diff --git a/CHANGES.md b/CHANGES.md new file mode 100644 index 0000000..6c36fad --- /dev/null +++ b/CHANGES.md @@ -0,0 +1,14 @@ +# CFN / Platform +- Kube to 1.17 +- Kube-proxy uses ipvs +- metrics support for kube-proxy +- no reliance on custom resource for S3 buckets anymore + + +# Kubezero +- fully automated one command bootstrap incl. all kubezero components +- migrated from kube-prometheuss to community helm charts for metrics +- latest Grafana incl. peristence +- kube-prometheus adapter improvements / customizations +- integrated EFS CSI driver into Kubezero +- prometheus itself can be exposed via istio ingress on demand to ease development of custom metrics diff --git a/charts/kubezero-metrics/Chart.yaml b/charts/kubezero-metrics/Chart.yaml index 9a15444..b08e8ef 100644 --- a/charts/kubezero-metrics/Chart.yaml +++ b/charts/kubezero-metrics/Chart.yaml @@ -2,7 +2,7 @@ apiVersion: v2 name: kubezero-metrics description: KubeZero Umbrella Chart for prometheus-operator type: application -version: 0.1.0 +version: 0.1.1 home: https://kubezero.com icon: https://cdn.zero-downtime.net/assets/kubezero/logo-small-64.png keywords: diff --git a/charts/kubezero-metrics/values.yaml b/charts/kubezero-metrics/values.yaml index f2256ab..3d9af7b 100644 --- a/charts/kubezero-metrics/values.yaml +++ b/charts/kubezero-metrics/values.yaml @@ -19,7 +19,7 @@ prometheus-operator: enabled: true kubeStateMetrics: enabled: true - kubelet: + kubeProxy: enabled: true # Disabled until we figure out how to scrape etcd with ssl client certs, scheduler/proxy/controller require https since 1.17 @@ -29,11 +29,15 @@ prometheus-operator: enabled: false kubeEtcd: enabled: false - kubeProxy: - enabled: true kubeScheduler: enabled: false + kubelet: + enabled: true + serviceMonitor: + # removed with 1.18 anyways + cAdvisor: false + prometheusOperator: enabled: true #image: diff --git a/deploy/deploy.sh b/deploy/deploy.sh index d2b458a..62a4cab 100755 --- a/deploy/deploy.sh +++ b/deploy/deploy.sh 
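Review bot: Setting `cAdvisor: false` under `kubelet.serviceMonitor` in the second values.yaml hunk stops Prometheus scraping the kubelet's cAdvisor endpoint, so the per-container `container_*` CPU, memory and network series are no longer collected. The justification `# removed with 1.18 anyways` should be checked against the 1.18 release notes, because as far as I know the kubelet still serves `/metrics/cadvisor` there. Dashboards, default alert rules and the prometheus adapter mentioned in CHANGES.md commonly query those series, and they are also what makes abnormal container resource use visible, so please confirm nothing depends on them or keep the scrape on. If it stays off, a comment such as `# cAdvisor scrape off: container_* series not collected; <reason / replacement source>` would record the trade-off. The `prometheus-operator` mapping starts before this hunk, so other settings that may affect this are not visible.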
@@ -50,6 +50,10 @@ EOF echo "Waiting for cert-manager to be deployed..." wait_for kubectl get deployment -n cert-manager cert-manager-webhook 2>/dev/null 1>&2 kubectl rollout status deployment -n cert-manager cert-manager-webhook + + # Now that we have the cert-manager webhook, get the kiam certs in place but do NOT deploy kiam yet + helm template $DEPLOY_DIR -f values.yaml -f cloudbender.yaml --set kiam.not_ready=true --set kiam.enabled=false --set istio.enabled=false --set prometheus.enabled=false > generated-values.yaml + helm upgrade -n argocd kubezero kubezero/kubezero-argo-cd --create-namespace -f generated-values.yaml wait_for kubectl get Issuer -n kube-system kubezero-local-ca-issuer 2>/dev/null 1>&2 kubectl wait --for=condition=Ready -n kube-system Issuer/kubezero-local-ca-issuer diff --git a/deploy/templates/values.yaml b/deploy/templates/values.yaml index d3c1ecc..efb8c99 100644 --- a/deploy/templates/values.yaml +++ b/deploy/templates/values.yaml @@ -13,6 +13,11 @@ kubezero: cert-manager: enabled: {{ index .Values "cert-manager" "enabled" }} values: + # Disable all until webhook is in place + {{- if index .Values "cert-manager" "not_ready" }} + localCA: + enabled: false + {{- end }} {{- if eq .Values.platform "aws" }} cert-manager: podAnnotations:
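Review bot: The added `helm template ... > generated-values.yaml` line has no failure check, and the redirect truncates the file before helm runs, so a render error would leave an empty or partial values file that the following `helm upgrade` then applies to the argocd release. Whether `set -e` is active is not visible, since the script starts outside this hunk; if it is not, end the line with `|| exit 1`. `$DEPLOY_DIR` is also unquoted and should be written `"$DEPLOY_DIR"`. Because generated-values.yaml is rendered from cloudbender.yaml, consider creating it under a restrictive umask if that input can carry anything sensitive.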
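Review bot: The comment `# Disable all until webhook is in place` sits outside the `{{- if index .Values "cert-manager" "not_ready" }}` block, so it is rendered into the generated values even when `localCA` is left enabled, which reads as if something were still disabled. Move it inside the `if`. It would also help to document there that `not_ready` appears to be a bootstrap-only flag, e.g. `# bootstrap only: localCA stays off until the cert-manager webhook is serving`. The `values:` mapping continues past the end of the hunk.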