Initial render: k3s-dev environment

2026-03-07 15:00:05 +00:00
commit a787720f2a
306 changed files with 75879 additions and 0 deletions
--- a/rendered/manifests/k3s-dev/abinitio-platform/authgateway/apps_v1_deployment_authgateway-importer.yaml
+++ b/rendered/manifests/k3s-dev/abinitio-platform/authgateway/apps_v1_deployment_authgateway-importer.yaml
@@ -0,0 +1,362 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app.kubernetes.io/instance: authgateway-importer
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: authgateway-importer
+    app.kubernetes.io/part-of: AbInitio
+    app.kubernetes.io/version: 4.4.1
+    helm.sh/chart: authgateway-importer-2.4.3-a
+  name: authgateway-importer
+  namespace: abinitio
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/instance: authgateway-importer
+      app.kubernetes.io/name: authgateway-importer
+  strategy:
+    type: Recreate
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/instance: authgateway-importer
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: authgateway-importer
+        app.kubernetes.io/part-of: AbInitio
+        app.kubernetes.io/version: 4.4.1
+        helm.sh/chart: authgateway-importer-2.4.3-a
+      name: authgateway-importer
+    spec:
+      containers:
+      - args:
+        - --ab-k8s-start-reporter
+        - "true"
+        - --ab-k8s-job-launch-script
+        - /ab-setup/setup_pod.sh
+        command:
+        - ab-container-entrypoint.ksh
+        env:
+        - name: AB_AG_ENCRYPTED_PASSWORD
+          value: file=/secrets/aiadmin/password
+        - name: AB_AG_USERNAME
+          value: aiadmin
+        - name: AB_ALLOW_FILE_LOCK_ON_REMOTE_FILE_SYSTEM
+          value: "true"
+        - name: AB_AUTHORIZATION_GATEWAY_URL
+          value: http://authgateway:8080/authgateway
+        - name: AB_BRIDGE_CONFIGURATION_DIR
+          value: /abinitio/bridge
+        - name: AB_BRIDGE_CONFIGURATION_NAME
+          value: container-bridge
+        - name: AB_CHARSET
+          value: utf-8
+        - name: AB_CONFIGURATION
+          value: /config/pod/abinitiorc:/config/pod/apphubrc
+        - name: AB_CONNECTION_BRIDGE_ENCRYPTED_RPC_ENCRYPTION_KEY
+          value: file=/secrets/bridge/password
+        - name: AB_CONNECTION_BRIDGE_PORT
+          value: "7070"
+        - name: AB_CONNECTION_BRIDGE_RPC_ENCRYPTION_TYPE
+          value: aes128-gcm
+        - name: AB_CONNECTION_BRIDGE_SECURITY_CONFIGURATION
+          value: container-bridge-security
+        - name: AB_HOSTNAME_KEYSERVER_URLS
+          value: abks://key-server:6151
+        - name: AB_IPV4_ONLY
+          value: "true"
+        - name: AB_K8S_MAX_IDLE_SECONDS
+          value: "0"
+        - name: AB_K8S_START_BRIDGE
+          value: background
+        - name: AB_K8S_START_REPORTER
+          value: "true"
+        - name: AB_KEY_DAEMON_DIR
+          value: /tmp/abkc/data
+        - name: AB_MHUB_ENCRYPTED_PASSWORD
+          value: file=/secrets/aiadmin/password
+        - name: AB_MHUB_USERNAME
+          value: aiadmin
+        - name: AB_MUX_ENABLE_AG_CREDENTIAL_MAPPING
+          value: "true"
+        - name: AB_OPS_CONSOLE_URL
+          value: http://controlcenter:8080/controlcenter
+        - name: AB_OPS_PHYSICAL_HOSTNAME
+          value: authgateway-importer
+        - name: AB_OPS_WSS_ENCRYPTED_PASSWORD
+          value: file=/secrets/ocagent/password
+        - name: AB_OPS_WSS_USERNAME
+          value: ocagent
+        - name: AB_PASSWORD_KEY_FILE
+          value: /secrets/password_key_file/password
+        - name: APP_FULL_URL
+          value: http://authgateway:8080/authgateway
+        - name: BRIDGE_AB_ENCRYPTED_KEY
+          value: file=/secrets/bridge/password
+        - name: CC_ADMIN_ENCRYPTED_PASSWORD
+          value: file=/secrets/aiadmin/password
+        - name: CC_ADMIN_USERNAME
+          value: aiadmin
+        - name: CMAP_MOUNT
+          value: /config/pod
+        - name: DEPLOY_NAME
+          value: authgateway-importer
+        - name: JAVA_OPTS
+          value: -XX:InitialRAMPercentage=50.0 -XX:MaxRAMPercentage=75.0
+        - name: LOAD_PHYSOBJECTS
+          value: "true"
+        - name: MHUB_IMPORTER_ENCRYPTED_PASSWORD
+          value: file=/secrets/aiadmin/password
+        - name: NAMESPACE
+          value: abinitio
+        - name: POD_IP
+          valueFrom:
+            fieldRef:
+              fieldPath: status.podIP
+        - name: POD_LABEL
+          value: 'abinitio/product: authgateway-importer, abinitio/deployment: authgateway-importer'
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        - name: POD_SERVICE
+          value: authgateway-importer
+        - name: POD_SERVICE_HEADLESS
+          value: authgateway-importer-headless
+        image: asia-southeast1-docker.pkg.dev/str-22391/cloudplatform-proxy/aidp/authgateway-importer:4.4.1.1-1
+        imagePullPolicy: IfNotPresent
+        name: authgateway-importer
+        readinessProbe:
+          exec:
+            command:
+            - stat
+            - /tmp/.pod.ready
+          failureThreshold: 120
+          initialDelaySeconds: 45
+          periodSeconds: 10
+        resources:
+          limits:
+            ephemeral-storage: 8Gi
+            memory: 12Gi
+          requests:
+            cpu: "1"
+            ephemeral-storage: 8Gi
+            memory: 8Gi
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
+          runAsGroup: 1000
+          runAsNonRoot: true
+          runAsUser: 1000
+          seccompProfile:
+            type: RuntimeDefault
+        volumeMounts:
+        - mountPath: /config/pod
+          name: pod-config
+        - mountPath: /abinitio
+          name: abinitio-local
+        - mountPath: /secrets/aiadmin/password
+          name: aiadmin
+          subPath: password
+        - mountPath: /secrets/ocagent/password
+          name: ocagent
+          subPath: password
+        - mountPath: /secrets/bridge/password
+          name: bridge
+          subPath: password
+        - mountPath: /secrets/eme_join_user/password
+          name: eme-join-user
+          subPath: password
+        - mountPath: /secrets/qi_join_user/password
+          name: qi-join-user
+          subPath: password
+        - mountPath: /secrets/dcs_utility_user/password
+          name: dcs-utility-user
+          subPath: password
+        - mountPath: /secrets/mhub_utility_user/password
+          name: mhub-utility-user
+          subPath: password
+        - mountPath: /secrets/ag_db_importer/password
+          name: ag-db-importer
+          subPath: password
+        - mountPath: /secrets/admin/password
+          name: admin
+          subPath: password
+        - mountPath: /secrets/ag_ui_importer/password
+          name: ag-ui-importer
+          subPath: password
+        - mountPath: /secrets/cafe_join_user/password
+          name: cafe-join-user
+          subPath: password
+        - mountPath: /secrets/cc_join_user/password
+          name: cc-join-user
+          subPath: password
+        - mountPath: /secrets/dcs_join_user/password
+          name: dcs-join-user
+          subPath: password
+        - mountPath: /secrets/ei_join_user/password
+          name: ei-join-user
+          subPath: password
+        - mountPath: /secrets/mhub_join_user/password
+          name: mhub-join-user
+          subPath: password
+        - mountPath: /secrets/qiadmin_join_user/password
+          name: qiadmin-join-user
+          subPath: password
+        - mountPath: /secrets/sd_join_user/password
+          name: sd-join-user
+          subPath: password
+        - mountPath: /secrets/trw_join_user/password
+          name: trw-join-user
+          subPath: password
+        - mountPath: /secrets/mhub_db_importer/password
+          name: mhub-db-importer
+          subPath: password
+        - mountPath: /secrets/mhub_ui_importer/password
+          name: mhub-ui-importer
+          subPath: password
+        - mountPath: /secrets/ag_appserver/password
+          name: ag-appserver
+          subPath: password
+        - mountPath: /secrets/ag_report/password
+          name: ag-report
+          subPath: password
+        - mountPath: /secrets/cc_jdbc/password
+          name: cc-jdbc
+          subPath: password
+        - mountPath: /secrets/dcs_hmac_key/password
+          name: dcs-hmac-key
+          subPath: password
+        - mountPath: /secrets/abinitio/password
+          name: abinitio
+          subPath: password
+        - mountPath: /secrets/mhub_appserver/password
+          name: mhub-appserver
+          subPath: password
+        - mountPath: /secrets/mhub_report/password
+          name: mhub-report
+          subPath: password
+        - mountPath: /secrets/runtime_locator_join_user/password
+          name: runtime-locator-join-user
+          subPath: password
+        - mountPath: /secrets/password_key_file/password
+          name: password-key-file
+          subPath: password
+        - mountPath: /tmp
+          name: tmp-volume
+      hostAliases:
+      - hostnames:
+        - authgateway-importer.abinitio
+        ip: 127.0.0.1
+      hostname: authgateway-importer
+      initContainers: null
+      securityContext:
+        fsGroup: 1000
+        fsGroupChangePolicy: OnRootMismatch
+        runAsGroup: 1000
+        runAsNonRoot: true
+        runAsUser: 1000
+        seccompProfile:
+          type: RuntimeDefault
+      serviceAccountName: abinitio-sa
+      terminationGracePeriodSeconds: 30
+      volumes:
+      - configMap:
+          defaultMode: 511
+          name: authgateway-importer
+        name: pod-config
+      - name: abinitio-local
+        persistentVolumeClaim:
+          claimName: authgateway-importer-claim
+      - emptyDir: {}
+        name: tmp-volume
+      - name: aiadmin
+        secret:
+          secretName: aiadmin
+      - name: ocagent
+        secret:
+          secretName: ocagent
+      - name: bridge
+        secret:
+          secretName: bridge
+      - name: eme-join-user
+        secret:
+          secretName: eme-join-user
+      - name: qi-join-user
+        secret:
+          secretName: qi-join-user
+      - name: dcs-utility-user
+        secret:
+          secretName: dcs-utility-user
+      - name: mhub-utility-user
+        secret:
+          secretName: mhub-utility-user
+      - name: ag-db-importer
+        secret:
+          secretName: ag-db-importer
+      - name: admin
+        secret:
+          secretName: admin
+      - name: ag-ui-importer
+        secret:
+          secretName: ag-ui-importer
+      - name: cafe-join-user
+        secret:
+          secretName: cafe-join-user
+      - name: cc-join-user
+        secret:
+          secretName: cc-join-user
+      - name: dcs-join-user
+        secret:
+          secretName: dcs-join-user
+      - name: ei-join-user
+        secret:
+          secretName: ei-join-user
+      - name: mhub-join-user
+        secret:
+          secretName: mhub-join-user
+      - name: qiadmin-join-user
+        secret:
+          secretName: qiadmin-join-user
+      - name: sd-join-user
+        secret:
+          secretName: sd-join-user
+      - name: trw-join-user
+        secret:
+          secretName: trw-join-user
+      - name: mhub-db-importer
+        secret:
+          secretName: mhub-db-importer
+      - name: mhub-ui-importer
+        secret:
+          secretName: mhub-ui-importer
+      - name: ag-appserver
+        secret:
+          secretName: ag-appserver
+      - name: ag-report
+        secret:
+          secretName: ag-report
+      - name: cc-jdbc
+        secret:
+          secretName: cc-jdbc
+      - name: dcs-hmac-key
+        secret:
+          secretName: dcs-hmac-key
+      - name: abinitio
+        secret:
+          secretName: abinitio
+      - name: mhub-appserver
+        secret:
+          secretName: mhub-appserver
+      - name: mhub-report
+        secret:
+          secretName: mhub-report
+      - name: runtime-locator-join-user
+        secret:
+          secretName: runtime-locator-join-user
+      - name: password-key-file
+        secret:
+          secretName: password-key-file
--- a/rendered/manifests/k3s-dev/abinitio-platform/authgateway/apps_v1_deployment_authgateway.yaml
+++ b/rendered/manifests/k3s-dev/abinitio-platform/authgateway/apps_v1_deployment_authgateway.yaml
@@ -0,0 +1,312 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    abinitio/deployment: authgateway
+    app.kubernetes.io/instance: authgateway
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: authgateway
+    app.kubernetes.io/part-of: AbInitio
+    app.kubernetes.io/version: 4.4.1
+    helm.sh/chart: authgateway-2.4.3-a
+  name: authgateway
+  namespace: abinitio
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/instance: authgateway
+      app.kubernetes.io/name: authgateway
+  template:
+    metadata:
+      labels:
+        abinitio/deployment: authgateway
+        app.kubernetes.io/instance: authgateway
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: authgateway
+        app.kubernetes.io/part-of: AbInitio
+        app.kubernetes.io/version: 4.4.1
+        helm.sh/chart: authgateway-2.4.3-a
+      name: authgateway
+    spec:
+      containers:
+      - env:
+        - name: AB_CONFIG_PROVIDER_URL
+          value: file://localhost/config
+        - name: AB_IPV4_ONLY
+          value: "true"
+        - name: AB_PASSWORD_KEY_FILE
+          value: /secrets/password_key_file/password
+        - name: CATALINA_TMPDIR
+          value: /tmp
+        - name: DEPLOY_NAME
+          value: authgateway
+        - name: JAVA_OPTS
+          value: -XX:InitialRAMPercentage=50.0 -XX:MaxRAMPercentage=75.0
+        - name: LOAD_PHYSOBJECTS
+          value: "true"
+        - name: NAMESPACE
+          value: abinitio
+        - name: POD_IP
+          valueFrom:
+            fieldRef:
+              fieldPath: status.podIP
+        - name: POD_LABEL
+          value: 'abinitio/product: authgateway, abinitio/deployment: authgateway'
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        - name: POD_SERVICE
+          value: authgateway
+        image: asia-southeast1-docker.pkg.dev/str-22391/cloudplatform-proxy/aidp/authgateway:4.4.1.1-1
+        imagePullPolicy: IfNotPresent
+        lifecycle:
+          preStop:
+            exec:
+              command:
+              - /bin/sh
+              - -c
+              - ${CATALINA_HOME}/bin/catalina.sh stop
+        livenessProbe:
+          failureThreshold: 3
+          httpGet:
+            path: /authgateway/api/abwebinternal/health/k8s/liveness
+            port: 8080
+          initialDelaySeconds: 5
+          periodSeconds: 30
+        name: authgateway-app
+        readinessProbe:
+          failureThreshold: 3
+          httpGet:
+            path: /authgateway/api/abwebinternal/health/k8s/readiness
+            port: 8080
+          initialDelaySeconds: 10
+          periodSeconds: 30
+        resources:
+          limits:
+            ephemeral-storage: 2Gi
+            memory: 8Gi
+          requests:
+            cpu: "1"
+            ephemeral-storage: 2Gi
+            memory: 8Gi
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
+          runAsGroup: 1000
+          runAsNonRoot: true
+          runAsUser: 1000
+          seccompProfile:
+            type: RuntimeDefault
+        startupProbe:
+          failureThreshold: 60
+          httpGet:
+            path: /authgateway/api/abwebinternal/health/k8s/startup
+            port: 8080
+          initialDelaySeconds: 60
+          periodSeconds: 30
+        volumeMounts:
+        - mountPath: /config/authgateway
+          name: app-external-config
+        - mountPath: /abinitio
+          name: abinitio-local
+        - mountPath: /tmp
+          name: tmp-volume
+        - mountPath: /secrets/aiadmin/password
+          name: aiadmin
+          subPath: password
+        - mountPath: /secrets/ocagent/password
+          name: ocagent
+          subPath: password
+        - mountPath: /secrets/bridge/password
+          name: bridge
+          subPath: password
+        - mountPath: /secrets/eme_join_user/password
+          name: eme-join-user
+          subPath: password
+        - mountPath: /secrets/qi_join_user/password
+          name: qi-join-user
+          subPath: password
+        - mountPath: /secrets/dcs_utility_user/password
+          name: dcs-utility-user
+          subPath: password
+        - mountPath: /secrets/mhub_utility_user/password
+          name: mhub-utility-user
+          subPath: password
+        - mountPath: /secrets/ag_db_importer/password
+          name: ag-db-importer
+          subPath: password
+        - mountPath: /secrets/admin/password
+          name: admin
+          subPath: password
+        - mountPath: /secrets/ag_ui_importer/password
+          name: ag-ui-importer
+          subPath: password
+        - mountPath: /secrets/cafe_join_user/password
+          name: cafe-join-user
+          subPath: password
+        - mountPath: /secrets/cc_join_user/password
+          name: cc-join-user
+          subPath: password
+        - mountPath: /secrets/dcs_join_user/password
+          name: dcs-join-user
+          subPath: password
+        - mountPath: /secrets/ei_join_user/password
+          name: ei-join-user
+          subPath: password
+        - mountPath: /secrets/mhub_join_user/password
+          name: mhub-join-user
+          subPath: password
+        - mountPath: /secrets/qiadmin_join_user/password
+          name: qiadmin-join-user
+          subPath: password
+        - mountPath: /secrets/sd_join_user/password
+          name: sd-join-user
+          subPath: password
+        - mountPath: /secrets/trw_join_user/password
+          name: trw-join-user
+          subPath: password
+        - mountPath: /secrets/mhub_db_importer/password
+          name: mhub-db-importer
+          subPath: password
+        - mountPath: /secrets/mhub_ui_importer/password
+          name: mhub-ui-importer
+          subPath: password
+        - mountPath: /secrets/ag_appserver/password
+          name: ag-appserver
+          subPath: password
+        - mountPath: /secrets/ag_report/password
+          name: ag-report
+          subPath: password
+        - mountPath: /secrets/cc_jdbc/password
+          name: cc-jdbc
+          subPath: password
+        - mountPath: /secrets/dcs_hmac_key/password
+          name: dcs-hmac-key
+          subPath: password
+        - mountPath: /secrets/abinitio/password
+          name: abinitio
+          subPath: password
+        - mountPath: /secrets/mhub_appserver/password
+          name: mhub-appserver
+          subPath: password
+        - mountPath: /secrets/mhub_report/password
+          name: mhub-report
+          subPath: password
+        - mountPath: /secrets/runtime_locator_join_user/password
+          name: runtime-locator-join-user
+          subPath: password
+        - mountPath: /secrets/password_key_file/password
+          name: password-key-file
+          subPath: password
+      hostname: authgateway
+      initContainers: null
+      securityContext:
+        fsGroup: 1000
+        fsGroupChangePolicy: OnRootMismatch
+        runAsGroup: 1000
+        runAsNonRoot: true
+        runAsUser: 1000
+        seccompProfile:
+          type: RuntimeDefault
+      serviceAccountName: abinitio-sa
+      terminationGracePeriodSeconds: 30
+      volumes:
+      - emptyDir: {}
+        name: abinitio-local
+      - configMap:
+          defaultMode: 511
+          name: authgateway-external-config
+        name: app-external-config
+      - emptyDir: {}
+        name: tmp-volume
+      - name: aiadmin
+        secret:
+          secretName: aiadmin
+      - name: ocagent
+        secret:
+          secretName: ocagent
+      - name: bridge
+        secret:
+          secretName: bridge
+      - name: eme-join-user
+        secret:
+          secretName: eme-join-user
+      - name: qi-join-user
+        secret:
+          secretName: qi-join-user
+      - name: dcs-utility-user
+        secret:
+          secretName: dcs-utility-user
+      - name: mhub-utility-user
+        secret:
+          secretName: mhub-utility-user
+      - name: ag-db-importer
+        secret:
+          secretName: ag-db-importer
+      - name: admin
+        secret:
+          secretName: admin
+      - name: ag-ui-importer
+        secret:
+          secretName: ag-ui-importer
+      - name: cafe-join-user
+        secret:
+          secretName: cafe-join-user
+      - name: cc-join-user
+        secret:
+          secretName: cc-join-user
+      - name: dcs-join-user
+        secret:
+          secretName: dcs-join-user
+      - name: ei-join-user
+        secret:
+          secretName: ei-join-user
+      - name: mhub-join-user
+        secret:
+          secretName: mhub-join-user
+      - name: qiadmin-join-user
+        secret:
+          secretName: qiadmin-join-user
+      - name: sd-join-user
+        secret:
+          secretName: sd-join-user
+      - name: trw-join-user
+        secret:
+          secretName: trw-join-user
+      - name: mhub-db-importer
+        secret:
+          secretName: mhub-db-importer
+      - name: mhub-ui-importer
+        secret:
+          secretName: mhub-ui-importer
+      - name: ag-appserver
+        secret:
+          secretName: ag-appserver
+      - name: ag-report
+        secret:
+          secretName: ag-report
+      - name: cc-jdbc
+        secret:
+          secretName: cc-jdbc
+      - name: dcs-hmac-key
+        secret:
+          secretName: dcs-hmac-key
+      - name: abinitio
+        secret:
+          secretName: abinitio
+      - name: mhub-appserver
+        secret:
+          secretName: mhub-appserver
+      - name: mhub-report
+        secret:
+          secretName: mhub-report
+      - name: runtime-locator-join-user
+        secret:
+          secretName: runtime-locator-join-user
+      - name: password-key-file
+        secret:
+          secretName: password-key-file
--- a/rendered/manifests/k3s-dev/abinitio-platform/authgateway/v1_configmap_authgateway-external-config.yaml
+++ b/rendered/manifests/k3s-dev/abinitio-platform/authgateway/v1_configmap_authgateway-external-config.yaml
--- a/rendered/manifests/k3s-dev/abinitio-platform/authgateway/v1_configmap_authgateway-importer.yaml
+++ b/rendered/manifests/k3s-dev/abinitio-platform/authgateway/v1_configmap_authgateway-importer.yaml
@@ -0,0 +1,73 @@
+apiVersion: v1
+data:
+  abinitiorc: |
+    AB_AG_LOCAL_ROOT : /abinitio/deploy
+    AB_BRIDGE_WORKDIR @ container-bridge : /tmp/container-bridge-workdir
+    AB_CHARSET : utf-8
+    AB_HOSTNAME_KEYSERVER_URLS : abks://key-server:6151
+    AB_OPS_CONSOLE_URL : http://controlcenter:8080/controlcenter
+    AB_OPS_MONITOR : true
+    AB_OPS_MONITOR_RESOURCES : false
+    AB_OPS_PHYSICAL_HOSTNAME : authgateway-importer
+    AB_PROC_DIR : /tmp
+    AB_WORK_DIR : /abinitio/work
+  apphubrc: |
+    AB_BRIDGE_VOLATILE_DIR : /tmp/ab-bridge-volatile-dir
+    AB_KEYSERVER_GROUP : AI-IC-AWS001a
+    AB_KEYSERVER_URLS : abks://key-server:6150
+  deploy_params.config: |
+    appserver.cluster.option: '3'
+    appserver.host: 'authgateway'
+    appserver.port: '8080'
+    appserver.protocol: 'http'
+    appserver.type: 'tomcat'
+    bridge.config: 'container-bridge'
+    bridge.create.security.config: 'N'
+    bridge.host: 'authgateway-importer'
+    bridge.port: '7070'
+    bridge.rpc.aes128gcm.ab_encrypted_key: 'file=/secrets/bridge/password'
+    bridge.rpc.aes128gcm.mhub_encrypted_key: 'file=/secrets/bridge/password'
+    bridge.security_config: 'container-bridge-security'
+    bridge.security_type: 'aes-128-gcm'
+    db.appserver.mhub_encrypted_password: 'file=/secrets/ag_appserver/password'
+    db.appserver.username: 'ag_appserver'
+    db.create: 'Y'
+    db.create_physical: 'N'
+    db.datastore.destroy_if_exists: 'N'
+    db.host: 'authgateway-rw.abinitio-db.svc'
+    db.importer.ab_encrypted_password: 'file=/secrets/ag_db_importer/password'
+    db.importer.mhub_encrypted_password: 'file=/secrets/ag_db_importer/password'
+    db.importer.username: 'ag_importer'
+    db.name: 'authgateway'
+    db.port: '5432'
+    db.report.mhub_encrypted_password: 'file=/secrets/ag_report/password'
+    db.report.username: 'ag_report'
+    db.type: 'postgresql'
+    deployment.name: 'authgateway-importer'
+    deployment.set_server_config: 'N'
+    deployment.type_basic: 'N'
+    lineage.server: 'N'
+    lineageserver.url: ''
+    security.encryption.keyDirectory: ''
+    security.encryption.useExternalKey: 'N'
+    ui.webaccess.admin.ab_encrypted_password: 'file=/secrets/admin/password'
+    ui.webaccess.admin.password_hash_encrypted: 'file=/secrets/admin/password'
+    ui.webaccess.importer.ab_encrypted_password: 'file=/secrets/ag_ui_importer/password'
+    ui.webaccess.importer.password_hash_encrypted: 'file=/secrets/ag_ui_importer/password'
+    webapp.app_name: 'authgateway'
+    webapp.cluster.hosts: 'authgateway-jgroup'
+    webapp.cluster.port: '7800'
+    webapp.clustered.deployment: 'Y'
+    webapp.deploy_warfile: 'N'
+    webapp.indexDirectoryRoot: 'file:///abinitio/data/searchIndex'
+kind: ConfigMap
+metadata:
+  labels:
+    app.kubernetes.io/instance: authgateway-importer
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: authgateway-importer
+    app.kubernetes.io/part-of: AbInitio
+    app.kubernetes.io/version: 4.4.1
+    helm.sh/chart: authgateway-importer-2.4.3-a
+  name: authgateway-importer
+  namespace: abinitio
--- a/rendered/manifests/k3s-dev/abinitio-platform/authgateway/v1_persistentvolumeclaim_authgateway-importer-claim.yaml
+++ b/rendered/manifests/k3s-dev/abinitio-platform/authgateway/v1_persistentvolumeclaim_authgateway-importer-claim.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  labels:
+    app.kubernetes.io/instance: authgateway-importer
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: authgateway-importer
+    app.kubernetes.io/part-of: AbInitio
+    app.kubernetes.io/version: 4.4.1
+    helm.sh/chart: authgateway-importer-2.4.3-a
+  name: authgateway-importer-claim
+  namespace: abinitio
+spec:
+  accessModes:
+  - ReadWriteOnce
+  resources:
+    requests:
+      storage: 10Gi
--- a/rendered/manifests/k3s-dev/abinitio-platform/authgateway/v1_service_authgateway-importer.yaml
+++ b/rendered/manifests/k3s-dev/abinitio-platform/authgateway/v1_service_authgateway-importer.yaml
@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app.kubernetes.io/instance: authgateway-importer
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: authgateway-importer
+    app.kubernetes.io/part-of: AbInitio
+    app.kubernetes.io/version: 4.4.1
+    helm.sh/chart: authgateway-importer-2.4.3-a
+  name: authgateway-importer
+  namespace: abinitio
+spec:
+  ports:
+  - name: bridge
+    port: 7070
+    protocol: TCP
+    targetPort: 7070
+  publishNotReadyAddresses: true
+  selector:
+    app.kubernetes.io/instance: authgateway-importer
+    app.kubernetes.io/name: authgateway-importer
+  type: ClusterIP
--- a/rendered/manifests/k3s-dev/abinitio-platform/authgateway/v1_service_authgateway-jgroup.yaml
+++ b/rendered/manifests/k3s-dev/abinitio-platform/authgateway/v1_service_authgateway-jgroup.yaml
@@ -0,0 +1,25 @@
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    abinitio/deployment: authgateway
+    app.kubernetes.io/instance: authgateway
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: authgateway
+    app.kubernetes.io/part-of: AbInitio
+    app.kubernetes.io/version: 4.4.1
+    helm.sh/chart: authgateway-2.4.3-a
+  name: authgateway-jgroup
+  namespace: abinitio
+spec:
+  clusterIP: None
+  ports:
+  - name: jgroup-channel
+    port: 7800
+    protocol: TCP
+    targetPort: 7800
+  publishNotReadyAddresses: true
+  selector:
+    app.kubernetes.io/instance: authgateway
+    app.kubernetes.io/name: authgateway
+  type: ClusterIP
--- a/rendered/manifests/k3s-dev/abinitio-platform/authgateway/v1_service_authgateway.yaml
+++ b/rendered/manifests/k3s-dev/abinitio-platform/authgateway/v1_service_authgateway.yaml
@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    abinitio/deployment: authgateway
+    app.kubernetes.io/instance: authgateway
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: authgateway
+    app.kubernetes.io/part-of: AbInitio
+    app.kubernetes.io/version: 4.4.1
+    helm.sh/chart: authgateway-2.4.3-a
+  name: authgateway
+  namespace: abinitio
+spec:
+  ports:
+  - name: http
+    port: 8080
+    protocol: TCP
+    targetPort: 8080
+  selector:
+    app.kubernetes.io/instance: authgateway
+    app.kubernetes.io/name: authgateway
+  sessionAffinity: ClientIP
+  sessionAffinityConfig:
+    clientIP:
+      timeoutSeconds: 86400
+  type: ClusterIP
--- a/rendered/manifests/k3s-dev/abinitio-platform/blueprints/apps_v1_deployment_blueprints.yaml
+++ b/rendered/manifests/k3s-dev/abinitio-platform/blueprints/apps_v1_deployment_blueprints.yaml
@@ -0,0 +1,362 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app.kubernetes.io/instance: blueprints
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: blueprints
+    app.kubernetes.io/part-of: AbInitio
+    app.kubernetes.io/version: 4.4.1
+    helm.sh/chart: blueprints-2.4.3-a
+  name: blueprints
+  namespace: abinitio
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/instance: blueprints
+      app.kubernetes.io/name: blueprints
+  strategy:
+    type: Recreate
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/instance: blueprints
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: blueprints
+        app.kubernetes.io/part-of: AbInitio
+        app.kubernetes.io/version: 4.4.1
+        helm.sh/chart: blueprints-2.4.3-a
+      name: blueprints
+    spec:
+      containers:
+      - args:
+        - --ab-k8s-job-launch-script
+        - /ab-setup/setup_pod.sh
+        command:
+        - ab-container-entrypoint.ksh
+        env:
+        - name: AB_AIR_ENCRYPTED_PASSWORD
+          value: file=/secrets/aiadmin/password
+        - name: AB_AIR_ROOT
+          value: //eme-0.eme-headless/abinitio/eme/eme
+        - name: AB_AIR_USER
+          value: aiadmin
+        - name: AB_ALLOW_FILE_LOCK_ON_REMOTE_FILE_SYSTEM
+          value: "true"
+        - name: AB_AUTHORIZATION_GATEWAY_URL
+          value: http://authgateway:8080/authgateway
+        - name: AB_BRIDGE_CONFIGURATION_DIR
+          value: /abinitio/bridge
+        - name: AB_BRIDGE_CONFIGURATION_NAME
+          value: container-bridge
+        - name: AB_CHARSET
+          value: utf-8
+        - name: AB_CONFIGURATION
+          value: /config/pod/abinitiorc:/config/pod/apphubrc
+        - name: AB_CONNECTION_BRIDGE_ENCRYPTED_RPC_ENCRYPTION_KEY
+          value: file=/secrets/bridge/password
+        - name: AB_CONNECTION_BRIDGE_PORT
+          value: "7070"
+        - name: AB_CONNECTION_BRIDGE_RPC_ENCRYPTION_TYPE
+          value: aes128-gcm
+        - name: AB_CONNECTION_BRIDGE_SECURITY_CONFIGURATION
+          value: container-bridge-security
+        - name: AB_HOSTNAME_KEYSERVER_URLS
+          value: abks://key-server:6151
+        - name: AB_IPV4_ONLY
+          value: "true"
+        - name: AB_K8S_MAX_IDLE_SECONDS
+          value: "0"
+        - name: AB_K8S_START_BRIDGE
+          value: background
+        - name: AB_K8S_START_REPORTER
+          value: "true"
+        - name: AB_KEY_DAEMON_DIR
+          value: /tmp/abkc/data
+        - name: AB_MHUB_ENCRYPTED_PASSWORD
+          value: file=/secrets/aiadmin/password
+        - name: AB_MHUB_URL
+          value: http://metadatahub:8080/metadatahub
+        - name: AB_MHUB_USERNAME
+          value: aiadmin
+        - name: AB_MUX_ENABLE_AG_CREDENTIAL_MAPPING
+          value: "true"
+        - name: AB_OPS_CONSOLE_URL
+          value: http://controlcenter:8080/controlcenter
+        - name: AB_OPS_WSS_ENCRYPTED_PASSWORD
+          value: file=/secrets/ocagent/password
+        - name: AB_OPS_WSS_USERNAME
+          value: ocagent
+        - name: AB_PASSWORD_KEY_FILE
+          value: /secrets/password_key_file/password
+        - name: BRIDGE_AB_ENCRYPTED_KEY
+          value: file=/secrets/bridge/password
+        - name: CC_ADMIN_ENCRYPTED_PASSWORD
+          value: file=/secrets/aiadmin/password
+        - name: CC_ADMIN_USERNAME
+          value: aiadmin
+        - name: CMAP_MOUNT
+          value: /config/pod
+        - name: DEPLOY_NAME
+          value: blueprints
+        - name: JAVA_OPTS
+          value: -XX:InitialRAMPercentage=50.0 -XX:MaxRAMPercentage=75.0
+        - name: LOAD_PHYSOBJECTS
+          value: "true"
+        - name: NAMESPACE
+          value: abinitio
+        - name: POD_IP
+          valueFrom:
+            fieldRef:
+              fieldPath: status.podIP
+        - name: POD_LABEL
+          value: 'abinitio/product: blueprints, abinitio/deployment: blueprints'
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        - name: POD_SERVICE
+          value: blueprints
+        - name: POD_SERVICE_HEADLESS
+          value: blueprints-headless
+        image: asia-southeast1-docker.pkg.dev/str-22391/cloudplatform-proxy/aidp/blueprints:4.4.1.1-1
+        imagePullPolicy: IfNotPresent
+        name: blueprints
+        readinessProbe:
+          exec:
+            command:
+            - stat
+            - /tmp/.pod.ready
+          failureThreshold: 960
+          periodSeconds: 10
+        resources:
+          limits:
+            ephemeral-storage: 2Gi
+            memory: 16Gi
+          requests:
+            cpu: 500m
+            ephemeral-storage: 2Gi
+            memory: 8Gi
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
+          runAsGroup: 1000
+          runAsNonRoot: true
+          runAsUser: 1000
+          seccompProfile:
+            type: RuntimeDefault
+        volumeMounts:
+        - mountPath: /config/pod
+          name: pod-config
+        - mountPath: /abinitio
+          name: abinitio-local
+        - mountPath: /secrets/aiadmin/password
+          name: aiadmin
+          subPath: password
+        - mountPath: /secrets/ocagent/password
+          name: ocagent
+          subPath: password
+        - mountPath: /secrets/bridge/password
+          name: bridge
+          subPath: password
+        - mountPath: /secrets/eme_join_user/password
+          name: eme-join-user
+          subPath: password
+        - mountPath: /secrets/qi_join_user/password
+          name: qi-join-user
+          subPath: password
+        - mountPath: /secrets/dcs_utility_user/password
+          name: dcs-utility-user
+          subPath: password
+        - mountPath: /secrets/mhub_utility_user/password
+          name: mhub-utility-user
+          subPath: password
+        - mountPath: /secrets/ag_db_importer/password
+          name: ag-db-importer
+          subPath: password
+        - mountPath: /secrets/admin/password
+          name: admin
+          subPath: password
+        - mountPath: /secrets/ag_ui_importer/password
+          name: ag-ui-importer
+          subPath: password
+        - mountPath: /secrets/cafe_join_user/password
+          name: cafe-join-user
+          subPath: password
+        - mountPath: /secrets/cc_join_user/password
+          name: cc-join-user
+          subPath: password
+        - mountPath: /secrets/dcs_join_user/password
+          name: dcs-join-user
+          subPath: password
+        - mountPath: /secrets/ei_join_user/password
+          name: ei-join-user
+          subPath: password
+        - mountPath: /secrets/mhub_join_user/password
+          name: mhub-join-user
+          subPath: password
+        - mountPath: /secrets/qiadmin_join_user/password
+          name: qiadmin-join-user
+          subPath: password
+        - mountPath: /secrets/sd_join_user/password
+          name: sd-join-user
+          subPath: password
+        - mountPath: /secrets/trw_join_user/password
+          name: trw-join-user
+          subPath: password
+        - mountPath: /secrets/mhub_db_importer/password
+          name: mhub-db-importer
+          subPath: password
+        - mountPath: /secrets/mhub_ui_importer/password
+          name: mhub-ui-importer
+          subPath: password
+        - mountPath: /secrets/ag_appserver/password
+          name: ag-appserver
+          subPath: password
+        - mountPath: /secrets/ag_report/password
+          name: ag-report
+          subPath: password
+        - mountPath: /secrets/cc_jdbc/password
+          name: cc-jdbc
+          subPath: password
+        - mountPath: /secrets/dcs_hmac_key/password
+          name: dcs-hmac-key
+          subPath: password
+        - mountPath: /secrets/abinitio/password
+          name: abinitio
+          subPath: password
+        - mountPath: /secrets/mhub_appserver/password
+          name: mhub-appserver
+          subPath: password
+        - mountPath: /secrets/mhub_report/password
+          name: mhub-report
+          subPath: password
+        - mountPath: /secrets/runtime_locator_join_user/password
+          name: runtime-locator-join-user
+          subPath: password
+        - mountPath: /secrets/password_key_file/password
+          name: password-key-file
+          subPath: password
+        - mountPath: /ab_share
+          name: ab-share-data-and-appconf-root
+        - mountPath: /tmp
+          name: tmp-volume
+      hostAliases:
+      - hostnames:
+        - blueprints.abinitio
+        ip: 127.0.0.1
+      hostname: blueprints
+      initContainers: null
+      securityContext:
+        fsGroup: 1000
+        fsGroupChangePolicy: OnRootMismatch
+        runAsGroup: 1000
+        runAsNonRoot: true
+        runAsUser: 1000
+        seccompProfile:
+          type: RuntimeDefault
+      serviceAccountName: abinitio-sa
+      terminationGracePeriodSeconds: 30
+      volumes:
+      - configMap:
+          defaultMode: 511
+          name: blueprints
+        name: pod-config
+      - name: abinitio-local
+        persistentVolumeClaim:
+          claimName: blueprints-claim
+      - emptyDir: {}
+        name: tmp-volume
+      - name: aiadmin
+        secret:
+          secretName: aiadmin
+      - name: ocagent
+        secret:
+          secretName: ocagent
+      - name: bridge
+        secret:
+          secretName: bridge
+      - name: eme-join-user
+        secret:
+          secretName: eme-join-user
+      - name: qi-join-user
+        secret:
+          secretName: qi-join-user
+      - name: dcs-utility-user
+        secret:
+          secretName: dcs-utility-user
+      - name: mhub-utility-user
+        secret:
+          secretName: mhub-utility-user
+      - name: ag-db-importer
+        secret:
+          secretName: ag-db-importer
+      - name: admin
+        secret:
+          secretName: admin
+      - name: ag-ui-importer
+        secret:
+          secretName: ag-ui-importer
+      - name: cafe-join-user
+        secret:
+          secretName: cafe-join-user
+      - name: cc-join-user
+        secret:
+          secretName: cc-join-user
+      - name: dcs-join-user
+        secret:
+          secretName: dcs-join-user
+      - name: ei-join-user
+        secret:
+          secretName: ei-join-user
+      - name: mhub-join-user
+        secret:
+          secretName: mhub-join-user
+      - name: qiadmin-join-user
+        secret:
+          secretName: qiadmin-join-user
+      - name: sd-join-user
+        secret:
+          secretName: sd-join-user
+      - name: trw-join-user
+        secret:
+          secretName: trw-join-user
+      - name: mhub-db-importer
+        secret:
+          secretName: mhub-db-importer
+      - name: mhub-ui-importer
+        secret:
+          secretName: mhub-ui-importer
+      - name: ag-appserver
+        secret:
+          secretName: ag-appserver
+      - name: ag-report
+        secret:
+          secretName: ag-report
+      - name: cc-jdbc
+        secret:
+          secretName: cc-jdbc
+      - name: dcs-hmac-key
+        secret:
+          secretName: dcs-hmac-key
+      - name: abinitio
+        secret:
+          secretName: abinitio
+      - name: mhub-appserver
+        secret:
+          secretName: mhub-appserver
+      - name: mhub-report
+        secret:
+          secretName: mhub-report
+      - name: runtime-locator-join-user
+        secret:
+          secretName: runtime-locator-join-user
+      - name: password-key-file
+        secret:
+          secretName: password-key-file
+      - name: ab-share-data-and-appconf-root
+        persistentVolumeClaim:
+          claimName: ab-shared-data-and-appconf-root-claim
--- a/rendered/manifests/k3s-dev/abinitio-platform/blueprints/v1_configmap_blueprints.yaml
+++ b/rendered/manifests/k3s-dev/abinitio-platform/blueprints/v1_configmap_blueprints.yaml
@@ -0,0 +1,94 @@
+apiVersion: v1
+data:
+  abinitiorc: |
+    AB_AIR_BRANCH @ expressit : main
+    AB_AIR_ROOT @ expressit : //eme-0.eme-headless/abinitio/eme/eme
+    AB_APPCONF_ROOT_DIR @ expressit : /ab_share/ab_appconf_root
+    AB_BRIDGE_WORKDIR @ container-bridge : /tmp/container-bridge-workdir
+    AB_CHARSET : utf-8
+    AB_CONNECTION : bridge
+    AB_CONNECTION_BRIDGE_ENCRYPTED_RPC_ENCRYPTION_KEY @ emeabeme : file=/secrets/bridge/password
+    AB_HOSTNAME_KEYSERVER_URLS : abks://key-server:6151
+    AB_MHUB_LOCAL_ROOT : /abinitio/deploy
+    AB_OPS_CONSOLE_URL : http://controlcenter:8080/controlcenter
+    AB_OPS_MONITOR : true
+    AB_OPS_MONITOR_RESOURCES : false
+    AB_OPS_PHYSICAL_HOSTNAME : blueprints
+    AB_PROC_DIR : /tmp
+    AB_WORK_DIR : /abinitio/work
+  apphubrc: |
+    AB_BRIDGE_VOLATILE_DIR : /tmp/ab-bridge-volatile-dir
+    AB_KEYSERVER_GROUP : AI-IC-AWS001a
+    AB_KEYSERVER_URLS : abks://key-server:6150
+  install-properties.config: |
+    AB_AIR_ROOT=//eme-0.eme-headless/abinitio/eme/eme
+    AB_APPLICATION_HUB=/usr/local/abinitio-app-hub
+    DO_CATALOGVIEW_PROJECT=y
+    DO_EME_INSTALL=y
+    DO_EXAMPLES_INSTALL=n
+    DO_EZ_PRIV=y
+    DO_MHUB_INSTALL=y
+    EZ_GENERATOR_AG_CATALOG_IP=datacatalog
+    EZ_GENERATOR_AG_CATALOG_NAME=Data Catalog Services
+    EZ_GENERATOR_AG_URL=http://authgateway:8080/authgateway
+    EZ_GENERATOR_AG_USER=aiadmin
+    EZ_GENERATOR_APPCONF_REL_LOC=edl
+    EZ_GENERATOR_APPID=expressit
+    EZ_GENERATOR_BLUEPRINTS_TO_INSTALL=ALL
+    EZ_GENERATOR_BLUEPRINT_SERVICE_HOST=blueprints
+    EZ_GENERATOR_BLUEPRINT_SERVICE_PORT=9870
+    EZ_GENERATOR_CATALOGVIEW_PHYSPROJECT=catalogview
+    EZ_GENERATOR_CATALOGVIEW_TECHSYSTEM=EnterpriseDataLake
+    EZ_GENERATOR_CC_HOST=http://controlcenter:8080/controlcenter
+    EZ_GENERATOR_CONFIG_MHUB_DEPLOYMENT_DIR=/abinitio/deploy/metadatahub-importer
+    EZ_GENERATOR_CONFIG_MHUB_MAIN_SCHEMA=mhub_main
+    EZ_GENERATOR_CONFIG_MHUB_META_SCHEMA=mhub_meta
+    EZ_GENERATOR_CONFIG_MHUB_USER=aiadmin
+    EZ_GENERATOR_DATAQUALITY=/ab_share/ab_appconf_root/global/abinitio/dataquality
+    EZ_GENERATOR_DATAQUALITY_RPATH=/Projects/abinitio/dataquality
+    EZ_GENERATOR_DCAT_URL=http://datacatalog:8080/datacatalog
+    EZ_GENERATOR_EI_PRODUCT_INSTANCE=Express>It
+    EZ_GENERATOR_EI_WORKSPACE=Blueprints (Pipelines)
+    EZ_GENERATOR_EME_TECHSYSTEM=Technical Repository
+    EZ_GENERATOR_EME_USES_AG_AUTH=y
+    EZ_GENERATOR_INSTALL_ACTIVE_METADATA_REFERENCE=y
+    EZ_GENERATOR_INSTALL_CODEGEN_TRACING=y
+    EZ_GENERATOR_INSTALL_CONTROL_TEST_RUNS=n
+    EZ_GENERATOR_LANDING_ROOT=/ab_share/ab_appconf_root/main/users
+    EZ_GENERATOR_LISTENER_SERVICE_HOST=blueprints
+    EZ_GENERATOR_LISTENER_SERVICE_PORT=9876
+    EZ_GENERATOR_LISTENER_SERVICE_URL=http://blueprints:9876
+    EZ_GENERATOR_MHUB_LOCAL_ROOT_DIR=/abinitio/deploy
+    EZ_GENERATOR_QUERYIT_HOST=localhost
+    EZ_GENERATOR_QUERYIT_RPATH=/Projects/queryit-instance-0
+    EZ_GENERATOR_QUERYIT_SANDBOX_INSTANCE=queryit-instance-0
+    EZ_GENERATOR_QUERYIT_SANDBOX_ROOT=/abinitio/sandboxes/private_sand
+    EZ_GENERATOR_QUERYIT_USER=aiadmin
+    EZ_GENERATOR_STDENV=/abinitio/sandboxes/sand/stdenv
+    EZ_GENERATOR_STDENV_RPATH=/Projects/stdenv
+    EZ_GENERATOR_USE_LOCAL_QUERYIT_SANDBOX=n
+    INSTALL_ACTIVE_METADATA_REFERENCE=y
+    INSTALL_CONFIG_USING_ABAPP_MHUB=y
+    MHUB_ABAPP_NAME=metadatahub
+    MHUB_DATASTORE_NAME=metadatahub-importer
+    MHUB_IMPORTER_USERNAME=aiadmin
+    MHUB_IMPORT_PROFILE_PATH=/abinitio/deploy/metadatahub-importer/config/import.profile
+    MHUB_URL=http://metadatahub:8080/metadatahub
+    SANDBOX_ROOT=/abinitio/sandboxes/sand
+    WAIT_BETWEEN_LOAD_ATTEMPTS=60
+    WAIT_FOR_LOAD_ATTEMPTS=150
+    EZ_GENERATOR_AG_ENCRYPTED_PASSWORD=file=/secrets/aiadmin/password
+    EZ_GENERATOR_AG_BASE64_PASSWORD=file=/secrets/aiadmin/password
+    MHUB_IMPORTER_ENCRYPTED_PASSWORD=file=/secrets/aiadmin/password
+    EZ_GENERATOR_CONFIG_MHUB_ENCRYPTED_PASSWORD=file=/secrets/aiadmin/password
+kind: ConfigMap
+metadata:
+  labels:
+    app.kubernetes.io/instance: blueprints
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: blueprints
+    app.kubernetes.io/part-of: AbInitio
+    app.kubernetes.io/version: 4.4.1
+    helm.sh/chart: blueprints-2.4.3-a
+  name: blueprints
+  namespace: abinitio
--- a/rendered/manifests/k3s-dev/abinitio-platform/blueprints/v1_persistentvolumeclaim_blueprints-claim.yaml
+++ b/rendered/manifests/k3s-dev/abinitio-platform/blueprints/v1_persistentvolumeclaim_blueprints-claim.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  labels:
+    app.kubernetes.io/instance: blueprints
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: blueprints
+    app.kubernetes.io/part-of: AbInitio
+    app.kubernetes.io/version: 4.4.1
+    helm.sh/chart: blueprints-2.4.3-a
+  name: blueprints-claim
+  namespace: abinitio
+spec:
+  accessModes:
+  - ReadWriteOnce
+  resources:
+    requests:
+      storage: 10Gi
--- a/rendered/manifests/k3s-dev/abinitio-platform/blueprints/v1_service_blueprints.yaml
+++ b/rendered/manifests/k3s-dev/abinitio-platform/blueprints/v1_service_blueprints.yaml
@@ -0,0 +1,31 @@
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app.kubernetes.io/instance: blueprints
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: blueprints
+    app.kubernetes.io/part-of: AbInitio
+    app.kubernetes.io/version: 4.4.1
+    helm.sh/chart: blueprints-2.4.3-a
+  name: blueprints
+  namespace: abinitio
+spec:
+  ports:
+  - name: blueprints
+    port: 9870
+    protocol: TCP
+    targetPort: 9870
+  - name: listener
+    port: 9876
+    protocol: TCP
+    targetPort: 9876
+  - name: bridge
+    port: 7070
+    protocol: TCP
+    targetPort: 7070
+  publishNotReadyAddresses: false
+  selector:
+    app.kubernetes.io/instance: blueprints
+    app.kubernetes.io/name: blueprints
+  type: ClusterIP
--- a/rendered/manifests/k3s-dev/abinitio-platform/controlcenter/apps_v1_deployment_controlcenter-scheduler.yaml
+++ b/rendered/manifests/k3s-dev/abinitio-platform/controlcenter/apps_v1_deployment_controlcenter-scheduler.yaml
@@ -0,0 +1,348 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app.kubernetes.io/instance: controlcenter-scheduler
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: controlcenter-scheduler
+    app.kubernetes.io/part-of: AbInitio
+    app.kubernetes.io/version: 4.4.1
+    helm.sh/chart: controlcenter-scheduler-2.4.3-a
+  name: controlcenter-scheduler
+  namespace: abinitio
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/instance: controlcenter-scheduler
+      app.kubernetes.io/name: controlcenter-scheduler
+  strategy:
+    type: Recreate
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/instance: controlcenter-scheduler
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: controlcenter-scheduler
+        app.kubernetes.io/part-of: AbInitio
+        app.kubernetes.io/version: 4.4.1
+        helm.sh/chart: controlcenter-scheduler-2.4.3-a
+      name: controlcenter-scheduler
+    spec:
+      containers:
+      - args:
+        - --ab-k8s-start-reporter
+        - "true"
+        - --ab-k8s-job-launch-script
+        - /ab-setup/setup_pod.sh
+        command:
+        - ab-container-entrypoint.ksh
+        env:
+        - name: AB_ALLOW_FILE_LOCK_ON_REMOTE_FILE_SYSTEM
+          value: "true"
+        - name: AB_AUTHORIZATION_GATEWAY_URL
+          value: http://authgateway:8080/authgateway
+        - name: AB_BRIDGE_CONFIGURATION_DIR
+          value: /abinitio/bridge
+        - name: AB_BRIDGE_CONFIGURATION_NAME
+          value: container-bridge
+        - name: AB_CHARSET
+          value: utf-8
+        - name: AB_CONFIGURATION
+          value: /config/pod/abinitiorc:/config/pod/apphubrc
+        - name: AB_CONNECTION_BRIDGE_ENCRYPTED_RPC_ENCRYPTION_KEY
+          value: file=/secrets/bridge/password
+        - name: AB_CONNECTION_BRIDGE_PORT
+          value: "7070"
+        - name: AB_CONNECTION_BRIDGE_RPC_ENCRYPTION_TYPE
+          value: aes128-gcm
+        - name: AB_CONNECTION_BRIDGE_SECURITY_CONFIGURATION
+          value: container-bridge-security
+        - name: AB_HOSTNAME_KEYSERVER_URLS
+          value: abks://key-server:6151
+        - name: AB_IPV4_ONLY
+          value: "true"
+        - name: AB_K8S_MAX_IDLE_SECONDS
+          value: "0"
+        - name: AB_K8S_START_BRIDGE
+          value: background
+        - name: AB_K8S_START_REPORTER
+          value: "true"
+        - name: AB_KEY_DAEMON_DIR
+          value: /tmp/abkc/data
+        - name: AB_MUX_ENABLE_AG_CREDENTIAL_MAPPING
+          value: "false"
+        - name: AB_OPS_CONSOLE_URL
+          value: http://controlcenter:8080/controlcenter
+        - name: AB_OPS_HOST_CLUSTER_NAME
+          value: controlcenter-scheduler-cluster-name
+        - name: AB_OPS_WSS_ENCRYPTED_PASSWORD
+          value: file=/secrets/ocagent/password
+        - name: AB_OPS_WSS_USERNAME
+          value: ocagent
+        - name: AB_PASSWORD_KEY_FILE
+          value: /secrets/password_key_file/password
+        - name: BRIDGE_AB_ENCRYPTED_KEY
+          value: file=/secrets/bridge/password
+        - name: CC_ADMIN_ENCRYPTED_PASSWORD
+          value: file=/secrets/aiadmin/password
+        - name: CC_ADMIN_USERNAME
+          value: aiadmin
+        - name: CMAP_MOUNT
+          value: /config/pod
+        - name: DEPLOY_NAME
+          value: controlcenter-scheduler
+        - name: LOAD_PHYSOBJECTS
+          value: "true"
+        - name: NAMESPACE
+          value: abinitio
+        - name: POD_IP
+          valueFrom:
+            fieldRef:
+              fieldPath: status.podIP
+        - name: POD_LABEL
+          value: 'abinitio/product: controlcenter-scheduler, abinitio/deployment:
+            controlcenter-scheduler'
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        - name: POD_SERVICE
+          value: controlcenter-scheduler
+        - name: POD_SERVICE_HEADLESS
+          value: controlcenter-scheduler-headless
+        image: asia-southeast1-docker.pkg.dev/str-22391/cloudplatform-proxy/aidp/controlcenter-scheduler:4.4.1.1-1
+        imagePullPolicy: IfNotPresent
+        name: controlcenter-scheduler
+        readinessProbe:
+          exec:
+            command:
+            - stat
+            - /tmp/.pod.ready
+          failureThreshold: 960
+          periodSeconds: 10
+        resources:
+          limits:
+            ephemeral-storage: 8Gi
+            memory: 4096Mi
+          requests:
+            cpu: 500m
+            ephemeral-storage: 8Gi
+            memory: 4096Mi
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
+          runAsGroup: 1000
+          runAsNonRoot: true
+          runAsUser: 1000
+          seccompProfile:
+            type: RuntimeDefault
+        volumeMounts:
+        - mountPath: /config/pod
+          name: pod-config
+        - mountPath: /abinitio
+          name: abinitio-local
+        - mountPath: /secrets/aiadmin/password
+          name: aiadmin
+          subPath: password
+        - mountPath: /secrets/ocagent/password
+          name: ocagent
+          subPath: password
+        - mountPath: /secrets/bridge/password
+          name: bridge
+          subPath: password
+        - mountPath: /secrets/eme_join_user/password
+          name: eme-join-user
+          subPath: password
+        - mountPath: /secrets/qi_join_user/password
+          name: qi-join-user
+          subPath: password
+        - mountPath: /secrets/dcs_utility_user/password
+          name: dcs-utility-user
+          subPath: password
+        - mountPath: /secrets/mhub_utility_user/password
+          name: mhub-utility-user
+          subPath: password
+        - mountPath: /secrets/ag_db_importer/password
+          name: ag-db-importer
+          subPath: password
+        - mountPath: /secrets/admin/password
+          name: admin
+          subPath: password
+        - mountPath: /secrets/ag_ui_importer/password
+          name: ag-ui-importer
+          subPath: password
+        - mountPath: /secrets/cafe_join_user/password
+          name: cafe-join-user
+          subPath: password
+        - mountPath: /secrets/cc_join_user/password
+          name: cc-join-user
+          subPath: password
+        - mountPath: /secrets/dcs_join_user/password
+          name: dcs-join-user
+          subPath: password
+        - mountPath: /secrets/ei_join_user/password
+          name: ei-join-user
+          subPath: password
+        - mountPath: /secrets/mhub_join_user/password
+          name: mhub-join-user
+          subPath: password
+        - mountPath: /secrets/qiadmin_join_user/password
+          name: qiadmin-join-user
+          subPath: password
+        - mountPath: /secrets/sd_join_user/password
+          name: sd-join-user
+          subPath: password
+        - mountPath: /secrets/trw_join_user/password
+          name: trw-join-user
+          subPath: password
+        - mountPath: /secrets/mhub_db_importer/password
+          name: mhub-db-importer
+          subPath: password
+        - mountPath: /secrets/mhub_ui_importer/password
+          name: mhub-ui-importer
+          subPath: password
+        - mountPath: /secrets/ag_appserver/password
+          name: ag-appserver
+          subPath: password
+        - mountPath: /secrets/ag_report/password
+          name: ag-report
+          subPath: password
+        - mountPath: /secrets/cc_jdbc/password
+          name: cc-jdbc
+          subPath: password
+        - mountPath: /secrets/dcs_hmac_key/password
+          name: dcs-hmac-key
+          subPath: password
+        - mountPath: /secrets/abinitio/password
+          name: abinitio
+          subPath: password
+        - mountPath: /secrets/mhub_appserver/password
+          name: mhub-appserver
+          subPath: password
+        - mountPath: /secrets/mhub_report/password
+          name: mhub-report
+          subPath: password
+        - mountPath: /secrets/runtime_locator_join_user/password
+          name: runtime-locator-join-user
+          subPath: password
+        - mountPath: /secrets/password_key_file/password
+          name: password-key-file
+          subPath: password
+        - mountPath: /tmp
+          name: tmp-volume
+      hostAliases:
+      - hostnames:
+        - controlcenter-scheduler.abinitio
+        ip: 127.0.0.1
+      hostname: controlcenter-scheduler
+      initContainers: null
+      securityContext:
+        fsGroup: 1000
+        fsGroupChangePolicy: OnRootMismatch
+        runAsGroup: 1000
+        runAsNonRoot: true
+        runAsUser: 1000
+        seccompProfile:
+          type: RuntimeDefault
+      serviceAccountName: controlcenter-scheduler-sa
+      terminationGracePeriodSeconds: 30
+      volumes:
+      - configMap:
+          defaultMode: 511
+          name: controlcenter-scheduler
+        name: pod-config
+      - name: abinitio-local
+        persistentVolumeClaim:
+          claimName: controlcenter-scheduler-claim
+      - emptyDir: {}
+        name: tmp-volume
+      - name: aiadmin
+        secret:
+          secretName: aiadmin
+      - name: ocagent
+        secret:
+          secretName: ocagent
+      - name: bridge
+        secret:
+          secretName: bridge
+      - name: eme-join-user
+        secret:
+          secretName: eme-join-user
+      - name: qi-join-user
+        secret:
+          secretName: qi-join-user
+      - name: dcs-utility-user
+        secret:
+          secretName: dcs-utility-user
+      - name: mhub-utility-user
+        secret:
+          secretName: mhub-utility-user
+      - name: ag-db-importer
+        secret:
+          secretName: ag-db-importer
+      - name: admin
+        secret:
+          secretName: admin
+      - name: ag-ui-importer
+        secret:
+          secretName: ag-ui-importer
+      - name: cafe-join-user
+        secret:
+          secretName: cafe-join-user
+      - name: cc-join-user
+        secret:
+          secretName: cc-join-user
+      - name: dcs-join-user
+        secret:
+          secretName: dcs-join-user
+      - name: ei-join-user
+        secret:
+          secretName: ei-join-user
+      - name: mhub-join-user
+        secret:
+          secretName: mhub-join-user
+      - name: qiadmin-join-user
+        secret:
+          secretName: qiadmin-join-user
+      - name: sd-join-user
+        secret:
+          secretName: sd-join-user
+      - name: trw-join-user
+        secret:
+          secretName: trw-join-user
+      - name: mhub-db-importer
+        secret:
+          secretName: mhub-db-importer
+      - name: mhub-ui-importer
+        secret:
+          secretName: mhub-ui-importer
+      - name: ag-appserver
+        secret:
+          secretName: ag-appserver
+      - name: ag-report
+        secret:
+          secretName: ag-report
+      - name: cc-jdbc
+        secret:
+          secretName: cc-jdbc
+      - name: dcs-hmac-key
+        secret:
+          secretName: dcs-hmac-key
+      - name: abinitio
+        secret:
+          secretName: abinitio
+      - name: mhub-appserver
+        secret:
+          secretName: mhub-appserver
+      - name: mhub-report
+        secret:
+          secretName: mhub-report
+      - name: runtime-locator-join-user
+        secret:
+          secretName: runtime-locator-join-user
+      - name: password-key-file
+        secret:
+          secretName: password-key-file
--- a/rendered/manifests/k3s-dev/abinitio-platform/controlcenter/apps_v1_deployment_controlcenter.yaml
+++ b/rendered/manifests/k3s-dev/abinitio-platform/controlcenter/apps_v1_deployment_controlcenter.yaml
@@ -0,0 +1,311 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    abinitio/deployment: controlcenter
+    app.kubernetes.io/instance: controlcenter
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: controlcenter
+    app.kubernetes.io/part-of: AbInitio
+    app.kubernetes.io/version: 4.4.1
+    helm.sh/chart: controlcenter-2.4.3-a
+  name: controlcenter
+  namespace: abinitio
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/instance: controlcenter
+      app.kubernetes.io/name: controlcenter
+  template:
+    metadata:
+      labels:
+        abinitio/deployment: controlcenter
+        app.kubernetes.io/instance: controlcenter
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: controlcenter
+        app.kubernetes.io/part-of: AbInitio
+        app.kubernetes.io/version: 4.4.1
+        helm.sh/chart: controlcenter-2.4.3-a
+      name: controlcenter
+    spec:
+      containers:
+      - env:
+        - name: AB_CONFIG_PROVIDER_URL
+          value: file://localhost/config
+        - name: AB_IPV4_ONLY
+          value: "true"
+        - name: AB_PASSWORD_KEY_FILE
+          value: /secrets/password_key_file/password
+        - name: CATALINA_TMPDIR
+          value: /tmp
+        - name: DEPLOY_NAME
+          value: controlcenter
+        - name: JAVA_OPTS
+          value: -XX:InitialRAMPercentage=50.0 -XX:MaxRAMPercentage=75.0
+        - name: LOAD_PHYSOBJECTS
+          value: "true"
+        - name: NAMESPACE
+          value: abinitio
+        - name: POD_IP
+          valueFrom:
+            fieldRef:
+              fieldPath: status.podIP
+        - name: POD_LABEL
+          value: 'abinitio/product: controlcenter, abinitio/deployment: controlcenter'
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        - name: POD_SERVICE
+          value: controlcenter
+        image: asia-southeast1-docker.pkg.dev/str-22391/cloudplatform-proxy/aidp/controlcenter:4.4.1.1-1
+        imagePullPolicy: IfNotPresent
+        lifecycle:
+          preStop:
+            exec:
+              command:
+              - /bin/sh
+              - -c
+              - ${CATALINA_HOME}/bin/catalina.sh stop
+        livenessProbe:
+          failureThreshold: 3
+          httpGet:
+            path: /controlcenter/api/abwebinternal/health/k8s/liveness
+            port: 8080
+          initialDelaySeconds: 15
+          periodSeconds: 30
+        name: controlcenter-app
+        readinessProbe:
+          failureThreshold: 3
+          httpGet:
+            path: /controlcenter/api/abwebinternal/health/k8s/readiness
+            port: 8080
+          initialDelaySeconds: 15
+          periodSeconds: 30
+        resources:
+          limits:
+            ephemeral-storage: 2Gi
+            memory: 4Gi
+          requests:
+            cpu: 200m
+            ephemeral-storage: 2Gi
+            memory: 4Gi
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
+          runAsGroup: 1000
+          runAsNonRoot: true
+          runAsUser: 1000
+          seccompProfile:
+            type: RuntimeDefault
+        startupProbe:
+          failureThreshold: 3
+          httpGet:
+            path: /controlcenter/api/abwebinternal/health/k8s/startup
+            port: 8080
+          initialDelaySeconds: 15
+          periodSeconds: 30
+        volumeMounts:
+        - mountPath: /config/controlcenter
+          name: app-external-config
+        - mountPath: /abinitio
+          name: abinitio-local
+        - mountPath: /tmp
+          name: tmp-volume
+        - mountPath: /secrets/aiadmin/password
+          name: aiadmin
+          subPath: password
+        - mountPath: /secrets/ocagent/password
+          name: ocagent
+          subPath: password
+        - mountPath: /secrets/bridge/password
+          name: bridge
+          subPath: password
+        - mountPath: /secrets/eme_join_user/password
+          name: eme-join-user
+          subPath: password
+        - mountPath: /secrets/qi_join_user/password
+          name: qi-join-user
+          subPath: password
+        - mountPath: /secrets/dcs_utility_user/password
+          name: dcs-utility-user
+          subPath: password
+        - mountPath: /secrets/mhub_utility_user/password
+          name: mhub-utility-user
+          subPath: password
+        - mountPath: /secrets/ag_db_importer/password
+          name: ag-db-importer
+          subPath: password
+        - mountPath: /secrets/admin/password
+          name: admin
+          subPath: password
+        - mountPath: /secrets/ag_ui_importer/password
+          name: ag-ui-importer
+          subPath: password
+        - mountPath: /secrets/cafe_join_user/password
+          name: cafe-join-user
+          subPath: password
+        - mountPath: /secrets/cc_join_user/password
+          name: cc-join-user
+          subPath: password
+        - mountPath: /secrets/dcs_join_user/password
+          name: dcs-join-user
+          subPath: password
+        - mountPath: /secrets/ei_join_user/password
+          name: ei-join-user
+          subPath: password
+        - mountPath: /secrets/mhub_join_user/password
+          name: mhub-join-user
+          subPath: password
+        - mountPath: /secrets/qiadmin_join_user/password
+          name: qiadmin-join-user
+          subPath: password
+        - mountPath: /secrets/sd_join_user/password
+          name: sd-join-user
+          subPath: password
+        - mountPath: /secrets/trw_join_user/password
+          name: trw-join-user
+          subPath: password
+        - mountPath: /secrets/mhub_db_importer/password
+          name: mhub-db-importer
+          subPath: password
+        - mountPath: /secrets/mhub_ui_importer/password
+          name: mhub-ui-importer
+          subPath: password
+        - mountPath: /secrets/ag_appserver/password
+          name: ag-appserver
+          subPath: password
+        - mountPath: /secrets/ag_report/password
+          name: ag-report
+          subPath: password
+        - mountPath: /secrets/cc_jdbc/password
+          name: cc-jdbc
+          subPath: password
+        - mountPath: /secrets/dcs_hmac_key/password
+          name: dcs-hmac-key
+          subPath: password
+        - mountPath: /secrets/abinitio/password
+          name: abinitio
+          subPath: password
+        - mountPath: /secrets/mhub_appserver/password
+          name: mhub-appserver
+          subPath: password
+        - mountPath: /secrets/mhub_report/password
+          name: mhub-report
+          subPath: password
+        - mountPath: /secrets/runtime_locator_join_user/password
+          name: runtime-locator-join-user
+          subPath: password
+        - mountPath: /secrets/password_key_file/password
+          name: password-key-file
+          subPath: password
+      hostname: controlcenter
+      initContainers: null
+      securityContext:
+        fsGroup: 1000
+        runAsGroup: 1000
+        runAsNonRoot: true
+        runAsUser: 1000
+        seccompProfile:
+          type: RuntimeDefault
+      serviceAccountName: abinitio-sa
+      terminationGracePeriodSeconds: 30
+      volumes:
+      - emptyDir: {}
+        name: abinitio-local
+      - configMap:
+          defaultMode: 511
+          name: controlcenter-external-config
+        name: app-external-config
+      - emptyDir: {}
+        name: tmp-volume
+      - name: aiadmin
+        secret:
+          secretName: aiadmin
+      - name: ocagent
+        secret:
+          secretName: ocagent
+      - name: bridge
+        secret:
+          secretName: bridge
+      - name: eme-join-user
+        secret:
+          secretName: eme-join-user
+      - name: qi-join-user
+        secret:
+          secretName: qi-join-user
+      - name: dcs-utility-user
+        secret:
+          secretName: dcs-utility-user
+      - name: mhub-utility-user
+        secret:
+          secretName: mhub-utility-user
+      - name: ag-db-importer
+        secret:
+          secretName: ag-db-importer
+      - name: admin
+        secret:
+          secretName: admin
+      - name: ag-ui-importer
+        secret:
+          secretName: ag-ui-importer
+      - name: cafe-join-user
+        secret:
+          secretName: cafe-join-user
+      - name: cc-join-user
+        secret:
+          secretName: cc-join-user
+      - name: dcs-join-user
+        secret:
+          secretName: dcs-join-user
+      - name: ei-join-user
+        secret:
+          secretName: ei-join-user
+      - name: mhub-join-user
+        secret:
+          secretName: mhub-join-user
+      - name: qiadmin-join-user
+        secret:
+          secretName: qiadmin-join-user
+      - name: sd-join-user
+        secret:
+          secretName: sd-join-user
+      - name: trw-join-user
+        secret:
+          secretName: trw-join-user
+      - name: mhub-db-importer
+        secret:
+          secretName: mhub-db-importer
+      - name: mhub-ui-importer
+        secret:
+          secretName: mhub-ui-importer
+      - name: ag-appserver
+        secret:
+          secretName: ag-appserver
+      - name: ag-report
+        secret:
+          secretName: ag-report
+      - name: cc-jdbc
+        secret:
+          secretName: cc-jdbc
+      - name: dcs-hmac-key
+        secret:
+          secretName: dcs-hmac-key
+      - name: abinitio
+        secret:
+          secretName: abinitio
+      - name: mhub-appserver
+        secret:
+          secretName: mhub-appserver
+      - name: mhub-report
+        secret:
+          secretName: mhub-report
+      - name: runtime-locator-join-user
+        secret:
+          secretName: runtime-locator-join-user
+      - name: password-key-file
+        secret:
+          secretName: password-key-file
--- a/rendered/manifests/k3s-dev/abinitio-platform/controlcenter/rbac.authorization.k8s.io_v1_role_controlcenter-scheduler-role.yaml
+++ b/rendered/manifests/k3s-dev/abinitio-platform/controlcenter/rbac.authorization.k8s.io_v1_role_controlcenter-scheduler-role.yaml
@@ -0,0 +1,94 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  labels:
+    app.kubernetes.io/instance: controlcenter-scheduler
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: controlcenter-scheduler
+    app.kubernetes.io/part-of: AbInitio
+    app.kubernetes.io/version: 4.4.1
+    helm.sh/chart: controlcenter-scheduler-2.4.3-a
+  name: controlcenter-scheduler-role
+  namespace: abinitio
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - pods/log
+  verbs:
+  - get
+- apiGroups:
+  - ""
+  resources:
+  - pods/exec
+  verbs:
+  - get
+  - create
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - list
+- apiGroups:
+  - ""
+  resources:
+  - limitranges
+  verbs:
+  - get
+  - list
+- apiGroups:
+  - ""
+  resources:
+  - nodes
+  verbs:
+  - get
+  - list
+- apiGroups:
+  - cloud.abinitio.com
+  resources:
+  - cooperatingsystemruntimes
+  verbs:
+  - get
+  - create
+  - delete
+  - patch
+  - list
+- apiGroups:
+  - cloud.abinitio.com
+  resources:
+  - cooperatingsystemruntimepools
+  verbs:
+  - get
+  - create
+  - delete
+  - patch
+  - list
+- apiGroups:
+  - cloud.abinitio.com
+  resources:
+  - cooperatingsystemruntimetemplates
+  verbs:
+  - get
+  - create
+  - delete
+  - patch
+  - list
+- apiGroups:
+  - cloud.abinitio.com
+  resources:
+  - cooperatingsystemruntimeclaims
+  verbs:
+  - get
+  - create
+  - delete
+  - patch
+  - list
--- a/rendered/manifests/k3s-dev/abinitio-platform/controlcenter/rbac.authorization.k8s.io_v1_rolebinding_controlcenter-scheduler-role-rb.yaml
+++ b/rendered/manifests/k3s-dev/abinitio-platform/controlcenter/rbac.authorization.k8s.io_v1_rolebinding_controlcenter-scheduler-role-rb.yaml
@@ -0,0 +1,13 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: controlcenter-scheduler-role-rb
+  namespace: abinitio
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: controlcenter-scheduler-role
+subjects:
+- kind: ServiceAccount
+  name: controlcenter-scheduler-sa
+  namespace: abinitio
--- a/rendered/manifests/k3s-dev/abinitio-platform/controlcenter/v1_configmap_controlcenter-external-config.yaml
+++ b/rendered/manifests/k3s-dev/abinitio-platform/controlcenter/v1_configmap_controlcenter-external-config.yaml
@@ -0,0 +1,67 @@
+apiVersion: v1
+data:
+  controlcenter.yaml: |
+    externalConfig:
+      controlCenter:
+        appserverType: tomcat
+        authentication:
+          type: ag
+        authorization:
+          type: ag
+        authorizationGateway:
+          password: file=/secrets/cc_join_user/password
+          productIdentifier: Control>Center
+          productName: Control>Center
+          url: http://authgateway:8080/authgateway
+          username: cc_join_user
+        bridgeConnectionList:
+        - encryptionType: aes128-gcm
+          name: ag-importer-bridge
+          rpcSecret: file=/secrets/bridge/password
+          securityConfig: container-bridge-security
+          url: http://authgateway-importer:7070
+        cluster:
+          autoConfig:
+            hosts: controlcenter-jgroup
+            port: 7800
+            protocol: tcp
+          channelName: ch01
+          enabled: true
+        db:
+          host: controlcenter-rw.abinitio-db.svc
+          name: controlcenter
+          password: file=/secrets/cc_jdbc/password
+          port: 5432
+          type: PostgreSQL
+          username: cc_jdbc
+        interop:
+          trw:
+            url: http://trw:8080/trw
+        logging:
+          directoryPath: /abinitio/webapp/logs
+          maxBackups: 5
+        serverConfiguration:
+          network:
+            DNS:
+              expand: 0
+        ui:
+          admin:
+            password: file=/secrets/aiadmin/password
+          ocagent:
+            password: file=/secrets/ocagent/password
+            reporterConfigPassword: file=/secrets/ocagent/password
+        urlFromBrowser: https://aidp.k3s.sg.ic.cloudguild.gcp.abinitio.com/controlcenter
+        websockets:
+          forceDisable: false
+kind: ConfigMap
+metadata:
+  labels:
+    abinitio/deployment: controlcenter
+    app.kubernetes.io/instance: controlcenter
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: controlcenter
+    app.kubernetes.io/part-of: AbInitio
+    app.kubernetes.io/version: 4.4.1
+    helm.sh/chart: controlcenter-2.4.3-a
+  name: controlcenter-external-config
+  namespace: abinitio
--- a/rendered/manifests/k3s-dev/abinitio-platform/controlcenter/v1_configmap_controlcenter-scheduler.yaml
+++ b/rendered/manifests/k3s-dev/abinitio-platform/controlcenter/v1_configmap_controlcenter-scheduler.yaml
@@ -0,0 +1,28 @@
+apiVersion: v1
+data:
+  abinitiorc: |
+    AB_BRIDGE_WORKDIR @ container-bridge : /tmp/container-bridge-workdir
+    AB_CHARSET : utf-8
+    AB_HOSTNAME_KEYSERVER_URLS : abks://key-server:6151
+    AB_OPS_CONSOLE_URL : http://controlcenter:8080/controlcenter
+    AB_OPS_HOST_CLUSTER_NAME : controlcenter-scheduler-cluster-name
+    AB_OPS_MONITOR : true
+    AB_OPS_MONITOR_RESOURCES : true
+    AB_OPS_PHYSICAL_HOSTNAME : controlcenter-scheduler.abinitio.svc.cluster.local
+    AB_PROC_DIR : /tmp
+    AB_WORK_DIR : /abinitio/work
+  apphubrc: |
+    AB_BRIDGE_VOLATILE_DIR : /tmp/ab-bridge-volatile-dir
+    AB_KEYSERVER_GROUP : AI-IC-AWS001a
+    AB_KEYSERVER_URLS : abks://key-server:6150
+kind: ConfigMap
+metadata:
+  labels:
+    app.kubernetes.io/instance: controlcenter-scheduler
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: controlcenter-scheduler
+    app.kubernetes.io/part-of: AbInitio
+    app.kubernetes.io/version: 4.4.1
+    helm.sh/chart: controlcenter-scheduler-2.4.3-a
+  name: controlcenter-scheduler
+  namespace: abinitio
--- a/rendered/manifests/k3s-dev/abinitio-platform/controlcenter/v1_persistentvolumeclaim_controlcenter-scheduler-claim.yaml
+++ b/rendered/manifests/k3s-dev/abinitio-platform/controlcenter/v1_persistentvolumeclaim_controlcenter-scheduler-claim.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  labels:
+    app.kubernetes.io/instance: controlcenter-scheduler
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: controlcenter-scheduler
+    app.kubernetes.io/part-of: AbInitio
+    app.kubernetes.io/version: 4.4.1
+    helm.sh/chart: controlcenter-scheduler-2.4.3-a
+  name: controlcenter-scheduler-claim
+  namespace: abinitio
+spec:
+  accessModes:
+  - ReadWriteOnce
+  resources:
+    requests:
+      storage: 10Gi
--- a/rendered/manifests/k3s-dev/abinitio-platform/controlcenter/v1_service_controlcenter-jgroup.yaml
+++ b/rendered/manifests/k3s-dev/abinitio-platform/controlcenter/v1_service_controlcenter-jgroup.yaml
@@ -0,0 +1,25 @@
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    abinitio/deployment: controlcenter
+    app.kubernetes.io/instance: controlcenter
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: controlcenter
+    app.kubernetes.io/part-of: AbInitio
+    app.kubernetes.io/version: 4.4.1
+    helm.sh/chart: controlcenter-2.4.3-a
+  name: controlcenter-jgroup
+  namespace: abinitio
+spec:
+  clusterIP: None
+  ports:
+  - name: jgroup-channel
+    port: 7800
+    protocol: TCP
+    targetPort: 7800
+  publishNotReadyAddresses: true
+  selector:
+    app.kubernetes.io/instance: controlcenter
+    app.kubernetes.io/name: controlcenter
+  type: ClusterIP
--- a/rendered/manifests/k3s-dev/abinitio-platform/controlcenter/v1_service_controlcenter-scheduler.yaml
+++ b/rendered/manifests/k3s-dev/abinitio-platform/controlcenter/v1_service_controlcenter-scheduler.yaml
@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app.kubernetes.io/instance: controlcenter-scheduler
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: controlcenter-scheduler
+    app.kubernetes.io/part-of: AbInitio
+    app.kubernetes.io/version: 4.4.1
+    helm.sh/chart: controlcenter-scheduler-2.4.3-a
+  name: controlcenter-scheduler
+  namespace: abinitio
+spec:
+  ports:
+  - name: bridge
+    port: 7070
+    protocol: TCP
+    targetPort: 7070
+  publishNotReadyAddresses: false
+  selector:
+    app.kubernetes.io/instance: controlcenter-scheduler
+    app.kubernetes.io/name: controlcenter-scheduler
+  type: ClusterIP
--- a/rendered/manifests/k3s-dev/abinitio-platform/controlcenter/v1_service_controlcenter.yaml
+++ b/rendered/manifests/k3s-dev/abinitio-platform/controlcenter/v1_service_controlcenter.yaml
@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    abinitio/deployment: controlcenter
+    app.kubernetes.io/instance: controlcenter
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: controlcenter
+    app.kubernetes.io/part-of: AbInitio
+    app.kubernetes.io/version: 4.4.1
+    helm.sh/chart: controlcenter-2.4.3-a
+  name: controlcenter
+  namespace: abinitio
+spec:
+  ports:
+  - name: http
+    port: 8080
+    protocol: TCP
+    targetPort: 8080
+  selector:
+    app.kubernetes.io/instance: controlcenter
+    app.kubernetes.io/name: controlcenter
+  sessionAffinity: ClientIP
+  sessionAffinityConfig:
+    clientIP:
+      timeoutSeconds: 86400
+  type: ClusterIP
--- a/rendered/manifests/k3s-dev/abinitio-platform/controlcenter/v1_serviceaccount_controlcenter-scheduler-sa.yaml
+++ b/rendered/manifests/k3s-dev/abinitio-platform/controlcenter/v1_serviceaccount_controlcenter-scheduler-sa.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  labels:
+    app.kubernetes.io/instance: controlcenter-scheduler
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: controlcenter-scheduler
+    app.kubernetes.io/part-of: AbInitio
+    app.kubernetes.io/version: 4.4.1
+    helm.sh/chart: controlcenter-scheduler-2.4.3-a
+  name: controlcenter-scheduler-sa
+  namespace: abinitio
--- a/rendered/manifests/k3s-dev/abinitio-platform/datacatalog/apps_v1_deployment_datacatalog.yaml
+++ b/rendered/manifests/k3s-dev/abinitio-platform/datacatalog/apps_v1_deployment_datacatalog.yaml
@@ -0,0 +1,312 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    abinitio/deployment: datacatalog
+    app.kubernetes.io/instance: datacatalog
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: datacatalog
+    app.kubernetes.io/part-of: AbInitio
+    app.kubernetes.io/version: 4.4.1
+    helm.sh/chart: datacatalog-2.4.3-a
+  name: datacatalog
+  namespace: abinitio
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/instance: datacatalog
+      app.kubernetes.io/name: datacatalog
+  template:
+    metadata:
+      labels:
+        abinitio/deployment: datacatalog
+        app.kubernetes.io/instance: datacatalog
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: datacatalog
+        app.kubernetes.io/part-of: AbInitio
+        app.kubernetes.io/version: 4.4.1
+        helm.sh/chart: datacatalog-2.4.3-a
+      name: datacatalog
+    spec:
+      containers:
+      - env:
+        - name: AB_CONFIG_PROVIDER_URL
+          value: file://localhost/config
+        - name: AB_IPV4_ONLY
+          value: "true"
+        - name: AB_PASSWORD_KEY_FILE
+          value: /secrets/password_key_file/password
+        - name: CATALINA_TMPDIR
+          value: /tmp
+        - name: DEPLOY_NAME
+          value: datacatalog
+        - name: JAVA_OPTS
+          value: -XX:InitialRAMPercentage=50.0 -XX:MaxRAMPercentage=75.0
+        - name: LOAD_PHYSOBJECTS
+          value: "true"
+        - name: NAMESPACE
+          value: abinitio
+        - name: POD_IP
+          valueFrom:
+            fieldRef:
+              fieldPath: status.podIP
+        - name: POD_LABEL
+          value: 'abinitio/product: datacatalog, abinitio/deployment: datacatalog'
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        - name: POD_SERVICE
+          value: datacatalog
+        image: asia-southeast1-docker.pkg.dev/str-22391/cloudplatform-proxy/aidp/datacatalog:4.4.1.1-1
+        imagePullPolicy: IfNotPresent
+        lifecycle:
+          preStop:
+            exec:
+              command:
+              - /bin/sh
+              - -c
+              - ${CATALINA_HOME}/bin/catalina.sh stop
+        livenessProbe:
+          failureThreshold: 3
+          httpGet:
+            path: /datacatalog/api/abwebinternal/health/k8s/liveness
+            port: 8080
+          initialDelaySeconds: 5
+          periodSeconds: 30
+        name: datacatalog-app
+        readinessProbe:
+          failureThreshold: 3
+          httpGet:
+            path: /datacatalog/api/abwebinternal/health/k8s/readiness
+            port: 8080
+          initialDelaySeconds: 10
+          periodSeconds: 30
+        resources:
+          limits:
+            ephemeral-storage: 8Gi
+            memory: 2Gi
+          requests:
+            cpu: 200m
+            ephemeral-storage: 4Gi
+            memory: 2Gi
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
+          runAsGroup: 1000
+          runAsNonRoot: true
+          runAsUser: 1000
+          seccompProfile:
+            type: RuntimeDefault
+        startupProbe:
+          failureThreshold: 3
+          httpGet:
+            path: /datacatalog/api/abwebinternal/health/k8s/startup
+            port: 8080
+          initialDelaySeconds: 15
+          periodSeconds: 30
+        volumeMounts:
+        - mountPath: /config/datacatalog
+          name: app-external-config
+        - mountPath: /abinitio
+          name: abinitio-local
+        - mountPath: /tmp
+          name: tmp-volume
+        - mountPath: /secrets/aiadmin/password
+          name: aiadmin
+          subPath: password
+        - mountPath: /secrets/ocagent/password
+          name: ocagent
+          subPath: password
+        - mountPath: /secrets/bridge/password
+          name: bridge
+          subPath: password
+        - mountPath: /secrets/eme_join_user/password
+          name: eme-join-user
+          subPath: password
+        - mountPath: /secrets/qi_join_user/password
+          name: qi-join-user
+          subPath: password
+        - mountPath: /secrets/dcs_utility_user/password
+          name: dcs-utility-user
+          subPath: password
+        - mountPath: /secrets/mhub_utility_user/password
+          name: mhub-utility-user
+          subPath: password
+        - mountPath: /secrets/ag_db_importer/password
+          name: ag-db-importer
+          subPath: password
+        - mountPath: /secrets/admin/password
+          name: admin
+          subPath: password
+        - mountPath: /secrets/ag_ui_importer/password
+          name: ag-ui-importer
+          subPath: password
+        - mountPath: /secrets/cafe_join_user/password
+          name: cafe-join-user
+          subPath: password
+        - mountPath: /secrets/cc_join_user/password
+          name: cc-join-user
+          subPath: password
+        - mountPath: /secrets/dcs_join_user/password
+          name: dcs-join-user
+          subPath: password
+        - mountPath: /secrets/ei_join_user/password
+          name: ei-join-user
+          subPath: password
+        - mountPath: /secrets/mhub_join_user/password
+          name: mhub-join-user
+          subPath: password
+        - mountPath: /secrets/qiadmin_join_user/password
+          name: qiadmin-join-user
+          subPath: password
+        - mountPath: /secrets/sd_join_user/password
+          name: sd-join-user
+          subPath: password
+        - mountPath: /secrets/trw_join_user/password
+          name: trw-join-user
+          subPath: password
+        - mountPath: /secrets/mhub_db_importer/password
+          name: mhub-db-importer
+          subPath: password
+        - mountPath: /secrets/mhub_ui_importer/password
+          name: mhub-ui-importer
+          subPath: password
+        - mountPath: /secrets/ag_appserver/password
+          name: ag-appserver
+          subPath: password
+        - mountPath: /secrets/ag_report/password
+          name: ag-report
+          subPath: password
+        - mountPath: /secrets/cc_jdbc/password
+          name: cc-jdbc
+          subPath: password
+        - mountPath: /secrets/dcs_hmac_key/password
+          name: dcs-hmac-key
+          subPath: password
+        - mountPath: /secrets/abinitio/password
+          name: abinitio
+          subPath: password
+        - mountPath: /secrets/mhub_appserver/password
+          name: mhub-appserver
+          subPath: password
+        - mountPath: /secrets/mhub_report/password
+          name: mhub-report
+          subPath: password
+        - mountPath: /secrets/runtime_locator_join_user/password
+          name: runtime-locator-join-user
+          subPath: password
+        - mountPath: /secrets/password_key_file/password
+          name: password-key-file
+          subPath: password
+      hostname: datacatalog
+      initContainers: null
+      securityContext:
+        fsGroup: 1000
+        fsGroupChangePolicy: OnRootMismatch
+        runAsGroup: 1000
+        runAsNonRoot: true
+        runAsUser: 1000
+        seccompProfile:
+          type: RuntimeDefault
+      serviceAccountName: abinitio-sa
+      terminationGracePeriodSeconds: 30
+      volumes:
+      - emptyDir: {}
+        name: abinitio-local
+      - configMap:
+          defaultMode: 511
+          name: datacatalog-external-config
+        name: app-external-config
+      - emptyDir: {}
+        name: tmp-volume
+      - name: aiadmin
+        secret:
+          secretName: aiadmin
+      - name: ocagent
+        secret:
+          secretName: ocagent
+      - name: bridge
+        secret:
+          secretName: bridge
+      - name: eme-join-user
+        secret:
+          secretName: eme-join-user
+      - name: qi-join-user
+        secret:
+          secretName: qi-join-user
+      - name: dcs-utility-user
+        secret:
+          secretName: dcs-utility-user
+      - name: mhub-utility-user
+        secret:
+          secretName: mhub-utility-user
+      - name: ag-db-importer
+        secret:
+          secretName: ag-db-importer
+      - name: admin
+        secret:
+          secretName: admin
+      - name: ag-ui-importer
+        secret:
+          secretName: ag-ui-importer
+      - name: cafe-join-user
+        secret:
+          secretName: cafe-join-user
+      - name: cc-join-user
+        secret:
+          secretName: cc-join-user
+      - name: dcs-join-user
+        secret:
+          secretName: dcs-join-user
+      - name: ei-join-user
+        secret:
+          secretName: ei-join-user
+      - name: mhub-join-user
+        secret:
+          secretName: mhub-join-user
+      - name: qiadmin-join-user
+        secret:
+          secretName: qiadmin-join-user
+      - name: sd-join-user
+        secret:
+          secretName: sd-join-user
+      - name: trw-join-user
+        secret:
+          secretName: trw-join-user
+      - name: mhub-db-importer
+        secret:
+          secretName: mhub-db-importer
+      - name: mhub-ui-importer
+        secret:
+          secretName: mhub-ui-importer
+      - name: ag-appserver
+        secret:
+          secretName: ag-appserver
+      - name: ag-report
+        secret:
+          secretName: ag-report
+      - name: cc-jdbc
+        secret:
+          secretName: cc-jdbc
+      - name: dcs-hmac-key
+        secret:
+          secretName: dcs-hmac-key
+      - name: abinitio
+        secret:
+          secretName: abinitio
+      - name: mhub-appserver
+        secret:
+          secretName: mhub-appserver
+      - name: mhub-report
+        secret:
+          secretName: mhub-report
+      - name: runtime-locator-join-user
+        secret:
+          secretName: runtime-locator-join-user
+      - name: password-key-file
+        secret:
+          secretName: password-key-file
--- a/rendered/manifests/k3s-dev/abinitio-platform/datacatalog/v1_configmap_datacatalog-external-config.yaml
+++ b/rendered/manifests/k3s-dev/abinitio-platform/datacatalog/v1_configmap_datacatalog-external-config.yaml
@@ -0,0 +1,60 @@
+apiVersion: v1
+data:
+  datacatalog.yaml: |
+    externalConfig:
+      dataCatalogServices:
+        appserverType: tomcat
+        authentication:
+          type: ag
+        authorization:
+          type: ag
+        authorizationGateway:
+          password: file=/secrets/dcs_join_user/password
+          productIdentifier: Data Catalog Services
+          productName: Data Catalog Services
+          url: http://authgateway:8080/authgateway
+          username: dcs_join_user
+        bridgeConnectionList: []
+        cluster:
+          autoConfig:
+            hosts: datacatalog-jgroup
+            port: 7800
+            protocol: tcp
+          channelName: ch01
+          enabled: true
+        defaultBridgeConnection:
+          encryptionType: aes128-gcm
+          name: container-bridge
+          rpcSecret: file=/secrets/bridge/password
+          securityConfig: container-bridge-security
+          url: http://queryit-0:7070
+        interop:
+          metadataHub:
+            url: http://metadatahub:8080/metadatahub
+            utilityPassword: file=/secrets/mhub_utility_user/password
+            utilityUsername: mhub_utility
+        logging:
+          directoryPath: /abinitio/webapp/logs
+          maxBackups: 3
+        queryItInstanceList:
+        - bridgeName: default
+          instanceName: queryit-instance-0
+          sandboxPath: /abinitio/sandboxes/private_sand/queryit-instance-0
+        security:
+          dataCatalog:
+            hmacKey: file=/secrets/dcs_hmac_key/password
+        urlFromBrowser: https://aidp.k3s.sg.ic.cloudguild.gcp.abinitio.com/datacatalog
+        websockets:
+          forceDisable: false
+kind: ConfigMap
+metadata:
+  labels:
+    abinitio/deployment: datacatalog
+    app.kubernetes.io/instance: datacatalog
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: datacatalog
+    app.kubernetes.io/part-of: AbInitio
+    app.kubernetes.io/version: 4.4.1
+    helm.sh/chart: datacatalog-2.4.3-a
+  name: datacatalog-external-config
+  namespace: abinitio
--- a/rendered/manifests/k3s-dev/abinitio-platform/datacatalog/v1_service_datacatalog-jgroup.yaml
+++ b/rendered/manifests/k3s-dev/abinitio-platform/datacatalog/v1_service_datacatalog-jgroup.yaml
@@ -0,0 +1,25 @@
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    abinitio/deployment: datacatalog
+    app.kubernetes.io/instance: datacatalog
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: datacatalog
+    app.kubernetes.io/part-of: AbInitio
+    app.kubernetes.io/version: 4.4.1
+    helm.sh/chart: datacatalog-2.4.3-a
+  name: datacatalog-jgroup
+  namespace: abinitio
+spec:
+  clusterIP: None
+  ports:
+  - name: jgroup-channel
+    port: 7800
+    protocol: TCP
+    targetPort: 7800
+  publishNotReadyAddresses: true
+  selector:
+    app.kubernetes.io/instance: datacatalog
+    app.kubernetes.io/name: datacatalog
+  type: ClusterIP
--- a/rendered/manifests/k3s-dev/abinitio-platform/datacatalog/v1_service_datacatalog.yaml
+++ b/rendered/manifests/k3s-dev/abinitio-platform/datacatalog/v1_service_datacatalog.yaml
@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    abinitio/deployment: datacatalog
+    app.kubernetes.io/instance: datacatalog
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: datacatalog
+    app.kubernetes.io/part-of: AbInitio
+    app.kubernetes.io/version: 4.4.1
+    helm.sh/chart: datacatalog-2.4.3-a
+  name: datacatalog
+  namespace: abinitio
+spec:
+  ports:
+  - name: http
+    port: 8080
+    protocol: TCP
+    targetPort: 8080
+  selector:
+    app.kubernetes.io/instance: datacatalog
+    app.kubernetes.io/name: datacatalog
+  sessionAffinity: ClientIP
+  sessionAffinityConfig:
+    clientIP:
+      timeoutSeconds: 86400
+  type: ClusterIP
--- a/rendered/manifests/k3s-dev/abinitio-platform/dqa/apps_v1_deployment_dqa.yaml
+++ b/rendered/manifests/k3s-dev/abinitio-platform/dqa/apps_v1_deployment_dqa.yaml
@@ -0,0 +1,368 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app.kubernetes.io/instance: dqa
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: dqa
+    app.kubernetes.io/part-of: AbInitio
+    app.kubernetes.io/version: 4.4.1
+    helm.sh/chart: dqa-2.4.3-a
+  name: dqa
+  namespace: abinitio
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/instance: dqa
+      app.kubernetes.io/name: dqa
+  strategy:
+    type: Recreate
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/instance: dqa
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: dqa
+        app.kubernetes.io/part-of: AbInitio
+        app.kubernetes.io/version: 4.4.1
+        helm.sh/chart: dqa-2.4.3-a
+      name: dqa
+    spec:
+      containers:
+      - args:
+        - --ab-k8s-job-launch-script
+        - /ab-setup/setup_pod.sh
+        command:
+        - ab-container-entrypoint.ksh
+        env:
+        - name: AB_AIR_ENCRYPTED_PASSWORD
+          value: file=/secrets/aiadmin/password
+        - name: AB_AIR_ROOT
+          value: //eme-0.eme-headless/abinitio/eme/eme
+        - name: AB_AIR_USER
+          value: aiadmin
+        - name: AB_ALLOW_FILE_LOCK_ON_REMOTE_FILE_SYSTEM
+          value: "true"
+        - name: AB_AUTHORIZATION_GATEWAY_URL
+          value: http://authgateway:8080/authgateway
+        - name: AB_BRIDGE_CONFIGURATION_DIR
+          value: /abinitio/bridge
+        - name: AB_BRIDGE_CONFIGURATION_NAME
+          value: container-bridge
+        - name: AB_CHARSET
+          value: utf-8
+        - name: AB_CONFIGURATION
+          value: /config/pod/abinitiorc:/config/pod/apphubrc
+        - name: AB_CONNECTION_BRIDGE_ENCRYPTED_RPC_ENCRYPTION_KEY
+          value: file=/secrets/bridge/password
+        - name: AB_CONNECTION_BRIDGE_PORT
+          value: "7070"
+        - name: AB_CONNECTION_BRIDGE_RPC_ENCRYPTION_TYPE
+          value: aes128-gcm
+        - name: AB_CONNECTION_BRIDGE_SECURITY_CONFIGURATION
+          value: container-bridge-security
+        - name: AB_HOSTNAME_KEYSERVER_URLS
+          value: abks://key-server:6151
+        - name: AB_IPV4_ONLY
+          value: "true"
+        - name: AB_K8S_MAX_IDLE_SECONDS
+          value: "0"
+        - name: AB_K8S_START_BRIDGE
+          value: background
+        - name: AB_K8S_START_REPORTER
+          value: "true"
+        - name: AB_KEY_DAEMON_DIR
+          value: /tmp/abkc/data
+        - name: AB_MHUB_ENCRYPTED_PASSWORD
+          value: file=/secrets/aiadmin/password
+        - name: AB_MHUB_HOME
+          value: /opt/abinitio/mhub/metadata-hub
+        - name: AB_MHUB_LOCAL_ROOT
+          value: /abinitio/deploy
+        - name: AB_MHUB_URL
+          value: http://metadatahub:8080/metadatahub
+        - name: AB_MHUB_USERNAME
+          value: aiadmin
+        - name: AB_MUX_ENABLE_AG_CREDENTIAL_MAPPING
+          value: "false"
+        - name: AB_OPS_CONSOLE_URL
+          value: http://controlcenter:8080/controlcenter
+        - name: AB_OPS_WSS_ENCRYPTED_PASSWORD
+          value: file=/secrets/ocagent/password
+        - name: AB_OPS_WSS_USERNAME
+          value: ocagent
+        - name: AB_PASSWORD_KEY_FILE
+          value: /secrets/password_key_file/password
+        - name: BRIDGE_AB_ENCRYPTED_KEY
+          value: file=/secrets/bridge/password
+        - name: CC_ADMIN_ENCRYPTED_PASSWORD
+          value: file=/secrets/aiadmin/password
+        - name: CC_ADMIN_USERNAME
+          value: aiadmin
+        - name: CMAP_MOUNT
+          value: /config/pod
+        - name: DEPLOY_NAME
+          value: dqa
+        - name: LOAD_PHYSOBJECTS
+          value: "true"
+        - name: MHUB_IMPORTER_ENCRYPTED_PASSWORD
+          value: file=/secrets/aiadmin/password
+        - name: MHUB_IMPORTER_USERNAME
+          value: aiadmin
+        - name: NAMESPACE
+          value: abinitio
+        - name: POD_IP
+          valueFrom:
+            fieldRef:
+              fieldPath: status.podIP
+        - name: POD_LABEL
+          value: 'abinitio/product: dqa, abinitio/deployment: dqa'
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        - name: POD_SERVICE
+          value: dqa
+        - name: POD_SERVICE_HEADLESS
+          value: dqa-headless
+        image: asia-southeast1-docker.pkg.dev/str-22391/cloudplatform-proxy/aidp/dqa:4.4.1.1-1
+        imagePullPolicy: IfNotPresent
+        name: dqa
+        readinessProbe:
+          exec:
+            command:
+            - stat
+            - /tmp/.pod.ready
+          failureThreshold: 240
+          periodSeconds: 10
+        resources:
+          limits:
+            ephemeral-storage: 10Gi
+            memory: 8Gi
+          requests:
+            cpu: "1"
+            ephemeral-storage: 10Gi
+            memory: 4Gi
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
+          runAsGroup: 1000
+          runAsNonRoot: true
+          runAsUser: 1000
+          seccompProfile:
+            type: RuntimeDefault
+        volumeMounts:
+        - mountPath: /config/pod
+          name: pod-config
+        - mountPath: /abinitio
+          name: abinitio-local
+        - mountPath: /secrets/aiadmin/password
+          name: aiadmin
+          subPath: password
+        - mountPath: /secrets/ocagent/password
+          name: ocagent
+          subPath: password
+        - mountPath: /secrets/bridge/password
+          name: bridge
+          subPath: password
+        - mountPath: /secrets/eme_join_user/password
+          name: eme-join-user
+          subPath: password
+        - mountPath: /secrets/qi_join_user/password
+          name: qi-join-user
+          subPath: password
+        - mountPath: /secrets/dcs_utility_user/password
+          name: dcs-utility-user
+          subPath: password
+        - mountPath: /secrets/mhub_utility_user/password
+          name: mhub-utility-user
+          subPath: password
+        - mountPath: /secrets/ag_db_importer/password
+          name: ag-db-importer
+          subPath: password
+        - mountPath: /secrets/admin/password
+          name: admin
+          subPath: password
+        - mountPath: /secrets/ag_ui_importer/password
+          name: ag-ui-importer
+          subPath: password
+        - mountPath: /secrets/cafe_join_user/password
+          name: cafe-join-user
+          subPath: password
+        - mountPath: /secrets/cc_join_user/password
+          name: cc-join-user
+          subPath: password
+        - mountPath: /secrets/dcs_join_user/password
+          name: dcs-join-user
+          subPath: password
+        - mountPath: /secrets/ei_join_user/password
+          name: ei-join-user
+          subPath: password
+        - mountPath: /secrets/mhub_join_user/password
+          name: mhub-join-user
+          subPath: password
+        - mountPath: /secrets/qiadmin_join_user/password
+          name: qiadmin-join-user
+          subPath: password
+        - mountPath: /secrets/sd_join_user/password
+          name: sd-join-user
+          subPath: password
+        - mountPath: /secrets/trw_join_user/password
+          name: trw-join-user
+          subPath: password
+        - mountPath: /secrets/mhub_db_importer/password
+          name: mhub-db-importer
+          subPath: password
+        - mountPath: /secrets/mhub_ui_importer/password
+          name: mhub-ui-importer
+          subPath: password
+        - mountPath: /secrets/ag_appserver/password
+          name: ag-appserver
+          subPath: password
+        - mountPath: /secrets/ag_report/password
+          name: ag-report
+          subPath: password
+        - mountPath: /secrets/cc_jdbc/password
+          name: cc-jdbc
+          subPath: password
+        - mountPath: /secrets/dcs_hmac_key/password
+          name: dcs-hmac-key
+          subPath: password
+        - mountPath: /secrets/abinitio/password
+          name: abinitio
+          subPath: password
+        - mountPath: /secrets/mhub_appserver/password
+          name: mhub-appserver
+          subPath: password
+        - mountPath: /secrets/mhub_report/password
+          name: mhub-report
+          subPath: password
+        - mountPath: /secrets/runtime_locator_join_user/password
+          name: runtime-locator-join-user
+          subPath: password
+        - mountPath: /secrets/password_key_file/password
+          name: password-key-file
+          subPath: password
+        - mountPath: /ab_share
+          name: ab-share-data-and-appconf-root
+        - mountPath: /tmp
+          name: tmp-volume
+      hostAliases:
+      - hostnames:
+        - dqa.abinitio
+        ip: 127.0.0.1
+      hostname: dqa
+      initContainers: null
+      securityContext:
+        fsGroup: 1000
+        fsGroupChangePolicy: OnRootMismatch
+        runAsGroup: 1000
+        runAsNonRoot: true
+        runAsUser: 1000
+        seccompProfile:
+          type: RuntimeDefault
+      serviceAccountName: abinitio-sa
+      terminationGracePeriodSeconds: 30
+      volumes:
+      - configMap:
+          defaultMode: 511
+          name: dqa
+        name: pod-config
+      - name: abinitio-local
+        persistentVolumeClaim:
+          claimName: dqa-claim
+      - emptyDir: {}
+        name: tmp-volume
+      - name: aiadmin
+        secret:
+          secretName: aiadmin
+      - name: ocagent
+        secret:
+          secretName: ocagent
+      - name: bridge
+        secret:
+          secretName: bridge
+      - name: eme-join-user
+        secret:
+          secretName: eme-join-user
+      - name: qi-join-user
+        secret:
+          secretName: qi-join-user
+      - name: dcs-utility-user
+        secret:
+          secretName: dcs-utility-user
+      - name: mhub-utility-user
+        secret:
+          secretName: mhub-utility-user
+      - name: ag-db-importer
+        secret:
+          secretName: ag-db-importer
+      - name: admin
+        secret:
+          secretName: admin
+      - name: ag-ui-importer
+        secret:
+          secretName: ag-ui-importer
+      - name: cafe-join-user
+        secret:
+          secretName: cafe-join-user
+      - name: cc-join-user
+        secret:
+          secretName: cc-join-user
+      - name: dcs-join-user
+        secret:
+          secretName: dcs-join-user
+      - name: ei-join-user
+        secret:
+          secretName: ei-join-user
+      - name: mhub-join-user
+        secret:
+          secretName: mhub-join-user
+      - name: qiadmin-join-user
+        secret:
+          secretName: qiadmin-join-user
+      - name: sd-join-user
+        secret:
+          secretName: sd-join-user
+      - name: trw-join-user
+        secret:
+          secretName: trw-join-user
+      - name: mhub-db-importer
+        secret:
+          secretName: mhub-db-importer
+      - name: mhub-ui-importer
+        secret:
+          secretName: mhub-ui-importer
+      - name: ag-appserver
+        secret:
+          secretName: ag-appserver
+      - name: ag-report
+        secret:
+          secretName: ag-report
+      - name: cc-jdbc
+        secret:
+          secretName: cc-jdbc
+      - name: dcs-hmac-key
+        secret:
+          secretName: dcs-hmac-key
+      - name: abinitio
+        secret:
+          secretName: abinitio
+      - name: mhub-appserver
+        secret:
+          secretName: mhub-appserver
+      - name: mhub-report
+        secret:
+          secretName: mhub-report
+      - name: runtime-locator-join-user
+        secret:
+          secretName: runtime-locator-join-user
+      - name: password-key-file
+        secret:
+          secretName: password-key-file
+      - name: ab-share-data-and-appconf-root
+        persistentVolumeClaim:
+          claimName: ab-shared-data-and-appconf-root-claim
--- a/rendered/manifests/k3s-dev/abinitio-platform/dqa/v1_configmap_dqa.yaml
+++ b/rendered/manifests/k3s-dev/abinitio-platform/dqa/v1_configmap_dqa.yaml
@@ -0,0 +1,77 @@
+apiVersion: v1
+data:
+  abinitiorc: |
+    AB_AIR_BRANCH @ expressit : main
+    AB_AIR_ROOT : //eme-0.eme-headless/abinitio/eme/eme
+    AB_AIR_ROOT @ expressit : //eme-0.eme-headless/abinitio/eme/eme
+    AB_APPCONF_ROOT_DIR @ expressit : /ab_share/ab_appconf_root
+    AB_BRIDGE_WORKDIR @ container-bridge : /tmp/container-bridge-workdir
+    AB_CHARSET : utf-8
+    AB_CHARSET @ rwi : utf-8
+    AB_CONNECTION : bridge
+    AB_CONNECTION @ rwi : bridge
+    AB_CONNECTION_BRIDGE_ENCRYPTED_RPC_ENCRYPTION_KEY @ emeabeme : file=/secrets/bridge/password
+    AB_HOSTNAME_KEYSERVER_URLS : abks://key-server:6151
+    AB_MHUB_LOCAL_ROOT : /abinitio/deploy
+    AB_OPS_CONSOLE_URL : http://controlcenter:8080/controlcenter
+    AB_OPS_MONITOR : true
+    AB_OPS_MONITOR_RESOURCES : false
+    AB_OPS_PHYSICAL_HOSTNAME : dqa
+    AB_PROC_DIR : /tmp
+    AB_WORK_DIR : /abinitio/work
+  apphubrc: |
+    AB_BRIDGE_VOLATILE_DIR : /tmp/ab-bridge-volatile-dir
+    AB_KEYSERVER_GROUP : AI-IC-AWS001a
+    AB_KEYSERVER_URLS : abks://key-server:6150
+  install-properties.config: |
+    AB_AIR_BRANCH=main
+    AB_AIR_ROOT=//eme-0.eme-headless/abinitio/eme/eme
+    AB_APPCONF_ROOT_DIR=/ab_share/ab_appconf_root
+    AB_APPLICATION_HUB=/usr/local/abinitio-app-hub
+    AB_MHUB_CONFIG_DIR=/abinitio/deploy/metadatahub-importer/config
+    AB_MHUB_LOCAL_DIR=/abinitio/deploy/metadatahub-importer
+    ALLOW_DS_CREATION=1
+    ALLOW_DS_UPDATE=1
+    DQ_INSTALL_CONFIG_CREATE_COMMON_IO_AND_DATA_QUALITY_SANDBOXES=y
+    DQ_INSTALL_CONFIG_DO_PXML_CREATION_AT_BRANCH_LEVEL=y
+    DQ_INSTALL_CONFIG_FORCE_PROJECT_CHECKOUT=y
+    DQ_INSTALL_CONFIG_INSTALL_EXAMPLES=y
+    DQ_INSTALL_CONFIG_MAKE_MHUB_BACKUP=n
+    DQ_INSTALL_CONFIG_OVERWRITE_COMMON_IO_SANDBOX=y
+    DQ_INSTALL_CONFIG_OVERWRITE_DQA_COMMON_SANDBOX=y
+    DQ_INSTALL_CONFIG_OVERWRITE_DQ_SANDBOX=y
+    EIT_APP_IDENTIFIER=expressit
+    EIT_USERNAME=aiadmin
+    INSTALL_CONFIG_USING_ABAPP_MHUB=y
+    MHUB_ABAPP_NAME=metadatahub
+    MHUB_DATASTORE_NAME=metadatahub-importer
+    MHUB_EME_TR_DSCONN=Technical Repository
+    MHUB_IMPORTER_USERNAME=aiadmin
+    MHUB_MAIN_SCHEMA=mhub_main
+    MHUB_META_SCHEMA=mhub_meta
+    MHUB_URL=http://metadatahub:8080/metadatahub
+    RPATH_TO_COMMON_IO=/Projects/abinitio/common_io
+    RPATH_TO_DATAQUALITY=/Projects/abinitio/dataquality
+    RPATH_TO_DP_EXAMPLES=/Projects/abinitio/dp-examples
+    RPATH_TO_DQ_COMMON=/Projects/abinitio/dq-common
+    RPATH_TO_DQ_EXAMPLES=/Projects/abinitio/dq-examples
+    RPATH_TO_STDENV=/Projects/stdenv
+    RWI_DATA_ROOT=/ab_share/data/mfs/mfs_2way
+    RWI_METADATA_ROOT=//rwi/abinitio/rwi/mount/data/serial
+    SANDBOX_PATH_TO_COMMON_IO=/ab_share/ab_appconf_root/global/abinitio/common_io
+    SANDBOX_PATH_TO_DATAQUALITY=/ab_share/ab_appconf_root/global/abinitio/dataquality
+    SANDBOX_PATH_TO_STDENV=/abinitio/sandboxes/sand/stdenv
+    WAIT_BETWEEN_LOAD_ATTEMPTS=30
+    WAIT_FOR_LOAD_ATTEMPTS=300
+    MHUB_IMPORTER_ENCRYPTED_PASSWORD=file=/secrets/aiadmin/password
+kind: ConfigMap
+metadata:
+  labels:
+    app.kubernetes.io/instance: dqa
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: dqa
+    app.kubernetes.io/part-of: AbInitio
+    app.kubernetes.io/version: 4.4.1
+    helm.sh/chart: dqa-2.4.3-a
+  name: dqa
+  namespace: abinitio
--- a/rendered/manifests/k3s-dev/abinitio-platform/dqa/v1_persistentvolumeclaim_dqa-claim.yaml
+++ b/rendered/manifests/k3s-dev/abinitio-platform/dqa/v1_persistentvolumeclaim_dqa-claim.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  labels:
+    app.kubernetes.io/instance: dqa
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: dqa
+    app.kubernetes.io/part-of: AbInitio
+    app.kubernetes.io/version: 4.4.1
+    helm.sh/chart: dqa-2.4.3-a
+  name: dqa-claim
+  namespace: abinitio
+spec:
+  accessModes:
+  - ReadWriteOnce
+  resources:
+    requests:
+      storage: 2Gi
--- a/rendered/manifests/k3s-dev/abinitio-platform/dqa/v1_service_dqa.yaml
+++ b/rendered/manifests/k3s-dev/abinitio-platform/dqa/v1_service_dqa.yaml
@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app.kubernetes.io/instance: dqa
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: dqa
+    app.kubernetes.io/part-of: AbInitio
+    app.kubernetes.io/version: 4.4.1
+    helm.sh/chart: dqa-2.4.3-a
+  name: dqa
+  namespace: abinitio
+spec:
+  ports:
+  - name: bridge
+    port: 7070
+    protocol: TCP
+    targetPort: 7070
+  publishNotReadyAddresses: false
+  selector:
+    app.kubernetes.io/instance: dqa
+    app.kubernetes.io/name: dqa
+  type: ClusterIP
--- a/rendered/manifests/k3s-dev/abinitio-platform/eme/apps_v1_statefulset_eme.yaml
+++ b/rendered/manifests/k3s-dev/abinitio-platform/eme/apps_v1_statefulset_eme.yaml
@@ -0,0 +1,375 @@
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  labels:
+    abinitio/statefulset: eme
+    app.kubernetes.io/instance: eme
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: eme
+    app.kubernetes.io/part-of: AbInitio
+    app.kubernetes.io/version: 4.4.1
+    helm.sh/chart: eme-2.4.3-a
+  name: eme
+  namespace: abinitio
+spec:
+  podManagementPolicy: Parallel
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/instance: eme
+      app.kubernetes.io/name: eme
+  serviceName: eme-headless
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/instance: eme
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: eme
+        app.kubernetes.io/part-of: AbInitio
+        app.kubernetes.io/version: 4.4.1
+        helm.sh/chart: eme-2.4.3-a
+      name: eme
+    spec:
+      affinity:
+        podAntiAffinity:
+          preferredDuringSchedulingIgnoredDuringExecution:
+          - podAffinityTerm:
+              labelSelector:
+                matchLabels:
+                  app.kubernetes.io/instance: eme
+                  app.kubernetes.io/name: eme
+              topologyKey: kubernetes.io/hostname
+            weight: 1
+      containers:
+      - args:
+        - --ab-k8s-start-reporter
+        - "true"
+        - --ab-k8s-job-launch-script
+        - /ab-setup/setup_pod.sh
+        command:
+        - ab-container-entrypoint.ksh
+        env:
+        - name: AB_AIR_ROOT
+          value: /abinitio/eme/eme
+        - name: AB_ALLOW_FILE_LOCK_ON_REMOTE_FILE_SYSTEM
+          value: "true"
+        - name: AB_AUTHORIZATION_GATEWAY_URL
+          value: http://authgateway:8080/authgateway
+        - name: AB_BRIDGE_CONFIGURATION_DIR
+          value: /abinitio/bridge
+        - name: AB_BRIDGE_CONFIGURATION_NAME
+          value: container-bridge
+        - name: AB_CHARSET
+          value: utf-8
+        - name: AB_CONFIGURATION
+          value: /config/pod/abinitiorc:/config/pod/apphubrc
+        - name: AB_CONNECTION_BRIDGE_ENCRYPTED_RPC_ENCRYPTION_KEY
+          value: file=/secrets/bridge/password
+        - name: AB_CONNECTION_BRIDGE_PORT
+          value: "7070"
+        - name: AB_CONNECTION_BRIDGE_RPC_ENCRYPTION_TYPE
+          value: aes128-gcm
+        - name: AB_CONNECTION_BRIDGE_SECURITY_CONFIGURATION
+          value: container-bridge-security
+        - name: AB_HOSTNAME_KEYSERVER_URLS
+          value: abks://key-server:6151
+        - name: AB_IPV4_ONLY
+          value: "true"
+        - name: AB_K8S_MAX_IDLE_SECONDS
+          value: "0"
+        - name: AB_K8S_START_BRIDGE
+          value: background
+        - name: AB_K8S_START_REPORTER
+          value: "true"
+        - name: AB_KEY_DAEMON_DIR
+          value: /tmp/abkc/data
+        - name: AB_MUX_ENABLE_AG_CREDENTIAL_MAPPING
+          value: "false"
+        - name: AB_OPS_CONSOLE_URL
+          value: http://controlcenter:8080/controlcenter
+        - name: AB_OPS_PHYSICAL_HOSTNAME
+          value: eme
+        - name: AB_OPS_WSS_ENCRYPTED_PASSWORD
+          value: file=/secrets/ocagent/password
+        - name: AB_OPS_WSS_USERNAME
+          value: ocagent
+        - name: AB_PASSWORD_KEY_FILE
+          value: /secrets/password_key_file/password
+        - name: BRIDGE_AB_ENCRYPTED_KEY
+          value: file=/secrets/bridge/password
+        - name: CC_ADMIN_ENCRYPTED_PASSWORD
+          value: file=/secrets/aiadmin/password
+        - name: CC_ADMIN_USERNAME
+          value: aiadmin
+        - name: CMAP_MOUNT
+          value: /config/pod
+        - name: DEPLOY_NAME
+          value: eme
+        - name: EME_AG_JOINER_ENCRYPTED_PASSWORD
+          value: file=/secrets/eme_join_user/password
+        - name: EME_AG_JOINER_NAME
+          value: eme_join_user
+        - name: EME_AG_PRODUCT_ID
+          value: EMETR
+        - name: EME_AG_URL
+          value: http://authgateway:8080/authgateway
+        - name: EME_LOAD_SAV_FILES
+          value: "false"
+        - name: EME_START_ARGUMENTS
+          value: -override-running-server-check
+        - name: LOAD_PHYSOBJECTS
+          value: "true"
+        - name: NAMESPACE
+          value: abinitio
+        - name: POD_IP
+          valueFrom:
+            fieldRef:
+              fieldPath: status.podIP
+        - name: POD_LABEL
+          value: 'abinitio/product: eme, abinitio/deployment: eme'
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        - name: POD_SERVICE
+          value: eme
+        - name: POD_SERVICE_HEADLESS
+          value: eme-headless
+        image: asia-southeast1-docker.pkg.dev/str-22391/cloudplatform-proxy/aidp/eme:4.4.1.1-1
+        imagePullPolicy: IfNotPresent
+        name: eme
+        readinessProbe:
+          exec:
+            command:
+            - /bin/sh
+            - -c
+            - air ls /abinitio/default/eme-created
+          failureThreshold: 12
+          initialDelaySeconds: 10
+          periodSeconds: 30
+          successThreshold: 1
+        resources:
+          limits:
+            ephemeral-storage: 8Gi
+            memory: 16Gi
+          requests:
+            cpu: 200m
+            ephemeral-storage: 8Gi
+            memory: 16Gi
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
+          runAsGroup: 1000
+          runAsNonRoot: true
+          runAsUser: 1000
+          seccompProfile:
+            type: RuntimeDefault
+        volumeMounts:
+        - mountPath: /config/pod
+          name: pod-config
+        - mountPath: /abinitio
+          name: abinitio-local
+        - mountPath: /secrets/aiadmin/password
+          name: aiadmin
+          subPath: password
+        - mountPath: /secrets/ocagent/password
+          name: ocagent
+          subPath: password
+        - mountPath: /secrets/bridge/password
+          name: bridge
+          subPath: password
+        - mountPath: /secrets/eme_join_user/password
+          name: eme-join-user
+          subPath: password
+        - mountPath: /secrets/qi_join_user/password
+          name: qi-join-user
+          subPath: password
+        - mountPath: /secrets/dcs_utility_user/password
+          name: dcs-utility-user
+          subPath: password
+        - mountPath: /secrets/mhub_utility_user/password
+          name: mhub-utility-user
+          subPath: password
+        - mountPath: /secrets/ag_db_importer/password
+          name: ag-db-importer
+          subPath: password
+        - mountPath: /secrets/admin/password
+          name: admin
+          subPath: password
+        - mountPath: /secrets/ag_ui_importer/password
+          name: ag-ui-importer
+          subPath: password
+        - mountPath: /secrets/cafe_join_user/password
+          name: cafe-join-user
+          subPath: password
+        - mountPath: /secrets/cc_join_user/password
+          name: cc-join-user
+          subPath: password
+        - mountPath: /secrets/dcs_join_user/password
+          name: dcs-join-user
+          subPath: password
+        - mountPath: /secrets/ei_join_user/password
+          name: ei-join-user
+          subPath: password
+        - mountPath: /secrets/mhub_join_user/password
+          name: mhub-join-user
+          subPath: password
+        - mountPath: /secrets/qiadmin_join_user/password
+          name: qiadmin-join-user
+          subPath: password
+        - mountPath: /secrets/sd_join_user/password
+          name: sd-join-user
+          subPath: password
+        - mountPath: /secrets/trw_join_user/password
+          name: trw-join-user
+          subPath: password
+        - mountPath: /secrets/mhub_db_importer/password
+          name: mhub-db-importer
+          subPath: password
+        - mountPath: /secrets/mhub_ui_importer/password
+          name: mhub-ui-importer
+          subPath: password
+        - mountPath: /secrets/ag_appserver/password
+          name: ag-appserver
+          subPath: password
+        - mountPath: /secrets/ag_report/password
+          name: ag-report
+          subPath: password
+        - mountPath: /secrets/cc_jdbc/password
+          name: cc-jdbc
+          subPath: password
+        - mountPath: /secrets/dcs_hmac_key/password
+          name: dcs-hmac-key
+          subPath: password
+        - mountPath: /secrets/abinitio/password
+          name: abinitio
+          subPath: password
+        - mountPath: /secrets/mhub_appserver/password
+          name: mhub-appserver
+          subPath: password
+        - mountPath: /secrets/mhub_report/password
+          name: mhub-report
+          subPath: password
+        - mountPath: /secrets/runtime_locator_join_user/password
+          name: runtime-locator-join-user
+          subPath: password
+        - mountPath: /secrets/password_key_file/password
+          name: password-key-file
+          subPath: password
+        - mountPath: /tmp
+          name: tmp-volume
+      hostAliases:
+      - hostnames:
+        - eme.abinitio
+        ip: 127.0.0.1
+      hostname: eme
+      initContainers: null
+      securityContext:
+        fsGroup: 1000
+        fsGroupChangePolicy: OnRootMismatch
+        runAsGroup: 1000
+        runAsNonRoot: true
+        runAsUser: 1000
+        seccompProfile:
+          type: RuntimeDefault
+      serviceAccountName: abinitio-sa
+      terminationGracePeriodSeconds: 30
+      volumes:
+      - configMap:
+          defaultMode: 511
+          name: eme
+        name: pod-config
+      - name: abinitio-local
+        persistentVolumeClaim:
+          claimName: eme-claim
+      - emptyDir: {}
+        name: tmp-volume
+      - name: aiadmin
+        secret:
+          secretName: aiadmin
+      - name: ocagent
+        secret:
+          secretName: ocagent
+      - name: bridge
+        secret:
+          secretName: bridge
+      - name: eme-join-user
+        secret:
+          secretName: eme-join-user
+      - name: qi-join-user
+        secret:
+          secretName: qi-join-user
+      - name: dcs-utility-user
+        secret:
+          secretName: dcs-utility-user
+      - name: mhub-utility-user
+        secret:
+          secretName: mhub-utility-user
+      - name: ag-db-importer
+        secret:
+          secretName: ag-db-importer
+      - name: admin
+        secret:
+          secretName: admin
+      - name: ag-ui-importer
+        secret:
+          secretName: ag-ui-importer
+      - name: cafe-join-user
+        secret:
+          secretName: cafe-join-user
+      - name: cc-join-user
+        secret:
+          secretName: cc-join-user
+      - name: dcs-join-user
+        secret:
+          secretName: dcs-join-user
+      - name: ei-join-user
+        secret:
+          secretName: ei-join-user
+      - name: mhub-join-user
+        secret:
+          secretName: mhub-join-user
+      - name: qiadmin-join-user
+        secret:
+          secretName: qiadmin-join-user
+      - name: sd-join-user
+        secret:
+          secretName: sd-join-user
+      - name: trw-join-user
+        secret:
+          secretName: trw-join-user
+      - name: mhub-db-importer
+        secret:
+          secretName: mhub-db-importer
+      - name: mhub-ui-importer
+        secret:
+          secretName: mhub-ui-importer
+      - name: ag-appserver
+        secret:
+          secretName: ag-appserver
+      - name: ag-report
+        secret:
+          secretName: ag-report
+      - name: cc-jdbc
+        secret:
+          secretName: cc-jdbc
+      - name: dcs-hmac-key
+        secret:
+          secretName: dcs-hmac-key
+      - name: abinitio
+        secret:
+          secretName: abinitio
+      - name: mhub-appserver
+        secret:
+          secretName: mhub-appserver
+      - name: mhub-report
+        secret:
+          secretName: mhub-report
+      - name: runtime-locator-join-user
+        secret:
+          secretName: runtime-locator-join-user
+      - name: password-key-file
+        secret:
+          secretName: password-key-file
--- a/rendered/manifests/k3s-dev/abinitio-platform/eme/v1_configmap_eme.yaml
+++ b/rendered/manifests/k3s-dev/abinitio-platform/eme/v1_configmap_eme.yaml
@@ -0,0 +1,35 @@
+apiVersion: v1
+data:
+  abinitiorc: |
+    AB_BRIDGE_ALLOW_UNSECURED_HTTP_BRIDGE_TUNNEL : true
+    AB_BRIDGE_TUNNEL_ALLOW_LIST : /~ab_home/config/bridge-tunnel-allow-list.example
+    AB_BRIDGE_WORKDIR @ container-bridge : /tmp/container-bridge-workdir
+    AB_CHARSET : utf-8
+    AB_HOSTNAME_KEYSERVER_URLS : abks://key-server:6151
+    AB_OPS_CONSOLE_URL : http://controlcenter:8080/controlcenter
+    AB_OPS_MONITOR : true
+    AB_OPS_MONITOR_RESOURCES : false
+    AB_OPS_PHYSICAL_HOSTNAME : eme-0.eme-headless
+    AB_PROC_DIR : /tmp
+    AB_WORK_DIR : /abinitio/work
+  apphubrc: |
+    AB_AIR_BRANCHES @ eme : main
+    AB_AIR_ROOT     @ eme : /abinitio/eme/eme
+    AB_BRIDGE_VOLATILE_DIR : /tmp/ab-bridge-volatile-dir
+    AB_DESCRIPTION  @ eme : Local EME
+    AB_DISPLAY_NAME @ eme : Local EME
+    AB_EME_REPOSITORIES : eme
+    AB_KEYSERVER_GROUP : AI-IC-AWS001a
+    AB_KEYSERVER_URLS : abks://key-server:6150
+    AB_UMASK : 002
+kind: ConfigMap
+metadata:
+  labels:
+    app.kubernetes.io/instance: eme
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: eme
+    app.kubernetes.io/part-of: AbInitio
+    app.kubernetes.io/version: 4.4.1
+    helm.sh/chart: eme-2.4.3-a
+  name: eme
+  namespace: abinitio
--- a/rendered/manifests/k3s-dev/abinitio-platform/eme/v1_persistentvolumeclaim_eme-claim.yaml
+++ b/rendered/manifests/k3s-dev/abinitio-platform/eme/v1_persistentvolumeclaim_eme-claim.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  labels:
+    app.kubernetes.io/instance: eme
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: eme
+    app.kubernetes.io/part-of: AbInitio
+    app.kubernetes.io/version: 4.4.1
+    helm.sh/chart: eme-2.4.3-a
+  name: eme-claim
+  namespace: abinitio
+spec:
+  accessModes:
+  - ReadWriteOnce
+  resources:
+    requests:
+      storage: 10Gi
--- a/rendered/manifests/k3s-dev/abinitio-platform/eme/v1_service_eme-headless.yaml
+++ b/rendered/manifests/k3s-dev/abinitio-platform/eme/v1_service_eme-headless.yaml
@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app.kubernetes.io/instance: eme
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: eme
+    app.kubernetes.io/part-of: AbInitio
+    app.kubernetes.io/version: 4.4.1
+    helm.sh/chart: eme-2.4.3-a
+  name: eme-headless
+  namespace: abinitio
+spec:
+  clusterIP: None
+  ports:
+  - name: bridge
+    port: 7070
+    protocol: TCP
+    targetPort: 7070
+  publishNotReadyAddresses: false
+  selector:
+    app.kubernetes.io/instance: eme
+    app.kubernetes.io/name: eme
--- a/rendered/manifests/k3s-dev/abinitio-platform/eme/v1_service_eme.yaml
+++ b/rendered/manifests/k3s-dev/abinitio-platform/eme/v1_service_eme.yaml
@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app.kubernetes.io/instance: eme
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: eme
+    app.kubernetes.io/part-of: AbInitio
+    app.kubernetes.io/version: 4.4.1
+    helm.sh/chart: eme-2.4.3-a
+  name: eme
+  namespace: abinitio
+spec:
+  ports:
+  - name: bridge
+    port: 7070
+    protocol: TCP
+    targetPort: 7070
+  publishNotReadyAddresses: false
+  selector:
+    app.kubernetes.io/instance: eme
+    app.kubernetes.io/name: eme
+  type: ClusterIP
--- a/rendered/manifests/k3s-dev/abinitio-platform/enterprise-data-masking/apps_v1_deployment_enterprise-data-masking.yaml
+++ b/rendered/manifests/k3s-dev/abinitio-platform/enterprise-data-masking/apps_v1_deployment_enterprise-data-masking.yaml
@@ -0,0 +1,361 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app.kubernetes.io/instance: enterprise-data-masking
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: enterprise-data-masking
+    app.kubernetes.io/part-of: AbInitio
+    app.kubernetes.io/version: 4.4.1
+    helm.sh/chart: enterprise-data-masking-2.4.3-a
+  name: enterprise-data-masking
+  namespace: abinitio
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/instance: enterprise-data-masking
+      app.kubernetes.io/name: enterprise-data-masking
+  strategy:
+    type: Recreate
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/instance: enterprise-data-masking
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: enterprise-data-masking
+        app.kubernetes.io/part-of: AbInitio
+        app.kubernetes.io/version: 4.4.1
+        helm.sh/chart: enterprise-data-masking-2.4.3-a
+      name: enterprise-data-masking
+    spec:
+      containers:
+      - args:
+        - --ab-k8s-job-launch-script
+        - /ab-setup/setup_pod.sh
+        command:
+        - ab-container-entrypoint.ksh
+        env:
+        - name: AB_AIR_ENCRYPTED_PASSWORD
+          value: file=/secrets/aiadmin/password
+        - name: AB_AIR_ROOT
+          value: //eme-0.eme-headless/abinitio/eme/eme
+        - name: AB_AIR_USER
+          value: aiadmin
+        - name: AB_ALLOW_FILE_LOCK_ON_REMOTE_FILE_SYSTEM
+          value: "true"
+        - name: AB_AUTHORIZATION_GATEWAY_URL
+          value: http://authgateway:8080/authgateway
+        - name: AB_BRIDGE_CONFIGURATION_DIR
+          value: /abinitio/bridge
+        - name: AB_BRIDGE_CONFIGURATION_NAME
+          value: container-bridge
+        - name: AB_CHARSET
+          value: utf-8
+        - name: AB_CONFIGURATION
+          value: /config/pod/abinitiorc:/config/pod/apphubrc
+        - name: AB_CONNECTION_BRIDGE_ENCRYPTED_RPC_ENCRYPTION_KEY
+          value: file=/secrets/bridge/password
+        - name: AB_CONNECTION_BRIDGE_PORT
+          value: "7070"
+        - name: AB_CONNECTION_BRIDGE_RPC_ENCRYPTION_TYPE
+          value: aes128-gcm
+        - name: AB_CONNECTION_BRIDGE_SECURITY_CONFIGURATION
+          value: container-bridge-security
+        - name: AB_HOSTNAME_KEYSERVER_URLS
+          value: abks://key-server:6151
+        - name: AB_IPV4_ONLY
+          value: "true"
+        - name: AB_K8S_MAX_IDLE_SECONDS
+          value: "0"
+        - name: AB_K8S_START_BRIDGE
+          value: background
+        - name: AB_K8S_START_REPORTER
+          value: "true"
+        - name: AB_KEY_DAEMON_DIR
+          value: /tmp/abkc/data
+        - name: AB_MHUB_ENCRYPTED_PASSWORD
+          value: file=/secrets/aiadmin/password
+        - name: AB_MHUB_URL
+          value: http://metadatahub:8080/metadatahub
+        - name: AB_MHUB_USERNAME
+          value: aiadmin
+        - name: AB_MUX_ENABLE_AG_CREDENTIAL_MAPPING
+          value: "false"
+        - name: AB_OPS_CONSOLE_URL
+          value: http://controlcenter:8080/controlcenter
+        - name: AB_OPS_WSS_ENCRYPTED_PASSWORD
+          value: file=/secrets/ocagent/password
+        - name: AB_OPS_WSS_USERNAME
+          value: ocagent
+        - name: AB_PASSWORD_KEY_FILE
+          value: /secrets/password_key_file/password
+        - name: BRIDGE_AB_ENCRYPTED_KEY
+          value: file=/secrets/bridge/password
+        - name: CC_ADMIN_ENCRYPTED_PASSWORD
+          value: file=/secrets/aiadmin/password
+        - name: CC_ADMIN_USERNAME
+          value: aiadmin
+        - name: CMAP_MOUNT
+          value: /config/pod
+        - name: DEPLOY_NAME
+          value: enterprise-data-masking
+        - name: LOAD_PHYSOBJECTS
+          value: "true"
+        - name: NAMESPACE
+          value: abinitio
+        - name: POD_IP
+          valueFrom:
+            fieldRef:
+              fieldPath: status.podIP
+        - name: POD_LABEL
+          value: 'abinitio/product: enterprise-data-masking, abinitio/deployment:
+            enterprise-data-masking'
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        - name: POD_SERVICE
+          value: enterprise-data-masking
+        - name: POD_SERVICE_HEADLESS
+          value: enterprise-data-masking-headless
+        image: asia-southeast1-docker.pkg.dev/str-22391/cloudplatform-proxy/aidp/enterprise-data-masking:4.4.1.1-1
+        imagePullPolicy: IfNotPresent
+        name: enterprise-data-masking
+        readinessProbe:
+          exec:
+            command:
+            - stat
+            - /tmp/.pod.ready
+          failureThreshold: 240
+          periodSeconds: 10
+        resources:
+          limits:
+            ephemeral-storage: 2Gi
+            memory: 4Gi
+          requests:
+            cpu: "1"
+            ephemeral-storage: 2Gi
+            memory: 1Gi
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
+          runAsGroup: 1000
+          runAsNonRoot: true
+          runAsUser: 1000
+          seccompProfile:
+            type: RuntimeDefault
+        volumeMounts:
+        - mountPath: /config/pod
+          name: pod-config
+        - mountPath: /abinitio
+          name: abinitio-local
+        - mountPath: /secrets/aiadmin/password
+          name: aiadmin
+          subPath: password
+        - mountPath: /secrets/ocagent/password
+          name: ocagent
+          subPath: password
+        - mountPath: /secrets/bridge/password
+          name: bridge
+          subPath: password
+        - mountPath: /secrets/eme_join_user/password
+          name: eme-join-user
+          subPath: password
+        - mountPath: /secrets/qi_join_user/password
+          name: qi-join-user
+          subPath: password
+        - mountPath: /secrets/dcs_utility_user/password
+          name: dcs-utility-user
+          subPath: password
+        - mountPath: /secrets/mhub_utility_user/password
+          name: mhub-utility-user
+          subPath: password
+        - mountPath: /secrets/ag_db_importer/password
+          name: ag-db-importer
+          subPath: password
+        - mountPath: /secrets/admin/password
+          name: admin
+          subPath: password
+        - mountPath: /secrets/ag_ui_importer/password
+          name: ag-ui-importer
+          subPath: password
+        - mountPath: /secrets/cafe_join_user/password
+          name: cafe-join-user
+          subPath: password
+        - mountPath: /secrets/cc_join_user/password
+          name: cc-join-user
+          subPath: password
+        - mountPath: /secrets/dcs_join_user/password
+          name: dcs-join-user
+          subPath: password
+        - mountPath: /secrets/ei_join_user/password
+          name: ei-join-user
+          subPath: password
+        - mountPath: /secrets/mhub_join_user/password
+          name: mhub-join-user
+          subPath: password
+        - mountPath: /secrets/qiadmin_join_user/password
+          name: qiadmin-join-user
+          subPath: password
+        - mountPath: /secrets/sd_join_user/password
+          name: sd-join-user
+          subPath: password
+        - mountPath: /secrets/trw_join_user/password
+          name: trw-join-user
+          subPath: password
+        - mountPath: /secrets/mhub_db_importer/password
+          name: mhub-db-importer
+          subPath: password
+        - mountPath: /secrets/mhub_ui_importer/password
+          name: mhub-ui-importer
+          subPath: password
+        - mountPath: /secrets/ag_appserver/password
+          name: ag-appserver
+          subPath: password
+        - mountPath: /secrets/ag_report/password
+          name: ag-report
+          subPath: password
+        - mountPath: /secrets/cc_jdbc/password
+          name: cc-jdbc
+          subPath: password
+        - mountPath: /secrets/dcs_hmac_key/password
+          name: dcs-hmac-key
+          subPath: password
+        - mountPath: /secrets/abinitio/password
+          name: abinitio
+          subPath: password
+        - mountPath: /secrets/mhub_appserver/password
+          name: mhub-appserver
+          subPath: password
+        - mountPath: /secrets/mhub_report/password
+          name: mhub-report
+          subPath: password
+        - mountPath: /secrets/runtime_locator_join_user/password
+          name: runtime-locator-join-user
+          subPath: password
+        - mountPath: /secrets/password_key_file/password
+          name: password-key-file
+          subPath: password
+        - mountPath: /ab_share
+          name: ab-share-data-and-appconf-root
+        - mountPath: /tmp
+          name: tmp-volume
+      hostAliases:
+      - hostnames:
+        - enterprise-data-masking.abinitio
+        ip: 127.0.0.1
+      hostname: enterprise-data-masking
+      initContainers: null
+      securityContext:
+        fsGroup: 1000
+        fsGroupChangePolicy: OnRootMismatch
+        runAsGroup: 1000
+        runAsNonRoot: true
+        runAsUser: 1000
+        seccompProfile:
+          type: RuntimeDefault
+      serviceAccountName: abinitio-sa
+      terminationGracePeriodSeconds: 30
+      volumes:
+      - configMap:
+          defaultMode: 511
+          name: enterprise-data-masking
+        name: pod-config
+      - name: abinitio-local
+        persistentVolumeClaim:
+          claimName: enterprise-data-masking-claim
+      - emptyDir: {}
+        name: tmp-volume
+      - name: aiadmin
+        secret:
+          secretName: aiadmin
+      - name: ocagent
+        secret:
+          secretName: ocagent
+      - name: bridge
+        secret:
+          secretName: bridge
+      - name: eme-join-user
+        secret:
+          secretName: eme-join-user
+      - name: qi-join-user
+        secret:
+          secretName: qi-join-user
+      - name: dcs-utility-user
+        secret:
+          secretName: dcs-utility-user
+      - name: mhub-utility-user
+        secret:
+          secretName: mhub-utility-user
+      - name: ag-db-importer
+        secret:
+          secretName: ag-db-importer
+      - name: admin
+        secret:
+          secretName: admin
+      - name: ag-ui-importer
+        secret:
+          secretName: ag-ui-importer
+      - name: cafe-join-user
+        secret:
+          secretName: cafe-join-user
+      - name: cc-join-user
+        secret:
+          secretName: cc-join-user
+      - name: dcs-join-user
+        secret:
+          secretName: dcs-join-user
+      - name: ei-join-user
+        secret:
+          secretName: ei-join-user
+      - name: mhub-join-user
+        secret:
+          secretName: mhub-join-user
+      - name: qiadmin-join-user
+        secret:
+          secretName: qiadmin-join-user
+      - name: sd-join-user
+        secret:
+          secretName: sd-join-user
+      - name: trw-join-user
+        secret:
+          secretName: trw-join-user
+      - name: mhub-db-importer
+        secret:
+          secretName: mhub-db-importer
+      - name: mhub-ui-importer
+        secret:
+          secretName: mhub-ui-importer
+      - name: ag-appserver
+        secret:
+          secretName: ag-appserver
+      - name: ag-report
+        secret:
+          secretName: ag-report
+      - name: cc-jdbc
+        secret:
+          secretName: cc-jdbc
+      - name: dcs-hmac-key
+        secret:
+          secretName: dcs-hmac-key
+      - name: abinitio
+        secret:
+          secretName: abinitio
+      - name: mhub-appserver
+        secret:
+          secretName: mhub-appserver
+      - name: mhub-report
+        secret:
+          secretName: mhub-report
+      - name: runtime-locator-join-user
+        secret:
+          secretName: runtime-locator-join-user
+      - name: password-key-file
+        secret:
+          secretName: password-key-file
+      - name: ab-share-data-and-appconf-root
+        persistentVolumeClaim:
+          claimName: ab-shared-data-and-appconf-root-claim
--- a/rendered/manifests/k3s-dev/abinitio-platform/enterprise-data-masking/v1_configmap_enterprise-data-masking.yaml
+++ b/rendered/manifests/k3s-dev/abinitio-platform/enterprise-data-masking/v1_configmap_enterprise-data-masking.yaml
@@ -0,0 +1,90 @@
+apiVersion: v1
+data:
+  abinitiorc: |
+    AB_AIR_BRANCH @ expressit : main
+    AB_AIR_ROOT : //eme-0.eme-headless/abinitio/eme/eme
+    AB_AIR_ROOT @ expressit : //eme-0.eme-headless/abinitio/eme/eme
+    AB_APPCONF_ROOT_DIR @ expressit : /ab_share/ab_appconf_root
+    AB_BRIDGE_WORKDIR @ container-bridge : /tmp/container-bridge-workdir
+    AB_CHARSET : utf-8
+    AB_CONNECTION : bridge
+    AB_CONNECTION @ emeabeme : bridge
+    AB_CONNECTION_BRIDGE_ENCRYPTED_RPC_ENCRYPTION_KEY @ emeabeme : file=/secrets/bridge/password
+    AB_CONNECTION_BRIDGE_PORT @ emeabeme : 7070
+    AB_CONNECTION_BRIDGE_RPC_ENCRYPTION_TYPE @ emeabeme : aes128-gcm
+    AB_CONNECTION_BRIDGE_SECURITY_CONFIGURATION @ emeabeme : container-bridge-security
+    AB_HOME @ emeabeme : /usr/local/abinitio
+    AB_HOSTNAME_KEYSERVER_URLS : abks://key-server:6151
+    AB_MHUB_LOCAL_ROOT : /abinitio/deploy
+    AB_NODES @ emeabeme : eme-0.eme-headless
+    AB_OPS_CONSOLE_URL : http://controlcenter:8080/controlcenter
+    AB_OPS_MONITOR : true
+    AB_OPS_MONITOR_RESOURCES : false
+    AB_OPS_PHYSICAL_HOSTNAME : enterprise-data-masking
+    AB_PROC_DIR : /tmp
+    AB_WORK_DIR : /abinitio/work
+  apphubrc: |
+    AB_BRIDGE_VOLATILE_DIR : /tmp/ab-bridge-volatile-dir
+    AB_KEYSERVER_GROUP : AI-IC-AWS001a
+    AB_KEYSERVER_URLS : abks://key-server:6150
+  install-properties.config: |
+    AB_AIR_BRANCH=main
+    AB_AIR_ROOT=//eme-0.eme-headless/abinitio/eme/eme
+    AB_APPLICATION_HUB=/usr/local/abinitio-app-hub
+    AB_MHUB_CONFIG_DIR=/abinitio/deploy/metadatahub-importer/config
+    DBM_ABSDK_GRAPH_PROJECT_RPATH=/Projects/abinitio/dbm_deps/absdk_graph
+    DBM_CONFIG_MHUB_USER=aiadmin
+    DBM_DATA_CATALOG_URL=http://datacatalog:8080/datacatalog
+    DBM_DATA_CATALOG_USER=aiadmin
+    DBM_DBC_DIR=/abinitio/sandboxes/sand/edm_dbc
+    DBM_EME_ADMIN=aiadmin
+    DBM_EXPRESSIT_WORKSPACE=Test_Data_Management
+    DBM_PROJECT_RPATH=/Projects/abinitio/dbm
+    DBM_SERVICE_AUDIT_LISTENER_PORT=9478
+    DBM_SERVICE_DIRECTORY=/abinitio/sandboxes
+    DBM_SERVICE_PORT=9878
+    DBM_SERVICE_URL=http://enterprise-data-masking:9878
+    DEFAULT_MHUB_URL=http://metadatahub:8080/metadatahub
+    DO_DPC_INSTALL=y
+    DO_EME_INSTALL=y
+    DO_EXPRESSIT_INSTALL=n
+    DO_EXPRESSIT_INSTALL_SERVICE_GRAPHS=y
+    DO_EXPRESSIT_INSTALL_UI=n
+    DO_MHUB_CONFIGURATION=y
+    DO_MHUB_INSTALL=n
+    DO_SERVICE_INSTALL=y
+    EIT_APP_IDENTIFIER=expressit
+    EIT_PRIVATE_PROJECT_TR_PATH=/Projects/abinitio/examples/test_data_management
+    EIT_USERNAME=aiadmin
+    INSTALL_CONFIG_USING_ABAPP_MHUB=y
+    IS_MULTI_SERVER_INSTALL=y
+    LOAD_INTO_MAIN_NAV_BAR=n
+    MHUB_ABAPP_NAME=metadatahub
+    MHUB_DATASTORE_NAME=metadatahub-importer
+    MHUB_IMPORTER_USERNAME=aiadmin
+    MHUB_IMPORT_PROFILE_PATH=/abinitio/deploy/metadatahub-importer/config/import.profile
+    MHUB_URL=http://metadatahub:8080/metadatahub
+    PRIVATE_REL_RPATH=private_edm
+    RPATH_TO_STDENV=/Projects/stdenv
+    SANDBOX_PATH_TO_STDENV=/abinitio/sandboxes/sand/stdenv
+    TDM_EXAMPLES_PROJECT_RPATH=/Projects/abinitio/examples/test_data_management
+    TDM_PROJECT_RPATH=/Projects/abinitio/dms
+    UPDATE_ABSQL_WITH_MASKING=n
+    UPGRADE_TDM=n
+    WAIT_BETWEEN_LOAD_ATTEMPTS=30
+    WAIT_FOR_LOAD_ATTEMPTS=300
+    DBM_CONFIG_MHUB_ENCRYPTED_PASSWORD=file=/secrets/aiadmin/password
+    MHUB_IMPORTER_ENCRYPTED_PASSWORD=file=/secrets/aiadmin/password
+    DBM_DATA_CATALOG_USER_ENCRYPTED_PASSWORD=file=/secrets/aiadmin/password
+    DBM_EME_ADMIN_ENCRYPTED_PASSWORD=file=/secrets/aiadmin/password
+kind: ConfigMap
+metadata:
+  labels:
+    app.kubernetes.io/instance: enterprise-data-masking
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: enterprise-data-masking
+    app.kubernetes.io/part-of: AbInitio
+    app.kubernetes.io/version: 4.4.1
+    helm.sh/chart: enterprise-data-masking-2.4.3-a
+  name: enterprise-data-masking
+  namespace: abinitio
--- a/rendered/manifests/k3s-dev/abinitio-platform/enterprise-data-masking/v1_persistentvolumeclaim_enterprise-data-masking-claim.yaml
+++ b/rendered/manifests/k3s-dev/abinitio-platform/enterprise-data-masking/v1_persistentvolumeclaim_enterprise-data-masking-claim.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  labels:
+    app.kubernetes.io/instance: enterprise-data-masking
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: enterprise-data-masking
+    app.kubernetes.io/part-of: AbInitio
+    app.kubernetes.io/version: 4.4.1
+    helm.sh/chart: enterprise-data-masking-2.4.3-a
+  name: enterprise-data-masking-claim
+  namespace: abinitio
+spec:
+  accessModes:
+  - ReadWriteOnce
+  resources:
+    requests:
+      storage: 2Gi
--- a/rendered/manifests/k3s-dev/abinitio-platform/enterprise-data-masking/v1_service_enterprise-data-masking.yaml
+++ b/rendered/manifests/k3s-dev/abinitio-platform/enterprise-data-masking/v1_service_enterprise-data-masking.yaml
@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app.kubernetes.io/instance: enterprise-data-masking
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: enterprise-data-masking
+    app.kubernetes.io/part-of: AbInitio
+    app.kubernetes.io/version: 4.4.1
+    helm.sh/chart: enterprise-data-masking-2.4.3-a
+  name: enterprise-data-masking
+  namespace: abinitio
+spec:
+  ports:
+  - name: enterprise-data-masking
+    port: 9878
+    protocol: TCP
+    targetPort: 9878
+  - name: bridge
+    port: 7070
+    protocol: TCP
+    targetPort: 7070
+  publishNotReadyAddresses: false
+  selector:
+    app.kubernetes.io/instance: enterprise-data-masking
+    app.kubernetes.io/name: enterprise-data-masking
+  type: ClusterIP
--- a/rendered/manifests/k3s-dev/abinitio-platform/expressit/apps_v1_deployment_expressit-bridge.yaml
+++ b/rendered/manifests/k3s-dev/abinitio-platform/expressit/apps_v1_deployment_expressit-bridge.yaml
@@ -0,0 +1,364 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app.kubernetes.io/instance: expressit-bridge
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: expressit-bridge
+    app.kubernetes.io/part-of: AbInitio
+    app.kubernetes.io/version: 4.4.1
+    helm.sh/chart: expressit-bridge-2.4.3-a
+  name: expressit-bridge
+  namespace: abinitio
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/instance: expressit-bridge
+      app.kubernetes.io/name: expressit-bridge
+  strategy:
+    type: Recreate
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/instance: expressit-bridge
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: expressit-bridge
+        app.kubernetes.io/part-of: AbInitio
+        app.kubernetes.io/version: 4.4.1
+        helm.sh/chart: expressit-bridge-2.4.3-a
+      name: expressit-bridge
+    spec:
+      containers:
+      - args:
+        - --ab-k8s-start-reporter
+        - "true"
+        - --ab-k8s-job-launch-script
+        - /ab-setup/setup_pod.sh
+        command:
+        - ab-container-entrypoint.ksh
+        env:
+        - name: AB_AIR_ENCRYPTED_PASSWORD
+          value: file=/secrets/aiadmin/password
+        - name: AB_AIR_ROOT
+          value: //eme-0.eme-headless/abinitio/eme/eme
+        - name: AB_AIR_USER
+          value: aiadmin
+        - name: AB_ALLOW_FILE_LOCK_ON_REMOTE_FILE_SYSTEM
+          value: "true"
+        - name: AB_AUTHORIZATION_GATEWAY_URL
+          value: http://authgateway:8080/authgateway
+        - name: AB_BRIDGE_CONFIGURATION_DIR
+          value: /abinitio/bridge
+        - name: AB_BRIDGE_CONFIGURATION_NAME
+          value: container-bridge
+        - name: AB_CHARSET
+          value: utf-8
+        - name: AB_CONFIGURATION
+          value: /config/pod/abinitiorc:/config/pod/apphubrc
+        - name: AB_CONNECTION_BRIDGE_ENCRYPTED_RPC_ENCRYPTION_KEY
+          value: file=/secrets/bridge/password
+        - name: AB_CONNECTION_BRIDGE_PORT
+          value: "7070"
+        - name: AB_CONNECTION_BRIDGE_RPC_ENCRYPTION_TYPE
+          value: aes128-gcm
+        - name: AB_CONNECTION_BRIDGE_SECURITY_CONFIGURATION
+          value: container-bridge-security
+        - name: AB_HOSTNAME_KEYSERVER_URLS
+          value: abks://key-server:6151
+        - name: AB_IPV4_ONLY
+          value: "true"
+        - name: AB_K8S_MAX_IDLE_SECONDS
+          value: "0"
+        - name: AB_K8S_START_BRIDGE
+          value: background
+        - name: AB_K8S_START_REPORTER
+          value: "true"
+        - name: AB_KEY_DAEMON_DIR
+          value: /tmp/abkc/data
+        - name: AB_MHUB_ENCRYPTED_PASSWORD
+          value: file=/secrets/aiadmin/password
+        - name: AB_MHUB_URL
+          value: http://metadatahub:8080/metadatahub
+        - name: AB_MHUB_USERNAME
+          value: aiadmin
+        - name: AB_MUX_ENABLE_AG_CREDENTIAL_MAPPING
+          value: "false"
+        - name: AB_OPS_CONSOLE_URL
+          value: http://controlcenter:8080/controlcenter
+        - name: AB_OPS_PHYSICAL_HOSTNAME
+          value: expressit-bridge
+        - name: AB_OPS_WSS_ENCRYPTED_PASSWORD
+          value: file=/secrets/ocagent/password
+        - name: AB_OPS_WSS_USERNAME
+          value: ocagent
+        - name: AB_PASSWORD_KEY_FILE
+          value: /secrets/password_key_file/password
+        - name: BRIDGE_AB_ENCRYPTED_KEY
+          value: file=/secrets/bridge/password
+        - name: CC_ADMIN_ENCRYPTED_PASSWORD
+          value: file=/secrets/aiadmin/password
+        - name: CC_ADMIN_USERNAME
+          value: aiadmin
+        - name: CMAP_MOUNT
+          value: /config/pod
+        - name: DEPLOY_NAME
+          value: expressit-bridge
+        - name: LOAD_PHYSOBJECTS
+          value: "true"
+        - name: NAMESPACE
+          value: abinitio
+        - name: POD_IP
+          valueFrom:
+            fieldRef:
+              fieldPath: status.podIP
+        - name: POD_LABEL
+          value: 'abinitio/product: expressit-bridge, abinitio/deployment: expressit-bridge'
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        - name: POD_SERVICE
+          value: expressit-bridge
+        - name: POD_SERVICE_HEADLESS
+          value: expressit-bridge-headless
+        image: asia-southeast1-docker.pkg.dev/str-22391/cloudplatform-proxy/aidp/expressit-bridge:4.4.1.1-1
+        imagePullPolicy: IfNotPresent
+        name: expressit-bridge
+        readinessProbe:
+          exec:
+            command:
+            - stat
+            - /tmp/.pod.ready
+          failureThreshold: 240
+          periodSeconds: 10
+        resources:
+          limits:
+            ephemeral-storage: 8Gi
+            memory: 8Gi
+          requests:
+            cpu: "1"
+            ephemeral-storage: 8Gi
+            memory: 4Gi
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
+          runAsGroup: 1000
+          runAsNonRoot: true
+          runAsUser: 1000
+          seccompProfile:
+            type: RuntimeDefault
+        volumeMounts:
+        - mountPath: /config/pod
+          name: pod-config
+        - mountPath: /abinitio
+          name: abinitio-local
+        - mountPath: /secrets/aiadmin/password
+          name: aiadmin
+          subPath: password
+        - mountPath: /secrets/ocagent/password
+          name: ocagent
+          subPath: password
+        - mountPath: /secrets/bridge/password
+          name: bridge
+          subPath: password
+        - mountPath: /secrets/eme_join_user/password
+          name: eme-join-user
+          subPath: password
+        - mountPath: /secrets/qi_join_user/password
+          name: qi-join-user
+          subPath: password
+        - mountPath: /secrets/dcs_utility_user/password
+          name: dcs-utility-user
+          subPath: password
+        - mountPath: /secrets/mhub_utility_user/password
+          name: mhub-utility-user
+          subPath: password
+        - mountPath: /secrets/ag_db_importer/password
+          name: ag-db-importer
+          subPath: password
+        - mountPath: /secrets/admin/password
+          name: admin
+          subPath: password
+        - mountPath: /secrets/ag_ui_importer/password
+          name: ag-ui-importer
+          subPath: password
+        - mountPath: /secrets/cafe_join_user/password
+          name: cafe-join-user
+          subPath: password
+        - mountPath: /secrets/cc_join_user/password
+          name: cc-join-user
+          subPath: password
+        - mountPath: /secrets/dcs_join_user/password
+          name: dcs-join-user
+          subPath: password
+        - mountPath: /secrets/ei_join_user/password
+          name: ei-join-user
+          subPath: password
+        - mountPath: /secrets/mhub_join_user/password
+          name: mhub-join-user
+          subPath: password
+        - mountPath: /secrets/qiadmin_join_user/password
+          name: qiadmin-join-user
+          subPath: password
+        - mountPath: /secrets/sd_join_user/password
+          name: sd-join-user
+          subPath: password
+        - mountPath: /secrets/trw_join_user/password
+          name: trw-join-user
+          subPath: password
+        - mountPath: /secrets/mhub_db_importer/password
+          name: mhub-db-importer
+          subPath: password
+        - mountPath: /secrets/mhub_ui_importer/password
+          name: mhub-ui-importer
+          subPath: password
+        - mountPath: /secrets/ag_appserver/password
+          name: ag-appserver
+          subPath: password
+        - mountPath: /secrets/ag_report/password
+          name: ag-report
+          subPath: password
+        - mountPath: /secrets/cc_jdbc/password
+          name: cc-jdbc
+          subPath: password
+        - mountPath: /secrets/dcs_hmac_key/password
+          name: dcs-hmac-key
+          subPath: password
+        - mountPath: /secrets/abinitio/password
+          name: abinitio
+          subPath: password
+        - mountPath: /secrets/mhub_appserver/password
+          name: mhub-appserver
+          subPath: password
+        - mountPath: /secrets/mhub_report/password
+          name: mhub-report
+          subPath: password
+        - mountPath: /secrets/runtime_locator_join_user/password
+          name: runtime-locator-join-user
+          subPath: password
+        - mountPath: /secrets/password_key_file/password
+          name: password-key-file
+          subPath: password
+        - mountPath: /ab_share
+          name: ab-share-data-and-appconf-root
+        - mountPath: /tmp
+          name: tmp-volume
+      hostAliases:
+      - hostnames:
+        - expressit-bridge.abinitio
+        ip: 127.0.0.1
+      hostname: expressit-bridge
+      initContainers: null
+      securityContext:
+        fsGroup: 1000
+        fsGroupChangePolicy: OnRootMismatch
+        runAsGroup: 1000
+        runAsNonRoot: true
+        runAsUser: 1000
+        seccompProfile:
+          type: RuntimeDefault
+      serviceAccountName: abinitio-sa
+      terminationGracePeriodSeconds: 30
+      volumes:
+      - configMap:
+          defaultMode: 511
+          name: expressit-bridge
+        name: pod-config
+      - name: abinitio-local
+        persistentVolumeClaim:
+          claimName: expressit-bridge-claim
+      - emptyDir: {}
+        name: tmp-volume
+      - name: aiadmin
+        secret:
+          secretName: aiadmin
+      - name: ocagent
+        secret:
+          secretName: ocagent
+      - name: bridge
+        secret:
+          secretName: bridge
+      - name: eme-join-user
+        secret:
+          secretName: eme-join-user
+      - name: qi-join-user
+        secret:
+          secretName: qi-join-user
+      - name: dcs-utility-user
+        secret:
+          secretName: dcs-utility-user
+      - name: mhub-utility-user
+        secret:
+          secretName: mhub-utility-user
+      - name: ag-db-importer
+        secret:
+          secretName: ag-db-importer
+      - name: admin
+        secret:
+          secretName: admin
+      - name: ag-ui-importer
+        secret:
+          secretName: ag-ui-importer
+      - name: cafe-join-user
+        secret:
+          secretName: cafe-join-user
+      - name: cc-join-user
+        secret:
+          secretName: cc-join-user
+      - name: dcs-join-user
+        secret:
+          secretName: dcs-join-user
+      - name: ei-join-user
+        secret:
+          secretName: ei-join-user
+      - name: mhub-join-user
+        secret:
+          secretName: mhub-join-user
+      - name: qiadmin-join-user
+        secret:
+          secretName: qiadmin-join-user
+      - name: sd-join-user
+        secret:
+          secretName: sd-join-user
+      - name: trw-join-user
+        secret:
+          secretName: trw-join-user
+      - name: mhub-db-importer
+        secret:
+          secretName: mhub-db-importer
+      - name: mhub-ui-importer
+        secret:
+          secretName: mhub-ui-importer
+      - name: ag-appserver
+        secret:
+          secretName: ag-appserver
+      - name: ag-report
+        secret:
+          secretName: ag-report
+      - name: cc-jdbc
+        secret:
+          secretName: cc-jdbc
+      - name: dcs-hmac-key
+        secret:
+          secretName: dcs-hmac-key
+      - name: abinitio
+        secret:
+          secretName: abinitio
+      - name: mhub-appserver
+        secret:
+          secretName: mhub-appserver
+      - name: mhub-report
+        secret:
+          secretName: mhub-report
+      - name: runtime-locator-join-user
+        secret:
+          secretName: runtime-locator-join-user
+      - name: password-key-file
+        secret:
+          secretName: password-key-file
+      - name: ab-share-data-and-appconf-root
+        persistentVolumeClaim:
+          claimName: ab-shared-data-and-appconf-root-claim
--- a/rendered/manifests/k3s-dev/abinitio-platform/expressit/apps_v1_deployment_expressit.yaml
+++ b/rendered/manifests/k3s-dev/abinitio-platform/expressit/apps_v1_deployment_expressit.yaml
@@ -0,0 +1,312 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    abinitio/deployment: expressit
+    app.kubernetes.io/instance: expressit
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: expressit
+    app.kubernetes.io/part-of: AbInitio
+    app.kubernetes.io/version: 4.4.1
+    helm.sh/chart: expressit-2.4.3-a
+  name: expressit
+  namespace: abinitio
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/instance: expressit
+      app.kubernetes.io/name: expressit
+  template:
+    metadata:
+      labels:
+        abinitio/deployment: expressit
+        app.kubernetes.io/instance: expressit
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: expressit
+        app.kubernetes.io/part-of: AbInitio
+        app.kubernetes.io/version: 4.4.1
+        helm.sh/chart: expressit-2.4.3-a
+      name: expressit
+    spec:
+      containers:
+      - env:
+        - name: AB_CONFIG_PROVIDER_URL
+          value: file://localhost/config
+        - name: AB_IPV4_ONLY
+          value: "true"
+        - name: AB_PASSWORD_KEY_FILE
+          value: /secrets/password_key_file/password
+        - name: CATALINA_TMPDIR
+          value: /tmp
+        - name: DEPLOY_NAME
+          value: expressit
+        - name: JAVA_OPTS
+          value: -XX:InitialRAMPercentage=50.0 -XX:MaxRAMPercentage=75.0
+        - name: LOAD_PHYSOBJECTS
+          value: "true"
+        - name: NAMESPACE
+          value: abinitio
+        - name: POD_IP
+          valueFrom:
+            fieldRef:
+              fieldPath: status.podIP
+        - name: POD_LABEL
+          value: 'abinitio/product: expressit, abinitio/deployment: expressit'
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        - name: POD_SERVICE
+          value: expressit
+        image: asia-southeast1-docker.pkg.dev/str-22391/cloudplatform-proxy/aidp/expressit:4.4.1.1-1
+        imagePullPolicy: IfNotPresent
+        lifecycle:
+          preStop:
+            exec:
+              command:
+              - /bin/sh
+              - -c
+              - ${CATALINA_HOME}/bin/catalina.sh stop
+        livenessProbe:
+          failureThreshold: 3
+          httpGet:
+            path: /expressit/api/abwebinternal/health/k8s/liveness
+            port: 8080
+          initialDelaySeconds: 5
+          periodSeconds: 30
+        name: expressit-app
+        readinessProbe:
+          failureThreshold: 3
+          httpGet:
+            path: /expressit/api/abwebinternal/health/k8s/readiness
+            port: 8080
+          initialDelaySeconds: 10
+          periodSeconds: 30
+        resources:
+          limits:
+            ephemeral-storage: 2Gi
+            memory: 4Gi
+          requests:
+            cpu: 100m
+            ephemeral-storage: 2Gi
+            memory: 4Gi
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
+          runAsGroup: 1000
+          runAsNonRoot: true
+          runAsUser: 1000
+          seccompProfile:
+            type: RuntimeDefault
+        startupProbe:
+          failureThreshold: 3
+          httpGet:
+            path: /expressit/api/abwebinternal/health/k8s/startup
+            port: 8080
+          initialDelaySeconds: 30
+          periodSeconds: 30
+        volumeMounts:
+        - mountPath: /config/expressit
+          name: app-external-config
+        - mountPath: /abinitio
+          name: abinitio-local
+        - mountPath: /tmp
+          name: tmp-volume
+        - mountPath: /secrets/aiadmin/password
+          name: aiadmin
+          subPath: password
+        - mountPath: /secrets/ocagent/password
+          name: ocagent
+          subPath: password
+        - mountPath: /secrets/bridge/password
+          name: bridge
+          subPath: password
+        - mountPath: /secrets/eme_join_user/password
+          name: eme-join-user
+          subPath: password
+        - mountPath: /secrets/qi_join_user/password
+          name: qi-join-user
+          subPath: password
+        - mountPath: /secrets/dcs_utility_user/password
+          name: dcs-utility-user
+          subPath: password
+        - mountPath: /secrets/mhub_utility_user/password
+          name: mhub-utility-user
+          subPath: password
+        - mountPath: /secrets/ag_db_importer/password
+          name: ag-db-importer
+          subPath: password
+        - mountPath: /secrets/admin/password
+          name: admin
+          subPath: password
+        - mountPath: /secrets/ag_ui_importer/password
+          name: ag-ui-importer
+          subPath: password
+        - mountPath: /secrets/cafe_join_user/password
+          name: cafe-join-user
+          subPath: password
+        - mountPath: /secrets/cc_join_user/password
+          name: cc-join-user
+          subPath: password
+        - mountPath: /secrets/dcs_join_user/password
+          name: dcs-join-user
+          subPath: password
+        - mountPath: /secrets/ei_join_user/password
+          name: ei-join-user
+          subPath: password
+        - mountPath: /secrets/mhub_join_user/password
+          name: mhub-join-user
+          subPath: password
+        - mountPath: /secrets/qiadmin_join_user/password
+          name: qiadmin-join-user
+          subPath: password
+        - mountPath: /secrets/sd_join_user/password
+          name: sd-join-user
+          subPath: password
+        - mountPath: /secrets/trw_join_user/password
+          name: trw-join-user
+          subPath: password
+        - mountPath: /secrets/mhub_db_importer/password
+          name: mhub-db-importer
+          subPath: password
+        - mountPath: /secrets/mhub_ui_importer/password
+          name: mhub-ui-importer
+          subPath: password
+        - mountPath: /secrets/ag_appserver/password
+          name: ag-appserver
+          subPath: password
+        - mountPath: /secrets/ag_report/password
+          name: ag-report
+          subPath: password
+        - mountPath: /secrets/cc_jdbc/password
+          name: cc-jdbc
+          subPath: password
+        - mountPath: /secrets/dcs_hmac_key/password
+          name: dcs-hmac-key
+          subPath: password
+        - mountPath: /secrets/abinitio/password
+          name: abinitio
+          subPath: password
+        - mountPath: /secrets/mhub_appserver/password
+          name: mhub-appserver
+          subPath: password
+        - mountPath: /secrets/mhub_report/password
+          name: mhub-report
+          subPath: password
+        - mountPath: /secrets/runtime_locator_join_user/password
+          name: runtime-locator-join-user
+          subPath: password
+        - mountPath: /secrets/password_key_file/password
+          name: password-key-file
+          subPath: password
+      hostname: expressit
+      initContainers: null
+      securityContext:
+        fsGroup: 1000
+        fsGroupChangePolicy: OnRootMismatch
+        runAsGroup: 1000
+        runAsNonRoot: true
+        runAsUser: 1000
+        seccompProfile:
+          type: RuntimeDefault
+      serviceAccountName: abinitio-sa
+      terminationGracePeriodSeconds: 30
+      volumes:
+      - emptyDir: {}
+        name: abinitio-local
+      - configMap:
+          defaultMode: 511
+          name: expressit-external-config
+        name: app-external-config
+      - emptyDir: {}
+        name: tmp-volume
+      - name: aiadmin
+        secret:
+          secretName: aiadmin
+      - name: ocagent
+        secret:
+          secretName: ocagent
+      - name: bridge
+        secret:
+          secretName: bridge
+      - name: eme-join-user
+        secret:
+          secretName: eme-join-user
+      - name: qi-join-user
+        secret:
+          secretName: qi-join-user
+      - name: dcs-utility-user
+        secret:
+          secretName: dcs-utility-user
+      - name: mhub-utility-user
+        secret:
+          secretName: mhub-utility-user
+      - name: ag-db-importer
+        secret:
+          secretName: ag-db-importer
+      - name: admin
+        secret:
+          secretName: admin
+      - name: ag-ui-importer
+        secret:
+          secretName: ag-ui-importer
+      - name: cafe-join-user
+        secret:
+          secretName: cafe-join-user
+      - name: cc-join-user
+        secret:
+          secretName: cc-join-user
+      - name: dcs-join-user
+        secret:
+          secretName: dcs-join-user
+      - name: ei-join-user
+        secret:
+          secretName: ei-join-user
+      - name: mhub-join-user
+        secret:
+          secretName: mhub-join-user
+      - name: qiadmin-join-user
+        secret:
+          secretName: qiadmin-join-user
+      - name: sd-join-user
+        secret:
+          secretName: sd-join-user
+      - name: trw-join-user
+        secret:
+          secretName: trw-join-user
+      - name: mhub-db-importer
+        secret:
+          secretName: mhub-db-importer
+      - name: mhub-ui-importer
+        secret:
+          secretName: mhub-ui-importer
+      - name: ag-appserver
+        secret:
+          secretName: ag-appserver
+      - name: ag-report
+        secret:
+          secretName: ag-report
+      - name: cc-jdbc
+        secret:
+          secretName: cc-jdbc
+      - name: dcs-hmac-key
+        secret:
+          secretName: dcs-hmac-key
+      - name: abinitio
+        secret:
+          secretName: abinitio
+      - name: mhub-appserver
+        secret:
+          secretName: mhub-appserver
+      - name: mhub-report
+        secret:
+          secretName: mhub-report
+      - name: runtime-locator-join-user
+        secret:
+          secretName: runtime-locator-join-user
+      - name: password-key-file
+        secret:
+          secretName: password-key-file
--- a/rendered/manifests/k3s-dev/abinitio-platform/expressit/v1_configmap_expressit-bridge.yaml
+++ b/rendered/manifests/k3s-dev/abinitio-platform/expressit/v1_configmap_expressit-bridge.yaml
@@ -0,0 +1,48 @@
+apiVersion: v1
+data:
+  abinitiorc: |
+    AB_AIR_BRANCH @ expressit : main
+    AB_AIR_ROOT : //eme-0.eme-headless/abinitio/eme/eme
+    AB_AIR_ROOT @ expressit : //eme-0.eme-headless/abinitio/eme/eme
+    AB_APPCONF_ROOT_DIR @ expressit : /ab_share/ab_appconf_root
+    AB_BRE_ALLOW_STRINGY_AUTOMAP : true
+    AB_BRE_ENABLE_MARKDOWN_COMMENTS : true
+    AB_BRIDGE_WORKDIR @ container-bridge : /tmp/container-bridge-workdir
+    AB_CHARSET : utf-8
+    AB_CHARSET @ rwi : utf-8
+    AB_CONNECTION @ emeabeme : bridge
+    AB_CONNECTION @ rwi : bridge
+    AB_CONNECTION_BRIDGE_ENCRYPTED_RPC_ENCRYPTION_KEY @ emeabeme : file=/secrets/bridge/password
+    AB_CONNECTION_BRIDGE_PORT @ emeabeme : 7070
+    AB_CONNECTION_BRIDGE_RPC_ENCRYPTION_TYPE @ emeabeme : aes128-gcm
+    AB_CONNECTION_BRIDGE_SECURITY_CONFIGURATION @ emeabeme : container-bridge-security
+    AB_ENV_ROOT : /abinitio/sandboxes/sand/stdenv
+    AB_HOME @ emeabeme : /usr/local/abinitio
+    AB_HOSTNAME_KEYSERVER_URLS : abks://key-server:6151
+    AB_NODES @ emeabeme : eme-0.eme-headless
+    AB_OPS_CONSOLE_URL : http://controlcenter:8080/controlcenter
+    AB_OPS_MONITOR : true
+    AB_OPS_MONITOR_RESOURCES : false
+    AB_OPS_PHYSICAL_HOSTNAME : expressit-bridge
+    AB_PROC_DIR : /tmp
+    AB_WORK_DIR : /abinitio/work
+  apphubrc: |
+    AB_AIR_BRANCH @ eme : main
+    AB_AIR_ROOT @ eme : //eme-0.eme-headless/abinitio/eme/eme
+    AB_BRIDGE_VOLATILE_DIR : /tmp/ab-bridge-volatile-dir
+    AB_DESCRIPTION @ eme : Ab Initio Data Platform technical repository
+    AB_DISPLAY_NAME @ eme : Default technical repository deployed in eme StatefulSet
+    AB_EME_REPOSITORIES : eme
+    AB_KEYSERVER_GROUP : AI-IC-AWS001a
+    AB_KEYSERVER_URLS : abks://key-server:6150
+kind: ConfigMap
+metadata:
+  labels:
+    app.kubernetes.io/instance: expressit-bridge
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: expressit-bridge
+    app.kubernetes.io/part-of: AbInitio
+    app.kubernetes.io/version: 4.4.1
+    helm.sh/chart: expressit-bridge-2.4.3-a
+  name: expressit-bridge
+  namespace: abinitio
--- a/rendered/manifests/k3s-dev/abinitio-platform/expressit/v1_configmap_expressit-external-config.yaml
+++ b/rendered/manifests/k3s-dev/abinitio-platform/expressit/v1_configmap_expressit-external-config.yaml
@@ -0,0 +1,57 @@
+apiVersion: v1
+data:
+  expressit.yaml: |
+    externalConfig:
+      expressIt:
+        allowDrillDown: true
+        appIdentifier: expressit
+        appserverType: tomcat
+        authentication:
+          type: ag
+        authorization:
+          type: ag
+        authorizationGateway:
+          password: file=/secrets/ei_join_user/password
+          productIdentifier: Express>It
+          productName: Express>It
+          url: http://authgateway:8080/authgateway
+          username: ei_join_user
+        bridgeConnection:
+          encryptionType: aes128-gcm
+          rpcSecret: file=/secrets/bridge/password
+          securityConfig: container-bridge-security
+          url: http://expressit-bridge:7070
+        cluster:
+          autoConfig:
+            hosts: expressit-jgroup
+            port: 7800
+            protocol: tcp
+          channelName: ch01
+          enabled: true
+        emeTR:
+          useAgCredentials: true
+        interop:
+          dataCatalogServices:
+            url: http://datacatalog:8080/datacatalog
+          metadataHub:
+            url: http://metadatahub:8080/metadatahub
+        logging:
+          directoryPath: /abinitio/webapp/logs
+          maxBackups: 3
+        packageForSupport:
+          encrypted: EncryptForNonAdmins
+        urlFromBrowser: https://aidp.k3s.sg.ic.cloudguild.gcp.abinitio.com/expressit
+        websockets:
+          forceDisable: false
+kind: ConfigMap
+metadata:
+  labels:
+    abinitio/deployment: expressit
+    app.kubernetes.io/instance: expressit
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: expressit
+    app.kubernetes.io/part-of: AbInitio
+    app.kubernetes.io/version: 4.4.1
+    helm.sh/chart: expressit-2.4.3-a
+  name: expressit-external-config
+  namespace: abinitio
--- a/rendered/manifests/k3s-dev/abinitio-platform/expressit/v1_persistentvolumeclaim_expressit-bridge-claim.yaml
+++ b/rendered/manifests/k3s-dev/abinitio-platform/expressit/v1_persistentvolumeclaim_expressit-bridge-claim.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  labels:
+    app.kubernetes.io/instance: expressit-bridge
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: expressit-bridge
+    app.kubernetes.io/part-of: AbInitio
+    app.kubernetes.io/version: 4.4.1
+    helm.sh/chart: expressit-bridge-2.4.3-a
+  name: expressit-bridge-claim
+  namespace: abinitio
+spec:
+  accessModes:
+  - ReadWriteOnce
+  resources:
+    requests:
+      storage: 10Gi
--- a/rendered/manifests/k3s-dev/abinitio-platform/expressit/v1_service_expressit-bridge.yaml
+++ b/rendered/manifests/k3s-dev/abinitio-platform/expressit/v1_service_expressit-bridge.yaml
@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app.kubernetes.io/instance: expressit-bridge
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: expressit-bridge
+    app.kubernetes.io/part-of: AbInitio
+    app.kubernetes.io/version: 4.4.1
+    helm.sh/chart: expressit-bridge-2.4.3-a
+  name: expressit-bridge
+  namespace: abinitio
+spec:
+  ports:
+  - name: bridge
+    port: 7070
+    protocol: TCP
+    targetPort: 7070
+  publishNotReadyAddresses: false
+  selector:
+    app.kubernetes.io/instance: expressit-bridge
+    app.kubernetes.io/name: expressit-bridge
+  type: ClusterIP
--- a/rendered/manifests/k3s-dev/abinitio-platform/expressit/v1_service_expressit-jgroup.yaml
+++ b/rendered/manifests/k3s-dev/abinitio-platform/expressit/v1_service_expressit-jgroup.yaml
@@ -0,0 +1,25 @@
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    abinitio/deployment: expressit
+    app.kubernetes.io/instance: expressit
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: expressit
+    app.kubernetes.io/part-of: AbInitio
+    app.kubernetes.io/version: 4.4.1
+    helm.sh/chart: expressit-2.4.3-a
+  name: expressit-jgroup
+  namespace: abinitio
+spec:
+  clusterIP: None
+  ports:
+  - name: jgroup-channel
+    port: 7800
+    protocol: TCP
+    targetPort: 7800
+  publishNotReadyAddresses: true
+  selector:
+    app.kubernetes.io/instance: expressit
+    app.kubernetes.io/name: expressit
+  type: ClusterIP
--- a/rendered/manifests/k3s-dev/abinitio-platform/expressit/v1_service_expressit.yaml
+++ b/rendered/manifests/k3s-dev/abinitio-platform/expressit/v1_service_expressit.yaml
@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    abinitio/deployment: expressit
+    app.kubernetes.io/instance: expressit
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: expressit
+    app.kubernetes.io/part-of: AbInitio
+    app.kubernetes.io/version: 4.4.1
+    helm.sh/chart: expressit-2.4.3-a
+  name: expressit
+  namespace: abinitio
+spec:
+  ports:
+  - name: http
+    port: 8080
+    protocol: TCP
+    targetPort: 8080
+  selector:
+    app.kubernetes.io/instance: expressit
+    app.kubernetes.io/name: expressit
+  sessionAffinity: ClientIP
+  sessionAffinityConfig:
+    clientIP:
+      timeoutSeconds: 86400
+  type: ClusterIP
--- a/rendered/manifests/k3s-dev/abinitio-platform/metadata-promotion/apps_v1_deployment_metadata-promotion.yaml
+++ b/rendered/manifests/k3s-dev/abinitio-platform/metadata-promotion/apps_v1_deployment_metadata-promotion.yaml
@@ -0,0 +1,354 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app.kubernetes.io/instance: metadata-promotion
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: metadata-promotion
+    app.kubernetes.io/part-of: AbInitio
+    app.kubernetes.io/version: 4.4.1
+    helm.sh/chart: metadata-promotion-2.4.3-a
+  name: metadata-promotion
+  namespace: abinitio
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/instance: metadata-promotion
+      app.kubernetes.io/name: metadata-promotion
+  strategy:
+    type: Recreate
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/instance: metadata-promotion
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: metadata-promotion
+        app.kubernetes.io/part-of: AbInitio
+        app.kubernetes.io/version: 4.4.1
+        helm.sh/chart: metadata-promotion-2.4.3-a
+      name: metadata-promotion
+    spec:
+      containers:
+      - args:
+        - --ab-k8s-job-launch-script
+        - /ab-setup/setup_pod.sh
+        command:
+        - ab-container-entrypoint.ksh
+        env:
+        - name: AB_AIR_ENCRYPTED_PASSWORD
+          value: file=/secrets/aiadmin/password
+        - name: AB_AIR_ROOT
+          value: //eme-0.eme-headless/abinitio/eme/eme
+        - name: AB_AIR_USER
+          value: aiadmin
+        - name: AB_ALLOW_FILE_LOCK_ON_REMOTE_FILE_SYSTEM
+          value: "true"
+        - name: AB_AUTHORIZATION_GATEWAY_URL
+          value: http://authgateway:8080/authgateway
+        - name: AB_BRIDGE_CONFIGURATION_DIR
+          value: /abinitio/bridge
+        - name: AB_BRIDGE_CONFIGURATION_NAME
+          value: container-bridge
+        - name: AB_CHARSET
+          value: utf-8
+        - name: AB_CONFIGURATION
+          value: /config/pod/abinitiorc:/config/pod/apphubrc
+        - name: AB_CONNECTION_BRIDGE_ENCRYPTED_RPC_ENCRYPTION_KEY
+          value: file=/secrets/bridge/password
+        - name: AB_CONNECTION_BRIDGE_PORT
+          value: "7070"
+        - name: AB_CONNECTION_BRIDGE_RPC_ENCRYPTION_TYPE
+          value: aes128-gcm
+        - name: AB_CONNECTION_BRIDGE_SECURITY_CONFIGURATION
+          value: container-bridge-security
+        - name: AB_HOSTNAME_KEYSERVER_URLS
+          value: abks://key-server:6151
+        - name: AB_IPV4_ONLY
+          value: "true"
+        - name: AB_K8S_MAX_IDLE_SECONDS
+          value: "0"
+        - name: AB_K8S_START_BRIDGE
+          value: background
+        - name: AB_K8S_START_REPORTER
+          value: "true"
+        - name: AB_KEY_DAEMON_DIR
+          value: /tmp/abkc/data
+        - name: AB_MUX_ENABLE_AG_CREDENTIAL_MAPPING
+          value: "false"
+        - name: AB_OPS_CONSOLE_URL
+          value: http://controlcenter:8080/controlcenter
+        - name: AB_OPS_WSS_ENCRYPTED_PASSWORD
+          value: file=/secrets/ocagent/password
+        - name: AB_OPS_WSS_USERNAME
+          value: ocagent
+        - name: AB_PASSWORD_KEY_FILE
+          value: /secrets/password_key_file/password
+        - name: BRIDGE_AB_ENCRYPTED_KEY
+          value: file=/secrets/bridge/password
+        - name: CC_ADMIN_ENCRYPTED_PASSWORD
+          value: file=/secrets/aiadmin/password
+        - name: CC_ADMIN_USERNAME
+          value: aiadmin
+        - name: CMAP_MOUNT
+          value: /config/pod
+        - name: DEPLOY_NAME
+          value: metadata-promotion
+        - name: LOAD_PHYSOBJECTS
+          value: "true"
+        - name: NAMESPACE
+          value: abinitio
+        - name: POD_IP
+          valueFrom:
+            fieldRef:
+              fieldPath: status.podIP
+        - name: POD_LABEL
+          value: 'abinitio/product: metadata-promotion, abinitio/deployment: metadata-promotion'
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        - name: POD_SERVICE
+          value: metadata-promotion
+        - name: POD_SERVICE_HEADLESS
+          value: metadata-promotion-headless
+        image: asia-southeast1-docker.pkg.dev/str-22391/cloudplatform-proxy/aidp/metadata-promotion:4.4.1.1-1
+        imagePullPolicy: IfNotPresent
+        name: metadata-promotion
+        readinessProbe:
+          exec:
+            command:
+            - stat
+            - /tmp/.pod.ready
+          failureThreshold: 240
+          periodSeconds: 10
+        resources:
+          limits:
+            ephemeral-storage: 2Gi
+            memory: 4Gi
+          requests:
+            cpu: 100m
+            ephemeral-storage: 2Gi
+            memory: 1Gi
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
+          runAsGroup: 1000
+          runAsNonRoot: true
+          runAsUser: 1000
+          seccompProfile:
+            type: RuntimeDefault
+        volumeMounts:
+        - mountPath: /config/pod
+          name: pod-config
+        - mountPath: /abinitio
+          name: abinitio-local
+        - mountPath: /secrets/aiadmin/password
+          name: aiadmin
+          subPath: password
+        - mountPath: /secrets/ocagent/password
+          name: ocagent
+          subPath: password
+        - mountPath: /secrets/bridge/password
+          name: bridge
+          subPath: password
+        - mountPath: /secrets/eme_join_user/password
+          name: eme-join-user
+          subPath: password
+        - mountPath: /secrets/qi_join_user/password
+          name: qi-join-user
+          subPath: password
+        - mountPath: /secrets/dcs_utility_user/password
+          name: dcs-utility-user
+          subPath: password
+        - mountPath: /secrets/mhub_utility_user/password
+          name: mhub-utility-user
+          subPath: password
+        - mountPath: /secrets/ag_db_importer/password
+          name: ag-db-importer
+          subPath: password
+        - mountPath: /secrets/admin/password
+          name: admin
+          subPath: password
+        - mountPath: /secrets/ag_ui_importer/password
+          name: ag-ui-importer
+          subPath: password
+        - mountPath: /secrets/cafe_join_user/password
+          name: cafe-join-user
+          subPath: password
+        - mountPath: /secrets/cc_join_user/password
+          name: cc-join-user
+          subPath: password
+        - mountPath: /secrets/dcs_join_user/password
+          name: dcs-join-user
+          subPath: password
+        - mountPath: /secrets/ei_join_user/password
+          name: ei-join-user
+          subPath: password
+        - mountPath: /secrets/mhub_join_user/password
+          name: mhub-join-user
+          subPath: password
+        - mountPath: /secrets/qiadmin_join_user/password
+          name: qiadmin-join-user
+          subPath: password
+        - mountPath: /secrets/sd_join_user/password
+          name: sd-join-user
+          subPath: password
+        - mountPath: /secrets/trw_join_user/password
+          name: trw-join-user
+          subPath: password
+        - mountPath: /secrets/mhub_db_importer/password
+          name: mhub-db-importer
+          subPath: password
+        - mountPath: /secrets/mhub_ui_importer/password
+          name: mhub-ui-importer
+          subPath: password
+        - mountPath: /secrets/ag_appserver/password
+          name: ag-appserver
+          subPath: password
+        - mountPath: /secrets/ag_report/password
+          name: ag-report
+          subPath: password
+        - mountPath: /secrets/cc_jdbc/password
+          name: cc-jdbc
+          subPath: password
+        - mountPath: /secrets/dcs_hmac_key/password
+          name: dcs-hmac-key
+          subPath: password
+        - mountPath: /secrets/abinitio/password
+          name: abinitio
+          subPath: password
+        - mountPath: /secrets/mhub_appserver/password
+          name: mhub-appserver
+          subPath: password
+        - mountPath: /secrets/mhub_report/password
+          name: mhub-report
+          subPath: password
+        - mountPath: /secrets/runtime_locator_join_user/password
+          name: runtime-locator-join-user
+          subPath: password
+        - mountPath: /secrets/password_key_file/password
+          name: password-key-file
+          subPath: password
+        - mountPath: /ab_share
+          name: ab-share-data-and-appconf-root
+        - mountPath: /tmp
+          name: tmp-volume
+      hostAliases:
+      - hostnames:
+        - metadata-promotion.abinitio
+        ip: 127.0.0.1
+      hostname: metadata-promotion
+      initContainers: null
+      securityContext:
+        fsGroup: 1000
+        fsGroupChangePolicy: OnRootMismatch
+        runAsGroup: 1000
+        runAsNonRoot: true
+        runAsUser: 1000
+        seccompProfile:
+          type: RuntimeDefault
+      serviceAccountName: abinitio-sa
+      terminationGracePeriodSeconds: 30
+      volumes:
+      - configMap:
+          defaultMode: 511
+          name: metadata-promotion
+        name: pod-config
+      - name: abinitio-local
+        persistentVolumeClaim:
+          claimName: metadata-promotion-claim
+      - emptyDir: {}
+        name: tmp-volume
+      - name: aiadmin
+        secret:
+          secretName: aiadmin
+      - name: ocagent
+        secret:
+          secretName: ocagent
+      - name: bridge
+        secret:
+          secretName: bridge
+      - name: eme-join-user
+        secret:
+          secretName: eme-join-user
+      - name: qi-join-user
+        secret:
+          secretName: qi-join-user
+      - name: dcs-utility-user
+        secret:
+          secretName: dcs-utility-user
+      - name: mhub-utility-user
+        secret:
+          secretName: mhub-utility-user
+      - name: ag-db-importer
+        secret:
+          secretName: ag-db-importer
+      - name: admin
+        secret:
+          secretName: admin
+      - name: ag-ui-importer
+        secret:
+          secretName: ag-ui-importer
+      - name: cafe-join-user
+        secret:
+          secretName: cafe-join-user
+      - name: cc-join-user
+        secret:
+          secretName: cc-join-user
+      - name: dcs-join-user
+        secret:
+          secretName: dcs-join-user
+      - name: ei-join-user
+        secret:
+          secretName: ei-join-user
+      - name: mhub-join-user
+        secret:
+          secretName: mhub-join-user
+      - name: qiadmin-join-user
+        secret:
+          secretName: qiadmin-join-user
+      - name: sd-join-user
+        secret:
+          secretName: sd-join-user
+      - name: trw-join-user
+        secret:
+          secretName: trw-join-user
+      - name: mhub-db-importer
+        secret:
+          secretName: mhub-db-importer
+      - name: mhub-ui-importer
+        secret:
+          secretName: mhub-ui-importer
+      - name: ag-appserver
+        secret:
+          secretName: ag-appserver
+      - name: ag-report
+        secret:
+          secretName: ag-report
+      - name: cc-jdbc
+        secret:
+          secretName: cc-jdbc
+      - name: dcs-hmac-key
+        secret:
+          secretName: dcs-hmac-key
+      - name: abinitio
+        secret:
+          secretName: abinitio
+      - name: mhub-appserver
+        secret:
+          secretName: mhub-appserver
+      - name: mhub-report
+        secret:
+          secretName: mhub-report
+      - name: runtime-locator-join-user
+        secret:
+          secretName: runtime-locator-join-user
+      - name: password-key-file
+        secret:
+          secretName: password-key-file
+      - name: ab-share-data-and-appconf-root
+        persistentVolumeClaim:
+          claimName: ab-shared-data-and-appconf-root-claim
--- a/rendered/manifests/k3s-dev/abinitio-platform/metadata-promotion/v1_configmap_metadata-promotion.yaml
+++ b/rendered/manifests/k3s-dev/abinitio-platform/metadata-promotion/v1_configmap_metadata-promotion.yaml
@@ -0,0 +1,81 @@
+apiVersion: v1
+data:
+  abinitiorc: |
+    AB_AIR_BRANCH @ expressit : main
+    AB_AIR_ROOT : //eme-0.eme-headless/abinitio/eme/eme
+    AB_AIR_ROOT @ expressit : //eme-0.eme-headless/abinitio/eme/eme
+    AB_APPCONF_ROOT_DIR @ expressit : /ab_share/ab_appconf_root
+    AB_BRIDGE_WORKDIR @ container-bridge : /tmp/container-bridge-workdir
+    AB_CHARSET : utf-8
+    AB_CONNECTION : bridge
+    AB_CONNECTION_BRIDGE_ENCRYPTED_RPC_ENCRYPTION_KEY @ emeabeme : file=/secrets/bridge/password
+    AB_HOSTNAME_KEYSERVER_URLS : abks://key-server:6151
+    AB_MHUB_LOCAL_ROOT : /abinitio/deploy
+    AB_OPS_CONSOLE_URL : http://controlcenter:8080/controlcenter
+    AB_OPS_MONITOR : true
+    AB_OPS_MONITOR_RESOURCES : false
+    AB_OPS_PHYSICAL_HOSTNAME : metadata-promotion
+    AB_PROC_DIR : /tmp
+    AB_WORK_DIR : /abinitio/work
+  apphubrc: |
+    AB_BRIDGE_VOLATILE_DIR : /tmp/ab-bridge-volatile-dir
+    AB_KEYSERVER_GROUP : AI-IC-AWS001a
+    AB_KEYSERVER_URLS : abks://key-server:6150
+  install-properties.config: |
+    AB_AIR_BRANCH=main
+    AB_AIR_ROOT=//eme-0.eme-headless/abinitio/eme/eme
+    AB_APPCONF_ROOT_DIR=/ab_share/ab_appconf_root
+    AB_APPLICATION_HUB=/usr/local/abinitio-app-hub
+    AB_MHUB_CONFIG_DIR=/abinitio/deploy/metadatahub-importer/config
+    DEFAULT_MHUB_URL=http://metadatahub:8080/metadatahub
+    DEFAULT_PROMOTION_USER=aiadmin
+    DEFAULT_TR_BRANCH=main
+    DEFAULT_TR_INTEGRATION=y
+    DEFAULT_TR_PATH=//eme-0.eme-headless/abinitio/eme/eme
+    DEFAULT_TR_USER=aiadmin
+    DO_EXPRESSIT_INSTALL=y
+    DO_MHUB_INSTALL=n
+    DO_SERVICE_INSTALL=y
+    DO_TR_INSTALL=y
+    EIT_APP_IDENTIFIER=expressit
+    EIT_USERNAME=aiadmin
+    EZ_UTILITY_PROJECT_RPATH=/Projects/abinitio/ez_utility
+    INSTALL_CONFIG_USING_ABAPP_MHUB=y
+    LOAD_INTO_DROPDOWN=y
+    LOAD_INTO_NAVBAR=y
+    MHUB_ABAPP_NAME=metadatahub
+    MHUB_DATASTORE_NAME=metadatahub-importer
+    MHUB_IMPORTER_USERNAME=aiadmin
+    MHUB_IMPORT_PROFILE_PATH=/abinitio/deploy/metadatahub-importer/config/import.profile
+    MHUB_SPLIT_FROM_SERVICE=y
+    MHUB_URL=http://metadatahub:8080/metadatahub
+    NAVBAR_MENU_NAME=Other
+    PROJECTS_XML=/ab_share/ab_appconf_root/main/config/promotion.projects.xml
+    PROMOTION_CONFIG_MHUB_USER=aiadmin
+    PROMOTION_PROJECT_RPATH=/Projects/abinitio/promotion
+    PROMOTION_SERVICE_AUDIT_LISTENER_PORT=9977
+    PROMOTION_SERVICE_DIRECTORY=/abinitio/sandboxes/sand
+    PROMOTION_SERVICE_PORT=9877
+    PROMOTION_SERVICE_URL=http://metadata-promotion:9877
+    RPATH_TO_STDENV=/Projects/stdenv
+    SANDBOX_PATH_TO_STDENV_FOR_EIT=/ab_share/ab_appconf_root/main/global/stdenv
+    SANDBOX_PATH_TO_STDENV_FOR_SERVICE=/abinitio/sandboxes/sand/stdenv
+    SECURE_MHUB_CONNECTIONS=y
+    TECHNICAL_REPOSITORY_DIRECTORY=/Projects/abinitio
+    UPGRADE_PROMOTION_CONFIGURATION=n
+    WAIT_BETWEEN_LOAD_ATTEMPTS=30
+    WAIT_FOR_LOAD_ATTEMPTS=300
+    PROMOTION_CONFIG_MHUB_ENCRYPTED_PASSWORD=file=/secrets/aiadmin/password
+    MHUB_IMPORTER_ENCRYPTED_PASSWORD=file=/secrets/aiadmin/password
+    DEFAULT_PROMOTION_ENCRYPTED_PASSWORD=file=/secrets/aiadmin/password
+kind: ConfigMap
+metadata:
+  labels:
+    app.kubernetes.io/instance: metadata-promotion
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: metadata-promotion
+    app.kubernetes.io/part-of: AbInitio
+    app.kubernetes.io/version: 4.4.1
+    helm.sh/chart: metadata-promotion-2.4.3-a
+  name: metadata-promotion
+  namespace: abinitio
--- a/rendered/manifests/k3s-dev/abinitio-platform/metadata-promotion/v1_persistentvolumeclaim_metadata-promotion-claim.yaml
+++ b/rendered/manifests/k3s-dev/abinitio-platform/metadata-promotion/v1_persistentvolumeclaim_metadata-promotion-claim.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  labels:
+    app.kubernetes.io/instance: metadata-promotion
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: metadata-promotion
+    app.kubernetes.io/part-of: AbInitio
+    app.kubernetes.io/version: 4.4.1
+    helm.sh/chart: metadata-promotion-2.4.3-a
+  name: metadata-promotion-claim
+  namespace: abinitio
+spec:
+  accessModes:
+  - ReadWriteOnce
+  resources:
+    requests:
+      storage: 10Gi
--- a/rendered/manifests/k3s-dev/abinitio-platform/metadata-promotion/v1_service_metadata-promotion.yaml
+++ b/rendered/manifests/k3s-dev/abinitio-platform/metadata-promotion/v1_service_metadata-promotion.yaml
@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app.kubernetes.io/instance: metadata-promotion
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: metadata-promotion
+    app.kubernetes.io/part-of: AbInitio
+    app.kubernetes.io/version: 4.4.1
+    helm.sh/chart: metadata-promotion-2.4.3-a
+  name: metadata-promotion
+  namespace: abinitio
+spec:
+  ports:
+  - name: metadata-promotion
+    port: 9877
+    protocol: TCP
+    targetPort: 9877
+  - name: bridge
+    port: 7070
+    protocol: TCP
+    targetPort: 7070
+  publishNotReadyAddresses: false
+  selector:
+    app.kubernetes.io/instance: metadata-promotion
+    app.kubernetes.io/name: metadata-promotion
+  type: ClusterIP
--- a/rendered/manifests/k3s-dev/abinitio-platform/metadatahub/apps_v1_deployment_metadata-loader.yaml
+++ b/rendered/manifests/k3s-dev/abinitio-platform/metadatahub/apps_v1_deployment_metadata-loader.yaml
@@ -0,0 +1,399 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app.kubernetes.io/instance: metadata-loader
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: metadata-loader
+    app.kubernetes.io/part-of: AbInitio
+    app.kubernetes.io/version: 4.4.1
+    helm.sh/chart: metadata-loader-2.4.3-a
+  name: metadata-loader
+  namespace: abinitio
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/instance: metadata-loader
+      app.kubernetes.io/name: metadata-loader
+  strategy:
+    type: Recreate
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/instance: metadata-loader
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: metadata-loader
+        app.kubernetes.io/part-of: AbInitio
+        app.kubernetes.io/version: 4.4.1
+        helm.sh/chart: metadata-loader-2.4.3-a
+      name: metadata-loader
+    spec:
+      containers:
+      - args:
+        - --ab-k8s-job-launch-script
+        - /ab-setup/setup_pod.sh
+        command:
+        - ab-container-entrypoint.ksh
+        env:
+        - name: AB_AIR_ENCRYPTED_PASSWORD
+          value: file=/secrets/aiadmin/password
+        - name: AB_AIR_ROOT
+          value: //eme-0.eme-headless/abinitio/eme/eme
+        - name: AB_AIR_USER
+          value: aiadmin
+        - name: AB_ALLOW_FILE_LOCK_ON_REMOTE_FILE_SYSTEM
+          value: "true"
+        - name: AB_AUTHORIZATION_GATEWAY_URL
+          value: http://authgateway:8080/authgateway
+        - name: AB_BRIDGE_CONFIGURATION_DIR
+          value: /abinitio/bridge
+        - name: AB_BRIDGE_CONFIGURATION_NAME
+          value: container-bridge
+        - name: AB_CHARSET
+          value: utf-8
+        - name: AB_CONFIGURATION
+          value: /config/pod/abinitiorc:/config/pod/apphubrc
+        - name: AB_CONNECTION_BRIDGE_ENCRYPTED_RPC_ENCRYPTION_KEY
+          value: file=/secrets/bridge/password
+        - name: AB_CONNECTION_BRIDGE_PORT
+          value: "7070"
+        - name: AB_CONNECTION_BRIDGE_RPC_ENCRYPTION_TYPE
+          value: aes128-gcm
+        - name: AB_CONNECTION_BRIDGE_SECURITY_CONFIGURATION
+          value: container-bridge-security
+        - name: AB_HOSTNAME_KEYSERVER_URLS
+          value: abks://key-server:6151
+        - name: AB_IPV4_ONLY
+          value: "true"
+        - name: AB_K8S_MAX_IDLE_SECONDS
+          value: "0"
+        - name: AB_K8S_START_BRIDGE
+          value: background
+        - name: AB_K8S_START_REPORTER
+          value: "true"
+        - name: AB_KEY_DAEMON_DIR
+          value: /tmp/abkc/data
+        - name: AB_MHUB_ENCRYPTED_PASSWORD
+          value: file=/secrets/aiadmin/password
+        - name: AB_MHUB_URL
+          value: http://metadatahub:8080/metadatahub
+        - name: AB_MHUB_USERNAME
+          value: aiadmin
+        - name: AB_MUX_ENABLE_AG_CREDENTIAL_MAPPING
+          value: "false"
+        - name: AB_OPS_CONSOLE_URL
+          value: http://controlcenter:8080/controlcenter
+        - name: AB_OPS_WSS_ENCRYPTED_PASSWORD
+          value: file=/secrets/ocagent/password
+        - name: AB_OPS_WSS_USERNAME
+          value: ocagent
+        - name: AB_PASSWORD_KEY_FILE
+          value: /secrets/password_key_file/password
+        - name: AIC_EXTENSIONS
+          value: <nil>
+        - name: BRIDGE_AB_ENCRYPTED_KEY
+          value: file=/secrets/bridge/password
+        - name: CC_ADMIN_ENCRYPTED_PASSWORD
+          value: file=/secrets/aiadmin/password
+        - name: CC_ADMIN_USERNAME
+          value: aiadmin
+        - name: CMAP_MOUNT
+          value: /config/pod
+        - name: DEPLOY_NAME
+          value: metadata-loader
+        - name: JAVA_OPTS
+          value: -XX:InitialRAMPercentage=50.0 -XX:MaxRAMPercentage=75.0
+        - name: LOAD_PHYSOBJECTS
+          value: "true"
+        - name: NAMESPACE
+          value: abinitio
+        - name: POD_IP
+          valueFrom:
+            fieldRef:
+              fieldPath: status.podIP
+        - name: POD_LABEL
+          value: 'abinitio/product: metadata-loader, abinitio/deployment: metadata-loader'
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        - name: POD_SERVICE
+          value: metadata-loader
+        - name: POD_SERVICE_HEADLESS
+          value: metadata-loader-headless
+        - name: WAIT_FOR_PRODUCTS
+          value: promotion,sd,physobjects,dqa,edm,blueprints
+        image: asia-southeast1-docker.pkg.dev/str-22391/cloudplatform-proxy/aidp/metadata-loader:4.4.1.1-1
+        imagePullPolicy: IfNotPresent
+        livenessProbe:
+          initialDelaySeconds: 30
+          periodSeconds: 20
+          tcpSocket:
+            port: 7070
+        name: metadata-loader
+        readinessProbe:
+          exec:
+            command:
+            - stat
+            - /abinitio/.accepting_files.state
+          failureThreshold: 30
+          periodSeconds: 30
+        resources:
+          limits:
+            ephemeral-storage: 2Gi
+            memory: 8Gi
+          requests:
+            cpu: 500m
+            ephemeral-storage: 2Gi
+            memory: 4Gi
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
+          runAsGroup: 1000
+          runAsNonRoot: true
+          runAsUser: 1000
+          seccompProfile:
+            type: RuntimeDefault
+        volumeMounts:
+        - mountPath: /config/pod
+          name: pod-config
+        - mountPath: /abinitio
+          name: abinitio-local
+        - mountPath: /secrets/aiadmin/password
+          name: aiadmin
+          subPath: password
+        - mountPath: /secrets/ocagent/password
+          name: ocagent
+          subPath: password
+        - mountPath: /secrets/bridge/password
+          name: bridge
+          subPath: password
+        - mountPath: /secrets/eme_join_user/password
+          name: eme-join-user
+          subPath: password
+        - mountPath: /secrets/qi_join_user/password
+          name: qi-join-user
+          subPath: password
+        - mountPath: /secrets/dcs_utility_user/password
+          name: dcs-utility-user
+          subPath: password
+        - mountPath: /secrets/mhub_utility_user/password
+          name: mhub-utility-user
+          subPath: password
+        - mountPath: /secrets/ag_db_importer/password
+          name: ag-db-importer
+          subPath: password
+        - mountPath: /secrets/admin/password
+          name: admin
+          subPath: password
+        - mountPath: /secrets/ag_ui_importer/password
+          name: ag-ui-importer
+          subPath: password
+        - mountPath: /secrets/cafe_join_user/password
+          name: cafe-join-user
+          subPath: password
+        - mountPath: /secrets/cc_join_user/password
+          name: cc-join-user
+          subPath: password
+        - mountPath: /secrets/dcs_join_user/password
+          name: dcs-join-user
+          subPath: password
+        - mountPath: /secrets/ei_join_user/password
+          name: ei-join-user
+          subPath: password
+        - mountPath: /secrets/mhub_join_user/password
+          name: mhub-join-user
+          subPath: password
+        - mountPath: /secrets/qiadmin_join_user/password
+          name: qiadmin-join-user
+          subPath: password
+        - mountPath: /secrets/sd_join_user/password
+          name: sd-join-user
+          subPath: password
+        - mountPath: /secrets/trw_join_user/password
+          name: trw-join-user
+          subPath: password
+        - mountPath: /secrets/mhub_db_importer/password
+          name: mhub-db-importer
+          subPath: password
+        - mountPath: /secrets/mhub_ui_importer/password
+          name: mhub-ui-importer
+          subPath: password
+        - mountPath: /secrets/ag_appserver/password
+          name: ag-appserver
+          subPath: password
+        - mountPath: /secrets/ag_report/password
+          name: ag-report
+          subPath: password
+        - mountPath: /secrets/cc_jdbc/password
+          name: cc-jdbc
+          subPath: password
+        - mountPath: /secrets/dcs_hmac_key/password
+          name: dcs-hmac-key
+          subPath: password
+        - mountPath: /secrets/abinitio/password
+          name: abinitio
+          subPath: password
+        - mountPath: /secrets/mhub_appserver/password
+          name: mhub-appserver
+          subPath: password
+        - mountPath: /secrets/mhub_report/password
+          name: mhub-report
+          subPath: password
+        - mountPath: /secrets/runtime_locator_join_user/password
+          name: runtime-locator-join-user
+          subPath: password
+        - mountPath: /secrets/password_key_file/password
+          name: password-key-file
+          subPath: password
+        - mountPath: /ab_share
+          name: ab-share-data-and-appconf-root
+        - mountPath: /tmp
+          name: tmp-volume
+      hostAliases:
+      - hostnames:
+        - metadata-loader.abinitio
+        ip: 127.0.0.1
+      hostname: metadata-loader
+      initContainers:
+      - args:
+        - |
+          set -e
+          mkdir -p /abinitio/install && \
+          for archive in /*.tar.gz; do \
+            echo "Unpacking $archive..." && \
+            tar -xvzf "$archive" -C /abinitio/install; \
+          done && \
+          chmod -R 755 /abinitio/install
+        command:
+        - sh
+        - -c
+        image: asia-southeast1-docker.pkg.dev/str-22391/cloudplatform-proxy/aidp/metadata-loader-platform-init:4.4.1.1-1
+        imagePullPolicy: IfNotPresent
+        name: metadata-loader-platform-init
+        resources:
+          limits:
+            ephemeral-storage: 2Gi
+            memory: 1Gi
+          requests:
+            cpu: 500m
+            ephemeral-storage: 1Gi
+            memory: 1Gi
+        securityContext:
+          runAsUser: 1000
+        volumeMounts:
+        - mountPath: /abinitio
+          name: abinitio-local
+      securityContext:
+        fsGroup: 1000
+        fsGroupChangePolicy: OnRootMismatch
+        runAsGroup: 1000
+        runAsNonRoot: true
+        runAsUser: 1000
+        seccompProfile:
+          type: RuntimeDefault
+      serviceAccountName: abinitio-sa
+      terminationGracePeriodSeconds: 30
+      volumes:
+      - configMap:
+          defaultMode: 511
+          name: metadata-loader
+        name: pod-config
+      - name: abinitio-local
+        persistentVolumeClaim:
+          claimName: metadata-loader-claim
+      - emptyDir: {}
+        name: tmp-volume
+      - name: aiadmin
+        secret:
+          secretName: aiadmin
+      - name: ocagent
+        secret:
+          secretName: ocagent
+      - name: bridge
+        secret:
+          secretName: bridge
+      - name: eme-join-user
+        secret:
+          secretName: eme-join-user
+      - name: qi-join-user
+        secret:
+          secretName: qi-join-user
+      - name: dcs-utility-user
+        secret:
+          secretName: dcs-utility-user
+      - name: mhub-utility-user
+        secret:
+          secretName: mhub-utility-user
+      - name: ag-db-importer
+        secret:
+          secretName: ag-db-importer
+      - name: admin
+        secret:
+          secretName: admin
+      - name: ag-ui-importer
+        secret:
+          secretName: ag-ui-importer
+      - name: cafe-join-user
+        secret:
+          secretName: cafe-join-user
+      - name: cc-join-user
+        secret:
+          secretName: cc-join-user
+      - name: dcs-join-user
+        secret:
+          secretName: dcs-join-user
+      - name: ei-join-user
+        secret:
+          secretName: ei-join-user
+      - name: mhub-join-user
+        secret:
+          secretName: mhub-join-user
+      - name: qiadmin-join-user
+        secret:
+          secretName: qiadmin-join-user
+      - name: sd-join-user
+        secret:
+          secretName: sd-join-user
+      - name: trw-join-user
+        secret:
+          secretName: trw-join-user
+      - name: mhub-db-importer
+        secret:
+          secretName: mhub-db-importer
+      - name: mhub-ui-importer
+        secret:
+          secretName: mhub-ui-importer
+      - name: ag-appserver
+        secret:
+          secretName: ag-appserver
+      - name: ag-report
+        secret:
+          secretName: ag-report
+      - name: cc-jdbc
+        secret:
+          secretName: cc-jdbc
+      - name: dcs-hmac-key
+        secret:
+          secretName: dcs-hmac-key
+      - name: abinitio
+        secret:
+          secretName: abinitio
+      - name: mhub-appserver
+        secret:
+          secretName: mhub-appserver
+      - name: mhub-report
+        secret:
+          secretName: mhub-report
+      - name: runtime-locator-join-user
+        secret:
+          secretName: runtime-locator-join-user
+      - name: password-key-file
+        secret:
+          secretName: password-key-file
+      - name: ab-share-data-and-appconf-root
+        persistentVolumeClaim:
+          claimName: ab-shared-data-and-appconf-root-claim
--- a/rendered/manifests/k3s-dev/abinitio-platform/metadatahub/apps_v1_deployment_metadatahub-importer.yaml
+++ b/rendered/manifests/k3s-dev/abinitio-platform/metadatahub/apps_v1_deployment_metadatahub-importer.yaml
@@ -0,0 +1,382 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app.kubernetes.io/instance: metadatahub-importer
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: metadatahub-importer
+    app.kubernetes.io/part-of: AbInitio
+    app.kubernetes.io/version: 4.4.1
+    helm.sh/chart: metadatahub-importer-2.4.3-a
+  name: metadatahub-importer
+  namespace: abinitio
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/instance: metadatahub-importer
+      app.kubernetes.io/name: metadatahub-importer
+  strategy:
+    type: Recreate
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/instance: metadatahub-importer
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: metadatahub-importer
+        app.kubernetes.io/part-of: AbInitio
+        app.kubernetes.io/version: 4.4.1
+        helm.sh/chart: metadatahub-importer-2.4.3-a
+      name: metadatahub-importer
+    spec:
+      containers:
+      - args:
+        - --ab-k8s-start-reporter
+        - "true"
+        - --ab-k8s-job-launch-script
+        - /ab-setup/setup_pod.sh
+        command:
+        - ab-container-entrypoint.ksh
+        env:
+        - name: AB_AIR_ENCRYPTED_PASSWORD
+          value: file=/secrets/aiadmin/password
+        - name: AB_AIR_ROOT
+          value: //eme-0.eme-headless/abinitio/eme/eme
+        - name: AB_AIR_USER
+          value: aiadmin
+        - name: AB_ALLOW_FILE_LOCK_ON_REMOTE_FILE_SYSTEM
+          value: "true"
+        - name: AB_AUTHORIZATION_GATEWAY_URL
+          value: http://authgateway:8080/authgateway
+        - name: AB_BRIDGE_CONFIGURATION_DIR
+          value: /abinitio/bridge
+        - name: AB_BRIDGE_CONFIGURATION_NAME
+          value: container-bridge
+        - name: AB_CHARSET
+          value: utf-8
+        - name: AB_CONFIGURATION
+          value: /config/pod/abinitiorc:/config/pod/apphubrc
+        - name: AB_CONNECTION_BRIDGE_ENCRYPTED_RPC_ENCRYPTION_KEY
+          value: file=/secrets/bridge/password
+        - name: AB_CONNECTION_BRIDGE_PORT
+          value: "7070"
+        - name: AB_CONNECTION_BRIDGE_RPC_ENCRYPTION_TYPE
+          value: aes128-gcm
+        - name: AB_CONNECTION_BRIDGE_SECURITY_CONFIGURATION
+          value: container-bridge-security
+        - name: AB_HOSTNAME_KEYSERVER_URLS
+          value: abks://key-server:6151
+        - name: AB_IPV4_ONLY
+          value: "true"
+        - name: AB_K8S_MAX_IDLE_SECONDS
+          value: "0"
+        - name: AB_K8S_START_BRIDGE
+          value: background
+        - name: AB_K8S_START_REPORTER
+          value: "true"
+        - name: AB_KEY_DAEMON_DIR
+          value: /tmp/abkc/data
+        - name: AB_MHUB_EME_WAYS_PARALLEL
+          value: "4"
+        - name: AB_MHUB_ENCRYPTED_PASSWORD
+          value: file=/secrets/aiadmin/password
+        - name: AB_MHUB_USERNAME
+          value: aiadmin
+        - name: AB_MUX_ENABLE_AG_CREDENTIAL_MAPPING
+          value: "false"
+        - name: AB_OPS_CONSOLE_URL
+          value: http://controlcenter:8080/controlcenter
+        - name: AB_OPS_PHYSICAL_HOSTNAME
+          value: metadatahub-importer
+        - name: AB_OPS_WSS_ENCRYPTED_PASSWORD
+          value: file=/secrets/ocagent/password
+        - name: AB_OPS_WSS_USERNAME
+          value: ocagent
+        - name: AB_PASSWORD_KEY_FILE
+          value: /secrets/password_key_file/password
+        - name: AB_RWI_BRIDGE_CONNECTION_DESCRIPTION
+          value: Ab Initio Bridge connection for Viewing Records with Data Quality
+            Issues
+        - name: AB_RWI_BRIDGE_CONNECTION_NAME
+          value: dq-rwi-Bridge-Connection
+        - name: AB_RWI_BRIDGE_CONNECTION_SECURITY_CONFIGURATION
+          value: rwi-security-config
+        - name: AB_RWI_BRIDGE_CONNECTION_SECURITY_TYPE_ID
+          value: "2"
+        - name: AB_RWI_BRIDGE_CONNECTION_URL
+          value: http://rwi:7171
+        - name: AB_RWI_BRIDGE_CONNECTION_USERNAME
+          value: rwi-bridge-user
+        - name: APP_FULL_URL
+          value: ""
+        - name: BRIDGE_AB_ENCRYPTED_KEY
+          value: file=/secrets/bridge/password
+        - name: CC_ADMIN_ENCRYPTED_PASSWORD
+          value: file=/secrets/aiadmin/password
+        - name: CC_ADMIN_USERNAME
+          value: aiadmin
+        - name: CMAP_MOUNT
+          value: /config/pod
+        - name: DEPLOY_NAME
+          value: metadatahub-importer
+        - name: JAVA_OPTS
+          value: -XX:InitialRAMPercentage=50.0 -XX:MaxRAMPercentage=75.0
+        - name: LOAD_PHYSOBJECTS
+          value: "true"
+        - name: NAMESPACE
+          value: abinitio
+        - name: POD_IP
+          valueFrom:
+            fieldRef:
+              fieldPath: status.podIP
+        - name: POD_LABEL
+          value: 'abinitio/product: metadatahub-importer, abinitio/deployment: metadatahub-importer'
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        - name: POD_SERVICE
+          value: metadatahub-importer
+        - name: POD_SERVICE_HEADLESS
+          value: metadatahub-importer-headless
+        image: asia-southeast1-docker.pkg.dev/str-22391/cloudplatform-proxy/aidp/metadatahub-importer:4.4.1.1-1
+        imagePullPolicy: IfNotPresent
+        name: metadatahub-importer
+        readinessProbe:
+          exec:
+            command:
+            - stat
+            - /tmp/.pod.ready
+          failureThreshold: 240
+          initialDelaySeconds: 45
+          periodSeconds: 10
+        resources:
+          limits:
+            ephemeral-storage: 8Gi
+            memory: 12Gi
+          requests:
+            cpu: "1"
+            ephemeral-storage: 8Gi
+            memory: 12Gi
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
+          runAsGroup: 1000
+          runAsNonRoot: true
+          runAsUser: 1000
+          seccompProfile:
+            type: RuntimeDefault
+        volumeMounts:
+        - mountPath: /config/pod
+          name: pod-config
+        - mountPath: /abinitio
+          name: abinitio-local
+        - mountPath: /secrets/aiadmin/password
+          name: aiadmin
+          subPath: password
+        - mountPath: /secrets/ocagent/password
+          name: ocagent
+          subPath: password
+        - mountPath: /secrets/bridge/password
+          name: bridge
+          subPath: password
+        - mountPath: /secrets/eme_join_user/password
+          name: eme-join-user
+          subPath: password
+        - mountPath: /secrets/qi_join_user/password
+          name: qi-join-user
+          subPath: password
+        - mountPath: /secrets/dcs_utility_user/password
+          name: dcs-utility-user
+          subPath: password
+        - mountPath: /secrets/mhub_utility_user/password
+          name: mhub-utility-user
+          subPath: password
+        - mountPath: /secrets/ag_db_importer/password
+          name: ag-db-importer
+          subPath: password
+        - mountPath: /secrets/admin/password
+          name: admin
+          subPath: password
+        - mountPath: /secrets/ag_ui_importer/password
+          name: ag-ui-importer
+          subPath: password
+        - mountPath: /secrets/cafe_join_user/password
+          name: cafe-join-user
+          subPath: password
+        - mountPath: /secrets/cc_join_user/password
+          name: cc-join-user
+          subPath: password
+        - mountPath: /secrets/dcs_join_user/password
+          name: dcs-join-user
+          subPath: password
+        - mountPath: /secrets/ei_join_user/password
+          name: ei-join-user
+          subPath: password
+        - mountPath: /secrets/mhub_join_user/password
+          name: mhub-join-user
+          subPath: password
+        - mountPath: /secrets/qiadmin_join_user/password
+          name: qiadmin-join-user
+          subPath: password
+        - mountPath: /secrets/sd_join_user/password
+          name: sd-join-user
+          subPath: password
+        - mountPath: /secrets/trw_join_user/password
+          name: trw-join-user
+          subPath: password
+        - mountPath: /secrets/mhub_db_importer/password
+          name: mhub-db-importer
+          subPath: password
+        - mountPath: /secrets/mhub_ui_importer/password
+          name: mhub-ui-importer
+          subPath: password
+        - mountPath: /secrets/ag_appserver/password
+          name: ag-appserver
+          subPath: password
+        - mountPath: /secrets/ag_report/password
+          name: ag-report
+          subPath: password
+        - mountPath: /secrets/cc_jdbc/password
+          name: cc-jdbc
+          subPath: password
+        - mountPath: /secrets/dcs_hmac_key/password
+          name: dcs-hmac-key
+          subPath: password
+        - mountPath: /secrets/abinitio/password
+          name: abinitio
+          subPath: password
+        - mountPath: /secrets/mhub_appserver/password
+          name: mhub-appserver
+          subPath: password
+        - mountPath: /secrets/mhub_report/password
+          name: mhub-report
+          subPath: password
+        - mountPath: /secrets/runtime_locator_join_user/password
+          name: runtime-locator-join-user
+          subPath: password
+        - mountPath: /secrets/password_key_file/password
+          name: password-key-file
+          subPath: password
+        - mountPath: /ab_share
+          name: ab-share-data-and-appconf-root
+        - mountPath: /tmp
+          name: tmp-volume
+      hostAliases:
+      - hostnames:
+        - metadatahub-importer.abinitio
+        ip: 127.0.0.1
+      hostname: metadatahub-importer
+      initContainers: null
+      securityContext:
+        fsGroup: 1000
+        fsGroupChangePolicy: OnRootMismatch
+        runAsGroup: 1000
+        runAsNonRoot: true
+        runAsUser: 1000
+        seccompProfile:
+          type: RuntimeDefault
+      serviceAccountName: abinitio-sa
+      terminationGracePeriodSeconds: 30
+      volumes:
+      - configMap:
+          defaultMode: 511
+          name: metadatahub-importer
+        name: pod-config
+      - name: abinitio-local
+        persistentVolumeClaim:
+          claimName: metadatahub-importer-claim
+      - emptyDir: {}
+        name: tmp-volume
+      - name: aiadmin
+        secret:
+          secretName: aiadmin
+      - name: ocagent
+        secret:
+          secretName: ocagent
+      - name: bridge
+        secret:
+          secretName: bridge
+      - name: eme-join-user
+        secret:
+          secretName: eme-join-user
+      - name: qi-join-user
+        secret:
+          secretName: qi-join-user
+      - name: dcs-utility-user
+        secret:
+          secretName: dcs-utility-user
+      - name: mhub-utility-user
+        secret:
+          secretName: mhub-utility-user
+      - name: ag-db-importer
+        secret:
+          secretName: ag-db-importer
+      - name: admin
+        secret:
+          secretName: admin
+      - name: ag-ui-importer
+        secret:
+          secretName: ag-ui-importer
+      - name: cafe-join-user
+        secret:
+          secretName: cafe-join-user
+      - name: cc-join-user
+        secret:
+          secretName: cc-join-user
+      - name: dcs-join-user
+        secret:
+          secretName: dcs-join-user
+      - name: ei-join-user
+        secret:
+          secretName: ei-join-user
+      - name: mhub-join-user
+        secret:
+          secretName: mhub-join-user
+      - name: qiadmin-join-user
+        secret:
+          secretName: qiadmin-join-user
+      - name: sd-join-user
+        secret:
+          secretName: sd-join-user
+      - name: trw-join-user
+        secret:
+          secretName: trw-join-user
+      - name: mhub-db-importer
+        secret:
+          secretName: mhub-db-importer
+      - name: mhub-ui-importer
+        secret:
+          secretName: mhub-ui-importer
+      - name: ag-appserver
+        secret:
+          secretName: ag-appserver
+      - name: ag-report
+        secret:
+          secretName: ag-report
+      - name: cc-jdbc
+        secret:
+          secretName: cc-jdbc
+      - name: dcs-hmac-key
+        secret:
+          secretName: dcs-hmac-key
+      - name: abinitio
+        secret:
+          secretName: abinitio
+      - name: mhub-appserver
+        secret:
+          secretName: mhub-appserver
+      - name: mhub-report
+        secret:
+          secretName: mhub-report
+      - name: runtime-locator-join-user
+        secret:
+          secretName: runtime-locator-join-user
+      - name: password-key-file
+        secret:
+          secretName: password-key-file
+      - name: ab-share-data-and-appconf-root
+        persistentVolumeClaim:
+          claimName: ab-shared-data-and-appconf-root-claim
--- a/rendered/manifests/k3s-dev/abinitio-platform/metadatahub/apps_v1_deployment_metadatahub.yaml
+++ b/rendered/manifests/k3s-dev/abinitio-platform/metadatahub/apps_v1_deployment_metadatahub.yaml
@@ -0,0 +1,315 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    abinitio/deployment: metadatahub
+    app.kubernetes.io/instance: metadatahub
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: metadatahub
+    app.kubernetes.io/part-of: AbInitio
+    app.kubernetes.io/version: 4.4.1
+    helm.sh/chart: metadatahub-2.4.3-a
+  name: metadatahub
+  namespace: abinitio
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/instance: metadatahub
+      app.kubernetes.io/name: metadatahub
+  template:
+    metadata:
+      labels:
+        abinitio/deployment: metadatahub
+        app.kubernetes.io/instance: metadatahub
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: metadatahub
+        app.kubernetes.io/part-of: AbInitio
+        app.kubernetes.io/version: 4.4.1
+        helm.sh/chart: metadatahub-2.4.3-a
+      name: metadatahub
+    spec:
+      containers:
+      - env:
+        - name: AB_CONFIG_PROVIDER_URL
+          value: file://localhost/config
+        - name: AB_IPV4_ONLY
+          value: "true"
+        - name: AB_PASSWORD_KEY_FILE
+          value: /secrets/password_key_file/password
+        - name: CATALINA_TMPDIR
+          value: /tmp
+        - name: DEPLOY_NAME
+          value: metadatahub
+        - name: JAVA_OPTS
+          value: -XX:InitialRAMPercentage=50.0 -XX:MaxRAMPercentage=75.0
+        - name: LOAD_PHYSOBJECTS
+          value: "true"
+        - name: NAMESPACE
+          value: abinitio
+        - name: POD_IP
+          valueFrom:
+            fieldRef:
+              fieldPath: status.podIP
+        - name: POD_LABEL
+          value: 'abinitio/product: metadatahub, abinitio/deployment: metadatahub'
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        - name: POD_SERVICE
+          value: metadatahub
+        image: asia-southeast1-docker.pkg.dev/str-22391/cloudplatform-proxy/aidp/metadatahub:4.4.1.1-1
+        imagePullPolicy: IfNotPresent
+        lifecycle:
+          preStop:
+            exec:
+              command:
+              - /bin/sh
+              - -c
+              - ${CATALINA_HOME}/bin/catalina.sh stop
+        livenessProbe:
+          failureThreshold: 3
+          httpGet:
+            path: /metadatahub/api/abwebinternal/health/k8s/liveness
+            port: 8080
+          initialDelaySeconds: 5
+          periodSeconds: 30
+          timeoutSeconds: 5
+        name: metadatahub-app
+        readinessProbe:
+          failureThreshold: 3
+          httpGet:
+            path: /metadatahub/api/abwebinternal/health/k8s/readiness
+            port: 8080
+          initialDelaySeconds: 10
+          periodSeconds: 30
+          timeoutSeconds: 5
+        resources:
+          limits:
+            ephemeral-storage: 2Gi
+            memory: 24Gi
+          requests:
+            cpu: "2"
+            ephemeral-storage: 2Gi
+            memory: 16Gi
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
+          runAsGroup: 1000
+          runAsNonRoot: true
+          runAsUser: 1000
+          seccompProfile:
+            type: RuntimeDefault
+        startupProbe:
+          failureThreshold: 60
+          httpGet:
+            path: /metadatahub/api/abwebinternal/health/k8s/startup
+            port: 8080
+          initialDelaySeconds: 30
+          periodSeconds: 30
+          timeoutSeconds: 5
+        volumeMounts:
+        - mountPath: /config/metadatahub
+          name: app-external-config
+        - mountPath: /abinitio
+          name: abinitio-local
+        - mountPath: /tmp
+          name: tmp-volume
+        - mountPath: /secrets/aiadmin/password
+          name: aiadmin
+          subPath: password
+        - mountPath: /secrets/ocagent/password
+          name: ocagent
+          subPath: password
+        - mountPath: /secrets/bridge/password
+          name: bridge
+          subPath: password
+        - mountPath: /secrets/eme_join_user/password
+          name: eme-join-user
+          subPath: password
+        - mountPath: /secrets/qi_join_user/password
+          name: qi-join-user
+          subPath: password
+        - mountPath: /secrets/dcs_utility_user/password
+          name: dcs-utility-user
+          subPath: password
+        - mountPath: /secrets/mhub_utility_user/password
+          name: mhub-utility-user
+          subPath: password
+        - mountPath: /secrets/ag_db_importer/password
+          name: ag-db-importer
+          subPath: password
+        - mountPath: /secrets/admin/password
+          name: admin
+          subPath: password
+        - mountPath: /secrets/ag_ui_importer/password
+          name: ag-ui-importer
+          subPath: password
+        - mountPath: /secrets/cafe_join_user/password
+          name: cafe-join-user
+          subPath: password
+        - mountPath: /secrets/cc_join_user/password
+          name: cc-join-user
+          subPath: password
+        - mountPath: /secrets/dcs_join_user/password
+          name: dcs-join-user
+          subPath: password
+        - mountPath: /secrets/ei_join_user/password
+          name: ei-join-user
+          subPath: password
+        - mountPath: /secrets/mhub_join_user/password
+          name: mhub-join-user
+          subPath: password
+        - mountPath: /secrets/qiadmin_join_user/password
+          name: qiadmin-join-user
+          subPath: password
+        - mountPath: /secrets/sd_join_user/password
+          name: sd-join-user
+          subPath: password
+        - mountPath: /secrets/trw_join_user/password
+          name: trw-join-user
+          subPath: password
+        - mountPath: /secrets/mhub_db_importer/password
+          name: mhub-db-importer
+          subPath: password
+        - mountPath: /secrets/mhub_ui_importer/password
+          name: mhub-ui-importer
+          subPath: password
+        - mountPath: /secrets/ag_appserver/password
+          name: ag-appserver
+          subPath: password
+        - mountPath: /secrets/ag_report/password
+          name: ag-report
+          subPath: password
+        - mountPath: /secrets/cc_jdbc/password
+          name: cc-jdbc
+          subPath: password
+        - mountPath: /secrets/dcs_hmac_key/password
+          name: dcs-hmac-key
+          subPath: password
+        - mountPath: /secrets/abinitio/password
+          name: abinitio
+          subPath: password
+        - mountPath: /secrets/mhub_appserver/password
+          name: mhub-appserver
+          subPath: password
+        - mountPath: /secrets/mhub_report/password
+          name: mhub-report
+          subPath: password
+        - mountPath: /secrets/runtime_locator_join_user/password
+          name: runtime-locator-join-user
+          subPath: password
+        - mountPath: /secrets/password_key_file/password
+          name: password-key-file
+          subPath: password
+      hostname: metadatahub
+      initContainers: null
+      securityContext:
+        fsGroup: 1000
+        fsGroupChangePolicy: OnRootMismatch
+        runAsGroup: 1000
+        runAsNonRoot: true
+        runAsUser: 1000
+        seccompProfile:
+          type: RuntimeDefault
+      serviceAccountName: abinitio-sa
+      terminationGracePeriodSeconds: 30
+      volumes:
+      - emptyDir: {}
+        name: abinitio-local
+      - configMap:
+          defaultMode: 511
+          name: metadatahub-external-config
+        name: app-external-config
+      - emptyDir: {}
+        name: tmp-volume
+      - name: aiadmin
+        secret:
+          secretName: aiadmin
+      - name: ocagent
+        secret:
+          secretName: ocagent
+      - name: bridge
+        secret:
+          secretName: bridge
+      - name: eme-join-user
+        secret:
+          secretName: eme-join-user
+      - name: qi-join-user
+        secret:
+          secretName: qi-join-user
+      - name: dcs-utility-user
+        secret:
+          secretName: dcs-utility-user
+      - name: mhub-utility-user
+        secret:
+          secretName: mhub-utility-user
+      - name: ag-db-importer
+        secret:
+          secretName: ag-db-importer
+      - name: admin
+        secret:
+          secretName: admin
+      - name: ag-ui-importer
+        secret:
+          secretName: ag-ui-importer
+      - name: cafe-join-user
+        secret:
+          secretName: cafe-join-user
+      - name: cc-join-user
+        secret:
+          secretName: cc-join-user
+      - name: dcs-join-user
+        secret:
+          secretName: dcs-join-user
+      - name: ei-join-user
+        secret:
+          secretName: ei-join-user
+      - name: mhub-join-user
+        secret:
+          secretName: mhub-join-user
+      - name: qiadmin-join-user
+        secret:
+          secretName: qiadmin-join-user
+      - name: sd-join-user
+        secret:
+          secretName: sd-join-user
+      - name: trw-join-user
+        secret:
+          secretName: trw-join-user
+      - name: mhub-db-importer
+        secret:
+          secretName: mhub-db-importer
+      - name: mhub-ui-importer
+        secret:
+          secretName: mhub-ui-importer
+      - name: ag-appserver
+        secret:
+          secretName: ag-appserver
+      - name: ag-report
+        secret:
+          secretName: ag-report
+      - name: cc-jdbc
+        secret:
+          secretName: cc-jdbc
+      - name: dcs-hmac-key
+        secret:
+          secretName: dcs-hmac-key
+      - name: abinitio
+        secret:
+          secretName: abinitio
+      - name: mhub-appserver
+        secret:
+          secretName: mhub-appserver
+      - name: mhub-report
+        secret:
+          secretName: mhub-report
+      - name: runtime-locator-join-user
+        secret:
+          secretName: runtime-locator-join-user
+      - name: password-key-file
+        secret:
+          secretName: password-key-file
--- a/rendered/manifests/k3s-dev/abinitio-platform/metadatahub/v1_configmap_metadata-loader.yaml
+++ b/rendered/manifests/k3s-dev/abinitio-platform/metadatahub/v1_configmap_metadata-loader.yaml
@@ -0,0 +1,34 @@
+apiVersion: v1
+data:
+  abinitiorc: |
+    AB_AIR_BRANCH @ expressit : main
+    AB_AIR_ROOT : //eme-0.eme-headless/abinitio/eme/eme
+    AB_AIR_ROOT @ expressit : //eme-0.eme-headless/abinitio/eme/eme
+    AB_APPCONF_ROOT_DIR @ expressit : /ab_share/ab_appconf_root
+    AB_BRIDGE_WORKDIR @ container-bridge : /tmp/container-bridge-workdir
+    AB_CHARSET : utf-8
+    AB_CONNECTION : bridge
+    AB_CONNECTION_BRIDGE_ENCRYPTED_RPC_ENCRYPTION_KEY : file=/secrets/bridge/password
+    AB_HOSTNAME_KEYSERVER_URLS : abks://key-server:6151
+    AB_MHUB_LOCAL_ROOT : /abinitio/deploy
+    AB_OPS_CONSOLE_URL : http://controlcenter:8080/controlcenter
+    AB_OPS_MONITOR : true
+    AB_OPS_MONITOR_RESOURCES : false
+    AB_OPS_PHYSICAL_HOSTNAME : metadata-loader
+    AB_PROC_DIR : /tmp
+    AB_WORK_DIR : /abinitio/work
+  apphubrc: |
+    AB_BRIDGE_VOLATILE_DIR : /tmp/ab-bridge-volatile-dir
+    AB_KEYSERVER_GROUP : AI-IC-AWS001a
+    AB_KEYSERVER_URLS : abks://key-server:6150
+kind: ConfigMap
+metadata:
+  labels:
+    app.kubernetes.io/instance: metadata-loader
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: metadata-loader
+    app.kubernetes.io/part-of: AbInitio
+    app.kubernetes.io/version: 4.4.1
+    helm.sh/chart: metadata-loader-2.4.3-a
+  name: metadata-loader
+  namespace: abinitio
--- a/rendered/manifests/k3s-dev/abinitio-platform/metadatahub/v1_configmap_metadatahub-external-config.yaml
+++ b/rendered/manifests/k3s-dev/abinitio-platform/metadatahub/v1_configmap_metadatahub-external-config.yaml
@@ -0,0 +1,155 @@
+apiVersion: v1
+data:
+  default-resources.xml: |
+    <?xml version='1.1' encoding='UTF-8'?>
+    <config>
+      <initial>
+        <Entities>
+          <Principal.Role>
+            <Principal.Role>MDP Viewer Role</Principal.Role>
+            <Description>View Metadata Promotion configuration and jobs.</Description>
+            <IsProvisionable>Y</IsProvisionable>
+            <Name>MDP Viewer Role</Name>
+          </Principal.Role>
+          <Principal.Role>
+            <Principal.Role>MDP Operator Role</Principal.Role>
+            <Description>Run and operate Metadata Promotion jobs.</Description>
+            <IsProvisionable>Y</IsProvisionable>
+            <Name>MDP Operator Role</Name>
+          </Principal.Role>
+          <Principal.Role>
+            <Principal.Role>MDP Editor Role</Principal.Role>
+            <Description>Edit Metadata Promotion configurations.</Description>
+            <IsProvisionable>Y</IsProvisionable>
+            <Name>MDP Editor Role</Name>
+            <SynchronizationNumber />
+          </Principal.Role>
+          <Principal.Role>
+            <Principal.Role>MDP Administrator Role</Principal.Role>
+            <Description>Administrative role that can perform all Metadata Promotion activities.</Description>
+            <IsProvisionable>Y</IsProvisionable>
+            <Name>MDP Administrator Role</Name>
+          </Principal.Role>
+          <Principal.Role>
+            <Principal.Role>DiscoveryAdministratorRole</Principal.Role>
+            <Description>Administrative role that can access all of the Semantic Discovery views.</Description>
+            <IsProvisionable>Y</IsProvisionable>
+            <Name>Discovery Administrator Role</Name>
+          </Principal.Role>
+          <Principal.Role>
+            <Principal.Role>DiscoveryOperatorRole</Principal.Role>
+            <Description>Operations role that can request Semantic Discovery job execution.</Description>
+            <IsProvisionable>Y</IsProvisionable>
+            <Name>Discovery Operator Role</Name>
+          </Principal.Role>
+        </Entities>
+      </initial>
+    </config>
+  mhub.yaml: |
+    externalConfig:
+      metadataHub:
+        appserverType: tomcat
+        authentication:
+          type: ag
+        authorization:
+          type: ag
+        authorizationGateway:
+          password: file=/secrets/mhub_join_user/password
+          productIdentifier: Metadata Hub
+          productName: Metadata Hub
+          url: http://authgateway:8080/authgateway
+          username: mhub_join_user
+        bridgeConnectionList:
+        - encryptionType: aes128-gcm
+          name: container-bridge
+          rpcSecret: file=/secrets/bridge/password
+          securityConfig: container-bridge-security
+          url: http://metadatahub-importer:7070
+        - encryptionType: aes128
+          name: dq-rwi-Bridge-Connection
+          rpcSecret: file=/secrets/bridge/password
+          securityConfig: rwi-security-config
+          url: http://rwi:7171
+        db:
+          appserver:
+            password: file=/secrets/mhub_appserver/password
+            username: mhub_appserver
+          host: metadatahub-rw.abinitio-db.svc
+          importer:
+            password: file=/secrets/mhub_db_importer/password
+            username: mhub_importer
+          mainSchema:
+            name: mhub_main
+          metaSchema:
+            name: mhub_meta
+          name: metadatahub
+          port: 5432
+          report:
+            password: file=/secrets/mhub_report/password
+            username: mhub_report
+          type: postgresql
+        interop:
+          aiCentral:
+            url: http://aicentral:8080/aicentral
+          dataCatalogServices:
+            url: http://datacatalog:8080/datacatalog
+        logging:
+          directoryPath: /abinitio/webapp/logs
+          maxBackups: 5
+        packageForSupport:
+          encrypted: EncryptForNonAdmins
+        serverConfiguration:
+          abinitioCustomServices:
+            enabled: true
+            url: http://cafe:8080/portal
+          aiCentral:
+            directProxy: {}
+            enabled: false
+          client:
+            businessGlossary:
+              technicalDataElemBizTermLink: viaBusinessDataElem
+            techAssetDQ:
+              mode: showControls
+          cluster:
+            autoConfig:
+              hosts: metadatahub-jgroup
+              port: 7800
+              protocol: TCP
+            enabled: true
+            encryption:
+              enabled: false
+          dataCatalog:
+            enabled: true
+            usePhysicalObjectModel: true
+            utility:
+              password: file=/secrets/dcs_utility_user/password
+              user: dcs_utility
+          extensionSet:
+            customerDefinedExtensionSetLexicographicSort: false
+          mtbridge:
+            dQRecordsWithIssuesBridgeConnection: dq-rwi-Bridge-Connection
+            defaultBridgeConnection: container-bridge
+            importHostServicesBridgeConnection: container-bridge
+          search:
+            index:
+              thread:
+                pool:
+                  bootstrapSize: 1
+                  size: 1
+            indexDirectoryRoot: file:///abinitio/data/searchIndex
+        urlFromBrowser: https://aidp.k3s.sg.ic.cloudguild.gcp.abinitio.com/metadatahub
+        urlFromImporter: http://metadatahub:8080/metadatahub
+        websockets:
+          forceDisable: false
+kind: ConfigMap
+metadata:
+  labels:
+    abinitio/deployment: metadatahub
+    app.kubernetes.io/instance: metadatahub
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: metadatahub
+    app.kubernetes.io/part-of: AbInitio
+    app.kubernetes.io/version: 4.4.1
+    helm.sh/chart: metadatahub-2.4.3-a
+  name: metadatahub-external-config
+  namespace: abinitio
--- a/rendered/manifests/k3s-dev/abinitio-platform/metadatahub/v1_configmap_metadatahub-importer.yaml
+++ b/rendered/manifests/k3s-dev/abinitio-platform/metadatahub/v1_configmap_metadatahub-importer.yaml
@@ -0,0 +1,80 @@
+apiVersion: v1
+data:
+  abinitiorc: |
+    AB_BRIDGE_WORKDIR @ container-bridge : /tmp/container-bridge-workdir
+    AB_CHARSET : utf-8
+    AB_CONNECTION : bridge
+    AB_CONNECTION_BRIDGE_ENCRYPTED_RPC_ENCRYPTION_KEY : file=/secrets/bridge/password
+    AB_CONNECTION_BRIDGE_PORT : 7070
+    AB_CONNECTION_BRIDGE_RPC_ENCRYPTION_TYPE : aes128-gcm
+    AB_CONNECTION_BRIDGE_SECURITY_CONFIGURATION : container-bridge-security
+    AB_HOME @ emeabeme : /usr/local/abinitio
+    AB_HOSTNAME_KEYSERVER_URLS : abks://key-server:6151
+    AB_MHUB_LOCAL_ROOT : /abinitio/deploy
+    AB_NODES @ emeabeme : eme-0.eme-headless
+    AB_OPS_CONSOLE_URL : http://controlcenter:8080/controlcenter
+    AB_OPS_MONITOR : true
+    AB_OPS_MONITOR_RESOURCES : false
+    AB_OPS_PHYSICAL_HOSTNAME : metadatahub-importer
+    AB_PROC_DIR : /tmp
+    AB_WORK_DIR : /abinitio/work
+  apphubrc: |
+    AB_BRIDGE_VOLATILE_DIR : /tmp/ab-bridge-volatile-dir
+    AB_KEYSERVER_GROUP : AI-IC-AWS001a
+    AB_KEYSERVER_URLS : abks://key-server:6150
+  deploy_params.config: |
+    appserver.cluster.option: '3'
+    appserver.host: 'metadatahub'
+    appserver.port: '8080'
+    appserver.protocol: 'http'
+    appserver.type: 'tomcat'
+    bridge.config: 'container-bridge'
+    bridge.create.security.config: 'N'
+    bridge.host: 'metadatahub-importer'
+    bridge.port: '7070'
+    bridge.rpc.aes128gcm.ab_encrypted_key: 'file=/secrets/bridge/password'
+    bridge.rpc.aes128gcm.mhub_encrypted_key: 'file=/secrets/bridge/password'
+    bridge.security_config: 'container-bridge-security'
+    bridge.security_type: 'aes-128-gcm'
+    db.appserver.mhub_encrypted_password: 'file=/secrets/mhub_appserver/password'
+    db.appserver.username: 'mhub_appserver'
+    db.create: 'Y'
+    db.create_physical: 'N'
+    db.datastore.destroy_if_exists: 'N'
+    db.host: 'metadatahub-rw.abinitio-db.svc'
+    db.importer.ab_encrypted_password: 'file=/secrets/mhub_db_importer/password'
+    db.importer.mhub_encrypted_password: 'file=/secrets/mhub_db_importer/password'
+    db.importer.username: 'mhub_importer'
+    db.name: 'metadatahub'
+    db.port: '5432'
+    db.report.mhub_encrypted_password: 'file=/secrets/mhub_report/password'
+    db.report.username: 'mhub_report'
+    db.type: 'postgresql'
+    deployment.name: 'metadatahub-importer'
+    deployment.set_server_config: 'N'
+    deployment.type_basic: 'N'
+    lineage.server: 'N'
+    lineageserver.url: ''
+    security.encryption.keyDirectory: ''
+    security.encryption.useExternalKey: 'N'
+    ui.webaccess.admin.ab_encrypted_password: 'file=/secrets/admin/password'
+    ui.webaccess.admin.password_hash_encrypted: 'file=/secrets/admin/password'
+    ui.webaccess.importer.ab_encrypted_password: 'file=/secrets/mhub_ui_importer/password'
+    ui.webaccess.importer.password_hash_encrypted: 'file=/secrets/mhub_ui_importer/password'
+    webapp.app_name: 'metadatahub'
+    webapp.cluster.hosts: 'metadatahub-jgroup'
+    webapp.cluster.port: '7800'
+    webapp.clustered.deployment: 'Y'
+    webapp.deploy_warfile: 'N'
+    webapp.indexDirectoryRoot: 'file:///abinitio/data/searchIndex'
+kind: ConfigMap
+metadata:
+  labels:
+    app.kubernetes.io/instance: metadatahub-importer
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: metadatahub-importer
+    app.kubernetes.io/part-of: AbInitio
+    app.kubernetes.io/version: 4.4.1
+    helm.sh/chart: metadatahub-importer-2.4.3-a
+  name: metadatahub-importer
+  namespace: abinitio
--- a/rendered/manifests/k3s-dev/abinitio-platform/metadatahub/v1_persistentvolumeclaim_metadata-loader-claim.yaml
+++ b/rendered/manifests/k3s-dev/abinitio-platform/metadatahub/v1_persistentvolumeclaim_metadata-loader-claim.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  labels:
+    app.kubernetes.io/instance: metadata-loader
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: metadata-loader
+    app.kubernetes.io/part-of: AbInitio
+    app.kubernetes.io/version: 4.4.1
+    helm.sh/chart: metadata-loader-2.4.3-a
+  name: metadata-loader-claim
+  namespace: abinitio
+spec:
+  accessModes:
+  - ReadWriteOnce
+  resources:
+    requests:
+      storage: 10Gi
--- a/rendered/manifests/k3s-dev/abinitio-platform/metadatahub/v1_persistentvolumeclaim_metadatahub-importer-claim.yaml
+++ b/rendered/manifests/k3s-dev/abinitio-platform/metadatahub/v1_persistentvolumeclaim_metadatahub-importer-claim.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  labels:
+    app.kubernetes.io/instance: metadatahub-importer
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: metadatahub-importer
+    app.kubernetes.io/part-of: AbInitio
+    app.kubernetes.io/version: 4.4.1
+    helm.sh/chart: metadatahub-importer-2.4.3-a
+  name: metadatahub-importer-claim
+  namespace: abinitio
+spec:
+  accessModes:
+  - ReadWriteOnce
+  resources:
+    requests:
+      storage: 10Gi
--- a/rendered/manifests/k3s-dev/abinitio-platform/metadatahub/v1_service_metadata-loader.yaml
+++ b/rendered/manifests/k3s-dev/abinitio-platform/metadatahub/v1_service_metadata-loader.yaml
@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app.kubernetes.io/instance: metadata-loader
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: metadata-loader
+    app.kubernetes.io/part-of: AbInitio
+    app.kubernetes.io/version: 4.4.1
+    helm.sh/chart: metadata-loader-2.4.3-a
+  name: metadata-loader
+  namespace: abinitio
+spec:
+  ports:
+  - name: bridge
+    port: 7070
+    protocol: TCP
+    targetPort: 7070
+  publishNotReadyAddresses: false
+  selector:
+    app.kubernetes.io/instance: metadata-loader
+    app.kubernetes.io/name: metadata-loader
+  type: ClusterIP
--- a/rendered/manifests/k3s-dev/abinitio-platform/metadatahub/v1_service_metadatahub-importer.yaml
+++ b/rendered/manifests/k3s-dev/abinitio-platform/metadatahub/v1_service_metadatahub-importer.yaml
@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app.kubernetes.io/instance: metadatahub-importer
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: metadatahub-importer
+    app.kubernetes.io/part-of: AbInitio
+    app.kubernetes.io/version: 4.4.1
+    helm.sh/chart: metadatahub-importer-2.4.3-a
+  name: metadatahub-importer
+  namespace: abinitio
+spec:
+  ports:
+  - name: bridge
+    port: 7070
+    protocol: TCP
+    targetPort: 7070
+  publishNotReadyAddresses: true
+  selector:
+    app.kubernetes.io/instance: metadatahub-importer
+    app.kubernetes.io/name: metadatahub-importer
+  type: ClusterIP
--- a/rendered/manifests/k3s-dev/abinitio-platform/metadatahub/v1_service_metadatahub-jgroup.yaml
+++ b/rendered/manifests/k3s-dev/abinitio-platform/metadatahub/v1_service_metadatahub-jgroup.yaml
@@ -0,0 +1,25 @@
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    abinitio/deployment: metadatahub
+    app.kubernetes.io/instance: metadatahub
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: metadatahub
+    app.kubernetes.io/part-of: AbInitio
+    app.kubernetes.io/version: 4.4.1
+    helm.sh/chart: metadatahub-2.4.3-a
+  name: metadatahub-jgroup
+  namespace: abinitio
+spec:
+  clusterIP: None
+  ports:
+  - name: jgroup-channel
+    port: 7800
+    protocol: TCP
+    targetPort: 7800
+  publishNotReadyAddresses: true
+  selector:
+    app.kubernetes.io/instance: metadatahub
+    app.kubernetes.io/name: metadatahub
+  type: ClusterIP
--- a/rendered/manifests/k3s-dev/abinitio-platform/metadatahub/v1_service_metadatahub.yaml
+++ b/rendered/manifests/k3s-dev/abinitio-platform/metadatahub/v1_service_metadatahub.yaml
@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    abinitio/deployment: metadatahub
+    app.kubernetes.io/instance: metadatahub
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: metadatahub
+    app.kubernetes.io/part-of: AbInitio
+    app.kubernetes.io/version: 4.4.1
+    helm.sh/chart: metadatahub-2.4.3-a
+  name: metadatahub
+  namespace: abinitio
+spec:
+  ports:
+  - name: http
+    port: 8080
+    protocol: TCP
+    targetPort: 8080
+  selector:
+    app.kubernetes.io/instance: metadatahub
+    app.kubernetes.io/name: metadatahub
+  sessionAffinity: ClientIP
+  sessionAffinityConfig:
+    clientIP:
+      timeoutSeconds: 86400
+  type: ClusterIP
--- a/rendered/manifests/k3s-dev/abinitio-platform/portal/apps_v1_deployment_cafe.yaml
+++ b/rendered/manifests/k3s-dev/abinitio-platform/portal/apps_v1_deployment_cafe.yaml
@@ -0,0 +1,310 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    abinitio/deployment: portal
+    app.kubernetes.io/instance: cafe
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: cafe
+    app.kubernetes.io/part-of: AbInitio
+    app.kubernetes.io/version: 4.4.1
+    helm.sh/chart: cafe-2.4.3-a
+  name: cafe
+  namespace: abinitio
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/instance: cafe
+      app.kubernetes.io/name: cafe
+  template:
+    metadata:
+      labels:
+        abinitio/deployment: portal
+        app.kubernetes.io/instance: cafe
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: cafe
+        app.kubernetes.io/part-of: AbInitio
+        app.kubernetes.io/version: 4.4.1
+        helm.sh/chart: cafe-2.4.3-a
+      name: cafe
+    spec:
+      containers:
+      - env:
+        - name: AB_CONFIG_PROVIDER_URL
+          value: file://localhost/config
+        - name: AB_IPV4_ONLY
+          value: "true"
+        - name: AB_PASSWORD_KEY_FILE
+          value: /secrets/password_key_file/password
+        - name: CATALINA_TMPDIR
+          value: /tmp
+        - name: DEPLOY_NAME
+          value: portal
+        - name: LOAD_PHYSOBJECTS
+          value: "true"
+        - name: NAMESPACE
+          value: abinitio
+        - name: POD_IP
+          valueFrom:
+            fieldRef:
+              fieldPath: status.podIP
+        - name: POD_LABEL
+          value: 'abinitio/product: cafe, abinitio/deployment: portal'
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        - name: POD_SERVICE
+          value: cafe
+        image: asia-southeast1-docker.pkg.dev/str-22391/cloudplatform-proxy/aidp/cafe:4.4.1.1-1
+        imagePullPolicy: IfNotPresent
+        lifecycle:
+          preStop:
+            exec:
+              command:
+              - /bin/sh
+              - -c
+              - ${CATALINA_HOME}/bin/catalina.sh stop
+        livenessProbe:
+          failureThreshold: 3
+          httpGet:
+            path: /portal/api/abwebinternal/health/k8s/liveness
+            port: 8080
+          initialDelaySeconds: 15
+          periodSeconds: 30
+        name: cafe-app
+        readinessProbe:
+          failureThreshold: 3
+          httpGet:
+            path: /portal/api/abwebinternal/health/k8s/readiness
+            port: 8080
+          initialDelaySeconds: 15
+          periodSeconds: 30
+        resources:
+          limits:
+            ephemeral-storage: 2Gi
+            memory: 4Gi
+          requests:
+            cpu: 100m
+            ephemeral-storage: 2Gi
+            memory: 4Gi
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
+          runAsGroup: 1000
+          runAsNonRoot: true
+          runAsUser: 1000
+          seccompProfile:
+            type: RuntimeDefault
+        startupProbe:
+          failureThreshold: 3
+          httpGet:
+            path: /portal/api/abwebinternal/health/k8s/startup
+            port: 8080
+          initialDelaySeconds: 15
+          periodSeconds: 30
+        volumeMounts:
+        - mountPath: /config/portal
+          name: app-external-config
+        - mountPath: /abinitio
+          name: abinitio-local
+        - mountPath: /tmp
+          name: tmp-volume
+        - mountPath: /secrets/aiadmin/password
+          name: aiadmin
+          subPath: password
+        - mountPath: /secrets/ocagent/password
+          name: ocagent
+          subPath: password
+        - mountPath: /secrets/bridge/password
+          name: bridge
+          subPath: password
+        - mountPath: /secrets/eme_join_user/password
+          name: eme-join-user
+          subPath: password
+        - mountPath: /secrets/qi_join_user/password
+          name: qi-join-user
+          subPath: password
+        - mountPath: /secrets/dcs_utility_user/password
+          name: dcs-utility-user
+          subPath: password
+        - mountPath: /secrets/mhub_utility_user/password
+          name: mhub-utility-user
+          subPath: password
+        - mountPath: /secrets/ag_db_importer/password
+          name: ag-db-importer
+          subPath: password
+        - mountPath: /secrets/admin/password
+          name: admin
+          subPath: password
+        - mountPath: /secrets/ag_ui_importer/password
+          name: ag-ui-importer
+          subPath: password
+        - mountPath: /secrets/cafe_join_user/password
+          name: cafe-join-user
+          subPath: password
+        - mountPath: /secrets/cc_join_user/password
+          name: cc-join-user
+          subPath: password
+        - mountPath: /secrets/dcs_join_user/password
+          name: dcs-join-user
+          subPath: password
+        - mountPath: /secrets/ei_join_user/password
+          name: ei-join-user
+          subPath: password
+        - mountPath: /secrets/mhub_join_user/password
+          name: mhub-join-user
+          subPath: password
+        - mountPath: /secrets/qiadmin_join_user/password
+          name: qiadmin-join-user
+          subPath: password
+        - mountPath: /secrets/sd_join_user/password
+          name: sd-join-user
+          subPath: password
+        - mountPath: /secrets/trw_join_user/password
+          name: trw-join-user
+          subPath: password
+        - mountPath: /secrets/mhub_db_importer/password
+          name: mhub-db-importer
+          subPath: password
+        - mountPath: /secrets/mhub_ui_importer/password
+          name: mhub-ui-importer
+          subPath: password
+        - mountPath: /secrets/ag_appserver/password
+          name: ag-appserver
+          subPath: password
+        - mountPath: /secrets/ag_report/password
+          name: ag-report
+          subPath: password
+        - mountPath: /secrets/cc_jdbc/password
+          name: cc-jdbc
+          subPath: password
+        - mountPath: /secrets/dcs_hmac_key/password
+          name: dcs-hmac-key
+          subPath: password
+        - mountPath: /secrets/abinitio/password
+          name: abinitio
+          subPath: password
+        - mountPath: /secrets/mhub_appserver/password
+          name: mhub-appserver
+          subPath: password
+        - mountPath: /secrets/mhub_report/password
+          name: mhub-report
+          subPath: password
+        - mountPath: /secrets/runtime_locator_join_user/password
+          name: runtime-locator-join-user
+          subPath: password
+        - mountPath: /secrets/password_key_file/password
+          name: password-key-file
+          subPath: password
+      hostname: cafe
+      initContainers: null
+      securityContext:
+        fsGroup: 1000
+        fsGroupChangePolicy: OnRootMismatch
+        runAsGroup: 1000
+        runAsNonRoot: true
+        runAsUser: 1000
+        seccompProfile:
+          type: RuntimeDefault
+      serviceAccountName: abinitio-sa
+      terminationGracePeriodSeconds: 30
+      volumes:
+      - emptyDir: {}
+        name: abinitio-local
+      - configMap:
+          defaultMode: 511
+          name: cafe-external-config
+        name: app-external-config
+      - emptyDir: {}
+        name: tmp-volume
+      - name: aiadmin
+        secret:
+          secretName: aiadmin
+      - name: ocagent
+        secret:
+          secretName: ocagent
+      - name: bridge
+        secret:
+          secretName: bridge
+      - name: eme-join-user
+        secret:
+          secretName: eme-join-user
+      - name: qi-join-user
+        secret:
+          secretName: qi-join-user
+      - name: dcs-utility-user
+        secret:
+          secretName: dcs-utility-user
+      - name: mhub-utility-user
+        secret:
+          secretName: mhub-utility-user
+      - name: ag-db-importer
+        secret:
+          secretName: ag-db-importer
+      - name: admin
+        secret:
+          secretName: admin
+      - name: ag-ui-importer
+        secret:
+          secretName: ag-ui-importer
+      - name: cafe-join-user
+        secret:
+          secretName: cafe-join-user
+      - name: cc-join-user
+        secret:
+          secretName: cc-join-user
+      - name: dcs-join-user
+        secret:
+          secretName: dcs-join-user
+      - name: ei-join-user
+        secret:
+          secretName: ei-join-user
+      - name: mhub-join-user
+        secret:
+          secretName: mhub-join-user
+      - name: qiadmin-join-user
+        secret:
+          secretName: qiadmin-join-user
+      - name: sd-join-user
+        secret:
+          secretName: sd-join-user
+      - name: trw-join-user
+        secret:
+          secretName: trw-join-user
+      - name: mhub-db-importer
+        secret:
+          secretName: mhub-db-importer
+      - name: mhub-ui-importer
+        secret:
+          secretName: mhub-ui-importer
+      - name: ag-appserver
+        secret:
+          secretName: ag-appserver
+      - name: ag-report
+        secret:
+          secretName: ag-report
+      - name: cc-jdbc
+        secret:
+          secretName: cc-jdbc
+      - name: dcs-hmac-key
+        secret:
+          secretName: dcs-hmac-key
+      - name: abinitio
+        secret:
+          secretName: abinitio
+      - name: mhub-appserver
+        secret:
+          secretName: mhub-appserver
+      - name: mhub-report
+        secret:
+          secretName: mhub-report
+      - name: runtime-locator-join-user
+        secret:
+          secretName: runtime-locator-join-user
+      - name: password-key-file
+        secret:
+          secretName: password-key-file
--- a/rendered/manifests/k3s-dev/abinitio-platform/portal/apps_v1_deployment_portal-nginx.yaml
+++ b/rendered/manifests/k3s-dev/abinitio-platform/portal/apps_v1_deployment_portal-nginx.yaml
@@ -0,0 +1,326 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    abinitio/deployment: portal-nginx
+    app.kubernetes.io/instance: portal-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: portal-nginx
+    app.kubernetes.io/part-of: AbInitio
+    app.kubernetes.io/version: 4.4.1
+    helm.sh/chart: portal-nginx-2.4.3-a
+  name: portal-nginx
+  namespace: abinitio
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/instance: portal-nginx
+      app.kubernetes.io/name: portal-nginx
+  template:
+    metadata:
+      labels:
+        abinitio/deployment: portal-nginx
+        app.kubernetes.io/instance: portal-nginx
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: portal-nginx
+        app.kubernetes.io/part-of: AbInitio
+        app.kubernetes.io/version: 4.4.1
+        helm.sh/chart: portal-nginx-2.4.3-a
+      name: portal-nginx
+    spec:
+      containers:
+      - env:
+        - name: AB_CONFIG_PROVIDER_URL
+          value: file://localhost/config
+        - name: AB_IPV4_ONLY
+          value: "true"
+        - name: AB_PASSWORD_KEY_FILE
+          value: /secrets/password_key_file/password
+        - name: CATALINA_TMPDIR
+          value: /tmp
+        - name: DEPLOY_NAME
+          value: portal-nginx
+        - name: LOAD_PHYSOBJECTS
+          value: "true"
+        - name: NAMESPACE
+          value: abinitio
+        - name: POD_IP
+          valueFrom:
+            fieldRef:
+              fieldPath: status.podIP
+        - name: POD_LABEL
+          value: 'abinitio/product: portal-nginx, abinitio/deployment: portal-nginx'
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        - name: POD_SERVICE
+          value: portal-nginx
+        image: asia-southeast1-docker.pkg.dev/str-22391/cloudplatform-proxy/aidp/portal-nginx:4.4.1.1-1
+        imagePullPolicy: IfNotPresent
+        livenessProbe:
+          exec:
+            command:
+            - /bin/sh
+            - -c
+            - curl -k https://localhost:8443/portal/app/index.html
+          failureThreshold: 3
+          initialDelaySeconds: 10
+          periodSeconds: 30
+        name: portal-nginx-app
+        readinessProbe:
+          exec:
+            command:
+            - /bin/sh
+            - -c
+            - curl -k https://localhost:8443/portal/app/index.html
+          failureThreshold: 3
+          initialDelaySeconds: 10
+          periodSeconds: 30
+        resources:
+          limits:
+            ephemeral-storage: 2Gi
+            memory: 4Gi
+          requests:
+            cpu: 100m
+            ephemeral-storage: 2Gi
+            memory: 4Gi
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
+          runAsGroup: 1000
+          runAsNonRoot: true
+          runAsUser: 1000
+          seccompProfile:
+            type: RuntimeDefault
+        startupProbe:
+          exec:
+            command:
+            - /bin/sh
+            - -c
+            - curl -k https://localhost:8443/portal/app/index.html
+          failureThreshold: 3
+          initialDelaySeconds: 10
+          periodSeconds: 30
+        volumeMounts:
+        - mountPath: /config/portal-nginx
+          name: app-external-config
+        - mountPath: /abinitio
+          name: abinitio-local
+        - mountPath: /tmp
+          name: tmp-volume
+        - mountPath: /etc/nginx/nginx.conf
+          name: nginx-config
+          readOnly: true
+          subPath: nginx.conf
+        - mountPath: /usr/share/nginx/html/platform
+          name: platform-data
+          readOnly: true
+        - mountPath: /secrets/aiadmin/password
+          name: aiadmin
+          subPath: password
+        - mountPath: /secrets/ocagent/password
+          name: ocagent
+          subPath: password
+        - mountPath: /secrets/bridge/password
+          name: bridge
+          subPath: password
+        - mountPath: /secrets/eme_join_user/password
+          name: eme-join-user
+          subPath: password
+        - mountPath: /secrets/qi_join_user/password
+          name: qi-join-user
+          subPath: password
+        - mountPath: /secrets/dcs_utility_user/password
+          name: dcs-utility-user
+          subPath: password
+        - mountPath: /secrets/mhub_utility_user/password
+          name: mhub-utility-user
+          subPath: password
+        - mountPath: /secrets/ag_db_importer/password
+          name: ag-db-importer
+          subPath: password
+        - mountPath: /secrets/admin/password
+          name: admin
+          subPath: password
+        - mountPath: /secrets/ag_ui_importer/password
+          name: ag-ui-importer
+          subPath: password
+        - mountPath: /secrets/cafe_join_user/password
+          name: cafe-join-user
+          subPath: password
+        - mountPath: /secrets/cc_join_user/password
+          name: cc-join-user
+          subPath: password
+        - mountPath: /secrets/dcs_join_user/password
+          name: dcs-join-user
+          subPath: password
+        - mountPath: /secrets/ei_join_user/password
+          name: ei-join-user
+          subPath: password
+        - mountPath: /secrets/mhub_join_user/password
+          name: mhub-join-user
+          subPath: password
+        - mountPath: /secrets/qiadmin_join_user/password
+          name: qiadmin-join-user
+          subPath: password
+        - mountPath: /secrets/sd_join_user/password
+          name: sd-join-user
+          subPath: password
+        - mountPath: /secrets/trw_join_user/password
+          name: trw-join-user
+          subPath: password
+        - mountPath: /secrets/mhub_db_importer/password
+          name: mhub-db-importer
+          subPath: password
+        - mountPath: /secrets/mhub_ui_importer/password
+          name: mhub-ui-importer
+          subPath: password
+        - mountPath: /secrets/ag_appserver/password
+          name: ag-appserver
+          subPath: password
+        - mountPath: /secrets/ag_report/password
+          name: ag-report
+          subPath: password
+        - mountPath: /secrets/cc_jdbc/password
+          name: cc-jdbc
+          subPath: password
+        - mountPath: /secrets/dcs_hmac_key/password
+          name: dcs-hmac-key
+          subPath: password
+        - mountPath: /secrets/abinitio/password
+          name: abinitio
+          subPath: password
+        - mountPath: /secrets/mhub_appserver/password
+          name: mhub-appserver
+          subPath: password
+        - mountPath: /secrets/mhub_report/password
+          name: mhub-report
+          subPath: password
+        - mountPath: /secrets/runtime_locator_join_user/password
+          name: runtime-locator-join-user
+          subPath: password
+        - mountPath: /secrets/password_key_file/password
+          name: password-key-file
+          subPath: password
+      hostname: portal-nginx
+      initContainers: null
+      securityContext:
+        fsGroup: 1000
+        fsGroupChangePolicy: OnRootMismatch
+        runAsGroup: 1000
+        runAsNonRoot: true
+        runAsUser: 1000
+        seccompProfile:
+          type: RuntimeDefault
+      serviceAccountName: abinitio-sa
+      terminationGracePeriodSeconds: 30
+      volumes:
+      - emptyDir: {}
+        name: abinitio-local
+      - configMap:
+          defaultMode: 511
+          name: portal-nginx-external-config
+        name: app-external-config
+      - configMap:
+          items:
+          - key: nginx.conf
+            path: nginx.conf
+          name: portal-nginx-external-config
+        name: nginx-config
+      - configMap:
+          defaultMode: 420
+          name: portal-nginx-platform-data
+        name: platform-data
+      - emptyDir: {}
+        name: tmp-volume
+      - name: aiadmin
+        secret:
+          secretName: aiadmin
+      - name: ocagent
+        secret:
+          secretName: ocagent
+      - name: bridge
+        secret:
+          secretName: bridge
+      - name: eme-join-user
+        secret:
+          secretName: eme-join-user
+      - name: qi-join-user
+        secret:
+          secretName: qi-join-user
+      - name: dcs-utility-user
+        secret:
+          secretName: dcs-utility-user
+      - name: mhub-utility-user
+        secret:
+          secretName: mhub-utility-user
+      - name: ag-db-importer
+        secret:
+          secretName: ag-db-importer
+      - name: admin
+        secret:
+          secretName: admin
+      - name: ag-ui-importer
+        secret:
+          secretName: ag-ui-importer
+      - name: cafe-join-user
+        secret:
+          secretName: cafe-join-user
+      - name: cc-join-user
+        secret:
+          secretName: cc-join-user
+      - name: dcs-join-user
+        secret:
+          secretName: dcs-join-user
+      - name: ei-join-user
+        secret:
+          secretName: ei-join-user
+      - name: mhub-join-user
+        secret:
+          secretName: mhub-join-user
+      - name: qiadmin-join-user
+        secret:
+          secretName: qiadmin-join-user
+      - name: sd-join-user
+        secret:
+          secretName: sd-join-user
+      - name: trw-join-user
+        secret:
+          secretName: trw-join-user
+      - name: mhub-db-importer
+        secret:
+          secretName: mhub-db-importer
+      - name: mhub-ui-importer
+        secret:
+          secretName: mhub-ui-importer
+      - name: ag-appserver
+        secret:
+          secretName: ag-appserver
+      - name: ag-report
+        secret:
+          secretName: ag-report
+      - name: cc-jdbc
+        secret:
+          secretName: cc-jdbc
+      - name: dcs-hmac-key
+        secret:
+          secretName: dcs-hmac-key
+      - name: abinitio
+        secret:
+          secretName: abinitio
+      - name: mhub-appserver
+        secret:
+          secretName: mhub-appserver
+      - name: mhub-report
+        secret:
+          secretName: mhub-report
+      - name: runtime-locator-join-user
+        secret:
+          secretName: runtime-locator-join-user
+      - name: password-key-file
+        secret:
+          secretName: password-key-file
--- a/rendered/manifests/k3s-dev/abinitio-platform/portal/networking.k8s.io_v1_ingress_portal-nginx-ingress.yaml
+++ b/rendered/manifests/k3s-dev/abinitio-platform/portal/networking.k8s.io_v1_ingress_portal-nginx-ingress.yaml
@@ -0,0 +1,57 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  annotations:
+    nginx.ingress.kubernetes.io/affinity: cookie
+    nginx.ingress.kubernetes.io/affinity-mode: persistent
+    nginx.ingress.kubernetes.io/backend-protocol: HTTPS
+    nginx.ingress.kubernetes.io/proxy-body-size: 1000m
+    nginx.ingress.kubernetes.io/proxy-connect-timeout: "300"
+    nginx.ingress.kubernetes.io/proxy-read-timeout: "300"
+    nginx.ingress.kubernetes.io/proxy-send-timeout: "300"
+    nginx.ingress.kubernetes.io/session-cookie-expires: "172800"
+    nginx.ingress.kubernetes.io/session-cookie-max-age: "172800"
+    nginx.ingress.kubernetes.io/session-cookie-name: portal-nginx
+    nginx.ingress.kubernetes.io/session-cookie-samesite: Strict
+    nginx.org/ssl-services: portal-nginx
+  labels:
+    abinitio/deployment: portal-nginx
+    app.kubernetes.io/instance: portal-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: portal-nginx
+    app.kubernetes.io/part-of: AbInitio
+    app.kubernetes.io/version: 4.4.1
+    helm.sh/chart: portal-nginx-2.4.3-a
+  name: portal-nginx-ingress
+  namespace: abinitio
+spec:
+  ingressClassName: nginx
+  rules:
+  - host: aidp.k3s.sg.ic.cloudguild.gcp.abinitio.com
+    http:
+      paths:
+      - backend:
+          service:
+            name: runtime-locator
+            port:
+              number: 8888
+        path: /runtime-locator/
+        pathType: Prefix
+      - backend:
+          service:
+            name: runtime-locator
+            port:
+              number: 8443
+        path: /bridge/
+        pathType: Prefix
+      - backend:
+          service:
+            name: portal-nginx
+            port:
+              number: 8443
+        path: /
+        pathType: Prefix
+  tls:
+  - hosts:
+    - aidp.k3s.sg.ic.cloudguild.gcp.abinitio.com
+    secretName: abinitio-tls
--- a/rendered/manifests/k3s-dev/abinitio-platform/portal/v1_configmap_cafe-external-config.yaml
+++ b/rendered/manifests/k3s-dev/abinitio-platform/portal/v1_configmap_cafe-external-config.yaml
@@ -0,0 +1,58 @@
+apiVersion: v1
+data:
+  cafe.yaml: |
+    externalConfig:
+      cafe:
+        allowDrillDown: true
+        appIdentifier: expressit
+        appserverType: tomcat
+        authentication:
+          type: ag
+        authorization:
+          type: ag
+        authorizationGateway:
+          password: file=/secrets/cafe_join_user/password
+          productIdentifier: Cafe
+          productName: Cafe
+          url: http://authgateway:8080/authgateway
+          username: cafe_join_user
+        bridgeConnection:
+          encryptionType: aes128-gcm
+          rpcSecret: file=/secrets/bridge/password
+          securityConfig: container-bridge-security
+          url: http://expressit-bridge:7070
+        cluster:
+          autoConfig:
+            hosts: cafe-jgroup
+            port: 7800
+            protocol: tcp
+          channelName: ch01
+          enabled: true
+        emeTR:
+          useAgCredentials: true
+        interop:
+          dataCatalogServices:
+            url: http://datacatalog:8080/datacatalog
+          expressIt:
+            agProductName: Express>It
+            url: http://expressit:8080/expressit
+        logging:
+          directoryPath: /abinitio/webapp/logs
+          maxBackups: 3
+        packageForSupport:
+          encrypted: EncryptForNonAdmins
+        urlFromBrowser: https://aidp.k3s.sg.ic.cloudguild.gcp.abinitio.com/portal
+        websockets:
+          forceDisable: false
+kind: ConfigMap
+metadata:
+  labels:
+    abinitio/deployment: portal
+    app.kubernetes.io/instance: cafe
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: cafe
+    app.kubernetes.io/part-of: AbInitio
+    app.kubernetes.io/version: 4.4.1
+    helm.sh/chart: cafe-2.4.3-a
+  name: cafe-external-config
+  namespace: abinitio
--- a/rendered/manifests/k3s-dev/abinitio-platform/portal/v1_configmap_portal-nginx-external-config.yaml
+++ b/rendered/manifests/k3s-dev/abinitio-platform/portal/v1_configmap_portal-nginx-external-config.yaml
@@ -0,0 +1,192 @@
+apiVersion: v1
+data:
+  nginx.conf: |
+    worker_processes auto;
+    error_log /abinitio/webapp/logs/error.log;
+
+    # When running containing as non-root user (1001)
+    # TODO: when switch is made to using abinitio nginx,
+    # will this change?
+    pid /tmp/nginx.pid;
+
+    events {
+      worker_connections 1024;
+    }
+
+    http {
+      # When running as non root user, set *temp* paths to /tmp/*
+      client_body_temp_path /tmp/client_temp;
+      proxy_temp_path       /tmp/proxy_temp_path;
+      fastcgi_temp_path     /tmp/fastcgi_temp;
+      uwsgi_temp_path       /tmp/uwsgi_temp;
+      scgi_temp_path        /tmp/scgi_temp;
+
+      log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
+                        '$status $body_bytes_sent "$http_referer" '
+                        '"$http_user_agent" "$http_host" "$http_x_forwarded_for" [$http_cookie]';
+
+      access_log  /abinitio/webapp/logs/access.log  main;
+
+      sendfile            on;
+      tcp_nopush          on;
+      tcp_nodelay         on;
+      keepalive_timeout   65;
+      types_hash_max_size 2048;
+
+      proxy_read_timeout    300;
+      proxy_connect_timeout 300;
+      proxy_send_timeout    300;
+      proxy_intercept_errors on;
+
+      client_max_body_size  100m;
+
+      include             /etc/nginx/mime.types;
+      default_type        application/octet-stream;
+
+      # Enable gzip compression
+      gzip on;
+      gzip_vary on;
+      gzip_proxied any;
+      gzip_comp_level 6;
+      gzip_types text/plain text/css text/xml text/javascript application/json application/javascript application/xml+rss application/rss+xml font/truetype font/opentype application/vnd.ms-fontobject image/svg+xml;
+      gzip_disable "msie6";
+      gzip_min_length 256;
+
+      # we might need to strip the CSRF token cookie when the portal is using "direct" proxies,
+      # so capture it here
+      map $http_cookie $cookie_without_csrfToken {
+        default $http_cookie;
+        # This regex captures any content before and after the csrfToken cookie.
+
+        # Only csrfToken present
+        "~*^csrfToken=[^;]+$"                                     "";
+        # csrfToken at the start
+        "~*^csrfToken=[^;]+;\s*(.*)"                              "$1";
+        # csrfToken in the middle
+        "~*(.*);\s*csrfToken=[^;]+;\s*(.*)"                       "$1; $2";
+        # csrfToken at the end
+        "~*(.*);\s*csrfToken=[^;]+$"                              "$1";
+      }
+
+      # if the referer header contains "/portal/",
+      # we want to use the filtered cookie for any location the portal might use for direct proxies
+      map $http_referer $final_cookie {
+        default $http_cookie;
+        "~*/portal/" $cookie_without_csrfToken;
+      }
+
+      server {
+        listen      8443 ssl;
+        server_name  _;
+        root        /usr/share/nginx/html;
+
+        ssl_certificate /var/run/secrets/abinitio/cert/server.crt;
+        ssl_certificate_key /var/run/secrets/abinitio/cert/server.key;
+
+        ssl_protocols TLSv1.2 TLSv1.3;  # Adjust as necessary
+        ssl_ciphers HIGH:!aNULL:!MD5;   # Ensure strong ciphers
+
+        location / {
+        }
+
+        location /portal/app/ {
+          index index.html;
+        }
+
+        location /portal/app/webapp/app/assets/platform-portal/ {
+          alias /usr/share/nginx/html/platform/;
+        }
+
+        rewrite ^/$ $scheme://$http_host/portal/app/ redirect;
+        location /portal {
+          client_max_body_size 1000M;
+          proxy_pass http://cafe:8080/portal;
+          proxy_http_version 1.1;
+          proxy_set_header Upgrade $http_upgrade;
+          proxy_set_header Connection "upgrade";
+          proxy_set_header Host $host;
+          proxy_set_header X-Real-IP $remote_addr;
+        }
+        location /authgateway {
+          client_max_body_size 1000M;
+          proxy_pass http://authgateway:8080/authgateway;
+          proxy_http_version 1.1;
+          proxy_set_header Upgrade $http_upgrade;
+          proxy_set_header Connection "upgrade";
+          proxy_set_header Host $host;
+          proxy_set_header X-Real-IP $remote_addr;
+          # CPT-748: handling of chucked downloads
+          proxy_buffering off;
+        }
+        location /expressit {
+          client_max_body_size 1000M;
+          proxy_pass http://expressit:8080/expressit;
+          proxy_http_version 1.1;
+          proxy_set_header Upgrade $http_upgrade;
+          proxy_set_header Connection "upgrade";
+          proxy_set_header Host $host;
+          proxy_set_header X-Real-IP $remote_addr;
+        }
+        location /metadatahub {
+          client_max_body_size 1000M;
+          proxy_pass http://metadatahub:8080/metadatahub;
+          proxy_http_version 1.1;
+          proxy_set_header Upgrade $http_upgrade;
+          proxy_set_header Connection "upgrade";
+          proxy_set_header Host $host;
+          proxy_set_header X-Real-IP $remote_addr;
+          # requests originating from the portal should use the csrf-trimmed version of the cookie header
+          proxy_set_header Cookie $final_cookie;
+          # CPT-748: handling of chucked downloads
+          proxy_buffering off;
+        }
+        location /controlcenter {
+          client_max_body_size 1000M;
+          proxy_pass http://controlcenter:8080/controlcenter;
+          proxy_http_version 1.1;
+          proxy_set_header Upgrade $http_upgrade;
+          proxy_set_header Connection "upgrade";
+          proxy_set_header Host $host;
+          proxy_set_header X-Real-IP $remote_addr;
+        }
+        location /datacatalog {
+          client_max_body_size 1000M;
+          proxy_pass http://datacatalog:8080/datacatalog;
+          proxy_http_version 1.1;
+          proxy_set_header Upgrade $http_upgrade;
+          proxy_set_header Connection "upgrade";
+          proxy_set_header Host $host;
+          proxy_set_header X-Real-IP $remote_addr;
+        }
+        location /qiadmin {
+          client_max_body_size 1000M;
+          proxy_pass http://queryit-admin:8080/qiadmin;
+          proxy_http_version 1.1;
+          proxy_set_header Upgrade $http_upgrade;
+          proxy_set_header Connection "upgrade";
+          proxy_set_header Host $host;
+          proxy_set_header X-Real-IP $remote_addr;
+        }
+        location /trw {
+          client_max_body_size 1000M;
+          proxy_pass http://trw:8080/trw;
+          proxy_http_version 1.1;
+          proxy_set_header Upgrade $http_upgrade;
+          proxy_set_header Connection "upgrade";
+          proxy_set_header Host $host;
+          proxy_set_header X-Real-IP $remote_addr;
+        }
+      }
+    }
+kind: ConfigMap
+metadata:
+  labels:
+    abinitio/deployment: portal-nginx
+    app.kubernetes.io/instance: portal-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: portal-nginx
+    app.kubernetes.io/part-of: AbInitio
+    app.kubernetes.io/version: 4.4.1
+    helm.sh/chart: portal-nginx-2.4.3-a
+  name: portal-nginx-external-config
+  namespace: abinitio
--- a/rendered/manifests/k3s-dev/abinitio-platform/portal/v1_configmap_portal-nginx-platform-data.yaml
+++ b/rendered/manifests/k3s-dev/abinitio-platform/portal/v1_configmap_portal-nginx-platform-data.yaml
@@ -0,0 +1,108 @@
+apiVersion: v1
+data:
+  40x.html: |
+    <!DOCTYPE html>
+    <html lang="en">
+    <head>
+        <meta charset="UTF-8">
+        <meta name="viewport" content="width=device-width, initial-scale=1.0">
+        <title>404 Not Found</title>
+        <style>
+            body {
+                background-color: #f8f9fa;
+                color: #343a40;
+                font-family: Arial, sans-serif;
+                text-align: center;
+                padding: 50px;
+            }
+            h1 {
+                font-size: 50px;
+                margin-bottom: 20px;
+            }
+            p {
+                font-size: 20px;
+                margin-bottom: 30px;
+            }
+            a {
+                text-decoration: none;
+                color: #007bff;
+                font-size: 18px;
+            }
+            a:hover {
+                text-decoration: underline;
+            }
+        </style>
+    </head>
+    <body>
+        <h1>404 Not Found</h1>
+        <p>Sorry, the page you are looking for does not exist.</p>
+        <p><a href="/">Go to Homepage</a></p>
+    </body>
+    </html>
+  50x.html: |
+    <!DOCTYPE html>
+    <html lang="en">
+    <head>
+        <meta charset="UTF-8">
+        <meta name="viewport" content="width=device-width, initial-scale=1.0">
+        <title>500 Internal Server Error</title>
+        <style>
+            body {
+                background-color: #f8f9fa;
+                color: #343a40;
+                font-family: Arial, sans-serif;
+                text-align: center;
+                padding: 50px;
+            }
+            h1 {
+                font-size: 50px;
+                margin-bottom: 20px;
+            }
+            p {
+                font-size: 20px;
+                margin-bottom: 30px;
+            }
+            a {
+                text-decoration: none;
+                color: #007bff;
+                font-size: 18px;
+            }
+            a:hover {
+                text-decoration: underline;
+            }
+        </style>
+    </head>
+    <body>
+        <h1>500 Internal Server Error</h1>
+        <p>Oops! Something went wrong on our end.</p>
+        <p>Please try refreshing the page, or come back later.</p>
+        <p><a href="/">Go to Homepage</a></p>
+    </body>
+    </html>
+  abinitio-environment.json: |
+    {
+      "isKeyed": true
+    }
+  abinitio-platform.json: |
+    {
+      "platform": {
+        "name": "Ab Initio Data Platform",
+        "version": "4.4.1.1-1"
+      },
+      "content": {
+        "tutorials": false
+      },
+      "products": []
+    }
+kind: ConfigMap
+metadata:
+  labels:
+    abinitio/deployment: portal-nginx
+    app.kubernetes.io/instance: portal-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: portal-nginx
+    app.kubernetes.io/part-of: AbInitio
+    app.kubernetes.io/version: 4.4.1
+    helm.sh/chart: portal-nginx-2.4.3-a
+  name: portal-nginx-platform-data
+  namespace: abinitio
--- a/rendered/manifests/k3s-dev/abinitio-platform/portal/v1_service_cafe-jgroup.yaml
+++ b/rendered/manifests/k3s-dev/abinitio-platform/portal/v1_service_cafe-jgroup.yaml
@@ -0,0 +1,25 @@
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    abinitio/deployment: portal
+    app.kubernetes.io/instance: cafe
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: cafe
+    app.kubernetes.io/part-of: AbInitio
+    app.kubernetes.io/version: 4.4.1
+    helm.sh/chart: cafe-2.4.3-a
+  name: cafe-jgroup
+  namespace: abinitio
+spec:
+  clusterIP: None
+  ports:
+  - name: jgroup-channel
+    port: 7800
+    protocol: TCP
+    targetPort: 7800
+  publishNotReadyAddresses: true
+  selector:
+    app.kubernetes.io/instance: cafe
+    app.kubernetes.io/name: cafe
+  type: ClusterIP
--- a/rendered/manifests/k3s-dev/abinitio-platform/portal/v1_service_cafe.yaml
+++ b/rendered/manifests/k3s-dev/abinitio-platform/portal/v1_service_cafe.yaml
@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    abinitio/deployment: portal
+    app.kubernetes.io/instance: cafe
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: cafe
+    app.kubernetes.io/part-of: AbInitio
+    app.kubernetes.io/version: 4.4.1
+    helm.sh/chart: cafe-2.4.3-a
+  name: cafe
+  namespace: abinitio
+spec:
+  ports:
+  - name: http
+    port: 8080
+    protocol: TCP
+    targetPort: 8080
+  selector:
+    app.kubernetes.io/instance: cafe
+    app.kubernetes.io/name: cafe
+  sessionAffinity: ClientIP
+  sessionAffinityConfig:
+    clientIP:
+      timeoutSeconds: 86400
+  type: ClusterIP
--- a/rendered/manifests/k3s-dev/abinitio-platform/portal/v1_service_portal-nginx.yaml
+++ b/rendered/manifests/k3s-dev/abinitio-platform/portal/v1_service_portal-nginx.yaml
@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    abinitio/deployment: portal-nginx
+    app.kubernetes.io/instance: portal-nginx
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: portal-nginx
+    app.kubernetes.io/part-of: AbInitio
+    app.kubernetes.io/version: 4.4.1
+    helm.sh/chart: portal-nginx-2.4.3-a
+  name: portal-nginx
+  namespace: abinitio
+spec:
+  ports:
+  - name: http
+    port: 8443
+    protocol: TCP
+    targetPort: 8443
+  selector:
+    app.kubernetes.io/instance: portal-nginx
+    app.kubernetes.io/name: portal-nginx
+  sessionAffinity: ClientIP
+  sessionAffinityConfig:
+    clientIP:
+      timeoutSeconds: 86400
+  type: ClusterIP
--- a/rendered/manifests/k3s-dev/abinitio-platform/queryit/apps_v1_deployment_queryit-0.yaml
+++ b/rendered/manifests/k3s-dev/abinitio-platform/queryit/apps_v1_deployment_queryit-0.yaml
@@ -0,0 +1,409 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app.kubernetes.io/instance: queryit-0
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: queryit
+    app.kubernetes.io/part-of: AbInitio
+    app.kubernetes.io/version: 4.4.1
+    helm.sh/chart: queryit-2.4.3-a
+  name: queryit-0
+  namespace: abinitio
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/instance: queryit-0
+      app.kubernetes.io/name: queryit
+  strategy:
+    type: Recreate
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/instance: queryit-0
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: queryit
+        app.kubernetes.io/part-of: AbInitio
+        app.kubernetes.io/version: 4.4.1
+        helm.sh/chart: queryit-2.4.3-a
+      name: queryit-0
+    spec:
+      containers:
+      - args:
+        - --ab-k8s-start-reporter
+        - "true"
+        - --ab-k8s-job-launch-script
+        - /ab-setup/setup_pod.sh
+        command:
+        - ab-container-entrypoint.ksh
+        env:
+        - name: AB_AIR_ENCRYPTED_PASSWORD
+          value: file=/secrets/aiadmin/password
+        - name: AB_AIR_ROOT
+          value: //eme-0.eme-headless/abinitio/eme/eme
+        - name: AB_AIR_USER
+          value: aiadmin
+        - name: AB_ALLOW_FILE_LOCK_ON_REMOTE_FILE_SYSTEM
+          value: "true"
+        - name: AB_AUTHORIZATION_GATEWAY_URL
+          value: http://authgateway:8080/authgateway
+        - name: AB_BRIDGE_CONFIGURATION_DIR
+          value: /abinitio/bridge
+        - name: AB_BRIDGE_CONFIGURATION_NAME
+          value: container-bridge
+        - name: AB_CHARSET
+          value: utf-8
+        - name: AB_CONFIGURATION
+          value: /config/pod/abinitiorc:/config/pod/apphubrc
+        - name: AB_CONNECTION_BRIDGE_ENCRYPTED_RPC_ENCRYPTION_KEY
+          value: file=/secrets/bridge/password
+        - name: AB_CONNECTION_BRIDGE_PORT
+          value: "7070"
+        - name: AB_CONNECTION_BRIDGE_RPC_ENCRYPTION_TYPE
+          value: aes128-gcm
+        - name: AB_CONNECTION_BRIDGE_SECURITY_CONFIGURATION
+          value: container-bridge-security
+        - name: AB_HOSTNAME_KEYSERVER_URLS
+          value: abks://key-server:6151
+        - name: AB_IPV4_ONLY
+          value: "true"
+        - name: AB_K8S_MAX_IDLE_SECONDS
+          value: "0"
+        - name: AB_K8S_START_BRIDGE
+          value: background
+        - name: AB_K8S_START_REPORTER
+          value: "true"
+        - name: AB_KEY_DAEMON_DIR
+          value: /tmp/abkc/data
+        - name: AB_MHUB_ENCRYPTED_PASSWORD
+          value: file=/secrets/aiadmin/password
+        - name: AB_MHUB_URL
+          value: http://metadatahub:8080/metadatahub
+        - name: AB_MHUB_USERNAME
+          value: aiadmin
+        - name: AB_MUX_ENABLE_AG_CREDENTIAL_MAPPING
+          value: "false"
+        - name: AB_OPS_CONSOLE_URL
+          value: http://controlcenter:8080/controlcenter
+        - name: AB_OPS_PHYSICAL_HOSTNAME
+          value: queryit-0
+        - name: AB_OPS_WSS_ENCRYPTED_PASSWORD
+          value: file=/secrets/ocagent/password
+        - name: AB_OPS_WSS_USERNAME
+          value: ocagent
+        - name: AB_PASSWORD_KEY_FILE
+          value: /secrets/password_key_file/password
+        - name: BRIDGE_AB_ENCRYPTED_KEY
+          value: file=/secrets/bridge/password
+        - name: CC_ADMIN_ENCRYPTED_PASSWORD
+          value: file=/secrets/aiadmin/password
+        - name: CC_ADMIN_USERNAME
+          value: aiadmin
+        - name: CMAP_MOUNT
+          value: /config/pod
+        - name: DATACATALOG_ENABLE
+          value: "true"
+        - name: DATACATALOG_ENCRYPTED_PASSWORD
+          value: file=/secrets/aiadmin/password
+        - name: DATACATALOG_USERNAME
+          value: aiadmin
+        - name: DEPLOY_NAME
+          value: queryit
+        - name: LOAD_PHYSOBJECTS
+          value: "true"
+        - name: METADATA_LOADER_HOST
+          value: metadata-loader
+        - name: METADATA_LOADER_PKG_DIR
+          value: /abinitio/package/physobjects
+        - name: NAMESPACE
+          value: abinitio
+        - name: POD_IP
+          valueFrom:
+            fieldRef:
+              fieldPath: status.podIP
+        - name: POD_LABEL
+          value: 'abinitio/product: queryit, abinitio/deployment: queryit'
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        - name: POD_SERVICE
+          value: queryit-0
+        - name: POD_SERVICE_HEADLESS
+          value: queryit-0-headless
+        image: asia-southeast1-docker.pkg.dev/str-22391/cloudplatform-proxy/aidp/queryit:4.4.1.1-1
+        imagePullPolicy: IfNotPresent
+        name: queryit
+        readinessProbe:
+          exec:
+            command:
+            - stat
+            - /tmp/.pod.ready
+          failureThreshold: 240
+          periodSeconds: 10
+        resources:
+          limits:
+            ephemeral-storage: 8Gi
+            memory: 8Gi
+          requests:
+            cpu: "1"
+            ephemeral-storage: 8Gi
+            memory: 4Gi
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
+          runAsGroup: 1000
+          runAsNonRoot: true
+          runAsUser: 1000
+          seccompProfile:
+            type: RuntimeDefault
+        volumeMounts:
+        - mountPath: /config/pod
+          name: pod-config
+        - mountPath: /config/pod/enterprise-data-masking
+          name: enterprise-data-masking
+          readOnly: true
+        - mountPath: /abinitio
+          name: abinitio-local
+        - mountPath: /secrets/aiadmin/password
+          name: aiadmin
+          subPath: password
+        - mountPath: /secrets/ocagent/password
+          name: ocagent
+          subPath: password
+        - mountPath: /secrets/bridge/password
+          name: bridge
+          subPath: password
+        - mountPath: /secrets/eme_join_user/password
+          name: eme-join-user
+          subPath: password
+        - mountPath: /secrets/qi_join_user/password
+          name: qi-join-user
+          subPath: password
+        - mountPath: /secrets/dcs_utility_user/password
+          name: dcs-utility-user
+          subPath: password
+        - mountPath: /secrets/mhub_utility_user/password
+          name: mhub-utility-user
+          subPath: password
+        - mountPath: /secrets/ag_db_importer/password
+          name: ag-db-importer
+          subPath: password
+        - mountPath: /secrets/admin/password
+          name: admin
+          subPath: password
+        - mountPath: /secrets/ag_ui_importer/password
+          name: ag-ui-importer
+          subPath: password
+        - mountPath: /secrets/cafe_join_user/password
+          name: cafe-join-user
+          subPath: password
+        - mountPath: /secrets/cc_join_user/password
+          name: cc-join-user
+          subPath: password
+        - mountPath: /secrets/dcs_join_user/password
+          name: dcs-join-user
+          subPath: password
+        - mountPath: /secrets/ei_join_user/password
+          name: ei-join-user
+          subPath: password
+        - mountPath: /secrets/mhub_join_user/password
+          name: mhub-join-user
+          subPath: password
+        - mountPath: /secrets/qiadmin_join_user/password
+          name: qiadmin-join-user
+          subPath: password
+        - mountPath: /secrets/sd_join_user/password
+          name: sd-join-user
+          subPath: password
+        - mountPath: /secrets/trw_join_user/password
+          name: trw-join-user
+          subPath: password
+        - mountPath: /secrets/mhub_db_importer/password
+          name: mhub-db-importer
+          subPath: password
+        - mountPath: /secrets/mhub_ui_importer/password
+          name: mhub-ui-importer
+          subPath: password
+        - mountPath: /secrets/ag_appserver/password
+          name: ag-appserver
+          subPath: password
+        - mountPath: /secrets/ag_report/password
+          name: ag-report
+          subPath: password
+        - mountPath: /secrets/cc_jdbc/password
+          name: cc-jdbc
+          subPath: password
+        - mountPath: /secrets/dcs_hmac_key/password
+          name: dcs-hmac-key
+          subPath: password
+        - mountPath: /secrets/abinitio/password
+          name: abinitio
+          subPath: password
+        - mountPath: /secrets/mhub_appserver/password
+          name: mhub-appserver
+          subPath: password
+        - mountPath: /secrets/mhub_report/password
+          name: mhub-report
+          subPath: password
+        - mountPath: /secrets/runtime_locator_join_user/password
+          name: runtime-locator-join-user
+          subPath: password
+        - mountPath: /secrets/password_key_file/password
+          name: password-key-file
+          subPath: password
+        - mountPath: /ab_share
+          name: ab-share-data-and-appconf-root
+        - mountPath: /tmp
+          name: tmp-volume
+      hostAliases:
+      - hostnames:
+        - queryit-0.abinitio
+        ip: 127.0.0.1
+      hostname: queryit-0
+      initContainers:
+      - args:
+        - -c
+        - cp /edm.tar.gz /tmp/edm.tar.gz
+        command:
+        - sh
+        image: asia-southeast1-docker.pkg.dev/str-22391/cloudplatform-proxy/aidp/enterprise-data-masking:4.4.1.1-1
+        imagePullPolicy: IfNotPresent
+        name: copy-edm
+        resources:
+          limits:
+            ephemeral-storage: 2Gi
+            memory: 1Gi
+          requests:
+            cpu: 500m
+            ephemeral-storage: 1Gi
+            memory: 1Gi
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
+          runAsGroup: 1000
+          runAsNonRoot: true
+          runAsUser: 1000
+          seccompProfile:
+            type: RuntimeDefault
+        volumeMounts:
+        - mountPath: /tmp
+          name: tmp-volume
+      securityContext:
+        fsGroup: 1000
+        fsGroupChangePolicy: OnRootMismatch
+        runAsGroup: 1000
+        runAsNonRoot: true
+        runAsUser: 1000
+        seccompProfile:
+          type: RuntimeDefault
+      serviceAccountName: abinitio-sa
+      terminationGracePeriodSeconds: 30
+      volumes:
+      - configMap:
+          defaultMode: 511
+          name: queryit-0
+        name: pod-config
+      - configMap:
+          name: enterprise-data-masking
+        name: enterprise-data-masking
+      - name: abinitio-local
+        persistentVolumeClaim:
+          claimName: queryit-0-claim
+      - emptyDir: {}
+        name: tmp-volume
+      - name: aiadmin
+        secret:
+          secretName: aiadmin
+      - name: ocagent
+        secret:
+          secretName: ocagent
+      - name: bridge
+        secret:
+          secretName: bridge
+      - name: eme-join-user
+        secret:
+          secretName: eme-join-user
+      - name: qi-join-user
+        secret:
+          secretName: qi-join-user
+      - name: dcs-utility-user
+        secret:
+          secretName: dcs-utility-user
+      - name: mhub-utility-user
+        secret:
+          secretName: mhub-utility-user
+      - name: ag-db-importer
+        secret:
+          secretName: ag-db-importer
+      - name: admin
+        secret:
+          secretName: admin
+      - name: ag-ui-importer
+        secret:
+          secretName: ag-ui-importer
+      - name: cafe-join-user
+        secret:
+          secretName: cafe-join-user
+      - name: cc-join-user
+        secret:
+          secretName: cc-join-user
+      - name: dcs-join-user
+        secret:
+          secretName: dcs-join-user
+      - name: ei-join-user
+        secret:
+          secretName: ei-join-user
+      - name: mhub-join-user
+        secret:
+          secretName: mhub-join-user
+      - name: qiadmin-join-user
+        secret:
+          secretName: qiadmin-join-user
+      - name: sd-join-user
+        secret:
+          secretName: sd-join-user
+      - name: trw-join-user
+        secret:
+          secretName: trw-join-user
+      - name: mhub-db-importer
+        secret:
+          secretName: mhub-db-importer
+      - name: mhub-ui-importer
+        secret:
+          secretName: mhub-ui-importer
+      - name: ag-appserver
+        secret:
+          secretName: ag-appserver
+      - name: ag-report
+        secret:
+          secretName: ag-report
+      - name: cc-jdbc
+        secret:
+          secretName: cc-jdbc
+      - name: dcs-hmac-key
+        secret:
+          secretName: dcs-hmac-key
+      - name: abinitio
+        secret:
+          secretName: abinitio
+      - name: mhub-appserver
+        secret:
+          secretName: mhub-appserver
+      - name: mhub-report
+        secret:
+          secretName: mhub-report
+      - name: runtime-locator-join-user
+        secret:
+          secretName: runtime-locator-join-user
+      - name: password-key-file
+        secret:
+          secretName: password-key-file
+      - name: ab-share-data-and-appconf-root
+        persistentVolumeClaim:
+          claimName: ab-shared-data-and-appconf-root-claim
--- a/rendered/manifests/k3s-dev/abinitio-platform/queryit/apps_v1_deployment_queryit-admin.yaml
+++ b/rendered/manifests/k3s-dev/abinitio-platform/queryit/apps_v1_deployment_queryit-admin.yaml
@@ -0,0 +1,312 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    abinitio/deployment: qiadmin
+    app.kubernetes.io/instance: queryit-admin
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: queryit-admin
+    app.kubernetes.io/part-of: AbInitio
+    app.kubernetes.io/version: 4.4.1
+    helm.sh/chart: queryit-admin-2.4.3-a
+  name: queryit-admin
+  namespace: abinitio
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/instance: queryit-admin
+      app.kubernetes.io/name: queryit-admin
+  template:
+    metadata:
+      labels:
+        abinitio/deployment: qiadmin
+        app.kubernetes.io/instance: queryit-admin
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: queryit-admin
+        app.kubernetes.io/part-of: AbInitio
+        app.kubernetes.io/version: 4.4.1
+        helm.sh/chart: queryit-admin-2.4.3-a
+      name: queryit-admin
+    spec:
+      containers:
+      - env:
+        - name: AB_CONFIG_PROVIDER_URL
+          value: file://localhost/config
+        - name: AB_IPV4_ONLY
+          value: "true"
+        - name: AB_PASSWORD_KEY_FILE
+          value: /secrets/password_key_file/password
+        - name: CATALINA_TMPDIR
+          value: /tmp
+        - name: DEPLOY_NAME
+          value: qiadmin
+        - name: JAVA_OPTS
+          value: -XX:InitialRAMPercentage=50.0 -XX:MaxRAMPercentage=75.0
+        - name: LOAD_PHYSOBJECTS
+          value: "true"
+        - name: NAMESPACE
+          value: abinitio
+        - name: POD_IP
+          valueFrom:
+            fieldRef:
+              fieldPath: status.podIP
+        - name: POD_LABEL
+          value: 'abinitio/product: queryit-admin, abinitio/deployment: qiadmin'
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        - name: POD_SERVICE
+          value: queryit-admin
+        image: asia-southeast1-docker.pkg.dev/str-22391/cloudplatform-proxy/aidp/queryit-admin:4.4.1.1-1
+        imagePullPolicy: IfNotPresent
+        lifecycle:
+          preStop:
+            exec:
+              command:
+              - /bin/sh
+              - -c
+              - ${CATALINA_HOME}/bin/catalina.sh stop
+        livenessProbe:
+          failureThreshold: 3
+          httpGet:
+            path: /qiadmin/api/abwebinternal/health/k8s/liveness
+            port: 8080
+          initialDelaySeconds: 5
+          periodSeconds: 30
+        name: queryit-admin-app
+        readinessProbe:
+          failureThreshold: 3
+          httpGet:
+            path: /qiadmin/api/abwebinternal/health/k8s/readiness
+            port: 8080
+          initialDelaySeconds: 10
+          periodSeconds: 30
+        resources:
+          limits:
+            ephemeral-storage: 2Gi
+            memory: 4Gi
+          requests:
+            cpu: 100m
+            ephemeral-storage: 2Gi
+            memory: 4Gi
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
+          runAsGroup: 1000
+          runAsNonRoot: true
+          runAsUser: 1000
+          seccompProfile:
+            type: RuntimeDefault
+        startupProbe:
+          failureThreshold: 3
+          httpGet:
+            path: /qiadmin/api/abwebinternal/health/k8s/startup
+            port: 8080
+          initialDelaySeconds: 15
+          periodSeconds: 30
+        volumeMounts:
+        - mountPath: /config/qiadmin
+          name: app-external-config
+        - mountPath: /abinitio
+          name: abinitio-local
+        - mountPath: /tmp
+          name: tmp-volume
+        - mountPath: /secrets/aiadmin/password
+          name: aiadmin
+          subPath: password
+        - mountPath: /secrets/ocagent/password
+          name: ocagent
+          subPath: password
+        - mountPath: /secrets/bridge/password
+          name: bridge
+          subPath: password
+        - mountPath: /secrets/eme_join_user/password
+          name: eme-join-user
+          subPath: password
+        - mountPath: /secrets/qi_join_user/password
+          name: qi-join-user
+          subPath: password
+        - mountPath: /secrets/dcs_utility_user/password
+          name: dcs-utility-user
+          subPath: password
+        - mountPath: /secrets/mhub_utility_user/password
+          name: mhub-utility-user
+          subPath: password
+        - mountPath: /secrets/ag_db_importer/password
+          name: ag-db-importer
+          subPath: password
+        - mountPath: /secrets/admin/password
+          name: admin
+          subPath: password
+        - mountPath: /secrets/ag_ui_importer/password
+          name: ag-ui-importer
+          subPath: password
+        - mountPath: /secrets/cafe_join_user/password
+          name: cafe-join-user
+          subPath: password
+        - mountPath: /secrets/cc_join_user/password
+          name: cc-join-user
+          subPath: password
+        - mountPath: /secrets/dcs_join_user/password
+          name: dcs-join-user
+          subPath: password
+        - mountPath: /secrets/ei_join_user/password
+          name: ei-join-user
+          subPath: password
+        - mountPath: /secrets/mhub_join_user/password
+          name: mhub-join-user
+          subPath: password
+        - mountPath: /secrets/qiadmin_join_user/password
+          name: qiadmin-join-user
+          subPath: password
+        - mountPath: /secrets/sd_join_user/password
+          name: sd-join-user
+          subPath: password
+        - mountPath: /secrets/trw_join_user/password
+          name: trw-join-user
+          subPath: password
+        - mountPath: /secrets/mhub_db_importer/password
+          name: mhub-db-importer
+          subPath: password
+        - mountPath: /secrets/mhub_ui_importer/password
+          name: mhub-ui-importer
+          subPath: password
+        - mountPath: /secrets/ag_appserver/password
+          name: ag-appserver
+          subPath: password
+        - mountPath: /secrets/ag_report/password
+          name: ag-report
+          subPath: password
+        - mountPath: /secrets/cc_jdbc/password
+          name: cc-jdbc
+          subPath: password
+        - mountPath: /secrets/dcs_hmac_key/password
+          name: dcs-hmac-key
+          subPath: password
+        - mountPath: /secrets/abinitio/password
+          name: abinitio
+          subPath: password
+        - mountPath: /secrets/mhub_appserver/password
+          name: mhub-appserver
+          subPath: password
+        - mountPath: /secrets/mhub_report/password
+          name: mhub-report
+          subPath: password
+        - mountPath: /secrets/runtime_locator_join_user/password
+          name: runtime-locator-join-user
+          subPath: password
+        - mountPath: /secrets/password_key_file/password
+          name: password-key-file
+          subPath: password
+      hostname: queryit-admin
+      initContainers: null
+      securityContext:
+        fsGroup: 1000
+        fsGroupChangePolicy: OnRootMismatch
+        runAsGroup: 1000
+        runAsNonRoot: true
+        runAsUser: 1000
+        seccompProfile:
+          type: RuntimeDefault
+      serviceAccountName: abinitio-sa
+      terminationGracePeriodSeconds: 30
+      volumes:
+      - emptyDir: {}
+        name: abinitio-local
+      - configMap:
+          defaultMode: 511
+          name: queryit-admin-external-config
+        name: app-external-config
+      - emptyDir: {}
+        name: tmp-volume
+      - name: aiadmin
+        secret:
+          secretName: aiadmin
+      - name: ocagent
+        secret:
+          secretName: ocagent
+      - name: bridge
+        secret:
+          secretName: bridge
+      - name: eme-join-user
+        secret:
+          secretName: eme-join-user
+      - name: qi-join-user
+        secret:
+          secretName: qi-join-user
+      - name: dcs-utility-user
+        secret:
+          secretName: dcs-utility-user
+      - name: mhub-utility-user
+        secret:
+          secretName: mhub-utility-user
+      - name: ag-db-importer
+        secret:
+          secretName: ag-db-importer
+      - name: admin
+        secret:
+          secretName: admin
+      - name: ag-ui-importer
+        secret:
+          secretName: ag-ui-importer
+      - name: cafe-join-user
+        secret:
+          secretName: cafe-join-user
+      - name: cc-join-user
+        secret:
+          secretName: cc-join-user
+      - name: dcs-join-user
+        secret:
+          secretName: dcs-join-user
+      - name: ei-join-user
+        secret:
+          secretName: ei-join-user
+      - name: mhub-join-user
+        secret:
+          secretName: mhub-join-user
+      - name: qiadmin-join-user
+        secret:
+          secretName: qiadmin-join-user
+      - name: sd-join-user
+        secret:
+          secretName: sd-join-user
+      - name: trw-join-user
+        secret:
+          secretName: trw-join-user
+      - name: mhub-db-importer
+        secret:
+          secretName: mhub-db-importer
+      - name: mhub-ui-importer
+        secret:
+          secretName: mhub-ui-importer
+      - name: ag-appserver
+        secret:
+          secretName: ag-appserver
+      - name: ag-report
+        secret:
+          secretName: ag-report
+      - name: cc-jdbc
+        secret:
+          secretName: cc-jdbc
+      - name: dcs-hmac-key
+        secret:
+          secretName: dcs-hmac-key
+      - name: abinitio
+        secret:
+          secretName: abinitio
+      - name: mhub-appserver
+        secret:
+          secretName: mhub-appserver
+      - name: mhub-report
+        secret:
+          secretName: mhub-report
+      - name: runtime-locator-join-user
+        secret:
+          secretName: runtime-locator-join-user
+      - name: password-key-file
+        secret:
+          secretName: password-key-file
--- a/rendered/manifests/k3s-dev/abinitio-platform/queryit/v1_configmap_queryit-0.yaml
+++ b/rendered/manifests/k3s-dev/abinitio-platform/queryit/v1_configmap_queryit-0.yaml
@@ -0,0 +1,71 @@
+apiVersion: v1
+data:
+  abinitiorc: |
+    AB_AIR_ROOT : //eme-0.eme-headless/abinitio/eme/eme
+    AB_BRIDGE_WORKDIR @ container-bridge : /tmp/container-bridge-workdir
+    AB_CHARSET : utf-8
+    AB_CONNECTION : bridge
+    AB_CONNECTION_BRIDGE_ENCRYPTED_RPC_ENCRYPTION_KEY : file=/secrets/bridge/password
+    AB_CONNECTION_BRIDGE_PORT : 7070
+    AB_CONNECTION_BRIDGE_RPC_ENCRYPTION_TYPE : aes128-gcm
+    AB_CONNECTION_BRIDGE_SECURITY_CONFIGURATION : container-bridge-security
+    AB_ENV_ROOT : /abinitio/sandboxes/sand/stdenv
+    AB_HOME @ emeabeme : /usr/local/abinitio
+    AB_HOSTNAME_KEYSERVER_URLS : abks://key-server:6151
+    AB_NODES @ emeabeme : eme-0.eme-headless metadatahub-importer
+    AB_SQL_SANDBOX : /abinitio/sandboxes/private_sand/queryit-instance-0
+  apphubrc: |
+    AB_AIR_BRANCH @ eme : main
+    AB_AIR_ROOT : //eme-0.eme-headless/abinitio/eme/eme
+    AB_AIR_ROOT @ eme : //eme-0.eme-headless/abinitio/eme/eme
+    AB_BRIDGE_VOLATILE_DIR : /tmp/ab-bridge-volatile-dir
+    AB_DESCRIPTION @ eme : Ab Initio Data Platform technical repository
+    AB_DESCRIPTION @ queryit-instance-0 : Sandbox path queryit-instance-0
+    AB_DISPLAY_NAME @ eme : Default technical repository deployed in eme StatefulSet
+    AB_DISPLAY_NAME @ queryit-instance-0 : queryit-instance-0
+    AB_EME_REPOSITORIES : eme
+    AB_KEYSERVER_GROUP : AI-IC-AWS001a
+    AB_KEYSERVER_URLS : abks://key-server:6150
+    AB_SQL_INSTANCES : queryit-instance-0
+    AB_SQL_INSTANCE_PATH @ queryit-instance-0 : /abinitio/sandboxes/private_sand/queryit-instance-0
+  physobjects.properties: |
+    AB_MHUB_LOCAL_DIR=/abinitio/deploy/metadatahub-importer
+    DCS_URL=http://datacatalog:8080/datacatalog
+    DO_MHUB_INSTALL=y
+    INSTALL_CONFIG_USING_ABAPP_MHUB=y
+    MHUB_ABAPP_NAME=metadatahub
+    MHUB_DATASTORE_NAME=metadatahub-importer
+    MHUB_IMPORTER_USERNAME=aiadmin
+    MHUB_IMPORT_PROFILE_PATH=/abinitio/deploy/metadatahub-importer/config/import.profile
+    MHUB_URL=http://metadatahub:8080/metadatahub
+    SKIP_MHUB_BACKUP=y
+    product_name=physical-objects
+    property_file_version=PF_V1
+    MHUB_IMPORTER_ENCRYPTED_PASSWORD=file=/secrets/aiadmin/password
+  qi_instance.config: |
+    QI_DEPLOY_NAME=queryit
+    QI_INSTANCE_NAME="queryit-instance-0"
+    QI_INSTANCE_NUMBER=0
+    QI_FLAG_BARE=
+    QI_FLAG_RESTORE=false
+    QI_BACKUP_PATH=
+    QI_AB_ENCRYPTED_PASSWORD=file=/secrets/aiadmin/password
+    MHUB_LOCAL_DIR=/abinitio/deploy/metadatahub-importer
+    AG_URL=http://authgateway:8080/authgateway
+    AG_USERNAME=qi_join_user
+    AG_PASSWORD=file=/secrets/qi_join_user/password
+    DCS_URL=http://datacatalog:8080/datacatalog
+    ## The requirement of qi pod as a mh importer will be released soon after 4.2.1
+    ## TODO: this env can be removed after
+    MHUB_URL=http://metadatahub:8080/metadatahub
+kind: ConfigMap
+metadata:
+  labels:
+    app.kubernetes.io/instance: queryit-0
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: queryit
+    app.kubernetes.io/part-of: AbInitio
+    app.kubernetes.io/version: 4.4.1
+    helm.sh/chart: queryit-2.4.3-a
+  name: queryit-0
+  namespace: abinitio
--- a/rendered/manifests/k3s-dev/abinitio-platform/queryit/v1_configmap_queryit-admin-external-config.yaml
+++ b/rendered/manifests/k3s-dev/abinitio-platform/queryit/v1_configmap_queryit-admin-external-config.yaml
@@ -0,0 +1,52 @@
+apiVersion: v1
+data:
+  qiadmin.yaml: |
+    externalConfig:
+      queryItAdministrator:
+        appserverType: tomcat
+        authentication:
+          type: ag
+        authorization:
+          type: ag
+        authorizationGateway:
+          password: file=/secrets/qiadmin_join_user/password
+          productIdentifier: Query>It Administrator
+          productName: Query>It Administrator
+          url: http://authgateway:8080/authgateway
+          username: qiadmin_join_user
+        bridgeConnection:
+          encryptionType: aes128-gcm
+          name: container-bridge
+          rpcSecret: file=/secrets/bridge/password
+          securityConfig: container-bridge-security
+          url: http://queryit-0:7070
+        cluster:
+          autoConfig:
+            hosts: queryit-admin-jgroup
+            port: 7800
+            protocol: tcp
+          channelName: ch01
+          enabled: true
+        logging:
+          directoryPath: /abinitio/webapp/logs
+          maxBackups: 3
+        packageForSupport:
+          encrypted: EncryptForNonAdmins
+        security:
+          dataCatalog:
+            hmacKey: file=/secrets/dcs_hmac_key/password
+        urlFromBrowser: https://aidp.k3s.sg.ic.cloudguild.gcp.abinitio.com/qiadmin
+        websockets:
+          forceDisable: false
+kind: ConfigMap
+metadata:
+  labels:
+    abinitio/deployment: qiadmin
+    app.kubernetes.io/instance: queryit-admin
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: queryit-admin
+    app.kubernetes.io/part-of: AbInitio
+    app.kubernetes.io/version: 4.4.1
+    helm.sh/chart: queryit-admin-2.4.3-a
+  name: queryit-admin-external-config
+  namespace: abinitio
--- a/rendered/manifests/k3s-dev/abinitio-platform/queryit/v1_persistentvolumeclaim_queryit-0-claim.yaml
+++ b/rendered/manifests/k3s-dev/abinitio-platform/queryit/v1_persistentvolumeclaim_queryit-0-claim.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  labels:
+    app.kubernetes.io/instance: queryit-0
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: queryit
+    app.kubernetes.io/part-of: AbInitio
+    app.kubernetes.io/version: 4.4.1
+    helm.sh/chart: queryit-2.4.3-a
+  name: queryit-0-claim
+  namespace: abinitio
+spec:
+  accessModes:
+  - ReadWriteOnce
+  resources:
+    requests:
+      storage: 10Gi
--- a/rendered/manifests/k3s-dev/abinitio-platform/queryit/v1_service_queryit-0.yaml
+++ b/rendered/manifests/k3s-dev/abinitio-platform/queryit/v1_service_queryit-0.yaml
@@ -0,0 +1,31 @@
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app.kubernetes.io/instance: queryit-0
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: queryit
+    app.kubernetes.io/part-of: AbInitio
+    app.kubernetes.io/version: 4.4.1
+    helm.sh/chart: queryit-2.4.3-a
+  name: queryit-0
+  namespace: abinitio
+spec:
+  ports:
+  - name: bridge
+    port: 7070
+    protocol: TCP
+    targetPort: 7070
+  - name: odbc
+    port: 11065
+    protocol: TCP
+    targetPort: 11065
+  - name: db
+    port: 11105
+    protocol: TCP
+    targetPort: 11105
+  publishNotReadyAddresses: true
+  selector:
+    app.kubernetes.io/instance: queryit-0
+    app.kubernetes.io/name: queryit
+  type: ClusterIP
--- a/rendered/manifests/k3s-dev/abinitio-platform/queryit/v1_service_queryit-admin-jgroup.yaml
+++ b/rendered/manifests/k3s-dev/abinitio-platform/queryit/v1_service_queryit-admin-jgroup.yaml
@@ -0,0 +1,25 @@
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    abinitio/deployment: qiadmin
+    app.kubernetes.io/instance: queryit-admin
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: queryit-admin
+    app.kubernetes.io/part-of: AbInitio
+    app.kubernetes.io/version: 4.4.1
+    helm.sh/chart: queryit-admin-2.4.3-a
+  name: queryit-admin-jgroup
+  namespace: abinitio
+spec:
+  clusterIP: None
+  ports:
+  - name: jgroup-channel
+    port: 7800
+    protocol: TCP
+    targetPort: 7800
+  publishNotReadyAddresses: true
+  selector:
+    app.kubernetes.io/instance: queryit-admin
+    app.kubernetes.io/name: queryit-admin
+  type: ClusterIP
--- a/rendered/manifests/k3s-dev/abinitio-platform/queryit/v1_service_queryit-admin.yaml
+++ b/rendered/manifests/k3s-dev/abinitio-platform/queryit/v1_service_queryit-admin.yaml
@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    abinitio/deployment: qiadmin
+    app.kubernetes.io/instance: queryit-admin
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: queryit-admin
+    app.kubernetes.io/part-of: AbInitio
+    app.kubernetes.io/version: 4.4.1
+    helm.sh/chart: queryit-admin-2.4.3-a
+  name: queryit-admin
+  namespace: abinitio
+spec:
+  ports:
+  - name: http
+    port: 8080
+    protocol: TCP
+    targetPort: 8080
+  selector:
+    app.kubernetes.io/instance: queryit-admin
+    app.kubernetes.io/name: queryit-admin
+  sessionAffinity: ClientIP
+  sessionAffinityConfig:
+    clientIP:
+      timeoutSeconds: 86400
+  type: ClusterIP
--- a/rendered/manifests/k3s-dev/abinitio-platform/runtime-locator/apps_v1_deployment_runtime-locator.yaml
+++ b/rendered/manifests/k3s-dev/abinitio-platform/runtime-locator/apps_v1_deployment_runtime-locator.yaml
@@ -0,0 +1,168 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app.kubernetes.io/instance: runtime-locator
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: runtime-locator
+    app.kubernetes.io/part-of: AbInitio
+    app.kubernetes.io/version: 4.4.1
+    helm.sh/chart: runtime-locator-2.4.3-a
+  name: runtime-locator
+  namespace: abinitio
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/instance: runtime-locator
+      app.kubernetes.io/name: runtime-locator
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/instance: runtime-locator
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: runtime-locator
+        app.kubernetes.io/part-of: AbInitio
+        app.kubernetes.io/version: 4.4.1
+        helm.sh/chart: runtime-locator-2.4.3-a
+    spec:
+      containers:
+      - args:
+        - -v
+        - "3"
+        - --port
+        - "8888"
+        - --context-root
+        - runtime-locator
+        - --tls-cert-file
+        - /var/run/secrets/abinitio/cert/server.crt
+        - --tls-key-file
+        - /var/run/secrets/abinitio/cert/server.key
+        - --ag-url
+        - http://authgateway:8080/authgateway
+        - --default-product-name
+        - Runtime Locator
+        - --full-permissions
+        - --post-events
+        - --contact-url
+        - https://aidp.k3s.sg.ic.cloudguild.gcp.abinitio.com/bridge
+        - --locations-file
+        - /tmp/locations.conf
+        - --upstreams-file
+        - /tmp/upstreams.conf
+        - --monitor-interval
+        - "0"
+        env:
+        - name: AB_PASSWORD_KEY_FILE
+          value: /secrets/password_key_file/password
+        - name: AB_AG_USERNAME
+          value: aiadmin
+        - name: AB_AG_ENCRYPTED_PASSWORD
+          value: FORMAT_3_AIADMIN_PASSWORD
+        image: asia-southeast1-docker.pkg.dev/str-22391/cloudplatform-proxy/aidp/runtime-locator:4.4.1.1-1
+        imagePullPolicy: IfNotPresent
+        name: runtime-locator
+        resources:
+          limits:
+            cpu: 100m
+            ephemeral-storage: 100Mi
+            memory: 30Mi
+          requests:
+            cpu: 100m
+            ephemeral-storage: 10Mi
+            memory: 20Mi
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
+          runAsGroup: 1000
+          runAsNonRoot: true
+          runAsUser: 1000
+          seccompProfile:
+            type: RuntimeDefault
+        volumeMounts:
+        - mountPath: /tmp
+          name: tmp-volume
+        - mountPath: /secrets/password_key_file/password
+          name: password-key-file
+          subPath: password
+      - args:
+        - nginx
+        - -g
+        - daemon off;
+        command:
+        - /nginx-watcher-entrypoint.sh
+        env:
+        - name: LOG_DIR
+          value: /tmp/logs/nginx
+        - name: LOCATIONS_CONFIG_FILE
+          value: /tmp/locations.conf
+        - name: UPSTREAMS_CONFIG_FILE
+          value: /tmp/upstreams.conf
+        - name: NGINX_PID_FILE
+          value: /tmp/nginx.pid
+        - name: DEBUG_NGINX_LOCATIONS_CONFIG_WATCHER_SH
+          value: "true"
+        image: asia-southeast1-docker.pkg.dev/str-22391/cloudplatform-proxy/aidp/portal-nginx:4.4.1.1-1
+        imagePullPolicy: IfNotPresent
+        name: bridge-gateway
+        ports:
+        - containerPort: 8080
+          protocol: TCP
+        - containerPort: 8443
+          protocol: TCP
+        resources:
+          limits:
+            ephemeral-storage: 2Gi
+            memory: 4Gi
+          requests:
+            cpu: 1m
+            ephemeral-storage: 1Gi
+            memory: 512Mi
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
+          runAsGroup: 1000
+          runAsNonRoot: true
+          runAsUser: 1000
+          seccompProfile:
+            type: RuntimeDefault
+        volumeMounts:
+        - mountPath: /tmp
+          name: tmp-volume
+        - mountPath: /etc/nginx/nginx.conf
+          name: nginx-config
+          readOnly: true
+          subPath: nginx.conf
+      hostAliases:
+      - hostnames:
+        - runtime-locator.abinitio
+        ip: 127.0.0.1
+      hostname: runtime-locator
+      securityContext:
+        fsGroup: 1000
+        fsGroupChangePolicy: OnRootMismatch
+        runAsGroup: 1000
+        runAsNonRoot: true
+        runAsUser: 1000
+        seccompProfile:
+          type: RuntimeDefault
+      serviceAccountName: runtime-locator
+      terminationGracePeriodSeconds: 30
+      volumes:
+      - emptyDir: {}
+        name: tmp-volume
+      - configMap:
+          defaultMode: 420
+          items:
+          - key: nginx.conf
+            path: nginx.conf
+          name: runtime-locator-nginx-conf
+        name: nginx-config
+      - name: password-key-file
+        secret:
+          defaultMode: 420
+          secretName: password-key-file
--- a/rendered/manifests/k3s-dev/abinitio-platform/runtime-locator/cloud.abinitio.com_v1_cooperatingsystemruntimetemplate_hello-world.yaml
+++ b/rendered/manifests/k3s-dev/abinitio-platform/runtime-locator/cloud.abinitio.com_v1_cooperatingsystemruntimetemplate_hello-world.yaml
@@ -0,0 +1,133 @@
+apiVersion: cloud.abinitio.com/v1
+kind: CoOperatingSystemRuntimeTemplate
+metadata:
+  name: hello-world
+  namespace: abinitio
+spec:
+  authGatewayServers:
+  - products:
+    - groups:
+      - GDE Users
+    url: http://authgateway:8080/authgateway
+  jobTemplate:
+    bridgeConfig:
+      authorizationGateway:
+        password: file=/secrets/runtime_locator_join_user/password
+        productIdentifier: runtime-locator-bridge
+        productName: Runtime Locator (Bridge)
+        url: http://authgateway:8080/authgateway
+        username: runtime_locator_join_user
+      name: default-bridge
+      transportProtocol: http
+    jobDeletePolicy: AlwaysRetainPvcs
+    launcher:
+      jobRecoveryVolumeClaim:
+        metadata:
+          name: launcher-claim
+        spec:
+          accessModes:
+          - ReadWriteOnce
+          resources:
+            requests:
+              storage: 5Gi
+      pod:
+        metadata:
+          name: launcher-pod
+        spec:
+          containers:
+          - env:
+            - name: AB_BRIDGE_SECURITY_ALLOW_UNSECURED_AG_OVER_HTTP
+              value: "true"
+            - name: AB_BRIDGE_SECURITY_ALLOW_UNSECURED_BASIC_AUTH_OVER_HTTP
+              value: "true"
+            - name: AB_CONFIGURATION
+              value: /config/pod/abinitiorc:/config/pod/apphubrc
+            - name: AB_CONTAINER_DYNAMIC_ALLOCATION_TIMEOUT
+              value: "120"
+            - name: AB_CONTAINER_VDL_ALLOCATION_TIMEOUT
+              value: "120"
+            - name: AB_HOSTNAME_KEYSERVER_URLS
+              value: abks://key-server:6151
+            - name: AB_IPV4_ONLY
+              value: "true"
+            - name: AB_KEY_DAEMON_DIR
+              value: /tmp/abkc/data
+            - name: AB_PASSWORD_KEY_FILE
+              value: /secrets/password_key_file/password
+            - name: AB_YARN_ALIAS_MISSING_HOSTS_ON_RECOVERY
+              value: "0"
+            - name: LOAD_PHYSOBJECTS
+              value: "true"
+            image: asia-southeast1-docker.pkg.dev/str-22391/cloudplatform-proxy/aidp/cooperating-system-with-examples:4.4.1.1-1
+            imagePullPolicy: IfNotPresent
+            name: launcher-container
+            ports:
+            - containerPort: 7070
+              protocol: TCP
+            volumeMounts:
+            - mountPath: /abinitio
+              name: persistent-storage
+            - mountPath: /config/pod
+              name: pod-config
+              readOnly: true
+            - mountPath: /var/run/secrets/abinitio/password-key-file
+              name: password-key-file
+              readOnly: true
+          restartPolicy: Never
+          securityContext:
+            fsGroup: 1000
+          serviceAccountName: abinitio-sa
+          terminationGracePeriodSeconds: 0
+          volumes:
+          - name: persistent-storage
+            persistentVolumeClaim:
+              claimName: launcher-claim
+          - configMap:
+              defaultMode: 511
+              name: runtime-locator
+            name: pod-config
+          - name: password-key-file
+            secret:
+              secretName: password-key-file-secret
+      releasePvcUponDelete: true
+    launcherRestartPolicy: IfFailedOrMissing
+    maxIdleSeconds: "3600"
+    useExternalConfigProvider: false
+    workerTemplateSpec:
+      jobRecoveryVolumeClaim:
+        metadata:
+          name: worker-claim
+        spec:
+          accessModes:
+          - ReadWriteOnce
+          resources:
+            requests:
+              storage: 1Gi
+      pod:
+        metadata:
+          name: worker-pod
+        spec:
+          containers:
+          - env:
+            - name: AB_CHARSET
+              value: utf-8
+            - name: AB_HOSTNAME_KEYSERVER_URLS
+              value: abks://key-server:6151
+            - name: AB_KEY_DAEMON_DIR
+              value: /tmp/abkc/data
+            image: asia-southeast1-docker.pkg.dev/str-22391/cloudplatform-proxy/aidp/cooperating-system-with-examples:4.4.1.1-1
+            imagePullPolicy: IfNotPresent
+            name: worker-container
+            volumeMounts:
+            - mountPath: /abinitio
+              name: persistent-storage
+          restartPolicy: Never
+          securityContext:
+            fsGroup: 1000
+          serviceAccountName: abinitio-sa
+          terminationGracePeriodSeconds: 0
+          volumes:
+          - name: persistent-storage
+            persistentVolumeClaim:
+              claimName: worker-claim
+      releasePvcUponDelete: true
--- a/rendered/manifests/k3s-dev/abinitio-platform/runtime-locator/rbac.authorization.k8s.io_v1_role_runtime-locator.yaml
+++ b/rendered/manifests/k3s-dev/abinitio-platform/runtime-locator/rbac.authorization.k8s.io_v1_role_runtime-locator.yaml
@@ -0,0 +1,48 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  labels:
+    app.kubernetes.io/instance: runtime-locator
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: runtime-locator
+    app.kubernetes.io/part-of: AbInitio
+    app.kubernetes.io/version: 4.4.1
+    helm.sh/chart: runtime-locator-2.4.3-a
+  name: runtime-locator
+  namespace: abinitio
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch
+  - update
+- apiGroups:
+  - cloud.abinitio.com
+  resources:
+  - cooperatingsystemruntimes
+  - cooperatingsystemruntimeclaims
+  verbs:
+  - create
+  - list
+  - get
+  - patch
+  - delete
+- apiGroups:
+  - cloud.abinitio.com
+  resources:
+  - cooperatingsystemruntimepools
+  - cooperatingsystemruntimeprofiles
+  - cooperatingsystemruntimetemplates
+  verbs:
+  - list
+  - get
+  - watch
--- a/rendered/manifests/k3s-dev/abinitio-platform/runtime-locator/rbac.authorization.k8s.io_v1_rolebinding_runtime-locator.yaml
+++ b/rendered/manifests/k3s-dev/abinitio-platform/runtime-locator/rbac.authorization.k8s.io_v1_rolebinding_runtime-locator.yaml
@@ -0,0 +1,20 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/instance: runtime-locator
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: runtime-locator
+    app.kubernetes.io/part-of: AbInitio
+    app.kubernetes.io/version: 4.4.1
+    helm.sh/chart: runtime-locator-2.4.3-a
+  name: runtime-locator
+  namespace: abinitio
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: runtime-locator
+subjects:
+- kind: ServiceAccount
+  name: runtime-locator
+  namespace: abinitio
--- a/rendered/manifests/k3s-dev/abinitio-platform/runtime-locator/v1_configmap_runtime-locator-examples.yaml
+++ b/rendered/manifests/k3s-dev/abinitio-platform/runtime-locator/v1_configmap_runtime-locator-examples.yaml
@@ -0,0 +1,47 @@
+apiVersion: v1
+data:
+  gde-config-internal.yaml: |
+    ---
+    externalConfig:
+      gde:
+        authentication:
+          type: AG
+        authorization:
+          type: AG
+        authorizationGateway:
+          url: https://aidp.k3s.sg.ic.cloudguild.gcp.abinitio.com/authgateway
+          productName: Runtime Locator
+        runtimeLocator:
+          url: https://aidp.k3s.sg.ic.cloudguild.gcp.abinitio.com/runtime-locator
+          serviceMesh: true
+          interop:
+            dataCatalogServices:
+              queryItAgProductName: Query>It
+  gde-config.yaml: |
+    ---
+    externalConfig:
+      gde:
+        authentication:
+          type: AG
+        authorization:
+          type: AG
+        authorizationGateway:
+          url: https://aidp.k3s.sg.ic.cloudguild.gcp.abinitio.com/authgateway
+          productName: Runtime Locator
+        runtimeLocator:
+          url: https://aidp.k3s.sg.ic.cloudguild.gcp.abinitio.com/runtime-locator/external
+          serviceMesh: true
+          interop:
+            dataCatalogServices:
+              queryItAgProductName: Query>It
+kind: ConfigMap
+metadata:
+  labels:
+    app.kubernetes.io/instance: runtime-locator
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: runtime-locator
+    app.kubernetes.io/part-of: AbInitio
+    app.kubernetes.io/version: 4.4.1
+    helm.sh/chart: runtime-locator-2.4.3-a
+  name: runtime-locator-examples
+  namespace: abinitio
--- a/rendered/manifests/k3s-dev/abinitio-platform/runtime-locator/v1_configmap_runtime-locator-nginx-conf.yaml
+++ b/rendered/manifests/k3s-dev/abinitio-platform/runtime-locator/v1_configmap_runtime-locator-nginx-conf.yaml
@@ -0,0 +1,73 @@
+apiVersion: v1
+data:
+  nginx.conf: |
+    worker_processes auto;
+    error_log stderr;
+    pid /tmp/nginx.pid;
+
+    events {
+      worker_connections 1024;
+    }
+
+    http {
+      # When running as non root user, set *temp* paths to /tmp/*
+      client_body_temp_path /tmp/client_temp;
+      proxy_temp_path       /tmp/proxy_temp_path;
+      fastcgi_temp_path     /tmp/fastcgi_temp;
+      uwsgi_temp_path       /tmp/uwsgi_temp;
+      scgi_temp_path        /tmp/scgi_temp;
+
+      sendfile            on;
+      tcp_nopush          on;
+      tcp_nodelay         on;
+
+      proxy_read_timeout    300;
+      proxy_connect_timeout 300;
+      proxy_send_timeout    300;
+      proxy_intercept_errors on;
+
+      client_max_body_size  100m;
+
+      include             /etc/nginx/mime.types;
+      default_type        application/octet-stream;
+
+      map $http_upgrade $connection_upgrade {
+        default          upgrade;
+        # See https://nginx.org/en/docs/http/ngx_http_upstream_module.html#keepalive
+        ''               '';
+      }
+
+      map $http_x_request_id $req_id {
+        default   $http_x_request_id;
+        ""        $request_id;
+      }
+
+      include /tmp/upstreams.conf;
+
+      # Main AIDP ingress must route /bridge/ paths to this HTTPS service
+      server {
+        listen      8080;
+        listen      8443 ssl;
+        server_name  _;
+        root        /usr/share/nginx/html;
+
+        ssl_certificate /var/run/secrets/abinitio/cert/server.crt;
+        ssl_certificate_key /var/run/secrets/abinitio/cert/server.key;
+
+        ssl_protocols TLSv1.2 TLSv1.3;  # Adjust as necessary
+        ssl_ciphers HIGH:!aNULL:!MD5;   # Ensure strong ciphers
+
+        include  /tmp/locations.conf;
+      }
+    }
+kind: ConfigMap
+metadata:
+  labels:
+    app.kubernetes.io/instance: runtime-locator
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: runtime-locator
+    app.kubernetes.io/part-of: AbInitio
+    app.kubernetes.io/version: 4.4.1
+    helm.sh/chart: runtime-locator-2.4.3-a
+  name: runtime-locator-nginx-conf
+  namespace: abinitio
--- a/rendered/manifests/k3s-dev/abinitio-platform/runtime-locator/v1_configmap_runtime-locator.yaml
+++ b/rendered/manifests/k3s-dev/abinitio-platform/runtime-locator/v1_configmap_runtime-locator.yaml
@@ -0,0 +1,30 @@
+apiVersion: v1
+data:
+  abinitiorc: |
+    AB_BRIDGE_URL @ eme-0 : http://eme-0.eme-headless:7070
+    AB_CHARSET : utf-8
+    AB_CONNECTION @ eme-0 : bridge_tunnel
+    AB_ENV_ROOT : /abinitio/sandboxes/sand/stdenv
+    AB_HOME @ eme-0 : /usr/local/abinitio
+    AB_NODES @ eme-0 : eme-0 eme-0.eme-headless
+    AB_PROC_DIR : /tmp
+    AB_WORK_DIR : /abinitio/work
+  apphubrc: |
+    AB_AIR_BRANCHES @ eme : main
+    AB_AIR_ROOT @ eme : //eme-0/abinitio/eme/eme
+    AB_BRIDGE_VOLATILE_DIR : /tmp/ab-bridge-volatile-dir
+    AB_DESCRIPTION @ eme : Default technical repository deployed in eme StatefulSet
+    AB_DISPLAY_NAME @ eme : Ab Initio Data Platform technical repository
+    AB_EME_REPOSITORIES : eme
+    AB_TRW_SHARED_MODULES_URL : https://aidp.k3s.sg.ic.cloudguild.gcp.abinitio.com/trw/app
+kind: ConfigMap
+metadata:
+  labels:
+    app.kubernetes.io/instance: runtime-locator
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: runtime-locator
+    app.kubernetes.io/part-of: AbInitio
+    app.kubernetes.io/version: 4.4.1
+    helm.sh/chart: runtime-locator-2.4.3-a
+  name: runtime-locator
+  namespace: abinitio
--- a/rendered/manifests/k3s-dev/abinitio-platform/runtime-locator/v1_service_runtime-locator.yaml
+++ b/rendered/manifests/k3s-dev/abinitio-platform/runtime-locator/v1_service_runtime-locator.yaml
@@ -0,0 +1,31 @@
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app.kubernetes.io/instance: runtime-locator
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: runtime-locator
+    app.kubernetes.io/part-of: AbInitio
+    app.kubernetes.io/version: 4.4.1
+    helm.sh/chart: runtime-locator-2.4.3-a
+  name: runtime-locator
+  namespace: abinitio
+spec:
+  ports:
+  - name: runtime-locator
+    port: 8888
+    protocol: TCP
+    targetPort: 8888
+  - name: bridge-gateway
+    port: 8080
+    protocol: TCP
+    targetPort: 8080
+  - name: bridge-gateway-https
+    port: 8443
+    protocol: TCP
+    targetPort: 8443
+  selector:
+    app.kubernetes.io/instance: runtime-locator
+    app.kubernetes.io/name: runtime-locator
+  sessionAffinity: None
+  type: ClusterIP
--- a/rendered/manifests/k3s-dev/abinitio-platform/runtime-locator/v1_serviceaccount_runtime-locator.yaml
+++ b/rendered/manifests/k3s-dev/abinitio-platform/runtime-locator/v1_serviceaccount_runtime-locator.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  labels:
+    app.kubernetes.io/instance: runtime-locator
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: runtime-locator
+    app.kubernetes.io/part-of: AbInitio
+    app.kubernetes.io/version: 4.4.1
+    helm.sh/chart: runtime-locator-2.4.3-a
+  name: runtime-locator
+  namespace: abinitio
--- a/rendered/manifests/k3s-dev/abinitio-platform/rwi/apps_v1_deployment_rwi.yaml
+++ b/rendered/manifests/k3s-dev/abinitio-platform/rwi/apps_v1_deployment_rwi.yaml
@@ -0,0 +1,362 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app.kubernetes.io/instance: rwi
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: rwi
+    app.kubernetes.io/part-of: AbInitio
+    app.kubernetes.io/version: 4.4.1
+    helm.sh/chart: rwi-2.4.3-a
+  name: rwi
+  namespace: abinitio
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/instance: rwi
+      app.kubernetes.io/name: rwi
+  strategy:
+    type: Recreate
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/instance: rwi
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: rwi
+        app.kubernetes.io/part-of: AbInitio
+        app.kubernetes.io/version: 4.4.1
+        helm.sh/chart: rwi-2.4.3-a
+      name: rwi
+    spec:
+      containers:
+      - args:
+        - --ab-k8s-job-launch-script
+        - /ab-setup/setup_pod.sh
+        command:
+        - ab-container-entrypoint.ksh
+        env:
+        - name: AB_AIR_ENCRYPTED_PASSWORD
+          value: file=/secrets/aiadmin/password
+        - name: AB_AIR_ROOT
+          value: //eme-0.eme-headless/abinitio/eme/eme
+        - name: AB_AIR_USER
+          value: aiadmin
+        - name: AB_ALLOW_FILE_LOCK_ON_REMOTE_FILE_SYSTEM
+          value: "true"
+        - name: AB_AUTHORIZATION_GATEWAY_URL
+          value: http://authgateway:8080/authgateway
+        - name: AB_BRIDGE_CONFIGURATION_DIR
+          value: /abinitio/bridge
+        - name: AB_BRIDGE_CONFIGURATION_NAME
+          value: container-bridge
+        - name: AB_CHARSET
+          value: utf-8
+        - name: AB_CONFIGURATION
+          value: /config/pod/abinitiorc:/config/pod/apphubrc
+        - name: AB_CONNECTION_BRIDGE_ENCRYPTED_RPC_ENCRYPTION_KEY
+          value: file=/secrets/bridge/password
+        - name: AB_CONNECTION_BRIDGE_PORT
+          value: "7070"
+        - name: AB_CONNECTION_BRIDGE_RPC_ENCRYPTION_TYPE
+          value: aes128-gcm
+        - name: AB_CONNECTION_BRIDGE_SECURITY_CONFIGURATION
+          value: container-bridge-security
+        - name: AB_HOSTNAME_KEYSERVER_URLS
+          value: abks://key-server:6151
+        - name: AB_IPV4_ONLY
+          value: "true"
+        - name: AB_K8S_MAX_IDLE_SECONDS
+          value: "0"
+        - name: AB_K8S_START_BRIDGE
+          value: background
+        - name: AB_K8S_START_REPORTER
+          value: "true"
+        - name: AB_KEY_DAEMON_DIR
+          value: /tmp/abkc/data
+        - name: AB_MUX_ENABLE_AG_CREDENTIAL_MAPPING
+          value: "false"
+        - name: AB_OPS_CONSOLE_URL
+          value: http://controlcenter:8080/controlcenter
+        - name: AB_OPS_WSS_ENCRYPTED_PASSWORD
+          value: file=/secrets/ocagent/password
+        - name: AB_OPS_WSS_USERNAME
+          value: ocagent
+        - name: AB_PASSWORD_KEY_FILE
+          value: /secrets/password_key_file/password
+        - name: AB_RWI_BRIDGE_CONNECTION_ENC_PASSWORD
+          value: file=/secrets/bridge/password
+        - name: BRIDGE_AB_ENCRYPTED_KEY
+          value: file=/secrets/bridge/password
+        - name: CC_ADMIN_ENCRYPTED_PASSWORD
+          value: file=/secrets/aiadmin/password
+        - name: CC_ADMIN_USERNAME
+          value: aiadmin
+        - name: CMAP_MOUNT
+          value: /config/pod
+        - name: DEPLOY_NAME
+          value: rwi
+        - name: LOAD_PHYSOBJECTS
+          value: "true"
+        - name: NAMESPACE
+          value: abinitio
+        - name: POD_IP
+          valueFrom:
+            fieldRef:
+              fieldPath: status.podIP
+        - name: POD_LABEL
+          value: 'abinitio/product: rwi, abinitio/deployment: rwi'
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        - name: POD_SERVICE
+          value: rwi
+        - name: POD_SERVICE_HEADLESS
+          value: rwi-headless
+        - name: RWI_BRIDGE_PORT
+          value: "7171"
+        - name: RWI_DATA_ROOT
+          value: /ab_share/data/mfs/mfs_2way
+        - name: RWI_METADATA_ROOT
+          value: /abinitio/rwi/mount/data/serial
+        image: asia-southeast1-docker.pkg.dev/str-22391/cloudplatform-proxy/aidp/rwi:4.4.1.1-1
+        imagePullPolicy: IfNotPresent
+        name: rwi
+        readinessProbe:
+          exec:
+            command:
+            - stat
+            - /tmp/.pod.ready
+          failureThreshold: 240
+          periodSeconds: 10
+        resources:
+          limits:
+            ephemeral-storage: 2Gi
+            memory: 8Gi
+          requests:
+            cpu: 100m
+            ephemeral-storage: 2Gi
+            memory: 1Gi
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
+          runAsGroup: 1000
+          runAsNonRoot: true
+          runAsUser: 1000
+          seccompProfile:
+            type: RuntimeDefault
+        volumeMounts:
+        - mountPath: /config/pod
+          name: pod-config
+        - mountPath: /abinitio
+          name: abinitio-local
+        - mountPath: /secrets/aiadmin/password
+          name: aiadmin
+          subPath: password
+        - mountPath: /secrets/ocagent/password
+          name: ocagent
+          subPath: password
+        - mountPath: /secrets/bridge/password
+          name: bridge
+          subPath: password
+        - mountPath: /secrets/eme_join_user/password
+          name: eme-join-user
+          subPath: password
+        - mountPath: /secrets/qi_join_user/password
+          name: qi-join-user
+          subPath: password
+        - mountPath: /secrets/dcs_utility_user/password
+          name: dcs-utility-user
+          subPath: password
+        - mountPath: /secrets/mhub_utility_user/password
+          name: mhub-utility-user
+          subPath: password
+        - mountPath: /secrets/ag_db_importer/password
+          name: ag-db-importer
+          subPath: password
+        - mountPath: /secrets/admin/password
+          name: admin
+          subPath: password
+        - mountPath: /secrets/ag_ui_importer/password
+          name: ag-ui-importer
+          subPath: password
+        - mountPath: /secrets/cafe_join_user/password
+          name: cafe-join-user
+          subPath: password
+        - mountPath: /secrets/cc_join_user/password
+          name: cc-join-user
+          subPath: password
+        - mountPath: /secrets/dcs_join_user/password
+          name: dcs-join-user
+          subPath: password
+        - mountPath: /secrets/ei_join_user/password
+          name: ei-join-user
+          subPath: password
+        - mountPath: /secrets/mhub_join_user/password
+          name: mhub-join-user
+          subPath: password
+        - mountPath: /secrets/qiadmin_join_user/password
+          name: qiadmin-join-user
+          subPath: password
+        - mountPath: /secrets/sd_join_user/password
+          name: sd-join-user
+          subPath: password
+        - mountPath: /secrets/trw_join_user/password
+          name: trw-join-user
+          subPath: password
+        - mountPath: /secrets/mhub_db_importer/password
+          name: mhub-db-importer
+          subPath: password
+        - mountPath: /secrets/mhub_ui_importer/password
+          name: mhub-ui-importer
+          subPath: password
+        - mountPath: /secrets/ag_appserver/password
+          name: ag-appserver
+          subPath: password
+        - mountPath: /secrets/ag_report/password
+          name: ag-report
+          subPath: password
+        - mountPath: /secrets/cc_jdbc/password
+          name: cc-jdbc
+          subPath: password
+        - mountPath: /secrets/dcs_hmac_key/password
+          name: dcs-hmac-key
+          subPath: password
+        - mountPath: /secrets/abinitio/password
+          name: abinitio
+          subPath: password
+        - mountPath: /secrets/mhub_appserver/password
+          name: mhub-appserver
+          subPath: password
+        - mountPath: /secrets/mhub_report/password
+          name: mhub-report
+          subPath: password
+        - mountPath: /secrets/runtime_locator_join_user/password
+          name: runtime-locator-join-user
+          subPath: password
+        - mountPath: /secrets/password_key_file/password
+          name: password-key-file
+          subPath: password
+        - mountPath: /ab_share
+          name: ab-share-data-and-appconf-root
+        - mountPath: /tmp
+          name: tmp-volume
+      hostAliases:
+      - hostnames:
+        - rwi.abinitio
+        ip: 127.0.0.1
+      hostname: rwi
+      initContainers: null
+      securityContext:
+        fsGroup: 1000
+        fsGroupChangePolicy: OnRootMismatch
+        runAsGroup: 1000
+        runAsNonRoot: true
+        runAsUser: 1000
+        seccompProfile:
+          type: RuntimeDefault
+      serviceAccountName: abinitio-sa
+      terminationGracePeriodSeconds: 30
+      volumes:
+      - configMap:
+          defaultMode: 511
+          name: rwi
+        name: pod-config
+      - name: abinitio-local
+        persistentVolumeClaim:
+          claimName: rwi-claim
+      - emptyDir: {}
+        name: tmp-volume
+      - name: aiadmin
+        secret:
+          secretName: aiadmin
+      - name: ocagent
+        secret:
+          secretName: ocagent
+      - name: bridge
+        secret:
+          secretName: bridge
+      - name: eme-join-user
+        secret:
+          secretName: eme-join-user
+      - name: qi-join-user
+        secret:
+          secretName: qi-join-user
+      - name: dcs-utility-user
+        secret:
+          secretName: dcs-utility-user
+      - name: mhub-utility-user
+        secret:
+          secretName: mhub-utility-user
+      - name: ag-db-importer
+        secret:
+          secretName: ag-db-importer
+      - name: admin
+        secret:
+          secretName: admin
+      - name: ag-ui-importer
+        secret:
+          secretName: ag-ui-importer
+      - name: cafe-join-user
+        secret:
+          secretName: cafe-join-user
+      - name: cc-join-user
+        secret:
+          secretName: cc-join-user
+      - name: dcs-join-user
+        secret:
+          secretName: dcs-join-user
+      - name: ei-join-user
+        secret:
+          secretName: ei-join-user
+      - name: mhub-join-user
+        secret:
+          secretName: mhub-join-user
+      - name: qiadmin-join-user
+        secret:
+          secretName: qiadmin-join-user
+      - name: sd-join-user
+        secret:
+          secretName: sd-join-user
+      - name: trw-join-user
+        secret:
+          secretName: trw-join-user
+      - name: mhub-db-importer
+        secret:
+          secretName: mhub-db-importer
+      - name: mhub-ui-importer
+        secret:
+          secretName: mhub-ui-importer
+      - name: ag-appserver
+        secret:
+          secretName: ag-appserver
+      - name: ag-report
+        secret:
+          secretName: ag-report
+      - name: cc-jdbc
+        secret:
+          secretName: cc-jdbc
+      - name: dcs-hmac-key
+        secret:
+          secretName: dcs-hmac-key
+      - name: abinitio
+        secret:
+          secretName: abinitio
+      - name: mhub-appserver
+        secret:
+          secretName: mhub-appserver
+      - name: mhub-report
+        secret:
+          secretName: mhub-report
+      - name: runtime-locator-join-user
+        secret:
+          secretName: runtime-locator-join-user
+      - name: password-key-file
+        secret:
+          secretName: password-key-file
+      - name: ab-share-data-and-appconf-root
+        persistentVolumeClaim:
+          claimName: ab-shared-data-and-appconf-root-claim
--- a/rendered/manifests/k3s-dev/abinitio-platform/rwi/v1_configmap_rwi.yaml
+++ b/rendered/manifests/k3s-dev/abinitio-platform/rwi/v1_configmap_rwi.yaml
@@ -0,0 +1,29 @@
+apiVersion: v1
+data:
+  abinitiorc: |
+    AB_BRIDGE_WORKDIR @ container-bridge : /tmp/container-bridge-workdir
+    AB_CHARSET : utf-8
+    AB_CONNECTION : bridge
+    AB_CONNECTION_BRIDGE_ENCRYPTED_RPC_ENCRYPTION_KEY @ emeabeme : file=/secrets/bridge/password
+    AB_HOSTNAME_KEYSERVER_URLS : abks://key-server:6151
+    AB_MHUB_LOCAL_ROOT : /abinitio/deploy
+    AB_OPS_CONSOLE_URL : http://controlcenter:8080/controlcenter
+    AB_OPS_MONITOR : true
+    AB_OPS_MONITOR_RESOURCES : false
+    AB_OPS_PHYSICAL_HOSTNAME : rwi
+    AB_PROC_DIR : /tmp
+    AB_WORK_DIR : /abinitio/work
+  apphubrc: |
+    AB_KEYSERVER_GROUP : AI-IC-AWS001a
+    AB_KEYSERVER_URLS : abks://key-server:6150
+kind: ConfigMap
+metadata:
+  labels:
+    app.kubernetes.io/instance: rwi
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: rwi
+    app.kubernetes.io/part-of: AbInitio
+    app.kubernetes.io/version: 4.4.1
+    helm.sh/chart: rwi-2.4.3-a
+  name: rwi
+  namespace: abinitio
--- a/rendered/manifests/k3s-dev/abinitio-platform/rwi/v1_persistentvolumeclaim_rwi-claim.yaml
+++ b/rendered/manifests/k3s-dev/abinitio-platform/rwi/v1_persistentvolumeclaim_rwi-claim.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  labels:
+    app.kubernetes.io/instance: rwi
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: rwi
+    app.kubernetes.io/part-of: AbInitio
+    app.kubernetes.io/version: 4.4.1
+    helm.sh/chart: rwi-2.4.3-a
+  name: rwi-claim
+  namespace: abinitio
+spec:
+  accessModes:
+  - ReadWriteOnce
+  resources:
+    requests:
+      storage: 10Gi
--- a/rendered/manifests/k3s-dev/abinitio-platform/rwi/v1_service_rwi.yaml
+++ b/rendered/manifests/k3s-dev/abinitio-platform/rwi/v1_service_rwi.yaml
@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app.kubernetes.io/instance: rwi
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: rwi
+    app.kubernetes.io/part-of: AbInitio
+    app.kubernetes.io/version: 4.4.1
+    helm.sh/chart: rwi-2.4.3-a
+  name: rwi
+  namespace: abinitio
+spec:
+  ports:
+  - name: rwi
+    port: 7171
+    protocol: TCP
+    targetPort: 7171
+  - name: bridge
+    port: 7070
+    protocol: TCP
+    targetPort: 7070
+  publishNotReadyAddresses: false
+  selector:
+    app.kubernetes.io/instance: rwi
+    app.kubernetes.io/name: rwi
+  type: ClusterIP
--- a/rendered/manifests/k3s-dev/abinitio-platform/semantic-discovery/apps_v1_deployment_semantic-discovery.yaml
+++ b/rendered/manifests/k3s-dev/abinitio-platform/semantic-discovery/apps_v1_deployment_semantic-discovery.yaml
@@ -0,0 +1,364 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app.kubernetes.io/instance: semantic-discovery
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: semantic-discovery
+    app.kubernetes.io/part-of: AbInitio
+    app.kubernetes.io/version: 4.4.1
+    helm.sh/chart: semantic-discovery-2.4.3-a
+  name: semantic-discovery
+  namespace: abinitio
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/instance: semantic-discovery
+      app.kubernetes.io/name: semantic-discovery
+  strategy:
+    type: Recreate
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/instance: semantic-discovery
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: semantic-discovery
+        app.kubernetes.io/part-of: AbInitio
+        app.kubernetes.io/version: 4.4.1
+        helm.sh/chart: semantic-discovery-2.4.3-a
+      name: semantic-discovery
+    spec:
+      containers:
+      - args:
+        - --ab-k8s-job-launch-script
+        - /ab-setup/setup_pod.sh
+        command:
+        - ab-container-entrypoint.ksh
+        env:
+        - name: AB_AIR_ENCRYPTED_PASSWORD
+          value: file=/secrets/aiadmin/password
+        - name: AB_AIR_ROOT
+          value: //eme-0.eme-headless/abinitio/eme/eme
+        - name: AB_AIR_USER
+          value: aiadmin
+        - name: AB_ALLOW_FILE_LOCK_ON_REMOTE_FILE_SYSTEM
+          value: "true"
+        - name: AB_AUTHORIZATION_GATEWAY_URL
+          value: http://authgateway:8080/authgateway
+        - name: AB_BRIDGE_CONFIGURATION_DIR
+          value: /abinitio/bridge
+        - name: AB_BRIDGE_CONFIGURATION_NAME
+          value: container-bridge
+        - name: AB_CHARSET
+          value: utf-8
+        - name: AB_CONFIGURATION
+          value: /config/pod/abinitiorc:/config/pod/apphubrc
+        - name: AB_CONNECTION_BRIDGE_ENCRYPTED_RPC_ENCRYPTION_KEY
+          value: file=/secrets/bridge/password
+        - name: AB_CONNECTION_BRIDGE_PORT
+          value: "7070"
+        - name: AB_CONNECTION_BRIDGE_RPC_ENCRYPTION_TYPE
+          value: aes128-gcm
+        - name: AB_CONNECTION_BRIDGE_SECURITY_CONFIGURATION
+          value: container-bridge-security
+        - name: AB_HOSTNAME_KEYSERVER_URLS
+          value: abks://key-server:6151
+        - name: AB_IPV4_ONLY
+          value: "true"
+        - name: AB_K8S_MAX_IDLE_SECONDS
+          value: "0"
+        - name: AB_K8S_START_BRIDGE
+          value: background
+        - name: AB_K8S_START_REPORTER
+          value: "true"
+        - name: AB_KEY_DAEMON_DIR
+          value: /tmp/abkc/data
+        - name: AB_MHUB_ENCRYPTED_PASSWORD
+          value: file=/secrets/aiadmin/password
+        - name: AB_MHUB_URL
+          value: http://metadatahub:8080/metadatahub
+        - name: AB_MHUB_USERNAME
+          value: aiadmin
+        - name: AB_MUX_ENABLE_AG_CREDENTIAL_MAPPING
+          value: "false"
+        - name: AB_OPS_CONSOLE_URL
+          value: http://controlcenter:8080/controlcenter
+        - name: AB_OPS_WSS_ENCRYPTED_PASSWORD
+          value: file=/secrets/ocagent/password
+        - name: AB_OPS_WSS_USERNAME
+          value: ocagent
+        - name: AB_PASSWORD_KEY_FILE
+          value: /secrets/password_key_file/password
+        - name: BRIDGE_AB_ENCRYPTED_KEY
+          value: file=/secrets/bridge/password
+        - name: CC_ADMIN_ENCRYPTED_PASSWORD
+          value: file=/secrets/aiadmin/password
+        - name: CC_ADMIN_USERNAME
+          value: aiadmin
+        - name: CMAP_MOUNT
+          value: /config/pod
+        - name: DEPLOY_NAME
+          value: semantic-discovery
+        - name: LOAD_PHYSOBJECTS
+          value: "true"
+        - name: NAMESPACE
+          value: abinitio
+        - name: POD_IP
+          valueFrom:
+            fieldRef:
+              fieldPath: status.podIP
+        - name: POD_LABEL
+          value: 'abinitio/product: semantic-discovery, abinitio/deployment: semantic-discovery'
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        - name: POD_SERVICE
+          value: semantic-discovery
+        - name: POD_SERVICE_HEADLESS
+          value: semantic-discovery-headless
+        - name: SD_CC_ENCRYPTED_PASSWORD
+          value: file=/secrets/aiadmin/password
+        - name: SD_CC_USERNAME
+          value: aiadmin
+        image: asia-southeast1-docker.pkg.dev/str-22391/cloudplatform-proxy/aidp/semantic-discovery:4.4.1.1-1
+        imagePullPolicy: IfNotPresent
+        name: semantic-discovery
+        readinessProbe:
+          exec:
+            command:
+            - stat
+            - /tmp/.pod.ready
+          failureThreshold: 240
+          periodSeconds: 10
+        resources:
+          limits:
+            ephemeral-storage: 3Gi
+            memory: 16Gi
+          requests:
+            cpu: "1"
+            ephemeral-storage: 3Gi
+            memory: 8Gi
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
+          runAsGroup: 1000
+          runAsNonRoot: true
+          runAsUser: 1000
+          seccompProfile:
+            type: RuntimeDefault
+        volumeMounts:
+        - mountPath: /config/pod
+          name: pod-config
+        - mountPath: /abinitio
+          name: abinitio-local
+        - mountPath: /secrets/aiadmin/password
+          name: aiadmin
+          subPath: password
+        - mountPath: /secrets/ocagent/password
+          name: ocagent
+          subPath: password
+        - mountPath: /secrets/bridge/password
+          name: bridge
+          subPath: password
+        - mountPath: /secrets/eme_join_user/password
+          name: eme-join-user
+          subPath: password
+        - mountPath: /secrets/qi_join_user/password
+          name: qi-join-user
+          subPath: password
+        - mountPath: /secrets/dcs_utility_user/password
+          name: dcs-utility-user
+          subPath: password
+        - mountPath: /secrets/mhub_utility_user/password
+          name: mhub-utility-user
+          subPath: password
+        - mountPath: /secrets/ag_db_importer/password
+          name: ag-db-importer
+          subPath: password
+        - mountPath: /secrets/admin/password
+          name: admin
+          subPath: password
+        - mountPath: /secrets/ag_ui_importer/password
+          name: ag-ui-importer
+          subPath: password
+        - mountPath: /secrets/cafe_join_user/password
+          name: cafe-join-user
+          subPath: password
+        - mountPath: /secrets/cc_join_user/password
+          name: cc-join-user
+          subPath: password
+        - mountPath: /secrets/dcs_join_user/password
+          name: dcs-join-user
+          subPath: password
+        - mountPath: /secrets/ei_join_user/password
+          name: ei-join-user
+          subPath: password
+        - mountPath: /secrets/mhub_join_user/password
+          name: mhub-join-user
+          subPath: password
+        - mountPath: /secrets/qiadmin_join_user/password
+          name: qiadmin-join-user
+          subPath: password
+        - mountPath: /secrets/sd_join_user/password
+          name: sd-join-user
+          subPath: password
+        - mountPath: /secrets/trw_join_user/password
+          name: trw-join-user
+          subPath: password
+        - mountPath: /secrets/mhub_db_importer/password
+          name: mhub-db-importer
+          subPath: password
+        - mountPath: /secrets/mhub_ui_importer/password
+          name: mhub-ui-importer
+          subPath: password
+        - mountPath: /secrets/ag_appserver/password
+          name: ag-appserver
+          subPath: password
+        - mountPath: /secrets/ag_report/password
+          name: ag-report
+          subPath: password
+        - mountPath: /secrets/cc_jdbc/password
+          name: cc-jdbc
+          subPath: password
+        - mountPath: /secrets/dcs_hmac_key/password
+          name: dcs-hmac-key
+          subPath: password
+        - mountPath: /secrets/abinitio/password
+          name: abinitio
+          subPath: password
+        - mountPath: /secrets/mhub_appserver/password
+          name: mhub-appserver
+          subPath: password
+        - mountPath: /secrets/mhub_report/password
+          name: mhub-report
+          subPath: password
+        - mountPath: /secrets/runtime_locator_join_user/password
+          name: runtime-locator-join-user
+          subPath: password
+        - mountPath: /secrets/password_key_file/password
+          name: password-key-file
+          subPath: password
+        - mountPath: /ab_share
+          name: ab-share-data-and-appconf-root
+        - mountPath: /tmp
+          name: tmp-volume
+      hostAliases:
+      - hostnames:
+        - semantic-discovery.abinitio
+        ip: 127.0.0.1
+      hostname: semantic-discovery
+      initContainers: null
+      securityContext:
+        fsGroup: 1000
+        fsGroupChangePolicy: OnRootMismatch
+        runAsGroup: 1000
+        runAsNonRoot: true
+        runAsUser: 1000
+        seccompProfile:
+          type: RuntimeDefault
+      serviceAccountName: abinitio-sa
+      terminationGracePeriodSeconds: 30
+      volumes:
+      - configMap:
+          defaultMode: 511
+          name: semantic-discovery
+        name: pod-config
+      - name: abinitio-local
+        persistentVolumeClaim:
+          claimName: semantic-discovery-claim
+      - emptyDir: {}
+        name: tmp-volume
+      - name: aiadmin
+        secret:
+          secretName: aiadmin
+      - name: ocagent
+        secret:
+          secretName: ocagent
+      - name: bridge
+        secret:
+          secretName: bridge
+      - name: eme-join-user
+        secret:
+          secretName: eme-join-user
+      - name: qi-join-user
+        secret:
+          secretName: qi-join-user
+      - name: dcs-utility-user
+        secret:
+          secretName: dcs-utility-user
+      - name: mhub-utility-user
+        secret:
+          secretName: mhub-utility-user
+      - name: ag-db-importer
+        secret:
+          secretName: ag-db-importer
+      - name: admin
+        secret:
+          secretName: admin
+      - name: ag-ui-importer
+        secret:
+          secretName: ag-ui-importer
+      - name: cafe-join-user
+        secret:
+          secretName: cafe-join-user
+      - name: cc-join-user
+        secret:
+          secretName: cc-join-user
+      - name: dcs-join-user
+        secret:
+          secretName: dcs-join-user
+      - name: ei-join-user
+        secret:
+          secretName: ei-join-user
+      - name: mhub-join-user
+        secret:
+          secretName: mhub-join-user
+      - name: qiadmin-join-user
+        secret:
+          secretName: qiadmin-join-user
+      - name: sd-join-user
+        secret:
+          secretName: sd-join-user
+      - name: trw-join-user
+        secret:
+          secretName: trw-join-user
+      - name: mhub-db-importer
+        secret:
+          secretName: mhub-db-importer
+      - name: mhub-ui-importer
+        secret:
+          secretName: mhub-ui-importer
+      - name: ag-appserver
+        secret:
+          secretName: ag-appserver
+      - name: ag-report
+        secret:
+          secretName: ag-report
+      - name: cc-jdbc
+        secret:
+          secretName: cc-jdbc
+      - name: dcs-hmac-key
+        secret:
+          secretName: dcs-hmac-key
+      - name: abinitio
+        secret:
+          secretName: abinitio
+      - name: mhub-appserver
+        secret:
+          secretName: mhub-appserver
+      - name: mhub-report
+        secret:
+          secretName: mhub-report
+      - name: runtime-locator-join-user
+        secret:
+          secretName: runtime-locator-join-user
+      - name: password-key-file
+        secret:
+          secretName: password-key-file
+      - name: ab-share-data-and-appconf-root
+        persistentVolumeClaim:
+          claimName: ab-shared-data-and-appconf-root-claim
--- a/rendered/manifests/k3s-dev/abinitio-platform/semantic-discovery/v1_configmap_semantic-discovery.yaml
+++ b/rendered/manifests/k3s-dev/abinitio-platform/semantic-discovery/v1_configmap_semantic-discovery.yaml
@@ -0,0 +1,95 @@
+apiVersion: v1
+data:
+  abinitiorc: |
+    AB_BRIDGE_WORKDIR @ container-bridge : /tmp/container-bridge-workdir
+    AB_CHARSET : utf-8
+    AB_CONNECTION : bridge
+    AB_CONNECTION_BRIDGE_ENCRYPTED_RPC_ENCRYPTION_KEY @ emeabeme : file=/secrets/bridge/password
+    AB_ENV_ROOT : /abinitio/sandboxes/sand/stdenv
+    AB_HOSTNAME_KEYSERVER_URLS : abks://key-server:6151
+    AB_MHUB_CONFIG_DIR : /abinitio/deploy/metadatahub-importer/config
+    AB_MHUB_LOCAL_ROOT : /abinitio/deploy
+    AB_OPS_CONSOLE_URL : http://controlcenter:8080/controlcenter
+    AB_OPS_MONITOR : true
+    AB_OPS_MONITOR_RESOURCES : false
+    AB_OPS_PHYSICAL_HOSTNAME : semantic-discovery
+    AB_PROC_DIR : /tmp
+    AB_WORK_DIR : /abinitio/work
+  apphubrc: |
+    AB_BRIDGE_VOLATILE_DIR : /tmp/ab-bridge-volatile-dir
+    AB_KEYSERVER_GROUP : AI-IC-AWS001a
+    AB_KEYSERVER_URLS : abks://key-server:6150
+  ccScheduler.dbc: |
+    db_home: ${AB_HOME}/lib/postgresql
+    db_name: controlcenter
+    db_nodes: localhost
+    db_server_host: controlcenter-rw.abinitio-db.svc
+    db_server_port: 5432
+    dbms: postgresql
+    encrypted_password: file=/secrets/cc_jdbc/password
+    user: cc_jdbc
+  install-properties.config: |
+    AB_AIR_BRANCH=main
+    AB_AIR_ROOT=//eme-0.eme-headless/abinitio/eme/eme
+    AB_HOME=/usr/local/abinitio
+    AB_MHUB_LOCAL_DIR=/abinitio/deploy
+    AB_OPS_CONSOLE_URL=http://controlcenter:8080/controlcenter
+    AB_START_SCHEDULER_SERVICE=y
+    COUNTRY_PACKS=US
+    DCS_INTEGRATION=y
+    DCS_URL=http://datacatalog:8080/datacatalog
+    DCS_USERNAME=aiadmin
+    DEFAULT_SD_LOCATIONS=n
+    DO_LOAD_EXTENSION_SETS=y
+    DO_MHUB_DATASTORE_BACKUP=n
+    INSTALL_CONFIG_USING_ABAPP_MHUB=n
+    INTRO_PROMPT=y
+    INTRO_PROMPT_UPGRADE=y
+    LOAD_ASSETS_LANGUAGE=ALL
+    MHUB_ABAPP_NAME=metadatahub
+    MHUB_DATASTORE_NAME=metadatahub-importer
+    MHUB_DB_APPSERVER_USERNAME=mhub_appserver
+    MHUB_DEPLOY_NAME=metadatahub-importer
+    MHUB_DS_RUNNING=y
+    MHUB_EXTENSION_PROMPT=y
+    MHUB_IMPORTER_USERNAME=aiadmin
+    MHUB_IMPORT_PROFILE_PATH=/abinitio/deploy/metadatahub-importer/config/import.profile
+    MHUB_NON_ABAPP_NAME=metadatahub-importer
+    MHUB_URL=http://metadatahub:8080/metadatahub
+    PRIVATE_SANDBOX_ROOT=/abinitio/sandboxes/private_sand
+    PUBLIC_SANDBOX_ROOT=/abinitio/sandboxes/sand
+    SANDBOX_PATH_TO_STDENV=/abinitio/sandboxes/sand/stdenv
+    SD_CC_BRIDGE_CONFIGURATION_NAME=container-bridge
+    SD_CC_BRIDGE_HOST_NAME=semantic-discovery
+    SD_CC_BRIDGE_HOST_PORT=7070
+    SD_CC_DEFAULT_API_PORT=5454
+    SD_CC_INTEGRATION=y
+    SD_CC_USERNAME=aiadmin
+    SD_COMMON_SANDBOX_REL=abinitio/semantic_discovery
+    SD_DEPLOY_DIR=/abinitio/deploy/semantic_discovery
+    SD_DO_NAVBAR_INSTALL=n
+    SD_INSTALL_ROOT=/abinitio
+    SD_OPDB_DBC_FILE=/config/pod/ccScheduler.dbc
+    SD_PRIVATE_PROJECT=/Projects/workspace/semantic_discovery_private
+    SD_PRIVATE_SANDBOX_REL=semantic_discovery_private
+    SD_USE_OPDB_DBC_FILE=y
+    USE_COUNTRY_PACKS=y
+    USE_LOAD_ASSETS_LANGUAGE=y
+    USE_SPECIFIC_UPGRADE_BRANCH=n
+    WAIT_BETWEEN_LOAD_ATTEMPTS=60
+    WAIT_FOR_LOAD_ATTEMPTS=150
+    MHUB_DB_APPSERVER_ENCRYPTED_PASSWORD=file=/secrets/mhub_appserver/password
+    DCS_ENCRYPTED_PASSWORD=file=/secrets/aiadmin/password
+    SD_CC_ENCRYPTED_PASSWORD=file=/secrets/aiadmin/password
+    MHUB_IMPORTER_ENCRYPTED_PASSWORD=file=/secrets/aiadmin/password
+kind: ConfigMap
+metadata:
+  labels:
+    app.kubernetes.io/instance: semantic-discovery
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: semantic-discovery
+    app.kubernetes.io/part-of: AbInitio
+    app.kubernetes.io/version: 4.4.1
+    helm.sh/chart: semantic-discovery-2.4.3-a
+  name: semantic-discovery
+  namespace: abinitio
--- a/rendered/manifests/k3s-dev/abinitio-platform/semantic-discovery/v1_persistentvolumeclaim_semantic-discovery-claim.yaml
+++ b/rendered/manifests/k3s-dev/abinitio-platform/semantic-discovery/v1_persistentvolumeclaim_semantic-discovery-claim.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  labels:
+    app.kubernetes.io/instance: semantic-discovery
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: semantic-discovery
+    app.kubernetes.io/part-of: AbInitio
+    app.kubernetes.io/version: 4.4.1
+    helm.sh/chart: semantic-discovery-2.4.3-a
+  name: semantic-discovery-claim
+  namespace: abinitio
+spec:
+  accessModes:
+  - ReadWriteOnce
+  resources:
+    requests:
+      storage: 6Gi
--- a/rendered/manifests/k3s-dev/abinitio-platform/semantic-discovery/v1_service_semantic-discovery.yaml
+++ b/rendered/manifests/k3s-dev/abinitio-platform/semantic-discovery/v1_service_semantic-discovery.yaml
@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app.kubernetes.io/instance: semantic-discovery
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: semantic-discovery
+    app.kubernetes.io/part-of: AbInitio
+    app.kubernetes.io/version: 4.4.1
+    helm.sh/chart: semantic-discovery-2.4.3-a
+  name: semantic-discovery
+  namespace: abinitio
+spec:
+  ports:
+  - name: semantic-discovery
+    port: 5454
+    protocol: TCP
+    targetPort: 5454
+  - name: bridge
+    port: 7070
+    protocol: TCP
+    targetPort: 7070
+  publishNotReadyAddresses: true
+  selector:
+    app.kubernetes.io/instance: semantic-discovery
+    app.kubernetes.io/name: semantic-discovery
+  type: ClusterIP
--- a/rendered/manifests/k3s-dev/abinitio-platform/tdm/batch_v1_job_tdm-4.4.1.1-1.yaml
+++ b/rendered/manifests/k3s-dev/abinitio-platform/tdm/batch_v1_job_tdm-4.4.1.1-1.yaml
@@ -0,0 +1,327 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: tdm-4.4.1.1-1
+  namespace: abinitio
+spec:
+  backoffLimit: 3
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/instance: tdm
+        app.kubernetes.io/managed-by: Helm
+        app.kubernetes.io/name: tdm
+        app.kubernetes.io/part-of: AbInitio
+        app.kubernetes.io/version: 4.4.1
+        helm.sh/chart: tdm-2.4.3-a
+      name: tdm
+    spec:
+      containers:
+      - args:
+        - --ab-k8s-job-launch-script
+        - /ab-setup/setup_pod.sh
+        command:
+        - ab-container-entrypoint.ksh
+        env:
+        - name: AB_AIR_ENCRYPTED_PASSWORD
+          value: file=/secrets/aiadmin/password
+        - name: AB_AIR_ROOT
+          value: //eme-0.eme-headless/abinitio/eme/eme
+        - name: AB_AIR_USER
+          value: aiadmin
+        - name: AB_ALLOW_FILE_LOCK_ON_REMOTE_FILE_SYSTEM
+          value: "true"
+        - name: AB_AUTHORIZATION_GATEWAY_URL
+          value: http://authgateway:8080/authgateway
+        - name: AB_BRIDGE_CONFIGURATION_DIR
+          value: /abinitio/bridge
+        - name: AB_BRIDGE_CONFIGURATION_NAME
+          value: container-bridge
+        - name: AB_CHARSET
+          value: utf-8
+        - name: AB_CONFIGURATION
+          value: /config/pod/abinitiorc:/config/pod/apphubrc
+        - name: AB_CONNECTION_BRIDGE_ENCRYPTED_RPC_ENCRYPTION_KEY
+          value: file=/secrets/bridge/password
+        - name: AB_CONNECTION_BRIDGE_PORT
+          value: "7070"
+        - name: AB_CONNECTION_BRIDGE_RPC_ENCRYPTION_TYPE
+          value: aes128-gcm
+        - name: AB_CONNECTION_BRIDGE_SECURITY_CONFIGURATION
+          value: container-bridge-security
+        - name: AB_HOSTNAME_KEYSERVER_URLS
+          value: abks://key-server:6151
+        - name: AB_IPV4_ONLY
+          value: "true"
+        - name: AB_K8S_MAX_IDLE_SECONDS
+          value: "0"
+        - name: AB_K8S_START_BRIDGE
+          value: none
+        - name: AB_K8S_START_REPORTER
+          value: "false"
+        - name: AB_KEY_DAEMON_DIR
+          value: /tmp/abkc/data
+        - name: AB_MUX_ENABLE_AG_CREDENTIAL_MAPPING
+          value: "false"
+        - name: AB_OPS_CONSOLE_URL
+          value: http://controlcenter:8080/controlcenter
+        - name: AB_PASSWORD_KEY_FILE
+          value: /secrets/password_key_file/password
+        - name: BRIDGE_AB_ENCRYPTED_KEY
+          value: file=/secrets/bridge/password
+        - name: CMAP_MOUNT
+          value: /config/pod
+        - name: DEPLOY_NAME
+          value: tdm
+        - name: LOAD_PHYSOBJECTS
+          value: "true"
+        - name: NAMESPACE
+          value: abinitio
+        - name: POD_IP
+          valueFrom:
+            fieldRef:
+              fieldPath: status.podIP
+        - name: POD_LABEL
+          value: 'abinitio/product: tdm, abinitio/deployment: tdm'
+        - name: POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
+        - name: POD_SERVICE
+          value: tdm
+        - name: POD_SERVICE_HEADLESS
+          value: tdm-headless
+        image: asia-southeast1-docker.pkg.dev/str-22391/cloudplatform-proxy/aidp/tdm:4.4.1.1-1
+        imagePullPolicy: IfNotPresent
+        name: tdm
+        resources:
+          limits:
+            ephemeral-storage: 2Gi
+            memory: 2Gi
+          requests:
+            cpu: 100m
+            ephemeral-storage: 2Gi
+            memory: 1Gi
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop:
+            - ALL
+          runAsGroup: 1000
+          runAsNonRoot: true
+          runAsUser: 1000
+          seccompProfile:
+            type: RuntimeDefault
+        volumeMounts:
+        - mountPath: /config/pod
+          name: pod-config
+        - mountPath: /abinitio
+          name: abinitio-local
+        - mountPath: /secrets/aiadmin/password
+          name: aiadmin
+          subPath: password
+        - mountPath: /secrets/ocagent/password
+          name: ocagent
+          subPath: password
+        - mountPath: /secrets/bridge/password
+          name: bridge
+          subPath: password
+        - mountPath: /secrets/eme_join_user/password
+          name: eme-join-user
+          subPath: password
+        - mountPath: /secrets/qi_join_user/password
+          name: qi-join-user
+          subPath: password
+        - mountPath: /secrets/dcs_utility_user/password
+          name: dcs-utility-user
+          subPath: password
+        - mountPath: /secrets/mhub_utility_user/password
+          name: mhub-utility-user
+          subPath: password
+        - mountPath: /secrets/ag_db_importer/password
+          name: ag-db-importer
+          subPath: password
+        - mountPath: /secrets/admin/password
+          name: admin
+          subPath: password
+        - mountPath: /secrets/ag_ui_importer/password
+          name: ag-ui-importer
+          subPath: password
+        - mountPath: /secrets/cafe_join_user/password
+          name: cafe-join-user
+          subPath: password
+        - mountPath: /secrets/cc_join_user/password
+          name: cc-join-user
+          subPath: password
+        - mountPath: /secrets/dcs_join_user/password
+          name: dcs-join-user
+          subPath: password
+        - mountPath: /secrets/ei_join_user/password
+          name: ei-join-user
+          subPath: password
+        - mountPath: /secrets/mhub_join_user/password
+          name: mhub-join-user
+          subPath: password
+        - mountPath: /secrets/qiadmin_join_user/password
+          name: qiadmin-join-user
+          subPath: password
+        - mountPath: /secrets/sd_join_user/password
+          name: sd-join-user
+          subPath: password
+        - mountPath: /secrets/trw_join_user/password
+          name: trw-join-user
+          subPath: password
+        - mountPath: /secrets/mhub_db_importer/password
+          name: mhub-db-importer
+          subPath: password
+        - mountPath: /secrets/mhub_ui_importer/password
+          name: mhub-ui-importer
+          subPath: password
+        - mountPath: /secrets/ag_appserver/password
+          name: ag-appserver
+          subPath: password
+        - mountPath: /secrets/ag_report/password
+          name: ag-report
+          subPath: password
+        - mountPath: /secrets/cc_jdbc/password
+          name: cc-jdbc
+          subPath: password
+        - mountPath: /secrets/dcs_hmac_key/password
+          name: dcs-hmac-key
+          subPath: password
+        - mountPath: /secrets/abinitio/password
+          name: abinitio
+          subPath: password
+        - mountPath: /secrets/mhub_appserver/password
+          name: mhub-appserver
+          subPath: password
+        - mountPath: /secrets/mhub_report/password
+          name: mhub-report
+          subPath: password
+        - mountPath: /secrets/runtime_locator_join_user/password
+          name: runtime-locator-join-user
+          subPath: password
+        - mountPath: /secrets/password_key_file/password
+          name: password-key-file
+          subPath: password
+        - mountPath: /ab_share
+          name: ab-share-data-and-appconf-root
+        - mountPath: /tmp
+          name: tmp-volume
+      hostAliases:
+      - hostnames:
+        - tdm.abinitio
+        ip: 127.0.0.1
+      hostname: tdm
+      initContainers: null
+      restartPolicy: Never
+      securityContext:
+        fsGroup: 1000
+        fsGroupChangePolicy: OnRootMismatch
+        runAsGroup: 1000
+        runAsNonRoot: true
+        runAsUser: 1000
+        seccompProfile:
+          type: RuntimeDefault
+      serviceAccountName: abinitio-sa
+      terminationGracePeriodSeconds: 30
+      volumes:
+      - configMap:
+          defaultMode: 511
+          name: tdm
+        name: pod-config
+      - emptyDir: {}
+        name: abinitio-local
+      - emptyDir: {}
+        name: tmp-volume
+      - name: aiadmin
+        secret:
+          secretName: aiadmin
+      - name: ocagent
+        secret:
+          secretName: ocagent
+      - name: bridge
+        secret:
+          secretName: bridge
+      - name: eme-join-user
+        secret:
+          secretName: eme-join-user
+      - name: qi-join-user
+        secret:
+          secretName: qi-join-user
+      - name: dcs-utility-user
+        secret:
+          secretName: dcs-utility-user
+      - name: mhub-utility-user
+        secret:
+          secretName: mhub-utility-user
+      - name: ag-db-importer
+        secret:
+          secretName: ag-db-importer
+      - name: admin
+        secret:
+          secretName: admin
+      - name: ag-ui-importer
+        secret:
+          secretName: ag-ui-importer
+      - name: cafe-join-user
+        secret:
+          secretName: cafe-join-user
+      - name: cc-join-user
+        secret:
+          secretName: cc-join-user
+      - name: dcs-join-user
+        secret:
+          secretName: dcs-join-user
+      - name: ei-join-user
+        secret:
+          secretName: ei-join-user
+      - name: mhub-join-user
+        secret:
+          secretName: mhub-join-user
+      - name: qiadmin-join-user
+        secret:
+          secretName: qiadmin-join-user
+      - name: sd-join-user
+        secret:
+          secretName: sd-join-user
+      - name: trw-join-user
+        secret:
+          secretName: trw-join-user
+      - name: mhub-db-importer
+        secret:
+          secretName: mhub-db-importer
+      - name: mhub-ui-importer
+        secret:
+          secretName: mhub-ui-importer
+      - name: ag-appserver
+        secret:
+          secretName: ag-appserver
+      - name: ag-report
+        secret:
+          secretName: ag-report
+      - name: cc-jdbc
+        secret:
+          secretName: cc-jdbc
+      - name: dcs-hmac-key
+        secret:
+          secretName: dcs-hmac-key
+      - name: abinitio
+        secret:
+          secretName: abinitio
+      - name: mhub-appserver
+        secret:
+          secretName: mhub-appserver
+      - name: mhub-report
+        secret:
+          secretName: mhub-report
+      - name: runtime-locator-join-user
+        secret:
+          secretName: runtime-locator-join-user
+      - name: password-key-file
+        secret:
+          secretName: password-key-file
+      - name: ab-share-data-and-appconf-root
+        persistentVolumeClaim:
+          claimName: ab-shared-data-and-appconf-root-claim
+  ttlSecondsAfterFinished: 3600
--- a/rendered/manifests/k3s-dev/abinitio-platform/tdm/v1_configmap_tdm.yaml
+++ b/rendered/manifests/k3s-dev/abinitio-platform/tdm/v1_configmap_tdm.yaml
@@ -0,0 +1,28 @@
+apiVersion: v1
+data:
+  abinitiorc: |
+    AB_AIR_BRANCH @ expressit : main
+    AB_AIR_ROOT : //eme-0.eme-headless/abinitio/eme/eme
+    AB_AIR_ROOT @ expressit : //eme-0.eme-headless/abinitio/eme/eme
+    AB_APPCONF_ROOT_DIR @ expressit : /ab_share/ab_appconf_root
+    AB_CHARSET : utf-8
+    AB_CONNECTION : bridge
+    AB_CONNECTION_BRIDGE_ENCRYPTED_RPC_ENCRYPTION_KEY : file=/secrets/bridge/password
+    AB_ENV_ROOT : /abinitio/sandboxes/sand/stdenv
+    AB_HOSTNAME_KEYSERVER_URLS : abks://key-server:6151
+    AB_PROC_DIR : /tmp
+    AB_WORK_DIR : /abinitio/work
+  apphubrc: |
+    AB_KEYSERVER_GROUP : AI-IC-AWS001a
+    AB_KEYSERVER_URLS : abks://key-server:6150
+kind: ConfigMap
+metadata:
+  labels:
+    app.kubernetes.io/instance: tdm
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: tdm
+    app.kubernetes.io/part-of: AbInitio
+    app.kubernetes.io/version: 4.4.1
+    helm.sh/chart: tdm-2.4.3-a
+  name: tdm
+  namespace: abinitio
--- a/Show More
+++ b/Show More