diff --git a/bootstrap/boot.yaml b/bootstrap/boot.yaml
index c38845bf..e9eb0c25 100644
--- a/bootstrap/boot.yaml
+++ b/bootstrap/boot.yaml
@@ -86,8 +86,11 @@ spec:
 - heqet/values.yaml
 interval: 5m
 install:
+ crds: CreateReplace
 remediation:
 retries: 3
+ upgrade:
+ crds: CreateReplace
 # We can overwrite some defaults here:
 values:
 server: https://kubernetes.default.svc
diff --git a/projects/core/project.yml b/projects/core/project.yml
new file mode 100644
index 00000000..98ed3a6b
--- /dev/null
+++ b/projects/core/project.yml
@@ -0,0 +1,62 @@
+config:
+ description: Core Components for Kubernetes
+
+apps:
+- name: cert-manager
+ namespace: cert-manager
+ repoURL: https://charts.jetstack.io
+ chart: cert-manager
+ targetRevision: v1.7.1
+ parameters:
+ - name: installCRDs
+ value: 'true'
+ secrets:
+ - name: cert-manager-vault-approle
+ keys:
+ - secretId
+
+- name: fast-storage
+ namespace: fast-storage
+ repoURL: https://github.com/rancher/local-path-provisioner
+ path: deploy/chart
+ syncWave: '0'
+ parameters:
+ - name: storageClass.name
+ value: fast
+ - name: nodePathMap[0].node
+ value: DEFAULT_PATH_FOR_NON_LISTED_NODES
+ - name: nodePathMap[0].paths[0]
+ value: /var/lib/rancher/k3s/storage
+
+- name: ssd-storage
+ namespace: ssd-storage
+ repoURL: https://github.com/rancher/local-path-provisioner
+ path: deploy/chart
+ syncWave: '0'
+ parameters:
+ - name: storageClass.name
+ value: ssd
+ - name: nodePathMap[0].node
+ value: DEFAULT_PATH_FOR_NON_LISTED_NODES
+ - name: nodePathMap[0].paths[0]
+ value: /data/kubernetes/ssd
+
+- name: metallb
+ repoURL: https://charts.bitnami.com/bitnami
+ chart: metallb
+ namespace: metallb
+ targetRevision: 2.5.16
+ syncWave: '0'
+
+- name: ingress-internal
+ namespace: ingress-internal
+ repoURL: https://helm.traefik.io/traefik
+ chart: traefik
+ targetRevision: 10.15.0
+ syncWave: '0'
+
+- name: cilium
+ existingNamespace: kube-system
+ repoURL: https://helm.cilium.io
+ chart: cilium
+ targetRevision: 1.11.2
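Review bot: The new `crds: CreateReplace` under both `install:` and `upgrade:` is left unexplained; replacing CRDs on every upgrade is the most aggressive of the Flux CRD policies and can change a CRD's served and stored versions underneath existing custom resources, so a one-line comment stating why `Create` was not enough would help the next maintainer, e.g. `# CreateReplace: chart-shipped CRD schema changes are applied on upgrade; Helm's default handling would skip them`. The `spec:` mapping this hunk edits starts before the hunk. `upgrade:` gets no `remediation:` block to mirror the one under `install:`; confirm that is intentional.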
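Review bot: The `fast-storage` and `ssd-storage` entries point at `https://github.com/rancher/local-path-provisioner` with a `path:` but no `targetRevision:`, unlike every chart entry in the file, so the source is unpinned; if this resolves through Argo CD's defaults, an absent revision tracks `HEAD`, meaning an upstream push to the default branch changes what gets deployed to both storage namespaces with no review step. Pin them the same way the chart entries are pinned, e.g. `  targetRevision: <release-tag>` (placeholder), and keep the two entries' `parameters:` lists in sync since they are copies of each other. A smaller style point: the `metallb` entry lists `repoURL` before `namespace` while every other entry puts `namespace` first.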
diff --git a/projects/core/values/cilium.yaml b/projects/core/values/cilium.yaml
new file mode 100644
index 00000000..2dcc677f
--- /dev/null
+++ b/projects/core/values/cilium.yaml
@@ -0,0 +1,41 @@
+---
+kubeProxyReplacement: strict
+hubble:
+ relay:
+ enabled: true
+
+ ui:
+ enabled: true
+ ingress:
+ enabled: true
+ className: ingress-internal-traefik
+ annotations:
+ cert-manager.io/cluster-issuer: vault-issuer
+ traefik.ingress.kubernetes.io/router.tls: 'true'
+ hosts:
+ - cilium.dc
+ tls:
+ - secretName: cilium-dc-tls
+ hosts:
+ - cilium.dc
+
+ metrics:
+ enabled:
+ - dns:query;ignoreAAAA
+ - drop
+ - tcp
+ - flow
+ - icmp
+ - http
+ annotations:
+ prometheus.io/scrape: "true"
+ prometheus.io/port: "9091"
+
+prometheus:
+ enabled: true
+
+operator:
+ replicas: 1
+
+hostServices:
+ enabled: true
diff --git a/projects/core/values/ingress-internal.yaml b/projects/core/values/ingress-internal.yaml
new file mode 100644
index 00000000..de75da7a
--- /dev/null
+++ b/projects/core/values/ingress-internal.yaml
@@ -0,0 +1,32 @@
+ingressClass:
+ enabled: true
+ isDefaultClass: true
+
+providers:
+ kubernetesCRD:
+ ingressClass: traefik
+ kubernetesIngress:
+ publishedService:
+ enabled: true
+
+globalArguments: []
+
+ports:
+ web:
+ redirectTo: websecure
+ websecure:
+ tls:
+ enabled: true
+
+service:
+ enabled: true
+ type: LoadBalancer
+ annotations:
+ metallb.universe.tf/address-pool: internal
+
+ externalIPs:
+ - 192.168.1.11
+
+logs:
+ general:
+ level: DEBUG
diff --git a/projects/core/values/metallb.yaml b/projects/core/values/metallb.yaml
new file mode 100644
index 00000000..73a9e84d
--- /dev/null
+++ b/projects/core/values/metallb.yaml
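Review bot: The Hubble UI ingress at `cilium.dc` is given TLS (`router.tls: 'true'`, `cert-manager.io/cluster-issuer`) but no authentication annotation, and Hubble UI does not provide a login of its own, so unless a Traefik middleware is attached elsewhere every client that can reach the internal ingress can browse live flow data for the whole cluster. Either front this ingress with an auth middleware or document the trust assumption above `ingress:`, e.g. `# Hubble UI is unauthenticated; reachable only via the internal LB`. Within the same file the boolean-looking strings are quoted two ways (`'true'` for the Traefik annotation, `"true"` for `prometheus.io/scrape`); pick one quote style.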
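Review bot: `logs.general.level: DEBUG` puts the internal Traefik into its most verbose mode for a long-lived deployment; debug output from a reverse proxy includes per-request routing detail, which fills log storage and puts request data into logs that are typically retained. Set it to `level: INFO` unless a comment records why debug is needed, e.g. `level: INFO  # raise to DEBUG only while troubleshooting routing`. Separately, `externalIPs: - 192.168.1.11` duplicates the address that `projects/core/values/metallb.yaml` assigns through the `internal` pool selected by `metallb.universe.tf/address-pool: internal`; hard-coding it in two files means they can drift, and MetalLB should be the single source for that address.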
@@ -0,0 +1,34 @@
+configInline:
+ address-pools:
+ - name: default
+ protocol: layer2
+ addresses:
+ - 192.168.1.13/32
+ - 192.168.1.14/32
+ - 192.168.1.15/32
+ - 192.168.1.16/32
+ - 192.168.1.17/32
+ - 192.168.1.18/32
+ - 192.168.1.19/32
+ - 192.168.1.20/32
+
+ - name: dns
+ protocol: layer2
+ addresses:
+ - 192.168.1.53/32
+
+ - name: external
+ protocol: layer2
+ addresses:
+ - 192.168.1.12/32
+
+ - name: internal
+ protocol: layer2
+ addresses:
+ - 192.168.1.11/32
+
+prometheus:
+ serviceMonitor:
+ enabled: true
+ prometheusRule:
+ enabled: true
diff --git a/projects/vault/project.yml b/projects/vault/project.yml
new file mode 100644
index 00000000..84276ac4
--- /dev/null
+++ b/projects/vault/project.yml
@@ -0,0 +1,14 @@
+config:
+ description: Vault Secret Managemet
+apps:
+- name: vault
+ repoURL: https://helm.releases.hashicorp.com
+ chart: vault
+ targetRevision: 0.19.0
+ syncWave: '-3'
+- name: vault-secrets-operator
+ namespace: vault-secrets-operator
+ repoURL: https://ricoberger.github.io/helm-charts
+ chart: vault-secrets-operator
+ targetRevision: 1.16.5
+ syncWave: '-2'
diff --git a/projects/vault/values/vault-secrets-operator.yaml b/projects/vault/values/vault-secrets-operator.yaml
new file mode 100644
index 00000000..6d218bd0
--- /dev/null
+++ b/projects/vault/values/vault-secrets-operator.yaml
@@ -0,0 +1,17 @@
+vault:
+ address: "http://vault.vault.svc.cluster.local:8200"
+ authMethod: kubernetes
+ kubernetesRole: heqet-app
+ namespaces: ""
+
+crd:
+ create: false
+
+rbac:
+ create: true
+ createrole: true
+ namespaced: false
+
+serviceAccount:
+ create: true
+ name: vault-secrets-operator
diff --git a/projects/vault/values/vault.yaml b/projects/vault/values/vault.yaml
new file mode 100644
index 00000000..f75bb0dd
--- /dev/null
+++ b/projects/vault/values/vault.yaml
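Review bot: The `dns`, `external` and `internal` pools each hold a single address reserved for one service (the `internal` pool is the one `metallb.universe.tf/address-pool: internal` selects in `ingress-internal.yaml`), yet none of them sets `auto-assign: false`, so any `LoadBalancer` Service created without a pool annotation can be handed one of these addresses and the `external` one could quietly end up on an unintended workload. Add it to each single-purpose pool, e.g. `- name: external` / `protocol: layer2` / `auto-assign: false`, so that `default` is the only pool that hands out addresses automatically.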
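Review bot: `description: Vault Secret Managemet` has a typo (`Management`), and the `vault` app is the only entry in either project file that carries neither `namespace:` nor `existingNamespace:`; `vault-secrets-operator.yaml` expects it at `vault.vault.svc.cluster.local`, so if the loader does not default the namespace to the app name the operator cannot reach it. Make the target explicit with `  namespace: vault` so the dependency between the two apps is visible in this file.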
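Review bot: `address: "http://vault.vault.svc.cluster.local:8200"` talks to Vault over plaintext, which `projects/vault/values/vault.yaml` in the same commit confirms with `tlsDisable: true` and `tls_disable = 1` in the listener config; every Kubernetes-auth login and every secret the operator pulls therefore crosses the pod network unencrypted, and the confidentiality of those secrets rests entirely on pod-network isolation. The ingress gets a cert-manager certificate while the in-cluster path does not, so either terminate TLS on the Vault listener (the same `vault-issuer` can issue it) and switch this to `https://`, or record the accepted risk next to `address`, e.g. `# plaintext: relies on pod-network isolation, see vault.yaml tlsDisable`. `namespaces: ""` together with `rbac.namespaced: false` makes the operator cluster-wide; confirm `heqet-app` is the Vault role meant to serve every namespace.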
@@ -0,0 +1,70 @@
+global:
+ enabled: true
+ tlsDisable: true
+ psp:
+ enable: true
+
+injector:
+ enabled: false
+
+server:
+ enabled: true
+ image:
+ repository: "hashicorp/vault"
+ tag: "1.9.4"
+ auditStorage:
+ accessMode: ReadWriteOnce
+ annotations: {}
+ enabled: false
+ mountPath: /vault/audit
+ size: 10Gi
+ storageClass: null
+ authDelegator:
+ enabled: true
+ dataStorage:
+ accessMode: ReadWriteOnce
+ annotations: {}
+ enabled: true
+ mountPath: /vault/data
+ size: 10Gi
+ storageClass: local-path
+ dev:
+ enabled: false
+ ha:
+ enabled: false
+
+ ingress:
+ annotations:
+ cert-manager.io/cluster-issuer: vault-issuer
+ traefik.ingress.kubernetes.io/router.tls: 'true'
+ enabled: true
+ extraPaths: []
+ hosts:
+ - host: vault.dc
+ paths: []
+ labels: {}
+ tls:
+ - hosts:
+ - vault.dc
+ secretName: vault-tls
+
+ networkPolicy:
+ egress: []
+ enabled: true
+
+ standalone:
+ enabled: true
+ config: |
+ ui = true
+
+ listener "tcp" {
+ tls_disable = 1
+ address = "[::]:8200"
+ cluster_address = "[::]:8201"
+ }
+ storage "file" {
+ path = "/vault/data"
+ }
+
+ui:
+ enabled: true
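Review bot: `auditStorage.enabled: false` leaves Vault with no volume behind `mountPath: /vault/audit`, so no file audit device can be enabled there and secret reads, token issuance and policy changes go unrecorded; for a standalone server that backs the whole cluster's secrets this is the first gap a defender looks for. Enable it (`enabled: true` plus a real `storageClass` instead of `null`) and enable a file audit device on that path once the server is initialised. The `tlsDisable: true` / `tls_disable = 1` pairing is raised on the vault-secrets-operator hunk. Two smaller points: `dataStorage.storageClass: local-path` names a class that this commit's `projects/core/project.yml` does not create (it defines `fast` and `ssd`), so it relies on a class shipped with the distribution, and `psp.enable: true` depends on the PodSecurityPolicy API that newer Kubernetes releases remove; check both against the cluster version.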