml diff --git a/templates/controlplane-template/templates/components/nginx-apex/config-map.yaml b/templates/controlplane-template/templates/components/nginx-apex/config-map.yaml deleted file mode 100644 index 65aafa6..0000000 --- a/templates/controlplane-template/templates/components/nginx-apex/config-map.yaml +++ /dev/null @@ -1,109 +0,0 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - name: index-html-configmap - namespace: default -data: - index.html: | - - - - - - - Kubefirst - - - - - - - -
-
- -
-
-

Hello World!

-

- Kubefirst has added this apex site at the domain's apex to allow the Google bots to safely - onboard the cluster's new domain. -

-

- You can adjust this site in your new - kubefirst gitops repository. -

-

Learn more about this apex site.

-
-
- - - diff --git a/templates/controlplane-template/templates/components/nginx-apex/ingress.yaml b/templates/controlplane-template/templates/components/nginx-apex/ingress.yaml deleted file mode 100644 index 19101d6..0000000 --- a/templates/controlplane-template/templates/components/nginx-apex/ingress.yaml +++ /dev/null @@ -1,38 +0,0 @@ -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: nginx-apex - namespace: default - labels: - app.kubernetes.io/name: nginx - app.kubernetes.io/instance: nginx - annotations: - kubernetes.io/ingress.class: nginx - {{- if .Values.certManager.issuerAnnotation1 }} - {{ .Values.certManager.issuerAnnotation1 }} - {{- end }} - {{- if .Values.certManager.issuerAnnotation2 }} - {{ .Values.certManager.issuerAnnotation2 }} - {{- end }} - {{- if .Values.certManager.issuerAnnotation3 }} - {{ .Values.certManager.issuerAnnotation3 }} - {{- end }} - {{- if .Values.certManager.issuerAnnotation4 }} - {{ .Values.certManager.issuerAnnotation4 }} - {{- end }} -spec: - rules: - - host: {{ .Values.domainName }} - http: - paths: - - path: / - pathType: ImplementationSpecific - backend: - service: - name: nginx - port: - name: http - tls: - - hosts: - - {{ .Values.domainName }} - secretName: nginx-apex-tls diff --git a/templates/controlplane-template/templates/components/nginx-apex/kustomization.yaml b/templates/controlplane-template/templates/components/nginx-apex/kustomization.yaml deleted file mode 100644 index 512cc53..0000000 --- a/templates/controlplane-template/templates/components/nginx-apex/kustomization.yaml +++ /dev/null @@ -1,8 +0,0 @@ -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -namespace: argocd - -resources: - - github.com:kubefirst/manifests.git/nginx/apex?ref=main - - ingress.yaml - - config-map.yaml diff --git a/templates/controlplane-template/templates/nginx-apex.yaml b/templates/controlplane-template/templates/nginx-apex.yaml deleted file mode 100644 index ebeb333..0000000 
--- a/templates/controlplane-template/templates/nginx-apex.yaml +++ /dev/null @@ -1,24 +0,0 @@ -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - finalizers: - - resources-finalizer.argocd.argoproj.io - name: nginx-apex-components - namespace: argocd - annotations: - argocd.argoproj.io/sync-wave: '11' -spec: - project: {{ .Values.project }} - source: - repoURL: {{ .Values.gitopsRepoUrl }} - path: registry/clusters/{{ .Values.clusterName }}/components/nginx-apex - targetRevision: HEAD - destination: - name: {{ .Values.clusterDestination }} - namespace: default - syncPolicy: - automated: - prune: true - selfHeal: true - syncOptions: - - CreateNamespace=true