diff --git a/charts/kubezero-kiam/templates/sync-ns.yaml b/charts/kubezero-kiam/templates/sync-ns.yaml
index 8170b9e..cc270a0 100644
--- a/charts/kubezero-kiam/templates/sync-ns.yaml
+++ b/charts/kubezero-kiam/templates/sync-ns.yaml
@@ -60,3 +60,6 @@ spec:
 - -c
 - kubectl annotate --overwrite namespace kube-system 'iam.amazonaws.com/permitted=.*'
 restartPolicy: Never
+ tolerations:
+ - effect: NoSchedule
+ key: node-role.kubernetes.io/master
diff --git a/deploy/.gitignore b/deploy/.gitignore
new file mode 100644
index 0000000..58d6106
--- /dev/null
+++ b/deploy/.gitignore
@@ -0,0 +1 @@
+generated-values.yaml
diff --git a/deploy/.helmignore b/deploy/.helmignore
new file mode 100644
index 0000000..0e8a0eb
--- /dev/null
+++ b/deploy/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/deploy/Chart.yaml b/deploy/Chart.yaml
new file mode 100644
index 0000000..6769f33
--- /dev/null
+++ b/deploy/Chart.yaml
@@ -0,0 +1,6 @@
+apiVersion: v2
+name: deploy
+description: "This chart is only used to generate the values.yaml for KubeZero !! Once something like https://github.com/helm/helm/pull/6876 gets merged this will be removed !"
+type: application
+version: 0.0.1
+appVersion: 1.16.0
diff --git a/deploy/deploy.sh b/deploy/deploy.sh
new file mode 100755
index 0000000..bab1380
--- /dev/null
+++ b/deploy/deploy.sh
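Review bot: The new toleration only lets this annotate Job be scheduled onto a tainted control-plane node; nothing in the hunk pins it there, so it can still land on a worker, and if the intent is to run it on a master (presumably so the kubectl call is not subject to kiam-agent on workers — inferred, confirm) it also needs `nodeSelector:` with `node-role.kubernetes.io/master: ""`. Newer Kubernetes releases taint control-plane nodes with `node-role.kubernetes.io/control-plane` instead, so a second toleration for that key keeps the Job schedulable after an upgrade. The enclosing Job spec starts outside the hunk. Separately, the pre-existing `iam.amazonaws.com/permitted=.*` annotation this Job applies allows any kube-system pod to request any role kiam-server can assume; it is not part of this change but is worth narrowing to the roles actually needed.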
@@ -0,0 +1,18 @@
+#!/bin/bash
+set -ex
+
+DEPLOY_DIR=$( dirname $( realpath $0 ))
+
+helm repo add kubezero https://zero-down-time.github.io/kubezero
+helm repo update
+
+# Determine if we bootstrap or update
+helm list -n argocd -f kubezero -q | grep -q kubezero && rc=$? || rc=$?
+if [ $rc -eq 0 ]; then
+ helm template $DEPLOY_DIR -f values.yaml -f kubezero.yaml > generated-values.yaml
+ helm upgrade -n argocd kubezero kubezero/kubezero-argo-cd -f generated-values.yaml
+else
+ # During bootstrap we first generate a minimal values.yaml to prevent various deadlocks
+ helm template $DEPLOY_DIR -f values.yaml -f kubezero.yaml --set=bootstrap=true > generated-values.yaml
+ helm install -n argocd kubezero kubezero/kubezero-argo-cd --create-namespace -f generated-values.yaml
+fi
diff --git a/deploy/templates/values.yaml b/deploy/templates/values.yaml
new file mode 100644
index 0000000..800fee4
--- /dev/null
+++ b/deploy/templates/values.yaml
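Review bot: Both `helm install` and `helm upgrade` pull `kubezero/kubezero-argo-cd` with no `--version`, so every run deploys whatever the remote repo currently publishes and a mistaken or malicious chart push lands directly in the argocd namespace; pin it with `--version "$KUBEZERO_VERSION"` (and add `--verify` once the charts ship provenance files). The relative `values.yaml`, `kubezero.yaml` and `generated-values.yaml` resolve against the caller's cwd while the chart itself is located via `$DEPLOY_DIR`, so invoking the script from another directory templates the right chart against the wrong (or missing) values — a `cd "$DEPLOY_DIR"` after computing it removes the mismatch. `set -ex` without `-u`/`pipefail` means a `helm list` that fails for lack of cluster access is swallowed by `grep -q` and silently routes into the bootstrap `helm install` path; `-f kubezero` is also a substring regex, so `-f '^kubezero$'` is the stricter check.
```bash
set -euo pipefail

DEPLOY_DIR="$(dirname "$(realpath "$0")")"
cd "$DEPLOY_DIR"
KUBEZERO_VERSION="${KUBEZERO_VERSION:?set to the kubezero-argo-cd chart version to deploy}"

# … unchanged: helm repo add / update …
helm list -n argocd -f '^kubezero$' -q | grep -q kubezero && rc=$? || rc=$?
# … unchanged: if / template …
  helm upgrade -n argocd kubezero kubezero/kubezero-argo-cd --version "$KUBEZERO_VERSION" -f generated-values.yaml
# … unchanged: else / bootstrap template …
  helm install -n argocd kubezero kubezero/kubezero-argo-cd --version "$KUBEZERO_VERSION" --create-namespace -f generated-values.yaml
```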
@@ -0,0 +1,63 @@
+kubezero:
+ calico:
+ enabled: {{ .Values.calico.enabled }}
+ cert-manager:
+ enabled: {{ index .Values "cert-manager" "enabled" }}
+{{- if not .Values.bootstrap }}
+ values:
+ {{- if .Values.aws }}
+ cert-manager:
+ podAnnotations:
+ iam.amazonaws.com/role: "{{ index .Values "cert-manager" "IamArn" }}"
+ {{- end }}
+ clusterIssuer:
+ name: letsencrypt-dns-prod
+ server: https://acme-v02.api.letsencrypt.org/directory
+ email: {{ index .Values "cert-manager" "email" }}
+ solvers:
+ - selector:
+ dnsZones: {{ index .Values "cert-manager" "domains" }}
+ dns01:
+ {{- if .Values.aws }}
+ route53:
+ region: {{ .Values.region }}
+ {{- end }}
+
+ {{- if .Values.aws }}
+ aws-ebs-csi-driver:
+ enabled: {{ index .Values "aws-ebs-csi-driver" "enabled" }}
+ values:
+ aws-ebs-csi-driver:
+ replicaCount: {{ ternary 2 1 .Values.HighAvailableControlplane }}
+ podAnnotations:
+ iam.amazonaws.com/role: "{{ index .Values "aws-ebs-csi-driver" "IamArn" }}"
+ extraVolumeTags:
+ Name: {{ .Values.ClusterName }}
+ kiam:
+ enabled: {{ .Values.kiam.enabled }}
+ values:
+ kiam:
+ server:
+ assumeRoleArn: "{{ .Values.kiam.IamArn }}"
+ deployment:
+ replicas: {{ ternary 2 1 .Values.HighAvailableControlplane }}
+ prometheus:
+ servicemonitor:
+ enabled: {{ .Values.prometheus.enabled }}
+ {{- end }}
+{{- end }}
+
+argo-cd:
+ {{- with index .Values "argo-cd" "server" }}
+ server:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- with index .Values "argo-cd" "configs" }}
+ configs:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- if not .Values.bootstrap }}
+ istio:
+ enabled: {{ .Values.istio.enabled }}
+ gateway: private-ingressgateway.istio-system.svc.cluster.local
+ {{- end }}
diff --git a/deploy/values.yaml b/deploy/values.yaml
new file mode 100644
index 0000000..53e1f99
--- /dev/null
+++ b/deploy/values.yaml
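Review bot: `dnsZones: {{ index .Values "cert-manager" "domains" }}` interpolates what is presumably a list using Go's default `[a b]` formatting, which YAML reads as a one-element flow sequence containing `"a b"` as soon as more than one zone is configured; emit it with `dnsZones:` followed by `{{- toYaml (index .Values "cert-manager" "domains") | nindent 14 }}` (indent matched to the key) so the solver selector stays a real list. The other interpolated scalars — `email`, `region`, `Name` — are unquoted, and `deploy/values.yaml` in this same commit provides no `region`, `cert-manager.email` or `cert-manager.domains`, so a render without `kubezero.yaml` yields `email:` and `region:` as null and `iam.amazonaws.com/role: ""` from the empty `IamArn` defaults, which cert-manager and kiam will accept silently. Quote the scalar outputs (`email: "{{ index .Values "cert-manager" "email" }}"`) and make the site-specific ones fail fast with `required "cert-manager.email must be set" (index .Values "cert-manager" "email")` so a half-configured values file cannot produce a ClusterIssuer that looks valid but never issues.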
@@ -0,0 +1,26 @@
+ClusterName: Test-cluster
+Domain: example.com
+
+aws: true
+HighAvailableControlplane: false
+
+calico:
+ enabled: true
+
+cert-manager:
+ enabled: true
+ IamArn: ""
+
+aws-ebs-csi-driver:
+ enabled: true
+ IamArn: ""
+
+kiam:
+ enabled: true
+ IamArn: ""
+
+istio:
+ enabled: false
+
+prometheus:
+ enabled: false
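Review bot: The three `IamArn: ""` placeholders flow straight into `iam.amazonaws.com/role` and `assumeRoleArn` as empty strings, and the keys the template also reads — `region`, `cert-manager.email`, `cert-manager.domains` — are absent from this file altogether, so these defaults alone do not produce a working install and nothing here says which values must be overridden. A header comment such as `# Site-specific values (region, cert-manager.email/domains and the IamArn role ARNs) must be supplied via kubezero.yaml; the empty entries below are placeholders only.` together with explicit `region: ""` and `cert-manager: { email: "", domains: [] }` entries would make that contract visible and keep the rendered output well-typed. The mixed key casing (`ClusterName`, `HighAvailableControlplane` beside `aws`, `calico`) is a style nit best settled now, before these keys are referenced from more templates.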