diff --git a/.github/workflows-config/aws-kubernetes-eks-single-region/test_matrix.yml b/.github/workflows-config/aws-kubernetes-eks-single-region/test_matrix.yml index 4a1093fb5..b6feb861f 100644 --- a/.github/workflows-config/aws-kubernetes-eks-single-region/test_matrix.yml +++ b/.github/workflows-config/aws-kubernetes-eks-single-region/test_matrix.yml @@ -5,11 +5,11 @@ matrix: schedule_only: false scenario: - - name: eks-single-region + # - name: eks-single-region - name: eks-single-region-irsa declination: - - name: no-domain - desc: Setup chart in production-like setup with Ingress and TLS. + # - name: no-domain + # desc: Setup chart in production-like setup with Ingress and TLS. - name: domain desc: Setup chart in production-like setup without Ingress and TLS. diff --git a/.github/workflows/aws_kubernetes_eks_single_region_tests.yml b/.github/workflows/aws_kubernetes_eks_single_region_tests.yml index 001111132..7e73f083f 100644 --- a/.github/workflows/aws_kubernetes_eks_single_region_tests.yml +++ b/.github/workflows/aws_kubernetes_eks_single_region_tests.yml @@ -59,13 +59,15 @@ env: IS_RENOVATE_PR: ${{ github.event_name == 'pull_request' && github.event.pull_request.user.login == 'renovate[bot]' }} AWS_PROFILE: infraex - AWS_REGION: eu-west-2 - S3_BACKEND_BUCKET: tests-ra-aws-rosa-hcp-tf-state-eu-central-1 + # TODO: revert + AWS_REGION: eu-north-1 + S3_BACKEND_BUCKET: general-purpose-bucket-that-will-not-be-deleted S3_BUCKET_REGION: eu-central-1 TLD: camunda.ie MAIL_OVERWRITE: admin@camunda.ie - CLEANUP_CLUSTERS: ${{ github.event.inputs.delete_clusters || 'true' }} + # TODO: do it later + CLEANUP_CLUSTERS: ${{ github.event.inputs.delete_clusters || 'false' }} # TEST VARIABLES 
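Review bot: Commenting out the `eks-single-region` scenario and the `no-domain` declination silently drops those combinations from the matrix, so neither the non-IRSA path nor the Ingress-less path is exercised by CI any more, and unlike the workflow changes these lines carry no marker saying the narrowing is temporary. If this is a local-iteration shortcut, tag it so it cannot reach main unnoticed, e.g. `# TODO: revert - matrix temporarily limited to eks-single-region-irsa/domain`; if the combinations are gone for good, delete the entries instead of keeping dead commented YAML. The surviving `domain` entry's `desc` ("without Ingress and TLS") also reads as swapped with the removed `no-domain` one, given that values-domain.yml in this diff enables both ingress and TLS.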
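Review bot: `AWS_REGION: eu-north-1`, `S3_BACKEND_BUCKET: general-purpose-bucket-that-will-not-be-deleted` and `CLEANUP_CLUSTERS: ${{ github.event.inputs.delete_clusters || 'false' }}` are all marked `TODO: revert`, and the same pattern repeats with `cluster_name: lejduo783` in the matrix hunk (`@@ -116,7 +118,8`) and the hard-coded `export DOMAIN_NAME="camunda.picsou2.camunda.ie"` in the chart-values hunk (`@@ -538,7 +541,11`). Defaulting CLEANUP_CLUSTERS to 'false' means any run that does not pass `delete_clusters` leaves the EKS cluster and, by the look of the exported `AURORA_ENDPOINT`/`OPENSEARCH_HOST`, its database and search domain running until someone deletes them by hand, which is both a cost and an exposed-surface problem; a fixed cluster name presumably also makes concurrent runs collide on the same cluster and Terraform state. Keep the personal overrides out of the shared workflow — the file already reads `workflow_dispatch` inputs, so pass region, bucket and cluster name that way — and restore the committed defaults before merge.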
@@ -116,7 +118,8 @@ jobs: id: matrix with: ci_matrix_file: ${{ env.CI_MATRIX_FILE }} - cluster_name: ${{ inputs.cluster_name }} + # TODO: revert + cluster_name: lejduo783 ref_arch: ${{ inputs.ref-arch }} cluster_prefix: eks-${{ github.event.pull_request.number || '' }} is_schedule: ${{ env.IS_SCHEDULE }} @@ -231,6 +234,7 @@ jobs: { # Export to file to pass to other jobs + echo "ESO_IRSA_ARN=$ESO_IRSA_ARN" echo "CERT_MANAGER_IRSA_ARN=$CERT_MANAGER_IRSA_ARN" echo "EXTERNAL_DNS_IRSA_ARN=$EXTERNAL_DNS_IRSA_ARN" @@ -263,9 +267,7 @@ jobs: echo "OPENSEARCH_HOST=$OPENSEARCH_HOST" echo "OPENSEARCH_ROLE_NAME=$OPENSEARCH_ROLE_NAME" echo "OPENSEARCH_ROLE_ARN=$OPENSEARCH_ROLE_ARN" - echo "CAMUNDA_ZEEBE_SERVICE_ACCOUNT_NAME=$CAMUNDA_ZEEBE_SERVICE_ACCOUNT_NAME" - echo "CAMUNDA_OPERATE_SERVICE_ACCOUNT_NAME=$CAMUNDA_OPERATE_SERVICE_ACCOUNT_NAME" - echo "CAMUNDA_TASKLIST_SERVICE_ACCOUNT_NAME=$CAMUNDA_TASKLIST_SERVICE_ACCOUNT_NAME" + echo "CAMUNDA_CORE_SERVICE_ACCOUNT_NAME=$CAMUNDA_CORE_SERVICE_ACCOUNT_NAME" echo "CAMUNDA_OPTIMIZE_SERVICE_ACCOUNT_NAME=$CAMUNDA_OPTIMIZE_SERVICE_ACCOUNT_NAME" echo "AURORA_ENDPOINT=$AURORA_ENDPOINT" @@ -440,6 +442,7 @@ jobs: ./aws/kubernetes/${{ matrix.scenario.name }}/procedure/install-cert-manager.sh ./aws/kubernetes/${{ matrix.scenario.name }}/procedure/install-cert-manager-issuer.sh + ./aws/kubernetes/${{ matrix.scenario.name }}/procedure/install-eso.sh - name: 🌱 Register chart setup environment values timeout-minutes: 3 
@@ -538,7 +541,11 @@ jobs: cp -f aws/kubernetes/${{ matrix.scenario.name }}/helm-values/values-${{ matrix.declination.name }}.yml ./values.yml if [[ "${{ matrix.declination.name }}" == "domain" ]]; then - export DOMAIN_NAME="${{ matrix.distro.clusterName }}-${{ matrix.scenario.shortName }}.${{ env.TLD }}" + # TODO; revert to export DOMAIN_NAME="${{ matrix.distro.clusterName }}-${{ matrix.scenario.shortName }}.${{ env.TLD }}" + # export DOMAIN_NAME="${{ matrix.distro.clusterName }}-${{ matrix.scenario.shortName }}377.${{ env.TLD }}" + + # TODO: harcoded for self-signed setup + export DOMAIN_NAME="camunda.picsou2.camunda.ie" echo "DOMAIN_NAME=$DOMAIN_NAME" | tee -a "$GITHUB_ENV" export DOMAIN_NAME_GRPC="zeebe.$DOMAIN_NAME:443" diff --git a/.lint/trivy/.trivyignore b/.lint/trivy/.trivyignore index 9d2091d81..973ef842d 100644 --- a/.lint/trivy/.trivyignore +++ b/.lint/trivy/.trivyignore @@ -25,3 +25,5 @@ AVD-AZU-0013 #(CRITICAL): Vault network ACL does not block access by default. AVD-AWS-0042 #(MEDIUM): Domain audit logging is not enabled. AVD-AWS-0017 #(LOW): # When using CloudWatch, we are fine using the default kms for the moment (VPN usage only) + +AVD-AWS-0098 # TODO: revert diff --git a/aws/kubernetes/eks-single-region-irsa/README.md b/aws/kubernetes/eks-single-region-irsa/README.md index ae5ed7f24..c46001819 100644 --- a/aws/kubernetes/eks-single-region-irsa/README.md +++ b/aws/kubernetes/eks-single-region-irsa/README.md @@ -32,4 +32,5 @@ No resources. | [opensearch\_endpoint](#output\_opensearch\_endpoint) | The OpenSearch endpoint URL | | [opensearch\_iam\_role\_arns](#output\_opensearch\_iam\_role\_arns) | Map of IAM role names to their ARNs | | [postgres\_endpoint](#output\_postgres\_endpoint) | The Postgres endpoint URL | +| [secret\_manager\_arn](#output\_secret\_manager\_arn) | The Amazon Resource Name (ARN) of the AWS IAM Roles for Service Account mapping for the eso manager | 
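Review bot: `AVD-AWS-0098 # TODO: revert` suppresses a Trivy check with no severity and no justification, unlike every neighbouring entry, and an entry in `.lint/trivy/.trivyignore` silences the check for the whole repository rather than for the one resource that triggered it. If the trigger is one of the new `aws_secretsmanager_secret`/`aws_acmpca_*` resources in `aws/modules/eks-cluster` (the module README hunk below lists them, including `root_ca_private_key`), say so in the same format as the other lines, e.g. `AVD-AWS-0098 #(<SEVERITY>): <reason> - scoped to eks-cluster module, remove once <fix lands>` with the placeholders filled in, or preferably fix the resource instead of ignoring the finding.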
diff --git a/aws/kubernetes/eks-single-region-irsa/cluster.tf b/aws/kubernetes/eks-single-region-irsa/cluster.tf index 0acd8106f..e820232bd 100644 --- a/aws/kubernetes/eks-single-region-irsa/cluster.tf +++ b/aws/kubernetes/eks-single-region-irsa/cluster.tf @@ -31,6 +31,11 @@ module "eks_cluster" { cluster_tags = local.eks_tags } +output "secret_manager_arn" { + value = module.eks_cluster.secret_manager_arn + description = "The Amazon Resource Name (ARN) of the AWS IAM Roles for Service Account mapping for the eso manager" +} + output "cert_manager_arn" { value = module.eks_cluster.cert_manager_arn description = "The Amazon Resource Name (ARN) of the AWS IAM Roles for Service Account mapping for the cert-manager" diff --git a/aws/kubernetes/eks-single-region-irsa/helm-values/values-domain.yml b/aws/kubernetes/eks-single-region-irsa/helm-values/values-domain.yml index 941b6d47e..93f5f585a 100644 --- a/aws/kubernetes/eks-single-region-irsa/helm-values/values-domain.yml +++ b/aws/kubernetes/eks-single-region-irsa/helm-values/values-domain.yml @@ -1,28 +1,4 @@ --- -identityKeycloak: - serviceAccount: - name: ${CAMUNDA_KEYCLOAK_SERVICE_ACCOUNT_NAME} - annotations: - eks.amazonaws.com/role-arn: ${DB_ROLE_KEYCLOAK_ARN} - - postgresql: - enabled: false - externalDatabase: - host: ${DB_HOST} - user: ${DB_KEYCLOAK_USERNAME} - port: 5432 - database: ${DB_KEYCLOAK_NAME} - - extraEnvVars: - - name: KEYCLOAK_EXTRA_ARGS - value: --db-driver=software.amazon.jdbc.Driver --transaction-xa-enabled=false --log-level=INFO,software.amazon.jdbc:INFO - - name: KEYCLOAK_JDBC_PARAMS - value: wrapperPlugins=iam&ssl=true&sslmode=require - - name: KEYCLOAK_JDBC_DRIVER - value: aws-wrapper:postgresql - - auth: - existingSecret: identity-secret-for-components global: elasticsearch: 
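Review bot: The new output is named `secret_manager_arn`, but its own description and its consumer (`export ESO_IRSA_ARN="$(terraform output -raw secret_manager_arn)"` in export-helm-values.sh) say it is the IRSA role ARN for the External Secrets Operator, not the ARN of a Secrets Manager secret — and the eks-cluster README in this same diff adds several real `aws_secretsmanager_secret` resources, so the name is actively misleading. Rename it in line with its siblings, e.g. `output "external_secrets_arn"`, and tighten the description to `The ARN of the IAM Roles for Service Accounts (IRSA) role used by the External Secrets Operator (ESO)`. The value comes from `module.eks_cluster.secret_manager_arn`, whose definition is outside this diff, so the rename has to be carried into the module and the export script as well.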
@@ -33,39 +9,66 @@ global: enabled: true # enable IRSA auth url: protocol: https - host: ${OPENSEARCH_HOST} + host: os.picsou2.camunda.ie # Amazon OpenSearch Service listens on port 443 opposed to the usual port 9200. port: 443 + # TODO: added in 8.8 + security: + authentication: + method: oidc + ingress: enabled: true host: ${DOMAIN_NAME} tls: enabled: true - secretName: camunda-c8-tls + # TODO: edited to consume self-signed certs + secretName: aws-pca-p12 annotations: - kubernetes.io/tls-acme: 'true' + # kubernetes.io/tls-acme: 'true' + # TODO; added for rencryption + nginx.ingress.kubernetes.io/backend-protocol: HTTPS + nginx.ingress.kubernetes.io/ssl-redirect: 'true' + identity: + service: + url: https://${DOMAIN_NAME}/identity + + keycloak: + url: + protocol: https + host: ${DOMAIN_NAME} + port: 443 + auth: + enabled: true + # TODO: this is currently broken : https://camunda.slack.com/archives/C06UYJMMETZ/p1747319551359609 publicIssuerUrl: https://${DOMAIN_NAME}/auth/realms/camunda-platform - zeebe: - existingSecret: - name: identity-secret-for-components - connectors: + issuerBackendUrl: https://${DOMAIN_NAME}/auth/realms/camunda-platform + admin: + enabled: true existingSecret: name: identity-secret-for-components - operate: - redirectUrl: https://${DOMAIN_NAME}/operate + + ####################### + # Orchestration Group + ####################### + core: + redirectUrl: https://${DOMAIN_NAME}/core existingSecret: name: identity-secret-for-components - tasklist: - redirectUrl: https://${DOMAIN_NAME}/tasklist + connectors: existingSecret: name: identity-secret-for-components optimize: redirectUrl: https://${DOMAIN_NAME}/optimize existingSecret: name: identity-secret-for-components + + ####################### + # Management Group + ####################### webModeler: redirectUrl: https://${DOMAIN_NAME}/modeler console: 
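Review bot: `host: os.picsou2.camunda.ie` replaces `${OPENSEARCH_HOST}` with a personal endpoint, so this values file no longer follows the `terraform output`-driven flow that export-helm-values.sh and check-env-variables.sh still enforce (OPENSEARCH_HOST remains a required variable there). Restore `host: ${OPENSEARCH_HOST}` and keep the environment-specific value in your local shell. Separately, the `publicIssuerUrl` comment links to an internal Slack thread; this file is shipped as user-facing reference material, so point at a public issue or drop the link, and reword the `TODO; added for rencryption` comment to `# re-encrypt to the backend: the core service itself terminates TLS` so the reason for `backend-protocol: HTTPS` survives without the typo.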
@@ -73,6 +76,43 @@ global: existingSecret: name: identity-secret-for-components +identityKeycloak: + enabled: true + serviceAccount: + name: ${CAMUNDA_KEYCLOAK_SERVICE_ACCOUNT_NAME} + annotations: + eks.amazonaws.com/role-arn: ${DB_ROLE_KEYCLOAK_ARN} + + postgresql: + enabled: false + externalDatabase: + host: ${DB_HOST} + user: ${DB_KEYCLOAK_USERNAME} + port: 5432 + database: ${DB_KEYCLOAK_NAME} + + extraEnvVars: + - name: KEYCLOAK_EXTRA_ARGS + value: --db-driver=software.amazon.jdbc.Driver --transaction-xa-enabled=false --log-level=INFO,software.amazon.jdbc:INFO + - name: KEYCLOAK_JDBC_PARAMS + value: wrapperPlugins=iam&ssl=true&sslmode=require + - name: KEYCLOAK_JDBC_DRIVER + value: aws-wrapper:postgresql + + auth: + existingSecret: identity-secret-for-components + usePem: true + + # TODO: added for self-signed certs + tls: + enabled: true + + # The secret must have "tls-keystore-password" and "tls-truststore-password" keys for the keystore and truststore respectively. + ## + "keycloak.truststore.jks" + "keycloak.keystore.jks" + existingSecret: aws-pca-p12 + passwordsSecret: aws-pca-p12 + + webModeler: enabled: false # by default, webModeler is not enabled contextPath: /modeler @@ -86,8 +126,7 @@ webModeler: externalDatabase: url: jdbc:aws-wrapper:postgresql://${DB_HOST}:5432/${DB_WEBMODELER_NAME}?wrapperPlugins=iam user: ${DB_WEBMODELER_USERNAME} - existingSecret: identity-secret-for-components # this fake password reference is needed to let the chart deploy webmodeler - existingSecretPasswordKey: password + existingSecret: notusedpasswd # this fake password reference is needed to let the chart deploy webmodeler env: - name: SPRING_DATASOURCE_DRIVER_CLASS_NAME value: software.amazon.jdbc.Driver 
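Review bot: `existingSecret: notusedpasswd` points the Web Modeler database password at a secret that nothing in this diff creates, and `existingSecretPasswordKey: password` is dropped at the same time; values-no-domain.yml makes the identical change (`@@ -78,17 +83,17`). If the chart renders this as a `secretKeyRef`, the pod will not start until a secret of that name exists; if it does not render it, the previous reference to a real secret was harmless and the change buys nothing, so the comment should state which case applies. Either point it back at `identity-secret-for-components` or replace the comment with something a reader can verify, e.g. `# the chart requires a name here; with wrapperPlugins=iam the referenced secret is never read`, since `notusedpasswd` on its own reads like a leftover.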
@@ -97,9 +136,18 @@ webModeler: fromAddress: changeme@example.com # change this required value identity: + # TODO: in the update, make all enabled: true/false explicit + enabled: true contextPath: /identity fullURL: https://${DOMAIN_NAME}/identity + readinessProbe: + scheme: HTTPS + + # TODO: added in 8.8 + firstUser: + existingSecret: identity-secret-for-components + serviceAccount: name: ${CAMUNDA_IDENTITY_SERVICE_ACCOUNT_NAME} annotations: 
@@ -120,26 +168,71 @@ identity: - name: SPRING_DATASOURCE_USERNAME value: ${DB_IDENTITY_USERNAME} -connectors: - contextPath: /connectors + - name: TRUSTSTORE_PASSWORD + valueFrom: + secretKeyRef: + name: aws-pca-p12 + key: tls-truststore-password -operate: - contextPath: /operate + - name: KEYSTORE_PASSWORD + valueFrom: + secretKeyRef: + name: aws-pca-p12 + key: tls-keystore-password - serviceAccount: - name: ${CAMUNDA_OPERATE_SERVICE_ACCOUNT_NAME} - annotations: - eks.amazonaws.com/role-arn: ${OPENSEARCH_ROLE_ARN} + - name: JAVA_TOOL_OPTIONS + value: >- + -Djavax.net.ssl.trustStore=/usr/local/core/config/truststore.jks -Djavax.net.ssl.trustStorePassword=$(TRUSTSTORE_PASSWORD) + -Dserver.ssl.key-store=/usr/local/core/config/keystore.jks -Dserver.ssl.key-store-password=$(KEYSTORE_PASSWORD) -tasklist: - contextPath: /tasklist + - name: SSL_CERT_FILE + value: /usr/local/core/config/ca.crt - serviceAccount: - name: ${CAMUNDA_TASKLIST_SERVICE_ACCOUNT_NAME} - annotations: - eks.amazonaws.com/role-arn: ${OPENSEARCH_ROLE_ARN} + extraVolumeMounts: + - name: truststore + mountPath: /usr/local/core/config/truststore.jks + subPath: truststore.jks + + - name: keystore + mountPath: /usr/local/core/config/keystore.jks + subPath: keystore.jks + + - name: ca + mountPath: /usr/local/core/config/ca.crt + subPath: ca.crt + + extraVolumes: + + - name: truststore + secret: + secretName: aws-pca-p12 + items: + - key: truststore.jks + path: truststore.jks + defaultMode: 420 + + - name: keystore + secret: + secretName: aws-pca-p12 + items: + - key: keystore.jks + path: keystore.jks + defaultMode: 420 + + - name: ca + secret: + secretName: aws-pca-p12 + items: + - key: ca.crt + path: ca.crt + defaultMode: 420 + +connectors: + enabled: true + contextPath: /connectors optimize: + enabled: true contextPath: /optimize serviceAccount: 
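Review bot: `JAVA_TOOL_OPTIONS` now carries `-Djavax.net.ssl.trustStorePassword=$(TRUSTSTORE_PASSWORD)` and `-Dserver.ssl.key-store-password=$(KEYSTORE_PASSWORD)`; Kubernetes expands the `$(...)` references before the container starts and HotSpot prints the whole variable to stderr at startup as `Picked up JAVA_TOOL_OPTIONS: ...`, so both passwords — including the one guarding the private key in `keystore.jks` — end up in the pod logs and in whatever aggregates them. The optimize and core env blocks in the next hunk (`@@ -151,23 +244,205`) do the same with the truststore password. Move the key-store password to an environment variable the application reads directly — for a Spring Boot service `SERVER_SSL_KEY_STORE_PASSWORD` binds to `server.ssl.key-store-password`; confirm Identity honours relaxed binding — and drop the truststore password entirely, since a JKS truststore loads without one (the password only protects file integrity), after which the `TRUSTSTORE_PASSWORD`/`KEYSTORE_PASSWORD` entries are no longer needed. The enclosing `identity.env` list starts outside this hunk.
```yaml
      - name: JAVA_TOOL_OPTIONS
        value: >-
          -Djavax.net.ssl.trustStore=/usr/local/core/config/truststore.jks
          -Dserver.ssl.key-store=/usr/local/core/config/keystore.jks
      # bound by Spring relaxed binding; never appears in the JVM startup banner
      - name: SERVER_SSL_KEY_STORE_PASSWORD
        valueFrom:
          secretKeyRef:
            name: aws-pca-p12
            key: tls-keystore-password
      # … unchanged: SSL_CERT_FILE, extraVolumeMounts, extraVolumes …
```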
@@ -151,23 +244,205 @@ optimize: migration: enabled: false -zeebe: - serviceAccount: - name: ${CAMUNDA_ZEEBE_SERVICE_ACCOUNT_NAME} - annotations: - eks.amazonaws.com/role-arn: ${OPENSEARCH_ROLE_ARN} + env: + - name: TRUSTSTORE_PASSWORD + valueFrom: + secretKeyRef: + name: aws-pca-p12 + key: tls-truststore-password + + - name: JAVA_TOOL_OPTIONS + value: -Djavax.net.ssl.trustStore=/usr/local/core/config/truststore.jks -Djavax.net.ssl.trustStorePassword=$(TRUSTSTORE_PASSWORD) + - name: SSL_CERT_FILE + value: /usr/local/core/config/ca.crt + + extraVolumeMounts: + - name: certificate + mountPath: /usr/local/core/config/tls.crt + subPath: tls.crt + - name: key + mountPath: /usr/local/core/config/tls.key + subPath: tls.key + - name: ca + mountPath: /usr/local/core/config/ca.crt + subPath: ca.crt + - name: truststore + mountPath: /usr/local/core/config/truststore.jks + subPath: truststore.jks + + extraVolumes: + - name: certificate + secret: + secretName: aws-pca-p12 + items: + - key: tls.crt + path: tls.crt + defaultMode: 420 + + - name: key + secret: + secretName: aws-pca-p12 + items: + - key: tls.key + path: tls.key + defaultMode: 420 + + - name: truststore + secret: + secretName: aws-pca-p12 + items: + - key: truststore.jks + path: truststore.jks + defaultMode: 420 + + - name: ca + secret: + secretName: aws-pca-p12 + items: + - key: ca.crt + path: ca.crt + defaultMode: 420 + +core: + enabled: true + contextPath: /core -zeebeGateway: ingress: grpc: enabled: true host: zeebe.${DOMAIN_NAME} tls: enabled: true - secretName: zeebe-c8-tls-grpc + secretName: core-c8-tls-grpc annotations: kubernetes.io/tls-acme: 'true' - contextPath: /zeebe + + serviceAccount: + # TODO; change from zeebe to core in 8.8 + name: ${CAMUNDA_CORE_SERVICE_ACCOUNT_NAME} + annotations: + eks.amazonaws.com/role-arn: ${OPENSEARCH_ROLE_ARN} + + # TODO; added in 8.8 + # giving access to venom to deploy a model. 
Given access to connectors + # TODO: Find a way to only give connectors read access + # TODO: adapt for documentation as users will not have venom( certainly need yq in the test pipeline) + env: + - name: CAMUNDA_SECURITY_INITIALIZATION_MAPPINGS_0_MAPPINGID + value: demo-user-mapping + - name: CAMUNDA_SECURITY_INITIALIZATION_MAPPINGS_0_CLAIMNAME + value: preferred_username + - name: CAMUNDA_SECURITY_INITIALIZATION_MAPPINGS_0_CLAIMVALUE + value: demo + - name: CAMUNDA_SECURITY_INITIALIZATION_MAPPINGS_1_MAPPINGID + value: venom-client-mapping + - name: CAMUNDA_SECURITY_INITIALIZATION_MAPPINGS_1_CLAIMNAME + value: client_id + - name: CAMUNDA_SECURITY_INITIALIZATION_MAPPINGS_1_CLAIMVALUE + value: venom + - name: CAMUNDA_SECURITY_INITIALIZATION_MAPPINGS_2_MAPPINGID + value: connectors-client-mapping + - name: CAMUNDA_SECURITY_INITIALIZATION_MAPPINGS_2_CLAIMNAME + value: client_id + - name: CAMUNDA_SECURITY_INITIALIZATION_MAPPINGS_2_CLAIMVALUE + value: connectors + - name: CAMUNDA_SECURITY_INITIALIZATION_DEFAULTROLES_ADMIN_MAPPINGS_0 + value: demo-user-mapping + - name: CAMUNDA_SECURITY_INITIALIZATION_DEFAULTROLES_ADMIN_MAPPINGS_1 + value: venom-client-mapping + - name: CAMUNDA_SECURITY_INITIALIZATION_DEFAULTROLES_ADMIN_MAPPINGS_2 + value: connectors-client-mapping + + # TLS PART Zeebe Gateway + - name: ZEEBE_BROKER_GATEWAY_SECURITY_ENABLED + value: 'true' + - name: ZEEBE_BROKER_GATEWAY_SECURITY_CERTIFICATECHAINPATH + value: /usr/local/core/config/tls.crt + - name: ZEEBE_BROKER_GATEWAY_SECURITY_PRIVATEKEYPATH + value: /usr/local/core/config/tls.key + + - name: ZEEBE_BROKER_GATEWAY_CLUSTER_SECURITY_ENABLED + value: 'true' + - name: ZEEBE_BROKER_GATEWAY_CLUSTER_SECURITY_CERTIFICATECHAINPATH + value: /usr/local/core/config/tls.crt + - name: ZEEBE_BROKER_GATEWAY_CLUSTER_SECURITY_PRIVATEKEYPATH + value: /usr/local/core/config/tls.key + + - name: ZEEBE_BROKER_NETWORK_SECURITY_ENABLED + value: 'true' + - name: ZEEBE_BROKER_NETWORK_SECURITY_CERTIFICATECHAINPATH + value: 
/usr/local/core/config/tls.crt + - name: ZEEBE_BROKER_NETWORK_SECURITY_PRIVATEKEYPATH + value: /usr/local/core/config/tls.key + + - name: CAMUNDA_TASKLIST_ZEEBE_SECURE + value: 'true' + - name: CAMUNDA_TASKLIST_ZEEBE_CERTIFICATEPATH + value: /usr/local/tasklist/config/tls.crt + + - name: CAMUNDA_OPERATE_ZEEBE_SECURE + value: 'true' + - name: CAMUNDA_OPERATE_ZEEBE_CERTIFICATEPATH + value: /usr/local/core/config/tls.crt + + - name: TRUSTSTORE_PASSWORD + valueFrom: + secretKeyRef: + name: aws-pca-p12 + key: tls-truststore-password + + - name: JAVA_TOOL_OPTIONS + value: -Djavax.net.ssl.trustStore=/usr/local/core/config/truststore.jks -Djavax.net.ssl.trustStorePassword=$(TRUSTSTORE_PASSWORD) + - name: SSL_CERT_FILE + value: /usr/local/core/config/ca.crt + + extraVolumeMounts: + - name: certificate + mountPath: /usr/local/core/config/tls.crt + subPath: tls.crt + - name: key + mountPath: /usr/local/core/config/tls.key + subPath: tls.key + - name: ca + mountPath: /usr/local/core/config/ca.crt + subPath: ca.crt + - name: truststore + mountPath: /usr/local/core/config/truststore.jks + subPath: truststore.jks + + + extraVolumes: + - name: certificate + secret: + secretName: aws-pca-p12 + items: + - key: tls.crt + path: tls.crt + defaultMode: 420 + + - name: key + secret: + secretName: aws-pca-p12 + items: + - key: tls.key + path: tls.key + defaultMode: 420 + + - name: truststore + secret: + secretName: aws-pca-p12 + items: + - key: truststore.jks + path: truststore.jks + defaultMode: 420 + + - name: ca + secret: + secretName: aws-pca-p12 + items: + - key: ca.crt + path: ca.crt + defaultMode: 420 console: enabled: false # by default, console is not enabled diff --git a/aws/kubernetes/eks-single-region-irsa/helm-values/values-no-domain.yml b/aws/kubernetes/eks-single-region-irsa/helm-values/values-no-domain.yml index 9e67038a1..63c4f4bca 100644 --- a/aws/kubernetes/eks-single-region-irsa/helm-values/values-no-domain.yml 
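Review bot: `CAMUNDA_TASKLIST_ZEEBE_CERTIFICATEPATH` is set to `/usr/local/tasklist/config/tls.crt`, but the only certificate mount in this `core` block is `/usr/local/core/config/tls.crt` (the path the `CAMUNDA_OPERATE_ZEEBE_CERTIFICATEPATH` line right below uses), so the Tasklist client will look for a file that is never mounted; change it to `value: /usr/local/core/config/tls.crt`. The initialization mappings then grant the admin default role to `demo`, the `venom` client and the `connectors` client, which the TODO above them already admits is too broad — at minimum the `connectors` mapping should get a narrower role before this is documented, and the same list is duplicated in values-no-domain.yml (`@@ -111,33 +120,57`). Also, the `optimize` section earlier in this hunk mounts `tls.crt` and `tls.key` although nothing in its env references them; mounting the private key into a pod that only needs the truststore and `ca.crt` looks like copy-paste and should be trimmed.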
+++ b/aws/kubernetes/eks-single-region-irsa/helm-values/values-no-domain.yml @@ -1,28 +1,4 @@ --- -identityKeycloak: - serviceAccount: - name: ${CAMUNDA_KEYCLOAK_SERVICE_ACCOUNT_NAME} - annotations: - eks.amazonaws.com/role-arn: ${DB_ROLE_KEYCLOAK_ARN} - - postgresql: - enabled: false - externalDatabase: - host: ${DB_HOST} - user: ${DB_KEYCLOAK_USERNAME} - port: 5432 - database: ${DB_KEYCLOAK_NAME} - - extraEnvVars: - - name: KEYCLOAK_EXTRA_ARGS - value: --db-driver=software.amazon.jdbc.Driver --transaction-xa-enabled=false --log-level=INFO,software.amazon.jdbc:INFO - - name: KEYCLOAK_JDBC_PARAMS - value: wrapperPlugins=iam&ssl=true&sslmode=require - - name: KEYCLOAK_JDBC_DRIVER - value: aws-wrapper:postgresql - auth: - existingSecret: identity-secret-for-components - global: elasticsearch: enabled: false 
@@ -36,35 +12,64 @@ global: # Amazon OpenSearch Service listens on port 443 opposed to the usual port 9200. port: 443 - identity: + # TODO: added in 8.8 + security: + authentication: + method: oidc + identity: auth: + enabled: true + # TODO: this is currently broken : https://camunda.slack.com/archives/C06UYJMMETZ/p1747319551359609 publicIssuerUrl: http://localhost:18080/auth/realms/camunda-platform # replace this with a port of your choice when you will do port forwarding - - zeebe: - existingSecret: - name: identity-secret-for-components + admin: + enabled: true + existingSecret: identity-secret-for-components + + ####################### + # Orchestration Group + ####################### + core: + existingSecret: identity-secret-for-components connectors: - existingSecret: - name: identity-secret-for-components - operate: - redirectUrl: http://localhost:8081 # replace this with a port of your choice when you will do port forwarding - existingSecret: - name: identity-secret-for-components - tasklist: - redirectUrl: http://localhost:8082 # replace this with a port of your choice when you will do port forwarding - existingSecret: - name: identity-secret-for-components + existingSecret: identity-secret-for-components optimize: redirectUrl: http://localhost:8083 # replace this with a port of your choice when you will do port forwarding - existingSecret: - name: identity-secret-for-components + existingSecret: identity-secret-for-components + + ####################### + # Management Group + ####################### webModeler: redirectUrl: http://localhost:8084 console: redirectUrl: http://localhost:8085 - existingSecret: - name: identity-secret-for-components + existingSecret: identity-secret-for-components + +identityKeycloak: + serviceAccount: + name: ${CAMUNDA_KEYCLOAK_SERVICE_ACCOUNT_NAME} + annotations: + eks.amazonaws.com/role-arn: ${DB_ROLE_KEYCLOAK_ARN} + + postgresql: + enabled: false + externalDatabase: + host: ${DB_HOST} + user: ${DB_KEYCLOAK_USERNAME} + 
port: 5432 + database: ${DB_KEYCLOAK_NAME} + + extraEnvVars: + - name: KEYCLOAK_EXTRA_ARGS + value: --db-driver=software.amazon.jdbc.Driver --transaction-xa-enabled=false --log-level=INFO,software.amazon.jdbc:INFO + - name: KEYCLOAK_JDBC_PARAMS + value: wrapperPlugins=iam&ssl=true&sslmode=require + - name: KEYCLOAK_JDBC_DRIVER + value: aws-wrapper:postgresql + auth: + existingSecret: identity-secret-for-components + passwordSecretKey: identity-keycloak-admin-password webModeler: enabled: false # by default, webModeler is not enabled @@ -78,17 +83,17 @@ webModeler: externalDatabase: url: jdbc:aws-wrapper:postgresql://${DB_HOST}:5432/${DB_WEBMODELER_NAME}?wrapperPlugins=iam user: ${DB_WEBMODELER_USERNAME} - existingSecret: identity-secret-for-components # this fake password reference is needed to let the chart deploy webmodeler - existingSecretPasswordKey: password + existingSecret: notusedpasswd # this fake password reference is needed to let the chart deploy webmodeler env: - name: SPRING_DATASOURCE_DRIVER_CLASS_NAME value: software.amazon.jdbc.Driver mail: - existingSecret: - name: identity-secret-for-components # reference the smtp password + existingSecret: identity-secret-for-components # reference the smtp password fromAddress: changeme@example.com # change this required value identity: + enabled: true + serviceAccount: name: ${CAMUNDA_IDENTITY_SERVICE_ACCOUNT_NAME} annotations: @@ -96,6 +101,10 @@ identity: fullURL: http://localhost:8080 # replace this with a port of your choice when you will do port forwarding + # TODO: added in 8.8 + firstUser: + existingSecret: identity-secret-for-components + externalDatabase: enabled: true host: ${DB_HOST} 
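Review bot: The `global.identity.auth.*` entries here use the flat form `existingSecret: identity-secret-for-components`, while values-domain.yml in this same diff writes the nested `existingSecret:` / `name: identity-secret-for-components` for the same keys (`core`, `connectors`, `optimize`, `console`); only one of the two shapes can match the chart schema, so at least one of the two deployments will not pick up the credential. Pick the shape the target chart version expects and apply it to both files. `identityKeycloak` here also lacks the `enabled: true` the domain variant sets and adds `passwordSecretKey: identity-keycloak-admin-password`, which the domain variant does not have; if those differences are intentional, a one-line comment on each would stop the next reader re-aligning them.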
@@ -111,33 +120,57 @@ identity: - name: SPRING_DATASOURCE_USERNAME value: ${DB_IDENTITY_USERNAME} -zeebe: +optimize: + enabled: true serviceAccount: - name: ${CAMUNDA_ZEEBE_SERVICE_ACCOUNT_NAME} + name: ${CAMUNDA_OPTIMIZE_SERVICE_ACCOUNT_NAME} annotations: eks.amazonaws.com/role-arn: ${OPENSEARCH_ROLE_ARN} -operate: - serviceAccount: - name: ${CAMUNDA_OPERATE_SERVICE_ACCOUNT_NAME} - annotations: - eks.amazonaws.com/role-arn: ${OPENSEARCH_ROLE_ARN} + # OpenSearch prevents migration + migration: + enabled: false -tasklist: - serviceAccount: - name: ${CAMUNDA_TASKLIST_SERVICE_ACCOUNT_NAME} - annotations: - eks.amazonaws.com/role-arn: ${OPENSEARCH_ROLE_ARN} -optimize: +core: serviceAccount: - name: ${CAMUNDA_OPTIMIZE_SERVICE_ACCOUNT_NAME} + # TODO; change from zeebe to core in 8.8 + name: ${CAMUNDA_CORE_SERVICE_ACCOUNT_NAME} annotations: eks.amazonaws.com/role-arn: ${OPENSEARCH_ROLE_ARN} - # OpenSearch prevents migration - migration: - enabled: false + existingSecret: identity-secret-for-components + + # TODO; added in 8.8 + # giving access to venom to deploy a model. 
Given access to connectors + # TODO: Find a way to only give connectors read access + env: + # TODO: adapt for documentation as users will not have venom( certainly need yq in the test pipeline) + - name: CAMUNDA_SECURITY_INITIALIZATION_MAPPINGS_0_MAPPINGID + value: demo-user-mapping + - name: CAMUNDA_SECURITY_INITIALIZATION_MAPPINGS_0_CLAIMNAME + value: preferred_username + - name: CAMUNDA_SECURITY_INITIALIZATION_MAPPINGS_0_CLAIMVALUE + value: demo + - name: CAMUNDA_SECURITY_INITIALIZATION_MAPPINGS_1_MAPPINGID + value: venom-client-mapping + - name: CAMUNDA_SECURITY_INITIALIZATION_MAPPINGS_1_CLAIMNAME + value: client_id + - name: CAMUNDA_SECURITY_INITIALIZATION_MAPPINGS_1_CLAIMVALUE + value: venom + - name: CAMUNDA_SECURITY_INITIALIZATION_MAPPINGS_2_MAPPINGID + value: connectors-client-mapping + - name: CAMUNDA_SECURITY_INITIALIZATION_MAPPINGS_2_CLAIMNAME + value: client_id + - name: CAMUNDA_SECURITY_INITIALIZATION_MAPPINGS_2_CLAIMVALUE + value: connectors + - name: CAMUNDA_SECURITY_INITIALIZATION_DEFAULTROLES_ADMIN_MAPPINGS_0 + value: demo-user-mapping + - name: CAMUNDA_SECURITY_INITIALIZATION_DEFAULTROLES_ADMIN_MAPPINGS_1 + value: venom-client-mapping + - name: CAMUNDA_SECURITY_INITIALIZATION_DEFAULTROLES_ADMIN_MAPPINGS_2 + value: connectors-client-mapping + console: enabled: false # by default, console is not enabled diff --git a/aws/kubernetes/eks-single-region-irsa/opensearch.tf b/aws/kubernetes/eks-single-region-irsa/opensearch.tf index ab06f8557..c52a28c81 100644 --- a/aws/kubernetes/eks-single-region-irsa/opensearch.tf +++ b/aws/kubernetes/eks-single-region-irsa/opensearch.tf 
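Review bot: `existingSecret: identity-secret-for-components` is placed directly under the top-level `core:` block, whereas values-domain.yml puts the equivalent credential under `global.identity.auth.core`; unless the chart reads both locations, one of the two files sets a key the chart ignores, so align this with the domain file or add a comment explaining why `core.existingSecret` is the right key here. The block also omits the `enabled: true` and `contextPath: /core` that values-domain.yml sets on `core`, so confirm the no-domain deployment still enables the component. The comment line `# giving access to venom to deploy a model. Given access to connectors` is hard to parse; `# venom needs admin to deploy a model during tests; connectors currently gets the same role (see TODO below)` says the same thing clearly.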
@@ -8,9 +8,7 @@ locals { # IRSA configuration camunda_namespace = "camunda" # Replace with your Kubernetes namespace that will host C8 Platform - camunda_zeebe_service_account = "zeebe-sa" # Replace with your Kubernetes ServiceAcccount that will be created for Zeebe - camunda_operate_service_account = "operate-sa" # Replace with your Kubernetes ServiceAcccount that will be created for Operate - camunda_tasklist_service_account = "tasklist-sa" # Replace with your Kubernetes ServiceAcccount that will be created for TaskList + camunda_core_service_account = "core-sa" # Replace with your Kubernetes ServiceAcccount that will be created for Zeebe camunda_optimize_service_account = "optimize-sa" # Replace with your Kubernetes ServiceAcccount that will be created for Optimize opensearch_tags = {} # additional tags that you may want to apply to the resources @@ -36,6 +34,8 @@ module "opensearch_domain" { advanced_security_master_user_name = local.opensearch_master_username advanced_security_master_user_password = local.opensearch_master_password + custom_root_ca_arn = module.eks_cluster.private_ca_authority_arn + # IAM IRSA iam_roles_with_policies = [ { @@ -53,9 +53,7 @@ module "opensearch_domain" { "Condition": { "StringEquals": { "${module.eks_cluster.oidc_provider_id}:sub": [ - "system:serviceaccount:${local.camunda_namespace}:${local.camunda_zeebe_service_account}", - "system:serviceaccount:${local.camunda_namespace}:${local.camunda_operate_service_account}", - "system:serviceaccount:${local.camunda_namespace}:${local.camunda_tasklist_service_account}", + "system:serviceaccount:${local.camunda_namespace}:${local.camunda_core_service_account}", "system:serviceaccount:${local.camunda_namespace}:${local.camunda_optimize_service_account}" ] } diff --git a/aws/kubernetes/eks-single-region-irsa/procedure/check-env-variables.sh b/aws/kubernetes/eks-single-region-irsa/procedure/check-env-variables.sh index ba74d6a6f..0cff62fa2 100755 
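Review bot: The new `camunda_core_service_account = "core-sa"` keeps the trailing comment `# Replace with your Kubernetes ServiceAcccount that will be created for Zeebe`, which now names the wrong component and carries the pre-existing `ServiceAcccount` typo; change it to `# Replace with your Kubernetes ServiceAccount that will be created for the Camunda core component (replaces the Zeebe/Operate/Tasklist accounts)`. The trust-policy hunk correctly collapses the three `system:serviceaccount` subjects to the single `core-sa`, so one service account now holds the OpenSearch access that three components previously had; presumably that follows from the single-process core the `8.8` TODOs in the values files refer to, and a sentence saying so in the module README would save the next reader from wondering whether Operate and Tasklist lost access.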
--- a/aws/kubernetes/eks-single-region-irsa/procedure/check-env-variables.sh +++ b/aws/kubernetes/eks-single-region-irsa/procedure/check-env-variables.sh @@ -3,7 +3,7 @@ # This script is compatible with bash only # List of required environment variables -required_vars=("DB_HOST" "DB_ROLE_IDENTITY_ARN" "DB_ROLE_KEYCLOAK_ARN" "DB_ROLE_WEBMODELER_ARN" "CAMUNDA_WEBMODELER_SERVICE_ACCOUNT_NAME" "DB_WEBMODELER_NAME" "DB_WEBMODELER_USERNAME" "CAMUNDA_IDENTITY_SERVICE_ACCOUNT_NAME" "DB_IDENTITY_NAME" "DB_IDENTITY_USERNAME" "DB_KEYCLOAK_NAME" "DB_KEYCLOAK_USERNAME" "CAMUNDA_KEYCLOAK_SERVICE_ACCOUNT_NAME" "OPENSEARCH_HOST" "OPENSEARCH_ROLE_ARN" "CAMUNDA_ZEEBE_SERVICE_ACCOUNT_NAME" "CAMUNDA_OPERATE_SERVICE_ACCOUNT_NAME" "CAMUNDA_TASKLIST_SERVICE_ACCOUNT_NAME" "CAMUNDA_OPTIMIZE_SERVICE_ACCOUNT_NAME") +required_vars=("DB_HOST" "DB_ROLE_IDENTITY_ARN" "DB_ROLE_KEYCLOAK_ARN" "DB_ROLE_WEBMODELER_ARN" "CAMUNDA_WEBMODELER_SERVICE_ACCOUNT_NAME" "DB_WEBMODELER_NAME" "DB_WEBMODELER_USERNAME" "CAMUNDA_IDENTITY_SERVICE_ACCOUNT_NAME" "DB_IDENTITY_NAME" "DB_IDENTITY_USERNAME" "DB_KEYCLOAK_NAME" "DB_KEYCLOAK_USERNAME" "CAMUNDA_KEYCLOAK_SERVICE_ACCOUNT_NAME" "OPENSEARCH_HOST" "OPENSEARCH_ROLE_ARN" "CAMUNDA_CORE_SERVICE_ACCOUNT_NAME" "CAMUNDA_OPTIMIZE_SERVICE_ACCOUNT_NAME") # Loop through each variable and check if it is set and not empty for var in "${required_vars[@]}"; do diff --git a/aws/kubernetes/eks-single-region-irsa/procedure/export-helm-values.sh b/aws/kubernetes/eks-single-region-irsa/procedure/export-helm-values.sh index 7e6b458d4..819e63567 100755 --- a/aws/kubernetes/eks-single-region-irsa/procedure/export-helm-values.sh +++ b/aws/kubernetes/eks-single-region-irsa/procedure/export-helm-values.sh @@ -1,6 +1,7 @@ #!/bin/bash # EKS Cluster +export ESO_IRSA_ARN="$(terraform output -raw secret_manager_arn)" export CERT_MANAGER_IRSA_ARN="$(terraform output -raw cert_manager_arn)" export EXTERNAL_DNS_IRSA_ARN="$(terraform output -raw external_dns_arn)" 
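Review bot: `required_vars` still lists `OPENSEARCH_HOST`, yet values-domain.yml in this diff no longer consumes `${OPENSEARCH_HOST}` (it hard-codes `os.picsou2.camunda.ie`), so the check will keep failing runs over a variable the template ignores; the fix belongs in the values file (restore the template reference) rather than in loosening this list. `ESO_IRSA_ARN`, newly exported by export-helm-values.sh in the next hunk, is not checked here — if install-eso.sh or the ESO chart values depend on it, add `"ESO_IRSA_ARN"` to the array so a missing Terraform output fails fast with a readable message instead of producing an empty IAM annotation.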
@@ -29,7 +30,5 @@ export DB_ROLE_WEBMODELER_ARN=$(terraform output -json aurora_iam_role_arns | jq export OPENSEARCH_HOST="$(terraform output -raw opensearch_endpoint)" export OPENSEARCH_ROLE_NAME="$(terraform console << /tmp/clustersecretstore.yaml +apiVersion: external-secrets.io/v1 +kind: ClusterSecretStore +metadata: + name: $CLUSTER_SECRET_STORE_NAME +spec: + provider: + aws: + service: SecretsManager + region: $AWS_REGION + auth: + jwt: + serviceAccountRef: + name: $SERVICE_ACCOUNT_NAME + namespace: $NAMESPACE +EOF + +kubectl apply -f /tmp/clustersecretstore.yaml + +echo "External Secrets Operator installed and ClusterSecretStore applied." diff --git a/aws/modules/eks-cluster/README.md b/aws/modules/eks-cluster/README.md index 8b0e56e8e..7c19e4546 100644 --- a/aws/modules/eks-cluster/README.md +++ b/aws/modules/eks-cluster/README.md 
@@ -26,23 +26,62 @@ module "eks_cluster" { | Name | Source | Version | |------|--------|---------| | [cert\_manager\_role](#module\_cert\_manager\_role) | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks | 5.59.0 | +| [certs\_reader\_role](#module\_certs\_reader\_role) | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks | 5.58.0 | | [ebs\_cs\_role](#module\_ebs\_cs\_role) | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks | 5.59.0 | | [eks](#module\_eks) | terraform-aws-modules/eks/aws | 20.37.1 | | [external\_dns\_role](#module\_external\_dns\_role) | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks | 5.59.0 | +| [external\_secrets\_role](#module\_external\_secrets\_role) | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks | 5.58.0 | | [vpc](#module\_vpc) | terraform-aws-modules/vpc/aws | 5.21.0 | ## Resources | Name | Type | |------|------| +| [aws_acmpca_certificate.camunda_signed_cert](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/acmpca_certificate) | resource | +| [aws_acmpca_certificate_authority.sub_ca](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/acmpca_certificate_authority) | resource | +| [aws_acmpca_certificate_authority_certificate.sub_ca_cert_import](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/acmpca_certificate_authority_certificate) | resource | +| [aws_acmpca_permission.private_ca_permission](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/acmpca_permission) | resource | | [aws_iam_policy.cert_manager_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | +| [aws_iam_policy.certs_access_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | | 
[aws_iam_policy.ebs_sc_access](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | | [aws_iam_policy.ebs_sc_access_2](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | | [aws_iam_policy.eks_admin_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | | [aws_iam_policy.external_dns_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource | | [aws_kms_key.eks](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kms_key) | resource | +| [aws_secretsmanager_secret.camunda_cert_secret](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret) | resource | +| [aws_secretsmanager_secret.camunda_jks_secret](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret) | resource | +| [aws_secretsmanager_secret.camunda_key_secret](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret) | resource | +| [aws_secretsmanager_secret.camunda_p12_password_secret](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret) | resource | +| [aws_secretsmanager_secret.camunda_p12_secret](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret) | resource | +| [aws_secretsmanager_secret.camunda_truststore_secret](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret) | resource | +| [aws_secretsmanager_secret.root_ca_certificate](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret) | resource | +| [aws_secretsmanager_secret.root_ca_private_key](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret) | resource | +| 
[aws_secretsmanager_secret.sub_root_ca_certificate](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret) | resource | +| [aws_secretsmanager_secret_version.camunda_cert_secret_version](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret_version) | resource | +| [aws_secretsmanager_secret_version.camunda_key_secret_version](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret_version) | resource | +| [aws_secretsmanager_secret_version.camunda_p12_password_secret_version](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret_version) | resource | +| [aws_secretsmanager_secret_version.root_ca_certificate_version](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret_version) | resource | +| [aws_secretsmanager_secret_version.root_ca_private_key_version](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret_version) | resource | +| [aws_secretsmanager_secret_version.sub_root_ca_certificate_version](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/secretsmanager_secret_version) | resource | | [aws_security_group_rule.cluster_api_to_nodes](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/security_group_rule) | resource | | [kubernetes_storage_class_v1.ebs_sc](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs/resources/storage_class_v1) | resource | +| [local_file.camunda_cert](https://registry.terraform.io/providers/hashicorp/local/latest/docs/resources/file) | resource | +| [local_file.camunda_key](https://registry.terraform.io/providers/hashicorp/local/latest/docs/resources/file) | resource | +| [local_file.root_ca_cert](https://registry.terraform.io/providers/hashicorp/local/latest/docs/resources/file) | resource | +| 
[local_file.sub_ca_cert](https://registry.terraform.io/providers/hashicorp/local/latest/docs/resources/file) | resource | +| [null_resource.convert_p12_to_jks](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource | +| [null_resource.download_certificates](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource | +| [null_resource.generate_camunda_p12](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource | +| [null_resource.generate_truststore_jks](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource | +| [null_resource.upload_jks_to_secretsmanager](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource | +| [null_resource.upload_p12_to_secretsmanager](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource | +| [null_resource.upload_truststore_to_secretsmanager](https://registry.terraform.io/providers/hashicorp/null/latest/docs/resources/resource) | resource | | [time_sleep.eks_cluster_warmup](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource | +| [time_sleep.wait_30_seconds](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource | +| [tls_cert_request.camunda_csr](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/cert_request) | resource | +| [tls_locally_signed_cert.sub_ca_cert_signed](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/locally_signed_cert) | resource | +| [tls_private_key.camunda_key](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key) | resource | +| [tls_private_key.root_ca_key](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/private_key) | resource | +| 
[tls_self_signed_cert.root_ca_cert](https://registry.terraform.io/providers/hashicorp/tls/latest/docs/resources/self_signed_cert) | resource | | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | | [aws_eips.current_usage](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/eips) | data source | | [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source | 
@@ -56,6 +95,7 @@ module "eks_cluster" { | [authentication\_mode](#input\_authentication\_mode) | The authentication mode for the cluster. | `string` | `"API"` | no | | [availability\_zones](#input\_availability\_zones) | A list of availability zone names in the region. By default, this is set to `null` and is not used; instead, `availability_zones_count` manages the number of availability zones. This value should not be updated directly. To make changes, please create a new resource. | `list(string)` | `null` | no | | [availability\_zones\_count](#input\_availability\_zones\_count) | The count of availability zones to utilize within the specified AWS Region, where pairs of public and private subnets will be generated (minimum is `2`). Valid only when availability\_zones variable is not provided. | `number` | `3` | no | +| [camunda\_p12\_password](#input\_camunda\_p12\_password) | Password for the Camunda .p12 certificate bundle | `string` | `"NotVerySecurePassword123!"` | no | | [cluster\_node\_ipv4\_cidr](#input\_cluster\_node\_ipv4\_cidr) | The CIDR block for public and private subnets of loadbalancers and nodes. Between /28 and /16. | `string` | `"10.192.0.0/16"` | no | | [cluster\_service\_ipv4\_cidr](#input\_cluster\_service\_ipv4\_cidr) | The CIDR block to assign Kubernetes service IP addresses from. Between /24 and /12. | `string` | `"10.190.0.0/16"` | no | | [cluster\_tags](#input\_cluster\_tags) | A map of additional tags to add to the cluster | `map(string)` | `{}` | no | 
@@ -93,10 +133,12 @@ module "eks_cluster" { | [external\_dns\_arn](#output\_external\_dns\_arn) | Amazon Resource Name of the external-dns IAM role used for IAM Roles to Service Accounts mappings | | [oidc\_provider\_arn](#output\_oidc\_provider\_arn) | Amazon Resource Name of the OIDC provider for the EKS cluster. Allows to add additional IRSA mappings | | [oidc\_provider\_id](#output\_oidc\_provider\_id) | OIDC provider for the EKS cluster. Allows to add additional IRSA mappings | +| [private\_ca\_authority\_arn](#output\_private\_ca\_authority\_arn) | n/a | | [private\_route\_table\_ids](#output\_private\_route\_table\_ids) | The IDs of the private route tables associated with this VPC | | [private\_subnet\_ids](#output\_private\_subnet\_ids) | Private subnet IDs | | [private\_vpc\_cidr\_blocks](#output\_private\_vpc\_cidr\_blocks) | Private VPC CIDR blocks | | [public\_vpc\_cidr\_blocks](#output\_public\_vpc\_cidr\_blocks) | Public VPC CIDR blocks | +| [secret\_manager\_arn](#output\_secret\_manager\_arn) | Amazon Resource Name of the secret-manager IAM role used for IAM Roles to Service Accounts mappings | | [vpc\_azs](#output\_vpc\_azs) | VPC AZs of the cluster | | [vpc\_id](#output\_vpc\_id) | VPC id of the cluster | | [vpc\_main\_route\_table\_id](#output\_vpc\_main\_route\_table\_id) | The ID of the main route table associated with this VPC | diff --git a/aws/modules/eks-cluster/camunda-cert-p12.tf b/aws/modules/eks-cluster/camunda-cert-p12.tf new file mode 100644 index 000000000..c0f769480 --- /dev/null +++ b/aws/modules/eks-cluster/camunda-cert-p12.tf 
@@ -0,0 +1,257 @@ +variable "camunda_p12_password" { + type = string + description = "Password for the Camunda .p12 certificate bundle" + sensitive = true + default = "NotVerySecurePassword123!" +} + +# Export PEM files locally +resource "local_file" "camunda_key" { + content = tls_private_key.camunda_key.private_key_pem + filename = "${path.module}/camunda_key.pem" +} + +resource "local_file" "camunda_cert" { + content = aws_acmpca_certificate.camunda_signed_cert.certificate + filename = "${path.module}/camunda_cert.pem" +} + +resource "local_file" "sub_ca_cert" { + content = tls_locally_signed_cert.sub_ca_cert_signed.cert_pem + filename = "${path.module}/sub_ca_cert.pem" +} + +resource "local_file" "root_ca_cert" { + content = tls_self_signed_cert.root_ca_cert.cert_pem + filename = "${path.module}/root_ca_cert.pem" +} + +# Generate p12 using full chain: camunda -> subCA -> rootCA +resource "null_resource" "generate_camunda_p12" { + provisioner "local-exec" { + command = < "${path.module}/chain.pem" + +openssl pkcs12 -export \ + -inkey "${path.module}/camunda_key.pem" \ + -in "${path.module}/camunda_cert.pem" \ + -certfile "${path.module}/chain.pem" \ + -out "${path.module}/camunda_bundle.p12" \ + -passout pass:${var.camunda_p12_password} +EOT + } + + triggers = { + cert = aws_acmpca_certificate.camunda_signed_cert.certificate + key = tls_private_key.camunda_key.private_key_pem + ca = tls_locally_signed_cert.sub_ca_cert_signed.cert_pem + root = tls_self_signed_cert.root_ca_cert.cert_pem + password = var.camunda_p12_password + always_regen = timestamp() + } + + depends_on = [ + local_file.camunda_key, + local_file.camunda_cert, + local_file.sub_ca_cert, + local_file.root_ca_cert + ] +} + +# Store the .p12 in AWS Secrets Manager +resource "aws_secretsmanager_secret" "camunda_p12_secret" { + name = "certs/${local.camunda_custom_domain}/certificate-p12" + description = "PKCS#12 bundle for Camunda ${local.camunda_custom_domain}" +} + +# Upload the p12 using AWS CLI 
+resource "null_resource" "upload_p12_to_secretsmanager" { + depends_on = [ + null_resource.generate_camunda_p12, + aws_secretsmanager_secret.camunda_p12_secret + ] + + provisioner "local-exec" { + command = < [cidr\_blocks](#input\_cidr\_blocks) | The CIDR blocks to allow access from and to. | `list(string)` | n/a | yes | | [cold\_storage\_enabled](#input\_cold\_storage\_enabled) | Indicates cold storage is enabled. | `bool` | `false` | no | | [create\_timeout](#input\_create\_timeout) | How much time to wait for the creation before timing out. | `string` | `"2h"` | no | +| [custom\_root\_ca\_arn](#input\_custom\_root\_ca\_arn) | arn value of the root ca | `string` | n/a | yes | | [dedicated\_master\_count](#input\_dedicated\_master\_count) | Number of dedicated master nodes in the cluster. | `number` | `3` | no | | [dedicated\_master\_enabled](#input\_dedicated\_master\_enabled) | Indicates whether dedicated master nodes are enabled for the cluster. | `bool` | `true` | no | | [dedicated\_master\_type](#input\_dedicated\_master\_type) | Instance type of the dedicated master nodes in the cluster. | `string` | `"m5.large.search"` | no | diff --git a/aws/modules/opensearch/domain.tf b/aws/modules/opensearch/domain.tf new file mode 100644 index 000000000..10af281d6 --- /dev/null +++ b/aws/modules/opensearch/domain.tf 
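Review bot: `camunda_p12_password` ships with a working default (`NotVerySecurePassword123!`) and is then passed as `-passout pass:${var.camunda_p12_password}` on the openssl command line, where it is visible in the process list and in any local-exec output Terraform logs; marking the variable `sensitive` changes neither. Drop the default (or require callers to generate one) and hand the password to openssl via `-passout env:CAMUNDA_P12_PASSWORD` together with `environment = { CAMUNDA_P12_PASSWORD = var.camunda_p12_password }` on the provisioner. The private key is also materialised by `local_file.camunda_key` at `${path.module}/camunda_key.pem`, i.e. inside the module source tree, and the `always_regen = timestamp()` trigger re-exports the bundle on every apply even when no input changed; write the PEMs under a gitignored work directory and drop the timestamp trigger so the `cert`/`key`/`ca`/`root` triggers alone decide. Note that the key material lives in the Terraform state regardless, so the state backend needs the same access controls as Secrets Manager. The tail of this hunk (the upload provisioner and the remaining resources) is garbled in this view and was not reviewed.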
@@ -0,0 +1,32 @@ +locals { + # TODO: harcoded on purpose + deployment_root_domain = "picsou2.camunda.ie" + opensearch_zone_id = "Z0320975U3XESO24VAVA" + key_algorithm = "RSA_2048" +} + +locals { + opensearch_custom_domain = "os.${local.deployment_root_domain}" +} + +data "aws_acmpca_certificate_authority" "private_ca_authority" { + arn = var.custom_root_ca_arn +} + +## CERT FOR OS +resource "aws_acm_certificate" "opensearch_cert" { + domain_name = local.opensearch_custom_domain + certificate_authority_arn = data.aws_acmpca_certificate_authority.private_ca_authority.arn + + tags = { + Name = "OS ACM cert for ${local.opensearch_custom_domain}" + } +} + +resource "aws_route53_record" "opensearch" { + zone_id = local.opensearch_zone_id + name = local.opensearch_custom_domain + type = "CNAME" + ttl = "300" + records = [aws_opensearch_domain.opensearch_cluster.endpoint] +} diff --git a/aws/modules/opensearch/main.tf b/aws/modules/opensearch/main.tf index c280feac6..337985cc7 100644 --- a/aws/modules/opensearch/main.tf +++ b/aws/modules/opensearch/main.tf @@ -4,6 +4,8 @@ resource "aws_opensearch_domain" "opensearch_cluster" { domain_name = var.domain_name engine_version = "OpenSearch_${var.engine_version}" + # TODO: added for custom domain + ip_address_type = var.ip_address_type vpc_options { @@ -102,6 +104,11 @@ resource "aws_opensearch_domain" "opensearch_cluster" { domain_endpoint_options { enforce_https = var.domain_endpoint_options.enforce_https tls_security_policy = var.domain_endpoint_options.tls_security_policy + + # TODO: hard coded + custom_endpoint_enabled = true + custom_endpoint = local.opensearch_custom_domain + custom_endpoint_certificate_arn = aws_acm_certificate.opensearch_cert.arn } timeouts { diff --git a/aws/modules/opensearch/variables.tf b/aws/modules/opensearch/variables.tf index f4da638f3..81bd7b029 100644 --- a/aws/modules/opensearch/variables.tf +++ b/aws/modules/opensearch/variables.tf 
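Review bot: domain.tf hard-codes the deployment domain (`picsou2.camunda.ie`) and a Route 53 hosted zone ID into module locals, so every consumer of the opensearch module now provisions a certificate and a CNAME for that one personal test domain, and the `key_algorithm` local is defined but referenced by no visible resource. Promote both to inputs (e.g. `custom_domain`, `route53_zone_id`) with no defaults, and either pass `key_algorithm = local.key_algorithm` to `aws_acm_certificate.opensearch_cert` or delete the local. Consider `lifecycle { create_before_destroy = true }` on the certificate, since it is wired into the domain's `custom_endpoint_certificate_arn` and a replace-in-place would break the endpoint. The `custom_root_ca_arn` input is described as "arn value of the root ca", yet the eks module's `private_ca_authority_arn` output and its `aws_acmpca_certificate_authority.sub_ca` resource suggest it actually receives a subordinate CA — confirm and rename or fix the description.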
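Review bot: `custom_endpoint_enabled = true` in `domain_endpoint_options` is hard-coded (the `# TODO: hard coded` comment acknowledges it), which makes every instantiation of this module unconditionally depend on a private CA, a Route 53 zone and the fixed domain from domain.tf, and breaks any existing caller that does not supply `custom_root_ca_arn`. Gate it on an input, e.g. `custom_endpoint_enabled = var.custom_endpoint_enabled` with `custom_endpoint = var.custom_endpoint_enabled ? local.opensearch_custom_domain : null`, and make the ACM certificate and Route 53 record `count = var.custom_endpoint_enabled ? 1 : 0`. The `aws_opensearch_domain` resource starts and ends outside this hunk.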
@@ -345,3 +345,8 @@ variable "log_types" {
 default = []
 description = "The types of logs to publish to CloudWatch Logs. Example: [SEARCH_SLOW_LOGS, INDEX_SLOW_LOGS, ES_APPLICATION_LOGS]"
 }
+
+variable "custom_root_ca_arn" {
+ type = string
+ description = "arn value of the root ca"
+}
diff --git a/generic/kubernetes/single-region/procedure/chart-env.sh b/generic/kubernetes/single-region/procedure/chart-env.sh
index fbbbca5e3..01db3d28d 100755
--- a/generic/kubernetes/single-region/procedure/chart-env.sh
+++ b/generic/kubernetes/single-region/procedure/chart-env.sh
@@ -2,7 +2,7 @@
 # The Camunda 8 Helm Chart version
 # renovate: datasource=helm depName=camunda-platform versioning=regex:^12(\.(?\d+))?(\.(?\d+))?$ registryUrl=https://helm.camunda.io
-export CAMUNDA_HELM_CHART_VERSION="0.0.0-snapshot-latest"
+export CAMUNDA_HELM_CHART_VERSION="13.0.0-alpha6"
 # TODO: [release-duty] before the release, update this!
 # TODO: [release-duty] adjust renovate comment to bump the major version
diff --git a/generic/kubernetes/single-region/procedure/create-identity-secret.sh b/generic/kubernetes/single-region/procedure/create-identity-secret.sh
index 3baa1ee02..9059924ec 100755
--- a/generic/kubernetes/single-region/procedure/create-identity-secret.sh
+++ b/generic/kubernetes/single-region/procedure/create-identity-secret.sh
@@ -1,12 +1,14 @@
 #!/bin/bash
+# TODO: 8;8 generate USER_PASSWORD
+
 kubectl create secret generic identity-secret-for-components \
 --namespace "$CAMUNDA_NAMESPACE" \
- --from-literal=connectors-secret="$CONNECTORS_SECRET" \
- --from-literal=console-secret="$CONSOLE_SECRET" \
- --from-literal=operate-secret="$OPERATE_SECRET" \
- --from-literal=optimize-secret="$OPTIMIZE_SECRET" \
- --from-literal=tasklist-secret="$TASKLIST_SECRET" \
- --from-literal=zeebe-secret="$ZEEBE_SECRET" \
- --from-literal=admin-password="$ADMIN_PASSWORD" \
+ --from-literal=identity-connectors-client-token="$CONNECTORS_SECRET" \
+ --from-literal=identity-console-client-token="$CONSOLE_SECRET" \
+ --from-literal=identity-optimize-client-token="$OPTIMIZE_SECRET" \
+ --from-literal=identity-core-client-token="$CORE_SECRET" \
+ --from-literal=identity-admin-client-token="$ADMIN_PASSWORD" \
+ --from-literal=identity-keycloak-admin-password="$KEYCLOAK_ADMIN_PASSWORD" \
+ --from-literal=identity-firstuser-password="$USER_PASSWORD" \
 --from-literal=smtp-password=""
diff --git a/generic/kubernetes/single-region/procedure/export-verify-zeebe-domain.sh b/generic/kubernetes/single-region/procedure/export-verify-zeebe-domain.sh
index 28e116556..0c29d39ec 100755
--- a/generic/kubernetes/single-region/procedure/export-verify-zeebe-domain.sh
+++ b/generic/kubernetes/single-region/procedure/export-verify-zeebe-domain.sh
@@ -1,4 +1,4 @@
 #!/bin/bash
-
-export ZEEBE_ADDRESS_REST="https://$DOMAIN_NAME/zeebe"
+# TODO; update the variables with CAMUNDA_CLIENT_ZEEBE_RESTADDRESS CAMUNDA_CLIENT_AUTH_TOKENURL (see https://github.com/camunda-community-hub/camunda-8-examples/blob/main/payment-example-process-application/kube/README.md)
+export ZEEBE_ADDRESS_REST="https://$DOMAIN_NAME/core"
 export ZEEBE_AUTHORIZATION_SERVER_URL="https://$DOMAIN_NAME/auth/realms/camunda-platform/protocol/openid-connect/token"
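Review bot: `$ADMIN_PASSWORD` is now written under the key `identity-admin-client-token`, whereas the removed line stored it as `admin-password`; an admin client token and an admin user password are different credentials, so confirm this key is what the chart version being installed reads and rename the shell variable (e.g. `ADMIN_CLIENT_TOKEN`) so the mapping is not misleading. The `# TODO: 8;8 generate USER_PASSWORD` comment is already stale, since generate-passwords.sh exports `USER_PASSWORD` in this same commit, and should be dropped. All values are passed with `--from-literal`, which exposes them in the kubectl process arguments on shared hosts; building the Secret from `--from-env-file` on a `chmod 600` file, or from a stdin manifest, avoids that.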
diff --git a/generic/kubernetes/single-region/procedure/generate-passwords.sh b/generic/kubernetes/single-region/procedure/generate-passwords.sh index 6bffa72c4..221775413 100755 --- a/generic/kubernetes/single-region/procedure/generate-passwords.sh +++ b/generic/kubernetes/single-region/procedure/generate-passwords.sh @@ -2,8 +2,8 @@ export CONNECTORS_SECRET="$(openssl rand -hex 16)" export CONSOLE_SECRET="$(openssl rand -hex 16)" -export OPERATE_SECRET="$(openssl rand -hex 16)" export OPTIMIZE_SECRET="$(openssl rand -hex 16)" -export TASKLIST_SECRET="$(openssl rand -hex 16)" -export ZEEBE_SECRET="$(openssl rand -hex 16)" +export CORE_SECRET="$(openssl rand -hex 16)" +export KEYCLOAK_ADMIN_PASSWORD="$(openssl rand -hex 16)" export ADMIN_PASSWORD="$(openssl rand -hex 16)" +export USER_PASSWORD="$(openssl rand -hex 16)" diff --git a/generic/kubernetes/single-region/procedure/install-chart.sh b/generic/kubernetes/single-region/procedure/install-chart.sh index 720fd22e0..64dc9e570 100755 --- a/generic/kubernetes/single-region/procedure/install-chart.sh +++ b/generic/kubernetes/single-region/procedure/install-chart.sh @@ -1,7 +1,66 @@ #!/bin/bash +# TODO: added to create the secret + +DOMAIN_BASE="picsou2.camunda.ie" + +kubectl apply -f - --namespace "$CAMUNDA_NAMESPACE" <\d+))?(\.(?\d+))?$ registryUrl=https://helm.camunda.io -export HELM_CHART_VERSION="0.0.0-snapshot-latest" +export HELM_CHART_VERSION="0.0.0-snapshot-alpha" # TODO: [release-duty] before the release, update this! # TODO: [release-duty] adjust renovate comment to bump the major version diff --git a/generic/openshift/single-region/procedure/chart-env.sh b/generic/openshift/single-region/procedure/chart-env.sh index fbbbca5e3..c8b3c64cf 100755 --- a/generic/openshift/single-region/procedure/chart-env.sh +++ b/generic/openshift/single-region/procedure/chart-env.sh 
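Review bot: install-chart.sh now hard-codes `DOMAIN_BASE="picsou2.camunda.ie"` in a script under generic/kubernetes that otherwise derives its addresses from `$DOMAIN_NAME` (as export-verify-zeebe-domain.sh does), so the resource it applies will point at one personal test domain for every other user of the procedure. Use `DOMAIN_BASE="$DOMAIN_NAME"` and fail fast when it is unset with `: "${DOMAIN_NAME:?DOMAIN_NAME must be set}"` before the `kubectl apply`. The remainder of this hunk (the applied manifest and the helm install that follows) is garbled in this view and was not reviewed.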
@@ -2,7 +2,7 @@
 # The Camunda 8 Helm Chart version
 # renovate: datasource=helm depName=camunda-platform versioning=regex:^12(\.(?\d+))?(\.(?\d+))?$ registryUrl=https://helm.camunda.io
-export CAMUNDA_HELM_CHART_VERSION="0.0.0-snapshot-latest"
+export CAMUNDA_HELM_CHART_VERSION="0.0.0-snapshot-alpha"
 # TODO: [release-duty] before the release, update this!
 # TODO: [release-duty] adjust renovate comment to bump the major version